CN118074987A - Browser secure access handling method, system, device and readable storage medium - Google Patents


Info

Publication number: CN118074987A
Authority: CN (China)
Prior art keywords: browser, user, login, data, access
Legal status: Pending (the status listed by Google is an assumption, not a legal conclusion)
Application number: CN202410214522.5A
Other languages: Chinese (zh)
Inventors: 黄凌志, 乔保国, 楚彦辉, 高雪峰
Current assignee: Beijing Snow Technology Co ltd (the listed assignee may be inaccurate)
Original assignee: Beijing Snow Technology Co ltd


Abstract

The invention discloses a browser secure access handling method, system and device. The method comprises the following steps: acquiring a login gateway address request from the browser of a user client, performing gateway login authentication on the user client, and issuing a user credential after the authentication passes; configuring a corresponding user policy based on the user credential; and executing application security access and handling through the user policy, specifically: judging whether the browser type is the Xuenuo browser; if so, performing baseline detection based on the login request, and if the baseline detection meets the configuration requirement, allowing the user client to perform data security access and executing handling actions through the Xuenuo browser. By this method, unified management and control of files can be realized, upload and download control can be enforced at the browser-side access entrance, and the risk of file leakage is reduced while identification accuracy remains high; sensitive data can be processed in the browser without installing a client.

Description

Browser secure access handling method, system, device and readable storage medium
Technical Field
The present invention relates to the field of communications security technologies, and in particular, to a method, a system, an apparatus, and a readable storage medium for secure access of a browser.
Background
In the current network environment, in order to provide a secure network environment, an enterprise can deploy detection for networked devices such as PCs, for example terminal access software and antivirus software, to check and evaluate the security configuration and compliance of the operating system, so that only a terminal environment that meets the enterprise's requirements is allowed to access the internet.
The most common current method for checking the security configuration and compliance of an operating system is to install client software on the terminal, such as antivirus software or EDR. If the terminal is on an external network and needs to reach the enterprise's internal network, secure VPN software on the terminal must connect it to the internal network. Antivirus software can solve the problem of terminal baseline detection but not that of secure internet access; a VPN requires tools or software to be installed separately on the terminal and can provide secure internet access, but cannot solve terminal baseline detection.
Currently the browser is the entry point through which a user accesses web applications, and common secure-browser technologies include the following. Secure connection: the secure browser establishes an encrypted connection using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), ensuring that communication between the user and the website is encrypted and preventing man-in-the-middle attacks and data theft. Privacy protection: secure browsers typically block advertisement trackers, third-party cookies, malware and malicious websites, and may provide a private browsing mode so that browsing history, form data and cookies are not recorded. Malicious website interception: the secure browser uses a blacklist or a cloud security service to detect and block known malicious websites, preventing users from reaching sites that may host malware, phishing or fraud. Download protection: the secure browser can detect and block downloads of potential malware or virus files and provide real-time alerts or automatically quarantine or delete them. Website identity verification: the secure browser uses digital certificates and Certificate Authorities (CAs) to verify the identity of websites, ensuring that users connect to legitimate and trusted sites.
The current solution is to provide a proxy gateway through a DLP scheme or to hijack traffic at the terminal, identify user file operations such as uploads and downloads, or identify whether content is sensitive data through traffic inspection, and then apply the corresponding handling. This has the following problems:
DLP identification accuracy: files come in many types, not all of which can be covered, so file identification accuracy suffers; DLP cannot meet the requirement that files never leave the isolated network, and can only prohibit or allow actions such as uploading and downloading files. Secure browsers: they can only address sensitive data on web pages and user behavior, and cannot meet the requirements for baseline detection of a trusted terminal environment and secure encrypted access. As a result, problems such as data leakage still occur.
Disclosure of Invention
The invention provides a browser secure access handling method, system, device and readable storage medium for overcoming the defects of the prior art.
To solve the above technical problems, the invention adopts the following technical scheme:
A browser secure access handling method, comprising the steps of:
acquiring a login gateway address request from the browser of a user client, performing gateway login authentication on the user client, and issuing a user credential after the authentication passes, where the user credential comprises a user unique identifier;
configuring corresponding user policies based on the user credential, where the user policies at least comprise browser type, login policy, data security, baseline detection, access control and handling actions;
executing application security access and handling through the user policy, specifically: judging whether the browser type is the Xuenuo browser; if so, performing baseline detection based on the login request, and if the baseline detection meets the configuration requirement, allowing the user client to perform data security access and executing handling actions through the Xuenuo browser.
As an implementation manner, the application security access comprises user behavior control, keeping sensitive data in-domain, web page sensitive data, user behavior analysis and browser type identification;
The user behavior control at least comprises copy inhibition, source code viewing inhibition, save inhibition, print inhibition, screen capture prevention, download prevention and security behavior control;
Keeping sensitive data in-domain at least comprises automatically identifying file upload and download actions on sensitive files and redirecting them to a cloud disk, so that file data cannot leak outside the domain;
The web page sensitive data handling specifically comprises: re-rendering the originally displayed page with masking overlays and watermarks so that sensitive data is displayed in desensitized form;
The user behavior analysis specifically comprises: analysing and evaluating the identity information, device state and user behavior data of the user client to form a user behavior security baseline;
The browser type identification specifically comprises: identifying the browser type; if it is not the Xuenuo browser, intercepting the request directly, and if it is the Xuenuo browser, carrying out the corresponding handling.
As an implementation manner, performing gateway login authentication on the user client comprises the following steps:
acquiring the gateway address request entered by the user client and performing SPA knock authorization;
releasing the login permission of the user client after the knock authorization succeeds, and closing the permission if the knock authorization is abnormal, where an abnormal knock authorization comprises a failed knock or a knock timeout;
and acquiring the username and password entered by the user client in the browser and verifying whether the login policy meets the configuration requirement, where the login policy comprises remote login, trusted time and trusted location.
As an implementation manner, performing baseline detection based on the login request and, if the baseline detection meets the configuration requirement, allowing the user client to perform data security access and execute handling actions through the Xuenuo browser comprises the following steps:
intercepting the login gateway address request entered by the user client and performing baseline detection;
detecting whether the environment of the user client meets the configuration requirement; if the detection passes, prompting the user client that it passed and displaying the result, and if it does not pass, disallowing data security access and prompting the user;
and establishing secure connection communication between the Xuenuo browser and the gateway based on a communication protocol and an encryption protocol, where the communication protocol supports TCP/UDP and the encryption protocol supports national cryptographic connections, and then performing data security access and handling actions.
As an implementation manner, establishing the secure connection communication between the Xuenuo browser and the gateway based on the communication protocol and the encryption protocol specifically comprises: over TCP or UDP, the browser and the gateway establish a secure channel and transmit data, with the browser encrypting data using the public key and the gateway decrypting it using the private key.
As an embodiment, the method further comprises: encrypting and storing the private data accessed by the application, where the private data at least comprises browsing history, form data and cookie data.
As an embodiment, the handling actions comprise at least: releasing access, blocking access, blocking the source IP of the user client, blocking the account of the user client, and logging off an abnormal session.
A browser secure access handling system comprises a data acquisition module, a policy configuration module and an execution handling module;
the data acquisition module is used for acquiring a login gateway address request from the browser of a user client, performing gateway login authentication on the user client, and issuing a user credential after the authentication passes, where the user credential comprises a user unique identifier;
the policy configuration module configures corresponding user policies based on the user credential, where the user policies at least comprise browser type, login policy, data security, baseline detection, access control and handling actions;
the execution handling module is used for executing application security access and handling through the user policy, specifically: judging whether the browser type is the Xuenuo browser; if so, performing baseline detection based on the login request, and if the baseline detection meets the configuration requirement, allowing the user client to perform data security access and executing handling actions through the Xuenuo browser.
A computer readable storage medium storing a computer program which, when executed by a processor, performs the following method:
acquiring a login gateway address request from the browser of a user client, performing gateway login authentication on the user client, and issuing a user credential after the authentication passes, where the user credential comprises a user unique identifier;
configuring corresponding user policies based on the user credential, where the user policies at least comprise browser type, login policy, data security, baseline detection, access control and handling actions;
executing application security access and handling through the user policy, specifically: judging whether the browser type is the Xuenuo browser; if so, performing baseline detection based on the login request, and if the baseline detection meets the configuration requirement, allowing the user client to perform data security access and executing handling actions through the Xuenuo browser.
An apparatus for browser secure access handling comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the following method when executing the computer program:
acquiring a login gateway address request from the browser of a user client, performing gateway login authentication on the user client, and issuing a user credential after the authentication passes, where the user credential comprises a user unique identifier;
configuring corresponding user policies based on the user credential, where the user policies at least comprise browser type, login policy, data security, baseline detection, access control and handling actions;
executing application security access and handling through the user policy, specifically: judging whether the browser type is the Xuenuo browser; if so, performing baseline detection based on the login request, and if the baseline detection meets the configuration requirement, allowing the user client to perform data security access and executing handling actions through the Xuenuo browser.
Due to the adoption of the above technical scheme, the invention has the following notable technical effects:
unified management and control of files can be realized, upload and download control can be enforced at the browser-side access entrance, and the risk of file leakage is reduced while identification accuracy remains high;
in addition, files are uniformly uploaded, downloaded and stored in the cloud disk, so that they circulate only within the internal isolated network and cannot be brought in from an external network, which reduces the security risk of external virus-infected files being transferred inside;
sensitive data can be processed in the browser without installing a client.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the description below are only some embodiments of the invention, and that other drawings can be obtained according to these drawings without inventive faculty for a person skilled in the art.
FIG. 1 is a schematic overall flow diagram of the method of the present invention;
FIG. 2 is a schematic flow chart of one embodiment of the present invention;
FIG. 3 is a schematic diagram of the system architecture of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the following examples, which are illustrative of the present invention and are not intended to limit the present invention thereto.
The gateway is the Xuenuo zero trust gateway, the user credential is the credential issued by Xuenuo zero trust identity authentication, and the cloud space is the file storage network disk provided by Xuenuo. The application discloses a data leakage prevention scheme realized by the Xuenuo browser, which solves the problem of enterprise user data leaking to the outside.
The whole scheme is based on the interaction between the Xuenuo browser and the gateway, and specifically comprises the following. (1) The Xuenuo browser provides secure access to protect enterprise data and applications. Terminal identity authentication: only after a legitimate user knocks via SPA can that user access the application. Security baseline detection: the application can be accessed only after the terminal environment passes baseline detection. Secure connection: the application establishes an encrypted channel to transmit data, using encryption algorithms and national cryptographic algorithms to guarantee the integrity and confidentiality of the data and the authenticity of the identity of the communicating parties. User behavior control: copy inhibition, source code viewing inhibition, save inhibition, print inhibition, screen capture prevention, download prevention, watermarking and the like. Sensitive data stays in-domain: download actions are automatically identified and the file is redirected to the enterprise cloud disk, preventing data from leaking outside the domain. Privacy protection: browsing history, form data and cookies are encrypted before storage to prevent theft by third parties.
(2) User behavior analysis and security risk identification, specifically: user behavior security baseline: the security gateway performs unified analysis and evaluation based on the identity information, device state, user behavior and other data reported by the terminal, and forms a user behavior security baseline. Threat analysis: monitoring security events and activities across enterprise networks and systems. Threat intelligence: integrating cloud threat intelligence to achieve a coordinated security response.
(3) The security control platform dynamically evaluates and handles risk, specifically: management and control based on full access identity: integrating mainstream identity sources and authentication sources. Application resource access management: fine-grained control over resources. Risk handling: detected risks are handled through a variety of handling methods.
See the following specific examples for details.
Example 1:
A browser secure access handling method, as shown in FIG. 1, includes the steps of:
S100, acquiring a login gateway address request from the browser of a user client, performing gateway login authentication on the user client, and issuing a user credential after the authentication passes, where the user credential comprises a user unique identifier;
S200, configuring corresponding user policies based on the user credential, where the user policies at least comprise browser type, login policy, data security, baseline detection, access control and handling actions;
S300, executing application security access and handling through the user policy, specifically: judging whether the browser type is the Xuenuo browser; if so, performing baseline detection based on the login request, and if the baseline detection meets the configuration requirement, allowing the user client to perform data security access and executing handling actions through the Xuenuo browser.
In one embodiment, the application security access includes user behavior control, keeping sensitive data in-domain, web page sensitive data, user behavior analysis and browser type identification;
The user behavior control at least comprises copy inhibition, source code viewing inhibition, save inhibition, print inhibition, screen capture prevention, download prevention and security behavior control;
Keeping sensitive data in-domain at least comprises automatically identifying file upload and download actions on sensitive files and redirecting them to a cloud disk, so that file data cannot leak outside the domain;
The web page sensitive data handling specifically comprises: re-rendering the originally displayed page with masking overlays and watermarks so that sensitive data is displayed in desensitized form;
The user behavior analysis specifically comprises: analysing and evaluating the identity information, device state and user behavior data of the user client to form a user behavior security baseline;
The browser type identification specifically comprises: identifying the browser type; if it is not the Xuenuo browser, intercepting the request directly, and if it is the Xuenuo browser, carrying out the corresponding handling.
In step S100, gateway login authentication is performed on the user client as shown in FIG. 2, including the following steps:
S110, acquiring the gateway address request entered by the user client and performing SPA knock authorization;
S120, releasing the login permission of the user client after the knock authorization succeeds, and closing the permission if the knock authorization is abnormal, where an abnormal knock authorization comprises a failed knock or a knock timeout;
S130, acquiring the username and password entered by the user client in the browser and verifying whether the login policy meets the configuration requirement, where the login policy comprises remote login, trusted time and trusted location.
In plain terms: after the user client enters the gateway address and clicks SPA to knock, the gateway rejects unauthorized access by default, so the user must start the browser and knock for authorization before logging in; after a successful knock the gateway releases the login permission. If the knock fails, or the gateway closes the permission after the timeout, the user is returned to the knock page. The user then enters a username and password in the browser to log in, and the gateway checks whether they are correct. The gateway also checks whether the login policy meets the configuration requirement, covering remote login, trusted time and trusted location; if the policy is triggered, login is permitted only after confirmation, either by forbidding the login or by requiring secondary authentication, according to the administrator's configuration. After login authentication passes, a credential that passes identity authentication and the policy are issued to the browser; the user credential contains the user's user_id, which serves as the user's unique identifier.
In step S300, baseline detection is performed based on the login request and, if the baseline detection meets the configuration requirement, the user client is allowed to perform data security access and execute handling actions through the Xuenuo browser, including the following steps:
S310, intercepting the login gateway address request entered by the user client and performing baseline detection;
S320, detecting whether the environment of the user client meets the configuration requirement; if the detection passes, prompting the user client that it passed and displaying the result, and if it does not pass, disallowing data security access and prompting the user;
S330, establishing secure connection communication between the Xuenuo browser and the gateway based on a communication protocol and an encryption protocol, where the communication protocol supports TCP/UDP and the encryption protocol supports national cryptographic connections, and then performing data security access and handling actions.
In one embodiment, establishing the secure connection communication between the Xuenuo browser and the gateway based on the communication protocol and the encryption protocol specifically comprises: over TCP or UDP, the browser and the gateway establish a secure channel and transmit data, with the browser encrypting data using the public key and the gateway decrypting it using the private key.
In order to make data transmission and access more secure, the method further comprises: encrypting and storing the private data accessed by the application, where the private data at least comprises browsing history, form data and cookie data.
It will therefore be appreciated that application access as referred to herein includes at least user behavior control: inhibiting copying, viewing source code, saving and printing, preventing screen capture and downloading, and similar security behavior controls;
Sensitive data stays in-domain: file upload and download actions on sensitive files are identified automatically and the file is redirected to the enterprise cloud disk, preventing file data from leaking outside the domain. Web page sensitive data: the original page is re-rendered with masking overlays and watermarks so that sensitive data is not displayed directly. User behavior analysis: the security gateway performs unified analysis and evaluation based on the identity information, device state, user behavior and other data reported by the terminal, and forms a user behavior security baseline; during access, cloud threat intelligence is integrated through a security detection engine to identify security events. Browser type identification: applications accessed by the browser pass through the gateway by way of a reverse proxy, so the gateway can identify the browser type; a non-Xuenuo browser is intercepted directly, and a Xuenuo browser receives the corresponding handling. Privacy protection: user private data produced during access, including browsing history, form data and cookies, is encrypted before storage to prevent theft by third parties.
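To make the S110 to S130 and S310 to S330 gateway flow above concrete, the following is an added example written for this page, not the patent's or Xuenuo's own implementation. It models the default-deny SPA knock with timeout, the password and login-policy checks (remote login, trusted time, administrator choice of denial or secondary authentication), the browser-type gate, baseline detection, and the five handling actions; the SPA proof format, the policy fields, the browser_type argument and the environment dict used for baseline detection are all constructed assumptions.

```python
"""Gateway admission flow modelled on steps S110-S130 and S310-S330 of the patent.
Added example, not the patent's or Xuenuo's code; the SPA proof format, policy fields,
browser_type argument and baseline environment dict are constructed assumptions."""
from dataclasses import dataclass, field
from enum import Enum
import hashlib
import hmac
import ipaddress
import secrets

class Action(Enum):
    """The five handling actions the patent lists."""
    RELEASE = "access released"
    BLOCK = "access blocked"
    BLOCK_IP = "user client source IP blocked"
    BLOCK_ACCOUNT = "user client account blocked"
    LOGOFF = "abnormal session logged off"

@dataclass
class Policy:
    browser_type: str = "Xuenuo"              # only this browser type is admitted
    trusted_hours: tuple = (8, 18)            # trusted time: UTC hours [start, end)
    trusted_nets: tuple = ("10.0.0.0/8",)     # trusted locations; anything else is a remote login
    remote_login_mode: str = "second_factor"  # administrator choice: "deny" or "second_factor"
    baseline: dict = field(default_factory=lambda: {"disk_encrypted": True, "av_running": True})
    knock_ttl: int = 60                       # seconds before a knock authorization times out
    max_failures: int = 3                     # failed logins before the source IP / account is blocked

def spa_proof(key: bytes, src_ip: str, ts: int) -> str:
    """Constructed SPA knock proof: an HMAC over the source address and a timestamp."""
    return hmac.new(key, f"{src_ip}|{ts}".encode(), "sha256").hexdigest()

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Gateway:
    def __init__(self, policy: Policy, spa_key: bytes):
        self.policy, self.spa_key = policy, spa_key
        self.users = {}        # username -> (salt, password hash, user_id)
        self.knocked = {}      # src_ip -> timestamp at which its knock authorization expires
        self.ip_failures, self.acct_failures = {}, {}
        self.blocked_ips, self.blocked_accounts = set(), set()
        self.sessions = {}     # credential -> user_id (the unique identifier in the credential)

    def add_user(self, username: str, password: str, user_id: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _pw_hash(password, salt), user_id)

    # S110/S120: the gateway rejects everything by default; a valid knock releases the
    # login permission for this source until knock_ttl elapses.
    def knock(self, src_ip: str, ts: int, proof: str) -> bool:
        expected = spa_proof(self.spa_key, src_ip, ts)
        if src_ip in self.blocked_ips or not hmac.compare_digest(proof, expected):
            return False
        self.knocked[src_ip] = ts + self.policy.knock_ttl
        return True

    # S130: username/password check, then the login policy (remote login, trusted time).
    def login(self, src_ip, username, password, now, second_factor_ok=False):
        p = self.policy
        if src_ip in self.blocked_ips:
            return Action.BLOCK_IP, "source address is blocked"
        if self.knocked.get(src_ip, 0) < now:           # no knock, failed knock, or timed out
            self.knocked.pop(src_ip, None)
            return Action.BLOCK, "knock authorization missing or expired; return to knock page"
        if username in self.blocked_accounts:
            return Action.BLOCK_ACCOUNT, "account is blocked"
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec[1], _pw_hash(password, rec[0])):
            self.ip_failures[src_ip] = self.ip_failures.get(src_ip, 0) + 1
            self.acct_failures[username] = self.acct_failures.get(username, 0) + 1
            if self.acct_failures[username] >= p.max_failures:
                self.blocked_accounts.add(username)
            if self.ip_failures[src_ip] >= p.max_failures:
                self.blocked_ips.add(src_ip)
                return Action.BLOCK_IP, "repeated login failures from this source"
            if username in self.blocked_accounts:
                return Action.BLOCK_ACCOUNT, "repeated login failures for this account"
            return Action.BLOCK, "bad username or password"
        addr = ipaddress.ip_address(src_ip)
        remote = not any(addr in ipaddress.ip_network(n) for n in p.trusted_nets)
        untrusted_time = not (p.trusted_hours[0] <= (now // 3600) % 24 < p.trusted_hours[1])
        if (remote or untrusted_time) and (p.remote_login_mode == "deny" or not second_factor_ok):
            return Action.BLOCK, "login policy triggered: denied or second factor required"
        cred = secrets.token_hex(16)                    # credential carrying the user's unique id
        self.sessions[cred] = rec[2]
        return Action.RELEASE, cred

    # S300, S310-S330: browser type gate, then baseline detection, then the disposition.
    def access(self, cred: str, browser_type: str, env: dict):
        user_id = self.sessions.get(cred)
        if user_id is None:
            return Action.LOGOFF, "unknown or expired session"
        if browser_type != self.policy.browser_type:
            return Action.BLOCK, f"non-{self.policy.browser_type} browser intercepted"
        failed = [k for k, v in self.policy.baseline.items() if env.get(k) != v]
        if failed:
            return Action.BLOCK, "baseline detection failed: " + ", ".join(failed)
        return Action.RELEASE, user_id
```

Timestamps are plain Unix seconds so the trusted-time window can be exercised deterministically; a production gateway would also expire sessions and record each disposition for the user behavior baseline.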
Example 2:
A browser secure access handling system, as shown in FIG. 3, includes a data acquisition module 100, a policy configuration module 200 and an execution handling module 300;
The data acquisition module 100 is configured to acquire a login gateway address request from the browser of a user client, perform gateway login authentication on the user client, and issue a user credential after the authentication passes, where the user credential includes a user unique identifier;
The policy configuration module 200 configures a corresponding user policy based on the user credential, where the user policy at least includes a browser type, a login policy, data security, baseline detection, access control and handling actions;
The execution handling module 300 is configured to execute application security access and handling through the user policy, specifically: judging whether the browser type is the Xuenuo browser; if so, performing baseline detection based on the login request, and if the baseline detection meets the configuration requirement, allowing the user client to perform data security access and executing handling actions through the Xuenuo browser.
Example 3:
In one embodiment, a browser secure access handling device is provided, which may be a server or a mobile terminal. The browser secure access handling device includes a processor, a memory, a network interface and a database connected by a system bus. The processor of the device provides computing and control capabilities. The memory of the device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs and a database. The internal memory provides the environment in which the operating system and computer programs on the non-volatile storage medium run. The database stores all data of the browser secure access handling device. The network interface of the device communicates with external terminals over a network connection. The computer program, when executed by the processor, implements the browser secure access handling method.
In this specification each embodiment is described progressively, each emphasising its differences from the others; for the parts that are identical or similar between embodiments, the embodiments may be referred to one another.
It will be apparent to those skilled in the art that embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal device, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should be noted that:
reference in the specification to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. Thus, the appearances of the phrase "one embodiment" or "an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the invention. In addition, the specific embodiments described in the present specification may differ in terms of parts, shapes of components, names, and the like. All equivalent or simple changes of the structure, characteristics and principle according to the inventive concept are included in the protection scope of the present invention. Those skilled in the art may make various modifications or additions to the described embodiments or substitutions in a similar manner without departing from the scope of the invention as defined in the accompanying claims.

Claims (10)

1. A browser secure access handling method, comprising the steps of:
acquiring a login gateway address request from the login browser of a user client, performing gateway login authentication on the user client, and issuing a user credential after the authentication passes, wherein the user credential comprises a user unique identifier;
configuring a corresponding user policy based on the user credential, wherein the user policy comprises at least browser type, login policy, data security, baseline detection, access control and handling actions;
executing application secure access and handling through the user policy, specifically: judging whether the browser type is the snow-no browser; if so, performing baseline detection based on the login request, and if the baseline detection meets the configuration requirement, allowing the user client to perform secure data access and execute handling actions through the snow-no browser.
2. The browser secure access handling method of claim 1, wherein the application secure access comprises user behavior control, sensitive data leaving the domain, web page sensitive data, user behavior analysis and browser type identification;
the user behavior control comprises at least copy prohibition, source code viewing prohibition, saving prohibition, printing prohibition, screen capture prevention, download prevention and security behavior control;
sensitive data leaving the domain comprises at least automatically identifying file upload and download actions for sensitive file data and routing them to a cloud disk, so that sensitive file data is prevented from leaking outside the domain;
the web page sensitive data specifically comprises: re-rendering the originally displayed page by means of decryption, masking and watermarking, so that sensitive data is displayed in desensitized form;
the user behavior analysis specifically comprises: analyzing and evaluating the identity information, device state and user behavior data of the user client to form a user behavior security baseline;
the browser type identification specifically comprises: identifying the browser type; if the browser is not the snow-no browser, intercepting it directly, and if it is the snow-no browser, performing the corresponding handling.
3. The browser secure access handling method according to claim 1, wherein performing gateway login authentication on the user client comprises the steps of:
acquiring the gateway address request entered by the user client and performing knock authorization;
releasing the login permission of the user client after the knock authorization, and closing the permission if the knock authorization is abnormal, wherein abnormal knock authorization comprises failure of the knock authorization or timeout of the knock authorization;
acquiring the user name and password entered by the user client in the browser and verifying whether the login policy meets the configuration requirement, wherein the login policy comprises remote login, trusted time and trusted position.
4. The browser secure access handling method according to claim 1, wherein performing baseline detection based on the login request and, if the baseline detection meets the configuration requirement, allowing the user client to perform secure data access and execute handling actions through the snow-no browser comprises the steps of:
intercepting the login gateway address request entered by the user client and performing baseline detection;
detecting whether the environment of the user client meets the configuration requirement; if the detection passes, prompting the user client that the detection has passed and displaying the result; if the detection does not pass, disallowing secure data access and prompting the user client;
establishing secure connection communication between the snow-no browser and the gateway based on a communication protocol and an encryption protocol, wherein the communication protocol supports TCP/UDP and the encryption protocol supports national cryptography (SM) connections, and then performing secure data access and handling actions.
5. The browser secure access handling method according to claim 1, wherein establishing secure connection communication between the snow-no browser and the gateway based on a communication protocol and an encryption protocol is specifically: based on the TCP protocol or the UDP protocol, the browser and the gateway establish a secure channel and transmit data over it, the browser encrypting data with a public key and the gateway decrypting it with the private key.
6. The browser secure access handling method of claim 5, further comprising the step of: encrypting and storing the private data accessed by the application, wherein the private data comprises at least browsing history, form data and Cookie data.
7. The browser secure access handling method of claim 1, wherein handling comprises at least: releasing access, blocking access, blocking the source IP of the user client, blocking the account of the user client, and logging off the abnormal session.
8. A browser secure access handling system, characterized by comprising a data acquisition module, a policy configuration module and an execution handling module;
the data acquisition module is used for acquiring a login gateway address request from the login browser of a user client, performing gateway login authentication on the user client, and issuing a user credential after the authentication passes, wherein the user credential comprises a user unique identifier;
the policy configuration module configures a corresponding user policy based on the user credential, wherein the user policy comprises at least browser type, login policy, data security, baseline detection, access control and handling actions;
the execution handling module is used for executing application secure access and handling through the user policy, specifically: judging whether the browser type is the snow-no browser; if so, performing baseline detection based on the login request, and if the baseline detection meets the configuration requirement, allowing the user client to perform secure data access and execute handling actions through the snow-no browser.
9. A computer readable storage medium storing a computer program which, when executed by a processor, implements the method of any one of claims 1 to 6.
10. An apparatus for browser secure access handling, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 6 when the computer program is executed.
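The decision flow of claims 1 to 4 and the handling actions of claim 7, as an added illustrative policy engine that is not part of the patent: the field names, the sample user store, the baseline items and the mapping of each failed check to a handling action are assumptions, since the claims name the checks and actions but not their implementation.

```python
from dataclasses import dataclass, field
import secrets

# Constructed sample user store; a real gateway would verify against a hashed store.
USERS = {"alice": "correct-horse-battery"}

@dataclass
class UserPolicy:
    """Per-user policy configured from the credential (claim 1); field names assumed."""
    browser_type: str = "snow-no"                     # only this browser may proceed (claim 2)
    allow_remote_login: bool = False                  # login policy: remote login (claim 3)
    trusted_hours: tuple = (8, 18)                    # login policy: trusted time (claim 3)
    trusted_locations: frozenset = frozenset({"HQ"})  # login policy: trusted position (claim 3)
    baseline: dict = field(default_factory=lambda: {"disk_encrypted": True, "av_running": True})

@dataclass
class LoginRequest:
    user: str
    password: str
    browser: str       # browser type reported with the login request
    location: str      # client position as seen by the gateway
    remote: bool       # whether this is a remote login
    hour: int          # local hour of the login attempt
    environment: dict  # client state examined by baseline detection (claim 4)

def issue_credential(user: str) -> dict:
    """Credential carrying a user unique identifier (claim 1); the format is assumed."""
    return {"user": user, "uid": f"{user}:{secrets.token_hex(8)}"}

def handle(req: LoginRequest, policy: UserPolicy) -> tuple:
    """Walk the checks of claims 1-4 in order and return (handling action, reason).

    Which claim-7 action answers which failure is an assumption; the patent lists
    the actions without mapping them to checks."""
    expected = USERS.get(req.user)
    if expected is None or not secrets.compare_digest(expected, req.password):
        return ("block_access", "authentication failed")        # gateway login authentication
    if req.remote and not policy.allow_remote_login:
        return ("block_account", "remote login not permitted")
    low, high = policy.trusted_hours
    if not low <= req.hour < high:
        return ("block_access", "outside trusted time")
    if req.location not in policy.trusted_locations:
        return ("block_source_ip", "untrusted position")
    if req.browser != policy.browser_type:                      # non-snow-no browsers are intercepted
        return ("block_access", "unsupported browser type")
    failed = sorted(k for k, v in policy.baseline.items() if req.environment.get(k) != v)
    if failed:                                                  # baseline detection not met
        return ("block_access", "baseline failed: " + ", ".join(failed))
    return ("release_access", "all checks passed")
```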
CN202410214522.5A 2024-02-27 2024-02-27 Browser secure access handling method, system, device and readable storage medium Pending CN118074987A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410214522.5A CN118074987A (en) 2024-02-27 2024-02-27 Browser secure access handling method, system, device and readable storage medium

Publications (1)

Publication Number Publication Date
CN118074987A true CN118074987A (en) 2024-05-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination