CN118101251A - Access control method and device - Google Patents

Publication number: CN118101251A
Authority: CN (China)
Prior art keywords: domain name, url, access, cross, user
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Application number: CN202410139529.5A
Other languages: Chinese (zh)
Inventor: 施瑞瑞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): New H3C Security Technologies Co Ltd
Original Assignee: New H3C Security Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by New H3C Security Technologies Co Ltd
Priority to CN202410139529.5A
Publication of CN118101251A

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

The application provides an access control method and device and relates to the technical field of security. The method can be applied to a network security device and comprises the following steps: acquiring a Uniform Resource Locator (URL) generated when a user accesses a resource; extracting domain name information from the URL; when the main domain name in the domain name information hits a domain name whitelist, releasing the URL if, based on the domain name information, the domain name access generated by the user's resource access is determined not to be cross domain name access; if the domain name access is determined, based on the domain name information, to be cross domain name access, running the URL in a set secure running environment to obtain the log data generated while the URL runs; performing security identification on the domain name information according to the log data; and blocking the URL when the domain name information is identified as containing a malicious domain name.

Description

Access control method and device
Technical Field
The present application relates to the field of security technologies, and in particular, to an access control method and apparatus.
Background
With the severe network security situation, enterprises and public institutions pay more and more attention to monitoring their network environment and place higher requirements on website access behaviour. Controlling network access behaviour autonomously, releasing only the website access strongly related to the user, and keeping most malicious attacks outside the network is the current mainstream demand.
For such access control, the main concerns are how to improve its effectiveness, improve the user experience and reduce access to malicious websites. How to perform access control through a domain name whitelist, how to handle requests to the websites of domain names in the whitelist, and the security problems caused by unrestricted cross-domain resources that are not in the whitelist are the difficulties of current implementations. For example, access control through black and white lists alone can cause various display problems when a website is accessed, such as pages that cannot be displayed properly and garbled fonts and images.
When access control is performed based on a domain name whitelist, one existing approach is rule-based whitelist behaviour monitoring: it uses a URL domain name classification feature library for domain name access control, applies black and white list restrictions to specified domain names, and prevents or only allows access to certain specified domain names. Although this scheme has a low false alarm rate, it causes many cross-site resources to fail to display, and the domain names that fail to display must be added manually, which is a heavy workload.
Another approach is rule-based access control with an active crawler. It alleviates the problem of cross-site resources failing to display under whitelist-based domain name access control, but it does so by crawling the resource sites actively referenced by the whitelisted sites and adding those sites to the whitelist.
Therefore, how to perform secure access control when a user accesses resources by domain name is one of the technical problems to be considered.
Disclosure of Invention
In view of the above, the present application provides an access control method and apparatus for performing secure domain name access control when a user accesses based on a domain name.
Specifically, the application is realized by the following technical scheme:
According to a first aspect of the present application, there is provided an access control method applied to a network security device, the method comprising:
acquiring a Uniform Resource Locator (URL) generated when a user accesses a resource;
extracting domain name information from the URL;
when the main domain name in the domain name information hits a domain name whitelist, releasing the URL if, based on the domain name information, the domain name access generated by the user's resource access is determined not to be cross domain name access;
if the domain name access is determined, based on the domain name information, to be cross domain name access, running the URL in a set secure running environment to obtain the log data generated while the URL runs;
performing security identification on the domain name information according to the log data;
and blocking the URL when the domain name information is identified as containing a malicious domain name.
According to a second aspect of the present application, there is provided an access control apparatus provided in a network security device, the apparatus comprising:
a first acquisition unit, configured to acquire a Uniform Resource Locator (URL) generated when a user accesses a resource;
an extracting unit, configured to extract domain name information from the URL;
a releasing unit, configured to release the URL when the main domain name in the domain name information hits the domain name whitelist and it is determined, based on the domain name information, that the domain name access generated by the user's resource access is not cross domain name access;
a calling unit, configured to run the URL in a set secure running environment if the domain name access is determined, based on the domain name information, to be cross domain name access, to obtain the log data generated while the URL runs, and to perform security identification on the domain name information according to the log data;
and a blocking unit, configured to block the URL when the domain name information is identified as containing a malicious domain name.
According to a third aspect of the present application there is provided an electronic device comprising a processor and a machine-readable storage medium storing a computer program executable by the processor, the processor being caused by the computer program to perform the method provided by the first aspect of the embodiment of the present application.
According to a fourth aspect of the present application there is provided a machine-readable storage medium storing a computer program which, when invoked and executed by a processor, causes the processor to carry out the method provided by the first aspect of the embodiments of the present application.
The embodiments of the application have the following beneficial effects:
In the access control method and apparatus provided by the embodiments of the application, the URL generated when a user accesses a resource is obtained; domain name information is extracted from the URL; when the main domain name in the domain name information hits a domain name whitelist, the URL is released if, based on the domain name information, the domain name access generated by the user's resource access is determined not to be cross domain name access; if the domain name access is determined to be cross domain name access, the URL is run in a set secure running environment to obtain the log data generated while the URL runs; security identification is performed on the domain name information according to the log data; and the URL is blocked when the domain name information is identified as containing a malicious domain name. Because domain name identification is performed on cross domain name access, only the resource access that involves a malicious domain name is blocked while safe cross-domain access is released, so the security threats that would arise from releasing cross domain name access directly are avoided and cross domain name access is controlled securely.
Drawings
Fig. 1 is a schematic flow chart of an access control method according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of an access control device according to an embodiment of the present application;
Fig. 3 is a schematic hardware structure of an electronic device implementing an access control method according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this disclosure, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the corresponding listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the application. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "in response to a determination" depending on the context.
The access control method provided by the application is described in detail below.
Referring to Fig. 1, which is a flowchart of an access control method provided by the present application, the method may be applied to a network security device, which may be, but is not limited to, a firewall, a security gateway and the like. When implementing the method, the network security device may perform the following steps:
S101, obtaining a uniform resource locator URL generated by the resource access of a user.
In this step, when the user accesses a resource, the access to the service resource may be triggered on a web page or in an application; based on this, the network security device captures the URL generated when the user accesses the resource.
It should be noted that the URL may be initiated directly by the user, or may be generated by the domain name server after it receives the user's initial URL, in order to meet the user's resource access requirement.
S102, extracting domain name information from the URL.
In this step, the network security device may start the operation of performing security identification on the URL after obtaining the URL.
S103, when the main domain name in the domain name information hits a domain name whitelist, releasing the URL if, based on the domain name information, the domain name access generated by the user's resource access is determined not to be cross domain name access.
In this step, when the network security device identifies the URL it is essentially identifying domain names, so the network security device extracts all the domain name information from the URL. The domain name information in a URL generally includes a main domain name, and in some cases also sub domain names or, when the access crosses domains, cross domain names. To improve the domain name recognition speed to a certain extent, the network security device may pre-configure a domain name whitelist recording each domain name allowed to pass; the domain names in the whitelist may be main domain names only or main domain names together with sub domain names, as configured according to the actual situation.
Taking the case where the whitelist holds main domain names as an illustration, the network security device extracts the main domain name from the domain name information and matches it against the domain name whitelist; a hit indicates that the service resource corresponding to the main domain name is allowed to be accessed.
It is noted that the above sub domain name may be a secondary (second-level) domain name, a tertiary (third-level) domain name, or the like, of the main domain name.
Optionally, the domain name whitelist may further record a correspondence between each legal and compliant main domain name and the user information of the users allowed to access that domain name; the user information may include, but is not limited to, the IP address from which the user accesses the resource, the unique account the user uses to access the service resource, the resource accessed by the user, and so on. Thus, when the URL is obtained, the user information of the user can also be obtained, and the domain name whitelist is queried with both the user information and the main domain name in the domain name information; the user is allowed to access the main domain name only when the whitelist contains the main domain name and the user information recorded for that main domain name contains the obtained user information.
On this basis, in order to identify cross domain names, the application further examines the domain name information once the main domain name is found in the domain name whitelist, to determine whether the domain name access caused by the current resource access is cross domain name access. When there is no cross domain name access, the domain name information (or other information it contains) matches the domain name information required for resource access under the main domain name, so the URL can be released, that is, the user's current resource access is allowed.
The term "cross domain name" means that cross-domain access occurs during the resource access, that is, the URL contains an embedded website, so that the access crosses domains. For ease of understanding, three cases that count as cross domain name access are given below with reference to Table 1:
TABLE 1
Case                                 | Example
Different domain names               | www.xx.com and www.xxx.com
Same domain name, different ports    | www.xx.com:8080 and www.xx.com:8081
Different second-level domain names  | service.xx.com and goods.xx.com
Notably, when the domain name and port are the same and only the request path differs, the access does not count as cross-domain access.
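The three cases of Table 1, together with the "same domain name and port, different path" exception, can be written as a small classifier. The following is an added example written for this page, not code from the patent or from New H3C; it assumes that an "embedded website" is a URL appearing in the path or query string of the requested URL, and that the main domain name is the last two labels of the host (a simplification that ignores multi-label public suffixes such as co.uk). Function and variable names are the example's own.

```python
import re
from urllib.parse import urlparse, parse_qsl, unquote

DEFAULT_PORTS = {"http": 80, "https": 443}
# Constructed pattern for URLs embedded inside a path or query value.
_URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def main_domain(host: str) -> str:
    """Main domain name = last two labels (assumption; no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def endpoint(url: str):
    """(host, port) of a URL, filling in the scheme's default port."""
    p = urlparse(url)
    if not p.hostname:
        raise ValueError(f"no host in {url!r}")
    port = p.port if p.port is not None else DEFAULT_PORTS.get(p.scheme, 0)
    return p.hostname, port          # .hostname is already lower-cased


def extract_domain_info(url: str):
    """Domain name information of a URL: the requested endpoint plus the
    endpoint of every URL embedded in its path or query string."""
    primary = endpoint(url)
    p = urlparse(url)
    texts = [unquote(p.path)] + [v for _, v in parse_qsl(p.query, keep_blank_values=True)]
    embedded = []
    for text in texts:
        for m in _URL_RE.findall(text):
            try:
                embedded.append(endpoint(m))
            except ValueError:       # malformed embedded URL: ignore it
                continue
    return primary, embedded


def cross_domain_kind(a, b):
    """Classify the pair of endpoints per Table 1.
    None means not cross-domain (same host and port; only the path may differ)."""
    (host_a, port_a), (host_b, port_b) = a, b
    if host_a == host_b:
        return None if port_a == port_b else "same domain, different port"
    if main_domain(host_a) == main_domain(host_b):
        return "different second-level domain"
    return "different domain"


def is_cross_domain_access(url: str):
    """List of Table 1 cases triggered by the URL; empty means S103 releases it."""
    primary, embedded = extract_domain_info(url)
    return [k for k in (cross_domain_kind(primary, e) for e in embedded) if k]


if __name__ == "__main__":
    for u in ("https://www.xx.com/page?redirect=https://www.xxx.com/a",
              "https://www.xx.com:8080/r?to=https%3A%2F%2Fwww.xx.com%3A8081%2Fx",
              "https://service.xx.com/?next=https://goods.xx.com/cart",
              "https://www.xx.com/a?next=https://www.xx.com/b"):
        print(u, "->", is_cross_domain_access(u))
```

Because `endpoint` applies the scheme's default port, an http:// URL embedded in an https:// page is reported as "same domain, different port" (80 versus 443), which matches Table 1 literally; a deployment that treats scheme changes separately would add that as a fourth case.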
S104, if the domain name access is determined, based on the domain name information, to be cross domain name access, running the URL in a set secure running environment to obtain the log data generated while the URL runs.
In this step, when the domain name information matches one of the cross-domain cases above, for example, the domain name information contains different domain names, or the same domain name with different ports, the network security device determines that the domain name access is cross domain name access. On this basis, in order to ensure the security of the cross-domain access, the cross-domain access needs to be identified; to improve the accuracy of the identification result, this embodiment proposes that the network security device provide a secure running environment, call that environment to simulate running the URL in it, and identify the security of the access based on the log data generated while the URL runs.
S105, carrying out safety identification processing on the domain name information according to the log data.
In this step, the log data is data related to domain name identification and may further include related data reflecting the user's resource access. The log data directly reflects which domain name the user accessed and through which address, so the accuracy of the domain name recognition result can be ensured when security identification of the domain name information is based on the log data.
S106, when the domain name information is identified to contain a malicious domain name, blocking the URL.
In this step, when the log data shows that the domain name information contains a malicious domain name, the current user is visiting an illegal domain name website and a security threat to the intranet is likely, so the URL may be blocked. This both identifies the security of cross domain name access and solves the prior-art problem of security threats caused by illegal websites being let through when cross domain name access is released directly.
When the domain name information is identified to not contain a malicious domain name, namely, belongs to normal cross domain name access, the URL can be released so as to meet the access target of the service resource requested by the user.
In the access control method provided by the application, the URL generated when a user accesses a resource is obtained; domain name information is extracted from the URL; when the main domain name in the domain name information hits a domain name whitelist, the URL is released if, based on the domain name information, the domain name access generated by the user's resource access is determined not to be cross domain name access; if the domain name access is determined to be cross domain name access, the URL is run in a set secure running environment to obtain the log data generated while the URL runs; security identification is performed on the domain name information according to the log data; and the URL is blocked when the domain name information is identified as containing a malicious domain name. Because domain name identification is performed on cross domain name access, only the resource access that involves a malicious domain name is blocked while safe cross-domain access is released, so the security threats that would arise from releasing cross domain name access directly are avoided and cross domain name access is controlled securely.
Optionally, on the basis of any of the above embodiments, before the URL is run in the set secure running environment in step S104, the method further includes the following steps: acquiring a cross domain name whitelist; and, if the domain name information contains cross domain name information that hits the cross domain name whitelist, releasing the URL.
Specifically, because domain name identification by simulating the URL takes some time, in order to save identification time to a certain extent while keeping the identification result accurate, this embodiment proposes that a cross domain name whitelist be preset in the network security device, storing the allowed cross domain names. The network security device then matches the domain names in the domain name information other than the main domain name against the cross domain name whitelist; when the match succeeds, the cross-domain access is safe and the network security device can release the URL so that the cross-domain resource is displayed to the user.
It should be noted that the cross domain name whitelist may also record a correspondence between main domain names and cross domain name information; for example, the correspondence between the main domain name and the cross domain name information in historical URLs whose cross-domain access was safe and allowed to pass may be written into the cross domain name whitelist. In this way, when the network security device determines from the domain name information that the current domain name access is cross domain name access, it obtains the main domain name and the cross domain name information from the URL and matches them against the cross domain name whitelist; when the match succeeds, the current cross domain name access is safe and the URL can be released. Optionally, the cross domain name information may be, but is not limited to, a cross domain name, a port and the like, and the cross domain name may be the cross-domain main domain name, a secondary domain name and the like in the domain name information.
Optionally, on the basis of any of the foregoing embodiments, the cross domain name whitelist may further record a correspondence between the user information of users and cross domain name information, where the user information differs from user to user. On this basis, the user's user information is obtained together with the domain name information; before the URL is simulated, it is judged whether the correspondence between the user information and the cross domain name information exists in the cross domain name whitelist. For example, when matching the cross domain name whitelist, the cross domain name information is queried first; once the whitelist is found to contain it, it is determined whether the obtained user information is among the user information recorded for that cross domain name information; when it is, the user's cross-domain access is allowed and the network security device can release the URL.
Further, when the domain name information contains no cross domain name information that hits the cross domain name whitelist, the URL is run in the set secure running environment and the log data generated while the URL runs is obtained.
Optionally, in order to improve the access control speed to a certain extent, the cross domain name whitelist may be dynamically updated. For example, when the current domain name information does not hit the cross domain name whitelist, but after the URL is simulated in the set secure running environment and security identification is performed on the generated log data the domain name information is found to contain no malicious domain name, that is, the access is safe cross-domain access, the cross domain name information in the domain name information can be written into the cross domain name whitelist, so that later resource access based on the same URL can be controlled quickly and directly from the cross domain name whitelist.
Further, cross domain name information may be safe when first used for cross-domain access but unsafe when used again after a period of time. To further improve the security of cross-domain access, this embodiment proposes that an aging time may also be set for the cross domain name information in the cross domain name whitelist, and when the aging time of a piece of cross domain name information arrives it is deleted from the whitelist. When resource access is later performed with that cross domain name information, identification is performed again; if there is still no malicious domain name, the information is written into the cross domain name whitelist again and aging-time monitoring restarts.
Accordingly, after step S106 is performed, this embodiment proposes the following processing: writing the malicious domain name contained in the domain name information into a cross domain name blacklist.
Specifically, in order to improve the access control speed to a certain extent, a cross domain name blacklist can also be set. When the domain name information contains a malicious domain name, the cross domain name access carries a security threat, that is, the cross-domain website may be an illegal or malicious website, so the cross domain name information in the domain name information is written into the cross domain name blacklist for subsequent access control.
Thus, during subsequent cross-domain access, the domain name information can be matched against the cross domain name blacklist; a hit indicates that the current resource access involves an illegal or malicious website, and the network security device can block it directly, realizing secure access control.
Optionally, the cross domain name blacklist may further record a correspondence between main domain names and cross domain name information, and/or a correspondence between user information and cross domain name information, so as to locate entries precisely. Reference is made to the description of the cross domain name whitelist above, which is not repeated here.
Optionally, the cross domain name blacklist may also be dynamically updated, for example by setting an aging time for each piece of cross domain name information in the blacklist and deleting that information from the blacklist when its aging time arrives; the related description of the cross domain name whitelist applies and is not repeated here. In this way, cross domain name information that is allowed to be accessed is not blocked outright merely because it remains in the cross domain name blacklist forever.
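The decision flow of steps S103 to S106 together with the optional cross domain name whitelist and blacklist, their dynamic update and their aging times, as described above, can be exercised end to end with the following added example. It is written for this page and is not code from the patent or from New H3C. It assumes that the domain name information has already been extracted into a main domain name plus a list of cross domain name entries (host:port strings), that a main domain name missing from the domain name whitelist is blocked, that an empty user set in the whitelist means "any user", and that the secure running environment plus the identification model are represented by an injected `identify` callable returning the entries found malicious; all names are the example's own.

```python
import time
from dataclasses import dataclass, field


@dataclass
class AgingList:
    """Cross domain name whitelist or blacklist whose entries expire after
    `ttl` seconds (the aging time in the text). Keys are
    (main domain, cross domain info, user); None is a wildcard, so the
    main-domain and per-user correspondences can be recorded or omitted."""
    ttl: float
    entries: dict = field(default_factory=dict)

    def add(self, main, cross, user=None, now=None):
        now = time.time() if now is None else now
        self.entries[(main, cross, user)] = now + self.ttl   # (re)start the aging time

    def hits(self, main, cross, user, now=None):
        now = time.time() if now is None else now
        for key, expiry in list(self.entries.items()):        # delete aged entries first
            if expiry <= now:
                del self.entries[key]
        return any(k in self.entries for k in
                   ((main, cross, user), (main, cross, None), (None, cross, user), (None, cross, None)))


class AccessController:
    """Decision flow S103-S106 plus the optional cross domain name lists.
    `identify(url, cross_entries)` stands in for running the URL in the secure
    running environment and classifying the log data; it returns the subset
    of entries found malicious (assumed interface)."""

    def __init__(self, domain_whitelist, identify, ttl=3600.0):
        # domain_whitelist: {main domain: set of allowed user ids};
        # an empty set means any user (assumed encoding of the user correspondence)
        self.domain_whitelist = domain_whitelist
        self.identify = identify
        self.cross_whitelist = AgingList(ttl)
        self.cross_blacklist = AgingList(ttl)

    def decide(self, url, user, main, cross_entries, initiator="server", now=None):
        """Return 'release' or 'block'. `main` is the main domain name and
        `cross_entries` the cross domain name information already extracted from
        the URL; `initiator` says whether the cross-domain URL was issued directly
        by the user or by the main domain's server on the user's behalf."""
        allowed = self.domain_whitelist.get(main)
        if allowed is None or (allowed and user not in allowed):
            return "block"                       # main domain misses the whitelist (assumed handling)
        if not cross_entries:
            return "release"                     # S103: not cross domain name access
        if any(self.cross_blacklist.hits(main, c, user, now) for c in cross_entries):
            return "block"                       # cross domain name blacklist hit
        unknown = [c for c in cross_entries if not self.cross_whitelist.hits(main, c, user, now)]
        if not unknown:
            return "release"                     # cross domain name whitelist hit: no simulation needed
        if initiator == "user":
            return "block"                       # user-initiated cross-domain URL is blocked outright
        malicious = self.identify(url, unknown)  # S104/S105: simulate the URL, identify the log data
        if malicious:
            for c in malicious:                  # after S106: dynamic blacklist update
                self.cross_blacklist.add(main, c, user, now)
            return "block"
        for c in unknown:                        # safe cross-domain access: whitelist it, with aging
            self.cross_whitelist.add(main, c, user, now)
        return "release"


if __name__ == "__main__":
    def demo_identify(url, entries):             # constructed stand-in for the sandbox + model
        return {e for e in entries if "evil" in e}

    ac = AccessController({"xx.com": set()}, demo_identify, ttl=60)
    print(ac.decide("https://www.xx.com/", "bob", "xx.com", ["cdn.xxx.com:443"], now=0))
    print(ac.decide("https://www.xx.com/", "bob", "xx.com", ["evil.example:443"], now=0))
```

Passing an explicit `now` keeps the aging behaviour deterministic; in a device the lookups would use the clock and the lists would be persisted, but the ordering of checks (blacklist, whitelist, initiator, then simulation) is what the text prescribes.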
Optionally, on the basis of any of the above embodiments, the step of running the URL in the set secure running environment in step S106 to obtain the log data generated while the URL runs may be performed as follows: blocking the URL when the URL belonging to cross domain name access is actively initiated by the user; and, when the URL belonging to cross domain name access is actively initiated by the domain name server of the main domain name on receiving the user's resource access, simulating the access to the URL and generating the log data.
In practical applications, cross domain name access may be actively initiated by the user or by the domain name server of the main domain name, for example by the website corresponding to a domain name in the domain name whitelist. Cross-domain access initiated directly by the user is generally prevented, whereas cross-domain access that the website itself initiates toward a third party can have its security identified. Based on this, the network security device further identifies the URL: if the URL belonging to cross domain name access is determined to be actively initiated by the user, for example when the domain name information in the URL is found to embed a third-party domain name that the user initiated, the network security device can block the URL directly; and when the URL belonging to cross domain name access is confirmed to be actively initiated by the domain name server of the main domain name on receiving the user's resource access, the URL is simulated in the set secure running environment. This improves the flexibility of access control.
Alternatively, based on any one of the above embodiments, in this embodiment, the log data may include, but is not limited to, user operation data and network traffic data; on the basis, the step of carrying out safety identification processing on the domain name information according to the log data can be carried out according to the following process: extracting host characteristic data of a host used by the user for resource access from the user operation data; extracting domain name characteristic data from the network traffic data; and inputting the host characteristic data and the domain name characteristic data into a domain name security identification model, and identifying whether the domain name information has a malicious domain name.
The domain name security recognition model is obtained by training a random forest model based on a host characteristic data sample of a sample user and a domain name characteristic data sample corresponding to resource access of the sample user.
Specifically, the host characteristic data and the domain name characteristic data are first normalised into lists (list induction) and then encoded as binary data that can be fed to the domain name security recognition model, which outputs the domain name recognition result for this cross domain name access. Because the URL is first run in the set secure running environment and the domain name security identification is then performed on the log data generated during that run, the domain name recognition result for the cross domain name access is obtained more accurately. Moreover, since the URL is run in the set secure running environment rather than directly in the network environment, the security of the intranet is further ensured.
Alternatively, the set secure running environment may be, but is not limited to, a sandbox environment. Besides the domain name identification performed with the domain name security identification model described above, the sandbox environment itself can identify some malicious download behaviour. Specifically, the sandbox environment is independent of the running environment of the network security device, so a security problem caused by running the URL in the sandbox does not affect the security of the network security device, let alone the intranet. On this basis, the network security device hands the URL to the security sandbox; the sandbox executes the URL to obtain the log data generated while it runs, performs the security identification of the domain name information on that log data, and feeds the identification result back to the network security device, which then controls the URL according to the result, thereby implementing access control over the user's resource access.
In this embodiment, by using the sandbox environment together with the domain name security identification model, malicious domain names, C&C traffic, web page tampering, advertisement pop-ups and unhealthy websites can be identified effectively, which improves the user experience and reduces the attack risk to the user's network environment.
In addition, the domain name security recognition model is trained as follows. A sample library is constructed; it can contain host characteristic data samples and domain name characteristic data samples of normal cross domain name accesses, and host characteristic data samples and domain name characteristic data samples of abnormal cross domain name accesses, each sample being labelled normal or abnormal. The sample library is then divided into a training set and a test set. A random forest is trained with the training set; after training, the trained random forest model is used to predict the test set, the predictions are compared with the true labels, indicators such as accuracy, precision or recall are calculated, and the model's predictions are evaluated on these indicators. The evaluation result determines whether the model's parameters need adjusting: if so, the relevant parameters of the random forest model are adjusted and the model is trained again with the training set; if not, training ends and the domain name security recognition model is output.
It should be noted that a random forest consists of several sub-models, so training the random forest model means training the sub-models one by one; the random forest model is trained once all sub-models are trained. For each sub-model that is not yet trained, training samples are randomly selected from the training set and that sub-model is trained, until every sub-model in the random forest model has been trained.
Alternatively, the samples in the sample library may be obtained as follows: after white-list cleaning of the top 1,000,000 popular websites, the resources of each test website or of its related sub-domain websites are accessed, and the corresponding host characteristic data samples and domain name characteristic data samples are captured. Samples can also be obtained by directly accessing, from the whitelisted domain names, resources of cross domain name websites and capturing the corresponding host characteristic data samples and domain name characteristic data samples. Of course, the above is merely an example and does not limit the samples.
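The training procedure above (sample library, training/test split, sub-models trained one by one on randomly selected samples, evaluation on accuracy, precision and recall, parameter adjustment and retraining) as an added Python example; this is not the patent's code. The sample library is constructed (binary feature vectors that copy the label with some noise, labelled normal=0 / abnormal=1), and the random forest is written from scratch with decision stumps as sub-models so that it runs without third-party libraries. The evaluation threshold, the initial parameters (5 sub-models, 2 features per sub-model) and the adjustment step are assumptions.

```python
"""Training loop of a domain name security recognition model (added example, not the patent's code)."""
import random
from collections import Counter


def make_sample_library(n=200, n_features=6, noise=0.1, seed=1):
    """Constructed sample library: each feature copies the label, flipped with
    probability `noise`, so no single feature is a perfect predictor."""
    rng = random.Random(seed)
    library = []
    for _ in range(n):
        label = rng.randint(0, 1)
        feats = [label if rng.random() >= noise else 1 - label for _ in range(n_features)]
        library.append((feats, label))
    return library


def split_library(library, test_ratio=0.25, seed=2):
    rows = library[:]
    random.Random(seed).shuffle(rows)
    n_test = int(len(rows) * test_ratio)
    return rows[n_test:], rows[:n_test]           # (training set, test set)


def gini(labels):
    if not labels:
        return 0.0
    p = sum(labels) / len(labels)
    return 1.0 - p * p - (1.0 - p) * (1.0 - p)


def majority(labels, fallback):
    labels = labels or [y for _, y in fallback]   # empty branch: fall back to the whole sample
    return int(2 * sum(labels) >= len(labels))


def train_stump(samples, feature_ids):
    """One sub-model: split on the feature with the lowest weighted Gini impurity."""
    best = None
    for f in feature_ids:
        left = [y for x, y in samples if x[f] == 0]
        right = [y for x, y in samples if x[f] == 1]
        score = (len(left) * gini(left) + len(right) * gini(right)) / len(samples)
        if best is None or score < best[0]:
            best = (score, f, majority(left, samples), majority(right, samples))
    return best[1:]                               # (feature, prediction if 0, prediction if 1)


def predict_stump(stump, x):
    f, if_zero, if_one = stump
    return if_one if x[f] == 1 else if_zero


def train_forest(train, n_trees, max_features, rng):
    """Train the sub-models one by one; each gets randomly selected training samples."""
    n_features = len(train[0][0])
    forest = []
    while len(forest) < n_trees:                  # stop once every sub-model is trained
        boot = [rng.choice(train) for _ in train]
        feats = rng.sample(range(n_features), max_features)
        forest.append(train_stump(boot, feats))
    return forest


def predict_forest(forest, x):
    votes = Counter(predict_stump(t, x) for t in forest)
    return 1 if votes[1] > votes[0] else 0


def evaluate(forest, test):
    """Compare predictions with the true labels: accuracy, precision and recall."""
    tp = fp = fn = correct = 0
    for x, y in test:
        p = predict_forest(forest, x)
        correct += int(p == y)
        tp += int(p == 1 and y == 1)
        fp += int(p == 1 and y == 0)
        fn += int(p == 0 and y == 1)
    return {"accuracy": correct / len(test),
            "precision": tp / (tp + fp) if tp + fp else 0.0,
            "recall": tp / (tp + fn) if tp + fn else 0.0}


def train_domain_model(library, target=0.9, max_rounds=5, seed=3):
    """Train, evaluate, adjust parameters and retrain until the evaluation passes."""
    rng = random.Random(seed)
    train, test = split_library(library)
    n_trees, max_features = 5, 2                  # initial parameters (assumption)
    for round_no in range(1, max_rounds + 1):
        forest = train_forest(train, n_trees, max_features, rng)
        metrics = evaluate(forest, test)
        if metrics["precision"] >= target and metrics["recall"] >= target:
            break                                 # no parameter adjustment needed
        n_trees += 10                             # adjust: more sub-models, wider feature subsets
        max_features = min(max_features + 1, len(train[0][0]))
    return {"forest": forest, "metrics": metrics, "rounds": round_no}


if __name__ == "__main__":
    result = train_domain_model(make_sample_library())
    print(len(result["forest"]), "sub-models after", result["rounds"], "round(s):", result["metrics"])
```

In a real deployment the stumps would be replaced by full decision trees and the parameter adjustment would also cover tree depth and class weighting; the loop structure, which is what the passage describes, stays the same.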
Optionally, the user operation data may include, but is not limited to, the source IP address, port, User-Agent, Referer and Access-Control-Allow-Origin headers of the user's resource access, and the like; accordingly, the host characteristic data is part or all of the user operation data. The network traffic data may include, but is not limited to, the website title, description information, domain name sequence, Cookie, Sec-Fetch-Mode, Origin, and the like; accordingly, the domain name characteristic data is part or all of the network traffic data.
Referer is an HTTP request header field that indicates the URL of the page from which the request originated. When a web page contains a link to another page and the user clicks it, the browser automatically adds the Referer header to the request, so that the server knows from which page the user came. Referer is mainly used for statistics and log analysis and for protection against hotlinking.
Access-Control-Allow-Origin is an HTTP header field that indicates the origin or domain that is allowed to access the resource. It is one of the core headers of the CORS (Cross-Origin Resource Sharing) mechanism, which controls the access rights of cross-domain requests.
Sec-Fetch-Mode is an HTTP request header field that indicates the mode in which the browser issued the request.
Origin is an HTTP request header field that indicates the origin or domain of the request; it contains the protocol, host and port. The value of the Origin field is normally generated automatically by the browser and is used for cross-domain verification in the CORS mechanism.
Therefore, implementing the access control method of any embodiment not only identifies malicious behaviour such as website Trojans and malicious domain names effectively, but also detects whether a website exhibits unsafe behaviour, so that operation and maintenance staff can be reminded to deal with it in time, which reduces both the network security impact and the bandwidth occupation. Cross-domain behaviour towards unhealthy websites can also be identified. In addition, the method is general: it can be applied to security products or software platforms, it lets users define their own release requirements for websites, and it does not cause websites to be displayed incompletely or the resource sites embedded in healthy websites to become inaccessible.
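How the user operation data and network traffic data listed above become the binary model input described earlier, as an added Python example that is not the patent's code. It takes one constructed sandbox log record, applies list induction (a vocabulary of the distinct values a field takes in the sample library, encoded one-hot) and derives cross-domain indicators from the Referer, Origin and Sec-Fetch-Mode headers. The field names, the vocabulary, the derived features and their order are assumptions; Access-Control-Allow-Origin is sent by the server in its response, so the example records it with the traffic data rather than with the user operation data.

```python
"""Binarizing sandbox log data into model input (added example, not the patent's code)."""
import ipaddress
from urllib.parse import urlsplit

FETCH_MODES = ["navigate", "cors", "no-cors", "same-origin", "websocket"]   # Sec-Fetch-Mode values

# Constructed sample library of user operation records, used only for list induction.
SAMPLE_USER_OPS = [
    {"user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"},
    {"user_agent": "curl/8.4.0"},
]

# Constructed log record for one cross domain name access observed in the sandbox.
USER_OPERATION = {
    "src_ip": "10.0.0.12",
    "src_port": 51234,
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0",
    "referer": "https://www.shop.example/checkout",
}
NETWORK_TRAFFIC = {
    "url": "https://cdn.thirdparty.example/tracker.js",
    "title": "",
    "description": "",
    "domain_sequence": ["www.shop.example", "cdn.thirdparty.example"],
    "cookie": "session=abc123",
    "sec_fetch_mode": "no-cors",
    "origin": None,
    "access_control_allow_origin": "*",     # response header (assumption: logged with the traffic)
}


def main_domain(host):
    """Simplified main domain name: last two labels (assumption)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def induce_vocab(records, field):
    """List induction: sorted list of the distinct values `field` takes in the sample library."""
    return sorted({r[field] for r in records if r.get(field) is not None})


def one_hot(value, vocab):
    return [1 if value == v else 0 for v in vocab]


def host_features(user_op, ua_vocab):
    """Host characteristic data extracted from the user operation data."""
    names = [f"ua={v}" for v in ua_vocab] + ["src_private", "src_ephemeral_port", "referer_present"]
    vec = one_hot(user_op.get("user_agent"), ua_vocab)
    vec += [
        int(ipaddress.ip_address(user_op["src_ip"]).is_private),
        int(user_op["src_port"] >= 49152),
        int(bool(user_op.get("referer"))),
    ]
    return names, vec


def domain_features(traffic, referer):
    """Domain name characteristic data extracted from the network traffic data."""
    req_main = main_domain(urlsplit(traffic["url"]).hostname or "")
    ref_host = urlsplit(referer).hostname if referer else None
    chain = {main_domain(h) for h in traffic.get("domain_sequence", [])}
    names = [f"mode={m}" for m in FETCH_MODES] + [
        "origin_present", "cookie_present", "title_empty",
        "referer_cross_domain", "multi_domain_sequence", "acao_wildcard",
    ]
    vec = one_hot(traffic.get("sec_fetch_mode"), FETCH_MODES) + [
        int(traffic.get("origin") is not None),
        int(bool(traffic.get("cookie"))),
        int(not traffic.get("title")),
        int(ref_host is not None and main_domain(ref_host) != req_main),
        int(len(chain) > 1),
        int(traffic.get("access_control_allow_origin") == "*"),
    ]
    return names, vec


def binarize(user_op, traffic, ua_vocab):
    """Model input: host feature bits followed by domain name feature bits."""
    h_names, h_vec = host_features(user_op, ua_vocab)
    d_names, d_vec = domain_features(traffic, user_op.get("referer"))
    return h_names + d_names, h_vec + d_vec


if __name__ == "__main__":
    names, vec = binarize(USER_OPERATION, NETWORK_TRAFFIC, induce_vocab(SAMPLE_USER_OPS, "user_agent"))
    for n, b in zip(names, vec):
        print(b, n)
```

The vocabulary must be induced from the sample library once and then frozen, because the model is trained on fixed vector positions; a value unseen at training time encodes as all zeros in its one-hot group rather than shifting the other columns.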
Based on the same inventive concept, the application also provides an access control device corresponding to the access control method. For the implementation of the access control device, refer to the description of the access control method above; it is not repeated here.
Referring to fig. 2, fig. 2 is an access control apparatus according to an exemplary embodiment of the present application, which is disposed in a network security device, and includes:
A first obtaining unit 201, configured to obtain a URL generated by a user performing resource access;
an extracting unit 202, configured to extract domain name information from the URL;
a releasing unit 203, configured to release the URL if, when the main domain name in the domain name information hits a domain name white list, it is determined based on the domain name information that the domain name access generated during the user's resource access does not belong to a cross domain name access;
A calling unit 204, configured to, if it is determined based on the domain name information that the domain name access belongs to a cross domain name access, run the URL in a set secure running environment, and obtain log data generated in the process of running the URL; carrying out safety identification processing on the domain name information according to the log data;
And the blocking unit 205 is configured to block the URL when it is identified that the domain name information includes a malicious domain name.
By performing domain name identification on cross domain name accesses, only the resource accesses to malicious domain names among the cross domain names are blocked, while secure cross-domain accesses are released; this avoids the security threats of releasing cross domain name accesses directly and at the same time achieves security control over cross domain name accesses.
Optionally, the apparatus further includes:
a second obtaining unit (not shown in the figure), configured to obtain a cross domain name white list before the calling unit runs the URL in the set secure running environment to obtain the log data generated while the URL runs;
the releasing unit 203 is further configured to release the URL if the domain name information contains cross domain name information that hits the cross domain name white list;
The calling unit 204 is further configured to, when there is cross domain name information hitting the cross domain name white list in the domain name information, run the URL in a set secure running environment, and obtain log data generated in the process of running the URL.
Optionally, the apparatus may further include:
a writing unit (not shown in the figure), configured to write the malicious domain name contained in the domain name information into a cross domain name blacklist after the blocking unit has blocked the URL on recognising that the domain name information contains a malicious domain name.
Optionally, based on any one of the foregoing embodiments, in this embodiment the calling unit 204 is specifically configured to block the URL when the URL belonging to the cross domain name access was actively initiated by the user, and, when the URL belonging to the cross domain name access was actively initiated by the domain name server of the main domain name while serving the user's resource access, to simulate the access to the URL and generate the log data.
Optionally, based on any one of the above embodiments, in this embodiment, the log data includes user operation data and network traffic data;
on this basis, the calling unit 204 is specifically configured to extract, from the user operation data, host characteristic data of a host used by the user for resource access; extracting domain name characteristic data from the network traffic data; inputting the host characteristic data and the domain name characteristic data into a domain name security identification model, and identifying whether the domain name information has a malicious domain name or not;
the domain name security recognition model is obtained by training a random forest model based on a host characteristic data sample of a sample user and a domain name characteristic data sample corresponding to resource access of the sample user.
Based on the same inventive concept, an embodiment of the application provides an electronic device, which can be the network security device. As shown in fig. 3, the electronic device includes a processor 301 and a machine-readable storage medium 302; the machine-readable storage medium 302 stores a computer program executable by the processor 301, and the computer program causes the processor 301 to perform the access control method of any embodiment of the present application. The electronic device further comprises a communication interface 303 and a communication bus 304, and the processor 301, the communication interface 303 and the machine-readable storage medium 302 communicate with each other via the communication bus 304.
The communication bus of the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration, only one bold line is drawn in the figure, but this does not mean there is only one bus or one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The machine-readable storage medium 302 may be a memory, which may include Random Access Memory (RAM), DDR SDRAM (Double Data Rate Synchronous Dynamic Random Access Memory) or Non-Volatile Memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and so on; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or discrete hardware components.
In addition, this embodiment also provides a machine-readable storage medium storing a computer program which, when called and executed by a processor, causes the processor to execute the access control method provided by any one of the embodiments of the present application.
The descriptions of the electronic device and machine-readable storage medium embodiments are relatively brief, since their method content is substantially the same as that of the method embodiments above; for the relevant points, refer to the description of the method embodiments.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The implementation of the functions and roles of each unit/module in the above device is shown in detail in the implementation of the corresponding steps of the above method and is not repeated here.
For the device embodiments, which essentially correspond to the method embodiments, refer to the description of the method embodiments for the relevant points. The device embodiments described above are merely illustrative: the units/modules described as separate components may or may not be physically separate, and the components shown as units/modules may or may not be physical units/modules, that is, they may be located in one place or distributed over a plurality of network units/modules. Some or all of the units/modules may be selected according to actual needs to achieve the purposes of the present solution. Those of ordinary skill in the art can understand and implement the present application without undue effort.
The foregoing description of the preferred embodiments of the application is not intended to limit it; any modification, equivalent replacement, improvement or the like made within the spirit and principles of the application falls within its scope of protection.

Claims (10)

1. An access control method, applied to a network security device, comprising:
Acquiring a Uniform Resource Locator (URL) generated by a user for resource access;
extracting domain name information from the URL;
when the main domain name in the domain name information hits a domain name white list, if the domain name access generated during the user resource access is determined not to belong to the cross domain name access based on the domain name information, the URL is released;
If the domain name access is determined to belong to cross domain name access based on the domain name information, operating the URL in a set safe operation environment to obtain log data generated in the process of operating the URL;
carrying out safety identification processing on the domain name information according to the log data;
and blocking the URL when the domain name information is identified to contain a malicious domain name.
2. The method of claim 1, wherein, prior to running the URL in a set secure operating environment to obtain log data generated during running the URL, the method further comprises:
Acquiring a cross domain name white list;
if the domain name information has the cross domain name information hitting the cross domain name white list, releasing the URL;
The method further comprises the steps of:
When the domain name information has the cross domain name information hitting the cross domain name white list, the URL is operated in a set safe operation environment, and log data generated in the process of operating the URL is obtained.
3. The method of claim 2, wherein, after blocking the URL when the domain name information is identified as containing a malicious domain name, the method further comprises:
And writing the malicious domain name contained in the domain name information into a cross domain name blacklist.
4. The method of claim 1, wherein running the URL in a set secure operating environment, obtaining log data generated during running the URL, comprises:
blocking the URL when the URL belonging to cross domain name access is actively initiated by the user;
and when the URL which belongs to cross domain name access is actively initiated by the domain name server of the main domain name when receiving the resource access of the user, simulating the operation of accessing the URL, and generating the log data.
5. The method of claim 1, wherein the log data includes user operation data and network traffic data;
And carrying out safety identification processing on the domain name information according to the log data, wherein the safety identification processing comprises the following steps:
Extracting host characteristic data of a host used by the user for resource access from the user operation data;
Extracting domain name characteristic data from the network traffic data;
inputting the host characteristic data and the domain name characteristic data into a domain name security identification model, and identifying whether the domain name information has a malicious domain name or not;
the domain name security recognition model is obtained by training a random forest model based on a host characteristic data sample of a sample user and a domain name characteristic data sample corresponding to resource access of the sample user.
6. An access control apparatus, disposed in a network security device, the apparatus comprising:
the first acquisition unit is used for acquiring a Uniform Resource Locator (URL) generated by resource access of a user;
an extracting unit for extracting domain name information from the URL;
A releasing unit, configured to release the URL if it is determined, based on the domain name information, that the domain name access generated when the user resource access does not belong to the cross domain name access when the main domain name in the domain name information hits the domain name whitelist;
The calling unit is used for operating the URL in a set safe operation environment if the domain name access belongs to cross domain name access based on the domain name information, and obtaining log data generated in the process of operating the URL; carrying out safety identification processing on the domain name information according to the log data;
And the blocking unit is used for blocking the URL when the domain name information is identified to contain the malicious domain name.
7. The apparatus as recited in claim 6, further comprising:
The second obtaining unit is used for obtaining a cross domain name white list before the calling unit runs the URL in a set safe running environment to obtain log data generated in the process of running the URL;
the releasing unit is further configured to release the URL if the domain name information includes cross domain name information hitting the cross domain name white list;
The calling unit is further configured to operate the URL in a set secure operating environment when the domain name information includes cross domain name information hitting the cross domain name whitelist, so as to obtain log data generated in the process of operating the URL.
8. The apparatus as recited in claim 7, further comprising:
And the writing unit is used for writing the malicious domain name contained in the domain name information into a cross-domain name blacklist after the blocking unit blocks the URL when recognizing that the domain name information contains the malicious domain name.
9. The apparatus of claim 6, wherein
The calling unit is specifically configured to block the URL when the URL belonging to cross domain name access is actively initiated by the user; and when the URL which belongs to cross domain name access is actively initiated by the domain name server of the main domain name when receiving the resource access of the user, simulating the operation of accessing the URL, and generating the log data.
10. The apparatus of claim 6, wherein the log data comprises user operation data and network traffic data;
The calling unit is specifically configured to extract host characteristic data of a host used by the user for accessing the resource from the user operation data; extracting domain name characteristic data from the network traffic data; inputting the host characteristic data and the domain name characteristic data into a domain name security identification model, and identifying whether the domain name information has a malicious domain name or not;
the domain name security recognition model is obtained by training a random forest model based on a host characteristic data sample of a sample user and a domain name characteristic data sample corresponding to resource access of the sample user.
CN202410139529.5A 2024-01-31 2024-01-31 Access control method and device Pending CN118101251A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410139529.5A CN118101251A (en) 2024-01-31 2024-01-31 Access control method and device

Publications (1)

Publication Number Publication Date
CN118101251A true CN118101251A (en) 2024-05-28

Family

ID=91160887

Country Status (1)

Country Link
CN (1) CN118101251A (en)

Legal Events

Date Code Title Description
PB01 Publication