WO2021068205A1 - Access control method, device, server and computer-readable medium - Google Patents
Access control method, device, server and computer-readable medium
- Publication number: WO2021068205A1 (PCT/CN2019/110639)
- Authority: WO (WIPO (PCT))
- Prior art keywords: access, caller, server, visits, access request
- Classifications: H04L9/00 (Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols); H04L9/40 (Network security protocols)
Definitions
- This application relates to the field of data access, and more specifically, to an access control method, device, server, and computer-readable medium.
- although the current rate-limiting (current-limiting) method can control the service frequency and prevent the system from crashing under requests that exceed its service capacity, the method is too uniform or fixed and not flexible enough.
- This application proposes an access control method, device, server and computer-readable medium to improve the above-mentioned drawbacks.
- an embodiment of the present application provides an access control method applied to a server, the method including: obtaining an access request sent by a caller to access the server; if the server is allowed to be accessed by the caller, executing the caller's access operation in response to the access request; obtaining the number of access requests sent by the caller within a preset time length as the caller's access count; and, according to the caller's access count:
- setting a ban period for the calling end, during which the server is prohibited from being accessed by the calling side, wherein the higher the calling side's number of visits, the greater the length of the ban period.
- an embodiment of the present application also provides an access control device, which is applied to a server, and the device includes: an acquisition unit, a response unit, a determination unit, and a processing unit.
- the obtaining unit is used to obtain the access request sent by the calling end to access the server.
- the response unit is configured to, if the server is allowed to be accessed by the calling side, respond to the access request and execute the access operation of the calling side.
- the determining unit is configured to obtain the access times of the access request sent by the caller within a preset time length as the caller's access times.
- the processing unit is configured to set a ban period for the caller according to the number of visits by the caller. During the ban period, the server is forbidden to be accessed by the caller, wherein the higher the caller's number of visits, the greater the length of the ban period.
- an embodiment of the present application also provides a server, including: one or more processors; a memory; and one or more application programs, wherein the one or more application programs are stored in the memory and configured to be executed by the one or more processors, and the one or more programs are configured to execute the above-mentioned method.
- an embodiment of the present application also provides a computer-readable medium; the readable storage medium stores program code executable by a processor, and when the instructions in the program code are executed by the processor, the processor is caused to execute the above-mentioned method.
- the access control method, device, server, and computer-readable medium provided in this application obtain the access request sent by the calling end, and the access request is the request sent when the calling end requests to access the server.
- the server judges whether the calling terminal is allowed to access; if so, it responds to the access request and executes the calling terminal's access operation.
- during the ban period, the server is forbidden to be accessed by the caller, wherein the higher the number of visits by the caller, the greater the length of the ban period.
- after the server responds to the access request of the caller, it can set a ban period for the caller according to the caller's number of visits, and the higher the caller's number of visits, the greater the length of the ban period. The ban period therefore changes dynamically with the number of visits of the calling end, which avoids a single or fixed rate-limiting method and improves the flexibility of rate limiting.
- Fig. 1 shows an application scenario diagram of the access control method and device provided by the embodiments of the present application
- FIG. 2 shows a method flowchart of an access control method provided by an embodiment of the present application
- FIG. 3 shows a method flowchart of an access control method provided by another embodiment of the present application.
- FIG. 4 shows a method flowchart of an access control method provided by another embodiment of the present application.
- FIG. 5 shows a method flowchart of an access control method provided by still another embodiment of the present application.
- FIG. 6 shows a method flowchart of an access control method provided by still another embodiment of the present application.
- FIG. 7 shows a block diagram of a module of an access control device provided by an embodiment of the present application.
- FIG. 8 shows a block diagram of a module of an access control device provided by another embodiment of the present application.
- FIG. 9 shows a module block diagram of a server provided by an embodiment of the present application.
- Fig. 10 shows a storage unit provided by an embodiment of the present application for storing or carrying program code for implementing the access control method according to the embodiment of the present application.
- FIG. 1 shows an application scenario diagram of the access control method and device provided by the embodiments of the present application.
- the electronic device 100 and the server 200 are located in a wireless network or a wired network, and the electronic device 100 and the server 200 perform data interaction.
- the client is installed in the electronic device 100, for example, it may be an application program installed in the electronic device 100.
- the user logs in through an account at the client, and all information corresponding to the account can be stored in the storage space of the server 200.
- the server 200 may be a separate server, or a server cluster, and may be a local server or a cloud server.
- when the electronic device 100 accesses the server 200, the electronic device 100 acts as a calling end and requests access to the server 200.
- most of the services in the external interface layer of a server are equipped with flow limiters in order to reject the part of the traffic that exceeds expectations.
- some service schemes use the IP or a unique device identifier to identify each caller while rate limiting, then count and record the number of calls each caller makes within a unit time; when a specified threshold is exceeded, the caller is added to a blacklist and its requests are then rejected outright. However, this way of limiting traffic is too crude. In some specific scenarios, such as flash-sale or ticket-grabbing services, some normal users will indeed send a large number of non-malicious requests in a short period of time, but their frequency cannot be compared with the tens of thousands of malicious requests per second, or even more, issued by a program. If a normal user's requests are directly classified as malicious and the user is blocked outright, it is obviously very unfriendly to the callers of the service. Therefore, this rate-limiting method is not reasonable enough, and is too simple.
- an embodiment of the present application provides an access control method, as shown in FIG. 2, which is applied to the above-mentioned server 200, so as to reasonably set the access restriction policy.
- the method includes: S201 to S204.
- the caller may be a client in the electronic device, and the access request may be a request for the caller to interact with the server.
- the access request may be a login request, a request for sending data, or a request for downloading data.
- the caller may send an access request to the server when it detects that a trigger event occurs.
- the trigger event can be triggered by the user operating the calling side, for example by clicking a button on the calling side whose corresponding operation needs to download certain data from the server or submit certain data to the server, such as submitting an order within a shopping APP; in that case the trigger is initiated by the user.
- the trigger event can also be triggered by a buried-point (tracking point) event in the calling terminal. Specifically, multiple buried points may be set in the calling terminal in advance.
- the specific preset event can also be triggered without the user, for example by a timer: the caller determines that a buried point is triggered when the timed period ends, and then sends an access request to the server.
- the access requests sent by the caller may also be sent by a program at a certain frequency; specifically, when a user or a buried point triggers a certain operation, for example a login operation, the program then sends multiple access requests to the server at a certain frequency.
- the access authority of the caller on the server may include permitted access and disallowed access.
- the access authority may be set by the server for the caller, and the server records the caller's access authority, for example by recording, against the identifier of the caller, the status of its access authority.
- when the server obtains the access request sent by the caller, it can determine the identity of the caller corresponding to the access request, and thereby determine whether the caller is allowed to access, that is, whether the server is allowed to be accessed by the caller.
- the access state parameter corresponding to the identifier of the calling terminal may be stored in the server, and it can be determined whether the calling terminal is allowed to call the server according to the parameter, which is specifically introduced in the subsequent embodiments.
- if the server determines that the calling terminal is allowed to access, it responds to the access request and executes the calling terminal's access operation.
- S203 Obtain the number of accesses of the access request sent by the caller within a preset time length as the number of accesses of the caller.
- the preset time length may be set according to requirements. Specifically, the starting point of the preset time length may be the moment of responding to the access request: that is, once the server determines that it is allowed to be accessed by the caller and responds to the access request, it counts, within the preset time length starting from that moment, the number of access requests the caller sends to the server, so as to obtain the caller's number of calls. In this embodiment, access requests acquired within that preset time length are then not responded to.
- the time starting point of the preset time length may be the time when the access request sent by the calling end to access the server is acquired.
- the server stores an access-count record for the caller: starting from the time of the first response to an access request sent by the caller, the time point of each visit is recorded and stored in the access record corresponding to that caller. Then, when the server determines that it is allowed to be accessed by the calling end and responds to the access request, it obtains from the access record the number of accesses within a preset length of time, which may be the preset length of time immediately before the time of responding to the access request.
- the number of access requests sent by the caller within the preset time length may be obtained by taking the time of responding to the access request as the end point and determining, from the access-count record, the number of access requests sent by the caller within the 1 second before that end point.
- S204 Set a ban period for the caller according to the number of visits by the caller.
- during the ban period, the server is forbidden to be accessed by the caller. The higher the number of visits by the caller, the greater the length of the ban period.
- the access prohibition period is the time period set by the server for the caller to prohibit the caller from accessing the server.
- during the ban period the server records the caller's access authority as remaining in a prohibited state, that is, the server is prohibited from being accessed by the caller.
- the ban period is determined according to the number of visits by the calling end: after the server responds to the caller's visit, it sets a ban period for the caller based on the caller's access count within the preset time length. When an access request sent by the caller is obtained later and the time of obtaining it is still within the ban period, the server's judgment of whether it is allowed to be accessed by the caller yields the result that access by the caller is prohibited, so the server does not respond to the access request and does not perform the corresponding access operation.
- the higher the number of visits of the calling terminal, the greater the length of the ban period. Therefore, calling terminals that send a large number of access requests in a short period through a program are banned for longer, and callers with fewer visits are banned for a shorter period.
- an embodiment of the present application provides an access control method. As shown in FIG. 3, the method is applied to the above-mentioned server 200 so as to reasonably set the access restriction policy. Specifically, the method includes: S301 to S306.
- S303 Obtain the number of accesses of the access request sent by the caller within a preset time length as the number of accesses of the caller.
- the functional relationship between the number of visits and the length of the banned access time: through this relationship, the number of visits is used as the input, that is, the independent variable, and the length of the banned access time is the output, that is, the dependent variable, so that the number of visits and the length of the banned access time satisfy the functional relationship.
- S305 Determine, according to the functional relationship, the length of the access prohibition time corresponding to the number of visits by the calling end.
- the number of accesses of the access request sent by the caller within the preset time length is input into the function relationship to obtain the length of the banned access time corresponding to the number of accesses of the caller.
- S306 Set a banned period for the caller according to the length of the banned period.
- the ban period is set according to the ban length. Specifically, a start time and an end time of the ban period are set such that the length of time between them is the ban length, and the period from the start time to the end time is the ban period.
- the time starting point of the banned visit period may be the moment when the banned visit time length is obtained.
- the access-ban period determined by the functional relationship still satisfies the rule that the higher the number of visits by the calling terminal, the greater the length of the access-ban period.
- the functional relationship may be one in which the greater the number of visits, the faster the length of the banned access time increases.
- the functional relationship is an increasing function: as the number of accesses increases, the output of the functional relationship also increases.
- the functional relationship may also be a function whose increments grow: as the number of visits increases, each further increase in the number of visits produces a greater increase in the length of the banned access time output by the functional relationship.
- the functional relationship may be a power function.
- the power function has the following characteristics: num is the number of visits; punish_factor is a constant greater than 1; y is the length of time banned from access.
- the power function is used to provide a scalable penalty scheme to prevent valuable service resources from being wasted.
- the higher the request frequency, the greater the punishment for malicious requests, while normal and occasional high-frequency user requests receive a smaller punishment or none.
- when the server is allowed to be accessed by the caller, the response to the access request can take into account the processing speed of the server.
- an embodiment of the present application provides an access control method, as shown in FIG. 4, which is applied to the above-mentioned server 200 so as to reasonably set the access restriction policy. Specifically, the method includes: S401 to S405.
- the access request processing rate is the number of access requests processed by the server in a unit of time.
- the access request processing rate may be set according to actual use, specifically, may be set according to the number of callers of the access request currently received by the server and the system resources of the server.
- S403 Respond to the access request according to the access request processing rate, and execute the access operation of the calling end.
- when the server obtains access requests from multiple callers, it temporarily stores them and processes them one by one according to the access request processing rate. Specifically, the access operation of the caller is executed by responding to the access request according to the access request processing rate and the leaky bucket algorithm.
- the core idea of the leaky bucket algorithm is that access requests are regarded as a water flow that first enters a container of specified capacity n (usually the number of requests the server is allowed to process per unit time, that is, the access request processing rate).
- the container can be implemented as an array, a list, etc.
- the “leaky bucket” container discharges water at a fixed rate, once every 1/n of the unit time (that is, one request is released).
- if the request rate exceeds the release rate, the bucket overflows directly (the access request frequency exceeds the interface release rate) and the request waits or is rejected. It can be seen that the leaky bucket algorithm keeps the rate at which requests enter the system for processing strict and smooth.
- S404 Obtain the number of accesses of the access request sent by the caller within a preset time length as the number of accesses of the caller.
- S405 Set a ban period for the caller according to the number of visits by the caller. During the ban period, the server is prohibited from being accessed by the caller. The higher the number of visits by the caller, the greater the length of the ban period.
- when the server obtains an access request sent by the calling end, if the server is allowed to be accessed by the calling end, it responds to the access request with the leaky bucket algorithm according to the server's access processing speed, and then uses the number of access requests sent by the caller within the preset time length to set a ban period for the caller, specifically setting the period for the caller based on the power function and the number of visits.
- after the server responds to the access request of the caller, it can set a ban period for the caller according to the caller's number of visits, and the higher the caller's number of visits, the greater the length of the ban period. The ban period therefore changes dynamically with the number of visits of the calling end, which avoids a single or fixed rate-limiting method and improves the flexibility of rate limiting.
- it uses the power function to provide a scalable penalty scheme to prevent valuable service resources from being wasted. The higher the request frequency, the greater the punishment for malicious requests, while the normal and occasional high-frequency user requests are less severely punished or not punished.
- the leaky bucket algorithm is used to respond to access requests so that the server keeps processing and responding to requests smoothly.
- an embodiment of the present application provides an access control method. As shown in Fig. 5, this method is applied to the above-mentioned server 200 so as to reasonably set the access restriction policy. Specifically, the method includes: S501 to S508.
- S501 Obtain an access request sent by the calling end for accessing the server.
- the data stored in the server for the calling end is stored in the distributed cache corresponding to the server. Specifically, the ban period, the number of visits, the access status and the other data of each calling end used by the access control method provided in this application are all stored in the distributed cache.
- Redis is an open-source key-value storage system which, based on high-speed memory access and its distributed, scalable characteristics, provides an efficient solution for the high concurrency and high availability of Internet applications. It is often used as the cache layer of distributed applications, sharing data between server instances, giving fast responses to client requests and relieving pressure on the underlying application database; its rich data structures and API also provide strong support for various application scenarios.
- the call identifier of the calling end is stored in the server, and the call identifier corresponds to the access state.
- the key is formed by concatenating the service name, the call identifier "call" and the uuid; for example, for server A the corresponding key is "serviceA_call_uuid", and the call identifier of the caller is serviceA_call_uuid.
- the call identifier includes first information and second information, where the first information is the identifier of the server and the second information is the identifier of the caller.
- the caller initiates a service call request, and the request carries a unique identifier of the caller, where the unique identifier may be the IP or device number of the caller, which may be called the uuid.
- S503 Determine whether the access state of the calling end is a state that allows access.
- the access state includes a state in which access is allowed and a state in which access is forbidden. There may also be only one state, the allowed state: as long as the access state corresponding to the call identifier is not the allowed state, the access status corresponding to the call identifier is determined to be the forbidden state. If the state is allowed, execute S504; otherwise, return to S501.
- the access status of the calling side is a state that allows access
- S505 Obtain the number of accesses of the access request sent by the caller within a preset time length as the number of accesses of the caller.
- a counter identifier is set for the caller to store the access times of the caller, that is, the value of the counter identifier is the number of visits by the caller.
- the access request includes the identification of the calling end, and the counting identification is set according to the calling identification.
- the caller initiates a service call request, and the request carries a unique identifier of the caller, where the unique identifier may be the IP or device number of the caller, which may be referred to as the uuid.
- the server identifies the calling end, concatenates "times" with the name of the server, and then concatenates the uuid string, using the result as the key. For example, for server A the corresponding key is "serviceA_times_uuid".
- the preset time length corresponding to the caller is acquired, and the number of accesses of the access request sent by the caller within the preset time length is counted as the caller's number of visits.
- the preset time lengths corresponding to different callers can be different.
- the corresponding relationship between the caller ID and the time length can be set in the server in advance; the time length corresponding to the caller ID is then looked up in that relationship and used as the preset time length corresponding to the caller.
- the server judges whether the key exists in its distributed cache redis, and there are two situations at this time:
- if the key does not exist, the key is set and counted at the same time: the value of the key is set to the initial value 1, and a preset time length is set for the key, where the preset time length is the unit time the system needs to count (as mentioned in the above embodiment, it can be 1 second).
- if the key exists, the preset time length set for the key in advance is obtained, the key's count is incremented by 1, and the accesses within the preset time length are accumulated.
- in this way, the number of access requests sent by the caller within the preset time length can be obtained.
- the incr method is used to count the access requests sent by the caller within the preset time length as the caller's number of accesses; that is, the incr method of redis is called to add 1 to the key's count.
- the Redis Incr command increases the numeric value stored in the key by one. If the key does not exist, the value of the key will be initialized to 0 first, and then the INCR operation will be executed. If the value contains the wrong type, or the value of the string type cannot be represented as a number, then an error is returned. According to the Incr instruction, the counter function can be realized.
- S506 Set a ban period for the caller according to the number of visits by the caller. During the ban period, the server is forbidden to be accessed by the caller. The higher the number of visits by the caller, the greater the length of the ban period.
- the server applies to the rate-limiting component based on the leaky bucket algorithm to execute this access request, and the rate-limiting component determines, according to the server's access request processing rate set by the system, whether this access request can be released. If the application succeeds, the access request is executed for the corresponding caller.
- S507 Set the access state of the calling end to a state of being prohibited from being accessed during the time period of prohibiting access.
- the access status of the caller is set to the forbidden state and a ban period is set for the caller; then, during the ban period, the caller's access state is kept as the forbidden state.
- the server sets the call identifier of the caller to true in redis, where true is the state that is forbidden to be accessed.
- when the server reads the call identifier as true, it determines that the caller's access state has been set to the forbidden state.
- the access request sent by the caller will not be executed, because the server continues to be in a state of being prohibited from being accessed during the banned period, and at the end of the banned period, the caller’s access status is set
- if serviceA_call_uuid indicates that access is allowed, respond to the access request according to the leaky bucket algorithm, set serviceA_call_uuid to true in redis, and set a corresponding ban period. Specifically, it can be set according to the above-mentioned power function, where num is the value of the key "serviceA_times_uuid"; the specific implementation can refer to the foregoing embodiments and is not repeated here. During the ban period, serviceA_call_uuid is kept as true.
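The Fig. 5 flow above, together with the power-function penalty and the leaky bucket described earlier, as an added Python example that is not code from the patent: it assumes the power function has the form y = num ** punish_factor with y in milliseconds, and it uses an in-memory stand-in for the Redis GET/SET/INCR/EXPIRE commands, a manually advanced clock, and constructed caller ids.

```python
# Added example (not the patent's own code): one request-handling path that
# combines the page's pieces: the "<service>_call_<uuid>" ban flag, the
# "<service>_times_<uuid>" INCR counter with a window TTL, a leaky bucket
# for the processing rate, and a ban period that grows with the count.
# Assumed, not on the page: y = num ** punish_factor in milliseconds; FakeRedis.
from typing import Callable, Optional

PUNISH_FACTOR = 2.0          # page: a constant greater than 1
COUNT_WINDOW_SECONDS = 1.0   # page: the "preset time length", e.g. 1 second
PROCESSING_RATE = 5.0        # page: n requests per unit time, one released every 1/n
BUCKET_CAPACITY = 3.0        # queue depth before the bucket overflows (assumed)


class Clock:
    """Manually advanced clock so the scenario runs deterministically offline."""
    def __init__(self) -> None:
        self.now = 0.0
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


class FakeRedis:
    """In-memory stand-in for the Redis commands used here (GET, SET EX, INCR,
    EXPIRE); a key disappears once its expiry passes, like a Redis TTL."""
    def __init__(self, clock: Callable[[], float]) -> None:
        self._clock = clock
        self._data = {}  # key -> (value, expiry time or None)

    def _live(self, key: str):
        item = self._data.get(key)
        if item is None:
            return None
        value, expiry = item
        if expiry is not None and self._clock() >= expiry:
            del self._data[key]
            return None
        return value

    def get(self, key: str):
        return self._live(key)

    def set(self, key: str, value, ex: Optional[float] = None) -> None:
        self._data[key] = (value, None if ex is None else self._clock() + ex)

    def incr(self, key: str) -> int:
        # Redis INCR semantics: a missing key counts as 0; an existing TTL is kept.
        current = self._live(key)
        expiry = self._data[key][1] if current is not None else None
        value = (int(current) if current is not None else 0) + 1
        self._data[key] = (value, expiry)
        return value

    def expire(self, key: str, seconds: float) -> None:
        if self._live(key) is not None:
            self._data[key] = (self._data[key][0], self._clock() + seconds)


class LeakyBucket:
    """Smooths the processing rate: the bucket drains `rate` requests per second,
    and a request that would overflow `capacity` is refused (wait or reject)."""
    def __init__(self, rate: float, capacity: float, clock: Callable[[], float]) -> None:
        self.rate, self.capacity, self._clock = rate, capacity, clock
        self.level = 0.0
        self._last = clock()

    def try_admit(self) -> bool:
        now = self._clock()
        self.level = max(0.0, self.level - (now - self._last) * self.rate)
        self._last = now
        if self.level + 1.0 > self.capacity:
            return False
        self.level += 1.0
        return True


def ban_length_seconds(num: int, punish_factor: float = PUNISH_FACTOR) -> float:
    """Assumed form of the page's power function, y = num ** punish_factor in
    milliseconds: a few requests per window cost almost nothing, 100 cost 10 s,
    and 10000 per window cost about 28 hours."""
    return (num ** punish_factor) / 1000.0


class AccessController:
    def __init__(self, service: str, redis: FakeRedis, bucket: LeakyBucket) -> None:
        self.service, self.redis, self.bucket = service, redis, bucket

    def handle(self, uuid: str) -> str:
        call_key = f"{self.service}_call_{uuid}"    # "true" while the caller is banned
        times_key = f"{self.service}_times_{uuid}"  # requests served in this window
        if self.redis.get(call_key) == "true":      # S503: still inside a ban period
            return "banned"
        if not self.bucket.try_admit():             # S403: processing rate exceeded
            return "throttled"
        num = self.redis.incr(times_key)            # S505: count the served request
        if num == 1:                                # first hit: start the window TTL
            self.redis.expire(times_key, COUNT_WINDOW_SECONDS)
        # S506/S507: the ban grows with num; the TTL expiring performs S609.
        self.redis.set(call_key, "true", ex=ban_length_seconds(num))
        return "served"
```

Because an absent call key is read as "allowed", a caller whose keys are evicted from the cache is treated as unrestricted, so the cache's persistence and eviction settings matter for this design.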
- an embodiment of the present application provides an access control method. As shown in FIG. 6, the method is applied to the above-mentioned server 200 so as to reasonably set the access restriction policy. Specifically, the method includes: S601 to S609.
- S601 Obtain an access request sent by the calling end to access the server.
- S602 Detect whether the call identifier of the caller can be read in the distributed cache.
- the specific implementation of the call identifier of the caller can refer to the foregoing embodiment.
- if the call identifier of the caller exists in the server, specifically in the server's redis, it means that the server has been called by that calling terminal. Conversely, when the call identifier of the calling terminal is not detected, it is determined that the server has not been called by that calling terminal, that is, that the server is allowed to be accessed by it, and S605 is then executed.
- the call identifier is serviceA_call_uuid. If there is a key value in redis, where the key value is serviceA_call_uuid, the operation of executing the access request according to the leaky bucket algorithm is executed.
- S604 Determine whether the access state of the calling end is a state that allows access.
- S606 Obtain the number of accesses of the access request sent by the caller within a preset time length as the number of accesses of the caller.
- S607 Set a ban period for the caller according to the number of visits by the caller. During the ban period, the server is prohibited from being accessed by the caller. The higher the number of visits by the caller, the greater the length of the ban period.
- S608 Set the access state of the calling terminal to a state of being prohibited from being accessed during the time period of prohibiting access.
- S609 At the end of the access prohibition period, set the access status of the caller to a state that allows access or delete the call identifier of the caller in the distributed cache.
- alternatively, the call identifier of the caller is no longer stored in the server: it can be deleted from the distributed cache at the end of the ban period.
- The way the access operation of the caller is executed can be combined with the above-mentioned judgment of whether the access status of the caller is a state that allows access: if access is allowed, it is determined that the server is allowed to be accessed by the caller, and the access operation of the caller is executed in response to the access request. For details, reference may be made to the foregoing embodiment, which is not described again here.
- FIG. 7 shows a structural block diagram of an access control apparatus 700 provided by an embodiment of the present application.
- the apparatus may include: an acquisition unit 701, a response unit 702, a determination unit 703, and a processing unit 704.
- the obtaining unit 701 is configured to obtain an access request sent by the calling end to access the server.
- the response unit 702 is configured to, if the server is allowed to be accessed by the caller, respond to the access request and execute the access operation of the caller.
- the determining unit 703 is configured to obtain the number of accesses of the access request sent by the caller within a preset time length as the number of accesses of the caller.
- the processing unit 704 is configured to set a ban period for the caller according to the number of visits by the caller. During the ban period, the server is prohibited from being accessed by the caller, wherein the higher the number of visits by the caller, the greater the length of the ban period.
- FIG. 8 shows a structural block diagram of an access control apparatus 800 provided by an embodiment of the present application.
- the apparatus may include: an acquisition unit 801, a response unit 802, a determination unit 803, a processing unit 804, and a setting unit 805.
- the obtaining unit 801 is configured to obtain an access request sent by the calling end to access the server.
- the response unit 802 is configured to respond to the access request and execute the access operation of the calling side if the server is allowed to be accessed by the calling side.
- the response unit 802 is further configured to obtain the access request processing rate of the server if the server is allowed to be accessed by the caller, respond to the access request according to the access request processing rate, and execute the access operation of the caller. Further, the response unit is configured to respond to the access request according to the access request processing rate and the leaky bucket algorithm, and execute the access operation of the caller.
- the response unit 802 is also used to obtain the access status of the caller; determine whether the access status of the caller is an allowed access state; if it is an access allowed state, determine that the server is allowed to be accessed by the caller, Then, in response to the access request, the access operation of the caller is executed.
- the response unit 802 is specifically configured to detect whether the call identifier of the caller can be read in the distributed cache; if the call identifier cannot be read, it is determined that the server is allowed to be accessed by the caller; if the call identifier can be read, the access status of the caller corresponding to the call identifier is obtained, and it is determined whether the access status of the caller is a state that allows access.
- the determining unit 803 is configured to obtain the number of accesses of the access request sent by the caller within a preset time length as the number of accesses of the caller.
- the determining unit 803 is further configured to obtain a preset time length corresponding to the caller; and count the number of accesses of the access request sent by the caller within the preset time length as the number of caller visits.
- the incr method is used to count the number of accesses of the access request sent by the caller within the preset time length as the number of caller's accesses.
- the processing unit 804 is configured to set a ban period for the caller according to the number of visits by the caller. During the ban period, the server is prohibited from being accessed by the caller, wherein the higher the number of visits by the caller, the greater the length of the ban period.
- the processing unit 804 is further configured to obtain the preset functional relationship between the number of accesses and the ban time length; determine the ban time length corresponding to the number of visits of the caller according to the functional relationship; and set the ban period for the caller according to that ban time length.
- the functional relationship is a power function: y = num^punish_factor, where num is the number of visits, punish_factor is a constant greater than 1, and y is the ban time length.
- the setting unit 805 is configured to set the access status of the calling terminal to a state in which access is prohibited during the ban period, and at the end of the ban period to set the access status of the calling terminal to a state that allows access.
- the setting unit 805 is further configured to set the access status of the calling side to a state in which access is prohibited during the ban period, and at the end of the ban period to set the access status of the calling side to a state that allows access or to delete the call identifier of the caller from the distributed cache.
- the calling identifier includes first information and second information, wherein the first information is an identifier of the server, and the second field is an identifier of the calling terminal.
- the distributed cache is a redis storage system.
- the preset time length is 1 second.
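As an added example (not the patent's own code) covering both the S601-S609 flow above and the unit descriptions here: a caller's call identifier and access state are kept in a cache keyed serviceA_call_<caller>, requests are counted per window with INCR, and a ban lasts y = num^punish_factor seconds. FakeRedis is a constructed in-memory stand-in for the redis commands used, and the threshold parameter is an assumption, since the page bans according to the count without naming a minimum.

```python
class FakeRedis:
    """Constructed in-memory stand-in for the redis commands used here (GET, SET EX,
    INCR, EXPIRE); time is explicit so key expiry can be stepped through."""
    def __init__(self):
        self.now = 0.0              # simulated clock, in seconds
        self._data = {}             # key -> [value, expire_at or None]

    def _live(self, key):
        item = self._data.get(key)
        if item is not None and item[1] is not None and self.now >= item[1]:
            del self._data[key]     # expired keys behave as if deleted
            return None
        return item

    def get(self, key):
        item = self._live(key)
        return None if item is None else item[0]

    def set(self, key, value, ex=None):
        self._data[key] = [value, None if ex is None else self.now + ex]

    def incr(self, key):            # real redis INCR is atomic; serialised here
        item = self._live(key)
        if item is None:
            self._data[key] = [1, None]
            return 1
        item[0] += 1
        return item[0]

    def expire(self, key, seconds):
        item = self._live(key)
        if item is not None:
            item[1] = self.now + seconds

class AccessController:
    def __init__(self, cache, service_id="serviceA", window=1.0,
                 punish_factor=1.5, threshold=3):
        # window: the preset time length (page: 1 second); punish_factor > 1 (claim 5).
        # threshold is an assumption: a ban starts once the count in a window exceeds it.
        self.cache, self.service_id, self.window = cache, service_id, window
        self.punish_factor, self.threshold = punish_factor, threshold

    def _key(self, caller_id):
        # call identifier = server identifier (first information) + caller identifier
        return f"{self.service_id}_call_{caller_id}"

    def ban_length(self, num):
        return num ** self.punish_factor        # y = num^punish_factor

    def handle(self, caller_id):
        """Return 'banned' or 'served' for one access request from caller_id."""
        key = self._key(caller_id)
        # S602/S604: identifier readable and state banned -> reject the request
        if self.cache.get(key) == "banned":
            return "banned"
        # S605 would execute the request through the leaky bucket (not modelled).
        # S606: count requests in the window with INCR; TTL set on the first hit
        count_key = key + ":count"
        num = self.cache.incr(count_key)
        if num == 1:
            self.cache.expire(count_key, self.window)
        # S607/S608: ban for num^punish_factor seconds; the TTL expiring plays the
        # role of S609 (the identifier is no longer readable, so access resumes)
        if num > self.threshold:
            self.cache.set(key, "banned", ex=self.ban_length(num))
        return "served"
```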
- the coupling between the modules may be electrical, mechanical or other forms of coupling.
- each functional module in each embodiment of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module.
- the above-mentioned integrated modules can be implemented in the form of hardware or software function modules.
- the server 200 may be an electronic device capable of running application programs, such as a smart phone, a tablet computer, or an e-book.
- the server 200 in this application may include one or more of the following components: a processor 110, a memory 120, and one or more application programs.
- One or more application programs may be stored in the memory 120 and configured to be executed by the one or more processors 110, and the one or more programs are configured to execute the method described in the foregoing method embodiment.
- the processor 110 may include one or more processing cores.
- the processor 110 uses various interfaces and lines to connect the various parts of the entire server 200, and executes the various functions of the server 200 and processes data by running or executing instructions, programs, code sets, or instruction sets stored in the memory 120 and calling data stored in the memory 120.
- the processor 110 may use at least one of digital signal processing (Digital Signal Processing, DSP), Field-Programmable Gate Array (Field-Programmable Gate Array, FPGA), and Programmable Logic Array (Programmable Logic Array, PLA).
- the processor 110 may be integrated with one or a combination of a central processing unit (CPU), a graphics processing unit (GPU), a modem, and the like.
- the CPU mainly processes the operating system, user interface, and application programs; the GPU is used for rendering and drawing of display content; the modem is used for processing wireless communication. It can be understood that the above-mentioned modem may not be integrated into the processor 110, but may be implemented by a communication chip alone.
- the memory 120 may include random access memory (RAM) or read-only memory (ROM), where the memory may be the aforementioned distributed cache, that is, redis.
- the memory 120 may be used to store instructions, programs, codes, code sets or instruction sets.
- the memory 120 may include a program storage area and a data storage area, where the program storage area may store instructions for implementing the operating system, instructions for implementing at least one function (such as a touch function, sound playback function, image playback function, etc.), instructions used to implement the following various method embodiments, etc.
- the storage data area can also store data (such as phone book, audio and video data, chat record data) created by the server 200 during use.
- FIG. 10 shows a structural block diagram of a computer-readable storage medium provided by an embodiment of the present application.
- the computer-readable medium 800 stores program code, and the program code can be invoked by a processor to execute the method described in the foregoing method embodiment.
- the computer-readable storage medium 800 may be an electronic memory such as flash memory, EEPROM (Electrically Erasable Programmable Read Only Memory), EPROM, hard disk, or ROM.
- the computer-readable storage medium 800 includes a non-transitory computer-readable storage medium.
- the computer-readable storage medium 800 has storage space for the program code 810 for executing any method steps in the above-mentioned methods. These program codes can be read from or written into one or more computer program products.
- the program code 810 may be compressed in a suitable form, for example.
- the access control method, device, server, and computer-readable medium provided by the present application obtain the access request sent by the caller, and the access request is the request sent when the caller requests to access the server.
- the server judges whether it is allowed to be accessed by the calling terminal; if so, it responds to the access request and executes the calling terminal's access operation.
- a ban period is then set for the caller according to the number of visits by the caller, during which the server is forbidden to be accessed by the caller, wherein the higher the number of visits by the caller, the greater the length of the ban period.
- after the server responds to the access request of the caller, it can set a ban period for the caller according to the number of visits of the caller, and the higher the number of visits of the caller, the greater the length of the ban period. This makes the ban period change dynamically in relation to the number of visits of the calling end, avoids a single or fixed current-limiting method, and improves the flexibility of current limiting.
- the embodiments of the present application play a role in identifying malicious requests, and use the characteristics of the power function to provide a scalable penalty solution to prevent valuable service resources from being wasted.
Claims (21)
- An access control method, characterized in that it is applied to a server, the method comprising: obtaining an access request sent by a caller requesting access to the server; if the server allows access by the caller, responding to the access request and executing the access operation of the caller; obtaining the number of accesses of access requests sent by the caller within a preset time length as the caller's number of accesses; and setting a ban period for the caller according to the caller's number of accesses, during which the server prohibits access by the caller, wherein the higher the caller's number of accesses, the greater the length of the ban period.
- The method according to claim 1, characterized in that setting a ban period for the caller according to the caller's number of accesses comprises: obtaining a preset functional relationship between the number of accesses and the ban time length; determining the ban time length corresponding to the caller's number of accesses according to the functional relationship; and setting the ban period for the caller according to the ban time length.
- The method according to claim 2, characterized in that, in the functional relationship, the greater the number of accesses, the faster the ban time length increases.
- The method according to claim 3, characterized in that the functional relationship is a power function.
- The method according to claim 4, characterized in that the functional relationship between the number of accesses and the ban time length is y = num^punish_factor, where num is the number of accesses, punish_factor is a constant greater than 1, and y is the ban time length.
- The method according to any one of claims 1-5, characterized in that, if the server allows access by the caller, responding to the access request and executing the access operation of the caller comprises: if the server allows access by the caller, obtaining the access request processing rate of the server; and responding to the access request according to the access request processing rate and executing the access operation of the caller.
- The method according to claim 6, characterized in that responding to the access request according to the access request processing rate and executing the access operation of the caller comprises: responding to the access request according to the access request processing rate and the leaky bucket algorithm, and executing the access operation of the caller.
- The method according to any one of claims 1-5, characterized in that, if the server allows access by the caller, responding to the access request and executing the access operation of the caller comprises: obtaining the access state of the caller; judging whether the access state of the caller is a state that allows access; and if it is a state that allows access, determining that the server allows access by the caller, responding to the access request, and executing the access operation of the caller.
- The method according to claim 8, characterized in that, after setting a ban period for the caller according to the caller's number of accesses, the method further comprises: during the ban period, setting the access state of the caller to a state in which access is prohibited; and at the end of the ban period, setting the access state of the caller to a state that allows access.
- The method according to claim 8, characterized in that the access state and the call identifier of the caller are stored correspondingly in a distributed cache of the server, and obtaining the access state of the caller and judging whether the access state of the caller is a state that allows access comprises: detecting whether the call identifier of the caller can be read in the distributed cache; if the call identifier cannot be read, determining that the server allows access by the caller; if the call identifier can be read, obtaining the access state of the caller corresponding to the call identifier; and judging whether the access state of the caller is a state that allows access.
- The method according to claim 10, characterized in that, after setting a ban period for the caller according to the caller's number of accesses, the method further comprises: during the ban period, setting the access state of the caller to a state in which access is prohibited; and at the end of the ban period, setting the access state of the caller to a state that allows access or deleting the call identifier of the caller from the distributed cache.
- The method according to claim 11, characterized in that the call identifier comprises first information and second information, wherein the first information is an identifier of the server and the second field is an identifier of the caller.
- The method according to claim 1, characterized in that obtaining the number of accesses of access requests sent by the caller within a preset time length as the caller's number of accesses comprises: obtaining the preset time length corresponding to the caller; and counting the number of accesses of access requests sent by the caller within the preset time length as the caller's number of accesses.
- The method according to claim 13, characterized in that the caller's number of accesses is stored in a distributed cache of the server, and counting the number of accesses of access requests sent by the caller within the preset time length as the caller's number of accesses comprises: counting, by means of the incr method, the number of accesses of access requests sent by the caller within the preset time length as the caller's number of accesses.
- The method according to claim 8, 11 or 14, characterized in that the distributed cache is a redis storage system.
- The method according to claim 1, characterized in that the preset time length is 1 second.
- An access control apparatus, characterized in that it is applied to a server, the apparatus comprising: an obtaining unit for obtaining an access request sent by a caller requesting access to the server; a response unit for, if the server allows access by the caller, responding to the access request and executing the access operation of the caller; a determining unit for obtaining the number of accesses of access requests sent by the caller within a preset time length as the caller's number of accesses; and a processing unit for setting a ban period for the caller according to the caller's number of accesses, during which the server prohibits access by the caller, wherein the higher the caller's number of accesses, the greater the length of the ban period.
- The apparatus according to claim 17, characterized in that the processing unit is further configured to: obtain a preset functional relationship between the number of accesses and the ban time length; determine the ban time length corresponding to the caller's number of accesses according to the functional relationship; and set the ban period for the caller according to the ban time length.
- The apparatus according to claim 18, characterized in that the functional relationship is a power function.
- A server, characterized by comprising: one or more processors; a memory; and one or more application programs, wherein the one or more application programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs being configured to execute the method according to any one of claims 1-16.
- A computer-readable medium, characterized in that the readable storage medium stores program code executable by a processor, and when the plurality of instructions in the program code are executed by the processor, the processor executes the method according to any one of claims 1-16.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201980099241.7A CN114223177A (zh) | 2019-10-11 | 2019-10-11 | 访问控制方法、装置、服务器和计算机可读介质 |
PCT/CN2019/110639 WO2021068205A1 (zh) | 2019-10-11 | 2019-10-11 | 访问控制方法、装置、服务器和计算机可读介质 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021068205A1 true WO2021068205A1 (zh) | 2021-04-15 |
Family ID: 75437608
Country Status (2)
Country | Link |
---|---|
CN (1) | CN114223177A (zh) |
WO (1) | WO2021068205A1 (zh) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113572701A (zh) * | 2021-07-26 | 2021-10-29 | 杭州米络星科技(集团)有限公司 | 服务接口流控方法、装置、设备及存储介质 |
CN113691457A (zh) * | 2021-08-10 | 2021-11-23 | 中国银联股份有限公司 | 限流控制方法、装置、设备及存储介质 |
CN114553791A (zh) * | 2022-01-19 | 2022-05-27 | 浙江百应科技有限公司 | 一种外部接口限流方法、装置、电子设备以及存储介质 |
CN115208939A (zh) * | 2022-07-14 | 2022-10-18 | Oppo广东移动通信有限公司 | 访问控制方法、装置、存储介质及电子设备 |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1032236A1 (en) * | 1999-02-24 | 2000-08-30 | ICO Services Ltd. | Improved congestion control using access classes |
CN1816215A (zh) * | 2005-01-12 | 2006-08-09 | 株式会社Ntt都科摩 | 数据通信限制方法、数据通信限制系统及移动终端 |
CN102841915A (zh) * | 2011-05-19 | 2012-12-26 | 巴比禄股份有限公司 | 文件管理装置及其控制方法 |
CN104618352A (zh) * | 2015-01-16 | 2015-05-13 | 沈文策 | 一种基于脚本的流量防刷方法及系统 |
CN107547548A (zh) * | 2017-09-05 | 2018-01-05 | 北京京东尚科信息技术有限公司 | 数据处理方法及系统 |
CN109743294A (zh) * | 2018-12-13 | 2019-05-10 | 平安科技(深圳)有限公司 | 接口访问控制方法、装置、计算机设备及存储介质 |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108400963A (zh) * | 2017-10-23 | 2018-08-14 | 平安科技(深圳)有限公司 | 电子装置、访问请求控制方法和计算机可读存储介质 |
CN109873794B (zh) * | 2017-12-04 | 2022-11-08 | 北京安云世纪科技有限公司 | 一种拒绝服务攻击的防护方法及服务器 |
CN108683604B (zh) * | 2018-04-03 | 2021-11-26 | 平安科技(深圳)有限公司 | 并发访问控制方法、终端设备及介质 |
Timeline (2019)
- 2019-10-11 CN CN201980099241.7A patent/CN114223177A/zh active Pending
- 2019-10-11 WO PCT/CN2019/110639 patent/WO2021068205A1/zh active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN114223177A (zh) | 2022-03-22 |
Legal Events
Code | Title | Description |
---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19948288; Country of ref document: EP; Kind code of ref document: A1 |
NENP | Non-entry into the national phase | Ref country code: DE |
122 | Ep: pct application non-entry in european phase | Ref document number: 19948288; Country of ref document: EP; Kind code of ref document: A1 |
32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 29/09/2022) |
122 | Ep: pct application non-entry in european phase | Ref document number: 19948288; Country of ref document: EP; Kind code of ref document: A1 |