Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Access control method, device and system, computer equipment and storage medium

An access control, computer program technology, applied in transmission systems, electrical components, etc., can solve problems such as being vulnerable to piggyback attacks, difficult to accurately set the service exposure time window, affecting normal access, etc., so as to reduce the time of scanning and detection. , the effect of reducing ineffective time and reducing risk

Active Publication Date: 2020-05-08
BEIJING QIANXIN TECH +1
View PDF11 Cites 13 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0004] In the current SPA implementation scheme, when the SDP connection opening host is located behind a Network Address Translation (NAT) device, and it is authorized by SPA to connect to the SDP accepting host, the SDP connection opening host's allowed connection IP address is the SDP connection Enable the external egress address of the host, which is the IP address of the NAT device. For example, the IP address of the host whose SDP connection is enabled is 192.168.1.2, and its converted external IP address is 10.10.1.10. After authorization, all The access request whose source IP is 10.10.1.10 can be accepted by the SDP connection accepting host. If there is an attacker at this time, it is in the same subnet as the SDP connection opening host (for example, its IP is 192.168.1.3), then its The external IP address is also 10.10.1.10. During the service exposure time window of the SDP connection accepting host, the attacker can also directly access this service. That is to say, in the above SPA implementation scheme, it is vulnerable to piggyback attacks ( Piggyback Attack, the act of illegally accessing hidden services through a legal channel established by another user)
[0005] In the existing technology, the risk of being attacked is mitigated by adopting random ports and controlling the length of the service exposure time window. However, the inventors found that the length of the service exposure time window is difficult to accurately set. The service exposure time window is opened If the service exposure time is too short, the time window will expire and be closed before legitimate users can establish an access connection, which will affect normal access. The service exposure time window will be opened for too long, leaving plenty of time for attackers to detect random ports. access service

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Access control method, device and system, computer equipment and storage medium
  • Access control method, device and system, computer equipment and storage medium
  • Access control method, device and system, computer equipment and storage medium

Examples

Experimental program
Comparison scheme
Effect test

Embodiment 1

[0035] The embodiment of the present invention provides an access control method. The execution subject of the access control method is the connection accepting host. Through the interaction with the connection opening host and the controller, the normal connection from the connection opening host to the connection accepting host can be achieved without affecting the connection opening host. On the premise of access, close the service exposure time window in time to reduce the invalid time when the service exposure time window is opened, thereby reducing the time for attackers to scan and detect, and reducing the risk of piggyback attacks. specifically, figure 1 A flow chart of the access control method provided by Embodiment 1 of the present invention, such as figure 1 As shown, the access control method provided in this embodiment includes the following steps S101 to S104.

[0036] Step S101: After the authorization detection packet is authorized, open the service exposure ...

Embodiment 2

[0054] Embodiment 2 of the present invention provides a preferred access control method to control the access of the hidden service from the connection-opening host to the connection-accepting host. Some technical features are the same as those of the first embodiment above. The specific description and corresponding technologies The effect can refer to the first embodiment above. Furthermore, in the second embodiment, by tracking the number of connections between the connection opening host and the connection accepting host, it is judged whether the target port has completed the access connection based on whether the number of connections reaches the maximum number of connections, and then the service exposure can be closed at an appropriate time. Time window to improve the accuracy of access control. specifically, figure 2 The flow chart of the access control method provided by Embodiment 2 of the present invention, such as figure 2 As shown, the access control method pr...

Embodiment 3

[0070] Corresponding to the first embodiment above, the third embodiment of the present invention provides an access control device, the access control device is set on the connection accepting host, the corresponding technical features and technical effects can be referred to above, and will not be repeated here. image 3 The block diagram of the access control device provided for Embodiment 3 of the present invention, such as image 3 As shown, the device includes an opening module 301 , a grabbing module 302 , an analysis and judgment module 303 and a closing module 304 .

[0071] Wherein, the opening module 301 is used to open the service exposure time window after the authorization detection packet is authorized, wherein, when the service exposure time window is opened, the connection opening host sending the authorization detection packet can access the target port of the connection accepting host; Grabbing module 302 is used for grabbing the data packet sent and receive...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention provides an access control method, device and system, computer equipment and a storage medium. The access control method is applied to a connection receiving host and comprises the stepsof opening a service exposure time window after authorization of an authorization detection packet is passed, wherein in the state that the service exposure time window is opened, a connection opening host sending the authorization detection packet can have access to a target port of the connection receiving host; capturing a data packet transmitted and received by the connection receiving host;analyzing the data packet to judge whether the target port completes the access connection or not; and when the target port completes the access connection, closing the service exposure time window. According to the invention, the risk of carrying attack can be reduced on the premise of not influencing normal access.

Description

technical field [0001] The present invention relates to the technical field of access control, in particular to an access control method, device, system, computer equipment and storage medium. Background technique [0002] As enterprises embrace emerging technologies such as cloud computing, mobile Internet, and IoT, their data and applications are no longer limited to the intranet. Therefore, the traditional firewall-based physical boundary defense can no longer meet the needs, and has been replaced by a software-defined boundary (Software Defined Perimeter, that is, SDP). SDP is a new generation network security model proposed by the International Cloud Security Alliance (CSA) in 2014. SDP advocates network stealth, zero trust, and minimal authorization, and is an enterprise security architecture more suitable for the cloud and mobile era. [0003] In the SDP security framework, its basic components include: SDP connection opening host, SDP connection acceptance host and...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Applications(China)
IPC IPC(8): H04L29/06
CPCH04L63/1425H04L63/1441H04L63/108
Inventor 刘成伟张泽洲简明魏勇
Owner BEIJING QIANXIN TECH
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products