CN116961967A - Data processing methods, devices, computer-readable media and electronic equipment - Google Patents


Info

Publication number
CN116961967A
Authority
CN
China
Prior art keywords
network access
api
zero
trust
comparison result
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211400208.3A
Other languages
Chinese (zh)
Inventor
吴岳廷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd

Abstract

The application belongs to the technical field of data processing and relates to a data processing method, a data processing apparatus, a computer-readable medium and an electronic device. The data processing method comprises: acquiring an event trigger time corresponding to a target request, where the target request is an application request for, or a use request of, a network access ticket, and the network access ticket is related to zero-trust network access; determining a detection time period based on the event trigger time, and acquiring API call information corresponding to the detection time period; and judging the compliance of the zero-trust network access according to the API call information, the required logic process of zero-trust network access and the marker APIs. The application can accurately judge whether a network access is abnormal, improves the reliability of the zero-trust security management system and its ability to resist attacks, and thus improves the zero-trust network security of the terminal and the office security of the enterprise.

Description

Translated from Chinese
Data processing method, device, computer-readable medium and electronic device

Technical field

This application belongs to the technical field of data processing, and specifically relates to a data processing method, a data processing apparatus, a computer-readable medium and an electronic device.

Background

Network environments contain a large number of advanced persistent threats, such as APT attacks. APT attacks typically use customized malware, 0-day vulnerabilities or related evasion techniques to break through traditional file-signature-based defence and detection equipment such as IPC, firewalls and AV, and target unknown vulnerabilities in the system as well as known vulnerabilities that have not been patched in time. Within a compromised device, an attacker uses different applications to access resources such as enterprise-internal sites, data or functional interfaces, in order to probe for system vulnerabilities and for sensitive ports exposed by enterprise resources, and bypasses the security detection logic by methods such as injecting malicious code into applications, thereby passing the access control policy and entering the stage in which network access tickets are issued between the client and the server. Worse still, by compromising a host and applying for network access tickets through multiple applications, an attacker can launch a DoS attack against intranet services.

With the widespread use of zero-trust security management systems, building such a system must take into account that the terminal's network environment is complex and easily attacked; while ensuring normal user access, it is necessary to promptly block attackers from using compromised hosts to access enterprise resources.

Summary of the invention

The purpose of this application is to provide a data processing method, a data processing apparatus, a computer-readable medium and an electronic device that can overcome the problems of low security and poor availability of zero-trust network systems in the related art.

Other features and advantages of this application will become apparent from the following detailed description, or may be learned in part by practising the application.

According to one aspect of the embodiments of this application, a data processing method is provided. The method includes: obtaining an event trigger time corresponding to a target request, where the target request is an application request for, or a use request of, a network access ticket, and the network access ticket is related to zero-trust network access; determining a detection time period based on the event trigger time, and obtaining API call information corresponding to the detection time period; and judging the compliance of the zero-trust network access according to the API call information, the required logic process of zero-trust network access and the marker APIs, where the required logic process of zero-trust network access includes the required logic process for applying for a network access ticket and the required logic process for using a network access ticket, and the marker APIs are pre-embedded APIs related to the control process of the zero-trust security management system.

According to one aspect of the embodiments of this application, a data processing apparatus is provided. The apparatus includes: an acquisition module, configured to obtain an event trigger time corresponding to a target request, where the target request is an application request for, or a use request of, a network access ticket, and the network access ticket is related to zero-trust network access; the acquisition module is further configured to determine a detection time period based on the event trigger time and to obtain API call information corresponding to the detection time period; and a judgment module, configured to judge the compliance of the zero-trust network access according to the API call information, the required logic process of zero-trust network access and the marker APIs, where the required logic process includes the required logic process for applying for a network access ticket and the required logic process for using a network access ticket, and the marker APIs are pre-embedded APIs related to the control process of the zero-trust security management system.

According to one aspect of the embodiments of this application, a computer-readable medium is provided, on which a computer program is stored; when the computer program is executed by a processor, it implements the data processing method of the above technical solution.

According to one aspect of the embodiments of this application, an electronic device is provided. The electronic device includes: a processor; and a memory for storing instructions executable by the processor; where the processor is configured to execute the data processing method of the above technical solution by executing the executable instructions.

According to one aspect of the embodiments of this application, a computer program product is provided. The computer program product includes computer instructions which, when run on a computer, cause the computer to execute the data processing method of the above technical solution.

The data processing method provided by the embodiments of this application first obtains the event trigger time corresponding to a target request, where the target request is an application request for, or a use request of, a network access ticket and the network access ticket is related to zero-trust network access; it then determines a detection time period based on the event trigger time and obtains the API call information corresponding to that detection time period; finally, it judges the compliance of the zero-trust network access according to the API call information, the required logic process of zero-trust network access and the marker APIs, where the required logic process of zero-trust network access includes the required logic process for applying for a network access ticket and the required logic process for using a network access ticket, and the marker APIs are pre-embedded APIs related to the control process of the zero-trust security management system. This application can pre-embed, in the logic process of applying for or using a network access ticket, marker APIs related to the control process of the zero-trust security management system. After an application or use request related to a network access ticket is received, the API call records within the detection time period are obtained, and the compliance of the zero-trust network access is judged by checking whether the caller process in the API call records follows the required logic path for applying for or using a network access ticket, and whether the call information is identical to the call information of the marker APIs corresponding to the required logic process for applying for or using a network access ticket. On the one hand, this precisely distinguishes normal network access from abnormal network access; on the other hand, it resists attackers who tamper with terminal services to bypass the detection logic and access control policy, or who use a compromised host to perform a DoS attack on the server. This improves the reliability of the zero-trust security management system and its ability to resist attacks, and in turn improves the zero-trust network security of the terminal and the security of enterprise office work.
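The two checks described above (the caller processes must follow the required logic path, and each marker API must be reached with the pre-embedded call information), written out as an added example that is not part of the patent: the ZT_* API names, process names, the two-second detection window and the call logs are assumptions standing in for the terminal's API hooks.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ApiCall:
    ts: datetime        # time the hooked API was invoked
    process: str        # caller process reported by the hook
    api: str            # API name
    info: tuple         # call information (arguments) captured by the hook


# Required logic process for applying for a ticket: ordered (process, API) pairs.
# Hypothetical names standing in for the zero-trust client's control-process APIs.
APPLY_PATH = (
    ("proxy_client", "ZT_HijackFlow"),        # full-traffic proxy captures the flow
    ("proxy_client", "ZT_AuthRequest"),       # proxy asks the ZT client for a credential
    ("zt_client", "ZT_MARK_ApplyTicket"),     # pre-embedded marker API
    ("zt_client", "ZT_RequestTicket"),        # ZT client sends the request to the server
)
# Marker APIs and the call information a legitimate control process passes to them.
APPLY_MARKERS = {"ZT_MARK_ApplyTicket": ("apply", "zt_client", 1)}

WINDOW_BEFORE = timedelta(seconds=2)  # assumed: detection period is the 2 s before the trigger


def detection_window(trigger):
    """Detection time period derived from the event trigger time."""
    return trigger - WINDOW_BEFORE, trigger


def check_compliance(calls, trigger, path=APPLY_PATH, markers=APPLY_MARKERS):
    """Return (compliant, reason).

    Check 1: calls to the controlled APIs inside the window must come from the
    expected caller processes in exactly the required order (no skipped steps,
    no extra callers).  Check 2: each marker API must have been invoked with the
    pre-embedded call information."""
    start, end = detection_window(trigger)
    window = sorted((c for c in calls if start <= c.ts <= end), key=lambda c: c.ts)
    controlled = {api for _, api in path}
    observed = [(c.process, c.api) for c in window if c.api in controlled]
    if observed != list(path):
        return False, f"call path {observed} deviates from the required logic path"
    for c in window:
        expected = markers.get(c.api)
        if expected is not None and c.info != expected:
            return False, f"marker {c.api} called with {c.info}, expected {expected}"
    return True, "ok"


# Constructed sample call logs (not real hook output).
T0 = datetime(2024, 1, 1, 9, 0, 0)
LEGIT = [
    ApiCall(T0 + timedelta(milliseconds=100), "proxy_client", "ZT_HijackFlow", ("10.0.0.20", 443)),
    ApiCall(T0 + timedelta(milliseconds=200), "proxy_client", "ZT_AuthRequest", ("flow-1",)),
    ApiCall(T0 + timedelta(milliseconds=300), "zt_client", "ZT_MARK_ApplyTicket", ("apply", "zt_client", 1)),
    ApiCall(T0 + timedelta(milliseconds=400), "zt_client", "ZT_RequestTicket", ("flow-1",)),
]
# A foreign process drives the ticket request directly, skipping hijack and auth.
BYPASS = [
    ApiCall(T0 + timedelta(milliseconds=300), "injected_proc", "ZT_MARK_ApplyTicket", ("apply", "zt_client", 1)),
    ApiCall(T0 + timedelta(milliseconds=400), "injected_proc", "ZT_RequestTicket", ("flow-9",)),
]
# Correct path, but the marker was reached with call information that differs
# from what the control process pre-embeds (a tampered terminal service).
TAMPERED = [LEGIT[0], LEGIT[1],
            ApiCall(T0 + timedelta(milliseconds=300), "zt_client", "ZT_MARK_ApplyTicket", ("apply", "other", 1)),
            LEGIT[3]]
TRIGGER = T0 + timedelta(milliseconds=500)  # event trigger time of the apply request

if __name__ == "__main__":
    for name, log in (("legit", LEGIT), ("bypass", BYPASS), ("tampered", TAMPERED)):
        print(name, check_compliance(log, TRIGGER))
```

Calls that fall outside the detection window are ignored, so a stale record cannot satisfy or spoil the check; only what happened around the trigger time counts.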

It should be understood that the above general description and the following detailed description are merely exemplary and explanatory, and do not limit this application.

Description of the drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application. Obviously, the drawings in the following description are only some embodiments of this application; for those of ordinary skill in the art, other drawings can be obtained from these drawings without creative effort.

Figure 1 schematically shows the structure of a system architecture to which the data processing method in an embodiment of this application is applied.

Figure 2 schematically shows a flow chart of the steps of the data processing method in an embodiment of this application.

Figure 3 schematically shows the architecture of a zero-trust security management system used in an enterprise resource system in an embodiment of this application.

Figure 4 schematically shows the data processing flow of the iOA zero-trust security management system in an embodiment of this application.

Figure 5 schematically shows the interface for configuring a zero-trust gateway in an embodiment of this application.

Figure 6 schematically shows the interface for policy configuration on the policy management page in an embodiment of this application.

Figure 7 schematically shows the interface for configuring the business systems a user may access in an embodiment of this application.

Figure 8 schematically shows the interface for configuring the sites a user may access on the add-resource page in an embodiment of this application.

Figure 9 schematically shows a structural block diagram of the data processing apparatus in an embodiment of this application.

Figure 10 schematically shows a structural block diagram of a computer system suitable for implementing an electronic device according to an embodiment of this application.

Detailed description

Example embodiments will now be described more fully with reference to the accompanying drawings. However, example embodiments can be implemented in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this application will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art.

Furthermore, the described features, structures or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of the embodiments of this application. However, those skilled in the art will recognise that the technical solution of this application may be practised without one or more of the specific details, or that other methods, components, devices, steps and so on may be adopted. In other cases, well-known methods, devices, implementations or operations are not shown or described in detail to avoid obscuring aspects of this application.

The block diagrams shown in the drawings are merely functional entities and do not necessarily correspond to physically separate entities. That is, these functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.

The flow charts shown in the drawings are merely illustrative; they need not include all contents and operations/steps, nor need they be executed in the order described. For example, some operations/steps may be split, and some may be merged or partially merged, so the actual order of execution may change according to the actual situation.

In the related art of this application, an enterprise administrator formulates and issues zero-trust access control policies per user or per user group, based on dimensions such as enterprise resources, characteristics of trusted applications and device information. From the network traffic hijacked by the access proxy, traffic whose destination is an enterprise-internal resource and which complies with the access control policy is selected; after a network access ticket has been applied for, that traffic is sent to the resource-side gateway, which performs the proxied access. In this process, the access proxy together with the access gateway builds the data channel through which access traffic to enterprise resources flows, while the zero-trust client and the zero-trust server control whether traffic is allowed to pass through that channel.

When the zero-trust server issues a network access ticket, an important factor is whether the application that initiated the traffic is trustworthy. The zero-trust client is responsible for collecting the characteristic information of the application accessing the resource, including the hash of the application's executable file, its copyright information and its digital signature information. After receiving this information, the server identifies, according to the zero-trust network access policy and the application detection information (checking by the executable file hash whether the process is a high-risk process), whether the application poses a security risk and whether it has permission to access enterprise resources.

However, the related art has corresponding drawbacks: within a compromised device, an attacker uses different applications to access resources such as enterprise-internal sites, data or functional interfaces in order to probe for system vulnerabilities and for sensitive ports exposed by enterprise resources, or bypasses the security detection logic by methods such as injecting malicious code into applications, thereby passing the zero-trust access control policy and entering the stage in which network access tickets are issued between the client and the server. Worse still, by compromising a host and applying for network access tickets through multiple applications, an attacker can launch a DoS attack against intranet services, greatly reducing the security and availability of the zero-trust network system.

In view of the related art in this field, the embodiments of this application propose a data processing method which, by performing detection and compliance judgment during the application and use stages of network access tickets, effectively defends against attackers, improves the reliability and security of the zero-trust access control system, and improves the security of enterprise office work. Before the data processing method in the embodiments of this application is described in detail, the technical terms involved in this application are explained first.

1. Login credential: after a user successfully logs in to the zero-trust client, an encrypted string assigned to that user by the zero-trust server, representing the user's login authorization information, including user information and the authorization validity period. The login credential is stored encrypted on the client.

2. Network request ticket: authorization information issued by the zero-trust server for a single network request, used to identify the authorization status of that network request.

3. Zero-trust access control policy: consists of the process information a user may use (trusted applications) and the business sites the user may access (reachable areas); when the permission is enabled, the user can reach any reachable area through any trusted application. The granularity of a zero-trust access control policy is the logged-in user, so different zero-trust policies can be formulated for different logged-in users.

4. Zero-trust gateway: deployed at the entrance to enterprise applications and data resources, responsible for verifying and forwarding every session request that accesses enterprise resources.

5. Access proxy: the terminal access proxy is a terminal agent deployed on the controlled device that initiates secure access. It is responsible for initiating the trusted identity verification request for the access subject; once the identity has been verified as trusted, it can establish an encrypted access connection with the access gateway. It is also the policy enforcement point for access control.

6. Direct access: in the zero-trust network access architecture, an application initiates a network access request to a site; after the full-traffic proxy hijacks the traffic, the full-traffic proxy initiates the network access to the target site itself, that is, it makes a direct connection, and the full-traffic proxy returns the target site's network response to the application. This access mode is called direct access.

7. Proxy access: in the zero-trust network access architecture, an application initiates a network access request to a site; after the full-traffic proxy hijacks the traffic, the full-traffic proxy forwards the traffic to the smart gateway, which accesses the target business site on its behalf; after the access, the smart gateway sends the target site's network response to the full-traffic proxy, which forwards it to the application. This access mode is called proxy access.

8. Access subject: in the network, the party initiating an access, i.e. the person/device/application accessing intranet business resources; a digital entity formed by a single factor or a combination of factors such as person, device and application.

9. Access object: in the network, the party being accessed, i.e. the enterprise intranet business resources, including applications, systems (development and test environments, operations and maintenance environments, production environments, etc.), data, interfaces, functions and so on.

10. Persistence library: data persistence is the collective term for converting in-memory data structures or object models into relational models, XML, JSON, binary streams, etc., and for converting storage models back into in-memory data models. A persistence library is the storage medium, held in a disk file or data file local to the device, for the relational model, XML, JSON, binary stream or other content converted from an in-memory data structure or object model; it can be implemented with encrypted files, embedded databases and the like.

11. Policy: a set of rules issued by the administrator from the management side for managing enterprise terminals, including patch repair, zero-trust network control, security hardening policies, etc. A policy may contain sensitive information such as tickets, validity periods and permitted use counts.

12. Five-tuple: a communication term for the set of five values describing a network access flow: source IP address, source port, destination IP address, destination port and transport-layer protocol.

Next, an exemplary system architecture to which the technical solution of this application is applied is described.

Figure 1 schematically shows a block diagram of an exemplary system architecture to which the technical solution of this application is applied.

As shown in Figure 1, the system architecture 100 may include a terminal device 101, a zero-trust server 102, a business server 103, a zero-trust gateway 104 and a network. The terminal device 101 may be any of various electronic devices with a display screen, such as a smartphone, tablet, laptop, desktop computer, smart TV or smart in-vehicle terminal, and has a zero-trust client installed. After the user logs in to the zero-trust client through the terminal device 101, the zero-trust client, the zero-trust server 102 and the zero-trust gateway 104 can together form a zero-trust security management system that provides security protection for enterprise resource access services. The zero-trust server 102 provides services such as policy issuance, network access ticket issuance and verification, submission of unknown processes for inspection, and security detection for the zero-trust security management system; the business server 103 provides enterprise resources to users accessing the enterprise business system. The iOA server 102 and the business server 103 may be independent physical servers, a server cluster or distributed system made up of multiple physical servers, or cloud servers providing cloud computing services. The zero-trust gateway 104 is deployed at the entrance to enterprise applications and data resources and is responsible for verifying, authorizing and forwarding every session request that accesses enterprise resources. The network may be a communication medium of any connection type that provides communication links between the terminal device 101 and the zero-trust server 102, and between the terminal device 101 and the business server 103, for example a wired or wireless communication link.

Depending on implementation needs, the system architecture in the embodiments of this application may have any number of terminal devices, zero-trust servers, business servers and networks. For example, the zero-trust server and the business server may each be a server group composed of multiple server devices. In addition, the technical solution provided by the embodiments of this application can be applied in the terminal device 101, specifically in the zero-trust client in the terminal device 101.

In one embodiment of this application, the access subject initiates a network access request for an access object through an application installed on the terminal device 101. The zero-trust client hijacks that network request through the proxy client, and the proxy client initiates an authentication request to the zero-trust client, that is, it applies to the zero-trust client for a credential for the current network request. After receiving the authentication request, the zero-trust client sends a network access ticket application request to the zero-trust server 102. The zero-trust server reviews the information contained in the network access ticket application request and, when the review passes, sends the network access ticket, the maximum number of uses of the ticket, the ticket validity time and similar information to the zero-trust client, which then sends this information to the proxy client. After receiving this information, the proxy client may, in one case, store it encrypted in memory and, when it is needed, fetch the encrypted network access ticket from memory, decrypt it to obtain the ticket and forward the original network access traffic based on it; in another case, it may store the information in a cache and, when it is needed, fetch the network access ticket from the cache and forward the original network access traffic based on it; or it may forward the original network access traffic directly based on the network access ticket as soon as the information is obtained. When the proxy client forwards the original network access traffic based on the network access ticket, it first sends the original network access request together with the network access ticket to the zero-trust gateway 104, which proxies the actual business access; the zero-trust gateway 104 then sends the network access ticket to the zero-trust server 102 for verification, and when the verification passes, the zero-trust gateway 104 sends the original network access request to the corresponding business server 103 to obtain the corresponding enterprise resource, which is returned to the proxy client.
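The ticket application and use exchange just described, reconstructed as an added example that is not the patent's own protocol: the ticket format (an id plus an HMAC tag), the policy shape, the maximum use count and validity time are assumptions, and the zero-trust client's relay step between proxy client and server is collapsed into the proxy client.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SERVER_KEY = b"constructed-zt-server-key"  # assumed: the ZT server's ticket MAC key


@dataclass
class TicketState:
    five_tuple: tuple   # (src_ip, src_port, dst_ip, dst_port, proto) the ticket covers
    valid_until: float  # absolute time after which the ticket is rejected
    uses_left: int      # remaining uses out of the issued maximum


class ZeroTrustServer:
    """Reviews ticket application requests and verifies tickets for the gateway."""

    def __init__(self, policy):
        self.policy = policy   # user -> (trusted app hashes, reachable destination IPs)
        self.tickets = {}      # ticket id -> TicketState

    def _tag(self, tid, five_tuple):
        msg = tid.encode() + repr(five_tuple).encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def apply_ticket(self, user, app_hash, five_tuple, now, max_uses=3, ttl=60.0):
        """Review the application; return the ticket and its limits, or None."""
        trusted_apps, reachable = self.policy.get(user, ((), ()))
        if app_hash not in trusted_apps or five_tuple[2] not in reachable:
            return None
        tid = secrets.token_hex(8)
        self.tickets[tid] = TicketState(five_tuple, now + ttl, max_uses)
        return {"ticket": f"{tid}.{self._tag(tid, five_tuple)}",
                "max_uses": max_uses, "valid_until": now + ttl}

    def verify_ticket(self, ticket, five_tuple, now):
        """Gateway-side check: authentic, bound to this flow, unexpired, uses left."""
        tid, _, tag = ticket.partition(".")
        state = self.tickets.get(tid)
        if state is None or not hmac.compare_digest(tag, self._tag(tid, five_tuple)):
            return False
        if state.five_tuple != five_tuple or now > state.valid_until or state.uses_left <= 0:
            return False
        state.uses_left -= 1   # each use consumes one of the issued maximum
        return True


class ZeroTrustGateway:
    """Proxies the business access; every request is verified with the server first."""

    def __init__(self, server, business_server):
        self.server, self.business = server, business_server

    def handle(self, request, ticket, now):
        if not self.server.verify_ticket(ticket, request["five_tuple"], now):
            return 403, "ticket rejected"
        return 200, self.business(request)


class ProxyClient:
    """Hijacks application traffic, obtains a ticket, and forwards the request with it."""

    def __init__(self, user, zt_server, gateway):
        self.user, self.server, self.gateway = user, zt_server, gateway
        self.cache = {}   # five_tuple -> ticket (the page's in-memory/cache storage)

    def forward(self, app_hash, request, now):
        ft = request["five_tuple"]
        if ft not in self.cache:
            grant = self.server.apply_ticket(self.user, app_hash, ft, now)
            if grant is None:
                return 401, "ticket application refused"
            self.cache[ft] = grant["ticket"]
        status, body = self.gateway.handle(request, self.cache[ft], now)
        if status == 403:
            self.cache.pop(ft, None)   # exhausted or expired: apply again next time
        return status, body


# Constructed demo policy and business server (not real deployment data).
POLICY = {"alice": ({"sha256:trusted-app"}, {"10.0.0.20"})}


def business_server(request):
    ft = request["five_tuple"]
    return f"resource at {ft[2]}:{ft[3]}"


def demo():
    """Three uses succeed, the fourth exhausts the ticket; an untrusted app gets none."""
    server = ZeroTrustServer(POLICY)
    proxy = ProxyClient("alice", server, ZeroTrustGateway(server, business_server))
    req = {"five_tuple": ("10.1.1.7", 51000, "10.0.0.20", 443, "tcp")}
    statuses = [proxy.forward("sha256:trusted-app", req, now=1000.0 + i)[0] for i in range(4)]
    other = {"five_tuple": ("10.1.1.7", 51001, "10.0.0.20", 443, "tcp")}
    refused = proxy.forward("sha256:unknown-app", other, now=1010.0)[0]
    return statuses, refused


if __name__ == "__main__":
    print(demo())
```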

In one embodiment of the present application, the zero-trust server 102 and the business server 103 may be cloud servers that provide cloud computing services; that is, the present application involves cloud storage and cloud computing technology.

Cloud storage is a new concept extended and developed from the concept of cloud computing. A distributed cloud storage system (hereinafter, storage system) is a storage system that, by means of functions such as cluster applications, grid technology and distributed storage file systems, brings together a large number of storage devices of various types in a network (storage devices are also called storage nodes) to work cooperatively through application software or application interfaces and jointly provide data storage and business access functions to the outside.

At present, the storage method of a storage system is to create logical volumes: when a logical volume is created, physical storage space is allocated to it, and this physical storage space may consist of the disks of one storage device or of several storage devices. A client stores data on a logical volume, that is, the data is stored on the file system. The file system splits the data into many parts, each of which is an object; an object contains not only the data but also additional information such as a data identifier (ID, identity). The file system writes each object separately into the physical storage space of the logical volume and records the storage location information of each object, so that when the client requests access to the data, the file system can let the client access the data according to the storage location information of each object.

The process by which the storage system allocates physical storage space to a logical volume is as follows: according to an estimate of the capacity of the objects to be stored on the logical volume (this estimate usually leaves a large margin relative to the actual capacity of the objects to be stored) and the RAID (Redundant Array of Independent Disks) group, the physical storage space is divided into stripes in advance; a logical volume can be understood as one stripe, and physical storage space is thereby allocated to the logical volume.

Cloud computing is a computing model that distributes computing tasks over a resource pool made up of a large number of computers, so that various application systems can obtain computing power, storage space and information services as needed. The network that provides the resources is called a "cloud". From the user's point of view the resources in the "cloud" can be expanded without limit, and can be obtained at any time, used on demand, expanded at any time and paid for according to use.

As a provider of basic cloud computing capabilities, one builds a cloud computing resource pool (cloud platform for short, generally called an IaaS (Infrastructure as a Service) platform) in which multiple types of virtual resources are deployed for external customers to choose and use. A cloud computing resource pool mainly includes computing devices (virtualized machines, including an operating system), storage devices and network devices.

Divided by logical function, a PaaS (Platform as a Service) layer can be deployed on top of the IaaS (Infrastructure as a Service) layer, and a SaaS (Software as a Service) layer on top of the PaaS layer; SaaS can also be deployed directly on IaaS. PaaS is the platform on which software runs, such as databases and web containers. SaaS is the variety of business software, such as web portals and SMS bulk senders. Generally speaking, SaaS and PaaS are upper layers relative to IaaS.

The technical solutions provided by the present application, namely the data processing method, data processing device, computer-readable medium and electronic equipment, are described in detail below in conjunction with specific implementations.

Figure 2 schematically shows a flow chart of the steps of a data processing method in an embodiment of the present application. The data processing method is executed by a zero-trust client, which may specifically be the zero-trust client installed in the terminal device 101 of Figure 1. As shown in Figure 2, the data processing method in the embodiment of the present application may mainly include the following steps S210 to S230.

Step S210: obtain the event trigger time corresponding to a target request, where the target request is an application request or a use request for a network access ticket, and the network access ticket is related to zero-trust network access;

Step S220: determine a detection time period based on the event trigger time, and obtain the API call information corresponding to the detection time period;

Step S230: judge the compliance of the zero-trust network access according to the API call information, the required logical process of zero-trust network access and the marker APIs, where the required logical process of zero-trust network access includes the required logical process for applying for a network access ticket and the required logical process for using a network access ticket, and the marker APIs are pre-embedded APIs related to the control process of the zero-trust security management system.

The data processing method provided by the embodiment of the present application pre-embeds marker APIs related to the control process of the zero-trust security management system in the logical process of applying for or using a network access ticket. When an application request or use request for a network access ticket is received, the API call records within the detection time period are obtained, and the compliance of the zero-trust network access is judged by checking whether the caller's process in the API call records follows the required logical path for applying for or using a network access ticket, and whether the call information is identical to the call information of the marker APIs corresponding to that required logical process. On the one hand, this accurately distinguishes normal network access from abnormal network access; on the other hand, it resists attackers who tamper with terminal services to bypass the detection logic and access control policies, or who use a compromised host to launch a DoS attack against the server. This improves the reliability and attack resistance of the zero-trust security management system and in turn raises the zero-trust network security of the terminal and the security of enterprise office work.

In the following, Tencent's zero-trust security management system iOA (Intelligent Office Automation) is taken as an example to explain each step of the data processing flow for network access based on a zero-trust security management system in the embodiment of the present application; accordingly, the zero-trust client is the iOA client and the zero-trust server is the iOA server. Before the data processing method of the present application is described, the zero-trust security management system involved and the flow of network access based on it are explained first.

In one embodiment of the present application, the zero-trust security management system grants access rights on the basis of trusted identity, trusted device, trusted application and trusted link, and enforces that all access must be authenticated, authorized and encrypted, enabling the new "4A office" mode in which enterprise employees can securely access authorized resources from anywhere (Anywhere), at any time (Anytime), on any device (Any device) to handle any work (Any work). Figure 3 schematically shows the architecture of a zero-trust security management system used in an enterprise resource system. As shown in Figure 3, the zero-trust security management system 300 includes a zero-trust client 301, a zero-trust gateway 302 and a zero-trust server 303; further, a proxy client 304 can be extracted from the zero-trust client 301. The zero-trust proxy 304 and the zero-trust gateway 302 provide a unified entry point through which the access subject requests the resources of the access object over the network, and the zero-trust client 301 and the zero-trust server 303 provide the authentication operation for that unified entry point: only network requests that pass authentication are forwarded by the zero-trust proxy 304 to the zero-trust gateway 302, which proxies access to the actual business system.

Figure 4 schematically shows the data processing flow for network access based on the iOA zero-trust security management system. As shown in Figure 4: (1) the access subject initiates a network request pid-URL for the access object through an application installed in the terminal device; (2) the iOA client installed in the terminal device can hijack this network request through the proxy client, which initiates an authentication request to the iOA client, that is, applies to the iOA client for the network access credential for the current network request; the request parameters of the authentication request include the source IP or domain name, source port, destination IP or domain name, destination port and the process identification number PID (Process ID) of the application; (3) using the process PID sent by the proxy client, the iOA client collects the process's MD5, process path, last modification time, copyright information, signature information and so on; (4) based on the process's MD5, path, last modification time, copyright information, signature information and so on, together with the source IP or domain name, source port, destination IP or domain name and destination port of the network request passed on by the proxy client, the iOA client applies to the iOA server for a ticket; the iOA server reviews the parameters in the ticket application request and, if the review passes, generates a network access ticket and sends the network access ticket, the maximum number of ticket uses and the ticket validity time to the iOA client; (5) the iOA client sends the collected application process to the iOA server, so that the server's inspection submission service can send the application process to the cloud virus scanning service for virus detection; (6) the iOA client sends the received network access ticket, maximum number of ticket uses and ticket validity time to the proxy client as the response; (7) the proxy client first initiates an HTTPS request to the zero-trust gateway, carrying the network access ticket passed on by the iOA client in the Authorization header field; (8) after receiving the proxy client's request, the zero-trust gateway parses the network access ticket out of the header field and verifies the ticket with the iOA server; (9) the iOA server sends the verification result to the zero-trust gateway, and if verification succeeds, the zero-trust gateway establishes a connection with the proxy client; (10) the proxy client sends the original network request to the access gateway, and the zero-trust gateway forwards it to the corresponding business server, proxying the actual application network access; (11) the business server returns the corresponding business resource to the zero-trust gateway; (12) the zero-trust gateway returns the business resource to the proxy client; (13) the proxy client returns the business resource to the terminal device. If verification of the network access ticket in (8) fails, the connection between the proxy client and the zero-trust gateway is terminated.
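The Figure 4 exchange as an added, runnable simulation (illustrative code written for this page, not Tencent's iOA implementation): the server reviews the application request and issues a ticket with a maximum use count and validity time, and the gateway verifies the ticket taken from the Authorization header with the server before proxying, counting each use and cutting the connection on failure. Assumed: the review policy is a per-application destination allow-list, the ticket is a random token the server remembers, and the header scheme is `Ticket <token>`.

```python
import secrets
from dataclasses import dataclass


@dataclass
class TicketRecord:
    """Server-side record of an issued ticket: use limit, expiry, uses so far."""
    max_uses: int
    expires_at: float
    uses: int = 0


class FakeClock:
    """Constructed clock so the validity window can be tested deterministically."""

    def __init__(self, t=1000.0):
        self.t = t

    def now(self):
        return self.t


class IoaServer:
    """Ticket center: issues tickets on review and verifies them for the gateway."""

    def __init__(self, policy, clock):
        self.policy = policy      # assumed policy: {process_md5: {allowed dst host}}
        self.clock = clock
        self.tickets = {}         # issued ticket -> TicketRecord

    def apply_ticket(self, req, max_uses=3, validity=60.0):
        """Step (4): review the application parameters; issue a ticket or refuse."""
        if req["dst"] not in self.policy.get(req["md5"], set()):
            return None           # review failed: no ticket is issued
        ticket = secrets.token_hex(16)
        rec = TicketRecord(max_uses, self.clock.now() + validity)
        self.tickets[ticket] = rec
        return {"ticket": ticket, "max_uses": max_uses, "expires_at": rec.expires_at}

    def verify_ticket(self, ticket):
        """Steps (8)-(9): valid only if known, unexpired and under its use limit."""
        rec = self.tickets.get(ticket)
        if rec is None or self.clock.now() > rec.expires_at or rec.uses >= rec.max_uses:
            return False
        rec.uses += 1             # every verified use counts against max_uses
        return True


class ZeroTrustGateway:
    """Parses the ticket out of the Authorization header and proxies on success."""

    def __init__(self, server, business_servers):
        self.server = server
        self.business_servers = business_servers   # {dst host: resource}

    def handle(self, headers, original_request):
        """Steps (8)-(13): verify with the server, then proxy or cut the connection."""
        scheme, _, ticket = headers.get("Authorization", "").partition(" ")
        if scheme != "Ticket" or not self.server.verify_ticket(ticket):
            return None           # verification failed: connection is terminated
        return self.business_servers.get(original_request["dst"])


def proxy_client_flow(gateway, original_request, ticket_info):
    """Step (7): the proxy client presents the ticket in the Authorization header."""
    headers = {"Authorization": "Ticket " + ticket_info["ticket"]}
    return gateway.handle(headers, original_request)


def demo():
    """Runs the constructed flow and returns the observable outcomes."""
    clock = FakeClock()
    server = IoaServer({"md5-of-trusted-app": {"wiki.corp.internal"}}, clock)
    gateway = ZeroTrustGateway(server, {"wiki.corp.internal": "wiki-page"})
    # constructed request: the features the iOA client collected in steps (2)-(3)
    good = {"pid": 4242, "md5": "md5-of-trusted-app", "path": "C:/app/wiki.exe",
            "src": "10.0.0.5", "dst": "wiki.corp.internal", "dport": 443}
    bad = dict(good, dst="payroll.corp.internal")       # not in the app's policy
    out = {"refused": server.apply_ticket(bad)}
    info = server.apply_ticket(good)
    out["uses"] = [proxy_client_flow(gateway, good, info) for _ in range(4)]
    later = server.apply_ticket(good)
    clock.t += 120.0                                    # past the 60 s validity
    out["expired"] = proxy_client_flow(gateway, good, later)
    out["forged"] = gateway.handle({"Authorization": "Ticket 00ff"}, good)
    return out


if __name__ == "__main__":
    print(demo())
```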

As shown in Figure 4, the iOA server is provided with multiple service modules, such as a policy center, a ticket center, an inspection submission service, a security detection service and so on.

The policy center is used to configure and issue zero-trust network access policies. When configuring a zero-trust network access policy, the iOA server can connect to the iOA management terminal and display the corresponding page in the management terminal's display interface, so that the enterprise administrator can configure the policy on that page; once configuration is complete, the zero-trust network access policy is issued to the iOA client so that the iOA client can manage users' access to network resources according to it. Figures 5-8 schematically show the configuration interface of the zero-trust network access policy. As shown in Figure 5, the enterprise administrator can configure the zero-trust gateway on the zero-trust gateway page; as shown in Figure 6, the enterprise administrator can configure policies on the policy management page, such as configuring trusted applications and business systems; as shown in Figure 7, the enterprise administrator can configure the business systems accessible to users on the accessible business systems page, and different users or user groups can be given different accessible business systems; as shown in Figure 8, the enterprise administrator can configure the sites accessible to users on the add resource page.

The ticket center responds to the iOA client's ticket application request by returning a network access ticket, and verifies the network access ticket after the zero-trust gateway has received it.

The inspection submission service sends the process of the application uploaded by the iOA client to the cloud virus scanning service for virus detection.

The security detection service specifically includes an identity verification module, a device trust module and an application detection module. The identity verification module verifies the user's identity; the device trust module verifies the terminal device's hardware information and security state; the application detection module checks whether the application process is safe, for example whether it has vulnerabilities or carries viruses or Trojans. When the security detection center passes the checks in every dimension, a network access ticket is sent to the iOA client; at the same time, the inspection submission service keeps scanning the process for viruses, and when a virus is detected in the process it notifies the iOA client to perform an asynchronous blocking operation that stops the network access ticket from being used.

The proxy client has two schemes for hijacking application traffic: full-traffic hijacking and intra-enterprise traffic hijacking. Full-traffic hijacking hijacks all network access traffic sent by the terminal device. A zero-trust architecture based on full-traffic hijacking introduces a proxy client that uses a virtual network adapter or kernel-driver traffic diversion to hijack all network access traffic on the terminal device; after the traffic's characteristics have been filtered by the zero-trust network access control policy, traffic destined for Internet sites is connected by the proxy client directly to the target site or data access interface, or, if the kernel diversion side already identifies the traffic as access to an Internet site, it is allowed through as a direct connection to the target business system or access interface; meanwhile, for the portion of the network access traffic that targets intra-enterprise data or business sites, the zero-trust gateway performs the access proxying once the network access ticket application has passed. Intra-enterprise traffic hijacking directly hijacks only the network access traffic corresponding to the intra-enterprise sites, business systems, applications, interfaces and so on configured in the zero-trust network access policy, and again the zero-trust gateway performs the access proxying once the network access ticket application has passed.

One purpose of the present application is to protect the security of enterprise office work, so the embodiments focus on access control over enterprise resources. In that access control process, to successfully reach enterprise data, interfaces or business sites through the zero-trust security management system, the access subject must successfully apply for a network access ticket and the zero-trust gateway must successfully verify that ticket. Since a network access ticket is cached for a certain period after it has been successfully obtained, and since a ticket may be misused while it is in use, the use of the same network access ticket after it has been obtained also needs to be verified in real time at the level of each access session. The embodiments of the present invention therefore focus on the two scenarios of applying for and using a network access ticket, with the aim of blocking abnormal ticket applications and abnormal ticket use.

It is worth noting that a terminal device can access enterprise business sites through multiple applications at the same time, that is, multiple parallel processes exist at the same time, and the analysis method for each process is the same; the following embodiments therefore describe only the process of one application accessing one site. Next, the data processing flow shown in Figure 2 is described with reference to Figures 3 and 4.

In step S210, the event trigger time corresponding to a target request is obtained, where the target request is an application request or a use request for a network access ticket, and the network access ticket is related to zero-trust network access.

In one embodiment of the present application, when judging whether the access subject's network access is compliant and is the expected normal access, a request related to a network access ticket must first be received; the compliance judgement method differs with the type of request. The embodiments of the present application mainly concern the two scenarios of applying for and using a network access ticket, so the target request falls into two categories: an application request for a network access ticket and a use request for a network access ticket.

After an application request or use request for a network access ticket is received, its compliance needs to be judged, and the compliance of the zero-trust network access is then judged from that result. In the embodiment of the present application, the judgement can be based on whether the caller's process is consistent with the required logical process for applying for or using a network access ticket, and on whether all of the marker APIs pre-embedded in that required logical process have been hit; if the logical process is the same and all marker APIs have been hit, the access subject's network access to the enterprise resource is compliant. The required logical processes for applying for or using a network access ticket and the marker APIs are set in advance, and the marker APIs are pre-embedded APIs corresponding to iOA's own control process.

In one embodiment of the present application, the required logical processes in the application for and use of a network access ticket include the following:

1. When applying for a network access ticket, terminal information, logged-in user information, the login ticket, application features and other information need to be collected, and the network access ticket is applied for from the iOA server on the basis of the collected information. Once the network access ticket has been successfully obtained, it needs to be placed in the encrypted cache in memory. That is, applying for a network access ticket consists of three steps: information collection, ticket application and encrypted storage.

The terminal information may specifically be the terminal's unique identifier, terminal hardware and software information, compliance check results and so on; the logged-in user information is the user name, user id and so on of the user logged in to the iOA client; the login ticket is the user's login authentication information held in memory, and users who have not completed login authentication are forbidden to access enterprise resources; the application features may specifically be the source IP or domain name, source port, destination IP or domain name and destination port, together with the process MD5, process path, last modification time, copyright information and signature information collected according to the application's process PID.

2. If the ticket application fails because of network problems or a server-side fault, the flow enters the local network access ticket generation stage: based on information similar to that in 1, the iOA client generates a local network access ticket using the generation algorithm agreed with the iOA server. It is worth noting that the local network access ticket is also a kind of zero-trust network access ticket. When traffic is forwarded on the basis of a local network access ticket, the proxy client sends the local network access ticket, the information needed to generate it and the original access request to the zero-trust gateway; after receiving the local ticket and the generation information, the zero-trust gateway sends them to the iOA server, which first generates a candidate network access ticket from the agreed generation algorithm and the generation information, and then compares the received local network access ticket with the candidate. If the two tickets are identical, ticket verification passes and the original access request may be sent to the corresponding business site; if they differ, ticket verification fails and the original access request is prevented from being sent to the corresponding business site.
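The local-ticket fallback of point 2 as an added example (not the iOA code): the client derives the local ticket from the generation information, and the server regenerates a candidate from the same information and compares it with the received ticket, so a ticket presented with altered information or a fabricated ticket is rejected. Assumed: the agreed generation algorithm is HMAC-SHA256 under a shared secret, the comparison is constant-time, and all field names and values are constructed.

```python
import hashlib
import hmac
import json

# Constructed secret standing in for whatever the client and server agree on.
AGREED_SECRET = b"constructed-shared-secret"


def canonical(info):
    """Serialise the generation information so both sides hash identical bytes."""
    return json.dumps(info, sort_keys=True, separators=(",", ":")).encode()


def generate_local_ticket(info, secret=AGREED_SECRET):
    """Client side: derive the local ticket from the collected information."""
    return hmac.new(secret, canonical(info), hashlib.sha256).hexdigest()


def server_verify_local_ticket(received_ticket, info, secret=AGREED_SECRET):
    """Server side: regenerate a candidate ticket from the same information and
    compare; compare_digest keeps the comparison time independent of where the
    two strings first differ."""
    candidate = generate_local_ticket(info, secret)
    return hmac.compare_digest(candidate, received_ticket)


def gateway_forward(received_ticket, info, original_request,
                    verify=server_verify_local_ticket):
    """Gateway: forward the original request only when the server confirms."""
    if verify(received_ticket, info):
        return ("forwarded", original_request["dst"])
    return ("blocked", None)


def demo():
    """Constructed generation information (terminal, user and app features)."""
    info = {"terminal_id": "T-0001", "user": "alice", "login_ticket": "lt-42",
            "app_md5": "md5-of-trusted-app", "dst": "wiki.corp.internal",
            "dport": 443}
    ticket = generate_local_ticket(info)
    # the same ticket presented together with altered information must fail
    altered = dict(info, dst="payroll.corp.internal")
    return {
        "genuine": gateway_forward(ticket, info, {"dst": info["dst"]}),
        "altered_info": gateway_forward(ticket, altered, {"dst": altered["dst"]}),
        "fabricated": gateway_forward("0" * 64, info, {"dst": info["dst"]}),
    }


if __name__ == "__main__":
    print(demo())
```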

3. During use of a network access ticket, the same network access ticket can be reused only when the same application accesses the same business site within the ticket's validity period. Accordingly, the encrypted network access ticket corresponding to the current traffic and application features is taken from the in-memory encrypted cache, decrypted, and sent by the access proxy to the zero-trust gateway for the ticket verification operation, while the decrypted ticket plaintext is destroyed at the same time.

From the three required logical processes above it can be determined that the required logical process for applying for a network access ticket comprises two logical processes: logical process 1 (the network access ticket is successfully obtained from the iOA server in the response), denoted the first required logical process, and the transition from logical process 1 to logical process 2 (obtaining the ticket from the iOA server fails, and the flow switches to local ticket generation), denoted the second required logical process. The required logical process for using a network access ticket comprises three logical processes: logical process 3 (an existing network access ticket is temporarily taken from the in-memory encrypted cache), denoted the third required logical process; a ticket obtained according to logical process 1 is used immediately, denoted the fourth required logical process; and obtaining the ticket from the iOA server according to logical process 1 fails, the flow switches to logical process 2 to generate a local network access ticket, and that ticket is used immediately rather than being fetched from the encrypted cache, denoted the fifth required logical process.

It should be noted that, when terminal information, logged-in user information, the login ticket and application feature information are collected in the first required logical process above, the marker API is used to perform the actual collection only the first time; subsequently the cached values are fetched from the memory-level encrypted cache or the local persistent store to speed up processing.

上述五种必行逻辑过程是预先配置好的iOA自身控制进程实现网络访问票据申请和使用所必经的逻辑过程,当第三方应用触发网络访问后,正常情况下,就需要按照所设定的必行逻辑过程进行网络访问票据申请和使用,如果检测到调用者的进程不符合所设定的必行逻辑过程,则说明第三方应用触发的网络访问是不合规的。The above five mandatory logical processes are the logical processes that the pre-configured iOA itself control process must go through to apply for and use network access tickets. When a third-party application triggers network access, under normal circumstances, it needs to follow the set The required logical process is used to apply for and use network access tickets. If it is detected that the caller's process does not comply with the set required logical process, it means that the network access triggered by the third-party application is not compliant.

但是,由于调用者的进程存在伪造的可能,也就是说,攻击者可能会伪造与预设的申请或使用网络访问票据的必行逻辑过程相同的进程,如果仅凭调用者的进程与申请或使用网络访问票据的必行逻辑过程是否相同判断网络访问的合规性是不可靠的,进一步地,还需要通过预埋的标记API判断调用者的进程是否是按照iOA零信任安全管理系统所设定的必行逻辑过程实现的,其中预埋的标记API是iOA自身的控制进程对应的API,只有当调用者的进程所触发的API命中了所有预埋的标记API,才能证明调用者的进程是合规的,应用发起的网络访问是合规的。值得说明的是,本申请实施例中第三方应用程序是一个触发点,对预埋的标记API的触发检测是通过iOA客户端中的安全模块执行的,并且安全模块还可以根据API调用信息对标记API的调用进行合规性检测。However, since the caller's process may be forged, that is to say, the attacker may forge a process that is the same as the preset logical process required to apply for or use a network access ticket. It is unreliable to judge the compliance of network access by using the same logical process of using network access tickets. Furthermore, it is also necessary to use the pre-embedded marking API to determine whether the caller's process is set in accordance with the iOA zero-trust security management system. It is implemented by a certain logical process that must be executed. The pre-embedded mark API is the API corresponding to iOA's own control process. Only when the API triggered by the caller's process hits all the pre-embedded mark APIs can the caller's process be proved. It is compliant, and the network access initiated by the application is compliant. It is worth noting that in the embodiment of this application, the third-party application is a trigger point, and the trigger detection of the pre-embedded mark API is performed through the security module in the iOA client, and the security module can also detect the trigger based on the API call information. Mark API calls for compliance testing.

在本申请的一个实施例中,在申请或使用网络访问票据的必行逻辑过程中,预埋iOA自身的控制进程一定会执行的标记API或标记API列表,并实时检测预埋的标记API的调用记录识别访问主体的网络访问是否是符合预期的正常访问,其中,标记API可以通过对网络访问票据的申请或者使用的必行逻辑过程中所存在的所有API中的部分API进行设置生成,例如只对必行逻辑过程中的1个、3个、5个等数量的API进行标记,当然标记API的数量可以根据实际情况进行调整,在生成标记API时,可以通过在API中塞入用于标识或者后续可以用于匹配是否相等的参数生成。举例而言,将网络访问票据写入内存加密缓存中需要调用到用于生成对称加密的秘钥的API:BcryptGenerateSymmetricKey、加密API:BcryptEncrypt和用于在堆上分配密文空间的API:HeapAlloc,等,那么在预埋这些API时,可以将部分参数设计成标识字符串,或者一个用于后续可以检测是否与实际值相等的参数。In one embodiment of the present application, in the necessary logical process of applying for or using a network access ticket, a tag API or a tag API list that will be executed by iOA's own control process is pre-embedded, and the status of the pre-embedded tag API is detected in real time. The call record identifies whether the network access of the access subject is a normal access as expected. The mark API can be generated by applying for a network access ticket or setting some of the APIs that exist in the required logic process, such as Only 1, 3, 5, etc. APIs in the required logical process are marked. Of course, the number of marked APIs can be adjusted according to the actual situation. When generating the marked API, you can insert the used Identification or subsequent parameter generation can be used to match whether or not they are equal. For example, writing a network access ticket to the memory encryption cache requires calling the API used to generate the key for symmetric encryption: BcryptGenerateSymmetricKey, the encryption API: BcryptEncrypt, and the API used to allocate ciphertext space on the heap: HeapAlloc, etc. , then when embedding these APIs, some parameters can be designed as identification strings, or a parameter that can be used to later detect whether it is equal to the actual value.

In an embodiment of the present application, the pre-embedded marker API or marker API list is configured by the enterprise administrator on the management side. Different system platforms can be configured with different marker APIs or marker API lists, which are configured, updated and delivered by the enterprise administrator. After the marker API or marker API list is delivered to the iOA client, it is received and parsed by the security module in the iOA client, which updates its detection API list from the parsed result. When an application's access process triggers a call to a marker API, the iOA client collects the call parameters, the caller's process, the call time and other information and sends it to a buffer queue for storage. The buffer queue is local to the terminal device and is configured with a maximum entry count and a maximum retention time: when the marker-API call records stored in the queue exceed the maximum count, records older than the maximum retention time are evicted from the queue, and newly collected marker-API call records are appended in order. After a marker API call is triggered, the call time, call parameters, caller's process and other information of the current API can also be collected and stored in the buffer queue; this information is mainly used to assist in tuning the marker APIs. For example, if 2 marker APIs are pre-embedded for a given mandatory logic process and both are observed every time marker-API call information is collected, the number of marker APIs can be increased to raise the compliance bar; if 5 marker APIs are pre-embedded for a mandatory logic process but only some of them are hit each time API call information is collected, the compliance criterion can be relaxed by reducing the number of marker APIs.

In an embodiment of the present application, after an application request or use request relating to a network access ticket is received, the event trigger time corresponding to that request is also obtained, and a detection time period is determined from the event trigger time, so that the marker-API call information corresponding to the request can be retrieved for the detection time period and used in the subsequent compliance analysis.

The event trigger time is determined differently for different request types. When the request is an application request for a network access ticket, the event of interest is the iOA client receiving the application request, so the event trigger time is the time at which the iOA client received the application request. When the request is a use request that forwards traffic with a network access ticket, the event of interest is the iOA client sending the network access ticket to the proxy client, so the event trigger time is the time at which the iOA client sent the network access ticket to the proxy client.

In step S220, a detection time period is determined based on the event trigger time, and the API call information corresponding to the detection time period is obtained.

In an embodiment of the present application, after the event trigger time corresponding to the request is obtained, it can be taken as the reference time; a start time and an end time are determined from this reference time and a configured preset time period, and the detection time period is defined by the start and end times. The API call information within the detection time period is then fetched from the buffer queue; this is the call information corresponding to the request, and it contains the call information of the marker APIs. In the embodiments of the present application the detection time period can be determined in two different ways.

In the first way, the preset time period configured by the iOA server is obtained first; the event trigger time is taken as the start time, and the event trigger time plus the preset time period is taken as the end time; the detection time period is then given by the start and end times.

Specifically, when the request is an application request for a network access ticket, the proxy client sends the request for a network access ticket to the iOA client, and the time at which the iOA client receives that request is marked as the start time; the first preset time period is obtained, the end time is determined from the start time and the first preset time period, and the detection time period is determined from the start and end times. For example, if the proxy client sends the request for a network access ticket to the iOA client at the 5th second and the first preset time period configured and delivered by the iOA server is 60 s, the detection time period is [5 s, 65 s].

When the request is a use request that forwards traffic with a network access ticket, the proxy client requests the network access ticket from the iOA client, and the time at which the iOA client sends the network access ticket to the proxy client is marked as the start time; the second preset time period is obtained, the end time is determined from the start time and the second preset time period, and the detection time period is determined from the start and end times. For example, if the iOA client sends the network access ticket to the proxy client at the 20th second and the second preset time period configured and delivered by the iOA server is 60 s, the detection time period is [20 s, 80 s].

In the second way, the preset time period configured by the iOA server is obtained first; the event trigger time is taken as the reference time, the start time and end time are determined from the reference time and the preset time period, and the detection time period is given by the start and end times.

Specifically, the time at which the application for the network access ticket was received, or the time at which the network access ticket was sent to the proxy client, is taken as the reference time, and the start and end times are determined from the reference time and the first or second preset time period respectively; the detection time period then follows from the start and end times. For example, if the ticket application is received at time t1 and the first preset time period is m1, (t1-m1) is the start time and (t1+m1) the end time, so the detection time period is [t1-m1, t1+m1]; if the network access ticket is sent to the proxy client at time t2 and the second preset time period is m2, (t2-m2) is the start time and (t2+m2) the end time, so the detection time period is [t2-m2, t2+m2], where t1, t2, m1 and m2 are positive numbers.

Different ways of determining the detection time period can be used depending on which API call information is needed. For example, when only the API call information recorded after the application or use request was received is needed, the first way can be used; when API call information both before and after the request was received is needed, the second way can be used.

It is worth noting that a single terminal device may access enterprise resources on multiple sites through multiple applications at the same time, so the data volume is high and the storage of records may lag. When configuring the first and second preset time periods on the iOA server they can therefore be set somewhat longer, which avoids incomplete data retrieval caused by such delay and further safeguards the correctness of the compliance analysis conclusion.
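The terminal-local buffer queue described above and the two ways of deriving a detection period from the event trigger time, as an added example in Python that is not part of the patent or of the iOA product. The record fields, the process image name "iOAClient.exe", the sample timestamps and the limits (3 entries, 5 s retention) are constructed for illustration; the patent only says that records older than the maximum retention time are evicted once the count limit is exceeded, so the fallback of dropping the oldest record when nothing has expired is an assumption made here.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class ApiCallRecord:
    """One collected marker-API call (field names are assumptions)."""
    ts: float                     # call time, seconds on the terminal's clock
    api: str                      # API name, e.g. "BCryptEncrypt"
    caller: str                   # caller process (image name)
    params: Dict[str, object] = field(default_factory=dict)


class CallBuffer:
    """Terminal-local buffer queue with a maximum entry count and retention time."""

    def __init__(self, max_entries: int, max_age: float) -> None:
        self.max_entries = max_entries
        self.max_age = max_age
        self._q: Deque[ApiCallRecord] = deque()

    def __len__(self) -> int:
        return len(self._q)

    def push(self, rec: ApiCallRecord) -> None:
        # Records arrive in call order and are appended in that order.
        self._q.append(rec)
        if len(self._q) > self.max_entries:
            self._evict_expired(now=rec.ts)

    def _evict_expired(self, now: float) -> None:
        # Only once the count limit is exceeded are records older than
        # max_age (relative to the newest record) dropped, as the text describes.
        while self._q and now - self._q[0].ts > self.max_age:
            self._q.popleft()
        # Assumption not stated in the patent: if nothing has expired yet,
        # the oldest record is dropped so the count limit still holds.
        while len(self._q) > self.max_entries:
            self._q.popleft()

    def query(self, start: float, end: float) -> List[ApiCallRecord]:
        """API call information for a closed detection period [start, end]."""
        return [r for r in self._q if start <= r.ts <= end]


def window_after(trigger: float, preset: float) -> Tuple[float, float]:
    """First way: [trigger, trigger + preset], only calls after the event."""
    return trigger, trigger + preset


def window_around(trigger: float, preset: float) -> Tuple[float, float]:
    """Second way: [trigger - preset, trigger + preset], calls before and after."""
    return trigger - preset, trigger + preset


def sample_buffer() -> CallBuffer:
    """Constructed sample: four calls by iOA's control process into a 3-entry, 5 s buffer."""
    buf = CallBuffer(max_entries=3, max_age=5.0)
    for ts, api in ((1.0, "HeapAlloc"),
                    (6.0, "BCryptGenerateSymmetricKey"),
                    (7.0, "HeapAlloc"),
                    (8.0, "BCryptEncrypt")):
        buf.push(ApiCallRecord(ts, api, "iOAClient.exe"))
    return buf


def apis_in_window(buf: CallBuffer, start: float, end: float) -> List[str]:
    """Names of the APIs recorded inside the detection period, in call order."""
    return [r.api for r in buf.query(start, end)]


if __name__ == "__main__":
    buf = sample_buffer()   # the 1.0 s record was evicted: 8.0 - 1.0 > 5.0 once the 4th push overflowed
    print(apis_in_window(buf, *window_after(5.0, 60.0)))   # ticket request at 5 s, 60 s preset
    print(apis_in_window(buf, *window_around(6.5, 1.0)))   # 1 s either side of 6.5 s
```

Because eviction is age-based, a detection period that is too short relative to the write lag discussed above simply returns fewer records; the second way of computing the window is the one to use when the event trigger time may itself be recorded slightly after the calls it should cover.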

In an embodiment of the present application, the API call information includes the caller's process information and the API name. The compliance of the application request or use request for the network access ticket is judged from the caller's process information, the API name, the mandatory logic process for applying for or using a network access ticket, and the name of the marker API corresponding to that mandatory logic process; the compliance of the zero-trust network access is then determined from the result of this judgment.

Further, the API call information may also include the relative call order and/or the call parameters of the APIs. The compliance of the application or use request can then additionally be judged by comparing the relative call order and/or call parameters of the APIs with the relative call order and/or call parameters of the marker APIs corresponding to the mandatory logic process for applying for or using a network access ticket, and the compliance of the zero-trust network access is determined from the result. Other conditions for judging compliance can of course also be configured when the zero-trust network access control policy is configured; they are not described further in the embodiments of the present application.

In step S230, the compliance of the zero-trust network access is judged from the marker APIs, the mandatory logic processes for zero-trust network access and the marker-API call information, where the mandatory logic processes for zero-trust network access comprise the mandatory logic process for applying for a network access ticket and the mandatory logic process for using a network access ticket, and the marker APIs are pre-embedded APIs associated with the control process of the zero-trust security management system.

In an embodiment of the present application, when the API call information includes the caller's process information and the API name, the caller's process information is compared with the mandatory logic process for applying for or using a network access ticket to obtain a first comparison result, and the API name is compared with the name of the marker API corresponding to the mandatory logic process for applying for or using a network access ticket to obtain a second comparison result; the compliance of the application or use request is then determined from the first and second comparison results. If both comparison results are "same", the application or use request for the network access ticket is compliant and the access subject's zero-trust network access is the expected normal access; if at least one of the two comparison results is "different", the request is non-compliant and the access subject's zero-trust network access is unexpected, abnormal access.

When the API call information also includes the relative call order and/or the call parameters of the APIs, then in addition to the compliance judgment based on the caller's process information and the API name described above, the relative call order of the APIs can be compared with the relative call order of the marker APIs corresponding to the mandatory logic process for applying for or using a network access ticket to obtain a third comparison result, and/or the call parameters can be compared with the call parameters of those marker APIs to obtain a fourth comparison result; whether the application or use request is compliant is then determined from the first, second, third and/or fourth comparison results. If every judged condition yields "same", the request is compliant and the access is the expected normal access; if at least one condition yields "different", the request is non-compliant and the access is unexpected, abnormal access. When judging whether the call parameters match the call parameters of the marker API corresponding to the mandatory logic process, the collected call parameters can be verified against the identifier, or the parameter intended for equality matching, that was set in the API when the marker API was pre-embedded: if the collected call parameters contain the identifier or matchable parameter set at pre-embedding time, the call parameter check passes.

In an embodiment of the present application, judging whether the caller's process information conforms to the mandatory logic process for applying for or using a network access ticket means judging whether the caller's process information matches one of the five logic processes described in step S210. Specifically, when the caller's process information relates to an application request for a network access ticket, it is judged whether it matches the first or the second mandatory logic process; when it relates to a use request for a network access ticket, it is judged whether it matches the third, fourth or fifth mandatory logic process.
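The four comparisons (caller process, marker API names, relative call order, planted identifier parameters) applied to a collected trace, as an added example in Python that is not code from the patent or from iOA. It models only the first and third mandatory logic processes; the process image name "iOAClient.exe", the marker selection, the parameter keys and the identifier strings such as "IOA-MARK-K1" are all assumptions, as are the three constructed traces: a genuine write of a ticket into the encrypted cache, an attacker process replaying the same API names in the same order without the planted identifiers, and the genuine process with the calls out of order.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class ApiCall:
    """One collected marker-API call record (field names are assumptions)."""
    ts: float
    api: str
    caller: str
    params: Dict[str, object] = field(default_factory=dict)


@dataclass(frozen=True)
class MarkerApi:
    """A pre-embedded marker: API name plus the identifier planted in its parameters."""
    name: str
    expected_params: Dict[str, object] = field(default_factory=dict)


@dataclass(frozen=True)
class MandatoryProcess:
    """A mandatory logic process with its markers in the required relative order."""
    number: int
    kind: str                       # "apply" or "use"
    control_process: str            # iOA's own control process expected as caller
    markers: Tuple[MarkerApi, ...]


# Constructed profiles for the first and third mandatory logic processes (assumed values).
CONTROL_PROCESS = "iOAClient.exe"
PROFILES = (
    MandatoryProcess(1, "apply", CONTROL_PROCESS, (
        MarkerApi("BCryptGenerateSymmetricKey", {"secret_tag": "IOA-MARK-K1"}),
        MarkerApi("HeapAlloc", {"dwFlags": 0x8}),                 # HEAP_ZERO_MEMORY
        MarkerApi("BCryptEncrypt", {"iv_tag": "IOA-MARK-E1"}),
    )),
    MandatoryProcess(3, "use", CONTROL_PROCESS, (
        MarkerApi("BCryptDecrypt", {"iv_tag": "IOA-MARK-E1"}),
        MarkerApi("HeapFree", {"dwFlags": 0x0}),
    )),
)


def is_subsequence(required: Sequence[str], observed: Sequence[str]) -> bool:
    """True if `required` occurs in `observed` in the same relative order."""
    it = iter(observed)
    return all(name in it for name in required)


def compare(profile: MandatoryProcess, calls: List[ApiCall]) -> Dict[str, object]:
    calls = sorted(calls, key=lambda c: c.ts)
    observed = [c.api for c in calls]
    # First comparison: caller's process information vs the mandatory logic process.
    first = bool(calls) and all(c.caller == profile.control_process for c in calls)
    # Second comparison: every marker API name was hit.
    second = all(m.name in observed for m in profile.markers)
    # Third comparison: markers appear in the required relative order.
    third = is_subsequence([m.name for m in profile.markers], observed)
    # Fourth comparison: the identifier planted at pre-embedding time is present and equal.
    fourth = all(
        any(c.api == m.name and all(c.params.get(k) == v for k, v in m.expected_params.items())
            for c in calls)
        for m in profile.markers)
    same = lambda ok: "same" if ok else "different"
    return {"process": profile.number,
            "first": same(first), "second": same(second),
            "third": same(third), "fourth": same(fourth),
            "compliant": first and second and third and fourth}


def judge(kind: str, calls: List[ApiCall]) -> Dict[str, object]:
    """Compliant if the trace matches any mandatory logic process for this request kind."""
    results = [compare(p, calls) for p in PROFILES if p.kind == kind]
    for r in results:
        if r["compliant"]:
            return r
    # Otherwise report the closest miss for the anomaly audit log.
    return max(results, key=lambda r: sum(v == "same" for v in r.values()))


# Constructed traces (not captured from any real system).
GOOD = [
    ApiCall(5.1, "BCryptGenerateSymmetricKey", CONTROL_PROCESS, {"secret_tag": "IOA-MARK-K1"}),
    ApiCall(5.2, "HeapAlloc", CONTROL_PROCESS, {"dwFlags": 0x8, "dwBytes": 512}),
    ApiCall(5.3, "BCryptEncrypt", CONTROL_PROCESS, {"iv_tag": "IOA-MARK-E1"}),
]
FORGED = [  # attacker process mimics the names and order but lacks the identifiers
    ApiCall(9.1, "BCryptGenerateSymmetricKey", "updater.exe", {}),
    ApiCall(9.2, "HeapAlloc", "updater.exe", {"dwFlags": 0x8}),
    ApiCall(9.3, "BCryptEncrypt", "updater.exe", {}),
]
REORDERED = [  # genuine process and identifiers, wrong relative order
    ApiCall(7.1, "BCryptEncrypt", CONTROL_PROCESS, {"iv_tag": "IOA-MARK-E1"}),
    ApiCall(7.2, "HeapAlloc", CONTROL_PROCESS, {"dwFlags": 0x8}),
    ApiCall(7.3, "BCryptGenerateSymmetricKey", CONTROL_PROCESS, {"secret_tag": "IOA-MARK-K1"}),
]

if __name__ == "__main__":
    for label, trace in (("good", GOOD), ("forged", FORGED), ("reordered", REORDERED)):
        print(label, judge("apply", trace))
```

The forged trace fails on the first and fourth comparisons even though the API names and their order are correct, which is the case the text singles out: name matching alone would have passed it, and the planted identifier parameter is what distinguishes iOA's own control process from a mimic.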

In an embodiment of the present application, after the compliance of the zero-trust network access has been determined, a corresponding target operation can be performed according to the compliance result. Specifically:

When the zero-trust network access is determined to be compliant, that is, the expected normal access, the zero-trust network access service continues to be provided to the access subject.

When the zero-trust network access is determined to be non-compliant, that is, unexpected abnormal access, issuing zero-trust network access tickets to that terminal device is prohibited, and the related behaviour is reported to the iOA server as an anomaly-class audit log so that the iOA server can take further action against the iOA client, the terminal device and the physical network, such as blacklisting the terminal device, prohibiting the user from logging in to the iOA client to use zero-trust functions, prohibiting the specified application from applying for network access tickets, forcibly terminating the login state, moving the physical network into an isolation network, and so on.

In an embodiment of the present application, in addition to checking for marker-API call records, the iOA client also checks whether its basic security hardening logic has been compromised; from the judgment based on the marker-API call information together with the result of the hardening check it determines whether an attacker is attacking the zero-trust security management system. This further prevents a malicious attacker from tampering with the terminal security service in order to leave known vulnerabilities in place, probe sensitive server endpoints, or carry out DoS attacks from a compromised host. The check of the basic security hardening logic mainly covers the following four points:

1. Periodically check whether the modules responsible for security detection and compliance hardening are missing from the installation directory;

2. Check whether the security-related key services are running, and whether they have been maliciously stopped or blinded;

3. Check whether the login state (including the login ticket) exists;

4. Check whether the process that triggered a marker API is a compliant process launched by iOA itself, and whether it carries copyright information and a valid digital signature.

If any of the four points above is abnormal, for example the module responsible for security detection and compliance hardening is missing from the directory, a security-related key service is stopped, the login ticket does not exist or the client is not in a logged-in state, the process that triggered the marker API is not a process launched by iOA itself, or it lacks copyright information and a valid digital signature, the basic security hardening logic of the iOA client is regarded as compromised; the application for and use of network access tickets is then aborted, zero-trust network access is no longer performed, and an audit log is reported to the iOA server.

In an embodiment of the present application, the iOA client is responsible on the one hand for checking whether the basic security hardening logic has been compromised and on the other hand for judging from the marker-API call records whether the access subject's access is abnormal; an anomaly in either is taken to mean that the system has been compromised by an attacker, and corresponding handling measures are required.

In an embodiment of the present application, both the check of whether the basic security hardening logic has been compromised and the check of whether the marker APIs were called can be implemented by the security module in the iOA client, and the security module's checks of the hardening logic and of the compliance of the pre-embedded marker-API call records run in parallel with the application for and use of network access tickets. Specifically, the two are not executed synchronously; they secure zero-trust network access by probing each other. If the security module, during its periodic check, identifies records of pre-embedded marker APIs being called, and the pattern of those calls matches the relative order and characteristics of the marker-API calls in the mandatory logic process (the characteristics may for instance be certain comparable call parameters), but finds no record of a network access ticket being applied for or used through the zero-trust security management system, then the access subject has forged a network access ticket, and the access subject and its network access behaviour are marked as abnormal. Conversely, during the application for and use of a network access ticket, the security module's current detection result is consulted; if that result is abnormal, the application for and use of the network access ticket is aborted and an audit log is reported to the iOA server.

In an embodiment of the present application, the iOA server can also configure the availability of the system and deliver the configured policy to the iOA client, which acts on the policy accordingly. Specifically, frequency control logic for network access ticket applications can be configured: when the frequency of ticket applications exceeds a first frequency threshold, ticket applications are restricted to reduce the load on the ticket service. Frequency control logic for marker-API calls can also be configured: when the iOA client detects that the frequency of marker-API calls exceeds a second frequency threshold, no network access tickets are issued for a certain period, the network access ticket cache time is automatically extended, and so on. The first and second frequency thresholds may be the maximum ticket application frequency and marker-API call frequency that the zero-trust security management system can withstand; the embodiments of the present application do not specifically limit them.
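The two frequency controls described above, as an added example in Python that is not code from the patent or from iOA. It keeps a sliding-window count of ticket applications and of marker-API calls, restricts applications past the first threshold, and past the second threshold suspends ticket issuance for a cooldown and extends the cached ticket lifetime while suspended. The policy field names and every numeric value (window length, thresholds, cooldown, extension) are assumptions; the patent leaves the thresholds unspecified.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Tuple


@dataclass
class AvailabilityPolicy:
    """Availability policy delivered by the iOA server (all values are assumptions)."""
    window: float = 60.0            # sliding window, seconds
    apply_threshold: int = 30       # first frequency threshold: ticket applications per window
    marker_threshold: int = 200     # second frequency threshold: marker-API calls per window
    suspend_for: float = 120.0      # no tickets issued for this long after the second threshold
    ttl_extension: float = 300.0    # extra cache lifetime granted while issuance is suspended


class FrequencyController:
    """Client-side enforcement of the frequency control logic."""

    def __init__(self, policy: AvailabilityPolicy) -> None:
        self.policy = policy
        self._applies: Deque[float] = deque()
        self._marker_calls: Deque[float] = deque()
        self._suspended_until = 0.0

    @staticmethod
    def _count_in_window(q: Deque[float], now: float, window: float) -> int:
        # Drop timestamps that have left the sliding window, then count the rest.
        while q and now - q[0] > window:
            q.popleft()
        return len(q)

    def on_marker_call(self, now: float) -> str:
        """Record a marker-API call; 'suspend' once the second threshold is crossed."""
        self._marker_calls.append(now)
        if self._count_in_window(self._marker_calls, now, self.policy.window) > self.policy.marker_threshold:
            self._suspended_until = max(self._suspended_until, now + self.policy.suspend_for)
            return "suspend"
        return "ok"

    def on_ticket_apply(self, now: float) -> str:
        """Decide a ticket application: 'issue', 'restrict' (first threshold) or 'suspend'."""
        if now < self._suspended_until:
            return "suspend"
        self._applies.append(now)
        if self._count_in_window(self._applies, now, self.policy.window) > self.policy.apply_threshold:
            return "restrict"
        return "issue"

    def cache_ttl(self, base_ttl: float, now: float) -> float:
        """Cached ticket lifetime, automatically extended while issuance is suspended."""
        if now < self._suspended_until:
            return base_ttl + self.policy.ttl_extension
        return base_ttl


def simulate_apply_burst(n: int, spacing: float = 0.5) -> List[str]:
    """Constructed burst of n ticket applications against a 5-per-window policy."""
    ctl = FrequencyController(AvailabilityPolicy(apply_threshold=5))
    return [ctl.on_ticket_apply(i * spacing) for i in range(n)]


def simulate_marker_storm() -> Tuple[List[str], str, float, str]:
    """Constructed marker-API storm: 4 calls against a threshold of 3, then two applications."""
    pol = AvailabilityPolicy(marker_threshold=3, suspend_for=10.0, ttl_extension=30.0)
    ctl = FrequencyController(pol)
    decisions = [ctl.on_marker_call(t) for t in (1.0, 1.1, 1.2, 1.3)]
    return (decisions,
            ctl.on_ticket_apply(2.0),      # inside the cooldown
            ctl.cache_ttl(60.0, 2.0),      # base 60 s plus the extension
            ctl.on_ticket_apply(12.0))     # cooldown over


if __name__ == "__main__":
    print(simulate_apply_burst(8))
    print(simulate_marker_storm())
```

The marker-call threshold is the more important of the two for the scheme above: a process hammering the pre-embedded APIs to probe which calls are watched is exactly the condition under which the client should stop handing out tickets and rely on the already-cached one.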

The data processing method in the embodiments of this application can be applied to any enterprise office scenario, for example staff working from home or on business trips who need to access enterprise sites through the zero-trust security management system to obtain the corresponding business resources. Next, taking as an example a staff member accessing an enterprise site through a browser based on the zero-trust security management system, the data processing method of the embodiments of this application is described in detail.

The staff member first logs in to the iOA client installed on the terminal device by entering information such as user name, user ID and password, then opens a browser and enters the address of the site to obtain the resources of that site. After the site address is entered, the proxy client that performs proxied access inside the iOA client intercepts the terminal device's network access request and, based on the five-tuple information corresponding to that request, initiates a network access ticket application request to the iOA client. The iOA client uses the application process PID in the five-tuple to obtain the process MD5, process path, latest modification of the process, copyright information and signature information, generates a network access ticket application request from these together with the remaining four elements of the five-tuple, sends it to the iOA server, receives the network access ticket returned by the iOA server, and stores the received ticket encrypted in the encrypted cache. Alternatively, when a network access ticket is not generated because the iOA server has failed or for network reasons, it switches to local generation of the network access ticket, using the generation algorithm negotiated with the iOA server.

To determine whether a network access ticket application is abnormal, after the ticket application request is received, the time at which the request was received can be taken as the base time, and the start time and end time are determined from the time the request was received and the configured first time period; the detection time period is then determined from the start and end times, and the API call information within that detection time period is obtained from the API buffer queue. The API call information includes the API name, the relative calling order of the API, the call parameters of the API and the caller's process; the API buffer queue stores the call information of all APIs triggered by processes started by applications, including the call information of the marked APIs. The caller's process is then compared with the preset required logical process for applying for network access, the API name is compared with the name of the marked API corresponding to that required logical process, the relative calling order of the API is compared with the relative calling order of the corresponding marked API, and the call parameters of the API are compared with the call parameters of the corresponding marked API. When the caller's process matches the first or the second required logical process, and the API name, relative calling order and call parameters are identical to the name, relative calling order and call parameters of the marked API corresponding to the required logical process for applying for network access, the network access ticket application request can be determined to be compliant.

The proxy client can then obtain the network access ticket from the iOA client or from the cache and use it to forward traffic. Specifically, the network access ticket and the original access request can be sent to the zero-trust gateway; the gateway first verifies the network access ticket by sending it to the iOA server for verification, and once verification passes, the gateway forwards the original access request to the business server of the corresponding site, receives the business resources returned by the business server, and returns them to the proxy client, which passes them on to the terminal device for use.

To determine whether the use of a network access ticket is abnormal, the time at which the iOA client sends the network access ticket to the proxy client can be taken as the base time, and the start time and end time are determined from the time the ticket was sent and the configured second time period; the detection time period is then determined from the start and end times, and the API call information within that detection time period is obtained from the API buffer queue. The API call information includes the API name, the relative calling order of the API, the call parameters of the API and the caller's process; the API buffer queue stores the call information of all APIs triggered by processes started by applications. The caller's process is then compared with the preset required logical process for using a network access ticket, the API name is compared with the name of the marked API corresponding to that required logical process, the relative calling order of the API is compared with the relative calling order of the corresponding marked API, and the call parameters of the API are compared with the call parameters of the corresponding marked API. When the caller's process matches the third, the fourth or the fifth required logical process, and the API name, relative calling order and call parameters are identical to the name, relative calling order and call parameters of the marked API corresponding to the required logical process, the use of the network access ticket can be determined to be compliant.
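The following Python is an added example, not code from the patent or from iOA, that implements the compliance judgment described for ticket application and for ticket use above, plus the security module's reverse check from the earlier embodiment (a matching marked-API sequence with no ticket request in the scan period). The API names, the control process name, the parameter tuples and the buffer queue contents are constructed, and the detection window is assumed to run from the event trigger time for the preset period.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Constructed for this example: the API names, control process name and
# parameter tuples are assumptions, not iOA's real identifiers.

@dataclass(frozen=True)
class ApiCall:
    ts: float       # time of the call on the client clock (seconds)
    name: str       # API name
    caller: str     # process that issued the call
    params: Tuple   # comparable subset of the call parameters

@dataclass(frozen=True)
class RequiredLogic:
    """A required logical process: the control process that must run it and the
    marked APIs it must call, in relative order, with their parameters."""
    label: str
    caller: str
    marked: Tuple[ApiCall, ...]   # ts of an expected call is not used

@dataclass(frozen=True)
class Verdict:
    logic: str
    caller_ok: bool   # first comparison result: caller process
    names_ok: bool    # second: names of the marked APIs
    order_ok: bool    # third: relative calling order
    params_ok: bool   # fourth: call parameters

    @property
    def compliant(self) -> bool:
        return self.caller_ok and self.names_ok and self.order_ok and self.params_ok

def detection_window(base_time: float, period: float) -> Tuple[float, float]:
    """Assumed window: from the event trigger time (ticket request received, or
    ticket handed to the proxy client) for the configured preset period."""
    return base_time, base_time + period

def calls_in_window(queue: Sequence[ApiCall], start: float, end: float) -> List[ApiCall]:
    """The API buffer queue holds every call the client made; keep the window."""
    return [c for c in queue if start <= c.ts <= end]

def compare_against(window: Sequence[ApiCall], logic: RequiredLogic) -> Verdict:
    """The four comparison results for one required logical process."""
    expected = [m.name for m in logic.marked]
    observed = [c for c in window if c.name in set(expected)]   # unmarked calls ignored
    caller_ok = bool(observed) and all(c.caller == logic.caller for c in observed)
    names_ok = sorted(c.name for c in observed) == sorted(expected)
    order_ok = names_ok and [c.name for c in observed] == expected
    params_ok = order_ok and all(c.params == m.params for c, m in zip(observed, logic.marked))
    return Verdict(logic.label, caller_ok, names_ok, order_ok, params_ok)

def judge(queue, base_time, period, logics) -> Tuple[bool, List[Verdict]]:
    """Compliant when the window satisfies any one of the required logical
    processes (server path or local fallback) on all four comparisons."""
    start, end = detection_window(base_time, period)
    window = calls_in_window(queue, start, end)
    verdicts = [compare_against(window, lg) for lg in logics]
    return any(v.compliant for v in verdicts), verdicts

def forged_ticket_suspected(queue, logics, request_times, start, end) -> bool:
    """Security-module side of the mutual check: a marked-API sequence matching a
    required logic with no ticket request record in the same scan period."""
    window = calls_in_window(queue, start, end)
    matched = any(compare_against(window, lg).compliant for lg in logics)
    requested = any(start <= t <= end for t in request_times)
    return matched and not requested

CONTROL_PROC = "ioa_client"   # assumed name of the zero-trust control process
INFO = ("md5", "path", "signature")
APPLY_LOGICS = (   # first and second required logical processes for ticket application
    RequiredLogic("apply_via_server", CONTROL_PROC, (
        ApiCall(0, "collect_process_info", CONTROL_PROC, INFO),
        ApiCall(0, "request_ticket", CONTROL_PROC, ("ioa_server",)),
        ApiCall(0, "store_ticket", CONTROL_PROC, ("encrypted_cache",)))),
    RequiredLogic("apply_local_fallback", CONTROL_PROC, (
        ApiCall(0, "collect_process_info", CONTROL_PROC, INFO),
        ApiCall(0, "request_ticket", CONTROL_PROC, ("ioa_server",)),
        ApiCall(0, "generate_local_ticket", CONTROL_PROC, ("negotiated_algorithm",)))),
)

# Constructed API buffer queue: a compliant application at t=10, the same marked APIs
# replayed by a foreign process with altered parameters at t=50, and the right calls
# from the right process but out of order at t=80.
QUEUE = (
    ApiCall(10.0, "collect_process_info", CONTROL_PROC, INFO),
    ApiCall(10.1, "log_write", CONTROL_PROC, ("debug",)),   # unmarked call
    ApiCall(10.2, "request_ticket", CONTROL_PROC, ("ioa_server",)),
    ApiCall(10.3, "store_ticket", CONTROL_PROC, ("encrypted_cache",)),
    ApiCall(50.0, "collect_process_info", "unknown_proc", ("md5",)),
    ApiCall(50.1, "request_ticket", "unknown_proc", ("ioa_server",)),
    ApiCall(50.2, "store_ticket", "unknown_proc", ("plain_file",)),
    ApiCall(80.0, "request_ticket", CONTROL_PROC, ("ioa_server",)),
    ApiCall(80.1, "collect_process_info", CONTROL_PROC, INFO),
    ApiCall(80.2, "store_ticket", CONTROL_PROC, ("encrypted_cache",)),
)
```

Calling judge(QUEUE, 10.0, 2.0, APPLY_LOGICS) returns compliant, while the windows at 50.0 and 80.0 fail on the caller and parameter comparisons and on the order comparison respectively; forged_ticket_suspected(QUEUE, APPLY_LOGICS, (), 0.0, 20.0) flags the compliant-looking sequence that has no ticket request behind it.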

When both the application for and the use of the network access ticket are determined to be compliant, the access subject's network access is the expected normal access, and the corresponding services can continue to be provided to the access subject.

In one embodiment of this application, when the application for or use of a network access ticket is determined to be non-compliant, the relevant logs can be collected and sent to the iOA server so that the iOA server takes the corresponding disposal measures against the access subject. In the embodiments of this application, the compliance of the application for and use of network access tickets can also be judged by the iOA server: when they are judged compliant, services continue to be provided to the access subject through the zero-trust security management system; when they are judged non-compliant, the corresponding disposal measures are applied directly to the access subject.

The data processing method of this application first obtains the event trigger time corresponding to the target request, where the target request is an application request or a use request for a network access ticket related to zero-trust network access; it then determines a detection time period based on the event trigger time and obtains the API call information corresponding to that period; finally it judges the compliance of the zero-trust network access according to the API call information, the required logical process for zero-trust network access and the marked APIs. This application can pre-embed, in the logical process of applying for or using a network access ticket, marked APIs related to the control process of the zero-trust security management system; after an application or use request for a network access ticket is received, the API call records within the detection time period are obtained, and whether the zero-trust network access is normal is judged by checking whether the caller's process in the API call records conforms to the required logical path for requesting or using the ticket, and whether the call information is identical to the call information of the marked APIs corresponding to that required logical process. On the one hand, this accurately distinguishes normal network access from abnormal network access; on the other hand, it resists attackers who tamper with terminal services to bypass the detection logic and access control policies, or who use a compromised host to mount DoS attacks against the server, which improves the reliability of the zero-trust security management system and its ability to resist attack, and thereby improves terminal zero-trust network security and enterprise office security.

It should be noted that although the steps of the methods in this application are described in a particular order in the drawings, this does not require or imply that the steps must be performed in that particular order, or that all of the steps shown must be performed to achieve the desired result. Additionally or alternatively, certain steps may be omitted, several steps may be combined into one, and/or one step may be split into several, and so on.

The following describes apparatus embodiments of this application, which can be used to perform the data processing method of the above embodiments. Figure 9 schematically shows a structural block diagram of a data processing apparatus provided by an embodiment of this application. As shown in Figure 9, the data processing apparatus 900 includes an acquisition module 910 and a judgment module 920; specifically:

the acquisition module 910 is configured to obtain the event trigger time corresponding to a target request, the target request being an application request or a use request for a network access ticket, and the network access ticket being related to zero-trust network access;

the acquisition module 910 is further configured to determine a detection time period based on the event trigger time and to obtain the API call information corresponding to the detection time period;

the judgment module 920 is configured to judge the compliance of the zero-trust network access according to the marked API call information, the required logical process for zero-trust network access and the marked APIs, where the required logical process for access includes the required logical process for applying for a network access ticket and the required logical process for using a network access ticket, and the marked APIs are pre-embedded APIs related to the control process of the zero-trust security management system.

In some embodiments of this application, when the request is the application request and the event trigger time is the time the application request is received, based on the above technical solution the acquisition module 910 is configured to: obtain a first preset time period; take the time the application request is received as the base time and determine the end time from the base time and the first preset time period; and determine the detection time period from the start time and the end time.

In some embodiments of this application, the API call information includes the name of the called API and the caller's process; based on the above technical solution, the judgment module 920 is configured to: compare the caller's process with the required logical process for applying for a network access ticket to obtain a first comparison result; compare the API name with the name of the marked API corresponding to the required logical process for applying for a network access ticket to obtain a second comparison result; when the first and second comparison results are both "same", determine that the zero-trust network access is compliant; and when the first comparison result and/or the second comparison result is "different", determine that the zero-trust network access is non-compliant.

In some embodiments of this application, the API call information includes the name of the called API, the caller's process, the relative calling order of the API and the call parameters; based on the above technical solution, the judgment module 920 is configured to: compare the caller's process with the required logical process for applying for a network access ticket to obtain a first comparison result; compare the API name with the name of the marked API corresponding to that required logical process to obtain a second comparison result; compare the relative calling order of the API with the relative calling order of the marked API corresponding to that required logical process to obtain a third comparison result; compare the call parameters of the API with the call parameters of the marked API corresponding to that required logical process to obtain a fourth comparison result; when the first, second, third and fourth comparison results are all "same", determine that the zero-trust network access is compliant; and when at least one of the first, second, third and fourth comparison results is "different", determine that the zero-trust network access is non-compliant.

In some embodiments of this application, based on the above technical solution, the required logical process for applying for a network access ticket includes a first required logical process and a second required logical process; the first required logical process is successfully obtaining a network access ticket from the zero-trust server according to the collected information and storing the network access ticket encrypted; the second required logical process is, after obtaining a network access ticket from the zero-trust server has failed, generating a network access ticket locally according to the collected information.

In some embodiments of this application, when the request is the use request and the event trigger time is the time the network access ticket is sent to the proxy client, based on the above technical solution the acquisition module 910 is configured to: obtain a second preset time period; take the time the network access ticket is sent to the proxy client as the base time and determine the end time from the base time and the second preset time period; and determine the detection time period from the start time and the end time.

In some embodiments of this application, based on the above technical solution, the acquisition module 910 is further configured to: obtain the API call information corresponding to the detection time period from the marked API call buffer queue, the API call information including the call information of the marked APIs.

In some embodiments of this application, the API call information includes the name of the called API and the caller's process; based on the above technical solution, the judgment module 920 is configured to: compare the caller's process with the required logical process for using a network access ticket to obtain a first comparison result; compare the API name with the name of the marked API corresponding to the required logical process for using a network access ticket to obtain a second comparison result; when the first and second comparison results are both "same", determine that the zero-trust network access is compliant; and when the first comparison result and/or the second comparison result is "different", determine that the zero-trust network access is non-compliant.

In some embodiments of this application, the API call information includes the name of the called API, the caller's process, the relative calling order of the API and the call parameters; based on the above technical solution, the judgment module 920 is configured to: compare the caller's process with the required logical process for using a network access ticket to obtain a first comparison result; compare the API name with the name of the marked API corresponding to that required logical process to obtain a second comparison result; compare the relative calling order of the API with the relative calling order of the marked API corresponding to that required logical process to obtain a third comparison result; compare the call parameters of the API with the call parameters of the marked API corresponding to that required logical process to obtain a fourth comparison result; when the first, second, third and fourth comparison results are all "same", determine that the zero-trust network access is compliant; and when at least one of the first, second, third and fourth comparison results is "different", determine that the zero-trust network access is non-compliant.

In one embodiment of this application, the required logical process for using a network access ticket includes a third required logical process, a fourth required logical process and a fifth required logical process; the third required logical process is obtaining the encrypted network access ticket corresponding to the current application information, decrypting the encrypted ticket to obtain the network access ticket, and using the network access ticket to forward traffic; the fourth required logical process is, after a network access ticket has been successfully obtained from the zero-trust server according to the collected information, using that network access ticket directly to forward traffic; the fifth required logical process is, when obtaining the network access ticket from the zero-trust server fails, generating a network access ticket locally according to the collected information and using that network access ticket directly to forward traffic.

In some embodiments of this application, based on the above technical solution, the data processing apparatus 900 further includes a detection module configured to detect whether the basic security hardening logic has been tampered with, and to perform a target operation according to the compliance judgment result and the detection result.

In some embodiments of this application, based on the above technical solution, the detection module is configured to: detect whether the modules responsible for security detection and compliance hardening are missing from the directory; detect whether key services are running, whether they have been maliciously stopped, and whether they have been blinded; detect whether the login state and login ticket exist; and detect whether the calls to the marked APIs are compliant, whether copyright information is present, and whether a valid digital signature is present.

In some embodiments of this application, based on the above technical solution, the detection module is configured to: when at least one of the compliance judgment result and the detection result is abnormal, prohibit the use of the zero-trust security control system for zero-trust network access.

In some embodiments of this application, based on the above technical solution, the data processing apparatus 900 is further configured to: obtain the application frequency of the network access ticket; and when the application frequency exceeds a first frequency threshold, reject the application request for the network access ticket.

In some embodiments of this application, based on the above technical solution, the data processing apparatus 900 is further configured to: obtain the call frequency of the marked APIs; and when the call frequency of the marked APIs exceeds a second frequency threshold, stop issuing network access tickets and extend the cache time of the network access tickets held in the cache.

The specific details of the data processing apparatus provided in the embodiments of this application have already been described in detail in the corresponding method embodiments and are not repeated here.

Figure 10 schematically shows a structural block diagram of the computer system of an electronic device for implementing an embodiment of this application; the electronic device may be the terminal device 101, the zero-trust server 102 or the business server 103 shown in Figure 1.

It should be noted that the computer system 1000 of the electronic device shown in Figure 10 is only an example and should not impose any limitation on the functions or scope of use of the embodiments of this application.

As shown in Figure 10, the computer system 1000 includes a central processing unit 1001 (CPU), which can perform various appropriate actions and processes according to a program stored in a read-only memory 1002 (ROM) or a program loaded from a storage part 1008 into a random access memory 1003 (RAM). The random access memory 1003 also stores the various programs and data required for system operation. The central processing unit 1001, the read-only memory 1002 and the random access memory 1003 are connected to one another through a bus 1004. An input/output interface 1005 (I/O interface) is also connected to the bus 1004.

In some embodiments, the following components are connected to the input/output interface 1005: an input part 1006 including a keyboard, a mouse and the like; an output part 1007 including a cathode ray tube (CRT), a liquid crystal display (LCD) and the like, and a loudspeaker and the like; a storage part 1008 including a hard disk and the like; and a communication part 1009 including a network interface card such as a LAN card or a modem. The communication part 1009 performs communication processing via a network such as the Internet. A drive 1010 is also connected to the input/output interface 1005 as needed. A removable medium 1011, such as a magnetic disk, an optical disc, a magneto-optical disc or a semiconductor memory, is mounted on the drive 1010 as needed, so that a computer program read from it can be installed into the storage part 1008 as needed.

In particular, according to embodiments of this application, the processes described in the method flowcharts may be implemented as computer software programs. For example, embodiments of this application include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the methods shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via the communication part 1009 and/or installed from the removable medium 1011. When the computer program is executed by the central processing unit 1001, the various functions defined in the system of this application are performed.

It should be noted that the computer-readable medium shown in the embodiments of this application may be a computer-readable signal medium or a computer-readable medium, or any combination of the two. The computer-readable medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of these. More specific examples of the computer-readable medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), a flash memory, an optical fibre, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In this application, a computer-readable medium may be any tangible medium that contains or stores a program for use by or in connection with an instruction execution system, apparatus or device. In this application, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable medium, which can send, propagate or transport a program for use by or in connection with an instruction execution system, apparatus or device. Program code contained on a computer-readable medium may be transmitted by any suitable medium, including but not limited to wireless, wired, and so on, or any suitable combination of the above.

The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowcharts or block diagrams may represent a module, program segment or portion of code, which contains one or more executable instructions for implementing the specified logic function. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the drawings. For example, two blocks shown in succession may in fact be executed substantially in parallel, or they may sometimes be executed in the reverse order, depending on the functionality involved. It should also be noted that each block in the block diagrams or flowcharts, and combinations of blocks in the block diagrams or flowcharts, can be implemented by a special-purpose hardware-based system that performs the specified functions or operations, or by a combination of special-purpose hardware and computer instructions.

It should be noted that although several modules or units of the device for performing actions are mentioned in the detailed description above, this division is not mandatory. In fact, according to embodiments of the present application, the features and functions of two or more modules or units described above may be embodied in a single module or unit. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by multiple modules or units.

From the above description of the embodiments, those skilled in the art will readily understand that the example embodiments described here can be implemented in software, or in software combined with the necessary hardware. Therefore, the technical solution according to the embodiments of the present application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a portable hard disk, etc.) or on a network, and which includes several instructions that cause an electronic device to perform the method according to the embodiments of the present application.

Other embodiments of the present application will be readily apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. The present application is intended to cover any variations, uses or adaptations of the present application that follow its general principles and include common knowledge or customary technical means in the technical field that are not disclosed in the present application.

It is to be understood that the present application is not limited to the precise structures described above and illustrated in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present application is limited only by the appended claims.

Claims (19)

Translated from Chinese
1. A data processing method, characterized in that it comprises:
obtaining an event trigger time corresponding to a target request, the target request being an application request or a use request for a network access ticket, and the network access ticket being related to zero-trust network access;
determining a detection time period based on the event trigger time, and obtaining API call information corresponding to the detection time period;
judging the compliance of the zero-trust network access according to the API call information, a zero-trust network access required logic process and a marked API, wherein the zero-trust network access required logic process comprises a network access ticket application required logic process and a network access ticket use required logic process, and the marked API is a pre-embedded API related to a control process of a zero-trust security management system.

2. The method according to claim 1, characterized in that, when the target request is the application request, the event trigger time is the time at which the application request is received; and
determining the detection time period based on the event trigger time comprises:
obtaining a first preset time period;
taking the time at which the application request is received as a base time, and determining a start time and an end time according to the base time and the first preset time period;
determining the detection time period according to the start time and the end time.

3. The method according to claim 1, characterized in that the API call information comprises the name of the called API and the caller's process; and
judging the compliance of the zero-trust network access according to the API call information, the zero-trust network access required logic process and the marked API comprises:
comparing the caller's process with the network access ticket application required logic process to obtain a first comparison result;
comparing the name of the API with the name of the marked API corresponding to the network access ticket application required logic process to obtain a second comparison result;
when the first comparison result and the second comparison result are both "same", judging that the zero-trust network access is compliant;
when the first comparison result and/or the second comparison result is "different", judging that the zero-trust network access is non-compliant.

4. The method according to claim 1, characterized in that the API call information comprises the name of the called API, the caller's process, the relative calling order of the API and the calling parameters; and
judging the compliance of the zero-trust network access according to the API call information, the zero-trust network access required logic process and the marked API comprises:
comparing the caller's process with the network access ticket application required logic process to obtain a first comparison result;
comparing the name of the API with the name of the marked API corresponding to the network access ticket application required logic process to obtain a second comparison result;
comparing the relative calling order of the API with the relative calling order of the marked API corresponding to the network access ticket application required logic process to obtain a third comparison result;
comparing the calling parameters of the API with the calling parameters of the marked API corresponding to the network access ticket application required logic process to obtain a fourth comparison result;
when the first, second, third and fourth comparison results are all "same", judging that the zero-trust network access is compliant;
when at least one of the first, second, third and fourth comparison results is "different", judging that the zero-trust network access is non-compliant.

5. The method according to claim 3 or 4, characterized in that the network access ticket application required logic process comprises a first required logic process and a second required logic process;
wherein the first required logic process is: successfully obtaining a network access ticket from a zero-trust server according to the collected information, and storing the network access ticket in encrypted form;
the second required logic process is: after failing to obtain a network access ticket from the zero-trust server, generating a network access ticket locally according to the collected information.

6. The method according to claim 1, characterized in that, when the request is the use request, the event trigger time is the time at which the network access ticket is sent to a proxy client; and
determining the detection time period based on the event trigger time comprises:
obtaining a second preset time period;
taking the time at which the network access ticket is sent to the proxy client as a base time, and determining a start time and an end time according to the base time and the second preset time period;
determining the detection time period according to the start time and the end time.

7. The method according to claim 2 or 6, characterized in that obtaining the API call information corresponding to the detection time period comprises:
obtaining, from an API call buffer queue, the API call information corresponding to the detection time period, the API call information comprising the call information of the marked API.

8. The method according to claim 6, characterized in that the API call information comprises the name of the called API and the caller's process; and
judging the compliance of the zero-trust network access according to the API call information, the zero-trust network access required logic process and the marked API comprises:
comparing the caller's process with the network access ticket use required logic process to obtain a first comparison result;
comparing the name of the API with the name of the marked API corresponding to the network access ticket use required logic process to obtain a second comparison result;
when the first comparison result and the second comparison result are both "same", judging that the zero-trust network access is compliant;
when the first comparison result and/or the second comparison result is "different", judging that the zero-trust network access is non-compliant.

9. The method according to claim 6, characterized in that the API call information comprises the name of the called API, the caller's process, the relative calling order of the API and the calling parameters; and
judging the compliance of the zero-trust network access according to the marked API call information, the zero-trust network access required logic process and the marked API comprises:
comparing the caller's process with the network access ticket use required logic process to obtain a first comparison result;
comparing the name of the API with the name of the marked API corresponding to the network access ticket use required logic process to obtain a second comparison result;
comparing the relative calling order of the API with the relative calling order of the marked API corresponding to the network access ticket use required logic process to obtain a third comparison result;
comparing the calling parameters of the API with the calling parameters of the marked API corresponding to the network access ticket use required logic process to obtain a fourth comparison result;
when the first, second, third and fourth comparison results are all "same", judging that the zero-trust network access is compliant;
when at least one of the first, second, third and fourth comparison results is "different", judging that the zero-trust network access is non-compliant.

10. The method according to claim 8 or 9, characterized in that the network access ticket use required logic process comprises a third required logic process, a fourth required logic process and a fifth required logic process;
wherein the third required logic process is: obtaining an encrypted network access ticket corresponding to the current application, decrypting the encrypted network access ticket to obtain a network access ticket, and forwarding traffic using the network access ticket;
the fourth required logic process is: after successfully obtaining a network access ticket from the zero-trust server according to the collected information, directly forwarding traffic using the network access ticket;
the fifth required logic process is: when obtaining the network access ticket from the zero-trust server fails, generating a network access ticket locally according to the collected information, and directly forwarding traffic using the network access ticket.

11. The method according to claim 1, characterized in that the method further comprises:
detecting whether the basic security hardening logic has been broken, and performing a target operation according to the compliance judgment result and the detection result.

12. The method according to claim 11, characterized in that detecting whether the basic security hardening logic has been broken comprises:
detecting whether the modules responsible for security detection and compliance hardening are missing from the directory;
detecting whether critical services are running, have been maliciously stopped, or have been blinded;
detecting whether the login state and the login ticket exist; and
detecting whether the calls to the marked API are compliant, and whether the marked API carries copyright information and a normal digital signature.

13. The method according to claim 12, characterized in that performing the target operation according to the compliance judgment result and the detection result comprises:
when at least one of the compliance judgment result and the detection result is abnormal, prohibiting use of the zero-trust security control system for zero-trust network access.

14. The method according to claim 1, characterized in that the method further comprises:
obtaining the application frequency of the network access ticket;
when the application frequency is greater than a first frequency threshold, rejecting the application request for the network access ticket.

15. The method according to claim 1, characterized in that the method further comprises:
obtaining the calling frequency of the marked API;
when the calling frequency of the marked API is greater than a second frequency threshold, stopping the issuance of network access tickets and extending the cache time of the network access tickets held in the cache.

16. A data processing device, characterized in that it comprises:
an obtaining module, configured to obtain an event trigger time corresponding to a target request, the target request being an application request or a use request for a network access ticket, and the network access ticket being related to zero-trust network access;
the obtaining module being further configured to determine a detection time period based on the event trigger time, and to obtain API call information corresponding to the detection time period;
a judging module, configured to judge the compliance of the zero-trust network access according to the API call information, a zero-trust network access required logic process and a marked API, wherein the zero-trust network access required logic process comprises a network access ticket application required logic process and a network access ticket use required logic process, and the marked API is a pre-embedded API related to a control process of a zero-trust security management system.

17. A computer-readable medium on which a computer program is stored, the computer program, when executed by a processor, implementing the data processing method according to any one of claims 1 to 15.

18. An electronic device, characterized in that it comprises:
a processor; and
a memory for storing instructions;
wherein the processor executes the instructions stored in the memory to implement the data processing method according to any one of claims 1 to 15.

19. A computer program product, characterized in that the computer program product comprises computer instructions which, when run on a computer, cause the computer to perform the data processing method according to any one of claims 1 to 15.
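The judgment of claims 1 to 4 and 7 in working form, as an added Python example that is not the patent's own code: API call records are read from a buffer queue, the records inside a detection window around the event trigger time are selected, and the four comparisons (caller process, API name, relative calling order, calling parameters) are made against the required logic process of claim 5. The patent names none of its APIs or processes, so the marked API names, the control process name, the parameter values and the time values are all assumptions constructed for the example.

```python
"""Added example, not the patent's code: compliance judgment over API call
records inside a detection window, following claims 1 to 4 and 7. The marked
API names, the control process name, the call records and the time values
are all constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class ApiCall:
    """One record from the API call buffer queue (claim 7)."""
    timestamp: float  # seconds; constructed values below
    api_name: str
    caller_process: str
    params: Tuple[str, ...]


@dataclass(frozen=True)
class RequiredLogicProcess:
    """The control process that must make the calls, and the marked APIs it
    must call, in this order, with these parameters."""
    process_name: str
    marked_apis: Tuple[Tuple[str, Tuple[str, ...]], ...]


def detection_window(event_time: float, preset_seconds: float) -> Tuple[float, float]:
    """Claims 2 and 6: the event trigger time is the base time and the preset
    period gives start and end. Assumed here: the preset period on each side."""
    return event_time - preset_seconds, event_time + preset_seconds


def calls_in_window(queue: Sequence[ApiCall], start: float, end: float) -> List[ApiCall]:
    """Claim 7: records inside the window, read from the buffer queue in time order."""
    return sorted((c for c in queue if start <= c.timestamp <= end), key=lambda c: c.timestamp)


def judge_compliance(calls: Sequence[ApiCall], required: RequiredLogicProcess) -> Dict[str, bool]:
    """The four comparisons of claim 4 (claim 3 uses only the first two). A key
    is True when that comparison result is 'same'; 'compliant' needs all four."""
    expected_order = [name for name, _ in required.marked_apis]
    expected_params = dict(required.marked_apis)
    marked = [c for c in calls if c.api_name in expected_params]

    # First comparison: every marked-API call came from the control process.
    process_ok = bool(marked) and all(c.caller_process == required.process_name for c in marked)
    # Second: the marked API names observed are exactly the required ones.
    observed = [c.api_name for c in marked]
    name_ok = set(observed) == set(expected_order)
    # Third: the relative order of first appearance matches the required order.
    first_seen: List[str] = []
    for name in observed:
        if name not in first_seen:
            first_seen.append(name)
    order_ok = first_seen == expected_order
    # Fourth: the call parameters match those recorded for the marked API.
    params_ok = bool(marked) and all(c.params == expected_params[c.api_name] for c in marked)
    return {"process": process_ok, "name": name_ok, "order": order_ok, "params": params_ok,
            "compliant": process_ok and name_ok and order_ok and params_ok}


def check_ticket_application(event_time: float, preset_seconds: float, queue: Sequence[ApiCall],
                             required: RequiredLogicProcess) -> Dict[str, bool]:
    """Claim 1 end to end for an application request."""
    start, end = detection_window(event_time, preset_seconds)
    return judge_compliance(calls_in_window(queue, start, end), required)


# Constructed required process for applying for a ticket (claim 5, first required
# logic process: collect information, fetch the ticket from the server, store it encrypted).
APPLY_TICKET_PROCESS = RequiredLogicProcess(
    process_name="zt_control.exe",  # assumed control process name
    marked_apis=(
        ("ZT_CollectTerminalInfo", ("device_fingerprint",)),
        ("ZT_RequestTicket", ("zt-server", "tls")),
        ("ZT_StoreTicketEncrypted", ("aes-256-gcm",)),
    ),
)

# Constructed queue: one compliant flow, an unrelated call, and a stale record outside the window.
CALL_QUEUE = (
    ApiCall(1000.0, "ReadFile", "explorer.exe", ("settings.ini",)),
    ApiCall(1001.0, "ZT_CollectTerminalInfo", "zt_control.exe", ("device_fingerprint",)),
    ApiCall(1001.5, "ZT_RequestTicket", "zt_control.exe", ("zt-server", "tls")),
    ApiCall(1002.0, "ZT_StoreTicketEncrypted", "zt_control.exe", ("aes-256-gcm",)),
    ApiCall(1500.0, "ZT_RequestTicket", "other_tool.exe", ("zt-server", "tls")),
)

# Constructed queue in which a process other than the control process requested a
# ticket without collecting terminal information and stored it with other parameters.
ANOMALOUS_QUEUE = (
    ApiCall(2000.0, "ZT_RequestTicket", "other_tool.exe", ("zt-server", "tls")),
    ApiCall(2000.2, "ZT_StoreTicketEncrypted", "other_tool.exe", ("none",)),
)

if __name__ == "__main__":
    print(check_ticket_application(1001.5, 5.0, CALL_QUEUE, APPLY_TICKET_PROCESS))
    print(check_ticket_application(2000.0, 5.0, ANOMALOUS_QUEUE, APPLY_TICKET_PROCESS))
```

The stale record at 1500 s is never examined because it lies outside the window, which is the point of anchoring the check to the event trigger time: only calls that could belong to this request are compared. In the anomalous queue all four comparisons return "different", and claim 4 only needs one of them to do so for the access to be judged non-compliant.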
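The two frequency thresholds of claims 14 and 15, as an added Python example that is not the patent's own code: a sliding-window counter for the ticket application frequency (reject the application when the first threshold is exceeded) and one for the marked API calling frequency (stop issuing tickets and extend the cache time when the second threshold is exceeded). The window lengths, thresholds, cache times and timestamps are assumptions constructed for the example; the patent gives no values.

```python
"""Added example, not the patent's code: the two frequency thresholds of
claims 14 and 15 as sliding-window counters. Window lengths, thresholds,
cache times and timestamps are constructed assumptions."""
from collections import deque
from typing import Deque, Dict, List, Tuple


class FrequencyGuard:
    """Counts events in a sliding time window and compares the count with a
    threshold. Timestamps must be fed in non-decreasing order."""

    def __init__(self, window_seconds: float, threshold: int) -> None:
        self.window_seconds = window_seconds
        self.threshold = threshold
        self._events: Deque[float] = deque()

    def record(self, t: float) -> int:
        """Record an event at time t, drop events older than the window, and
        return the number of events remaining in the window."""
        self._events.append(t)
        while self._events and self._events[0] < t - self.window_seconds:
            self._events.popleft()
        return len(self._events)

    def exceeded(self) -> bool:
        return len(self._events) > self.threshold


class TicketIssuer:
    """Ticket application handling (claim 14) and marked-API monitoring (claim 15)."""
    BASE_CACHE_SECONDS = 300.0       # assumed default cache time of a ticket
    EXTENDED_CACHE_SECONDS = 1800.0  # assumed extended cache time

    def __init__(self, apply_guard: FrequencyGuard, api_guard: FrequencyGuard) -> None:
        self.apply_guard = apply_guard
        self.api_guard = api_guard
        self.issuing_enabled = True
        self.cache_seconds = self.BASE_CACHE_SECONDS

    def on_marked_api_call(self, t: float) -> bool:
        """Claim 15: when the marked API calling frequency is above the second
        threshold, stop issuing tickets and extend the cache time of the
        tickets already cached. Returns whether issuance is still enabled."""
        self.api_guard.record(t)
        if self.api_guard.exceeded():
            self.issuing_enabled = False
            self.cache_seconds = self.EXTENDED_CACHE_SECONDS
        return self.issuing_enabled

    def on_ticket_application(self, t: float) -> Tuple[bool, str]:
        """Claim 14: reject the application when the application frequency is
        above the first threshold; a claim-15 suspension is honoured as well."""
        self.apply_guard.record(t)
        if self.apply_guard.exceeded():
            return False, "rejected: application frequency above first threshold"
        if not self.issuing_enabled:
            return False, "rejected: ticket issuance suspended"
        return True, "issued"


def simulate() -> Dict[str, object]:
    """Constructed timeline: first threshold 3 applications per 60 s, second
    threshold 5 marked API calls per 10 s."""
    issuer = TicketIssuer(FrequencyGuard(60.0, 3), FrequencyGuard(10.0, 5))
    normal: List[bool] = [issuer.on_ticket_application(t)[0] for t in (0.0, 20.0, 40.0)]
    burst = issuer.on_ticket_application(50.0)[0]       # fourth application within the minute
    recovered = issuer.on_ticket_application(200.0)[0]  # the window has emptied again
    for t in (300.0, 301.0, 302.0, 303.0, 304.0, 305.0):  # six marked API calls in 10 s
        issuer.on_marked_api_call(t)
    suspended = issuer.on_ticket_application(400.0)[0]
    return {"normal": normal, "burst": burst, "recovered": recovered,
            "suspended": suspended, "cache_seconds": issuer.cache_seconds}


if __name__ == "__main__":
    print(simulate())
```

Rejected applications are still counted, so a caller that keeps retrying stays above the first threshold until it backs off for a full window. The claim-15 suspension is deliberately not lifted by time alone in this example; when and how issuance resumes is left to the operator, since the patent does not specify it.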

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202211400208.3A | 2022-11-09 | 2022-11-09 | Data processing methods, devices, computer-readable media and electronic equipment

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202211400208.3A | 2022-11-09 | 2022-11-09 | CN116961967A (en) Data processing methods, devices, computer-readable media and electronic equipment

Publications (1)

Publication Number | Publication Date
CN116961967A (en) | 2023-10-27

Family

Family ID: 88443255

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202211400208.3A (Pending) | CN116961967A (en) Data processing methods, devices, computer-readable media and electronic equipment | 2022-11-09 | 2022-11-09

Country Status (1)

Country | Link
CN (1) | CN116961967A (en)

Similar Documents

Publication | Title
US11604861B2 (en) | Systems and methods for providing real time security and access monitoring of a removable media device
US11223480B2 (en) | Detecting compromised cloud-identity access information
JP5714078B2 (en) | Authentication for distributed secure content management systems
US8266683B2 (en) | Automated security privilege setting for remote system users
US10341350B2 (en) | Actively identifying and neutralizing network hot spots
US9531749B2 (en) | Prevention of query overloading in a server application
US20150213449A1 (en) | Risk-based control of application interface transactions
US9311485B2 (en) | Device reputation management
CN202663444U (en) | Cloud safety data migration model
Kumar et al. | Exploring security issues and solutions in cloud computing services: a survey
KR102576357B1 (en) | Zero Trust Security Authentication System
Gupta et al. | Taxonomy of cloud security
Munir et al. | Secure cloud architecture
CN115701019A (en) | Access request processing method and device of zero trust network and electronic equipment
CN111314381A (en) | Safety isolation gateway
CN104796432A (en) | Data protection method and safety bastion host
CN108076077A (en) | A kind of conversation controlling method and device
CN108429746A (en) | A privacy data protection method and system for cloud tenants
CN114598489B (en) | A method and related device for determining a trusted terminal
CN110602134A (en) | Method, device and system for identifying illegal terminal access based on session label
CN104023033A (en) | Safety production method for cloud services
US20240297887A1 (en) | Mid-session trust assessment
TW201633205A (en) | Systems and methods for malicious code detection
CN109639695A (en) | Dynamic identity authentication method, electronic equipment and storage medium based on mutual trust framework
CN118802149A (en) | Access processing method and device based on zero-trust network, electronic device, and medium

Legal Events

Date | Code | Title | Description
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
