CN112600863A - Safe remote access system and method - Google Patents


Info

Publication number: CN112600863A
Authority: CN (China)
Prior art keywords: access, module, browser, judging, webpage address
Legal status: Pending
Application number: CN202110241031.6A
Other languages: Chinese (zh)
Inventors: 何宇, 丁立波
Current assignee: Nanjing Minyu Information Technology Co ltd
Original assignee: Nanjing Minyu Information Technology Co ltd

Events:
Application filed by Nanjing Minyu Information Technology Co ltd
Priority to CN202110241031.6A
Publication of CN112600863A
Legal status: Pending

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
              • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
              • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
            • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
              • H04L63/105 Multiple levels of security
          • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/01 Protocols
              • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
            • H04L67/14 Session management
              • H04L67/141 Setup of application sessions

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention relates to the technical field of browser-based remote access and discloses a safe remote access system comprising a safety confirmation unit, a connection unit and a control unit. The safety confirmation unit receives an access request, judges the authority of the sender of the access request and establishes a connection channel based on that authority; the access rating unit acquires an access purpose and judges the level of the access purpose; and the identity authentication unit acquires authentication information based on the level of the access purpose and sends access content based on the authentication information. By detecting the access source, the invention limits the remote access path to the browser, so that malicious programs cannot bypass the security protection means through common software; for important information it sets up a multi-account login, so that a user has to ask another person to log in together, which improves safety and also facilitates subsequent responsibility tracing.

Description

Safe remote access system and method
Technical Field
The invention relates to the technical field of remote access of browsers, in particular to a safe remote access system and a safe remote access method.
Background
Remote access means that a client logs into a local network over WAN technology through some remote connection (for example a modem and a telephone line); the client is not necessarily "remote" and may be in the next room. Remote Access Service (RAS) is accordingly a service that allows a computer to access local network resources through some kind of remote connection, providing access for users who are not in a position to connect directly to the local network.
In daily life, remote access through a browser is the most common form; every ordinary visit to the internet is in fact an application of remote access, and this process carries potential safety hazards. With the development of internet technology the kinds of software keep growing; much good software brings great help to our life and work, but much malicious software can steal our information, so the security of remote access has to be considered.
At present, most mainstream security measures use a pass together with a verification code. This has a good protective effect: it keeps people out, and it effectively prevents cracking software from trying out passes by enumeration. However, there is now a practice of implanting plug-ins into software so that the browser is visited through that software; a website that has an agreement with the software does not perform information verification for a visit coming from inside that software, so the original security protection means is bypassed and information leaks. In addition, a traditional pass is mostly a single pass, that is, each person has one set of pass of their own; for some important information the protection level of one set of pass is far from enough. How to improve the security level of browser remote access on the original basis is the problem to be solved.
Disclosure of Invention
The present invention is directed to a system and method for secure remote access to solve the above problems.
In order to achieve the purpose, the invention provides the following technical scheme: a secure remote access system is proposed, the system comprising: the safety confirmation unit is used for receiving the access request, judging the authority of an access request sender and establishing a connection channel based on the authority of the request sender; the access rating unit is used for acquiring an access purpose and judging the level of the access purpose;
and the identity authentication unit is used for acquiring authentication information based on the level of the access purpose and sending access content based on the authentication information.
As a further limitation of the technical solution of the embodiment of the present invention, the security confirmation unit includes:
the monitoring module is used for monitoring the behavior of the software of the terminal accessing the network in real time;
the intercepting module is used for intercepting a webpage address of a request when receiving an access request;
the searching module is used for searching the identification field in the webpage address and judging whether the identification field is the same as the reserved field;
the first judgment module is used for judging whether the webpage address is sent by the browser or not if the webpage address of the access request is the same as the server address, and establishing a connection channel based on a judgment result;
and the guiding module is used for sending the access flow if the webpage address of the access request is different from the server address.
As a further limitation of the technical solution of the embodiment of the present invention, the first determining module includes:
the running state identification module is used for judging the running state of the browser;
the first operation module is used for sending an access flow if the browser does not operate; if the browser is running, the browser is used for reading a historical access website in the historical record of the browser and judging whether the historical access website is the same as the requested webpage address or not;
and the second operation module is used for establishing a connection channel if the historical access website is the same as the requested webpage address, and sending an access flow if the historical access website is different from the requested webpage address.
As a further limitation of the technical solution of the embodiment of the present invention, the access rating unit includes:
the instruction sending module is used for sending an access purpose acquisition instruction;
the data receiving module is used for receiving the access purpose sent by the terminal;
the extraction module is used for traversing the database, inquiring corresponding data content based on the access purpose and extracting corresponding level codes;
and the confirming module is used for confirming the level of the access purpose based on the level code.
As a further limitation of the technical solution of the embodiment of the present invention, the extraction module includes:
the connection establishing module is used for establishing a connection channel with the database;
the reading module is used for reading data elements of a database and extracting index items in the data elements;
and the level code confirming module is used for judging whether the index item is the same as the access purpose or not, extracting the level code of the data element if the index item is the same as the access purpose, and reading the next data element if the index item is different from the access purpose.
As a further limitation of the technical solution of the embodiment of the present invention, the confirmation module includes:
the second judging module is used for confirming the grading threshold value and judging the size of the grade code and the threshold value;
and the grading module is used for confirming the level of the access purpose based on the judgment result.
As a further limitation of the present invention, the authentication unit comprises:
the mapping module is used for reading the level of the access purpose and mapping the level into the account number;
the connection module is used for opening an information verification port based on the account number and acquiring verification information;
a third judging module, configured to read registration information in an account database based on the verification information, and judge whether the verification information is the same as the registration information;
and the output module is used for sending the access content based on the judgment result.
A secure remote access method, the method comprising:
receiving an access request, judging the authority of an access request sender, and establishing a connection channel based on the authority of the request sender;
obtaining an access purpose and judging the level of the access purpose;
and acquiring verification information based on the level of the access destination, and sending access content based on the verification information.
Further, the specific steps of receiving the access request, determining the authority of the access request sender, and establishing the connection channel based on the authority of the request sender include:
monitoring the behavior of the software of the terminal accessing the network in real time;
intercepting a requested webpage address when receiving an access request;
searching the identification field in the webpage address, and judging whether the identification field is the same as the reserved field;
if the webpage address of the access request is the same as the server address, judging whether the webpage address is sent by a browser or not, and establishing a connection channel based on a judgment result;
and if the webpage address of the access request is different from the server address, sending an access flow.
The specific steps of judging whether the webpage address is sent by the browser or not and establishing a connection channel based on the judgment result comprise:
judging the running state of the browser;
if the browser does not operate, sending an access flow; if the browser is running, reading a historical access website in the historical record of the browser, and judging whether the historical access website is the same as the requested webpage address;
if the historical access website is the same as the requested webpage address, a connection channel is established, and if the historical access website is different from the requested webpage address, an access flow is sent.
Compared with the prior art, the invention has the following beneficial effects: by detecting the access source, the remote access path is limited to the browser, so that malicious programs cannot bypass the security protection means through common software; for important information a multi-account login is set up, so that a user has to ask another person to log in together, which improves safety and also facilitates subsequent responsibility tracing.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention.
Fig. 1 is an architecture diagram of a secure remote access system.
Fig. 2 is a block diagram showing the construction of the secure remote access system.
Fig. 3 is a schematic structural diagram of a security confirmation unit in the secure remote access system.
Fig. 4 is a schematic structural diagram of a first determining module in a security validation unit.
Fig. 5 is a schematic diagram of the structure of an access rating unit in a secure remote access system.
Fig. 6 is a schematic diagram of the structure of an extraction module in the access rating unit.
Fig. 7 is a schematic diagram of the structure of a validation module in the access rating unit.
Fig. 8 is a schematic structural diagram of an authentication unit in the secure remote access system.
Fig. 9 is a flow diagram of a secure remote access method.
FIG. 10 is a sub-flow block diagram of a secure remote access method.
Fig. 11 is a schematic diagram of a specific hardware structure of the electronic device.
Detailed Description
In order to make the technical problems, technical solutions and advantageous effects to be solved by the present invention more clearly apparent, the present invention is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
It is to be noted that unless otherwise defined, technical or scientific terms used in one or more embodiments of the present specification should have the ordinary meaning as understood by those of ordinary skill in the art to which this disclosure belongs. The use of "first," "second," and similar terms in one or more embodiments of the specification is not intended to indicate any order, quantity, or importance, but rather is used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items.
At present, most mainstream security measures use a pass together with a verification code. This has a good protective effect: it keeps people out, and it effectively prevents cracking software from trying out passes by enumeration. However, there is now a practice of implanting plug-ins into software so that the browser is visited through that software; a website that has an agreement with the software does not perform information verification for a visit coming from inside that software, so the original security protection means is bypassed and information leaks. In addition, a traditional pass is mostly a single pass, that is, an account number corresponds to a password and each person has one set of pass of their own; for some important information the protection level of one set of pass is far from enough. How to improve the security level of browser remote access on the original basis is the problem to be solved.
To solve the above problems, this specification provides a secure remote access system and method. It limits the remote access path to a browser by detecting the access source, so that a malicious program cannot bypass the security protection means through common software, and it sets multiple verification methods for important information: in practice, a user who wants to access important information has to contact other people around them and combine the verification information of several people. Because of the existing verification code function, sharing of account numbers among family and friends generally does not occur. The most common secure remote access system is a school educational administration system, and the scheme of the invention is best understood through the model of such a system.
Fig. 1 shows an architecture diagram of a secure remote access system.
As shown in fig. 1, the system architecture includes two parties, which are a user terminal and a service device, respectively, where the user terminal and the service device transmit data to each other through a network, the network may be a medium for providing a communication link between the user terminal and the service device, and the connection type of the network is mainly a wireless communication link.
The user may use the user terminal to interact with the service device over the network to send access requests or to receive feedback signals. The user terminal may be hardware or software, and when the user terminal is hardware, the user terminal may be various electronic devices having a communication function, including but not limited to a smart phone, a tablet computer, a laptop portable computer, a desktop computer, and the like; when the user terminal is software, the user terminal may be installed in the electronic device listed above, and may be implemented as multiple pieces of software or software modules, or may be implemented as a single piece of software or software modules, which is not limited herein.
The service device may be a server providing various services, the service device may receive an access request sent by the user terminal, and then the service device may implement functions through the units, during which there is a large amount of data interaction, and finally generate a credit value, and send the credit value to the user terminal.
The server may be hardware or software. When the server is hardware, it may be implemented as a distributed server cluster formed by multiple servers, or may be implemented as a single server. When the server is software, it may be implemented as a plurality of software or software modules, or may be implemented as a single software or software module. And is not particularly limited herein.
It should be understood that the number of user terminals and service devices in fig. 1 is merely illustrative. There may be any number of user terminals and service devices, as desired for implementation.
Example 1
Fig. 2 shows a block diagram of the structure of the secure remote access system 10, and for convenience of illustration, only the parts related to the embodiment of the present invention are shown:
in an embodiment of the present invention, system 10 includes:
the safety confirmation unit 11 is used for receiving the access request, judging the authority of the access request sender, and establishing a connection channel based on the authority of the request sender;
The security confirmation unit determines the access source. The sender of an access request is a piece of software, not the user, and the aim is to detect the way in which the user accesses remotely: since the final access purpose is the same, limiting the access source is an effective and easy way to improve security. At present browsers are highly stable and the various browser products are mature, so their security is naturally high and a browser is not easily implanted with a plug-in; specifically, the safety confirmation unit limits the access source to the browser.
For example, a school educational administration system adopting the invention cannot be reached through a jump web page inside other software; it is accessed only through the browser.
An access rating unit 12, configured to obtain an access purpose and determine a level of the access purpose;
The access rating unit acquires the access purpose. The access purpose is obtained by conventional means, namely a check box with preset access purpose options: the user selects a purpose in advance, and after the service equipment reads it the level is judged.
For example, in a school educational administration system adopting the invention the purpose is selected before the user logs in, and the verification information such as the account number, password or verification code is typed in afterwards.
An authentication unit 13 for acquiring authentication information based on the level of the access purpose and transmitting access content based on the authentication information.
The identity authentication unit performs identity authentication, but differently from the traditional way: a traditional authentication process generally authenticates only one set of pass, that is, one person can log in to the system, whereas in this system different levels are determined according to different access purposes, and several sets of passes are authenticated according to the level.
for example, when accessing some important data, the educational administration system of the school according to the present invention needs a plurality of people to access together, or one person seeks help of a plurality of people, so as to access the educational administration system to obtain information, which can also become a method for permission limitation, and can be applied to other occasions.
Fig. 3 shows a schematic structural diagram of the security confirmation unit 11 in the secure remote access system 10.
The security confirmation unit 11 includes:
the monitoring module 111 is used for monitoring the behavior of the software of the terminal accessing the network in real time;
The monitoring module monitors in real time the behavior of the terminal software accessing the network. This does not mean watching the terminal equipment all the time; constant monitoring is difficult to realize through a browser and can only be completed by software running in the background. Monitoring the network access behavior of the terminal in real time is therefore actually a feedback signal: when the system is accessed, the access behavior is observed and the subsequent operations are carried out.
An intercepting module 112, configured to intercept a web page address of a request when receiving an access request;
The intercepting module intercepts the requested web page address. It should be noted that the module is triggered when the system is accessed, and there is a pitfall here: since the access address is the address where the system is located, one might simply record the system address directly and regard intercepting the requested web page address as unnecessary. In fact, there is a series of transmission steps between the requested web page address and the system address, and changes occur very easily along the way, especially through legitimate jump web pages, which are an access mode the system allows. If the system address were recorded directly and used as the comparison template, the access restriction would be tightened but the convenience of system access would suffer.
The searching module 113 is configured to search for an identification field in the web page address, and determine whether the identification field is the same as the reserved field;
the intercepted web page is the most real visited website in the terminal software, and the visited website must have its own specific field, such as www.
A first judging module 114, configured to, if the web address of the access request is the same as the server address, judge whether the web address is sent by the browser, and establish a connection channel based on a judgment result;
Judging that the web page address of the access request is the same as the server address is a necessary step for accessing the network: if the actual site is not being accessed, a web page jump may be taking place. Judging whether the web page address is sent by the browser, and establishing a connection channel based on the judgment result, is the core step, and it is where the method and system differ from the prior art.
The guiding module 115 is configured to send an access flow if the web page address of the access request is different from the server address.
The guiding module sends the correct access flow. Many existing websites can be triggered in various ways, and the triggering actually triggers the monitoring module; the judgment that follows the monitoring module, whether the web page address is the same as the server address, is equivalent to a second detection and is a protective measure.
Fig. 4 shows a schematic structural diagram of the first judging module 114 in the security confirmation unit.
The first determining module 114 includes:
an operation state identification module 1141, configured to determine an operation state of the browser;
this is the first decision that if none of the browsers are running, then the access request is naturally not made by the browser.
A first running module 1142, configured to send an access flow if the browser is not running; if the browser is running, the browser is used for reading a historical access website in the historical record of the browser and judging whether the historical access website is the same as the requested webpage address or not;
due to the nature of the browser, when the webpage is accessed, the website can be updated in the historical record in real time, and whether the website is accessed through the browser can be determined by accessing the historical record.
The second operation module 1143 is configured to establish a connection channel if the historical access website is the same as the requested webpage address, and send an access flow if the historical access website is different from the requested webpage address.
If the historical access website is the same as the requested web page address, the access request can be determined to have been sent by the browser. If the historical access website differs from the requested web page address, the user has in fact still accessed the service equipment, but the access is not safe enough, so the access flow is sent, making it easy for the user to access the service equipment properly.
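The source check of the security confirmation unit (modules 112 to 115 and 1141 to 1143), as an added Python example that is not part of the patent: the identification field is taken to be the host part of the address, and the browser's running state and history entries are assumed to be reported by the terminal-side monitoring software the description mentions; the class and function names are hypothetical.

```python
"""Security confirmation unit: intercept (112), search (113), judge (114/1141-1143), guide (115)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List
from urllib.parse import urlsplit


class Decision(Enum):
    ESTABLISH_CONNECTION = "establish connection channel"   # second running module 1143
    SEND_ACCESS_FLOW = "send access flow"                     # guiding module 115 / module 1142


@dataclass
class AccessRequest:
    """What the monitoring (111) and intercepting (112) modules hand over.

    Hypothetical fields: the requested web page address plus the browser state that
    the terminal-side monitoring software reports (running or not, history entries).
    """
    requested_url: str
    browser_running: bool
    browser_history: List[str] = field(default_factory=list)


def identification_field(url: str) -> str:
    """Search module 113: the identification field is taken to be the host part of
    the address (an assumption), lower-cased, with a non-default port kept."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:          # malformed port: treat as no match rather than crash
        return ""
    if port and port not in (80, 443):
        host = f"{host}:{port}"
    return host


def normalize(url: str) -> str:
    """Canonical form for comparing the request with browser history entries."""
    parts = urlsplit(url.strip())
    return f"{parts.scheme.lower()}://{identification_field(url)}{parts.path or '/'}"


def confirm_access(request: AccessRequest, reserved_field: str) -> Decision:
    """Run modules 113-115 and 1141-1143 in order and return the resulting action.

    reserved_field is the server's own identification field, e.g. its host name.
    """
    # Search module 113 / first judging module 114: is the requested address the server's?
    if identification_field(request.requested_url) != reserved_field.lower():
        return Decision.SEND_ACCESS_FLOW          # guiding module 115: wrong address

    # Running state identification module 1141: no running browser, no browser request.
    if not request.browser_running:
        return Decision.SEND_ACCESS_FLOW          # first running module 1142

    # First/second running modules 1142/1143: a browser writes every visited address
    # to its history in real time, so a genuine browser request must appear there.
    wanted = normalize(request.requested_url)
    if any(normalize(entry) == wanted for entry in request.browser_history):
        return Decision.ESTABLISH_CONNECTION
    return Decision.SEND_ACCESS_FLOW              # visited, but not through the browser


if __name__ == "__main__":
    # Constructed sample: a school educational administration server and two requests.
    SERVER = "jw.example-school.edu"
    genuine = AccessRequest("https://JW.example-school.edu:443/login", True,
                            ["https://jw.example-school.edu/", "https://jw.example-school.edu/login"])
    via_plugin = AccessRequest("https://app.example-partner.com/jump?to=jw", True, [])
    print(confirm_access(genuine, SERVER).value)      # establish connection channel
    print(confirm_access(via_plugin, SERVER).value)   # send access flow
```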
Fig. 5 shows a schematic diagram of the structure of the access rating unit 12 in the secure remote access system 10.
The access rating unit 12 includes:
an instruction sending module 121, configured to send an access destination obtaining instruction;
the service equipment sends an access destination acquisition instruction to the terminal equipment, and the access destination acquisition mode of the terminal adopts a check box structure, so that the mode is very convenient, and the judgment can be carried out according to the actual situation as for multi-selection or single selection.
A data receiving module 122, configured to receive an access destination sent by a terminal;
and after acquiring the access purpose, the terminal equipment sends the access purpose to the service equipment, and the service equipment receives the access purpose.
The extraction module 123 is configured to traverse the database, query corresponding data content based on an access purpose, and extract a corresponding level code;
The data content is stored in the database, mainly as data elements. Each data element has many items of content, among which there is certainly a reserved field corresponding to an access purpose, which makes comparison convenient: the corresponding data element, that is, the data content, can be found simply by comparing whether the access purpose is the same as the reserved word. The data element also contains a level code, so once the data element has been located the corresponding level code can easily be extracted and the subsequent operations carried out.
A confirming module 124 for confirming the level of the access purpose based on the level code.
The confirmation module performs the subsequent operations based on the level code; the specific operation depends on the data type of the level code. In most cases the level code is a character string, whereas a level is obviously a number, so the process has to transcode the level code before it can be turned into a level.
Fig. 6 shows a schematic structural diagram of the extraction module 123 in the access rating unit.
The extraction module 123 includes:
a connection establishing module 1231, configured to establish a connection channel with a database;
the connection establishment module is a necessary step for accessing the database;
the reading module 1232 is configured to read a data element of the database, and extract an index entry in the data element;
The index entry extracted from the data element by the reading module is the reserved field corresponding to the access purpose; in other words, the options in the check box used when obtaining the access purpose are the union of the index entries.
A level code confirmation module 1233, configured to determine whether the index entry is the same as the access purpose, extract the level code of the data element if it is, and read the next data element if it is not;
The level code confirmation module contains a judging step: it checks whether the index entry equals the access purpose; if so, it extracts the level code of the data element, which is the purpose of the module, and if not, it continues the loop.
Fig. 7 shows a schematic structural diagram of the confirmation module 124 in the access rating unit 12.
The confirmation module 124 includes:
a second judging module 1241, configured to determine a classification threshold and compare the level code with the threshold;
The second judging module essentially groups the level codes: the threshold is preset, and the level codes are compared with the threshold and then ordered. Note that the grading module may alternatively determine the rank first and then compare the rank with the threshold to order the ranks; the two modes are different algorithms, both can be implemented in common programming languages, and different algorithms suit different storage modes, which facilitates program optimization.
A grading module 1242, configured to confirm the level of the access purpose based on the judgment result.
The grading module works together with the second judging module to complete this function.
Fig. 8 shows a schematic configuration diagram of the identity verification unit 13 in the secure remote access system 10.
The identity verification unit 13 includes: a mapping module 131, configured to read the level of the access purpose and map the level to account numbers;
The mapping module processes the levels. The levels result from a grouping process, and the number of groups is the number of "gears": different data contents are graded by thresholds, and the grades represent different degrees of importance.
A connection module 132, configured to open an information verification port based on the account numbers and acquire verification information;
The service device opens the information verification port through the connection module. For example, a common login window consists of just one account number and one password plus one verification code; in the invention, however, the information verification port is opened based on the account numbers, so if there are two account numbers there are two ordinary login windows, i.e. two account numbers, two passwords and the corresponding verification codes. From the programming point of view this is very easy to realize, and the change to the code structure is almost zero.
A third judging module 133, configured to read the registration information in the account database based on the verification information, and judge whether the verification information is the same as the registration information;
The third judging module is the traditional credential verification stage, which is very common prior art and very easy to implement.
An output module 134, configured to send the access content based on the judgment result.
Whether the access content is sent is decided by the judgment result of the third judging module. For important files, passing through two or more sets of ordinary login windows improves security; at the same time it makes it easier to assign responsibility for an information leak, since the several account numbers identify several different people, which facilitates investigation and the gathering of evidence.
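The access rating unit (extraction and confirmation modules above) and the identity verification unit (mapping, connection, third judging and output modules), carried through end to end as an added example; this is not the patent's code. The patent fixes no data formats, so the data-element layout, the string level code, the thresholds and the mapping from level to number of login windows are assumptions made here.

```python
"""Access rating unit (FIGS. 5 to 7) and identity verification unit (FIG. 8).

Added example; not the patent's code. The patent fixes no data formats, so
the data-element layout, the string level code, the thresholds and the
mapping from level to number of login windows are all assumptions made here.
"""
import hmac
from typing import Optional

# Constructed "database" of data elements. Each carries the reserved index
# entry (the option shown in the terminal's check box) and a level code that,
# as the description says is usual, is stored as a character string.
DATA_ELEMENTS = [
    {"index": "meeting minutes", "level_code": "10", "content": "minutes.pdf"},
    {"index": "payroll", "level_code": "55", "content": "payroll.xlsx"},
    {"index": "source code", "level_code": "90", "content": "repo.tar"},
]

# Assumed grading thresholds of the second judging module: the level is the
# number of thresholds the (transcoded) level code reaches, i.e. 0, 1 or 2.
THRESHOLDS = (30, 60)

# Constructed account database: registration information per account number.
# A real deployment would store password hashes; plaintext keeps the example short.
ACCOUNT_DB = {"acct-1": "pw-one", "acct-2": "pw-two", "acct-3": "pw-three"}


def extract_data_element(access_purpose: str) -> Optional[dict]:
    """Extraction module (FIG. 6): walk the data elements and return the one
    whose index entry equals the access purpose, or None if no entry matches."""
    for element in DATA_ELEMENTS:                  # reading module
        if element["index"] == access_purpose:     # level code confirming module
            return element
    return None                                    # loop exhausted


def confirm_level(level_code: str) -> int:
    """Confirmation module (FIG. 7): transcode the string to a number and
    count how many thresholds it reaches (second judging + grading module)."""
    value = int(level_code)
    return sum(value >= t for t in THRESHOLDS)


def map_level_to_accounts(level: int) -> list:
    """Mapping module: a level ("gear") of n requires n + 1 login windows,
    so level 0 is the ordinary single login and level 1 needs two accounts."""
    return [f"acct-{i}" for i in range(1, level + 2)]


def verify(credentials: dict, required: list) -> bool:
    """Third judging module: every required account number must present
    verification information equal to its registration information."""
    ok = True
    for account in required:
        registered = ACCOUNT_DB.get(account)
        supplied = credentials.get(account, "")
        # Constant-time comparison, and no early return, so a failing window
        # is not revealed by timing (a defensive choice, not in the patent).
        ok &= registered is not None and hmac.compare_digest(
            supplied.encode(), registered.encode())
    return ok


def remote_access(access_purpose: str, credentials: dict) -> Optional[str]:
    """Steps S2 and S3 end to end: the output module returns the access
    content only if every required login window verifies, else None."""
    element = extract_data_element(access_purpose)
    if element is None:
        return None
    required = map_level_to_accounts(confirm_level(element["level_code"]))
    return element["content"] if verify(credentials, required) else None


if __name__ == "__main__":
    # Level 1 content: one account is not enough, two are.
    print(remote_access("payroll", {"acct-1": "pw-one"}))
    print(remote_access("payroll", {"acct-1": "pw-one", "acct-2": "pw-two"}))
```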
Example 2
Fig. 9 shows a flow chart of the secure remote access method, and for convenience of explanation, only the parts related to the present embodiment are shown:
in an embodiment of the invention, the method comprises:
step S1: receiving an access request, judging the authority of an access request sender, and establishing a connection channel based on the authority of the request sender;
said step S1 is implemented by the security confirmation unit 11;
step S2: obtaining an access purpose and judging the level of the access purpose;
said step S2 is implemented by the access rating unit 12;
step S3: acquiring verification information based on the level of the access destination, and sending access content based on the verification information;
said step S3 is implemented by the authentication unit 13;
further, FIG. 10 illustrates a sub-flow block diagram of a secure remote access method;
the specific steps of receiving the access request, judging the authority of the access request sender, and establishing a connection channel based on the authority of the request sender comprise:
monitoring the behavior of the software of the terminal accessing the network in real time;
intercepting a requested webpage address when receiving an access request;
searching for the identification field in the webpage address and judging whether the identification field is the same as the reserved field;
if the webpage address of the access request is the same as the server address, judging whether the webpage address is sent by a browser, and establishing a connection channel based on the judgment result;
and if the webpage address of the access request is different from the server address, sending an access flow.
Specifically, the step of determining whether the webpage address is sent by a browser, and establishing a connection channel based on the determination result, includes:
judging the running state of the browser;
if the browser does not operate, sending an access flow; if the browser is running, reading a historical access website in the historical record of the browser, and judging whether the historical access website is the same as the requested webpage address;
if the historical access website is the same as the requested webpage address, a connection channel is established, and if the historical access website is different from the requested webpage address, an access flow is sent.
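The decision logic of step S1 as described above, written out as an added example; this is not the patent's code. The patent names the modules but gives no implementation, so the intercepted-request record, the choice of the URL host as the identification field and the address normalization are assumptions.

```python
"""Decision logic of the security confirmation unit (step S1, FIG. 10).

Added example; not the patent's code. The patent names the modules but no
implementation, so the intercepted-request record, the choice of the URL host
as the identification field and the address normalisation are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlsplit

# Assumed reserved field: the host name of the protected service device.
SERVER_ADDRESS = "portal.example.internal"


class Decision(Enum):
    ESTABLISH_CHANNEL = "establish connection channel"
    SEND_ACCESS_FLOW = "send access flow"      # the guiding module's action


@dataclass
class InterceptedRequest:
    """What the monitoring and intercepting modules hand over (constructed)."""
    url: str                                    # requested web page address
    browser_running: bool                       # running-state identification
    browser_history: list = field(default_factory=list)  # browser history


def identification_field(url: str) -> str:
    """Searching module: the part of the address compared with the reserved field."""
    return (urlsplit(url).hostname or "").lower()


def normalize(url: str) -> str:
    """Compare history entries with the request ignoring scheme, case and a
    trailing slash, so a minor formatting difference does not deny access."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower() + parts.path.rstrip("/")


def first_judging(req: InterceptedRequest) -> Decision:
    """First judging module (claim 2): was the address sent by the browser?
    A request the browser issued shows up in its history; one issued by
    other software on the terminal does not."""
    if not req.browser_running:                 # first operation module
        return Decision.SEND_ACCESS_FLOW
    wanted = normalize(req.url)
    if any(normalize(h) == wanted for h in req.browser_history):
        return Decision.ESTABLISH_CHANNEL       # second operation module
    return Decision.SEND_ACCESS_FLOW


def security_confirmation(req: InterceptedRequest,
                          server: str = SERVER_ADDRESS) -> Decision:
    """Whole of step S1 for one intercepted request."""
    if identification_field(req.url) != server.lower():
        return Decision.SEND_ACCESS_FLOW        # guiding module
    return first_judging(req)


if __name__ == "__main__":
    # Constructed sample: the same address, first while the browser is
    # closed (so it cannot have come from the browser), then from the browser.
    closed = InterceptedRequest("https://portal.example.internal/login", False)
    opened = InterceptedRequest("https://portal.example.internal/login", True,
                                ["https://portal.example.internal/login/"])
    print(security_confirmation(closed).value, "/", security_confirmation(opened).value)
```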
For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. Of course, the functionality of the modules may be implemented in the same one or more software and/or hardware implementations in implementing one or more embodiments of the present description.
The apparatus of the foregoing embodiment is used to implement the corresponding method in the foregoing embodiment, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
One or more embodiments of the present specification also provide an electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor.
Fig. 11 is a schematic diagram illustrating a more specific hardware structure of an electronic device according to this embodiment, where the electronic device may include: a processor, a memory, an input/output interface, a communication interface, and a bus. Wherein the processor, the memory, the input/output interface and the communication interface are communicatively connected to each other within the device by a bus.
The processor may be implemented as a general-purpose CPU, a microprocessor, an application-specific integrated circuit, or one or more integrated circuits, and executes the relevant program to implement the technical solutions provided in the embodiments of the present specification.
The memory may be implemented as ROM, RAM, a static storage device, a dynamic storage device, etc. The memory may store an operating system and other application programs; when the technical solution provided by the embodiments of the present specification is implemented in software or firmware, the relevant program code is stored in the memory and called by the processor for execution.
The input/output interface is used to connect an input/output module for information input and output. The input/output module may be a component of the device (not shown) or external to it, providing the corresponding function. Input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface is used to connect a communication module (not shown in the figure) for communication between this device and other devices. The communication module may communicate in a wired manner or wirelessly, for example over a mobile network, WIFI or Bluetooth.
The bus comprises a path for transferring information between the components of the device, such as the processor, the memory, the input/output interface and the communication interface.
It should be noted that although the above device shows only a processor, a memory, an input/output interface, a communication interface and a bus, in a specific implementation the device may also include other components necessary for proper operation. In addition, those skilled in the art will appreciate that the above device may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
Those of ordinary skill in the art will understand that the discussion of any embodiment above is merely exemplary in nature and is not intended to imply that the scope of the disclosure is limited to these examples; within the spirit of the present disclosure, features from the above embodiments or from different embodiments may also be combined, steps may be implemented in any order, and there are many other variations of different aspects of one or more embodiments of the present description as described above, which are not provided in detail for the sake of brevity.
In addition, well-known power/ground connections to integrated circuit chips and other components may or may not be shown in the provided figures, for simplicity of illustration and discussion, and so as not to obscure one or more embodiments of the present description. Furthermore, devices may be shown in block diagram form in order to avoid obscuring the understanding of one or more embodiments of the present description, and this also takes into account the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the one or more embodiments of the present description are to be implemented, i.e., such specifics should be well within purview of one skilled in the art. Where specific details are set forth in order to describe example embodiments of the disclosure, it will be apparent to one skilled in the art that one or more embodiments of the disclosure may be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present disclosure has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, other memory architectures may use the discussed embodiments.
It is intended that the one or more embodiments of the present specification embrace all such alternatives, modifications and variations as fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of one or more embodiments of the present disclosure are intended to be included within the scope of the present disclosure.

Claims (7)

1. A secure remote access system, the system comprising:
the security confirmation unit is used for receiving the access request, judging the authority of an access request sender and establishing a connection channel based on the authority of the request sender;
the access rating unit is used for acquiring an access purpose and judging the level of the access purpose;
the identity authentication unit is used for acquiring authentication information based on the level of the access purpose and sending access content based on the authentication information;
the security confirmation unit includes:
the monitoring module is used for monitoring the behavior of the software of the terminal accessing the network in real time;
the intercepting module is used for intercepting a webpage address of a request when receiving an access request;
the searching module is used for searching the identification field in the webpage address and judging whether the identification field is the same as the reserved field;
the first judgment module is used for judging whether the webpage address is sent by the browser or not if the webpage address of the access request is the same as the server address, and establishing a connection channel based on a judgment result;
and the guiding module is used for sending the access flow if the webpage address of the access request is different from the server address.
2. The secure remote access system of claim 1, wherein the first determination module comprises:
the running state identification module is used for judging the running state of the browser;
the first operation module is used for sending an access flow if the browser does not operate; if the browser is running, the browser is used for reading a historical access website in the historical record of the browser and judging whether the historical access website is the same as the requested webpage address or not;
and the second operation module is used for establishing a connection channel if the historical access website is the same as the requested webpage address, and sending an access flow if the historical access website is different from the requested webpage address.
3. The secure remote access system of claim 1, wherein the access rating unit comprises:
the instruction sending module is used for sending an access purpose acquisition instruction;
the data receiving module is used for receiving the access purpose sent by the terminal;
the extraction module is used for traversing the database, inquiring corresponding data content based on the access purpose and extracting corresponding level codes;
and the confirming module is used for confirming the level of the access purpose based on the level code.
4. The secure remote access system of claim 3, wherein the extraction module comprises:
the connection establishing module is used for establishing a connection channel with the database;
the reading module is used for reading data elements of a database and extracting index items in the data elements;
and the level code confirming module is used for judging whether the index item is the same as the access purpose or not, extracting the level code of the data element if the index item is the same as the access purpose, and reading the next data element if the index item is different from the access purpose.
5. The secure remote access system of claim 4, wherein the confirmation module comprises:
the second judging module is used for determining a grading threshold and comparing the level code with the threshold;
and the grading module is used for confirming the level of the access purpose based on the judgment result.
6. The secure remote access system of claim 1, wherein the authentication unit comprises:
the mapping module is used for reading the level of the access purpose and mapping the level into the account number;
the connection module is used for opening an information verification port based on the account number and acquiring verification information;
a third judging module, configured to read registration information in an account database based on the verification information, and judge whether the verification information is the same as the registration information;
and the output module is used for sending the access content based on the judgment result.
7. A secure remote access method, the method comprising:
receiving an access request, judging the authority of an access request sender, and establishing a connection channel based on the authority of the request sender;
obtaining an access purpose and judging the level of the access purpose;
acquiring verification information based on the level of the access destination, and sending access content based on the verification information;
the specific steps of receiving the access request, judging the authority of the access request sender, and establishing a connection channel based on the authority of the request sender comprise:
monitoring the behavior of the software of the terminal accessing the network in real time;
intercepting a requested webpage address when receiving an access request;
searching for the identification field in the webpage address and judging whether the identification field is the same as the reserved field;
if the webpage address of the access request is the same as the server address, judging whether the webpage address is sent by a browser or not, and establishing a connection channel based on a judgment result;
if the webpage address of the access request is different from the server address, sending an access flow;
the specific steps of judging whether the webpage address is sent by the browser or not and establishing a connection channel based on the judgment result comprise:
judging the running state of the browser;
if the browser does not operate, sending an access flow; if the browser is running, reading a historical access website in the historical record of the browser, and judging whether the historical access website is the same as the requested webpage address;
if the historical access website is the same as the requested webpage address, a connection channel is established, and if the historical access website is different from the requested webpage address, an access flow is sent.
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210402