CN102754488B - User access control method, device and system - Google Patents
- Publication number
- CN102754488B (CN201180000362.5A)
- Authority
- CN
- China
- Prior art keywords
- access request
- data
- content
- information content
- gateway
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W48/00—Access restriction; Network selection; Access point selection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Information Transfer Between Computers (AREA)
- Computer And Data Communications (AREA)
- Storage Device Security (AREA)
Description
Technical Field
The present invention relates to the field of communications, and in particular to a user access control method, device and system.
Background
To keep users' data access secure, data services today generally need to apply blacklist and whitelist data control (covering blacklist data and whitelist data) to the access process of data service users. The blacklist and whitelist data is normally supplied by a third-party system. A blacklist usually means a list of websites that contain illegal content and may pose a threat to users; a whitelist usually means a list of legitimate websites that pose no threat to users. When a user visits a website on the blacklist, the access is blocked according to the blacklist data.
In the prior art, control of user data access is usually implemented as follows. As shown in Figure 1, a third-party system scans and analyzes Internet website information, extracts blacklist and whitelist data from it, and sends that data to the network administrator, who manually synchronizes it to the gateway through the gateway's web interface. After loading the blacklist and whitelist data into memory, the gateway controls user requests according to the lists. In this solution, what the third-party system scans and analyzes is not limited to the requests users actually send but covers countless Internet websites, so the blacklist and whitelist data is redundant and adds to the gateway's load; once generated, the data has to be imported into the gateway by the network administrator, so it cannot be updated in time; and most third-party systems cannot automatically perform in-depth analysis of the data content, so the misjudgment rate is high.
Summary of the Invention
The technical problem to be solved by the embodiments of the present invention is how to control user data access effectively, reduce manual involvement, and improve the interception efficiency of blacklist and whitelist data control.
To solve the above technical problem, the embodiments of the present invention adopt the following technical solutions:
A user access control method, comprising:
receiving an access request sent by a user;
copying the information content of the access request to a content identification device;
the information content of the access request being information content that has undergone protocol identification and protocol conversion and that the content identification device can recognize;
updating blacklist data or whitelist data according to the judgment result on the information content of the access request returned by the content identification device.
A user access control method, comprising:
receiving the information content of a user's access request sent by a gateway;
the information content of the access request being information content that has undergone protocol identification and protocol conversion by the gateway and that the content identification device can recognize;
obtaining, according to the information content of the access request, a judgment result that includes listing the address requested by the access request in the blacklist data or the whitelist data;
sending the judgment result to the gateway, so that the gateway updates the blacklist data or whitelist data according to the judgment result.
A gateway, comprising:
a receiving unit, configured to receive an access request sent by a user;
a copying unit, configured to copy the information content of the access request to a content identification device,
the information content of the access request being information content that has undergone protocol identification and protocol conversion and that the content identification device can recognize;
an updating unit, configured to update blacklist data or whitelist data according to the judgment result on the information content of the access request returned by the content identification device.
A content identification device, comprising:
a receiving unit, configured to receive the information content of a user's access request sent by a gateway;
the information content of the access request being information content that has undergone protocol identification and protocol conversion by the gateway and that the content identification device can recognize;
a first identification unit, configured to obtain, according to the information content of the access request, a judgment result that includes listing the address requested by the access request in the blacklist data or the whitelist data;
a first sending unit, configured to send the judgment result to the gateway, so that the gateway updates the blacklist data or whitelist data according to the judgment result.
A user access control system, comprising a gateway and a content identification device, wherein:
the gateway is configured to receive an access request sent by a user and to copy the information content of the access request to the content identification device;
the content identification device is configured to receive the information content of the user's access request sent by the gateway, the information content of the access request being information content that has undergone protocol identification and protocol conversion by the gateway and that the content identification device can recognize; to obtain, according to the information content of the access request, a judgment result that includes listing the address requested by the access request in the blacklist data or the whitelist data; and to send the judgment result to the gateway;
the gateway is further configured to update the blacklist data or whitelist data according to the judgment result on the information content of the access request returned by the content identification device.
In the user access control method of the embodiments of the present invention, the gateway checks the user's access request against the blacklist and whitelist data. At the same time, using the gateway's own protocol identification and protocol conversion functions, the information content requested by the user is converted by the gateway into data the content identification device can recognize and is then copied to the content identification device, which achieves targeted in-depth content inspection of the data users actually access. The content identification device promptly returns to the gateway its judgment result on whether the address requested by the access request is listed in the blacklist data or the whitelist data. Compared with the prior art, in which the network administrator has to update the blacklist and whitelist data manually, the embodiments of the present invention can update that data in real time with less manual involvement, thereby controlling user data access effectively and greatly improving the interception efficiency of blacklist and whitelist data control.
Brief Description of the Drawings
To explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Figure 1 is a schematic diagram of the architecture of a prior-art blacklist and whitelist data control system;
Figure 2 is a schematic diagram of the system architecture of the user access control method in an embodiment of the present invention;
Figure 3 is the first flowchart of the user access control method in an embodiment of the present invention;
Figure 4 is the second flowchart of the user access control method in an embodiment of the present invention;
Figure 5 is the third flowchart of the user access control method in an embodiment of the present invention;
Figure 6 is a schematic structural diagram of the gateway in an embodiment of the present invention;
Figure 7 is a schematic structural diagram of the content identification device in an embodiment of the present invention;
Figure 8 is a schematic structural diagram of the user access control system in an embodiment of the present invention.
Detailed Description
The embodiments of the present invention provide a user access control method, device and system that achieve targeted in-depth content inspection of the data users access and can update the blacklist and whitelist data in real time with less manual involvement, thereby controlling user data access effectively and greatly improving the interception efficiency of blacklist and whitelist data control.
The embodiments of the present invention are described in detail below with reference to the drawings:
Embodiment 1
This embodiment provides a user access control method. As shown in Figure 3, the method includes:
Step 101: receive an access request sent by a user.
Step 102: copy the information content of the access request to the content identification device. The information content of the access request is information content that has undergone protocol identification and protocol conversion and that the content identification device can recognize. The information content of the access request means the information content obtained from the network side in response to the user's access request.
A content identification device is a device that can identify and analyze content on the network such as text, pictures and video. Existing content identification devices, however, have fairly narrow recognition capabilities. For example, they can only recognize data from web page access over the Hypertext Transfer Protocol (HTTP); non-HTTP data such as Wireless Application Protocol (WAP) data, Real Time Streaming Protocol (RTSP) data and Microsoft Media Server protocol (MMS) data cannot be recognized, so the scope of analysis and detection is small.
To let the content identification device identify and analyze a wider range of data, this embodiment connects it to a network device that can perform protocol identification and protocol conversion. For example, this network device can be a gateway.
As shown in Figure 2, a gateway is placed between the user and the Internet, and the content identification device is connected to the gateway.
The user access control provided by this embodiment is mainly blacklist and whitelist control, and in this embodiment the gateway can apply blacklist and whitelist data control to the user's access requests. The blacklist and whitelist data is stored in the gateway. After receiving an access request sent by a user, the gateway can first check whether the address requested by the access request is in the existing blacklist data or whitelist data. If it is in neither, the gateway processes the information content of the access request, for example by protocol identification and protocol conversion, and then copies it to the content identification device. The copying may be done by optical splitting; splitting to the content identification device means that the gateway makes an identical copy of the information it receives and sends that copy to the content identification device.
Because the gateway itself has protocol identification and protocol conversion functions and strong Deep Packet Inspection (DPI) capability, it can convert the information content of access requests in various forms into HTTP data that the content identification device can recognize. The content identification device is thereby also able to identify and analyze many kinds of data. The interconnected gateway and content identification device can therefore apply blacklist and whitelist control to information content of many data types accessed by users.
The address in this embodiment may be a web page address on the Internet, or the address of a local disk or of a computer on a local area network; the embodiments of the present invention place no limitation on this.
In this embodiment, the content identification device takes a bypass split of the traffic at the gateway's Internet egress. By relying on the gateway's DPI capability and protocol conversion function, the position of the split point shields the content identification device from the problem of protocol adaptation with the various terminals, which solves the problem of the small recognition range of existing content identification devices. The content identification device can then analyze the information content of user access requests of many data types.
Step 103: update the blacklist and whitelist data according to the judgment result on the information content of the access request returned by the content identification device.
After analyzing the information content of the access request, the content identification device decides whether to list the address requested by the access request in the blacklist data or the whitelist data, and then sends the judgment result to the gateway. The gateway periodically checks whether the content identification device has sent a judgment result; when it detects one, it updates the blacklist and whitelist data stored in the gateway according to that result.
Updating the blacklist and whitelist data also covers the case where the gateway's lists hold no data yet: by receiving the blacklist and whitelist results produced by the content identification device's analysis, the gateway forms and stores its first blacklist and whitelist data, which is then used for blacklist and whitelist access control on the next user request.
In the user access control method of this embodiment, using the gateway's own protocol identification and protocol conversion functions, the information content requested by the user is converted by the gateway into data the content identification device can recognize and is then copied to the content identification device, which achieves targeted in-depth content inspection of the data users access. The content identification device promptly returns to the gateway its judgment result on whether the address requested by the access request is listed in the blacklist data or the whitelist data. Compared with the prior art, in which the network administrator has to update the blacklist and whitelist data manually, the embodiment of the present invention can update that data in real time with less manual involvement, controls user data access effectively, and greatly improves the interception efficiency of blacklist and whitelist data control.
Embodiment 2
This embodiment provides a user access control method. As shown in Figure 4, the method includes:
Step 201: the content identification device receives the information content of the user's access request sent by the gateway.
The content identification device performs in-depth analysis of the information content of the user's access request, such as text, pictures and video, and identifies illegal content in it. The content identification device can only recognize HTTP data, so the "information content of the user's access request sent by the gateway and received by the content identification device" here is HTTP data. The information content of the access request is information content that has undergone protocol identification and protocol conversion and that the content identification device can recognize.
Step 202: the content identification device obtains, according to the information content of the access request, a judgment result that includes listing the address requested by the access request in the blacklist data or the whitelist data.
The content identification device analyzes the information content of the access request, derives an analysis result according to the standard preset in the system, and then, based on that analysis result, decides whether to list the address requested by the access request in the blacklist data or the whitelist data.
Step 203: the content identification device sends the judgment result to the gateway, so that the gateway updates the blacklist data or whitelist data according to the judgment result.
In practice, the following situations commonly arise: a website in the original blacklist data has been cleaned up and no longer contains illegal content, so it should be listed in the whitelist data; or a website in the original whitelist data has newly added illegal content, so it should be listed in the blacklist data. Such situations make the blacklist and whitelist data stored in the gateway inaccurate, which seriously affects users.
To avoid these situations, the content identification device of this embodiment also has a crawling unit, which actively crawls information content according to a predefined crawling policy; the crawled information content covers at least the websites in the blacklist data and the whitelist data. The crawling policy here means the crawl time, the crawl frequency, the target websites to crawl, and so on. The crawling here can also be understood as a method such as sampling inspection.
The information content crawled by the crawling unit can likewise first be converted by the gateway and then enter the content identification device for analysis, producing a judgment result that lists the address of the crawled information content in the blacklist data or the whitelist data. The content identification device sends the judgment result to the gateway, and the gateway updates the blacklist data or whitelist data according to the judgment result.
In the user access control method of this embodiment, the gateway checks the user's access request against the blacklist and whitelist data. At the same time, using the gateway's own protocol identification and protocol conversion functions, the information content requested by the user is converted by the gateway into data the content identification device can recognize and is then copied to the content identification device, which achieves targeted in-depth content inspection of the data users access. The content identification device promptly returns to the gateway its judgment result on whether the address requested by the access request is listed in the blacklist data or the whitelist data. Compared with the prior art, in which the network administrator has to update the blacklist and whitelist data manually, the embodiment of the present invention can update that data in real time with less manual involvement, thereby controlling user data access effectively and greatly improving the interception efficiency of blacklist and whitelist data control. Further, this embodiment also provides a crawling unit that actively crawls the information content of the websites in the gateway's blacklist and whitelist data, which avoids the problem of a listed website's nature changing while the blacklist and whitelist data cannot change with it, and greatly improves the gateway's interception accuracy.
Embodiment 3
This embodiment provides a user access control method. As shown in Figure 5, the method includes:
Step 301: the gateway receives an access request sent by a user.
Step 302: the gateway determines whether the address requested by the access request is in the blacklist data or the whitelist data.
In this embodiment, the blacklist and whitelist data is stored in the gateway, and the gateway applies blacklist and whitelist data control to the user's access requests. The blacklist and whitelist data is usually a series of web page addresses (Uniform Resource Locators, URLs).
Step 303: if the address is in the whitelist data, the gateway lets the user's access request through.
Step 304: if the address is in the blacklist data, the gateway blocks the user's access request or issues a warning.
For example, if the gateway determines that the address requested by the user is in the blacklist data, then according to the preset handling mode it either warns the user and asks whether to continue the visit, or directly interrupts the visit.
Step 305: if the gateway determines that the address requested by the user's access request is in neither the blacklist data nor the whitelist data, it copies the information content of the access request to the content identification device. The information content of the access request is information content that has undergone protocol identification and protocol conversion and that the content identification device can recognize.
If the address requested by the user's access request is in neither the blacklist data nor the whitelist data, the gateway converts the information content of the access request into HTTP data that the content identification device can recognize and then copies it to the content identification device.
In practice, the following situations commonly arise: a website in the original blacklist data has been cleaned up and no longer contains illegal content, so it should be listed in the whitelist data; or a website in the original whitelist data has newly added illegal content, so it should be listed in the blacklist data. Such situations make the blacklist and whitelist data stored in the gateway inaccurate, which seriously affects users.
To avoid these situations, the content identification device of this embodiment also has a crawling unit, which actively crawls information content according to a predefined crawling policy; the crawled information content covers at least the websites in the blacklist data and the whitelist data. The crawling policy here means the crawl time, the crawl frequency, the target websites to crawl, and so on.
The information content crawled by the crawling unit is likewise first converted by the gateway and then enters the content identification device for analysis, producing a judgment result that lists the address of the crawled information content in the blacklist data or the whitelist data. The content identification device sends the judgment result to the gateway, and the gateway updates the blacklist data or whitelist data according to the judgment result.
Step 306: the gateway updates the blacklist data or whitelist data according to the judgment result on the information content of the access request returned by the content identification device.
To achieve fast communication between the gateway and the content identification device, this embodiment deploys the two at the same site and connects them with a network cable, or integrates them directly into a single system.
After analyzing the information content of the access request, the content identification device decides whether to list the address requested by the access request in the blacklist data or the whitelist data, and then sends the judgment result to the gateway. The judgment result here includes the result of listing the address requested by the access request in the blacklist data or the whitelist data. The gateway periodically checks whether the content identification device has sent a judgment result; when it detects one, it updates the blacklist and whitelist data stored in the gateway according to that result.
In addition, to preserve the speed of the user's Internet access, in this embodiment the updated blacklist data or whitelist data may take effect only for access requests the user sends subsequently. That is, once the gateway determines that the address requested by the user's access request is in neither the blacklist data nor the whitelist data, it lets that access request through. The analysis and judgment process of the content identification device introduces some delay, which would inevitably inconvenience the user; so, to preserve the speed and efficiency of the user's Internet access, the gateway can be configured in this way.
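The flow of steps 301 to 306 together with the crawling unit's re-check, as an added example that is not part of the patent text. `normalize`, `to_http`, `classify`, the `ILLEGAL-SAMPLE` marker and the `.example` sites are constructed stand-ins, and list keys are assumed to be lowercased host plus path.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable
from urllib.parse import urlsplit


class Verdict(Enum):
    BLACKLIST = "blacklist"
    WHITELIST = "whitelist"


def normalize(url: str) -> str:
    """List key (assumption): lowercased host plus path; scheme and trailing slash dropped."""
    parts = urlsplit(url if "//" in url else "//" + url)
    return (parts.hostname or "").lower() + (parts.path.rstrip("/") or "/")


def to_http(scheme: str, payload: str) -> str:
    """Stand-in for the gateway's protocol conversion: wrap any payload as HTTP-style text."""
    return f"HTTP/1.1 200 OK\r\nX-Original-Protocol: {scheme}\r\n\r\n{payload}"


def classify(http_text: str) -> Verdict:
    """Stand-in for the content identification device's preset standard (constructed marker)."""
    body = http_text.split("\r\n\r\n", 1)[1]
    return Verdict.BLACKLIST if "ILLEGAL-SAMPLE" in body else Verdict.WHITELIST


@dataclass
class Gateway:
    fetch: Callable[[str], tuple]  # key -> (scheme, payload) obtained from the network side
    blacklist: set = field(default_factory=set)
    whitelist: set = field(default_factory=set)
    verdict_queue: list = field(default_factory=list)  # results returned by the device

    def mirror(self, key: str) -> None:
        """Step 305: copy the converted content to the device; its verdict is queued."""
        scheme, payload = self.fetch(key)
        self.verdict_queue.append((key, classify(to_http(scheme, payload))))

    def handle(self, url: str) -> str:
        key = normalize(url)  # steps 301/302: receive the request, look up the address
        if key in self.blacklist:
            return "block"  # step 304 (a deployment may warn instead)
        if key in self.whitelist:
            return "allow"  # step 303
        self.mirror(key)
        return "allow"  # unknown address: the verdict only affects later requests

    def apply_verdicts(self) -> int:
        """Step 306: periodic check for verdicts; an address ends up in exactly one list."""
        applied = len(self.verdict_queue)
        for key, verdict in self.verdict_queue:
            if verdict is Verdict.BLACKLIST:
                self.whitelist.discard(key)
                self.blacklist.add(key)
            else:
                self.blacklist.discard(key)
                self.whitelist.add(key)
        self.verdict_queue.clear()
        return applied

    def crawl_recheck(self) -> None:
        """Crawling unit: re-examine every listed address so stale entries are corrected."""
        for key in sorted(self.blacklist | self.whitelist):
            self.mirror(key)


def demo() -> list:
    # Constructed sample "network side": list key -> (protocol, content).
    sites = {
        "media.example/stream": ("rtsp", "ILLEGAL-SAMPLE video stream"),
        "news.example/": ("http", "weather report"),
    }
    gw = Gateway(fetch=lambda key: sites.get(key, ("http", "")))
    results = [gw.handle("rtsp://MEDIA.example/stream")]     # unknown, let through
    gw.apply_verdicts()
    results.append(gw.handle("rtsp://media.example/stream/"))  # now blacklisted
    results.append(gw.handle("http://news.example"))          # unknown, let through
    gw.apply_verdicts()
    sites["news.example/"] = ("http", "ILLEGAL-SAMPLE added later")
    results.append(gw.handle("http://news.example/"))         # stale whitelist entry
    gw.crawl_recheck()
    gw.apply_verdicts()
    results.append(gw.handle("http://news.example/"))         # corrected by the re-check
    return results


if __name__ == "__main__":
    print(demo())
```

The fourth result shows the window the crawling unit exists to close: a whitelisted address keeps being allowed after its content changes, until the next re-check moves it to the blacklist.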
在实际应用中,不同的用户终端可能会经过不同的网关访问互联网,为了提高设备的利用率,降低运营成本,可将若干网关与同一个内容识别装置相连接。In practical applications, different user terminals may access the Internet through different gateways. In order to improve equipment utilization and reduce operating costs, several gateways can be connected to the same content recognition device.
本实施例的用户访问的控制方法,通过网关对用户的访问请求进行黑白名单数据的判断,所请求的网页在黑名单时阻断或者警告,在白名单时放行,同时利用网关自身的协议识别和协议转换的功能,用户请求的信息内容经网关转换为内容识别装置可识别的数据后,复制到内容识别装置,实现了有针对性的对用户访问数据的内容检测,内容识别装置及时将访问请求所请求的地址列入黑名单数据或白名单数据中的判断结果返回给网关,相比现有技术需要网管手动更新黑白名单数据,本发明实施例能实时更新黑白名单数据,减少了人工参与,从而有效地控制用户访问数据,大大提高了黑白名单数据控制的拦截效率。本实施例还设置了爬取单元来主动爬取网关中黑白名单数据中的网站的信息内容,避免了原有黑白名单数据中的网站属性发生变化,但黑白名单数据却无法改变的问题,大大提高了网关的拦截准确性。The user access control method of the present embodiment uses the gateway to judge the black and white list data of the user's access request. The requested web page is blocked or warned when it is in the black list, and it is released when it is in the white list. At the same time, it uses the protocol identification of the gateway itself With the function of protocol conversion, the information content requested by the user is converted into data recognizable by the content recognition device through the gateway, and then copied to the content recognition device, which realizes targeted content detection of the user's access data, and the content recognition device timely Request the requested address to be included in the blacklist data or the judgment result in the whitelist data to return to the gateway. Compared with the prior art, the network administrator needs to manually update the blacklist and whitelist data. The embodiment of the present invention can update the blacklist and whitelist data in real time, reducing manual participation , so as to effectively control user access to data, and greatly improve the interception efficiency of black and white list data control. This embodiment is also provided with a crawling unit to actively crawl the information content of the websites in the black and white list data in the gateway, avoiding the problem that the website attributes in the original black and white list data change, but the black and white list data cannot be changed. Improved interception accuracy for gateways.
Embodiment Four
This embodiment provides a gateway which, as shown in FIG. 6, includes a receiving unit 10, a copying unit 11 and an updating unit 12.
The receiving unit 10 receives the access request sent by the user.
The copying unit 11 is configured to copy the information content of the access request to the content identification device; the information content of the access request is information content that the content identification device can recognize after protocol identification and protocol conversion.
The updating unit 12 is configured to update the blacklist data or the whitelist data according to the judgment result on the information content of the access request returned by the content identification device.
The gateway of this embodiment further includes a judging unit 13.
The judging unit 13 is configured to judge whether the address requested by the access request is in the blacklist data or the whitelist data.
If the address is in the blacklist data, the user's access request is blocked or a warning is issued; if the address is in the whitelist data, the user's access request is allowed through; if the address is in neither the blacklist data nor the whitelist data, the information content of the access request is copied to the content identification device.
The judging unit 13 in this embodiment is further configured to judge whether the address requested by an access request that the user sends subsequently is in the updated blacklist data or whitelist data.
To enable fast communication between the gateway and the content identification device, this embodiment deploys the two at the same site and connects them with a network cable, or integrates them directly into a single system.
After analysing the information content of the access request, the content identification device decides whether the address requested by the access request is to be placed in the blacklist data or the whitelist data, and then sends the judgment result to the gateway. The gateway periodically checks whether the content identification device has sent a judgment result; when it detects one, it updates the blacklist and whitelist data stored in the gateway according to that result.
In practice, different user terminals may reach the Internet through different gateways. To improve equipment utilization and reduce operating costs, several gateways can be connected to the same content identification device.
The gateway of this embodiment has all the functions described for the gateway in the foregoing embodiments, which are not repeated here.
The gateway of this embodiment checks the user's access request against the blacklist and whitelist data and uses its own protocol identification and protocol conversion functions: the information content requested by the user is converted by the gateway into data the content identification device can recognize and is then copied to that device, which gives targeted deep content inspection of the data users access. The content identification device promptly returns to the gateway its judgment result placing the requested address in the blacklist data or the whitelist data. Compared with the prior art, in which a network administrator must update the blacklist and whitelist data manually, the embodiment of the present invention updates the data in real time and reduces manual involvement, so that user access to data is controlled effectively and the interception efficiency of blacklist and whitelist control is greatly improved.
Embodiment Five
This embodiment provides a content identification device which, as shown in FIG. 7, includes a receiving unit 21, a first identification unit 22 and a first sending unit 23.
The receiving unit 21 is configured to receive the information content of the user's access request sent by the gateway; the information content of the access request is information content that the content identification device can recognize after protocol identification and protocol conversion.
The first identification unit 22 is configured to obtain, according to the information content of the access request, a judgment result that includes placing the address requested by the access request in the blacklist data or the whitelist data.
The first sending unit 23 is configured to send the judgment result to the gateway, so that the gateway can update the blacklist data or the whitelist data according to the judgment result.
The content identification device of this embodiment further includes a crawling unit 24, a second identification unit 25 and a second sending unit 26.
The crawling unit 24 is configured to actively crawl information content according to a predefined crawling policy; the crawled information content is at least the information content of the websites in the blacklist data and the whitelist data. The crawling policy here refers to the crawl time, the crawl frequency, the target websites to crawl, and so on. The information content crawled by the crawling unit is likewise first converted by the gateway and then passed to the content identification device for analysis, which yields a judgment result placing the address of the crawled information content in the blacklist data or the whitelist data. The content identification device sends the judgment result to the gateway, and the gateway updates the blacklist data or the whitelist data according to it.
The second identification unit 25 is configured to obtain, according to the crawled information content, a judgment result placing the address of the crawled information content in the blacklist data or the whitelist data.
The second sending unit 26 is configured to send the judgment result to the gateway, so that the gateway can update the blacklist data or the whitelist data according to the judgment result.
To enable fast communication between the gateway and the content identification device, this embodiment deploys the two at the same site and connects them with a network cable, or integrates them directly into a single system.
After analysing the information content of the access request, the content identification device decides whether the address requested by the access request is to be placed in the blacklist data or the whitelist data, and then sends the judgment result to the gateway. The gateway periodically checks whether the content identification device has sent a judgment result; when it detects one, it updates the blacklist and whitelist data stored in the gateway according to that result.
In practice, different user terminals may reach the Internet through different gateways. To improve equipment utilization and reduce operating costs, several gateways can be connected to the same content identification device.
The content identification device of this embodiment has the functions described for the content identification device in Embodiment Three above, which are not repeated here.
The content identification device of this embodiment relies on the gateway's own protocol identification and protocol conversion functions: the information content requested by the user is converted into data the content identification device can recognize and is then copied to that device, which gives targeted content inspection of the data users access. The content identification device promptly returns to the gateway its judgment result placing the requested address in the blacklist data or the whitelist data. Compared with the prior art, in which a network administrator must update the blacklist and whitelist data manually, the embodiment of the present invention updates the data in real time and reduces manual involvement, so that user access to data is controlled effectively and the interception efficiency of blacklist and whitelist control is greatly improved. This embodiment also provides a crawling unit that actively crawls the information content of the websites listed in the gateway's blacklist and whitelist data. This avoids the problem of a listed website's attributes changing while the blacklist and whitelist data stay unchanged, and greatly improves the gateway's interception accuracy.
Embodiment Six
This embodiment provides a user access control system which, as shown in FIG. 8, includes a gateway 1 and a content identification device 2, connected to each other by a network cable.
The gateway 1 is configured to copy the information content of the access request to the content identification device 2 after judging that the address requested by the access request sent by the user is in neither the blacklist data nor the whitelist data; the information content of the access request is information content that the content identification device can recognize after protocol identification and protocol conversion.
Because the gateway itself has protocol identification and protocol conversion functions, it can convert the information content of access requests in various forms into HTTP data that the content identification device can recognize. This solves the problem that existing content identification devices have a narrow recognition range: the content identification device can analyse the information content of all user access requests.
The content identification device 2 is configured to receive the information content of the user's access request sent by the gateway 1; to obtain, according to that information content, a judgment result that includes placing the address requested by the access request in the blacklist data or the whitelist data; and then to send the judgment result to the gateway 1.
The gateway 1 is further configured to update the blacklist data or the whitelist data according to the judgment result on the information content of the access request returned by the content identification device 2.
The content identification device 2 of this embodiment may further include a crawling unit, a second identification unit and a second sending unit.
The crawling unit is configured to actively crawl information content according to a predefined crawling policy; the crawled information content is at least the information content of the websites in the blacklist data and the whitelist data. The crawling policy here refers to the crawl time, the crawl frequency, the target websites to crawl, and so on. The information content crawled by the crawling unit is likewise first converted by the gateway and then passed to the content identification device for analysis, which yields a judgment result placing the address of the crawled information content in the blacklist data or the whitelist data. The content identification device sends the judgment result to the gateway, and the gateway updates the blacklist data or the whitelist data according to it.
The second identification unit is configured to obtain, according to the crawled information content, a judgment result placing the address of the crawled information content in the blacklist data or the whitelist data.
The second sending unit is configured to send the judgment result to the gateway, so that the gateway can update the blacklist data or the whitelist data according to the judgment result.
To enable fast communication between the gateway 1 and the content identification device 2, this embodiment deploys the two at the same site and connects them with a network cable, or integrates them directly into a single system.
After analysing the information content of the access request, the content identification device 2 decides whether the address requested by the access request is to be placed in the blacklist data or the whitelist data, and then sends the judgment result to the gateway 1. The gateway 1 periodically checks whether the content identification device has sent a judgment result; when it detects one, it updates the blacklist and whitelist data stored in the gateway 1 according to that result.
In practice, different user terminals may reach the Internet through different gateways. To improve equipment utilization and reduce operating costs, several gateways 1 can be connected to the same content identification device 2.
In addition, in this embodiment the gateway 1 and the content identification device 2 can also be integrated and used as a single device.
The gateway 1 and the content identification device 2 of this embodiment have the functions of the gateway and the content identification device of Embodiments Four and Five, which are not repeated here.
In the user access control system of this embodiment, the gateway checks the user's access request against the blacklist and whitelist data and uses its own protocol identification and protocol conversion functions: the information content requested by the user is converted by the gateway into data the content identification device can recognize and is then copied to that device, which gives targeted deep content inspection of the data users access. The content identification device promptly returns to the gateway its judgment result placing the requested address in the blacklist data or the whitelist data. Compared with the prior art, in which a network administrator must update the blacklist and whitelist data manually, the embodiment of the present invention updates the data in real time and reduces manual involvement, so that user access to data is controlled effectively and the interception efficiency of blacklist and whitelist control is greatly improved.
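The flow this embodiment describes (list lookup at the gateway, copying of unlisted requests to the content identification device, timed pickup of verdicts, and the crawling unit's re-check of listed sites) can be sketched as follows. This is an added illustration, not code from the patent; the class names, the substring-marker classifier, the host normalization and the sample pages are assumptions.

```python
from collections import deque
from urllib.parse import urlsplit

BLOCK, ALLOW, ALLOW_AND_INSPECT = "block", "allow", "allow_and_inspect"


class ContentIdentifier:
    """Content identification device: analyses copied content and queues verdicts."""

    def __init__(self, bad_markers):
        # Assumption: substring markers stand in for the device's real analysis.
        self.bad_markers = [m.lower() for m in bad_markers]
        self.pending = deque()  # (host, "black" | "white") verdicts awaiting the gateway

    def classify(self, content):
        text = content.lower()
        return "black" if any(m in text for m in self.bad_markers) else "white"

    def submit(self, host, content):
        self.pending.append((host, self.classify(content)))

    def drain(self):
        verdicts = list(self.pending)
        self.pending.clear()
        return verdicts

    def recrawl(self, hosts, fetch):
        """Crawling unit: re-analyse hosts already on a list; skip unreachable ones."""
        for host in sorted(hosts):
            content = fetch(host)
            if content is not None:
                self.submit(host, content)


class Gateway:
    def __init__(self, device, blacklist=(), whitelist=()):
        self.device = device
        self.blacklist = set(blacklist)
        self.whitelist = set(whitelist)

    @staticmethod
    def normalize(url):
        # Stand-in for protocol identification/conversion: reduce the request to a
        # canonical host so "BAD.example." and "bad.example" hit the same list entry.
        host = urlsplit(url if "://" in url else "//" + url).hostname or ""
        return host.rstrip(".")

    def handle(self, url, content):
        host = self.normalize(url)
        if host in self.blacklist:
            return BLOCK
        if host in self.whitelist:
            return ALLOW
        # Unlisted address: copy to the device but do not wait for the verdict.
        self.device.submit(host, content)
        return ALLOW_AND_INSPECT

    def poll(self):
        """Timed check for verdicts; each one moves the host onto exactly one list."""
        applied = self.device.drain()
        for host, verdict in applied:
            self.blacklist.discard(host)
            self.whitelist.discard(host)
            (self.blacklist if verdict == "black" else self.whitelist).add(host)
        return applied


def demo():
    # Constructed sample pages and marker, for illustration only.
    pages = {"shop.example": "spring sale on garden tools",
             "bad.example": "you won a prize, enter card number"}
    gw = Gateway(ContentIdentifier(["enter card number"]), whitelist={"shop.example"})
    trace = [gw.handle("http://bad.example/win", pages["bad.example"]),  # released
             gw.handle("http://bad.example/win", pages["bad.example"])]  # still released
    gw.poll()  # verdict is picked up on the next timed check
    trace.append(gw.handle("http://BAD.example./win", pages["bad.example"]))
    trace.append(gw.handle("shop.example/cart", pages["shop.example"]))
    pages["shop.example"] = "session expired, enter card number"  # listed site changes
    gw.device.recrawl(gw.blacklist | gw.whitelist, pages.get)
    gw.poll()
    trace.append(gw.handle("http://shop.example/cart", pages["shop.example"]))
    return trace, gw


if __name__ == "__main__":
    print(demo()[0])
```

Every request to an unlisted host that arrives before the next timed check is released, which is the latency trade-off the description accepts; a shorter polling interval narrows that window.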
From the description of the above embodiments, those skilled in the art can clearly understand that the present invention can be implemented by software together with the necessary general-purpose hardware, and of course also by hardware alone, although in many cases the former is the better implementation. On this understanding, the technical solution of the present invention, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product is stored in a readable storage medium, the storage medium being a non-transitory storage medium such as a computer floppy disk, hard disk or optical disc, and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute the methods described in the embodiments of the present invention.
The above are only specific embodiments of the present invention, but the scope of protection of the present invention is not limited to them. Any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. The scope of protection of the present invention shall therefore be determined by the scope of protection of the claims.
Claims (11)
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/CN2011/072964 WO2011103835A2 (en) | 2011-04-18 | 2011-04-18 | User access control method, apparatus and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102754488A | 2012-10-24 |
| CN102754488B | 2016-06-08 |
Family
ID=44507279
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201180000362.5A Expired - Fee Related CN102754488B (en) | 2011-04-18 | 2011-04-18 | User access control method, device and system |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN102754488B (en) |
| WO (1) | WO2011103835A2 (en) |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106789868A (en) * | 2016-09-05 | 2017-05-31 | 中国人民财产保险股份有限公司 | A kind of website user's Activity recognition and managing and control system |
| CN106506533A (en) * | 2016-12-09 | 2017-03-15 | 上海谐桐信息技术有限公司 | Communication system, server, analysis and network safety browsing method and system |
| CN111262817A (en) * | 2018-11-30 | 2020-06-09 | 中移物联网有限公司 | A control method, management and control platform, gateway device and computer storage medium |
| CN109495508B (en) * | 2018-12-26 | 2021-07-13 | 成都科来网络技术有限公司 | Firewall configuration method based on service access data |
| CN109862025B (en) * | 2019-02-28 | 2021-10-01 | 北京安护环宇科技有限公司 | Access control method, device and system based on black and white lists |
| CN115865427B (en) * | 2022-11-14 | 2023-07-21 | 重庆伏特猫科技有限公司 | Data acquisition and monitoring method based on data routing gateway |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1588879A (en) * | 2004-08-12 | 2005-03-02 | 复旦大学 | Internet content filtering system and method |
| CN101202633A (en) * | 2006-12-13 | 2008-06-18 | 株式会社日立制作所 | Data publishing system and index holding device |
Family Cites Families (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR100678925B1 (en) * | 2006-01-27 | 2007-02-06 | 삼성전자주식회사 | Mobile device, apparatus and method for transmitting content therefor |
| CN101035128B (en) * | 2007-04-18 | 2010-04-21 | 大连理工大学 | Recognition and filtering method of triple webpage text content based on Chinese punctuation marks |
| CN100474819C (en) * | 2007-05-17 | 2009-04-01 | 华为技术有限公司 | A deep message detection method, network device and system |
| CN101674293B (en) * | 2008-09-11 | 2013-04-03 | 阿里巴巴集团控股有限公司 | Method and system for processing abnormal request in distributed application |
| CN101567888B (en) * | 2008-12-29 | 2011-12-21 | 郭世泽 | Safety protection method of network feedback host computer |
| CN101572701B (en) * | 2009-02-10 | 2013-11-20 | 中科信息安全共性技术国家工程研究中心有限公司 | Security gateway system for resisting DDoS attack for DNS service |
| CN101610473A (en) * | 2009-07-24 | 2009-12-23 | 成都思维世纪科技有限责任公司 | MMS content method for supervising and realize the device of this method |
-
2011
- 2011-04-18 WO PCT/CN2011/072964 patent/WO2011103835A2/en active Application Filing
- 2011-04-18 CN CN201180000362.5A patent/CN102754488B/en not_active Expired - Fee Related
Also Published As
| Publication number | Publication date |
|---|---|
| CN102754488A (en) | 2012-10-24 |
| WO2011103835A3 (en) | 2012-03-29 |
| WO2011103835A2 (en) | 2011-09-01 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20160608 |