
WO2023040983A1 - Access request processing method, electronic apparatus, electronic device, and medium - Google Patents


Info

Publication number
WO2023040983A1
Authority
WO
WIPO (PCT)
Prior art keywords
access request
user terminal
access
terminal device
target
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2022/119101
Other languages
French (fr)
Chinese (zh)
Inventor
李健富
苗辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guizhou Baishancloud Technology Co Ltd
Original Assignee
Guizhou Baishancloud Technology Co Ltd
Application filed by Guizhou Baishancloud Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Definitions

  • Embodiments of the present disclosure relate to but are not limited to a method for processing an access request, an electronic apparatus, an electronic device, and a medium.
  • a firewall or security software is installed to avoid network attacks.
  • the installation process of the firewall or security software is relatively cumbersome, and sometimes needs to be installed on multiple devices.
  • the firewall or security software needs to be maintained by professionals, resulting in high labor and economic costs.
  • the present disclosure provides an access request processing method, an electronic apparatus, an electronic device, and a medium to solve the problems in the related art that the user's network access is prone to security risks and the cost of maintaining various security devices is high.
  • a method for processing an access request is provided, which is applied to a user terminal device, and the method includes:
  • the risk type corresponding to the access request is a high risk type, directing the access request to a corresponding target node, so that the target node processes and responds to the access request;
  • Receiving response information returned by the target node, and sending the response information to the target terminal, the response information including at least part of the file data stream rendered by the target node.
  • a method for processing an access request is provided, which is applied to a distributed node in a distributed network, and the method includes:
  • the data to be rendered corresponding to the access request is obtained, and the access request is diverted by the user terminal device according to a pre-configured security access policy;
  • a method for processing an access request is provided, which is applied to a target terminal, and the method includes:
  • the response information including at least part of the file data stream rendered by the target node
  • the resource corresponding to the access request is displayed.
  • an access request processing electronic device is provided, which is applied to a user terminal device, including:
  • the first receiving module is configured to receive the access request sent by the target terminal
  • a determination module configured to determine a risk type corresponding to the access request based on the access request and a preconfigured security access policy, where the risk type is used to describe the degree of security risk corresponding to the access request;
  • a processing module configured to divert the access request to a corresponding target node if the risk type corresponding to the access request is a high risk type, so that the target node processes and responds to the access request;
  • a first sending module configured to receive response information returned by the target node, and send the response information to the target terminal, the response information including at least part of the file data stream rendered by the target node.
  • an access request processing electronic device is provided, which is applied to distributed nodes in a distributed network, including:
  • the obtaining module is configured to obtain the data to be rendered corresponding to the access request according to the access request sent by the user terminal device, and the access request is diverted by the user terminal device according to a pre-configured security access policy;
  • a generating module configured to render at least part of the data to obtain a corresponding file data stream
  • the response module is configured to send the file data stream to the user terminal device as response information, so that the user terminal device sends the response information to the target terminal.
  • an access request processing electronic device is provided, which is applied to a target terminal, including:
  • the second sending module is configured to send an access request to a user terminal device, so that the user terminal device performs access control on the access request according to a pre-configured security access policy;
  • the second receiving module is configured to receive response information sent by the user terminal device, where the response information includes at least part of the file data stream rendered by the target node;
  • the display module is configured to display the resource corresponding to the access request according to the file data stream.
  • an electronic device including:
  • a memory configured to store executable instructions
  • a display configured to be displayed with the memory to execute the executable instructions so as to complete the operation of any one of the access request processing methods described above.
  • a computer-readable storage medium configured to store computer-readable instructions, and when the instructions are executed, operations of the access request processing method described in any one of the above aspects are performed.
  • the user terminal device may receive the access request sent by the target terminal and, based on the pre-configured security access policy, determine the risk type corresponding to the access request, which describes the degree of security risk. After determining that the risk type corresponding to the access request is a high risk type, it diverts the access request to the corresponding target node, so that the target node processes and responds to the access request, and finally it receives the response information returned by the target node and sends the response information to the target terminal, wherein the response information includes at least part of the file data stream rendered by the target node.
  • the access request initiated by the end user can be diverted to a specific node in the distributed network through the user terminal device according to the pre-configured security access policy, so that the node can process the access request and return the response data to the end user through the user terminal equipment.
  • Fig. 1 is a schematic diagram of a method for processing an access request according to an exemplary embodiment
  • Fig. 2 is a schematic diagram showing another access request processing method according to an exemplary embodiment
  • Fig. 3 is a schematic diagram showing another access request processing method according to an exemplary embodiment
  • FIGS. 4-5 are schematic flowcharts of a method for processing an access request according to an exemplary embodiment
  • Figs. 6-8 are schematic diagrams of an electronic device for processing an access request according to an exemplary embodiment
  • Fig. 9 is a schematic diagram of an electronic device for processing an access request according to an exemplary embodiment.
  • Fig. 1 is a schematic flowchart of a method for processing an access request according to an exemplary embodiment. As shown in Figure 1, the method is applied to user terminal equipment, including:
  • the user terminal device may be a device close to the user side on the network location, the user terminal device may receive the data flow sent by the mobile terminal, and perform certain processing based on the received data flow, such as security access control, data leakage prevention and so on, and then send the data flow to the corresponding target network or target device.
  • the user terminal equipment may be a CPE (Customer Premise Equipment, user front equipment), a wireless router, a firewall, a server, an optical modem, a portable computer or a desktop computer, and the like.
  • the user terminal equipment in the exemplary embodiments of the present disclosure can be applied in various network environments, for example, including various local area networks, metropolitan area networks, and wide area networks.
  • user terminal equipment can be applied in SD-WAN (Software Defined Wide Area Network, software-defined wide area network), and it can also be applied in distributed networks, such as content distribution networks or edge computing networks, etc., which is not specifically limited in the present disclosure.
  • the user terminal device may also provide functions provided by the above-mentioned user terminal device, such as security access control, data leakage prevention, and the like.
  • the target terminal may determine the risk type of the access request based on the access request, and if the risk type is a high risk type, send the access request to the corresponding target node for subsequent processing.
  • the user terminal device may support network access of one or more mobile terminals.
  • the user terminal device may receive one access request at a time for processing, or it may receive multiple access requests at a time and process each access request separately, etc.
  • the access request may be sent by the target terminal to request access to the information of the corresponding resource.
  • the resource may be various types of resources.
  • the resource may include but is not limited to web page resources, video resources, picture resources, audio resources or text resources, etc.
  • the access request may also be information requesting access to cloud resources, such as cloud games, cloud desktops, and the like.
  • the user may generate an access request by clicking on a specific area (such as an "access" button or a "game start" button, etc.) on the display interface of the target terminal.
  • the target terminal may send the access request to the user terminal device.
  • the user terminal device may perform subsequent processing based on the access request.
  • the target terminal may send the access request to the user terminal device corresponding to the IP address based on the IP address of the user terminal device.
  • a diversion tunnel may be pre-established between the target terminal and the user terminal device, and the target terminal may send an access request to the user terminal device based on the diversion tunnel.
  • the tunneling protocol for establishing the diversion tunnel may include but is not limited to GRE, IPsec, or PAC, etc., and it may also be any other tunneling protocol that the target terminal and user terminal equipment can support. limited.
  • the security access policy may be policy information used to perform security access control on the access requests received by the user terminal equipment, so as to ensure the user's network security and avoid potential data security risks caused by accessing dangerous websites.
  • the user terminal device may determine whether it is a high-risk access request based on a pre-stored security access policy.
  • the pre-stored security access policy may be configured in advance by the user (for example, the user using the target terminal or the management user of the business platform that provides the service, etc.) and configured on the user terminal device.
  • the present disclosure does not specifically limit how to determine the risk type corresponding to the access request according to the security access policy.
  • the address information corresponding to the access request can be matched with the high-risk addresses contained in the pre-stored risk address set, so as to determine the potential risk corresponding to the access request according to whether the address information is in the risk address set.
  • the domain name information corresponding to the access request can also be matched with the high-risk domain names contained in the pre-stored risky domain name set, so as to determine the hidden risk corresponding to the access request according to whether the domain name information is in the risky domain name set.
  • the protocol type corresponding to the access request can also be matched with the high-risk protocols contained in the pre-stored risk protocol type set, so as to determine the potential risk corresponding to the access request according to whether the protocol type is in the risk protocol type set.
  • the above are merely exemplary embodiments, and the present disclosure does not make any special limitation thereto.
  • the risk type corresponding to the access request is a high risk type, divert the access request to a corresponding target node, so that the target node processes and responds to the access request.
  • when the user terminal device determines that the access request is of a high-risk type, then, in order to avoid the problem in the related art of potential safety hazards in user data caused by directly sending the access request to a risky website, the user terminal device can send the access request to a distributed node in the distributed network, and use the distributed node (i.e., the target node) to process the access request accordingly, so as to ensure that the content of the subsequent response data returned to the user terminal is rendered by the target node.
  • the target node may be any one or more nodes in the CDN distributed network, and the nodes may be edge nodes or non-edge nodes.
  • the target node is a distributed node in the CDN network
  • the distributed node can first forward the diverted access request to the CDN service. If the data resource corresponding to the access request is found at the current node, at least part of the data can be rendered, and the corresponding file data stream can be obtained and sent to the user terminal device.
  • the distributed node does not find the data resource corresponding to the access request on the current node, it can perform the back-to-source operation, and after receiving the data resource from the source server or the upper node, start the rendering instance on the distributed node.
  • each access request can establish a corresponding rendering instance to render webpage content, elements or other resources, convert it into a safe file data stream, and then return it to the user terminal device.
  • the target node may be an edge node in an edge cloud network, which may be a cloud computing platform based on the core of cloud computing technology and edge computing capabilities, built on edge infrastructure to form an elastic cloud platform with comprehensive computing, network, storage, security and other capabilities at the edge.
  • the edge cloud network may include multiple edge nodes (that is, distributed nodes). After the edge node receives the high-risk type of access request diverted, it can perform the back-to-source operation, and after receiving the data resource corresponding to the access request from the source server, start the rendering instance on the edge node.
  • each access request can establish a corresponding rendering instance to render webpage content, elements or other resources, convert it into a safe file data stream, and then return it to the user terminal device.
  • Exemplary embodiments of the present disclosure can divert high-risk access requests to CDN edge nodes through the default routing gateway, that is, predetermine the correspondence between user terminal equipment and target nodes, so that when the access request is determined to be of a high-risk type, the access request can be sent to the corresponding target node and processed by the target node.
  • the user terminal device may send the access request to the corresponding target device or target network. For example, if the access request is a request to visit www.A.com, then after determining that the risk type of the access request is a low-risk type, indicating that www.A.com is a safe destination address, the user terminal device can send the access request to www.A.com's source server.
  • S104 Receive response information returned by the target node, and send the response information to the target terminal, where the response information includes at least part of the file data stream rendered by the target node.
  • the user terminal device may receive the access request sent by the target terminal, and determine, based on the pre-configured security access policy, the risk type corresponding to the access request, which describes the degree of security risk. After determining that the risk type corresponding to the access request is a high risk type, it diverts the access request to the corresponding target node, so that the target node processes and responds to the access request, and finally it receives the response information returned by the target node and sends the response information to the target terminal, wherein the response information includes at least part of the file data stream rendered by the target node.
  • the access request initiated by the end user can be diverted to a specific node in the distributed network through the user terminal device, so that the node processes the access request and the response data is returned to the end user through the user terminal device.
  • the hidden dangers to user data security caused by an access request initiated by the end user directly reaching a malicious website are avoided.
  • the response information further includes a control data flow for instructing the target terminal to render the unrendered data.
  • the target node may render all the data resources corresponding to the access request and return them to the user terminal device, or may render only part of the data resources and return them to the user terminal device. Therefore, if there is unrendered data that needs to be returned to the target terminal, the response information may further include a control data flow for instructing the target terminal to render the unrendered data.
  • the control data stream may carry the unrendered data for the target terminal to acquire, so the target terminal does not need to acquire it separately, which not only improves the processing efficiency of the target terminal, but also prevents the target terminal from accessing malicious websites, thereby ensuring the data security of the target terminal.
  • the target node can be determined according to the dynamic and static types of the data to be rendered corresponding to the access request.
  • the data of the dynamic type is processed by the target node, and the data of the static type is rendered by the target terminal, etc.; the target node can also be determined according to the size of the data to be rendered corresponding to the access request, for example, the data whose size exceeds a certain threshold is rendered by the target node, and the data whose size is smaller than the threshold is rendered by the target terminal, and so on.
  • determining the risk type corresponding to the access request includes:
  • the protocol type, URL, or requested data type of the access request, and the pre-configured security access policy determine the risk type corresponding to the access request.
  • determining the risk type corresponding to the access request includes:
  • the risk type of the access request may be determined according to whether the address information corresponding to the access request is in the risk address set.
  • the address information corresponding to the access request may be matched with a pre-stored risk address set, so as to determine the hidden risk corresponding to the access request according to whether the address information is in the risk address set.
  • the address information corresponding to the access request exists in the risk address set, it may be determined that the access request corresponds to a high risk type. Otherwise, it is determined that the access request corresponds to a non-high risk category.
  • the risk type corresponding to the access request can be determined based on various information carried in the access request, which can ensure the effectiveness of determining the risk type, thereby ensuring the security of the user's network access.
  • determining the risk type corresponding to the access request includes:
  • the address information includes at least one of a target access address, a source address, or a static route corresponding to the access request.
  • the target access address corresponding to the access request can be matched with a pre-stored risk address set, so as to determine the potential risk corresponding to the access request according to whether the target access address is in the risk address set.
  • the source address corresponding to the access request can also be matched with the pre-stored risk domain name set, so as to determine the potential risk corresponding to the access request according to whether the source address is in the risk domain name set.
  • the static routing information corresponding to the access request can also be matched with the pre-stored risk static routing information set, so as to determine the potential risk corresponding to the access request according to whether the static routing information is in the risk static routing information set.
  • the static route may be a predetermined transmission route of the access request of the target terminal, and if the address of a certain hop in the transmission route is in the risk address set, it means that the transmission route has a security risk; therefore, the risk type of the access request may be determined as a high risk type.
  • before determining the risk type corresponding to the access request based on the access request and the pre-configured security access policy, the method further includes:
  • the previously stored security access policy is updated according to the update information.
  • the pre-configured security access policy in the present disclosure may be updated periodically, and the present disclosure does not specifically limit the subject or period of generating update information.
  • the distributed node may update the security access policy according to a certain update cycle to generate update information
  • the security management platform may update the security access policy according to a certain update cycle to generate update information.
  • when the user terminal device detects that there is currently updated information, it can update and upgrade the currently acquired security access policy according to the updated information, so as to ensure the best security access policy for access requests.
  • directing the access request to the corresponding target node includes:
  • the access request is sent to the corresponding target node using a private communication protocol, GRE, IPsec or PAC.
  • the access request may be sent through various transmission methods. For example, a private communication protocol can be used to send an access request, or an access request can be sent through a GRE (Generic Routing Encapsulation) channel. Access requests can also be sent through IPsec (Security Architecture for IP network, the IP-layer security architecture). Or, access requests can be sent through PAC (Proxy Auto-Config, proxy automatic configuration) rules and so on.
  • the user terminal device may send a scheduling request for the target access address to a scheduling node in the distributed network according to the target access address included in the access request, so that the scheduling node assigns, according to preset rules, a target node for processing the access request in response to the scheduling request for the target access address.
  • the preset rule can be that the scheduling node determines the area information of the corresponding target terminal or the area information of the source station according to the access request, and, according to the load balancing algorithm, selects from multiple distributed nodes the nodes whose parameters match the area information of the terminal or the area information of the source station as the target nodes.
  • a distributed node may include multiple servers, such as a scheduling server, a configuration server, at least one distributed server, and the like.
  • the user terminal device may send a scheduling request for the access request to the scheduling server (that is, the scheduling node), and the scheduling server may select one of at least one distributed server according to a preset scheduling rule or a load balancing algorithm as the target node of the access request, and return the address information of the target node to the user terminal device, so that the user terminal device can send the access request to the corresponding target node for subsequent processing according to the address information.
  • after the user terminal device receives the address information of the target node fed back by the scheduling node, it can use a private protocol to send the access request to the address of the target node through a pre-allocated channel and transmission mode, so that the target node will subsequently process and respond to the access request.
  • Through the use of the private protocol, the transmission is not easily maliciously cracked or intercepted by others, which ensures the security of data transmission.
  • Fig. 2 is a schematic flowchart of a method for processing an access request according to an exemplary embodiment. As shown in Figure 2, the method is applied to distributed nodes in a distributed network, including:
  • when the user terminal device determines that the access request is of a high-risk type, then, in order to avoid the problem in the related art of potential safety hazards in user data caused by directly sending the access request to a risky website, the user terminal device can send the access request to a distributed node in the distributed network, and use the distributed node (i.e., the target node) to process the access request accordingly, so as to ensure that the content of the subsequent response data returned to the user terminal is rendered by the target node.
  • the distributed nodes (ie target nodes) in the distributed network in the present disclosure may be determined by the scheduling nodes in the scheduling server.
  • the distributed node may be a distributed node selected randomly, or pre-designated, by the scheduling node from multiple distributed nodes as the target node.
  • the scheduling node can also select, from among multiple distributed nodes, a distributed node that matches the terminal area information and/or the source station area information as the target node.
  • the distributed nodes (that is, the target nodes) in the distributed network in the present disclosure may also be determined in other ways, such as pre-allocation, etc., which are not specifically limited in the present disclosure.
  • the distributed network in the exemplary embodiment of the present disclosure may be a CDN (Content Delivery Network, content distribution network) network, and the CDN network may include multiple distributed nodes.
  • the distributed network can also be a server cluster composed of multiple servers according to the distributed architecture, and the distributed node is any server in the server cluster.
  • the distributed network can also be an edge cloud network, which can be a cloud computing platform based on the core of cloud computing technology and edge computing capabilities, built on edge infrastructure to form an elastic cloud platform with comprehensive computing, network, storage, and security capabilities at the edge.
  • the edge cloud network may include multiple edge nodes (that is, distributed nodes), so as to provide services on the edge of the network closer to the terminal. It should be noted that the exemplary embodiments of the present disclosure do not limit what kind of network the distributed network is, and a network with a distributed architecture composed of any number of computing devices is applicable to the present disclosure.
  • the target node is a distributed node in the CDN network
  • the distributed node can first forward the diverted access request to the CDN service. If the data resource corresponding to the access request is found at the current node, at least part of the data can be rendered, and the corresponding file data stream can be obtained and sent to the user terminal device.
  • the distributed node does not find the data resource corresponding to the access request on the node, it can perform the back-to-source operation, and after receiving the data resource from the source server or the upper node, start the rendering instance on the distributed node.
  • each access request can establish a corresponding rendering instance to render webpage content, elements or other types of resources, and convert it into a safe file data stream and return it to the user terminal device.
  • the distributed nodes in the present disclosure may render all the data resources corresponding to the access request and return them to the user terminal device, or may render only part of the data resources and return them to the user terminal device. This disclosure does not limit it.
  • the rendering application instance in some exemplary embodiments of the present disclosure may include multiple pre-configured plug-ins, for example, flash plug-ins. In this way, subsequent page rendering can be realized without temporarily loading or installing corresponding plug-ins, which helps to improve rendering efficiency and save storage resources of the target terminal.
  • the distributed nodes may process based on the access request and feed back response information. For example, if the access request is an access request for a web page, the distributed node can obtain the page elements and components corresponding to the web page, and perform at least partial rendering according to the page elements and components to obtain the corresponding file data stream. The file data stream is sent to the user terminal device as response information, and then the user terminal device sends it to the target terminal.
  • the distributed node generates the corresponding file data stream based on the rendered data, so that malicious code or viruses carried by the data before rendering are not passed on; the file data stream is returned to the target terminal as the response information, which ensures the data security of the target terminal.
  • Some exemplary embodiments of the present disclosure may further include a step of establishing a general-purpose rendering application instance.
  • a common rendering application instance may be used to render page content of target terminals with different attribute information, such as target terminals with different screen sizes and/or target terminals with different resolutions. Therefore, by establishing a common rendering application instance, the tedium of establishing instances multiple times can be avoided, and a single rendering application instance can be adapted to target terminals with different attribute information, thereby improving rendering efficiency.
  • the present disclosure can generate a general rendering application instance according to preset rules; for example, a general rendering application instance is generated for the first access request received every day, every week, or every month, so that subsequent access requests can be processed expeditiously using the general rendering application instance, for example by processing multiple access requests at the same time or sorting multiple access requests.
  • the present disclosure can delete or release the relevant rendering data corresponding to the current rendering task each time the current rendering task is completed, so as to avoid leakage of user privacy data through acquisition by others and improve the information security of the present disclosure.
  • At least part of the rendering described in this disclosure may mean that the target node renders all the data resources corresponding to the access request and returns them to the user terminal device, or that the distributed node renders only part of the data resources and returns them to the user terminal device. The present disclosure does not limit this.
  • during the process of determining the data to be rendered, the determination can be made by acquiring attribute information of the target terminal that describes the task processing capability of the target terminal. In an exemplary embodiment, if the task processing capability of the target terminal is poor, little or no data may be allocated to it for rendering, and if the task processing capability of the target terminal is stronger, more data may be allocated to it for rendering, thus saving the computing resources of the target node.
  • the task processing capability attribute information may include at least one of computing resource occupancy information, network status information, and processor performance information of the target terminal.
  • the file data stream can be sent to the corresponding user terminal device as the response information of the access request, and then forwarded by the user terminal device to the corresponding target terminal.
  • the security risk of the target terminal's network access can be reduced, and the security of the target terminal can be guaranteed.
  • sending the file data stream to the user terminal device as response information, so that the user terminal device sends the response information to the target terminal includes:
  • For the unrendered data generate a control data flow for instructing the target terminal to render the unrendered data
  • the distributed node may render all data resources corresponding to the access request and return them to the user terminal device, or may render only part of the data resources and return them to the user terminal device. Therefore, if there is unrendered data that needs to be returned to the target terminal, the response information may further include a control data flow for instructing the target terminal to render the unrendered data, so that the distributed node can subsequently send the control data flow and the file data flow to the user terminal device as response information.
  • the present disclosure does not specifically limit how to determine the data to be rendered by the target node.
  • the target node may determine which data to be rendered is rendered by itself and which data to be rendered is rendered by the target terminal according to the dynamic and static content types of the requested page corresponding to the access request, and then render only the data that it is to render itself.
  • in the process of determining the data to be rendered it may also be obtained by acquiring the attribute information of the target terminal used to describe the task processing capability of the target terminal. The details are as described above, which will not be repeated in this disclosure.
  • after the target terminal receives the response information containing the control data flow and the file data flow, it can render the unrendered data based on the control data flow and update the file data flow, so as to obtain the complete resource, which is then displayed in the interface.
  • the method before obtaining the data to be rendered corresponding to the access request according to the access request sent by the user terminal device, the method further includes:
  • the update information is sent to the user terminal equipment, so that the user terminal equipment can update the security access policy according to the update information.
  • distributed nodes can identify risky addresses, thereby adding high-risk addresses in the network to the risky address set and generating update information for security access policies, for example, adding high-risk addresses not yet included in the existing risky address set, or deleting from the existing risky address set high-risk addresses that have been released. The distributed node can then send the update information to the user terminal device, so that the user terminal device can update the existing security access policy according to the update information, so as to ensure the timeliness of the security access policy.
  • the pre-configured security access policy mentioned above in the present disclosure may be updated regularly, and the present disclosure does not specifically limit the subject or period of generating update information.
  • the distributed nodes can update the security access policy according to a certain update cycle to generate update information
  • the security management platform can update the security access policy according to a certain update cycle to generate update information, which can be based on a fixed cycle
  • the update may also be performed without a fixed period, which is not particularly limited in the present disclosure.
  • the access request includes attribute information of the target terminal, and the attribute information is used to describe the page display characteristics of the target terminal;
  • Render at least part of the data to obtain the corresponding file data stream including:
  • At least part of the data is rendered by using a rendering application instance to obtain a corresponding file data stream.
  • the attribute information used to describe the page display characteristics of the target terminal may be at least one of screen size information, resolution information, and operating platform environment information of the target terminal.
  • the target terminal may carry attribute information describing its own page display characteristics on the access request during the process of sending the access request. After the distributed node receives the access request, it can directly read the attribute information carried in the access request, thereby improving the subsequent processing efficiency of the target node.
  • the target terminal can be, for example, one or more devices that have data access and data storage functions, such as a desktop computer, a notebook computer, a smart phone, a tablet computer, a smart watch, a smart bracelet, smart glasses, a smart speaker, a car computer, an AR device, and a VR device.
  • the distributed node can establish a rendering application instance corresponding to the target terminal and execute the rendering application instance to obtain and process the data to be rendered corresponding to the access request, thereby saving the computing resources of the target node and avoiding the situation in which the general rendering application instance does not match the target terminal and its computing capacity is excessive or insufficient.
  • the page display characteristics of the user terminal may be determined through an operating electronic device and/or screen display parameters of the user terminal.
  • the operating electronic device may include an Android operating electronic device, an IOS operating electronic device, a Win operating electronic device, and the like.
  • the screen display parameters may correspond to screen size, screen resolution, and so on.
  • the corresponding rendering application instance is opened, which can ensure that the rendering application instance is targeted and save the computing resources of the target node.
  • At least part of the data is rendered to obtain a corresponding file data stream, including:
  • According to the access request, sending an acquisition request for the attribute information of the target terminal to the target terminal, where the attribute information is used to describe the page display characteristics of the target terminal;
  • At least part of the data is rendered by using a rendering application instance to obtain a corresponding file data stream.
  • the distributed node may send an acquisition request for acquiring attribute information to the target terminal that generates the access request.
  • a corresponding rendering application instance can be specifically established for it.
  • the target node sends an acquisition request for attribute information to the target terminal, so that the target terminal can perceive the processing process of the target node and can perform corresponding operations under unexpected circumstances (such as current node failure or slow response), such as re-initiating access requests or sending processing progress queries.
  • obtaining the data to be rendered corresponding to the access request includes:
  • According to the access request sent by the user terminal device, determine the data to be rendered corresponding to the access request
  • the distributed node may first check whether there is data to be rendered corresponding to the access request stored in the current node. If it is stored, find the data resource corresponding to the access request from the current node and render at least part of the data, and get the corresponding file data stream and send it to the user terminal device
  • the distributed node can get the page content from other nodes than the current node, central cloud, data center or source server. And after receiving the data resource subsequently, start the rendering instance on the edge node. That is, render according to the content and elements of the webpage requested by the access request, so as to convert it into a secure file data stream and return it to the user terminal device as a response message.
  • Fig. 3 is a schematic flowchart of a method for processing an access request according to an exemplary embodiment. As shown in Figure 3, this method is applied to the target terminal, including:
  • S301 Send an access request to a user terminal device, so that the user terminal device performs access control on the access request according to a pre-configured security access policy.
  • the user terminal device can receive the access request sent by the target terminal device, so that the user terminal device can subsequently send the access request to the distributed node, and the distributed node can pull the corresponding data to be rendered from the target object corresponding to the access request.
  • the user terminal device sends it back to the target terminal.
  • after the target terminal receives the file data stream rendered by the target node, it can display the resource corresponding to the access request on its own display screen, according to the file data stream, for viewing by the user.
  • the access request initiated by the end user can be diverted to a specific node in the distributed network through the user terminal device, so that the node processes the access request and returns the response data to the end user through the user terminal device.
  • this avoids the user data security risk that arises when an access request initiated by the end user directly reaches a malicious website.
  • the response information further includes a control data flow for instructing the current terminal to render the unrendered data
  • display the resource corresponding to the access request including:
  • the resource corresponding to the access request is displayed.
  • the response information may further include a control data flow for instructing the target terminal to render the unrendered data.
  • the target terminal can subsequently update the file data stream according to the control data stream and the unrendered data; that is, the target terminal can render the unrendered data based on the control data stream and update the file data stream, so that after preset processing is performed on the updated file data stream, the resource corresponding to the access request is displayed on its own display screen for viewing and feedback by the user.
  • the target terminal can directly display the resource corresponding to the access request on its own display screen based on the file data stream for the user to view and feedback.
  • Fig. 4 is an overall flowchart of a method for processing an access request according to an exemplary embodiment. Specifically, it includes:
  • the user terminal device can receive the access request sent by the target terminal and, based on the pre-configured security access policy, after determining that the risk type corresponding to the access request is a high risk type, divert the access request to the corresponding distributed node, so that the distributed node processes and responds to the access request; finally, it receives the response information returned by the distributed node, which includes the file data stream obtained by rendering at least part of the data, and sends the response information to the target terminal.
  • Fig. 5 is an overall flow chart showing a method for processing an access request according to an exemplary embodiment. Specifically, it includes:
  • the target terminal sends an access request to the user terminal device; based on the access request and the pre-configured security access policy, the user terminal device determines the risk type corresponding to the access request, which describes the degree of security risk corresponding to the access request, and after determining that the risk type corresponding to the access request is a high risk type, sends the high-risk access request to the target node.
  • after the target node receives a high-risk type of access request, it can obtain the data to be rendered corresponding to the access request from the current node or the original server and render at least part of the data to obtain the corresponding file data stream; for the unrendered data, after generating the control data stream for instructing the target terminal to render the unrendered data, it can send the control data stream and the file data stream to the user terminal device as response information, so that the user terminal device sends the response information to the target terminal.
  • the target terminal can display the resource corresponding to the access request according to the control data flow and the file data flow.
  • Fig. 6 shows an electronic device for processing an access request according to an exemplary embodiment.
  • It includes a first receiving module 401, a determining module 402, a processing module 403, and a first sending module 404, is applied to user terminal equipment, and includes:
  • the first receiving module 401 is configured to receive an access request sent by a target terminal
  • the determining module 402 is configured to determine a risk type corresponding to the access request based on the access request and a pre-configured security access policy, where the risk type is used to describe the security risk degree corresponding to the access request;
  • the processing module 403 is configured to divert the access request to a corresponding target node if the risk type corresponding to the access request is a high risk type, so that the target node processes and responds to the access request;
  • the first sending module 404 is configured to receive response information returned by the target node, and send the response information to the target terminal, the response information including at least part of the file data stream rendered by the target node.
  • the user terminal device may receive the access request sent by the target terminal, and determine the risk type corresponding to the access request for describing the degree of security risk based on the pre-configured security access policy. After determining that the risk type corresponding to the access request is a high risk type, it diverts the access request to the corresponding target node, so that the target node processes and responds to the access request, and finally receives the response information returned by the target node and sends the response information to the target terminal, wherein the response information includes at least part of the file data stream rendered by the target node.
  • the response information further includes a control data flow for instructing the target terminal to render data that has not been rendered.
  • the determining module 402 further includes:
  • the determination module 402 is configured to determine the risk type corresponding to the access request according to the protocol type, URL, or requested data type of the access request, and a pre-configured security access policy.
  • the determining module 402 further includes:
  • a determining module 402 configured to determine address information corresponding to the access request
  • the determining module 402 is configured to determine a risk type corresponding to the access request based on the address information and a pre-configured security access policy.
  • the determining module 402 further includes:
  • the determination module 402 is configured to match the address information with a preset high-risk address set, where the high-risk address set includes at least one high-risk address;
  • the determining module 402 is configured to determine that the risk type corresponding to the access request is a high risk type if the address information exists in the high risk address set.
  • the address information includes at least one of a target access address, a source address, or a static route corresponding to the access request.
  • the determining module 402 further includes:
  • the determination module 402 is configured to receive update information for the security access policy sent by the distributed node or the security management platform;
  • the determining module 402 is configured to update the previously stored security access policy according to the update information.
  • the determining module 402 further includes:
  • the determining module 402 is configured to send the access request to the corresponding target node by using a private communication protocol, GRE, IPsec or PAC.
  • Fig. 7 shows an electronic device for processing an access request according to an exemplary embodiment.
  • It includes an acquisition module 405, a generation module 406, and a response module 407, is applied to distributed nodes in a distributed network, and includes:
  • the obtaining module 405 is configured to obtain the data to be rendered corresponding to the access request according to the access request sent by the user terminal device, and the access request is diverted by the user terminal device according to a pre-configured security access policy;
  • the generating module 406 is configured to render at least part of the data to obtain a corresponding file data stream
  • the response module 407 is configured to send the file data stream to the user terminal device as response information, so that the user terminal device sends the response information to the target terminal.
  • the generating module 406 further includes:
  • a generating module 406, configured to generate, for the unrendered data, a control data stream for instructing the target terminal to render the unrendered data;
  • the generating module 406 is configured to send the control data stream and the file data stream to the user terminal device as response information, so that the user terminal device sends the response information to the target terminal.
  • the generating module 406 further includes:
  • the generating module 406 is configured to identify high-risk addresses and obtain update information for security access policies
  • the generating module 406 is configured to send the update information to the user terminal device, so that the user terminal device can update the security access policy according to the update information.
  • the generating module 406 further includes:
  • the generation module 406 is configured to render at least part of the data to obtain a corresponding file data stream, including:
  • the generating module 406 is configured to read the attribute information of the target terminal according to the access request;
  • the generating module 406 is configured to create a rendering application instance corresponding to the attribute information according to the attribute information;
  • the generating module 406 is configured to use the rendering application instance to render at least part of the data to obtain a corresponding file data stream.
  • the generating module 406 further includes:
  • the generating module 406 is configured to send to the target terminal an acquisition request for attribute information of the target terminal according to the access request, where the attribute information is used to describe the page display characteristics of the target terminal;
  • the generating module 406 is configured to create a rendering application instance corresponding to the attribute information based on the attribute information fed back by the target terminal according to the acquisition request;
  • the generating module 406 is configured to use the rendering application instance to render at least part of the data to obtain a corresponding file data stream.
  • the generating module 406 further includes:
  • the generating module 406 is configured to determine the data to be rendered corresponding to the access request according to the access request sent by the user terminal device;
  • a generating module 406 configured to detect whether the current node stores the data
  • a generating module 406, configured to obtain the data from the current node, if any;
  • the generating module 406 is configured to obtain the data from the original server if there is no data.
  • Fig. 8 shows an electronic device for processing an access request according to an exemplary embodiment. It includes the second sending module 408, the second receiving module 409, and the display module 410, is applied to the target terminal, and includes:
  • the second sending module 408 is configured to send an access request to the user terminal device, so that the user terminal device performs access control on the access request according to a pre-configured security access policy;
  • the second receiving module 409 is configured to receive response information sent by the user terminal device, where the response information includes at least part of the file data stream rendered by the target node;
  • the display module 410 is configured to display the resource corresponding to the access request according to the file data stream.
  • the second receiving module 409 further includes:
  • the second receiving module 409 is configured to display the resource corresponding to the access request according to the file data stream, including:
  • the second receiving module 409 is configured to update the file data stream according to the control data stream and the unrendered data
  • the second receiving module 409 is configured to display the resource corresponding to the access request according to the updated file data stream.
  • Fig. 9 is a logical structural block diagram of an electronic device according to an exemplary embodiment.
  • the electronic device 500 may be a mobile phone, a computer, a digital broadcast terminal, a messaging device, a game console, a tablet device, a medical device, a fitness device, a personal digital assistant, and the like.
  • a non-transitory computer-readable storage medium including instructions, such as a memory including instructions, the instructions can be executed by a processor of an electronic device to complete the above-mentioned network monitoring method, the method includes:
  • the user terminal device may receive the access request sent by the target terminal, and determine the risk type corresponding to the access request for describing the degree of security risk based on the pre-configured security access policy.
  • the access request is diverted to the corresponding target node, so that the target node processes and responds to the access request; finally, the response information returned by the target node is received and sent to the target terminal, wherein the response information includes at least part of the file data stream rendered by the target node.
  • the above instructions may also be executed by the processor of the electronic device to complete other steps involved in the above exemplary embodiments.
  • the non-transitory computer readable storage medium may be ROM, random access memory (RAM), CD-ROM, magnetic tape, floppy disk, optical data storage device, and the like.
  • an application program/computer program product including one or more instructions, where the one or more instructions can be executed by a processor of an electronic device to complete the above-mentioned network monitoring method. The method includes: in this disclosure, the user terminal device may receive the access request sent by the target terminal, and determine the risk type corresponding to the access request for describing the degree of security risk based on the pre-configured security access policy.
  • the access request is diverted to the corresponding target node, so that the target node processes and responds to the access request; finally, the response information returned by the target node is received and sent to the target terminal, wherein the response information includes at least part of the file data stream rendered by the target node.
  • the above instructions may also be executed by the processor of the electronic device to complete other steps involved in the above exemplary embodiments.
  • FIG. 9 is an example diagram of a computer device 50.
  • FIG. 9 is only an example of the computer device 50 and does not constitute a limitation on the computer device 50, which may include more or fewer components than those shown in the figure, combine certain components, or use different components; for example, the computer device 50 may also include an input and output device, a network access device, a bus, and the like.
  • the so-called processor 502 may be a central processing unit (Central Processing Unit, CPU), and may also be other general-purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), Field-Programmable Gate Array (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • the general-purpose processor can be a microprocessor, or the processor 502 can be any conventional processor, etc.
  • the processor 502 is the control center of the computer device 50 and uses various interfaces and lines to connect various parts of the entire computer device 50.
  • the memory 501 can be used to store computer-readable instructions 503, and the processor 502 implements various functions of the computer device 50 by running or executing computer-readable instructions or modules stored in the memory 501 and calling data stored in the memory 501.
  • the memory 501 can mainly include a program storage area and a data storage area, wherein the program storage area can store an operating system and at least one application program required by a function (such as a sound playback function, an image playback function, etc.), and the data storage area can store data created through use of the computer device 50, and the like.
  • the memory 501 can include a hard disk, a memory, a plug-in hard disk, a smart memory card (Smart Media Card, SMC), a secure digital (Secure Digital, SD) card, a flash memory card (Flash Card), at least one magnetic disk storage device, a flash memory device, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), or other non-volatile/volatile storage devices.
  • If the integrated modules of the computer device 50 are realized in the form of software function modules and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, all or part of the procedures in the methods of the above exemplary embodiments of the present disclosure can also be completed by instructing related hardware through computer-readable instructions, and the computer-readable instructions can be stored in a computer-readable storage medium; when the computer-readable instructions are executed by the processor, the steps of the above exemplary method embodiments can be realized.
  • The access request initiated by the terminal user is diverted to a specific node in the distributed network through the user terminal device according to the pre-configured security access policy, so that the node processes the access request and returns the response data to the terminal user through the user terminal device.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Information Transfer Between Computers (AREA)
  • Storage Device Security (AREA)

Abstract

The present disclosure relates to an access request processing method, an electronic apparatus, an electronic device, and a medium. In the present disclosure, a user terminal device may receive an access request sent by a target terminal, and determine, on the basis of a pre-configured security access policy, a risk type that is for describing a security risk degree and that corresponds to the access request. After determining that the risk type corresponding to the access request is a high risk type, the access request is directed to a corresponding target node such that the target node processes and responds to the access request. Finally, response information returned by the target node is received and sent to the target terminal, wherein the response information comprises at least part of a file data stream rendered by the target node.

Description

Access request processing method, electronic apparatus, electronic device, and medium

This disclosure is based on, and claims priority to, the Chinese patent application filed with the China Patent Office on September 18, 2021, with application number 202111112491.5 and the invention title "Access request processing method, electronic apparatus, electronic device, and medium"; the entire content of that Chinese patent application is hereby incorporated into this disclosure by reference.

Technical field

Embodiments of the present disclosure relate to, but are not limited to, an access request processing method, an electronic apparatus, an electronic device, and a medium.

Background

With the development of Internet technology, the scale and speed of network attacks keep increasing, and the challenges faced by network security are becoming increasingly severe.

In the related art, a firewall or security software is generally installed to avoid network attacks. However, installing a firewall or security software is cumbersome and sometimes has to be repeated on multiple devices, and the firewall or security software must be maintained by professionals, which results in high labor and economic costs.

Therefore, how to ensure the network security of users while reducing the cost of maintaining various security devices has become a technical problem that urgently needs to be solved.

Summary of the invention

The following is an overview of the subject matter described in detail herein. This overview is not intended to limit the scope of protection of the claims.

The present disclosure provides an access request processing method, an electronic apparatus, an electronic device, and a medium, to solve the problems in the related art that a user's network access is prone to security risks and that the cost of maintaining various security devices is high.

According to a first aspect of the present disclosure, an access request processing method is provided, which is applied to a user terminal device, and the method includes:

receiving an access request sent by a target terminal;

determining, based on the access request and a pre-configured security access policy, a risk type corresponding to the access request, where the risk type is used to describe the degree of security risk corresponding to the access request;

if the risk type corresponding to the access request is a high-risk type, diverting the access request to a corresponding target node, so that the target node processes and responds to the access request;

receiving response information returned by the target node, and sending the response information to the target terminal, the response information including at least part of a file data stream rendered by the target node.

According to a second aspect of the present disclosure, an access request processing method is provided, which is applied to a distributed node in a distributed network, and the method includes:

obtaining, according to an access request sent by a user terminal device, the data to be rendered corresponding to the access request, where the access request is diverted by the user terminal device according to a pre-configured security access policy;

rendering at least part of the data to obtain a corresponding file data stream;

sending the file data stream to the user terminal device as response information, so that the user terminal device sends the response information to a target terminal.

According to a third aspect of the present disclosure, an access request processing method is provided, which is applied to a target terminal, and the method includes:

sending an access request to a user terminal device, so that the user terminal device performs access control on the access request according to a pre-configured security access policy;

receiving response information sent by the user terminal device, the response information including at least part of a file data stream rendered by a target node;

displaying, according to the file data stream, the resource corresponding to the access request.

According to a fourth aspect of the present disclosure, an electronic apparatus for processing an access request is provided, which is applied to a user terminal device and includes:

a first receiving module, configured to receive an access request sent by a target terminal;

a determination module, configured to determine, based on the access request and a pre-configured security access policy, a risk type corresponding to the access request, where the risk type is used to describe the degree of security risk corresponding to the access request;

a processing module, configured to divert the access request to a corresponding target node if the risk type corresponding to the access request is a high-risk type, so that the target node processes and responds to the access request;

a first sending module, configured to receive response information returned by the target node and send the response information to the target terminal, the response information including at least part of a file data stream rendered by the target node.

According to a fifth aspect of the present disclosure, an electronic apparatus for processing an access request is provided, which is applied to a distributed node in a distributed network and includes:

an obtaining module, configured to obtain, according to an access request sent by a user terminal device, the data to be rendered corresponding to the access request, where the access request is diverted by the user terminal device according to a pre-configured security access policy;

a generating module, configured to render at least part of the data to obtain a corresponding file data stream;

a response module, configured to send the file data stream to the user terminal device as response information, so that the user terminal device sends the response information to a target terminal.

According to a sixth aspect of the present disclosure, an electronic apparatus for processing an access request is provided, which is applied to a target terminal and includes:

a second sending module, configured to send an access request to a user terminal device, so that the user terminal device performs access control on the access request according to a pre-configured security access policy;

a second receiving module, configured to receive response information sent by the user terminal device, the response information including at least part of a file data stream rendered by a target node;

a display module, configured to display, according to the file data stream, the resource corresponding to the access request.

According to a seventh aspect of the present disclosure, an electronic device is provided, including:

a memory, configured to store executable instructions; and

a display, configured to display with the memory so as to execute the executable instructions and thereby complete the operations of any one of the access request processing methods described above.

According to an eighth aspect of the present disclosure, a computer-readable storage medium is provided, configured to store computer-readable instructions which, when executed, perform the operations of the access request processing method described in any one of the above aspects.

In the present disclosure, the user terminal device may receive an access request sent by the target terminal and, based on the pre-configured security access policy, determine the risk type corresponding to the access request, which describes the degree of security risk. After determining that the risk type corresponding to the access request is the high-risk type, the access request is diverted to the corresponding target node so that the target node processes and responds to it; finally, the response information returned by the target node is received and sent to the target terminal, where the response information includes at least part of a file data stream rendered by the target node. By applying the technical solution of the present disclosure, the user terminal device can, according to the pre-configured security access policy, divert an access request initiated by an end user to a specific node in the distributed network, so that the node processes the access request and returns the response data to the end user through the user terminal device. This avoids the user data security risk that arises when an access request initiated by an end user directly reaches a malicious website, ensures the user's network security, and removes the need for the user to maintain multiple security devices, which reduces maintenance costs.

The technical solutions of the present disclosure are described in further detail below with reference to the accompanying drawings and exemplary embodiments.

It should be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and do not limit the present disclosure. Other aspects will become apparent upon reading and understanding the drawings and the detailed description.

Brief description of the drawings

The accompanying drawings, which constitute a part of the present disclosure, are used to provide a further understanding of the present disclosure; the exemplary embodiments of the present disclosure and their descriptions are used to explain the present disclosure and do not constitute an improper limitation of it. In the drawings:

Fig. 1 is a schematic diagram of an access request processing method according to an exemplary embodiment;

Fig. 2 is a schematic diagram of another access request processing method according to an exemplary embodiment;

Fig. 3 is a schematic diagram of yet another access request processing method according to an exemplary embodiment;

Figs. 4-5 are schematic flowcharts of an access request processing method according to an exemplary embodiment;

Figs. 6-8 are schematic diagrams of an electronic apparatus for processing an access request according to an exemplary embodiment;

Fig. 9 is a schematic diagram of an electronic device for processing an access request according to an exemplary embodiment.

Detailed description

Various exemplary embodiments of the present disclosure will now be described in detail with reference to the accompanying drawings. It should be noted that the relative arrangement of components and steps, the numerical expressions and the numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise.

At the same time, it should be understood that, for ease of description, the sizes of the various parts shown in the drawings are not drawn to actual scale.

The following description of at least one exemplary embodiment is merely illustrative and in no way limits the present disclosure or its application or uses.

Techniques, methods and devices known to those of ordinary skill in the relevant art may not be discussed in detail, but where appropriate, such techniques, methods and devices should be considered part of the description.

It should be noted that like numerals and letters denote like items in the following figures; therefore, once an item is defined in one figure, it does not need to be discussed further in subsequent figures.

In addition, the technical solutions of the various embodiments of the present disclosure can be combined with each other, but only on the basis that a person of ordinary skill in the art can implement the combination. When a combination of technical solutions is contradictory or cannot be implemented, the combination should be considered not to exist and not to fall within the scope of protection claimed by the present disclosure.

It should be noted that all directional indications in the embodiments of the present disclosure (such as up, down, left, right, front, back...) are only used to explain the relative positional relationship, movement and so on between the components in a certain posture (as shown in the drawings); if that posture changes, the directional indication changes accordingly.

The method for processing an access request according to an exemplary embodiment of the present disclosure is described below with reference to Figs. 1-5. It should be noted that the following application scenarios are shown only to facilitate understanding of the spirit and principles of the present disclosure, and the embodiments of the present disclosure are not limited in this respect. On the contrary, the embodiments of the present disclosure can be applied to any applicable scenario.

Fig. 1 is a schematic flowchart of an access request processing method according to an exemplary embodiment. As shown in Fig. 1, the method is applied to a user terminal device and includes:

S101. Receive an access request sent by a target terminal.

The user terminal device may be a device whose network location is close to the user side. It may receive the data traffic sent by a mobile terminal, perform certain processing on the received data traffic, such as security access control, data leakage prevention and so on, and then send the data traffic to the corresponding target network or target device. For example, the user terminal device may be a CPE (Customer Premise Equipment), a wireless router, a firewall, a server, an optical modem, a portable computer, a desktop computer, and the like.

The user terminal device in the exemplary embodiments of the present disclosure can be applied in various network environments, including, for example, various local area networks, metropolitan area networks and wide area networks. In some exemplary embodiments, the user terminal device can be applied in an SD-WAN (Software Defined Wide Area Network); it can also be applied in a distributed network, such as a content distribution network or an edge computing network, which is not specifically limited in the present disclosure.

In an exemplary embodiment, the user terminal device may also provide the functions provided by the above-mentioned user terminal device, such as security access control, data leakage prevention, and the like. For example, the target terminal may determine the risk type of the access request based on the access request and, if the risk type is the high-risk type, send the access request to the corresponding target node for subsequent processing.

In an exemplary embodiment, the user terminal device may support network access by one or more mobile terminals. For example, the user terminal device may receive one access request at a time for processing, or it may receive multiple access requests at a time and process each access request separately.

The access request may be information sent by the target terminal to request access to a corresponding resource. In an exemplary embodiment, the resource may be of various types, including but not limited to web page resources, video resources, picture resources, audio resources or text resources. In an exemplary embodiment, the access request may also be information requesting access to cloud resources, such as cloud games, cloud desktops, and the like.

In an exemplary embodiment of the present disclosure, the user may generate an access request by clicking on a specific area (such as an "access" button or a "game start" button) on the display interface of the target terminal. The target terminal may send the access request to the user terminal device. After receiving the access request, the user terminal device may perform subsequent processing based on it.

In an exemplary embodiment, the target terminal may, based on the IP address of the user terminal device, send the access request to the user terminal device corresponding to that IP address. In another exemplary embodiment, a diversion tunnel may be pre-established between the target terminal and the user terminal device, and the target terminal may send the access request to the user terminal device through that tunnel. In an exemplary embodiment, the tunneling protocol used to establish the diversion tunnel may include but is not limited to GRE, IPsec or PAC, and it may also be any other tunneling protocol that the target terminal and the user terminal device support, which is not specifically limited in the present disclosure.

S102. Based on the access request and the pre-configured security access policy, determine the risk type corresponding to the access request, where the risk type is used to describe the degree of security risk corresponding to the access request.

The security access policy may be policy information used to perform security access control on the access requests received by the user terminal device, so as to ensure the user's network security and avoid the data security risks caused by visiting dangerous websites.

In an exemplary embodiment of the present disclosure, after receiving an access request, the user terminal device may determine, based on a pre-stored security access policy, whether it is a high-risk access request.

In an exemplary embodiment, the pre-stored security access policy may be configured in advance by a user (for example, the user of the target terminal or an administrator of the business platform that provides the service) and deployed on the user terminal device.

The present disclosure does not specifically limit how the risk type corresponding to the access request is determined according to the security access policy. For example, the address information corresponding to the access request can be matched against the high-risk addresses contained in a pre-stored risk address set, so that the risk corresponding to the access request is determined by whether the address information is in the risk address set. Alternatively, the domain name information corresponding to the access request can be matched against the high-risk domain names contained in a pre-stored risk domain name set, so that the risk is determined by whether the domain name information is in the risk domain name set. Alternatively, the protocol type corresponding to the access request can be matched against the high-risk protocols contained in a pre-stored risk protocol type set, so that the risk is determined by whether the protocol type is in the risk protocol type set. The above are merely exemplary embodiments, and the present disclosure is not specifically limited in this respect.

S103. If the risk type corresponding to the access request is the high-risk type, divert the access request to the corresponding target node, so that the target node processes and responds to the access request.

In an exemplary implementation, when the user terminal device determines that the access request is of the high-risk type, it avoids the problem in the related art that sending the access request directly to a risky website exposes user data to security risks. The user terminal device can send the access request to a distributed node in the distributed network and use that distributed node (that is, the target node) to process the access request, which ensures that the content of the response data subsequently returned to the user terminal is rendered and generated by the target node. This avoids the problem in the related art that rendering the data at the user terminal easily creates user data security risks.

In an exemplary implementation, the target node may be any one or more nodes in a CDN distributed network, and the node may be an edge node or a non-edge node.

For example, when the target node is a distributed node in a CDN network, the distributed node, after receiving a diverted high-risk access request, can first forward the diverted access request to the CDN service. If the data resource corresponding to the access request is found at the current node, at least part of that data can be rendered, and the resulting file data stream is sent to the user terminal device. When the distributed node does not find the data resource corresponding to the access request at the current node, it can perform a back-to-source operation and, after subsequently receiving the data resource from the source server or an upper-layer node, start a rendering instance on the distributed node. In an exemplary embodiment, a corresponding rendering instance can be established for each access request to render web page content, elements or other resources, convert them into a safe file data stream, and return it to the user terminal device.

In another exemplary embodiment, the target node may be an edge node in an edge cloud network. The edge cloud network may be a cloud computing platform built on edge infrastructure, based on the core of cloud computing technology and on edge computing capabilities, forming an elastic cloud platform with comprehensive computing, network, storage and security capabilities at edge locations. The edge cloud network may include multiple edge nodes (that is, distributed nodes). After receiving a diverted high-risk access request, the edge node can perform a back-to-source operation and, after receiving the data resource corresponding to the access request from the source server, start a rendering instance on the edge node. In an exemplary embodiment, a corresponding rendering instance can be established for each access request to render web page content, elements or other resources, convert them into a safe file data stream, and return it to the user terminal device.

Exemplary embodiments of the present disclosure can divert high-risk access requests to CDN edge nodes by means of a default routing gateway; that is, the correspondence between the user terminal device and the target node is determined in advance, and when an access request is determined to be of the high-risk type, it can be sent to the corresponding target node, which then processes the access request.

In an exemplary embodiment of the present disclosure, if the risk type corresponding to the access request is determined to be the low-risk type, the user terminal device may send the access request to the corresponding target device or target network. For example, if the access request is a request to visit www.A.com and its risk type is determined to be the low-risk type, which indicates that www.A.com is a safe destination address, the user terminal device can send the access request to the source server of www.A.com.
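The policy check in S102 and the divert-or-forward decision in S103, as an added Python sketch that is not code from the patent. The sample addresses, domains, protocols and node name are constructed, and matching subdomains of a listed domain and treating unparseable requests as high risk are assumptions the disclosure does not specify.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlsplit


class Risk(Enum):
    HIGH = "high"
    LOW = "low"


@dataclass(frozen=True)
class AccessRequest:
    url: str       # resource the target terminal asked for
    dest_ip: str   # destination address the request resolves to


@dataclass(frozen=True)
class SecurityAccessPolicy:
    risk_networks: tuple       # risk address set, as ipaddress networks
    risk_domains: frozenset    # risk domain name set
    risk_protocols: frozenset  # risk protocol type set (URL schemes here)
    target_node: str           # node pre-assigned to this user terminal device


def _host(url):
    # urlsplit lowercases the hostname; drop the trailing dot of an FQDN.
    return (urlsplit(url).hostname or "").rstrip(".")


def _domain_listed(host, risk_domains):
    # Match the listed name or a subdomain on a label boundary (assumption),
    # so "notmalware.example" does not match "malware.example".
    for d in risk_domains:
        d = d.lower().rstrip(".")
        if host == d or host.endswith("." + d):
            return True
    return False


def classify(policy, req):
    """Return (Risk, reason) for one access request (S102)."""
    try:
        scheme = urlsplit(req.url).scheme.lower()
        host = _host(req.url)
    except ValueError:
        return Risk.HIGH, "malformed-url"        # fail closed (assumption)
    if not scheme or not host:
        return Risk.HIGH, "malformed-url"
    if scheme in policy.risk_protocols:
        return Risk.HIGH, "protocol"
    if _domain_listed(host, policy.risk_domains):
        return Risk.HIGH, "domain"
    try:
        addresses = [ipaddress.ip_address(req.dest_ip)]
    except ValueError:
        return Risk.HIGH, "unparseable-address"  # fail closed (assumption)
    try:
        addresses.append(ipaddress.ip_address(host))  # URL host is an IP literal
    except ValueError:
        pass                                          # host is a name
    for addr in addresses:
        if any(addr in net for net in policy.risk_networks):
            return Risk.HIGH, "address"
    return Risk.LOW, "no-match"


def route(policy, req):
    """S103: divert high-risk requests to the target node, forward the rest."""
    risk, reason = classify(policy, req)
    if risk is Risk.HIGH:
        return {"action": "divert", "next_hop": policy.target_node, "reason": reason}
    return {"action": "direct", "next_hop": _host(req.url), "reason": reason}


# Constructed sample policy: documentation address ranges and reserved names.
SAMPLE_POLICY = SecurityAccessPolicy(
    risk_networks=(ipaddress.ip_network("203.0.113.0/24"),),
    risk_domains=frozenset({"malware.example"}),
    risk_protocols=frozenset({"ftp", "telnet"}),
    target_node="edge-node-1.cdn.example",   # hypothetical node name
)

if __name__ == "__main__":
    for r in (
        AccessRequest("https://www.A.com/index.html", "198.51.100.7"),
        AccessRequest("https://cdn.Malware.example./x", "198.51.100.9"),
        AccessRequest("http://ok.example/", "203.0.113.50"),
        AccessRequest("ftp://files.example/a", "198.51.100.7"),
    ):
        print(r.url, route(SAMPLE_POLICY, r))
```
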

S104,接收由目标节点返回的响应信息,并将响应信息向目标终端进行发送,响应信息包括至少部分由目标节点渲染的文件数据流。S104. Receive response information returned by the target node, and send the response information to the target terminal, where the response information includes at least part of the file data stream rendered by the target node.

本公开中,可以由用户终端设备接收由目标终端发送的访问请求,并基于预先配置的安全访问策略,确定访问请求对应的用于描述安全风险程度的风险类型。并在确定访问请求对应的风险类型为高风险类型后,将访问请求引流至对应的目标节点,以使目标节点处理并响应访问请求,最后接收由目标节点返回的响应信息,并将响应信息向目标终端进行发送,其中响应信息包括至少部分由目标节点渲染的文件数据流。通过应用本公开的技术方案,可以通过用户终端设备来将终端用户发起的访问请求引流至分布式网络中的特定节点处,以使该节点对该访问请求进行处理后将响应数据通过用户终端设备返回给终端用户。从而避免终端 用户发起的访问请求直接到达恶意网站处所导致的带给用户数据安全隐患的弊端。In the present disclosure, the user terminal device may receive the access request sent by the target terminal, and determine the risk type corresponding to the access request for describing the degree of security risk based on the pre-configured security access policy. And after determining that the risk type corresponding to the access request is a high risk type, the access request is diverted to the corresponding target node, so that the target node processes and responds to the access request, and finally receives the response information returned by the target node, and sends the response information to the The target terminal sends, wherein the response information includes at least part of the file data stream rendered by the target node. By applying the technical solution of the present disclosure, the access request initiated by the end user can be diverted to a specific node in the distributed network through the user terminal device, so that the node processes the access request and sends the response data through the user terminal device returned to the end user. In this way, the disadvantages of bringing hidden dangers to user data security caused by the access request initiated by the end user directly reaching the malicious website are avoided.

In some exemplary embodiments, the response information further includes a control data stream for instructing the target terminal to render the unrendered data.

In an exemplary implementation, the target node may render all of the data resources corresponding to the access request before returning them to the user terminal device, or it may render only part of them. Therefore, if there is unrendered data that needs to be returned to the target terminal, the response information may further include a control data stream for instructing the target terminal to render that unrendered data.

In an exemplary embodiment, the control data stream may carry the unrendered data for the target terminal to obtain. The target terminal then does not need to fetch the data separately, which improves the processing efficiency of the target terminal and also keeps the target terminal from visiting the malicious website again, thereby protecting the security of the target terminal's data.

The exemplary embodiments of the present disclosure do not specifically limit how the data to be rendered by the target node is determined. For example, the target node may decide according to the dynamic or static type of the data to be rendered for the access request: data of the dynamic type is processed by the target node, and data of the static type is rendered by the target terminal. The target node may also decide according to the size of the data to be rendered: data whose size exceeds a certain threshold is rendered by the target node, and data whose size is below the threshold is rendered by the target terminal, and so on.

In some exemplary embodiments, determining the risk type corresponding to the access request based on the access request and the pre-configured security access policy includes:

determining the risk type corresponding to the access request according to the protocol type, the URL, or the requested data type of the access request, together with the pre-configured security access policy.

In some exemplary embodiments, determining the risk type corresponding to the access request based on the access request and the pre-configured security access policy includes:

determining the address information corresponding to the access request;

determining the risk type corresponding to the access request based on the address information and the pre-configured security access policy.

In an exemplary embodiment, the risk type of the access request may be determined according to whether the address information corresponding to the access request is in a risk address set.

Specifically, for example, the address information corresponding to the access request may be matched against a pre-stored risk address set, and the potential risk of the access request determined by whether the address information is in that set. In an exemplary embodiment, if the address information corresponding to the access request exists in the risk address set, the access request may be determined to be of the high-risk type. Otherwise, the access request is determined to be of a non-high-risk type.

In another exemplary embodiment, the risk type corresponding to the access request may also be determined according to at least one of the protocol type, the URL, or the requested data type in the access request, together with the pre-configured security access policy. The determination may follow the manner described above and is not repeated here. The risk type of the access request can thus be determined from several kinds of information carried in the request, which ensures that the risk type is determined effectively and in turn protects the security of the user's network access.

In some exemplary embodiments, determining the risk type corresponding to the access request based on the address information and the pre-configured security access policy includes:

matching the address information against a preset high-risk address set, where the high-risk address set includes at least one high-risk address;

if the address information exists in the high-risk address set, determining that the risk type corresponding to the access request is the high-risk type.

The address information includes at least one of the target access address, the source address, or the static route corresponding to the access request.

In an exemplary implementation, the target access address corresponding to the access request may be matched against the pre-stored risk address set, and the potential risk of the access request determined by whether the target access address is in that set. Alternatively, the source address corresponding to the access request may be matched against a pre-stored risk domain name set, and the potential risk determined by whether the source address is in that set. Alternatively again, the static route information corresponding to the access request may be matched against a pre-stored set of risky static route information, and the potential risk determined by whether the static route information is in that set. In an exemplary embodiment, the static route may be a predetermined transmission route for the access requests of the target terminal. If the address of any hop in the transmission route is in the risk address set, the transmission route carries a security risk, so the risk type of the access request may be determined to be the high-risk type.

In some exemplary embodiments, before determining the risk type corresponding to the access request based on the access request and the pre-configured security access policy, the method further includes:

receiving update information for the security access policy sent by a distributed node or a security management platform;

updating the previously stored security access policy according to the update information.

In an exemplary implementation, the pre-configured security access policy in the present disclosure may be updated periodically; the present disclosure does not specifically limit which entity generates the update information or at what period. For example, a distributed node may update the security access policy according to a certain update period to generate the update information, or the security management platform may update the security access policy according to a certain update period to generate the update information.

In an exemplary embodiment, when the user terminal device detects that update information is currently available, it may update the security access policy it currently holds according to that update information, thereby ensuring that the best security access policy is applied to access requests.
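The address matching and policy update described above can be sketched as follows. This is an added example, not code from the patent or its applicant; the class and function names, the `add`/`remove`/`version` update format, the rejection of stale updates, and the refusal of URLs without a host are all assumptions made for illustration, and the sample addresses are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit

HIGH_RISK, NOT_HIGH_RISK = "high-risk", "non-high-risk"


def normalize(address):
    """Canonical form so equivalent spellings of one address compare equal."""
    address = address.strip().rstrip(".").lower()
    try:
        return str(ip_address(address.strip("[]")))  # collapses IPv6 spellings
    except ValueError:
        return address  # not an IP literal: treat it as a host name


@dataclass
class AccessRequest:
    url: str
    source_address: str
    static_route: list = field(default_factory=list)  # hop addresses, in order

    @property
    def target_address(self):
        host = urlsplit(self.url).hostname
        if not host:
            # Assumption: a request whose target cannot be determined is
            # refused rather than silently classified as non-high-risk.
            raise ValueError("no host in URL: %r" % self.url)
        return host


class SecurityAccessPolicy:
    """Holds the high-risk address set kept on the user terminal device."""

    def __init__(self, high_risk_addresses=(), version=0):
        self.version = version
        self.high_risk = {normalize(a) for a in high_risk_addresses}

    def apply_update(self, update):
        """Apply {'version', 'add', 'remove'} (assumed format)."""
        if update["version"] <= self.version:
            return False  # stale or replayed update: keep the current policy
        self.high_risk |= {normalize(a) for a in update.get("add", ())}
        self.high_risk -= {normalize(a) for a in update.get("remove", ())}
        self.version = update["version"]
        return True

    def classify(self, request):
        """Return (risk type, [(which address matched, normalized address)])."""
        candidates = [("target", request.target_address),
                      ("source", request.source_address)]
        candidates += [("route-hop", hop) for hop in request.static_route]
        hits = [(kind, normalize(a)) for kind, a in candidates
                if a and normalize(a) in self.high_risk]
        return (HIGH_RISK if hits else NOT_HIGH_RISK), hits


def handle(request, policy):
    """High risk is diverted to a target node; anything else is sent directly."""
    risk, _ = policy.classify(request)
    return "divert-to-target-node" if risk == HIGH_RISK else "send-to-origin"


def demo():
    # Constructed sample data: documentation-range IPs and .example names.
    policy = SecurityAccessPolicy(
        ["Malicious.Example.", "203.0.113.7", "2001:DB8:0:0:0:0:0:1"])
    requests = [
        AccessRequest("https://www.A.com/index.html", "192.0.2.10"),
        AccessRequest("http://malicious.example/login", "192.0.2.10"),
        AccessRequest("http://www.A.com/", "192.0.2.10",
                      ["198.51.100.1", "203.0.113.7"]),
        AccessRequest("http://[2001:db8::1]/", "192.0.2.10"),
    ]
    return [(r.url, handle(r, policy), policy.classify(r)[1]) for r in requests]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Normalizing both the stored set and the request addresses matters here: without it, a trailing dot, mixed case, or an expanded IPv6 spelling would let a listed address pass as non-high-risk.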

In some exemplary embodiments, diverting the access request to the corresponding target node includes:

sending the access request to the corresponding target node using a private communication protocol, GRE, IPsec, or PAC.

In an exemplary implementation, when diverting the access request to the corresponding target node, the present disclosure may send the access request by any of several transmission methods. For example, the access request may be sent using a private communication protocol, or through a GRE (General Routing Encapsulation) tunnel. The access request may also be sent through IPsec (Security Architecture for IP network, the IP-layer protocol security architecture). Alternatively, the access request may be sent according to PAC (Programmable Automation Controller, proxy auto-configuration) rules, and so on.

In an exemplary implementation, after receiving the access request, the user terminal device may, according to the target access address contained in the access request, send a scheduling request for that target access address to a scheduling node in the distributed network, so that the scheduling node assigns, according to a preset rule, a target node to process the access request. The preset rule may be that the scheduling node determines parameters such as the area information of the corresponding target terminal or the area information of the origin site from the access request and, according to a load balancing algorithm, selects from the multiple distributed nodes a node that matches those parameters as the target node.

In an exemplary embodiment, the distributed nodes may include multiple servers, such as a scheduling server, a configuration server, and at least one distributed server. The user terminal device may send a scheduling request for the access request to the scheduling server (that is, the scheduling node). The scheduling server may then select one of the at least one distributed server as the target node for the access request, according to a preset scheduling rule or a load balancing algorithm, and return the address information of the target node to the user terminal device, so that the user terminal device can send the access request to the corresponding target node for subsequent processing.

In an exemplary implementation, after the user terminal device receives the address information of the target node fed back by the scheduling node, it may use a private protocol to send the access request to that address through a pre-allocated channel and transmission method, so that the target node subsequently processes and responds to the access request. With a private protocol in place, the traffic is not easily cracked or intercepted by a malicious party, which protects the security of the data transmission.

FIG. 2 is a schematic flowchart of a method for processing an access request according to an exemplary embodiment. As shown in FIG. 2, the method, for a distributed node in a distributed network, includes:

S201: according to the access request sent by the user terminal device, obtain the data to be rendered corresponding to the access request, where the access request has been diverted by the user terminal device according to the pre-configured security access policy.

In an exemplary implementation, when the user terminal device determines that the access request is of the high-risk type, it may send the access request to a distributed node in the distributed network, in order to avoid the risk to user data that exists in the related art when an access request is sent directly to a risky website. That distributed node (that is, the target node) processes the access request, which ensures that the content of the response data later returned to the user terminal has been rendered and generated by the target node. This in turn avoids the problem in the related art that rendering the data at the user terminal easily creates a risk to the security of user data.

In an exemplary embodiment, the distributed node (that is, the target node) in the distributed network of the present disclosure may be determined by the scheduling node in the scheduling server.

In an exemplary implementation, the scheduling node may pick the target node from the multiple distributed nodes at random, or designate a pre-allocated distributed node as the target node. In another exemplary implementation, the scheduling node may use the access parameters corresponding to the access request (for example, user terminal area information, origin site area information, and the type of data accessed) together with a load balancing algorithm to select, from the multiple distributed nodes, a distributed node that matches the terminal area information and/or the origin site area information as the target node.

Of course, the distributed node (that is, the target node) in the distributed network of the present disclosure may also be determined in other ways, such as pre-allocation, which the present disclosure does not specifically limit.

The distributed network in the exemplary embodiments of the present disclosure may be a CDN (Content Delivery Network), which may include multiple distributed nodes. Besides a CDN, the distributed network may also be a server cluster composed of multiple servers in a distributed architecture, in which case a distributed node is any server in the cluster.

In an exemplary embodiment, the distributed network may also be an edge cloud network. The edge cloud network may be a cloud computing platform built on edge infrastructure, based on the core of cloud computing technology and the capabilities of edge computing, forming an elastic cloud platform with comprehensive computing, network, storage, and security capabilities at edge locations. The edge cloud network may include multiple edge nodes (that is, distributed nodes), so that services are provided at the network edge closer to the terminal. It should be noted that the exemplary embodiments of the present disclosure do not limit what kind of network the distributed network is; any network with a distributed architecture composed of multiple computing devices is applicable to the present disclosure.

For example, where the target node is a distributed node in a CDN, the distributed node may, after receiving a diverted high-risk access request, first forward it to the CDN service. If the data resources corresponding to the access request are found on the current node, at least part of that data may be rendered, and the resulting file data stream sent to the user terminal device. If the distributed node does not find the data resources corresponding to the access request locally, it may perform a back-to-origin operation and, after receiving the data resources from the origin server or an upper-layer node, start a rendering instance on the distributed node. In an exemplary embodiment, a corresponding rendering instance may be created for each access request to render web page content, elements, or other types of resources, convert them into a safe file data stream, and return that stream to the user terminal device.

S202: render at least part of the data to obtain the corresponding file data stream.

In an exemplary embodiment of the present disclosure, the distributed node may render all of the data resources corresponding to the access request before returning them to the user terminal device, or it may render only part of them. The present disclosure does not limit this.

The rendering application instance in some exemplary embodiments of the present disclosure may include multiple pre-configured plug-ins, for example a flash plug-in. Subsequent page rendering can then be performed without temporarily loading or installing the corresponding plug-in, which helps improve rendering efficiency and saves storage resources on the target terminal.

In an exemplary embodiment of the present disclosure, after receiving the access request, the distributed node may process it and feed back response information. For example, if the access request is for a web page, the distributed node may obtain the page elements and components corresponding to that web page and render them at least partially to obtain the corresponding file data stream. The file data stream is sent as the response information to the user terminal device, which then sends it to the target terminal.

In an exemplary embodiment, the distributed node generates the corresponding file data stream from the rendered data. This prevents malicious code or viruses carried by the data before rendering from reaching the target terminal along with the response information, and so protects the security of the target terminal's data.

Some exemplary embodiments of the present disclosure may further include a step of establishing a general-purpose rendering application instance. In an exemplary embodiment, the general-purpose rendering application instance may be used to render page content for target terminals with different attribute information, such as target terminals with different screen sizes and/or different resolutions. Establishing a general-purpose rendering application instance avoids the overhead of creating instances repeatedly: a single rendering application instance can serve target terminals with different attribute information, which improves rendering efficiency.

Specifically, the present disclosure can generate the general-purpose rendering application instance according to a preset rule, for example on the first access request received each day, week, or month, and then use that instance to process subsequent access requests quickly, for example by handling multiple access requests at the same time or by queuing multiple access requests in order. In an exemplary embodiment, each time the current rendering task completes, the present disclosure can delete or release the rendering data associated with that task, so that it cannot be obtained by others and leak the user's private data, which improves the information security of the present disclosure.

In addition, the at least partial rendering described in the present disclosure may mean that the target node renders all of the data resources corresponding to the access request before returning them to the user terminal device, or that the distributed node renders only part of the data resources before returning them. The present disclosure does not limit this.

In this exemplary embodiment, the data to be rendered may be determined by obtaining attribute information that describes the task processing capability of the target terminal. In an exemplary embodiment, if the task processing capability of the target terminal is poor, little or no data may be allocated to it for rendering; if its task processing capability is strong, more data may be allocated to it for rendering, which saves computing resources on the target node.

More specifically, the task processing capability attribute information may include at least one of the target terminal's computing resource occupancy information, network status information, and processor performance information.

S203: send the file data stream as response information to the user terminal device, so that the user terminal device sends the response information to the target terminal.

In this exemplary embodiment, once the target node has generated the rendered file data stream, it may send that stream as the response information for the access request to the corresponding user terminal device, which forwards it to the corresponding target terminal.

Having the target node render at least part of the data to be rendered thus reduces the security risk of the target terminal's network access and protects the target terminal.

In some exemplary embodiments, sending the file data stream as response information to the user terminal device, so that the user terminal device sends the response information to the target terminal, includes:

for the unrendered data, generating a control data stream for instructing the target terminal to render the unrendered data;

sending the control data stream and the file data stream as response information to the user terminal device, so that the user terminal device sends the response information to the target terminal.

In an exemplary implementation, the distributed node may render all of the data resources corresponding to the access request before returning them to the user terminal device, or it may render only part of them. Therefore, if there is unrendered data that needs to be returned to the target terminal, the response information may further include a control data stream for instructing the target terminal to render that unrendered data, so that the distributed node can then send the control data stream and the file data stream together as the response information to the user terminal device.

Likewise, the present disclosure does not specifically limit how the data to be rendered by the target node is determined. For example, the target node may determine, according to the dynamic or static content type of the page requested by the access request, which data to be rendered it renders itself and which is rendered by the target terminal, and then render only the data assigned to itself. In this exemplary embodiment, the data to be rendered may also be determined by obtaining attribute information that describes the task processing capability of the target terminal, as described above, which is not repeated here.

After receiving response information that contains the control data stream and the file data stream, the target terminal may render the unrendered data based on the control data stream and update the file data stream, thereby obtaining the completed resource and displaying it in the interface.

In some exemplary embodiments, before obtaining the data to be rendered corresponding to the access request according to the access request sent by the user terminal device, the method further includes:

performing high-risk address identification to obtain update information for the security access policy;

sending the update information to the user terminal device, so that the user terminal device updates the security access policy according to the update information.

In this exemplary embodiment, the distributed node may perform risk address identification, add high-risk addresses found in the network to the risk address set, and generate update information for the security access policy, for example by adding high-risk addresses not yet contained in the existing risk address set, or by deleting from the existing set those high-risk addresses whose risk has been cleared. The distributed node can then send the update information to the user terminal device, so that the user terminal device updates its stored security access policy accordingly and the policy stays current.

The pre-configured security access policy mentioned above may be updated periodically; the present disclosure does not specifically limit which entity generates the update information or at what period. For example, a distributed node may update the security access policy according to a certain update period to generate the update information, or the security management platform may do so. Updates may be made at a fixed period or not at a fixed period, which the present disclosure does not specifically limit.

In some exemplary embodiments, the access request includes attribute information of the target terminal, where the attribute information describes the page display characteristics of the target terminal;

rendering at least part of the data to obtain the corresponding file data stream includes:

reading the attribute information of the target terminal from the access request;

establishing, according to the attribute information, a rendering application instance corresponding to the attribute information;

rendering at least part of the data with the rendering application instance to obtain the corresponding file data stream.

In an exemplary implementation, the attribute information describing the page display characteristics of the target terminal may be at least one of the target terminal's screen size information, resolution information, and operating platform environment information.

As for how the attribute information is obtained, the target terminal may carry the attribute information describing its own page display characteristics in the access request when sending it. After receiving the access request, the distributed node can then read the attribute information directly from the request, which improves the subsequent processing efficiency of the target node.

The target terminal may be, for example, one or more terminal devices with data access and data storage functions, such as a desktop computer, laptop, smartphone, tablet, smart watch, smart band, smart glasses, smart speaker, in-vehicle computer, AR device, or VR device.

本公开示例性实施例可由分布式节点基于由目标终端生成的用于表征目标终端的页面显示特征的属性信息,建立与其相对应的渲染应用实例,并执行该渲染应用实例,以获取和处理与访问请求对应的待渲染的数据,从而节省目标节点的计算资源,避免通用的渲染应用实例与目标终端不适配,计算能力过剩或者过小的情况发生。In the exemplary embodiment of the present disclosure, based on the attribute information generated by the target terminal to characterize the page display characteristics of the target terminal, the distributed node can establish a rendering application instance corresponding to it, and execute the rendering application instance to obtain and process the corresponding Access the data to be rendered corresponding to the request, thereby saving the computing resources of the target node, avoiding the situation that the general rendering application instance does not match the target terminal, and the computing capacity is excessive or too small.

具体的,本公开示例性实施例中可以通过用户终端的操作电子装置和/或屏幕显示参数来确定用户终端的页面显示特征。其中,例如操作电子装置可以包括安卓操作电子装置,IOS操作电子装置,win操作电子装置等等。而对于屏幕显示参数可以对应于屏幕大小,屏幕分辨率等等。在示例性实施例中,对于不同的操作电子装置和/或不同的屏幕显示参数,为了适配目标终端的页面特征,开启对应的渲染应用实例,可以保证该渲染应用实例的针对性,节省目标节点的计算资源。Specifically, in the exemplary embodiments of the present disclosure, the page display characteristics of the user terminal may be determined through an operating electronic device and/or screen display parameters of the user terminal. Wherein, for example, the operating electronic device may include an Android operating electronic device, an IOS operating electronic device, a Win operating electronic device, and the like. The screen display parameters may correspond to screen size, screen resolution, and so on. In an exemplary embodiment, for different operating electronic devices and/or different screen display parameters, in order to adapt to the page characteristics of the target terminal, the corresponding rendering application instance is opened, which can ensure the pertinence of the rendering application instance and save target The computing resources of the node.

In some exemplary embodiments, rendering at least part of the data to obtain the corresponding file data stream includes:

sending to the target terminal, according to the access request, an acquisition request for the attribute information of the target terminal, where the attribute information is used to describe the page display characteristics of the target terminal;

establishing a rendering application instance corresponding to the attribute information, based on the attribute information fed back by the target terminal in response to the acquisition request;

rendering at least part of the data by using the rendering application instance to obtain the corresponding file data stream.

As another way of obtaining the attribute information, after receiving the access request sent by the user terminal device, the distributed node may send an acquisition request for the attribute information to the target terminal that generated the access request. Once the attribute information fed back by the target terminal is received, a corresponding rendering application instance can be established specifically for it. Because the target node sends the acquisition request for the attribute information to the target terminal, the target terminal is aware of the processing being done by the target node and can take corresponding action in unexpected situations (such as a failure or slow response of the current node), for example by re-initiating the access request or sending a processing progress query.

In some exemplary embodiments, obtaining the data to be rendered corresponding to the access request, according to the access request sent by the user terminal device, includes:

determining, according to the access request sent by the user terminal device, the data to be rendered corresponding to the access request;

detecting whether the current node stores the data;

if so, obtaining the data from the current node;

if not, obtaining the data from the origin server.

In an exemplary implementation, after the distributed node receives a diverted high-risk access request, it may first check whether the current node stores the data to be rendered corresponding to the access request. If it does, the node finds the data resource corresponding to the access request on the current node, renders at least part of the data, obtains the corresponding file data stream, and sends it to the user terminal device.

If the data is not found, the distributed node may obtain the page content from a node other than the current node, a central cloud, a data center, or the origin server. After the data resource is received, a rendering instance is started on that edge node. That is, rendering is performed according to the web page content and elements requested by the access request, so that they are converted into a secure file data stream and returned to the user terminal device as the response information.

Fig. 3 is a schematic flowchart of a method for processing an access request according to an exemplary embodiment. As shown in Fig. 3, the method is applied to the target terminal and includes:

S301. Send an access request to a user terminal device, so that the user terminal device performs access control on the access request according to a pre-configured security access policy.

S302. Receive response information sent by the user terminal device, where the response information includes a file data stream at least partly rendered by the target node.

In an exemplary implementation, the aim is to avoid the security risk to user data that arises in the related art when an access request generated by the target terminal used by the user is sent directly to a risky website. In the present disclosure, the user terminal device may receive the access request sent by the target terminal device and then send the access request to a distributed node, and the distributed node pulls the data to be rendered from the target object corresponding to the access request. The data to be rendered is then rendered to generate a file data stream, which is returned to the user terminal device and sent by the user terminal device back to the target terminal.

S303. Display the resource corresponding to the access request according to the file data stream.

In an exemplary embodiment, after the target terminal receives the file data stream rendered by the target node, it can display the resource corresponding to the access request on its own display screen, according to the file data stream, for the user to view.

By applying the technical solution of the present disclosure, an access request initiated by the end user can be diverted by the user terminal device to a specific node in the distributed network, so that the node processes the access request and returns the response data to the end user through the user terminal device. This avoids the security risk to user data that arises when an access request initiated by the end user reaches a malicious website directly.

In some exemplary embodiments, the response information further includes a control data stream for instructing the current terminal to render the unrendered data;

Displaying the resource corresponding to the access request according to the file data stream includes:

updating the file data stream according to the control data stream and the unrendered data;

displaying the resource corresponding to the access request according to the updated file data stream.

In an exemplary implementation, the distributed node may render all of the data resources corresponding to the access request before returning them to the user terminal device, or it may render only part of the data resources before returning them. Therefore, if there is unrendered data that needs to be returned to the target terminal, the response information may further include a control data stream for instructing the target terminal to render the unrendered data. After receiving the control data stream, the target terminal can update the file data stream according to the control data stream and the unrendered data; that is, the target terminal renders the unrendered data based on the control data stream and updates the file data stream. After preset processing is performed on the updated file data stream, the target terminal displays the resource corresponding to the access request on its own display screen for the user to view and respond to. In an exemplary embodiment, if the target node has rendered all of the data to obtain the file data stream, the target terminal can display the resource corresponding to the access request on its own display screen directly from that file data stream, for the user to view and respond to.

Fig. 4 is an overall flowchart of a method for processing an access request according to an exemplary embodiment. Specifically:

The user terminal device may receive the access request sent by the target terminal and, after determining on the basis of the pre-configured security access policy that the risk type corresponding to the access request is the high-risk type, divert the access request to the corresponding distributed node, so that the distributed node processes and responds to the access request. The user terminal device finally receives the response information returned by the distributed node, which includes a file data stream in which at least part of the data has been rendered, and sends the response information to the target terminal.

Fig. 5 is an overall flowchart of a method for processing an access request according to an exemplary embodiment. Specifically:

The target terminal sends an access request to the user terminal device. Based on the access request and the pre-configured security access policy, the user terminal device determines the risk type corresponding to the access request, which describes the degree of security risk of the access request, and, after determining that the risk type is the high-risk type, sends the high-risk access request to the target node.

In an exemplary implementation, after the target node receives the high-risk access request, it may obtain the data to be rendered corresponding to the access request from the current node or from the origin server, and render at least part of the data to obtain the corresponding file data stream. For the unrendered data, it generates a control data stream for instructing the target terminal to render the unrendered data. The control data stream and the file data stream can then be sent to the user terminal device as the response information, so that the user terminal device sends the response information to the target terminal.

Finally, after the target terminal receives the response information containing the control data stream and the file data stream, it can display the resource corresponding to the access request according to the control data stream and the file data stream.

Fig. 6 shows an electronic apparatus for processing an access request according to an exemplary embodiment. The apparatus includes a first receiving module 401, a determining module 402, a processing module 403, and a first sending module 404, and is applied to the user terminal device:

The first receiving module 401 is configured to receive an access request sent by a target terminal;

The determining module 402 is configured to determine a risk type corresponding to the access request based on the access request and a pre-configured security access policy, where the risk type is used to describe the degree of security risk corresponding to the access request;

The processing module 403 is configured to divert the access request to a corresponding target node if the risk type corresponding to the access request is the high-risk type, so that the target node processes and responds to the access request;

The first sending module 404 is configured to receive response information returned by the target node and send the response information to the target terminal, where the response information includes a file data stream at least partly rendered by the target node.

In the present disclosure, the user terminal device may receive the access request sent by the target terminal and, based on the pre-configured security access policy, determine the risk type corresponding to the access request, which describes the degree of security risk. After determining that the risk type corresponding to the access request is the high-risk type, it diverts the access request to the corresponding target node, so that the target node processes and responds to the access request. Finally, it receives the response information returned by the target node and sends the response information to the target terminal, where the response information includes a file data stream at least partly rendered by the target node.

In another exemplary implementation of the present disclosure, the response information further includes a control data stream for instructing the target terminal to render the data that has not been rendered.

In another exemplary implementation of the present disclosure, the determining module 402 further includes:

The determining module 402 is configured to determine the risk type corresponding to the access request according to the protocol type, the URL, or the requested data type of the access request, and the pre-configured security access policy.

In another exemplary implementation of the present disclosure, the determining module 402 further includes:

The determining module 402 is configured to determine the address information corresponding to the access request;

The determining module 402 is configured to determine the risk type corresponding to the access request based on the address information and the pre-configured security access policy.

In another exemplary implementation of the present disclosure, the determining module 402 further includes:

The determining module 402 is configured to match the address information against a preset high-risk address set, where the high-risk address set includes at least one high-risk address;

The determining module 402 is configured to determine that the risk type corresponding to the access request is the high-risk type if the address information is present in the high-risk address set.

In another exemplary implementation of the present disclosure, the address information includes at least one of the target access address, the source address, or the static route corresponding to the access request.

In another exemplary implementation of the present disclosure, the determining module 402 further includes:

The determining module 402 is configured to receive update information for the security access policy sent by the distributed node or the security management platform;

The determining module 402 is configured to update the previously stored security access policy according to the update information.
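The classification and policy-update behaviour described for the determining module 402 can be sketched as follows. This is an added example, not code from the patent: the class names, the fields of the update message, the version check, the node name `edge-node-1`, and the choice to treat an unparseable address or URL as high risk are all assumptions, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

HIGH_RISK, LOW_RISK = "high", "low"


@dataclass(frozen=True)
class AccessRequest:
    url: str                        # requested URL; its scheme is the protocol type
    source_addr: str                # source address of the request
    dest_addr: str                  # target access address
    data_type: str = "text/html"    # requested data type


@dataclass
class SecurityAccessPolicy:
    version: int = 0
    high_risk_networks: list = field(default_factory=list)
    high_risk_hosts: set = field(default_factory=set)
    high_risk_protocols: set = field(default_factory=set)
    high_risk_data_types: set = field(default_factory=set)

    def apply_update(self, update):
        """Apply update info from a node or management platform (assumed format).

        Stale or malformed updates are rejected as a whole, so a bad message
        never leaves the stored policy half-modified.
        """
        version = update.get("version")
        if not isinstance(version, int) or version <= self.version:
            return False
        try:
            added = [ipaddress.ip_network(n, strict=False)
                     for n in update.get("add_addresses", [])]
            removed = {ipaddress.ip_network(n, strict=False)
                       for n in update.get("remove_addresses", [])}
        except ValueError:
            return False
        merged = [n for n in self.high_risk_networks + added if n not in removed]
        self.high_risk_networks = list(dict.fromkeys(merged))  # drop duplicates
        self.high_risk_hosts |= {h.lower() for h in update.get("add_hosts", [])}
        self.version = version
        return True

    def _addr_is_high_risk(self, addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return True  # assumption: fail closed on an address we cannot parse
        return any(ip in net for net in self.high_risk_networks)

    def classify(self, req):
        """Return the risk type from protocol type, URL, data type and addresses."""
        try:
            parts = urlsplit(req.url)
            host = (parts.hostname or "").lower()
        except ValueError:
            return HIGH_RISK  # assumption: fail closed on a malformed URL
        if parts.scheme.lower() in self.high_risk_protocols:
            return HIGH_RISK
        if req.data_type.lower() in self.high_risk_data_types:
            return HIGH_RISK
        if host in self.high_risk_hosts:
            return HIGH_RISK
        if self._addr_is_high_risk(req.dest_addr):
            return HIGH_RISK
        if self._addr_is_high_risk(req.source_addr):
            return HIGH_RISK
        return LOW_RISK


def route(policy, req, target_node="edge-node-1"):
    """Return the node a high-risk request is diverted to, or None otherwise."""
    return target_node if policy.classify(req) == HIGH_RISK else None


def build_sample_policy():
    """Constructed sample policy; 203.0.113.0/24 is a documentation range."""
    policy = SecurityAccessPolicy(
        high_risk_protocols={"ftp"},
        high_risk_data_types={"application/x-msdownload"},
    )
    policy.apply_update({
        "version": 1,
        "add_addresses": ["203.0.113.0/24"],
        "add_hosts": ["risky.example"],
    })
    return policy
```

The version check means a replayed or out-of-order update cannot roll the high-risk address set back to an older state.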

In another exemplary implementation of the present disclosure, the determining module 402 further includes:

The determining module 402 is configured to send the access request to the corresponding target node by using a private communication protocol, GRE, IPsec, or PAC.

Fig. 7 shows an electronic apparatus for processing an access request according to an exemplary embodiment. The apparatus includes an obtaining module 405, a generating module 406, and a response module 407, and is applied to a distributed node in a distributed network:

The obtaining module 405 is configured to obtain the data to be rendered corresponding to an access request according to the access request sent by the user terminal device, where the access request is diverted by the user terminal device according to a pre-configured security access policy;

The generating module 406 is configured to render at least part of the data to obtain a corresponding file data stream;

The response module 407 is configured to send the file data stream to the user terminal device as response information, so that the user terminal device sends the response information to the target terminal.

In another exemplary implementation of the present disclosure, the generating module 406 further includes:

The generating module 406 is configured to generate, for the unrendered data, a control data stream for instructing the target terminal to render the unrendered data;

The generating module 406 is configured to send the control data stream and the file data stream to the user terminal device as response information, so that the user terminal device sends the response information to the target terminal.

In another exemplary implementation of the present disclosure, the generating module 406 further includes:

The generating module 406 is configured to perform high-risk address identification to obtain update information for the security access policy;

The generating module 406 is configured to send the update information to the user terminal device, so that the user terminal device updates the security access policy according to the update information.

In another exemplary implementation of the present disclosure, the generating module 406 further includes:

The generating module 406 is configured to render at least part of the data to obtain a corresponding file data stream, including:

The generating module 406 is configured to read the attribute information of the target terminal according to the access request;

The generating module 406 is configured to establish, according to the attribute information, a rendering application instance corresponding to the attribute information;

The generating module 406 is configured to render at least part of the data by using the rendering application instance to obtain a corresponding file data stream.

In another exemplary implementation of the present disclosure, the generating module 406 further includes:

The generating module 406 is configured to send to the target terminal, according to the access request, an acquisition request for the attribute information of the target terminal, where the attribute information is used to describe the page display characteristics of the target terminal;

The generating module 406 is configured to establish a rendering application instance corresponding to the attribute information, based on the attribute information fed back by the target terminal in response to the acquisition request;

The generating module 406 is configured to render at least part of the data by using the rendering application instance to obtain a corresponding file data stream.

In another exemplary implementation of the present disclosure, the generating module 406 further includes:

The generating module 406 is configured to determine, according to the access request sent by the user terminal device, the data to be rendered corresponding to the access request;

The generating module 406 is configured to detect whether the current node stores the data;

The generating module 406 is configured to obtain the data from the current node if it does;

The generating module 406 is configured to obtain the data from the origin server if it does not.

Fig. 8 shows an electronic apparatus for processing an access request according to an exemplary embodiment. The apparatus includes a second sending module 408, a second receiving module 409, and a display module 410, and is applied to the target terminal:

The second sending module 408 is configured to send an access request to the user terminal device, so that the user terminal device performs access control on the access request according to a pre-configured security access policy;

The second receiving module 409 is configured to receive response information sent by the user terminal device, where the response information includes a file data stream at least partly rendered by the target node;

The display module 410 is configured to display the resource corresponding to the access request according to the file data stream.

In another exemplary implementation of the present disclosure, the second receiving module 409 further includes:

The second receiving module 409 is configured to display the resource corresponding to the access request according to the file data stream, including:

The second receiving module 409 is configured to update the file data stream according to the control data stream and the unrendered data;

The second receiving module 409 is configured to display the resource corresponding to the access request according to the updated file data stream.

Fig. 9 is a logical structural block diagram of an electronic device according to an exemplary embodiment. For example, the electronic device 500 may be a mobile phone, a computer, a digital broadcast terminal, a messaging device, a game console, a tablet device, a medical device, a fitness device, a personal digital assistant, and the like.

In an exemplary embodiment, a non-transitory computer-readable storage medium including instructions is also provided, for example a memory including instructions, where the instructions can be executed by a processor of the electronic device to carry out the above-mentioned network monitoring method. The method includes: the user terminal device may receive the access request sent by the target terminal and, based on the pre-configured security access policy, determine the risk type corresponding to the access request, which describes the degree of security risk. After determining that the risk type corresponding to the access request is the high-risk type, it diverts the access request to the corresponding target node, so that the target node processes and responds to the access request. Finally, it receives the response information returned by the target node and sends the response information to the target terminal, where the response information includes a file data stream at least partly rendered by the target node. The instructions may also be executed by the processor of the electronic device to carry out the other steps involved in the above exemplary embodiments. For example, the non-transitory computer-readable storage medium may be a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.

In an exemplary embodiment, an application program/computer program product is also provided, including one or more instructions that can be executed by a processor of the electronic device to carry out the above-mentioned network monitoring method. The method includes: the user terminal device may receive the access request sent by the target terminal and, based on the pre-configured security access policy, determine the risk type corresponding to the access request, which describes the degree of security risk. After determining that the risk type corresponding to the access request is the high-risk type, it diverts the access request to the corresponding target node, so that the target node processes and responds to the access request. Finally, it receives the response information returned by the target node and sends the response information to the target terminal, where the response information includes a file data stream at least partly rendered by the target node. The instructions may also be executed by the processor of the electronic device to carry out the other steps involved in the above exemplary embodiments.

图9为计算机设备50的示例图。本领域技术人员可以理解,示意图9仅仅是计算机设备50的示例,并不构成对计算机设备50的限定,可以包括比图示更多或更少的部件,或者组合某些部件,或者不同的部件,例如计算机设备50还可以包括输入输出设备、网络接入设备、总线等。FIG. 9 is an example diagram of a computer device 50 . Those skilled in the art can understand that the schematic diagram 9 is only an example of the computer device 50, and does not constitute a limitation to the computer device 50, and may include more or less components than those shown in the figure, or combine certain components, or different components , for example, the computer device 50 may also include an input and output device, a network access device, a bus, and the like.

所称处理器502可以是中央处理单元(Central Processing Unit,CPU),还可以是其他通用处理器、数字信号处理器(Digital Signal Processor,DSP)、专用集成电路(Application Specific Integrated Circuit,ASIC)、现场可编程门阵列(Field-Programmable Gate Array,FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者该处理器502也可以是任何常规的处理器等,处理器502是计算机设备50的控制中心,利用各种接口和线路连接整个计算机设备50的各个部分。The so-called processor 502 may be a central processing unit (Central Processing Unit, CPU), and may also be other general-purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), Field-Programmable Gate Array (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The general-purpose processor can be a microprocessor or the processor 502 can also be any conventional processor, etc. The processor 502 is the control center of the computer device 50 and uses various interfaces and lines to connect various parts of the entire computer device 50 .

存储器501可用于存储计算机可读指令503,处理器502通过运行或执行存储在存储器501内的计算机可读指令或模块,以及调用存储在存储器501内的数据,实现计算机设备50 的各种功能。存储器501可主要包括存储程序区和存储数据区,其中,存储程序区可存储操作系统、至少一个功能所需的应用程序(比如声音播放功能、图像播放功能等)等;存储数据区可存储根据计算机设备50的使用所创建的数据等。此外,存储器501可以包括硬盘、内存、插接式硬盘,智能存储卡(Smart Media Card,SMC),安全数字(Secure Digital,SD)卡,闪存卡(Flash Card)、至少一个磁盘存储器件、闪存器件、只读存储器(Read-Only Memory,ROM)、随机存取存储器(Random Access Memory,RAM)或其他非易失性/易失性存储器件。The memory 501 can be used to store computer-readable instructions 503 , and the processor 502 implements various functions of the computer device 50 by running or executing computer-readable instructions or modules stored in the memory 501 and calling data stored in the memory 501 . The memory 501 can mainly include a program storage area and a data storage area, wherein the program storage area can store an operating system, at least one application program required by a function (such as a sound playback function, an image playback function, etc.); Data created using the computer device 50 and the like. In addition, the memory 501 can include a hard disk, a memory, a plug-in hard disk, a smart memory card (Smart Media Card, SMC), a secure digital (Secure Digital, SD) card, a flash memory card (Flash Card), at least one magnetic disk storage device, a flash memory device, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), or other non-volatile/volatile storage devices.

If the modules integrated in the computer device 50 are implemented as software function modules and sold or used as independent products, they may be stored in a computer-readable storage medium. On this understanding, all or part of the procedures in the methods of the above exemplary embodiments may also be completed by computer-readable instructions that direct the relevant hardware. The computer-readable instructions may be stored in a computer-readable storage medium and, when executed by a processor, implement the steps of each of the above exemplary method embodiments.

Other embodiments of the present disclosure will readily occur to those skilled in the art after considering the specification and practicing the invention disclosed herein. The present disclosure is intended to cover any variations, uses or adaptations of the present disclosure that follow its general principles and include common knowledge or customary technical means in the art that are not disclosed herein. The specification and embodiments are to be regarded as exemplary only, and the true scope and spirit of the present disclosure are indicated by the following claims.

It should be understood that the present disclosure is not limited to the precise structures described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present disclosure is limited only by the appended claims.

Industrial Applicability

In the access request processing method, electronic apparatus, electronic device and medium provided by the present disclosure, the user terminal device diverts an access request initiated by an end user to a specific node in a distributed network according to a pre-configured security access policy, so that the node processes the access request and returns the response data to the end user through the user terminal device. This avoids the data security risk to the user that arises when an access request initiated by the end user reaches a malicious website directly, and so protects the user's network security. It also removes the need for the user to maintain multiple security devices, which reduces maintenance costs.

Claims (21)

1. A method for processing an access request, applied to a user terminal device, comprising:
receiving an access request sent by a target terminal;
determining, based on the access request and a pre-configured security access policy, a risk type corresponding to the access request, the risk type being used to describe the degree of security risk corresponding to the access request;
if the risk type corresponding to the access request is a high-risk type, diverting the access request to a corresponding target node, so that the target node processes and responds to the access request;
receiving response information returned by the target node, and sending the response information to the target terminal, the response information including a file data stream at least partially rendered by the target node.

2. The method according to claim 1, wherein the response information further includes a control data stream for instructing the target terminal to render data that has not been rendered.

3. The method according to claim 1, wherein determining, based on the access request and the pre-configured security access policy, the risk type corresponding to the access request comprises:
determining the risk type corresponding to the access request according to the protocol type, the URL, or the requested data type of the access request, and the pre-configured security access policy.

4. The method according to claim 1, wherein determining, based on the access request and the pre-configured security access policy, the risk type corresponding to the access request comprises:
determining address information corresponding to the access request;
determining, based on the address information and the pre-configured security access policy, the risk type corresponding to the access request.

5. The method according to claim 4, wherein determining, based on the address information and the pre-configured security access policy, the risk type corresponding to the access request comprises:
matching the address information against a preset high-risk address set, the high-risk address set including at least one high-risk address;
if the address information exists in the high-risk address set, determining that the risk type corresponding to the access request is the high-risk type.

6. The method according to claim 4, wherein the address information includes at least one of a target access address, a source address, or a static route corresponding to the access request.

7. The method according to claim 1, further comprising, before determining the risk type corresponding to the access request based on the access request and the pre-configured security access policy:
receiving update information for the security access policy sent by a distributed node or a security management platform;
updating the previously stored security access policy according to the update information.

8. The method according to claim 1, wherein diverting the access request to the corresponding target node comprises:
sending the access request to the corresponding target node using a private communication protocol, GRE, IPsec or PAC.

9. A method for processing an access request, applied to a distributed node in a distributed network, comprising:
obtaining, according to an access request sent by a user terminal device, data to be rendered corresponding to the access request, the access request having been diverted by the user terminal device according to a pre-configured security access policy;
rendering at least part of the data to obtain a corresponding file data stream;
sending the file data stream to the user terminal device as response information, so that the user terminal device sends the response information to a target terminal.

10. The method according to claim 9, wherein sending the file data stream to the user terminal device as response information, so that the user terminal device sends the response information to the target terminal, comprises:
for data that has not been rendered, generating a control data stream for instructing the target terminal to render the unrendered data;
sending the control data stream and the file data stream to the user terminal device as response information, so that the user terminal device sends the response information to the target terminal.

11. The method according to claim 9, further comprising, before obtaining the data to be rendered corresponding to the access request according to the access request sent by the user terminal device:
performing high-risk address identification to obtain update information for the security access policy;
sending the update information to the user terminal device, so that the user terminal device updates the security access policy according to the update information.

12. The method according to claim 9, wherein the access request includes attribute information of the target terminal, the attribute information being used to describe page display characteristics of the target terminal;
and rendering at least part of the data to obtain the corresponding file data stream comprises:
reading the attribute information of the target terminal according to the access request;
establishing, according to the attribute information, a rendering application instance corresponding to the attribute information;
rendering at least part of the data using the rendering application instance to obtain the corresponding file data stream.

13. The method according to claim 9, wherein rendering at least part of the data to obtain the corresponding file data stream comprises:
sending to the target terminal, according to the access request, an acquisition request for attribute information of the target terminal, the attribute information being used to describe page display characteristics of the target terminal;
establishing a rendering application instance corresponding to the attribute information, based on the attribute information fed back by the target terminal in response to the acquisition request;
rendering at least part of the data using the rendering application instance to obtain the corresponding file data stream.

14. The method according to claim 9, wherein obtaining, according to the access request sent by the user terminal device, the data to be rendered corresponding to the access request comprises:
determining, according to the access request sent by the user terminal device, the data to be rendered corresponding to the access request;
detecting whether the current node stores the data;
if so, obtaining the data from the current node;
if not, obtaining the data from the origin server.

15. A method for processing an access request, applied to a target terminal, comprising:
sending an access request to a user terminal device, so that the user terminal device performs access control on the access request according to a pre-configured security access policy;
receiving response information sent by the user terminal device, the response information including a file data stream at least partially rendered by a target node;
displaying, according to the file data stream, the resource corresponding to the access request.

16. The method according to claim 15, wherein the response information further includes a control data stream for instructing the current terminal to render data that has not been rendered;
and displaying, according to the file data stream, the resource corresponding to the access request comprises:
updating the file data stream according to the control data stream and the unrendered data;
displaying, according to the updated file data stream, the resource corresponding to the access request.

17. An electronic apparatus for processing an access request, applied to a user terminal device, comprising:
a first receiving module, configured to receive an access request sent by a target terminal;
a determination module, configured to determine, based on the access request and a pre-configured security access policy, a risk type corresponding to the access request, the risk type being used to describe the degree of security risk corresponding to the access request;
a processing module, configured to divert the access request to a corresponding target node if the risk type corresponding to the access request is a high-risk type, so that the target node processes and responds to the access request;
a first sending module, configured to receive response information returned by the target node and send the response information to the target terminal, the response information including a file data stream at least partially rendered by the target node.

18. An electronic apparatus for processing an access request, applied to a distributed node in a distributed network, comprising:
an obtaining module, configured to obtain, according to an access request sent by a user terminal device, data to be rendered corresponding to the access request, the access request having been diverted by the user terminal device according to a pre-configured security access policy;
a generating module, configured to render at least part of the data to obtain a corresponding file data stream;
a response module, configured to send the file data stream to the user terminal device as response information, so that the user terminal device sends the response information to a target terminal.

19. An electronic apparatus for processing an access request, applied to a target terminal, comprising:
a second sending module, configured to send an access request to a user terminal device, so that the user terminal device performs access control on the access request according to a pre-configured security access policy;
a second receiving module, configured to receive response information sent by the user terminal device, the response information including a file data stream at least partially rendered by a target node;
a display module, configured to display, according to the file data stream, the resource corresponding to the access request.

20. An electronic device, comprising:
a memory, configured to store executable instructions; and
a processor, configured to display with the memory so as to execute the executable instructions and thereby complete the operations of the access request processing method according to any one of claims 1-16.

21. A computer-readable storage medium, configured to store computer-readable instructions, wherein the instructions, when executed, perform the operations of the access request processing method according to any one of claims 1-16.
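The decision step that claims 1 and 3 to 7 assign to the user terminal device, sketched in Python as an added example; it is not code from the patent or the applicant. The policy field names, the update format with its version counter, the fail-closed handling of unparseable URLs and the node name `node-a.example` are assumptions, and all addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

HIGH_RISK, LOW_RISK = "high", "low"


@dataclass
class AccessRequest:
    source_addr: str                 # address of the target terminal (claim 6)
    url: str                         # carries protocol type and target address
    data_type: str = "text/html"     # requested data type (claim 3)


def normalise_host(host):
    # "Bad.Example." and "bad.example" must hit the same set entry.
    return host.strip().rstrip(".").lower()


@dataclass
class SecurityAccessPolicy:
    version: int = 0                                        # assumption: monotonic counter
    high_risk_hosts: set = field(default_factory=set)       # high-risk address set (claim 5)
    high_risk_networks: list = field(default_factory=list)
    high_risk_protocols: set = field(default_factory=set)
    high_risk_data_types: set = field(default_factory=set)

    def apply_update(self, update):
        """Claim 7: merge update information pushed by a node or management platform.
        Rejecting non-increasing versions (assumption) stops a replayed old update
        from quietly removing newer high-risk entries."""
        if update.get("version", 0) <= self.version:
            return False
        self.high_risk_hosts |= {normalise_host(h) for h in update.get("add_hosts", [])}
        self.high_risk_hosts -= {normalise_host(h) for h in update.get("remove_hosts", [])}
        self.high_risk_networks += [ip_network(n) for n in update.get("add_networks", [])]
        self.version = update["version"]
        return True


def in_high_risk_set(addr, policy):
    addr = normalise_host(addr)
    if addr in policy.high_risk_hosts:
        return True
    try:
        ip = ip_address(addr)
    except ValueError:               # a hostname, not an IP literal
        return False
    return any(ip in net for net in policy.high_risk_networks)


def classify(req, policy):
    """Return the risk type of a request (claims 3 to 6)."""
    try:
        parts = urlsplit(req.url)
        host = parts.hostname
    except ValueError:
        return HIGH_RISK             # assumption: unparseable requests fail closed
    if not parts.scheme or not host:
        return HIGH_RISK
    if parts.scheme in policy.high_risk_protocols:
        return HIGH_RISK
    if req.data_type.lower() in policy.high_risk_data_types:
        return HIGH_RISK
    if in_high_risk_set(host, policy) or in_high_risk_set(req.source_addr, policy):
        return HIGH_RISK
    return LOW_RISK


def route(req, policy, target_node="node-a.example"):
    """Claim 1: high-risk requests are diverted to a target node, others go direct."""
    if classify(req, policy) == HIGH_RISK:
        return ("divert", target_node)
    return ("direct", None)


if __name__ == "__main__":
    policy = SecurityAccessPolicy(high_risk_protocols={"ftp"})
    policy.apply_update({"version": 1, "add_hosts": ["Malicious.Example."],
                         "add_networks": ["203.0.113.0/24"]})
    for url in ("https://MALICIOUS.example/login", "http://203.0.113.7:8080/a",
                "https://intranet.example/", "http://[broken"):
        print(url, route(AccessRequest("192.0.2.10", url), policy))
```
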
PCT/CN2022/119101 2021-09-18 2022-09-15 Access request processing method, electronic apparatus, electronic device, and medium Ceased WO2023040983A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111112491.5A CN115842641A (en) 2021-09-18 2021-09-18 Access request processing method, electronic device, and medium
CN202111112491.5 2021-09-18

Publications (1)

Publication Number Publication Date
WO2023040983A1 true WO2023040983A1 (en) 2023-03-23

Family

ID=85574545

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/119101 Ceased WO2023040983A1 (en) 2021-09-18 2022-09-15 Access request processing method, electronic apparatus, electronic device, and medium

Country Status (2)

Country Link
CN (1) CN115842641A (en)
WO (1) WO2023040983A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116546028A (en) * 2023-05-15 2023-08-04 中国工商银行股份有限公司 Service request processing method and device, storage medium and electronic equipment
CN117098134A (en) * 2023-10-17 2023-11-21 湖北星纪魅族集团有限公司 Security control method, terminal and non-transitory computer-readable storage medium
CN119358769A (en) * 2024-12-23 2025-01-24 成都车晓科技有限公司 Risk control information processing method and system based on Internet of Vehicles
CN120281581A (en) * 2025-06-09 2025-07-08 山东征途信息科技股份有限公司 Data security management method and system for information creation terminal environment

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN120567577B (en) * 2025-07-30 2025-10-24 深圳市润迅通投资有限公司 Method, device, equipment and medium for monitoring leakage prevention of network sensitive data

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140059649A1 (en) * 2011-03-23 2014-02-27 Peng Hu Apparatus, system and method for accessing internet webpage
CN105991580A (en) * 2015-02-12 2016-10-05 腾讯科技(深圳)有限公司 Method and device for detecting website security
CN111372205A (en) * 2020-02-28 2020-07-03 维沃移动通信有限公司 Information prompting method and electronic equipment
CN111641701A (en) * 2020-05-25 2020-09-08 深信服科技股份有限公司 Data protection method and device, equipment and storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10375020B2 (en) * 2017-01-18 2019-08-06 Cisco Technology, Inc. Security policy for HTTPS using DNS
CN112351009B (en) * 2020-10-27 2022-07-22 杭州安恒信息技术股份有限公司 A network security protection method, device, electronic device and readable storage medium
CN113411637B (en) * 2021-07-05 2022-06-24 北京海誉动想科技股份有限公司 Picture processing method and device

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116546028A (en) * 2023-05-15 2023-08-04 中国工商银行股份有限公司 Service request processing method and device, storage medium and electronic equipment
CN117098134A (en) * 2023-10-17 2023-11-21 湖北星纪魅族集团有限公司 Security control method, terminal and non-transitory computer-readable storage medium
CN117098134B (en) * 2023-10-17 2024-01-26 湖北星纪魅族集团有限公司 Security control method, terminal, and non-transitory computer-readable storage medium
CN119358769A (en) * 2024-12-23 2025-01-24 成都车晓科技有限公司 Risk control information processing method and system based on Internet of Vehicles
CN120281581A (en) * 2025-06-09 2025-07-08 山东征途信息科技股份有限公司 Data security management method and system for information creation terminal environment

Also Published As

Publication number Publication date
CN115842641A (en) 2023-03-24

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22869351

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22869351

Country of ref document: EP

Kind code of ref document: A1