A tenant security access control method, device and electronic equipment
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Applications (China)
- Current Assignee / Owner: NSFOCUS INFORMATION TECHNOLOGY CO LTD
- Filing Date: 2026-05-14
- Publication Date: 2026-06-19
AI Technical Summary
In an IPv6 network environment, existing approaches require the cloud side to maintain a large number of tenant mapping entries, which lowers query and forwarding performance. In addition, a misjudgment by a single security service can cause the whole service chain to misjudge the traffic, and billing tenants for the full service bundle results in payments for protection that is never exercised.
The method configures a service subscription identifier field in the traffic packet itself: the source address and destination address are parsed to determine the security services the tenant has subscribed to, those services are run, and the protection policy matching their results is executed. The detection results are recorded in the destination address, and a combined judgment selects an action such as blocking, rate limiting or allowing.
The method achieves high-performance, tenant-isolated forwarding, avoids the performance bottleneck of multi-table join lookups, reduces misjudgments, and enables a billing model based on the protection actually performed.
Figure CN122247753A_ABST (abstract drawing; image not reproduced here)
Abstract
Claims
1. A tenant secure access control method, characterized in that it includes: receiving a traffic packet sent by a tenant, the traffic packet including a source address and a destination address, and the source address including a service subscription identifier field; parsing the source address and extracting from it a first field value corresponding to the service subscription identifier field; determining, based on the first field value, the target security services subscribed to by the tenant; invoking each target security service in turn to perform a security detection on the traffic data packet corresponding to the traffic packet and obtaining the corresponding detection result, the detection results including detection passed and detection failed; and invoking the protection policy corresponding to the detection result to process the traffic packet.
2. The method according to claim 1, characterized in that the source address and the destination address each include an enterprise identifier field and an enterprise branch identifier field, and that, before parsing the source address and extracting the first field value corresponding to the service subscription identifier field from the source address, the method further includes: parsing from the source address a first enterprise identifier corresponding to the enterprise identifier field and a first enterprise branch identifier corresponding to the enterprise branch identifier field; parsing from the destination address a second enterprise identifier corresponding to the enterprise identifier field and a second enterprise branch identifier corresponding to the enterprise branch identifier field; and determining, based on the first enterprise identifier, the first enterprise branch identifier, the second enterprise identifier and the second enterprise branch identifier, that the source address and the destination address correspond to the same tenant.
3. The method according to claim 1, characterized in that the service subscription identifier field includes multiple bits, each bit corresponding to one security service, the value of each bit indicating whether the corresponding security service has been subscribed to; and that invoking the protection policy corresponding to the detection result to process the traffic packet includes: determining, among the target security services, the number of target security services whose detection result is detection failed; determining, based on a pre-configured relationship between that number and the protection policy, the protection policy corresponding to the target number; and invoking the determined protection policy to process the traffic packet.
4. The method according to claim 3, characterized in that the destination address includes an execution result identifier field, and that determining the number of target security services whose detection result is detection failed includes: parsing the destination address, and extracting from the source address a second field value corresponding to the execution result identifier field; resetting the second field value according to the detection result of each security service, a non-zero value in the reset second field value indicating that the detection result of the corresponding security service is detection failed; and performing a bitwise AND of the first field value and the reset second field value and taking the number of non-zero values in the result as the target number; and that, after determining the number of target security services whose detection result is detection failed, the method further includes: restoring the second field value to its value before the reset.
5. The method according to claim 3, characterized in that determining the protection policy corresponding to the target number based on the pre-configured relationship between the number and the protection policy, and invoking the determined protection policy to process the traffic packet, includes: if the target number is lower than a first preset threshold, forwarding the traffic packet to the server corresponding to the destination address; if the target number is not lower than the first preset threshold and is lower than a second preset threshold, rate-limiting the traffic packet, forwarding it to the server corresponding to the destination address, and generating an alarm message that is fed back to the tenant; and if the target number is not lower than the second preset threshold, blocking the traffic packet and generating an alarm message that is fed back to the tenant; the second preset threshold being greater than the first preset threshold.
6. The method according to claim 1, characterized in that, before receiving the traffic packet sent by the tenant, the method further includes: in response to an enterprise information entry request sent by the tenant, generating an enterprise identifier and an enterprise branch identifier corresponding to the tenant; in response to the tenant's subscription operation for security services, generating a subscription identifier in the service subscription identifier field corresponding to the tenant; in response to a terminal information entry request sent by the tenant, generating a terminal identifier corresponding to the terminal to be entered, and associating that terminal identifier with the enterprise identifier, the enterprise branch identifier and the subscription identifier; and, in response to an address allocation request sent by a terminal to be allocated, determining the enterprise identifier, enterprise branch identifier and subscription identifier associated with that terminal based on the terminal identifier carried in the address allocation request, processing the determined enterprise identifier, enterprise branch identifier and subscription identifier with an addressing algorithm to obtain the address information corresponding to the terminal to be allocated, and sending the address information to that terminal.
7. The method according to any one of claims 1 to 6, characterized in that, after invoking the protection policy corresponding to the detection result to process the traffic packet, the method further includes: generating a security log corresponding to the tenant, the security log including the enterprise identifier, enterprise branch identifier, terminal identifier, server identifier, detection result and protected traffic size corresponding to the traffic packet; and identifying, among the target security services, the target security services whose detection result is detection failed, and billing the tenant based on the identified target security services.
8. A tenant security access control device, characterized in that it includes: a packet receiving module, configured to receive a traffic packet sent by a tenant, the traffic packet including a source address and a destination address, and the source address including a service subscription identifier field; an address parsing module, configured to parse the source address, extract from it a first field value corresponding to the service subscription identifier field, and determine the target security services subscribed to by the tenant based on the first field value; a security detection module, configured to invoke each target security service in turn to perform a security detection on the traffic data packet corresponding to the traffic packet and obtain the corresponding detection result, the detection results including detection passed and detection failed; and a packet processing module, configured to invoke the protection policy corresponding to the detection result and process the traffic packet.
9. An electronic device, characterized in that it includes: a memory, configured to store a computer program; and a processor which, when executing the computer program stored in the memory, implements the method steps of any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that it stores a computer program which, when executed by a processor, implements the steps of the method according to any one of claims 1 to 7.
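The following Python program is an added worked example of the control path in claims 1 to 7: it is not code from the patent or from NSFOCUS, and the IPv6 field layout (`LAYOUT`), the three security services (`waf_check`, `ips_check`, `av_check`), the two thresholds and all sample addresses and payloads are constructed assumptions. It packs enterprise, branch, subscription and execution-result fields into IPv6 addresses, enforces the same-tenant check of claim 2, runs only the subscribed services, records failures in the destination's result field and restores it afterwards (claim 4), counts failures with a bitwise AND to choose forward, rate-limit or block (claim 5), and emits the log record and billable service list of claim 7.

```python
import ipaddress
from typing import Callable, Dict, Tuple

# Constructed IPv6 layout (an assumption for this example, not the patent's
# addressing algorithm): (field name, bit width), most significant field first.
LAYOUT = [
    ("prefix", 48),       # routing prefix owned by the cloud provider
    ("enterprise", 16),   # enterprise identifier (claim 2)
    ("branch", 16),       # enterprise branch identifier (claim 2)
    ("subscription", 8),  # service subscription field, one bit per service (claim 3)
    ("result", 8),        # execution result field, one bit per service (claim 4)
    ("terminal", 32),     # terminal / server identifier (claim 6)
]


def parse_fields(addr: str) -> Dict[str, int]:
    """Split an IPv6 address into the LAYOUT fields (claim 1: 'parse the source address')."""
    value = int(ipaddress.IPv6Address(addr))
    fields, shift = {}, 128
    for name, width in LAYOUT:
        shift -= width
        fields[name] = (value >> shift) & ((1 << width) - 1)
    return fields


def build_address(**fields: int) -> str:
    """Inverse of parse_fields: pack field values into an IPv6 address string."""
    value, shift = 0, 128
    for name, width in LAYOUT:
        shift -= width
        v = fields.get(name, 0)
        if not 0 <= v < (1 << width):
            raise ValueError(f"{name}={v} does not fit in {width} bits")
        value |= v << shift
    return str(ipaddress.IPv6Address(value))


# Constructed security services keyed by their subscription bit. Each returns True
# when the payload passes; real services would be far richer than these placeholders.
def waf_check(payload: bytes) -> bool:
    return b"' OR 1=1" not in payload  # crude injection signature


def ips_check(payload: bytes) -> bool:
    return len(payload) <= 1024  # oversized request


def av_check(payload: bytes) -> bool:
    return b"CONSTRUCTED-TEST-SIGNATURE" not in payload


SERVICES: Dict[int, Tuple[str, Callable[[bytes], bool]]] = {
    0: ("waf", waf_check), 1: ("ips", ips_check), 2: ("av", av_check)}

# Claim 5 thresholds (constructed values): fewer failures than the first are forwarded,
# fewer than the second are rate-limited, anything else is blocked.
FIRST_THRESHOLD = 1
SECOND_THRESHOLD = 2


def run_checks(subscription: int, payload: bytes) -> int:
    """Invoke only subscribed services; return a mask with one bit set per failed check."""
    result = 0
    for bit, (_, check) in SERVICES.items():
        if (subscription >> bit) & 1 and not check(payload):
            result |= 1 << bit
    return result


def decide(subscription: int, result_mask: int) -> Tuple[str, int]:
    """AND the subscription and result fields, count set bits, map the count to a policy."""
    failed = bin(subscription & result_mask).count("1")
    if failed < FIRST_THRESHOLD:
        return "forward", failed
    if failed < SECOND_THRESHOLD:
        return "rate_limit", failed
    return "block", failed


def process_packet(src_addr: str, dst_addr: str, payload: bytes) -> Dict[str, object]:
    """One packet through claims 1-7: action, annotated/restored destination, log, billing."""
    src, dst = parse_fields(src_addr), parse_fields(dst_addr)
    # Claim 2: both addresses must belong to the same tenant before any service runs.
    if (src["enterprise"], src["branch"]) != (dst["enterprise"], dst["branch"]):
        return {"action": "block", "reason": "cross-tenant", "billable": []}
    original_result = dst["result"]
    result_mask = run_checks(src["subscription"], payload)
    # Claim 4: write the results into the destination's result field, then restore it.
    annotated_dst = build_address(**{**dst, "result": result_mask})
    restored_dst = build_address(**{**dst, "result": original_result})
    action, failed = decide(src["subscription"], result_mask)
    # Claim 7: bill only the services that actually fired on this packet.
    billable = [name for bit, (name, _) in SERVICES.items() if (result_mask >> bit) & 1]
    log = {"enterprise": src["enterprise"], "branch": src["branch"],
           "terminal": src["terminal"], "server": dst["terminal"],
           "failed_services": failed, "protected_bytes": len(payload)}
    return {"action": action, "alarm": action != "forward",
            "annotated_destination": annotated_dst, "restored_destination": restored_dst,
            "log": log, "billable": billable}
```

Because the subscription mask is read from the packet's own source address, the forwarding plane needs no per-tenant lookup table, which is the performance point the summary makes; the same-tenant comparison and the restore of the result field are the two steps most easily dropped in a real implementation, and both are what keeps one tenant's detection state from leaking into another tenant's addressing.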