A tenant security access control method, device and electronic equipment

CN122247753A · Pending · Publication Date: 2026-06-19 · NSFOCUS INFORMATION TECHNOLOGY CO LTD +2

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
NSFOCUS INFORMATION TECHNOLOGY CO LTD
Filing Date
2026-05-14
Publication Date
2026-06-19

AI Technical Summary

Technical Problem

In an IPv6 network environment, existing technologies require maintaining a large number of tenant mapping entries in the cloud, resulting in low query and forwarding performance. Furthermore, a misjudgment by a single security service can lead to a misjudgment for the entire service chain, and a full-bundle rental billing model results in invalid payments.

Method used

A service subscription identifier field is configured in the traffic packet; the source address and destination address are parsed to determine the target security services, and the corresponding protection policies are executed based on the detection results. The detection results are recorded in the destination address, and a combined judgment is made among actions such as blocking, rate limiting, and allowing.

Benefits of technology

It achieves high-performance tenant isolation transmission, avoids performance bottlenecks in multi-table join queries, reduces misjudgments, and provides a performance-based billing model.

✦ Generated by Eureka AI based on patent content.

Figure: CN122247753A_ABST (abstract drawing; image not included)

Abstract

This application provides a tenant secure access control method, apparatus, and electronic device, relating to the field of communication technology. In this application, a traffic packet sent by a tenant is received. The traffic packet includes a source address and a destination address, and the source address includes a service subscription identifier field. The source address is parsed to extract a first field value corresponding to the service subscription identifier field, and the target security services subscribed to by the tenant are determined based on the first field value. Each target security service is invoked to perform security detection on the traffic data packet corresponding to the traffic packet, and corresponding detection results are obtained. The detection results include detection passed and detection failed. A protection policy corresponding to the detection result is invoked to process the traffic packet. This approach can meet the high-performance transmission service requirements of tenant isolation across multiple regions in an IPv6 network environment.

Claims

1. A tenant secure access control method, characterized in that it includes: receiving a traffic packet sent by a tenant, the traffic packet including a source address and a destination address, and the source address including a service subscription identifier field; parsing the source address and extracting from it a first field value corresponding to the service subscription identifier field; determining, based on the first field value, the target security services subscribed to by the tenant; invoking each target security service to perform security detection on the traffic data packet corresponding to the traffic packet and obtaining the corresponding detection results, the detection results including detection passed and detection failed; and invoking the protection policy corresponding to the detection result to process the traffic packet.

2. The method as described in claim 1, characterized in that the source address and the destination address each include an enterprise identifier field and an enterprise branch identifier field; before parsing the source address and extracting the first field value corresponding to the service subscription identifier field from the source address, the method further includes: parsing from the source address the first enterprise identifier corresponding to the enterprise identifier field and the first enterprise branch identifier corresponding to the enterprise branch identifier field; parsing from the destination address the second enterprise identifier corresponding to the enterprise identifier field and the second enterprise branch identifier corresponding to the enterprise branch identifier field; and determining, based on the first enterprise identifier, the first enterprise branch identifier, the second enterprise identifier, and the second enterprise branch identifier, that the source address and the destination address correspond to the same tenant.

3. The method as described in claim 1, characterized in that the service subscription identifier field includes multiple bits, each bit corresponding to one security service, and the different values of each bit are used to characterize whether the corresponding security service has been subscribed to; invoking the protection policy corresponding to the detection result to process the traffic packet includes: determining, among the target security services, the number of target security services whose detection result is detection failed, as the target number; determining, based on a pre-configured relationship between the number and the protection policy, the protection policy corresponding to the target number; and invoking the determined protection policy to process the traffic packet.

4. The method as described in claim 3, characterized in that the destination address includes an execution result identifier field; determining, among the target security services, the number of target security services whose detection result is detection failed includes: parsing the destination address and extracting the second field value corresponding to the execution result identifier field from the source address; resetting the second field value based on the detection result corresponding to each security service, a non-zero value in the reset second field value indicating that the detection result of the corresponding security service is detection failed; and performing a bitwise AND operation on the first field value and the reset second field value, and taking the number of non-zero values in the result as the target number; after determining the number of target security services whose detection result is detection failed, the method further includes: restoring the second field value to its value before the reset.

5. The method as described in claim 3, characterized in that determining, based on the pre-configured relationship between the number and the protection policy, the protection policy corresponding to the target number and invoking the determined protection policy to process the traffic packet includes: if the target number is lower than a first preset threshold, forwarding the traffic packet to the server corresponding to the destination address; if the target number is not lower than the first preset threshold and is lower than a second preset threshold, rate-limiting the traffic packet, forwarding it to the server corresponding to the destination address, and generating an alarm message to be fed back to the tenant; and if the target number is not lower than the second preset threshold, blocking the traffic packet and generating an alarm message to be fed back to the tenant; the value of the second preset threshold being greater than that of the first preset threshold.

6. The method as described in claim 1, characterized in that, before receiving the traffic packet sent by the tenant, the method further includes: in response to an enterprise information entry request sent by the tenant, generating an enterprise identifier and an enterprise branch identifier corresponding to the tenant; in response to the tenant's subscription operation for a security service, generating a subscription identifier in the service subscription identifier field corresponding to the tenant; in response to a terminal information entry request sent by the tenant, generating a terminal identifier corresponding to the terminal to be entered, and associating that terminal identifier with the enterprise identifier, the enterprise branch identifier, and the subscription identifier; in response to an address allocation request sent by a terminal to be allocated, determining the enterprise identifier, enterprise branch identifier, and subscription identifier associated with the terminal to be allocated based on the terminal identifier of that terminal carried in the address allocation request; and processing the determined enterprise identifier, enterprise branch identifier, and subscription identifier with an addressing algorithm to obtain the address information corresponding to the terminal to be allocated, and sending the address information to the terminal to be allocated.

7. The method according to any one of claims 1 to 6, characterized in that, after processing the traffic packet by invoking the protection policy corresponding to the detection result, the method further includes: generating a security log corresponding to the tenant, the security log including the enterprise identifier, enterprise branch identifier, terminal identifier, server identifier, detection result, and protected traffic size corresponding to the traffic packet; and identifying, among the target security services, the target security services whose detection result is detection failed, and billing the tenant based on the identified target security services.

8. A tenant secure access control device, characterized in that it includes: a packet receiving module, used to receive a traffic packet sent by a tenant, the traffic packet including a source address and a destination address, and the source address including a service subscription identifier field; an address parsing module, used to parse the source address, extract the first field value corresponding to the service subscription identifier field from the source address, and determine the target security services subscribed to by the tenant based on the first field value; a security detection module, used to invoke each target security service to perform security detection on the traffic data packet corresponding to the traffic packet and obtain the corresponding detection results, the detection results including detection passed and detection failed; and a packet processing module, used to invoke the protection policy corresponding to the detection result to process the traffic packet.

9. An electronic device, characterized in that it includes: a memory, used to store a computer program; and a processor which, when executing the computer program stored in the memory, implements the method steps of any one of claims 1 to 7.

10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the steps of the method described in any one of claims 1 to 7.
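The procedure spread across claims 2 to 5 and 7 (a same-tenant check on the enterprise and branch fields, a per-bit subscription field, a failure bitmap ANDed against it, a two-threshold forward / rate-limit / block policy, and billing only for the services that actually failed) is easier to follow in code. The Python below is an added example written for this page; it is not code from the patent or from NSFOCUS. The 128-bit field layout, the names `make_address`, `parse_address`, `count_failed`, `protection_policy` and `process_packet`, the service catalogue, the stand-in detectors and the sample packets are all assumptions constructed for illustration, and the `reject` action for a packet whose source and destination belong to different tenants is this example's choice, since the claims only state the check itself.

```python
import ipaddress
from typing import Callable, Dict, List

# Hypothetical 128-bit address layout (an assumption of this example, not the
# patent's own addressing algorithm), most significant bits first:
#   bits 127..80  48-bit routing prefix
#   bits  79..64  enterprise identifier
#   bits  63..48  enterprise branch identifier
#   bits  47..32  service subscription bitmap (source address) or
#                 execution result bitmap (destination address)
#   bits  31..0   terminal identifier (source) or server identifier (destination)
PREFIX = 0x20010DB80000            # constructed 48-bit prefix 2001:db8:0::/48
ENT_SHIFT, BRANCH_SHIFT, FIELD_SHIFT = 64, 48, 32
MASK16, MASK32 = 0xFFFF, 0xFFFFFFFF

# Constructed service catalogue: bit position in the subscription field -> service
SERVICES: Dict[int, str] = {0: "waf", 1: "ids", 2: "antivirus", 3: "dlp"}

# Constructed stand-in detectors; each returns True when the packet passes.
DETECTORS: Dict[str, Callable[[bytes], bool]] = {
    "waf": lambda p: b"<script" not in p,
    "ids": lambda p: b"../" not in p,
    "antivirus": lambda p: not p.startswith(b"MZ"),
    "dlp": lambda p: b"card=" not in p,
}


def make_address(enterprise: int, branch: int, field: int, host: int) -> str:
    """Build a textual IPv6 address from the assumed fields (the provisioning side)."""
    v = ((PREFIX << 80) | (enterprise << ENT_SHIFT) | (branch << BRANCH_SHIFT)
         | (field << FIELD_SHIFT) | host)
    return str(ipaddress.IPv6Address(v))


def parse_address(addr: str) -> Dict[str, int]:
    """Split a textual IPv6 address into the assumed fields."""
    v = int(ipaddress.IPv6Address(addr))
    return {
        "enterprise": (v >> ENT_SHIFT) & MASK16,
        "branch": (v >> BRANCH_SHIFT) & MASK16,
        "field": (v >> FIELD_SHIFT) & MASK16,
        "host": v & MASK32,
    }


def same_tenant(src: str, dst: str) -> bool:
    """Claim 2: both the enterprise and the branch identifiers must match."""
    s, d = parse_address(src), parse_address(dst)
    return (s["enterprise"], s["branch"]) == (d["enterprise"], d["branch"])


def subscribed_services(first_field_value: int) -> List[str]:
    """Claim 3: each set bit of the subscription field names a subscribed service."""
    return [name for bit, name in SERVICES.items() if (first_field_value >> bit) & 1]


def count_failed(first_field_value: int, reset_second_field: int) -> int:
    """Claim 4: AND the subscription bitmap with the failure bitmap and count the set
    bits, so a failure reported by an unsubscribed service is never counted."""
    return bin(first_field_value & reset_second_field).count("1")


def protection_policy(target_number: int, first_threshold: int, second_threshold: int) -> str:
    """Claim 5: forward, rate-limit with alarm, or block with alarm, by two thresholds."""
    if second_threshold <= first_threshold:
        raise ValueError("second threshold must exceed the first")
    if target_number < first_threshold:
        return "forward"
    if target_number < second_threshold:
        return "rate_limit_and_alarm"
    return "block_and_alarm"


def process_packet(src: str, dst: str, payload: bytes,
                   first_threshold: int = 1, second_threshold: int = 2) -> dict:
    """Run the claimed pipeline on one packet and return the decision record."""
    if not same_tenant(src, dst):
        # The claims only state the same-tenant check; rejecting is this example's choice.
        return {"action": "reject", "reason": "source and destination tenants differ"}
    first = parse_address(src)["field"]             # service subscription bitmap
    original_second = parse_address(dst)["field"]   # execution result field, as received
    reset_second = 0                                # rebuilt from the detection results
    for bit, name in SERVICES.items():
        if (first >> bit) & 1 and not DETECTORS[name](payload):
            reset_second |= 1 << bit                # non-zero bit = detection failed
    target_number = count_failed(first, reset_second)
    failed = [SERVICES[b] for b in SERVICES if (reset_second >> b) & 1]
    return {
        "action": protection_policy(target_number, first_threshold, second_threshold),
        "subscribed": subscribed_services(first),
        "failed": failed,                           # claim 7: bill per failed service
        "target_number": target_number,
        "second_field_restored": original_second,   # claim 4: field put back as received
    }


if __name__ == "__main__":
    tenant_src = make_address(0x0001, 0x0002, 0b0111, 0x10)   # subscribed: waf, ids, antivirus
    tenant_dst = make_address(0x0001, 0x0002, 0x0000, 0x20)
    for sample in (b"GET /index.html HTTP/1.1",
                   b"GET /?q=<script>1</script> HTTP/1.1",
                   b"GET /../../<script> HTTP/1.1",
                   b"POST /pay card=4111 HTTP/1.1"):
        print(sample, "->", process_packet(tenant_src, tenant_dst, sample))
```

A service the tenant has not subscribed to is never invoked, and even if its verdict were recorded it would be masked out by the AND in `count_failed`; that is what keeps one misbehaving service from condemning the whole chain, the reduced-misjudgment point the summary makes. The destination's execution result field is read before detection and reported back unchanged, matching the restore step of claim 4, and the `failed` list is the per-service basis for billing in claim 7.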