CN115220665B - Access method and system of distributed storage system - Google Patents
Access method and system of distributed storage system Download PDFInfo
- Publication number
- CN115220665B CN115220665B CN202211112374.3A CN202211112374A CN115220665B CN 115220665 B CN115220665 B CN 115220665B CN 202211112374 A CN202211112374 A CN 202211112374A CN 115220665 B CN115220665 B CN 115220665B
- Authority
- CN
- China
- Prior art keywords
- user side
- user
- action
- password
- application software
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
- G06F3/06—Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
- G06F3/0601—Interfaces specially adapted for storage systems
- G06F3/0668—Interfaces specially adapted for storage systems adopting a particular infrastructure
- G06F3/067—Distributed or networked storage systems, e.g. storage area networks [SAN], network attached storage [NAS]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6227—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
- G06F3/06—Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
- G06F3/0601—Interfaces specially adapted for storage systems
- G06F3/0602—Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
- G06F3/062—Securing storage systems
- G06F3/0622—Securing storage systems in relation to access
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
- G06F3/06—Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
- G06F3/0601—Interfaces specially adapted for storage systems
- G06F3/0628—Interfaces specially adapted for storage systems making use of a particular technique
- G06F3/0638—Organizing or formatting or addressing of data
- G06F3/0643—Management of files
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- Human Computer Interaction (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
The application discloses an access method and system of a distributed storage system. Wherein, the method comprises the following steps: receiving a password and a secret key sent by a user side, and verifying the password and the secret key; after the password and the key are verified, authenticating the application software corresponding to the user side; after the application software passes the authentication, verifying the physical equipment of the user side; after the physical device passes the authentication, determining the access right of the user side based on the password and the key; and acquiring the characteristic information of the user side in real time, determining whether the access authority of the user side is matched with the characteristic information, and providing the confidential storage file on the distributed storage system to the user side under the condition of matching. The method and the device solve the technical problem that confidential storage files in the distributed storage system are easy to leak in the related technology.
Description
Technical Field
The application relates to the field of cloud storage, in particular to an access method and system of a distributed storage system.
Background
The distributed storage management software is installed on a plurality of servers with large-capacity disks to form a distributed storage system. The distributed storage management software is responsible for establishing storage clusters among the servers to form a large storage pool, managing the reading and writing of data to the disks of the servers, completing the random distribution of data blocks and providing a reading and writing interface for an upper layer.
When reading and writing data, the existing distributed storage system with enhanced security usually needs a user to input a password or a key file for verification when starting a file system or mounting the file system, and the whole file system can be read and written after the verification is passed.
According to the distributed storage system, if a file system is started by a user through password and key verification when a hacker invades, the hacker does not need to break the defense line of the password or the key any more, and the hacker can directly invade the file system when the user uses the file system. Moreover, a hacker can copy the decrypted file to an unencrypted file system and then steal the file. In addition, the password and the key may be delivered to a hacker by an insider, or the hacker directly steals the password and the key, so that the confidential document is leaked.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the application provides an access method and system of a distributed storage system, so as to at least solve the technical problem that confidential storage files in the distributed storage system are easy to leak in the related technology.
According to an aspect of an embodiment of the present application, there is provided an access method of a lasso-prevented distributed storage system, including: receiving a password and a secret key sent by a user side, and verifying the password and the secret key; after the password and the key are verified, authenticating the application software corresponding to the user side; after the application software passes the authentication, verifying the physical equipment of the user side; after the physical device passes the authentication, determining the access right of the user side based on the password and the key; and acquiring the characteristic information of the user side in real time, determining whether the access authority of the user side is matched with the characteristic information, and providing the confidential storage file on the distributed storage system to the user side under the condition of matching.
According to another aspect of the embodiments of the present application, there is also provided a lasso-prevention distributed storage system, including a user side; a server configured to: receiving a password and a secret key sent by a user side, and verifying the password and the secret key; after the password and the key are verified, authenticating the application software corresponding to the user side; after the application software passes the authentication, verifying the physical equipment of the user side; after the physical device passes the authentication, determining the access right of the user side based on the password and the secret key; and collecting the characteristic information of the user side in real time, determining whether the access authority of the user side is matched with the characteristic information, and providing the confidential storage files on the distributed storage system to the user side under the condition of matching.
In the embodiment of the application, secret key password verification, application software verification, physical equipment verification and face verification are adopted, after the verification is passed, the action of a user is identified, and whether the access environment is safe or not is determined based on the action of the user, so that the technical effect of safely accessing the confidential storage file is achieved, and the technical problem that the confidential storage file in a distributed storage system in the related technology is easy to leak is solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a flow chart of an access method of a distributed storage system according to an embodiment of the application;
FIG. 2A is a flow chart of another access method for a distributed storage system according to an embodiment of the application;
FIG. 2B is a flowchart illustrating an initialization process according to an embodiment of the present application;
FIG. 3 is a flow chart of a further method of accessing a distributed storage system according to an embodiment of the present application;
FIG. 4 is a flow chart diagram of a method of motion recognition according to an embodiment of the application;
fig. 5 is a schematic structural diagram of an access system of a further distributed storage system according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the data so used may be interchanged under appropriate circumstances such that embodiments of the application described herein may be implemented in sequences other than those illustrated or described herein. Moreover, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
According to an embodiment of the present application, there is provided an access method of a distributed storage system, as shown in fig. 1, the method including:
step S102, receiving the password and the secret key sent by the user side, and verifying the password and the secret key.
And step S104, after the password and the key pass the verification, authenticating the application software corresponding to the user side.
And step S106, after the application software passes the authentication, verifying the physical equipment of the user side.
In one example, authenticating the physical device of the user end comprises: acquiring the MAC address of the user side, the serial number of the hard disk, the serial number of the memory and the serial number of the CPU; and verifying the physical equipment of the user side based on the MAC address, the serial number of the hard disk, the serial number of the memory and the serial number of the CPU.
And step S108, after the physical equipment passes the verification, determining the access right of the user side based on the password and the secret key.
Step S110, collecting the characteristic information of the user terminal in real time, determining whether the access authority of the user terminal is matched with the characteristic information, and providing the confidential storage file on the distributed storage system to the user terminal under the condition of matching.
In one example, the following characteristic information of the user terminal is collected in real time: face information and environment information; and comparing the collected characteristic information with corresponding pre-stored characteristic information to determine whether the access authority of the user side is matched with the collected characteristic information.
In one example, after determining that the access right of the user side matches the collected characteristic information, the method further includes: identifying whether a user at the user side wears glasses or not based on the face information; and under the condition that the user wears the glasses, judging whether the glasses are the glasses with the image pickup function, and cutting off an access channel of the confidential storage file when the glasses are determined to have the image pickup function.
In one example, prior to receiving the password and the key sent by the user terminal, the method further comprises at least one of: detecting whether the recording and video recording function of the user side is normal; detecting whether the screen locking function of the user side is normal or not; detecting whether the face recognition function of the user side is normal or not; and detecting whether the key and password initialization detection function of the user side is normal. Only in the case where the detection is normal, the authentication process is performed with respect to the received password and key.
In one example, after determining that the access right of the user side and the collected characteristic information match, the method further comprises at least one of: sending a screen copying and recording prohibition instruction to the application software of the user side so as to prohibit the user side from copying and recording screens through the application software; sending an instruction for forbidding remote connection to the application software of the user end so as to forbid other terminals from being remotely connected to the physical equipment of the user end through the application software; and sending a recording instruction to the application software of the user side so as to enable the user side to record the audio and the video through the application software.
In one example, after providing the confidential storage file on the distributed storage system to the user side, the method further comprises at least one of: acquiring action state information of the user side in real time, and judging whether the action of the user side is in a preset action range or not; and when the action of the user is determined to be within a preset action range, sending a screen locking instruction to the application software so as to lock the screen of the physical equipment of the user side through the application software.
For example, acquiring an action state image of the user side in real time; adopting a linear iterative clustering method to perform iterative clustering on all pixels in the collected action state image until the residual error of the super-pixels obtained by clustering is lower than a preset value; calculating a semantic region to be created in the acquired action state image by using a recursive filtering algorithm, and calculating the semantic class probability of the semantic region to be created; according to the superpixels and the semantic probabilities, performing feature segmentation on the collected action state images, and determining the action of a user at the user side based on the segmented features; and judging whether the action of the user at the user end is within a preset action range or not based on the determined action.
In one example, before receiving the password and the key sent by the user terminal, the method further comprises: receiving a key and password initialization request of a super user, and creating a system user account based on the key and password initialization request; after providing the confidential storage file on the distributed storage system to the user side, the method further comprises: and receiving a logout request of the user side, and deleting the created user account on the basis of the logout request.
The embodiment of the application solves the technical problem that confidential storage files in a distributed storage system in the related technology are easy to leak through the method.
Example 2
According to an embodiment of the present application, another access method for a distributed storage system is provided, as shown in fig. 2A, the method includes:
step S202, initialization.
The initialization process comprises a networking process, a server side initialization, a user side initialization, a password key initialization and the like. Specifically, the step of initialization includes step S2022 to step S2028 as shown in fig. 2B.
Step S2022, the devices are connected in a networking manner.
If the use scene allows, the whole access network of the distributed storage system can be physically isolated from the external network, so that the independent networking security on the physical networking is higher. The switch is incorporated into the supervisor management at the time of network connection. And in the networking process, recording network MAC addresses and electronic serial numbers of all physical devices of the server and the user.
Step S2024, the server initializes.
And the server is electrified to carry out system initialization, and after the hardware detection and the software detection of the system are passed, the super user is waited to be connected through the user side.
In step S2026, the ue initializes.
The user side comprises application software and physical equipment. The application software has different versions and can run on different operating systems respectively. During initialization, it is necessary to confirm whether the physical devices of the user side include a camera and a recording microphone, and also confirm whether the network of the user side can communicate with the server side.
Specifically, application software of a user side is installed, whether the recording function of the user side is normal or not is detected, whether the screen locking function is normal or not is detected, whether the face recognition function is normal or not is detected, and whether the key and password initialization function is normal or not is detected. And under the condition that the detection is normal, waiting for the super user to enter so as to initialize the system key and the user password.
In this embodiment, the user side is provided with the dedicated application software, so that the secret storage file can be accessed only after the application software of the user side is authenticated, and the security of the system is improved.
In step S2028, a cryptographic key is initialized.
The super user logs in the user side by the secret key and the password, and the user side identifies that the user is the super user and initiates a system secret key and user password initialization process.
The application software of the user terminal initiates a password key initialization request to the server terminal, wherein the request carries user terminal authentication information, and the user terminal authentication information comprises an MAC address of a user network card, a serial number of a user hard disk, a serial number of a user memory, a serial number of a user CPU (Central processing Unit) and the like.
And determining a key and password authentication server which is regularly operated in the follow-up day according to the response of the initialization request. The password key authentication server can be at a server side for storing files, and can also be at a third-party server meeting the security requirement.
Based on the determined authentication server, the creation and setup of the system user is started.
After the initialization is finished, the super user authorizes the ordinary user, at the moment, the ordinary user can log in through another user side, and the super user can check the login state of the ordinary user.
Step S204, starting the distributed storage system.
And the super user logs in the user side and starts the distributed storage system. Only the super user can start and stop the distributed storage system, and in addition, only the super user can authorize the access authority of the common user to the distributed storage system. The super user can modify the access authority of the common user to the distributed storage system on line, can kick off the common user off line on line, and can delete the common user on line. Superuser may review the access records of all users, including when and for what files the user has accessed via which user terminal, the length of time of access, and the audio recordings when the user accessed these files. In one example, a system at the server may provide a user access statistics report to the supervisor.
And step S206, the super user logs in.
And the super user logs in the user side and stores the confidential storage file into the distributed storage system. In one example, the confidential storage file is stored encrypted in the distributed storage system.
In step S208, the general user logs in.
And the common user logs in the user side and accesses the confidential storage file in the distributed storage system.
Step S210, closing the access channel.
The user leaves the user terminal, or the user closes the application for accessing the confidential document, and the user terminal automatically closes the access channel.
The embodiment can prevent secret information from being leaked, and the secret document cannot be read because of no authorization and key of the super user and corresponding face verification. Even if a hacker violently robs the confidential storage file, the data of the confidential storage file is encrypted, so that the secret cannot be leaked. In addition, the super user can browse the use conditions of the ordinary user, such as who reads which confidential documents when, the time length of reading and the condition of reading, thereby facilitating the circulation and post supervision of the confidential storage documents.
Example 3
According to an embodiment of the present application, there is provided another access method for a distributed storage system, as shown in fig. 3, the method includes:
step S301, cryptographic key verification.
And receiving the password key sent by the user side, and verifying the password key. Thus, even if a hacker steals the key, the key cannot be accessed without the password, and the supervisor can cancel the authority of the key in real time.
Step S302, application software authentication.
And verifying whether the application software at the user side is bound and authenticated software, so that only the specified application program can access the confidential storage file to prevent the access of a hacker program.
Step S303, hardware verification.
And receiving authentication information such as the MAC address of a user network card, the serial number of a user hard disk, the serial number of a user memory, the serial number of a user CPU (Central processing Unit) and the like sent by the user side, and verifying whether hardware, namely physical equipment of the user side is equipment bound with the server side or not based on the authentication information, so that a hacker can be prevented from being combined with an insider to access unsafe equipment.
And step S304, environment monitoring.
After the user side is started, monitoring the environment of the user side, for example, prohibiting the user side from performing screen copying and screen recording operations so as to prevent the user from revealing confidential storage files; forbidding a remote connection user side to prevent a hacker united user from revealing confidential information through a remote desktop; after the camera is started, the face recognition is carried out, the camera for face recognition has a camera recognition function, equipment such as camera glasses with a pinhole camera can be recognized, and when the pinhole camera is recognized, the confidential storage file is prohibited from being read.
Step S305, monitoring in the using process.
After the user passes the verification and can access the confidential storage files on the distributed storage system, the user action of the user side can be monitored in the access process, whether the user has operations such as video recording and the like or not can be judged, and the audio recording and video recording functions can be started at the same time to monitor the user operations.
1) Motion monitoring
In the using process, when the user is detected to leave the screen, the automatic screen locking function is started to prevent the screen from being shot remotely or passers-by from peeping confidential storage files. The unlocking screen requires the re-execution of steps S301 to S305. In another example, the actions of the user can be recognized, whether the user uses the external device to record the screen or not is judged, and when the user is determined to record the screen, the automatic screen locking function is started.
The step of motion monitoring will be described in detail in embodiment 4, and will not be described here.
2) Recording and video monitoring
During use, the recording and video recording functions are started to prevent confidential information from being transmitted by voice or handwriting, so that the post-examination is facilitated. In the video recording process, the pinhole camera is identified in real time, and once the camera is identified, the screen is locked immediately to cut off an access channel of the confidential storage file. The audio and video recording data can be stored in a server side of the distributed storage system in an encrypted mode.
And step S306, closing the access channel.
After the user finishes accessing, the access channel can be automatically closed through the application software.
In one example, to further improve security, the computer desk and chair may be designed to be anti-peeping in combination with a computer, for example, the computer may be placed in a sealed kiosk-like space that has electromagnetic shielding in addition to camera monitoring. In addition, before the user enters the access space of the distributed storage system, electronic equipment detection can be carried out on the user, and equipment such as a glasses camera is prevented from entering.
Example 4
According to an embodiment of the present application, there is provided an action recognition method, as shown in fig. 4, the method including:
and step S402, acquiring the action state image of the user terminal in real time.
Two continuous frames of user side images, namely the motion state images of the user, are collected at a preset time interval, for example, 5 seconds, and the two frames of motion state images are unified to the same coordinate system through translation and rotation.
And S404, performing iterative clustering on all pixels in the acquired action state image by adopting a linear iterative clustering method until the residual error of the super-pixels obtained by clustering is lower than a preset value.
And aiming at each action state data, performing superpixel segmentation on the action state image by adopting a linear iterative clustering method. And randomly initializing in a specific equation regular interval, calculating the distance between adjacent clustering centers based on the position of the clustering centers, the number of pre-divided super pixels with the same size and the number of pixels in each action state image, and calculating the super pixel value based on the distance between the adjacent clustering centers. In this way, the super-pixel values are continuously updated by iterative clustering and continue until the residual is below the preset value.
Step S406, calculating a semantic region to be created in the acquired motion state image using a recursive filtering algorithm, and calculating a semantic class probability of the semantic region to be created.
According to the embodiment of the application, a human body region in an action state image is used as a semantic region to be created, and the semantic class probability of the human body region is estimated by using a recursive Bayesian filtering algorithm.
Step S408, according to the superpixel and the semantic probability, performing feature segmentation on the collected action state image, and determining the action of the user at the user side based on the segmented features.
And performing feature segmentation on the motion state image based on the superpixel segmentation and semantic analysis. Specifically, based on superpixel segmentation and semantic analysis, key points in the motion state image are identified, key point descriptors are calculated at each key point, outer points generated in the comparison process are eliminated, and a transformation matrix is estimated from the remaining set of inner point correspondence. In this way, the motion of the user can be estimated by comparing the transformation matrix obtained by the corresponding processing of the two motion state images with the positions of the key point descriptors in the two motion state images.
Step S410, determining whether the user 'S motion at the user end is within a preset motion range based on the estimated user' S motion.
Based on the estimated user actions, it is determined whether the actions are actions within a preset action range. For example, whether the actions are off-screen actions, handheld video recording device actions, etc. If the action of the user is identified to belong to the preset action range, screen locking operation is started, and the access channel of the user to the confidential storage file is closed.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present application or portions thereof that contribute to the prior art may be embodied in the form of a software product, where the computer software product is stored in a storage medium (such as a ROM/RAM, a magnetic disk, and an optical disk), and includes several instructions for enabling a terminal device (which may be a mobile phone, a computer, a server, or a network device) to execute the method described in the embodiments of the present application.
Example 5
According to an embodiment of the present application, there is also provided an access system of a distributed storage system, as shown in fig. 5, the system includes: a client 52, a server 54, and a distributed storage system 56.
The user side 52 is used to access confidential storage files in the distributed storage system 56 through the server side 54.
The server 54 receives the password and the key sent by the user, and verifies the password and the key; after the password and the key are verified, authenticating the application software corresponding to the user side; after the application software passes the authentication, verifying the physical equipment of the user side; after the physical device passes the authentication, determining the access right of the user side based on the password and the key; and collecting the characteristic information of the user side in real time, determining whether the access authority of the user side is matched with the characteristic information, and providing the confidential storage files on the distributed storage system to the user side under the condition of matching.
The system in this embodiment may implement the access method of the distributed storage system in the foregoing embodiment, and therefore, details are not described here.
Example 6
Embodiments of the present application also provide a storage medium. Alternatively, in the present embodiment, the storage medium described above may be configured to store program codes for executing the access method of the distributed storage system in the above embodiment.
Optionally, in this embodiment, the storage medium may include, but is not limited to: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk, and various media capable of storing program codes.
Optionally, for a specific example in this embodiment, reference may be made to the examples described in embodiments 1 to 4, which is not described herein again.
Application scenarios
The embodiments in the present application can be applied to many scenarios.
For example, scenario one, storage and distribution of confidential storage files, where confidential files are stored in a distributed storage system by a super user, and ordinary users access the confidential files by a user side.
For example, in scenario two, in order to prevent disclosure and strange, only the designated user can read the confidential storage file at the designated user side, and there is a recording and reading process. Hackers cannot acquire confidential storage files through a network, cannot move away a file server through physical violence, and cannot read file contents without authorization and keys of a super user.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solutions of the present application, which are essential or part of the technical solutions contributing to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing one or more computer devices (which may be personal computers, servers, network devices, or the like) to execute all or part of the steps of the methods described in the embodiments of the present application.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In some embodiments provided in the present application, it should be understood that the disclosed ue can be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing is only a preferred embodiment of the present application and it should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.
Claims (8)
1. An access method for a distributed storage system, comprising:
receiving a password and a secret key sent by a user side, and verifying the password and the secret key;
after the password and the key are verified, authenticating the application software corresponding to the user side;
after the application software passes the authentication, verifying the physical equipment of the user side;
after the physical device passes the authentication, determining the access right of the user side based on the password and the key;
acquiring characteristic information of the user side in real time, determining whether the access authority of the user side is matched with the characteristic information, and providing a confidential storage file on a distributed storage system to the user side under the condition of matching;
wherein after the confidential storage file on the distributed storage system is provided to the user side, the method further comprises:
acquiring action state information of the user side in real time, and judging whether the action of the user side is within a preset action range;
when the action of the user is determined to be within a preset action range, sending a screen locking instruction to the application software so as to lock the screen of the physical equipment of the user side through the application software;
the method comprises the following steps of acquiring action state information of the user side in real time, and judging whether the action of a user of the user side is within a preset action range, wherein the method comprises the following steps:
acquiring an action state image of the user side in real time, wherein the action state information comprises the action state image;
adopting a linear iterative clustering method to perform iterative clustering on all pixels in the collected action state image until the residual error of the super-pixels obtained by clustering is lower than a preset value;
calculating a semantic region to be created in the acquired action state image by using a recursive filtering algorithm, and calculating the semantic class probability of the semantic region to be created;
according to the superpixels and the semantic probabilities, performing feature segmentation on the collected action state images, and determining the action of a user at the user side based on the segmented features;
and judging whether the action of the user at the user end is within a preset action range or not based on the determined action.
2. The method of claim 1, wherein before receiving the password and the key sent by the user side, the method further comprises at least one of:
detecting whether the recording and video recording function of the user side is normal;
detecting whether the screen locking function of the user side is normal or not;
detecting whether the face recognition function of the user side is normal or not;
and detecting whether the key and password initialization functions of the user side are normal.
3. The method of claim 1, wherein authenticating the physical device at the user end comprises:
acquiring the MAC address of the user side, the serial number of the hard disk, the serial number of the memory and the serial number of the CPU;
and verifying the physical equipment of the user side based on the MAC address, the serial number of the hard disk, the serial number of the memory and the serial number of the CPU.
4. The method of claim 1, wherein collecting the characteristic information of the user at the user end in real time and determining whether the access right of the user end is matched with the characteristic information comprises:
the following characteristic information of the user side is collected in real time: face information and environment information;
and comparing the acquired characteristic information with corresponding pre-stored characteristic information to determine whether the access authority of the user side is matched with the acquired characteristic information.
5. The method of claim 4, wherein after determining that the access right of the user terminal matches the collected feature information, the method further comprises:
identifying whether a user at the user side wears glasses or not based on the face information;
and under the condition that the user wears the glasses, judging whether the glasses are the glasses with the image pickup function or not, and cutting off an access channel of the confidential storage file when the glasses are determined to have the image pickup function.
6. The method of claim 1, wherein after determining that the access rights of the user terminal and the collected characteristic information match, the method further comprises at least one of:
sending a command of forbidding screen copying and screen recording to the application software of the user side so as to forbid the user side to copy and screen recording through the application software;
sending an instruction for forbidding remote connection to the application software of the user terminal so as to forbid other terminals from being remotely connected to the physical equipment of the user terminal through the application software;
and sending a recording instruction to the application software of the user side so as to enable the user side to record the audio and the video through the application software.
7. The method of claim 1,
before receiving the password and the key sent by the user side, the method further comprises the following steps: receiving a key and password initialization request of a super user, and creating a system user account for the user side based on the key and password initialization request, wherein the super user is an administrator of the confidential storage file in the distributed storage system;
after providing the confidential storage files on the distributed storage system to the user side, the method further comprises: and receiving a logout request of the user side, and deleting the user account number established for the user side based on the logout request.
8. An access system for a distributed storage system, comprising:
a user side;
a server configured to:
receiving a password and a secret key sent by the user side, and verifying the password and the secret key;
after the password and the key are verified, authenticating the application software corresponding to the user side;
after the application software passes the authentication, verifying the physical equipment of the user side;
after the physical device passes the authentication, determining the access right of the user side based on the password and the key;
collecting the characteristic information of the user side in real time, determining whether the access authority of the user side is matched with the characteristic information or not, and providing the confidential storage files on the distributed storage system to the user side under the condition of matching;
acquiring action state information of the user side in real time, and judging whether the action of the user side is within a preset action range;
when the action of the user is determined to be within a preset action range, sending a screen locking instruction to the application software so as to lock the screen of the physical equipment of the user side through the application software;
the method comprises the following steps of acquiring action state information of the user side in real time, and judging whether the action of a user of the user side is within a preset action range, wherein the method comprises the following steps:
acquiring an action state image of the user side in real time, wherein the action state information comprises the action state image;
adopting a linear iterative clustering method to perform iterative clustering on all pixels in the collected action state image until the residual error of the super-pixels obtained by clustering is lower than a preset value;
calculating a semantic region to be created in the acquired action state image by using a recursive filtering algorithm, and calculating the semantic class probability of the semantic region to be created;
according to the superpixels and the semantic probabilities, performing feature segmentation on the collected action state images, and determining the action of a user at the user side based on the segmented features;
and judging whether the action of the user at the user end is within a preset action range or not based on the determined action.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211112374.3A CN115220665B (en) | 2022-09-14 | 2022-09-14 | Access method and system of distributed storage system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211112374.3A CN115220665B (en) | 2022-09-14 | 2022-09-14 | Access method and system of distributed storage system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115220665A CN115220665A (en) | 2022-10-21 |
| CN115220665B true CN115220665B (en) | 2022-12-20 |
Family
ID=83617198
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211112374.3A Active CN115220665B (en) | 2022-09-14 | 2022-09-14 | Access method and system of distributed storage system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115220665B (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106603563A (en) * | 2016-12-30 | 2017-04-26 | 厦门市美亚柏科信息股份有限公司 | Information safety realization method and system based on biometric features identification |
| CN109150828A (en) * | 2018-07-10 | 2019-01-04 | 珠海腾飞科技有限公司 | A kind of verifying register method and system |
| CN111427860A (en) * | 2019-01-09 | 2020-07-17 | 阿里巴巴集团控股有限公司 | Distributed storage system and data processing method thereof |
| CN111886600A (en) * | 2018-04-10 | 2020-11-03 | 华为技术有限公司 | Device and method for instance level segmentation of image |
| CN114626079A (en) * | 2022-03-22 | 2022-06-14 | 深圳壹账通智能科技有限公司 | File viewing method, device, equipment and storage medium based on user permission |
Family Cites Families (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104732551A (en) * | 2015-04-08 | 2015-06-24 | 西安电子科技大学 | Level set image segmentation method based on superpixel and graph-cup optimizing |
| US10740300B1 (en) * | 2017-12-07 | 2020-08-11 | Commvault Systems, Inc. | Synchronization of metadata in a distributed storage system |
| US10650531B2 (en) * | 2018-03-16 | 2020-05-12 | Honda Motor Co., Ltd. | Lidar noise removal using image pixel clusterings |
| CN108959978A (en) * | 2018-06-28 | 2018-12-07 | 北京海泰方圆科技股份有限公司 | The generation of key and acquisition methods and device in equipment |
| CN109872374A (en) * | 2019-02-19 | 2019-06-11 | 江苏通佑视觉科技有限公司 | A kind of optimization method, device, storage medium and the terminal of image, semantic segmentation |
| US11240024B2 (en) * | 2019-07-29 | 2022-02-01 | EMC IP Holding Company LLC | Cryptographic key management using key proxies and generational indexes |
| CN112926596B (en) * | 2021-02-10 | 2023-04-07 | 北京邮电大学 | Real-time superpixel segmentation method and system based on recurrent neural network |
| CN114372254B (en) * | 2021-08-16 | 2023-03-24 | 中电长城网际系统应用有限公司 | Multi-authentication authorization method under big data environment |
| CN113570629B (en) * | 2021-09-28 | 2022-01-18 | 山东大学 | Semantic segmentation method and system for removing dynamic objects |
| CN114117374A (en) * | 2021-11-30 | 2022-03-01 | 深圳壹账通智能科技有限公司 | Authentication method, device, equipment and medium based on distributed system |
-
2022
- 2022-09-14 CN CN202211112374.3A patent/CN115220665B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106603563A (en) * | 2016-12-30 | 2017-04-26 | 厦门市美亚柏科信息股份有限公司 | Information safety realization method and system based on biometric features identification |
| CN111886600A (en) * | 2018-04-10 | 2020-11-03 | 华为技术有限公司 | Device and method for instance level segmentation of image |
| CN109150828A (en) * | 2018-07-10 | 2019-01-04 | 珠海腾飞科技有限公司 | A kind of verifying register method and system |
| CN111427860A (en) * | 2019-01-09 | 2020-07-17 | 阿里巴巴集团控股有限公司 | Distributed storage system and data processing method thereof |
| CN114626079A (en) * | 2022-03-22 | 2022-06-14 | 深圳壹账通智能科技有限公司 | File viewing method, device, equipment and storage medium based on user permission |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115220665A (en) | 2022-10-21 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9396352B2 (en) | System and method to provide server control for access to mobile client data | |
| KR102107277B1 (en) | System and method for anti-fishing or anti-ransomware application | |
| CN112487383B (en) | Computer system for guaranteeing information security and control method thereof | |
| US5969632A (en) | Information security method and apparatus | |
| CN113315637B (en) | Security authentication method, device and storage medium | |
| CN110766850B (en) | Visitor information management method, access control system, server and storage medium | |
| CN107392008A (en) | Cipher management method, Password Management equipment and computer-readable recording medium | |
| CN107292133B (en) | Artificial intelligence confusion technical method and device | |
| CN105809045A (en) | Method and device for processing equipment systems during data reset | |
| CN115220665B (en) | Access method and system of distributed storage system | |
| Zolkin et al. | Problems of personal data and information protection in corporate computer networks | |
| US20070055478A1 (en) | System and method for active data protection in a computer system in response to a request to access to a resource of the computer system | |
| JP5353147B2 (en) | Face matching system | |
| KR20200013013A (en) | System and method for anti-fishing or anti-ransomware application | |
| CN114357398A (en) | Terminal access right processing method and device and electronic equipment | |
| CN111291429B (en) | Data protection method and system | |
| US11586711B2 (en) | Systems and methods for securing and controlling access to electronic data, electronic systems, and digital accounts | |
| CN115048662A (en) | File protection method, device, equipment and storage medium | |
| Lee et al. | A study on a secure USB mechanism that prevents the exposure of authentication information for smart human care services | |
| CN112214763A (en) | Data monitoring method and device | |
| CN115567215B (en) | Block chain distributed data storage system capable of preventing attack and decoding and access storage method | |
| CN211506486U (en) | Network safety protection device | |
| Elkaffash et al. | Data-Leashing: Towards a Characterization of The Problem and Its Solution | |
| CN118427896A (en) | Storage device data leakage protection system | |
| CN116975855A (en) | Method, system and equipment for realizing sensitive data tracking |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |