CN114553554B - Terminal trust management and trusted access system and method - Google Patents


Info

Publication number
CN114553554B
Authority
CN
China
Prior art keywords
terminal
vulnerability
trust
information
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210173292.3A
Other languages
Chinese (zh)
Other versions
CN114553554A (en
Inventor
于亚
伏玉笋
杨根科
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ningbo Institute Of Artificial Intelligence Shanghai Jiaotong University
Original Assignee
Ningbo Institute Of Artificial Intelligence Shanghai Jiaotong University
Legal events
Application filed by Ningbo Institute Of Artificial Intelligence Shanghai Jiaotong University
Priority to CN202210173292.3A
Publication of CN114553554A
Application granted
Publication of CN114553554B

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security › H04L63/10 ... for controlling access to devices or network resources
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security › H04L63/14 ... for detecting or protecting against malicious traffic › H04L63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a terminal trust management and trusted access system in the field of network security. The system comprises a terminal, a device information base, a vulnerability database, a vulnerability assessment module, an audit database, a device scanning module, a protocol conversion module, a trust measurement module, a trust database and an adaptive encryption module. The invention also discloses a terminal trust management and trusted access method with the steps: S100, scan terminal information; S200, query vulnerability information; S300, calculate the risk factor; S400, calculate the initial trust; S500, admit the terminal to the network; S600, measure trust in real time; S700, transmit with adaptive encryption. The system and method verify devices in the cloud computing centre while processing and computing data at the network edge, balancing security against latency, and thereby solve the problem of choosing the initial trust value in scenarios with higher security requirements.

Description

Terminal trust management and trusted access system and method
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a system and a method for terminal trust management and trusted access.
Background
The development and large-scale deployment of technologies such as the mobile internet, the internet of things, distributed computing and blockchain have not only changed how people live but also profoundly altered how enterprises operate. The number of users and devices taking part in networks has grown dramatically, and network scale has grown explosively with it. Hundreds of millions of devices are now connected to the internet, the services and applications it carries keep multiplying, and the way network resources are shared, operated, secured and applied has been fundamentally transformed.
Take the industrial internet as an example: in the trend towards collaboration and openness, devices are interconnected through the network to form a bridge between the physical world and the information world. Digitising manufacturing resources and capabilities, and dynamically sharing and combining on demand the services of devices that are geographically distributed and functionally heterogeneous, is the direction in which intelligent manufacturing is developing.
Connecting devices to the cloud is an inevitable step in the development of the industrial internet, but it also means that devices and data that were once closed are fully exposed to the internet. Heterogeneous devices differ widely in computing and storage resources, and devices from different manufacturers use different communication protocols, which increases the complexity of the whole network system. At the same time, these devices sit at the network edge, where physical security and communication security are very weak, so they are highly exposed to cloning, counterfeiting, masquerading, interception and eavesdropping attacks and pose a serious security hazard.
These shortcomings make the device side a primary target for attackers. In the last two years, as security incidents involving edge devices have multiplied, manufacturers have gradually recognised the importance of information security, yet the limited resources and technology of terminals still constrain how far their protection can improve, and edge access devices remain the weak link in system security. Meanwhile, the mainstream protection approach for network information systems is to strengthen the network boundary with technologies such as firewalls and intrusion detection, which is not enough to secure cyberspace against increasingly complex attack behaviour and advanced attacker skills.
Accordingly, those skilled in the art are working to develop a terminal trust management and trusted access system and method.
Disclosure of Invention
In view of the above drawbacks of the prior art, the technical problem solved by the present invention is to guarantee the trusted access of terminals on a cloud-edge collaboration architecture.
The inventors analysed methods based on trust management and trust measurement. A trust management model describes and verifies security credentials in a unified way, builds trust relationships and authorises critical operations according to the system's security policy; trust measurement is the key technique within such a model and the main criterion for judging whether a node in the system is trustworthy. The basic steps of trust measurement are: (1) initialisation of trust; (2) selection and definition of trust attributes; (3) fusion of the trust attributes into a trust value. The inventors found that the algorithms proposed in the prior art mostly concentrate on steps (2) and (3), whereas the initialisation of trust is a prerequisite for an accurate trust value: if the initial value is set too high, a node receives too much authority and the system is easily attacked through newly added nodes; if it is set too low, the interaction capability of the access devices is limited and overall system performance suffers. This matters most in scenarios with high security requirements such as the industrial internet of things, so the setting of the initial value is particularly important. The inventors therefore provide a terminal trust management and trusted access system and method based on a cloud-edge collaboration architecture.
In one embodiment of the present invention, there is provided a terminal trust management and trusted access system, including:
a terminal, which performs data acquisition, signal transmission and control execution;
a device information base, which stores terminal information;
a vulnerability database, which stores the set of vulnerability information already discovered for each terminal;
a vulnerability assessment module, which calculates a terminal risk factor from that vulnerability information set;
an audit database, which stores data from the network nodes and the running state of the network;
a device scanning module, which scans the firmware information and communication messages of the terminal;
a protocol conversion module, which on the uplink parses the protocol used by the terminal, converts its messages into a unified protocol and uploads them to the cloud server, and on the downlink wraps the cloud server's messages in the protocol used by the terminal and delivers them to the terminal;
a trust measurement module, which, once a terminal has joined the network, calculates an initial trust value from the device information base, the result returned by the vulnerability assessment module and a preset network security level, and, while the terminal runs, calculates a real-time trust value from network traffic and terminal behaviour characteristics;
a trust database, which stores the real-time trust values of the terminals in the network;
an adaptive encryption module, which selects an encryption algorithm according to the terminal's real-time trust value, balancing transmission security against efficiency, encrypts the data sent by the terminal and forwards the encrypted data to the cloud server;
the device information base, vulnerability database, vulnerability assessment module and audit database are deployed on the cloud server; the device scanning module, protocol conversion module, trust measurement module, trust database and adaptive encryption module together form the trusted communication agent and are deployed on the edge server;
when a terminal joins the network, the device scanning module scans its firmware information and communication messages and uploads the scan result to the device information base. Once the device information base has identified the terminal, it returns the terminal model and function to the device scanning module and sends the terminal's firmware information to the vulnerability assessment module; the device scanning module passes the terminal model and function on to the trust measurement module. The vulnerability assessment module looks up the firmware information in the vulnerability database to obtain the terminal's vulnerability information set, calculates the terminal risk factor and sends the result to the trust measurement module. The trust measurement module assigns the terminal an initial trust value based on the terminal risk factor, the terminal model and function and the preset network security level, and writes the result to the trust database. The terminal starts working once it has been given an initial trust value; from then on the trust measurement module calculates its real-time trust value from network traffic and terminal behaviour characteristics and stores the result in the trust database. The protocol conversion module parses the terminal's operating data and checks whether the real-time trust value meets the security threshold: if it does, the data is passed to the adaptive encryption module, which selects an encryption algorithm according to the real-time trust value, encrypts the data and uploads it to the audit database on the cloud server; if it does not, the current communication message is discarded and the terminal is disconnected.
Optionally, in the above terminal trust management and trusted access system, the terminal information includes the hardware information, software version and communication protocol of the terminal.
Optionally, in the terminal trust management and trusted access system of any of the above embodiments, the vulnerability information set discovered for a terminal includes, for each vulnerability, its identifier, hazard level, disclosure time, patch information and CVSS (Common Vulnerability Scoring System) indicators.
Optionally, in the terminal trust management and trusted access system of any of the above embodiments, the device information base and the vulnerability database are built in advance and updated periodically to keep their information complete.
Optionally, in the terminal trust management and trusted access system of any of the foregoing embodiments, the terminal is located at the network edge layer.
Optionally, in the terminal trust management and trusted access system of any of the above embodiments, the terminal includes sensors, controllers and various intelligent terminals.
Based on the terminal trust management and trusted access system of any of the above embodiments, another embodiment of the present invention provides a terminal trust management and trusted access method comprising the steps:
S100, scanning terminal information: when a terminal joins the network, the device scanning module scans the terminal information and uploads it to the device information base;
S200, querying vulnerability information: the device information base identifies the terminal from the scanned terminal information and sends the vulnerability information held for that terminal in the vulnerability database to the vulnerability assessment module;
S300, calculating the risk factor: the vulnerability assessment module calculates the terminal risk factor;
S400, calculating the initial trust: the trust measurement module calculates the initial trust of the terminal from the terminal function, the terminal risk factor and the security level requirement;
S500, admitting the terminal to the network: if the initial trust of the terminal meets the security threshold, the terminal joins the network and starts working; otherwise the terminal is disconnected;
S600, real-time measurement: the real-time trust value of the terminal is calculated continuously from network traffic and terminal behaviour characteristics;
S700, adaptive encrypted transmission: if the real-time trust value meets the security threshold, the adaptive encryption module selects an encryption algorithm, encrypts the data sent by the terminal and transmits the encrypted data to the cloud server; otherwise the communication message is discarded and the terminal is disconnected.
Optionally, in the terminal trust management and trusted access method of the above embodiment, the terminal risk factor obeys the following rules: the higher a vulnerability's hazard level, the higher the terminal risk factor; the more recently a vulnerability was disclosed, the higher the terminal risk factor; the less patch information is available, the higher the terminal risk factor; the higher the vulnerability score, the higher the terminal risk factor; the simpler the attack path, the higher the terminal risk factor; the lower the attack complexity, the higher the terminal risk factor; the less authentication an attack requires, the higher the terminal risk factor; and the greater the impact on confidentiality, integrity and availability, the higher the terminal risk factor. (The last five correspond to the CVSS v2 base metrics: access vector AV, access complexity AC, authentication Au, and the C, I and A impact metrics.)
Optionally, in the terminal trust management and trusted access method of any of the foregoing embodiments, the risk factor calculation formula is as follows:
where risk is the risk factor; W_i is the weight of vulnerability i and num the number of vulnerabilities in the vulnerability information set M; w_1 is the weight of the attack path, w_2 of the attack complexity, w_3 of authentication, w_4 of confidentiality, w_5 of integrity and w_6 of availability; patch is the patch information and time the vulnerability disclosure time; Score, AV, AC, Auth, C, I and A are the CVSS indicators (vulnerability score, attack path, attack complexity, authentication requirement, confidentiality impact, integrity impact and availability impact); k is a time adjustment factor, λ a patch availability factor and α a vulnerability availability factor.
Further, in the terminal trust management and trusted access method of any of the above embodiments, the vulnerability weight W_i is calculated by the following formula:
where m is the number of vulnerabilities whose hazard level is level_i; num is the number of vulnerabilities in the vulnerability information set M; level_i is the hazard level of vulnerability i; and ρ_{level_i} is the weight of hazard level level_i.
Optionally, in the terminal trust management and trusted access method of any of the above embodiments, the initial trust obeys the following rules: the more powerful the terminal function, the lower the initial trust; the higher the terminal risk factor, the lower the initial trust; and the higher the network security level requirement, the lower the initial trust.
Optionally, in the terminal trust management and trusted access method of any of the foregoing embodiments, the initial trust calculation formula is as follows:
where T_0 is the initial trust, v_1 the weight of the terminal function, v_2 the weight of the terminal risk factor, fun the terminal function, risk the terminal risk factor and n the security level requirement.
The invention provides a terminal trust management and trusted access system and method based on cloud-edge collaboration. When a terminal joins the network, the edge scans it and uploads the terminal information to the cloud server, which identifies and verifies the terminal, performs the calculation and returns the result to the edge server. The edge server, being physically close to the terminal, guarantees trusted access and dynamic management of the terminal while keeping communication latency low, and so solves the problem of the initial trust value in scenarios with high requirements on both security and latency.
The conception, specific structure, and technical effects of the present invention will be further described with reference to the accompanying drawings to fully understand the objects, features, and effects of the present invention.
Drawings
Fig. 1 is a schematic diagram of the structure of a terminal trust management and trusted access system based on cloud-edge collaboration according to an exemplary embodiment;
Fig. 2 is a flowchart of a terminal trust management and trusted access method based on cloud-edge collaboration according to an exemplary embodiment.
Detailed Description
The following description of the preferred embodiments of the present invention refers to the accompanying drawings, which make the technical contents thereof more clear and easy to understand. The present invention may be embodied in many different forms of embodiments and the scope of the present invention is not limited to only the embodiments described herein.
In the drawings, like structural elements are referred to by like reference numerals and components having similar structure or function are referred to by like reference numerals. The dimensions and thickness of each component shown in the drawings are arbitrarily shown, and the present invention is not limited to the dimensions and thickness of each component. The thickness of the components is schematically and appropriately exaggerated in some places in the drawings for clarity of illustration.
The inventors designed a terminal trust management and trusted access system based on cloud-edge collaboration which, as shown in Fig. 1, comprises:
a terminal, which includes sensors, controllers and various intelligent terminals;
a device information base, which stores terminal information, namely the hardware information, software version and communication protocol of the terminal;
a vulnerability database, which stores the set of vulnerability information already discovered for each terminal;
a vulnerability assessment module, which calculates the terminal risk factor from that vulnerability information set, where the set includes, for each vulnerability, its identifier, hazard level, disclosure time, patch information and CVSS (Common Vulnerability Scoring System) indicators;
an audit database, which stores data from the network nodes and the running state of the network;
a device scanning module, which scans the firmware information and communication messages of the terminal;
a protocol conversion module, which on the uplink parses the protocol used by the terminal, converts its messages into a unified protocol and uploads them to the cloud server, and on the downlink wraps the cloud server's messages in the protocol used by the terminal and delivers them to the terminal;
a trust measurement module, which, once a terminal has joined the network, calculates an initial trust value from the device information base, the result returned by the vulnerability assessment module and a preset network security level, and, while the terminal runs, calculates a real-time trust value from network traffic and terminal behaviour characteristics;
a trust database, which stores the real-time trust values of the terminals in the network;
an adaptive encryption module, which selects an encryption algorithm according to the terminal's real-time trust value, balancing transmission security against efficiency, encrypts the data sent by the terminal and forwards the encrypted data to the cloud server;
the device information base, vulnerability database, vulnerability assessment module and audit database are deployed on the cloud server, and the device information base and vulnerability database are built in advance and updated regularly to keep their information complete; the device scanning module, protocol conversion module, trust measurement module, trust database and adaptive encryption module together form the trusted communication agent and are deployed on the edge server;
when a terminal joins the network, the device scanning module scans its firmware information and communication messages and uploads the scan result to the device information base. Once the device information base has identified the terminal, it returns the terminal model and function to the device scanning module and sends the terminal's firmware information to the vulnerability assessment module; the device scanning module passes the terminal model and function on to the trust measurement module. The vulnerability assessment module looks up the firmware information in the vulnerability database to obtain the terminal's vulnerability information set, calculates the terminal risk factor and sends the result to the trust measurement module. The trust measurement module assigns the terminal an initial trust value based on the terminal risk factor, the terminal model and function and the preset network security level, and writes the result to the trust database. The terminal starts working once it has been given an initial trust value; from then on the trust measurement module calculates its real-time trust value from network traffic and terminal behaviour characteristics and stores the result in the trust database. The protocol conversion module parses the terminal's operating data and checks whether the real-time trust value meets the security threshold: if it does, the data is passed to the adaptive encryption module, which selects an encryption algorithm according to the real-time trust value, encrypts the data and uploads it to the audit database on the cloud server; if it does not, the current communication message is discarded and the terminal is disconnected. The terminal is deployed at the network edge layer.
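As an added example (not code from the patent), the following Go program models the edge agent's trust gate and the adaptive encryption module described above: a real-time trust value below the security threshold discards the message and disconnects the terminal, which then stays disconnected until it is re-admitted through a fresh scan and initial-trust assignment; a value at or above the threshold selects a cipher suite by trust band. Two checks a practitioner would want are built in. Every suite the module can pick is an AEAD (AES-256-GCM and AES-128-GCM from Go's standard library), so trust adjusts cost, never whether confidentiality and integrity are protected. And the suite identifier and terminal identifier travel in a header that is authenticated as associated data, so an on-path attacker cannot rewrite the header to make the cloud side accept a different suite. The band policy, header layout, terminal identifier and keys are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Suite is an AEAD the adaptive encryption module may pick: trust changes cost, never integrity.
type Suite struct {
	ID   byte // identifier carried in the message header
	AEAD cipher.AEAD
}

// NewSuite wraps AES-GCM around a key; a wrong key length is a configuration error.
func NewSuite(id byte, key []byte) Suite {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 128-bit block
	return Suite{id, aead}
}

// Demo suites, heaviest first (lowest admitted trust): AES-256-GCM, then AES-128-GCM; keys are constructed.
var Demo = []Suite{
	NewSuite(2, []byte("0123456789abcdef0123456789abcdef")),
	NewSuite(1, []byte("fedcba9876543210")),
}

// Agent is the edge-side trusted communication agent: trust values, threshold, disconnect state, suites.
type Agent struct {
	Threshold float64
	suites    []Suite
	trust     map[string]float64
	dropped   map[string]bool
}

func NewAgent(threshold float64, suites []Suite) *Agent {
	return &Agent{threshold, suites, map[string]float64{}, map[string]bool{}}
}

// Readmit is the outcome of S100..S500; Update stores an S600 real-time trust value.
func (a *Agent) Readmit(id string, t0 float64) { a.trust[id] = t0; delete(a.dropped, id) }
func (a *Agent) Update(id string, t float64)   { a.trust[id] = t }

// Select is the S700 gate: below threshold (or already disconnected) the message is dropped and the
// terminal stays disconnected until re-admitted; otherwise its band of [threshold, 1] picks the suite.
func (a *Agent) Select(id string) (Suite, error) {
	t, ok := a.trust[id]
	if !ok || a.dropped[id] || t < a.Threshold {
		a.dropped[id] = true
		return Suite{}, fmt.Errorf("terminal %s: trust %.2f below %.2f, disconnected", id, t, a.Threshold)
	}
	band := int((t - a.Threshold) / (1 - a.Threshold) * float64(len(a.suites)))
	if band == len(a.suites) { // t == 1 lands just past the last band
		band--
	}
	return a.suites[band], nil
}

// Seal produces header || nonce || ciphertext. The header (suite ID, terminal ID assumed under 256
// bytes) is bound as associated data, so the cloud side detects a rewritten suite ID (downgrade) or sender.
func (a *Agent) Seal(id string, plaintext []byte) ([]byte, error) {
	s, err := a.Select(id)
	if err != nil {
		return nil, err
	}
	header := append([]byte{s.ID, byte(len(id))}, id...)
	nonce := make([]byte, s.AEAD.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	msg := append(header[:len(header):len(header)], nonce...) // copies; header stays intact
	return s.AEAD.Seal(msg, nonce, plaintext, header), nil
}

// Open is the cloud side: the suite comes from the authenticated header; a failed verify yields nil, err.
func Open(suites []Suite, msg []byte) (string, []byte, error) {
	if len(msg) < 2 || len(msg) < 2+int(msg[1])+12 { // 12 = GCM nonce size
		return "", nil, fmt.Errorf("message too short")
	}
	hl := 2 + int(msg[1])
	for _, s := range suites {
		if s.ID == msg[0] {
			pt, err := s.AEAD.Open(nil, msg[hl:hl+12], msg[hl+12:], msg[:hl])
			return string(msg[2:hl]), pt, err
		}
	}
	return "", nil, fmt.Errorf("unknown suite id %d", msg[0])
}

func main() {
	a := NewAgent(0.5, Demo)
	a.Readmit("plc-07", 0.9) // constructed terminal id and initial trust value
	msg, sealErr := a.Seal("plc-07", []byte("temp=71.5"))
	id, pt, openErr := Open(Demo, msg)
	fmt.Printf("seal=%v open=%v from=%s data=%q\n", sealErr, openErr, id, pt)
}
```

The terminal identifier that the cloud side writes to the audit database comes from the same authenticated header, so a message whose sender field was altered in transit fails to verify just as a swapped suite identifier does.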
Based on the above embodiments, the inventors provide a terminal trust management and trusted access method based on cloud-edge collaboration which, as shown in Fig. 2, comprises:
S100, scanning terminal information: when a terminal joins the network, the device scanning module scans the terminal information and uploads it to the device information base;
S200, querying vulnerability information: the device information base identifies the terminal from the scanned terminal information and sends the vulnerability information held for that terminal in the vulnerability database to the vulnerability assessment module;
S300, calculating the risk factor: the vulnerability assessment module calculates the terminal risk factor, which obeys the following rules: the higher a vulnerability's hazard level, the higher the terminal risk factor; the more recently a vulnerability was disclosed, the higher the terminal risk factor; the less patch information is available, the higher the terminal risk factor; the higher the vulnerability score, the higher the terminal risk factor; the simpler the attack path, the higher the terminal risk factor; the lower the attack complexity, the higher the terminal risk factor; the less authentication an attack requires, the higher the terminal risk factor; and the greater the impact on confidentiality, integrity and availability, the higher the terminal risk factor. The terminal risk factor calculation formula is as follows:
where risk is the risk factor and W_i, the weight of vulnerability i, is calculated by the following formula:
where m is the number of vulnerabilities whose hazard level is level_i; num is the number of vulnerabilities in the vulnerability information set M; level_i is the hazard level of vulnerability i and ρ_{level_i} the weight of hazard level level_i; level_j is the hazard level of vulnerability j and ρ_{level_j} the weight of hazard level level_j; w_1 is the weight of the attack path, w_2 of the attack complexity, w_3 of authentication, w_4 of confidentiality, w_5 of integrity and w_6 of availability; patch is the patch information and time the vulnerability disclosure time; Score, AV, AC, Auth, C, I and A are the CVSS indicators (vulnerability score, attack path, attack complexity, authentication requirement, confidentiality impact, integrity impact and availability impact); k is a time adjustment factor, λ a patch availability factor and α a vulnerability availability factor;
S400, calculating the initial trust: the trust measurement module calculates the initial trust of the terminal from the terminal function, the terminal risk factor and the security level requirement, and the initial trust obeys the following rules: the more powerful the terminal function, the lower the initial trust; the higher the terminal risk factor, the lower the initial trust; and the higher the network security level requirement, the lower the initial trust. The initial trust calculation formula is as follows:
where T_0 is the initial trust, v_1 the weight of the terminal function, v_2 the weight of the terminal risk factor, fun the terminal function, risk the terminal risk factor and n the security level requirement;
S500, admitting the terminal to the network: if the initial trust of the terminal meets the security threshold, the terminal joins the network and starts working; otherwise the terminal is disconnected;
S600, real-time measurement: the real-time trust value of the terminal is calculated continuously from network traffic and terminal behaviour characteristics;
S700, adaptive encrypted transmission: if the real-time trust value meets the security threshold, the adaptive encryption module selects an encryption algorithm, encrypts the data sent by the terminal and transmits the encrypted data to the cloud server; otherwise the communication message is discarded and the terminal is disconnected.
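The risk factor and initial trust formulas of steps S300 and S400 (and of the summary above) are not reproduced on this page; only their variables and the rules they must obey survive. The following Go program is an added example and not the patent's own code: it implements one assumed functional form that satisfies every stated rule, with W_i derived from the hazard-level weights ρ and the count of vulnerabilities at each level, the six CVSS indicators read from a CVSS v2 base vector (AV, AC, Au, C, I, A, whose numeric values are those of the CVSS v2 specification), and the S500 admission check against a threshold. The weights and factors, the 1..4 hazard scale, the capability score fun in [0, 1], the 0.5 threshold and the scan results are all constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Vuln is one entry of the vulnerability set M discovered for a terminal.
type Vuln struct {
	Level   int     // hazard level on a constructed 1..4 scale (4 = critical)
	AgeDays float64 // days since public disclosure
	Patched bool    // patch information: a vendor fix exists
	Score   float64 // CVSS base score, 0..10
	Vector  string  // CVSS v2 base vector, e.g. "AV:N/AC:L/Au:N/C:P/I:P/A:P"
}

// Numeric values the CVSS v2 specification assigns to each base-metric level.
var impact = map[string]float64{"N": 0, "P": 0.275, "C": 0.660}
var cvss2 = map[string]map[string]float64{
	"AV": {"L": 0.395, "A": 0.646, "N": 1.0},
	"AC": {"H": 0.35, "M": 0.61, "L": 0.71},
	"Au": {"M": 0.45, "S": 0.56, "N": 0.704},
	"C":  impact, "I": impact, "A": impact,
}

// ParseVector maps a CVSS v2 base vector to metric -> value; unknown or missing metrics are errors.
func ParseVector(v string) (map[string]float64, error) {
	out := map[string]float64{}
	for _, part := range strings.Split(v, "/") {
		k, lvl, found := strings.Cut(part, ":")
		val, ok := cvss2[k][lvl]
		if !found || !ok {
			return nil, fmt.Errorf("unknown metric or value %q", part)
		}
		out[k] = val
	}
	if len(out) != len(cvss2) {
		return nil, fmt.Errorf("vector %q does not carry all six base metrics", v)
	}
	return out, nil
}

// Params are the tunables the patent names: w1..w6 (AV, AC, Au, C, I, A), time adjustment k,
// patch availability lambda, vulnerability availability alpha, hazard-level weights rho, v1, v2.
type Params struct {
	W                [6]float64
	K, Lambda, Alpha float64
	Rho              map[int]float64
	V1, V2           float64
}

// Demo values are constructed for this example, not taken from the patent.
var Demo = Params{W: [6]float64{1, 1, 1, 1, 1, 1}, K: 1, Lambda: 0.5, Alpha: 1,
	Rho: map[int]float64{1: 0.1, 2: 0.3, 3: 0.6, 4: 1}, V1: 0.5, V2: 0.1}

// RiskFactor is an assumed form of the risk factor (the patent's own formula is not on the page)
// that obeys every rule it states. W_i is rho(level_i) times the share of M at that level, normalised to sum 1.
func RiskFactor(vs []Vuln, p Params) (float64, error) {
	num, count, norm, risk := float64(len(vs)), map[int]int{}, 0.0, 0.0
	for _, v := range vs {
		count[v.Level]++
	}
	for l, c := range count { // sum_i rho(level_i)*m_i/num == sum_l rho(l)*m_l^2/num
		if p.Rho[l] == 0 {
			return 0, fmt.Errorf("no weight for hazard level %d", l)
		}
		norm += p.Rho[l] * float64(c*c) / num
	}
	for _, v := range vs {
		m, err := ParseVector(v.Vector)
		if err != nil {
			return 0, err
		}
		wi := p.Rho[v.Level] * float64(count[v.Level]) / num / norm
		exploit := p.W[0]*m["AV"] + p.W[1]*m["AC"] + p.W[2]*m["Au"]
		harm := p.W[3]*m["C"] + p.W[4]*m["I"] + p.W[5]*m["A"]
		recency := math.Exp(-p.K * v.AgeDays / 365) // 1 on disclosure day, decays with age
		patch := 1.0
		if v.Patched {
			patch = p.Lambda // lambda < 1 discounts vulnerabilities that have a fix
		}
		risk += wi * p.Alpha * (v.Score / 10) * (exploit + harm) * recency * patch
	}
	return risk, nil
}

// InitialTrust is an assumed form of T0 obeying the patent's three rules: it falls as
// terminal capability fun (0..1), risk and the network security level n (>= 1) rise.
func InitialTrust(fun, risk, n float64, p Params) float64 {
	return 1 / (1 + n*(p.V1*fun+p.V2*risk))
}

func main() {
	set := []Vuln{{Level: 4, Score: 10, Vector: "AV:N/AC:L/Au:N/C:C/I:C/A:C"}} // constructed scan result
	risk, err := RiskFactor(set, Demo)
	t0 := InitialTrust(0.2, risk, 3, Demo) // sensor-class terminal (fun 0.2), security level 3
	fmt.Printf("risk=%.3f T0=%.3f admitted=%v err=%v\n", risk, t0, t0 >= 0.5, err) // S500, threshold 0.5
}
```

Because `ParseVector` rejects unknown or missing metrics and `RiskFactor` rejects hazard levels that have no weight, a malformed or truncated scan result fails closed instead of silently producing a low risk factor and a high initial trust.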
The foregoing describes preferred embodiments of the present invention in detail. It should be understood that a person of ordinary skill in the art can make numerous modifications and variations according to the concept of the invention without undue effort. Therefore, all technical solutions that a person skilled in the art can obtain from the prior art by logical analysis, reasoning or limited experimentation according to the inventive concept fall within the scope of protection defined by the claims.

Claims (10)

1. A terminal trust management and trusted access system comprising:
the terminal is used for data acquisition, signal transmission and control execution;
the equipment information base stores the terminal information;
the vulnerability database stores a vulnerability information set which is mined by the terminal;
the vulnerability assessment module calculates a terminal risk factor based on the mined vulnerability information set;
an audit database for storing data of network nodes and running conditions of the network;
the equipment scanning module scans the firmware information and the communication message of the terminal;
the protocol conversion module analyzes and converts a protocol used by the terminal into a communication message of a unified protocol during uploading and uploads the communication message to the cloud server; when downloading, the communication message of the cloud server is packaged into the communication message of the protocol used by the terminal, and the communication message is issued to the terminal;
the credibility measurement module is used for calculating an initial trust value according to the equipment information base and the returned result of the vulnerability assessment module after the terminal is accessed and combining with a preset network security level, and calculating a real-time trust value according to network flow and terminal behavior characteristics after the terminal is operated;
a trust database for storing real-time trust values of the terminals in the network;
the adaptive encryption module selects an encryption algorithm according to the real-time trust value of the terminal, balancing transmission security against efficiency, encrypts the data sent by the terminal and transmits the encrypted data to the cloud server;
the equipment information base, the vulnerability database, the vulnerability assessment module and the audit database are deployed on a cloud server; the equipment scanning module, the protocol conversion module, the trusted measurement module, the trust database and the adaptive encryption module form a trusted communication agent deployed on an edge server;
in response to a terminal accessing the network, the equipment scanning module scans the firmware information and communication messages of the terminal and uploads the scan result to the equipment information base; once the equipment information base has identified the terminal, it issues the terminal model and function to the equipment scanning module and sends the firmware information of the terminal to the vulnerability assessment module; the equipment scanning module forwards the terminal model and function to the trusted measurement module; the vulnerability assessment module looks up the firmware information of the terminal in the vulnerability database to obtain the vulnerability information set of the terminal, calculates the terminal risk factor and sends the result to the trusted measurement module; the trusted measurement module assigns the terminal an initial trust value based on the terminal risk factor, the terminal model and function and the preset network security level, and sends the result to the trust database; the terminal starts working once it has been assigned the initial trust value, and while it runs the trusted measurement module continuously calculates the real-time trust value of the terminal from network traffic and terminal behaviour characteristics and passes the result to the trust database for storage; the protocol conversion module parses the operating data of the terminal and checks whether the real-time trust value meets a safety threshold: if it does, the protocol conversion module passes the data to the adaptive encryption module, which selects an encryption algorithm according to the real-time trust value, encrypts the data and uploads the encrypted data to the audit database of the cloud server; if it does not, the current communication message is discarded and the terminal is disconnected.
2. The terminal trust management and trusted access system of claim 1, wherein the terminal information comprises hardware information, software version, communication protocol of the terminal.
3. The terminal trust management and trusted access system of claim 1, wherein the mined vulnerability information set comprises vulnerability numbers, hazard classes, vulnerability disclosure times, patch information and CVSS (Common Vulnerability Scoring System) metrics.
4. The terminal trust management and trusted access system of claim 1, wherein said device information base and said vulnerability database are established in advance and updated periodically to ensure the completeness of the information.
5. The terminal trust management and trusted access system of claim 1, wherein the terminal is deployed at a network edge layer.
6. A terminal trust management and trusted access method, characterized in that it uses a terminal trust management and trusted access system according to any one of claims 1 to 5, comprising the steps of:
S100, scanning terminal information: in response to a terminal accessing the network, the equipment scanning module scans the terminal information and uploads it to the equipment information base;
S200, querying vulnerability information: the equipment information base identifies the terminal from the scanned terminal information and sends the vulnerability information of the corresponding terminal in the vulnerability database to the vulnerability assessment module;
S300, calculating the risk factor: the vulnerability assessment module calculates the terminal risk factor;
S400, calculating the initial trust: the trusted measurement module calculates the initial trust of the terminal from the terminal function, the terminal risk factor and the security level requirement;
S500, accessing the network: if the initial trust of the terminal meets the safety threshold, the terminal is admitted to the network and starts working; otherwise the connection of the terminal is dropped;
S600, real-time measurement: the real-time trust value of the terminal is calculated continuously from network traffic and terminal behaviour characteristics;
S700, adaptive encrypted transmission: if the real-time trust value meets the security threshold, the adaptive encryption module selects an encryption algorithm, encrypts the data sent by the terminal and transmits the encrypted data to a cloud server; otherwise the communication message is discarded and the terminal is disconnected.
7. The terminal trust management and trusted access method of claim 6, wherein the step of calculating the terminal risk factor follows these rules: the higher the vulnerability level, the higher the terminal risk factor; the shorter the vulnerability disclosure time, the higher the terminal risk factor; the less patch information there is, the higher the terminal risk factor; the higher the vulnerability score, the higher the terminal risk factor; the simpler the attack path, the higher the terminal risk factor; the lower the attack complexity, the higher the terminal risk factor; the less authentication an attack requires, the higher the terminal risk factor; and the greater the impact on confidentiality, integrity and availability, the higher the terminal risk factor.
8. The terminal trust management and trusted access method of claim 6, wherein the risk factor calculation formula is as follows:
wherein the quantities of the formula (whose symbols are not reproduced on this page) are: the risk factor; the weight of each vulnerability; the number of vulnerabilities in the vulnerability information set; the weights of the attack path, the attack complexity, authentication, confidentiality, integrity and availability; the patch information and the vulnerability disclosure time; the CVSS metrics, namely the vulnerability score, attack path, attack complexity, authentication requirement, confidentiality impact, integrity impact and availability impact; and the time adjustment factor, the patch availability factor and the vulnerability availability factor.
9. The terminal trust management and trusted access method of claim 8, wherein the weight of a vulnerability is calculated by the following formula:
wherein the quantities of the formula (whose symbols are not reproduced on this page) are: the number of vulnerabilities of a given hazard level; the number of vulnerabilities in the vulnerability information set; the hazard level of each vulnerability; and the weight of each hazard class.
10. The terminal trust management and trusted access method of claim 6, wherein the calculation of the initial trust level is subject to the following rules: the stronger the terminal function is, the lower the initial trust degree is; the higher the terminal risk factor is, the lower the initial trust degree is; the higher the network security level requirement, the lower the initial trust.
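The following Python model is added here as an illustration of the claimed pipeline; it is not the patent's own code nor the applicant's. It traces the hazard-class weighting of claim 9, a risk factor that obeys the monotonic rules of claim 7 (the formula of claim 8 is not reproduced on this page, so the scoring function used here is an assumption, not the patented one), the initial-trust rules of claim 10, the safety-threshold gate of steps S500 and S700, the real-time trust update of S600 and the trust-dependent choice of encryption algorithm of claim 1. All weights, thresholds, cipher-suite names, function categories and sample vulnerabilities are constructed values.

```python
"""Illustrative model of the trusted-access pipeline in claims 1, 6, 7, 9 and 10.
Added example, not the patent's code.  risk_factor() is an ASSUMED scoring function
that only obeys the monotonic rules of claim 7 and the hazard-class weighting of
claim 9; every constant and sample value below is constructed for the illustration."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Vuln:
    """One entry of the mined vulnerability information set (claim 3)."""
    vid: str          # vulnerability number (constructed placeholder, not a real CVE)
    hazard: int       # hazard class: 1 low .. 4 critical
    disclosed: date   # vulnerability disclosure time
    patched: bool     # patch information: True if a fix is published
    cvss: float       # CVSS base score, 0..10
    av: float         # attack path, 1.0 network .. 0.2 physical
    ac: float         # attack complexity, 1.0 low .. 0.35 high
    au: float         # authentication required, 1.0 none .. 0.45 multiple
    c: float          # confidentiality impact, 0.0 none .. 1.0 complete
    i: float          # integrity impact, same scale
    a: float          # availability impact, same scale


HAZARD_WEIGHT = {1: 0.1, 2: 0.3, 3: 0.6, 4: 1.0}               # assumed, claim 9
METRIC_WEIGHT = {"av": 0.2, "ac": 0.2, "au": 0.1,              # assumed weights of the
                 "c": 0.2, "i": 0.15, "a": 0.15}               # CVSS metrics, sum 1.0
FUNCTION_STRENGTH = {"sensor": 0.2, "actuator": 0.6, "controller": 1.0}  # assumed, claim 10
SECURITY_LEVEL_PENALTY = {1: 0.0, 2: 0.1, 3: 0.2, 4: 0.3}                # assumed, claim 10
SAFETY_THRESHOLD = 0.5                                                     # assumed, S500/S700
CIPHER_SUITES = [(0.8, "AES-128-GCM"),                   # assumed mapping: the less trusted
                 (0.6, "AES-256-GCM"),                   # the terminal, the heavier the
                 (0.0, "AES-256-GCM+per-message-rekey")]  # protection, at some efficiency cost


def vuln_weights(vulns):
    """Claim 9: weight of each vulnerability from its hazard class, normalised over the set."""
    total = sum(HAZARD_WEIGHT[v.hazard] for v in vulns)
    return {v.vid: HAZARD_WEIGHT[v.hazard] / total for v in vulns}


def risk_factor(vulns, today):
    """Assumed instance of claim 7: grows with severity, recency, missing patches, ease of
    exploitation and impact; stays within [0, 1]."""
    if not vulns:
        return 0.0
    weights = vuln_weights(vulns)
    risk = 0.0
    for v in vulns:
        exploit = sum(METRIC_WEIGHT[k] * getattr(v, k) for k in METRIC_WEIGHT)
        age_years = (today - v.disclosed).days / 365.0
        time_adj = 1.0 / (1.0 + age_years)      # shorter disclosure time -> larger factor
        patch_adj = 0.5 if v.patched else 1.0   # less patch information -> larger factor
        risk += weights[v.vid] * (v.cvss / 10.0) * exploit * (0.5 + 0.5 * time_adj) * patch_adj
    return min(1.0, risk)


def initial_trust(function, risk, security_level):
    """Claim 10: stronger function, higher risk factor and higher security level lower trust."""
    trust = (1.0 - 0.3 * FUNCTION_STRENGTH[function]
             - 0.5 * risk - SECURITY_LEVEL_PENALTY[security_level])
    return max(0.0, min(1.0, trust))


def realtime_trust(previous, flow_anomaly, behaviour_anomaly, alpha=0.3):
    """S600: assumed exponential smoothing of the trust value with an observation derived
    from network-flow and behaviour anomaly scores in [0, 1]."""
    observation = 1.0 - max(flow_anomaly, behaviour_anomaly)
    return (1.0 - alpha) * previous + alpha * observation


def select_suite(trust):
    """S700: adaptive choice of the encryption algorithm from the real-time trust value."""
    for floor, suite in CIPHER_SUITES:
        if trust >= floor:
            return suite


def process_upload(terminal_id, protocol, payload, trust):
    """Edge-agent data path of claim 1: wrap the terminal message in the unified protocol,
    gate on the safety threshold, then either forward to encryption or disconnect."""
    unified = {"terminal": terminal_id, "src_protocol": protocol, "body": payload}
    if trust < SAFETY_THRESHOLD:
        return {"action": "disconnect", "dropped": unified}
    return {"action": "forward", "suite": select_suite(trust), "message": unified}


# Constructed sample data: one critical, fresh, unpatched hole and one old, patched one.
SAMPLE_TODAY = date(2022, 2, 24)
SAMPLE_VULNS = [
    Vuln("VULN-A", 4, date(2022, 1, 25), False, 9.8, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0),
    Vuln("VULN-B", 2, date(2019, 2, 24), True, 5.3, 1.0, 0.35, 0.45, 0.3, 0.0, 0.0),
]


def admit_terminal(function, vulns, security_level, today=SAMPLE_TODAY):
    """Steps S300 to S500 in one call: risk factor, initial trust and the access decision."""
    risk = risk_factor(vulns, today)
    trust = initial_trust(function, risk, security_level)
    return {"risk": risk, "trust": trust, "admitted": trust >= SAFETY_THRESHOLD}


if __name__ == "__main__":
    print(admit_terminal("controller", SAMPLE_VULNS, 3))   # refused: unpatched critical hole
    print(admit_terminal("sensor", SAMPLE_VULNS[1:], 3))   # admitted: old, patched hole only
    print(process_upload("t1", "Modbus", b"\x01\x03", realtime_trust(0.71, 0.1, 0.05)))
```

Running the module admits a sensor carrying only the old, patched vulnerability and refuses a controller carrying the fresh, unpatched critical one. The rules of claims 7 and 10 can be checked by perturbing any single input (hazard class, patch status, disclosure date, function category, security level) and confirming that the score moves in the direction the claim states.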
CN202210173292.3A 2022-02-24 2022-02-24 Terminal trust management and trusted access system and method Active CN114553554B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210173292.3A CN114553554B (en) 2022-02-24 2022-02-24 Terminal trust management and trusted access system and method

Publications (2)

Publication Number Publication Date
CN114553554A CN114553554A (en) 2022-05-27
CN114553554B true CN114553554B (en) 2023-09-22

Family

ID=81677290

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114693193A (en) * 2022-06-02 2022-07-01 中国人民解放军海军工程大学 Equipment scientific research project risk factor evaluation system and method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107249015A (en) * 2017-04-28 2017-10-13 西安财经学院 Credible cloud service system of selection, cloud system and Cloud Server based on risk assessment
CN109951333A (en) * 2019-03-19 2019-06-28 中南大学 Trust evaluation device based on subjective logic in the processing of edge calculations network video
CN112351022A (en) * 2020-10-30 2021-02-09 新华三技术有限公司 Security protection method and device for trust zone
CN113219895A (en) * 2021-05-10 2021-08-06 上海交通大学宁波人工智能研究院 Device and method for enabling edge controller to be safe and credible

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8261328B2 (en) * 2008-08-14 2012-09-04 International Business Machines Corporation Trusted electronic communication through shared vulnerability
CN107133520B (en) * 2016-02-26 2021-05-14 华为技术有限公司 Credibility measuring method and device for cloud computing platform
US11108557B2 (en) * 2017-11-30 2021-08-31 Cable Television Laboratories, Inc. Systems and methods for distributed trust model and framework
US20200160455A1 (en) * 2018-06-29 2020-05-21 Ashwarya Pratap Singh Methods and systems of a marketplace blockchain-based protocol platform with a trust score

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on edge computing resource collaboration based on comprehensive trust; 邓晓衡, 关培源, 万志文, 刘恩陆, 罗杰, 赵智慧, 刘亚军, 张洪刚; Journal of Computer Research and Development (No. 03); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant