CN112055029B

CN112055029B - User real-time trust degree evaluation method for zero-trust electric power Internet of things equipment

Info

Publication number: CN112055029B
Application number: CN202010975261.0A
Authority: CN
Inventors: 费稼轩; 石聪聪; 张小建; 黄秀丽; 程凯
Original assignee: State Grid Corp of China SGCC; State Grid Hebei Electric Power Co Ltd; Global Energy Interconnection Research Institute; Information and Telecommunication Branch of State Grid Hebei Electric Power Co Ltd
Current assignee: State Grid Corp of China SGCC; State Grid Hebei Electric Power Co Ltd; Global Energy Interconnection Research Institute; Information and Telecommunication Branch of State Grid Hebei Electric Power Co Ltd
Priority date: 2020-09-16
Filing date: 2020-09-16
Publication date: 2023-04-07
Anticipated expiration: 2040-09-16
Also published as: CN112055029A

Abstract

The invention relates to the technical field of information security, in particular to a user real-time trust degree evaluation method for zero-trust electric power Internet of things equipment, which comprises the steps of obtaining equipment information, user identity information, accessed target object resources and access behavior data of all object resources of target electric power Internet of things equipment; the equipment information comprises equipment identity information and equipment data; performing identity authentication on the target power Internet of things equipment and the user based on the equipment identity information and the user identity information; after the target power Internet of things equipment and the user successfully perform identity authentication, determining the current trust level of the target power Internet of things equipment according to the equipment data and the access behavior data of each object resource; and comparing the current trust with a trust threshold of the target object resource, and determining the authority of the target power Internet of things equipment for accessing the target object resource. By determining the current trust level, the security of the electric power Internet of things system is improved for the fact that the access authority extends from an external network to an internal network.

Description

User real-time trust degree evaluation method for zero-trust power Internet of things equipment

Technical Field

The invention relates to the technical field of information security, in particular to a user real-time trust degree evaluation method for zero-trust electric power Internet of things equipment.

Background

The trust evaluation model analyzes and measures the trust information and the trust degree of the network node, gives a trust level to the node through the numerical value of the trust degree of the node, further realizes access control, authority management and security measurement, and plays an increasingly important role in the security of a network system at present.

Because the hardware and software development of the electric power internet of things system is not mature enough, the quality level of electric power internet of things equipment is not uniform, the safety problem is not emphasized enough, and some electric power internet of things equipment has safety loopholes in the system and software, and once the loopholes are utilized, the electric power internet of things equipment is easily attacked by various means, so that the network system of the electric power internet of things faces greater safety threat. Most of the existing network security protection and trust evaluation systems adopt a security architecture based on boundary protection, the network is divided into an internal network, an external network and other areas according to the position of equipment in the network, the internal network and the external network are isolated at the network boundary, security measures such as a firewall and an intrusion detection system are deployed, a corresponding security strategy is configured, and a boundary protection and trust evaluation system is built.

However, with the development of cloud computing technology, more and more applications and data are deployed in the cloud, and meanwhile, remote access by using a tunnel technology is more and more common, the boundary of a network is more and more fuzzy, and the traditional trust evaluation and security protection method for performing boundary protection according to the position of an access subject in the network encounters more and more challenges. In order to solve the problems, google corporation proposes a zero trust framework, takes identity authentication as a core, and guarantees the security of access resources through continuous authentication and trust evaluation, and the zero trust framework is applied to a security protection and trust evaluation system by more and more enterprises.

However, most of even zero trust frameworks continue to use a partial boundary protection scheme, so that an internal network and an external network are isolated, and a trust rating and access strategy with high trust level is adopted for the internal network, so that the system is easily subjected to internal attack, and the security of the electric power internet of things system is low.

Disclosure of Invention

In view of this, the embodiment of the invention provides a user real-time trust degree evaluation method for zero-trust electric power internet of things equipment, so as to solve the problem of low security of an electric power internet of things system.

According to a first aspect, an embodiment of the present invention provides a method for evaluating a user real-time trust degree of zero-trust power internet of things equipment, including:

acquiring equipment information, user identity information, accessed target object resources and access behavior data of each object resource of target power Internet of things equipment; wherein the device information comprises device identity information and device data;

performing identity authentication on the target power Internet of things equipment and the user based on the equipment identity information and the user identity information;

after the target power Internet of things equipment and the user successfully perform identity authentication, determining the current trust level of the target power Internet of things equipment according to the equipment data and the access behavior data of each object resource;

and comparing the current trust level with a trust level threshold of the target object resource, and determining the authority of the target power Internet of things equipment for accessing the target object resource.

According to the user real-time trust degree evaluation method for the zero-trust electric power Internet of things equipment, after target electric power Internet of things equipment and user identity information are authenticated, the current trust degree of the target electric power Internet of things equipment is determined by using equipment data of the target electric power Internet of things and access behavior data of each object resource, so that the right of accessing the target object resource is determined; namely, the current trust level is comprehensively determined by using the device data of the target power Internet of things and the access behavior data of each object resource, and the determination of the access authority is extended from the external network to the internal network of the power Internet of things, so that the safety of the power Internet of things system is improved.

With reference to the first aspect, in a first implementation manner of the first aspect, the determining a current trust level of the target power internet of things device according to the device data and the access behavior data of each guest resource includes:

calculating the access success rate of all the object resources, the access success rate of a first preset object resource and the access success rate of a second preset object resource based on the access behavior data of all the object resources; the first preset object resource is an object resource with an access success rate lower than a first preset value, and the second preset object resource is an object resource with a trust threshold value exceeding a second preset value;

calculating the current access trust degree of the access behavior by utilizing the access success rate of all the object resources, the access success rate of the first preset object resource and the access success rate of the second preset object resource;

determining the current equipment trust level of the target Internet of things equipment based on the equipment data;

and determining the current trust level of the target power Internet of things equipment according to the current access trust level of the access behavior and the current equipment trust level of the target Internet of things equipment.

According to the user real-time trust degree evaluation method for the zero-trust power Internet of things equipment, the current access trust degree is calculated by utilizing the access success rates of various object resources, the current access trust degree is calculated from the angles of a plurality of object resources, the accuracy of the current access trust degree calculation is improved, and therefore basic guarantee is provided for the accurate determination of the current trust degree of the subsequent target power Internet of things equipment.

With reference to the first implementation manner of the first aspect, in a second implementation manner of the first aspect, the following formula is used to calculate the current access trust level of the access behavior:

R＝a ₁ R ₁ +a ₂ R ₂ +a ₃ R ₃ ；

wherein R is the current access trust of the access behavior, R ₁ For all said object resources access success rate, R ₂ Access success rate, R, of first preset object resource ₃ Access success rate of second preset object resource, a ₁ 、a ₂ And a is ₃ Is a coefficient of more than 0 and less than 1, wherein a ₁ +a ₂ +a ₃ ＝1。

With reference to the first implementation manner of the first aspect, in a third implementation manner of the first aspect, the determining, based on the device data, the current device trust level of the target internet of things device includes:

extracting a safety state detection result in the equipment data, wherein the safety state detection result comprises a detection result of at least a detection parameter;

determining the current security trust level of the target Internet of things equipment by using the security state detection result;

extracting static attribute parameters and dynamic attribute parameters in the equipment data, wherein the static attribute parameters comprise at least one of an IP address, an MAC address or a login mode, and the dynamic attribute parameters comprise at least one of uplink flow, downlink flow or a memory state;

determining the current attribute trust level of the target Internet of things equipment based on the static attribute parameters and the dynamic attribute parameters;

and calculating the current equipment trust level of the target Internet of things equipment by using the current security trust level and the current attribute trust level.

According to the user real-time trust degree evaluation method for the zero-trust electric power Internet of things equipment, the current equipment trust degree of the target Internet of things equipment is determined by using the safety state detection result and the static and dynamic attribute parameters in the equipment data, and the accuracy of the current equipment trust degree of the target Internet of things equipment is improved.

With reference to the third implementation manner of the first aspect, in the fourth implementation manner of the first aspect, the current device trust level of the target internet of things device is calculated by using the following formula:

C ₀ ＝w ₁ S+w ₂ d, in the formula, the compound I,

wherein, C ₀ The current equipment trust degree of the target Internet of things equipment, S is the current safety trust degree, D is the current attribute trust degree, w ₁ 、w ₂ Is a constant greater than 0 and less than 1, N is the number of the static attribute parameters, Q _i For the static attribute parameter, M is the dynamic attribute parameter, M _j As the number of the dynamic attribute parameters, b _j 、c _j A constant greater than 0 and less than 1.

With reference to any one of the first to fourth embodiments of the first aspect, in a fifth embodiment of the first aspect, the determining the current trust level of the target power internet of things device according to the current access trust level of the access behavior and the current device trust level of the target internet of things device includes:

calculating a first current trust degree of the target power Internet of things equipment by using the current access trust degree of the access behavior and the current equipment trust degree of the target Internet of things equipment;

acquiring a time attenuation factor and the historical trust degree of the target power Internet of things equipment;

determining the current trust level of the target power Internet of things equipment based on the first current trust level, the time attenuation factor and the historical trust level.

According to the user real-time trust degree evaluation method for the zero-trust electric power Internet of things equipment, the time attenuation factor is introduced into the calculation process of the current trust degree of the target electric power Internet of things equipment, the historical trust degree is combined into the calculation process of the current trust degree, and the reliability of the calculation result of the current trust degree is improved.

With reference to the fifth implementation manner of the first aspect, in a sixth implementation manner of the first aspect, the determining a current trust level of the target power internet of things device based on the first current trust level, the time decay factor, and the historical trust level includes:

calculating a second current trust degree of the target power Internet of things equipment by using the first current trust degree, the time attenuation factor and the historical trust degree;

extracting role influence factors corresponding to the user identity information;

and calculating the current trust degree of the target power Internet of things equipment by using the role influence factor and the second current trust degree.

According to the user real-time trust degree evaluation method for the zero-trust electric power Internet of things equipment, due to the fact that the role of the user has a certain influence on the current trust degree of the target electric power Internet of things equipment, the role influence factor is added in the calculation process of the current trust degree, the accuracy of the calculation of the current trust degree is improved, the current trust degree is subsequently utilized, the authority of the target electric power Internet of things equipment for accessing the target objective resources is determined, and the safety of an electric power Internet of things system is guaranteed.

With reference to the sixth implementation manner of the first aspect, in the seventh implementation manner of the first aspect, the current trust level of the target power internet of things device is calculated by using the following formula:

C＝(1+α)C ₂ in the formula, C ₂ ＝(1-γ)C ₁ +γC ₂ ；

Wherein C is the current trust level of the target Internet of things equipment, and C ₁ Is the first current confidence level, C ₂ And for the second current confidence level, alpha is the role influence factor, the value of alpha is between 0 and 1, gamma is the time attenuation factor, and the value of gamma is between-1 and 1.

With reference to the first aspect, in an eighth implementation manner of the first aspect, the comparing the current trust level with the trust level threshold of the target object resource to determine the authority of the target power internet of things device to access the target object resource includes:

initializing a user role trust level by utilizing the user identity information; wherein the user role trust level is the authority for accessing the target object resource;

judging whether the current trust level is greater than the trust level threshold of the target object resource;

and when the current trust degree is less than or equal to the trust degree threshold value of the target object resource, adjusting the trust level of the user role.

According to the user real-time trust degree evaluation method for the zero-trust electric power Internet of things equipment, when the current trust degree is smaller than or equal to the trust degree threshold value of the target object resource, the authority of the user for accessing the target object resource is adjusted by adjusting the role trust level, the target electric power Internet of things equipment can be guaranteed to access the target object resource, the authority of the target electric power Internet of things equipment for accessing the target object resource is restrained, and the safety of the electric power Internet of things system is improved.

According to a second aspect, an embodiment of the present invention further provides a device for evaluating real-time trust of a user of zero-trust power internet of things equipment, including:

the acquisition module is used for acquiring equipment information, user identity information, accessed target object resources and access behavior data of each object resource of target power Internet of things equipment; wherein the device information comprises device identity information and device data;

the identity authentication module is used for performing identity authentication on the target power Internet of things equipment and the user based on the equipment identity information and the user identity information;

the trust degree determining module is used for determining the current trust degree of the target power Internet of things equipment according to the equipment data and the access behavior data of each object resource after the target power Internet of things equipment and the user successfully perform identity authentication;

and the access authority determining module is used for comparing the current trust level with the trust level threshold of the target object resource and determining the authority of the target power internet of things equipment for accessing the target object resource.

According to the user real-time trust degree evaluation device for the zero-trust electric power Internet of things equipment, after target electric power Internet of things equipment and user identity information are authenticated, the current trust degree of the target electric power Internet of things equipment is determined by using equipment data of the target electric power Internet of things and access behavior data of each object resource, so that the authority of accessing the target object resource is determined; namely, the current trust level is comprehensively determined by using the device data of the target power Internet of things and the access behavior data of each object resource, and the determination of the access authority is extended from the external network to the internal network of the power Internet of things, so that the safety of the power Internet of things system is improved.

According to a third aspect, an embodiment of the present invention provides an electronic device, including: the memory and the processor are connected with each other in a communication mode, the memory stores computer instructions, and the processor executes the computer instructions to execute the method for evaluating the real-time trust degree of the user of the zero-trust electric power internet of things device in the first aspect or any one of the embodiments of the first aspect.

According to a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium storing computer instructions, where the computer instructions are configured to cause the computer to execute the method for evaluating real-time user trust of a zero-trust power internet of things device described in the first aspect or any one of the implementation manners of the first aspect.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.

Fig. 1 is a flowchart of a user real-time trust evaluation method for a zero-trust power internet of things device according to an embodiment of the present invention;

fig. 2 is a flowchart of a user real-time trust evaluation method for zero-trust electric power internet of things devices according to an embodiment of the present invention;

FIG. 3 is a flow chart of a user real-time trust level assessment method for a zero-trust power IOT device according to an embodiment of the present invention;

FIG. 4 is a flow chart of a user real-time trust level assessment method for a zero-trust power IOT device according to an embodiment of the present invention;

FIG. 5 is a block diagram of a user real-time trust evaluation apparatus for zero-trust power IOT equipment according to an embodiment of the present invention

Fig. 6 is a block diagram of a user real-time trust level evaluation system for zero-trust power internet of things devices according to an embodiment of the present invention;

fig. 7 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

It should be noted that the real-time user trust evaluation method for zero-trust power internet of things equipment in the embodiment of the invention runs through the whole access process, and realizes real-time calculation and update of the current trust of target power internet of things equipment.

According to an embodiment of the present invention, there is provided an embodiment of a user real-time trust level evaluation method for zero-trust power internet of things devices, it is noted that the steps illustrated in the flowchart of the drawings may be executed in a computer system such as a set of computer executable instructions, and that although a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be executed in an order different from that herein.

In this embodiment, a user real-time trust degree evaluation method for a zero-trust power internet of things device is provided, which may be used for electronic devices such as computers and servers, and fig. 1 is a flowchart of the user real-time trust degree evaluation method for the zero-trust power internet of things device according to the embodiment of the present invention, and as shown in fig. 1, the flowchart includes the following steps:

s11, acquiring equipment information, user identity information, target object resources to be accessed and access behavior data of each object resource of the target power Internet of things equipment.

The device information includes device identity information and device data.

The device identity information and the user identity information are used for verifying the identity of the target power internet of things device and the user, wherein the user corresponds to the target power internet of things device. Specifically, a user accesses a target object resource through a target power internet of things device.

The access behavior data is historical access data of each object resource, such as the access times and the access success times of each object resource. Each object resource also has a corresponding trust threshold, and the object resources can be divided according to the trust threshold, for example, the object resources can be divided into key object resources and non-key object resources.

Optionally, the access behavior data may be further divided into high-risk object resources and low-risk object resources according to the access success rate of each object resource. And subsequently, determining the trust degree of the target power Internet of things equipment by using the access behavior data of each object resource.

The device information, the user identity information and the accessed target object resources can be obtained by the electronic device from the target power internet of things device in real time, and the access behavior data of each object resource can be stored in the electronic device or obtained by the electronic device accessing other databases. The specific way of acquiring the access behavior data of each object resource by the electronic device is not limited at all, and only the electronic device needs to be ensured to acquire the parameters.

And S12, performing identity authentication on the target power Internet of things equipment and the user based on the equipment identity information and the user identity information.

After the electronic equipment acquires the equipment identity information and the user identity information, the electronic equipment verifies the target power Internet of things equipment and the user identity. The specific identity authentication process may be implemented in the electronic device, or the electronic device may implement identity authentication through interaction with the identity authentication platform.

For example, the electronic device may send an identity authentication request to the identity authentication platform, the identity authentication platform sends a certificate reading instruction to the electronic device to obtain a device certificate, queries a corresponding device certificate of the device authentication database, sends a plaintext random number to the electronic device after passing the authentication, the electronic device calls an encryption function, encrypts the plaintext using a private key and sends the plaintext to the identity authentication platform, the identity authentication platform calls a device public key to decrypt the ciphertext, sends a user authentication instruction to the electronic device after passing the authentication to obtain user identity information, calls a Hash value generated by a Hash function, calls a corresponding Hash value in the database to compare, and performs user identity authentication.

After the target power Internet of things equipment and the user successfully perform identity authentication, S13 is executed; otherwise, other operations are performed. The other operations can be reminding the user to input the user identity information again, and can also refuse the target power internet of things equipment to access the target object resource. The specific form of the other operations may be set according to the actual situation, and is not limited in any way here.

And S13, determining the current trust degree of the target power Internet of things equipment according to the equipment data and the access behavior data of each object resource.

After the target power Internet of things equipment and the user identity authentication pass, the electronic equipment calculates the current trust degree of the target power Internet of things equipment by using the equipment data and the access behavior data of each object resource. For example, the electronic device calculates corresponding trust degrees by using the device data and the access behavior data, and then performs weighted summation on all the trust degrees to obtain the current trust degree of the target power internet of things device.

The device data may be device security detection data, or some login information of the device, for example, whether the device has a security hole, whether the device is logged in abnormally, and the like, which will affect the calculation of the current trust level.

In addition, the electronic device can calculate again by combining the historical trust level of the target power internet of things device on the basis of the calculated trust level to obtain the current trust level of the target power internet of things device.

The step will be described in detail below, and will not be described herein again.

S14, comparing the current trust with the trust threshold of the target object resource, and determining the authority of the target power Internet of things equipment for accessing the target object resource.

After the current trust level of the target electronic Internet of things equipment is obtained through calculation, the electronic equipment compares the current trust level with the trust level threshold of the target object resource, and if the current trust level is greater than the trust level threshold of the target object resource, the target electronic Internet of things equipment is determined to be capable of accessing the target object resource; if the trust degree is less than or equal to the threshold value of the trust degree of the target object resource, the access of the target power internet of things equipment can be refused, and other operations can also be executed. This step will be described in detail below.

According to the user real-time trust degree evaluation method for the zero-trust power internet of things equipment, after the target power internet of things equipment and the user identity information are authenticated, the current trust degree of the target power internet of things equipment is determined by using the equipment data of the target power internet of things and the access behavior data of each object resource, so that the authority of accessing the target object resource is determined; namely, the current trust level is comprehensively determined by using the device data of the target power Internet of things and the access behavior data of each object resource, and the determination of the access authority is extended from the external network to the internal network of the power Internet of things, so that the safety of the power Internet of things system is improved.

In this embodiment, a method for evaluating a user real-time trust level of a zero-trust power internet of things device is provided, which may be used for electronic devices such as computers and servers, and fig. 2 is a flowchart of a method for evaluating a user real-time trust level of a zero-trust power internet of things device according to an embodiment of the present invention, and as shown in fig. 2, the flowchart includes the following steps:

s21, acquiring equipment information, user identity information, accessed target object resources and access behavior data of each object resource of the target power Internet of things equipment.

The device information includes device identity information and device data.

Please refer to S11 in fig. 1, which is not repeated herein.

And S22, performing identity authentication on the target power Internet of things equipment and the user based on the equipment identity information and the user identity information.

After the target power Internet of things equipment and the user successfully perform identity authentication, S23 is executed; and if not, executing to refuse the target power Internet of things equipment to access the target object resource.

Please refer to S12 in fig. 1 for details, which are not described herein again.

And S23, determining the current trust level of the target power Internet of things equipment according to the equipment data and the access behavior data of each object resource.

Specifically, the step S23 includes the steps of:

s231, calculating access success rates of all object resources, the first preset object resource, and the second preset object resource based on the access behavior data of each object resource.

The first preset object resource is an object resource with an access success rate lower than a first preset value, and the second preset object resource is an object resource with a trust threshold value exceeding a second preset value.

The electronic equipment calculates the total access success rate and the high-risk access success rate by reading the access behavior data of each object resource, selects a resource access record with a high confidence threshold value, calculates the key resource access success rate, and adds the total access success rate, the first preset object resource (high-risk object resource) access success rate and the second preset object resource (key object resource) access success rate according to the weight according to the parameter configuration weight to generate the current access confidence of the access behavior. In the present embodiment, an object resource with an access success rate lower than 50% is defined as a first preset object resource, that is, a high-risk object resource; and defining the object resource with the trust degree threshold value exceeding 0.9 as a second preset object resource, namely a key object resource.

In specific implementation, the total access success rate is set to be R1, the high-risk access success rate is set to be R2, and the key resource access success rate is set to be R3. The total access request times are N, and the access success times are T; the total access times of all the resources with the access success rate lower than 50% are Nr, and the access success times of all the resources with the access success rate lower than 50% are Tr; the total number of resource access requests with the confidence threshold value exceeding 0.9 is Ne, and the number of successful resource access times with the confidence threshold value exceeding 0.9 is Te.

Then, the total access success rate can be calculated by utilizing N and T; the access success rate of the high-risk object resource can be calculated by utilizing Nr and Tr; the access success rate of the key object resource can be calculated by utilizing Ne and Te.

And S232, calculating the current access trust of the access behavior by using the access success rates of all the object resources, the first preset object resource and the second preset object resource.

Specifically, the following formula may be adopted to calculate the current access trust level of the access behavior:

R＝a ₁ R ₁ +a ₂ R ₂ +a ₃ R ₃ ；

wherein R is the current access trust of the access behavior, R ₁ For all thatSuccess rate of access of object resource, R ₂ Access success rate, R, of first preset object resource ₃ Second Preset Objective resource Access success Rate, a ₁ 、a ₂ And a is ₃ Is a coefficient of more than 0 and less than 1, wherein a ₁ +a ₂ +a ₃ ＝1。

Optionally, the current model essay confidence level is R, and the weights of the total access success rate, the high-risk access success rate and the key resource access success rate are a ₁ 、a ₂ 、a ₃ ，a ₁ 、a ₂ 、a ₃ The parameters can be adjusted according to actual conditions by respectively setting the parameters to 35%, 35% and 30%.

And S233, determining the current equipment trust level of the target Internet of things equipment based on the equipment data.

In this embodiment, the device data includes a security status detection result, a static attribute parameter, and a dynamic attribute parameter. And the electronic equipment calculates corresponding trust degrees by respectively utilizing the equipment data, and then determines the current equipment trust degree of the target Internet of things equipment by utilizing a weighted summation mode.

Specifically, the step S233 includes the steps of:

(1) And extracting a safety state detection result in the equipment data.

The safety state detection result comprises at least a detection result of the detection parameter.

The detection parameters include, but are not limited to, security state detection of devices such as bug patches, system versions, port settings, software installation, and the like, and network security state detection such as network encryption, DNS tampering, phishing networks, false networks, ARP spoofing, DHCP spoofing, and the like.

The safety state detection result of the target power internet of things equipment can be obtained by detecting other equipment, no limitation is made, and only the safety state detection result in the equipment data can be extracted by the electronic equipment.

(2) And determining the current security trust level of the target Internet of things equipment by using the security state detection result.

After the electronic equipment obtains the safety state detection result, the detection result of each detection parameter can be scored according to a preset scoring standard, and the total safety state score of the target power internet of things equipment is obtained. For example, the security status is overall H, with a score between 0 and 100, and a high score represents high confidence.

After obtaining the score values corresponding to the detection parameters, the electronic device may configure weights according to the detection parameters, and add the score values of the detection parameters according to the weights to obtain the current security trust level of the target internet of things device.

For example, the current security trust level of the target internet of things device is S, S = H/100.

(3) And extracting the static attribute parameters and the dynamic attribute parameters in the equipment data.

The static attribute parameters comprise at least one of an IP address, an MAC address or a login mode, and the dynamic attribute parameters comprise at least one of uplink flow, downlink flow or a memory state.

It should be noted that the static attribute parameters and the dynamic attribute parameters are not limited to the above description, and may also be other parameters, and specifically, corresponding settings may be continued according to actual situations.

(4) And determining the current attribute trust degree of the target Internet of things equipment based on the static attribute parameters and the dynamic attribute parameters.

The electronic equipment scores the static attribute parameters of the equipment such as an IP address, an MAC address, a login position, login time and a login mode and the dynamic attribute parameters of the equipment such as uplink flow, downlink flow, TCP connection density, a memory state and a storage state according to the deviation degree of the current attribute parameters of the equipment and the historical attribute parameters of the equipment. And configuring weights according to the attribute parameters, and adding scores of all the equipment static attribute parameters and the equipment dynamic attribute parameters according to the weights to generate the current attribute trust degree of the target Internet of things equipment.

Specifically, the current attribute trust level is set to be D, the device static attribute parameters such as an IP address, a MAC address, a login position, login time, a login manner and the like are respectively Q1, Q2, Q3, Q4 and Q5, each device static attribute parameter is a ratio of the number of times that the current data of the item has appeared in the history data to the total number of the history data, the device dynamic attribute parameters such as an uplink flow, a downlink flow, a TCP connection density, a memory state, a storage state and the like are respectively M1, M2, M3, M4 and M5, the evaluation value of each device dynamic attribute parameter is determined by a relative error of an average value of the current data and the history data of the item, the relative error is 0%, the evaluation value is set to be 1, the relative error exceeds 100%, the evaluation value is set to be 0, and when the relative error is between 0% and 100%, the evaluation value is determined by a monotonic function set by a system administrator. In the concrete implementation, a linear function is adopted, and the weights of static attribute parameters of the equipment such as an IP address, an MAC address, a login position, login time, a login mode and the like are b1, b2, b3, b4 and b5 respectively.

The current attribute trust level D of the target Internet of things equipment can be calculated by adopting the following formula:

n is the number of the static attribute parameters, Q _i For the static attribute parameter, M is the dynamic attribute parameter, M _j As the number of the dynamic attribute parameters, b _j 、c _j Is a constant greater than 0 and less than 1.

For example, as in the above example, b1, b2, b3, b4, and b5 are set to 25%, 15%, and 10%, respectively, and the device dynamic attribute parameters such as uplink traffic, downlink traffic, TCP connection density, memory state, and storage state are set to c1, c2, c3, c4, and c5, respectively, and are set to 20%, 30%, 15%, and 15%, respectively, so that the parameters are adjustable.

(5) And calculating the current equipment trust level of the target Internet of things equipment by using the current security trust level and the current attribute trust level.

And the electronic equipment combines the current security trust degree and the current attribute trust degree obtained by the calculation in the step, and calculates the current equipment trust degree. Specifically, the current device trust level of the target internet of things device is calculated by adopting the following formula:

C ₀ ＝w ₁ S+w ₂ d, in the formula, the compound I,

wherein, C ₀ The current equipment trust degree of the target Internet of things equipment, S is the current safety trust degree, D is the current attribute trust degree, w ₁ 、w ₂ Is a constant greater than 0 and less than 1, N is the number of static attribute parameters, Q _i For the static attribute parameter, M is the dynamic attribute parameter, M _j As the number of the dynamic attribute parameters, b _j 、c _j Is a constant greater than 0 and less than 1.

The current equipment trust degree of the target Internet of things equipment is determined by using the safety state detection result and the static and dynamic attribute parameters in the equipment data, and the accuracy of the current equipment trust degree of the target Internet of things equipment is improved.

And S234, determining the current trust level of the target electric power Internet of things equipment according to the current access trust level of the access behavior and the current equipment trust level of the target Internet of things equipment.

After the current access trust and the current device trust are obtained through calculation, the electronic device can directly use the current access trust and the current device trust to carry out weighted summation calculation, so as to obtain the current trust of the target power internet of things device.

For example, the following formula may be adopted to calculate the current trust level C of the target power internet of things device:

C＝C ₀ +w ₃ R

wherein w ₃ The specific value can be set according to the actual situation.

Of course, the current trust level of the target power internet of things device can be determined by combining other parameters on the basis of the current access trust level and the current device trust level.

As an optional implementation manner of this embodiment, the step S234 includes the following steps:

(1) And calculating the first current trust level of the target power Internet of things equipment by using the current access trust level of the access behavior and the current equipment trust level of the target Internet of things equipment.

Wherein, the first current trust level can be calculated by adopting the formula, namely:

C ₁ ＝C ₀ +w ₃ R

(2) And acquiring a time attenuation factor and the historical trust of the target power Internet of things equipment.

The setting of the time attenuation factor affects the proportion of the historical confidence level, and the specific value of the time attenuation factor can be set correspondingly according to the actual situation, without any limitation. The historical trust degree corresponds to the target power Internet of things equipment, and the current trust degree of the target power Internet of things equipment becomes the historical trust degree in the next calculation along with the time.

(3) And determining the current trust degree of the target power Internet of things equipment based on the first current trust degree, the time attenuation factor and the historical trust degree.

The electronic equipment calculates and determines the current trust degree of the target power Internet of things equipment by directly utilizing the time attenuation factor and the historical trust degree on the basis of the first current trust degree; or the calculation can be carried out by combining other parameters on the basis of the calculation.

For example, the step (3) includes the steps of:

3.1 The first current trust level, the time attenuation factor and the historical trust level are used for calculating a second current trust level of the target power internet of things device.

The second current confidence level may be expressed by the following formula:

C ₂ ＝(1-γ)C ₁ +γC ₂

wherein, C ₂ Is the second current confidence level, C ₁ And gamma is the time attenuation factor and the value of gamma is between-1 and 1 for the first current confidence level.

3.2 Extract role impact factors corresponding to the user identity information.

The role impact factors depend on the user identity information, and the electronic equipment can provide corresponding role impact factors by using the user identity information.

3.3 The role influence factors and the second current trust degree are used for calculating the current trust degree of the target power internet of things device.

Specifically, the current trust level of the target power internet of things device is calculated by adopting the following formula:

C＝(1+α)C ₂ in the formula, C ₂ ＝(1-γ)C ₁ +γC ₂ ；

Time attenuation factors are introduced in the calculation process of the current trust degree of the target power Internet of things equipment, and the historical trust degree is combined in the calculation process of the current trust degree, so that the reliability of the calculation result of the current trust degree is improved.

And S24, comparing the current trust with the trust threshold of the target object resource, and determining the authority of the target power Internet of things equipment for accessing the target object resource.

Please refer to the embodiment S14 shown in fig. 1 in detail, which is not repeated herein.

According to the user real-time trust evaluation method for the zero-trust electric power internet of things equipment, the current access trust is calculated by utilizing the access success rate of various object resources, the current access trust is calculated from the perspective of a plurality of object resources, the accuracy of the current access trust calculation is improved, and therefore basic guarantee is provided for the accurate determination of the current trust of the subsequent target electric power internet of things equipment.

In this embodiment, a method for evaluating a user real-time trust level of a zero-trust power internet of things device is provided, which may be used for electronic devices such as computers and servers, and fig. 3 is a flowchart of a method for evaluating a user real-time trust level of a zero-trust power internet of things device according to an embodiment of the present invention, and as shown in fig. 3, the flowchart includes the following steps:

s31, acquiring equipment information, user identity information, accessed target object resources and access behavior data of each object resource of the target power Internet of things equipment.

The device information includes device identity information and device data.

Please refer to S21 shown in fig. 2, which is not repeated herein.

And S32, performing identity authentication on the target power Internet of things equipment and the user based on the equipment identity information and the user identity information.

Executing S33 after the target power Internet of things equipment and the user successfully perform identity authentication; and if not, the target power Internet of things equipment is refused to access the target object resource.

Please refer to S21 shown in fig. 2, which is not repeated herein.

And S33, determining the current trust degree of the target power Internet of things equipment according to the equipment data and the access behavior data of each object resource.

Please refer to S21 shown in fig. 2 for details, which are not described herein.

And S34, comparing the current trust with the trust threshold of the target object resource, and determining the authority of the target power Internet of things equipment for accessing the target object resource.

Specifically, the step S34 includes the steps of:

s341, the user role trust level is initialized by utilizing the user identity information.

And the user role trust level is the authority for accessing the target object resource.

After the electronic equipment acquires the user identity information, role trust level initialization is carried out on the user identity information.

And S342, judging whether the current trust level is greater than the trust level threshold of the target object resource.

When the current trust level is less than or equal to the trust level threshold of the target object resource, executing S343; otherwise, determining the user role trust level of the target power Internet of things equipment as an initialized user role trust level.

And S343, adjusting the trust level of the user role.

And when the current trust degree is less than or equal to the trust degree threshold value of the target object resource, the electronic equipment adjusts the trust level of the user role. For example, the electronic device may send a role adjustment instruction to the identity authentication platform, lower the trust level of the user role by one step, and then return to S33 to re-determine the current trust level.

The electronic device may set an upper limit of the number of consecutive access failures, for example, 5 times, and when the trust levels of 5 users are continuously adjusted downward and the corresponding current trust level is still less than or equal to the trust level threshold of the target object resource, access to the target object resource is denied.

In some optional implementations of this embodiment, before the step S33, the method may further include: the electronic equipment sends the user identity information and the access request to an access control strategy library, judges whether the current access conforms to the access control strategy, and refuses the access of the target power Internet of things equipment if the current access does not conform to the access control strategy; if the current device conforms to the access control policy, S33 is performed.

According to the user real-time trust degree evaluation method for the zero-trust electric power Internet of things equipment, when the current trust degree is smaller than or equal to the trust degree threshold value of the target object resource, the authority of the user for accessing the target object resource is adjusted by adjusting the trust level for the role, the target electric power Internet of things equipment can be ensured to access the target object resource, the authority of the target electric power Internet of things equipment for accessing the target object resource is restrained, and the safety of the electric power Internet of things system is improved.

As a specific implementation manner of this embodiment, in the following method description process, please refer to the user real-time trust evaluation system for zero-trust power internet of things device shown in fig. 6. The user real-time trust degree evaluation method for the zero-trust electric power internet of things equipment, as shown in fig. 4, mainly comprises the following steps:

(1) initializing a proxy server of the power Internet of things, establishing connection with power Internet of things equipment through a wireless or wired network, acquiring equipment identity authentication information, equipment safety state information and equipment data from the power Internet of things equipment, and starting an internal module function;

(2) the method comprises the steps that an electric power Internet of things proxy server sends an identity authentication request to an identity authentication platform, the identity authentication platform sends a certificate reading instruction to the electric power Internet of things proxy server to obtain an equipment certificate, a corresponding equipment certificate of an equipment authentication database is inquired, a plaintext random number is sent to the electric power Internet of things proxy server after verification is passed, the electric power Internet of things proxy server calls an encryption function, the plaintext is encrypted by using a private key and is sent to the identity authentication platform, the identity authentication platform calls an equipment public key to decrypt a ciphertext, a user authentication instruction is sent to the electric power Internet of things proxy server after verification is passed to obtain a Hash value generated by calling a Hash function by user identity information, the corresponding Hash value in a calling database is compared, if the authentication is passed, the operation is switched to (3), and if the authentication is passed, the operation is ended;

(3) the identity authentication platform calls user role information in the database and initializes the user role;

(4) the electric power internet of things equipment sends an access request to an electric power internet of things proxy server, the electric power internet of things proxy server receives the access request, establishes connection with the access proxy server and forwards the access request to the access proxy server;

(5) the access proxy server sends an access request authorization inquiry to an access control engine, the access control engine sends an inquiry instruction to an identity authentication platform to acquire equipment identity information, user identity information and user role information, the user identity information, the user role information and the access request of an access subject equipment are sent to an access control strategy library, the access control strategy library judges whether the current access meets an access control strategy or not, the judgment result is returned to the access control engine, the access control strategy is set by a system administrator, if the current access meets the access control strategy, the operation is turned into (6), otherwise, the operation is turned into (9);

(6) the access control engine sends a trust level generation instruction to the trust level evaluation module, the trust level evaluation module carries out trust level calculation after receiving the instruction, and the comprehensive trust level is sent to the access control engine;

(7) the access control engine sends a query instruction to the resource trust database to acquire a trust degree threshold of an access object resource, and returns a message of whether to grant the access request authorization to the access proxy server according to the magnitude relation between the trust degree of the equipment user and the resource trust degree threshold;

(8) if the trust degrees of the equipment and the user exceed the trust degree threshold value of the resource, the access control engine returns an authorization approval message to the access proxy server, the access proxy server establishes connection with the resource through an access request of the power Internet of things proxy server to perform resource access operation, otherwise, the access control engine returns an authorization failure message to the access proxy server and sends a role adjusting instruction to the identity authentication platform to perform user role adjustment;

(9) and the access control engine sends the access authorization result to the trust degree evaluation module, the trust degree evaluation module receives and stores the access authorization result, the access proxy server sends a continuous resource access inquiry message to the power Internet of things proxy server, the power Internet of things proxy server returns a continuous resource access response after receiving the inquiry message, if the continuous resource access is selected, the process is switched to (4), otherwise, the process is ended.

According to the user real-time trust degree evaluation method for the zero-trust power internet of things equipment, the state and the information of the power internet of things equipment are continuously acquired, the power internet of things equipment and the user are subjected to real-time trust evaluation according to the security state and the access behavior of the power internet of things equipment and the user, the trust level and the authority of the power internet of things equipment and the user are adjusted through the real-time trust evaluation result of the power internet of things equipment and the user based on a zero-trust framework, and the resource protection capability of a system and the effectiveness and the stability of security threat defense such as internal and external attacks are improved.

The embodiment also provides a user real-time trust evaluation device for the zero-trust electric power internet of things equipment, which is used for implementing the above embodiments and preferred embodiments, and the description of the device is omitted. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware or a combination of software and hardware is also possible and contemplated.

The embodiment provides a user real-time trust degree evaluation apparatus for zero-trust power internet of things equipment, as shown in fig. 5, including:

the obtaining module 41 is configured to obtain device information, user identity information, accessed target object resources, and access behavior data of each object resource of the target power internet of things device; wherein the device information comprises device identity information and device data;

the identity authentication module 42 is configured to perform identity authentication on the target power internet of things device and the user based on the device identity information and the user identity information;

the trust level determining module 43 is configured to determine, according to the device data and the access behavior data of each object resource, a current trust level of the target power internet of things device after the target power internet of things device and the user successfully perform identity authentication;

an access permission determining module 44, configured to compare the current trust level with a trust level threshold of the target object resource, and determine a permission that the target power internet of things device accesses the target object resource.

The real-time user trust level evaluation apparatus for zero-trust power internet of things devices in this embodiment is presented in the form of a functional unit, where the unit refers to an ASIC circuit, a processor and a memory executing one or more software or fixed programs, and/or other devices capable of providing the above functions.

In the embodiment of the invention, from the aspect of software implementation, the software algorithm is divided into each processing module, and each processing module is divided according to functions to obtain a corresponding processing platform. Specifically, the embodiment of the invention further provides a user real-time trust degree evaluation system for zero-trust power internet of things equipment, and as shown in fig. 6, fig. 6 shows a structural block diagram of the user real-time trust degree evaluation system for zero-trust power internet of things equipment. The various modules and the interaction angles between the various modules in fig. 6 will be described in detail below.

As shown in fig. 6, the power internet of things proxy server 2 according to the present invention includes a certificate authentication module 21, a security status detection module 22, an equipment data collection module 23, a user identity authentication module 24, and a challenge response module 25; in specific implementation, the certificate authentication module 21 sends a certificate reading instruction to the electric power internet of things device 1 to obtain a device certificate, the device certificate is sent to the identity authentication platform 8 in the device identity verification stage, and the identity authentication platform 8 queries the device authentication database 84 to compare the device certificate, so that device certificate authentication is completed; the safety state detection module 22 detects equipment safety detection items such as bug patches, system versions, port settings, and installation software of the electric power internet of things equipment 1 and network safety detection items, stores a safety state detection result of the electric power internet of things equipment 1 in a database, and sends a safety state detection result to the trust evaluation module 9 in a trust evaluation stage for equipment safety state evaluation; the device data collection module 23 sends a device data reading instruction to the electric power internet of things device 1 to obtain static data such as an IP address, an MAC address, a login position, login time, a login mode and the like of the device and dynamic data such as uplink flow, downlink flow, TCP connection density, a memory state, a storage state and the like, and sends device data to the trust evaluation module 9 in a trust evaluation stage for device data evaluation; the user identity authentication module 24 establishes connection with the identity authentication platform 8 in an identity authentication stage, returns a user account, a password and security secret information after receiving a user authentication instruction, and the identity authentication platform 8 queries the user identity database 85 for comparison to complete user identity authentication; the challenge response module 25 returns the ciphertext encrypted by using the device private key after receiving the plaintext random number sent by the identity authentication platform 8 in the challenge response authentication stage, and the identity authentication platform 8 calls a decryption function to decrypt by using the device public key and compares the decryption function with the original text to finish the challenge response authentication.

As shown in fig. 6, the access proxy server 3 establishes connection communication with the power internet of things proxy server 2, all access requests from the power internet of things proxy server 2 are received by the access proxy server 3, the access proxy server 3 sends an access request authorization query to the access control engine 5 after receiving the access request, establishes connection between the power internet of things proxy server 2 and the resource 4 after receiving an access request grant authorization message from the access control engine 5, and sends an access request failure message to the power internet of things proxy server 2 if the access control engine 5 fails to grant the access request.

As shown in fig. 1, the access control engine 5 receives an access request authorization query of the access proxy server 3, invokes the identity authentication platform 8 to check the identity authentication results of the device and the user, receives user role initialization information of the identity authentication platform 8 after the identity authentication is passed, sends an access control policy evaluation instruction to the access control policy repository 7 to obtain an evaluation result of whether the access policy is met, invokes the trust evaluation module 9 to generate the trust of the device and the user after the access policy evaluation, sends a trust threshold reading instruction to the resource trust database 6 to obtain a trust threshold required by the access object resource of the access request, determines whether to grant the access request authorization according to the magnitude relationship between the trust and the trust threshold, and returns the authorization result to the access proxy server 3.

As shown in fig. 6, the resource trust database 6 obtains and stores the trust threshold of all resources from the resource database, the administrator operates to adjust the trust threshold of some resources, periodically receives the access policy adjustment instruction from the access control policy database 7, adjusts the trust threshold of the corresponding resource, and receives the resource trust threshold reading instruction from the access control engine 5 to return the trust threshold of the queried resource in the trust evaluation stage.

The access control strategy base 7 stores an access control strategy and a trust degree evaluation strategy of the dynamic access control system, an administrator adjusts the access control strategy, sends an access strategy adjustment instruction to the resource trust database 6 to adjust the resource trust degree threshold, receives the access control strategy evaluation instruction of the access control engine 5 in the trust evaluation stage, returns an access strategy evaluation result, and sends a role influence factor to the trust degree evaluation module 9 for generating the current trust degree.

The identity authentication platform 8 establishes connection communication with the power internet of things proxy server 2. The authentication system comprises a certificate authentication module 81, a challenge-response module 82, a user identity authentication module 83, a device authentication database 84 and a user identity database 85. In a specific implementation, the certificate authentication module 81 sends a certificate reading instruction to the power internet of things proxy server 2 to obtain an equipment certificate in a certificate authentication stage, and sends a certificate query instruction to the equipment authentication database 84 for comparison to complete equipment certificate authentication; the challenge response module 82 sends a plaintext random number to the power internet-of-things proxy server 2 in a challenge response stage, receives a ciphertext returned by the power internet-of-things proxy server 2, sends a public key query instruction to the device authentication database 84 to obtain a device public key, decrypts the ciphertext, compares the ciphertext with the original text, and completes challenge response authentication; the user identity authentication module 83 sends a user verification instruction to the power internet of things proxy server 2 to obtain a user account, a password and security secret information in the user identity authentication stage, invokes an MD5 algorithm to generate a hash value, sends a query instruction to the user identity database 85 to obtain a corresponding hash value, and compares the corresponding hash value to complete user identity authentication; the device authentication database 84 stores a device certificate and a public key of the power internet of things device, provides the device certificate to the certificate authentication module 81 in the certificate authentication phase, and provides the device public key to the challenge response module 82 in the challenge response phase; the user identity database 85 stores hash values of user accounts, passwords and security secret information, and provides the user identity information hash values to the user identity authentication module in the user identity authentication stage.

The trust degree evaluation module 9 comprises an access behavior evaluation module 91, a security state evaluation module 92, a device data evaluation module 93 and a trust degree generation module 94; in the specific implementation, the access behavior evaluation module 91 reads access records such as access request evaluation results, access object resources, access operations and the like in the access behavior evaluation stage, searches for resources with a low access success rate, evaluates the overall access behavior of the device and the user, the access behavior of key resources and the high-risk access behavior, generates an access behavior evaluation value, and sends the access behavior evaluation value to the trust level generation module 94; the security state evaluation module 92 sends a security state reading instruction to the security state detection module 22 of the electric power internet of things proxy server 2 in a security state evaluation phase to obtain device security state information such as a bug patch, a system version, port setting, software installation and the like and network security state information such as network encryption, DNS tampering, phishing networks, false networks, ARP spoofing, DHCP spoofing and the like, evaluates the device security state and the network security state, generates a security state evaluation value, and sends the security state evaluation value to the trust level generation module 94; the device data evaluation module 93 sends a device data reading instruction to the device data collection module 23 of the power internet of things proxy server 2 to obtain device data in a device data evaluation stage, evaluates static data such as an IP address, an MAC address, a login position, login time, a login mode and the like and dynamic data such as uplink flow, downlink flow, TCP connection density, a memory state, a storage state and the like of the device according to a deviation degree from historical data of the device, generates a device data evaluation value, and sends the device data evaluation value to the trust level generation module 94; the trust level generation module 94 obtains the trust level evaluation policy, the time attenuation factor and the role influence factor from the access control policy library 7 in the trust level generation stage, receives the evaluation values of the access behavior evaluation module 91, the security state evaluation module 92 and the device data evaluation module 93, and generates the comprehensive trust level, that is, the current trust level of the target power internet of things device.

The flow of the calculation of the specific current confidence (i.e., the calculation of the evaluation value) is as follows:

1) Initializing a proxy server of the power internet of things, establishing connection with power internet of things equipment through a wireless local area network, acquiring equipment identity authentication information, equipment safety state information and equipment data from the power internet of things equipment, and starting functions of internal modules;

2) The method comprises the steps that an electric power Internet of things proxy server sends an identity authentication request to an identity authentication platform, the identity authentication platform sends a certificate reading instruction to the electric power Internet of things proxy server to obtain a device certificate, a corresponding device certificate of an equipment authentication database is inquired, a plaintext random number is sent to the electric power Internet of things proxy server after the verification is passed, the electric power Internet of things proxy server calls an RSA algorithm, the plaintext is encrypted by using a private key and is sent to the identity authentication platform, the identity authentication platform calls a device public key to decrypt a ciphertext, a user authentication instruction is sent to the electric power Internet of things proxy server after the verification is passed to obtain user identity information such as a user account, a password, safety secret information and the like, an MD5 algorithm is called to generate a hash value, corresponding hash values in a calling database are compared, an authentication passing or failure message is returned, and authentication is carried out;

3) After the authentication is passed, the identity authentication platform calls user role information and role trust levels in the database, user roles are initialized, a role influence factor is jointly determined by a user role of an access subject and an access object resource, different user roles have different role influence factors for the same access resource, more direct and more close users have larger role influence factors in specific implementation, the role influence factors of the same user role for different access resources are different, and five role trust levels are provided for the same user role: the role influence factor is reduced by the extremely unreliable grade and the extremely unreliable grade, the role influence factor is improved by the credible grade and the extremely reliable grade, and the role influence factor is not influenced by the unknown trust grade;

4) The electric power internet of things equipment sends an access request to an electric power internet of things proxy server, the electric power internet of things proxy server receives the access request, establishes connection with the access proxy server and forwards the access request to the access proxy server;

5) The access proxy server sends an access request authorization inquiry to an access control engine, the access control engine sends an inquiry instruction to an identity authentication platform to acquire equipment identity information, user identity information and user role information, the user identity information, the user role information and the access request of an access subject equipment are sent to an access control strategy library, the access control strategy library judges whether the current access conforms to an access control strategy, and a judgment result of whether the current access conforms to the access control strategy is returned;

6) The access control engine sends a trust level generation instruction to the trust level evaluation module, the trust level evaluation module carries out trust level evaluation after receiving the instruction and sends the generated comprehensive trust level to the access control engine;

7) The access control engine sends a query instruction to the resource trust database to acquire a trust threshold of an access object resource, and sends a message whether to grant the access request to the access proxy server according to the size relationship between the equipment and the user trust and the resource trust threshold;

8) If the access request authorization passes, the electric power internet of things equipment is connected with the resource to perform resource access operation, if the access request authorization does not pass, the access control engine sends a role adjustment instruction to the identity authentication platform, a system administrator sets an upper limit of the continuous access failure times (the upper limit is generally adopted to be 5 times in specific implementation, the times can be adjusted), and the role trust level of the user is reduced by one level;

9) The access control engine sends an access authorization result to the trust degree evaluation module, the trust degree evaluation module receives and stores access information such as access subjects, access object resources, successful access and access operation, the access proxy server sends a request message for continuing resource access to the power internet of things proxy server, and the power internet of things proxy server returns a message for continuing resource access after receiving the request message.

Further functional descriptions of the modules are the same as those of the corresponding embodiments, and are not repeated herein.

An embodiment of the present invention further provides an electronic device, which has the device for evaluating the real-time trust degree of a user for a zero-trust power internet of things device shown in fig. 5.

Referring to fig. 7, fig. 7 is a schematic structural diagram of an electronic device according to an alternative embodiment of the present invention, and as shown in fig. 7, the electronic device may include: at least one processor 51, such as a CPU (Central Processing Unit), at least one communication interface 53, memory 54, at least one communication bus 52. Wherein a communication bus 52 is used to enable the connection communication between these components. The communication interface 53 may include a Display (Display) and a Keyboard (Keyboard), and the optional communication interface 53 may also include a standard wired interface and a standard wireless interface. The Memory 54 may be a high-speed RAM Memory (volatile Random Access Memory) or a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. The memory 54 may alternatively be at least one memory device located remotely from the processor 51. Wherein the processor 51 may be combined with the apparatus described in fig. 5, the memory 54 stores an application program, and the processor 51 calls the program code stored in the memory 54 for performing any of the above method steps.

The communication bus 52 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus 52 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 7, but this is not intended to represent only one bus or type of bus.

The memory 54 may include a volatile memory (RAM), such as a random-access memory (RAM); the memory may also include a non-volatile memory (e.g., flash memory), a hard disk (HDD) or a solid-state drive (SSD); the memory 54 may also comprise a combination of the above types of memories.

The processor 51 may be a Central Processing Unit (CPU), a Network Processor (NP), or a combination of a CPU and an NP.

The processor 51 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The PLD may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), general Array Logic (GAL), or any combination thereof.

Optionally, the memory 54 is also used to store program instructions. The processor 51 may call a program instruction to implement the method for evaluating the real-time trust level of the user of the zero-trust power internet of things device as shown in the embodiments of fig. 1 to 4 of the present application.

The embodiment of the invention also provides a non-transitory computer storage medium, wherein the computer storage medium stores computer executable instructions, and the computer executable instructions can execute the user real-time trust evaluation method for the zero-trust electric power internet of things equipment in any method embodiment. The storage medium may be a magnetic Disk, an optical Disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory (Flash Memory), a Hard Disk Drive (Hard Disk Drive, abbreviated as HDD), or a Solid State Drive (SSD); the storage medium may also comprise a combination of memories of the kind described above.

Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art can make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims

1. A user real-time trust degree evaluation method for zero-trust electric power Internet of things equipment is characterized by comprising the following steps:

acquiring equipment information, user identity information, accessed target object resources and access behavior data of each object resource of target power Internet of things equipment; the equipment information comprises equipment identity information and equipment data;

determining the current trust level of the target power internet of things device according to the device data and the access behavior data of each object resource, wherein the determining the current trust level of the target power internet of things device comprises:

based on the access behavior data of each object resource, calculating the access success rate of all the object resources, the access success rate of a first preset object resource and the access success rate of a second preset object resource; the first preset object resource is an object resource with an access success rate lower than a first preset value, the second preset object resource is an object resource with a trust threshold value exceeding a second preset value, and the object resource with the access success rate lower than 50% is defined as the first preset object resource, namely a high-risk object resource; defining the object resource with the trust degree threshold value exceeding 0.9 as the second preset object resource, namely the key object resource;

determining the current trust level of the target power Internet of things equipment according to the current access trust level of the access behavior and the current equipment trust level of the target Internet of things equipment;

calculating the current access trust level of the access behavior by adopting the following formula:

R＝a ₁ R ₁ +a ₂ R ₂ +a ₃ R ₃ ；

wherein R is the current access trust of the access behavior, R ₁ For all said object resources access success rate, R ₂ Access success rate, R, of first preset object resource ₃ Access success rate of second preset object resource, a ₁ 、a ₂ And a ₃ Is a coefficient of more than 0 and less than 1, wherein a ₁ +a ₂ +a ₃ ＝1；

And comparing the current trust with a trust threshold of the target object resource, and determining the authority of the target power Internet of things equipment for accessing the target object resource.

2. The method of claim 1, wherein the determining the current device trust level of the target internet of things device based on the device data comprises:

3. The method of claim 2, wherein the current device trust level of the target internet of things device is calculated using the following formula:

C ₀ ＝w ₁ S+w ₂ d, in the formula, the compound I,

wherein, C ₀ The current equipment trust degree of the target Internet of things equipment, S is the current safety trust degree, D is the current attribute trust degree, w ₁ 、w ₂ Is a constant greater than 0 and less than 1, N is the number of the static attribute parameters, Q _i For the static attribute parameter, M is the dynamic attribute parameter, M _j As the number of the dynamic attribute parameters, b _j 、c _j Is a constant greater than 0 and less than 1.

4. The method according to any one of claims 1-3, wherein the determining the current trust level of the target power IOT device according to the current access trust level of the access behavior and the current device trust level of the target IOT device comprises:

calculating a first current trust level of the target power internet of things equipment by using the current access trust level of the access behavior and the current equipment trust level of the target internet of things equipment;

5. The method of claim 4, wherein determining the current level of trust of the target power IOT device based on the first current level of trust, the time decay factor, and the historical level of trust comprises:

calculating a second current trust level of the target power Internet of things equipment by using the first current trust level, the time attenuation factor and the historical trust level;

6. The method according to claim 5, wherein the current trust level of the target power IOT device is calculated by adopting the following formula:

C＝(1+α)C ₂ in the formula, C ₂ ＝(1-γ)C ₁ +γC ₂ ；

7. The method according to claim 1, wherein the comparing the current trust level with the threshold of the trust level of the target object resource to determine the authority of the target power internet of things device to access the target object resource comprises:

initializing a user role trust level by utilizing the user identity information; the user role trust level is the authority for accessing the target object resource;

judging whether the current trust is greater than the trust threshold of the target object resource;

8. A real-time trust degree assessment device of a user for zero-trust electric power Internet of things equipment is characterized by comprising the following components:

the acquisition module is used for acquiring equipment information, user identity information, accessed target object resources and access behavior data of each object resource of the target power Internet of things equipment; the equipment information comprises equipment identity information and equipment data;

wherein the trust level determination module comprises:

calculating the access success rate of all the object resources, the access success rate of a first preset object resource and the access success rate of a second preset object resource based on the access behavior data of all the object resources; the first preset object resource is an object resource with an access success rate lower than a first preset value, the second preset object resource is an object resource with a trust threshold value exceeding a second preset value, and the object resource with the access success rate lower than 50% is defined as the first preset object resource, namely the high-risk object resource; defining the object resource with the trust degree threshold value exceeding 0.9 as the second preset object resource, namely the key object resource;

calculating the current access trust level of the access behavior by utilizing the access success rate of all the object resources, the access success rate of the first preset object resource and the access success rate of the second preset object resource;

determining the current trust degree of the target power Internet of things equipment according to the current access trust degree of the access behavior and the current equipment trust degree of the target Internet of things equipment;

R＝a ₁ R ₁ +a ₂ R ₂ +a ₃ R ₃ ；

wherein R is the current access trust of the access behavior, R ₁ Is all provided withSuccess rate of access of said object resource, R ₂ Access success rate, R, of first preset object resource ₃ Second Preset Objective resource Access success Rate, a ₁ 、a ₂ And a ₃ Is a coefficient of more than 0 and less than 1, wherein a ₁ +a ₂ +a ₃ ＝1；

And the access authority determining module is used for comparing the current trust with the trust threshold of the target object resource and determining the authority of the target power Internet of things equipment for accessing the target object resource.

9. An electronic device, comprising:

a memory and a processor, the memory and the processor being communicatively connected to each other, the memory storing therein computer instructions, and the processor executing the computer instructions to perform the user real-time trust evaluation method for the zero-trust power internet of things device according to any one of claims 1 to 7.

10. A computer-readable storage medium storing computer instructions for causing a computer to perform the method for real-time trust evaluation of a user for a zero-trust power internet of things device of any one of claims 1 to 7.