CN112187731A - Industrial Internet access control method, device, equipment and storage medium - Google Patents

Info

Publication number
CN112187731A
Authority
CN
China
Prior art keywords
employee
uncertainty
calculating
data history
access
Legal status
Pending
Application number
CN202010939180.5A
Other languages
Chinese (zh)
Inventor
林凡
周震
张秋镇
黄富铿
杨峰
Current Assignee
GCI Science and Technology Co Ltd
Original Assignee
GCI Science and Technology Co Ltd
Events
Application filed by GCI Science and Technology Co Ltd
Priority to CN202010939180.5A
Publication of CN112187731A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides an industrial internet access control method, an industrial internet access control device, industrial internet access control equipment and a storage medium, wherein the method comprises the following steps: acquiring employee access behavior information; calculating the uncertainty of the work target of each employee and a work target uncertainty benchmark; calculating the uncertainty of the data history record of each employee and a data history record uncertainty benchmark; comparing the uncertainty of the work target of the employee with a work target uncertainty benchmark to obtain the work target selection risk of the employee, comparing the uncertainty of the data history record of the employee with a data history record uncertainty benchmark to obtain the data history record selection risk of the employee, and calculating the total access risk of the employee; the total risk of access is compared to a preset acceptable risk of access to accept or deny the employee's request for access. The invention can adaptively adjust the access capability of the staff, thereby improving the self-adaptive capability of the access control of the industrial Internet platform and reducing the management cost.

Description

Industrial Internet access control method, device, equipment and storage medium
Technical Field
The invention relates to the technical field of network security, in particular to an industrial internet access control method, device, equipment and storage medium.
Background
The industrial internet built on the digital factory brings convenience but also potential safety hazards. If industrial data is managed carelessly, the right to access the big data can be abused and data leakage can result, especially when a manager distributes industrial data access rights to staff. In the big data era, big data access control on a digital-factory-based industrial internet platform faces new challenges and raises demands for automation and self-adaptation. Since the formulation of an access control strategy is closely tied to the application environment, analysis needs to be performed against the background of industrial internet big data, and a certain degree of automation is needed to improve efficiency.
The current mainstream industrial internet access control is based on a multi-level security access control model. This model estimates the risk created when authorized staff read data, based on the security label of the object and the trust placed in the subject, and provides a risk management method for multi-level security systems. The scheme is tightly coupled to conventional access control schemes and the two are closely interrelated. They extend the employee's access capability so that the employee can access additional resources in an unexpected situation, yet the risk of the employee accessing the same resource does not adjust over time and usage. Meanwhile, the self-adaptive capacity of the scheme is insufficient, it requires higher management cost, and its application value is thereby affected.
Disclosure of Invention
The technical problem to be solved by the embodiments of the present invention is to provide a method, an apparatus, a device and a storage medium for controlling access to an industrial internet, which can adaptively adjust the access capability of employees, thereby improving the adaptive capability of access control of an industrial internet platform and reducing the management cost.
In order to solve the above technical problem, an embodiment of the present invention provides an industrial internet access control method, including:
acquiring employee access behavior information; the access behavior information comprises work target selection information and data historical record access information;
calculating the uncertainty of the working target of each employee according to the employee access behavior information, and calculating a working target uncertainty standard based on the uncertainty of the working target of all the employees;
calculating the uncertainty of the data history record of each employee according to the access behavior information of the employees, and calculating the uncertainty reference of the data history record based on the uncertainty of the data history records of all the employees;
comparing the uncertainty of the work target of the employee with the uncertainty reference of the work target to obtain the work target selection risk of the employee, comparing the uncertainty of the data history of the employee with the uncertainty reference of the data history to obtain the data history selection risk of the employee, and calculating the total access risk of the employee according to the work target selection risk and the data history selection risk;
and comparing the total access risk of the employee with a preset acceptable access risk, and accepting or rejecting the access request of the employee according to the comparison result.
Further, the calculating the uncertainty of the work target of each employee according to the employee access behavior information specifically includes:
and calculating the probability of each work target selected by the staff according to the staff access behavior information, and then calculating the uncertainty of each work target based on the probability of each work target selected by the staff.
Further, the calculating the uncertainty of the data history record of each employee according to the employee access behavior information specifically includes:
for a given work target, calculating the probability of each data history record selected by the employee according to the employee access behavior information, and then calculating the uncertainty of the data history record based on the probability of each data history record selected by the employee.
Further, the probability of the staff selecting each work target is calculated according to the staff access behavior information, and then the uncertainty of the work target is calculated based on the probability of the staff selecting each work target, specifically:
calculating the probability p_d(t) that employee d selects each work target t according to the employee access behavior information; wherein
[formula shown only as an image in the source]
ST_d represents the multiset of work targets t selected by employee d, and f(ST_d, t) represents the number of occurrences of the work target t in that multiset;
and then calculating the work target uncertainty H_T(d) based on the probability p_d(t) that the employee selects each work target; wherein
[formula shown only as an image in the source]
further, for a given work objective, the probability of the employee selecting each data history record is calculated according to the employee access behavior information, and then the uncertainty of the data history record is calculated based on the probability of the employee selecting each data history record, specifically:
for a given work target t, calculating the probability P_{d,t}(r) that the employee selects each data history record r according to the employee access behavior information; wherein
[formula shown only as an image in the source]
the multiset of data history records r selected by employee d under the given work target is denoted by a symbol shown only as an image in the source;
and then calculating the data history record uncertainty H_R(d, t) based on the probability P_{d,t}(r) that the employee selects each data history record; wherein
[formula shown only as an image in the source]
in order to solve the same technical problem, the present invention also provides an industrial internet access control device, including:
the information acquisition module is used for acquiring employee access behavior information; the access behavior information comprises work target selection information and data historical record access information;
the first benchmark calculation module is used for calculating the uncertainty of the working target of each employee according to the employee access behavior information and calculating a working target uncertainty benchmark based on the uncertainty of the working target of all the employees;
the second reference calculation module is used for calculating the uncertainty of the data history record of each employee according to the employee access behavior information and calculating the reference of the uncertainty of the data history record based on the uncertainty of the data history records of all the employees;
the access risk calculation module is used for comparing the working target uncertainty of the employee with the working target uncertainty benchmark to obtain the working target selection risk of the employee, comparing the data history uncertainty of the employee with the data history uncertainty benchmark to obtain the data history selection risk of the employee, and calculating the access total risk of the employee according to the working target selection risk and the data history selection risk;
and the access control module is used for comparing the total access risk of the employee with the preset acceptable access risk and accepting or rejecting the access request of the employee according to the comparison result.
Further, the calculating the uncertainty of the work target of each employee according to the employee access behavior information specifically includes:
and calculating the probability of each work target selected by the staff according to the staff access behavior information, and then calculating the uncertainty of each work target based on the probability of each work target selected by the staff.
Further, the calculating the uncertainty of the data history record of each employee according to the employee access behavior information specifically includes:
for a given work target, calculating the probability of each data history record selected by the employee according to the employee access behavior information, and then calculating the uncertainty of the data history record based on the probability of each data history record selected by the employee.
In order to solve the same technical problem, the present invention further provides a terminal device, which includes a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, wherein the memory is coupled to the processor, and the processor implements any one of the industrial internet access control methods when executing the computer program.
In order to solve the same technical problem, the present invention further provides a computer-readable storage medium, wherein the computer-readable storage medium stores a computer program, and when the computer program runs, the apparatus on which the computer-readable storage medium is located is controlled to execute any one of the industrial internet access control methods.
Compared with the prior art, the invention has the following beneficial effects:
the embodiment of the invention provides an industrial internet access control method, an industrial internet access control device, industrial internet access control equipment and a readable storage medium, wherein the method comprises the following steps: acquiring employee access behavior information; calculating the uncertainty of the work target of each employee, and calculating the uncertainty reference of the work target; calculating the uncertainty of the data history of each employee, and calculating the uncertainty reference of the data history; comparing the uncertainty of the work target of the employee with the uncertainty reference of the work target to obtain the work target selection risk of the employee, comparing the uncertainty of the data history of the employee with the uncertainty reference of the data history to obtain the data history selection risk of the employee, and calculating the total access risk of the employee; and comparing the total access risk of the employee with a preset acceptable access risk, and accepting or rejecting the access request of the employee according to the comparison result. The invention can adaptively adjust the access capability of the staff, thereby improving the self-adaptive capability of the access control of the industrial Internet platform and reducing the management cost.
Drawings
Fig. 1 is a schematic flow chart of an industrial internet access control method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an industrial Internet access control model provided in accordance with an embodiment of the present invention;
fig. 3 is a schematic structural diagram of an industrial internet access control device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, an embodiment of the present invention provides an industrial internet access control method, including:
S1, acquiring employee access behavior information; the access behavior information comprises work target selection information and data history record access information.
S2, calculating the uncertainty of the work target of each employee according to the employee access behavior information, and calculating the work target uncertainty benchmark based on the uncertainty of the work target of all employees.
Further, the calculating the uncertainty of the work target of each employee according to the employee access behavior information specifically includes:
and calculating the probability of each work target selected by the staff according to the staff access behavior information, and then calculating the uncertainty of each work target based on the probability of each work target selected by the staff.
Further, the probability of the staff selecting each work target is calculated according to the staff access behavior information, and then the uncertainty of the work target is calculated based on the probability of the staff selecting each work target, specifically:
calculating the probability p_d(t) that employee d selects each work target t according to the employee access behavior information; wherein
[formula shown only as an image in the source]
ST_d represents the multiset of work targets t selected by employee d, and f(ST_d, t) represents the number of occurrences of the work target t in that multiset;
and then calculating the work target uncertainty H_T(d) based on the probability p_d(t) that the employee selects each work target; wherein
[formula shown only as an image in the source]
and S3, calculating the uncertainty of the data history of each employee according to the employee access behavior information, and calculating a data history uncertainty benchmark based on the uncertainty of the data history of all employees.
Further, the calculating the uncertainty of the data history record of each employee according to the employee access behavior information specifically includes:
for a given work target, calculating the probability of each data history record selected by the employee according to the employee access behavior information, and then calculating the uncertainty of the data history record based on the probability of each data history record selected by the employee.
Further, for a given work objective, the probability of the employee selecting each data history record is calculated according to the employee access behavior information, and then the uncertainty of the data history record is calculated based on the probability of the employee selecting each data history record, specifically:
for a given work target t, calculating the probability P_{d,t}(r) that the employee selects each data history record r according to the employee access behavior information; wherein
[formula shown only as an image in the source]
the multiset of data history records r selected by employee d under the given work target is denoted by a symbol shown only as an image in the source;
and then calculating the data history record uncertainty H_R(d, t) based on the probability P_{d,t}(r) that the employee selects each data history record; wherein
[formula shown only as an image in the source]
S4, comparing the uncertainty of the work target of the employee with the work target uncertainty benchmark to obtain the work target selection risk of the employee, comparing the uncertainty of the data history of the employee with the data history uncertainty benchmark to obtain the data history selection risk of the employee, and calculating the total access risk of the employee according to the work target selection risk and the data history selection risk.
S5, comparing the total access risk of the employee with the preset acceptable access risk, and accepting or rejecting the access request of the employee according to the comparison result.
Referring to fig. 2, it should be noted that the embodiment of the present invention provides a risk-based industrial internet access control model that can adaptively adjust the access capability of an employee. The model is analyzed using the configuration of the traditional access control model, and the authorization relationship between resources and staff is established in a dynamic learning mode. An employee's access capability depends on their historical access behavior and on how relevant the accessed resources are to the current job; a competition model is established from the differences between employees in work target selection and operation record selection; the determination of the risk benchmark and the quantification of risk are completed, and abnormal-state employees are distinguished from normal-state employees. The invention also provides a risk management method and a scheme for making access control decisions according to risk. The scheme not only improves the self-adaptive capability of access control on the industrial internet platform and reduces management cost, but also protects the public data of the industrial internet platform and the key industrial data of the managers.
Based on the above scheme, in order to better understand the industrial internet access control method provided by the embodiment of the present invention, the following detailed description is made:
1. employee type definition and its behavior pattern assumptions:
1.1) employee type definition:
1.1.1) All managers and their employees in the system have been authorized to access the big data of their plant. An employee whose behavior is abnormal is called an abnormal-state employee, and an employee whose behavior is normal is called a normal-state employee. Normal-state employees select only a portion of the data as work targets and access the industrial data related to those work targets. Abnormal-state employees, in addition, may forge some work targets in order to obtain the industrial data related to them (when accessing data, an employee must select a work target, such as checking whether water consumption is abnormal; if the employee has never checked data related to water consumption, the system judges from the history record that the work target may be forged), or may obtain industrial data unrelated to the work target while completing a given work target, and by these 2 methods obtain private data of the whole factory.
1.1.2) Symbol definitions. D: the set of employees; T: the set of work targets; R: the set of plant data history records; P: the set of managers; D_p: the prior distribution of data access, reflecting the historical access probability of different plant data;
[symbol shown only as an image in the source]: the prior distribution of work targets, which is associated with the prior distribution of data access: because the probability of data access has regularity (it follows the distribution D_p), the distribution of work targets has similar regularity; D_θ: the prior distribution of the correlation between plant data records and work targets.
1.2) behavior pattern assumptions:
1.2.1) Hypothesis 1: all employees perform their job duties. In an industrial internet platform it is essential and practical for employees to complete their job duties. That is, for one data viewing, all the work targets selected by an employee must be relevant to that employee, and the selected set of data history records also contains data history records relevant to the work target. Formally, given p_i ∈ P, let
[symbol shown only as an image in the source]
be a work target selected by the employee; for t_j ∈ T, let
[symbol shown only as an image in the source]
be a data history record that the employee selected in order to accomplish the work target.
1.2.2) Hypothesis 2: the behavior of a normal-state employee meets the following conditions: first, the selectable work targets should be related to the job; second, the selectable data history records should be related to the work target. Taking possible exceptions into account, these choices do not necessarily fit the prior distribution perfectly. Formally, given p_i ∈ P, let
[symbol shown only as an image in the source]
be the work target selected by a normal-state employee.
1.2.3) Hypothesis 3: abnormal-state personnel may attempt to obtain more of the data of a plant's managers, including by attempting more work targets, or by attempting to obtain more data history records under the same work target. Formally, given p_i ∈ P, let
[symbol shown only as an image in the source]
be the work target selected by an abnormal-state employee.
2. Access control model
2.1) Risk benchmarking
2.1.1) There are 2 stages (the first stage: the employee selects a work target; the second stage: the employee selects data related to the work target to complete the task). One access behavior of an employee is recorded as the triple <d, t, R_d>, where d ∈ D, t ∈ T, and
[relation of R_d to R shown only as an image in the source]
It is assumed that the access behavior information is arranged in the chronological order of its generation. The following notation is introduced in order to quantify the risk benchmark.
f(X, e): the number of occurrences of element e in multiset X.
ST_d: the multiset of work targets selected by employee d.
[symbol shown only as an image in the source]: the multiset of data history records r selected by employee d under a given work target.
2.1.2) The probability that employee d selects work target t is calculated as:
[formula (1), shown only as an image in the source]
where f(ST_d, t) represents the number of occurrences of work target t in the multiset of work targets selected by the employee.
2.1.3) Based on formula (1), calculate the work target uncertainty H_T(d). The work target uncertainty describes the degree of confusion in the work targets selected by employee d, formally described as follows:
[formula (2), shown only as an image in the source]
Calculate the work target uncertainty H_T(d_i) of each of the i employees, and denote {H_T(d_1), H_T(d_2), ..., H_T(d_i)} as the work target uncertainty of all employees.
2.1.4) Take {H_T(d_1), H_T(d_2), ..., H_T(d_i)} as the input of the following algorithm, which proceeds as follows:
a. Model the density of the existing data {H_T(d_1), H_T(d_2), ..., H_T(d_i)} with two Gaussian distributions (denoted by symbols shown only as images in the source; called the first and the second Gaussian below), whose parameters are likewise shown only as images; p represents the mixing proportion of the first Gaussian and 1-p the mixing proportion of the second.
b. Calculate γ_i:
[formula (3), shown only as an image in the source]
where γ_i represents the probability that the data point H_T(d_i) belongs to the first Gaussian.
c. Calculate the respective parameters by formulas (4), (5), (6) and (7):
[formulas (4) to (7), shown only as images in the source]
From the above, the two Gaussian distributions are obtained, representing respectively the distribution of uncertainty for normal-state employees and for abnormally selected work targets.
2.1.5) Calculate the work target uncertainty benchmark (denoted by a symbol shown only as an image in the source). The work target uncertainty benchmark describes the threshold that distinguishes the 2 classes of employees by their selection of work targets, formally described as follows:
[formula (8), shown only as an image in the source]
2.1.6) Calculate the probability P_{d,t}(r) that employee d selects data history record r for a given work target t:
[formula (9), shown only as an image in the source]
where the term shown only as an image represents the number of occurrences of data history record r in the multiset for employee d under the given work target t.
2.1.7) Calculate the data history uncertainty H_R(d, t). The data history uncertainty describes the degree of confusion in the data history records an employee selects for a particular work target. Formally described as follows:
[formula (10), shown only as an image in the source]
Calculate the data history uncertainty H_R(d_i, t) of each of the i employees, and let {H_R(d_1, t), H_R(d_2, t), ..., H_R(d_i, t)} be the data history uncertainty of all employees for the given work target t. In the same way as in 2.1.4, take {H_R(d_1, t), H_R(d_2, t), ..., H_R(d_i, t)} as the input of the algorithm of 2.1.4 to obtain 2 Gaussian distributions (symbols shown only as images in the source), representing respectively the distribution of uncertainty (for the given work target t) in the selection of data history records by normal-state and abnormal-state employees, together with their proportions (likewise shown only as images).
2.1.8) Calculate the data history uncertainty benchmark (denoted by a symbol shown only as an image in the source). The data history uncertainty benchmark describes, for a given work target, the threshold that distinguishes the 2 classes of employees by their selection of data history records, formally described as follows:
[formula (11), shown only as an image in the source]
2.2) Risk quantification
2.2.1) Calculate the work target selection risk. The work target selection risk describes the access risk caused by the employee's selection of work targets, formally described as follows:
[formula (12), shown only as an image in the source]
By the definition of the work target uncertainty benchmark, an employee's work target uncertainty may be higher than, lower than, or equal to the benchmark. Negative values are not processed directly in the model, so the minimum value of the risk is set to 0.
For normal-state employees, the work target uncertainty is usually lower than the benchmark; only occasionally, when special cases have to be handled, is it higher than the benchmark, and only then does a risk arise.
For abnormal-state employees, the work target uncertainty is usually higher than the benchmark, so their work target selection risk always exists and accumulates faster than that of normal-state employees.
2.2.2) calculating data history selection risk. The data history selection risk describes the access risk caused by employee selection of data history for a given work objective, formally described as follows:
Figure BDA0002672574480000131
similar to the operational target selection risk, the model herein considers the minimum data history selection risk to be 0.
At the same time, it can be known that the risk value of an abnormal state employee will generally be higher than that of a normal state employee, and the accumulation speed will also be faster than that of a normal state employee.
2.2.3) calculating the employee's total access risk totalRisk(t). The total access risk describes the total risk caused by the employee's access behaviour, and is formally described as follows:
Figure BDA0002672574480000132
2.2.4) obtaining the total access risk totalRisk(t) and comparing it with the acceptable access risk aRisk set by the system; if aRisk is less than or equal to totalRisk(t), the access is refused.
The greater diversity of work target selection and data selection by abnormal state employees makes the risk of their access behaviour higher than that of normal state employees.
It should be noted that:
1. The adaptivity of the system lies mainly in the dynamic calculation of uncertainty.
For example, an employee's work target uncertainty H_T(d) varies with the probability p_d(t) that employee d selects work target t (formula (2)).
The work target uncertainty benchmark
Figure BDA0002672574480000133
also changes as the behaviour of the employees changes (equations 3, 4, 5, 6, 7, 8).
When the work target uncertainty benchmark
Figure BDA0002672574480000134
changes little, if the employee's work target uncertainty H_T(d) becomes very large, then by equation (12) the employee's work target selection risk Risk_T(d) also becomes larger (provided the work target uncertainty H_T(d) exceeds the work target uncertainty benchmark
Figure BDA0002672574480000135
).
Similarly, the data history selection risk Risk_R(d, t) also varies with the probability P_{d,t}(r) of selecting a data history.
2. Because Risk_T(d) and Risk_R(d, t) both change dynamically, the total risk also changes dynamically and is updated after each employee access.
Examples illustrate that:
3.1 case 1. Let t be the work target. Suppose t appears many times in employee d's work target selection history (i.e., the relevant data histories are obtained by forging t), while it appears very rarely in the work target selection histories of other employees. Then Risk_T(d) should be comparable to that of other employees, but Risk_R(d, t), and therefore totalRisk(d), is larger, and subsequent access by employee d is denied.
3.2 case 2. Suppose there are 4 employees d1, d2, d3, d4, where d1 is a normal state employee who only accesses resources r1, r2, and d2, d3, d4 are all abnormal state employees who access resources r1, r2, r3, r4. Assuming records are selected uniformly, the record selection uncertainty of the normal state employee is 1 and that of the abnormal state employees is 2. The benchmark in the model described herein leans toward low values: the uncertainty benchmark suggested by the model is 1.25, closer to the record selection uncertainty of the normal state employee. Therefore abnormal state employees can be better distinguished from normal state employees, and their access can be refused once the quota is consumed.
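The risk quantification procedure of section 2.2 and the figures of case 2 above, worked through as an added Python example; this code is not part of the patent and is not an implementation by the applicant. It computes selection probabilities and uncertainties as defined in claims 4 and 5 (relative frequencies and Shannon entropy in bits), clips risk at 0 as section 2.2.1 requires, and applies the decision rule of 2.2.4. Assumptions: the uncertainty benchmarks are passed in as parameters, because their formulas exist only in the equation images that did not survive on this page (the demo uses the 1.25 quoted in case 2); totalRisk(t) is modelled as Risk_T + Risk_R accumulated over successive accesses, which matches the text's description of risk accumulating and a quota being consumed but is not the patent's stated formula; the access log, employee and resource names are constructed.

```python
from collections import Counter
from math import log2

# Constructed sample access log (not from the patent), mirroring case 2 of the text:
# each employee d maps each work target t it selected to the multiset of data history
# records it read under that target. d1 is the normal employee using only r1, r2;
# d2, d3, d4 spread their reads uniformly over r1..r4.
ACCESS_LOG = {
    "d1": {"t1": ["r1", "r2", "r1", "r2"]},
    "d2": {"t1": ["r1", "r2", "r3", "r4"]},
    "d3": {"t1": ["r1", "r2", "r3", "r4"]},
    "d4": {"t1": ["r1", "r2", "r3", "r4"]},
}


def selection_probabilities(multiset):
    """p(x) = f(multiset, x) / |multiset|: relative frequency of each element (claims 4, 5)."""
    n = len(multiset)
    return {x: c / n for x, c in Counter(multiset).items()}


def entropy_bits(multiset):
    """Shannon entropy -sum p log2 p, the patent's uncertainty H. An empty history gives 0."""
    if not multiset:
        return 0.0
    return -sum(p * log2(p) for p in selection_probabilities(multiset).values())


def work_target_uncertainty(log, d):
    """H_T(d): entropy of the multiset ST_d of work targets, one entry per access."""
    targets = [t for t, records in log[d].items() for _ in records]
    return entropy_bits(targets)


def data_history_uncertainty(log, d, t):
    """H_R(d, t): entropy of the records employee d selected under work target t."""
    return entropy_bits(log[d].get(t, []))


def selection_risk(uncertainty, benchmark):
    """Risk = max(0, H - benchmark): uncertainty below the benchmark carries no risk (2.2.1, 2.2.2)."""
    return max(0.0, uncertainty - benchmark)


def per_access_risk(log, d, t, target_benchmark, record_benchmark):
    """Risk_T(d) + Risk_R(d, t) for one access. ASSUMPTION: summing the two stands in for
    the patent's totalRisk formula, which is an equation image not reproduced on the page."""
    return (selection_risk(work_target_uncertainty(log, d), target_benchmark)
            + selection_risk(data_history_uncertainty(log, d, t), record_benchmark))


def run_accesses(log, d, t, target_benchmark, record_benchmark, acceptable_risk, n_accesses):
    """Accumulate totalRisk over n_accesses requests and apply step 2.2.4:
    deny once aRisk <= totalRisk. Returns (final total, list of per-access decisions)."""
    total = 0.0
    decisions = []
    for _ in range(n_accesses):
        total += per_access_risk(log, d, t, target_benchmark, record_benchmark)
        decisions.append("deny" if acceptable_risk <= total else "allow")
    return total, decisions


if __name__ == "__main__":
    RECORD_BENCHMARK = 1.25  # the benchmark value quoted in case 2 of the text
    TARGET_BENCHMARK = 0.0   # every sample employee uses a single target, so H_T(d) = 0
    ACCEPTABLE_RISK = 2.0    # constructed aRisk setting
    for employee in ACCESS_LOG:
        h_r = data_history_uncertainty(ACCESS_LOG, employee, "t1")
        total, decisions = run_accesses(ACCESS_LOG, employee, "t1",
                                        TARGET_BENCHMARK, RECORD_BENCHMARK, ACCEPTABLE_RISK, 4)
        print(f"{employee}: H_R={h_r:.2f} totalRisk={total:.2f} decisions={decisions}")
```

Running the module reproduces case 2: the normal employee d1 has a record selection uncertainty of 1 bit and accumulates no risk, while d2, d3 and d4 have 2 bits and 0.75 risk per access, so with an acceptable risk of 2.0 they are refused from their third access onward. Because the benchmark is recomputed from all employees' behaviour in the patent, a deployment would recompute it after each access rather than fixing it as the demo does.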
Compared with the prior art, the embodiment of the invention uses the employee's access history to analyse whether the employee excessively accesses public and manager factory data on the platform. Monitoring and controlling excessive data access and access requests under special conditions greatly enhances the adaptive capacity of the access system. The scheme of the invention solves the problem in the prior art that the risk of employees accessing the same resource cannot be adjusted over time and with usage conditions, reduces the otherwise high management cost, and broadens the range of application.
It should be noted that the above method or flow embodiment is described as a series of acts or combinations for simplicity, but those skilled in the art should understand that the present invention is not limited by the described acts or sequences, as some steps may be performed in other sequences or simultaneously according to the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are exemplary embodiments and that no single embodiment is necessarily required by the inventive embodiments.
Referring to fig. 3, in order to solve the same technical problem, the present invention further provides an industrial internet access control device, including:
the information acquisition module 1 is used for acquiring employee access behavior information; the access behavior information comprises work target selection information and data historical record access information;
the first benchmark calculation module 2 is used for calculating the uncertainty of the work target of each employee according to the employee access behavior information and calculating a benchmark of the uncertainty of the work target based on the uncertainty of the work target of all the employees;
the second reference calculation module 3 is used for calculating the uncertainty of the data history of each employee according to the employee access behavior information and calculating a reference of the uncertainty of the data history based on the uncertainty of the data history of all the employees;
the visit risk calculation module 4 is used for comparing the work target uncertainty of the employee with the work target uncertainty benchmark to obtain the work target selection risk of the employee, comparing the data history uncertainty of the employee with the data history uncertainty benchmark to obtain the data history selection risk of the employee, and calculating the visit total risk of the employee according to the work target selection risk and the data history selection risk;
and the industrial internet access control module 5 is used for comparing the total access risk of the employee with the preset acceptable access risk and accepting or rejecting the access request of the employee according to the comparison result.
Further, the calculating the uncertainty of the work target of each employee according to the employee access behavior information specifically includes:
and calculating the probability of each work target selected by the staff according to the staff access behavior information, and then calculating the uncertainty of each work target based on the probability of each work target selected by the staff.
Further, the calculating the uncertainty of the data history record of each employee according to the employee access behavior information specifically includes:
for a given work target, calculating the probability of each data history record selected by the employee according to the employee access behavior information, and then calculating the uncertainty of the data history record based on the probability of each data history record selected by the employee.
It can be understood that the above device item embodiments correspond to the method item embodiments of the present invention, and the industrial internet access control device provided in the embodiments of the present invention can implement the industrial internet access control method provided in any method item embodiment of the present invention.
The invention also provides a terminal device, which comprises a processor, a memory and a computer program stored in the memory and configured to be executed by the processor, wherein the memory is coupled with the processor, and the processor executes the computer program to realize any industrial internet access control method.
The industrial internet access control terminal equipment can be computing equipment such as a desktop computer, a notebook computer, a palm computer and a cloud server. The Processor may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic device, discrete hardware component, etc. The general-purpose processor may be a microprocessor or the processor may be any conventional processor, etc., and the processor is a control center of the industrial internet access control terminal device and connects various parts of the whole industrial internet access control terminal device by using various interfaces and lines.
The memory may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created according to the use of the mobile phone, and the like. In addition, the memory may include high speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), at least one magnetic disk storage device, a Flash memory device, or other volatile solid state storage device.
In order to solve the same technical problem, the present invention further provides a computer-readable storage medium, wherein the computer-readable storage medium stores a computer program, and when the computer program runs, the apparatus on which the computer-readable storage medium is located is controlled to execute any one of the industrial internet access control methods.
The computer program may be stored in a computer readable storage medium, which when executed by a processor, may implement the steps of the various method embodiments described above. Wherein the computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, usb disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution medium, and the like. It should be noted that the computer readable medium may contain content that is subject to appropriate increase or decrease as required by legislation and patent practice in jurisdictions, for example, in some jurisdictions, computer readable media does not include electrical carrier signals and telecommunications signals as is required by legislation and patent practice.
It should be noted that the above-described device embodiments are merely illustrative, where the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. In addition, in the drawings of the embodiment of the apparatus provided by the present invention, the connection relationship between the modules indicates that there is a communication connection between them, and may be specifically implemented as one or more communication buses or signal lines. One of ordinary skill in the art can understand and implement it without inventive effort.
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention.

Claims (10)

1. An industrial internet access control method, comprising:
acquiring employee access behavior information; the access behavior information comprises work target selection information and data historical record access information;
calculating the uncertainty of the working target of each employee according to the employee access behavior information, and calculating a working target uncertainty standard based on the uncertainty of the working target of all the employees;
calculating the uncertainty of the data history record of each employee according to the access behavior information of the employees, and calculating the uncertainty reference of the data history record based on the uncertainty of the data history records of all the employees;
comparing the uncertainty of the work target of the employee with the uncertainty reference of the work target to obtain the work target selection risk of the employee, comparing the uncertainty of the data history of the employee with the uncertainty reference of the data history to obtain the data history selection risk of the employee, and calculating the total access risk of the employee according to the work target selection risk and the data history selection risk;
and comparing the total access risk of the employee with a preset acceptable access risk, and accepting or rejecting the access request of the employee according to the comparison result.
2. The industrial internet access control method according to claim 1, wherein the calculating of the uncertainty of the work target of each employee according to the employee access behavior information includes:
and calculating the probability of each work target selected by the staff according to the staff access behavior information, and then calculating the uncertainty of each work target based on the probability of each work target selected by the staff.
3. The industrial internet access control method according to claim 1, wherein the calculating of the uncertainty of the data history of each employee according to the employee access behavior information includes:
for a given work target, calculating the probability of each data history record selected by the employee according to the employee access behavior information, and then calculating the uncertainty of the data history record based on the probability of each data history record selected by the employee.
4. The industrial internet access control method according to claim 2, wherein the probability of each work target selected by the employee is calculated according to the employee access behavior information, and then the uncertainty of each work target is calculated based on the probability of each work target selected by the employee, specifically:
calculating the probability p_d(t) of each work target selected by the employee according to the employee access behavior information; wherein,
Figure FDA0002672574470000021
ST_d represents the multiset of work targets t selected by employee d, and f(ST_d, t) represents the number of occurrences of work target t in the multiset of work targets selected by employee d;
and then calculating the work target uncertainty H_T(d) based on the probability p_d(t) of each work target selected by the employee; wherein,
Figure FDA0002672574470000022
5. the industrial internet access control method according to claim 3, wherein for a given work objective, the probability of each data history record selected by the employee is calculated according to the employee access behavior information, and then the uncertainty of the data history record is calculated based on the probability of each data history record selected by the employee, specifically:
for a given work target t, calculating the probability P_{d,t}(r) of each data history record selected by the employee according to the employee access behavior information; wherein,
Figure FDA0002672574470000023
Figure FDA0002672574470000024
represents the multiset of data history records r selected by employee d for the given work target,
and then calculating the data history record uncertainty H_R(d, t) based on the probability P_{d,t}(r) of each data history record selected by the employee; wherein,
Figure FDA0002672574470000025
6. an industrial internet access control device, comprising:
the information acquisition module is used for acquiring employee access behavior information; the access behavior information comprises work target selection information and data historical record access information;
the first benchmark calculation module is used for calculating the uncertainty of the working target of each employee according to the employee access behavior information and calculating a working target uncertainty benchmark based on the uncertainty of the working target of all the employees;
the second reference calculation module is used for calculating the uncertainty of the data history record of each employee according to the employee access behavior information and calculating the reference of the uncertainty of the data history record based on the uncertainty of the data history records of all the employees;
the access risk calculation module is used for comparing the working target uncertainty of the employee with the working target uncertainty benchmark to obtain the working target selection risk of the employee, comparing the data history uncertainty of the employee with the data history uncertainty benchmark to obtain the data history selection risk of the employee, and calculating the access total risk of the employee according to the working target selection risk and the data history selection risk;
and the industrial internet access control module is used for comparing the total access risk of the employee with the preset acceptable access risk and accepting or rejecting the access request of the employee according to the comparison result.
7. The device for controlling industrial internet access according to claim 6, wherein the calculating of the uncertainty of the work target of each employee according to the employee access behavior information includes:
and calculating the probability of each work target selected by the staff according to the staff access behavior information, and then calculating the uncertainty of each work target based on the probability of each work target selected by the staff.
8. The device for controlling industrial internet access according to claim 6, wherein the calculating of the uncertainty of the data history of each employee according to the employee access behavior information is specifically:
for a given work target, calculating the probability of each data history record selected by the employee according to the employee access behavior information, and then calculating the uncertainty of the data history record based on the probability of each data history record selected by the employee.
9. A terminal device comprising a processor, a memory and a computer program stored in the memory and configured to be executed by the processor, the memory being coupled to the processor and the processor, when executing the computer program, implementing the industrial internet access control method of any one of claims 1 to 6.
10. A computer-readable storage medium, wherein the computer-readable storage medium stores a computer program, and wherein the computer program, when executed, controls an apparatus in which the computer-readable storage medium is located to perform the industrial internet access control method according to any one of claims 1 to 6.
CN202010939180.5A 2020-09-09 2020-09-09 Industrial Internet access control method, device, equipment and storage medium Pending CN112187731A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010939180.5A CN112187731A (en) 2020-09-09 2020-09-09 Industrial Internet access control method, device, equipment and storage medium


Publications (1)

Publication Number Publication Date
CN112187731A true CN112187731A (en) 2021-01-05

Family

ID=73920061


Country Status (1)

Country Link
CN (1) CN112187731A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011029253A1 (en) * 2009-09-08 2011-03-17 中兴通讯股份有限公司 Web load balancing method, grid server and system thereof
CN106911697A (en) * 2017-02-28 2017-06-30 北京百度网讯科技有限公司 Access rights method to set up, device, server and storage medium
US20180288063A1 (en) * 2017-03-31 2018-10-04 Oracle International Corporation Mechanisms for anomaly detection and access management
CN111181933A (en) * 2019-12-19 2020-05-19 贝壳技术有限公司 Web crawler detection method and device, storage medium and electronic equipment


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
惠榛 et al.: "Risk-adaptive access control model for medical big data", 通信学报 (Journal on Communications) *
文静 et al.: "Risk access model based on dynamic heterogeneous networks in a cross-domain cloud environment", 河海大学学报(自然科学版) (Journal of Hohai University, Natural Sciences) *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210105