CN112231692A - Security authentication method, device, equipment and storage medium - Google Patents


Info

Publication number
CN112231692A
Authority
CN
China
Prior art keywords
access
authentication
terminal
security
access request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011092761.6A
Other languages
Chinese (zh)
Inventor
康乾
黄一鸣
王易戈
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Hangzhou Information Technology Co Ltd
Priority to CN202011092761.6A
Publication of CN112231692A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Abstract

The embodiment of the invention relates to the technical field of communication and discloses a security authentication method, a security authentication device, security authentication equipment and a storage medium. The security authentication method comprises the following steps: performing identity authentication on an access request sent by a terminal through an identity authentication platform; when the authentication result is successful, performing risk assessment on the access request based on an access policy model learned from historical data; and determining whether to authorize the terminal according to the risk assessment result. By these means, multi-dimensional authentication of the access terminal and dynamic security identification of the access request are realized, so that the security of terminal access is improved.

Description

Security authentication method, device, equipment and storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a security authentication method, apparatus, device, and storage medium.
Background
With the development of internet technology and the explosive growth of big data, network security protection has become one of the important links in network technology. Among the many solutions for securing enterprise networks, the zero trust model is one of the most popular. Zero trust is a security concept whose central idea is that an enterprise should not automatically trust anyone or anything inside or outside its perimeter, and should verify anyone or anything trying to access the enterprise system before granting authorization. The zero trust model aims to solve the problem inherent in "establishing trust based on network boundaries": it does not establish trust based on network position, and protects network communication and service access without depending on physical security mechanisms at the network transport layer.
However, the inventors find that network security architectures built on the zero trust model at present often have the following problems: for example, a zero trust system realized with a node security card has a high modification cost and complex firmware upgrade steps; and a zero trust system that treats an IP address as a unique role and performs trust analysis on that basis is exposed to address spoofing.
Disclosure of Invention
The embodiment of the invention aims to provide a security authentication method, a security authentication device, security authentication equipment and a storage medium, so that the security of terminal access is improved.
To solve the above technical problem, an embodiment of the present invention provides a security authentication method, including: performing identity authentication on an access request sent by a terminal through an identity authentication platform; when the authentication result is successful, performing risk assessment on the access request based on an access strategy model obtained according to historical data learning; and determining whether to authorize the terminal according to the risk assessment result.
An embodiment of the present invention further provides a security authentication apparatus, including: the identity authentication module is used for performing identity authentication on an access request sent by the terminal through the identity authentication platform; the risk assessment module is used for carrying out risk assessment on the access request based on the access strategy model obtained according to the historical data learning when the authentication result is successful; and the request authorization module is used for determining whether to authorize the terminal according to the risk evaluation result.
An embodiment of the present invention further provides an electronic device, including: at least one processor; and a memory communicatively coupled to the at least one processor; the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor to enable the at least one processor to execute the security authentication method.
An embodiment of the present invention further provides a computer-readable storage medium storing a computer program, where the computer program is executed by a processor to implement the above-mentioned security authentication method.
Compared with the prior art, the embodiment of the invention can realize the multi-dimensional authentication of the access terminal and the dynamic security identification of the access request, so that the security of the terminal access is improved.
In addition, the access request and the authentication result are encrypted with an attribute-based encryption (ABE) algorithm. Performing identity authentication on the access request sent by the terminal through the identity authentication platform comprises: decrypting the access request with a pre-distributed private key to obtain the identity information of the user, the private key carrying characteristic information of the terminal; and calling the identity authentication platform to authenticate the identity information and obtaining the authentication result. All traffic in the access-request authentication process is encrypted, and the ABE key corresponding to the user terminal is used for encryption and decryption, which improves the security of the user identity authentication process.
In addition, the access policy model comprises a plurality of access policy submodels: a user-dimension submodel, a terminal-dimension submodel and an application-dimension submodel. After the access request is evaluated and authorized through the multi-dimensional access policy submodels, the legitimacy of the user's access operation is measured more comprehensively, further improving the security of network resources.
In addition, each access policy submodel is an autoregressive moving average model generated as follows: acquiring security data within a preset time window from the network where the terminal is located; and generating the autoregressive moving average model from that security data.
Drawings
One or more embodiments are illustrated by the corresponding figures in the drawings, which are not meant to be limiting.
FIG. 1 is a flow chart of a security authentication method according to a first embodiment of the present invention;
FIG. 2 is a flow chart of a secure authentication method according to a second embodiment of the present invention;
fig. 3 is a flow chart of a manner of generating an access policy sub-model according to a second embodiment of the present invention;
fig. 4 is a schematic structural diagram of a security authentication apparatus according to a third embodiment of the present invention;
fig. 5 is a functional structure diagram of a zero trust gateway according to a fourth embodiment of the present invention;
fig. 6 is a schematic structural diagram of an electronic device according to a fifth embodiment of the invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments clearer, the embodiments of the present invention are described in detail below with reference to the accompanying drawings. Those of ordinary skill in the art will appreciate that numerous technical details are set forth in the various embodiments to give a better understanding of the present application; the technical solution claimed can, however, be implemented without these details and with various changes and modifications of the following embodiments. The embodiments are divided for convenience of description, do not limit the specific implementation of the present invention, and may be combined and cross-referenced where they do not contradict one another.
A first embodiment of the present invention relates to a security authentication method. The specific process, shown in fig. 1, comprises: performing identity authentication on an access request sent by a terminal through an identity authentication platform; when the authentication result is successful, performing risk assessment on the access request based on an access policy model learned from historical data; and determining whether to authorize the terminal according to the risk assessment result. In the network to which this method applies, any device that accesses protected content in the network must pass security authentication at the zero trust gateway.
The following describes implementation details of the security authentication method of the present embodiment in detail, and the following is only provided for facilitating understanding of the implementation details and is not necessary for implementing the present embodiment.
The security authentication method in this embodiment is shown in fig. 1, and specifically includes:
Step 101: performing identity verification on an access request sent by a terminal through an identity authentication platform.
Specifically, when a user needs access rights to a resource in the network or to an application service, an access request is sent to the gateway device. When the gateway receives the access request initiated by the user through a terminal, it calls the authentication function of the identity verification platform to perform knowledge-based authentication and biometric authentication of the operating user. Knowledge-based authentication comprises checks such as passwords and verification codes; biometric authentication comprises checks such as face recognition and fingerprint recognition. The user terminal collects the authentication information of the current operating user, encrypts it with attribute-based encryption (ABE, a public-key scheme) together with the Advanced Encryption Standard (AES), and sends the encrypted authentication information to the gateway device for processing.
The identity authentication platform may be a third-party authentication and identity management tool integrated on, or communicatively connected to, the gateway device, such as a 4A unified security management platform (account, authentication, authorization and audit) or a unified identity authentication platform based on the Lightweight Directory Access Protocol (LDAP).
ABE embeds the visitor's attributes in the key, so that by presetting a series of access policies only a user or terminal possessing specific attributes can access protected content in the network. For example, specific device characteristics, network addresses, user organization information and other attributes are embedded in the key, which realizes multi-factor authentication, and all traffic in the request-authentication process is encrypted.
In one example, during authentication of the terminal's access request by the zero-trust gateway, the received access request is decrypted with a pre-allocated private key carrying the terminal's characteristic information, which yields the identity information the terminal carried in the request. The characteristic information of the terminal here is the specific attribute set embedded in the ABE key used to encrypt the access-request traffic, and may include the IP address, MAC address, virtual machine version and similar information of the access terminal. The zero trust gateway then calls the authentication capability of the 4A platform to authenticate the identity information, checks whether it belongs to a legitimate user, and obtains the 4A platform's authentication result. Note that IP and MAC addresses are chosen by the client and can be spoofed (the weakness the background section attributes to IP-as-role systems), so binding them into the key restricts which key can decrypt but does not by itself prove which machine sent the request.
The encryption and decryption process of the ABE algorithm is as follows (the access policy lives in the private key, i.e. the key-policy variant of ABE):
1. Setup: generate a public key PK and a master key MK from the basic security parameters.
2. Key generation: input the master key MK and the attribute set Set_a (name, IP address and similar information), and output the private key SK_a.
3. Encryption: input the public key PK, the attribute set Set_b and the plaintext data M, and output the ciphertext C_b.
4. Decryption: input the ciphertext C_b and the private key SK_a. If the attribute sets Set_a and Set_b satisfy the decryption requirement, for example Set_a = {group=Admin or ip=172.18.1.12} and Set_b matches that policy, the plaintext M is output; otherwise decryption-failure information is returned.
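The decryption condition of step 4, as an added example that is not part of the patent: a private key carries the policy Set_a, a ciphertext is labelled with the attribute set Set_b, and decryption is allowed only when Set_b satisfies Set_a. Only that access-structure check is implemented here; the pairing-based cryptography that enforces it inside a real KP-ABE scheme is not reproduced. The policy grammar (attr=value leaves joined by and/or, with parentheses, and binding tighter than or), the function names and the sample attribute sets are assumptions.

```python
"""Access-structure check behind step 4 of the ABE flow (added example, not the
patent's code). A private key SK_a carries the policy Set_a; a ciphertext C_b is
labelled with attributes Set_b; decryption is allowed only if Set_b satisfies Set_a.
Only the policy matching is implemented, not the underlying KP-ABE cryptography.
Assumed grammar: attr=value leaves, 'and' / 'or', parentheses; 'and' binds tighter."""
import re
from typing import Dict, List, Tuple, Union

Attrs = Dict[str, Union[str, set]]
Node = Tuple  # ("leaf", name, value) | ("and", [nodes]) | ("or", [nodes])
_TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|[A-Za-z_][\w.]*=[^\s()]+", re.IGNORECASE)


def tokenize(policy: str) -> List[str]:
    """Split a policy string into tokens; the braces of the patent's {...} notation are optional."""
    policy = policy.strip().lstrip("{").rstrip("}")
    tokens, pos = [], 0
    while pos < len(policy):
        if policy[pos].isspace():
            pos += 1
            continue
        m = _TOKEN.match(policy, pos)
        if not m:
            raise ValueError(f"unparseable policy near {policy[pos:pos + 20]!r}")
        tokens.append(m.group(0))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent: expr := term ('or' term)* ; term := factor ('and' factor)* ;
    factor := '(' expr ')' | attr=value."""

    def __init__(self, tokens: List[str]):
        self.toks, self.i = tokens, 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.i += 1
        return tok

    def parse(self) -> Node:
        node = self._expr()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return node

    def _expr(self) -> Node:
        parts = [self._term()]
        while self._peek() is not None and self._peek().lower() == "or":
            self._take()
            parts.append(self._term())
        return parts[0] if len(parts) == 1 else ("or", parts)

    def _term(self) -> Node:
        parts = [self._factor()]
        while self._peek() is not None and self._peek().lower() == "and":
            self._take()
            parts.append(self._factor())
        return parts[0] if len(parts) == 1 else ("and", parts)

    def _factor(self) -> Node:
        tok = self._take()
        if tok == "(":
            node = self._expr()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or "=" not in tok:
            raise ValueError(f"expected attr=value, got {tok!r}")
        name, value = tok.split("=", 1)
        return ("leaf", name.lower(), value)


def parse_policy(policy: str) -> Node:
    return _Parser(tokenize(policy)).parse()


def satisfies(node: Node, attrs: Attrs) -> bool:
    """Evaluate a parsed policy against the attribute set bound to a ciphertext.
    A multi-valued attribute (e.g. membership of several groups) is given as a set."""
    kind = node[0]
    if kind == "leaf":
        _, name, value = node
        held = attrs.get(name)
        return value in held if isinstance(held, (set, frozenset, list, tuple)) else held == value
    if kind == "and":
        return all(satisfies(c, attrs) for c in node[1])
    if kind == "or":
        return any(satisfies(c, attrs) for c in node[1])
    raise ValueError(f"unknown node kind {kind!r}")


def decryption_allowed(key_policy: str, ciphertext_attrs: Attrs) -> bool:
    """Step 4: SK_a (carrying policy Set_a) opens C_b only if Set_b satisfies Set_a."""
    return satisfies(parse_policy(key_policy), {k.lower(): v for k, v in ciphertext_attrs.items()})


if __name__ == "__main__":
    set_a = "{group=Admin or ip=172.18.1.12}"  # the policy from the patent's example
    print(decryption_allowed(set_a, {"group": "Ops", "ip": "172.18.1.12"}))  # True
    print(decryption_allowed(set_a, {"group": "Ops", "ip": "10.0.0.5"}))     # False
```

In a real ABE deployment this check is not a separate function the gateway can skip: the key material simply does not recombine unless the attributes satisfy the policy. The evaluator above is the specification of that behaviour, useful for unit-testing the policies an operator writes before they are baked into keys.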
Step 102: when the authentication result is successful, performing risk assessment on the access request based on the access policy model learned from historical data.
Specifically, after the zero-trust gateway has confirmed from the third-party authentication platform's result that the identity of the terminal's current operating user is legitimate, it performs multi-dimensional risk assessment on the access request through the access policy model. Including user dimensions,
The access policy model is learned from historical security data in the network. When the zero-trust gateway is initialized and deployed, the security data in the network is imported into the gateway's database, and a data acquisition process that runs at fixed times is set up. The security data in this embodiment may include: asset identity data, access logs, threat intelligence, and security information and event management data in the network. Access logs comprise application logs, server logs, operation logs and audit logs. In the zero trust network all assets, such as terminals, servers and virtual network modules, are identified, and asset identity data represents those assets; threat intelligence, security information and event management data characterize the overall security events in the network and are used for risk assessment of the assets.
Further, the regularly executed acquisition process collects the security data of the most recent period of a preset length, and the latest collected security data is used as the learning input to build the access policy model, which keeps the risk assessment timely.
Step 103: determining whether to authorize the terminal according to the risk assessment result.
Specifically, the security data of each dimension mentioned above can be associated through the database, and a multi-dimensional combination is used to measure a specific risk score in risk assessment. For example, the terminal currently requesting a resource, the user, the specific resource requested and the specific operation to be executed are each evaluated; the risk of each dimension is scored according to a preset risk evaluation policy; and whether the access request initiated by the terminal is authorized is determined from the final risk assessment result that combines the dimension scores.
Furthermore, a series of access policies can be preset and mapped to requests under different contexts and risk levels, so that the specific operation permissions or resource access permissions granted to users and terminals are determined by the context and the risk level, achieving secure access at a finer granularity.
It should be noted that the above examples in the present embodiment are only for convenience of understanding, and do not limit the technical scheme of the present invention.
Compared with the prior art, the zero-trust gateway in this embodiment distrusts all access by default; all traffic in the user identity authentication process is encrypted with an attribute-based encryption algorithm, realizing multi-factor identity authentication; and after the user identity authentication passes, multi-dimensional risk assessment is performed on the terminal's access based on an access policy model learned from data, further improving the security of terminal access.
A second embodiment of the present invention relates to a security authentication method. The second embodiment differs from the first mainly in that the access policy model comprises a plurality of policy submodels: a user-dimension submodel, a terminal-dimension submodel and an application-dimension submodel. Each access policy submodel is an autoregressive moving average model generated as follows: acquiring security data within a preset time window from the network where the terminal is located, and generating the model from that security data. Risk assessment of the access request based on the access policy model comprises: inputting the relevant information of the access request (user information, terminal information and application information) into the access policy submodels to obtain a prediction result; judging whether the relevant information of the access request lies within the confidence interval of the prediction result; and if it does, the risk assessment result is "passed".
The following describes the security authentication method in this embodiment in detail with reference to the accompanying drawings, where the security authentication method in this embodiment includes:
Step 201: performing identity verification on an access request sent by a terminal through an identity authentication platform.
Step 201 is the same as step 101 in the first embodiment; its implementation details were described there and are not repeated here.
Step 202: when the authentication result is successful, inputting the relevant information of the access request into the access policy submodels to obtain a prediction result.
Specifically, the information related to the access request comprises user information, terminal information and application information. The user information may include the user identity, the user's operation, the account level, the organization the user belongs to and similar information; the terminal information includes the IP address, MAC address, virtual machine version and similar information of the access terminal; the application information includes the service the access terminal is currently operating, the application resource it requests and similar information.
The access policy submodels are the user-dimension submodel, the terminal-dimension submodel and the application-dimension submodel. Each submodel performs predictive analysis of the access request from its own dimension, so that the risk of the access request is evaluated from several dimensions.
The access policy submodel is built with the ARIMA algorithm (autoregressive integrated moving average, written "Arima" in the original; the differencing in step 301 below supplies the "integrated" part): the security data is analyzed over a sliding window and a model is fitted. The establishment process of the access policy submodel is as follows, as shown in fig. 3:
Step 301: stationarizing the security data series.
Specifically, the original security data fluctuates strongly, so the raw series is differenced as a time series to obtain stationary source data.
Step 302: selecting the model parameter set.
Specifically, the model parameters are p and q, where p is the order of the autoregressive part and q is the order of the moving-average part. Their candidate values are chosen from the autocorrelation function (ACF) and partial autocorrelation function (PACF) results using the standard lookup table (given as an image in the original): an ACF that tails off while the PACF cuts off after lag p indicates AR(p); an ACF that cuts off after lag q while the PACF tails off indicates MA(q); both tailing off indicates ARMA(p, q).
Step 303: selecting the model type that meets expectations and computing it.
Specifically, the model type is selected with the Akaike information criterion (AIC) and the Bayesian information criterion (BIC), which can also be used to settle the parameters p and q. The formulas are:
AIC = 2k - 2 ln(L), BIC = k ln(n) - 2 ln(L)
where k is the number of model parameters, n is the number of samples and L is the likelihood function.
The autoregressive moving average model predicts a variable from its own history according to the relation between the current value and past values, while tracking the accumulated error terms of the regression so that random fluctuation is removed from the prediction. (The model formula is given as an image in the original and is not reproduced here.)
the autocorrelation function ACF is used to compare the ordered random variables with itself, reflecting the correlation between different time sequence values of the same data sequence, and the formula is as follows:
Figure BDA0002722702660000063
and step 203, carrying out risk scoring on the access request according to the result of each access strategy submodel.
Specifically, different access policy submodels predict access requests from different dimensions and determine whether the access requests are within a confidence interval of the model. The following describes the prediction of the access policy submodel by taking an operation and maintenance scenario as an example.
Suppose that currently, a certain user logs in through an operation and maintenance account to perform daily operation and maintenance operations, and needs to read log resources. After the identity authentication of the account is performed by the zero-trust gateway, the number of times that the account logs in the host every day, the type and the number of times that the operation and maintenance instruction is executed on the application server every day are used as security data of the user dimension, the security data in the time window is intercepted to construct an Arima model, then the information of the account is input into the model for prediction, and whether the prediction result is in the confidence interval of the model or not is checked.
And 204, if each risk score is within a preset value interval, authorizing the terminal.
Specifically, after the scores of the access strategy submodels are integrated, whether the access request passes risk evaluation is judged, and if the access request passes the risk evaluation, the access of the terminal is authorized.
Further, when the zero trust gateway performs risk assessment on the access request and then finds an abnormality, for example, the current user access position is an unusual position or the current operation is sensitive operation, strong authentication on the user is triggered, and the validity of the identity of the operation user is further determined.
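Steps 301 to 303 and 203 to 204, together with the step-up rule just described, carried through on the operation and maintenance example, as an added example that is not the patent's code: the daily login series is differenced, the AR order is picked by AIC, the next value is forecast with a confidence interval, the live observation is scored against it per dimension, and an out-of-interval dimension withholds authorization and flags strong authentication. It uses only the Python standard library (no statsmodels), fits the AR part by least squares with a Gaussian interval, and the 20-day login series and the function names are constructed assumptions, not data from the patent.

```python
"""ARIMA-style check for one access-policy submodel (added example, not the patent's
code): difference the series (step 301), pick the AR order by AIC (steps 302-303),
forecast with a confidence interval, score the live request (step 203) and decide,
requiring step-up authentication on an anomaly (step 204 and the rule above).
Stdlib only; the AR part is fitted by least squares and the interval is Gaussian."""
import math
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample, not real telemetry: daily host logins of one operations
# account over a 20-day window (the user-dimension data of the patent's example).
LOGINS_PER_DAY = [14, 16, 15, 13, 17, 15, 14, 16, 18, 15,
                  14, 16, 15, 17, 14, 16, 15, 13, 16, 15]


def difference(series: Sequence[float], d: int = 1) -> List[float]:
    """Step 301: d-th order differencing to remove trend and stabilise the series."""
    out = list(series)
    for _ in range(d):
        out = [b - a for a, b in zip(out, out[1:])]
    return out


def acf(series: Sequence[float], lag: int) -> float:
    """Sample autocorrelation at `lag` (the ACF consulted in step 302)."""
    n, mean = len(series), sum(series) / len(series)
    var = sum((x - mean) ** 2 for x in series)
    if var == 0:
        return 1.0 if lag == 0 else 0.0
    return sum((series[t] - mean) * (series[t - lag] - mean) for t in range(lag, n)) / var


def _solve(a: List[List[float]], b: List[float]) -> List[float]:
    """Gauss-Jordan elimination with partial pivoting for the small normal equations."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("singular normal equations: series too short or constant")
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def fit_ar(series: Sequence[float], p: int, start: Optional[int] = None) -> Tuple[List[float], List[float]]:
    """Least-squares AR(p): x_t = c + phi_1 x_{t-1} + ... + phi_p x_{t-p}.
    Returns ([c, phi_1, ..., phi_p], residuals); `start` fixes the first fitted
    index so that candidate orders are compared on the same observations."""
    start = p if start is None else max(start, p)
    rows = [[1.0] + [series[t - i] for i in range(1, p + 1)] for t in range(start, len(series))]
    y = list(series[start:])
    k = p + 1
    ata = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    aty = [sum(r[i] * yt for r, yt in zip(rows, y)) for i in range(k)]
    coef = _solve(ata, aty)
    resid = [yt - sum(c * x for c, x in zip(coef, r)) for r, yt in zip(rows, y)]
    return coef, resid


def aic(resid: Sequence[float], k: int) -> float:
    """Step 303: AIC = 2k - 2 ln(L) with the Gaussian log-likelihood at sigma^2 = RSS/n."""
    n = len(resid)
    sigma2 = max(sum(e * e for e in resid) / n, 1e-12)
    return 2 * k + n * (math.log(2 * math.pi * sigma2) + 1)


def select_order(series: Sequence[float], candidates: Sequence[int] = (1, 2, 3)) -> int:
    """Steps 302-303: the AR order with the lowest AIC on the differenced data."""
    diffs = difference(series)
    return min((aic(fit_ar(diffs, p, start=max(candidates))[1], p + 1), p) for p in candidates)[1]


def forecast(series: Sequence[float], p: int) -> Tuple[float, float]:
    """Next level and residual sigma from an AR(p) on first differences, i.e. ARIMA(p,1,0)."""
    diffs = difference(series)
    coef, resid = fit_ar(diffs, p)
    next_diff = coef[0] + sum(c * diffs[-i] for i, c in enumerate(coef[1:], start=1))
    dof = max(len(resid) - len(coef), 1)
    sigma = max(math.sqrt(sum(e * e for e in resid) / dof), 1e-9)  # floor keeps a perfectly regular history usable
    return series[-1] + next_diff, sigma


def score_dimension(history: Sequence[float], observed: float, p: Optional[int] = None, z: float = 1.96) -> Dict[str, float]:
    """Step 203: distance of the observation from the forecast in sigma units;
    `within` is the patent's confidence-interval test (z = 1.96 is roughly 95%)."""
    p = select_order(history) if p is None else p
    level, sigma = forecast(history, p)
    score = abs(observed - level) / sigma
    return {"forecast": level, "lower": level - z * sigma, "upper": level + z * sigma,
            "score": score, "within": score <= z}


def decide(results: Dict[str, Dict[str, float]]) -> Dict[str, object]:
    """Step 204: authorize only when every dimension is within its interval; otherwise
    withhold authorization and require strong (step-up) authentication."""
    anomalous = sorted(name for name, r in results.items() if not r["within"])
    return {"authorize": not anomalous, "step_up_auth": bool(anomalous), "anomalous": anomalous}


if __name__ == "__main__":
    order = select_order(LOGINS_PER_DAY)
    user = score_dimension(LOGINS_PER_DAY, observed=16, p=order)
    terminal = score_dimension(LOGINS_PER_DAY, observed=120, p=order)  # constructed spike
    print(f"AR({order}) forecast {user['forecast']:.1f}, interval [{user['lower']:.1f}, {user['upper']:.1f}]")
    print(decide({"user": user, "terminal": terminal}))
```

The interval is what makes the check defensible: a fixed threshold on login counts would either fire on every busy day or miss a slow ramp, whereas a forecast interval re-derived from the latest window (the "timeliness" point of step 102) tracks the account's own baseline. The sigma floor in `forecast` matters in practice: an account with a perfectly regular history would otherwise get a zero-width interval and every request would be flagged.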
It should be noted that the above examples in the present embodiment are only for easy understanding, and do not limit the technical scheme of the present invention.
Compared with the prior art, the zero-trust gateway in this embodiment distrusts all access by default; all traffic in the user identity authentication process is encrypted with an attribute-based encryption algorithm, realizing multi-factor identity authentication; and after the user identity authentication passes, multi-dimensional risk assessment is performed on the terminal's access through an access policy model learned from data. The access policy model in this embodiment builds several access policy submodels with the ARIMA algorithm, and by learning from historical data and combining the multi-dimensional risk assessment, strong authentication is triggered when the risk is anomalous, further improving the security of network access.
The steps of the above methods are divided for clarity, and the implementation may be combined into one step or split some steps, and the steps are divided into multiple steps, so long as the same logical relationship is included, which are all within the protection scope of the present patent; it is within the scope of the patent to add insignificant modifications to the algorithms or processes or to introduce insignificant design changes to the core design without changing the algorithms or processes.
A third embodiment of the present invention relates to a security authentication apparatus, as shown in fig. 4, including:
the identity authentication module 401 is configured to perform identity authentication on an access request sent by a terminal through an identity authentication platform;
a risk assessment module 402, configured to perform risk assessment on the access request based on the access policy model when the authentication result is successful;
and a request authorization module 403, configured to determine whether to authorize the terminal according to the result of the risk assessment.
In one example, the identity authentication module 401 is further configured to decrypt the access request with a pre-allocated private key to obtain the identity information of the user, and to call the identity authentication platform to authenticate the identity information and obtain the authentication result.
In another example, the risk assessment module 402 is further configured to generate a plurality of access policy submodels, each generated as follows: acquiring security data within a preset time window from the network where the terminal is located, and generating an autoregressive moving average model from that security data.
In one example, the risk assessment module 402 is further configured to input the information related to the access request into the access policy submodels to obtain a prediction result, to score the risk of the access request according to the result of each access policy submodel, and to return a "passed" risk assessment result if every risk score lies within the preset value range.
In practical applications, the zero-trust gateway in this embodiment is specifically implemented by a functional structure as shown in fig. 5, where functional modules in the functional structure include: the system comprises a source data module, a multi-factor identity authentication module, a dynamic analysis and evaluation module, a data synchronization module, a management module and an auxiliary module. Wherein the content of the first and second substances,
and the source data module is used for describing the source data type related to the zero-trust gateway. The access log comprises log of log application and log login, log operation and log audit, and is used for daily audit of an administrator and self-learning of the dynamic analysis and evaluation module; in the zero trust network, all assets are subjected to identity, and generated data user authentication and evaluation are carried out; threat intelligence is used as security background information for asset risk assessment; the access policy is the authority of the user/host to access the corresponding resource.
The multi-factor identity card module is used for providing basic problem checking and physical checking capability and can also be accessed to the existing authentication service of enterprises, such as 4A; the authentication engine supports integration with a standard directory protocol and identity management service, such as a lightweight directory access protocol LDAP, and quickly integrates original data services and services; and combining an ABE identity authentication/encryption module, and realizing signature and authentication capability when a user accesses an application and the application accesses each other by utilizing special capability based on attributes.
A policy engine in the dynamic analysis evaluation module for deciding whether to grant access to a resource to an accessing user/host, the engine using enterprise security policy and input from external sources (e.g., IP blacklist, threat intelligence service) as input to a "trust algorithm" to decide to grant or deny access to the resource; the strategy management is responsible for establishing the connection between the client and the resource; the policy enforcement module is responsible for enabling, monitoring and ultimately accessing the connections between the principal and the enterprise resources; strategy self-learning, namely, combining a trust algorithm and historical data to carry out regression analysis and dynamically adjust the actual access control strategy.
The data synchronization module provides the security capabilities that are called through interfaces: 4A authentication synchronization calls the authentication, audit and authorization capabilities; SIEM synchronization aggregates system logs, network traffic, resource authorizations and other events from enterprise systems and feeds back the security posture of the enterprise information system; threat intelligence synchronization supplies a basis for authentication and access control decisions.
The management module processes the related data source information and provides data backup capability; through policy verification the administrator checks and confirms the output of self-learning; through risk alerts the administrator obtains the relevant access and risk information.
The auxiliary module provides threat intelligence and SIEM data to authentication and access control so that policies can be adjusted; identity authentication management represents the authentication capabilities that support access by third parties; the ABE identity authentication/encryption module is the technical breakthrough point: it protects the confidentiality and validity of service access and can provide a degree of traceability.
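The decision flow of the policy engine described above, together with the per-dimension risk scoring of claims 4 to 7 (one sub-model each for the user, terminal and application dimensions, a risk score per sub-model, and a pass only when every score lies in a preset interval), as an added Python example written for this page. It is not the patent's code nor any product of the applicant. Assumptions: a least-squares AR(1) fit stands in for the autoregressive moving average model the claims name (a full ARMA fit would use, for example, statsmodels.tsa.arima); the identity verification platform's result is passed in as a flag; the histories, addresses, blacklist, threat feed, window length and score interval are constructed sample inputs.

```python
"""Zero-trust policy engine sketch: external inputs (IP blacklist, threat
intelligence) plus per-dimension autoregressive risk scores feed one
allow/deny decision.  Added example for this page, not the patent's code.
ASSUMPTION: a least-squares AR(1) fit stands in for the ARMA sub-model of
claims 5-7.  All histories, addresses and feeds below are constructed."""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Sequence, Tuple

WINDOW = 10                                   # preset time window (claim 5), in samples
INTERVAL: Tuple[float, float] = (0.0, 3.0)    # preset risk-score interval (claim 6)


@dataclass
class ARModel:
    """x_t = c + phi * x_{t-1} + e_t; sigma is the residual spread."""
    c: float
    phi: float
    sigma: float

    def predict(self, last: float) -> float:
        return self.c + self.phi * last


def fit_ar1(series: Sequence[float]) -> ARModel:
    """Least-squares AR(1) fit over the last WINDOW observations of one
    security-data dimension (user / terminal / application)."""
    window = list(series[-WINDOW:])
    if len(window) < 3:
        raise ValueError("need at least 3 observations in the window")
    xs, ys = window[:-1], window[1:]
    mx, my = mean(xs), mean(ys)
    var = sum((x - mx) ** 2 for x in xs)
    phi = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / var if var else 0.0
    c = my - phi * mx
    residuals = [y - (c + phi * x) for x, y in zip(xs, ys)]
    # Floor the spread so a flat history cannot turn every deviation into infinity.
    return ARModel(c, phi, max(pstdev(residuals), 1e-6))


def risk_scores(models: Dict[str, ARModel], history: Dict[str, List[float]],
                observed: Dict[str, float]) -> Dict[str, float]:
    """Per-dimension score: how many residual sigmas the request's observed
    value lies from what that dimension's sub-model predicted for this step."""
    return {dim: abs(observed[dim] - m.predict(history[dim][-1])) / m.sigma
            for dim, m in models.items()}


@dataclass
class Decision:
    allow: bool
    reason: str
    scores: Dict[str, float] = field(default_factory=dict)


def decide(request: dict, models: Dict[str, ARModel], history: Dict[str, List[float]],
           blacklist: set, threat_intel: Dict[str, str],
           interval: Tuple[float, float] = INTERVAL) -> Decision:
    """Trust algorithm: identity result first (claim 1), then the external
    inputs, then the per-dimension risk assessment (claim 6)."""
    if not request.get("auth_ok"):          # result from the identity verification platform
        return Decision(False, "identity authentication failed")
    ip = request["src_ip"]
    if ip in blacklist:
        return Decision(False, f"source {ip} is on the IP blacklist")
    if ip in threat_intel:
        return Decision(False, f"threat intelligence hit for {ip}: {threat_intel[ip]}")
    scores = risk_scores(models, history, request["observed"])
    lo, hi = interval
    outliers = [dim for dim, s in scores.items() if not lo <= s <= hi]
    if outliers:
        return Decision(False, "risk score outside preset interval: " + ", ".join(outliers), scores)
    return Decision(True, "authenticated and all dimension scores within interval", scores)


def learn(history: Dict[str, List[float]], observed: Dict[str, float]):
    """Policy self-learning: fold an accepted request's observations into the
    window and refit, so the sub-models track the current baseline.
    Returns (updated history, refitted models) without mutating the input."""
    updated = {dim: (series + [observed[dim]])[-WINDOW:] for dim, series in history.items()}
    return updated, {dim: fit_ar1(s) for dim, s in updated.items()}


# Constructed sample history (one value per hour) for the three dimensions.
HISTORY: Dict[str, List[float]] = {
    "user": [2, 3, 2, 4, 3, 3, 2, 4, 3, 2],                    # failed logins by this user
    "terminal": [5, 6, 5, 7, 6, 5, 6, 7, 6, 5],                # distinct hosts the terminal contacted
    "application": [40, 42, 41, 45, 43, 42, 44, 43, 42, 44],   # requests per hour to the app
}
BLACKLIST = {"203.0.113.9"}                                     # constructed
THREAT_INTEL = {"198.51.100.7": "known C2 node"}               # constructed feed
MODELS = {dim: fit_ar1(series) for dim, series in HISTORY.items()}

if __name__ == "__main__":
    normal = {"auth_ok": True, "src_ip": "10.0.0.5",
              "observed": {"user": 3, "terminal": 6, "application": 43}}
    burst = {"auth_ok": True, "src_ip": "10.0.0.5",
             "observed": {"user": 25, "terminal": 6, "application": 43}}
    for req in (normal, burst):
        print(decide(req, MODELS, HISTORY, BLACKLIST, THREAT_INTEL))
```

The blacklist and threat-intelligence checks short-circuit before any scoring, which is the "external sources as input to the trust algorithm" ordering; the per-dimension scores are kept in the decision so the administrator's policy verification and risk alerts (management module) can show which dimension tripped. Only accepted requests are folded back through learn(), otherwise an attacker could shift the baseline with the very traffic being denied.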
It should be understood that the present embodiment is a system embodiment corresponding to the first embodiment and the second embodiment, and the present embodiment can be implemented in cooperation with the first embodiment and the second embodiment. The related technical details mentioned in the first embodiment and the second embodiment are still valid in this embodiment, and are not described herein again to reduce repetition. Accordingly, the related technical details mentioned in the present embodiment can also be applied to the first embodiment and the second embodiment.
It should be noted that all the modules involved in this embodiment are logic modules; in practical application, one logic unit may be one physical unit, part of one physical unit, or a combination of multiple physical units. In addition, to highlight the innovative part of the present invention, units not closely related to solving the technical problem proposed by the present invention are not introduced in this embodiment, but this does not mean that no other units exist in this embodiment.
A fourth embodiment of the invention relates to an electronic device, as shown in fig. 6, comprising at least one processor 601; and a memory 602 communicatively coupled to the at least one processor 601; the memory 602 stores instructions executable by the at least one processor 601, and the instructions are executed by the at least one processor 601 to enable the at least one processor 601 to execute the security authentication method in the first or second embodiment.
Where the memory 602 and the processor 601 are coupled by a bus, the bus may comprise any number of interconnected buses and bridges that couple one or more of the various circuits of the processor 601 and the memory 602 together. The bus may also connect various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. A bus interface provides an interface between the bus and the transceiver. The transceiver may be one element or a plurality of elements, such as a plurality of receivers and transmitters, providing a means for communicating with various other apparatus over a transmission medium. The data processed by the processor 601 is transmitted over a wireless medium via an antenna, which further receives the data and transmits the data to the processor 601. The processor 601 is responsible for managing the bus and general processing and may also provide various functions including timing, peripheral interfaces, voltage regulation, power management, and other control functions. While memory 602 may be used to store data used by processor 601 in performing operations.
A sixth embodiment of the present invention relates to a computer-readable storage medium storing a computer program. The computer program realizes the above-described method embodiments when executed by a processor.
That is, as those skilled in the art can understand, all or part of the steps of the methods in the embodiments described above may be implemented by a program instructing related hardware; the program is stored in a storage medium and includes several instructions that enable a device (which may be a single-chip microcomputer, a chip, or the like) or a processor to execute all or part of the steps of the method described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and other media capable of storing program code.
It will be understood by those of ordinary skill in the art that the foregoing embodiments are specific embodiments for practicing the invention, and that various changes in form and details may be made therein without departing from the spirit and scope of the invention in practice.

Claims (10)

1. A security authentication method, comprising:
performing identity authentication, through an identity authentication platform, on an access request sent by a terminal;
when the authentication result is successful, performing risk assessment on the access request based on an access policy model learned from historical security data;
and determining whether to authorize the terminal according to the result of the risk assessment.
2. The security authentication method of claim 1, wherein the access request and the authentication result are encrypted by an attribute-based algorithm;
and performing identity authentication, through the identity authentication platform, on the access request sent by the terminal comprises:
decrypting the access request according to a pre-distributed private key to obtain the identity information of the user, wherein the private key carries characteristic information of the terminal;
and calling the identity authentication platform to authenticate the identity information and obtaining the authentication result.
3. The security authentication method of claim 2, wherein the characteristic information comprises: IP address, MAC address and virtual machine version.
4. The security authentication method of claim 1, wherein the access policy model comprises a plurality of access policy submodels;
and the access policy submodels comprise: an access policy submodel of the user dimension, an access policy submodel of the terminal dimension and an access policy submodel of the application dimension.
5. The security authentication method of claim 4, wherein the access policy submodel is an autoregressive moving average model generated by:
acquiring security data within a preset time window in the network where the terminal is located;
and generating the autoregressive moving average model from the security data.
6. The security authentication method of claim 5, wherein performing risk assessment on the access request based on the access policy model comprises:
inputting information related to the access request into each access policy submodel to obtain a prediction result, wherein the related information comprises: user information, terminal information and application information;
performing risk scoring on the access request according to the result of each access policy submodel;
and if every risk score lies within a preset value interval, the result of the risk assessment is a pass.
7. The security authentication method of claim 5 or 6, wherein the security data comprises: historical access logs, security event message data and threat intelligence.
8. A security authentication apparatus, comprising:
an identity authentication module, configured to perform identity authentication, through an identity authentication platform, on an access request sent by a terminal;
a risk assessment module, configured to perform risk assessment on the access request based on an access policy model when the authentication result is successful;
and a request authorization module, configured to determine whether to authorize the terminal according to the result of the risk assessment.
9. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor, and the instructions, when executed by the at least one processor, enable the at least one processor to perform the security authentication method of any one of claims 1 to 7.
10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the security authentication method of any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011092761.6A CN112231692A (en) 2020-10-13 2020-10-13 Security authentication method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011092761.6A CN112231692A (en) 2020-10-13 2020-10-13 Security authentication method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN112231692A true CN112231692A (en) 2021-01-15

Family

ID=74113317

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011092761.6A Pending CN112231692A (en) 2020-10-13 2020-10-13 Security authentication method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112231692A (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112800666A (en) * 2021-01-18 2021-05-14 上海派拉软件股份有限公司 Log behavior analysis training method and identity security risk prediction method
CN112804254A (en) * 2021-02-07 2021-05-14 成都薯片科技有限公司 Request detection method and device, electronic equipment and storage medium
CN112804254B (en) * 2021-02-07 2022-10-28 成都薯片科技有限公司 Request detection method and device, electronic equipment and storage medium
CN113037728A (en) * 2021-02-26 2021-06-25 上海派拉软件股份有限公司 Risk judgment method, device, equipment and medium for realizing zero trust
CN113037728B (en) * 2021-02-26 2023-08-15 上海派拉软件股份有限公司 Risk judgment method, device, equipment and medium for realizing zero trust
WO2022183832A1 (en) * 2021-03-05 2022-09-09 华为技术有限公司 User account risk measurement method and related apparatus
CN113487218A (en) * 2021-07-21 2021-10-08 国网浙江省电力有限公司电力科学研究院 Internet of things trust evaluation method
CN113821425A (en) * 2021-09-30 2021-12-21 奇安信科技集团股份有限公司 Trust risk event tracking method and device, electronic equipment and storage medium
CN113821425B (en) * 2021-09-30 2024-03-08 奇安信科技集团股份有限公司 Tracking method and device for trust risk event, electronic equipment and storage medium
CN114389877A (en) * 2022-01-10 2022-04-22 河南能睿科技有限公司 Identity trust evaluation method for zero trust network and related product thereof
KR102576357B1 (en) * 2022-12-22 2023-09-11 건양대학교 산학협력단 Zero Trust Security Authentication System

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103607388A (en) * 2013-11-18 2014-02-26 浪潮(北京)电子信息产业有限公司 APT threat prediction method and system
CN105022964A (en) * 2015-06-01 2015-11-04 国家计算机网络与信息安全管理中心 Behavior prediction control based trusted network group construction method
CN107305611A (en) * 2016-04-22 2017-10-31 腾讯科技(深圳)有限公司 The corresponding method for establishing model of malice account and device, the method and apparatus of malice account identification
WO2018090839A1 (en) * 2016-11-16 2018-05-24 阿里巴巴集团控股有限公司 Identity verification system, method, device, and account verification method
US20180234453A1 (en) * 2017-02-15 2018-08-16 Cisco Technology, Inc. Prefetch intrusion detection system
CN108667843A (en) * 2018-05-14 2018-10-16 桂林电子科技大学 A kind of information safety protection System and method for for BYOD environment
CN109936630A (en) * 2019-02-27 2019-06-25 重庆邮电大学 A kind of Distributed Services access mandate and access control method based on attribute base password
CN110417721A (en) * 2019-03-07 2019-11-05 腾讯科技(深圳)有限公司 Safety risk estimating method, device, equipment and computer readable storage medium
US20200042679A1 (en) * 2018-08-01 2020-02-06 Intuit Inc. Policy based adaptive identity proofing


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Liu Huan et al.: "Zero trust security architecture and application research" (零信任安全架构及应用研究), Communications Technology (《通信技术》) *
Yang Zhengquan et al.: "Research on security technology of 'zero trust' in cloud-based services" ("零信任"在云化业务中的安全技术研究), Information Security and Communications Privacy (《信息安全与通信保密》) *
Chen Xun et al.: "An efficient remote attestation scheme based on computing platform security attributes" (基于计算平台安全属性的高效远程证明方案), Journal of Beijing University of Technology (《北京工业大学学报》) *


Similar Documents

Publication Publication Date Title
CN112231692A (en) Security authentication method, device, equipment and storage medium
US11563567B2 (en) Secure shared key establishment for peer to peer communications
CN106209749B (en) Single sign-on method and device, and related equipment and application processing method and device
US9935954B2 (en) System and method for securing machine-to-machine communications
CA2904748C (en) Systems and methods for identifying a secure application when connecting to a network
US9172544B2 (en) Systems and methods for authentication between networked devices
US8532620B2 (en) Trusted mobile device based security
US20140281503A1 (en) Certificate grant list at network device
US11526596B2 (en) Remote processing of credential requests
US10516653B2 (en) Public key pinning for private networks
US20050027979A1 (en) Secure transmission of data within a distributed computer system
JP5992535B2 (en) Apparatus and method for performing wireless ID provisioning
US11811739B2 (en) Web encryption for web messages and application programming interfaces
CN115996122A (en) Access control method, device and system
CN107888615B (en) Safety authentication method for node registration
CN114189380A (en) Zero-trust-based distributed authentication system and authorization method for Internet of things equipment
CN114091009A (en) Method for establishing secure link by using distributed identity
US11968302B1 (en) Method and system for pre-shared key (PSK) based secure communications with domain name system (DNS) authenticator
CN113556365B (en) Authentication result data transmission system, method and device
US11804969B2 (en) Establishing trust between two devices for secure peer-to-peer communication
CN116074028A (en) Access control method, device and system for encrypted traffic
Megala et al. A Review on Blockchain-Based Device Authentication Schemes for IoT
CN114996770A (en) Identity recognition method based on host management system
CN116961966A (en) Security authentication method, device, equipment and storage medium
CN117896081A (en) MQTT connection authentication method and system for road side equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination