CN112437441B - Internet of things-oriented access control system and method based on intelligent contract - Google Patents


Info

Publication number: CN112437441B
Authority: CN (China)
Prior art keywords: access, contract, access control, request, authority
Legal status: Active
Application number: CN202011137291.0A
Other languages: Chinese (zh)
Other versions: CN112437441A (en)
Inventors: 李杨, 刘建翔, 李绍鹏, 薛莹, 殷艳华
Current assignee: Shandong Shanke Safety Technology Co.,Ltd.
Original assignee: Institute of Automation Shandong Academy of Sciences
Application filed by Institute of Automation Shandong Academy of Sciences

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
          • G06N20/00 Machine learning
        • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
          • G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
            • G06Q40/04 Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange
      • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
        • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
          • G16Y40/00 IoT characterised by the purpose of the information processing
            • G16Y40/50 Safety; Security of things, users, data or systems
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
                • H04L63/1458 Denial of Service
          • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/01 Protocols
              • H04L67/10 Protocols in which an application is distributed across nodes in the network
                • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
              • H04L67/133 Protocols for remote procedure calls [RPC]
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W12/06 Authentication
          • H04W84/00 Network topologies
            • H04W84/18 Self-organising networks, e.g. ad-hoc networks or sensor networks


Abstract

The disclosure provides an Internet of Things-oriented access control system and method based on smart contracts, comprising a management module and a plurality of smart contracts deployed on a blockchain. The smart contracts comprise: an agent contract, which manages registration information and acquires access authority from the access control contract; an access control contract, which manages the access policy, acquires the permission threshold from the authority management contract, and feeds the access permission result back to the agent contract; and an authority management contract, which identifies access abnormal events and calls a machine learning algorithm to obtain the access authority threshold of the target sensing device. The management module constructs the information link between the sensors and the blockchain, allocates an address to each sensor, and configures the initial access policy of each access object in the access control contract. Through an RBF neural network-based credit evaluation of access objects, malicious nodes or abnormal access requests can be effectively identified, and dynamic authority management is achieved.

Description

Internet of things-oriented access control system and method based on intelligent contract
Technical Field
The disclosure relates to the technical field of the Internet of Things, in particular to an Internet of Things-oriented access control system and method based on smart contracts.
Background
The statements in this section merely provide background information related to the present disclosure and may not necessarily constitute prior art.
With the rapid development of Internet of Things technology, the number of sensors connected to the Internet of Things has grown exponentially. However, a large number of IoT devices suffer from limited resources, massive connection counts, poor security and similar bottlenecks, which pose great potential safety hazards to the Internet of Things; in recent years IoT security attack events have occurred frequently and have seriously threatened the privacy of users and the security of the basic network environment. For example, the Mirai virus took control of a large number of webcams and related DVR recorders through weak-password probing, and in the WannaCry event the worm not only tried to encrypt data but also attacked linked devices, including hospital devices, school teaching devices and the like.
The inventors of the present disclosure find that a wireless sensor network freely organizes massive sensor nodes into a multi-hop, self-organized network through wireless communication technology; it can cooperatively sense, collect and process information about the sensing objects within its coverage in real time, transmits the processed information wirelessly, and delivers it to the user in a multi-hop self-organized manner. Generally, the sensors of a wireless sensor network have limited computing and storage capacity, low cost and low security, so sensor nodes are easily intruded from outside, causing information leakage or damage to the sensor network, and traditional access control methods are not fully suited to the secure access requirements of the large number of existing Internet of Things sensors.
Disclosure of Invention
To overcome the defects of the prior art, the Internet of Things-oriented access control system and method based on smart contracts realize dynamic and intelligent access authority management for massive wireless sensors: malicious nodes or abnormal access requests can be effectively identified through an RBF neural network-based credit evaluation of access objects, and when an access object's credit reaches the credit threshold set by the contract it obtains matched access authority, so that dynamic authority management is realized.
To achieve this purpose, the disclosure adopts the following technical scheme:
The first aspect of the disclosure provides an Internet of Things-oriented access control system based on smart contracts.
An Internet of Things-oriented access control system based on smart contracts, comprising a management module and a plurality of smart contracts deployed on a blockchain;
the smart contracts comprise:
an agent contract (also rendered "proxy contract") configured at least to manage registration information and acquire access authority from the access control contract;
an access control contract configured at least to manage the access policy, acquire the permission threshold from the authority management contract, and feed the access permission result back to the agent contract;
an authority management contract configured at least to identify access abnormal events and call a machine learning algorithm to obtain the access authority threshold of the target sensing device;
the management module configured at least to construct an information link between the sensors and the blockchain, allocate an address to each sensor, and configure the initial access policy of each access object in the access control contract.
In some possible implementations, the management module is further configured to send a registration request to the agent contract, register the management module and its sensors, and send access permission requests to the agent contract.
In some possible implementations, the initial access policy includes the access target resource, access behavior, access permission, and maximum access time.
In some possible implementations, when each contract is successfully deployed on the blockchain, three different addresses are obtained, one per contract; the management module obtains the addresses of the agent contract and the authority management contract, the agent contract obtains the address of the authority management contract, and the authority management contract obtains the address of the access control contract;
in the initialization phase, the management module connects to the nearest miner on the blockchain, and the miner listens on its RPC port for the requests sent by the management module at any time.
In some possible implementations, the system registration method includes:
the management module sends a registration request to the agent contract and generates a key pair for the access object, consisting of a public key and a private key;
the public key is used as the address on the blockchain, a registration transaction is created and signed with the private key, the transaction is broadcast into the blockchain once created, and after verification by the miners it is added into a block, completing device registration.
In some possible implementations, configuring the initial access policy of an access object in the access control contract includes:
the management module sends a request to add the initial access policy to the access control contract, encapsulates the access policy into a transaction, broadcasts it in the blockchain with the access object's public key as the transaction output address, and after verification by the miners the transaction is added to the access control contract.
A second aspect of the present disclosure provides an Internet of Things-oriented access control method based on smart contracts.
An Internet of Things-oriented access control method based on smart contracts comprises the following steps:
the agent contract sends a request to obtain the access policy to the access control contract;
after receiving the request, the access control contract queries the authority management contract for whether an access abnormal event has occurred; if no abnormal event has occurred, the access policy is fed back to the agent contract;
if an abnormal event has occurred, the access control contract sends a request for the credit value to the authority management contract, which calls a radial basis function neural network model to self-learn on the access records, generates the access threshold, and updates the access history of the access object;
the access control contract then makes the access decision by combining the credit with the access policy and feeds the decision back to the agent contract.
In some possible implementations, generating the access threshold with the radial basis function neural network model includes:
selecting six types of access characteristics of the access object as evaluation indicators of the access node;
based on the constructed radial basis function neural network model, using the six types of access characteristics obtained as the input vector to obtain the credit degree of the access object.
In some possible implementations, the authority management contract calling the radial basis function neural network model to self-learn on the access records includes:
when the squared difference between the model output and the actual value is smaller than a preset value, storing the centers and weights of the radial basis functions obtained;
writing the obtained centers and weights of the radial basis functions into the access control contract as static variables, implementing the forward propagation of the radial basis function neural network model inside the access control contract, dynamically adjusting the credit value, and dynamically generating the access object's permission threshold.
In some possible implementations, an access object sends a CoAP message to the access resource to request access, and the management module compiles the message into an RPC message and sends it to the blockchain;
the miner responds immediately upon receiving the message, obtains the access authority of the access object returned by the agent contract, and feeds it back to the management module;
if permission is obtained, the management module compiles a CoAP message back to the access object, and the access object executes the policy according to the fed-back access result.
In some possible implementations, the six types of access characteristics are the illegal request proportion, the unauthorized request proportion, the abnormal request proportion, the prohibited request proportion, the disallowed request proportion, and the non-existent access resource proportion.
Compared with the prior art, the beneficial effects of this disclosure are:
1. The system and method realize dynamic and intelligent access authority management for massive wireless sensors by providing an agent contract, an access control contract, an authority management contract and a management module.
2. The system and method make full use of the auditability, tamper resistance and security of the blockchain to build a blockchain-based access control system for wireless sensor networks, providing a secure and traceable access control solution for massive sensors.
3. The system and method design a multi-level smart contract model that separately realizes registration management, authority management and access control, achieving credible and dynamic authority management for WSNs.
4. The system and method provide a dynamic authority threshold algorithm based on the RBF neural network, train a network model that dynamically generates the access authority threshold from the historical access knowledge and data of the access object, and realize intelligent management of access authority.
Advantages of additional aspects of the disclosure will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the disclosure.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure and are not to limit the disclosure.
Fig. 1 is a schematic structural diagram of the Internet of Things-oriented access control system based on smart contracts according to embodiment 1 of the present disclosure.
Fig. 2 is a schematic flow diagram of the Internet of Things-oriented access control method based on smart contracts according to embodiment 2 of the present disclosure.
Fig. 3 is a schematic structural diagram of the RBF neural network model provided in embodiment 2 of the present disclosure.
Detailed Description
The present disclosure is further described with reference to the following drawings and examples.
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present disclosure. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, and it should be understood that when the terms "comprises" and/or "comprising" are used in this specification, they specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof, unless the context clearly indicates otherwise.
The embodiments and features of the embodiments in the present disclosure may be combined with each other without conflict.
In order to solve the problems in the background art, the present disclosure:
firstly, sets up a blockchain-based network architecture and designs a multi-level smart contract framework;
secondly, provides a method for dynamically generating the access right threshold based on a BP neural network, realizing dynamic and intelligent access right management for massive wireless sensors.
Example 1:
As shown in Fig. 1, embodiment 1 of the present disclosure provides a smart contract-based access control system for wireless sensor networks, comprising: the wireless sensor networks (WSNs), the management module (Manager), the blockchain (Blockchain network) and the smart contracts (Smart Contract).
Wireless Sensor Networks (WSNs): WSNs freely organize massive sensor nodes into a multi-hop, self-organized network through wireless communication technology; they can cooperatively sense, acquire and process information about the sensing objects within the network coverage area in real time, transmit the processed information wirelessly, and deliver it to users in a multi-hop self-organized manner. Generally, WSN sensors have limited computing and storage capacity, low cost and low security, so sensor nodes are easily intruded from outside, causing information leakage or damage to the sensor network.
Management module (Manager): the module is deployed outside the blockchain, has a certain amount of computing and storage capacity, is essentially interface code written in the JavaScript scripting language, and realizes the following functions:
1) converting CoAP messages sent by sensors into JSON-RPC messages that the blockchain can recognize;
2) assigning a unique address to each managed sensor;
3) adding the initial access policy of the access object to the Access Control Contract (ACC).
The management module sends a registration request to the Agent Contract (AC) deployed on the blockchain, registers itself and the sensors it manages, and sends access right requests to the AC. The initial access policy is deployed by the Manager and generally includes the access target resource (resource), access behavior (action), access permission (permission), maximum access time (time period), and the like.
Blockchain: in this embodiment Ethereum is used for deployment. The Ethereum Virtual Machine (EVM) provides the runtime environment for smart contracts, and the platform provides two types of accounts: externally owned accounts (EOA), protected by private keys, and contract accounts (CA), protected by contract code. The functions defined by a smart contract, exposed through its application binary interface (ABI), form the execution interface through which each access control function of the system is provided.
Smart Contract: the multi-level smart contract architecture designed in this embodiment includes three contracts, namely the Agent Contract (AC), the Authority Management Contract (AMC) and the Access Control Contract (ACC).
The Agent Contract (AC) is mainly used to manage registration information and acquire access rights from the access control contract;
the Authority Management Contract (AMC) is used to identify access abnormal events, update the access knowledge of the access object, and call a machine learning (ML) algorithm to set the access authority threshold of the target sensing device;
the Access Control Contract (ACC) is used to manage the access policy, obtain the permission threshold from the authority management contract, and feed the access permission result back to the AC.
The initial access policy is deployed by the Manager and generally includes the access target resource (resource), access action (action), access permission (permission), maximum access time (time period), and the like.
The interaction between the modules of the system described in this embodiment mainly includes four stages: system initialization, device registration, dynamic authority allocation, and policy execution.
1) Initialization stage: in this stage the smart contracts are deployed. When the contracts are successfully deployed on the blockchain, three different addresses are obtained, one per contract, and any module that needs to interact with a smart contract must obtain its address in advance; for example, the management module (Manager) needs the addresses of the Agent Contract (AC) and the Authority Management Contract (AMC), the agent contract obtains the address of the Authority Management Contract (AMC), the authority management contract obtains the address of the Access Control Contract (ACC), and so on.
In the initialization phase, the management module connects to the nearest miner on the blockchain, and the miner listens on its RPC port for the requests sent by the management module at any time.
2) Registration stage: the management module sends a registration request to the Agent Contract (AC) to register the management module (Manager) and the devices (Devices) it manages. In this process the management module generates a key pair (a public key and a private key) for the access object; the public key is used as the address on the blockchain, a registration transaction is created and signed with the private key, the transaction is broadcast into the blockchain once created, and after verification by the miners it is added into a block, completing device registration.
The initial access policy is added as follows: the management module sends a request to add the initial access policy to the ACC, encapsulates the access policy into a transaction, broadcasts it in the blockchain with the access object's key as the transaction output address, and after verification by the miners the transaction is added to the ACC contract.
3) Access control stage: the Agent Contract (AC) sends an access policy acquisition request to the Access Control Contract (ACC); after receiving the request, the ACC queries the Authority Management Contract (AMC) for whether an access abnormal event (such as excessive access frequency or an address error) has occurred, and if none has occurred it feeds the access policy back to the AC;
if the access record is abnormal, the ACC sends a request for the credit value to the AMC, the AMC calls the RBF algorithm to self-learn on the access record, generates the access threshold (credit degree), and updates the access history of the access object; the ACC then makes the access decision by combining the credit degree with the access policy and feeds it back to the AC.
4) Policy execution stage: the access object sends a CoAP message to the access resource to request access; the message passes through the management module (Manager), which compiles it into an RPC message and sends it to the blockchain, and a miner (Miner) responds immediately on receiving it;
because the smart contract query is not issued as a transaction, no cost is generated; the miner obtains the access right of the access object returned by the smart contract and feeds it back to the Manager; if permission is obtained, the Manager compiles a CoAP message back to the access object, and the access object executes the policy according to the fed-back access result.
Example 2:
As shown in Fig. 2, embodiment 2 of the present disclosure provides an Internet of Things-oriented access control method based on smart contracts, where AC, AMC and ACC denote the agent contract, the authority management contract and the access control contract respectively, deployed on adjacent blocks. The method includes the following steps:
the agent contract (AC) sends a get-access-policy request to the Access Control Contract (ACC);
after receiving the request, the access control contract queries the Authority Management Contract (AMC) for whether an access abnormal event (such as excessive access frequency or an address error) has occurred; if none has occurred, the access policy is fed back to the agent contract;
if the access object is abnormal, the access control contract sends a request for the credit value to the authority management contract, which calls the RBF algorithm to self-learn on the access record, generates the access threshold (credit degree), and updates the access history of the access object;
the access control contract then makes the access decision by combining the credit degree with the access policy and feeds it back to the agent contract.
The get access rights algorithm is as follows:
(The algorithm listing is given as figures in the original patent and is not reproduced here.)
the RBF-based neural network credibility evaluation model is as follows:
the embodiment provides an access object credit rating evaluation method based on an RBF neural network, wherein the credit rating is a credit measurement of an access object, is a credit rating which can be determined to fulfill a contract in a period of time, can effectively identify malicious nodes or abnormal access requests, and when the credit rating reaches a credit threshold set by the contract, the access object can obtain a matched access right, so that dynamic right management is realized.
Firstly, six types of access characteristics of the access object are selected as the evaluation indexes of the access node:
1) Illegal request proportion (IRP): an illegal request is one in which the request sent by the device contains an illegal error, such as an illegal identity, a syntax error or an invalid address; the proportion of illegal requests among all requests is taken as $x_1$.
2) Unauthorized request proportion (URP): unauthorized means that the device's identity has not been authenticated, or that the system holds no preset access-authority information for the device, so that the error is submitted for authentication and the request is identified as unauthorized; the proportion of unauthorized requests among all requests is taken as $x_2$.
3) Abnormal request proportion (ERP): an abnormal request indicates that the device is subject to a security attack such as a virus, for example a DoS attack in which the device sends a large number of requests that consume system resources; the proportion of abnormal requests among all requests is taken as $x_3$.
4) Prohibited request proportion (PRP): a prohibited request is one from a device that the system has barred from access, indicating that the device's access-authority threshold is low and the device is not trusted; the proportion of prohibited requests among all requests is taken as $x_4$.
5) Request-not-allowed proportion (NAFRP): a request is not allowed when the authority it asks for exceeds the device's preset range; a device sending large numbers of such requests may be launching a denial-of-service attack; the proportion of not-allowed requests among all requests is taken as $x_5$.
6) Access-resource-nonexistent proportion (NARP): the resource the device attempts to access is not found or does not exist; a device sending large numbers of such requests may likewise be launching a denial-of-service attack; the proportion of such requests among all requests is taken as $x_6$.
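The six ratios are computed per device from its request history. The following Python is an added example, not the patent's code: the patent defines the six categories only in words, so the mapping from CoAP response codes (the protocol the access objects use) onto those categories, and the sample log, are assumptions constructed for this example.

```python
"""Compute the six access-characteristic ratios x1..x6 of a device from its request log.

Added example, not the patent's code. The patent defines the six categories in
words only; the mapping from CoAP response codes to those categories and the
sample log below are assumptions constructed for this example.
"""
from collections import Counter

# Assumed mapping of CoAP response codes onto the six categories of the text.
CODE_TO_FEATURE = {
    "4.00": "irp",    # Bad Request: syntax error / illegal identity -> illegal request
    "4.01": "urp",    # Unauthorized: identity not authenticated     -> unauthorized request
    "4.29": "erp",    # Too Many Requests: flood, DoS symptom        -> abnormal request
    "4.03": "prp",    # Forbidden: device barred by the system       -> prohibited request
    "4.05": "nafrp",  # Method Not Allowed: outside preset authority -> request not allowed
    "4.04": "narp",   # Not Found: resource does not exist           -> resource nonexistent
}
FEATURE_ORDER = ["irp", "urp", "erp", "prp", "nafrp", "narp"]  # x1 .. x6


def feature_vectors(log):
    """log: iterable of (device, method, uri, response_code).
    Returns {device: [x1, ..., x6]}, each x being the share of that category in all
    of the device's requests; successful responses (2.xx) count only in the total."""
    totals = Counter()
    counts = {}
    for device, _method, _uri, code in log:
        totals[device] += 1
        feature = CODE_TO_FEATURE.get(code)
        if feature is not None:
            counts.setdefault(device, Counter())[feature] += 1
    return {device: [counts.get(device, Counter())[f] / totals[device] for f in FEATURE_ORDER]
            for device in totals}


# Constructed log, not captured traffic: a well-behaved sensor and a flooding camera.
SAMPLE_LOG = (
    [("sensor-01", "GET", "/sensors/temp", "2.05")] * 8
    + [("sensor-01", "GET", "/sensors/humid", "4.04"),
       ("sensor-01", "PUT", "/actuators/valve", "4.01")]
    + [("cam-07", "GET", "/sensors/temp", "4.29")] * 6
    + [("cam-07", "POST", "/", "4.00")] * 2
    + [("cam-07", "DELETE", "/sensors/temp", "4.03")] * 2
)

if __name__ == "__main__":
    for device, x in feature_vectors(SAMPLE_LOG).items():
        print(device, [round(v, 2) for v in x])
```

The resulting vector for each device is the input $X = (x_1, \ldots, x_6)$ of the model described next; with this mapping the sensor scores $(0, 0.1, 0, 0, 0, 0.1)$ and the flooding camera $(0.2, 0, 0.6, 0.2, 0, 0)$.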
Secondly, a dynamic authority management model based on the RBF neural network is constructed:
A three-layer neural-network credit evaluation model is designed. The input layer has 6 nodes; the six types of access characteristics form the input vector, denoted
$X = (x_1, x_2, \ldots, x_6)$;
The hidden layer has 20 nodes, denoted
$B = (b_1, b_2, \ldots, b_{20})$;
The output node is $Y$, representing the trust of the access object, $Y = y,\ y \in (0, 1)$. The weight vector from the hidden-layer nodes to the output node is expressed as (1):
$w = (w_{1,1}, w_{2,1}, \ldots, w_{20,1}) \quad (1)$
The hidden layer consists of RBF units and needs no weighted connections from the input layer; its expression, equation (2), appears in the original only as an image.
The output layer is expressed by equation (3), likewise given in the original only as an image.
The credit evaluation network model of the access object is shown in fig. 3. Through continued learning the RBF network adjusts the centre C of each radial basis function and each weight so that the error keeps decreasing; the model parameters are updated with a back-propagation algorithm, and the update formulas (4) and (5) are given in the original only as images.
Here $C_{i,j}$ is the $j$-th component of the centre of the $i$-th radial basis function, $W_{i,1}$ is the weight from hidden node $i$ to the output node, $\alpha$ is the learning rate (a constant), and $E$ is the squared difference between the model output and the actual value:
$E = (y_i - o_i)^2 \quad (6)$
where $y_i$ is the output of the model and $o_i$ is the actual (target) value.
When the error E has decreased to a suitable value the algorithm stops, the centres C and weights W of the radial basis functions are saved, and the learning process ends.
Compared with classical neural networks such as BP (back-propagation) networks, the RBF-based algorithm learns quickly and can meet real-time requirements. Its characteristic is that the outputs of the hidden-layer units form a set of basis functions which the output layer combines linearly to approximate the target function; the hidden layer maps the non-linearly separable input space into a linearly separable feature space, and the output layer completes the linear division to realise classification.
The radial-basis-function centres C and weights W obtained by the algorithm are written into the smart contract AMC as static variables; the contract then implements only the forward-propagation pass of the RBF network, so that the credit value is adjusted dynamically and the authority threshold of the access object is generated dynamically.
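The split between offline learning and an on-chain forward pass is worth seeing end to end. The script below is an added example and not the patent's code: it trains a 6-20-1 RBF network by gradient descent on the centres and weights, freezes C and W, and then evaluates the credit with the forward pass alone, as the contract would. The patent shows equations (2) to (5) only as images, so the Gaussian basis function, its fixed width SIGMA, the gradient formulas (derived from E = (y - o)^2 by the chain rule), the clamp of the output into (0,1) and the synthetic training data are all assumptions made here.

```python
"""Offline training of the six-input RBF credit model and the frozen forward pass.

Added example, not the patent's code. The patent shows eqs. (2)-(5) only as
images, so the Gaussian basis function, its fixed width SIGMA, the gradient
formulas (derived from E = (y - o)^2 by the chain rule), the clamp of the
output to (0,1) and the synthetic training data are all assumptions made here.
"""
import math
import random

N_IN, N_HIDDEN = 6, 20  # input nodes x1..x6 and hidden nodes b1..b20, as in the text
SIGMA = 0.15            # assumed basis-function width
ALPHA = 0.005           # learning rate, the constant "alpha" of the text


def hidden_layer(x, centers):
    """Eq. (2), assumed Gaussian form: b_i = exp(-||x - C_i||^2 / (2 sigma^2))."""
    return [math.exp(-sum((xj - cj) ** 2 for xj, cj in zip(x, c)) / (2 * SIGMA ** 2))
            for c in centers]


def output_layer(b, weights):
    """Eq. (3): linear combination y = sum_i W_{i,1} * b_i."""
    return sum(w * bi for w, bi in zip(weights, b))


def train(samples, epochs=200, seed=7):
    """Back-propagation on the centres C_{i,j} and weights W_{i,1}, minimising eq. (6)."""
    rng = random.Random(seed)
    centers = [list(rng.choice(samples)[0]) for _ in range(N_HIDDEN)]  # init from data
    weights = [rng.uniform(-0.1, 0.1) for _ in range(N_HIDDEN)]
    history = []  # mean E per epoch, to see that the error keeps decreasing
    for _ in range(epochs):
        total = 0.0
        for x, o in samples:
            b = hidden_layer(x, centers)
            err = output_layer(b, weights) - o  # (y_i - o_i)
            total += err * err
            for i in range(N_HIDDEN):
                # dE/dC_ij = 2 err W_i b_i (x_j - C_ij) / sigma^2  (centre update)
                for j in range(N_IN):
                    grad_c = 2 * err * weights[i] * b[i] * (x[j] - centers[i][j]) / SIGMA ** 2
                    centers[i][j] -= ALPHA * grad_c
                weights[i] -= ALPHA * 2 * err * b[i]  # dE/dW_i = 2 err b_i  (weight update)
        history.append(total / len(samples))
    return centers, weights, history


def credit(x, centers, weights):
    """Forward pass only, as the contract runs it with C and W stored as static variables."""
    y = output_layer(hidden_layer(x, centers), weights)
    return min(max(y, 1e-6), 1.0 - 1e-6)  # keep y inside (0,1) as the text requires


def make_samples(n_good=40, n_medium=10, n_bad=10, seed=1):
    """Constructed training data: x are ratios in [0,1]; target trust falls as they grow."""
    rng = random.Random(seed)

    def label(x):
        return min(0.95, max(0.05, 1.0 - 2.0 * sum(x)))

    samples = []
    for kind in ["good"] * n_good + ["medium"] * n_medium + ["bad"] * n_bad:
        x = [rng.uniform(0.0, 0.03) for _ in range(N_IN)]
        if kind == "medium":  # one elevated ratio
            x[rng.randrange(N_IN)] = rng.uniform(0.1, 0.3)
        elif kind == "bad":   # two elevated ratios
            for j in rng.sample(range(N_IN), 2):
                x[j] = rng.uniform(0.2, 0.5)
        samples.append((x, label(x)))
    return samples


def demo():
    """Train, freeze C and W, then score a clean device and a flooding device."""
    centers, weights, history = train(make_samples())
    clean = [0.0] * N_IN
    flood = [0.2, 0.0, 0.6, 0.2, 0.0, 0.0]  # illegal, abnormal and prohibited requests
    return {"e_first": history[0], "e_last": history[-1],
            "clean": credit(clean, centers, weights),
            "flood": credit(flood, centers, weights)}
```

Only `credit` needs to live in the contract: it uses nothing but the stored centres and weights, 20 exponentials and one dot product, which is why the text can keep the learning off-chain and still adjust the credit value at query time. Re-training changes C and W, so any contract that hard-codes them as static variables has to be redeployed (or given an owner-only setter) to take a new model.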
The above description is only a preferred embodiment of the present disclosure and is not intended to limit the present disclosure, and various modifications and changes may be made to the present disclosure by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present disclosure should be included in the protection scope of the present disclosure.

Claims (10)

1. An Internet-of-Things-oriented access control method based on smart contracts, characterised by comprising the following steps:
the proxy contract sends a get-access-policy request to the access control contract;
after receiving the request, the access control contract queries the authority management contract for whether an access abnormal event has occurred, and if one has occurred, feeds the access abnormal event and the access policy back to the proxy contract;
if the access object is abnormal, the access control contract sends a request for the credit value to the authority management contract; the authority management contract invokes a radial basis function neural network model to self-learn from the access records, generates an authority threshold and updates the access history of the access object, wherein generating the authority threshold with the radial basis function neural network model comprises:
selecting six types of access characteristics of the access object as the evaluation indexes of the access node;
feeding the six types of access characteristics obtained into the constructed radial basis function neural network model as the input vector to obtain the credit degree of the access object;
and the access control contract makes the access decision by combining the credit degree with the access policy and feeds the decision back to the proxy contract.
2. The Internet-of-Things-oriented smart-contract-based access control method of claim 1, wherein the authority management contract invoking the radial basis function neural network model to self-learn from the access records comprises:
when the square of the difference between the model output and the actual value falls below a preset value, saving the obtained centres and weights of the radial basis functions;
and writing the obtained centres and weights of the radial basis functions into the access control contract as static variables, implementing the forward-propagation pass of the radial basis function neural network model in the access control contract, dynamically adjusting the credit value and dynamically generating the authority threshold of the access object.
3. The Internet-of-Things-oriented smart-contract-based access control method of claim 1, wherein:
the access object sends a CoAP message to the access resource to request access, and the management module compiles the message into an RPC message and sends it to the blockchain;
the miner responds immediately on receiving the message and, after acquiring the access right of the access object from the proxy contract, feeds it back to the management module;
and if permission is obtained, the management module compiles a CoAP message back and sends it to the access object, which executes the policy according to the access result fed back.
4. The internet-of-things-oriented intelligent contract-based access control method as claimed in claim 1, wherein the six types of access characteristics are an illegal request proportion, an unauthorized request proportion, an abnormal request proportion, a prohibited request proportion, a request disallowed proportion and an access resource nonexistence proportion.
5. An Internet-of-Things-oriented access control system based on smart contracts, applying the Internet-of-Things-oriented smart-contract-based access control method of any one of claims 1 to 4, characterised by comprising a management module and a plurality of smart contracts deployed on a blockchain;
the smart contracts comprise:
a proxy contract configured at least to: manage registration information and obtain the access right from the access control contract;
an access control contract configured at least to: manage the access policy, obtain the authority threshold from the authority management contract and feed the access right result back to the proxy contract;
an authority management contract configured at least to: identify access abnormal events and invoke a machine learning algorithm to obtain the access authority threshold of the target sensing device;
and the management module is configured at least to: build the information link between the sensors and the blockchain, allocate addresses to the sensors and configure the initial access policy of the access object in the access control contract.
6. The Internet-of-Things-oriented smart-contract-based access control system of claim 5, wherein the management module is further configured to: send a registration request to the proxy contract, register the management module and the sensors, and send an access right request to the proxy contract.
7. The internet-of-things-oriented smart contract-based access control system of claim 5, wherein the initial access policy comprises: access target resources, access behavior, access permissions, and maximum access time.
8. The Internet-of-Things-oriented smart-contract-based access control system of claim 5, wherein:
when each contract has been successfully deployed on the blockchain, three different addresses are obtained; the management module obtains the proxy contract address and the authority management contract address, the proxy contract obtains the authority management contract address, and the authority management contract obtains the access control contract address;
and in the initialisation phase the management module connects to the nearest miner on the blockchain, and the miner listens on the RPC port for requests sent by the management module.
9. The Internet-of-Things-oriented smart-contract-based access control system of claim 5, wherein system registration comprises:
the management module sends a registration request to the proxy contract and generates a key pair for the access object, the key pair comprising a public key and a private key;
the public key serves as the address on the blockchain; a registration transaction carrying the public key is created and signed with the private key, broadcast into the blockchain and, after verification by the miners, added to a block, which completes the device registration.
10. The Internet-of-Things-oriented smart-contract-based access control system of claim 5, wherein configuring the initial access policy of the access object in the access control contract comprises:
the management module sends an add-initial-access-policy request to the access control contract, encapsulates the access policy in a transaction, broadcasts the transaction in the blockchain with the public key of the access object as the transaction output address, and after verification by the miners the transaction is added to the access control contract.
CN202011137291.0A 2020-10-22 2020-10-22 Internet of things-oriented access control system and method based on intelligent contract Active CN112437441B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011137291.0A CN112437441B (en) 2020-10-22 2020-10-22 Internet of things-oriented access control system and method based on intelligent contract

Publications (2)

Publication Number Publication Date
CN112437441A CN112437441A (en) 2021-03-02
CN112437441B true CN112437441B (en) 2022-08-05

Family

ID=74695857

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011137291.0A Active CN112437441B (en) 2020-10-22 2020-10-22 Internet of things-oriented access control system and method based on intelligent contract

Country Status (1)

Country Link
CN (1) CN112437441B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113067861A (en) * 2021-03-16 2021-07-02 四川大学 Distributed extensible access control authorization system and method based on block chain
CN113114473B (en) * 2021-04-02 2022-03-01 西南石油大学 Credit evaluation system based on agricultural block chain Internet of things perception layer node
CN114465807B (en) * 2022-02-24 2023-07-18 重庆邮电大学 Zero-trust API gateway dynamic trust evaluation and access control method and system based on machine learning
CN116938986B (en) * 2023-09-19 2024-06-14 广州晟烨信息科技股份有限公司 Intelligent campus management method and system based on Internet of things
CN117540356B (en) * 2024-01-10 2024-03-12 腾讯科技(深圳)有限公司 Block chain-based data processing method, device, equipment and readable storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104735055A (en) * 2015-02-12 2015-06-24 河南理工大学 Cross-domain security access control method based on credibility
CN107786547A (en) * 2017-09-30 2018-03-09 厦门快商通信息技术有限公司 A kind of auth method based on block chain, device and computer-readable recording medium
CN108810073A (en) * 2018-04-05 2018-11-13 西安电子科技大学 A kind of Internet of Things multiple domain access control system and method based on block chain
CN109873825A (en) * 2019-02-26 2019-06-11 重庆大数美联科技有限公司 Car networking distributed access control method and system based on block chain technology
CN110557384A (en) * 2019-08-12 2019-12-10 杭州云象网络技术有限公司 internet of things management control method based on block chain
CN110855637A (en) * 2019-10-28 2020-02-28 西北工业大学 Block chain Internet of things distributed access control method based on attributes
CN110933093A (en) * 2019-12-04 2020-03-27 广西民族大学 Block chain data sharing platform and method based on differential privacy protection technology
CN110941679A (en) * 2019-12-05 2020-03-31 腾讯科技(深圳)有限公司 Contract data processing method, related equipment and medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Wang Haiyong, Pan Qiqing, Guo Kaixuan. Access control model based on blockchain and user credit. Journal of Computer Applications (计算机应用), 2020, vol. 40, no. 2, pp. 1674-1679. *

Also Published As

Publication number Publication date
CN112437441A (en) 2021-03-02

Similar Documents

Publication Publication Date Title
CN112437441B (en) Internet of things-oriented access control system and method based on intelligent contract
Atlam et al. IoT security, privacy, safety and ethics
Abou El Houda et al. Blockchain meets AMI: Towards secure advanced metering infrastructures
Yan et al. Survey on zero-trust network security
Rebbah et al. Intrusion detection in Cloud Internet of Things environment
Alfaqih et al. Internet of things security based on devices architecture
Rekik et al. A cyber-physical threat analysis for microgrids
Iftikhar et al. Security, trust and privacy risks, responses, and solutions for high-speed smart cities networks: A systematic literature review
US20220006791A1 (en) Secured Node Authentication and Access Control Model for IoT Smart City
Adebayo et al. Blockchain Technology: A Panacea for IoT Security Challenge
Annane et al. A new secure proxy-based distributed virtual machines management in mobile cloud computing
Thankachan et al. A survey and vital analysis of various state of the art solutions for web application security
Jena et al. A Pragmatic Analysis of Security Concerns in Cloud, Fog, and Edge Environment
KN The intelligent information integrity model to ensure the database protection using blockchain in cloud networking
Sun et al. Trust Based lot Access Control Using Blockchain
CN115459901A (en) Building Internet of things data management method based on block chain multi-chain and attribute encryption
Wu et al. Research on computer network information security problems and prevention based on wireless sensor network
Das et al. Smart City Vulnerabilities: An Overview
Shen et al. A trusted computing technology enabled mobile agent system
Alhawamdeh et al. Enabling Security as a Service for IoT Emerging Technologies: A Survey
Bhawna et al. Approaches and Methodologies for Distributed Systems: Threats, Challenges, and Future Directions
Lv et al. Zero-Trust Security Protection Architecture for Power Grid Based on FAHP Algorithm
Bourian et al. SSHCEth: Secure Smart Home Communications based on Ethereum Blockchain and Smart Contract
Tan et al. Blockchain-Based Data Security and Sharing for Resource-Constrained Devices in Manufacturing IoT
Babitha et al. A Review on Data protection and privacy in Fog Computing Network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20221227

Address after: 1206, Floor 12, Hanyu Jingu Artificial Intelligence Building, Jinan Area, China (Shandong) Pilot Free Trade Zone, 250000 Shandong Province

Patentee after: Shandong Shanke Safety Technology Co.,Ltd.

Address before: 250014 No. 19, ASTRI Road, Ji'nan, Shandong

Patentee before: INSTITUTE OF AUTOMATION, SHANDONG ACADEMY OF SCIENCES