CN112966245A - Power grid information system access control method and system based on information measurement - Google Patents
- Publication number: CN112966245A (application number CN202110370876.5A)
- Authority: CN (China)
- Prior art keywords: trust, user, value, access, risk
- Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Classifications
- G06F21/31: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity (G06F21/00) > Authentication, i.e. establishing the identity or authorisation of security principals (G06F21/30) > User authentication
- G06F21/45: Security arrangements (G06F21/00) > Authentication (G06F21/30) > Structures or tools for the administration of authentication
- G06F21/554: Security arrangements (G06F21/00) > Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems (G06F21/50) > Detecting local intrusion or implementing counter-measures (G06F21/55) > involving event detection and direct action
- G06N3/048: Computing arrangements based on biological models (G06N3/00) > Neural networks (G06N3/02) > Architecture, e.g. interconnection topology (G06N3/04) > Activation functions
- G06N3/084: Computing arrangements based on biological models (G06N3/00) > Neural networks (G06N3/02) > Learning methods (G06N3/08) > Backpropagation, e.g. using gradient descent
- G06F2221/2141: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity (G06F2221/00, G06F2221/21) > Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The invention provides a power grid information system access control method based on information measurement, comprising the following steps: receiving a login request, performing identity authentication, and admitting the user terminal to the power grid information system once authentication succeeds; receiving an access request for a target resource and judging whether the user needs to apply for or change a role, and if so, collecting user behavior data and obtaining the user trust degree through operation processing; comparing the user trust with a trust threshold and, if the user trust is greater than or equal to the trust threshold, giving the user the applied-for or changed role; receiving a service access operation initiated by the user terminal and preprocessing it with a neural network to obtain a risk value; determining a risk factor from the risk value by table lookup, and modifying the risk limit by combining the risk value and the risk factor; and judging whether the modified risk limit exceeds the risk threshold of the access, allowing the access if so and refusing it otherwise. The invention realizes zero-trust access control over the power grid information system.
Description
Technical Field
The invention relates to the field of intelligent information systems, in particular to a power grid information system access control method and system based on information measurement.
Background
With the development of the economy and society, information systems have become an important link in the national energy industry chain. Industries cannot operate normally without a reliable power supply, so the stability of the information system is particularly important. Through research and exploration in recent years, the concept of the intelligent information system has been developed; it has the characteristics of high efficiency, cleanliness, safety, reliability, interactivity and so on. Compared with the traditional information system, the intelligent information system is not only a network for transporting power but also an information interaction network, with the following advantages. Data interactivity: the intelligent information system can realize bidirectional real-time data interaction, so it can adjust electricity prices dynamically and thereby effectively reduce the power consumption of households or factories. Key equipment monitoring: the intelligent information system can monitor generation, transmission, distribution and power equipment in real time through sensors, so it can quickly resolve power failures and ensure the safety and stability of the information system. Flexible power scheduling: the intelligent information system can regulate power transmission at the macro level according to real-time consumption, which effectively avoids power shortages.
However, because of the openness of intelligent information systems, the strengthening of bidirectional interaction between information systems and users, the growing number of intelligent devices, and the involvement and access of a large number of users with different roles, problems of authority management for users with different roles and of access control for different devices are inevitable. Since users with different roles have different device access requirements and different access rights, a reliable authentication, authorization and access control method is very important in order to avoid complex situations such as an unauthorized attacker trying to read and tamper with data, or a user holding an expired authentication ticket accessing information system devices.
Disclosure of Invention
In order to solve at least one technical problem, the invention provides a power grid information system access control method and system based on information measurement.
In order to achieve the above object, a first aspect of the present invention provides a method for controlling access to a grid information system based on information measurement, the method including:
step 1, receiving a login request of a user terminal, performing identity authentication based on the login request, and accessing the user terminal into a power grid information system after the identity authentication is successful;
step 2, receiving an access request of a user terminal to a target resource, judging whether the user needs to apply for or change the role, if so, performing step 3, otherwise, performing step 6;
step 3, collecting user behavior data, and carrying out operation processing on the user behavior data to obtain user trust;
step 4, comparing the user trust with the trust threshold of the applied or changed role, if the user trust is greater than or equal to the trust threshold, giving the applied or changed role to the user and entering step 5; otherwise, access is denied;
step 5, receiving a service access operation initiated by the user terminal in the applied or changed role, collecting the user and the attributes in the operation, and inputting the attributes into a BP neural network for preprocessing to obtain a risk value;
step 6, determining corresponding risk factors through a table look-up mode according to the risk values, and modifying the risk amount by combining the risk values and the risk factors;
step 7, judging whether the modified risk limit exceeds the risk threshold value of the access; if so, allowing the service access operation, otherwise rejecting it.
In this scheme, step 3 above specifically includes:
collecting user identity authentication information and calculating a direct trust value; if the direct trust value is zero, the user has a false identity and access is terminated; if the direct trust value is greater than zero, collecting the user's historical interaction records from the central database and calculating a historical trust value, collecting evaluation records of the user from other third-party users and calculating a recommended trust value for the user by constructing a trust chain, weighting and adding the direct trust value and the recommended trust value to obtain a comprehensive trust value, and taking the comprehensive trust value as the user trust degree.
In this embodiment, step 3 further includes:
after the access identity of the user is verified, acquiring the historical trust and the initial authority of the user;
calculating the user access control function G and decomposing it into $G_1$ and $G_2$, where $G_1: A \to T$, $T \in [0,1]$, A represents the user and T the trust level; $G_2: T \to R$, $R \in [0,1]$, R denotes a role and $\to$ denotes a mapping function;
evaluating the user behavior and analyzing whether a serious violation exists; if so, forcibly terminating the access directly, and if not, calculating the current trust level and recalculating the user trust level by combining it with the historical trust level.
In this scheme, calculating the current trust level and recalculating the user trust level in combination with the historical trust level specifically comprises the following steps:
calculating the influence of past operational behavior on the current user trust, which depends on the time t, as a trust attenuation function $\varphi(t)$ computed by the formula $\varphi(t) = e^{-pt}$, where p is the trust decay value;
recording and processing malicious or improper operations of the user and calculating a penalty term for a given user a, denoted P(a), by the following formula: where n represents the data flow of malicious or improper access to the power grid information system;
for the case where the user's behavior conforms to normal operation, increasing the user's trust degree by giving a certain reward, computing a reward term R(a) by the formula $R(a) = e^{-(0.2m+4)}$, where m represents the data flow of normal access to the power grid information system;
processing the historical trust level and the current trust level to a certain degree and completing the weighted calculation to obtain the user trust level by the following formula: where History(a) represents the historical trust level result and Entiro(R(a), P(a)) represents the result of the user's current trust level.
in the scheme, collected multidimensional network monitoring data are quantitatively mapped into a specific trust metric value by utilizing a cloud fuzzy evaluation theory, wherein the cloud fuzzy evaluation theory comprises cloud droplets and a trust cloud;
the cloud droplets are characterized as: let U be the domain of trust membership, C be a qualitative concept representing w trust levels on U, x1,x2,…,xmThe metric index for describing the behavior trust of each user in the expression theory domain, the trust membership of the trust level described by C is expressed by mu, the trust membership is a group of normal random numbers which tend to be stable, the distribution of the trust membership on U is called normal trust cloud, and the element (X) is used for expressing the trust of each user in the expression theory domaini,μi) Group ofEach element is called a cloud drop;
the trust cloud is characterized by: each normal trust cloud is formally represented as a triplet (Ex, En, He), Ex being an expectation of the trust cloud; en is the entropy of the trust cloud, and reflects the dispersion degree and the value range of cloud droplets in the trust cloud; he represents the hyper-entropy of the trust cloud, reflecting the aggregation degree of the whole trust cloud on the cloud picture.
In this scheme, step 3 above specifically includes:
grading the user trust value according to the practical application and constructing w standard normal trust clouds $S_{C_i}(Ex_i, En_i, He_i)$, $i = 1, 2, \dots, w$, with a cloud generator: the trust value is divided into w intervals, the maximum and minimum of the i-th interval being denoted $a_{i\max}$ and $a_{i\min}$; first the trust value is divided into w levels according to the security-strength requirement and the control granularity of the access control, and the expectation, entropy and hyper-entropy of the w standard normal trust clouds are calculated by the following formulas:
$He_i = w$;
then the inverse normal cloud generator is applied to the w standard normal trust clouds to generate n cloud drops $(x_i, \mu_i)$; then, by constructing the Gaussian random numbers $En_i = NORE(En, He^2)$ and $x_i = NORE(Ex, (En_i)^2)$, calculating
collecting user behavior data according to the preset measurement indexes, selecting a suitable sliding window according to actual requirements, setting a reasonable time period, and collecting the actual values of the measurement indexes over several time periods within the sliding window; these are graded one by one and the data are normalized; according to the security-strength requirement, each measurement index has measurement values in z intervals based on the user role, and the higher the measurement value, the higher the credibility; denoting the minimum and maximum of the i-th interval by $a_{i\min}$ and $a_{i\max}$, the behavior data are quantized to a trust value $\varepsilon$:
$\varepsilon = a_{i\max} + \theta \times (a_i - a_{i\min})$;
where, when the number of behavior data in the interval is greater than or equal to the i-th interval, $\theta$ is the percentage of the number of behavior data in that interval over the total number of measurement data; and when the user metric value is smaller than the i-th interval, $\theta$ is the percentage of the number of behavior data in the i-th interval over the total number of metric data;
obtaining the quantized actual user behavior data by means of an inverse normal trust sub-cloud generator, and generating the expectation, entropy and hyper-entropy of m normal trust sub-clouds corresponding to the m measurement indexes;
using an actual normal trust cloud synthesizer with the expectation, entropy, hyper-entropy and index weights of the m measurement-index normal trust sub-clouds as input, obtaining the expectation, entropy and hyper-entropy of the actual normal trust cloud as follows:
comparing the similarity of the actual normal trust cloud with each standard normal trust cloud, and taking the trust level represented by the standard normal cloud with the highest similarity as the user trust level.
In this scheme, the preset metric indexes include: a network traffic behavior trust metric, a resource access behavior trust metric, and a security characteristic behavior trust metric.
In this scheme, the network traffic behavior trust metric index is: the suspicious behavior is distinguished by collecting the flow characteristics of data packets transmitted and received by a user in a network, and then the user behavior trust value is measured;
the resource access behavior trust measurement index is as follows: recording suspicious behaviors through behavior characteristics of a user when accessing resources, and further measuring the credibility of the user behaviors;
the security characteristic behavior trust metric index is: and selecting an index capable of reflecting obvious attack behavior, and rapidly forbidding illegal users from accessing the network.
The second aspect of the present invention further provides an information measurement-based power grid information system access control system, where the information measurement-based power grid information system access control system includes:
the identity authentication module is used for receiving a login request of a user terminal, performing identity authentication based on the login request, and accessing the user terminal into the power grid information system when the identity authentication is successful;
the trust management module is used for receiving an access request of a user terminal to a target resource, judging whether the user needs to apply for or change the role, if so, collecting user behavior data, and performing operation processing on the user behavior data to obtain user trust; comparing the user trust with a trust threshold of the applied or changed role, and if the user trust is greater than or equal to the trust threshold, giving the applied or changed role to the user; otherwise, access is denied;
the risk management module is used for receiving a service access operation initiated by the user terminal in an applied or changed role, collecting attributes of the user and the operation and inputting the attributes into a BP (back propagation) neural network for preprocessing to obtain a risk value; determining a corresponding risk factor through a table look-up mode according to the risk value, and modifying the risk limit by combining the risk value and the risk factor; and judging whether the modified risk limit exceeds the risk threshold value of the access, if so, allowing the service access operation, otherwise, rejecting the service access operation.
The third aspect of the present invention further provides a computer-readable storage medium that includes a program of the power grid information system access control method based on information measurement; when the program is executed by a processor, the steps of the power grid information system access control method based on information measurement described above are implemented.
According to the power grid information system access control method based on the information measurement, the zero trust access control of the power grid information system is realized through the identity authentication of the user and the evaluation results of the user trust degree and the risk amount, and an unauthorized attacker is effectively prevented from trying to read and tamper the confidential data of the power grid information system.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
FIG. 1 is a flow chart illustrating a method for controlling access to a grid information system based on information measurement according to the present invention;
FIG. 2 is a flowchart illustrating a method for determining whether a risk amount supports authorized access according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a method for obtaining user confidence according to a second embodiment of the present invention;
FIG. 4 is a flowchart illustrating a method for obtaining user confidence according to a third embodiment of the present invention;
fig. 5 shows a block diagram of a grid information system access control system based on information metrics according to the present invention.
Detailed Description
In order that the above objects, features and advantages of the present invention can be more clearly understood, a more particular description of the invention will be rendered by reference to the appended drawings. It should be noted that the embodiments and features of the embodiments of the present application may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, however, the present invention may be practiced in other ways than those specifically described herein, and therefore the scope of the present invention is not limited by the specific embodiments disclosed below.
Fig. 1 shows a flowchart of a grid information system access control method based on information measurement according to the present invention.
As shown in fig. 1, a first aspect of the present invention provides a method for controlling access to a grid information system based on information measurement, where the method includes:
step 1, receiving a login request of a user terminal, performing identity authentication based on the login request, and accessing the user terminal into a power grid information system after the identity authentication is successful;
the login request at least comprises the identity information of the user; specifically, the identity authentication module acquires the identity information from the login request and matches it against information prestored in an identity database; if they match, identity authentication succeeds and access to the power grid information system is granted; if they do not match, identity authentication fails and entry to the power grid information system is refused;
step 2, receiving an access request of a user terminal to a target resource, judging whether the user needs to apply for or change the role, if so, performing step 3, otherwise, performing step 6;
step 3, collecting user behavior data, and carrying out operation processing on the user behavior data to obtain user trust;
step 4, comparing the user trust with the trust threshold of the applied or changed role, if the user trust is greater than or equal to the trust threshold, giving the applied or changed role to the user and entering step 5; otherwise, access is denied;
step 5, receiving a service access operation initiated by the user terminal in the applied or changed role, collecting the user and the attributes in the operation, and inputting the attributes into a BP neural network for preprocessing to obtain a risk value;
step 6, determining corresponding risk factors through a table look-up mode according to the risk values, and modifying the risk amount by combining the risk values and the risk factors;
and 7, judging whether the modified risk limit exceeds the risk threshold value of the access, if so, allowing the service access operation, otherwise, rejecting the service access operation.
In a specific embodiment of the present invention, the risk factors may be divided into a user basic state, a user access state and a resource basic state. The user basic state is the analysis of the user's basic information, from which the security level of the user identity can be found; the user access state is the user's behavior and operations, which correspond to the risk probability in risk assessment; and the resource basic state describes the importance of the object, which corresponds to the loss in risk assessment.
User basic state: a user must have an identity, which is unique and must be secure with respect to the system, as an access object in an access control policy that the policy allows. The user basic state is static over a short time and mainly comprises the account, password, the user's duty level, the user's rewards and punishments, and so on.
User access state: the user access state is associated with each access to the target and is dynamic. From user login to the end of the access, the user's operation behavior is recorded, and the user's behavior preference is the key point for risk quantification. The user access state comprises login time, login location, password login success rate, target access success rate, operation type, target access frequency, and so on.
Resource basic state: the user is the subject and the resource the object, and the importance of the object reflects the probability of risk occurrence, i.e. the more important the resource, the higher the probability. The resource basic state includes the importance degree of the resource, the attributes of the resource, and so on.
Risk is an intuitive judgment of the threat a user poses in current and future accesses to the system. Risks are classified by level, but the BP neural network outputs a number, so the risk levels must be mapped from that output, and a risk factor alpha is added so that the risk amount follows the rule of trust in human relationships, slow to build and quick to collapse: the risk amount falls faster when the risk is high and rises slowly when there is no risk. The risk amount defaults to 1 when the user registers; each later access request consumes the risk amount by the product of the risk value and the risk factor alpha, and when the remaining risk amount is not enough to support the access, the request is rejected. Table 1 gives the risk rating against the risk value and risk factor; determining the corresponding risk factor by table lookup in step 6 above means looking it up in Table 1.
TABLE 1

| Risk rating | Risk value | Risk factor alpha |
|---|---|---|
| None | 0-0.2 | 0.2 |
| Low | 0.2-0.5 | -0.5 |
| Higher | 0.5-0.8 | -1 |
| Very high | 0.8-1 | -1.5 |
According to the embodiment of the invention, the risk factors can be used as feature inputs of the BP neural network, and error analysis can be carried out on the output. The weights and thresholds of the neural network are continuously adjusted and the neural network model improved, so that the prediction result agrees more closely with the real result.
The establishment of the risk assessment model based on the BP neural network can be realized through the following aspects:
(1) determination of input factors
The risk value is determined by the user basic state, the user access state and the resource basic state, so these three states are the inputs of the neural network, i.e. the input layer has 3 nodes. To make the neuron inputs more sensitive over the activation function's (-1,1) range and improve training efficiency, the inputs can be normalized by min-max scaling.
(2) Selection of activation function
In this embodiment, the ReLU function is selected. The ReLU function is a piecewise linear function; it overcomes the vanishing-gradient defect of the sigmoid and tanh functions, is faster to compute (only whether the input is greater than 0 needs to be judged), and converges far faster than the sigmoid and tanh functions. The ReLU function formula is as follows:
(3) determination of an output value
The input of the BP neural network is a user basic state, a user access state and a resource basic state, the three factors are key factors influencing a user risk value, and therefore an output value is the risk value.
(4) Determination of hidden layer nodes
The number of hidden-layer nodes is determined by the number and the degree of disorder of the samples; the hidden layer mainly searches for a specific rule in the sample data and memorizes it. Too many nodes increase learning time and may over-analyze the sample data, which adversely affects the prediction result; too few nodes may fail to learn the sample rule comprehensively. An addition-and-deletion method can be adopted: the number of hidden nodes is set within a given range and the training effect is checked; if the training model is unsatisfactory, the number of nodes is increased or decreased while other variables are kept unchanged, until the training model achieves a satisfactory effect.
(5) Weight determination
The initialization of the weight in the neural network can effectively solve the problems of gradient disappearance and gradient explosion, and has a vital influence on the convergence speed and the performance of the model. In this embodiment, a random initialization method may be adopted to perform initialization setting on the weights.
As shown in fig. 2, in practical application a user requests access to a target resource in the power grid information system; the risk module collects risk indices and preprocesses them, the preprocessing result is input into the trained neural network model to obtain a risk value, a risk factor is obtained from Table 1 to change the risk amount, and it is then judged whether the risk amount supports access permission: if the access request is satisfied, the target is allowed to be operated, otherwise the request is rejected. Further, the user may also perform specified access request behaviour to increase the risk amount and thereby obtain permission for a request that was denied.
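As an added illustration (not code from the patent), the following Python models the risk-amount ledger of steps 6 and 7 with the values of Table 1: the amount starts at 1, is moved by risk value times α on every request, and the request is allowed only if the modified amount still meets the access's risk threshold. The risk threshold per resource, the clamping of the amount to [0, 1], and treating each table interval as closed at its upper bound are assumptions not stated in the text.

```python
import math
from dataclasses import dataclass, field

# Table 1 of the description: upper bound of each risk-value interval, rating, factor alpha.
# Assumption: an interval is closed at its upper bound, so a value of exactly 0.2 is "None".
RISK_TABLE = [
    (0.2, "None", 0.2),
    (0.5, "Low", -0.5),
    (0.8, "High", -1.0),
    (1.0, "Very high", -1.5),
]


def lookup_risk_factor(risk_value):
    """Step 6: map the BP network's risk value in [0, 1] to (rating, alpha) by table lookup."""
    if not 0.0 <= risk_value <= 1.0:
        raise ValueError("risk value must be min-max normalised into [0, 1]")
    for upper, rating, alpha in RISK_TABLE:
        if risk_value <= upper:
            return rating, alpha
    raise AssertionError("unreachable: the table covers the whole of [0, 1]")


@dataclass
class RiskLedger:
    """Per-user risk amount: starts at 1 on registration and is moved by risk_value * alpha.

    Assumptions (not in the patent text): the amount is clamped to [0, 1], so low-risk
    accesses can rebuild it only up to the registration value; a rejected request still
    consumes the amount, because step 6 modifies it before step 7 judges it.
    """
    amount: float = 1.0
    floor: float = 0.0
    ceiling: float = 1.0
    log: list = field(default_factory=list)

    def request(self, risk_value, threshold):
        """Steps 6-7 for one service access; returns (allowed, rating, amount_after)."""
        rating, alpha = lookup_risk_factor(risk_value)
        # Step 6: the amount is consumed by the product of risk value and risk factor.
        # With alpha = +0.2 and risk_value <= 0.2 the gain is at most 0.04 per access
        # (slow increase); with alpha = -1.5 one very-high-risk access can wipe the
        # amount out (sudden decrease).
        self.amount = min(self.ceiling, max(self.floor, self.amount + risk_value * alpha))
        # Step 7: the modified amount must still support this access's risk threshold.
        allowed = self.amount >= threshold
        self.log.append((risk_value, rating, round(self.amount, 4), allowed))
        return allowed, rating, self.amount


def accesses_to_recover(amount, threshold, risk_value):
    """Number of consecutive accesses at one low risk value needed to rebuild the amount
    to the threshold (shows the deliberately slow recovery); None if that risk value
    never earns any amount back."""
    _, alpha = lookup_risk_factor(risk_value)
    gain = risk_value * alpha
    if gain <= 0.0:
        return None
    return max(0, math.ceil((threshold - amount) / gain))


if __name__ == "__main__":
    # Constructed session: three accesses to a resource whose risk threshold is 0.5.
    ledger = RiskLedger()
    for rv in (0.4, 0.7, 0.15):
        print(ledger.request(rv, threshold=0.5))
    print("accesses needed at risk 0.15:", accesses_to_recover(ledger.amount, 0.5, 0.15))
```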
According to an embodiment of the present invention, the step 3 further includes:
collecting the user identity authentication information and calculating a direct trust value; if the direct trust value is zero, the user is proved to hold a false identity and the access is quit; if the direct trust value is larger than zero, collecting the user's historical interaction records from the central database and calculating a historical trust value, collecting the evaluation records of the user by other third-party users and calculating the user's recommended trust value by constructing a trust chain, weighting and adding the direct trust value and the recommended trust value to obtain a comprehensive trust value, and taking the comprehensive trust value as the user trust level.
It can be understood that each interaction process between each user and the power grid information system is recorded in the central database, so that subsequent processing such as tracing, auditing and the like is facilitated.
According to an embodiment of the present invention, the step 3 further includes:
after the access identity of the user is verified, acquiring the historical trust and the initial authority of the user;
calculating the user access control function G and decomposing it into G1 and G2, where G1: A → T, T ∈ [0, 1], A represents the user and T represents the trust level; G2: T → R, R ∈ [0, 1], R represents a role, → represents a mapping function, and the decomposition is made by the mapping function;
evaluating the user behaviour and analysing whether a serious violation exists; if it exists, the access is directly and forcibly quit, and if it does not, the current trust level is calculated and the user trust level is recalculated in combination with the historical trust level, as shown in fig. 3.
It can be understood that once the current user trust level falls below a certain set trust threshold, the user cannot be given a higher level of authority, and may even automatically lose the authority to access the grid information system.
In this embodiment, calculating the current trust level, and recalculating the user trust level by combining the historical trust level specifically includes:
calculating the influence of past behaviour on the current user trust level, where the result is influenced by the time t, to obtain a trust decay function φ(t); the calculation formula is as follows: φ(t) = e^(−pt), where p is the trust decay value;
recording and processing malicious or improper operations of a user, and calculating a penalty term for a certain user a, denoted P(a); the calculation formula is as follows: where n represents the data flow of malicious or improper accesses to the power grid information system;
for the condition that the user conforms to normal operation, the user's trust level is increased and a certain reward is given; a reward term R(a) is calculated with the following formula: R(a) = e^(−(0.2m + 4)), where m represents the data flow of normal accesses to the grid information system.
The historical trust level and the current trust level are processed to a certain degree and the weighted calculation is completed to obtain the user trust level; the calculation formula is as follows: where History(a) represents the result of the historical trust level and Entiro(R(a), P(a)) represents the result of the user's current trust level.
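As an added illustration (not code from the patent) of the trust recalculation of step 3 and the role mapping G2: T → R, the following Python uses the decay φ(t) = e^(−pt) and reward R(a) = e^(−(0.2m+4)) as given above. The penalty term P(a), the current-trust combination Entiro(R(a), P(a)), the weights of the historical and current parts and the role thresholds are all hypothetical placeholders, because the page does not show their formulas.

```python
import math


def decay(t, p):
    """phi(t) = e^(-p t): weight of a historical trust result observed t time units ago
    (formula from the description; p is the trust decay value)."""
    if t < 0 or p < 0:
        raise ValueError("t and p must be non-negative")
    return math.exp(-p * t)


def reward(m):
    """R(a) = e^(-(0.2 m + 4)) with m the normally accessed data flow (from the description)."""
    return math.exp(-(0.2 * m + 4))


def penalty(n):
    """HYPOTHETICAL P(a): the page omits its formula. This placeholder is 0 for n = 0 and
    rises towards 1 with the malicious / improper data flow n."""
    return 1.0 - math.exp(-0.2 * n)


def clamp01(x):
    return max(0.0, min(1.0, x))


def current_trust(m, n, baseline=0.5):
    """HYPOTHETICAL Entiro(R(a), P(a)): a neutral baseline raised by the reward and
    lowered by the penalty, kept inside [0, 1]."""
    return clamp01(baseline + reward(m) - penalty(n))


def user_trust(history, t, p, m, n, w_hist=0.5):
    """Weighted combination of the decayed History(a) and the current trust.
    The 0.5 / 0.5 weighting is an assumption; the page leaves the weights open."""
    return clamp01(w_hist * decay(t, p) * history + (1.0 - w_hist) * current_trust(m, n))


# G2: T -> R. Constructed role thresholds (the page gives none), highest role first.
ROLE_THRESHOLDS = [("administrator", 0.8), ("operator", 0.6), ("viewer", 0.3)]


def assign_role(trust):
    """Highest role whose trust threshold the user meets, or None (no role earned)."""
    for role, threshold in ROLE_THRESHOLDS:
        if trust >= threshold:
            return role
    return None


def authorise(history, t, p, m, n, serious_violation=False):
    """Step 3 end to end: returns (user_trust, role). A serious violation forcibly ends
    the access before any trust is calculated, so both values are None."""
    if serious_violation:
        return None, None
    trust = user_trust(history, t, p, m, n)
    return trust, assign_role(trust)


if __name__ == "__main__":
    # Constructed cases: fresh history, 30-period-old history, and heavy improper traffic.
    print(authorise(history=0.9, t=0, p=0.1, m=0, n=0))
    print(authorise(history=0.9, t=30, p=0.1, m=0, n=0))
    print(authorise(history=0.9, t=0, p=0.1, m=0, n=20))
    print(authorise(history=0.9, t=0, p=0.1, m=0, n=0, serious_violation=True))
```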
it should be noted that, in this embodiment, the access control model needs to calculate and evaluate the trust level of the user, and the following factors are mainly considered in the evaluation process:
(1) The user's historical behaviour. Past operations are recorded and evaluated; the user's operation data is an important parameter for calculating the trust level and directly influences the system's evaluation and analysis of the user's trust level, and the record does not disappear when the user quits.
(2) The user's current behaviour. The user's operations at the current stage are analysed: the operations are recorded and monitored, their data results are analysed, and the data resources and content of the system they access and process are analysed, which avoids the occurrence of malicious operations to a certain extent.
According to the embodiment of the invention, the access authority of different roles to the resources is different under different trust levels. Although the boundary between the user behavior trust levels is fuzzy and the user behavior has strong randomness, the user behavior approximately follows normal distribution, so the embodiment introduces the normal cloud theory into the measurement of the user behavior trust. Normal cloud theory can achieve an uncertain transformation from a qualitative concept to a quantitative representation.
According to another embodiment of the invention, the collected multidimensional network monitoring data can be quantitatively mapped into a specific trust metric value by using a cloud fuzzy evaluation theory, wherein the cloud fuzzy evaluation theory comprises cloud droplets and a trust cloud;
the cloud droplets are characterized as follows: let U be the domain of trust membership and C a qualitative concept representing w trust levels on U; x_1, x_2, …, x_m are the metric indices describing the behaviour trust of each user in the domain; the trust membership of the trust level described by C is denoted by μ; the trust membership is a group of normal random numbers tending to be stable, and its distribution on U is called a normal trust cloud, composed of elements (x_i, μ_i), each element being called a cloud droplet;
the trust cloud is characterized by: each normal trust cloud is formally represented as a triplet (Ex, En, He), Ex being an expectation of the trust cloud; en is the entropy of the trust cloud, and reflects the dispersion degree and the value range of cloud droplets in the trust cloud; he represents the hyper-entropy of the trust cloud, reflecting the aggregation degree of the whole trust cloud on the cloud picture.
Further, step 3 specifically includes:
grading the user trust value according to the practical application, and constructing w standard normal trust clouds S_Ci(Ex_i, En_i, He_i), i = 1, 2, …, w, by using a cloud generator; the trust value is divided into w intervals, and the maximum and minimum values of each interval are recorded as a_imax and a_imin respectively; first, the trust value is divided into w levels according to the security strength requirement and the control granularity of the access control, and the expectation, entropy and hyper-entropy of the w standard normal trust clouds are calculated with the following formulas:
He_i = w;
then, n cloud droplets (x_i, μ_i) of the w standard normal trust clouds are generated by applying an inverse normal cloud generator; then, by constructing the Gaussian random numbers En_i = NORE(En, He²) and x_i = NORE(Ex, (En_i)²), calculating
Collecting user behaviour data according to preset metric indices, selecting a suitable sliding window according to actual requirements, setting a reasonable time period, collecting the actual values of the metric indices over several time periods in the sliding window, grading each metric index one by one and normalizing the data at the same time; according to the security strength requirement, each metric index has z intervals of metric values based on the user role, and the higher the metric value, the higher the credibility. Denoting the minimum and maximum values of the ith interval as a_imin and a_imax, the behaviour data are quantized to a trust value ε:
ε = a_imin + θ × (a_imax − a_imin)
where, when the user's metric value is greater than or equal to the ith interval, θ is the percentage of the number of behaviour data items falling in that interval to the total number of metric data items; when the user's metric value is smaller than the ith interval, θ is the percentage of the number of behaviour data items in the ith interval to the total number of metric data items;
By applying this method, the higher the proportion of abnormal user behaviour in the measurement period, the lower the trust value. For example, if the trust value range for the number of user login failures is [0, 20], it is divided into four ranges corresponding to four levels, [0, 5], [5, 10], [10, 15] and [15, 20]; assuming 100 measurements in the selected period, of which the abnormal counts fall 50 times in [0, 5], 25 times in [5, 10], 15 times in [10, 15] and 10 times in [15, 20], the trust values of each grade calculated with the formula are 2.5, 6.25, 10.75 and 15.5;
obtaining quantized actual user behavior data by means of an inverse normal trust sub-cloud generator, and generating expectation, entropy and super-entropy of m normal trust sub-clouds corresponding to m measurement indexes;
using an actual normal trust cloud synthesizer, taking the expectation, entropy and hyper-entropy of the m metric-index normal trust sub-clouds and the weight of each index as input, the expectation, entropy and hyper-entropy of the actual normal trust cloud are obtained as follows:
and comparing the similarity of the actual normal trust cloud and the standard normal trust cloud, and taking the trust level represented by the standard normal cloud with the highest similarity as the user trust level.
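As an added illustration (not code from the patent) of the cloud-based trust measurement just described, the following Python reproduces the worked login-failure quantization (2.5, 6.25, 10.75, 15.5), generates droplets with the NORE(En, He²) / NORE(Ex, En_i²) construction, builds sub-clouds with a backward cloud generator, synthesizes them and picks the most similar standard cloud. The droplet membership formula, the backward generator, the Ex/En of the standard clouds, the weighted synthesis and the similarity measure are standard cloud-model choices or assumptions, since the page omits those formulas.

```python
import math
import random


def quantize_metric(intervals, counts):
    """Trust value epsilon per interval of one metric index (e.g. login failures):
    epsilon = a_imin + theta * (a_imax - a_imin), theta = share of the window's
    measurements in the i-th interval; reproduces the page's worked values."""
    total = sum(counts)
    if total <= 0:
        raise ValueError("no measurements in the sliding window")
    return [a_min + (c / total) * (a_max - a_min)
            for (a_min, a_max), c in zip(intervals, counts)]


def standard_clouds(lo, hi, w, he):
    """w standard normal trust clouds S_Ci(Ex_i, En_i, He_i) over the trust range [lo, hi].
    ASSUMPTION: the page omits the Ex/En formulas; here Ex_i is the interval midpoint,
    En_i the interval width / 6 (3-En rule) and He_i the caller-supplied hyper-entropy."""
    width = (hi - lo) / w
    return [(lo + (i + 0.5) * width, width / 6, he) for i in range(w)]


def forward_cloud(ex, en, he, n, rng=None):
    """n droplets (x_i, mu_i) from (Ex, En, He): En_i' = NORM(En, He^2), x_i = NORM(Ex, En_i'^2).
    ASSUMPTION: mu_i = exp(-(x_i - Ex)^2 / (2 En_i'^2)), the standard normal-cloud
    membership that the page's text stops short of."""
    rng = rng if rng is not None else random
    drops = []
    for _ in range(n):
        en_i = abs(rng.gauss(en, he)) or 1e-12   # NORM(En, He^2): std-dev He; guard zero
        x_i = rng.gauss(ex, en_i)                # NORM(Ex, En_i'^2)
        drops.append((x_i, math.exp(-(x_i - ex) ** 2 / (2 * en_i ** 2))))
    return drops


def backward_cloud(samples):
    """Inverse (backward) normal cloud generator without certainty degree, standard form
    (ASSUMPTION, the page only names the generator): Ex = mean, En = sqrt(pi/2)*mean|x-Ex|,
    He = sqrt(|S^2 - En^2|) with S^2 the sample variance."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two quantised observations")
    ex = sum(samples) / n
    en = math.sqrt(math.pi / 2) * sum(abs(x - ex) for x in samples) / n
    s2 = sum((x - ex) ** 2 for x in samples) / (n - 1)
    return ex, en, math.sqrt(abs(s2 - en * en))


def synthesize(subclouds, weights):
    """Actual normal trust cloud from m sub-clouds and index weights.
    ASSUMPTION: the synthesizer formula is omitted on the page; a weighted mean is used."""
    if not math.isclose(sum(weights), 1.0):
        raise ValueError("index weights must sum to 1")
    return tuple(sum(wt * c[k] for wt, c in zip(weights, subclouds)) for k in range(3))


def similarity(c1, c2):
    """ASSUMPTION: 1 / (1 + Euclidean distance) between (Ex, En, He) triplets."""
    return 1.0 / (1.0 + math.dist(c1, c2))


def trust_level(actual, standards):
    """1-based trust level whose standard cloud is most similar to the actual cloud."""
    sims = [similarity(actual, s) for s in standards]
    return sims.index(max(sims)) + 1


if __name__ == "__main__":
    # Worked example from the description: login-failure counts, 100 measurements.
    intervals = [(0, 5), (5, 10), (10, 15), (15, 20)]
    print(quantize_metric(intervals, [50, 25, 15, 10]))   # [2.5, 6.25, 10.75, 15.5]
    standards = standard_clouds(0, 20, 4, he=0.05)
    # Constructed quantised observations for three metric indices (network traffic,
    # resource access, security characteristic) over eight sliding-window periods.
    obs = {
        "traffic":  [15.5, 16.0, 14.8, 15.9, 16.2, 15.1, 15.7, 15.4],
        "resource": [10.9, 11.4, 10.2, 11.0, 10.7, 11.8, 10.5, 11.1],
        "security": [17.0, 16.4, 17.3, 16.9, 17.1, 16.6, 17.4, 16.8],
    }
    subclouds = [backward_cloud(v) for v in obs.values()]
    actual = synthesize(subclouds, [0.4, 0.4, 0.2])
    print("actual cloud", actual, "-> level", trust_level(actual, standards))
    print(forward_cloud(*standards[3], n=3, rng=random.Random(7)))
```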
Further, the preset metric includes: a network traffic behavior trust metric, a resource access behavior trust metric, and a security characteristic behavior trust metric.
It should be noted that the network traffic behavior trust measurement index and the resource access behavior trust measurement index are used for measuring the hidden attack and performing access control on the resource according to the trust level. The security characteristic behavior trust measurement index is used for measuring obvious attack behaviors of the user and rapidly refusing illegal access of the user.
Specifically, the network traffic behaviour trust metric index is: suspicious behaviour is distinguished by collecting the traffic characteristics of the data packets sent and received by the user on the network, and the user behaviour trust value is then measured;
the resource access behaviour trust metric index is: suspicious behaviour is recorded through the behaviour characteristics of the user when accessing resources, and the credibility of the user behaviour is then measured; for example, an APT attack has strong latency and is difficult to identify from traffic, but its abnormal behaviour can be discovered through resource access, such as access to the core service database of the grid information system;
the security characteristic behaviour trust metric index is: an index capable of reflecting obvious attack behaviour is selected, and illegal users are quickly forbidden from accessing the network; for example, a scanning or sniffing attack that sends Ping packets to many ports at the same time is obviously aggressive.
Fig. 5 shows a block diagram of a grid information system access control system based on information metrics according to the present invention.
As shown in fig. 5, the second aspect of the present invention further provides an information metric-based grid information system access control system, including:
the identity authentication module is used for receiving a login request of a user terminal, performing identity authentication based on the login request, and accessing the user terminal into the power grid information system when the identity authentication is successful;
the trust management module is used for receiving an access request of a user terminal to a target resource, judging whether the user needs to apply for or change the role, if so, collecting user behavior data, and performing operation processing on the user behavior data to obtain user trust; comparing the user trust with a trust threshold of the applied or changed role, and if the user trust is greater than or equal to the trust threshold, giving the applied or changed role to the user; otherwise, access is denied;
the risk management module is used for receiving a service access operation initiated by the user terminal in an applied or changed role, collecting attributes of the user and the operation and inputting the attributes into a BP (back propagation) neural network for preprocessing to obtain a risk value; determining a corresponding risk factor through a table look-up mode according to the risk value, and modifying the risk limit by combining the risk value and the risk factor; and judging whether the modified risk limit exceeds the risk threshold value of the access, if so, allowing the service access operation, otherwise, rejecting the service access operation.
The access control strategy of the access control system of the invention covers the access strategy at two intermediate nodes, user authorization and the user access request. Adding the trust module means that at the role stage the user no longer relies only on the previous single user identity authorization but also makes full use of the user's previous interaction data; adding risk indices to the trust makes the trust measurement more reasonable and accurate. Adding the risk module makes the user's use of authority finer-grained: the original access control strategy only controlled resources outside the user's authority, intercepting them in back-end code, and did not restrict a user for malicious access, so a malicious user could remain in the system for a long time, which is not conducive to maintaining normal operation of the system. Adding the trust management module and the risk management module makes the system flexible and dynamic and fully protects system resources.
In a specific embodiment, the trust management module is mainly responsible for collecting trust attributes of the access user and calculating the weight and the trust value of the trust index, and is used for judging whether a main body bearing a corresponding role reaches a role trust threshold required by the corresponding role or not and whether the corresponding role is allocated. The risk management module is mainly responsible for collecting risk factors of the access users, training the neural network and judging the work of risk values of the users, and is used for judging whether the risk limit of the access requests of the users reaches the authority risk threshold value or not and whether the target resources are allowed to be operated or not.
It should be noted that the grid information system access control system based on the information metric further includes a processor and a memory; the memory stores a program of the power grid information system access control method based on the information metric, and the program, when executed by the processor, implements the steps of the power grid information system access control method based on the information metric.
It should be noted that the processor may be a Central Processing Unit (CPU), another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
It is understood that the user terminal may be a mobile phone, a PAD, a PC, etc., but is not limited thereto.
The third aspect of the present invention further provides a computer-readable storage medium, where the computer-readable storage medium includes a program of the power grid information system access control method based on the information metric, and when the program is executed by a processor, the steps of the power grid information system access control method based on the information metric as described above are implemented.
According to the power grid information system access control method based on the information metric, zero trust access control of the power grid information system is realized through the identity authentication of the user and the evaluation results of the user trust level and the risk amount, and an unauthorized attacker is effectively prevented from attempting to read and tamper with the confidential data of the power grid information system.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units; can be located in one place or distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: a mobile storage device, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Alternatively, the integrated unit of the present invention may be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. Based on such understanding, the technical solutions of the embodiments of the present invention may be essentially implemented or a part contributing to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.
Claims (10)
1. A power grid information system access control method based on information measurement is characterized by comprising the following steps:
step 1, receiving a login request of a user terminal, performing identity authentication based on the login request, and accessing the user terminal into a power grid information system after the identity authentication is successful;
step 2, receiving an access request of a user terminal to a target resource, judging whether the user needs to apply for or change the role, if so, performing step 3, otherwise, performing step 6;
step 3, collecting user behavior data, and carrying out operation processing on the user behavior data to obtain user trust;
step 4, comparing the user trust with the trust threshold of the applied or changed role, if the user trust is greater than or equal to the trust threshold, giving the applied or changed role to the user and entering step 5; otherwise, access is denied;
step 5, receiving a service access operation initiated by the user terminal in the applied or changed role, collecting attributes of the user and the operation, and inputting the attributes into a BP neural network for preprocessing to obtain a risk value;
step 6, determining corresponding risk factors through a table look-up mode according to the risk values, and modifying the risk amount by combining the risk values and the risk factors;
step 7, judging whether the modified risk limit exceeds the risk threshold value of the access, if so, allowing the service access operation, otherwise, rejecting the service access operation.
2. The method for controlling access to a grid information system based on information measurement according to claim 1, wherein step 3 further comprises:
collecting the user identity authentication information and calculating a direct trust value; if the direct trust value is zero, the user is proved to hold a false identity and the access is quit; if the direct trust value is larger than zero, collecting the user's historical interaction records from the central database and calculating a historical trust value, collecting the evaluation records of the user by other third-party users and calculating the user's recommended trust value by constructing a trust chain, weighting and adding the direct trust value and the recommended trust value to obtain a comprehensive trust value, and taking the comprehensive trust value as the user trust level.
3. The method for controlling access to a grid information system based on information measurement according to claim 1, wherein step 3 further comprises:
after the access identity of the user is verified, acquiring the historical trust and the initial authority of the user;
calculating the user access control function G and decomposing it into G1 and G2, where G1: A → T, T ∈ [0, 1], A represents a user and T represents the trust level; G2: T → R, R ∈ [0, 1], R denotes a role, and → denotes a mapping function;
evaluating the user behaviour and analysing whether a serious violation exists; if it exists, the access is directly and forcibly quit, and if it does not, the current trust level is calculated and the user trust level is recalculated in combination with the historical trust level.
4. The power grid information system access control method based on information measurement as claimed in claim 3, wherein calculating the current trust level and recalculating the user trust level in combination with the historical trust level specifically further comprises:
calculating the influence of past operation behaviour on the current user trust level, where the result is influenced by the time t, to obtain a trust decay function φ(t); the calculation formula is as follows: φ(t) = e^(−pt), where p is the trust decay value;
recording and processing malicious or improper operations of a user, and calculating a penalty term for a certain user a, denoted P(a); the calculation formula is as follows: where n represents the data flow of malicious or improper accesses to the power grid information system;
for the condition that the user conforms to normal operation, the user's trust level is increased and a certain reward is given; a reward term R(a) is calculated with the following formula: R(a) = e^(−(0.2m + 4)), where m represents the data flow of normal accesses to the power grid information system;
the historical trust level and the current trust level are processed to a certain degree and the weighted calculation is completed to obtain the user trust level; the calculation formula is as follows: where History(a) represents the result of the historical trust level and Entiro(R(a), P(a)) represents the result of the user's current trust level.
5. the power grid information system access control method based on the information metric, as recited in claim 1, characterized in that the collected multidimensional network monitoring data is quantitatively mapped into a specific trust metric value by using a cloud fuzzy evaluation theory, wherein the cloud fuzzy evaluation theory comprises cloud droplets and a trust cloud;
the cloud droplets are characterized as follows: let U be the domain of trust membership and C a qualitative concept representing w trust levels on U; x_1, x_2, …, x_m are the metric indices describing the behaviour trust of each user in the domain; the trust membership of the trust level described by C is denoted by μ; the trust membership is a group of normal random numbers tending to be stable, and its distribution on U is called a normal trust cloud, composed of elements (x_i, μ_i), each element being called a cloud droplet;
the trust cloud is characterized by: each normal trust cloud is formally represented as a triplet (Ex, En, He), Ex being an expectation of the trust cloud; en is the entropy of the trust cloud, and reflects the dispersion degree and the value range of cloud droplets in the trust cloud; he represents the hyper-entropy of the trust cloud, reflecting the aggregation degree of the whole trust cloud on the cloud picture.
6. The method for controlling access to a grid information system based on information measurement according to claim 5, wherein the step 3 specifically further comprises:
grading the user trust value according to the practical application, and constructing w standard normal trust clouds S_Ci(Ex_i, En_i, He_i), i = 1, 2, …, w, by using a cloud generator; the trust value is divided into w intervals, and the maximum and minimum values of each interval are recorded as a_imax and a_imin respectively; first, the trust value is divided into w levels according to the security strength requirement and the control granularity of the access control, and the expectation, entropy and hyper-entropy of the w standard normal trust clouds are calculated with the following formulas:
He_i = w;
then, n cloud droplets (x_i, μ_i) of the w standard normal trust clouds are generated by applying an inverse normal cloud generator; then, by constructing the Gaussian random numbers En_i = NORE(En, He²) and x_i = NORE(Ex, (En_i)²), calculating
Collecting user behaviour data according to preset metric indices, selecting a suitable sliding window according to actual requirements, setting a reasonable time period, collecting the actual values of the metric indices over several time periods in the sliding window, grading each metric index one by one and normalizing the data at the same time; according to the security strength requirement, each metric index has z intervals of metric values based on the user role, and the higher the metric value, the higher the credibility. Denoting the minimum and maximum values of the ith interval as a_imin and a_imax, the behaviour data are quantized to a trust value ε:
ε = a_imin + θ × (a_imax − a_imin);
where, when the user's metric value is greater than or equal to the ith interval, θ is the percentage of the number of behaviour data items falling in that interval to the total number of metric data items; when the user's metric value is smaller than the ith interval, θ is the percentage of the number of behaviour data items to the total number of metric data items;
obtaining quantized actual user behavior data by means of an inverse normal trust sub-cloud generator, and generating expectation, entropy and super-entropy of m normal trust sub-clouds corresponding to m measurement indexes;
utilizing an actual normal trust cloud synthesizer to obtain expectation, entropy, super-entropy and each index weight of m measurement index normal trust sub-cloudsAs input, the expectation, entropy, and super entropy of the actual normal trust cloud are obtained as follows:
and comparing the similarity of the actual normal trust cloud and the standard normal trust cloud, and taking the trust level represented by the standard normal cloud with the highest similarity as the user trust level.
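Worked example, added here as an illustration and not code from the patent or any implementation of it: the claim-6 pipeline in Python using the standard cloud-model algorithms. The forward normal cloud generator (En' = NORM(En, He²), x = NORM(Ex, En'²), μ = exp(−(x − Ex)²/(2En'²))) and the backward generator without certainty degree are the textbook ones. Everything the page's formulas do not supply is an assumption and is marked as such in the code: the mapping from a trust interval [a_{i,min}, a_{i,max}] to (Ex_i, En_i, He_i) (which differs from the page's He_i = w), the weighted synthesis of the m sub-clouds, and the droplet-based similarity. The three metric windows, their weights and the three trust intervals are constructed sample data. The example also handles the case the claim does not mention: when the actual cloud resembles none of the standard clouds, it returns no level instead of silently assigning the nearest one.

```python
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class NormalCloud:
    """Numerical characteristics of a normal cloud: expectation Ex, entropy En, hyper-entropy He."""
    ex: float
    en: float
    he: float


def standard_trust_clouds(intervals: Sequence[Tuple[float, float]]) -> List[NormalCloud]:
    """One standard normal trust cloud S_Ci per trust level i.
    ASSUMPTION (the page's Ex/En formulas are missing): Ex is the interval midpoint,
    En follows the 3-sigma rule (width / 6) and He is a tenth of En."""
    clouds = []
    for a_min, a_max in intervals:
        if a_max <= a_min:
            raise ValueError("interval must have positive width")
        en = (a_max - a_min) / 6.0
        clouds.append(NormalCloud((a_min + a_max) / 2.0, en, en / 10.0))
    return clouds


def forward_generator(cloud: NormalCloud, n: int,
                      rng: Optional[random.Random] = None) -> List[Tuple[float, float]]:
    """Forward normal cloud generator: En' = NORM(En, He^2), x = NORM(Ex, En'^2),
    mu = exp(-(x - Ex)^2 / (2 En'^2)). Returns n cloud droplets (x, mu)."""
    rng = rng or random.Random(0)
    drops = []
    for _ in range(n):
        en_p = abs(rng.gauss(cloud.en, cloud.he)) or 1e-12  # En' must stay positive
        x = rng.gauss(cloud.ex, en_p)
        mu = math.exp(-((x - cloud.ex) ** 2) / (2.0 * en_p * en_p))
        drops.append((x, mu))
    return drops


def backward_generator(samples: Sequence[float]) -> NormalCloud:
    """Backward (inverse) normal cloud generator without certainty degree:
    estimates (Ex, En, He) from the raw measurements of one sliding window."""
    n = len(samples)
    if n < 2:
        raise ValueError("a sliding window needs at least two measurements")
    ex = sum(samples) / n
    en = math.sqrt(math.pi / 2.0) * sum(abs(x - ex) for x in samples) / n
    s2 = sum((x - ex) ** 2 for x in samples) / (n - 1)
    he = math.sqrt(abs(s2 - en * en))
    return NormalCloud(ex, en, he)


def synthesize(subclouds: Sequence[NormalCloud], weights: Sequence[float]) -> NormalCloud:
    """ASSUMPTION (the page's synthesizer formula is missing): normalised weighted mean."""
    total = sum(weights)
    if total <= 0:
        raise ValueError("weights must sum to a positive value")
    ws = [w / total for w in weights]
    return NormalCloud(sum(w * c.ex for w, c in zip(ws, subclouds)),
                       sum(w * c.en for w, c in zip(ws, subclouds)),
                       sum(w * c.he for w, c in zip(ws, subclouds)))


def similarity(actual: NormalCloud, standard: NormalCloud, n_drops: int, rng: random.Random) -> float:
    """Droplet-based likeness (assumed similarity measure): mean membership of the actual
    cloud's droplets in the standard cloud's expectation curve exp(-(x - Ex)^2 / (2 En^2))."""
    den = 2.0 * standard.en * standard.en
    drops = forward_generator(actual, n_drops, rng)
    return sum(math.exp(-((x - standard.ex) ** 2) / den) for x, _ in drops) / n_drops


def trust_level(windows: Dict[str, Sequence[float]], weights: Dict[str, float],
                intervals: Sequence[Tuple[float, float]], n_drops: int = 1000,
                seed: int = 7, min_similarity: float = 0.05):
    """Claim-6 pipeline: sub-cloud per metric -> synthesized actual cloud -> most similar
    standard cloud. Returns (level index or None, actual cloud, similarity per level).
    None means no standard cloud is a credible match; a policy point should treat that as deny."""
    rng = random.Random(seed)
    names = list(windows)
    actual = synthesize([backward_generator(windows[k]) for k in names], [weights[k] for k in names])
    sims = [similarity(actual, s, n_drops, rng) for s in standard_trust_clouds(intervals)]
    best = max(range(len(sims)), key=sims.__getitem__)
    return (best if sims[best] >= min_similarity else None), actual, sims


# Constructed sample data (not from the patent): the three metrics of claim 7 over six window periods.
TRUST_INTERVALS = [(0.0, 0.4), (0.4, 0.7), (0.7, 1.0)]  # w = 3 levels: low, medium, high
WEIGHTS = {"traffic": 0.4, "resource_access": 0.4, "security": 0.2}
HIGH_WINDOWS = {"traffic": [0.88, 0.91, 0.86, 0.90, 0.89, 0.87],
                "resource_access": [0.92, 0.90, 0.93, 0.89, 0.91, 0.90],
                "security": [0.95, 0.97, 0.96, 0.94, 0.96, 0.95]}
LOW_WINDOWS = {"traffic": [0.20, 0.25, 0.18, 0.22, 0.30, 0.24],
               "resource_access": [0.15, 0.20, 0.12, 0.18, 0.22, 0.16],
               "security": [0.10, 0.35, 0.05, 0.30, 0.15, 0.40]}

if __name__ == "__main__":
    for name, win in (("high", HIGH_WINDOWS), ("low", LOW_WINDOWS)):
        level, cloud, sims = trust_level(win, WEIGHTS, TRUST_INTERVALS)
        print(name, level, cloud, [round(s, 3) for s in sims])
```

The seed is fixed so the decision is reproducible; in a real policy point, keep `n_drops` large and log the full similarity vector rather than only the winner, so a near-tie between adjacent levels or a collapse to `None` is visible to whoever reviews a denied role change.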
7. The method according to claim 6, wherein the preset measurement indexes include: a network traffic behaviour trust metric, a resource access behaviour trust metric, and a security characteristic behaviour trust metric.
8. The information-measurement-based grid information system access control method according to claim 7, wherein the network traffic behaviour trust metric is: suspicious behaviour is distinguished by collecting the traffic characteristics of the data packets sent and received by the user in the network, and the user behaviour trust value is then measured from them;
the resource access behaviour trust metric is: suspicious behaviour is recorded from the user's behavioural characteristics when accessing resources, and the credibility of the user's behaviour is measured from it;
the security characteristic behaviour trust metric is: indexes that reflect obvious attack behaviour are selected, so that illegal users can be quickly barred from accessing the network.
9. An information-measurement-based grid information system access control system, comprising:
an identity authentication module, used to receive a login request from a user terminal, perform identity authentication based on the login request, and connect the user terminal to the grid information system when authentication succeeds;
a trust management module, used to receive an access request from the user terminal for a target resource and judge whether the user needs to apply for or change a role; if so, to collect user behaviour data and process it to obtain the user trust, compare the user trust with the trust threshold of the applied-for or changed role and, if the user trust is greater than or equal to the trust threshold, grant the applied-for or changed role to the user, otherwise deny access;
a risk management module, used to receive a service access operation initiated by the user terminal in the applied-for or changed role, collect the attributes of the user and of the operation and input them into a BP (back-propagation) neural network for preprocessing to obtain a risk value; determine the corresponding risk factor from the risk value by table look-up and modify the risk limit by combining the risk value and the risk factor; and judge whether the modified risk limit exceeds the risk threshold of the access: if so, allow the service access operation, otherwise reject it.
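Worked example, added here and not part of the patent or any product built on it: the claim-9 decision flow of the trust-management and risk-management modules in Python. The BP network is replaced by a fixed-weight logistic score (a stand-in, not a trained model); the risk-factor table, the role trust thresholds, the per-operation risk thresholds, the initial risk limit and the rule "modified limit = limit − risk value × risk factor" are all assumptions, because the page names these steps but gives no numbers or formula. The identity-authentication module is out of scope and is represented by the `Session` object being created. The scenario in `demo()` is constructed.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ASSUMPTION: risk value band -> risk factor. The patent looks the factor up from the
# risk value but gives no table; these bands are constructed for the example.
RISK_FACTOR_TABLE = [
    (0.0, 0.3, 0.5),   # low risk: cheap
    (0.3, 0.6, 1.0),
    (0.6, 0.8, 2.0),
    (0.8, 1.0, 4.0),   # high risk: every operation drains the limit fast
]

# ASSUMPTION: trust threshold per applied/changed role, risk threshold per access type.
ROLE_TRUST_THRESHOLD: Dict[str, float] = {"operator": 0.6, "dispatcher": 0.8}
ACCESS_RISK_THRESHOLD: Dict[str, float] = {"read_telemetry": 2.0, "write_setpoint": 5.0}


def lookup_risk_factor(risk_value: float) -> float:
    """Table look-up of the risk factor; the top band is closed so a value of exactly 1.0 is covered."""
    for lo, hi, factor in RISK_FACTOR_TABLE:
        if lo <= risk_value < hi or (risk_value == hi == 1.0):
            return factor
    raise ValueError(f"risk value {risk_value} outside [0, 1]")


def risk_value(attrs: Dict[str, float]) -> float:
    """Stand-in for the BP network: logistic score over user/operation attributes with
    constructed, untrained weights. Output lies in (0, 1); missing attributes count as 0."""
    weights = {"sensitivity": 2.0, "off_hours": 1.0, "new_device": 1.5, "write_op": 1.2}
    z = -3.0 + sum(weights[k] * float(attrs.get(k, 0.0)) for k in weights)
    return 1.0 / (1.0 + math.exp(-z))


@dataclass
class Session:
    user: str
    trust: float                 # user trust produced by the trust-measurement step
    role: Optional[str] = None   # granted only after the trust check passes
    risk_limit: float = 10.0     # ASSUMPTION: per-session risk budget


def apply_role(session: Session, role: str) -> bool:
    """Trust management module: grant the applied/changed role only if trust >= its threshold."""
    if session.trust >= ROLE_TRUST_THRESHOLD[role]:
        session.role = role
        return True
    return False


def authorize(session: Session, operation: str, attrs: Dict[str, float]) -> Tuple[bool, float]:
    """Risk management module: score the operation, look up the factor, modify the limit,
    and allow only while the modified limit still exceeds the access's risk threshold.
    The modification is kept even on denial, so repeated risky attempts keep draining the budget."""
    if session.role is None:
        return False, session.risk_limit          # no role granted: nothing to authorize
    rv = risk_value(attrs)
    rf = lookup_risk_factor(rv)
    session.risk_limit -= rv * rf                 # ASSUMPTION: how value and factor modify the limit
    allowed = session.risk_limit > ACCESS_RISK_THRESHOLD[operation]
    return allowed, session.risk_limit


def demo() -> List[bool]:
    """Constructed scenario: a moderately trusted user gets 'operator' but not 'dispatcher';
    two off-hours setpoint writes from a new device then exhaust the budget, while a
    quiet telemetry read afterwards is still within the lower read threshold."""
    s = Session(user="grid-op-17", trust=0.7)
    risky = {"sensitivity": 1, "off_hours": 1, "new_device": 1, "write_op": 1}
    quiet = {"sensitivity": 0, "off_hours": 0, "new_device": 0, "write_op": 0}
    return [
        apply_role(s, "dispatcher"),               # False: 0.7 < 0.8
        apply_role(s, "operator"),                 # True:  0.7 >= 0.6
        authorize(s, "write_setpoint", risky)[0],  # True:  limit 10 -> about 6.25 > 5.0
        authorize(s, "write_setpoint", risky)[0],  # False: limit about 2.50, not > 5.0
        authorize(s, "read_telemetry", quiet)[0],  # True:  limit about 2.48 > 2.0
    ]


if __name__ == "__main__":
    print(demo())
```

Two points a deployment would have to settle that the claim leaves open: whether the risk limit is per session or per user across sessions (a per-session budget resets on re-login, which an attacker who can re-authenticate will notice), and whether a denied operation still consumes budget; the example consumes it, which is the conservative choice.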
10. A computer-readable storage medium, characterized in that it stores a program of the information-measurement-based grid information system access control method, and when the program is executed by a processor, the steps of the information-measurement-based grid information system access control method according to any one of claims 1 to 8 are implemented.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110370876.5A CN112966245A (en) | 2021-04-07 | 2021-04-07 | Power grid information system access control method and system based on information measurement |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110370876.5A CN112966245A (en) | 2021-04-07 | 2021-04-07 | Power grid information system access control method and system based on information measurement |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112966245A true CN112966245A (en) | 2021-06-15 |
Family
ID=76281387
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110370876.5A Pending CN112966245A (en) | 2021-04-07 | 2021-04-07 | Power grid information system access control method and system based on information measurement |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112966245A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101719824A (en) * | 2009-11-24 | 2010-06-02 | 北京信息科技大学 | Network behavior detection-based trust evaluation system and network behavior detection-based trust evaluation method |
CN111431843A (en) * | 2019-01-10 | 2020-07-17 | 中国科学院电子学研究所 | Access control method based on trust and attribute in cloud computing environment |
CN111953679A (en) * | 2020-08-11 | 2020-11-17 | 中国人民解放军战略支援部队信息工程大学 | Intranet user behavior measurement method and network access control method based on zero trust |
Non-Patent Citations (2)
Title |
---|
Wen Xing (文星): "Application of the software-defined perimeter security model in power grid enterprise systems" (软件定义边界安全模型在电网企业系统中的应用), Network and Information Security (网络与信息安全) * |
Xu Chengshan (许成山): "Research and application of a trust- and risk-based access control model" (基于信任和风险的访问控制模型的研究及应用), China Masters' Theses Full-text Database (中国优秀硕士学位论文全文数据库) * |
Cited By (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113824732A (en) * | 2021-10-13 | 2021-12-21 | 成都安恒信息技术有限公司 | Zero trust-based multi-factor authentication method |
CN114070600A (en) * | 2021-11-11 | 2022-02-18 | 上海电气集团数字科技有限公司 | Industrial Internet field identity access control method based on zero trust model |
CN114070600B (en) * | 2021-11-11 | 2023-09-29 | 上海电气集团数字科技有限公司 | Industrial Internet domain identity access control method based on zero trust model |
CN114465777A (en) * | 2021-12-31 | 2022-05-10 | 惠州华阳通用智慧车载系统开发有限公司 | TSP server access control method |
CN114465777B (en) * | 2021-12-31 | 2023-06-30 | 惠州华阳通用智慧车载系统开发有限公司 | TSP server access control method |
CN114553487A (en) * | 2022-01-22 | 2022-05-27 | 郑州工程技术学院 | Access control method and system based on map |
CN114465807A (en) * | 2022-02-24 | 2022-05-10 | 重庆邮电大学 | Zero-trust API gateway dynamic trust evaluation and access control method and system based on machine learning |
CN114465807B (en) * | 2022-02-24 | 2023-07-18 | 重庆邮电大学 | Zero-trust API gateway dynamic trust evaluation and access control method and system based on machine learning |
CN114650184B (en) * | 2022-04-15 | 2023-05-26 | 四川中电启明星信息技术有限公司 | Docker process security access control method based on trust degree |
CN114650184A (en) * | 2022-04-15 | 2022-06-21 | 四川中电启明星信息技术有限公司 | Docker process security access control method based on trust degree |
CN114925394A (en) * | 2022-05-13 | 2022-08-19 | 中国电信股份有限公司 | Request processing method, system, device, product, medium and equipment |
CN115061656A (en) * | 2022-06-06 | 2022-09-16 | 中国电信股份有限公司 | Random number generation method and device, electronic equipment and storage medium |
CN114936384A (en) * | 2022-06-21 | 2022-08-23 | 云南财经大学 | Electronic medical record access control method based on intuition fuzzy trust |
CN115051877B (en) * | 2022-08-12 | 2022-11-01 | 国网浙江省电力有限公司杭州供电公司 | Zero-trust model-based power grid cloud service security access method |
CN115051877A (en) * | 2022-08-12 | 2022-09-13 | 国网浙江省电力有限公司杭州供电公司 | Power grid cloud service security access method based on zero trust model |
CN115426200A (en) * | 2022-11-03 | 2022-12-02 | 北京数盾信息科技有限公司 | Data acquisition processing method and system |
CN115913676A (en) * | 2022-11-04 | 2023-04-04 | 上海申石软件有限公司 | Access control method and device for cloud native application, electronic equipment and storage medium |
CN115913676B (en) * | 2022-11-04 | 2023-06-02 | 上海申石软件有限公司 | Access control method and device for cloud native application, electronic equipment and storage medium |
CN115859345A (en) * | 2022-11-10 | 2023-03-28 | 广州益涛网络科技有限公司 | Data access management method and system based on block chain |
CN115859345B (en) * | 2022-11-10 | 2023-09-22 | 湖北华中电力科技开发有限责任公司 | Data access management method and system based on block chain |
CN115622798A (en) * | 2022-11-22 | 2023-01-17 | 国网湖北省电力有限公司营销服务中心(计量中心) | User authority distribution method of power load management system |
CN117745080A (en) * | 2024-02-19 | 2024-03-22 | 北京北科融智云计算科技有限公司 | Multi-factor authentication-based data access control and security supervision method and system |
CN117745080B (en) * | 2024-02-19 | 2024-04-26 | 北京北科融智云计算科技有限公司 | Multi-factor authentication-based data access control and security supervision method and system |
CN118260799A (en) * | 2024-04-15 | 2024-06-28 | 方块云(山东)信息技术有限公司 | Data security privacy protection method, system and device in cloud environment |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112966245A (en) | Power grid information system access control method and system based on information measurement | |
US9038134B1 (en) | Managing predictions in data security systems | |
CN111953679A (en) | Intranet user behavior measurement method and network access control method based on zero trust | |
Jiang et al. | A medical big data access control model based on fuzzy trust prediction and regression analysis | |
CN116545731A (en) | Zero-trust network access control method and system based on time window dynamic switching | |
CN116633615A (en) | Access control method based on blockchain and risk assessment | |
CN109583056A (en) | A kind of network-combination yarn tool performance appraisal procedure and system based on emulation platform | |
CN116702216B (en) | Multi-level access control method and device for real estate data | |
CN116418568A (en) | Data security access control method, system and storage medium based on dynamic trust evaluation | |
CN118228211B (en) | Software authorization authentication method | |
CN114091042A (en) | Risk early warning method | |
CN114021109A (en) | System and method for realizing identity authentication and access management of workshop-level industrial control system in tobacco industry | |
CN117834304B (en) | Autonomous controllable master control network safety protection system | |
CN118400166A (en) | Information encryption system and method based on cloud computing | |
CN110955908A (en) | Early warning evaluation method and system for confidential files and intelligent terminal | |
CN116915515B (en) | Access security control method and system for industrial control network | |
CN114238885A (en) | User abnormal login behavior identification method and device, computer equipment and storage medium | |
CN117811764A (en) | Zero trust network construction method and system | |
CN115086028B (en) | Block chain-based data security acquisition method | |
CN117494154A (en) | Zero trust-based power big data security management method and system | |
CN113392385B (en) | User trust measurement method and system in cloud environment | |
Yin et al. | A network security situation assessment model based on BP neural network optimized by DS evidence theory | |
Neto et al. | Untrustworthiness: A trust-based security metric | |
Han et al. | Research on Cloud End-User Behavior Trust Evaluation Model Based on Sliding Window | |
CN115587374B (en) | Dynamic access control method and control system based on trust value |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
2021-06-15 | PB01 | Publication | Application publication date: 20210615 |
(no date) | SE01 | Entry into force of request for substantive examination | |
(no date) | RJ01 | Rejection of invention patent application after publication | |