CN112966245A - Power grid information system access control method and system based on information measurement - Google Patents

Publication number: CN112966245A
Authority: CN (China)
Prior art keywords: trust, user, value, access, risk
Legal status: Pending
Application number: CN202110370876.5A
Other languages: Chinese (zh)
Inventors: 吕华辉, 樊凯, 杨航, 李慧娟, 张华兵, 付志博, 母天石
Current assignee: China Southern Power Grid Co Ltd; Southern Power Grid Digital Grid Research Institute Co Ltd
Original assignee: China Southern Power Grid Co Ltd; Southern Power Grid Digital Grid Research Institute Co Ltd
Application filed by China Southern Power Grid Co Ltd and Southern Power Grid Digital Grid Research Institute Co Ltd

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
              • G06F21/31 User authentication
              • G06F21/45 Structures or tools for the administration of authentication
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F21/55 Detecting local intrusion or implementing counter-measures
                • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
          • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
              • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
        • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
          • G06N3/00 Computing arrangements based on biological models
            • G06N3/02 Neural networks
              • G06N3/04 Architecture, e.g. interconnection topology
                • G06N3/048 Activation functions
              • G06N3/08 Learning methods
                • G06N3/084 Backpropagation, e.g. using gradient descent

Abstract

The invention provides a power grid information system access control method based on information measurement, comprising the following steps: receiving a login request, performing identity authentication, and admitting the user terminal to the power grid information system after successful authentication; receiving an access request for a target resource and judging whether the user needs to apply for or change a role, and if so, collecting user behaviour data and computing the user trust degree from it; comparing the user trust with a trust threshold, and if the user trust is greater than or equal to the trust threshold, giving the user the applied-for or changed role; receiving a service access operation initiated by the user terminal and preprocessing it with a neural network to obtain a risk value; determining a risk factor by table look-up according to the risk value, and modifying the risk amount by combining the risk value and the risk factor; and judging whether the modified risk amount exceeds the risk threshold of the access, allowing the access if so and refusing it otherwise. The invention realizes zero trust access control for the power grid information system.

Description

Power grid information system access control method and system based on information measurement
Technical Field
The invention relates to the field of intelligent information systems, in particular to a power grid information system access control method and system based on information measurement.
Background
With the development of the economy and society, information systems have become an important link in the national energy industry chain. Without a reliable power supply the various industries cannot operate normally, so the stability of the information system is particularly important. Through research and exploration in recent years the concept of the intelligent information system has emerged; it is characterised by high efficiency, cleanness, safety, reliability, interactivity and the like. Compared with the traditional information system, the intelligent information system is not only a network for transporting power but also an information interaction network, with the following advantages. Data interactivity: the intelligent information system can realise bidirectional real-time data interaction and therefore dynamic adjustment of electricity prices, which can effectively reduce the power consumption of households or factories. Key equipment monitoring: the intelligent information system can monitor generation, transmission, distribution and power equipment in real time through sensors, so it can resolve power failures rapidly and ensure the safety and stability of the information system. Flexible power scheduling: the intelligent information system can regulate power transmission at the macro level according to real-time consumption, which effectively avoids power shortages.
However, owing to the openness of intelligent information systems, the stronger bidirectional interaction between information systems and users, the growing number of intelligent devices, and the participation of a large number of users with different roles, the problems of managing the authority of users with different roles and controlling access to different devices are unavoidable. Since users with different roles have different device access requirements and different access rights, a reliable authentication, authorization and access control method is very important in order to avoid complex situations such as an unauthorized attacker attempting to read and tamper with data, or a user holding an expired authentication ticket accessing information system devices.
Disclosure of Invention
In order to solve at least one technical problem, the invention provides a power grid information system access control method and system based on information measurement.
In order to achieve the above object, a first aspect of the present invention provides a method for controlling access to a grid information system based on information measurement, the method including:
step 1, receiving a login request of a user terminal, performing identity authentication based on the login request, and accessing the user terminal into a power grid information system after the identity authentication is successful;
step 2, receiving an access request of a user terminal to a target resource, judging whether the user needs to apply for or change the role, if so, performing step 3, otherwise, performing step 6;
step 3, collecting user behavior data, and carrying out operation processing on the user behavior data to obtain user trust;
step 4, comparing the user trust with the trust threshold of the applied or changed role, if the user trust is greater than or equal to the trust threshold, giving the applied or changed role to the user and entering step 5; otherwise, access is denied;
step 5, receiving a service access operation initiated by the user terminal in the applied or changed role, collecting the user and the attributes in the operation, and inputting the attributes into a BP neural network for preprocessing to obtain a risk value;
step 6, determining corresponding risk factors through a table look-up mode according to the risk values, and modifying the risk amount by combining the risk values and the risk factors;
step 7, judging whether the modified risk amount exceeds the risk threshold value of the access, if so, allowing the service access operation, otherwise, rejecting the service access operation.
In this scheme, step 3 above specifically includes:
collecting user identity authentication information and calculating a direct trust value, and if the direct trust value is zero, proving that the user belongs to a false identity and quitting the access; if the direct trust value is larger than zero, collecting historical interaction records of the user from the central database, calculating a historical trust value, collecting evaluation records of the user and other third-party users, calculating a recommended trust value of the user by constructing a trust chain, adding the direct trust value and the recommended trust value weight to obtain a comprehensive trust value, and taking the comprehensive trust value as the user trust degree.
In this embodiment, step 3 further includes:
after the access identity of the user is verified, acquiring the historical trust and the initial authority of the user;
calculating the user access control function G and decomposing it into G1 and G2, where G1: A → T, T ∈ [0, 1], A represents the user and T the trust level; G2: T → R, R ∈ [0, 1], R denotes the role, and → denotes a mapping function;
evaluating the user behaviour and analysing whether a serious violation exists; if it does, access is forcibly terminated at once, and if it does not, the current trust level is calculated and the user trust level is recalculated in combination with the historical trust level.
In the scheme, the current trust level is calculated, and the user trust level is recalculated by combining the historical trust level, and the method specifically comprises the following steps:
calculating the influence of past operation behaviour on the current user trust as it varies with time t, giving a trust attenuation function φ(t) with the formula φ(t) = e^(−pt), where p is the trust decay value;
recording and processing malicious operation or improper operation of a user, and calculating a punishment item of a certain user a to be expressed as P (a), wherein the calculation formula is as follows:
Figure BDA0003009259670000031
wherein n represents data flow of malicious or improper access to the power grid information system;
for the case where the user's operation is normal, the user's trust is increased by a certain reward, and a reward term R(a) is calculated with the formula R(a) = e^(−(0.2m + 4)), where m represents the data flow normally accessed to the power grid information system;
the historical trust level and the current trust level are processed to a certain degree, the weighting calculation is completed, and the user trust level is obtained, wherein the calculation formula is as follows:
Figure BDA0003009259670000042
where History (a) represents the result of historical confidence level, Entiro (R (a), P (a)) represents the result of user's current confidence level,
Figure BDA0003009259670000041
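The trust update described above combines a time-decayed historical trust with a current trust built from reward and penalty terms, and the decomposed access control function G = G2 ∘ G1 then maps that trust level to a role. The following is an added illustration, not code from the patent: the decay φ(t) = e^(−pt) and the reward R(a) = e^(−(0.2m + 4)) are taken from the description, while the penalty formula, the way current trust is formed, the blending weights and the role thresholds (ROLE_THRESHOLDS) are stated assumptions, because the patent gives those formulas only as figures.

```python
import math

# Constructed role trust thresholds for G2: T -> R (the patent leaves the actual values to deployment).
ROLE_THRESHOLDS = {"viewer": 0.3, "operator": 0.6, "admin": 0.85}


def trust_decay(t, p):
    """phi(t) = e^(-pt): the weight that past behaviour still carries after time t (p = decay value)."""
    return math.exp(-p * t)


def reward(m):
    """R(a) = e^(-(0.2m + 4)), m = data flow normally accessed to the grid information system."""
    return math.exp(-(0.2 * m + 4))


def penalty(n):
    """ASSUMPTION: stand-in for P(a), whose formula the patent gives only as a figure.
    n = malicious or improper access data flow; the penalty grows from 0 towards 1 with n."""
    return 1.0 - math.exp(-0.5 * n)


def current_trust(m, n):
    """ASSUMPTION: current trust starts from full trust, is reduced by the penalty and raised
    by the reward, and is clipped to T in [0, 1]."""
    return min(1.0, max(0.0, 1.0 - penalty(n) + reward(m)))


def updated_trust(history, t, p, m, n):
    """ASSUMPTION for the weighting step: decayed historical trust and current trust are
    blended with weights phi(t) and 1 - phi(t), so old trust fades as t grows."""
    phi = trust_decay(t, p)
    return phi * history + (1.0 - phi) * current_trust(m, n)


def g1_trust(history, t, p, m, n, severe_violation):
    """G1: A -> T. A serious violation forces the session out, so no trust value is produced."""
    if severe_violation:
        return None
    return updated_trust(history, t, p, m, n)


def g2_role(trust):
    """G2: T -> R. The highest role whose threshold the trust level meets; None if none does."""
    if trust is None:
        return None
    eligible = [r for r, th in ROLE_THRESHOLDS.items() if trust >= th]
    return max(eligible, key=ROLE_THRESHOLDS.get) if eligible else None


def authorize_role(requested, trust):
    """Step 4: the applied-for or changed role is granted only if trust >= its threshold."""
    return trust is not None and trust >= ROLE_THRESHOLDS[requested]


if __name__ == "__main__":
    # Constructed scenario: historical trust 0.9 that is 5 time units old (p = 0.1), with 10 units
    # of normal traffic and 3 units of improper traffic in the current window.
    t_now = g1_trust(0.9, 5.0, 0.1, 10, 3, severe_violation=False)
    print(f"trust={t_now:.3f} role={g2_role(t_now)} admin allowed={authorize_role('admin', t_now)}")
```

With t = 0 the historical value is returned unchanged, and the further back the history lies the more the current window dominates, which is the fail-safe direction: a user cannot coast on old good behaviour.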
in the scheme, collected multidimensional network monitoring data are quantitatively mapped into a specific trust metric value by utilizing a cloud fuzzy evaluation theory, wherein the cloud fuzzy evaluation theory comprises cloud droplets and a trust cloud;
the cloud droplets are characterized as: let U be the domain of trust membership, C be a qualitative concept representing w trust levels on U, x1,x2,…,xmThe metric index for describing the behavior trust of each user in the expression theory domain, the trust membership of the trust level described by C is expressed by mu, the trust membership is a group of normal random numbers which tend to be stable, the distribution of the trust membership on U is called normal trust cloud, and the element (X) is used for expressing the trust of each user in the expression theory domainii) Group ofEach element is called a cloud drop;
the trust cloud is characterized by: each normal trust cloud is formally represented as a triplet (Ex, En, He), Ex being an expectation of the trust cloud; en is the entropy of the trust cloud, and reflects the dispersion degree and the value range of cloud droplets in the trust cloud; he represents the hyper-entropy of the trust cloud, reflecting the aggregation degree of the whole trust cloud on the cloud picture.
In this scheme, step 3 above specifically includes:
grading the user trust value according to the practical application, and constructing w standard normal trust clouds S_Ci(Ex_i, En_i, He_i), i = 1, 2, …, w, using a cloud generator; the trust value is divided into w intervals, and the maximum and minimum of the ith interval are denoted a_imax and a_imin respectively. First, the trust value is divided into w levels according to the security strength requirement and the control granularity of the access control, and the expectation, entropy and hyper-entropy of the w standard normal trust clouds are calculated as follows:
Figure BDA0003009259670000051
Figure BDA0003009259670000052
He_i = w;
then the w standard normal trust clouds are generated by applying the inverse normal cloud generator to produce n cloud drops (x_i, μ_i); then, by constructing the Gaussian random numbers En_i = NORE(En, He²) and x_i = NORE(Ex, (En_i)²), calculate
Figure BDA0003009259670000053
Collecting user behaviour data according to the preset metric indexes, selecting a suitable sliding window according to actual requirements, setting a reasonable time period, grading one by one the actual values of the metric indexes collected over several time periods within the sliding window, and normalising the data; according to the security strength requirement, each metric index has metric values in z intervals based on the user role, and the higher the metric value, the higher the credibility. Denote the minimum and maximum of the ith interval a_imin and a_imax; then the behaviour data are quantised to a trust value ε:
ε = a_imax + θ × (a_i − a_imin);
wherein,
Figure BDA0003009259670000054
when the behaviour data fall in the ith interval or above, θ is the percentage of the number of behaviour data in that interval relative to the total number of metric data;
Figure BDA0003009259670000055
when the user metric value is smaller than the ith interval, θ is the percentage of the number of behaviour data in the ith interval relative to the total number of metric data;
obtaining quantized actual user behavior data by means of an inverse normal trust sub-cloud generator, and generating expectation, entropy and super-entropy of m normal trust sub-clouds corresponding to m measurement indexes;
Figure BDA0003009259670000061
Figure BDA0003009259670000062
Figure BDA0003009259670000063
using the actual normal trust cloud synthesiser, taking the expectation, entropy, hyper-entropy and index weight of each of the m metric-index normal trust sub-clouds
Figure BDA0003009259670000064
as input, the expectation, entropy and hyper-entropy of the actual normal trust cloud are obtained as follows:
Figure BDA0003009259670000065
and comparing the similarity of the actual normal trust cloud and the standard normal trust cloud, and taking the trust level represented by the standard normal cloud with the highest similarity as the user trust level.
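The cloud-model pipeline above (standard clouds per trust level, an inverse normal cloud generator producing drops (x_i, μ_i) with En_i = NORE(En, He²) and x_i = NORE(Ex, (En_i)²), sub-clouds estimated from quantised behaviour data, weighted synthesis, similarity comparison) is illustrated below as an added example; it is not the patent's own code. The inverse generator follows the description literally. The standard-cloud parameters, the backward estimator for the sub-clouds, the linear synthesis and the expectation-curve similarity are stated assumptions standing in for formulas the patent gives only as figures, and the three metric series and their weights are constructed sample data.

```python
import math
import random

# Constructed sample: quantised values of the three preset metric indexes for one user over eight
# sliding-window periods, plus per-index weights. These are invented inputs, not patent data.
TRAFFIC = [0.81, 0.84, 0.79, 0.86, 0.83, 0.80, 0.85, 0.82]    # network traffic behaviour trust
ACCESS = [0.76, 0.79, 0.74, 0.78, 0.77, 0.80, 0.75, 0.78]     # resource access behaviour trust
SECURITY = [0.90, 0.88, 0.92, 0.89, 0.91, 0.90, 0.87, 0.93]   # security characteristic behaviour trust
WEIGHTS = [0.3, 0.3, 0.4]


def standard_trust_clouds(w):
    """Build the w standard normal trust clouds S_Ci(Ex_i, En_i, He_i) over [0, 1].
    ASSUMPTION: equal-width intervals, Ex_i at the interval midpoint, En_i = (a_imax - a_imin) / 6
    (3-sigma rule) and He_i = En_i / 10; the patent's own formulas are only given as figures."""
    clouds = []
    for i in range(w):
        a_min, a_max = i / w, (i + 1) / w
        en = (a_max - a_min) / 6
        clouds.append(((a_min + a_max) / 2, en, en / 10))
    return clouds


def normal_cloud_drops(ex, en, he, n, rng):
    """Inverse normal cloud generator as described: En_i = NORE(En, He^2), x_i = NORE(Ex, En_i^2),
    and each drop's certainty mu_i = exp(-(x_i - Ex)^2 / (2 En_i^2)) (standard normal-cloud membership)."""
    drops = []
    for _ in range(n):
        en_i = abs(rng.gauss(en, he)) or en      # keep the drop width strictly positive
        x_i = rng.gauss(ex, en_i)
        drops.append((x_i, math.exp(-((x_i - ex) ** 2) / (2 * en_i ** 2))))
    return drops


def backward_cloud_generator(samples):
    """Estimate (Ex, En, He) of one metric's trust sub-cloud from its quantised samples.
    Standard backward estimator: Ex = mean, En = sqrt(pi/2) * mean|x - Ex|, He = sqrt(|S^2 - En^2|)."""
    n = len(samples)
    ex = sum(samples) / n
    en = math.sqrt(math.pi / 2) * sum(abs(v - ex) for v in samples) / n
    s2 = sum((v - ex) ** 2 for v in samples) / (n - 1)
    return ex, en, math.sqrt(abs(s2 - en ** 2))


def synthesize_cloud(sub_clouds, weights):
    """ASSUMPTION: weighted linear synthesis of the m sub-clouds into the actual normal trust cloud."""
    total = sum(weights)
    return tuple(sum(wt * c[k] for wt, c in zip(weights, sub_clouds)) / total for k in range(3))


def classify_trust_level(actual, standards, n_drops=500, seed=1):
    """Score the actual cloud's drops against each standard cloud's expectation curve; the most
    similar standard cloud gives the user's trust level (1-based). Returns (level, similarities)."""
    drops = normal_cloud_drops(*actual, n_drops, random.Random(seed))
    sims = [sum(math.exp(-((x - ex) ** 2) / (2 * en ** 2)) for x, _ in drops) / n_drops
            for ex, en, _ in standards]
    return sims.index(max(sims)) + 1, sims


def evaluate_user(levels=4):
    """End to end: sub-cloud per metric -> synthesised actual cloud -> trust level."""
    subs = [backward_cloud_generator(s) for s in (TRAFFIC, ACCESS, SECURITY)]
    actual = synthesize_cloud(subs, WEIGHTS)
    level, sims = classify_trust_level(actual, standard_trust_clouds(levels))
    return level, actual, sims


if __name__ == "__main__":
    lvl, cloud, sims = evaluate_user()
    print("actual cloud (Ex, En, He) =", tuple(round(v, 4) for v in cloud))
    print("trust level =", lvl, "similarities =", [round(s, 3) for s in sims])
```

Because the similarity is computed on generated drops, the hyper-entropy He directly widens or narrows the spread of the actual cloud; a metric with very noisy samples therefore lowers the match to every standard cloud rather than being silently averaged away.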
In this scheme, the preset metric indexes include: a network traffic behavior trust metric, a resource access behavior trust metric, and a security characteristic behavior trust metric.
In this scheme, the network traffic behavior trust metric index is: the suspicious behavior is distinguished by collecting the flow characteristics of data packets transmitted and received by a user in a network, and then the user behavior trust value is measured;
the resource access behavior trust measurement index is as follows: recording suspicious behaviors through behavior characteristics of a user when accessing resources, and further measuring the credibility of the user behaviors;
the security characteristic behaviour trust metric index is: selecting an index capable of reflecting obvious attack behaviour, so that illegal users can quickly be barred from accessing the network.
The second aspect of the present invention further provides an information measurement-based power grid information system access control system, where the information measurement-based power grid information system access control system includes:
the identity authentication module is used for receiving a login request of a user terminal, performing identity authentication based on the login request, and accessing the user terminal into the power grid information system when the identity authentication is successful;
the trust management module is used for receiving an access request of a user terminal to a target resource, judging whether the user needs to apply for or change the role, if so, collecting user behavior data, and performing operation processing on the user behavior data to obtain user trust; comparing the user trust with a trust threshold of the applied or changed role, and if the user trust is greater than or equal to the trust threshold, giving the applied or changed role to the user; otherwise, access is denied;
the risk management module is used for receiving a service access operation initiated by the user terminal in an applied or changed role, collecting attributes of the user and the operation and inputting the attributes into a BP (back propagation) neural network for preprocessing to obtain a risk value; determining a corresponding risk factor through a table look-up mode according to the risk value, and modifying the risk limit by combining the risk value and the risk factor; and judging whether the modified risk limit exceeds the risk threshold value of the access, if so, allowing the service access operation, otherwise, rejecting the service access operation.
The third aspect of the present invention further provides a computer-readable storage medium, where the computer-readable storage medium includes a program of a power grid information system access control method based on information metric, and when the program of the information system access control method based on zero trust is executed by a processor, the steps of the power grid information system access control method based on information metric as described above are implemented.
According to the power grid information system access control method based on the information measurement, the zero trust access control of the power grid information system is realized through the identity authentication of the user and the evaluation results of the user trust degree and the risk amount, and an unauthorized attacker is effectively prevented from trying to read and tamper the confidential data of the power grid information system.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
FIG. 1 is a flow chart illustrating a method for controlling access to a grid information system based on information measurement according to the present invention;
FIG. 2 is a flowchart illustrating a method for determining whether a risk amount supports authorized access according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a method for obtaining user confidence according to a second embodiment of the present invention;
FIG. 4 is a flowchart illustrating a method for obtaining user confidence according to a third embodiment of the present invention;
fig. 5 shows a block diagram of a grid information system access control system based on information metrics according to the present invention.
Detailed Description
In order that the above objects, features and advantages of the present invention can be more clearly understood, a more particular description of the invention will be rendered by reference to the appended drawings. It should be noted that the embodiments and features of the embodiments of the present application may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, however, the present invention may be practiced in other ways than those specifically described herein, and therefore the scope of the present invention is not limited by the specific embodiments disclosed below.
Fig. 1 shows a flowchart of a grid information system access control method based on information measurement according to the present invention.
As shown in fig. 1, a first aspect of the present invention provides a method for controlling access to a grid information system based on information measurement, where the method includes:
step 1, receiving a login request of a user terminal, performing identity authentication based on the login request, and accessing the user terminal into a power grid information system after the identity authentication is successful;
the login request at least comprises identity information of a user, specifically, the identity authentication module acquires the identity information of the user from the login request and matches the identity information with information prestored in an identity database, and if the identity information is matched with the information prestored in the identity database, the identity authentication is successful and the access to a power grid information system is granted; if the matching is not consistent, the identity authentication fails, and the power grid information system is refused to enter;
step 2, receiving an access request of a user terminal to a target resource, judging whether the user needs to apply for or change the role, if so, performing step 3, otherwise, performing step 6;
step 3, collecting user behavior data, and carrying out operation processing on the user behavior data to obtain user trust;
step 4, comparing the user trust with the trust threshold of the applied or changed role, if the user trust is greater than or equal to the trust threshold, giving the applied or changed role to the user and entering step 5; otherwise, access is denied;
step 5, receiving a service access operation initiated by the user terminal in the applied or changed role, collecting the user and the attributes in the operation, and inputting the attributes into a BP neural network for preprocessing to obtain a risk value;
step 6, determining corresponding risk factors through a table look-up mode according to the risk values, and modifying the risk amount by combining the risk values and the risk factors;
step 7, judging whether the modified risk amount exceeds the risk threshold value of the access, if so, allowing the service access operation, otherwise, rejecting the service access operation.
In a specific embodiment of the invention, the risk factors may be divided into the user basic state, the user access state and the resource basic state. The user basic state is the analysis of the user's basic information, from which the security level of the user identity can be found; the user access state treats the user's behaviour and operations as the risk probability in the risk assessment, and the resource basic state describes the importance of the object, which corresponds to the loss in the risk assessment.
The user basic state: a user must have an identity, which is unique and must be secure with respect to the system, and which is the party whose access the access control policy permits. The user basic state is static in the short term and mainly comprises the account number, password, user duty level, user rewards and punishments, and the like.
User access status: the user access state is associated with each access to the target, which is a dynamic state. From user login to access ending, the operation behavior of the user is recorded, and the user behavior preference is a key point for risk quantification. The user access state comprises login time, login location, password login success rate, access target success rate, operation type, target access frequency and the like.
Resource base state: the user is used as a subject, the resource is used as an object, and the importance of the object can reflect the probability of risk occurrence, namely, the more important the resource is, the higher the occurrence probability is. The resource base state includes the importance degree of the resource, the attribute of the resource, and the like.
Risk is an intuitive judgement of the threat a user poses to the system during current and future accesses. Risks are graded by level, but the output of the BP neural network is a numerical value, so the risk levels have to be delimited, and a risk factor alpha is added so that the risk amount follows the intended change rule of slow increase and sudden decrease, i.e. the risk amount falls faster when the risk is high and rises only slowly when no risk is present. The risk amount defaults to 1 when the user registers; each later access request consumes the risk amount by the product of the risk value and the risk factor alpha, and when the remaining risk amount is not enough to support the access, the request is rejected. Table 1 shows the risk rating versus risk value and risk factor. In step 6 above, the corresponding risk factor is determined by looking up the table according to the risk value, that is, by looking up Table 1.
TABLE 1

Risk rating   Risk value   Risk factor alpha
None          0-0.2         0.2
Low           0.2-0.5      -0.5
High          0.5-0.8      -1
Very high     0.8-1        -1.5
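Steps 6 and 7 together form a per-user risk budget: Table 1 is looked up with the network's risk value, the risk amount is modified by risk value × alpha, and the access is allowed only while the modified amount still covers the threshold. The following is an added worked example, not the patent's code. The table values are the patent's; the treatment of the shared interval boundaries, the cap on the risk amount, the meaning of "supports the access" as amount >= threshold, and the sample threshold and risk sequence are assumptions made for the illustration.

```python
# Table 1 from the description: (risk rating, lower bound, upper bound, risk factor alpha).
# ASSUMPTION: the shared boundaries 0.2, 0.5 and 0.8 belong to the higher rating.
RISK_TABLE = [
    ("none", 0.0, 0.2, 0.2),
    ("low", 0.2, 0.5, -0.5),
    ("high", 0.5, 0.8, -1.0),
    ("very high", 0.8, 1.0, -1.5),
]


def lookup_risk_factor(risk_value):
    """Step 6 table look-up: map the network's risk value in [0, 1] to (rating, alpha)."""
    if not 0.0 <= risk_value <= 1.0:
        raise ValueError("risk value must lie in [0, 1]")
    for rating, lo, hi, alpha in RISK_TABLE:
        if lo <= risk_value < hi or risk_value == hi == 1.0:
            return rating, alpha
    raise AssertionError("unreachable: the table covers [0, 1]")


class RiskAccount:
    """Per-user risk amount. It starts at 1 on registration and every service access modifies it
    by risk_value * alpha: a small positive change for 'none' (slow increase) and an increasingly
    negative one for higher ratings (sudden decrease), as the description requires.
    ASSUMPTIONS: the amount is capped at its initial value so a long run of harmless requests
    cannot bank unlimited credit; 'supports the access' means amount >= the resource's threshold;
    the modified amount is kept even when the access is refused."""

    def __init__(self, initial=1.0):
        self.initial = initial
        self.amount = initial
        self.log = []   # audit trail of (risk value, rating, alpha, amount after, allowed)

    def decide(self, risk_value, risk_threshold):
        """Step 7: modify the risk amount, then allow only if it still covers the threshold."""
        rating, alpha = lookup_risk_factor(risk_value)
        self.amount = min(self.initial, self.amount + risk_value * alpha)
        allowed = self.amount >= risk_threshold
        self.log.append((risk_value, rating, alpha, round(self.amount, 4), allowed))
        return allowed, rating, round(self.amount, 4)


def run_session(risk_values, risk_threshold=0.3):
    """Replay a constructed sequence of risk values for one user; returns the per-request decisions."""
    account = RiskAccount()
    return [account.decide(rv, risk_threshold) for rv in risk_values]


if __name__ == "__main__":
    # Constructed sequence: a harmless request followed by two increasingly risky ones.
    for step in run_session([0.1, 0.6, 0.9]):
        print(step)
```

Note the asymmetry the table produces: a single "very high" request removes up to 1.5 units of budget, more than a fresh account holds, while recovering from "none"-rated requests is worth at most 0.04 per request, so a user who has been refused is not readmitted by simply retrying.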
According to the embodiment of the invention, the risk factors can be used as characteristic input of the BP neural network, and the error analysis can be carried out on the output. The weight value and the threshold value of the neural network are continuously adjusted, and the neural network model is improved, so that the prediction result is more consistent with the real result.
The establishment of the risk assessment model based on the BP neural network can be realized through the following aspects:
(1) determination of input factors
The risk value is influenced by the user basic state, the user access state and the resource basic state, so these three states are used as the inputs of the neural network, i.e. the input layer has 3 nodes. To make the neuron inputs more sensitive within the activation function range (-1, 1) and improve training efficiency, the inputs can be normalised by min-max scaling.
(2) Selection of activation function
In this embodiment the ReLU function is selected. ReLU is a piecewise linear function; it avoids the vanishing-gradient defect of the sigmoid and tanh functions, computes faster since it only needs to test whether the input is greater than 0, and converges much faster than sigmoid and tanh. The ReLU formula is as follows:
Figure BDA0003009259670000111
(3) determination of an output value
The input of the BP neural network is a user basic state, a user access state and a resource basic state, the three factors are key factors influencing a user risk value, and therefore an output value is the risk value.
(4) Determination of hidden layer nodes
The number of hidden-layer nodes is determined by the number of samples and their degree of disorder; the hidden layer mainly serves to find a specific rule in the sample data and memorise it. Too many nodes increase learning time and may over-analyse the sample data, which harms the prediction result; too few nodes may prevent the sample rule from being learned comprehensively. An addition-and-deletion method can be used: the number of hidden nodes is set within a given range and the training effect is checked; if the training model is not satisfactory, the number of nodes is increased or decreased while the other variables are kept unchanged, until the model achieves a satisfactory effect.
(5) Weight determination
The initialization of the weight in the neural network can effectively solve the problems of gradient disappearance and gradient explosion, and has a vital influence on the convergence speed and the performance of the model. In this embodiment, a random initialization method may be adopted to perform initialization setting on the weights.
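Items (1) to (5) above describe one model: three min-max normalised inputs (user basic state, user access state, resource basic state), a ReLU hidden layer, a single risk-value output, a tunable hidden width and random weight initialisation. The following is an added example written from that description, not the patent's code. It implements the backpropagation by hand so every step is visible; the sigmoid output unit, the squared-error loss, plain per-sample gradient descent and the eight labelled samples (RAW_SAMPLES) are assumptions and constructed data, since the patent fixes none of them.

```python
import math
import random

# Constructed training samples: (user basic state as security level 0-10, user access state as
# anomalous operations in the session, resource basic state as importance 1-5) -> risk label in [0, 1].
RAW_SAMPLES = [
    ((9, 0, 1), 0.05), ((8, 1, 2), 0.15), ((7, 2, 2), 0.25), ((6, 4, 3), 0.40),
    ((5, 6, 3), 0.50), ((4, 9, 4), 0.65), ((2, 14, 5), 0.85), ((1, 18, 5), 0.95),
]


def min_max_fit(rows):
    """Column-wise min and max of the three input factors (item (1): min-max normalisation)."""
    cols = list(zip(*rows))
    return [min(c) for c in cols], [max(c) for c in cols]


def min_max_apply(row, lo, hi):
    return [(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(row, lo, hi)]


def relu(z):
    return z if z > 0 else 0.0


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class RiskBPNet:
    """3-input BP network: one ReLU hidden layer (item (2)), one sigmoid output holding the risk
    value in [0, 1] (item (3)); n_hidden is the tunable width of item (4)."""

    def __init__(self, n_in=3, n_hidden=6, seed=7):
        rng = random.Random(seed)                       # item (5): random weight initialisation
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.1] * n_hidden                      # small positive bias keeps ReLUs alive early
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden)]
        self.b2 = 0.0

    def _forward(self, x):
        z1 = [sum(w * xi for w, xi in zip(row, x)) + b for row, b in zip(self.w1, self.b1)]
        h = [relu(z) for z in z1]
        out = sigmoid(sum(w * hi for w, hi in zip(self.w2, h)) + self.b2)
        return z1, h, out

    def predict(self, x):
        return self._forward(x)[2]

    def mse(self, X, Y):
        return sum((self.predict(x) - y) ** 2 for x, y in zip(X, Y)) / len(X)

    def train(self, X, Y, epochs=3000, lr=0.2):
        """Backpropagation with per-sample gradient descent; returns the final training MSE."""
        for _ in range(epochs):
            for x, y in zip(X, Y):
                z1, h, out = self._forward(x)
                d_out = (out - y) * out * (1.0 - out)   # dL/dz2 for L = (out - y)^2 / 2
                for j in range(len(self.w2)):
                    d_h = d_out * self.w2[j] * (1.0 if z1[j] > 0 else 0.0)   # ReLU gradient
                    self.w2[j] -= lr * d_out * h[j]
                    for i in range(len(x)):
                        self.w1[j][i] -= lr * d_h * x[i]
                    self.b1[j] -= lr * d_h
                self.b2 -= lr * d_out
        return self.mse(X, Y)


def train_risk_model(epochs=3000, lr=0.2):
    """Fit the constructed samples; returns (net, lo, hi, mse_before, mse_after)."""
    rows = [list(s) for s, _ in RAW_SAMPLES]
    lo, hi = min_max_fit(rows)
    X = [min_max_apply(r, lo, hi) for r in rows]
    Y = [y for _, y in RAW_SAMPLES]
    net = RiskBPNet()
    before = net.mse(X, Y)
    after = net.train(X, Y, epochs, lr)
    return net, lo, hi, before, after


def risk_value(net, lo, hi, user_level, anomalies, importance):
    """The network output is the risk value that step 6 then looks up in Table 1."""
    return net.predict(min_max_apply([user_level, anomalies, importance], lo, hi))


if __name__ == "__main__":
    net, lo, hi, before, after = train_risk_model()
    print(f"MSE before {before:.4f} -> after {after:.4f}")
    print("trusted user, low-value resource:", round(risk_value(net, lo, hi, 9, 0, 1), 3))
    print("untrusted user, critical resource:", round(risk_value(net, lo, hi, 1, 18, 5), 3))
```

The min-max bounds learned on the training data must be stored with the model: a live input outside them (for example more anomalous operations than any training sample) is scaled beyond 1, which is where a practitioner would clip the input rather than let the network extrapolate.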
As shown in fig. 2, in practical application a user requests access to a target resource in the power grid information system; the risk module collects the risk indexes and preprocesses them, the preprocessing result is input into the trained neural network model to obtain a risk value, and a risk factor is obtained from table 1 to change the risk amount, so as to judge whether the risk amount supports access permission. If the access request is satisfied, the operation on the target is allowed; otherwise the request is rejected. Further, the user may also adjust the access request behavior so as to increase the risk amount and obtain permission for a request that was denied.
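The following is an added illustration of the risk-model construction described in items (1) to (5) above: three input nodes, min-max normalization of the inputs, a relu hidden layer with randomly initialized weights, and back-propagation training that produces a risk value. It is example code written for this page, not code from the patent; the training rows, the hidden-layer size and the learning rate are constructed values, and the risk values in the rows are not from table 1.

```python
import random

# Constructed training rows (not the patent's data): each row is
# (user basic state, user access state, resource basic state, risk value).
# The three indexes are the network's three input nodes; the last field is
# the risk value the network should learn to output.
SAMPLES = [
    (2, 15, 1, 0.10), (3, 40, 2, 0.25), (5, 60, 3, 0.45), (7, 80, 4, 0.70),
    (8, 95, 5, 0.85), (1, 5, 1, 0.05), (6, 70, 4, 0.60), (4, 50, 2, 0.35),
]


def min_max_normalize(rows, lo=None, hi=None):
    """Scale each input column to [0, 1] (min-max); returns the scaled rows
    together with the bounds so new requests can be scaled identically."""
    if lo is None:
        cols = list(zip(*rows))
        lo = [min(c) for c in cols]
        hi = [max(c) for c in cols]
    scaled = [[(v - l) / (h - l) if h != l else 0.0
               for v, l, h in zip(row, lo, hi)] for row in rows]
    return scaled, lo, hi


def relu(x):
    return x if x > 0 else 0.0


def relu_grad(x):
    return 1.0 if x > 0 else 0.0


class RiskNet:
    """3-input BP network with one relu hidden layer and a linear output node."""

    def __init__(self, n_in=3, n_hidden=6, seed=7):
        rng = random.Random(seed)
        # Random initialization of the weights; the small positive hidden biases
        # keep relu units alive at the start of training (a design choice here).
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.1] * n_hidden
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden)]
        self.b2 = 0.0

    def forward(self, x):
        z = [sum(w * xi for w, xi in zip(row, x)) + b for row, b in zip(self.w1, self.b1)]
        h = [relu(v) for v in z]
        y = sum(w * hi for w, hi in zip(self.w2, h)) + self.b2
        return z, h, y

    def predict(self, x):
        return self.forward(x)[2]

    def train(self, xs, ys, epochs=2000, lr=0.05):
        """Plain stochastic gradient descent on the loss 0.5 * (y - t)^2."""
        for _ in range(epochs):
            for x, t in zip(xs, ys):
                z, h, y = self.forward(x)
                err = y - t
                dh = [err * w for w in self.w2]          # gradient w.r.t. hidden outputs
                self.w2 = [w - lr * err * hi for w, hi in zip(self.w2, h)]
                self.b2 -= lr * err
                for j in range(len(self.w1)):           # back-propagate through relu
                    g = dh[j] * relu_grad(z[j])
                    self.w1[j] = [w - lr * g * xi for w, xi in zip(self.w1[j], x)]
                    self.b1[j] -= lr * g


def mse(net, xs, ys):
    return sum((net.predict(x) - t) ** 2 for x, t in zip(xs, ys)) / len(xs)


def train_risk_model():
    """Normalize the constructed samples, train the net, and return it with the
    scaling bounds and the mean squared error before and after training."""
    raw_x = [s[:3] for s in SAMPLES]
    ys = [s[3] for s in SAMPLES]
    xs, lo, hi = min_max_normalize(raw_x)
    net = RiskNet()
    before = mse(net, xs, ys)
    net.train(xs, ys)
    return net, lo, hi, before, mse(net, xs, ys)


def risk_value_for(net, lo, hi, raw_request):
    """Risk value for one access request given as raw (unscaled) indexes."""
    x, _, _ = min_max_normalize([raw_request], lo, hi)
    return net.predict(x[0])


if __name__ == "__main__":
    net, lo, hi, before, after = train_risk_model()
    print(f"mse before={before:.4f} after={after:.4f}")
    print("risk for (8, 95, 5):", round(risk_value_for(net, lo, hi, (8, 95, 5)), 3))
```

The scaling bounds learned on the training data must be kept and reused for every live request; re-deriving them per request would silently change what a given risk value means.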
According to an embodiment of the present invention, the step 3 further includes:
collecting user identity authentication information and calculating a direct trust value; if the direct trust value is zero, the user is shown to have a false identity and the access is terminated; if the direct trust value is greater than zero, collecting the historical interaction records of the user from the central database and calculating a historical trust value, collecting the evaluation records of the user and other third-party users and calculating a recommended trust value of the user by constructing a trust chain, weighting and summing the direct trust value and the recommended trust value to obtain a comprehensive trust value, and taking the comprehensive trust value as the user trust degree.
It can be understood that each interaction process between each user and the power grid information system is recorded in the central database, so that subsequent processing such as tracing, auditing and the like is facilitated.
According to an embodiment of the present invention, the step 3 further includes:
after the access identity of the user is verified, acquiring the historical trust and the initial authority of the user;
calculating the user access control function G and decomposing it into G1 and G2, where G1: A → T, T ∈ [0,1], A represents the user and T represents the trust level; G2: T → R, R ∈ [0,1], R represents a role; → denotes a mapping function, and the decomposition is performed by these mapping functions;
evaluating the user behavior and analyzing whether a serious violation exists; if so, the access is directly and forcibly terminated; if not, the current trust level is calculated and the user trust level is recalculated by combining it with the historical trust level, as shown in fig. 3.
It can be understood that once the current user trust falls below a set trust threshold, the user cannot be given a higher level of authority, and may even automatically lose the authority to access the grid information system.
In this embodiment, calculating the current trust level, and recalculating the user trust level by combining the historical trust level specifically includes:
calculating the influence of past behavior on the current user confidence, where the result is influenced by time t, giving a confidence attenuation function φ(t) with the formula φ(t) = e^(−pt), where p is the confidence decay value;
recording and processing malicious operation or improper operation of a user, and calculating a punishment item of a certain user a to be expressed as P (a), wherein the calculation formula is as follows:
Figure BDA0003009259670000131
wherein n represents data flow of malicious or improper access to the power grid information system;
for the case in which the user's operation is normal, the trust degree of the user is increased and a certain reward is given; the reward item R(a) is calculated with the formula R(a) = e^(−(0.2m+4)), where m represents the data flow of normal access to the grid information system.
The historical trust level and the current trust level are processed to a certain degree, the weighting calculation is completed, and the user trust level is obtained, wherein the calculation formula is as follows:
Figure BDA0003009259670000141
where History (a) represents the result of historical confidence level, Entiro (R (a), P (a)) represents the result of user's current confidence level,
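As an added illustration of the trust recalculation above and of the threshold rule stated earlier (a user whose trust falls below the set threshold is not given higher authority and may lose access), the following example code, written for this page and not taken from the patent, implements the decay function φ(t) = e^(−pt) and the reward R(a) = e^(−(0.2m+4)) as given, and combines them with a historical trust value. The penalty function P(a), the weighted combination of historical and current trust, and the role thresholds are not reproduced from the patent's formulas (those appear only as figures here) and are assumptions of the example.

```python
import math

# Role trust thresholds are constructed for the example; the patent gives
# no concrete values.
ROLE_THRESHOLDS = {"viewer": 0.3, "operator": 0.5, "administrator": 0.8}


def decay(t, p):
    """Confidence attenuation φ(t) = e^(-pt): weight of a history item aged t."""
    return math.exp(-p * t)


def reward(m):
    """Reward item R(a) = e^(-(0.2m + 4)), m = data flow of normal access (page formula)."""
    return math.exp(-(0.2 * m + 4))


def penalty(n):
    """Penalty item P(a) for n units of malicious or improper data flow.
    The page's P(a) expression is not reproduced; this saturating form
    (more bad traffic -> penalty approaches 1) is an assumption of the example."""
    return 1.0 - math.exp(-0.5 * n)


def current_trust(m, n):
    """Entiro(R(a), P(a)) taken here as a neutral base of 0.5 plus reward minus
    penalty, clipped to [0, 1]; the combination is assumed."""
    return max(0.0, min(1.0, 0.5 + reward(m) - penalty(n)))


def user_trust(history, age_t, p, m, n, alpha=0.6):
    """Weighted recalculation: alpha * φ(t) * History(a) + (1 - alpha) * current.
    The weight alpha and this particular weighting are assumptions."""
    return alpha * decay(age_t, p) * history + (1 - alpha) * current_trust(m, n)


def role_decision(trust, role):
    """Grant the requested role only if trust reaches its threshold; trust below
    the lowest threshold loses grid access entirely (the page's revocation rule)."""
    if trust < min(ROLE_THRESHOLDS.values()):
        return "revoke-access"
    return "grant" if trust >= ROLE_THRESHOLDS[role] else "deny-role"


if __name__ == "__main__":
    clean = user_trust(history=0.9, age_t=1, p=0.05, m=50, n=0)
    bad = user_trust(history=0.9, age_t=1, p=0.05, m=50, n=20)
    print(round(clean, 3), role_decision(clean, "operator"))
    print(round(bad, 3), role_decision(bad, "administrator"))
```

Note that with the reward formula as stated on the page the reward is at most e^(−4), so the current-trust term is dominated by the penalty; the historical term decays with age, which is why a long-idle user with a good history does not retain full trust indefinitely.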
Figure BDA0003009259670000142
it should be noted that, in this embodiment, the access control model needs to calculate and evaluate the trust level of the user, and the following factors are mainly considered in the evaluation process:
(1) Historical behavior of the user. The user's past operations are recorded and evaluated; the user's operation data is an important parameter for calculating the trust degree and directly influences the system's evaluation and analysis of the user's trust, and it does not disappear when the user logs out.
(2) The current behavior of the user. The operation of the user at the current stage is analyzed, the operation is recorded and monitored, the data result of the operation is analyzed, the data resource and the content of the access and processing system of the operation are analyzed, and the occurrence of malicious operation is avoided to a certain extent.
According to the embodiment of the invention, the access authority of different roles to the resources is different under different trust levels. Although the boundary between the user behavior trust levels is fuzzy and the user behavior has strong randomness, the user behavior approximately follows normal distribution, so the embodiment introduces the normal cloud theory into the measurement of the user behavior trust. Normal cloud theory can achieve an uncertain transformation from a qualitative concept to a quantitative representation.
According to another embodiment of the invention, the collected multidimensional network monitoring data can be quantitatively mapped into a specific trust metric value by using a cloud fuzzy evaluation theory, wherein the cloud fuzzy evaluation theory comprises cloud droplets and a trust cloud;
the cloud droplets are characterized as follows: let U be the domain of trust membership, C a qualitative concept representing w trust levels on U, and x1, x2, …, xm the metric indexes describing each user's behavior trust in the domain; the trust membership of the trust level described by C is denoted μ and is a group of normal random numbers that tend to be stable; the distribution of the trust membership on U is called a normal trust cloud and is composed of elements (xi, μi), each of which is called a cloud drop;
the trust cloud is characterized by: each normal trust cloud is formally represented as a triplet (Ex, En, He), Ex being an expectation of the trust cloud; en is the entropy of the trust cloud, and reflects the dispersion degree and the value range of cloud droplets in the trust cloud; he represents the hyper-entropy of the trust cloud, reflecting the aggregation degree of the whole trust cloud on the cloud picture.
Further, step 3 specifically includes:
grading the user trust value according to the practical application and constructing w standard normal trust clouds S_Ci(Ex_i, En_i, He_i), i = 1, 2, …, w, with a cloud generator; the trust value is divided into w intervals, and the maximum and minimum values of each interval are recorded as a_imax and a_imin respectively; first, the trust value is divided into w levels according to the security intensity requirement and the control granularity of access control, and the expectation, entropy and hyper-entropy of the w standard normal trust clouds are calculated with the following formulas:
Figure BDA0003009259670000151
Figure BDA0003009259670000152
He_i = w;
then the w standard normal trust clouds are generated by applying an inverse normal cloud generator to produce n cloud droplets (x_i, μ_i); then Gaussian random numbers En_i = NORE(En, He²) and x_i = NORE(Ex, (En_i)²) are constructed to calculate
Figure BDA0003009259670000161
Collecting user behavior data according to the preset measurement indexes, selecting a suitable sliding window according to the actual requirements, setting a reasonable time period, collecting the actual values of the measurement indexes over several time periods in the sliding window, grading each measurement index one by one and normalizing the data; according to the security intensity requirement, each measurement index has z intervals of metric values based on the user role, and the higher the metric value, the higher the credibility. Let the minimum and maximum values of the ith interval be a_imin and a_imax; then the behavior data criteria are quantized to a confidence value ε:
ε = a_imax + θ × (a_i − a_imin)
wherein,
Figure BDA0003009259670000162
when the number of the behavior data in the interval is larger than or equal to the ith interval, the theta is the percentage of the number of the behavior data in the interval to the total number of the measurement data;
Figure BDA0003009259670000163
when the user metric value is smaller than the ith interval, the theta is the percentage of the number of the behavior data in the ith interval to the total number of the metric data;
By applying this method, the higher the proportion of abnormal user behavior in the measurement period, the lower the trust value. For example, if the trust value range for the number of user login failures is [0, 20], it is divided into four ranges corresponding to four levels: [0, 5], [5, 10], [10, 15] and [15, 20]. Assuming 100 measurements in the selected period, of which the abnormal counts fall 50 times in [0, 5], 25 times in [5, 10], 15 times in [10, 15] and 10 times in [15, 20], the formula gives trust values of 2.5, 6.25, 10.75 and 15.5 for the four grades;
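The worked numbers above can be reproduced as follows. This is example code added for this page, not the patent's own implementation. The page's worked values (2.5, 6.25, 10.75, 15.5) are obtained by interpolating from each interval's minimum by θ_i times the interval width, with θ_i the share of measurements falling in interval i; that reading of the quantization step, and the treatment of a measurement lying exactly on a shared boundary, are assumptions of the example. The raw login-failure measurements in the second function are constructed.

```python
# Four trust intervals for the "login failure count" metric and the
# per-interval counts from the page's example (100 measurements in total).
LOGIN_FAILURE_INTERVALS = [(0, 5), (5, 10), (10, 15), (15, 20)]
PAGE_EXAMPLE_COUNTS = [50, 25, 15, 10]


def bin_measurements(values, intervals):
    """Count how many raw measurements fall into each interval.
    Neighbouring intervals share their boundary on the page; here a value on a
    boundary is assigned to the lower interval (an assumption). Values outside
    every interval are rejected rather than silently dropped."""
    counts = [0] * len(intervals)
    for v in values:
        for i, (lo, hi) in enumerate(intervals):
            if lo <= v <= hi:
                counts[i] += 1
                break
        else:
            raise ValueError(f"measurement {v} outside all intervals")
    return counts


def quantize_interval_trust(intervals, counts):
    """Quantized trust value for each interval: a_imin + theta_i * (a_imax - a_imin),
    where theta_i = count_i / total. This is the reading that reproduces the
    page's worked values 2.5, 6.25, 10.75 and 15.5."""
    total = sum(counts)
    if total == 0:
        raise ValueError("no measurements in the sliding window")
    return [lo + (c / total) * (hi - lo) for (lo, hi), c in zip(intervals, counts)]


def quantize_measurements(values, intervals):
    """Full step: raw measurements from the sliding window -> per-interval counts
    -> quantized trust values, one per interval."""
    return quantize_interval_trust(intervals, bin_measurements(values, intervals))


if __name__ == "__main__":
    print(quantize_interval_trust(LOGIN_FAILURE_INTERVALS, PAGE_EXAMPLE_COUNTS))
    # Constructed raw login-failure counts for ten measurement periods.
    sample = [1, 2, 3, 6, 7, 12, 18, 4, 5, 9]
    print(bin_measurements(sample, LOGIN_FAILURE_INTERVALS))
    print(quantize_measurements(sample, LOGIN_FAILURE_INTERVALS))
```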
obtaining quantized actual user behavior data by means of an inverse normal trust sub-cloud generator, and generating expectation, entropy and super-entropy of m normal trust sub-clouds corresponding to m measurement indexes;
Figure BDA0003009259670000171
Figure BDA0003009259670000172
Figure BDA0003009259670000173
utilizing an actual normal trust cloud synthesizer to obtain expectation, entropy, super-entropy and each index weight of m measurement index normal trust sub-clouds
Figure BDA0003009259670000174
As input, the expectation, entropy, and super entropy of the actual normal trust cloud are obtained as follows:
Figure BDA0003009259670000175
and comparing the similarity of the actual normal trust cloud and the standard normal trust cloud, and taking the trust level represented by the standard normal cloud with the highest similarity as the user trust level.
Further, the preset metric includes: a network traffic behavior trust metric, a resource access behavior trust metric, and a security characteristic behavior trust metric.
It should be noted that the network traffic behavior trust measurement index and the resource access behavior trust measurement index are used for measuring the hidden attack and performing access control on the resource according to the trust level. The security characteristic behavior trust measurement index is used for measuring obvious attack behaviors of the user and rapidly refusing illegal access of the user.
Specifically, the network traffic behavior trust metric index is: the suspicious behavior is distinguished by collecting the flow characteristics of data packets transmitted and received by a user in a network, and then the user behavior trust value is measured;
the resource access behavior trust measurement index is as follows: recording suspicious behaviors through behavior characteristics of a user when accessing resources, and further measuring the credibility of the user behaviors; for example, the APT attack has strong latency, and although the APT attack is difficult to identify from the flow, the abnormal behavior can be discovered through the resource access, such as accessing the core service database of the grid information system;
the security characteristic behavior trust metric index is: an index that reflects obvious attack behavior is selected so that illegal users can be quickly forbidden from accessing the network; for example, scanning and sniffing attacks send Ping packets to a plurality of ports simultaneously, which is obviously aggressive.
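The security characteristic index is meant to catch behavior that is obviously aggressive, such as one source touching many ports of one host in a short burst, and to refuse such a user outright instead of sending it through the finer trust measurement. The following example code is added for this page and is not the patent's implementation; it runs a distinct-ports-per-window check over a small constructed connection log (the window length and port-count threshold are chosen for the example) and maps the result to the two outcomes the text describes.

```python
from collections import defaultdict

# Constructed connection records (not from the patent): "epoch src dst dport proto".
# 10.0.0.5 touches six different ports on one host within a few seconds;
# 10.0.0.9 is an ordinary client using two service ports over several minutes.
SAMPLE_LOG = """\
100 10.0.0.5 10.1.1.10 21 tcp
101 10.0.0.5 10.1.1.10 22 tcp
101 10.0.0.5 10.1.1.10 23 tcp
102 10.0.0.5 10.1.1.10 25 tcp
103 10.0.0.5 10.1.1.10 80 tcp
104 10.0.0.5 10.1.1.10 443 tcp
100 10.0.0.9 10.1.1.10 443 tcp
160 10.0.0.9 10.1.1.10 443 tcp
220 10.0.0.9 10.1.1.10 80 tcp
400 10.0.0.9 10.1.1.10 443 tcp
"""


def parse_log(text):
    """Parse the whitespace-separated records into (ts, src, dst, port, proto) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        events.append((int(ts), src, dst, int(port), proto))
    return events


def probe_sources(events, window=10, min_ports=5):
    """Return {src: max distinct ports hit on one host within `window` seconds}
    for every source that reaches `min_ports`; such a burst is the obvious
    attack signal the security characteristic index is meant to capture."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in events:
        by_pair[(src, dst)].append((ts, port))
    flagged = {}
    for (src, dst), hits in by_pair.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t <= t0 + window}
            if len(ports) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(ports))
    return flagged


def security_characteristic_decision(events):
    """Map the index to the page's two outcomes: flagged sources are refused at
    once, every other source proceeds to the finer trust measurement."""
    flagged = probe_sources(events)
    return {src: ("deny" if src in flagged else "measure-trust")
            for src in {e[1] for e in events}}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(probe_sources(evs))
    print(security_characteristic_decision(evs))
```

The per-(source, host) grouping keeps a busy legitimate client that talks to many hosts on the same port from being mistaken for a scan; the threshold and window should be tuned against the site's own traffic before the index is allowed to deny access on its own.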
Fig. 5 shows a block diagram of a grid information system access control system based on information metrics according to the present invention.
As shown in fig. 5, the second aspect of the present invention further provides an information metric-based grid information system access control system, including:
the identity authentication module is used for receiving a login request of a user terminal, performing identity authentication based on the login request, and accessing the user terminal into the power grid information system when the identity authentication is successful;
the trust management module is used for receiving an access request of a user terminal to a target resource, judging whether the user needs to apply for or change the role, if so, collecting user behavior data, and performing operation processing on the user behavior data to obtain user trust; comparing the user trust with a trust threshold of the applied or changed role, and if the user trust is greater than or equal to the trust threshold, giving the applied or changed role to the user; otherwise, access is denied;
the risk management module is used for receiving a service access operation initiated by the user terminal in an applied or changed role, collecting attributes of the user and the operation and inputting the attributes into a BP (back propagation) neural network for preprocessing to obtain a risk value; determining a corresponding risk factor through a table look-up mode according to the risk value, and modifying the risk limit by combining the risk value and the risk factor; and judging whether the modified risk limit exceeds the risk threshold value of the access, if so, allowing the service access operation, otherwise, rejecting the service access operation.
The access control strategy of the access control system of the invention involves access policies at two intermediate nodes, user authorization and the user access request. The addition of the trust module means that the role stage no longer relies only on the previous single user identity authorization but makes full use of the user's prior interaction data, and adding risk indexes to the trust makes the trust measurement more reasonable and accurate. The addition of the risk module makes the user's use of authority finer-grained: the original access control strategy only controlled resources outside the user's authority, intercepting them through back-end code, and did not restrict a user for malicious access, so a malicious user could remain in the system for a long time, which is not conducive to maintaining normal system operation. The addition of the trust management module and the risk management module makes the system flexible and dynamic and fully protects system resources.
In a specific embodiment, the trust management module is mainly responsible for collecting trust attributes of the access user and calculating the weight and the trust value of the trust index, and is used for judging whether a main body bearing a corresponding role reaches a role trust threshold required by the corresponding role or not and whether the corresponding role is allocated. The risk management module is mainly responsible for collecting risk factors of the access users, training the neural network and judging the work of risk values of the users, and is used for judging whether the risk limit of the access requests of the users reaches the authority risk threshold value or not and whether the target resources are allowed to be operated or not.
It should be noted that the grid information system access control system based on the information metric further includes a processor and a storage; the storage contains a program of the power grid information system access control method based on information measurement, and when executed by the processor the program implements the steps of the power grid information system access control method based on information measurement.
It should be noted that the processor may be a Central Processing Unit (CPU), another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
It is understood that the user terminal may be a mobile phone, a PAD, a PC, etc., but is not limited thereto.
The third aspect of the present invention further provides a computer-readable storage medium, where the computer-readable storage medium includes a program of a power grid information system access control method based on information metric, and when the program of the information system access control method based on zero trust is executed by a processor, the steps of the power grid information system access control method based on information metric as described above are implemented.
According to the power grid information system access control method based on the information measurement, the zero trust access control of the power grid information system is realized through the identity authentication of the user and the evaluation results of the user trust degree and the risk amount, and an unauthorized attacker is effectively prevented from trying to read and tamper the confidential data of the power grid information system.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units; can be located in one place or distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: a mobile storage device, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Alternatively, the integrated unit of the present invention may be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. Based on such understanding, the technical solutions of the embodiments of the present invention may be essentially implemented or a part contributing to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (10)

1. A power grid information system access control method based on information measurement is characterized by comprising the following steps:
step 1, receiving a login request of a user terminal, performing identity authentication based on the login request, and accessing the user terminal into a power grid information system after the identity authentication is successful;
step 2, receiving an access request of a user terminal to a target resource, judging whether the user needs to apply for or change the role, if so, performing step 3, otherwise, performing step 6;
step 3, collecting user behavior data, and carrying out operation processing on the user behavior data to obtain user trust;
step 4, comparing the user trust with the trust threshold of the applied or changed role, if the user trust is greater than or equal to the trust threshold, giving the applied or changed role to the user and entering step 5; otherwise, access is denied;
step 5, receiving a service access operation initiated by the user terminal in the applied or changed role, collecting the user and the attributes in the operation, and inputting the attributes into a BP neural network for preprocessing to obtain a risk value;
step 6, determining corresponding risk factors through a table look-up mode according to the risk values, and modifying the risk amount by combining the risk values and the risk factors;
step 7, judging whether the modified risk limit exceeds the risk threshold value of the access, if so, allowing the service access operation, otherwise, rejecting the service access operation.
2. The method for controlling access to a grid information system based on information measurement according to claim 1, wherein step 3 further comprises:
collecting user identity authentication information and calculating a direct trust value; if the direct trust value is zero, the user is shown to have a false identity and the access is terminated; if the direct trust value is greater than zero, collecting the historical interaction records of the user from the central database and calculating a historical trust value, collecting the evaluation records of the user and other third-party users and calculating a recommended trust value of the user by constructing a trust chain, weighting and summing the direct trust value and the recommended trust value to obtain a comprehensive trust value, and taking the comprehensive trust value as the user trust degree.
3. The method for controlling access to a grid information system based on information measurement according to claim 1, wherein step 3 further comprises:
after the access identity of the user is verified, acquiring the historical trust and the initial authority of the user;
calculating the user access control function G and decomposing it into G1 and G2, where G1: A → T, T ∈ [0,1], A represents the user and T represents the trust level; G2: T → R, R ∈ [0,1], R denotes a role, and → denotes a mapping function;
evaluating the user behavior and analyzing whether a serious violation exists; if so, the access is directly and forcibly terminated; if not, the current trust level is calculated and the user trust level is recalculated by combining it with the historical trust level.
4. The power grid information system access control method based on information measurement as claimed in claim 3, wherein the current trust level is calculated, and the user trust level is recalculated in combination with the historical trust level, and specifically further comprising:
calculating the influence of past operation behavior on the current user confidence level, where the result is influenced by time t, giving a confidence level attenuation function φ(t) with the formula φ(t) = e^(−pt), where p is the confidence decay value;
recording and processing malicious operation or improper operation of a user, and calculating a punishment item of a certain user a to be expressed as P (a), wherein the calculation formula is as follows:
Figure FDA0003009259660000021
wherein n represents data flow of malicious or improper access to the power grid information system;
for the case in which the user's operation is normal, the trust degree of the user is increased and a certain reward is given; the reward item R(a) is calculated with the formula R(a) = e^(−(0.2m+4)), where m represents the data flow of normal access to the power grid information system;
the historical trust level and the current trust level are processed to a certain degree, the weighting calculation is completed, and the user trust level is obtained, wherein the calculation formula is as follows:
Figure FDA0003009259660000031
where History (a) represents the result of historical confidence level, Entiro (R (a), P (a)) represents the result of user's current confidence level,
Figure FDA0003009259660000032
5. the power grid information system access control method based on the information metric, as recited in claim 1, characterized in that the collected multidimensional network monitoring data is quantitatively mapped into a specific trust metric value by using a cloud fuzzy evaluation theory, wherein the cloud fuzzy evaluation theory comprises cloud droplets and a trust cloud;
the cloud droplets are characterized as follows: let U be the domain of trust membership, C a qualitative concept representing w trust levels on U, and x1, x2, …, xm the metric indexes describing each user's behavior trust in the domain; the trust membership of the trust level described by C is denoted μ and is a group of normal random numbers that tend to be stable; the distribution of the trust membership on U is called a normal trust cloud and is composed of elements (xi, μi), each of which is called a cloud drop;
the trust cloud is characterized by: each normal trust cloud is formally represented as a triplet (Ex, En, He), Ex being an expectation of the trust cloud; en is the entropy of the trust cloud, and reflects the dispersion degree and the value range of cloud droplets in the trust cloud; he represents the hyper-entropy of the trust cloud, reflecting the aggregation degree of the whole trust cloud on the cloud picture.
6. The method for controlling access to a grid information system based on information measurement according to claim 5, wherein the step 3 specifically further comprises:
grading the user trust value according to the practical application and constructing w standard normal trust clouds S_Ci(Ex_i, En_i, He_i), i = 1, 2, …, w, with a cloud generator; the trust value is divided into w intervals, and the maximum and minimum values of each interval are recorded as a_imax and a_imin respectively; first, the trust value is divided into w levels according to the security intensity requirement and the control granularity of access control, and the expectation, entropy and hyper-entropy of the w standard normal trust clouds are calculated with the following formulas:
Figure FDA0003009259660000041
Figure FDA0003009259660000042
He_i = w;
then the w standard normal trust clouds are generated by applying an inverse normal cloud generator to produce n cloud droplets (x_i, μ_i); then Gaussian random numbers En_i = NORE(En, He²) and x_i = NORE(Ex, (En_i)²) are constructed to calculate
Figure FDA0003009259660000043
Collecting user behavior data according to the preset measurement indexes, selecting a suitable sliding window according to the actual requirements, setting a reasonable time period, collecting the actual values of the measurement indexes over several time periods in the sliding window, grading each measurement index one by one and normalizing the data; according to the security intensity requirement, each measurement index has z intervals of metric values based on the user role, and the higher the metric value, the higher the credibility. Let the minimum and maximum values of the ith interval be a_imin and a_imax; then the behavior data criteria are quantized to a confidence value ε:
ε = a_imax + θ × (a_i − a_imin);
wherein,
Figure FDA0003009259660000044
when the number of the behavior data in the interval is larger than or equal to the ith interval, the theta is the percentage of the number of the behavior data in the interval to the total number of the measurement data;
Figure FDA0003009259660000045
when the measured value of the user is smaller than the ith interval, θ is the percentage of the number of behavior data in the ith interval relative to the total number of metric data;
obtaining quantized actual user behavior data by means of an inverse normal trust sub-cloud generator, and generating expectation, entropy and super-entropy of m normal trust sub-clouds corresponding to m measurement indexes;
Figure FDA0003009259660000051
Figure FDA0003009259660000052
Figure FDA0003009259660000053
utilizing an actual normal trust cloud synthesizer to obtain expectation, entropy, super-entropy and each index weight of m measurement index normal trust sub-clouds
Figure FDA0003009259660000054
As input, the expectation, entropy, and super entropy of the actual normal trust cloud are obtained as follows:
Figure FDA0003009259660000055
and comparing the similarity of the actual normal trust cloud and the standard normal trust cloud, and taking the trust level represented by the standard normal cloud with the highest similarity as the user trust level.
7. The method according to claim 6, wherein the preset metric indexes include: a network traffic behavior trust metric index, a resource access behavior trust metric index and a security characteristic behavior trust metric index.
8. The information-metric-based grid information system access control method according to claim 7, wherein the network traffic behavior trust metric index distinguishes suspicious behavior by collecting the traffic characteristics of the data packets that a user sends and receives on the network, and measures the user behavior trust value from them;
the resource access behavior trust metric index records suspicious behavior from the behavioral characteristics of the user when accessing resources, and measures the credibility of the user behavior from them;
the security characteristic behavior trust metric index selects indicators that reflect obvious attack behavior, so that illegal users can be quickly barred from accessing the network.
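The trust-evaluation chain of claims 6 to 8 (a backward sub-cloud per metric index, weighted synthesis into the actual normal trust cloud, and classification by the most similar standard cloud), carried through in Python as an added example that is not the patent's own code. The patent's equations survive on this page only as image placeholders, so every formula below is an assumption: the textbook backward normal cloud generator (Ex = mean, En = sqrt(π/2)·mean|x − Ex|, He = sqrt(|S² − En²|)), a weighted linear synthesis of the sub-clouds, an overlap ratio of expectation curves as the similarity measure, and five standard trust clouds whose names and parameters are assumed. The index names follow claims 7 and 8; the scores and weights are constructed.

```python
"""Trust-level evaluation with the normal cloud model.

Added example, not the patent's own code. Assumed formulas (the patent's
equations are only image placeholders on this page):
  backward normal cloud generator:
      Ex = mean(x)
      En = sqrt(pi / 2) * mean(|x - Ex|)
      He = sqrt(|S^2 - En^2|)            (S^2 = sample variance)
  weighted linear synthesis of the m sub-clouds:
      Ex = sum(w_i * Ex_i), En = sum(w_i * En_i), He = sum(w_i * He_i)
  similarity: overlap ratio of the expectation curves
      mu(x) = exp(-(x - Ex)^2 / (2 * En^2)) sampled on [0, 1]
The five standard trust clouds (names and parameters) are assumed too.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class NormalCloud:
    ex: float  # expectation Ex
    en: float  # entropy En
    he: float  # hyper-entropy He


# Assumed standard normal trust clouds, one per trust level.
STANDARD_CLOUDS = {
    "distrust": NormalCloud(0.1, 0.1, 0.01),
    "low": NormalCloud(0.3, 0.1, 0.01),
    "medium": NormalCloud(0.5, 0.1, 0.01),
    "high": NormalCloud(0.7, 0.1, 0.01),
    "full": NormalCloud(0.9, 0.1, 0.01),
}

# Constructed sample input: quantized behaviour scores in [0, 1] for the
# three metric indexes of claims 7 and 8, and assumed index weights.
SAMPLE_SCORES = {
    "network_traffic": [0.8, 0.9, 0.85, 0.95, 0.75],
    "resource_access": [0.9, 0.95, 0.9, 1.0, 0.85],
    "security_feature": [0.7, 0.8, 0.75, 0.85, 0.65],
}
SAMPLE_WEIGHTS = {"network_traffic": 0.3, "resource_access": 0.3, "security_feature": 0.4}


def backward_cloud(samples):
    """Backward (inverse) normal cloud generator: samples -> (Ex, En, He)."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples to estimate entropy")
    ex = sum(samples) / n
    en = math.sqrt(math.pi / 2) * sum(abs(x - ex) for x in samples) / n
    s2 = sum((x - ex) ** 2 for x in samples) / (n - 1)  # sample variance
    he = math.sqrt(abs(s2 - en ** 2))
    return NormalCloud(ex, en, he)


def synthesize(sub_clouds, weights):
    """Actual normal trust cloud synthesizer: weighted combination of sub-clouds."""
    if set(sub_clouds) != set(weights) or abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must cover every index and sum to 1")
    ex = sum(weights[k] * c.ex for k, c in sub_clouds.items())
    en = sum(weights[k] * c.en for k, c in sub_clouds.items())
    he = sum(weights[k] * c.he for k, c in sub_clouds.items())
    return NormalCloud(ex, en, he)


def expectation_curve(cloud, x):
    """Membership degree of x on the cloud's expectation curve."""
    if cloud.en == 0.0:
        return 1.0 if x == cloud.ex else 0.0
    return math.exp(-((x - cloud.ex) ** 2) / (2.0 * cloud.en ** 2))


def similarity(a, b, steps=1000):
    """Overlap ratio of two expectation curves on [0, 1]; 1.0 means identical."""
    inter = union = 0.0
    for i in range(steps + 1):
        x = i / steps
        ma, mb = expectation_curve(a, x), expectation_curve(b, x)
        inter += min(ma, mb)
        union += max(ma, mb)
    return inter / union


def evaluate_trust_level(metric_samples, weights):
    """Full chain: per-index backward clouds -> synthesis -> most similar standard cloud."""
    sub_clouds = {k: backward_cloud(v) for k, v in metric_samples.items()}
    actual = synthesize(sub_clouds, weights)
    level = max(STANDARD_CLOUDS, key=lambda lv: similarity(actual, STANDARD_CLOUDS[lv]))
    return actual, level


if __name__ == "__main__":
    cloud, level = evaluate_trust_level(SAMPLE_SCORES, SAMPLE_WEIGHTS)
    print(f"actual cloud: Ex={cloud.ex:.3f} En={cloud.en:.3f} He={cloud.he:.3f} -> {level}")
```

Two things worth noticing when reading this against the claims: the hyper-entropy He is carried through the synthesis but does not influence the expectation-curve similarity (it only widens the scatter of cloud drops around that curve), so a deployment that wants He to matter must compare drop distributions rather than curves; and because the standard clouds are fixed while the actual cloud's entropy comes from the user's own data, a user with very erratic scores gets a wide actual cloud that overlaps several levels at once, which is exactly the case the threshold comparison of claim 9 should treat conservatively.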
9. An information-metric-based grid information system access control system, comprising:
an identity authentication module, which receives a login request from a user terminal, authenticates the identity on the basis of the login request, and admits the user terminal to the power grid information system when authentication succeeds;
a trust management module, which receives an access request from the user terminal for a target resource and judges whether the user needs to apply for or change a role; if so, it collects user behavior data and computes the user trust from it, compares the user trust with the trust threshold of the applied-for or changed role, and grants that role to the user if the user trust is greater than or equal to the trust threshold, otherwise denies access;
a risk management module, which receives a service access operation initiated by the user terminal in the applied-for or changed role, collects attributes of the user and of the operation and feeds them into a BP (back-propagation) neural network for preprocessing to obtain a risk value; determines the corresponding risk factor from the risk value by table lookup and modifies the risk limit by combining the risk value and the risk factor; and judges whether the modified risk limit exceeds the risk threshold of the access, allowing the service access operation if so and rejecting it otherwise.
10. A computer-readable storage medium, characterized in that it stores a program of the information-metric-based grid information system access control method, and when the program is executed by a processor, the steps of the information-metric-based grid information system access control method according to any one of claims 1 to 8 are implemented.
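The risk management module of claim 9 as a stand-alone Python example, added here and not the patent's own code. The page gives neither the trained BP network, nor the lookup table, nor the rule that "modifies the risk limit by combining the risk value and the risk factor", nor the thresholds, so all of these are assumed: a fixed-weight two-neuron network stands in for the trained BP network, the risk factor comes from a four-band table, each authorized operation consumes risk_value × risk_factor from the session's risk limit, and an operation is allowed only when the limit left after that consumption still exceeds the threshold, which is the decision rule the claim states. The attribute vectors are constructed.

```python
"""Risk-limit gating for a service operation performed in an assumed role.

Added example, not the patent's own code. Assumed for illustration: the
fixed-weight network standing in for the trained BP network, the risk-factor
lookup table, the quota update rule and the thresholds.
"""
import math
from dataclasses import dataclass

# Input attribute vector: (resource_sensitivity, operation_severity, context_anomaly),
# each already scaled to [0, 1] by the (not shown) preprocessing step.
W_HIDDEN = [[2.0, 2.0, 1.0], [1.0, 1.0, 3.0]]  # assumed: 2 hidden neurons x 3 inputs
B_HIDDEN = [-2.5, -2.5]
W_OUT = [4.0, 4.0]
B_OUT = -4.0

# Assumed lookup table: risk value in [lower, upper) -> risk factor.
RISK_FACTOR_TABLE = [
    (0.00, 0.25, 1.0),
    (0.25, 0.50, 2.0),
    (0.50, 0.75, 4.0),
    (0.75, 1.00, 8.0),
]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def risk_value(attrs):
    """Forward pass of the stand-in network: attributes -> risk value in (0, 1)."""
    if len(attrs) != 3 or any(not 0.0 <= a <= 1.0 for a in attrs):
        raise ValueError("expected three attributes scaled to [0, 1]")
    hidden = [sigmoid(sum(w * a for w, a in zip(row, attrs)) + b)
              for row, b in zip(W_HIDDEN, B_HIDDEN)]
    return sigmoid(sum(w * h for w, h in zip(W_OUT, hidden)) + B_OUT)


def risk_factor(rv):
    """Table lookup: risk value -> risk factor (the top band is closed at 1.0)."""
    for lower, upper, factor in RISK_FACTOR_TABLE:
        if lower <= rv < upper or (rv == 1.0 and upper == 1.0):
            return factor
    raise ValueError(f"risk value {rv} outside [0, 1]")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    risk_value: float
    risk_factor: float
    limit_after: float


class RiskSession:
    """Per-session risk limit for a user acting in an applied-for or changed role."""

    def __init__(self, risk_limit, risk_threshold):
        self.limit = risk_limit
        self.threshold = risk_threshold

    def authorize(self, attrs):
        rv = risk_value(attrs)
        factor = risk_factor(rv)
        proposed = self.limit - rv * factor  # assumed update rule: risky operations consume the limit
        if proposed > self.threshold:        # claim 9: allow only if the modified limit still exceeds the threshold
            self.limit = proposed
            return Decision(True, rv, factor, self.limit)
        return Decision(False, rv, factor, self.limit)  # denied: the limit is left unchanged


if __name__ == "__main__":
    session = RiskSession(risk_limit=10.0, risk_threshold=1.5)
    # Constructed attribute vectors: a routine read, then two high-impact operations.
    for attrs in [(0.2, 0.2, 0.2), (1.0, 1.0, 1.0), (1.0, 1.0, 1.0)]:
        print(attrs, session.authorize(attrs))
```

Run as written, the routine operation passes and barely touches the limit, the first high-impact operation passes but burns most of it, and the second identical operation is refused even though nothing about the user or the operation changed: the limit, not the single risk value, is what makes the module stateful. Whether a denied operation should also lower the limit (as a penalty) or leave it untouched, as here, is a policy choice the page does not settle.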
CN202110370876.5A 2021-04-07 2021-04-07 Power grid information system access control method and system based on information measurement Pending CN112966245A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110370876.5A CN112966245A (en) 2021-04-07 2021-04-07 Power grid information system access control method and system based on information measurement

Publications (1)

Publication Number Publication Date
CN112966245A true CN112966245A (en) 2021-06-15

Family

ID=76281387

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110370876.5A Pending CN112966245A (en) 2021-04-07 2021-04-07 Power grid information system access control method and system based on information measurement

Country Status (1)

Country Link
CN (1) CN112966245A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101719824A (en) * 2009-11-24 2010-06-02 北京信息科技大学 Network behavior detection-based trust evaluation system and network behavior detection-based trust evaluation method
CN111431843A (en) * 2019-01-10 2020-07-17 中国科学院电子学研究所 Access control method based on trust and attribute in cloud computing environment
CN111953679A (en) * 2020-08-11 2020-11-17 中国人民解放军战略支援部队信息工程大学 Intranet user behavior measurement method and network access control method based on zero trust

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
文星 (Wen Xing): "Application of the software-defined perimeter security model in power grid enterprise systems" (软件定义边界安全模型在电网企业系统中的应用), Network and Information Security (网络与信息安全) *
许成山 (Xu Chengshan): "Research and application of a trust- and risk-based access control model" (基于信任和风险的访问控制模型的研究及应用), China Master's Theses Full-text Database (中国优秀硕士学位论文全文数据库) *

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113824732A (en) * 2021-10-13 2021-12-21 成都安恒信息技术有限公司 Zero trust-based multi-factor authentication method
CN114070600A (en) * 2021-11-11 2022-02-18 上海电气集团数字科技有限公司 Industrial Internet field identity access control method based on zero trust model
CN114070600B (en) * 2021-11-11 2023-09-29 上海电气集团数字科技有限公司 Industrial Internet domain identity access control method based on zero trust model
CN114465777A (en) * 2021-12-31 2022-05-10 惠州华阳通用智慧车载系统开发有限公司 TSP server access control method
CN114465777B (en) * 2021-12-31 2023-06-30 惠州华阳通用智慧车载系统开发有限公司 TSP server access control method
CN114553487A (en) * 2022-01-22 2022-05-27 郑州工程技术学院 Access control method and system based on map
CN114465807A (en) * 2022-02-24 2022-05-10 重庆邮电大学 Zero-trust API gateway dynamic trust evaluation and access control method and system based on machine learning
CN114465807B (en) * 2022-02-24 2023-07-18 重庆邮电大学 Zero-trust API gateway dynamic trust evaluation and access control method and system based on machine learning
CN114650184B (en) * 2022-04-15 2023-05-26 四川中电启明星信息技术有限公司 Docker process security access control method based on trust degree
CN114650184A (en) * 2022-04-15 2022-06-21 四川中电启明星信息技术有限公司 Docker process security access control method based on trust degree
CN114925394A (en) * 2022-05-13 2022-08-19 中国电信股份有限公司 Request processing method, system, device, product, medium and equipment
CN115061656A (en) * 2022-06-06 2022-09-16 中国电信股份有限公司 Random number generation method and device, electronic equipment and storage medium
CN114936384A (en) * 2022-06-21 2022-08-23 云南财经大学 Electronic medical record access control method based on intuition fuzzy trust
CN115051877B (en) * 2022-08-12 2022-11-01 国网浙江省电力有限公司杭州供电公司 Zero-trust model-based power grid cloud service security access method
CN115051877A (en) * 2022-08-12 2022-09-13 国网浙江省电力有限公司杭州供电公司 Power grid cloud service security access method based on zero trust model
CN115426200A (en) * 2022-11-03 2022-12-02 北京数盾信息科技有限公司 Data acquisition processing method and system
CN115913676A (en) * 2022-11-04 2023-04-04 上海申石软件有限公司 Access control method and device for cloud native application, electronic equipment and storage medium
CN115913676B (en) * 2022-11-04 2023-06-02 上海申石软件有限公司 Access control method and device for cloud native application, electronic equipment and storage medium
CN115859345A (en) * 2022-11-10 2023-03-28 广州益涛网络科技有限公司 Data access management method and system based on block chain
CN115859345B (en) * 2022-11-10 2023-09-22 湖北华中电力科技开发有限责任公司 Data access management method and system based on block chain
CN115622798A (en) * 2022-11-22 2023-01-17 国网湖北省电力有限公司营销服务中心(计量中心) User authority distribution method of power load management system
CN117745080A (en) * 2024-02-19 2024-03-22 北京北科融智云计算科技有限公司 Multi-factor authentication-based data access control and security supervision method and system
CN117745080B (en) * 2024-02-19 2024-04-26 北京北科融智云计算科技有限公司 Multi-factor authentication-based data access control and security supervision method and system
CN118260799A (en) * 2024-04-15 2024-06-28 方块云(山东)信息技术有限公司 Data security privacy protection method, system and device in cloud environment

Similar Documents

Publication Publication Date Title
CN112966245A (en) Power grid information system access control method and system based on information measurement
US9038134B1 (en) Managing predictions in data security systems
CN111953679A (en) Intranet user behavior measurement method and network access control method based on zero trust
Jiang et al. A medical big data access control model based on fuzzy trust prediction and regression analysis
CN116545731A (en) Zero-trust network access control method and system based on time window dynamic switching
CN116633615A (en) Access control method based on blockchain and risk assessment
CN109583056A (en) A kind of network-combination yarn tool performance appraisal procedure and system based on emulation platform
CN116702216B (en) Multi-level access control method and device for real estate data
CN116418568A (en) Data security access control method, system and storage medium based on dynamic trust evaluation
CN118228211B (en) Software authorization authentication method
CN114091042A (en) Risk early warning method
CN114021109A (en) System and method for realizing identity authentication and access management of workshop-level industrial control system in tobacco industry
CN117834304B (en) Autonomous controllable master control network safety protection system
CN118400166A (en) Information encryption system and method based on cloud computing
CN110955908A (en) Early warning evaluation method and system for confidential files and intelligent terminal
CN116915515B (en) Access security control method and system for industrial control network
CN114238885A (en) User abnormal login behavior identification method and device, computer equipment and storage medium
CN117811764A (en) Zero trust network construction method and system
CN115086028B (en) Block chain-based data security acquisition method
CN117494154A (en) Zero trust-based power big data security management method and system
CN113392385B (en) User trust measurement method and system in cloud environment
Yin et al. A network security situation assessment model based on BP neural network optimized by DS evidence theory
Neto et al. Untrustworthiness: A trust-based security metric
Han et al. Research on Cloud End-User Behavior Trust Evaluation Model Based on Sliding Window
CN115587374B (en) Dynamic access control method and control system based on trust value

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210615