CN113472778A - Information network safety protection trust system and method - Google Patents

Information network safety protection trust system and method

Info

Publication number
CN113472778A
Authority
CN
China
Prior art keywords
user
access
network
information
satellite
Prior art date
Legal status
Granted
Application number
CN202110735235.5A
Other languages
Chinese (zh)
Other versions
CN113472778B (en)
Inventor
刘炯
李娟
王喆
宋宇
贺翥祯
王鲸鱼
严丽娜
Current Assignee
National University of Defense Technology
Original Assignee
National University of Defense Technology
Priority date
Filing date
Publication date
Application filed by National University of Defense Technology
Priority to CN202110735235.5A
Publication of CN113472778A
Application granted
Publication of CN113472778B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06 Authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06 Authentication > H04W12/065 Continuous authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/08 Access security

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Mobile Radio Communication Systems

Abstract

The invention provides an information network security protection trust system that integrates the security protection of a satellite communication network with the security protection of the information communication network. Through a three-level arrangement of satellite network access gateway, regional security protection center, headquarters security protection center and satellite communication center, it realizes multi-level authentication and authorization, dynamic access control, trust measurement of access users, risk analysis and the like for users of the satellite communication network. Combined with the service management hierarchy of the current satellite communication network, it establishes a two-level service management architecture with the satellite communication center in overall charge and the satellite network access gateway below it. Building on the existing information network security protection system, multi-level security protection is realized at the satellite network access, information network regional security protection, information network global security protection and satellite communication center levels, and for the two specific functions of identity authentication and access control, the interrelation and operating method between the levels are given.

Description

Information network safety protection trust system and method
[ technical field ]
The invention belongs to the technical field of information security and relates to an information network security protection trust system and method.
[ background of the invention ]
A satellite communication system transmits information mainly over wireless links, which differs fundamentally from transmission over a wired ground network, so its security requirements differ from those of ground network security, and so do the security protection techniques adopted. The invention aims to solve the problems that satellite communication network users have weak security control capability, low information confidentiality strength, and no systematic way to apply security protection strategies.
[ summary of the invention ]
To address these problems, the invention provides an information network security protection trust system and method. It constructs an information security protection trust system for the satellite communication network, realizes dynamic regulation of user access and fine-grained control of resource access, and forms a technical thread for investigating information security threats and containing the scope of damage. It strengthens the confidentiality of information sources and provides a typical application mode of the satellite communication network information security protection trust system, improving the information security protection capability of the satellite network. By applying correlation analysis of users' network behavior in combination with a network trust model, a dynamic defense closed loop of use, management, response and evaluation based on behavior monitoring is formed, which ensures secure information transmission in the satellite communication network, realizes node access control and improves the security protection capability of the satellite communication system. The method is of great practical significance for fully exploiting the advantages of satellite communication.
The invention is realized by the following technical scheme. An information network security protection trust system is provided, comprising:
an access user information base for storing the attributes, network behavior records and trust levels of access users of the satellite communication network;
an identity authentication and authorization module, comprising a registration and identity authentication and authorization sub-module for performing user information registration and identity authentication when a new user first accesses the satellite communication network, and a secondary identity authentication and authorization sub-module for performing identity authentication and authorization when that user enters the satellite communication network again;
an access gateway, namely the satellite communication network access gateway, for controlling whether an access user may access the satellite communication network or the ground network and for monitoring the access authority and range of the access user;
a headquarters security protection center for analyzing the network behavior of access users, determining and issuing security protection strategies, and determining and circulating user access authority and range;
a regional security protection center for analyzing the network behavior of access users, uploading security protection strategies to the headquarters security protection center, and issuing security protection strategies and user access authority and range to the access gateway;
a satellite communication center for issuing to the access gateway the authorization information, access authority and range, access user attributes and trust measurement records and updates of access users accessing the satellite communication network;
a security management module for continuously managing the network behavior of access users, comprising:
an access user security control sub-module for controlling an access user according to the information of the access user and the security control strategy determined by the satellite communication center,
an access sub-network security control sub-module for controlling part or all of the users in an access sub-network according to the information of the access users and the security control strategy determined by the satellite communication center,
and a network behavior security control sub-module for determining a security control strategy according to the network behavior detected by the access gateway and controlling the trust value and control strategy of the access user.
The network behavior security control sub-module comprises an execute-first-then-report security control sub-module and a report-first-then-execute security control sub-module.
The invention also provides an information network security protection trust method, comprising the following steps:
S1, user registration and identity authentication and authorization;
S2, identity authentication and authorization when a registered user accesses again;
S3, direct security control of an access user;
S4, security control when an access user accesses a sub-network;
S5, execute-first-then-report security control of an access user in response to network behavior;
S6, report-first-then-execute security control of an access user in response to a security event or behavior.
Specifically, S1 is realized by the following method:
S11, when the user accesses the satellite communication network through the satellite channel, the satellite network access gateway forbids all network access behavior of the user, immediately obtains the basic parameter information of the user terminal, and fills this information into the access user information base;
S12, the access user registers user identity information through web page access; the user identity information includes department, position and login password;
S13, the satellite communication center acquires the basic parameter information of the user terminal and verifies the user identity information; if the identity information is verified correct, S14 is executed; if the identity information is verified wrong, a strategy rejecting the user's access to the satellite communication network is issued to the satellite network access gateway, and the process ends;
S14, the satellite communication center measures the initial trust value of the access user, determines the user's access authority and range, fills the result into the access user information base, and issues the access authorization strategy for the access user to the satellite network access gateway, after which the access user can perform the corresponding authorized operations.
Specifically, S2 is realized by the following method:
S21, when the registered user accesses the satellite communication network through the satellite channel, the satellite network access gateway forbids all network access behavior of the user, immediately obtains the basic parameter information of the user terminal, and updates the access information in the access user information base;
S22, the access user enters the user identity information through web page access and reports the login password;
S23, the satellite communication center acquires the basic parameter information of the user terminal and verifies the user identity information; if the identity information is verified correct, S24 is executed; if it is verified incorrect, the process ends;
S24, the user's access authority and range are judged according to the user's trust value: if the trust level is higher than the threshold for allowing the user to access, S25 is executed; if the trust level is lower than the threshold, a strategy rejecting the user's access is issued to the satellite network access gateway, and the process ends;
S25, the user's access authority and scope are determined according to the user's role and trust value, the access strategy is issued to the satellite network access gateway, and the access user can perform the corresponding authorized operations.
Specifically, S3 is realized by the following method:
S31, the satellite communication center adjusts the user's current access authority and scope according to the security situation of the satellite network and changes in the role, responsibility and task of the access user, determines a new security control strategy, and issues the new security control strategy to the satellite network access gateway while updating the access user information base;
S32, the satellite network access gateway performs the control operation on the access user according to the newly issued security control strategy and feeds back the operation result to the satellite communication center.
Specifically, S4 is realized by the following method:
S41, the satellite communication center adjusts the current access authority and scope of part or all of the users in the sub-network according to the security situation of the satellite network and the role, responsibility and task of the user group in the access sub-network, determines a new security control strategy, and issues the new security control strategy to the corresponding satellite network access gateway while updating the access user information base;
S42, the satellite network access gateway performs the control operation on part or all of the users in the access sub-network according to the newly issued security control strategy and feeds back the operation result to the satellite communication center.
Specifically, S5 is realized by the following method:
S51, the satellite network access gateway monitors network behavior, namely a security event or behavior, and reports it to the regional security protection center;
S52, the regional security protection center analyzes the network behavior, calculates the user trust value according to the nature of the network behavior, and formulates a security control strategy;
S53, the regional security protection center issues the execution strategy to the satellite network access gateway and reports it to the headquarters security protection center;
S54, the satellite network access gateway performs the access user control operation according to the security control strategy formulated in S52 and updates the access user information base;
S55, the headquarters security protection center reviews the control strategy, modifies it if necessary, and forwards it to the satellite communication center;
S56, the satellite communication center analyzes the control strategy forwarded in S55 and determines whether adjustment is needed; if so, it modifies the user's trust value and control strategy and issues them to the access gateway;
S57, the satellite network access gateway controls the access user according to the control strategy adjusted in S56, feeds back the execution result, and updates the access user information base.
Specifically, S6 is realized by the following method:
S61, the satellite network access gateway monitors network behavior, namely a security event or behavior, and reports it to the regional security protection center;
S62, the regional security protection center analyzes the network behavior of the access user; if the analysis of the specific network behavior can be completed, it calculates the user trust value according to the nature of the network behavior, formulates a security control strategy, and reports the strategy to the headquarters security protection center; if the analysis cannot be completed, it reports the network behavior to the headquarters security protection center and S63 is executed;
S63, the headquarters security protection center analyzes the network behavior, calculates the user trust value, formulates a control strategy, and reports the trust value and control strategy to the satellite communication center;
S64, the satellite communication center reviews the calculated user trust value and the formulated control strategy and determines whether adjustment is needed; if so, it modifies the user's trust value and control strategy and sends the result to the access gateway; if not, S65 follows;
S65, the satellite network access gateway controls the access user according to the control strategy issued in S64, feeds back the execution result, and updates the access user information base.
The invention provides an information network security protection trust system and method that integrate the security protection of a satellite communication network with the security protection of the information communication network into one whole and provide an information security protection trust system for the satellite communication network. Combined with the service management hierarchy of the current satellite communication network, a two-level service management architecture is determined with the satellite communication center in overall charge and the satellite network access gateway below it. Building on the existing information network security protection system, multi-level security protection is realized at the satellite network access, information network regional security protection, information network global security protection and satellite communication center levels, and for the two specific functions of identity authentication and access control, the interrelation and operating method between the levels are given.
[ description of the drawings ]
FIG. 1 is a block diagram of an information network security protection trust system of the present invention;
FIG. 2 is a flow chart of user registration and identity authentication authorization in an information network security protection trust method of the present invention;
FIG. 3 is a flowchart of authentication and authorization performed when a registered user re-accesses in the information network security protection trust method of the present invention;
FIG. 4 is a flow chart of security management and control for directly accessing a user in the information network security protection trust method of the present invention;
FIG. 5 is a flow chart of security management and control performed when a user accesses a subnet in the information network security protection trust method of the present invention;
FIG. 6 is a flow chart of access user security management and control for performing a first execution and then reporting on a network behavior in the information network security protection trust method of the present invention;
FIG. 7 is a flow chart of access user security management and control performed after reporting a security event or behavior in the information network security protection trust method of the present invention.
[ detailed description ]
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to the accompanying drawings.
Referring to FIG. 1, the present invention provides an information network security protection trust system, which includes:
an access user information base 1 for storing the attributes, network behavior records and trust levels of access users of the satellite communication network;
an authentication and authorization module 2, comprising a registration and identity authentication authorization sub-module 21 for performing user information registration and identity authentication when a new user first accesses the satellite communication network, and a secondary identity authentication authorization sub-module 22 for performing identity authentication and authorization when that user enters the satellite communication network again;
an access gateway 3 for controlling whether an access user may access the satellite communication network or the ground network and for monitoring the access authority and range of the access user;
a headquarters security protection center 4 which analyzes the network behavior of access users, determines and issues security protection strategies, and determines and transfers user access authority and range;
a regional security protection center 5 which analyzes the network behavior of access users, uploads security protection strategies to the headquarters security protection center 4, and issues security protection strategies and user access authority and range to the access gateway 3;
a satellite communication center 7 for issuing to the access gateway the authorization information, access authority and range, access user attributes and trust measurement records and updates of access users accessing the satellite communication network;
a security management module 8 for continuously managing the network behavior of access users, comprising:
an access user security control sub-module 81 for controlling an access user according to the information of the access user and the security control strategy determined by the satellite communication center 7,
an access sub-network security control sub-module 82 for controlling part or all of the users in an access sub-network according to the information of the access users and the security control strategy determined by the satellite communication center 7,
a network behavior security management and control sub-module 83 for determining a security control policy according to the network behavior detected by the access gateway 3 and controlling the trust value and control policy of the access user, where the network behavior security management and control sub-module 83 includes an execute-first-then-report security control sub-module 831 and a report-first-then-execute security control sub-module 832.
Referring to FIG. 2 to FIG. 6, the present invention further provides an information network security protection trust method, which includes the following steps:
S1, when a new user first accesses the satellite communication network, user registration and identity authentication and authorization are required, which is specifically realized by the following method:
S11, when the user accesses the satellite communication network through the satellite channel, the satellite network access gateway forbids all network access behavior of the user, immediately obtains the basic parameter information of the user terminal, and fills this information into the access user information base;
S12, the access user registers user identity information through web page access; the user identity information includes department, position and login password;
S13, the satellite communication center acquires the basic parameter information of the user terminal and verifies the user identity information; if the identity information is verified correct, S14 is executed; if the identity information is verified wrong, a strategy rejecting the user's access to the satellite communication network is issued to the satellite network access gateway, and the process ends;
S14, the satellite communication center measures the initial trust value of the access user, determines the user's access authority and range, fills the result into the access user information base, and issues the access authorization strategy for the access user to the satellite network access gateway, after which the access user can perform the corresponding authorized operations.
S2, after registration and the first identity authentication are completed, the user's information is saved, but the registered user must still be authenticated and authorized on each subsequent access, which is specifically realized by the following method:
S21, when the registered user accesses the satellite communication network through the satellite channel, the satellite network access gateway forbids all network access behavior of the user, immediately obtains the basic parameter information of the user terminal, and updates the access information in the access user information base;
S22, the access user enters the user identity information through web page access and reports the login password;
S23, the satellite communication center acquires the basic parameter information of the user terminal and verifies the user identity information; if the identity information is verified correct, S24 is executed; if it is verified incorrect, the process ends;
S24, the user's access authority and range are judged according to the user's trust value: if the trust level is higher than the threshold for allowing the user to access, S25 is executed; if the trust level is lower than the threshold, a strategy rejecting the user's access is issued to the satellite network access gateway, and the process ends;
S25, the user's access authority and scope are determined according to the user's role and trust value, the access strategy is issued to the satellite network access gateway, and the access user can perform the corresponding authorized operations.
After authentication and authorization, the satellite communication center, headquarters security protection center, regional security protection center and satellite network access gateway in the security protection trust system operate jointly according to the user's role, trust level, the threat degree of security events and the like, and continuously manage and control the network behavior of the access user, such as resource access and information transmission. For the security control of an access user, the satellite communication center may directly issue a control strategy without being triggered by the network behavior or events of the user terminal, or the control may be triggered by the network behavior and events of the user terminal and handled in an "execute first, then report" or a "report first, then execute" manner. Specifically, the following operations are performed:
S3, direct security control of an access user is realized by the following method:
S31, the satellite communication center adjusts the user's current access authority, scope and the like according to the security situation of the satellite network and the role, responsibility, task and the like of the access user, determines a new security control strategy, and issues the new security control strategy to the satellite network access gateway while updating the access user information base;
S32, the satellite network access gateway performs the control operation on the access user according to the newly issued security control strategy and feeds back the operation result to the satellite communication center.
S4, security control when an access user accesses a sub-network is realized by the following method:
S41, the satellite communication center adjusts the current access authority, scope and the like of part or all of the users in the sub-network according to the security situation of the satellite network and the role, responsibility, task and the like of the user group in the access sub-network, determines a new security control strategy, and issues the new security control strategy to the corresponding satellite network access gateway while updating the access user information base;
S42, the satellite network access gateway performs the control operation on part or all of the users in the access sub-network according to the newly issued security control strategy and feeds back the operation result to the satellite communication center.
S5, execute-first-then-report security control of an access user in response to network behavior is realized by the following method:
S51, the satellite network access gateway monitors network behavior, namely a security event or behavior, and reports it to the regional security protection center;
S52, the regional security protection center analyzes the network behavior, calculates the user trust value according to the nature of the network behavior, and formulates a security control strategy;
S53, the regional security protection center issues the execution strategy to the satellite network access gateway and reports it to the headquarters security protection center;
S54, the satellite network access gateway performs the access user control operation according to the security control strategy formulated in S52 and updates the access user information base;
S55, the headquarters security protection center reviews the control strategy, modifies it if necessary, and forwards it to the satellite communication center;
S56, the satellite communication center analyzes the control strategy forwarded in S55 and determines whether adjustment is needed; if so, it modifies the user's trust value and control strategy and issues them to the access gateway;
S57, the satellite network access gateway controls the access user according to the control strategy adjusted in S56, feeds back the execution result, and updates the access user information base.
S6, report-first-then-execute security control of an access user in response to a security event or behavior is realized by the following method:
S61, the satellite network access gateway monitors network behavior, namely a security event or behavior, and reports it to the regional security protection center;
S62, the regional security protection center analyzes the network behavior of the access user; if the analysis of the specific network behavior can be completed, it calculates the user trust value according to the nature of the network behavior, formulates a security control strategy, and reports the strategy to the headquarters security protection center; if the analysis cannot be completed, it reports the network behavior to the headquarters security protection center and S63 is executed;
S63, the headquarters security protection center analyzes the network behavior, calculates the user trust value, formulates a control strategy, and reports the trust value and control strategy to the satellite communication center;
S64, the satellite communication center reviews the calculated user trust value and the formulated control strategy and determines whether adjustment is needed; if so, it modifies the user's trust value and control strategy and sends the result to the access gateway; if not, S65 follows;
S65, the satellite network access gateway controls the access user according to the control strategy issued in S64, feeds back the execution result, and updates the access user information base.

Claims (9)

1. An information network security protection trust system, characterized by comprising:
an access user information base (1) for storing the attributes, network behavior records and trust values of satellite communication network access users;
an identity authentication and authorization module (2) comprising a registration and identity authentication authorization sub-module (21), which registers user information and authenticates identity when a new user accesses the satellite communication network for the first time, and a secondary identity authentication authorization sub-module (22), which authenticates and authorizes identity when a registered user accesses the satellite communication network again;
an access gateway (3) for controlling whether an access user may enter the satellite communication network or the ground network, and for monitoring the access authority and range of the access user;
a headquarters security protection center (4) which analyzes the network behavior of access users, determines and issues security protection strategies, and determines and transfers user access authority and range;
a regional security protection center (5) which analyzes the network behavior of access users, reports security protection strategies to the headquarters security protection center (4), and issues security protection strategies and user access authority and range to the access gateway (3);
a satellite communication center (7) which issues to the access gateway (3) the authorization information, access authority and range, access user attributes, and trust measurement records and updates of users accessing the satellite communication network;
a security management module (8) for continuously managing the network behavior of access users, comprising:
an access user security control sub-module (81) for controlling an access user according to the access user's information and the security control strategy determined by the satellite communication center (7),
an access sub-network security control sub-module (82) for controlling some or all users in an access sub-network according to their information and the security control strategy determined by the satellite communication center (7),
and a network behavior security control sub-module (83) for determining a security control strategy according to the network behavior detected by the access gateway (3) and controlling the trust value and control strategy of the access user.
2. The information network security protection trust system according to claim 1, wherein the network behavior security control sub-module (83) comprises an execute-then-report security control sub-module (831) and a report-then-execute security control sub-module (832).
3. An information network security protection trust method, characterized by comprising the following steps:
S1, user registration and identity authentication and authorization;
S2, identity authentication and authorization when a registered user accesses again;
S3, direct security management and control of an access user;
S4, security management and control when access users access a sub-network;
S5, execute-then-report security management and control of an access user in response to network behavior;
S6, report-then-execute security management and control of an access user in response to a security event or behavior.
4. The information network security protection trust method of claim 3, wherein S1 is implemented as follows:
S11, when a user accesses the satellite communication network through a satellite channel, the satellite network access gateway blocks all network access by the user, immediately obtains the basic parameter information of the user terminal, and writes it into the access user information base;
S12, the access user registers user identity information through a web page; the identity information includes department, position and login password;
S13, the satellite communication center obtains the basic parameter information of the user terminal and verifies the user identity information; if the identity information is correct, S14 is executed; if it is incorrect, a strategy rejecting the user's access to the satellite communication network is issued to the satellite network access gateway and the process ends;
S14, the satellite communication center performs an initial measurement of the access user's trust value, determines the user's access authority and range, writes the result into the access user information base, and issues the access authorization strategy for the user to the satellite network access gateway, so that the access user can perform the corresponding authorized operations.
5. The information network security protection trust method of claim 3, wherein S2 is implemented as follows:
S21, when a registered user accesses the satellite communication network through a satellite channel, the satellite network access gateway blocks all network access by the user, immediately obtains the basic parameter information of the user terminal, and updates the access information in the access user information base;
S22, the access user submits user identity information through a web page and reports the login password;
S23, the satellite communication center obtains the basic parameter information of the user terminal and verifies the user identity information; if the identity information is correct, S24 is executed; if it is incorrect, the process ends;
S24, the user's access authority and range are judged according to the user's trust value: if the trust level is higher than the threshold for allowing user access, S25 is executed; if it is lower than the threshold, a strategy rejecting the user's access is issued to the satellite network access gateway and the process ends;
S25, the user's access authority and range are determined according to the user's role and trust value, the access strategy is issued to the satellite network access gateway, and the access user can perform the corresponding authorized operations.
6. The information network security protection trust method of claim 3, wherein S3 is implemented as follows:
S31, the satellite communication center adjusts the user's current access authority and range according to the security situation of the satellite network and changes in the access user's role, responsibilities and tasks, determines a new security control strategy, updates the access user information base, and issues the new security control strategy to the satellite network access gateway;
S32, the satellite network access gateway performs the management and control operation on the access user according to the newly issued security control strategy, and feeds the operation result back to the satellite communication center.
7. The information network security protection trust method of claim 3, wherein S4 is implemented as follows:
S41, the satellite communication center adjusts the current access authority and range of some or all users in the sub-network according to the security situation of the satellite network and the role, responsibilities and tasks of the user group in the access sub-network, determines a new security control strategy, updates the access user information base, and issues the new security control strategy to the corresponding satellite network access gateway;
S42, the satellite network access gateway performs management and control operations on some or all users in the access sub-network according to the newly issued security control strategy, and feeds the operation result back to the satellite communication center.
8. The information network security protection trust method of claim 3, wherein S5 is implemented as follows:
S51, the satellite network access gateway monitors network behavior and reports it to the regional security protection center; the network behavior is a security event or behavior;
S52, the regional security protection center analyzes the network behavior, calculates the user trust value according to the nature of the behavior, and formulates a security control strategy;
S53, the regional security protection center issues the strategy to the satellite network access gateway for execution and reports it to the headquarters security protection center;
S54, the satellite network access gateway performs the access user management and control operation according to the security control strategy formulated in S52, and updates the access user information base;
S55, the headquarters security protection center analyzes the control strategy, modifies it if it is found inappropriate, and forwards it to the satellite communication center;
S56, the satellite communication center analyzes the control strategy forwarded in S55 and determines whether adjustment is needed; if so, it modifies the user's trust value and control strategy and issues them to the access gateway;
S57, the satellite network access gateway controls the access user according to the control strategy adjusted in S56, feeds back the execution result, and updates the access user information base.
9. The information network security protection trust method of claim 3, wherein S6 is implemented as follows:
S61, the satellite network access gateway monitors network behavior and reports it to the regional security protection center; the network behavior is a security event or behavior;
S62, the regional security protection center analyzes the network behavior of the access user; if it can complete the analysis of the specific behavior, it calculates the user trust value according to the nature of the behavior, formulates a security control strategy, and reports it to the headquarters security protection center; if it cannot complete the analysis, it reports the behavior to the headquarters security protection center and S63 is executed;
S63, the headquarters security protection center analyzes the network behavior, calculates the user trust value, formulates a control strategy, and reports both to the satellite communication center;
S64, the satellite communication center reviews the calculated user trust value and the formulated control strategy and determines whether adjustment is needed; if so, it modifies the user's trust value and control strategy and sends the result to the access gateway; if not, go to S65;
S65, the satellite network access gateway controls the access user according to the control strategy issued in S64, feeds back the execution result, and updates the access user information base.
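As an added example that is not part of the patent, the following Python sketch models the method of claims 3 to 9 (and the S5/S6 procedures given in the description above): one row of the access user information base, the S24/S25 decision that gates on the trust threshold before deriving the access range from the role, and the two orderings of claims 8 and 9. In S5 the gateway enforces the regional center's strategy before headquarters and the satellite communication center review it; in S6 the previously granted range stays in force until the reviewed strategy comes back. The trust arithmetic, the two thresholds, the role-to-range table and the event names are assumptions; the patent specifies none of them.

```python
"""Added example, not code from the patent: a toy model of the trust-gated
access flow in the description (S5/S6) and claims 3-9.  The patent gives no
trust formula, thresholds or event taxonomy, so ALLOW_THRESHOLD,
RESTRICT_THRESHOLD, ROLE_SCOPE and the rule tables below are assumptions."""
from dataclasses import dataclass, field

ALLOW_THRESHOLD = 0.5     # assumed S24 "threshold for allowing user access"
RESTRICT_THRESHOLD = 0.7  # assumed: satellite communication center narrows range below this

# Assumed role -> access range, used by S25 (role plus trust value)
ROLE_SCOPE = {"operator": {"satellite", "ground"}, "guest": {"satellite"}}

# Assumed event -> trust delta.  The regional center knows only REGIONAL_RULES;
# anything else is "analysis cannot be completed" and is escalated (S62/S63).
REGIONAL_RULES = {"normal_traffic": 0.02, "auth_failure_burst": -0.2, "port_scan": -0.3}
HQ_RULES = {"unknown_protocol": -0.4}


@dataclass
class UserRecord:
    """One row of the access user information base (element 1 of claim 1)."""
    user_id: str
    role: str
    trust: float
    behaviour_log: list = field(default_factory=list)
    scope: set = field(default_factory=set)   # what the gateway currently permits


def clamp(x: float) -> float:
    """Keep trust in [0, 1]; rounding avoids float noise in threshold compares."""
    return round(max(0.0, min(1.0, x)), 4)


def make_policy(rec: UserRecord) -> dict:
    """S24/S25: gate on the trust threshold first, then derive the range from the role."""
    if rec.trust < ALLOW_THRESHOLD:
        return {"user": rec.user_id, "action": "reject", "scope": set()}
    return {"user": rec.user_id, "action": "allow", "scope": set(ROLE_SCOPE[rec.role])}


def satcom_review(rec: UserRecord, policy: dict) -> dict:
    """S56/S64: the satellite communication center may tighten a policy.
    Assumption: a still-admitted user below RESTRICT_THRESHOLD loses the ground network."""
    if policy["action"] == "allow" and rec.trust < RESTRICT_THRESHOLD:
        return {**policy, "scope": policy["scope"] - {"ground"}}
    return policy


def gateway_execute(rec: UserRecord, policy: dict) -> None:
    """S54/S57/S65: the gateway enforces the policy and updates the information base."""
    rec.scope = set(policy["scope"])


def re_access(rec: UserRecord) -> dict:
    """S2 for a registered user whose identity check (S23) is assumed to have passed."""
    policy = make_policy(rec)
    gateway_execute(rec, policy)
    return policy


def execute_then_report(rec: UserRecord, event: str) -> list:
    """S5: the regional center decides and the gateway acts immediately; HQ and
    the satellite communication center review afterwards and may re-issue."""
    trace = ["gateway_report"]                                 # S51
    rec.behaviour_log.append(event)
    rec.trust = clamp(rec.trust + REGIONAL_RULES[event])       # S52
    trace.append("regional_analyse")
    policy = make_policy(rec)
    gateway_execute(rec, policy)                               # S53/S54
    trace.append("gateway_execute")
    trace.append("hq_review")                                  # S55
    adjusted = satcom_review(rec, policy)                      # S56
    trace.append("satcom_review")
    if adjusted != policy:
        gateway_execute(rec, adjusted)                         # S57
        trace.append("gateway_reexecute")
    return trace


def report_then_execute(rec: UserRecord, event: str) -> list:
    """S6: nothing is enforced until regional -> HQ -> satellite communication
    center has returned a policy; the gateway's current range stays in force."""
    trace = ["gateway_report"]                                 # S61
    rec.behaviour_log.append(event)
    delta = REGIONAL_RULES.get(event)
    if delta is None:                                          # S62: cannot classify
        trace.append("regional_cannot_classify")
        delta = HQ_RULES.get(event, 0.0)                       # S63 (assumed: unknown to HQ too -> no change)
        trace.append("hq_analyse")
    else:
        trace.append("regional_analyse")
    rec.trust = clamp(rec.trust + delta)
    policy = satcom_review(rec, make_policy(rec))              # S64
    trace.append("satcom_review")
    gateway_execute(rec, policy)                               # S65
    trace.append("gateway_execute")
    return trace


if __name__ == "__main__":
    u = UserRecord("u1", "operator", 0.8)
    print(re_access(u), u.scope)
    print(execute_then_report(u, "port_scan"), u.trust, u.scope)
    print(report_then_execute(u, "unknown_protocol"), u.trust, u.scope)
```

Running the block walks one operator through re-admission, a port scan handled execute-then-report (the gateway re-admits at once, then drops the ground network when the satellite communication center reviews), and an event the regional center cannot classify handled report-then-execute, where the gateway changes nothing until the reviewed strategy arrives. One point the claims leave open and any implementation must settle: S24 speaks only of trust "higher" or "lower" than the threshold; here a value equal to the threshold is admitted.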
CN202110735235.5A 2021-06-30 2021-06-30 Information network safety protection trust system and method Active CN113472778B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110735235.5A CN113472778B (en) 2021-06-30 2021-06-30 Information network safety protection trust system and method

Publications (2)

Publication Number Publication Date
CN113472778A true CN113472778A (en) 2021-10-01
CN113472778B CN113472778B (en) 2023-04-07

Family

ID=77874396

Country Status (1)

Country Link
CN (1) CN113472778B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117014203A (en) * 2023-08-03 2023-11-07 中国电子信息产业集团有限公司第六研究所 Satellite network self-adaptive security service system and method

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130042298A1 (en) * 2009-12-15 2013-02-14 Telefonica S.A. System and method for generating trust among data network users
CN104796261A (en) * 2015-04-16 2015-07-22 长安大学 Secure access control system and method for network terminal nodes
CN105827304A (en) * 2016-03-21 2016-08-03 南京邮电大学 Gateway station-based satellite network anonymous authentication method
US20170063931A1 (en) * 2015-08-28 2017-03-02 Convida Wireless, Llc Service Layer Dynamic Authorization
CN107196906A (en) * 2017-03-31 2017-09-22 山东超越数控电子有限公司 Security domain network connection control method and system
CN108055263A (en) * 2017-12-11 2018-05-18 北京理工大学 Entity authentication and rights management system and method in a satellite communication network
CN108494729A (en) * 2018-02-07 2018-09-04 北京卓讯科信技术有限公司 Zero trust model implementation system
US20190273617A1 (en) * 2018-03-02 2019-09-05 Intertrust Technologies Corporation Trust and identity management systems and methods
CN110855707A (en) * 2019-11-26 2020-02-28 成都电科信安科技有限公司 Internet of things communication pipeline safety control system and method
CN111953679A (en) * 2020-08-11 2020-11-17 中国人民解放军战略支援部队信息工程大学 Intranet user behavior measurement method and network access control method based on zero trust
CN112055029A (en) * 2020-09-16 2020-12-08 全球能源互联网研究院有限公司 Zero-trust power Internet of things equipment and user real-time trust degree evaluation method
CN112073969A (en) * 2020-09-07 2020-12-11 中国联合网络通信集团有限公司 5G network security protection method and system
CN112118102A (en) * 2020-10-21 2020-12-22 国网天津市电力公司 Dedicated zero trust network system of electric power
US20210091976A1 (en) * 2019-09-24 2021-03-25 Pribit Technology, Inc. System For Controlling Network Access Of Terminal Based On Tunnel And Method Thereof
CN112994775A (en) * 2021-02-04 2021-06-18 亚太卫星宽带通信(深圳)有限公司 Method for fusing GEO satellite access network and 5G core network

Non-Patent Citations (7)

* Cited by examiner, † Cited by third party
Title
ZHEFU YU: "A trust-based secure routing protocol for multi-layered satellite networks", 2012 IEEE International Conference on Information Science and Technology *
于永胜: "Research on access and access control mechanisms in satellite network management", China Master's Theses Full-text Database (Electronic Journal), Information Science and Technology Series *
刘欢 et al.: "Research on zero trust security architecture and its applications", Communications Technology (通信技术) *
尚可龙 et al.: "Design and research of a zero trust security system", Secrecy Science and Technology (保密科学技术) *
秦智超; 岳兆娟; 田辉: "Design of endogenous security mechanisms in the emergency management network information system" *
邵应昭; 丁跃利; 张建华; 张佳鹏; 杨鹏飞; 李剑桥: "Research on application-oriented security technology for space-based embedded cloud services" *
黄懿: "A brief analysis of applying the zero trust security model to network security in the management information zone of centralized hydropower control", Hongshui River (红水河) *

Also Published As

Publication number Publication date
CN113472778B (en) 2023-04-07

Similar Documents

Publication Publication Date Title
CN114465807B (en) Zero-trust API gateway dynamic trust evaluation and access control method and system based on machine learning
US11399045B2 (en) Detecting fraudulent logins
US8474006B2 (en) Retrospective policy safety net
DE112017007393T5 (en) SYSTEM AND METHOD FOR NETWORK DEVICE SAFETY AND TRUST VALUATION
CN113472778B (en) Information network safety protection trust system and method
CN110519306A Device access control method and apparatus for the Internet of Things
CN110677407B (en) Safety control method of lightweight block chain platform
CN112115484B (en) Access control method, device, system and medium for application program
WO2021023388A1 (en) Configuring network analytics
CN114021109A (en) System and method for realizing identity authentication and access management of workshop-level industrial control system in tobacco industry
CN117459321B (en) End-to-end trusted communication method and system
CN105704093B Firewall access control policy error-checking method, apparatus and system
CN115643573A (en) Privileged account authentication method and system based on dynamic security environment
CN113839945B (en) Trusted access control system and method based on identity
CN114338105A Bastion host system based on zero trust
CN110334499A (en) Interface authority management-control method, device, computer equipment and storage medium
US20230254302A1 (en) Authentication of device in network using cryptographic certificate
CN104660436A (en) Service grade management method and system
CN115695015A (en) User permission adjusting method and device, electronic equipment and storage medium
CN115941252A (en) MQTT dynamic access control method based on trust calculation
CN107222394B (en) User access control method and system for social network
Bradatsch et al. Zero Trust Score-based Network-level Access Control in Enterprise Networks
CN116032552A (en) Side-end side equipment interaction real-time continuous trust evaluation method of electric power system
Bravi et al. Exploiting the DICE specification to ensure strong identity and integrity of IoT devices
WO2022204841A1 (en) Method, apparatus and system of charging management

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant