CN113507463A - Construction method of zero trust network - Google Patents

Info

Publication number: CN113507463A
Authority: CN (China)
Prior art keywords: user, access, security, behavior, access behavior
Legal status: Pending
Application number: CN202110761656.5A
Other languages: Chinese (zh)
Inventors: 郑超, 陆秋文, 黄园园, 张微
Current assignee: Zhongdian Jizhi Hainan Information Technology Co Ltd
Original assignee: Zhongdian Jizhi Hainan Information Technology Co Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1408 by monitoring network traffic > H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic

Abstract

A zero trust network construction method in which a server carrying a software defined network (SDN) collects resource information for users accessing the interior of the network and characterizes each user's access behavior according to the unique identification code carried in the access request. A server carrying the SDN control plane receives the user's access request, characterizes the access behavior from the information in the resource access request, preprocesses the feature data and feeds it to a user portrait model construction module, which computes a security feature value for the access behavior. This value is compared with the security threshold of the accessed resource: if the security feature value is higher than the threshold, a data-layer connection is established; otherwise the control layer discards the connection through packet loss processing. The method can effectively prevent abnormal access attacks from inside or outside the SDN, protect the system from serious loss, and has high practical significance.

Description

Construction method of zero trust network
Technical Field
The invention relates to the technical field of the internet, in particular to a construction method for a zero trust network.
Background
As more and more enterprises deploy data and applications in the cloud, the security boundary between intranet and extranet becomes blurred. The traditional model of placing enterprise application data in a virtual private network and protecting it with a firewall is now difficult to sustain. A perimeter-centric security policy relies on the assumption that everything on the internal network can be trusted, and that assumption is no longer safe. The zero trust security model assumes that an attacker may already be present in the intranet, and that the intranet infrastructure is as vulnerable to attack as any external network, deserves no higher level of trust, and faces the same security threats.
Therefore, to address the security problem of a user inside the network illegally accessing network resources through a legitimate path, a scheme is needed that distinguishes safe access behavior from abnormal access, so that internal or external attacks can be effectively prevented and the security and reliability of the zero trust network or system are improved.
Disclosure of Invention
In order to overcome the above defects in the prior art, embodiments of the present invention provide a method for constructing a zero trust network that distinguishes safe access behavior from abnormal access, effectively prevents security attacks from inside or outside, and finally improves the security and reliability of the zero trust network or system, thereby solving the problems described in the background.
To achieve this, the invention provides the following technical scheme: a server carrying a software defined network collects resource information for user access inside the network; characterizes the user's access behavior according to the unique identification code carried in the access request; inputs the resulting feature data of the access behavior into a trained user portrait model, which computes a security feature value for the behavior's features; extracts the user's historical access security feature value from the user portrait center by the unique identification code; smooths the historical value with the current value to obtain a weighted security feature value; and compares the weighted value with the security access threshold of the accessed resource to determine the access authority for that resource.
The zero trust network construction device is suited to the control layer of an SDN (software defined network) and mainly comprises a user access behavior acquisition module, a user portrait model construction module, a user portrait center, a resource management module and a control module. The acquisition module is connected to the portrait model construction module; the portrait center is connected to the portrait model construction module, the resource management module and the control module; and the control module is connected to the SDN data layer through the OpenFlow standard interface.
In a preferred embodiment, the user access behavior acquisition module collects the request information carried by each resource access request of each user, including but not limited to the user's unique identification code, source IP address, destination IP address, terminal type and access mode, and characterizes this information to form feature data. The feature data covers all user behaviors of the system; any user behavior outside the feature data range is prohibited or restricted, and the size of the feature data set can be trimmed according to the security control capability of the system. The feature data table is shown below:
[Feature data table: images RE-GDA0003206007670000021 and RE-GDA0003206007670000031, not reproduced on this page]
In a preferred embodiment, after characterization any access behavior of the user can be regarded as coming from one feature or a combination of features in the feature data. The different features collected in the user access behavior feature data generally have different data types, so they are preprocessed into a form the user portrait model building module can handle. Categorical feature data such as login mode, login device and IP address are quantized with one-hot encoding, mapping each distinct feature to a unique vector in a matrix space; text-type feature data is processed with a bag-of-words model; and continuously distributed numeric feature data is quantized into easily processed values.
In a preferred embodiment, a user's resource access behavior is generally one feature or a combination of features. When constructing the user portrait model, safe access behavior feature combinations and their security feature values are predefined according to the security requirements of a typical system, for example L + S is preset as a safe access behavior feature combination with a feature value of 0.9; likewise illegal access behavior feature combinations and their security feature values are predefined, for example I + P + R is preset as an illegal access behavior feature combination with a feature value of 0.1. The more feature combinations are preset, the more accurately the system classifies safe and illegal access after deep learning.
In a preferred embodiment, a core XGBoost model in the user portrait model building module is trained on the preset access behavior feature data; once trained, it computes a security feature value for each new user access behavior, giving the latest security feature value of that behavior (image RE-GDA0003206007670000041). When the amount of training data is small, the computed feature value (image RE-GDA0003206007670000042) may be unreliable, so it is smoothed against the historical record to obtain a more dependable result (smoothing formula, image RE-GDA0003206007670000043), where (image RE-GDA0003206007670000044) is the smoothed security feature value of the j-th access behavior of user u_i, alpha is a smoothing factor preset from system experience, and (image RE-GDA0003206007670000045) is the security feature value of the (j-1)-th access behavior of user u_i. The security feature value of the (j-1)-th access behavior (image RE-GDA0003206007670000046) is looked up in the user portrait center by the user's unique identification code; if a security feature value for the user's access behavior exists there, the smoothed security feature value is computed by the formula, otherwise the access is treated as an initial access and (image RE-GDA0003206007670000047) is set to 0 in the calculation.
In a preferred embodiment, the user portrait center automatically allocates an independent storage space for each new user, assigns the user a unique identification code, and stores the user's access behavior features and the security feature value of each access behavior indexed by that code. If the user's access behavior feature data is not yet recorded in the portrait, a new access behavior feature record is created for the user and the security feature value of the current access is recorded; otherwise a new piece of portrait information, such as the access time and access duration, is added under the existing access behavior feature.
The resource management module classifies and grades the resources to be protected in the zero trust network, defines different access authorities for different resource types, and defines different access authorities for different user operations or access behaviors on the same type, so as to achieve least-privilege access; for example, the threshold for deleting a large amount of system data is set to 0.95. A resource's threshold is updated when its security level changes as new resources are added to the network or the resource content changes. The control module takes the computed feature value of the user access behavior (image RE-GDA0003206007670000051) and compares it with the resource access threshold preset in the resource management module: if the feature value is higher than the access threshold, the connection is allowed to be established and is maintained while the user's access behavior does not change; if it is lower than the access threshold, the SDN controller rejects the request and performs packet loss, so the user receives no information from the network and internal attacks are effectively avoided. Furthermore, the method applies to a variety of network topologies: all switches are controlled by the SDN regardless of how many switch-connected devices the network contains, so a trust list can be written in software, or a dynamic access strategy designed, to complete access control for the whole network.
In a preferred embodiment, the specific processing flow of the zero trust network construction method is as follows:
Step one: in the SDN environment a user initiates a network resource access request; the server carrying the SDN control plane collects the user access behavior, performs feature preprocessing on the detailed information of the resource access request, and obtains the access feature set of the user's current access behavior.
Step two: the user access behavior feature set is preprocessed into data the user portrait model building module can process. The user access behavior feature set and corresponding feature values are designed in advance and used to train the core XGBoost model in the user portrait model building module, giving a user portrait model with intelligent deep learning; the preprocessed data of the access behavior feature set is then input into this model to compute the security feature value of the user access behavior.
Step three: using the access feature data obtained from the user access behavior and the user's unique identification code, search the user portrait center for matching feature data; if the same feature data exists, go to step four, otherwise go to step five.
Step four: smooth the newly computed security feature value with the security feature value corresponding to the user's historical access feature data in the user portrait center to obtain a comprehensive security feature value.
Step five: compare the comprehensive security feature value with the preset security access threshold of the accessed resource; if it is higher than the threshold, the user is allowed to access the resource, otherwise the control module performs packet loss processing and the user access is denied.
Step six: when the user actively terminates the access or the resource changes, terminate the user access, store the access feature data and the corresponding smoothed security feature value in the user portrait center, and update the user portrait.
The technical effects and advantages of the invention are as follows. The invention provides a method, a device and a server for constructing a zero trust network in an SDN environment: a server carrying the SDN control plane receives a user's access request, characterizes the user access behavior from the information in the resource access request, preprocesses the feature data and feeds it to the user portrait model construction module, which computes a security feature value for the access behavior; this value is compared with the security threshold of the accessed resource, and if it is higher a data-layer connection is established, otherwise the control layer discards the connection through packet loss processing. The user access behavior is thus controlled in real time, abnormal access attacks from inside or outside the SDN can be effectively prevented, the security and reliability of the zero trust network or system are improved, the system is protected from serious loss, and the method has high practical significance.
Drawings
FIG. 1 is a block diagram of a zero trust network construction process based on user representation according to the present invention.
FIG. 2 is a schematic overall flow chart of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
A server carrying a software defined network collects resource information for user access inside the network; characterizes the user's access behavior according to the unique identification code carried in the access request; inputs the resulting feature data of the access behavior into a trained user portrait model, which computes a security feature value for the behavior's features; extracts the user's historical access security feature value from the user portrait center by the unique identification code; smooths it with the current security feature value to obtain a weighted security feature value; and compares the weighted value with the security access threshold of the accessed resource to determine the access authority for that resource.
The zero trust network construction device is suited to the control layer of an SDN (software defined network) and mainly comprises a user access behavior acquisition module, a user portrait model construction module, a user portrait center, a resource management module and a control module. The acquisition module is connected to the portrait model construction module; the portrait center is connected to the portrait model construction module, the resource management module and the control module; and the control module is connected to the SDN data layer through the OpenFlow standard interface.
Preferably, the user access behavior acquisition module collects the request information carried by each resource access request of each user, including but not limited to the user's unique identification code, source IP address, destination IP address, terminal type and access mode, and characterizes this information to form feature data. The feature data covers all user behaviors of the system; any user behavior outside the feature data range is prohibited or restricted, and the size of the feature data set can be trimmed according to the security control capability of the system. The feature data table is shown below:
[Feature data table: images RE-GDA0003206007670000071 and RE-GDA0003206007670000081, not reproduced on this page]
Preferably, after characterization any access behavior of the user can be regarded as coming from one feature or a combination of features in the feature data. The different features collected in the user access behavior feature data generally have different data types, so they are preprocessed into a form the user portrait model building module can handle. Categorical feature data such as login mode, login device and IP address are quantized with one-hot encoding, mapping each distinct feature to a unique vector in a matrix space; text-type feature data is processed with a bag-of-words model; and continuously distributed numeric feature data is quantized into easily processed values.
Preferably, a user's resource access behavior is generally a combination of features. When constructing the user portrait model, safe access behavior feature combinations and their security feature values are first predefined according to the security requirements of a typical system, for example L + S is preset as a safe access behavior feature combination with a feature value of 0.9; likewise illegal access behavior feature combinations and their security feature values are predefined, for example I + P + R is preset as an illegal access behavior feature combination with a feature value of 0.1. The more feature combinations are preset, the more accurately the system classifies safe and illegal access after deep learning.
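The preprocessing described above (one-hot encoding for categorical fields, a bag-of-words model for text, quantization for continuously distributed values) in both the disclosure and this preferred embodiment, worked through as an added example. This is illustration code, not the patent's implementation: the field names, the known-value sets, the vocabulary, the bin edges and the sample request are all constructed assumptions, and the "outside the feature data range" check is one plausible reading of the page's rule that unknown behaviors are prohibited or restricted.

```python
"""Turn one resource access request into a numeric feature vector.

Added example (not the patent's code). Everything below the imports is a
constructed assumption: field names, known categorical values, vocabulary
and bin edges would come from the system's own feature data table.
"""
from bisect import bisect_right

# ASSUMPTION: categorical fields and the values the feature table knows about.
CATEGORICAL = {
    "login_mode": ["password", "sso", "certificate"],
    "device": ["desktop", "laptop", "mobile"],
    "src_ip": ["10.0.0.5", "10.0.0.9", "203.0.113.7"],
}
# ASSUMPTION: bag-of-words vocabulary for the free-text operation field.
TEXT_VOCAB = ["report", "export", "delete", "dashboard"]
# ASSUMPTION: bin edges for continuously distributed values (n edges -> n+1 bins).
BINS = {
    "bytes_requested": [1_000, 100_000, 10_000_000],
    "hour_of_day": [6, 12, 18],
}

# Constructed sample request, not from the page.
SAMPLE_REQUEST = {
    "login_mode": "sso",
    "device": "laptop",
    "src_ip": "10.0.0.5",
    "operation_text": "export report report",
    "bytes_requested": 50_000,
    "hour_of_day": 14,
}


def one_hot(field, value):
    """Unique unit vector per known category; an unknown value maps to the
    all-zero vector, so the model can see it lies outside the known range."""
    return [1 if value == cat else 0 for cat in CATEGORICAL[field]]


def bag_of_words(text):
    """Term counts over the fixed vocabulary (case-insensitive, whitespace
    tokenised); words outside the vocabulary are ignored."""
    tokens = text.lower().split()
    return [tokens.count(word) for word in TEXT_VOCAB]


def quantize(field, value):
    """Bin a continuous value against the field's edges and one-hot the bin
    index, which gives the model an easily processed discrete feature."""
    edges = BINS[field]
    idx = bisect_right(edges, value)
    return [1 if i == idx else 0 for i in range(len(edges) + 1)]


def vectorize(request):
    """Concatenate all encoded fields in a fixed order into one vector."""
    vec = []
    for field in CATEGORICAL:
        vec += one_hot(field, request[field])
    vec += bag_of_words(request.get("operation_text", ""))
    for field in BINS:
        vec += quantize(field, request[field])
    return vec


def is_within_feature_range(request):
    """Page rule: behaviour outside the feature data range is prohibited or
    restricted. Here that means a categorical value the table does not list."""
    return all(request[f] in cats for f, cats in CATEGORICAL.items())


if __name__ == "__main__":
    print("in range:", is_within_feature_range(SAMPLE_REQUEST))
    print("vector:", vectorize(SAMPLE_REQUEST))
```

The vector layout is fixed by dictionary insertion order, so any change to the feature table changes the model's input width and requires retraining; keeping the unknown-value case as an explicit all-zero vector (rather than raising) lets the controller log and restrict such requests instead of failing open.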
Preferably, a core XGBoost model in the user portrait model building module is trained on the preset access behavior feature data; once trained, it computes a security feature value for each new user access behavior, giving the latest security feature value of that behavior (image RE-GDA0003206007670000091). When the amount of training data is small, the computed feature value (image RE-GDA0003206007670000092) may be unreliable, so it is smoothed against the historical record to obtain a more dependable result (smoothing formula, image RE-GDA0003206007670000093), where (image RE-GDA0003206007670000094) is the smoothed security feature value of the j-th access behavior of user u_i, alpha is a smoothing factor preset from system experience, and (image RE-GDA0003206007670000095) is the security feature value of the (j-1)-th access behavior of user u_i. The security feature value of the (j-1)-th access behavior (image RE-GDA0003206007670000096) is looked up in the user portrait center by the user's unique identification code; if a security feature value for the user's access behavior exists there, the smoothed security feature value is computed by the formula, otherwise the access is treated as an initial access and (image RE-GDA0003206007670000097) is set to 0 in the calculation.
Preferably, the user portrait center automatically allocates an independent storage space for each new user, assigns the user a unique identification code, and stores the user's access behavior features and the security feature value of each access behavior indexed by that code. If the user's access behavior feature data is not yet recorded in the portrait, a new access behavior feature record is created for the user and the security feature value of the current access is recorded; otherwise a new piece of portrait information, such as the access time and access duration, is added under the existing access behavior feature.
The resource management module classifies and protects the resources in the zero trust network, defines different access authorities for different resource types, and defines different access authorities for different user operations or access behaviors on the same type, so as to achieve least-privilege access; for example, the threshold for deleting a large amount of system data is set to 0.95. A resource's threshold is updated when its security level changes as new resources are added to the network or the resource content changes. The control module takes the computed feature value of the user access behavior (image RE-GDA0003206007670000101) and compares it with the resource access threshold preset in the resource management module: if the feature value is higher than the access threshold, the connection is allowed to be established and is maintained while the user's access behavior does not change; if it is lower than the access threshold, the SDN controller rejects the request and performs packet loss, so the user receives no information from the network and internal attacks are effectively avoided. Furthermore, the method applies to a variety of network topologies: all switches are controlled by the SDN regardless of how many switch-connected devices the network contains, so a trust list can be written in software, or a dynamic access strategy designed, to complete access control for the whole network.
Preferably, the specific processing flow of the zero trust network construction method is as follows:
Step one: in the SDN environment a user initiates a network resource access request; the server carrying the SDN control plane collects the user access behavior, performs feature preprocessing on the detailed information of the resource access request, and obtains the access feature set of the user's current access behavior.
Step two: the user access behavior feature set is preprocessed into data the user portrait model building module can process. The user access behavior feature set and corresponding feature values are designed in advance and used to train the core XGBoost model in the user portrait model building module, giving a user portrait model with intelligent deep learning; the preprocessed data of the access behavior feature set is then input into this model to compute the security feature value of the user access behavior.
Step three: using the access feature data obtained from the user access behavior and the user's unique identification code, search the user portrait center for matching feature data; if the same feature data exists, go to step four, otherwise go to step five.
Step four: smooth the newly computed security feature value with the security feature value corresponding to the user's historical access feature data in the user portrait center to obtain a comprehensive security feature value.
Step five: compare the comprehensive security feature value with the preset security access threshold of the accessed resource; if it is higher than the threshold, the user is allowed to access the resource, otherwise the control module performs packet loss processing and the user access is denied.
Step six: when the user actively terminates the access or the resource changes, terminate the user access, store the access feature data and the corresponding smoothed security feature value in the user portrait center, and update the user portrait.
The working principle of the invention is as follows. The invention provides a method, a device and a server for constructing a zero trust network in an SDN environment: a server carrying the SDN control plane receives a user's access request, characterizes the user access behavior from the information in the resource access request, preprocesses the feature data and feeds it to the user portrait model construction module, which computes a security feature value for the access behavior; this value is compared with the security threshold of the accessed resource, and if it is higher a data-layer connection is established, otherwise the control layer discards the connection through packet loss processing. The user access behavior is thus controlled in real time, abnormal access attacks from inside or outside the SDN can be effectively prevented, the security and reliability of the zero trust network or system are improved, the system is protected from serious loss, and the method has high practical significance.
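The scoring, smoothing, thresholding and portrait-update flow (steps two to six, together with the smoothing paragraph, the portrait center and the resource management module, as described in both the disclosure and this detailed description), carried through end to end as an added example. This is illustration code, not the patent's implementation. Labelled assumptions: the trained XGBoost model is replaced by a stand-in lookup over preset feature combinations modelled on the page's "L + S = 0.9" and "I + P + R = 0.1" examples; the smoothing formula itself is only an image on the page, so an exponential weighting with factor alpha is assumed; the 0.95 bulk-delete threshold is the page's, while the other resource names and thresholds, the user ids and the request sequence are constructed. The feature combination is taken as already extracted by the acquisition module.

```python
"""Zero trust access decision: score -> smooth -> compare -> update portrait.

Added example, not the patent's code. See the module-level constants for
which values are assumptions and which are quoted from the page.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# ASSUMPTION: preset behaviour-feature combinations and their security values.
# The two entries mirror the page's examples; the letters are placeholders
# standing in for rows of the (unreproduced) feature data table.
PRESET_COMBINATIONS: Dict[FrozenSet[str], float] = {
    frozenset({"L", "S"}): 0.9,        # safe access combination
    frozenset({"I", "P", "R"}): 0.1,   # illegal access combination
}
UNKNOWN_COMBINATION_SCORE = 0.5        # ASSUMPTION: neutral score for unseen combos

# Resource access thresholds from the resource management module. The 0.95
# bulk-delete threshold is quoted on the page; the other two are constructed.
RESOURCE_THRESHOLDS: Dict[str, float] = {
    "read:public-docs": 0.50,
    "write:project-data": 0.80,
    "delete:bulk-system-data": 0.95,
}


def score_access(features: FrozenSet[str]) -> float:
    """Stand-in for the trained XGBoost model (ASSUMPTION): exact match on a
    preset combination wins; otherwise the preset with the largest overlap;
    otherwise the neutral score."""
    if features in PRESET_COMBINATIONS:
        return PRESET_COMBINATIONS[features]
    best_value, best_overlap = UNKNOWN_COMBINATION_SCORE, 0
    for combo, value in PRESET_COMBINATIONS.items():
        overlap = len(combo & features)
        if overlap > best_overlap:
            best_value, best_overlap = value, overlap
    return best_value


def smooth(current: float, previous: float, alpha: float) -> float:
    """ASSUMPTION: weighted smoothing of the current value against the
    historical one; the page names alpha but its formula is an image."""
    return alpha * current + (1.0 - alpha) * previous


@dataclass
class UserPortrait:
    # (feature combination, smoothed security value) per recorded access
    history: List[Tuple[FrozenSet[str], float]] = field(default_factory=list)


class UserPortraitCenter:
    """Independent storage per user, indexed by the unique identification code."""

    def __init__(self) -> None:
        self._portraits: Dict[str, UserPortrait] = {}

    def previous_value(self, user_id: str) -> Optional[float]:
        portrait = self._portraits.get(user_id)
        if portrait is None or not portrait.history:
            return None  # no record: this is the user's initial access
        return portrait.history[-1][1]

    def update(self, user_id: str, features: FrozenSet[str], smoothed: float) -> None:
        # Step six: a new user gets a fresh space; an existing user gets a new entry.
        self._portraits.setdefault(user_id, UserPortrait()).history.append((features, smoothed))


def decide(center: UserPortraitCenter, user_id: str, features, resource: str,
           alpha: float = 0.7) -> Tuple[str, float]:
    """Steps two to six for one request. Returns ('allow'|'drop', weighted value).
    'allow' corresponds to establishing the data-layer flow; 'drop' to the
    controller's packet-loss handling."""
    feats = frozenset(features)
    current = score_access(feats)                       # step two
    previous = center.previous_value(user_id)           # step three
    if previous is None:
        previous = 0.0   # page: initial access uses 0 as the historical value
    weighted = round(smooth(current, previous, alpha), 4)   # step four
    threshold = RESOURCE_THRESHOLDS[resource]
    action = "allow" if weighted > threshold else "drop"    # step five
    center.update(user_id, feats, weighted)                 # step six
    return action, weighted


if __name__ == "__main__":
    center = UserPortraitCenter()
    # Constructed request sequence for one user.
    for feats, res in [({"L", "S"}, "read:public-docs"),
                       ({"L", "S"}, "write:project-data"),
                       ({"I", "P", "R"}, "delete:bulk-system-data")]:
        print(res, decide(center, "user-0001", feats, res))
```

Two properties worth noting for a deployment: because the historical value of an initial access is set to 0, a brand-new user with a perfectly safe combination still scores only alpha times the model output (0.63 here), so first contacts are admitted only to low-threshold resources; and because denied requests are also written to the portrait, a run of illegal combinations drags the weighted value down and keeps the user out of high-threshold resources until safe behaviour has accumulated again.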
The points to be finally explained are: first, in the description of the present application, it should be noted that, unless otherwise specified and limited, the terms "mounted," "connected," and "connected" should be understood broadly, and may be a mechanical connection or an electrical connection, or a communication between two elements, and may be a direct connection, and "upper," "lower," "left," and "right" are only used to indicate a relative positional relationship, and when the absolute position of the object to be described is changed, the relative positional relationship may be changed;
secondly: in the drawings of the disclosed embodiments of the invention, only the structures related to the disclosed embodiments are shown; other structures can follow common designs, and the same embodiment and different embodiments of the invention can be combined with each other where they do not conflict;
and finally: the present invention is not limited to the above preferred embodiments, but rather, any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (9)

1. A method for constructing a zero trust network, characterized by comprising the following steps: a server bearing a software defined network collects resource information inside the network accessed by the user, characterizes the user's access behavior according to the user's unique identification code carried in the access request, inputs the obtained characteristic data of the user access behavior into a trained user portrait model for intelligent calculation to obtain a security characteristic value for the user's access behavior characteristics, extracts the user's historical access security characteristic value from the user portrait center according to the user's unique identification code, performs a smoothing operation on the historical and current security characteristic values to obtain a weighted security characteristic value, and compares the weighted security characteristic value with the security access threshold of the accessed resource to obtain the access authority for the resource;
the zero trust network construction device is suitable for the control layer of an SDN (software defined network) and mainly comprises a user access behavior acquisition module, a user portrait model construction module, a user portrait center, a resource management module and a control module, wherein the user access behavior acquisition module is connected with the user portrait model construction module, the user portrait center is connected with the user portrait model construction module, the resource management module and the control module respectively, and the control module is connected with the SDN data layer through an OpenFlow standard interface.
2. The method for constructing the zero trust network according to claim 1, wherein: the system comprises a user access behavior acquisition module, a resource access request acquisition module and a characteristic data acquisition module; the user access behavior acquisition module acquires the request information carried by each resource access request of each user, including but not limited to the user's unique identification code, source IP address, destination IP address, accessing terminal type and access mode. This information is taken from the access request and characterized to form characteristic data. The characteristic data covers all user behaviors of the system; any user behavior outside the range of the characteristic data is forbidden or has its access limited, and the size of the characteristic data set can be pruned according to the security control capability of the system. The characteristic data table is shown below;
[Characteristic data table: present on the original page only as images RE-FDA0003206007660000011 and RE-FDA0003206007660000021; its contents are not recoverable here.]
3. The method for constructing the zero trust network according to claim 2, wherein: after the characterization processing, any access behavior of the user can be regarded as coming from one feature, or a combination of features, in the feature data. The features that the user portrait model construction module collects from the user's resource access behavior generally have different data types, so features of different data types must be preprocessed before the module can handle them. For categorical feature data such as login mode, login device and IP address, one-hot encoding is used for quantization, mapping each distinct feature into a matrix space to obtain a unique vector for that feature; feature data of text type is processed with a bag-of-words model to obtain the corresponding result; and feature data with continuously distributed values is quantized to obtain an easily processed numerical value.
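As an added illustration of the preprocessing in claim 3 (this is not code from the patent), the following Python turns one constructed access request into a numeric feature vector using the three treatments the claim names: one-hot encoding for categorical fields, bag-of-words counts for a text field, and bucket quantization for a continuous value. The field names, vocabularies and bucket edges are assumptions; the patent's own feature table is an image and is not reproduced. A value outside the known vocabulary raises rather than being dropped, matching claim 2's rule that behavior outside the feature data range is forbidden.

```python
from collections import Counter

# Assumed closed vocabularies for the categorical fields (not the patent's table).
CATEGORICAL_VOCAB = {
    "login_mode": ["password", "certificate", "sso"],
    "terminal_type": ["workstation", "laptop", "mobile"],
    "src_subnet": ["10.0.1.0/24", "10.0.2.0/24", "vpn"],
}
# Assumed bag-of-words token list for the free-text "operation" field.
TEXT_VOCAB = ["read", "write", "delete", "export"]
# Assumed bucket edges for quantizing a continuous field (bytes requested).
BYTES_BUCKETS = [1_000, 100_000, 10_000_000]


class UnknownFeature(ValueError):
    """Raised when a request carries a value outside the feature data range."""


def one_hot(field, value):
    """Map a categorical value to a unit vector over its vocabulary."""
    vocab = CATEGORICAL_VOCAB[field]
    if value not in vocab:
        # Claim 2: behavior outside the feature data range is forbidden.
        raise UnknownFeature(f"{field}={value!r} not in feature data range")
    return [1 if value == v else 0 for v in vocab]


def bag_of_words(text):
    """Count occurrences of each vocabulary token in a text field."""
    counts = Counter(text.lower().split())
    return [counts.get(tok, 0) for tok in TEXT_VOCAB]


def quantize(value, edges):
    """Bucket a continuous value by its position among the edges, scaled to [0, 1]."""
    bucket = sum(1 for e in edges if value >= e)
    return [bucket / len(edges)]


def featurize(request):
    """Concatenate the preprocessed fields into one feature vector."""
    vec = []
    for field in CATEGORICAL_VOCAB:          # insertion order is stable in Python 3.7+
        vec += one_hot(field, request[field])
    vec += bag_of_words(request["operation"])
    vec += quantize(request["bytes_requested"], BYTES_BUCKETS)
    return vec


# Constructed sample request (not a real capture).
SAMPLE = {
    "login_mode": "sso",
    "terminal_type": "laptop",
    "src_subnet": "vpn",
    "operation": "read export",
    "bytes_requested": 250_000,
}

if __name__ == "__main__":
    print(featurize(SAMPLE))
```

The vector has a fixed width (here 3 + 3 + 3 + 4 + 1 = 14 entries), which is what a tree model such as the XGBoost model of claim 5 expects as input; the `UnknownFeature` path is where a deployment would route a request straight to the deny decision instead of scoring it.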
4. The method for constructing the zero trust network according to claim 3, wherein: when constructing the user portrait model, first, according to the general security requirements of the system, a combination of safe user access behavior features and the security feature value of that combination are predefined, for example: L + S is preset as a safe access behavior feature combination with feature value 0.9; at the same time, a combination of illegal user access behavior features and its security feature value are predefined, for example: I + P + R is preset as an illegal access behavior feature combination with feature value 0.1. The more feature combinations are preset, the more accurately the system classifies safe and illegal access after deep learning.
5. The method for constructing the zero trust network according to claim 4, wherein: the core XGBoost model in the user portrait model construction module is trained on the preset access behavior feature data; once trained, the XGBoost model intelligently calculates the security feature value of a new user access behavior to obtain the latest security feature value of that access behavior
Figure RE-FDA0003206007660000031
When the amount of training data is not large, the calculated feature value
Figure RE-FDA0003206007660000032
may be unreliable, so a smoothing operation is performed on the security feature value using the historical records to obtain a more reliable result:
Figure RE-FDA0003206007660000033
wherein
Figure RE-FDA0003206007660000034
is the smoothed security feature value of the j-th access behavior of user u_i, alpha is a smoothing factor preset according to system experience, and
Figure RE-FDA0003206007660000035
is the security feature value of the (j-1)-th access behavior of user u_i. The security feature value of the user's (j-1)-th access behavior
Figure RE-FDA0003206007660000036
is searched for in the user portrait center using the user's unique identification code; if a security feature value for this user's access behavior exists in the user portrait center, the smoothed security feature value is calculated according to the formula, otherwise the user's access behavior is regarded as an initial access and, for the calculation, the security feature value of the behavior
Figure RE-FDA0003206007660000037
is set to 0.
6. The method for constructing the zero trust network according to claim 2, wherein: the user portrait center automatically opens an independent storage space for each new user, establishes the user's unique identification code, and stores the user's access behavior features and the security feature value of each access behavior indexed by that unique identification code; if the user's access behavior feature data is not yet recorded in the user portrait, new access behavior feature data is created for the user and the security feature value of the current access behavior is recorded, otherwise a piece of user portrait information is added under the existing user access behavior feature, for example: the access time and the access duration;
the resource management module classifies and protects the resources in the zero trust network, defines different access authorities for different resource types in the network, and defines different access authorities for the same resource type according to the user operation or access behavior, so as to achieve minimum access authority, for example: the threshold for deleting a large amount of system data is set to 0.95. When a new resource is added to the network, or the content or security level of a resource changes, the threshold for that resource is updated. The control module takes the calculated feature value of the user access behavior
Figure RE-FDA0003206007660000041
and compares it with the access threshold preset for the resource in the resource management module: if the feature value is higher than the access threshold, the connection is allowed to be established and is maintained as long as the user's access behavior does not change; if it is lower than the access threshold, the SDN controller rejects the request and performs a packet loss operation, so the user receives no information from the network, which effectively prevents attacks from inside. Furthermore, the method can be applied to any network topology: no matter how many switches or connected devices the network has, all switches are controlled by the SDN, so a trust list can be written in software or a dynamic access strategy can be designed to accomplish access control for the whole network.
7. The method for constructing the zero trust network according to claim 4, wherein: the specific processing flow of the zero trust network construction method is as follows:
firstly, in an SDN environment, a user initiates a network resource access request, namely, a server bearing an SDN control plane collects user access behaviors, performs characteristic preprocessing on detailed information of the resource access request of the user, and acquires an access feature set of the current access behavior of the user;
and secondly, the user access behavior feature set is preprocessed into data that the user portrait model construction module can handle; the user access behavior feature set and its corresponding feature values are designed in advance and used to train the core XGBoost method in the user portrait model construction module, giving a user portrait construction model with intelligent deep learning; the data of the obtained user access behavior feature set is then input into this intelligent model for calculation to obtain the security feature value of the user access behavior.
8. The method for constructing the zero trust network according to claim 5, wherein: step three, searching whether characteristic data matched with the user portrait center exists in the user portrait center according to access characteristic data obtained by the user access behavior and the unique identification code of the user, if the same characteristic data exists, performing step four, and if not, performing step five;
and step four, smoothly calculating the newly calculated safety characteristic value and a safety characteristic value corresponding to the user historical access characteristic data of the user portrait center to obtain a comprehensive safety characteristic value.
9. The method for constructing the zero trust network according to claim 6, wherein: step five, the comprehensive security feature value is compared with the preset security access threshold of the accessed resource; if the comprehensive security feature value is higher than the resource's security access threshold, the user is allowed to access the resource, otherwise packet loss processing is performed through the control module and the user is denied access;
and step six, if the user initiates active access termination or the resources change, terminating the user access behavior, storing access characteristic data and a smooth security characteristic value corresponding to the access behavior in a user portrait center, and updating the user portrait.
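The six-step flow of claims 7 to 9, with the portrait center of claim 6 and the smoothing of claim 5, as an added end-to-end example in Python (this is not the patent's own code). Two things are assumptions: the trained XGBoost model is replaced by an injectable scoring callable, and because the smoothing formula appears on the page only as an image, the exponential form s_j = alpha * v_j + (1 - alpha) * s_{j-1}, with the previous value taken as 0 on a first access, is the form used here. The alpha of 0.7 and the 0.5 file-read threshold are constructed; the 0.95 bulk-delete threshold is the value claim 6 gives.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALPHA = 0.7   # smoothing factor alpha, "preset according to system experience" (assumed value)


@dataclass
class PortraitEntry:
    score: float                                      # last smoothed security feature value
    visits: List[dict] = field(default_factory=list)  # portrait info, e.g. access time/duration


class PortraitCenter:
    """User portrait center: one independent space per user, indexed by the user's
    unique identification code and then by the access behavior feature tuple."""

    def __init__(self) -> None:
        self._store: Dict[str, Dict[Tuple, PortraitEntry]] = {}

    def lookup(self, uid: str, features: Tuple) -> Optional[PortraitEntry]:
        return self._store.get(uid, {}).get(features)

    def update(self, uid: str, features: Tuple, score: float, visit: dict) -> None:
        space = self._store.setdefault(uid, {})       # new user -> new independent space
        entry = space.get(features)
        if entry is None:                             # unseen behavior -> new record
            space[features] = PortraitEntry(score, [visit])
        else:                                         # known behavior -> add portrait info
            entry.score = score
            entry.visits.append(visit)


class ResourceManager:
    """Security access thresholds per (resource type, operation), so the same
    resource type carries different thresholds for different operations."""

    def __init__(self) -> None:
        self._thresholds: Dict[Tuple[str, str], float] = {}

    def set_threshold(self, rtype: str, op: str, threshold: float) -> None:
        self._thresholds[(rtype, op)] = threshold

    def threshold(self, rtype: str, op: str) -> Optional[float]:
        return self._thresholds.get((rtype, op))      # None means unclassified


def smooth(current: float, previous: float, alpha: float = ALPHA) -> float:
    """Assumed smoothing form: s_j = alpha * v_j + (1 - alpha) * s_{j-1}."""
    return alpha * current + (1 - alpha) * previous


def decide(uid, features, rtype, op, model, center, resources, visit=None):
    """Steps two to six for one access request.
    Returns ("allow" | "drop", comprehensive security feature value)."""
    v = model(features)                               # step two: model's value for this behavior
    entry = center.lookup(uid, features)              # step three: matching history?
    previous = entry.score if entry else 0.0          # claim 5: no history -> initial access, 0
    s = smooth(v, previous)                           # step four: comprehensive value
    th = resources.threshold(rtype, op)               # step five: the resource's threshold
    allowed = th is not None and s > th               # unclassified resource is never opened
    center.update(uid, features, s, visit or {})      # step six: store value, update portrait
    return ("allow" if allowed else "drop"), s        # "drop" is where the controller discards packets


def demo_model(features: Tuple) -> float:
    """Stand-in for the trained XGBoost model (constructed, not trained)."""
    return 0.9 if features == ("sso", "laptop", "vpn") else 0.1


def run_demo():
    """Three requests from one user with the same behavior features."""
    center, resources = PortraitCenter(), ResourceManager()
    resources.set_threshold("file", "read", 0.5)          # assumed
    resources.set_threshold("db", "bulk_delete", 0.95)    # value from claim 6
    feats = ("sso", "laptop", "vpn")
    results = []
    for rtype, op in [("file", "read"), ("file", "read"), ("db", "bulk_delete")]:
        results.append(decide("u1", feats, rtype, op, demo_model, center, resources,
                              visit={"op": op}))
    return results


if __name__ == "__main__":
    for verdict, score in run_demo():
        print(verdict, round(score, 4))
```

Running the demo shows the effect of the initial value of 0: a first access scored 0.9 by the model is smoothed down to 0.63, enough for a file read but not for the 0.95 bulk-delete threshold, and repeated identical accesses only approach 0.9 (0.819, then 0.8757), so that operation stays closed for this behavior no matter how often it recurs. A resource with no threshold defined is treated as closed rather than open, which is the least-privilege reading of claim 6.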
CN202110761656.5A 2021-07-06 2021-07-06 Construction method of zero trust network Pending CN113507463A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110761656.5A CN113507463A (en) 2021-07-06 2021-07-06 Construction method of zero trust network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110761656.5A CN113507463A (en) 2021-07-06 2021-07-06 Construction method of zero trust network

Publications (1)

Publication Number Publication Date
CN113507463A true CN113507463A (en) 2021-10-15

Family

ID=78011621

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110761656.5A Pending CN113507463A (en) 2021-07-06 2021-07-06 Construction method of zero trust network

Country Status (1)

Country Link
CN (1) CN113507463A (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130227712A1 (en) * 2012-02-23 2013-08-29 Accenture Global Services Limited Method and system for resource management based on adaptive risk-based access controls
CN112016017A (en) * 2019-05-31 2020-12-01 北京京东尚科信息技术有限公司 Method and device for determining characteristic data
CN111510473A (en) * 2020-03-13 2020-08-07 北京三快在线科技有限公司 Access request processing method and device, electronic equipment and computer readable medium
CN111756729A (en) * 2020-06-23 2020-10-09 北京网瑞达科技有限公司 Network resource access method, device, computer equipment and storage medium
CN112583810A (en) * 2020-12-09 2021-03-30 中电积至(海南)信息技术有限公司 Zero trust method for context-based virtual network
CN112737824A (en) * 2020-12-23 2021-04-30 中电积至(海南)信息技术有限公司 User trust measurement method in zero-trust SDN network

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
吴云坤等: "一种基于零信任的SDN网络访问控制方法", 《信息网络安全》 *
孙瑞等: "基于多因素认证的零信任网络构建", 《金陵科技学院学报》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116582373A (en) * 2023-07-14 2023-08-11 北京辰尧科技有限公司 User access control method, system and electronic equipment
CN116582373B (en) * 2023-07-14 2023-09-22 北京辰尧科技有限公司 User access control method, system and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211015