CN113783844A - Zero-trust access control method and device and electronic equipment - Google Patents
Zero-trust access control method and device and electronic equipment
- Publication number: CN113783844A (application number CN202110932724.XA)
- Authority: CN (China)
- Prior art keywords: access, behavior, dynamic, access control, credibility measurement
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
Abstract
The embodiment of the application provides a zero trust access control method, a device and electronic equipment, wherein the zero trust access control method comprises the following steps: based on the set credibility measurement model, carrying out identity validity authentication on an access subject initiating the access request; monitoring the behavior of the access subject subjected to the legality authentication in real time, and performing dynamic credibility measurement according to the behavior monitored in real time; and according to the result of the dynamic credibility measurement, the access control strategy of the access subject is dynamically adjusted, so that the security is increased.
Description
Technical Field
The present application relates to the field of internet technologies, and in particular, to a zero trust access control method and apparatus, and an electronic device.
Background
As computer networks have developed they have become highly open and programmable, which makes large-scale and flexible network authentication and access possible; however, a flexible access control mechanism also allows network attack behaviors to occur more frequently, so security is lower.
Disclosure of Invention
Based on the above problems, embodiments of the present application provide a zero trust access control method and apparatus, and an electronic device.
The embodiment of the application discloses the following technical scheme:
a zero trust access control method, comprising:
based on the set credibility measurement model, carrying out identity validity authentication on an access subject initiating the access request;
monitoring the behavior of the access subject subjected to the legality authentication in real time, and performing dynamic credibility measurement according to the behavior monitored in real time;
and dynamically adjusting the access control strategy of the access subject according to the result of the dynamic credibility measurement.
Optionally, in an embodiment of the present application, the dynamically adjusting the access control policy of the access subject according to the result of the dynamic credibility metric includes:
and dynamically adjusting the access control strategy of the access subject by issuing a flow table according to the result of the dynamic credibility measurement.
Optionally, in an embodiment of the present application, the dynamically adjusting the access control policy of the access subject by issuing a flow table according to the result of the dynamic trusted metric includes:
generating the flow table to be issued according to the result of the dynamic credibility measurement, wherein at least one access action is set in the flow table;
and dynamically adjusting the access control strategy of the access subject according to the flow table.
Optionally, in an embodiment of the present application, the monitoring the behavior of the access subject subjected to the validity authentication in real time, and performing dynamic trust measurement according to the behavior monitored in real time includes:
and monitoring the behavior of the access subject subjected to the legality authentication in real time based on the set security intensity configuration, and performing dynamic credibility measurement according to the behavior monitored in real time.
Optionally, in an embodiment of the present application, the monitoring the behavior of the access subject subjected to the validity authentication in real time, and performing dynamic trust measurement according to the behavior monitored in real time includes:
and monitoring the behavior of the access subject subjected to the legality authentication in real time based on a set time period and a sliding window, and performing dynamic credibility measurement according to the behavior monitored in real time.
A zero trust access control device, comprising:
the validity authentication unit is used for carrying out identity validity authentication on an access subject initiating the access request based on the set credibility measurement model;
the credibility measurement unit is used for monitoring the behavior of the access subject subjected to the legality authentication in real time and carrying out dynamic credibility measurement according to the behavior monitored in real time;
and the dynamic adjusting unit is used for dynamically adjusting the access control strategy of the access subject according to the result of the dynamic credibility measurement.
Optionally, in an embodiment of the present application, the dynamic adjustment unit is further configured to:
and dynamically adjusting the access control strategy of the access subject by issuing a flow table according to the result of the dynamic credibility measurement.
Optionally, in an embodiment of the present application, the dynamic adjustment unit is further configured to:
generating the flow table to be issued according to the result of the dynamic credibility measurement, wherein at least one access action is set in the flow table;
and dynamically adjusting the access control strategy of the access subject according to the flow table.
An electronic device comprising a memory having stored thereon computer-executable instructions and a processor for executing the computer-executable instructions to perform the method of any embodiment.
A computer storage medium having computer-executable instructions stored thereon that, when executed, implement the method of any embodiment.
In the technical scheme of the embodiment of the application, identity validity authentication is carried out on an access subject initiating an access request based on a set credibility measurement model; monitoring the behavior of the access subject subjected to the legality authentication in real time, and performing dynamic credibility measurement according to the behavior monitored in real time; and according to the result of the dynamic credibility measurement, the access control strategy of the access subject is dynamically adjusted, so that the security is increased.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
Fig. 1 is a schematic flow chart of a zero-trust access control method in the first embodiment of the present application;
Fig. 2 is a schematic flow chart of a zero-trust access control method in the second embodiment of the present application;
Fig. 3 is a schematic flow chart of a zero-trust access control method in the third embodiment of the present application;
Fig. 4 is a schematic structural diagram of a zero-trust access control apparatus in the fourth embodiment of the present application;
Fig. 5 is a schematic structural diagram of a zero-trust access control apparatus in the fifth embodiment of the present application;
Fig. 6 is a schematic structural diagram of a zero-trust access control apparatus in the sixth embodiment of the present application;
Fig. 7 is a schematic structural diagram of an electronic device in the seventh embodiment of the present application;
Fig. 8 is a schematic hardware structure diagram of an electronic device in the eighth embodiment of the present application;
Fig. 9 is a schematic structural diagram of a computer storage medium in the ninth embodiment of the present application.
Detailed Description
It is not necessary for any particular embodiment of the invention to achieve all of the above advantages at the same time.
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the technical scheme of the embodiment of the application, identity validity authentication is carried out on an access subject initiating an access request based on a set credibility measurement model; monitoring the behavior of the access subject subjected to the legality authentication in real time, and performing dynamic credibility measurement according to the behavior monitored in real time; and according to the result of the dynamic credibility measurement, the access control strategy of the access subject is dynamically adjusted, so that the security is increased.
Fig. 1 is a schematic flow chart of a zero-trust access control method in an embodiment of the present application; as shown in fig. 1, it includes:
S101, based on a set credibility measurement model, carrying out identity validity authentication on an access subject initiating an access request;
optionally, in this embodiment, the trusted metric model may be a dynamic metric model.
Optionally, based on the set trusted metric model, when performing identity validity authentication on the access subject initiating the access request, the authentication may be performed according to the set identity factor authentication manner. The identity authentication factors are, for example, user name and password, dynamic password, two-dimensional code, and push authentication information, or can be combined with various identity authentication factors such as external human face and voiceprint, so that a multi-factor authentication mode is provided, and the authentication security is improved.
S102, monitoring the behavior of the access subject subjected to the legality authentication in real time, and performing dynamic credibility measurement according to the behavior monitored in real time;
optionally, in performing the dynamic trust measurement, a periodic trust measurement may be performed based on the behavior level of the access subject to identify network attack behaviors with long latency and strong imperceptibility, including but not limited to sniff attacks, password attacks, flood attacks, and the like.
Optionally, the behavior of the access subject may include a network traffic behavior, a resource access behavior, and a security characteristic behavior, where the network traffic behavior includes the number of suspicious packets in unit time, the number of times of abnormal throughput rate in unit time, and the average number of bytes of data packets in unit time; the resource access behavior comprises access failure times in unit time, login failure times in unit time, sensitive data access times in unit time and the like; the security characteristic behaviors comprise scanning detection attack behaviors, password detection attack behaviors, direct attack behaviors and the like, so that comprehensive monitoring of access subject behaviors is realized, credible measurement is carried out on the behaviors as comprehensive as possible when dynamic credible measurement is carried out, the objectivity and accuracy of credible measurement results are ensured, and the security is improved.
S103, dynamically adjusting the access control strategy of the access subject according to the result of the dynamic credibility measurement.
In the embodiment, the network flow behavior, the resource access behavior and the security characteristic behavior of the access subject subjected to the legality authentication are monitored in real time, and accordingly, the obtained credibility measurement result can be graded to obtain the network flow behavior credibility measurement index, the resource access behavior credibility measurement index and the security characteristic behavior credibility measurement index, so that the access control strategy can be adjusted according to the network flow behavior credibility measurement index and the resource access behavior credibility measurement index, hidden attacks are prevented, the access control strategy is adjusted according to the security characteristic behavior credibility measurement index, the access of a user is denied rapidly, and the security is improved.
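As an added worked example (not code from the patent), the grading of the three behavior categories described above and the mapping of the graded indices to an access control decision can be modelled in Python as follows. The per-unit-time limits, the 0..1 index scale, the `restrict` action and the treatment of a large average packet size as suspicious are assumptions of the example; the security characteristic behaviors are taken as already-computed detector verdicts. The same logic applies to the credibility measurement unit and the dynamic adjustment unit of the apparatus embodiments described further below.

```python
from dataclasses import dataclass

# Constructed per-unit-time limits at which a metric counts as fully untrustworthy.
# These numbers are assumptions for the example, not values from the patent.
TRAFFIC_LIMITS = {"suspicious_packets": 50, "abnormal_throughput_events": 5, "avg_packet_bytes": 1400}
RESOURCE_LIMITS = {"access_failures": 20, "login_failures": 5, "sensitive_accesses": 10}


@dataclass
class BehaviorSample:
    """Behavior observed for one authenticated access subject in one unit of time."""
    # network traffic behavior
    suspicious_packets: int = 0
    abnormal_throughput_events: int = 0
    avg_packet_bytes: float = 0.0
    # resource access behavior
    access_failures: int = 0
    login_failures: int = 0
    sensitive_accesses: int = 0
    # security characteristic behavior: verdicts of the scanning, password-probing
    # and direct-attack detectors, taken here as already-computed booleans
    scan_detected: bool = False
    password_probe_detected: bool = False
    direct_attack_detected: bool = False


def grade(values: dict, limits: dict) -> float:
    """Grade one behavior category to an index in [0, 1]: 1.0 is fully trusted,
    0.0 means every metric of the category is at or past its limit."""
    ratios = [min(values[name] / limit, 1.0) for name, limit in limits.items()]
    return round(1.0 - sum(ratios) / len(ratios), 3)


def measure(sample: BehaviorSample) -> dict:
    """Dynamic credibility measurement: one graded index per behavior category."""
    traffic = grade({
        "suspicious_packets": sample.suspicious_packets,
        "abnormal_throughput_events": sample.abnormal_throughput_events,
        "avg_packet_bytes": sample.avg_packet_bytes,
    }, TRAFFIC_LIMITS)
    resource = grade({
        "access_failures": sample.access_failures,
        "login_failures": sample.login_failures,
        "sensitive_accesses": sample.sensitive_accesses,
    }, RESOURCE_LIMITS)
    attack_seen = (sample.scan_detected or sample.password_probe_detected
                   or sample.direct_attack_detected)
    security = 0.0 if attack_seen else 1.0
    return {"traffic": traffic, "resource": resource, "security": security}


def decide(indices: dict, restrict_below: float = 0.6) -> str:
    """Map the graded indices to an access control action."""
    if indices["security"] == 0.0:
        return "deny"       # confirmed attack behavior: deny access immediately
    if min(indices["traffic"], indices["resource"]) < restrict_below:
        return "restrict"   # latent / hidden attack indicators: limit access
    return "allow"


if __name__ == "__main__":
    # Constructed sample: many failed accesses and logins, no detector verdict.
    noisy = BehaviorSample(access_failures=20, login_failures=5)
    print(measure(noisy), decide(measure(noisy)))
```

The security characteristic index is deliberately binary: a confirmed attack verdict denies access regardless of how clean the traffic and resource indices look, which is the "rapid denial" path the text describes, while the two graded indices catch the slower, quieter anomalies.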
Fig. 2 is a schematic flow chart of a zero-trust access control method in the second embodiment of the present application; as shown in fig. 2, it includes:
S201, based on a set credibility measurement model, carrying out identity validity authentication on an access subject initiating an access request;
S202, monitoring the behavior of the access subject subjected to the legality authentication in real time, and performing dynamic credibility measurement according to the behavior monitored in real time;
in this embodiment, for steps S201 and S202 refer to the description of the first embodiment above.
S203, according to the result of the dynamic credibility measurement, dynamically adjusting the access control strategy of the access subject.
Optionally, in a specific application scenario, the dynamically adjusting the access control policy of the access subject according to the result of the dynamic credibility metric includes:
and dynamically adjusting the access control strategy of the access subject by issuing a flow table according to the result of the dynamic credibility measurement.
Because the access control strategy is dynamically adjusted based on the flow table, the continuity of the adjustment of the access control strategy is ensured, the rapidity of the adjustment is ensured, and the safety is ensured to the maximum extent.
Further, in a specific application scenario, dynamically adjusting the access control policy of the access subject by issuing a flow table according to the result of the dynamic trusted measurement, includes:
s213, generating the flow table to be issued according to the result of the dynamic credibility measurement, wherein at least one access action is set in the flow table;
and S223, dynamically adjusting the access control strategy of the access subject according to the flow table.
Optionally, the flow table may be specifically issued by a packet-out message.
Optionally, the access control policy of the access subject may be dynamically adjusted specifically by a flow-mod message. The flow-mod message defines the operations of adding, deleting and modifying flow table entries, through which the access control policy of the access subject is dynamically adjusted.
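As an added example, not code from the patent, the following Python sketch shows steps S213 and S223 at the level of data structures: a flow table whose every entry carries at least one access action is generated from per-subject measurement results, and the difference against the previously issued table is expressed as flow-mod operations (ADD, MODIFY, DELETE). The `FlowEntry` structure, the action strings, the IP addresses and the dict form of a flow-mod are assumptions of the example; encoding the messages for a real switch and sending them from a controller are not shown.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowEntry:
    """One flow table entry: match on the subject's source IP, apply access actions."""
    match_src_ip: str
    actions: tuple          # at least one access action
    priority: int = 100


# Constructed mapping from a measurement decision to the access actions written
# into the flow table (assumption for this example).
ACTIONS_FOR = {
    "allow": ("output:normal",),
    "restrict": ("meter:rate_limit", "output:normal"),
    "deny": ("drop",),
}


def build_flow_table(decisions: dict) -> dict:
    """Generate the flow table to issue from {src_ip: decision}.
    Returns {src_ip: FlowEntry}; every entry carries at least one action."""
    table = {}
    for ip, decision in decisions.items():
        actions = ACTIONS_FOR[decision]
        if not actions:
            raise ValueError("flow table entries must carry at least one access action")
        # deny entries get a higher priority so they win over any broader allow rule
        table[ip] = FlowEntry(ip, actions, priority=200 if decision == "deny" else 100)
    return table


def _flow_mod(command: str, entry: FlowEntry) -> dict:
    """Dict-shaped stand-in for a flow-mod message (constructed format)."""
    return {"command": command, "match": {"ipv4_src": entry.match_src_ip},
            "priority": entry.priority, "actions": list(entry.actions)}


def flow_mod_ops(old: dict, new: dict) -> list:
    """Compute the flow-mod operations that move the switch from the previously
    issued table `old` to the newly generated table `new`."""
    ops = []
    for ip, entry in new.items():
        if ip not in old:
            ops.append(_flow_mod("ADD", entry))
        elif old[ip] != entry:
            ops.append(_flow_mod("MODIFY", entry))
    for ip, entry in old.items():
        if ip not in new:
            ops.append(_flow_mod("DELETE", entry))
    return ops


if __name__ == "__main__":
    # Constructed subjects and decisions from a previous and a current measurement round.
    previous = build_flow_table({"10.0.0.5": "allow", "10.0.0.6": "allow"})
    current = build_flow_table({"10.0.0.5": "deny", "10.0.0.7": "restrict"})
    for op in flow_mod_ops(previous, current):
        print(op)
```

Computing the delta rather than re-issuing the whole table is what keeps adjustment continuous: a subject whose measurement result did not change generates no message, and a subject that dropped out of the table is explicitly deleted rather than left with a stale entry.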
Fig. 3 is a schematic flow chart of a zero-trust access control method in the third embodiment of the present application; as shown in fig. 3, it includes:
S301, based on the set credibility measurement model, identity validity authentication is carried out on an access subject initiating an access request;
in this embodiment, for step S301 refer to the first embodiment or the second embodiment.
S302, monitoring the behavior of the access subject subjected to the legality authentication in real time, and performing dynamic credibility measurement according to the behavior monitored in real time;
optionally, in a specific application scenario, the monitoring the behavior of the access subject subjected to the validity authentication in real time, and performing dynamic credibility measurement according to the behavior monitored in real time includes:
and monitoring the behavior of the access subject subjected to the legality authentication in real time based on the set security intensity configuration, and performing dynamic credibility measurement according to the behavior monitored in real time.
The security strength configuration can be set flexibly according to the application scenario, or the application scenario can be monitored and the security strength configuration adjusted adaptively. The higher the security strength requirement in the security strength configuration, the greater the intensity of behavior monitoring, for example finer granularity and higher frequency of the monitored behavior.
Optionally, in a specific application scenario, the monitoring, based on the set security strength configuration, of the behavior of the access subject subjected to the validity authentication in real time, and performing dynamic credibility measurement according to the behavior monitored in real time, includes:
S312, generating a behavior decision model based on the set security strength configuration and the trust level of the access subject;
S322, according to the behavior decision model, monitoring the behavior of the access subject subjected to the legality authentication in real time, and performing dynamic credibility measurement according to the behavior monitored in real time.
The higher the security strength in the security strength configuration and the lower the trust level, the greater the intensity of the behavior monitoring, such as finer granularity and higher frequency. Conversely, the lower the security strength in the security strength configuration and the higher the trust level, the lower the intensity of behavior monitoring, such as coarser granularity and lower frequency of the monitored behavior.
In the behavior decision model, the granularity of monitored behaviors and the monitoring frequency are defined.
S303, dynamically adjusting the access control strategy of the access subject according to the result of the dynamic credibility measurement.
In this embodiment, if the access control policy of the access subject is dynamically adjusted based on the flow table, the behavior decision model specifically generates an adjustment policy, and the adjustment policy is included in the flow table, so that the access control policy of the access subject is quickly enforced based on the flow table: as soon as a potential security risk exists, access to the resource can be quickly prohibited or the access rights quickly limited.
Alternatively, in another application scenario, the monitoring the behavior of the access subject subjected to the validity authentication in real time, and performing dynamic credibility measurement according to the behavior monitored in real time includes:
and monitoring the behavior of the access subject subjected to the legality authentication in real time based on a set time period and a sliding window, and performing dynamic credibility measurement according to the behavior monitored in real time.
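The behavior decision model (security strength configuration and trust level together determine monitoring granularity and frequency) and the time-period / sliding-window measurement just described are illustrated by the following added Python example, which is not code from the patent. The three intensity tiers, the period and window lengths, the metric limit and the per-period counts are constructed assumptions; the decision model's plan feeds the window length of the monitor.

```python
from collections import deque

# Constructed ordinal scales (assumptions for this example).
SECURITY_STRENGTH = {"low": 0, "medium": 1, "high": 2}
TRUST_LEVEL_RISK = {"high": 0, "medium": 1, "low": 2}   # lower trust => more risk


def behavior_decision_model(security_strength: str, trust_level: str) -> dict:
    """Derive the monitoring plan from the security strength configuration and the
    subject's trust level: higher strength or lower trust gives finer granularity and
    higher frequency (shorter period, longer sliding window)."""
    intensity = SECURITY_STRENGTH[security_strength] + TRUST_LEVEL_RISK[trust_level]  # 0..4
    if intensity >= 3:
        return {"granularity": "per-metric", "period_s": 1, "window_periods": 10}
    if intensity >= 1:
        return {"granularity": "per-category", "period_s": 5, "window_periods": 6}
    return {"granularity": "category-total", "period_s": 30, "window_periods": 4}


class SlidingWindowMonitor:
    """Counts one behavior metric per time period and measures credibility over the
    last `window_periods` periods, so a burst spread across several periods is still
    seen even if no single period exceeds the limit on its own."""

    def __init__(self, window_periods: int, limit: int):
        self.limit = limit                           # window total at which the index hits 0
        self.periods = deque(maxlen=window_periods)  # oldest period drops off automatically

    def record_period(self, count: int) -> float:
        """Append this period's count and return the windowed credibility index in [0, 1]."""
        self.periods.append(count)
        return round(max(0.0, 1.0 - sum(self.periods) / self.limit), 3)


def monitor_subject(plan: dict, counts_per_period: list, limit: int = 10) -> list:
    """Run one metric (e.g. login failures per period) through the plan's window and
    return the sequence of credibility indices, one per period."""
    monitor = SlidingWindowMonitor(plan["window_periods"], limit)
    return [monitor.record_period(c) for c in counts_per_period]


if __name__ == "__main__":
    # Constructed: high security strength, low-trust subject, 3 login failures per second.
    plan = behavior_decision_model("high", "low")
    print(plan, monitor_subject(plan, [3, 3, 3, 3, 3]))
```

With the high-strength plan the window spans ten one-second periods, so a steady three failures per second reaches the limit within four periods and the index drops to zero; under the low-strength plan the same subject would be sampled every thirty seconds over a four-period window and the burst would be judged on a much coarser picture.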
Further, the dynamically adjusting the access control policy of the access subject according to the result of the dynamic credibility metric includes: dynamically adjusting the access control policy of the access subject according to the result of the dynamic trust metric and a trust metric index, where the trust metric index includes at least one of the network flow behavior trust index, the resource access behavior trust index and the security characteristic behavior trust index. The access control policy can be adjusted according to the network flow behavior trust index and the resource access behavior trust index to prevent hidden attacks, and adjusted according to the security characteristic behavior trust index to rapidly deny the access of the user, so that security is improved.
Optionally, the result of the dynamic trust metric is used as historical behavior metric data, so that when the access subject re-initiates an access request, the initial trust metric of the access subject is predicted according to the historical behavior metric data, and when the access control policy of the access subject is dynamically adjusted according to the result of the dynamic trust metric, the adjustment is performed on the basis of the initial access control policy corresponding to the initial trust metric.
Optionally, in a specific application scenario, dynamically adjusting the access control policy of the access subject according to the result of the dynamic trust metric includes: and dynamically adjusting the access control strategy of the access subject according to the result of the dynamic credibility measurement and the initial credibility measurement.
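The use of stored dynamic measurement results as historical behavior data, from which an initial credibility metric and an initial access control policy are derived when a subject re-initiates access, is shown by the following added Python example (not code from the patent). The exponentially weighted average, the neutral default for a subject without history, the policy thresholds and the weighting between the initial and the live result are all assumptions of the example.

```python
def predict_initial_trust(history: list, decay: float = 0.7, default: float = 0.5) -> float:
    """Predict the initial credibility of a returning subject from its stored dynamic
    measurement results (oldest first, each in [0, 1]). Exponentially weighted so the
    most recent behavior dominates; a subject with no history gets a neutral default."""
    if not history:
        return default
    estimate = history[0]
    for value in history[1:]:
        estimate = decay * value + (1.0 - decay) * estimate
    return round(estimate, 3)


def policy_for(score: float, deny_below: float = 0.3, restrict_below: float = 0.6) -> str:
    """Constructed thresholds mapping a credibility score to an access control policy."""
    if score < deny_below:
        return "deny"
    if score < restrict_below:
        return "restrict"
    return "allow"


def initial_policy(initial_trust: float) -> str:
    """Initial access control policy applied at the moment the subject re-initiates access,
    before any new behavior has been observed."""
    return policy_for(initial_trust)


def adjust_policy(initial_trust: float, dynamic_result: float, weight_dynamic: float = 0.6) -> str:
    """Adjust on the basis of the initial policy: combine the predicted initial trust with
    the current dynamic measurement result, weighting the live result more heavily."""
    combined = weight_dynamic * dynamic_result + (1.0 - weight_dynamic) * initial_trust
    return policy_for(round(combined, 3))


if __name__ == "__main__":
    # Constructed history: two clean sessions, then one that ended badly.
    history = [1.0, 1.0, 0.2]
    t0 = predict_initial_trust(history)
    print(t0, initial_policy(t0), adjust_policy(t0, 0.9), adjust_policy(t0, 0.5))
```

Because the initial policy is derived from history rather than reset to "allow" on every new request, a subject whose last session was measured as untrustworthy starts the next session restricted and has to earn its way back through clean live measurements, while a subject with a long clean record is not penalised for one session of mild noise.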
Fig. 4 is a schematic structural diagram of a zero-trust access control apparatus in the fourth embodiment of the present application; as shown in fig. 4, it includes:
a validity authentication unit 401, configured to perform validity authentication on an identity of an access subject initiating an access request based on a set trusted metric model;
a credibility measurement unit 402, configured to perform real-time monitoring on the behavior of the access subject that is subjected to the validity authentication, and perform dynamic credibility measurement according to the behavior monitored in real time;
a dynamic adjustment unit 403, configured to dynamically adjust an access control policy of the access subject according to a result of the dynamic trust metric.
Optionally, in this embodiment, the trusted metric model may be a dynamic metric model.
Optionally, based on the set trusted metric model, when performing identity validity authentication on the access subject initiating the access request, the authentication may be performed according to the set identity factor authentication manner. The identity authentication factors are, for example, user name and password, dynamic password, two-dimensional code, and push authentication information, or can be combined with various identity authentication factors such as external human face and voiceprint, so that a multi-factor authentication mode is provided, and the authentication security is improved.
Optionally, in performing the dynamic trust measurement, a periodic trust measurement may be performed based on the behavior level of the access subject to identify network attack behaviors with long latency and strong imperceptibility, including but not limited to sniff attacks, password attacks, flood attacks, and the like.
Optionally, the behavior of the access subject may include a network traffic behavior, a resource access behavior, and a security characteristic behavior, where the network traffic behavior includes the number of suspicious packets in unit time, the number of times of abnormal throughput rate in unit time, and the average number of bytes of data packets in unit time; the resource access behavior comprises access failure times in unit time, login failure times in unit time, sensitive data access times in unit time and the like; the security characteristic behaviors comprise scanning detection attack behaviors, password detection attack behaviors, direct attack behaviors and the like, so that comprehensive monitoring of access subject behaviors is realized, credible measurement is carried out on the behaviors as comprehensive as possible when dynamic credible measurement is carried out, the objectivity and accuracy of credible measurement results are ensured, and the security is improved.
In the embodiment, the network flow behavior, the resource access behavior and the security characteristic behavior of the access subject subjected to the legality authentication are monitored in real time, and accordingly, the obtained credibility measurement result can be graded to obtain the network flow behavior credibility measurement index, the resource access behavior credibility measurement index and the security characteristic behavior credibility measurement index, so that the access control strategy can be adjusted according to the network flow behavior credibility measurement index and the resource access behavior credibility measurement index, hidden attacks are prevented, the access control strategy is adjusted according to the security characteristic behavior credibility measurement index, the access of a user is denied rapidly, and the security is improved.
Fig. 5 is a schematic structural diagram of a zero-trust access control apparatus in the fifth embodiment of the present application; as shown in fig. 5, it includes:
a validity authentication unit 501, configured to perform validity authentication on an identity of an access subject initiating an access request based on a set trusted metric model;
a credibility measurement unit 502, configured to perform real-time monitoring on the behavior of the access subject subjected to the validity authentication, and perform dynamic credibility measurement according to the behavior monitored in real time;
a dynamic adjustment unit 503, configured to dynamically adjust an access control policy of the access subject according to a result of the dynamic trust metric.
Optionally, in an application scenario, the dynamic adjustment unit is further configured to:
and dynamically adjusting the access control strategy of the access subject by issuing a flow table according to the result of the dynamic credibility measurement.
Because the access control strategy is dynamically adjusted based on the flow table, the continuity of the adjustment of the access control strategy is ensured, the rapidity of the adjustment is ensured, and the safety is ensured to the maximum extent.
Optionally, in an application scenario, the dynamic adjustment unit is further configured to:
generating the flow table to be issued according to the result of the dynamic credibility measurement, wherein at least one access action is set in the flow table;
and dynamically adjusting the access control strategy of the access subject according to the flow table.
Optionally, the flow table may be specifically issued by a packet-out message.
Optionally, the access control policy of the access subject may be dynamically adjusted specifically by a flow-mod message. The flow-mod message defines the operations of adding, deleting and modifying flow table entries, through which the access control policy of the access subject is dynamically adjusted.
Specifically, in an application scenario, the dynamic adjustment unit includes:
a flow table module 513, configured to generate the flow table to be issued according to the result of the dynamic trust measurement, where at least one access action is set in the flow table;
an adjusting module 523, configured to dynamically adjust an access control policy of the access subject according to the flow table.
Fig. 6 is a schematic structural diagram of a zero-trust access control apparatus in the sixth embodiment of the present application; as shown in fig. 6, it includes:
a validity authentication unit 601, configured to perform validity authentication on an identity of an access subject initiating an access request based on a set trusted metric model;
a credibility measuring unit 602, configured to perform real-time monitoring on the behavior of the access subject that is subjected to the validity authentication, and perform dynamic credibility measurement according to the behavior monitored in real time;
a dynamic adjustment unit 603, configured to dynamically adjust an access control policy of the access subject according to a result of the dynamic trust metric.
Optionally, in a specific application scenario, the confidence metric unit is further configured to:
and monitoring the behavior of the access subject subjected to the legality authentication in real time based on the set security intensity configuration, and performing dynamic credibility measurement according to the behavior monitored in real time.
The security strength configuration can be set flexibly according to the application scenario, or the application scenario can be monitored and the security strength configuration adjusted adaptively. The higher the security strength requirement in the security strength configuration, the greater the intensity of behavior monitoring, for example finer granularity and higher frequency of the monitored behavior.
Optionally, in a specific application scenario, the confidence metric unit is further configured to:
generating a behavior decision model based on the set security strength configuration and the trust level of the access subject;
and monitoring the behavior of the access subject subjected to the legality authentication in real time according to the behavior decision model, and performing dynamic credibility measurement according to the behavior monitored in real time.
The higher the security strength in the security strength configuration and the lower the trust level, the more intensive the behavior monitoring, for example finer granularity and higher frequency. Conversely, the lower the security strength in the security strength configuration and the higher the trust level, the less intensive the behavior monitoring, for example coarser granularity and lower frequency of the monitored behavior.
In the behavior decision model, the granularity of monitored behaviors and the monitoring frequency are defined.
Optionally, in a specific application scenario, the confidence metric unit includes:
a decision module 612, configured to generate a behavior decision model based on the set security strength configuration and the trust level of the access subject;
and a measuring module 622, configured to perform real-time monitoring on the behavior of the access subject that is subjected to the validity authentication according to the behavior decision model, and perform dynamic credibility measurement according to the behavior monitored in real time.
In this embodiment, if the access control policy of the access subject is dynamically adjusted based on the flow table, the behavior decision model specifically generates an adjustment policy, and the adjustment policy is included in the flow table, so that the access control policy of the access subject is quickly enforced based on the flow table: once a potential security hazard exists, access to the resource can be quickly prohibited or the access right quickly limited.
Optionally, the apparatus further comprises: the association unit is used for taking the result of the dynamic credibility measurement as historical behavior measurement data so as to predict the initial credibility measurement of the access subject according to the historical behavior measurement data when the access subject re-initiates an access request;
the adjusting unit is further configured to dynamically adjust the access control policy of the access subject according to the result of the dynamic credibility measurement and the initial credibility measurement. When the access control policy of the access subject is dynamically adjusted, the adjustment is carried out on the basis of the initial access control policy corresponding to the initial credibility measurement.
Optionally, in another application scenario, the credibility measurement unit is further configured to:
monitor the behavior of the access subject subjected to the legality authentication in real time based on a set time period and a sliding window, and perform dynamic credibility measurement according to the behavior monitored in real time.
Specifically, the adjusting unit is further configured to dynamically adjust the access control policy of the access subject according to the result of the dynamic credibility measurement and a trust metric index, the trust metric index including at least one of a network flow behavior trust index, a resource access behavior trust index and a security characteristic behavior trust index. The access control policy can be adjusted according to the network flow behavior trust index and the resource access behavior trust index to prevent hidden attacks, and according to the security characteristic behavior trust index to rapidly deny the access of the user, so that security is improved.
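The measurement loop described in the passages above (behavior decision model derived from security strength and trust level, sliding-window monitoring, the three trust indices, flow-mod adjustment of the access control policy, and history-based initial trust), as an added illustration that is not part of the patent. All weights, thresholds, field names, event records and the subject address 10.0.0.5 are constructed assumptions of this example.

```python
"""Constructed walk-through of the patent's dynamic trust loop: sliding-window
behaviour monitoring -> three trust indices -> dynamic credibility measurement
-> flow-mod messages adjusting the subject's policy, plus the behaviour decision
model and history-based initial trust. All weights, thresholds and sample data
are assumptions of this example, not values from the patent."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BehaviorEvent:  # one observation of an authenticated access subject (constructed)
    ts: float             # seconds since monitoring began
    bytes_sent: int       # network flow behaviour
    resource: str         # resource access behaviour
    authorized: bool      # resource lies within the subject's current grant
    security_alert: bool  # security characteristic behaviour (e.g. IDS hit)


@dataclass
class TrustMetrics:
    flow: float      # network flow behaviour trust index, 0..1
    access: float    # resource access behaviour trust index, 0..1
    security: float  # security characteristic behaviour trust index, 0 or 1

    def dynamic_trust(self):
        # Weights are an assumption; a security hit is also enforced directly.
        return round(0.4 * self.flow + 0.4 * self.access + 0.2 * self.security, 3)


def measure_window(events, window_s, now, byte_limit):
    """Dynamic credibility measurement over the sliding window [now - window_s, now]."""
    recent = [e for e in events if now - e.ts <= window_s]
    if not recent:  # nothing observed in the window: no evidence against the subject
        return TrustMetrics(1.0, 1.0, 1.0)
    total = sum(e.bytes_sent for e in recent)
    flow = round(min(1.0, byte_limit / total), 3) if total else 1.0
    access = round(sum(e.authorized for e in recent) / len(recent), 3)
    security = 0.0 if any(e.security_alert for e in recent) else 1.0
    return TrustMetrics(flow, access, security)


def behavior_decision_model(security_strength, trust_level):
    """Monitoring granularity and frequency from the security strength configuration
    (1..3) and the trust level (0..1): higher strength and lower trust -> finer, more often."""
    pressure = security_strength * (1.0 - trust_level)  # 0..3
    if pressure >= 2.0:
        return {"granularity": "per-request", "interval_s": 1}
    if pressure >= 1.0:
        return {"granularity": "per-session", "interval_s": 10}
    return {"granularity": "per-subject", "interval_s": 60}


def flow_mods(subject_ip, trust, security_index):
    """Turn a measurement result into OpenFlow-style flow-mod messages
    (add / modify / delete) for the access subject's flow entries."""
    match = {"ipv4_src": subject_ip}
    if security_index == 0.0 or trust < 0.3:
        # Security-characteristic hit or very low trust: replace entries with a drop.
        return [{"command": "DELETE", "match": match},
                {"command": "ADD", "match": match, "priority": 100, "actions": ["DROP"]}]
    if trust < 0.7:
        # Suspicious flow or access pattern: limit the access right rather than deny it.
        return [{"command": "MODIFY", "match": match, "priority": 50,
                 "actions": ["METER:rate_limit", "OUTPUT:gateway"]}]
    return [{"command": "MODIFY", "match": match, "priority": 10,
             "actions": ["OUTPUT:gateway"]}]


class TrustHistory:
    """Past dynamic measurements, used to predict a returning subject's initial trust."""
    def __init__(self):
        self._hist = {}
    def record(self, subject, trust):
        self._hist.setdefault(subject, []).append(trust)
    def initial_trust(self, subject, default=0.5):
        h = self._hist.get(subject)
        return round(sum(h) / len(h), 3) if h else default


# Constructed sample: one subject whose traffic bursts towards an unauthorized path.
SAMPLE_EVENTS = [
    BehaviorEvent(0.0, 1000, "/api/orders", True, False),
    BehaviorEvent(5.0, 2000, "/api/orders", True, False),
    BehaviorEvent(8.0, 50000, "/admin/users", False, False),
    BehaviorEvent(9.0, 500, "/api/orders", True, False),
]
```

With the sample events and a 10-second window, the flow index drops to 0.374 and the access index to 0.75, giving a dynamic trust of 0.65 and a rate-limiting MODIFY; adding a single security-alert event forces the DELETE plus ADD-DROP pair regardless of the other indices.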
Fig. 7 is a schematic structural diagram of an electronic device in a seventh embodiment of the present application; as shown in fig. 7, it includes: a memory 701 having a computer executable program stored thereon and a processor 702 for executing the computer executable program to implement the method of any of the embodiments of the present application.
Fig. 8 is a schematic hardware structure diagram of an electronic device in an eighth embodiment of the present application; as shown in fig. 8, the hardware structure of the electronic device may include: a processor 801, a communication interface 802, a computer-readable medium 803 and a communication bus 804;
the processor 801, the communication interface 802 and the computer-readable medium 803 communicate with each other through the communication bus 804;
optionally, the communication interface 802 may be an interface of a communication module, such as an interface of a GSM module;
the processor 801 may be specifically configured to run an executable program stored in the memory, so as to perform all or part of the processing steps of any of the above method embodiments.
The processor 801 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP) and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components, and may implement or perform the various methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The electronic device of the embodiments of the present application exists in various forms, including but not limited to:
(1) Mobile communication devices, which are characterized by mobile communication capabilities and are primarily targeted at providing voice and data communications. Such terminals include smart phones (e.g., iPhones), multimedia phones, feature phones and low-end phones, among others.
(2) Ultra-mobile personal computer devices, which belong to the category of personal computers, have computing and processing functions and generally have mobile internet access. Such terminals include PDA, MID and UMPC devices, such as iPads.
(3) Portable entertainment devices, which can display and play multimedia content. Such devices include audio and video players (e.g., iPods), handheld game consoles, electronic book readers, as well as smart toys and portable car navigation devices.
(4) Servers, which are similar in architecture to general computers but have higher requirements on processing capability, stability, reliability, security, scalability, manageability and the like because they need to provide highly reliable services.
(5) Other electronic devices with data interaction functions.
FIG. 9 is a schematic structural diagram of a computer storage medium according to a ninth embodiment of the present application; as shown in fig. 9, the computer storage medium has a computer executable program stored thereon, and the computer executable program is executed to implement the method according to any embodiment of the present application.
An embodiment of the present application further provides a data system, which includes the electronic device according to any embodiment of the present application.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via communication section XXX and/or installed from removable media XXX. The above-described functions defined in the method of the present application are performed when the computer program is executed by a Central Processing Unit (CPU) XXX. It should be noted that the computer readable medium described herein can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. 
In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The above description is only one specific embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (10)
1. A zero trust access control method, comprising:
based on the set credibility measurement model, carrying out identity validity authentication on an access subject initiating the access request;
monitoring the behavior of the access subject subjected to the legality authentication in real time, and performing dynamic credibility measurement according to the behavior monitored in real time;
and dynamically adjusting the access control strategy of the access subject according to the result of the dynamic credibility measurement.
2. The method of claim 1, wherein dynamically adjusting the access control policy of the accessing principal according to the result of the dynamic trustworthiness metric comprises:
and dynamically adjusting the access control strategy of the access subject by issuing a flow table according to the result of the dynamic credibility measurement.
3. The method of claim 1, wherein dynamically adjusting the access control policy of the accessing agent by issuing a flow table according to the result of the dynamic trust metric comprises:
generating the flow table to be issued according to the result of the dynamic credibility measurement, wherein at least one access action is set in the flow table;
and dynamically adjusting the access control strategy of the access subject according to the flow table.
4. The method of claim 1, wherein the monitoring the behavior of the legally authenticated accessing agent in real time and performing dynamic credibility measurement according to the real-time monitored behavior comprises:
and monitoring the behavior of the access subject subjected to the legality authentication in real time based on the set security intensity configuration, and performing dynamic credibility measurement according to the behavior monitored in real time.
5. The method according to any one of claims 1-6, wherein the monitoring the behavior of the legally authenticated accessing subject in real time and performing dynamic credibility measurement according to the real-time monitored behavior comprises:
and monitoring the behavior of the access subject subjected to the legality authentication in real time based on a set time period and a sliding window, and performing dynamic credibility measurement according to the behavior monitored in real time.
6. A zero trust access control apparatus, comprising:
the validity authentication unit is used for carrying out identity validity authentication on an access subject initiating the access request based on the set credibility measurement model;
the credibility measurement unit is used for monitoring the behavior of the access subject subjected to the legality authentication in real time and carrying out dynamic credibility measurement according to the behavior monitored in real time;
and the dynamic adjusting unit is used for dynamically adjusting the access control strategy of the access subject according to the result of the dynamic credibility measurement.
7. The apparatus of claim 6, wherein the dynamic adjustment unit is further configured to:
and dynamically adjusting the access control strategy of the access subject by issuing a flow table according to the result of the dynamic credibility measurement.
8. The apparatus of claim 6, wherein the dynamic adjustment unit is further configured to:
generating the flow table to be issued according to the result of the dynamic credibility measurement, wherein at least one access action is set in the flow table;
and dynamically adjusting the access control strategy of the access subject according to the flow table.
9. An electronic device comprising a memory having computer-executable instructions stored thereon and a processor configured to execute the computer-executable instructions to perform the method of any of claims 1-6.
10. A computer storage medium having computer-executable instructions stored thereon that, when executed, implement the method of any one of claims 1-8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110932724.XA CN113783844A (en) | 2021-08-13 | 2021-08-13 | Zero-trust access control method and device and electronic equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113783844A true CN113783844A (en) | 2021-12-10 |
Family ID: 78837769
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20200236112A1 (en) * | 2019-01-18 | 2020-07-23 | Cisco Technology, Inc. | Machine learning-based application posture for zero trust networking |
US20200336508A1 (en) * | 2020-07-04 | 2020-10-22 | Kumar Srivastava | Method and system to stitch cybersecurity, measure network cyber health, generate business and network risks, enable realtime zero trust verifications, and recommend ordered, predictive risk mitigations |
CN111953679A (en) * | 2020-08-11 | 2020-11-17 | 中国人民解放军战略支援部队信息工程大学 | Intranet user behavior measurement method and network access control method based on zero trust |
CN112055029A (en) * | 2020-09-16 | 2020-12-08 | 全球能源互联网研究院有限公司 | Zero-trust power Internet of things equipment and user real-time trust degree evaluation method |
CN112087469A (en) * | 2020-09-18 | 2020-12-15 | 全球能源互联网研究院有限公司 | Zero-trust dynamic access control method for power Internet of things equipment and users |
CN112311768A (en) * | 2020-09-29 | 2021-02-02 | 新华三信息安全技术有限公司 | Policy center, control system, method, medium, and device for non-http protocol application |
CN112737824A (en) * | 2020-12-23 | 2021-04-30 | 中电积至(海南)信息技术有限公司 | User trust measurement method in zero-trust SDN network |
CN113051602A (en) * | 2021-01-22 | 2021-06-29 | 东南大学 | Database fine-grained access control method based on zero trust architecture |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114124583A (en) * | 2022-01-27 | 2022-03-01 | 杭州海康威视数字技术股份有限公司 | Terminal control method, system and device based on zero trust |
CN114866331A (en) * | 2022-05-31 | 2022-08-05 | 新华三信息安全技术有限公司 | Dynamic access authentication method under zero trust network, gateway equipment and storage medium |
CN114866331B (en) * | 2022-05-31 | 2024-02-09 | 新华三信息安全技术有限公司 | Dynamic access authentication method and device under zero trust network and storage medium |
WO2024027328A1 (en) * | 2022-08-05 | 2024-02-08 | 盈适慧众(上海)信息咨询合伙企业(有限合伙) | Data processing method based on zero-trust data access control system |
CN115361186A (en) * | 2022-08-11 | 2022-11-18 | 哈尔滨工业大学(威海) | Zero trust network architecture for industrial internet platform |
CN115361186B (en) * | 2022-08-11 | 2024-04-19 | 哈尔滨工业大学(威海) | Zero trust network architecture for industrial Internet platform |
CN115913696A (en) * | 2022-11-10 | 2023-04-04 | 国网四川省电力公司电力科学研究院 | Virtual network zero trust access control method, device, equipment and medium |
CN115913696B (en) * | 2022-11-10 | 2024-04-26 | 国网四川省电力公司电力科学研究院 | Virtual network zero trust access control method, device, equipment and medium |
CN116401658A (en) * | 2023-04-10 | 2023-07-07 | 淳安华数数字电视有限公司 | Smart television sensitive data security control method and system |
CN116401658B (en) * | 2023-04-10 | 2024-02-27 | 淳安华数数字电视有限公司 | Smart television sensitive data security control method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20211210 |