CN113901499A - Zero-trust access authority control system and method based on trusted computing - Google Patents


Info

Publication number: CN113901499A
Authority: CN (China)
Prior art keywords: user, access, module, security, behavior
Legal status: Pending
Application number: CN202111212789.3A
Other languages: Chinese (zh)
Inventors: 魏明, 阮安邦, 陈凯, 李飞, 陈旭明
Current assignee: Beijing Octa Innovations Information Technology Co Ltd
Original assignee: Beijing Octa Innovations Information Technology Co Ltd
Application filed by Beijing Octa Innovations Information Technology Co Ltd
Priority to CN202111212789.3A
Publication of CN113901499A

Classifications

    All entries fall under G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING:
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/60 Protecting data › G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/00 › G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals › G06F21/31 User authentication
    • G06F21/00 › G06F21/30 › G06F21/31 › G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G06F21/00 › G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements › G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a zero-trust access authority control system and method based on trusted computing. The access authority control system comprises at least an identity authentication module, a security situation evaluation module and an access authority control module. The identity authentication module authenticates the identity of the user and generates identity authentication information corresponding to the user. The security situation evaluation module monitors at least the security situation of the user, and the access authority control module obtains at least the identity authentication information. Where the access authority control module can also acquire the security situation, it is configured to control the access authority of the user based on both the identity authentication information and the security situation.

Description

Zero-trust access authority control system and method based on trusted computing
Technical Field
The invention relates to the technical field of authority management and control, in particular to a trusted computing-based zero-trust access authority control system and method.
Background
Traditional security protection is boundary-based: an enterprise builds an intranet and secures an internal zone through physical isolation, VPNs and similar facilities. Today, however, the IT boundary has been broken. With the spread of cloud computing and edge computing and the wide application of big data and AI, data flows and computing environments have changed markedly, and the IT boundary has become increasingly blurred. In addition, the number of upstream and downstream partners and internal employees of an enterprise has grown, user access requests have become more complex, and over-authorization of users by the enterprise has become more common. The epidemic has made new and remote ways of working the norm and broken past office habits. Physical isolation is plainly at odds with remote work, and the basic premise for building and deploying a VPN is that an enterprise boundary exists. The security concept of inside/outside isolation is therefore inflexible and cannot meet the new requirements. Zero trust arose in response; its central idea is that no one, inside or outside the enterprise, is trusted by default, and every person, device and thing attempting to reach the network or its resources is continuously verified. This breaks with boundary-based network defense and is an approach better suited to the new requirements.
For example, Chinese patent document CN112118102A discloses a zero-trust network system dedicated to electric power, in the technical field of power grids, comprising an access authentication module, an access right control module, a data classification and grading module and a security situation awareness module. The access authentication module includes a device authentication module, which requires authentication before connection, and a user authentication module, which comprises multi-factor authentication and biometric authentication and applies different authentication strengths to different application systems and different data. The access right control module comprises a terminal access agent realized by a trusted terminal at the initiator and a gateway agent realized by a secure access gateway; the data classification and grading module classifies and grades the accessed resources; and the security situation awareness module comprises a risk and trust evaluation and policy decision model. That invention modifies, upgrades or redeploys the dedicated power network through access authentication, access right control, data classification and security situation perception. However, it still has the following technical defect: it does not consider benign change factors such as upgrades of the user's related systems or equipment, application updates and network changes; when such a factor occurs, the user's authentication information and the access rights corresponding to it may in fact change with it.
For example, when a system related to the user is upgraded or an application is updated, this may speed up authentication of the user's identity and may correspondingly raise the user's access rights; that invention instead follows statically predefined access rules and cannot adjust the authorization of access rights in real time and dynamically as the user's security situation changes. There is therefore a need for improvement in response to these deficiencies of the prior art.
Furthermore, on the one hand because of differences in understanding among persons skilled in the art, and on the other hand because the applicant studied a great deal of literature and patents when making the present invention but the disclosure is not limited to them and their details and contents are not listed here, it by no means follows that the present invention has only these prior-art features; rather, the present invention has all the features of the prior art, and the applicant reserves the right to add related prior art to the background.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a zero-trust access authority control system based on trusted computing. The access right control system at least comprises an identity authentication module, a security situation evaluation module and an access right control module.
The identity authentication module can be used for authenticating the identity of the user and generating identity authentication information corresponding to the user. The identity authentication module can send the identity authentication information to the access authority control module to identify the identity of the user.
The security situation evaluation module can at least monitor the security situation of the user and can send the security situation to the access authority control module, so that the access authority control module can master the change of the security situation of the user in real time.
The access authority control module can acquire at least the identity authentication information generated by the identity authentication module and the security situation acquired by the security situation evaluation module, and, where it can acquire the security situation, is configured to control the access authority of the user based on the identity authentication information and the security situation.
Particularly preferably, the access right control module is further capable of screening subsequent users and/or user behaviors based on characteristics of normal users and/or normal user behaviors. Preferably, the characteristics are a basic pattern common to normal users and/or normal user behavior, for example the login time, query scope, access rights, average access amount, and security or trust level of a normal user's account.
For example, the security posture assessment module may analyze and identify the login time, query scope, access rights, average access amount, security or trust level, etc. of the accounts of past normal users, and the access authority control module can then perform dynamic access control based on the same attributes of the current user. For example, when a user abnormally accesses a system, device, process or the like beyond their access rights and outside the usage baseline of their normal hours, the access right control module automatically downgrades the user's access rights in accordance with the abnormal behavior, or directly withdraws all access rights corresponding to the user's identity authentication information.
For another example, when a user accesses a system, device, process or the like that does not match their security or trust level, the access right control module may likewise automatically downgrade the user's access rights to match the abnormal behavior, or directly withdraw all of the user's access rights.
With this configuration the access rights control module acquires a dynamically adaptive capability: it continuously updates its internally stored characteristics of normal users and user behavior as those users and behaviors change over time. Once the access right control module has this adaptive capability, the traditional access control mode of blocking or releasing according to previously known rules or signatures can be abandoned. Wherever the user is, the user must pass the identity verification, and possibly the device verification, of the access right control module, and can access a specific resource only after obtaining the dynamic authorization that the access right control module issues based on the user's security situation.
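The screening described above, as an added example that is not code from the patent: a minimal access-rights controller learns each account's baseline (login hours, query scope, highest right held, typical access volume) from past normal sessions and downgrades or withdraws rights when a new request falls outside that baseline. The records, the three-standard-deviation volume threshold and the one-level downgrade are constructed assumptions.

```python
"""
Added example, not code from the patent: an access-rights controller that
learns an account's baseline from past normal sessions and adjusts rights
for requests that deviate from it. Records and thresholds are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class AccessRecord:
    account: str
    login_hour: int      # hour of day, 0-23
    query_scope: str     # data set the session queried
    access_amount: int   # records touched in the session
    right_level: int     # access right the session used, 1 = lowest


@dataclass
class Baseline:
    hours: set[int] = field(default_factory=set)
    scopes: set[str] = field(default_factory=set)
    max_right: int = 0
    mean_amount: float = 0.0
    stdev_amount: float = 0.0


def build_baseline(history: list[AccessRecord]) -> Baseline:
    """Derive the 'basic pattern' of a normal account from its past sessions."""
    amounts = [r.access_amount for r in history]
    return Baseline(
        hours={r.login_hour for r in history},
        scopes={r.query_scope for r in history},
        max_right=max(r.right_level for r in history),
        mean_amount=mean(amounts),
        stdev_amount=pstdev(amounts),
    )


def decide(baseline: Baseline, request: AccessRecord, granted_right: int) -> tuple[str, int]:
    """
    Evaluate one request against the account's baseline.
    Returns (decision, right_for_this_session):
      "revoke"    - the request uses a right the account never held; all rights withdrawn
      "downgrade" - login time, query scope or volume deviates; rights reduced one level
      "allow"     - the request fits the baseline; granted right kept
    """
    if request.right_level > baseline.max_right:
        return "revoke", 0
    deviations = []
    if request.login_hour not in baseline.hours:
        deviations.append("login_time")
    if request.query_scope not in baseline.scopes:
        deviations.append("query_scope")
    # Volume spike: more than three standard deviations above the account's mean
    # (a floor of 1.0 keeps the limit meaningful for accounts with constant volume).
    limit = baseline.mean_amount + 3 * max(baseline.stdev_amount, 1.0)
    if request.access_amount > limit:
        deviations.append("access_amount")
    if deviations:
        return "downgrade", max(granted_right - 1, 1)
    return "allow", granted_right


# Constructed history for one normal account: office-hours sessions on the
# "sales" data set with a stable volume and right level 3.
HISTORY = [
    AccessRecord("alice", 8, "sales", 100, 3),
    AccessRecord("alice", 9, "sales", 120, 3),
    AccessRecord("alice", 10, "sales", 110, 3),
    AccessRecord("alice", 9, "sales", 130, 3),
]


def evaluate_requests() -> dict[str, tuple[str, int]]:
    """Run four constructed requests through the controller."""
    baseline = build_baseline(HISTORY)
    requests = {
        "normal":       AccessRecord("alice", 9, "sales", 115, 3),
        "off_hours":    AccessRecord("alice", 2, "sales", 115, 3),
        "volume_spike": AccessRecord("alice", 9, "sales", 1000, 3),
        "above_rights": AccessRecord("alice", 9, "sales", 115, 5),
    }
    return {name: decide(baseline, req, granted_right=3) for name, req in requests.items()}


if __name__ == "__main__":
    for name, outcome in evaluate_requests().items():
        print(f"{name:13s} -> {outcome}")
```

The baseline is rebuilt from history rather than fixed in a rule table, which is the point of the adaptive behaviour the text describes: as normal sessions accumulate, the set of accepted hours and scopes and the volume limit move with them, while a right the account has never held is refused regardless of history.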
According to a preferred embodiment, the security posture assessment module comprises at least a normal user behavior generation unit. The normal user behavior generating unit is configured to be capable of generating normal user behaviors matched with the security requirements of the user according to application scenes of different users and/or the security situation monitored by the security situation evaluating module.
According to a preferred embodiment, the security posture assessment module further comprises a user entity behavior analysis unit. The user entity behavior analysis unit is configured to at least monitor and analyze a process or a program in a normal user behavior operated by a user, so as to monitor whether the process or the program in the normal user behavior operated by the user is abnormal or not, and send a monitored security situation of the user to the security situation evaluation module.
According to a preferred embodiment, the normal user behavior generating unit can collect normal user behaviors of a plurality of different users to form a new normal user behavior database, so that the normal user behavior database and the normal user behavior monitored by the user entity behavior analyzing unit in an abnormal state are analyzed and compared.
According to a preferred embodiment, the security situation assessment module is provided with or integrated with a voltage analysis unit. The voltage analysis unit is configured to monitor at least the user's voltage and/or changes in that voltage, in order to judge by detecting them whether the user is subject to a security attack related to voltage changes.
According to a preferred embodiment, the security situation assessment module is further provided with or integrated with a data storage unit. The data storage unit at least can acquire and store the data information related to the voltage collected by the voltage analysis unit.
According to a preferred embodiment, the system further comprises a data classification and grading module. The data classification and grading module can classify and grade the access resources of the user.
According to a preferred embodiment, the security situation assessment module comprises a risk and trust assessment unit capable of assessing a user's risk and trust level and deriving a quantitative risk score; combining the risk score with the current access behavior, it performs trust assessment to determine whether the trust level of the access behavior is the same as, or substantially the same as, the security level of the resource accessed.
According to a preferred embodiment, the security situation assessment module comprises a policy decision model unit for solving an initial policy, the initial policy comprising an initial policy baseline and a setting of an implicit trust zone.
A zero-trust access authority control method based on trusted computing comprises the following steps:
the identity authentication module authenticates the identity of the user and generates identity authentication information corresponding to the user;
the safety situation evaluation module monitors the safety situation of the user;
the access authority control module acquires the identity authentication information;
and the access authority control module controls the access authority of the user based on the identity authentication information and the security situation.
Drawings
FIG. 1 is a simplified schematic diagram of a preferred embodiment of the present invention.
List of reference numerals
1: identity authentication module; 2: security posture assessment module; 3: access right control module;
201: normal user behavior generating unit; 202: user entity behavior analysis unit;
203: voltage analysis unit; 204: data storage unit;
4: data classification and grading module.
Detailed Description
The following detailed description is made with reference to the accompanying drawings.
Before describing the system, in order to better understand the technical solution of the present invention, a brief description is given to the relevant contents of trusted computing.
The basic principle of trusted computing is to establish a root of trust whose security and reliability are ensured in three respects, physical security, management security and technical security, and then to build from it a trust chain that extends through the whole computer system to ensure the trustworthiness of the entire system. Measurement and authentication proceed step by step from the root of trust to the hardware platform, the operating system and the application user, with trust passed along at each step, so that the whole computer system runs in a trusted state and a trusted computing environment is created for it. The root of trust, hardware platform, operating system and application user together form a trusted computer system.
Trusted computing establishes an immune system for the computer: security protection is carried out while computation proceeds, so that results are always consistent with expectations and the whole computing process is measurable, controllable and free of interference. Computation and protection coexist. The system has functions such as identity recognition, state measurement and sealed storage, and can recognize non-self components in time, so that harmful elements entering it are destroyed and repelled, as in a biological organism.
The trusted computing environment hierarchy may be described as:
Trusted computing nodes are built with cryptography as the foundation (including cryptographic algorithms, cryptographic protocols, certificate management and the like), the chip as the pillar, the mainboard as the platform and trusted basic support software as the core; multiple trusted computing nodes form a network-based trusted information system, on which a trusted application support environment is built for the application system.
Specifically, the trusted computing environment hierarchy includes several aspects:
1) Bottom hardware layer: at the hardware level, a trusted cryptography module (TCM/TPM) is added to the basic hardware platform, and a Core Root of Trust for Measurement (CRTM) is implanted in the platform's boot ROM, so that the bottom layer starts securely and in a controlled way.
2) Secure operating system layer: at the operating-system level, trusted services are provided by a Trusted Services Module (TSM). The cryptographic module in the trusted computing system serves as an internal software support module, adapting the operating system to the TCM and at the same time reinforcing the TCM.
3) Application layer: specific application services are realized at the application level. To ensure that all application services run in a secure, trusted environment, the trusted computing architecture must maintain a trusted environment from the underlying hardware up to the upper-layer applications. The root of trust must be linked to every application service, and the chain of trust is authenticated link by link, so that the whole environment is trusted and all services can run securely and stably within it.
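The step-by-step measurement described in the three layers above, as an added example that is neither the patent's code nor any TPM/TCM vendor's: a software model in which each stage hashes the next component before handing control to it, and the hashes are folded into one register with the extend rule a TPM PCR uses, register = SHA-256(register || SHA-256(component)). The component images, the stage names and the golden (expected) register value are constructed for the example; a real platform would hold the register in the TCM/TPM and the golden value with the verifier.

```python
"""
Added example, not code from the patent or any TPM/TCM vendor: a model of
chain-of-trust measurement from the CRTM up to the application, with a
PCR-style extend register and the event log a verifier would check.
Component images and golden values are constructed.
"""
from __future__ import annotations
import hashlib
import hmac

# Constructed stand-ins for the boot chain the CRTM measures, in boot order.
GOOD_CHAIN = [
    ("firmware",    b"firmware image v1.0"),
    ("boot_loader", b"boot loader image v2.3"),
    ("os_kernel",   b"kernel image 5.10"),
    ("application", b"access-control service v1"),
]


def extend(register: bytes, component: bytes) -> bytes:
    """PCR-style extend: the register can only be moved forward, never reset or rewritten."""
    digest = hashlib.sha256(component).digest()
    return hashlib.sha256(register + digest).digest()


def measure_chain(chain: list[tuple[str, bytes]]) -> tuple[bytes, list[tuple[str, str, str]]]:
    """
    Measure every stage in order. Returns the final register value and an
    event log of (stage, component_hash, register_after) entries, which is
    the evidence a verifier replays during attestation.
    """
    register = bytes(32)  # all-zero at reset, as a PCR is
    log = []
    for name, image in chain:
        register = extend(register, image)
        log.append((name, hashlib.sha256(image).hexdigest(), register.hex()))
    return register, log


def verify(register: bytes, golden: bytes) -> bool:
    """Constant-time comparison of the final register against the known-good value."""
    return hmac.compare_digest(register, golden)


def first_divergence(log, golden_log) -> str | None:
    """Name the first stage whose measurement differs from the golden log, or None."""
    for (name, digest, _), (_, golden_digest, _) in zip(log, golden_log):
        if digest != golden_digest:
            return name
    return None


# Golden values are produced once, offline, from the known-good chain.
GOLDEN_REGISTER, GOLDEN_LOG = measure_chain(GOOD_CHAIN)


def tampered_chain() -> list[tuple[str, bytes]]:
    """The same chain with a modified kernel image: a constructed tampering case."""
    return [(name, b"kernel image 5.10 + injected module" if name == "os_kernel" else image)
            for name, image in GOOD_CHAIN]


def check(chain) -> tuple[bool, str | None]:
    """Measure a chain and report (matches_golden, first_diverging_stage)."""
    register, log = measure_chain(chain)
    return verify(register, GOLDEN_REGISTER), first_divergence(log, GOLDEN_LOG)


if __name__ == "__main__":
    print("good chain  :", check(GOOD_CHAIN))
    print("tampered OS :", check(tampered_chain()))
    print("reordered   :", check(list(reversed(GOOD_CHAIN))))
```

Two properties of the extend rule carry the security argument in the text: a change to any component changes every later register value, so the final value alone detects tampering anywhere in the chain, and the same components measured in a different order give a different value, so the log cannot be reordered to hide which stage loaded first. The event log is what lets the verifier name the stage at which trust broke rather than only that it broke.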
Fig. 1 shows a trusted computing based zero trust access rights control system. The access authority control system at least comprises an identity authentication module 1, a security situation evaluation module 2 and an access authority control module 3.
The identity authentication module 1 can be used at least to authenticate the identity of a user and generate identity authentication information corresponding to the user.
The security situation assessment module 2 is at least capable of monitoring the security situation of the user.
The access right control module 3 can at least obtain the identity authentication information.
In the case that the access right control module 3 can obtain the security situation, the access right control module 3 is configured to control the access right of the user based on the identity authentication information and the security situation.
Preferably, the identity authentication module 1 is capable of determining an identity authentication factor used in authenticating the identity of the user, and an identity authentication mode. Preferably, the identity authentication module 1 can obtain authenticated data used for authenticating the identity of the user according to the identity authentication factor and classify the authenticated data. Preferably, the identity authentication module 1 is capable of performing multi-mode authentication on the classified authenticated data according to the identity authentication mode. Preferably, the identity authentication module 1 may also use other existing technologies to authenticate the identity of the user.
Preferably, the access right control module 3 may include a terminal access agent implemented by a trusted terminal agent at the initiator, and a gateway agent implemented at the secure access gateway.
Preferably, the users include, but are not limited to: a general user, a terminal or a user side, an application access subject object, and the like.
Preferably, the identity authentication module 1 includes a device authentication module and a user authentication module.
Preferably, the device authentication module requires authentication before connection is allowed.
Preferably, the user authentication module comprises a multi-factor authentication and a biometric authentication.
Preferably, the user authentication module is capable of enforcing different authentication strengths according to different application systems and different data.
Preferably, the identity authentication module 1 is capable of authenticating a user. Preferably, the identity authentication module 1 is capable of authenticating a device to which the user applies for access.
Preferably, the security situation assessment module 2 is capable of monitoring the security situation of the user in a time-sequential manner.
Preferably, the security posture includes at least the user's system version information. Preferably, the security posture may also include updates of applications used by the user, changes of networks used by the user, and the like. The user's server may be a personal computer, a workstation, etc. The system version information may be system version upgrades or downgrades, the time of and interval between version changes, etc. The applications may be any application software used by the user. Particularly preferably, the security posture assessment module 2 is capable of identifying the user's system version information. The security situation assessment module 2 can also identify updates of applications used by the user and changes of networks used by the user, and determine or rank the user's security situation based on those updates and/or changes. For example, if the user's server is gradually upgraded over time, the security posture assessment module 2 determines that the user's security posture is benign, or that the security level is ten. Preferably, the security level can be set flexibly according to actual requirements. For example, the security level may range from one to twelve: a level of one to three represents the worst security situation, four to six represents a medium level, seven to nine represents a medium level, and ten to twelve represents the best security situation. When the user's server is gradually downgraded or remains unchanged for a long time, the security situation evaluation module 2 determines that the user's security situation is malignant, or that the security level is one. Preferably, the user's security posture can be represented by a security level.
Preferably, the security posture assessment module 2 is capable of continuously monitoring the user's behavior.
Particularly preferably, the security situation assessment module 2 may employ user entity behavior analysis techniques (UEBA) to continuously monitor the user's behavior.
Preferably, the access rights control module 3 allows a bidirectional flow of access data when the trust level of the access behaviour is the same as the security level of the resource it accesses.
Preferably, the trust level of the access behavior can be artificially flexibly graded according to actual needs. For example, the trust level of an access behavior may be classified into one to ten levels. When the trust level is one, the trust level of the access behavior is the lowest; and when the trust level is ten, the trust level of the access behavior is highest.
Preferably, the user can only obtain or match access rights that are consistent with the identity authentication information based on the identity authentication information of the user.
Preferably, the security posture assessment module 2 may design the relevant risk assessment model according to the NIST RMF framework, SO2704 FAIR-related risk management framework.
According to a preferred embodiment, the security posture assessment module 2 comprises at least a normal user behavior generation unit 201. The normal user behavior generating unit 201 is configured to be able to generate normal user behaviors matching the security requirements of different users according to application scenarios of the users and/or security situations monitored by the security situation evaluating module 2.
According to a preferred embodiment, the security posture assessment module 2 further comprises a user entity behavior analysis unit 202. The user entity behavior analysis unit 202 is configured to at least monitor and analyze a process or a program in a normal user behavior operated by a user, so as to monitor whether the process or the program in the normal user behavior operated by the user is abnormal, and send a monitored security situation of the user to the security situation evaluation module 2.
Under the condition that the user entity behavior analysis unit 202 can send the monitored abnormal condition to the security situation evaluation module 2, the normal user behavior database unit is configured to be capable of at least collecting normal user behaviors of a plurality of different users to form a normal user behavior database, so that the false alarm rate of the user entity behavior analysis unit 202 is reduced by analyzing and comparing the normal user behavior database with the normal user behavior monitored as an abnormal state by the user entity behavior analysis unit 202.
Preferably, the security situation assessment module 2 is also capable of monitoring the security situation of a user (e.g., a server) in a time-sequential manner. Preferably, the security posture includes at least the user's system version information. Preferably, the security posture may also include updates of applications used by the user, changes of networks used by the user, and the like. The user's server may be a personal computer, a workstation, etc. The system version information may be system version upgrades or downgrades, the time of and interval between version changes, etc. The applications may be any application software used by the user. Particularly preferably, the security posture assessment module 2 is capable of identifying the user's system version information. The security posture assessment module 2 is also able to identify updates of applications used by the user and changes in the network used by the user. For example, if the user's server is gradually upgraded over time, the security posture assessment module 2 determines that the user's security posture is benign. When the user's security situation is benign, the normal user behavior generation unit 201 is configured to regard abnormal activity related to the system upgrade, as found by the user entity behavior analysis unit 202, as a benign anomaly and to add it to the existing normal user behavior. When the user's server is gradually downgraded or remains unchanged for a long time, the security situation evaluation module 2 judges that the user's security situation is malignant.
When the user's security situation is malignant, the normal user behavior generation unit 201 is configured to regard abnormal activity related to the system upgrade, as found by the user entity behavior analysis unit 202, as a real anomaly and to send it to the security situation evaluation module 2 for early warning or alarm.
The user entity behavior analysis unit 202 is configured to at least monitor and analyze a process or a program that the user runs on a normal user behavior, so as to monitor whether the process or the program that the user runs on the normal user behavior is abnormal, and send the monitored security situation of the user to the security situation evaluation module 2.
According to a preferred embodiment, the normal user behavior generating unit 201 can collect normal user behaviors of a plurality of different users to form a new normal user behavior database, so as to analyze and compare the normal user behavior database with the normal user behavior monitored as an abnormal state by the user entity behavior analyzing unit 202.
Under the condition that the security situation of the user is monitored by the security situation evaluation module 2, the normal user behavior database unit can collect normal user behaviors of a plurality of different users to form a new normal user behavior database, so that the normal user behavior database and the normal user behavior monitored as an abnormal state by the user entity behavior analysis unit 202 are analyzed and compared to reduce the false alarm rate of the user entity behavior analysis unit 202. The trusted normal user behavior in the normal user behavior database is obtained by the normal user behavior database unit solving for the maximum intersection of normal user behaviors of a plurality of different users.
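Three pieces of the security situation assessment module described above, as an added example that is not the patent's own code: rating a user's posture from its system-version history (gradual upgrades give benign / level ten, downgrades or a long-unchanged version give malignant / level one), triaging an upgrade-related anomaly reported by the behavior analysis unit as a benign anomaly absorbed into the normal baseline or a real one passed on for alarm, and deriving the trusted normal behavior as the intersection of several users' behavior sets. The version timelines, the 365-day staleness window, the mid-scale level six for a mixed history, the reading of "maximum intersection" as the largest set common to all users, and the behavior sets are all constructed assumptions.

```python
"""
Added example, not code from the patent: posture rating from version history,
benign/real anomaly triage, and a trusted baseline from the intersection of
several users' normal behaviours. All data and thresholds are constructed.
"""
from __future__ import annotations
from datetime import date


def rate_posture(version_events: list[tuple[date, int]], today: date,
                 stale_after_days: int = 365) -> tuple[str, int]:
    """
    version_events: (date, version) pairs in chronological order.
    Returns (posture, security_level) on the one-to-twelve scale in the text.
    """
    last_change = version_events[-1][0]
    if (today - last_change).days > stale_after_days:
        return "malignant", 1          # unchanged for a long time
    versions = [v for _, v in version_events]
    ups = sum(b > a for a, b in zip(versions, versions[1:]))
    downs = sum(b < a for a, b in zip(versions, versions[1:]))
    if ups and not downs:
        return "benign", 10            # gradually upgraded
    if downs and not ups:
        return "malignant", 1          # gradually downgraded
    return "medium", 6                 # assumption: mixed history or no trend yet


def triage_anomaly(posture: str, anomaly: str, upgrade_related: bool,
                   normal_behaviour: set[str]) -> tuple[str, set[str]]:
    """
    What the normal user behaviour generation unit does with an anomaly from
    the behaviour analysis unit. Returns (verdict, updated normal behaviour).
    A benign anomaly joins the baseline; a real one leaves it untouched and
    is passed on for early warning.
    """
    if upgrade_related and posture == "benign":
        return "benign_anomaly", normal_behaviour | {anomaly}
    return "real_anomaly", set(normal_behaviour)


def trusted_baseline(user_behaviours: dict[str, set[str]]) -> set[str]:
    """
    'Maximum intersection' read as the largest behaviour set contained in
    every user's behaviour: what all observed users do is taken as trusted.
    """
    sets = list(user_behaviours.values())
    return set.intersection(*sets) if sets else set()


# Constructed data: version timelines and per-user behaviour sets.
TODAY = date(2021, 10, 1)
UPGRADING = [(date(2021, 1, 10), 1), (date(2021, 4, 2), 2), (date(2021, 8, 15), 3)]
DOWNGRADING = [(date(2021, 1, 10), 3), (date(2021, 6, 1), 2)]
STALE = [(date(2019, 3, 1), 4)]
USERS = {
    "u1": {"login", "query_sales", "export_report"},
    "u2": {"login", "query_sales"},
    "u3": {"login", "query_sales", "admin_console"},
}


def demo() -> dict:
    """Rate three servers and triage the same upgrade-related anomaly under two postures."""
    baseline = trusted_baseline(USERS)
    benign, _ = rate_posture(UPGRADING, TODAY)
    malignant, _ = rate_posture(DOWNGRADING, TODAY)
    return {
        "baseline": baseline,
        "upgrading": rate_posture(UPGRADING, TODAY),
        "downgrading": rate_posture(DOWNGRADING, TODAY),
        "stale": rate_posture(STALE, TODAY),
        "benign_triage": triage_anomaly(benign, "new_updater_process", True, baseline),
        "real_triage": triage_anomaly(malignant, "new_updater_process", True, baseline),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)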
According to a preferred embodiment, the security situation assessment module 2 is provided with or integrated with a voltage analysis unit 203. The voltage analysis unit 203 is configured to monitor at least the voltage and/or the voltage variation of the user, so as to determine, by detecting the voltage and/or the voltage variation, whether the user is subject to a security attack related to voltage variation.
For example, the user may be a substation, an enterprise, a server, a workstation, etc. Preferably, the security situation assessment module 2 is also able to provide or integrate the user entity behavior analysis unit 202. An example of a security attack related to a voltage change is the following: an attacker may use operating-system-level means on the PC to tamper with the voltage and frequency of the processor, corrupting internal bits and exploiting manufacturing faults, so that memory encryption and authentication techniques fail entirely and sensitive information is eventually leaked. For this situation, the voltage analysis unit 203 monitors the voltage and/or voltage variation of the user terminal in real time and sends it to the user entity behavior analysis unit 202, which determines whether the user terminal is under a real active attack (e.g., a hacking attack) or is only experiencing a sudden voltage change (e.g., a voltage sag or swell). Since existing user entity behavior analysis techniques can detect and distinguish sudden voltage changes (e.g., voltage sags and swells) from real active attacks (e.g., hacking attacks), and those skilled in the art can readily obtain such techniques, how the user entity behavior analysis unit 202 makes this distinction is not repeated here.
According to a preferred embodiment, the security posture assessment module 2 is further provided with or integrated with a data storage unit 204. The data storage unit 204 is configured to at least obtain and store data information related to the voltage collected by the voltage analysis unit 203.
Preferably, the voltage-related data information may include, but is not limited to: amplitude, frequency and phase data of the voltage of the CPU or other components, current information of the CPU or other components, power of the CPU or other components, etc. Preferably, the data storage unit 204 is further capable of acquiring and storing data information other than voltage that is acquired by the voltage analysis unit 203, such as related data collected by a plurality of sensors in data connection with a user (e.g., a power company, a substation, etc.). With this configuration, the voltage-related data information collected by the voltage analysis unit 203 can be stored for further analysis.
Particularly preferably, the data storage unit 204 is further capable of pre-compressing data transmitted between the user and the voltage analysis unit 203, so as to reduce bandwidth resource occupation and network cost when the user and the voltage analysis unit 203 transmit.
Preferably, the data storage unit 204 can perform multiple acquisitions according to the policy of the user's sensor network and, using a collection method that aggregates the data and then uploads it once, compress and upload the data once per upload period, thereby reducing the transmission volume of each upload period. The data that the user needs to transmit to or exchange with the voltage analysis unit 203 includes, but is not limited to: data relating to the user's voltage swells or sags, data relating to the current of the user's associated devices, etc. Particularly preferably, the data storage unit 204 is capable of finding obvious abnormal data caused by voltage changes (such as voltage sags and swells) in the data recorded in the past, preprocessing (cleaning) the data by "rebuilding, recovering or discarding" it, and afterwards identifying, by extracting the cleaned records, the transformers that are easily disturbed by voltage sags (or swells), so as to optimize the arrangement of regulated power supplies at the user or user side (in particular an enterprise or a large group of power-consuming equipment). By providing the data storage unit 204 and analyzing its data cleaning records, the ineffective placement of UPS units or diesel generators in the actual operation of an enterprise can therefore be greatly reduced. In addition, the data cleaning records may be given increasing weight according to whether they were rebuilt, recovered or discarded, so that the scale of a voltage sag (e.g., its duration, the magnitude of the voltage drop, and the sensors involved and their monitored objects) can be graded.
Suspected voltage sag information is generated when the sensing units contained in the power-consuming units along the whole line detect an abnormal voltage or abnormal signal together with abnormal power supply; by gathering and analyzing the suspected voltage sag information, the most intuitive and best placement suggestion can be provided for the arrangement of the UPS or diesel generator.
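The per-period aggregation described above (extract sag and swell events from raw samples, reduce each upload period to one compact record, compress it for upload) is shown below as an added example; it is not code from the patent or the applicant. The per-unit thresholds (sag below 0.9, swell above 1.1, in the style of IEEE 1159), the nominal rail voltage, the record layout and the sample values are assumptions constructed for the illustration.

```python
"""Per-period aggregation of voltage samples for upload to the voltage analysis unit.

Added example, not the patent's code. Each sample is converted to per-unit (pu) of
the nominal rail voltage; a run of samples below SAG_PU is a sag event and a run
above SWELL_PU is a swell event (thresholds assumed). One upload period becomes a
single record holding summary statistics plus the event list, and the batch of
records is JSON-encoded and zlib-compressed before transmission.
"""
import json
import zlib
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional

SAG_PU = 0.9     # assumed threshold: below this is a sag
SWELL_PU = 1.1   # assumed threshold: above this is a swell

# Constructed sample: a 1.2 V CPU core rail with one short sag and one swell.
NOMINAL_VCORE = 1.2
SAMPLE_VCORE: List[float] = ([1.20] * 4 + [1.00, 0.95, 1.02] + [1.20] * 3
                             + [1.40] + [1.20] * 2)


@dataclass
class Event:
    kind: str         # "sag" or "swell"
    start_idx: int    # index of the first sample of the run
    duration: int     # number of consecutive samples in the run
    extreme_pu: float  # lowest pu for a sag, highest pu for a swell


def classify(pu: float) -> Optional[str]:
    if pu < SAG_PU:
        return "sag"
    if pu > SWELL_PU:
        return "swell"
    return None


def extract_events(samples: List[float], nominal: float) -> List[Event]:
    """Merge consecutive out-of-band samples of the same kind into one event."""
    events: List[Event] = []
    cur: Optional[Event] = None
    for i, v in enumerate(samples):
        pu = v / nominal
        kind = classify(pu)
        if cur is not None and cur.kind == kind:
            cur.duration += 1
            cur.extreme_pu = min(cur.extreme_pu, pu) if kind == "sag" else max(cur.extreme_pu, pu)
            continue
        if cur is not None:
            events.append(cur)
        cur = Event(kind, i, 1, pu) if kind else None
    if cur is not None:
        events.append(cur)
    return events


def aggregate_period(sensor_id: str, samples: List[float], nominal: float) -> Dict:
    """Reduce one upload period of raw samples to a single compact record."""
    if not samples:
        raise ValueError("empty upload period")
    pu = [v / nominal for v in samples]
    return {
        "sensor": sensor_id,
        "samples": len(samples),
        "min_pu": round(min(pu), 3),
        "max_pu": round(max(pu), 3),
        "mean_pu": round(sum(pu) / len(pu), 3),
        "events": [asdict(e) for e in extract_events(samples, nominal)],
    }


def pack_upload(records: List[Dict]) -> bytes:
    """Compact JSON, then zlib, for the single upload of the period."""
    return zlib.compress(json.dumps(records, separators=(",", ":")).encode("utf-8"))


def unpack_upload(blob: bytes) -> List[Dict]:
    return json.loads(zlib.decompress(blob).decode("utf-8"))


if __name__ == "__main__":
    rec = aggregate_period("cpu-vcore-01", SAMPLE_VCORE, NOMINAL_VCORE)
    blob = pack_upload([rec])
    print(rec)
    print("upload bytes:", len(blob), "events:", len(rec["events"]))
```

The record keeps only what the later analysis needs (extremes, mean and the event list with start index and duration), so the event list itself is the "suspected sag information" the text describes, while the raw samples stay at the sensor side.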
According to a preferred embodiment, the system further comprises a data classification and grading module 4, wherein the data classification and grading module 4 can classify and grade the access resources of the user.
The zero trust scheme requires refined resource access control. Refined resource access control requires awareness of the subject and environment of access and hierarchical control over the classification of the resources accessed. Hierarchical control of access to resources may generally be embodied as data classification and grading control. Classification in the data classification and grading module 4 divides the data associated with the user into controllable data and non-controllable data. The controllable data includes switch control signals, transformer gear control signals, soft pressing plate control signals and setting signals. The non-controllable data includes location information and data information. Classification in the data classification and grading module 4 also refers to division by data type; the data type definitions differ from scene to scene. Grading in the data classification and grading module 4 refers to grading the sensitivity level of the data. For example, sensitivity grading is performed on non-real-time data, office data and external network data; data of different voltage grades require different authorities to obtain, and data in different security areas require different authorities.
According to a preferred embodiment, the security posture assessment module 2 comprises a risk and trust assessment unit, which is capable of assessing the risk and trust level of the user and deriving a quantitative risk score to perform a trust assessment in combination with the risk score and the current access behavior to determine whether the trust level of the access behavior is the same as or substantially the same as the security level of the resource accessed by the access behavior.
Preferably, the user may include, but is not limited to: general users, terminals, applications access subject objects, etc.
Preferably, when the trust level of the user access behavior is the same or substantially the same as the security level of the resource accessed by the user, bidirectional flow of access data is allowed.
Preferably, the risk and trust evaluation unit may design the risk evaluation model according to the NIST RMF framework and the SO2704 and FAIR related risk management frameworks.
Preferably, the risk and trust evaluation unit is capable of evaluating the risk and trust level of the user. The evaluation of the risk and trust of the user is the basis for the access right control module 3 to make dynamic policy decisions.
Preferably, the risk and trust evaluation unit is capable of evaluating the risk and trust level of the user to give a quantitative risk score and performing a trust evaluation in combination with the risk score and the current access behavior to determine whether the trust level of the access behavior is the same as or approximately close to the security level of the resource accessed by the access behavior.
When the trust level of the access behavior is at or near the same level as the security level of the resource it accesses, bidirectional flow of access data is allowed.
Preferably, when designing the risk evaluation model, the risk and trust evaluation unit may follow the NIST RMF framework (SP 800-37 Rev. 2), SO2704, FAIR and other related risk management frameworks.
According to a preferred embodiment, the security situation assessment module 2 comprises a policy decision model unit for determining the initial policy, which includes an initial policy baseline and the setting of an implicit trust zone.
Preferably, the policy decision model unit is capable of making decisions based on the risk level or score and the trust level or score derived by the risk and trust assessment unit. Through this configuration, the policy decision model unit settles the initial policy, under which only access from trusted devices is accepted and the data authority of the accessing personnel is matched; this comprises the initial policy baseline and the setting of the implicit trust zone.
Preferably, after the policy baseline configuration is completed, the policy decision model unit needs to configure a risk control policy. That is, when a user requests a service in the system, the access request is redirected to the access agent, and the user's device must present its device certificate; since the access agent cannot yet recognize the user's identity, it redirects to the single sign-on system. The user provides their authentication credential, the single sign-on system performs authentication, issues a token and redirects back to the access agent; the access agent now holds a device certificate and a single sign-on token.
Preferably, the access right control module 3 is capable of performing authorization check on each access request of the user to determine the right of the user on the relevant application service, and analyzing the fine-grained right of the user and the device thereof.
Preferably, the access rights control module 3 is able to confirm that the user has a sufficient level of trust.
Preferably, after the access right control module 3 confirms that the user is a trusted user, it confirms that the user has a sufficient trust level. When all checks pass, the access right control module 3 forwards the access request to the back-end service; if any of the above checks fails, the access right control module 3 denies the request.
Preferably, after passing identity authentication by the identity authentication module 1, the user still needs authorization to obtain access rights. Authorization is obtained by the access control engine giving authorization information to the access agent; after identity authentication, the system can associate the result with a network segment constructed for specific services, forming isolation domains of different security levels through a pipeline segment (Pipeline) used to exchange data between external programs and the authorization center, and a user who wants to access across domains must obey the relevant security policy. A trust chain is established through a pattern of continuous authentication of the device and of the user's rights, allowing access to the protected services. Through this configuration, wherever the user is, the user must pass the identity authentication, and possibly device authentication, of the access right control module 3, and can access specific resources only after obtaining the authorization of the access right control module 3; in addition, the security situation assessment module 2 can continuously monitor and analyze the user's behavior and send the analysis results to the access right control module 3 to dynamically adjust the authorization of the user's access rights.
The invention also provides a zero trust access authority control method based on trusted computing. The access right control method comprises the following steps:
the identity authentication module 1 authenticates the identity of a user and generates identity authentication information corresponding to the user;
the security situation assessment module 2 monitors the security situation of the user;
the access authority control module 3 acquires the identity authentication information;
and the access authority control module 3 controls the access authority of the user based on the identity authentication information and the security situation.
Preferably, the security situation assessment module 2 is capable of recording and analyzing characteristics of normal users and/or user behavior and sending the characteristics of normal users and/or user behavior to the access right control module 3.
Preferably, the security situation assessment module 2 is capable of analyzing normal users and/or user behaviors based on user entity behavior analysis technology and obtaining characteristics of normal users and/or user behaviors. Since a person skilled in the art can easily obtain the user entity behavior analysis technique and analyze the normal user and/or user behavior to obtain the characteristics of the normal user and/or user behavior, details on how to obtain the characteristics of the normal user and/or user behavior are not described here.
Preferably, the access right control module 3 is further capable of filtering subsequent users and/or user behaviors based on characteristics of normal users and/or user behaviors. Preferably, the features may be a basic paradigm common to normal users and/or user behavior. For example, the characteristics may be login time, query scope, access rights, average access amount, security or trusted level, etc. of the account of the normal user.
For example, the security situation assessment module 2 may analyze and identify the login time, query range, access rights, average access amount, security or trust level, etc. of the accounts of past normal users, and the access right control module 3 can perform dynamic access control based on the user's login time, query range, access rights, average access amount, security or trust level, and the like. For example, when a user abnormally accesses a system, device, process, etc. beyond its access rights and outside the baseline the user normally follows, the access right control module 3 automatically downgrades the user's access rights to match the abnormal behavior, or directly revokes all access rights associated with the user's authentication information.
For another example, if a user accesses a system, device, process, etc. that does not match its security or trust level, the access right control module 3 may likewise automatically downgrade the user's access rights to match the abnormal behavior or directly revoke all of the user's access rights.
For example, when the security situation evaluation module 2 finds the sudden change of the daily access of the user, it can determine that there is an abnormality in the behavior of the user.
Preferably, the access right control module 3 is also capable of learning normal users or user behaviors dynamically based on machine learning and continuously updating the characteristics of normal users or user behaviors.
By this configuration, the access right control module 3 can achieve a dynamically adaptive capability, i.e., continuously updating the characteristics of normal users or user behavior stored in it over time and as normal users and/or user behavior change. Once the access right control module 3 has obtained this adaptive capability, it can move beyond the traditional access control mode that can only block or release according to rules or signatures known in advance. In addition, because the access right control module 3 is based on a dynamic, automatic and self-adaptive security network, it can keep pace with technical development, has a clear effect against 0-day attacks, APT attacks and DDoS attacks, and, combined with a deception-defense honeynet, leaves attackers with no way to begin, thereby truly achieving active defense; it saves a large amount of manpower and time, since it is no longer necessary to check various logs or to start emergency response plans for security events, a capability that traditional security cannot provide.
Preferably, the access right control module 3 is able to continuously evaluate user behavior against various kinds of context data and dynamically decide whether to block or allow the behavior, or to take an intermediate action between black and white, such as one or several of: requesting a further decision, allowing but read-only, or allowing but auditing. Preferably, the user behavior includes, but is not limited to: access behavior, business application invocation, network activity, etc.
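The baseline characteristics named above (login time, query scope, access rights, average access amount), the graded responses (allow, allow but audit, allow but read-only, revoke) and the continuous updating of the baseline are put together in the following added example. It is illustration code written here, not the patent's or the applicant's; the surge factor, the ordering of the checks, the simple online update used in place of the machine-learning step, and the sample baseline and events are all assumptions.

```python
"""Behaviour baseline, anomaly grading and dynamic access decision.

Added example, not the patent's code. A per-user baseline holds the hours at which
the user normally logs in, the scope the user normally queries, the rights granted
by the user's authentication information, and the average daily access amount. An
event is graded against it: use of a right not granted -> revoke; outside the login
hours or query scope -> allow but read-only; sudden surge of daily access -> allow
but audit; otherwise allow. Events confirmed benign are folded back into the
baseline so its characteristics keep tracking the user (assumed update rule).
"""
from dataclasses import dataclass, field
from statistics import mean
from typing import Iterable, List, Set


@dataclass
class Baseline:
    login_hours: Set[int]       # hours of day (0..23) seen in normal logins
    query_scope: Set[str]       # systems / tables normally queried
    access_rights: Set[str]     # rights tied to the authentication information
    avg_daily_access: float
    history: List[int] = field(default_factory=list)


@dataclass(frozen=True)
class Event:
    hour: int
    target: str
    right_used: str
    daily_access_count: int     # accesses so far today, including this one


def build_baseline(login_hours: Iterable[int], targets: Iterable[str],
                   rights: Iterable[str], daily_counts: Iterable[int]) -> Baseline:
    counts = list(daily_counts)
    return Baseline(set(login_hours), set(targets), set(rights), mean(counts), counts)


def decide_access(b: Baseline, e: Event, surge_factor: float = 3.0) -> str:
    """Return one of: allow, allow-audit, allow-read-only, revoke."""
    if e.right_used not in b.access_rights:
        return "revoke"                      # beyond the rights it was authenticated for
    if e.hour not in b.login_hours or e.target not in b.query_scope:
        return "allow-read-only"             # outside the user's usual baseline
    if e.daily_access_count > surge_factor * b.avg_daily_access:
        return "allow-audit"                 # sudden change of the daily access amount
    return "allow"


def learn(b: Baseline, e: Event) -> Baseline:
    """Fold an event confirmed benign into the baseline (simple online update,
    a stand-in for the machine-learning step the text describes)."""
    b.login_hours.add(e.hour)
    b.query_scope.add(e.target)
    b.history.append(e.daily_access_count)
    b.avg_daily_access = mean(b.history)
    return b


# Constructed sample baseline: office-hours analyst with read/write on two tables.
SAMPLE_BASELINE = build_baseline(range(8, 19), ["orders", "customers"],
                                 ["read", "write"], [40, 45, 50, 55, 60])

if __name__ == "__main__":
    for ev in (Event(10, "orders", "read", 48), Event(3, "orders", "read", 48),
               Event(10, "payroll", "read", 48), Event(10, "orders", "admin", 48),
               Event(10, "orders", "write", 200)):
        print(ev, "->", decide_access(SAMPLE_BASELINE, ev))
```

The order of the checks matters: a right the user was never granted is the strongest signal and is checked first, so that an attacker who also keeps to office hours cannot hide behind a normal-looking timestamp. `learn` must only be called for events that a reviewer or the benign-anomaly logic of the security situation assessment module has confirmed, otherwise the baseline would drift toward whatever the anomaly was.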
A terminal management database is used for tracking and analyzing network behaviors, virtual addresses, etc. in the system to be accessed.
Preferably, all trusted devices need to reference the relevant records in the terminal management database in a uniquely identified manner.
Preferably, the terminal management database may set a certificate to uniquely identify the device, such that the certificate is used as a key to obtain the device information, i.e. representing that the device exists in the device database and the device information is complete and valid.
The user authentication module can perform basic authorization on the user according to the security area, the equipment and the operation authority accessed by the user.
Preferably, the user authentication module may also use multi-factor authentication (MFA) and biometric authentication (e.g., fingerprint, key strokes, etc.).
For example, the user authentication module may evaluate and dynamically authorize the user's operational behavior according to a trust evaluation program. The user authentication module can also apply different authentication strengths for different application systems and different data: the user authentication strength differs for access to security area I through security area IV; access to security areas I and II must use biometric authentication (fingerprint, pupil) together with password authentication, and access to security areas III and IV requires at least password or biometric authentication.
Preferably, the access right control module 3 may include a terminal access agent implemented by a trusted terminal agent at the initiator, and a gateway agent implemented at the secure access gateway.
Since the zero trust scheme requires application-layer session access control by an access proxy and full traffic encryption, the access right control module 3 can extract useful information about the user or the user side, including normal user behavior information, trusted users, the trust levels of devices, and other related information about the devices and users. Whether a user file is a white (allowed) file is judged by a boundary defense technique, the encrypted traffic of various application protocols is proxied, and the necessary terminal identification information is carried so that the terminal and the access gateway operate in linkage.
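The chain of checks an access agent performs before forwarding a request (device certificate, then single sign-on token, then authorization) is described in several places above: the redirect flow of the policy decision model unit, the device certificate used as the key into the terminal management database, the per-security-area authentication strengths of the user authentication module, and the all-checks-must-pass rule of the access right control module 3. The following added example puts them into one function. It is illustration code written here, not the patent's, the applicant's or any product's; the token format (an HMAC-SHA256 over a JSON body shared with the single sign-on system), the terminal database layout, the factor rule per area, the trust threshold and the certificates are all constructed assumptions.

```python
"""Access-agent check chain: device certificate, SSO token, auth strength, trust.

Added example, not the patent's code. A request must carry a device certificate
found in the terminal management database and a valid single sign-on token; the
factors recorded in the token must satisfy the target security area (I/II:
biometric and password; III/IV: password or biometric), and the token's trust
level must reach the level the service requires. Any failing check denies the
request; the token format and all sample values are assumptions.
"""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

SSO_KEY = b"constructed-demo-key-not-for-real-use"   # shared SSO/access-agent secret (assumed)

# Constructed device certificate; a real deployment would carry X.509 data here.
DEMO_CERT_A = "-----BEGIN CERTIFICATE-----\nDEMO-DEVICE-A\n-----END CERTIFICATE-----"


def fingerprint(cert_pem: str) -> str:
    """The certificate fingerprint is the key into the terminal management database."""
    return hashlib.sha256(cert_pem.encode("utf-8")).hexdigest()


# Constructed terminal management database: fingerprint -> device record.
TERMINAL_DB: Dict[str, dict] = {
    fingerprint(DEMO_CERT_A): {"device_id": "laptop-0001", "trusted": True, "complete": True},
}


def factors_sufficient(factors: Set[str], area: str) -> bool:
    """Authentication strength rule per security area (from the description)."""
    if area in ("I", "II"):
        return "biometric" in factors and "password" in factors
    if area in ("III", "IV"):
        return bool(factors & {"password", "biometric"})
    return False


def issue_token(subject: str, factors: Iterable[str], trust_level: int,
                ttl_seconds: int, now: Optional[int] = None) -> str:
    """SSO side: sign the claims; format is '<json body>.<hex mac>' (assumed)."""
    issued = int(time.time()) if now is None else now
    body = json.dumps({"sub": subject, "factors": sorted(factors), "trust": trust_level,
                       "exp": issued + ttl_seconds}, sort_keys=True)
    mac = hmac.new(SSO_KEY, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return body + "." + mac


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Access-agent side: constant-time MAC check, then expiry; None if invalid."""
    body, _, mac = token.rpartition(".")   # hex MAC contains no '.', so this is unambiguous
    expected = hmac.new(SSO_KEY, body.encode("utf-8"), hashlib.sha256).hexdigest()
    if not body or not hmac.compare_digest(expected, mac):
        return None
    claims = json.loads(body)
    current = int(time.time()) if now is None else now
    if claims["exp"] <= current:
        return None
    return claims


@dataclass(frozen=True)
class Request:
    device_cert: Optional[str]
    sso_token: Optional[str]
    target_area: str       # security area I..IV of the requested resource
    required_trust: int    # trust level the back-end service requires


def check_access(req: Request, now: Optional[int] = None) -> str:
    """Return 'allow' only when every check passes; otherwise name the failing step."""
    if not req.device_cert:
        return "deny: no device certificate"
    device = TERMINAL_DB.get(fingerprint(req.device_cert))
    if device is None or not (device["trusted"] and device["complete"]):
        return "deny: device not in terminal database"
    if not req.sso_token:
        return "redirect: single sign-on"          # agent cannot yet identify the user
    claims = verify_token(req.sso_token, now)
    if claims is None:
        return "deny: invalid or expired token"
    if not factors_sufficient(set(claims["factors"]), req.target_area):
        return "deny: authentication strength insufficient for area " + req.target_area
    if claims["trust"] < req.required_trust:
        return "deny: trust level insufficient"
    return "allow"


if __name__ == "__main__":
    tok = issue_token("alice", {"password", "biometric"}, trust_level=3, ttl_seconds=300)
    print(check_access(Request(DEMO_CERT_A, tok, "I", 3)))
    print(check_access(Request(None, tok, "I", 3)))
```

The device check precedes the identity check deliberately: a request from an unknown device is rejected before any user credential is examined, which matches the initial policy of accepting only trusted devices. The trust level carried in the token is a snapshot; the continuous re-evaluation described for the security situation assessment module would feed a fresh level into `required_trust` comparisons on later requests rather than trusting the token's value indefinitely.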
Refined resource access control requires awareness of the subject and environment of access and a hierarchical control of the classification of the resources accessed. The hierarchical control of access to resources may be generally embodied as a data classification hierarchical control. The classification divides the data into controllable data information and non-controllable data information.
For example, the controllable data information may be switch control data, transformer gear control data, soft pressing plate control data and setting signals in an Internet of Things system. The non-controllable data information may be location information and data information. Classification refers to division by data type, i.e., the data type definitions differ between scenes; grading refers to the data sensitivity level, i.e., sensitivity grading is carried out on centralized grid control data, non-real-time data, office data and external network data in the Internet of Things; for example, data of different voltage grades require different authorities to obtain, and data in different security areas require different authorities.
It should be noted that the above-mentioned embodiments are exemplary, and that those skilled in the art, having benefit of the present disclosure, may devise various arrangements that are within the scope of the present disclosure and that fall within the scope of the invention. It should be understood by those skilled in the art that the present specification and figures are illustrative only and are not limiting upon the claims. The scope of the invention is defined by the claims and their equivalents. The present description contains several inventive concepts, such as "preferably", "according to a preferred embodiment" or "optionally", each indicating that the respective paragraph discloses a separate concept, the applicant reserves the right to submit divisional applications according to each inventive concept.

Claims (10)

1. A zero-trust access right control system based on trusted computing, comprising at least:
the identity authentication module (1) at least can be used for authenticating the identity of a user and generating identity authentication information corresponding to the user;
a security situation assessment module (2) capable of at least monitoring the security situation of the user;
an access right control module (3) capable of at least acquiring the identity authentication information,
wherein, in case that the access right control module (3) can obtain the security situation, the access right control module (3) is configured to control the access right of the user based on the identity authentication information and the security situation.
2. Access rights control system according to claim 1, characterized in that the security posture assessment module (2) comprises at least a normal user behavior generation unit (201),
wherein the normal user behavior generating unit (201) is configured to be able to generate normal user behavior matching the security requirements of different users according to application scenarios of the users and/or security situations monitored by the security situation assessment module (2).
3. Access rights control system according to claim 2, characterized in that the security posture assessment module (2) further comprises a user entity behavior analysis unit (202),
wherein the user entity behavior analysis unit (202) is configured to at least monitor and analyze the processes or programs in the normal user behavior run by the user, so as to monitor whether any such process or program is abnormal, and to send the security situation of the user obtained by monitoring to the security situation assessment module (2).
4. The access right control system according to claim 3, wherein the normal user behavior generating unit (201) is capable of collecting normal user behaviors of a plurality of different users to form a new normal user behavior database, so as to analyze and compare the normal user behavior database with the normal user behavior monitored as abnormal state by the user entity behavior analyzing unit (202).
5. Access rights control system according to claim 1, characterized in that the security situation assessment module (2) is provided with or integrated with a voltage analysis unit (203),
wherein the voltage analysis unit (203) is configured to be able to monitor at least the voltage and/or the change in voltage of the user to determine whether the user is under a security attack related to the voltage change by detecting the voltage and/or the change in voltage.
6. The access privilege control system according to claim 5, wherein the security situation assessment module (2) is further configured or integrated with a data storage unit (204), wherein the data storage unit (204) is configured to at least be able to obtain and store the voltage-related data information collected by the voltage analysis unit (203).
7. The access privilege control system according to claim 6, further comprising a data classification and ranking module (4), wherein the data classification and ranking module (4) is capable of classifying and ranking the user's access resources.
8. The access privilege control system according to claim 7, wherein the security posture assessment module (2) comprises a risk and trust assessment unit capable of assessing a user's risk and trust level and deriving a quantitative risk score to determine whether the access behavior's trust level is the same or substantially the same as the security level of the resource it accesses in conjunction with a risk score and a current access behavior's trust assessment.
9. The system according to claim 8, characterized in that the security posture assessment module (2) comprises a policy decision model unit for solving an initial policy comprising an initial policy baseline and a setting of an implicit trust zone.
10. A zero-trust access authority control method based on trusted computing is characterized by comprising the following steps:
the identity authentication module (1) authenticates the identity of a user and generates identity authentication information corresponding to the user;
the security situation assessment module (2) monitors the security situation of the user;
the access authority control module (3) acquires the identity authentication information;
and the access right control module (3) controls the access right of the user based on the identity authentication information and the security situation.
CN202111212789.3A 2021-10-18 2021-10-18 Zero-trust access authority control system and method based on trusted computing Pending CN113901499A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111212789.3A CN113901499A (en) 2021-10-18 2021-10-18 Zero-trust access authority control system and method based on trusted computing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111212789.3A CN113901499A (en) 2021-10-18 2021-10-18 Zero-trust access authority control system and method based on trusted computing

Publications (1)

Publication Number Publication Date
CN113901499A true CN113901499A (en) 2022-01-07

Family

ID=79192545

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111212789.3A Pending CN113901499A (en) 2021-10-18 2021-10-18 Zero-trust access authority control system and method based on trusted computing

Country Status (1)

Country Link
CN (1) CN113901499A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114584405A (en) * 2022-05-07 2022-06-03 国网浙江省电力有限公司电力科学研究院 Electric power terminal safety protection method and system
CN114584341A (en) * 2022-01-14 2022-06-03 苏州浪潮智能科技有限公司 Zero-boundary trusted network architecture system, data processing method and device
CN115065564A (en) * 2022-08-18 2022-09-16 天津天元海科技开发有限公司 Access control method based on zero trust mechanism
CN115496553A (en) * 2022-09-20 2022-12-20 青岛畅联科技有限公司 User credit evaluation system and method based on trusted computing under edge computing
CN115618308A (en) * 2022-12-01 2023-01-17 杭州美创科技股份有限公司 Abnormal behavior detection method and device based on zero trust identity
CN116228167A (en) * 2023-05-04 2023-06-06 南京瑞拷得智慧信息科技有限公司 Intelligent archive borrowing and utilizing platform based on zero trust authority authentication

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114584341A (en) * 2022-01-14 2022-06-03 苏州浪潮智能科技有限公司 Zero-boundary trusted network architecture system, data processing method and device
CN114584341B (en) * 2022-01-14 2023-06-16 苏州浪潮智能科技有限公司 Zero-boundary trusted network architecture system, data processing method and device
CN114584405A (en) * 2022-05-07 2022-06-03 国网浙江省电力有限公司电力科学研究院 Electric power terminal safety protection method and system
CN115065564A (en) * 2022-08-18 2022-09-16 天津天元海科技开发有限公司 Access control method based on zero trust mechanism
CN115065564B (en) * 2022-08-18 2022-11-01 天津天元海科技开发有限公司 Access control method based on zero trust mechanism
CN115496553A (en) * 2022-09-20 2022-12-20 青岛畅联科技有限公司 User credit evaluation system and method based on trusted computing under edge computing
CN115496553B (en) * 2022-09-20 2023-10-17 青岛畅联科技有限公司 User credit evaluation system and method based on trusted computing under edge computing
CN115618308A (en) * 2022-12-01 2023-01-17 杭州美创科技股份有限公司 Abnormal behavior detection method and device based on zero trust identity
CN116228167A (en) * 2023-05-04 2023-06-06 南京瑞拷得智慧信息科技有限公司 Intelligent archive borrowing and utilizing platform based on zero trust authority authentication

Similar Documents

Publication Publication Date Title
CN113901499A (en) Zero-trust access authority control system and method based on trusted computing
US8230232B2 (en) System and method for determining a computer user profile from a motion-based input device
CN114584405B (en) Electric power terminal safety protection method and system
US11902307B2 (en) Method and apparatus for network fraud detection and remediation through analytics
EP2515496A1 (en) System and method for generating trust among data network users
CN112118102A (en) Dedicated zero trust network system of electric power
US20080222706A1 (en) Globally aware authentication system
US20110314558A1 (en) Method and apparatus for context-aware authentication
Ahmed et al. Detecting Computer Intrusions Using Behavioral Biometrics.
CN112182519A (en) Computer storage system security access method and access system
CN112766672A (en) Network security guarantee method and system based on comprehensive evaluation
WO2014205148A1 (en) Continuous authentication tool
CN106384027A (en) User identity recognition system and recognition method thereof
CN106446658A (en) Data center security protection method and system
CN113114632B (en) Can peg graft formula intelligence financial auditing platform
Saad et al. Dine and dash: Static, dynamic, and economic analysis of in-browser cryptojacking
CN116938590A (en) Cloud security management method and system based on virtualization technology
CN117527430A (en) Zero-trust network security dynamic evaluation system and method
CN113364744A (en) Method and system for detecting domain user login authentication abnormity based on windows log
Tiwari et al. User-profile-based analytics for detecting cloud security breaches
Yang et al. [Retracted] Computer User Behavior Anomaly Detection Based on K‐Means Algorithm
CN113886782A (en) Identity authentication method and system based on UEBA and credible authentication
CN114745143A (en) Method and device for automatically generating access control strategy
Manoj et al. Secured user behaviour based access framework for web service
CN112153130A (en) Business resource access method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination