CN113923030B - Remote access method based on zero trust, terminal equipment and computer storage medium - Google Patents


Info

Publication number: CN113923030B
Authority: CN (China)
Prior art keywords: remote access, data, control scheme, iteration, remote
Legal status: Active
Application number: CN202111183028.XA
Other languages: Chinese (zh)
Other versions: CN113923030A
Inventors: 王智明, 徐雷, 陶冶
Current assignee: China United Network Communications Group Co Ltd
Original assignee: China United Network Communications Group Co Ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The disclosure provides a remote access method, terminal equipment and a computer readable storage medium based on zero trust, wherein the method comprises the following steps: receiving a remote access request of a remote access terminal; analyzing the remote access request to obtain an access control scheme; and transmitting the access control scheme to a zero trust gateway, so that the zero trust gateway respectively transmits the access control scheme and the remote access related data acquired from the remote access terminal to a target remote access terminal, and the target remote access terminal provides remote service for the remote access terminal based on the access control scheme and the remote access related data. The embodiment of the disclosure utilizes the strong defensive characteristic of the zero-trust access mechanism, and simultaneously analyzes and obtains the access control scheme aiming at the remote access request, which can at least effectively improve the security of the remote access.

Description

Remote access method based on zero trust, terminal equipment and computer storage medium
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a remote access method based on zero trust, a terminal device, and a computer readable storage medium.
Background
In daily work, office workers often need to work remotely, i.e. to remotely access office computers of the enterprise from other locations. The current remote access control scheme mainly uses a VPN (Virtual Private Network), but as remote access requirements grow, the security problems created by the VPN security model of "trusted inside, untrusted outside" are gradually being exposed.
Disclosure of Invention
The disclosure provides a remote access method, terminal equipment and a computer readable storage medium based on zero trust, which realize remote access control based on a zero trust mechanism so as to at least solve the unsafe problem generated by remote access in the current VPN mode.
To achieve the above object, the present disclosure provides a remote access method based on zero trust, including:
receiving a remote access request of a remote access terminal;
analyzing the remote access request to obtain an access control scheme; and
and sending the access control scheme to a zero trust gateway, so that the zero trust gateway respectively sends the access control scheme and the remote access related data acquired from the remote access terminal to a target remote access terminal, and the target remote access terminal provides remote services for the remote access terminal based on the access control scheme and the remote access related data.
In one embodiment, the method further comprises:
acquiring remote access analysis original data;
analyzing the remote access analysis original data by adopting a logistic regression algorithm to obtain remote access analysis data;
the analyzing the remote access request includes:
and analyzing the remote access request based on the remote access analysis data to obtain an access control scheme.
In one embodiment, the method further comprises:
determining optimization parameters of the remote access request, wherein the optimization parameters comprise a data integrity rate and a response delay rate;
analyzing the remote access analysis original data by adopting a logistic regression algorithm to obtain remote access analysis data, wherein the method comprises the following steps:
analyzing the remote access analysis original data by adopting a logistic regression algorithm based on the optimization parameters to obtain remote access analysis data;
the analyzing the remote access analysis data to obtain an access control scheme comprises the following steps:
and analyzing the remote access request based on the optimization parameters and the remote access analysis data to obtain an access control scheme.
In one embodiment, the analyzing the remote access request based on the optimization parameters and the remote access analysis data, to obtain an access control scheme, includes:
performing matching degree analysis on the remote access request based on the optimization parameters and the remote access analysis data to obtain an access control scheme with optimal matching degree;
judging whether the access control scheme with the optimal matching degree meets a preset evaluation condition or not;
and if the preset evaluation condition is met, selecting the access control scheme with the optimal matching degree as an access control scheme.
In one embodiment, when determining whether the access control scheme with the optimal matching degree meets a preset evaluation condition, the method further includes:
if the preset evaluation condition is not met, judging whether the current iteration number for carrying out the matching degree analysis reaches the maximum iteration number or not;
if the maximum iteration number is not reached, performing supervised learning on the optimization parameters and the remote access analysis data to obtain the optimization parameters and the remote access analysis data with the iteration number added with 1, and returning to execute the step of performing matching degree analysis on the remote access request based on the optimization parameters and the remote access analysis data;
and if the maximum iteration times are reached, selecting the access control scheme with the optimal matching degree as an access control scheme.
In one embodiment, the remote access analysis raw data is analyzed by a logistic regression algorithm to obtain remote access analysis data, and the remote access analysis data is obtained according to the following formula:
Figure BDA0003298050850000031
where i, j and t represent dimensions, with i ∈ [1, m], j ∈ [1, n], t ∈ [1, q], and m, n and q respectively represent the maximum value of each dimension;
Figure BDA0003298050850000032
is the data integrity rate at the kth iteration;
Figure BDA0003298050850000033
is the response delay rate at the kth iteration;
Figure BDA0003298050850000034
represents the remote access analysis raw data;
Figure BDA0003298050850000035
represents the value corresponding to the remote access analysis data at the kth iteration.
In one embodiment, the matching degree analysis is performed on the remote access request based on the optimization parameters and the remote access analysis data to obtain an access control scheme with optimal matching degree, and the access control scheme is obtained according to the following formula:
Figure BDA0003298050850000036
where MinZ_k is the value corresponding to the access control scheme with the optimal matching degree; i, j and t represent dimensions, with i ∈ [1, m], j ∈ [1, n], t ∈ [1, q], and m, n and q respectively represent the maximum value of each dimension;
Figure BDA0003298050850000037
is the data integrity rate at the kth iteration;
Figure BDA0003298050850000038
is the response delay rate at the kth iteration; C_Gmax represents the maximum data integrity rate and E_Gmin represents the minimum data delay rate;
Figure BDA0003298050850000039
is the value corresponding to the remote access analysis data at the kth iteration, and
Figure BDA00032980508500000310
is the value corresponding to the remote access analysis data when no iteration is performed.
In one embodiment, whether the access control scheme with the optimal matching degree meets a preset evaluation condition is determined according to the following formula:
Figure BDA00032980508500000311
where
Figure BDA00032980508500000312
is the product probability of the data integrity rate at the kth iteration,
Figure BDA00032980508500000313
is the product probability of the response delay rate at the kth iteration,
Figure BDA00032980508500000314
is the data integrity rate at the kth iteration;
Figure BDA00032980508500000315
is the response delay rate at the kth iteration;
Figure BDA0003298050850000041
is the value corresponding to the remote access analysis data at the kth iteration, and
Figure BDA0003298050850000042
is the value corresponding to the remote access analysis data when no iteration is performed.
In one embodiment, performing supervised learning on the optimization parameters and the remote access analysis data to obtain the optimization parameters and the remote access analysis data after adding 1 to the iteration number is done according to the following formulas:
Figure BDA0003298050850000043
Figure BDA0003298050850000044
where
Figure BDA0003298050850000045
represents the values of the optimization parameters at the (k+1)th iteration, stored as the three-component information vector
Figure BDA0003298050850000046
in which
Figure BDA0003298050850000047
is the data integrity rate at the (k+1)th iteration,
Figure BDA0003298050850000048
is the response delay rate at the (k+1)th iteration,
Figure BDA0003298050850000049
is the value corresponding to the remote access analysis data at the (k+1)th iteration, and
Figure BDA00032980508500000410
is the reinforcement factor at the (k+1)th iteration;
wherein the reinforcement factor is obtained according to the following formula:
Figure BDA00032980508500000411
where C_Gmax represents the maximum data integrity rate, E_Gmin represents the minimum data delay rate, and
Figure BDA00032980508500000412
is the value corresponding to the remote access analysis data when no iteration is performed.
To achieve the above object, the present disclosure further provides a terminal device, including a memory and a processor, where the memory stores a computer program, and when the processor runs the computer program stored in the memory, the processor executes the remote access method based on zero trust.
To achieve the above object, the present disclosure also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the zero trust based remote access method.
According to the zero trust-based remote access method, the terminal equipment and the computer readable storage medium provided by the disclosure, by receiving a remote access request of a remote access terminal, analyzing the remote access request to obtain an access control scheme; and sending the access control scheme to a zero trust gateway, so that the zero trust gateway respectively sends the access control scheme and the remote access related data acquired from the remote access terminal to a target remote access terminal, and the target remote access terminal provides remote service for the remote access terminal based on the access control scheme and the remote access related data, and meanwhile analyzes a remote access request to acquire the access control scheme by utilizing the strong defensive characteristic of the zero trust access mechanism, so that the security of remote access can be at least effectively improved.
Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the disclosure. The objectives and other advantages of the disclosure will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the disclosed embodiments and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain, without limitation, the disclosed embodiments.
Fig. 1 is a schematic flow chart of a remote access method based on zero trust according to an embodiment of the disclosure;
FIG. 2 is a schematic diagram of an application scenario for enterprise remote access in accordance with an embodiment of the present disclosure;
FIG. 3 is a flow chart of another remote access method based on zero trust provided by an embodiment of the present disclosure;
FIG. 4 is a schematic diagram of a multi-layer neuronal network in an embodiment of the present disclosure;
FIG. 5 is a schematic diagram of storing optimization parameters in the form of three-dimensional vectors in accordance with an embodiment of the present disclosure;
FIG. 6 is a flowchart illustrating steps for analyzing the remote access analysis data to obtain an access control scheme according to the embodiment of the present disclosure;
fig. 7 is a schematic structural diagram of a terminal device according to an embodiment of the present disclosure.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the following detailed description of the specific embodiments of the present disclosure will be given with reference to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating and illustrating the disclosure, are not intended to limit the disclosure.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and the above-described figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order; moreover, embodiments of the present disclosure and features of embodiments may be arbitrarily combined with each other without conflict.
In the following description, suffixes such as "module", "component", or "unit" for representing elements are used only for facilitating the description of the present disclosure, and are not of specific significance per se. Thus, "module," "component," or "unit" may be used in combination.
With its rapid development, zero trust has come to represent a new generation of network security protection concept. The key of zero trust is to break the default "trust"; summarized in one popular phrase, it is "continuous verification, never trust". No person, device or system inside or outside the enterprise network is trusted by default, and the basis of trust for access control is rebuilt on identity authentication and authorization, thereby ensuring identity trust, device trust, application trust and link trust. Based on the zero trust principle, three kinds of "security" of the office system can be ensured: terminal security, link security, and access control security. In practical application, zero trust shows clearer advantages and more powerful functions. Zero-trust-based remote office systems and methods are therefore of great significance for rapid and sustained development.
Referring to fig. 1, fig. 1 is a flowchart of a remote access method based on zero trust, which is applied to a zero trust access and control server and provided in an embodiment of the disclosure, and the method includes steps S101-S103.
In step S101, a remote access request of a remote access terminal is received.
Specifically, when a remote access requirement arises, the remote access terminal sends the remote access request to the zero-trust access and control server and, at the same time, sends the remote access data toward the target remotely accessed terminal, so that data and control signaling are separated and access security is improved.
In this embodiment, the remote access request of the remote access terminal includes authentication information of the remote access terminal, such as device information, application information, etc. of the remote access terminal, and the access requirement of the remote access terminal may include an access data type, an access delay, a security level, etc.
In step S102, the remote access request is analyzed to obtain an access control scheme.
In this embodiment, the zero-trust access and control server analyzes the remote access request in two analysis processes: a verification analysis process and an access control analysis process. The verification analysis process authenticates and authorizes the identity of the remote access terminal each time a remote access request is received; if the remote access terminal is not trusted, authorization is refused. This is the existing identity authentication process of the zero trust mechanism and is not described in detail here. The access control analysis process selects an optimal access control scheme for the remote access terminal according to the access requirement of the authorized access terminal. For example, based on the IP address information that the remote access terminal provides for itself and the IP address information of the target accessed terminal, the transmissible links between the two addresses are obtained from the IP information, giving a plurality of candidate access control schemes; the access control scheme optimally corresponding to a link is then determined from the optimization parameters derived from the remote access request, so as to improve the access security of the remote access terminal.
In some preferred embodiments, considering the increase of remote access requirements, the data transmission may generate problems such as static state, long delay, low data integrity rate, etc., and when the optimal access control scheme is selected, the dynamic state, response delay rate and data integrity rate are considered, so as to further improve the efficiency of remote access, which will be described in detail later.
In step S103, the access control scheme is sent to a zero trust gateway, so that the zero trust gateway sends the access control scheme and the remote access related data acquired from the remote access terminal to a target remotely accessed terminal, respectively, and the target remotely accessed terminal provides remote services to the remote access terminal based on the access control scheme and the remote access related data.
It can be understood that the zero trust gateway has a "stealth" function in the zero trust mechanism: it adds a layer of stealth protection around the back-end application resources, i.e. all back-end resources reached through the security gateway connection expose no service or port externally, and only authenticated and authorized users can access these hidden network resources. In this embodiment, the back-end resources of the zero-trust gateway, that is, the enterprise server, web server, etc. that the remote access terminal requests to access, include the target accessed terminal. By sending the access control scheme obtained by analysis to the zero-trust gateway, the zero-trust gateway sends the access control scheme and the remote access related data to the target accessed terminal, and the target accessed terminal provides the remote service to the remote access terminal according to the access control scheme and the remote access related data.
Specifically, referring to fig. 2, fig. 2 is an application scenario of the present embodiment for remote access control of an enterprise, which is mainly divided into three parts: 1) a remote access part, comprising the remote access terminal, which mainly raises the access request of the remote terminal; 2) a machine room part, comprising the zero-trust control and access server, enterprise server, web server, ssh server, multi-portal load balancing server, zero-trust gateway and the like, which realizes the request, analysis and feedback of zero-trust remote office access; and, in combination with practical application, 3) a job site intranet part, comprising desktop computers, notebooks, etc., which realizes access to devices within the job site intranet. In the figure:
(1) the remote access terminal in the remote access part sends a remote access request to the zero trust control and access server of the machine room part;
(2) the remote access terminal in the remote access part forwards the remote access related data to the zero trust gateway through the multi-portal load balancing server;
(3) the zero trust control and access server exchanges the control information in the remote access request with the zero trust gateway;
(4) the zero trust gateway sends the remote access related data to the enterprise server, web server, ssh server and the like, which provide the access service to the remote terminal;
(5) the desktop computers, notebooks and the like of the job site intranet send the job site intranet access request to the zero trust control and access server of the machine room part;
(6) the desktop computers, notebooks and the like of the job site intranet forward the job site intranet access related data to the zero trust gateway through the multi-portal load balancing server;
(7) the zero trust control and access server exchanges the control information in the job site intranet access analysis request with the zero trust gateway;
(8) the zero trust gateway sends the job site intranet access related data to the enterprise server, web server, ssh server and the like, which provide the job site intranet access service.
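The control/data split of steps S101 to S103 and the Fig. 2 flow, as an added Python simulation that is not part of the patent: the control server performs the verification analysis and the access control analysis, and the gateway forwards remote-access data only for a (terminal, target) pair that has an installed scheme. All names, the enrolment records, the constructed links and the link-selection rule are assumptions.

```python
"""Added example (not the patent's code): zero-trust control server plus gateway.
Identifiers, enrolment data and the selection rule are constructed assumptions."""
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    terminal_id: str
    device_info: str        # device information used for authentication
    app_info: str           # application information used for authentication
    target: str             # target remotely accessed terminal
    max_delay_ms: int       # access delay requirement
    security_level: int     # required security level


@dataclass(frozen=True)
class Link:
    name: str
    delay_ms: int
    security_level: int


@dataclass(frozen=True)
class AccessControlScheme:
    terminal_id: str
    target: str
    link: str               # the transmissible link selected for this access


class ZeroTrustControlServer:
    """S101/S102: receive the request, verify identity, then choose a scheme."""

    def __init__(self, enrolled, links):
        self.enrolled = enrolled   # terminal_id -> (device_info, {allowed app_info, ...})
        self.links = links         # (terminal_id, target) -> [Link, ...]

    def analyse(self, req: AccessRequest):
        rec = self.enrolled.get(req.terminal_id)
        if rec is None:
            return None                                   # unknown terminal: refuse
        device_info, apps = rec
        # Verification analysis: untrusted device or application -> authorization refused.
        if not hmac.compare_digest(device_info, req.device_info) or req.app_info not in apps:
            return None
        # Access control analysis (assumed rule): among the transmissible links between
        # the two endpoints keep those meeting delay and security, pick the lowest delay.
        ok = [l for l in self.links.get((req.terminal_id, req.target), [])
              if l.delay_ms <= req.max_delay_ms and l.security_level >= req.security_level]
        if not ok:
            return None
        best = min(ok, key=lambda l: l.delay_ms)
        return AccessControlScheme(req.terminal_id, req.target, best.name)


class ZeroTrustGateway:
    """S103: back-end resources sit behind the gateway; without an installed scheme
    for the (terminal, target) pair nothing is forwarded (the 'stealth' behaviour)."""

    def __init__(self, backends):
        self.backends = {b: [] for b in backends}   # target -> received (link, payload)
        self.schemes = {}
        self.audit = []

    def install(self, scheme: AccessControlScheme):
        self.schemes[(scheme.terminal_id, scheme.target)] = scheme

    def forward(self, terminal_id: str, target: str, payload: bytes) -> bool:
        scheme = self.schemes.get((terminal_id, target))
        if scheme is None or target not in self.backends:
            self.audit.append(("drop", terminal_id, target))
            return False
        self.backends[target].append((scheme.link, payload))
        self.audit.append(("forward", terminal_id, target, scheme.link))
        return True


def run_scenario():
    """Constructed scenario: one enrolled terminal, one unknown terminal, one back end."""
    server = ZeroTrustControlServer(
        enrolled={"laptop-42": ("dev-fp-abc", {"rdp-client"})},
        links={("laptop-42", "office-pc-7"): [Link("link-a", 80, 2),
                                              Link("link-b", 30, 1),
                                              Link("link-c", 45, 3)]},
    )
    gateway = ZeroTrustGateway(backends=["office-pc-7"])
    good = AccessRequest("laptop-42", "dev-fp-abc", "rdp-client", "office-pc-7", 60, 2)
    bad = AccessRequest("laptop-99", "dev-fp-zzz", "rdp-client", "office-pc-7", 60, 2)
    results = {}
    # Data arriving at the gateway before any scheme exists is dropped.
    results["data_before_scheme"] = gateway.forward("laptop-42", "office-pc-7", b"early")
    scheme = server.analyse(good)            # (1) request -> control server
    if scheme is not None:
        gateway.install(scheme)              # (3) scheme -> gateway
    results["good_link"] = scheme.link if scheme else None
    results["good_forwarded"] = gateway.forward("laptop-42", "office-pc-7", b"session")  # (2)/(4)
    results["bad_scheme"] = server.analyse(bad)
    results["bad_forwarded"] = gateway.forward("laptop-99", "office-pc-7", b"probe")
    results["backend_received"] = len(gateway.backends["office-pc-7"])
    return results


if __name__ == "__main__":
    print(run_scenario())
```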
Referring to fig. 3, fig. 3 is a schematic flow chart of another remote access method based on zero trust provided in the embodiment of the present disclosure, in this embodiment, a logistic regression algorithm, a deep learning algorithm, etc. are adopted to analyze a remote access request to obtain an optimal remote control scheme, so as to optimize remote access security and efficiency. As shown in fig. 3, the method further includes step S301 and step S302, and step S102 is further divided into step S102a.
In step S301, remote access analysis original data is acquired;
in step S302, analyzing the remote access analysis raw data by adopting a logistic regression algorithm to obtain remote access analysis data; taking remote access analysis as an example, where the original data carries IP address information, there are multiple transmissible links between two IP addresses (a remote access terminal and a target remote access terminal), and each transmissible link corresponds to one remote control scheme, that is, includes multiple remote control schemes. In this embodiment, a logistic regression algorithm is used to analyze and calculate schemes corresponding to all transmissible links corresponding to the IP address, so as to obtain access control pre-recommendation information, that is, remote access analysis data entering a subsequent analysis step. In this embodiment, through the process of analyzing the remote access analysis raw data, the problem that the optimal transmission scheme cannot be found due to the dynamic change of the transmissible link can be effectively solved.
In one embodiment, considering that with the increase of remote access requirements the data transmission may suffer from delay, a low data integrity rate and the like, the method further includes the following step: determining optimization parameters of the remote access request, wherein the optimization parameters comprise a data integrity rate and a response delay rate. The response delay rate E = (time occupied by invalid remote access per unit time) / (total unit time), and the data integrity rate C = (amount of information transmitted per unit data packet) / (total amount of information per unit data packet).
The optimization parameters are analyzed iteratively by a logistic regression algorithm combined with algorithms such as a multi-layer neural network. Specifically, the strategy of the multi-layer neural network, matrix decomposition, logistic regression and the like in each iteration is that, in a 1, 2, …, h multidimensional space, the plurality of remote control schemes migrate in the direction determined by the optimization task priority scheme according to strategies such as the multi-layer neural network, matrix decomposition and logistic regression. As shown in fig. 4, the inputs of the multi-layer neural network comprise: the response delay rate E (= time occupied by invalid remote access per unit time / total unit time) and the data integrity rate C (= amount of information transmitted per unit data packet / total amount of information per unit data packet). The output comprises: the remote access analysis data corresponding to the pre-recommendation information of the access control scheme.
The step S302 specifically includes: and analyzing the remote access analysis original data by adopting a logistic regression algorithm based on the optimization parameters to obtain remote access analysis data. Further, it is obtained according to the following formula:
Figure BDA0003298050850000091
where i, j and t represent dimensions, with i ∈ [1, m], j ∈ [1, n], t ∈ [1, q], and m, n and q respectively represent the maximum value of each dimension;
Figure BDA0003298050850000101
is the data integrity rate at the kth iteration;
Figure BDA0003298050850000102
is the response delay rate at the kth iteration;
Figure BDA0003298050850000103
represents the value corresponding to the remote access analysis raw data;
Figure BDA0003298050850000104
represents the value corresponding to the remote access analysis data at the kth iteration.
It will be appreciated that, through the logistic regression calculation, the value of
Figure BDA0003298050850000105
lies in the interval (0, 1). In this embodiment, as shown in fig. 5, information such as the optimization parameters is stored in the form of a three-dimensional vector.
In step S102a, the remote access request is analyzed based on the remote access analysis data, and an access control scheme is obtained.
In this embodiment, step S102a specifically includes analyzing the remote access request based on the optimization parameter and the remote access analysis data, so as to obtain an access control scheme.
After the remote access analysis data is obtained through logistic regression calculation, the remote access analysis data is used as an optimization parameter to be combined with other optimization parameters (response delay rate, data integrity rate) and the like to further analyze the remote access request, so that an optimal access control scheme is obtained.
Further, the analyzing the remote access analysis data based on the optimization parameters to obtain an access control scheme, as shown in fig. 6, includes:
Step S601, performing matching degree analysis on the remote access request based on the optimization parameters and the remote access analysis data to obtain an access control scheme with optimal matching degree.
In this embodiment, the matching degree analysis adopts a deep learning manner to obtain an access control scheme with optimal matching degree, and it can be understood that the access control scheme corresponding to the remote access request is migrated to the direction of optimizing parameters and optimizing remote access analysis data, so as to obtain the access control scheme with optimal matching degree, specifically, step S601 is obtained according to the following formula:
Figure BDA0003298050850000106
where MinZ_k is the value corresponding to the access control scheme with the optimal matching degree; i, j and t represent dimensions, with i ∈ [1, m], j ∈ [1, n], t ∈ [1, q], and m, n and q respectively represent the maximum value of each dimension;
Figure BDA0003298050850000107
is the data integrity rate at the kth iteration;
Figure BDA0003298050850000108
is the response delay rate at the kth iteration; C_Gmax represents the maximum data integrity rate and E_Gmin represents the minimum data delay rate;
Figure BDA0003298050850000109
is the value corresponding to the remote access analysis data at the kth iteration, and
Figure BDA00032980508500001010
is the value corresponding to the remote access analysis data when no iteration is performed.
Step S602, determining whether the access control scheme with the optimal matching degree meets the preset evaluation condition, if yes, executing step S603, otherwise, executing step S604.
In one embodiment, the step S602 determines whether the condition is satisfied by performing an evaluation test on the access control scheme with the optimal matching degree, where the evaluation test is obtained according to the following formula:
Figure BDA0003298050850000111
where
Figure BDA0003298050850000112
represents the product probability of the data integrity rate at the $k$-th iteration,
Figure BDA0003298050850000113
represents the product probability of the response delay rate at the $k$-th iteration,
Figure BDA0003298050850000114
represents the data integrity rate at the $k$-th iteration;
Figure BDA0003298050850000115
represents the response delay rate at the $k$-th iteration;
Figure BDA0003298050850000116
represents the value corresponding to the remote access analysis data at the $k$-th iteration.
Step S603, selecting the access control scheme with the optimal matching degree as the access control scheme.
Step S604, determining whether the current iteration number of the matching degree analysis reaches the maximum iteration number, if so, executing step S605, otherwise, executing step S603.
It can be understood that the current iteration number of the matching degree analysis is the number of times the matching degree analysis of step S601 has been performed. The maximum number of iterations can be set by those skilled in the art according to the actual application.
Step S605, performing supervised learning on the optimization parameters and the remote access analysis data to obtain the optimization parameters and the remote access analysis data with the iteration number increased by 1, and returning to the step of performing matching degree analysis on the remote access request based on the optimization parameters and the remote access analysis data.
In one embodiment, performing supervised learning on the optimization parameter and the remote access analysis data to obtain the optimization parameter and the remote access analysis data after adding 1 to the iteration number, including:
Figure BDA0003298050850000117
Figure BDA0003298050850000118
where
Figure BDA0003298050850000119
represents the values corresponding to the optimization parameters at the $(k+1)$-th iteration, which comprise
Figure BDA00032980508500001110
an information vector of three components;
Figure BDA00032980508500001111
represents the data integrity rate at the $(k+1)$-th iteration,
Figure BDA0003298050850000121
represents the response delay rate at the $(k+1)$-th iteration,
Figure BDA0003298050850000122
represents the value corresponding to the remote access analysis data at the $(k+1)$-th iteration,
Figure BDA0003298050850000123
represents the reinforcement factor at the $(k+1)$-th iteration;
wherein the reinforcement factor is obtained according to the following formula:
Figure BDA0003298050850000124
where $C_{G\max}$ represents the maximum data integrity rate, $E_{G\min}$ represents the minimum data delay rate,
Figure BDA0003298050850000125
represents the value corresponding to the remote access analysis data before any iteration is performed.
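The control flow of steps S601 to S605, as an added Python illustration that is not the patent's code. Because the patent's formulas appear on this page only as figures, the matching value $Z_k$, the evaluation test, the reinforcement factor and the update rule below are stand-in assumptions, the remote access analysis data is held at its initial value $R_0$, and the candidate schemes and request parameters are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed bounds and weighting coefficient (stand-in values, not the patent's).
C_GMAX = 1.0   # maximum data integrity rate
E_GMIN = 0.0   # minimum response delay rate
MU = 1.0       # weighting coefficient mu

@dataclass(frozen=True)
class Params:
    """Optimization parameters at iteration k: integrity rate C_k, delay rate E_k."""
    c: float
    e: float

@dataclass(frozen=True)
class Scheme:
    """Candidate access control scheme with its expected rates (constructed)."""
    name: str
    c: float
    e: float

def matching_value(p: Params, s: Scheme) -> float:
    """Stand-in for Z_k: distance of a scheme from the current parameters."""
    return abs(s.c - p.c) + abs(s.e - p.e)

def best_match(p: Params, schemes: List[Scheme]) -> Scheme:
    """Step S601: the scheme with the smallest Z_k has the optimal matching degree."""
    return min(schemes, key=lambda s: matching_value(p, s))

def evaluation_ok(s: Scheme, threshold: float) -> bool:
    """Step S602 stand-in: product of the integrity and delay probabilities."""
    p_c = s.c / C_GMAX           # probability that the integrity target is met
    p_e = 1.0 - (s.e - E_GMIN)   # probability that the delay target is met
    return p_c * p_e >= threshold

def reinforcement(p: Params, r0: float) -> float:
    """Stand-in reinforcement factor: gap to the ideal point (C_Gmax, E_Gmin),
    scaled by the initial remote access analysis value R_0."""
    return r0 * ((C_GMAX - p.c) + (p.e - E_GMIN))

def update(p: Params, r0: float) -> Params:
    """Step S605 stand-in: move the parameters toward the ideal point."""
    rho = reinforcement(p, r0)
    return Params(c=p.c + MU * rho * (C_GMAX - p.c),
                  e=p.e - MU * rho * (p.e - E_GMIN))

def select_scheme(p: Params, schemes: List[Scheme], r0: float,
                  threshold: float, max_iter: int) -> Tuple[Scheme, int, bool]:
    """Run S601-S605. Returns (scheme, iterations used, evaluation condition met).
    When max_iter is reached the best match is selected anyway (S604 -> S603)."""
    k = 1
    while True:
        s = best_match(p, schemes)              # S601
        if evaluation_ok(s, threshold):         # S602
            return s, k, True                   # S603
        if k >= max_iter:                       # S604: no iterations left
            return s, k, False                  # S603 with the condition unmet
        p, k = update(p, r0), k + 1             # S605, then back to S601

# Constructed candidate schemes, not taken from the patent.
CANDIDATES = [
    Scheme("relay-via-broker", c=0.80, e=0.30),
    Scheme("direct-tunnel", c=0.95, e=0.10),
    Scheme("cached-replica", c=0.60, e=0.05),
]
```

With the request parameters (0.82, 0.25) the nearest scheme is first the relay, which fails the evaluation test; two parameter updates move the target until the direct tunnel becomes the best match and passes.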
In this embodiment, several algorithms such as logistic regression, deep learning and supervised learning are combined to perform dynamic deep analysis on the remote access request, so that remote access adapts to dynamic changes of the link while achieving short response delay and a high data integrity rate.
Based on the same technical concept, the embodiment of the present disclosure correspondingly provides a terminal device, as shown in fig. 7, where the terminal device includes a memory 71 and a processor 72, where the memory 71 stores a computer program, and when the processor 72 runs the computer program stored in the memory 71, the processor 72 executes the remote access method based on zero trust.
Based on the same technical concept, the embodiments of the present disclosure also provide a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the zero-trust-based remote access method.
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, functional modules/units in the apparatus, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed cooperatively by several physical components. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
Furthermore, as is well known to those of ordinary skill in the art, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.
Finally, it should be noted that the above embodiments are only for illustrating the technical solution of the present disclosure, and not for limiting it. Although the present disclosure has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some or all of their technical features can be replaced by equivalents, and that such modifications and substitutions do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present disclosure.

Claims (7)

1. A zero trust based remote access method, comprising:
receiving a remote access request of a remote access terminal, and determining optimization parameters of the remote access request, wherein the optimization parameters comprise a data integrity rate and a response delay rate;
acquiring remote access analysis original data;
analyzing the remote access analysis original data by adopting a logistic regression algorithm based on the optimization parameters to obtain remote access analysis data;
analyzing the remote access request based on the optimization parameters and the remote access analysis data to obtain an access control scheme; and
the access control scheme is sent to a zero trust gateway, so that the zero trust gateway respectively sends the access control scheme and remote access related data acquired from the remote access terminal to a target remote access terminal, and the target remote access terminal provides remote service for the remote access terminal based on the access control scheme and the remote access related data;
the analyzing the remote access request based on the optimization parameters and the remote access analysis data to obtain an access control scheme comprises the following steps:
performing matching degree analysis on the remote access request based on the optimization parameters and the remote access analysis data to obtain an access control scheme with optimal matching degree;
judging whether the access control scheme with the optimal matching degree meets a preset evaluation condition or not;
if the preset evaluation condition is met, selecting the access control scheme with the optimal matching degree as an access control scheme;
wherein performing matching degree analysis on the remote access request based on the optimization parameters and the remote access analysis data to obtain an access control scheme with optimal matching degree is carried out according to the following formula:
Figure FDA0004219175300000011
where $\mathrm{Min}\,Z_k$ is the value corresponding to the access control scheme with the optimal matching degree; $i$, $j$ and $t$ represent dimensions, with $i \in [1, m]$, $j \in [1, n]$, $t \in [1, q]$, and $m$, $n$ and $q$ respectively represent the maximum value of each dimension;
Figure FDA0004219175300000012
represents the data integrity rate at the $k$-th iteration;
Figure FDA0004219175300000013
represents the response delay rate at the $k$-th iteration; $C_{G\max}$ represents the maximum data integrity rate, $E_{G\min}$ represents the minimum data delay rate;
Figure FDA0004219175300000021
represents the value corresponding to the remote access analysis data at the $k$-th iteration,
Figure FDA0004219175300000022
represents the value corresponding to the remote access analysis data before any iteration is performed.
2. The method according to claim 1, wherein when determining whether the access control scheme with the optimal matching degree meets a preset evaluation condition, further comprising:
if the preset evaluation condition is not met, judging whether the current iteration number of the matching degree analysis has reached the maximum iteration number;
if the maximum iteration number is not reached, performing supervised learning on the optimization parameters and the remote access analysis data to obtain the optimization parameters and the remote access analysis data with the iteration number added with 1, and returning to execute the step of performing matching degree analysis on the remote access request based on the optimization parameters and the remote access analysis data;
and if the maximum iteration times are reached, selecting the access control scheme with the optimal matching degree as an access control scheme.
3. The method of claim 1, wherein the analyzing the remote access analysis raw data using a logistic regression algorithm yields remote access analysis data according to the following formula:
Figure FDA0004219175300000023
where $i$, $j$ and $t$ represent dimensions, with $i \in [1, m]$, $j \in [1, n]$, $t \in [1, q]$, and $m$, $n$ and $q$ respectively represent the maximum value of each dimension;
Figure FDA0004219175300000024
represents the data integrity rate at the $k$-th iteration;
Figure FDA0004219175300000025
represents the response delay rate at the $k$-th iteration;
Figure FDA0004219175300000026
represents the value corresponding to the remote access analysis raw data;
Figure FDA0004219175300000027
represents the value corresponding to the remote access analysis data at the $k$-th iteration.
4. The method according to claim 1, wherein the determining whether the access control scheme with the optimal matching degree meets a preset evaluation condition is obtained according to the following formula:
Figure FDA0004219175300000028
where
Figure FDA0004219175300000031
represents the product probability of the data integrity rate at the $k$-th iteration,
Figure FDA0004219175300000032
represents the product probability of the response delay rate at the $k$-th iteration,
Figure FDA0004219175300000033
represents the data integrity rate at the $k$-th iteration;
Figure FDA0004219175300000034
represents the response delay rate at the $k$-th iteration;
Figure FDA0004219175300000035
represents the value corresponding to the remote access analysis data at the $k$-th iteration.
5. The method according to claim 2, wherein performing supervised learning on the optimization parameters and the remote access analysis data to obtain the optimization parameters and the remote access analysis data with the iteration number added to 1 comprises:
Figure FDA0004219175300000036
Figure FDA0004219175300000037
where
Figure FDA0004219175300000038
represents the values corresponding to the optimization parameters at the $(k+1)$-th iteration, which comprise
Figure FDA0004219175300000039
an information vector of three components;
Figure FDA00042191753000000310
represents the data integrity rate at the $(k+1)$-th iteration,
Figure FDA00042191753000000311
represents the response delay rate at the $(k+1)$-th iteration,
Figure FDA00042191753000000312
represents the value corresponding to the remote access analysis data at the $(k+1)$-th iteration,
Figure FDA00042191753000000313
represents the reinforcement factor at the $(k+1)$-th iteration, and $\mu$ represents the weighting coefficient;
wherein the reinforcement factor is obtained according to the following formula:
Figure FDA00042191753000000314
where $C_{G\max}$ represents the maximum data integrity rate, $E_{G\min}$ represents the minimum data delay rate,
Figure FDA00042191753000000315
represents the value corresponding to the remote access analysis data before any iteration is performed.
6. A terminal device comprising a memory and a processor, the memory having stored therein a computer program, which when executed by the processor performs the zero trust based remote access method according to any one of claims 1 to 5.
7. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, performs a zero trust based remote access method according to any one of claims 1 to 5.
CN202111183028.XA 2021-10-11 2021-10-11 Remote access method based on zero trust, terminal equipment and computer storage medium Active CN113923030B (en)


Publications (2)

Publication Number Publication Date
CN113923030A CN113923030A (en) 2022-01-11
CN113923030B true CN113923030B (en) 2023-06-23

Family

ID=79239219


Country Status (1)

Country Link
CN (1) CN113923030B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10659434B1 (en) * 2019-09-24 2020-05-19 Pribit Technology, Inc. Application whitelist using a controlled node flow
CN112055029A (en) * 2020-09-16 2020-12-08 全球能源互联网研究院有限公司 Zero-trust power Internet of things equipment and user real-time trust degree evaluation method
CN112364365A (en) * 2020-11-23 2021-02-12 中国联合网络通信集团有限公司 Industrial data encryption method, edge server and computer readable storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11416825B2 (en) * 2019-11-01 2022-08-16 Microsoft Technology Licensing, Llc Managed rooms backbone
US11190493B2 (en) * 2019-12-16 2021-11-30 Vmware, Inc. Concealing internal applications that are accessed over a network
US20210117249A1 (en) * 2020-10-03 2021-04-22 Intel Corporation Infrastructure processing unit


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Research on a security system and its application for remote mobile office based on zero trust architecture; 左英男; 张泽洲; 保密科学技术 (Issue 03); full text *
Research and implementation of a security model for a zero-trust-based remote office system; 魏小强; 信息安全研究 (Issue 04); full text *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant