CN114095189B - Configuration method and device for equipment permission - Google Patents

Configuration method and device for equipment permission

Info

Publication number
CN114095189B
Authority
CN
China
Prior art keywords
value
parameter
current
surprise
trust
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010757319.4A
Other languages
Chinese (zh)
Other versions
CN114095189A (en)
Inventor
谢杨
黄铖斌
张欣
李国平
施华
尚衡
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Telecom Corp Ltd
Priority to CN202010757319.4A
Publication of CN114095189A
Application granted
Publication of CN114095189B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The disclosure relates to a configuration method and device for device permissions and a computer storage medium, in the technical field of network security. The configuration method for device permissions comprises: determining, according to the authentication result for the device, a corresponding initial device trust value, a plurality of device trust value intervals and the permission level corresponding to each device trust value interval; obtaining at least one item of authentication data for the device, each item comprising the current parameter value of at least one parameter; determining the current device trust value of the device from the current parameter value of each parameter of each item of authentication data and the initial device trust value; taking the permission level corresponding to the device trust value interval in which the current device trust value lies as the permission level of the device; and configuring the permissions of the device according to that permission level. The method and device reduce the risk of unauthorized access by the device and improve the security of the network architecture.

Description

Configuration method and device for equipment permission
Technical Field
The disclosure relates to the technical field of network security, in particular to a configuration method and device for equipment authority and a computer storage medium.
Background
With the increasing variety of network threats, zero trust network architectures have emerged. In a zero trust network architecture, no person or thing inside or outside the network is trusted automatically, and anyone or anything attempting to access the system must be verified before being authorized.
In the related art, the identity of a device accessing the system is authenticated using data related to the device, and the device is then authorized on the strength of that authentication.
Disclosure of Invention
The inventors consider that in the related art identity authentication verifies the validity of a device only at the moment of authentication, whereas the security of the device's access may change over time; this creates a risk of unauthorized access, and the security of the network architecture cannot be guaranteed.
To address this technical problem, the disclosure provides a solution that reduces the risk of unauthorized access by a device and improves the security of the network architecture.
According to a first aspect of the present disclosure, there is provided a configuration method for device permissions, including: determining, according to the authentication result for the device, a corresponding initial device trust value, a plurality of device trust value intervals and the permission level corresponding to each device trust value interval; obtaining at least one item of authentication data for the device, each item comprising the current parameter value of at least one parameter; determining the current device trust value of the device from the current parameter value of each parameter of each item of authentication data and the initial device trust value; taking the permission level corresponding to the device trust value interval in which the current device trust value lies as the permission level of the device; and configuring the permissions of the device according to that permission level.
In some embodiments, determining the current device trust value of the device comprises: for each parameter of each item of authentication data, determining a current surprise value from the current parameter value, the current surprise value characterizing the likelihood that the current parameter value is a correct parameter value and being inversely related to that likelihood; and determining the current device trust value of the device from the current surprise value and the standard surprise value of each parameter of each item of authentication data and the initial device trust value.
In some embodiments, determining the current device trust value from the current and standard surprise values of each parameter and the initial device trust value comprises: determining a data trust value for each item of authentication data from the current surprise value and the standard surprise value of its at least one parameter and the initial device trust value; and determining the current device trust value of the device from the data trust value of the at least one item of authentication data.
In some embodiments, determining the data trust value of each item of authentication data comprises: for each parameter, determining, using a normal probability density function over surprise values whose expected value is the standard surprise value, a deviation probability of the first frequency with which the current surprise value occurs relative to the second frequency with which the standard surprise value occurs, the deviation probability being the probability that a surprise value falls in a specific surprise value interval, namely the interval of surprise values whose frequency of occurrence is greater than the first frequency and less than the second frequency; determining the parameter trust value of each parameter from the deviation probability and the initial device trust value, the parameter trust value being inversely related to the deviation probability; and weighting the parameter trust values of the at least one parameter to obtain the data trust value of the item of authentication data.
In some embodiments, the parameter trust value of each parameter is positively correlated with the initial device trust value.
In some embodiments, there are a plurality of parameters, and weighting their parameter trust values comprises: determining a parameter weight value for each parameter according to the service requirement; and weighting the parameter trust values of the plurality of parameters by their parameter weight values.
In some embodiments, the parameter has a plurality of parameter values, among them the current parameter value, and determining the current surprise value comprises: looking up the frequency with which the current parameter value occurs among the plurality of parameter values in the correspondence between parameter values and their frequencies of occurrence; and determining the current surprise value from that frequency, the current surprise value being inversely related to it.
In some embodiments, determining the current device trust value from the data trust value of the at least one item of authentication data comprises weighting the data trust values to obtain the current device trust value of the device.
In some embodiments, there are a plurality of types of authentication data, and weighting their data trust values comprises: determining a data weight value for each item of authentication data according to the service requirement; and weighting the data trust values of the plurality of items by those data weight values.
In some embodiments, the at least one item of authentication data for the device is obtained according to the service requirement.
According to a second aspect of the present disclosure, there is provided a configuration apparatus for device permissions, comprising: a first determining module configured to determine, according to the authentication result for the device, a corresponding initial device trust value, a plurality of device trust value intervals and the permission level corresponding to each device trust value interval; an acquisition module configured to acquire at least one item of authentication data for the device, each item comprising the current parameter value of at least one parameter; a second determining module configured to determine the current device trust value of the device from the current parameter value of each parameter of each item of authentication data and the initial device trust value; a third determining module configured to take the permission level corresponding to the device trust value interval in which the current device trust value lies as the permission level of the device; and a configuration module configured to configure the permissions of the device according to that permission level.
According to a third aspect of the present disclosure, there is provided a configuration apparatus for device rights, comprising: a memory; and a processor coupled to the memory, the processor configured to perform the configuration method for device permissions described in any of the embodiments above based on instructions stored in the memory.
According to a fourth aspect of the present disclosure, there is provided a computer-readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement a configuration method for device rights according to any of the embodiments described above.
In these embodiments, the risk of unauthorized access by the device is reduced and the security of the network architecture is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure.
The disclosure may be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings in which:
FIG. 1 is a flow chart illustrating a configuration method for device permissions according to some embodiments of the present disclosure;
FIG. 2 is a flow chart illustrating determining a current device trust value for a device according to some embodiments of the present disclosure;
FIG. 3 is a block diagram illustrating a configuration apparatus for device permissions according to some embodiments of the present disclosure;
FIG. 4 is a block diagram illustrating configuration apparatus for device rights according to further embodiments of the present disclosure;
FIG. 5 is a block diagram illustrating a computer system for implementing some embodiments of the present disclosure.
Detailed Description
Various exemplary embodiments of the present disclosure will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless it is specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective parts shown in the drawings are not drawn in actual scale for convenience of description.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses.
Techniques, methods, and apparatus known to one of ordinary skill in the relevant art may not be discussed in detail, but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any specific values should be construed as merely illustrative, and not a limitation. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further discussion thereof is necessary in subsequent figures.
Fig. 1 is a flow chart illustrating a configuration method for device permissions according to some embodiments of the present disclosure.
As shown in fig. 1, the configuration method for device rights includes steps S110 to S150. For example, the configuration method for the device right is performed by the configuration apparatus for the device right. In some embodiments, the above configuration method may be set to be performed at a fixed time daily or weekly to achieve continuous trust evaluation.
In step S110, according to the authentication result for the device, a corresponding initial device trust value, a plurality of device trust value intervals, and a permission level corresponding to each device trust value interval are determined. For example, the authentication result of the device is a device fingerprint authentication result.
In some embodiments, the initial device trust value is a first value if the authentication result of the device is a pass and a second value if it is a failure, the first value being greater than the second. For example, the first value is 100 and the second value is 60.
Taking an initial device trust value of 100 as an example, the device trust value intervals may be (0,60], (60,80] and (80,100], representing low, medium and high confidence respectively. The intervals are half-open so that a boundary value such as exactly 60, or the initial value 100 itself, falls into exactly one interval.
Different device trust value intervals correspond to different permission levels. For example, the permission levels corresponding to (0,60], (60,80] and (80,100] are low, medium and high respectively.
In some embodiments, the corresponding relationship among the authentication result, the initial device trust value, the multiple device trust value intervals, and the multiple permission levels of the device may be preset according to the service requirement, and stored in a corresponding relationship table. The correspondence table may be stored in a memory or database, for example.
In step S120, at least one item of authentication data for the device is acquired, for example according to the service requirement. The configuration apparatus can store the correspondence between different service requirements and different authentication data, so that at least one type of authentication data for the device can be obtained from the service requirement.
Each authentication data includes a current parameter value of at least one parameter.
In some embodiments, the authentication data includes hardware information, system information, user operation information, and process and port information from the device's implicit identifier. For example, the hardware information includes parameters such as the operating platform, the type of MCU (Micro Controller Unit) and the device manufacturer; the system information includes parameters such as the list of system programs, the system version and the size of built-in storage; the user operation information includes parameters such as Wi-Fi connection information, automatic time zone setting and the user's time zone; and the process and port information includes parameters such as running processes and open ports. The authentication data may also include firmware information and the like.
In other embodiments, the authentication data may instead be taken from the traffic exchanged between the device and the proxy gateway: the port used between device and gateway, the protocol, the device's source address, the destination address, the packet size, the time the request was sent, and so on. In general, interaction traffic data is used as authentication data in scenarios with high device security requirements and little service variation, such as surveillance cameras.
Taking hardware information as the authentication data and the operating platform as the parameter, assume the current parameter value of the operating platform is Android.
In step S130, the current device trust value of the device is determined from the current parameter value of each parameter of each item of authentication data and the initial device trust value.
The determination of the current device trust value of the device in step S130 is achieved, for example, in the manner shown in fig. 2.
Fig. 2 is a flow chart illustrating determining a current device trust value for a device according to some embodiments of the present disclosure.
As shown in fig. 2, determining the current device trust value of the device includes steps S131-S132.
In step S131, for each parameter of each item of authentication data, a current surprise value is determined from the current parameter value. The current surprise value characterizes the likelihood that the current parameter value is a correct parameter value and is inversely related to that likelihood. The surprise value is the information carried by the occurrence of a specific event: the amount of information depends on the probability of the event, and the smaller the probability, the larger the amount of information its occurrence carries. The surprise value therefore exposes changes in the device's information: if the device has been forged or tampered with, the probability that the current parameter value is a correct one is smaller and a large surprise value results.
In some embodiments, each of the above parameters has a plurality of parameter values. The plurality of parameter values includes a current parameter value.
First, the frequency with which the current parameter value occurs among the plurality of parameter values is determined from the current parameter value, using the correspondence between the parameter values of the parameter and their frequencies of occurrence.
For example, from a large amount of test data obtained in a security test environment, the frequency with which each parameter value of each parameter occurs among all observed values of that parameter is determined, and the correspondence between parameter values and their frequencies of occurrence is recorded as in Table 1. Taking 10,000 tests in the security test environment as an example, the number of times a parameter value occurs divided by 10,000 is its frequency of occurrence. The tests in the security test environment are the authentication data reported by devices in a secure environment during device identity authentication; the authentication data of each test includes parameter values of at least one parameter.
Table 1 Correspondence between parameter values and their frequencies of occurrence

    Parameter value    Frequency of occurrence
    Android            0.9833
    IOS                0.0067
    Windows            0.0100

Table 1 shows the frequencies with which each of the three parameter values Android, IOS and Windows of the operating platform parameter occurs: Android occurs with frequency 0.9833, IOS with frequency 0.0067 and Windows with frequency 0.01.
The current surprise value is then determined based on the frequency with which the current parameter value appears among the plurality of parameter values. The current surprise value is inversely related to the frequency with which the current parameter value appears among the plurality of parameter values.
The process of determining the current surprise value will be described in detail below using Android as an example of the current parameter value.
The current surprise value is determined by the formula $I(p) = -\log_2 F(p)$, where $p$ is the current parameter value and $F(p)$ is the frequency with which the current parameter value occurs among all parameter values.
According to this formula, when the current parameter value $p$ is Android, the current surprise value is $I(\text{Android}) = -\log_2 F(\text{Android}) = -\log_2 0.9833 \approx 0.0243$ bits; for the rare value Windows it would be $-\log_2 0.01 \approx 6.64$ bits.
In step S132, the current device trust value of the device is determined from the current surprise value and the standard surprise value of each parameter of each item of authentication data and the initial device trust value. For each parameter there are as many current and standard surprise values as the parameter has parameter values.
For example, the standard surprise value of a parameter value is the expectation of its surprise value, which is also obtained from a large number of tests in the security test environment. Taking 10,000 sets of 10,000 tests each as an example: in each set, the frequency of occurrence of each parameter value of each parameter of each item of authentication data is calculated and the surprise value of each parameter value is determined from it. The expectation of the surprise value of each parameter value, taken over the frequencies with which its different surprise values occur across the sets, is then used as its standard surprise value.
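The calibration just described, as an added worked example in Python that is not part of the patent: it builds the correspondence table of Table 1 for one parameter, derives the surprise value of each parameter value, and then estimates the standard surprise value and the spread of the normal density f(x) per parameter value across many sets of tests. The sets are drawn from a constructed population with the Table 1 frequencies rather than from a real security test environment, and add-one smoothing of a value that is absent from a set is an assumption the text does not make; both are marked in the comments.

```python
import math
import random
from collections import Counter

# Constructed stand-in for the security test environment: a population whose
# operating-platform values occur with the frequencies of Table 1. Each
# baseline "set" is one batch of reports drawn from it.
PLATFORM_VALUES = ("Android", "IOS", "Windows")
PLATFORM_FREQ = (0.9833, 0.0067, 0.0100)


def surprise(freq):
    """Surprise value I(p) = -log2 F(p): the rarer the value, the larger I."""
    return -math.log2(freq)


def frequency_table(values, reports):
    """Correspondence between each parameter value and its frequency in one
    set of reports (the Table 1 of that set). Add-one smoothing keeps a value
    that happens to be absent from a set at a small non-zero frequency instead
    of an infinite surprise (assumption; the text does not say how a zero
    count is handled)."""
    counts = Counter(reports)
    total = len(reports) + len(values)
    return {v: (counts[v] + 1) / total for v in values}


def calibrate(values, freqs, sets=20, size=10_000, seed=0):
    """Standard surprise value I_n and spread sigma_n for every parameter
    value: draw `sets` batches of `size` reports, compute each value's surprise
    in each batch, then take mean and standard deviation across batches. These
    are the expectation and sigma of the normal density f(x) used later for
    the deviation probability. Returns {value: (mean, sigma)}."""
    rng = random.Random(seed)  # fixed seed so the constructed sets are reproducible
    per_value = {v: [] for v in values}
    for _ in range(sets):
        batch = rng.choices(values, weights=freqs, k=size)
        table = frequency_table(values, batch)
        for v in values:
            per_value[v].append(surprise(table[v]))
    result = {}
    for v, xs in per_value.items():
        mean = sum(xs) / len(xs)
        var = sum((x - mean) ** 2 for x in xs) / (len(xs) - 1)
        result[v] = (mean, math.sqrt(var))
    return result


if __name__ == "__main__":
    for value, (mean, sigma) in calibrate(PLATFORM_VALUES, PLATFORM_FREQ).items():
        print(f"{value:8s} I_n = {mean:.4f}  sigma_n = {sigma:.4f}")
```

The spread of the common value (Android, about 0.002) is two orders of magnitude smaller than that of the rare ones (Windows, IOS, about 0.15), which is why a later deviation of a rare value needs a much larger shift in its frequency to count as surprising than a deviation of the dominant one; the sigmas only hold for windows of the same size as the calibration sets.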
In the above embodiment, by introducing the surprise value in the process of determining the trust value of the current device, the quantification of trust evaluation on the device can be realized, and the accuracy of trust evaluation is improved, so that the authority of the device can be accurately configured, the override risk is further reduced, and the security of the system architecture is improved.
In some embodiments, determining the current device trust value for the device based on the current and standard surprise values for each parameter, the initial device trust value comprises: determining a data trust value of each authentication data according to the current surprise value, the standard surprise value and the initial equipment trust value of at least one parameter; and determining the current device trust value of the device according to the data trust value of the at least one authentication data.
Determining the data trust value for each type of authentication data is accomplished, for example, as follows.
First, for each parameter, the probability of deviation of the first frequency of occurrence of the current surprise value from the second frequency of occurrence of the standard surprise value is determined using a normal distribution probability density function with respect to the surprise value. The deviation probability is the probability that the surprise value is within a certain surprise value interval. The specific surprise value interval is an surprise value interval corresponding to a frequency interval in which the frequency of occurrence of the surprise value is greater than the first frequency and less than the second frequency. The expected value of the normal distribution probability density function is a standard surprise value.
Taking the 10,000 sets of tests as an example, by calculating the surprise value of each parameter of each item of authentication data in every set and fitting a function to the results, a normal probability density function $f(x)$ over surprise values is obtained for each parameter value of each parameter. Suppose one type of authentication data has $N$ parameters, $N$ a positive integer; write the surprise value expectation of the $n$-th parameter as $I_n$ and its current surprise value as $i_n$, with $n$ a positive integer not greater than $N$.
By the symmetry of the normal distribution about its mean, the specific surprise value interval is the interval between $i_n$ and its mirror image $2I_n - i_n$, i.e. $[i_n,\, 2I_n - i_n]$ when $i_n \le I_n$ (and $[2I_n - i_n,\, i_n]$ otherwise). The deviation probability is
$$P_n = \int_{i_n}^{2I_n - i_n} f(x)\,dx$$
(with the bounds taken in increasing order), which is 0 when $i_n = I_n$ and approaches 1 as $i_n$ moves away from $I_n$ on either side.
Then, a parameter trust value is determined for each parameter from the deviation probability and the initial device trust value. The parameter trust value of each parameter is inversely related to the deviation probability. In some embodiments, the parameter trust value of each parameter is positively correlated with the initial device trust value.
In some embodiments, the difference between 1 and the deviation probability is calculated and the product of the initial device trust value and that difference is taken as the parameter trust value of the parameter. Writing the initial device trust value as $A_0$, the parameter trust value of the $n$-th parameter is
$$a_n = A_0\,(1 - P_n).$$
And finally, carrying out weighting operation on the parameter trust value of at least one parameter to obtain the data trust value of each authentication data.
In some embodiments, the parameters of the authentication data are multiple. I.e. the authentication data comprises a plurality of parameters. According to the service requirement, determining the parameter weight value of each parameter; and weighting the parameter trust values of the various parameters according to the parameter weight value of each parameter.
For example, the parameter weight value of the $n$-th parameter is determined as $Q_n$ according to the service requirement, with the $N$ parameter weight values summing to 1. The data trust value of the item of authentication data is then
$$A_m = \sum_{n=1}^{N} Q_n\, a_n.$$
The parameter weights can be set by manual analysis, or the weighting can be implemented by an algorithm designed for the service scenario from factors such as whether each parameter can legitimately change, its range of variation and how easily it can be tampered with.
The criterion of parameter importance is service-dependent, and the weighting algorithm can differ considerably between security requirements.
Determining the current device trust value of the device based on the data trust value of the at least one authentication data is achieved, for example, by: and weighting the data trust value of at least one authentication data to obtain the current equipment trust value of the equipment.
In some embodiments, the authentication data is a plurality. Determining a data weight value of each authentication data according to the service requirement; and weighting the data trust values of the plurality of authentication data according to the data weight value of each authentication data.
For example, there are $M$ items of authentication data, $M$ a positive integer. The data weight value of the $m$-th item is determined as $W_m$ according to the service requirement, with $m$ a positive integer not greater than $M$, and the $M$ data weight values sum to 1. The current device trust value $A$ is the sum over the $M$ items of the product of each data weight value and the corresponding data trust value. Writing the data trust value of the $m$-th item as $A_m$,
$$A = \sum_{m=1}^{M} W_m\, A_m.$$
For example, the current device trust value $A$ is calculated as 90.
For example, from a security perspective a manual analysis might consider that hardware information should not change (a deviation means the device has been hijacked or the information tampered with), that system information may deviate (system updates, memory changes), that user operation is flexible (Wi-Fi changes, time zone adjustments) and that processes and ports relate to service security, and weight the four kinds of authentication data 0.4, 0.2, 0.1 and 0.3 respectively.
For example, the current parameter value and the standard parameter value of each parameter may be converted into word vectors, and the deviation degree of the current parameter value relative to the standard parameter value is determined through word vector comparison, so as to determine the current device trust value of the device according to the deviation degree.
Returning to fig. 1, in step S140, it is determined that the permission level corresponding to the device trust value interval in which the current device trust value is located is the permission level of the device.
Taking device trust value intervals (0,60], (60,80] and (80,100] as an example, a current device trust value of 90 lies in (80,100], whose corresponding permission level is high.
In step S150, the rights of the device are configured according to the permission level.
For example, the rights content for the device is looked up, by permission level, in a correspondence between permission levels and rights content that is stored in memory or in a database, and the rights of the device are then configured according to that rights content. The rights content consists of service rights.
For example, for the monitoring system of an office building, the rights content includes, but is not limited to, live viewing, saving video locally, saving video to a cloud disk, reading local video and reading cloud-disk video. After trust evaluation of a remote device that accesses the monitoring system, all service rights are opened for a high-trust-level device, only the two service rights of live viewing and local saving are opened for a medium-trust-level device, and all service rights are closed for a low-trust-level device.
In this embodiment, trust evaluation of the device yields its current device trust value, and the rights of the device are configured according to the permission level corresponding to that value, which reduces the risk of unauthorized access by the device and improves the security of the network architecture. In addition, because trust evaluation and rights configuration continue throughout the normal authentication and service flow, the method can effectively prevent a device that has been hijacked from launching an attack from inside the network, improving the security of the service system.
Fig. 3 is a block diagram illustrating a configuration apparatus for device rights according to some embodiments of the present disclosure.
As shown in fig. 3, the configuration apparatus 3 for device rights includes a first determination module 31, an acquisition module 32, a second determination module 33, a third determination module 34, and a configuration module 35.
The first determining module 31 is configured to determine, according to the authentication result for the device, a corresponding initial device trust value, a plurality of device trust value intervals, and a permission level corresponding to each device trust value interval, for example, to perform step S110 shown in fig. 1.
The acquisition module 32 is configured to acquire at least one authentication data for the device, each authentication data comprising a current parameter value of at least one parameter, for example performing step S120 as shown in fig. 1.
The second determining module 33 is configured to determine a current device trust value of the device based on the initial device trust value and the current parameter value of each parameter of each authentication data, for example to perform step S130 shown in fig. 1.
The third determining module 34 is configured to determine that the permission level corresponding to the device trust value interval in which the current device trust value is located is the permission level of the device, for example, performing step S140 shown in fig. 1.
The configuration module 35 is configured to configure the rights of the device according to the rights level, for example to perform step S150 as shown in fig. 1.
Fig. 4 is a block diagram illustrating configuration apparatus for device rights according to further embodiments of the present disclosure.
As shown in fig. 4, the configuration apparatus 4 for device rights includes a memory 41 and a processor 42 coupled to the memory 41. The memory 41 stores instructions for executing the corresponding embodiments of the configuration method for device rights. The processor 42 is configured to execute the configuration method for device rights of any of the embodiments of the present disclosure based on the instructions stored in the memory 41.
FIG. 5 is a block diagram illustrating a computer system for implementing some embodiments of the present disclosure.
As shown in FIG. 5, computer system 50 may be in the form of a general purpose computing device. Computer system 50 includes a memory 510, a processor 520, and a bus 500 that connects the various system components.
Memory 510 may include, for example, system memory, non-volatile storage media, and the like. The system memory stores, for example, an operating system, application programs, a boot loader, and other programs. The system memory may include volatile storage media, such as Random Access Memory (RAM) and/or cache memory. The non-volatile storage medium stores, for example, instructions for performing a corresponding embodiment of at least one of the configuration methods for device rights. Non-volatile storage media include, but are not limited to, disk storage, optical storage, flash memory, and the like.
Processor 520 may be implemented as discrete hardware components such as a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gates or transistors, and the like. Accordingly, each of the modules, such as the judgment module and the determination module, may be implemented by a Central Processing Unit (CPU) executing instructions of the corresponding steps in the memory, or may be implemented by a dedicated circuit that performs the corresponding steps.
Bus 500 may employ any of a variety of bus architectures. For example, bus structures include, but are not limited to, an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, and a Peripheral Component Interconnect (PCI) bus.
Computer system 50 may also include an input-output interface 530, a network interface 540, a storage interface 550, and the like. These interfaces 530, 540, 550, the memory 510 and the processor 520 may be connected by bus 500. The input-output interface 530 provides a connection interface for input-output devices such as a display, mouse, keyboard, and the like. Network interface 540 provides a connection interface for various networking devices. The storage interface 550 provides a connection interface for external storage devices such as floppy disks, USB disks, SD cards, and the like.
Various aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions.
These computer-readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable apparatus to produce a machine, such that the instructions, which execute via the processor, create means for implementing the functions specified in the flowchart and/or block diagram block or blocks.
These computer readable program instructions may also be stored in a computer readable memory that can direct a computer to function in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture including instructions which implement the function specified in the flowchart and/or block diagram block or blocks.
The present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects.
By means of the configuration method and apparatus for device rights and the computer storage medium of the above embodiments, the risk of unauthorized access by a device can be reduced and the security of the network architecture improved.
Thus far, the configuration method and apparatus for device rights, and the computer-readable medium according to the present disclosure have been described in detail. In order to avoid obscuring the concepts of the present disclosure, some details known in the art are not described. How to implement the solutions disclosed herein will be fully apparent to those skilled in the art from the above description.

Claims (10)

1. A configuration method for device rights, comprising:
Determining a corresponding initial device trust value, a plurality of device trust value intervals and authority levels corresponding to each device trust value interval according to the authentication result aiming at the device;
obtaining at least one authentication data for the device, each authentication data comprising a current parameter value of at least one parameter;
Determining a current device trust value of the device according to the current parameter value of each parameter of each authentication data and the initial device trust value, including:
For each parameter of each authentication data, determining a current surprise value from the current parameter value, the current surprise value characterizing a likelihood that the current parameter value belongs to a correct parameter value, the current surprise value being inversely related to the likelihood;
Determining the current device trust value of the device according to the current surprise value and the standard surprise value of each parameter of each authentication data and the initial device trust value, comprising: determining a data trust value of each authentication data according to the current surprise value and the standard surprise value of the at least one parameter and the initial device trust value; and determining the current device trust value of the device according to the data trust value of the at least one authentication data, comprising: for each parameter, determining a deviation probability of a first frequency of occurrence of the current surprise value relative to a second frequency of occurrence of the standard surprise value by using a normal distribution probability density function over surprise values, wherein the deviation probability is the probability that a surprise value lies in a specific surprise value interval, the specific surprise value interval being the interval of surprise values corresponding to the frequency interval in which a surprise value occurs more often than the first frequency and less often than the second frequency, and the expected value of the normal distribution probability density function is the standard surprise value; determining the parameter trust value of each parameter according to the deviation probability and the initial device trust value, wherein the parameter trust value of each parameter is inversely related to the deviation probability; and weighting the parameter trust value of the at least one parameter to obtain the data trust value of each authentication data;
determining that the permission level corresponding to the device trust value interval in which the current device trust value lies is the permission level of the device; and
configuring the rights of the device according to the permission level.
2. The method for configuring device rights as claimed in claim 1, wherein the parameter trust value of each parameter is positively correlated with the initial device trust value.
3. The method for configuring device rights according to claim 1, wherein there are a plurality of parameters, and weighting the parameter trust value of the at least one parameter includes:
According to the service requirement, determining the parameter weight value of each parameter;
and carrying out weighting operation on the parameter trust values of the multiple parameters according to the parameter weight value of each parameter.
4. The method of configuring device permissions of claim 1, wherein the parameter has a plurality of parameter values, the plurality of parameter values including the current parameter value, determining a current surprise value from the current parameter value comprises:
Determining the frequency of the current parameter value in the plurality of parameter values according to the current parameter value by utilizing the corresponding relation between the parameter value of the parameter and the frequency of the parameter value in the plurality of parameter values;
Determining the current surprise value according to the frequency of occurrence of the current parameter value in the plurality of parameter values, wherein the current surprise value is inversely related to the frequency of occurrence of the current parameter value in the plurality of parameter values.
5. The method of configuring device permissions of claim 1, wherein determining a current device trust value for the device from the data trust value for the at least one authentication data comprises:
and carrying out weighting operation on the data trust value of the at least one authentication data to obtain the current equipment trust value of the equipment.
6. The method for configuring device rights of claim 5, wherein there are a plurality of authentication data, and weighting the data trust value of the at least one authentication data comprises:
determining a data weight value of each authentication data according to the service requirement;
And weighting the data trust values of the plurality of authentication data according to the data weight value of each authentication data.
7. The method of configuring device rights according to claim 1, wherein obtaining at least one authentication data for the device comprises:
acquiring at least one authentication data for the device according to the service requirement.
8. A configuration apparatus for device rights, comprising:
the first determining module is configured to determine a corresponding initial device trust value, a plurality of device trust value intervals and a permission level corresponding to each device trust value interval according to an authentication result for the device;
An acquisition module configured to acquire at least one authentication data for the device, each authentication data comprising a current parameter value of at least one parameter;
A second determining module configured to determine a current device trust value of the device based on the initial device trust value and the current parameter value of each parameter of each authentication data, comprising: for each parameter of each authentication data, determining a current surprise value from the current parameter value, the current surprise value characterizing a likelihood that the current parameter value belongs to a correct parameter value, the current surprise value being inversely related to the likelihood; determining the current device trust value of the device according to the current surprise value and the standard surprise value of each parameter of each authentication data and the initial device trust value, comprising: determining a data trust value of each authentication data according to the current surprise value and the standard surprise value of the at least one parameter and the initial device trust value; and determining the current device trust value of the device according to the data trust value of the at least one authentication data, comprising: for each parameter, determining a deviation probability of a first frequency of occurrence of the current surprise value relative to a second frequency of occurrence of the standard surprise value by using a normal distribution probability density function over surprise values, wherein the deviation probability is the probability that a surprise value lies in a specific surprise value interval, the specific surprise value interval being the interval of surprise values corresponding to the frequency interval in which a surprise value occurs more often than the first frequency and less often than the second frequency, and the expected value of the normal distribution probability density function is the standard surprise value; determining the parameter trust value of each parameter according to the deviation probability and the initial device trust value, wherein the parameter trust value of each parameter is inversely related to the deviation probability; and weighting the parameter trust value of the at least one parameter to obtain the data trust value of each authentication data;
A third determining module configured to determine that a permission level corresponding to a device trust value interval in which the current device trust value is located is a permission level of the device;
and a configuration module configured to configure the rights of the device according to the permission level.
9. A configuration apparatus for device rights, comprising:
A memory; and
A processor coupled to the memory, the processor configured to perform the configuration method for device permissions of any of claims 1 to 7 based on instructions stored in the memory.
10. A computer-readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement a configuration method for device rights according to any of claims 1 to 7.
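The following Python program is an added worked example of the trust-evaluation pipeline as set out in the description above (steps S130 to S150: the 0.4/0.2/0.1/0.3 weighting of the four kinds of authentication data, the device trust value intervals and the office-building rights) and in claims 1, 3, 4 and 6 (surprise values from value frequencies, the deviation probability under a normal distribution whose expected value is the standard surprise value, and the two weighting stages). It is not the patent's own code. Everything the patent leaves open is an assumption here and is marked as such in comments: the surprise value is taken as -log2(frequency); the standard parameter value is taken as the most frequent historical value; the standard deviation sigma of the normal distribution is a per-parameter tolerance; the parameter trust value is the initial device trust value scaled by the two-sided tail mass 1 - 2p; a never-seen value is given frequency 1/(N+1); and the intervals are read as (low, high]. The parameter histories, current values, initial trust value of 100 and the parameter names are constructed sample data.

```python
from __future__ import annotations
import math
from dataclasses import dataclass

@dataclass
class Parameter:
    name: str
    history: dict[str, int]  # value -> observation count (the frequency table of claim 4)
    weight: float            # parameter weight within its authentication data (claim 3)
    sigma: float             # ASSUMPTION: std. dev. of the normal distribution, in bits

@dataclass
class AuthData:
    name: str
    weight: float            # data weight value W_m (claim 6)
    parameters: list[Parameter]

# Step S110 outputs. ASSUMPTION: intervals are (low, high]. Rights per level follow the
# page's office-building monitoring example.
TRUST_INTERVALS = [(0.0, 60.0, "low"), (60.0, 80.0, "medium"), (80.0, 100.0, "high")]
RIGHTS_BY_LEVEL = {"high": {"live", "save_local", "save_cloud", "read_local", "read_cloud"},
                   "medium": {"live", "save_local"}, "low": set()}

def surprise(count: int, total: int) -> float:
    """Claim 4. ASSUMPTION: -log2(frequency); a never-seen value gets frequency 1/(total+1)."""
    freq = count / total if count > 0 else 1.0 / (total + 1)
    return -math.log2(freq)

def deviation_probability(current_s: float, standard_s: float, sigma: float) -> float:
    """Mass of N(standard_s, sigma^2) between the standard and current surprise values
    (claim 1: the expected value is the standard surprise value); 0 = no deviation, max 0.5."""
    def cdf(x: float) -> float:
        return 0.5 * (1.0 + math.erf((x - standard_s) / (sigma * math.sqrt(2.0))))
    return abs(cdf(current_s) - cdf(standard_s))

def parameter_trust(param: Parameter, current_value: str, initial_trust: float) -> float:
    """Falls with the deviation probability, rises with the initial trust (claims 1, 2).
    ASSUMPTIONS: standard value = most frequent historical value; trust = initial * (1 - 2p)."""
    total = sum(param.history.values())
    standard_value = max(param.history, key=param.history.get)
    s_std = surprise(param.history[standard_value], total)
    s_cur = surprise(param.history.get(current_value, 0), total)
    p = deviation_probability(s_cur, s_std, param.sigma)
    return initial_trust * max(0.0, 1.0 - 2.0 * p)

def _check_weights(weights: list[float]) -> None:
    if abs(sum(weights) - 1.0) > 1e-9:  # the page requires each stage's weights to sum to 1
        raise ValueError(f"weights must sum to 1, got {sum(weights)}")

def data_trust(data: AuthData, current: dict[str, str], initial_trust: float) -> float:
    """Weighted parameter trust values of one piece of authentication data (claim 3)."""
    _check_weights([p.weight for p in data.parameters])
    return sum(p.weight * parameter_trust(p, current[p.name], initial_trust)
               for p in data.parameters)

def device_trust(auth_data: list[AuthData], current: dict[str, str], initial_trust: float) -> float:
    """Current device trust value A = sum over m of W_m * A_m (claim 6)."""
    _check_weights([d.weight for d in auth_data])
    return sum(d.weight * data_trust(d, current, initial_trust) for d in auth_data)

def permission_level(trust: float) -> str:
    """Step S140: the level of the interval in which the trust value lies."""
    for lo, hi, level in TRUST_INTERVALS:
        if lo < trust <= hi or (trust == 0.0 and lo == 0.0):
            return level
    raise ValueError(f"trust value {trust} lies outside every interval")

def configure_rights(auth_data: list[AuthData], current: dict[str, str],
                     initial_trust: float = 100.0) -> tuple[float, str, set[str]]:
    """Steps S130 to S150 end to end: returns (trust value, permission level, rights)."""
    trust = device_trust(auth_data, current, initial_trust)
    level = permission_level(trust)
    return trust, level, RIGHTS_BY_LEVEL[level]

# CONSTRUCTED sample: the page's 0.4/0.2/0.1/0.3 weighting of the four kinds of authentication
# data; sigma is tight for hardware and loose for user operations, per the page's reasoning.
AUTH_DATA = [
    AuthData("hardware", 0.4, [Parameter("cpu_serial", {"SN-A1": 200}, 0.6, 0.5),
                               Parameter("mac", {"aa:bb:cc:00:11:22": 200}, 0.4, 0.5)]),
    AuthData("system", 0.2, [Parameter("os_version", {"5.4.0-88": 150, "5.4.0-91": 40,
                                                      "5.4.0-77": 10}, 0.6, 2.0),
                             Parameter("mem_gb", {"16": 190, "32": 10}, 0.4, 2.0)]),
    AuthData("user", 0.1, [Parameter("wifi_ssid", {"office-5g": 80, "office-2g": 15,
                                                   "cafe": 5}, 0.5, 3.0),
                           Parameter("timezone", {"Asia/Shanghai": 100}, 0.5, 3.0)]),
    AuthData("process_port", 0.3, [Parameter("listen_ports", {"22,443": 180,
                                                              "22,443,8080": 20}, 1.0, 1.0)]),
]
BASELINE = {"cpu_serial": "SN-A1", "mac": "aa:bb:cc:00:11:22", "os_version": "5.4.0-88",
            "mem_gb": "16", "wifi_ssid": "office-5g", "timezone": "Asia/Shanghai",
            "listen_ports": "22,443"}
NORMAL = dict(BASELINE, os_version="5.4.0-91", wifi_ssid="office-2g")  # ordinary drift
HIJACKED = dict(BASELINE, cpu_serial="SN-ZZ9")                          # unseen hardware id
HIJACKED_WITH_PORT = dict(HIJACKED, listen_ports="22,443,4444")          # plus unseen ports

if __name__ == "__main__":
    for label, cur in [("normal", NORMAL), ("hijacked", HIJACKED), ("hijacked+port", HIJACKED_WITH_PORT)]:
        trust, level, rights = configure_rights(AUTH_DATA, cur)
        print(f"{label:14s} trust={trust:6.2f} level={level:6s} rights={sorted(rights)}")
```

Running the file prints one line per scenario. The constructed cases show what the weighting buys: ordinary drift in a system parameter and a user-operation parameter, which carry low weights and a loose sigma, leaves the device at the high level with all service rights; a single hardware identifier that was never observed before, which the text treats as invariant, already drops it to the medium level (trust value 76); and an unseen set of listening ports on top of that drops it to the low level, closing every service right. The weight check is worth keeping in any real deployment, since a weight table that does not sum to 1 silently rescales every trust value and with it the interval boundaries.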
CN202010757319.4A 2020-07-31 2020-07-31 Configuration method and device for equipment permission Active CN114095189B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010757319.4A CN114095189B (en) 2020-07-31 2020-07-31 Configuration method and device for equipment permission

Publications (2)

Publication Number Publication Date
CN114095189A CN114095189A (en) 2022-02-25
CN114095189B true CN114095189B (en) 2024-09-03

Family

ID=80295077

Country Status (1)

Country Link
CN (1) CN114095189B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105791286A (en) * 2016-03-01 2016-07-20 上海海事大学 Abnormity detection and processing method of cloud virtual environment
CN110851819A (en) * 2019-11-20 2020-02-28 杭州安恒信息技术股份有限公司 Multi-application access authority control method and device and electronic equipment
CN111131176A (en) * 2019-12-04 2020-05-08 北京北信源软件股份有限公司 Resource access control method, device, equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005085154A (en) * 2003-09-10 2005-03-31 Ricoh Co Ltd Network system and terminal device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant