CN114430350A - Network security communication system based on block chain intelligent contract - Google Patents
- Publication number
- CN114430350A (application CN202210338074.0A)
- Authority
- CN
- China
- Prior art keywords
- module
- sentinel
- network
- voting
- administrator
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/044—Recurrent networks, e.g. Hopfield networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/46—Secure multiparty computation, e.g. millionaire problem
- H04L2209/463—Electronic voting
Abstract
The invention discloses a network security communication system based on a blockchain smart contract, belonging to the technical field of digital information transmission. The system comprises a network isolation module, a custom configuration module, an authorized access module, a smart contract module, a certificate management module, an automated deployment module and a sentinel verification module. The network isolation module isolates the network with an eBPF network firewall using micro-segmentation; through the custom configuration module a system administrator configures custom resources and authorization rules on the platform and initiates a vote; through the authorized access module administrators vote on and manage management events via custody and security contracts on the blockchain; the smart contract module queries the contract to obtain the corresponding state changes; the certificate management module generates CA certificates; the automated deployment module injects the CA certificate information and automatically deploys the client and server sentinels of the service teams; and the sentinel verification module controls access to the designated interface.
Description
Technical Field
The invention relates to the technical field of digital information transmission, and in particular to a network security communication system based on a blockchain smart contract.
Background
Traditional security models have evolved around the perimeter model: a perimeter-based network security architecture places heavy protection at the boundary of the enterprise network through perimeter products such as firewalls, WAFs and IPSs. The perimeter model focuses on defending the boundary and keeping attackers as far outside as possible, while the inside has no protective measures. Under current service architectures the perimeter-based network access security model is gradually failing, and access rights cannot be controlled flexibly.
With the growth of services and traffic, resisting external and internal risks, increasing availability, and balancing security against availability have become pressing problems: how to further subdivide the network within a region and control north-south and east-west traffic; how to break the perimeter model of the network with a zero-trust network and flexibly combine network functions with upper-layer applications; and how to map fine-grained identities of users, devices, services, applications and data onto security controls such as network sessions.
Disclosure of Invention
The present invention is directed to a network security communication system based on a blockchain smart contract, so as to solve the problems described in the background art.
In order to solve the above technical problems, the invention provides the following technical solution:
the network security communication system based on a blockchain smart contract comprises a network isolation module, a custom configuration module, an authorized access module, a smart contract module, a certificate management module, an automated deployment module and a sentinel verification module;
the network isolation module isolates the network through an eBPF network firewall using micro-segmentation; the custom configuration module is used by a system administrator to configure custom resources and authorization rules on the platform and to initiate a vote; the authorized access module is used by administrators to vote on and manage management events through custody and security contracts on the blockchain, and to authorize internal and external programs to access sensitive information; the smart contract module is used by the management platform to query contracts and obtain the corresponding state changes; the certificate management module is used by the management platform to generate CA certificates; the automated deployment module injects the CA certificate information and automatically deploys the client and server sentinels of the service teams; and the sentinel verification module allows external services or personnel to access the designated interface through the client sentinel.
According to the above technical solution, the network isolation module includes:
an administrator configures security rules and service security groups on the control plane, which persists them in MySQL, generates the micro-segment rule definition by binding the security rules to the service security groups, and controls the traffic of services;
the service identification number unique_id is assembled into Cilium's data format, and the micro-segment rule definition is applied inside k8s through the interface provided by k8s;
the Cilium agent senses the micro-segment rule and applies it to the eBPF network firewall rules, thereby realizing secure isolation of eBPF micro-segments. This realizes a zero-trust security model, narrows the attack surface, prevents attackers and abnormal data from moving east-west, and ensures internal security.
According to the above technical solution, the custom configuration module includes:
a system administrator configures resource definitions and authorization rules through the control plane;
the control plane sends the authorization rules to the chain through the blockchain interface.
According to the above technical solution, the authorized access module includes:
after receiving the authorization rule information from the control plane, the blockchain contract initiates a voting event;
administrators vote on and manage the management events through the custody and security contracts on the chain;
when the vote passes, the control plane of each availability zone is notified through the callback address configured in the contract, and the corresponding vote ID is returned.
According to the above technical solution, the authorized access module further comprises a voting verification sub-module;
the voting verification sub-module verifies the compliance of an administrator when voting on management events;
the verification comprises the following steps:
obtaining the token feedback times from historical administrator votes and recording them as a set, whose elements respectively represent the token feedback time in each administrator vote;
the feedback time is predicted and controlled because, if an abnormal intrusion occurs during an administrator's vote or the administrator is replaced, the voting result is greatly affected and information is leaked; once an abnormal program appears, the feedback time is affected;
the set is divided into a training sample set and a test sample set in a 9:1 ratio, and both are normalized to obtain a normalized training sample set V and a normalized test sample set T;
an LSTM network is constructed from the normalized training sample set V, with forget, input and output gates:
the output of the forget gate determines what fraction of the cell state at the previous time step is preserved in the cell state at the current time step; it is obtained by applying a sigmoid function to the forget gate's weight matrix multiplied by the concatenation of the previous hidden state and the current input into one longer vector, plus the forget gate's bias term;
the output of the input gate determines what fraction of the current input is retained in the cell state;
the output of the output gate controls how much of the current cell state becomes the current output value of the LSTM;
the test sample set T is then input into the trained LSTM network to obtain the predicted token feedback time for each administrator vote, and a deviation value is calculated from the actual value according to the formula:
wherein the terms are the deviation value, the output value of the LSTM network and the actual value respectively;
the mean of all deviation values is taken as the prediction deviation value;
the predicted token feedback time for the current administrator vote is obtained from the LSTM network, and the final output predicted value is formed from this prediction and the prediction deviation value;
The verification further comprises:
obtaining the confirmation click pattern, where the confirmation click pattern is the click position during the administrator's vote;
obtaining a scatter diagram of click positions from historical data and constructing a click area P from it;
if a click position is not within the click area, marking it and obtaining the minimum distance between the click position and the click area;
obtaining the administrator's IP address;
querying the administrator's IP address in the current administrator vote and feeding it back to the system.
According to the above technical solution, the verification further comprises:
constructing a verification probability value from the following terms: a set threshold on the token feedback time in the administrator vote; the mean of the minimum distances to the click area over all marked click positions that fall outside it; the number of times the click position falls outside the click area; and a constant that takes one set value when the administrator's IP address in the current vote is not the set address and another set value otherwise; these terms are combined with respective weight values;
constructing a verification probability threshold; if the verification probability value exceeds the threshold, a warning is issued and the vote is temporarily halted, and work resumes only after the vote initiator confirms.
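The compliance check described above, as an added example that is not the patent's own code. The LSTM prediction is taken as an input (the predicted feedback time); the click area P is built here as the bounding box of the historical clicks; the three terms are scaled to the range 0 to 1 and combined with weights w1, w2, w3. The weights, the feedback-time tolerance, the distance scale, the IP constant and the probability threshold are all assumed values, since the patent states none, and the historical click positions are constructed sample data.

```python
"""Administrator vote compliance check (voting verification sub-module).

Added example, not code from the patent. Scores one administrator vote from
the three signals the patent lists: token feedback time against a set
threshold, confirmation-click position against a click area built from
historical clicks, and the administrator's IP address. All constants below
are assumptions.
"""
import math
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

Point = Tuple[float, float]

# Constructed sample: click positions recorded in past administrator votes.
HISTORY_CLICKS: List[Point] = [(118, 402), (121, 398), (125, 405), (119, 410), (123, 400)]

WEIGHTS = (0.4, 0.4, 0.2)   # w1 feedback time, w2 click pattern, w3 IP address (assumed)
TIME_THRESHOLD = 2.0        # seconds of deviation from the predicted feedback time tolerated (assumed)
DIST_SCALE = 50.0           # distance mass at which the click term saturates (assumed)
IP_CONSTANT = 1.0           # value of the IP term when the address is not the set address (assumed)
P_THRESHOLD = 0.5           # verification probability threshold (assumed)


@dataclass(frozen=True)
class ClickArea:
    """Axis-aligned click area P derived from the historical scatter of clicks."""
    x_min: float
    x_max: float
    y_min: float
    y_max: float

    @classmethod
    def from_history(cls, points: Iterable[Point]) -> "ClickArea":
        pts = list(points)
        xs = [p[0] for p in pts]
        ys = [p[1] for p in pts]
        return cls(min(xs), max(xs), min(ys), max(ys))

    def contains(self, p: Point) -> bool:
        return self.x_min <= p[0] <= self.x_max and self.y_min <= p[1] <= self.y_max

    def min_distance(self, p: Point) -> float:
        """Euclidean distance from p to the nearest point of the area (0 when inside)."""
        dx = max(self.x_min - p[0], 0.0, p[0] - self.x_max)
        dy = max(self.y_min - p[1], 0.0, p[1] - self.y_max)
        return math.hypot(dx, dy)


def click_deviation(area: ClickArea, clicks: Iterable[Point]) -> Tuple[float, int]:
    """Mark clicks outside the area; return (mean minimum distance of marked clicks, count)."""
    marked = [area.min_distance(c) for c in clicks if not area.contains(c)]
    if not marked:
        return 0.0, 0
    return sum(marked) / len(marked), len(marked)


def verify_vote(predicted_time: float, actual_time: float, clicks: Iterable[Point],
                ip: str, allowed_ips: Iterable[str], area: ClickArea) -> Dict[str, object]:
    """Compute the verification probability for one vote and decide whether to halt it."""
    # Feedback-time term: deviation from the prediction beyond the threshold, scaled to [0, 1].
    excess = max(0.0, abs(actual_time - predicted_time) - TIME_THRESHOLD)
    t_term = min(excess / TIME_THRESHOLD, 1.0)
    # Click term: mean minimum distance times the number of out-of-area clicks, scaled to [0, 1].
    mean_dist, n_marked = click_deviation(area, clicks)
    c_term = min(mean_dist * n_marked / DIST_SCALE, 1.0)
    # IP term: the constant when the vote comes from an address outside the set addresses.
    i_term = IP_CONSTANT if ip not in set(allowed_ips) else 0.0
    w1, w2, w3 = WEIGHTS
    p = w1 * t_term + w2 * c_term + w3 * i_term
    return {"score": round(p, 3), "alert": p > P_THRESHOLD, "marked_clicks": n_marked}


if __name__ == "__main__":
    area = ClickArea.from_history(HISTORY_CLICKS)
    allowed = ["10.0.0.5"]
    # A vote that looks like the history: no alert.
    print(verify_vote(6.0, 6.5, [(120, 401), (122, 404)], "10.0.0.5", allowed, area))
    # Too-fast confirmation, clicks far from P, unknown address: alert, vote halted.
    print(verify_vote(6.0, 0.4, [(300, 120), (310, 125)], "203.0.113.9", allowed, area))
```

An alert only pauses the vote; the design keeps the human step the patent requires, since the vote initiator has to confirm before work resumes.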
According to the above technical solution, the smart contract module includes:
the management platform calls the voting interface provided by the blockchain to query the authorization rule data on the chain by vote ID;
the control plane determines whether to deploy a server or a client by combining its own availability zone with the availability zones in the authorization rule.
According to the above technical solution, the certificate management module includes:
the control plane encapsulates the data of each end, generates a private key through the SDK provided by the CA center, and automatically generates a CSR according to the SPIFFE ID;
the CA center then requests the server sentinel certificate and the client sentinel CA certificate from the CA server according to the CSR, the connection information of the client and server sentinels, and the SNI identifier.
According to the above technical solution, the automated deployment module includes:
image builds for the server sentinel and the client sentinel are triggered through the DevOps CI function, and the certificate information is injected into the environment variables of the corresponding image; the control plane periodically polls the CI service for the image build status;
the control plane assembles the corresponding data structure through the deployment interface provided by the worker service and submits the image to k8s for deployment.
According to the above technical solution, the sentinel verification module includes:
when an external service or person accesses, the client sentinel first performs a TLS handshake with the server sentinel's public network service;
the client sentinel sends a WS request to the server sentinel, which contains its own certificate and other access-rights information;
the server sentinel verifies the client sentinel's certificate and the access policy, and once verification passes it responds synchronously to the client sentinel with its own certificate;
after the client sentinel verifies the server sentinel's certificate, the server sentinel accesses the target service according to the target service information provided by the client sentinel.
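The check the server sentinel performs on the client sentinel's WS request, as an added example that is not the patent's or the platform's own code. It verifies the client certificate's SPIFFE identity (cluster domain ID plus service identification ID), looks up the authorization rule obtained from the chain by vote ID, and checks the resource, the availability zones on both sides, the validity period and the requested target before the server sentinel proxies to the target service. TLS chain verification is stood in for by an issuer and expiry check on an already-parsed certificate record; the CA name, the trust domain, the rule fields and the sample request are assumptions.

```python
"""Server sentinel access check on a client sentinel's WS request.

Added example, not the patent's own code. Models the verification the
server sentinel performs after the TLS handshake. TLS chain verification
is stood in for by an issuer/expiry check; all field names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple
from urllib.parse import urlparse

TRUSTED_CA = "cluster-ca"        # assumed name of the cluster CA mounted on each sidecar
TRUST_DOMAIN = "cluster.local"   # assumed cluster domain ID carried in the SPIFFE ID


@dataclass(frozen=True)
class SentinelCert:
    spiffe_id: str          # URI SAN, e.g. spiffe://cluster.local/msp-control-plane
    issuer: str
    not_after: datetime


@dataclass(frozen=True)
class AuthorizationRule:
    """Rule as queried from the chain by vote ID (assumed fields)."""
    vote_id: str
    resource_uuid: str
    target: str             # host:port of the protected resource
    server_zone: str
    client_zone: str
    client_service_id: str  # service identification ID allowed to connect
    valid_until: datetime


@dataclass(frozen=True)
class WsRequest:
    """What the client sentinel sends: its certificate plus access-rights information."""
    cert: SentinelCert
    vote_id: str
    resource_uuid: str
    target: str
    client_zone: str


def parse_spiffe_id(uri: str) -> Tuple[str, str]:
    """Split spiffe://<cluster domain ID>/<service identification ID>."""
    u = urlparse(uri)
    service_id = u.path.strip("/")
    if u.scheme != "spiffe" or not u.netloc or not service_id:
        raise ValueError("invalid SPIFFE ID")
    return u.netloc, service_id


def verify_request(req: WsRequest, rules_by_vote: Dict[str, AuthorizationRule],
                   server_zone: str, now: datetime) -> Tuple[bool, str]:
    """Fail-closed policy check; returns (allowed, reason)."""
    if req.cert.issuer != TRUSTED_CA:
        return False, "certificate not issued by the cluster CA"
    if req.cert.not_after <= now:
        return False, "client certificate expired"
    try:
        domain, service_id = parse_spiffe_id(req.cert.spiffe_id)
    except ValueError as exc:
        return False, str(exc)
    if domain != TRUST_DOMAIN:
        return False, "certificate belongs to another cluster"
    rule = rules_by_vote.get(req.vote_id)
    if rule is None:
        return False, "no authorization rule for this vote ID"
    if rule.valid_until <= now:
        return False, "authorization expired"
    if (rule.resource_uuid, rule.target) != (req.resource_uuid, req.target):
        return False, "request does not match the authorized resource"
    if rule.server_zone != server_zone or rule.client_zone != req.client_zone:
        return False, "availability zone mismatch"
    if rule.client_service_id != service_id:
        return False, "certificate identity is not the authorized client"
    return True, "ok"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    cert = SentinelCert("spiffe://cluster.local/msp-control-plane", TRUSTED_CA, now + timedelta(days=90))
    rule = AuthorizationRule("vote-17", "res-uuid-1", "redis.internal:6379", "zone-redis",
                             "zone-msp", "msp-control-plane", now + timedelta(days=30))
    req = WsRequest(cert, "vote-17", "res-uuid-1", "redis.internal:6379", "zone-msp")
    print(verify_request(req, {"vote-17": rule}, "zone-redis", now))
```

The target is taken from the rule, not only from the request: a client sentinel presenting a valid certificate for one resource must not be able to steer the server sentinel at a different host or port.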
Compared with the prior art, the invention has the following beneficial effects:
By isolating the network with eBPF micro-segmentation, the network within a region is further subdivided, north-south and east-west traffic is controlled, and security is strengthened. A zero-trust network breaks the perimeter model of the network; network functions and upper-layer applications are combined flexibly, and fine-grained identities of users, devices, services, applications and data are mapped onto network sessions, so that the underlying equipment can be applied flexibly to richer protection policies. The zero-trust security system protects internal information: traffic to the key parts of the system is proxied by sentinels, and the corresponding data can only be accessed once authorization has been obtained. The sentinels' traffic management behaviour is regulated by the platform, and the platform's management behaviour is driven by the data of the custody and security contracts on the blockchain. The data of the blockchain contract is managed by the relevant administrators through voting, the voting process is verified throughout, and overall security is very high.
At the same time, contracts are written to the blockchain in digital form; because of the blockchain's properties, data cannot be deleted or modified, only appended, so the whole process is transparent and traceable and the history can be audited. Since behaviour is recorded permanently, interference by malicious behaviour with the normal execution of the contract is avoided to the greatest extent; decentralization avoids the influence of centralized factors and improves the cost efficiency of smart contracts; when the contract conditions are met the smart contract code starts automatically, avoiding manual steps and guaranteeing that the issuer cannot default; and the blockchain's own consensus algorithm provides a state machine on which the smart contract runs efficiently.
The zero-trust network breaks with the old perimeter-defence thinking that focuses on defending the boundary. It provides strong protection for applications and data whether they are in the cloud or on premises; reduces the service exposure surface; adjusts access rights dynamically so that access behaviour is controllable; checks endpoint security periodically; and reduces risk by closing security gaps and controlling lateral movement on the network.
Data center service units are grouped by a given rule and policies are deployed between the groups to control traffic, giving finer and more flexible security isolation: micro-segments can be grouped by discrete IP, MAC, VM name and other definitions, dividing the corresponding security domains more finely and flexibly. At the same time, micro-segmentation realizes a zero-trust security model by segmenting service resources and strictly controlling inter-service access relationships under the principle of least privilege, which narrows the attack surface, prevents attackers and abnormal data from moving east-west, and ensures internal security.
Micro-segmentation provides a distributed security control scheme: security filtering is performed close to the service traffic, at the access switch, so east-west traffic need not be forwarded to a central firewall for isolation; this reduces network bandwidth consumption and prevents a centralized control point from becoming a traffic bottleneck.
The key data sources of the base cluster are protected by the security sentinel proxies; traffic between sentinels is encrypted and carries general-purpose traffic, while client sentinel permissions are controlled uniformly by a master (trusted) site.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
FIG. 1 is a flow diagram of the network security communication system based on a blockchain smart contract according to the present invention;
FIG. 2 is a schematic flow diagram of the network isolation module in an embodiment of the network security communication system based on a blockchain smart contract according to the present invention;
FIG. 3 is a flow diagram of the authorized access module in an embodiment of the network security communication system based on a blockchain smart contract according to the present invention;
FIG. 4 is a schematic diagram of the identity identifier in an embodiment of the network security communication system based on a blockchain smart contract according to the present invention;
FIG. 5 is a flow diagram of the certificate management module in an embodiment of the network security communication system based on a blockchain smart contract according to the present invention;
FIG. 6 is a flow diagram of the automated deployment module in an embodiment of the network security communication system based on a blockchain smart contract according to the present invention;
FIG. 7 is a schematic flow diagram of the sentinel verification module in an embodiment of the network security communication system based on a blockchain smart contract according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person skilled in the art from the embodiments given herein without creative effort fall within the protection scope of the present invention.
Referring to fig. 1 to 7, in the present embodiment:
the case of taking Redis access information as the secure communication of the zero trust network is proposed:
since data is transmitted through the network, the data can be intercepted in the transmission process or enter the database through an extraordinary means, so that the security of the database is very important. Redis is a data caching storage facility for services, the security of which determines the security of the entire service. By using the platform and the method, the safety of the Redis service is effectively controlled.
After the administrator controls the configuration of the security group and the service security group, the ebpf network firewall is used for carrying out service network isolation by using a differential section technology. And then, the administrator configures the self-defined resources and the authorization rules in the sentinel module and invokes the block chaining contract to initiate a voting mechanism. And calling back a platform interface after the block chain intelligent contract is authorized, and generating a sentry and a certificate which take Redis service as a service end by the platform according to rules. The MSP control surface serves as a client side, and finally accesses the Redis server side in a mode that a sentinel of the client side carries a certificate. The method achieves safe communication of Redis service through layer-by-layer encryption and rule verification. The detailed process of the implementation case is described in detail as follows:
the control plane abstracts out security groups and binding functions between security groups and services. Firstly, a user creates a security group suitable for self service on a platform side through a control plane, wherein the security group comprises a series of in-out network policies, including an IP section and a DNS-based access policy, and relevant fields are shown in the following tables 1 and 2:
when the user adds some listed networking strategies of a certain security group through the control surface, the control surface can persistently store the data of the security group in Mysql and wait for being applied to a certain service;
the user adds the unique identification number of the self service in the service security group configuration module, and selects the security group to be applied, and the relevant fields are shown in table 3:
after receiving data submitted by a user, the control plane firstly checks the validity of the data, including whether a security group exists or not, whether an access policy exists or not under the security group, and the like. The control plane queries all access policies under the security group according to the submitted security group ID, combines the identification number unique _ ID of the service to assemble a data format of cilium, and applies the data format to the k8s through an interface provided by k8 s;
the Cilium-Agent of the k8s node will sense the rule and apply the rule to the ebpf firewall rule. Network isolation of services is controlled by the system kernel and the Network, as shown in fig. 2.
The user first adds a resource on the platform side, filling in the resource name, selecting the resource type, and giving the target address and port of the resource; the parameter fields are shown in table 4:
the Redis service resource data is submitted to the control plane, which returns success after the validity check, indicating that the resource has been created, and persists the resource data in MySQL. At the same time the control plane generates a unique uuid for the resource, which identifies it globally.
After the resource is created, the user needs to create an authorization rule for it: declare the Redis service as the server-side availability zone, declare the MSP service as the client-side availability zone, and set the validity period of the authorization (30 days by default) and the port on which the client sentinel is exposed to the accessing party; the parameter fields are shown in table 5:
when the user has filled in the necessary information, the data is submitted to the control plane, which persists it in Redis after checking its validity. At the same time the control plane sends all data of the authorization rule to the chain through the blockchain interface and waits for the vote. The newVote method is called when a voting request is initiated, creating a new vote for _metadata. The parameter _executesIfDecided determines whether the newly created vote is executed immediately once decided; _executionScript is the script executed, as an EVM transaction, once the vote has been checked and approved; _metadata is the actual voting content; and _native marks whether it executes dynamically.
After the blockchain contract receives the submitted voting request, holders of the organization token have the right to vote; they choose whether to support the proposal, and the token contract is called to obtain their voting weight.
When the vote passes, the control plane of each availability zone is notified through the callback address configured in the contract, and the corresponding vote ID is returned, as shown in fig. 3.
After receiving the callback event for a successful vote, the control plane calls the voting interface provided by the blockchain to query the authorization rule data on the chain by the returned vote ID. Combining its own availability zone with the availability zones in the authorization rule, the control plane determines that the current availability zone is the client and the Redis service is the server.
The control plane encapsulates data of each end, firstly generates a private key through an SDK provided by a CA center, automatically generates a CSR according to SPIFFE IDG, and defines an identity as a standard for mutual identity recognition among a set of services according to SPIFFE. The identity mark mainly comprises the following contents: cluster domain ID and service identification ID, as shown in fig. 4.
At the moment, the CA center requests the CA Server to obtain the certificate of the sentinel at the Server end and the CA certificate of the sentinel at the client end according to the CSR, the extension information of the sentinel at the client end and the sentinel at the Server end and the SNI identification. The server sentinel certificate and the client sentinel certificate generate different identity and extension fields.
The extension information of the server-side sentinel certificate is shown in table 6, and the extension information of the client-side sentinel certificate is shown in table 7:
The trusted CA certificate is mounted on the sidecar of each service within the cluster. From the identity and other information carried in a certificate, the sidecar can verify whether it is a cluster certificate, whether it is valid, and so on, according to the related identification information, as shown in fig. 5.
After the certificates for each end have been generated, the control plane triggers image builds of the server-side sentinel and the client-side sentinel through the CI function of DevOps and injects the certificate information into the environment variables of the corresponding image. While waiting for the image build, the control plane periodically polls the CI service for the build state of the image; when a successful build result is obtained, the image is ready and waits for deployment, as shown in FIG. 6.
When the control plane obtains a server-side or client-side sentinel image that needs to be deployed, it assembles the image into the corresponding data structure through the deployment interface provided by the Worker service and submits it to k8s for deployment. The control plane also polls the deployment result and synchronizes it in real time.
A microservice in the availability zone of the MSP control plane initiates a TCP connection request to the client-side sentinel in that zone; the TCP connection is established after the three-way handshake, and the microservice sends its Redis connection request. The client-side sentinel is disguised as the resource instance: it subsequently forwards the microservice's traffic unmodified to the server-side sentinel, transparently to the microservice.
The client-side sentinel in the availability zone of the MSP control plane establishes a TCP connection with the Redis server-side sentinel according to the server-side sentinel information stored in its own certificate. After the TCP handshake completes, the two sentinels establish a TLS encrypted tunnel, and the client-side sentinel sends a private-protocol message informing the server-side sentinel of the identifier of the resource it needs to connect to.
After the Redis server-side sentinel receives the identifier of the resource the client-side sentinel wants to connect to, it performs resource verification: first, whether the resource exists; second, whether the identity of the client-side sentinel is legitimate. Once the server-side sentinel's verification succeeds, it responds to the client with a private-protocol authentication-success packet. The client-side sentinel then transmits the original resource connection request sent by the microservice to the server-side sentinel through the encrypted tunnel, and the server-side sentinel, disguised as a client, establishes a connection to the internal resource of the availability zone according to the microservice's original request data.
The Redis database responds with the connection information to the server-side sentinel, which forwards the resource response data to the client-side sentinel through the encrypted tunnel; the client-side sentinel forwards the original response data to the microservice. Thereafter the client-side and server-side sentinels forward the encrypted interaction data between the microservice and the resource in both directions, as shown in fig. 7.
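The resource verification step above (resource exists, client-side sentinel identity legitimate, authorization rule still within its validity period) and the cluster-certificate identity check from fig. 5, as an added example that is not the patent's code. The SPIFFE ID layout spiffe://<cluster domain>/<service id>, the JSON shape of the private-protocol message, the rule fields and all sample values are assumptions; in practice the client's SPIFFE ID would be taken from the URI SAN of the certificate presented on the TLS tunnel.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed example, not the patent's code. Cluster domain ID is assumed.
CLUSTER_DOMAIN = "cluster.example"


def parse_spiffe_id(uri):
    """Return (cluster domain ID, service identification) from a SPIFFE ID URI,
    or raise ValueError. Only scheme, host and path are permitted."""
    p = urlparse(uri)
    if p.scheme != "spiffe" or not p.hostname or p.path in ("", "/"):
        raise ValueError(f"not a SPIFFE ID: {uri!r}")
    if p.port or p.username or p.query or p.fragment:
        raise ValueError(f"SPIFFE ID carries forbidden components: {uri!r}")
    return p.hostname, p.path


@dataclass(frozen=True)
class AuthorizationRule:
    resource_id: str       # identifier of the protected resource (e.g. a Redis instance)
    server_zone: str       # availability zone declared as the server end
    client_zone: str       # availability zone declared as the client end
    client_service: str    # service identification of the client-side sentinel allowed in
    issued_at: datetime
    validity: timedelta = timedelta(days=30)   # default validity from the description


class ServerSentinel:
    def __init__(self, zone, rules, cluster_domain=CLUSTER_DOMAIN):
        self.zone = zone
        self.rules = {r.resource_id: r for r in rules}
        self.cluster_domain = cluster_domain

    def verify(self, client_spiffe_id, resource_id, now):
        """The checks the description names, in order: resource exists here,
        then the client-side sentinel identity is legitimate for it. Returns (ok, reason)."""
        rule = self.rules.get(resource_id)
        if rule is None or rule.server_zone != self.zone:
            return False, "resource does not exist"
        try:
            domain, service = parse_spiffe_id(client_spiffe_id)
        except ValueError as err:
            return False, str(err)
        if domain != self.cluster_domain:
            return False, "certificate is not a cluster certificate"
        if service != rule.client_service:
            return False, "client identity not authorized for resource"
        if now >= rule.issued_at + rule.validity:
            return False, "authorization rule expired"
        return True, "ok"

    def handle_connect(self, client_spiffe_id, message, now):
        """Handle one private-protocol message received over the TLS tunnel and
        return the response bytes. JSON framing is an assumption of this example."""
        try:
            resource_id = json.loads(message.decode("utf-8"))["resource_id"]
        except (ValueError, KeyError, TypeError):
            return json.dumps({"status": "error", "reason": "malformed request"}).encode()
        ok, reason = self.verify(client_spiffe_id, str(resource_id), now)
        return json.dumps({"status": "ok" if ok else "denied", "reason": reason}).encode()


# Constructed sample data: one rule letting the MSP order service reach a Redis instance
RULES = [AuthorizationRule("redis-prod-01", "zone-redis", "zone-msp",
                           "/ns/msp/sa/order-svc",
                           datetime(2022, 4, 1, tzinfo=timezone.utc))]
SENTINEL = ServerSentinel("zone-redis", RULES)
CLIENT_ID = "spiffe://cluster.example/ns/msp/sa/order-svc"
SAMPLE_NOW = datetime(2022, 4, 15, tzinfo=timezone.utc)    # inside the 30-day window
SAMPLE_LATER = datetime(2022, 5, 2, tzinfo=timezone.utc)   # after the window has elapsed

if __name__ == "__main__":
    print(SENTINEL.handle_connect(CLIENT_ID, b'{"resource_id": "redis-prod-01"}', SAMPLE_NOW))
    print(SENTINEL.handle_connect(CLIENT_ID, b'{"resource_id": "redis-prod-01"}', SAMPLE_LATER))
```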
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that changes may be made in the embodiments and/or equivalents thereof without departing from the spirit and scope of the invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. The network security communication system based on the block chain intelligent contract is characterized in that: the system comprises a network isolation module, a custom configuration module, an authorized access module, an intelligent contract module, a certificate management module, an automatic deployment module and a sentinel verification module;
the network isolation module is used for carrying out network isolation through an eBPF network firewall using micro-segmentation technology; the custom configuration module is used for a system administrator to configure custom resources and authorization rules on the platform and initiate voting; the authorized access module is used for an administrator to vote on and manage management events through the hosting and security contract on the blockchain, and to authorize internal and external programs to access sensitive information; the intelligent contract module is used for the management platform to query the contract and acquire the corresponding state changes; the certificate management module is used for the management platform to generate CA certificates; the automatic deployment module is used for injecting the CA certificate information and automatically deploying the client-side and server-side sentinels in the service cluster; the sentinel verification module is used for external services or personnel to access the designated interface through the client-side sentinel.
2. A network security communication system based on a blockchain intelligent contract according to claim 1, wherein: the network isolation module comprises:
an administrator configures security rules and service security groups on the control plane, which persists them in MySQL; the binding of security rules and service security groups generates the rule definition of the micro-segment, which controls the traffic of the services;
assembling the service identification number unique_id into the data format of Cilium, and applying the micro-segmentation rule definition inside k8s through the interface provided by k8s;
the Cilium-Agent senses the micro-segmentation rule and applies it to the eBPF network firewall rules, thereby realizing eBPF micro-segmentation isolation.
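How the binding of a security rule and two service security groups can be assembled into the Cilium data format claimed above, as an added example that is not the patent's code. The rule and group shapes, the use of a `unique_id` pod label, and the sample services are assumptions; the patent only states that the unique_id is assembled into Cilium's format and applied through the k8s interface.

```python
from dataclasses import dataclass

# Constructed example, not the patent's code: one security rule bound to two
# service security groups becomes a CiliumNetworkPolicy for the micro-segment.


@dataclass(frozen=True)
class ServiceSecurityGroup:
    name: str
    unique_ids: tuple   # service identification numbers (unique_id) of the members


@dataclass(frozen=True)
class SecurityRule:
    name: str
    source_group: str   # group allowed to initiate connections
    target_group: str   # group whose services are being protected
    ports: tuple        # ((port, "TCP" or "UDP"), ...)


def _selector(unique_ids):
    # Label selector matching any endpoint whose unique_id label is in the group
    # (assumes the pods carry a "unique_id" label).
    return {"matchExpressions": [
        {"key": "unique_id", "operator": "In", "values": sorted(unique_ids)}]}


def build_micro_segment_policy(rule, groups, namespace="default"):
    """Return the CiliumNetworkPolicy object (a dict ready for the k8s API)
    for one security-rule / security-group binding.

    Selecting the target group puts its endpoints into ingress default-deny,
    so listing only the source group under ingress is what isolates the
    protected services from every other endpoint in the cluster."""
    try:
        src, dst = groups[rule.source_group], groups[rule.target_group]
    except KeyError as missing:
        raise ValueError(f"rule {rule.name!r} references unknown group {missing}")
    if not src.unique_ids or not dst.unique_ids:
        raise ValueError("security groups must not be empty")
    ports = []
    for port, proto in rule.ports:
        if not (1 <= int(port) <= 65535) or proto not in ("TCP", "UDP"):
            raise ValueError(f"invalid port entry {(port, proto)!r}")
        ports.append({"port": str(port), "protocol": proto})  # Cilium expects port strings
    return {
        "apiVersion": "cilium.io/v2",
        "kind": "CiliumNetworkPolicy",
        "metadata": {"name": rule.name, "namespace": namespace},
        "spec": {
            "endpointSelector": _selector(dst.unique_ids),
            "ingress": [{
                "fromEndpoints": [_selector(src.unique_ids)],
                "toPorts": [{"ports": ports}],
            }],
        },
    }


# Constructed sample data: MSP services may reach the Redis servers on 6379/TCP only
GROUPS = {
    "msp-services": ServiceSecurityGroup("msp-services", ("svc-1002", "svc-1001")),
    "redis-servers": ServiceSecurityGroup("redis-servers", ("svc-2001",)),
}
REDIS_RULE = SecurityRule("allow-msp-to-redis", "msp-services", "redis-servers",
                          ((6379, "TCP"),))

if __name__ == "__main__":
    import json
    print(json.dumps(build_micro_segment_policy(REDIS_RULE, GROUPS), indent=2))
```

The returned object is what the control plane would submit through the k8s API; the Cilium agent then compiles it into the eBPF firewall rules as claimed.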
3. A network security communication system based on a blockchain intelligent contract according to claim 1, wherein: the custom configuration module comprises:
a system administrator configures resource definitions and authorization rules through the control plane;
the control plane sends the authorization rules to the chain through the interface of the block chain.
4. A network security communication system based on a blockchain intelligent contract according to claim 1, wherein: the authorized access module includes:
after receiving the authorization rule information of the control plane, the block chain contract initiates a voting event;
the administrator votes on and manages the management affairs through the hosting and security contract on the chain;
when the vote passes, the control plane of each availability zone is notified through the callback address configured in the contract, and the corresponding vote ID is returned.
5. The network security communication system based on the blockchain intelligent contract of claim 4, wherein: the authorized access module further comprises a voting verification sub-module;
the voting verification sub-module is used for verifying the compliance of the administrator in voting for the management events;
the verification comprises:
obtaining the feedback time of the token in the votes of historical administrators and recording it as a set; wherein respectively represent the feedback time of the token in each administrator vote;
dividing the set into a training sample set and a test sample set in a 9:1 ratio, and normalizing both to obtain a normalized training sample set V and a normalized test sample set T;
constructing an LSTM network according to the normalized training sample set V:
wherein represents the output of the forget gate and determines the fraction of the cell state at the previous time that is preserved into the cell state at the current time;
is the weight matrix of the forget gate; denotes concatenating two vectors into one longer vector; is the bias term of the forget gate; denotes the sigmoid function;
represents the output of the input gate and determines the fraction of the current input that is retained in the cell state;
represents the output of the output gate and controls how much of the current cell state goes to the current output value of the LSTM;
according to the formula:
wherein denotes pointwise multiplication;
inputting the test sample set T into the generated LSTM network to obtain the predicted feedback time of the token in the administrator vote, and calculating a deviation value from the actual value:
wherein represents the deviation value; represents the output value of the LSTM network; represents the actual value;
taking the mean of all deviation values as the prediction deviation value, recorded as;
obtaining through the LSTM network the predicted value of the token feedback time in the administrator vote at the current moment, recorded as; the final output prediction value is then;
The verifying further comprises:
acquiring a confirmation click pattern:
the confirmation click pattern is the click position during the administrator's vote;
acquiring a scatter diagram of click positions from historical data and constructing a click area P;
if the click pattern is not in the click area, it is marked and the minimum distance between the click pattern and the click area is obtained;
acquiring the IP address of the administrator;
querying the IP address of the administrator in the administrator vote at the current moment and feeding it back to the system.
6. The network security communication system based on the blockchain intelligent contract of claim 5, wherein: the verifying further comprises:
constructing a verification probability value:
wherein represents the verification probability value; represents the set threshold for the token feedback time in the administrator vote; represents the mean of the minimum distances between all marked click patterns and the click area when the click pattern is not in the click area; represents the number of times the click pattern is not in the click area; represents a constant value, taken as when the administrator IP address in the current administrator vote is not the set address, and otherwise; are all set values; , , respectively represent weight values;
7. A network security communication system based on a blockchain intelligent contract according to claim 1, wherein: the intelligent contract module comprises:
the management platform calls a voting interface provided by the block chain to inquire the authorization rule data on the chain through the voting ID;
the control plane determines whether to deploy a server end or a client end by combining the availability zone it is located in with the availability zone of the authorization rule.
8. A network security communication system based on a blockchain intelligent contract according to claim 1, wherein: the certificate management module comprises:
the control plane encapsulates the data for each end, generates a private key through the SDK provided by the CA center, and automatically generates a CSR according to the SPIFFE ID;
the CA center then requests the server-side sentinel certificate and the client-side sentinel CA certificate from the CA Server according to the CSR, the connection information of the client-side and server-side sentinels, and the SNI identifier.
9. A network security communication system based on a blockchain intelligent contract according to claim 1, wherein: the automated deployment module comprises:
triggering image builds of the server-side sentinel and the client-side sentinel through the CI function of DevOps and injecting the certificate information into the environment variables of the corresponding image, wherein the control plane periodically polls the CI service for the build state of the image;
the control plane assembles the image into the corresponding data structure through the deployment interface provided by the Worker service and submits it to k8s for deployment.
10. A network security communication system based on a blockchain intelligent contract according to claim 1, wherein: the sentinel verification module includes:
when an external service or person accesses, the client-side sentinel first performs a TLS handshake with the public-network service of the server-side sentinel;
the client-side sentinel sends a WS request to the server-side sentinel;
the server-side sentinel verifies the client-side sentinel certificate and the access policy, and after verification passes, responds synchronously to the client-side sentinel with its own certificate;
after the client-side sentinel verifies the server-side sentinel certificate, the server-side sentinel accesses the target service according to the target service information provided by the client-side sentinel.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210338074.0A CN114430350B (en) | 2022-04-01 | 2022-04-01 | Network security communication system based on block chain intelligent contract |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114430350A true CN114430350A (en) | 2022-05-03 |
CN114430350B CN114430350B (en) | 2022-06-24 |
Family
ID=81314478
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111950036A (en) * | 2020-08-21 | 2020-11-17 | 交通银行股份有限公司 | Inter-block chain interaction system and method based on trusted distributed application |
CN114900372A (en) * | 2022-07-07 | 2022-08-12 | 南京智人云信息技术有限公司 | Resource protection system based on zero trust security sentinel system |
CN116319082A (en) * | 2023-05-17 | 2023-06-23 | 富算科技(上海)有限公司 | Processing method, system, equipment and medium of configuration data based on block chain |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20190394242A1 (en) * | 2012-09-28 | 2019-12-26 | Rex Wig | System and method of a requirement, active compliance and resource management for cyber security application |
CN112087413A (en) * | 2019-06-14 | 2020-12-15 | 张长河 | Network attack intelligent dynamic protection and trapping system and method based on active detection |
CN112671580A (en) * | 2020-12-23 | 2021-04-16 | 厦门大学 | QAR data management method based on block chain technology |
CN112671808A (en) * | 2021-03-16 | 2021-04-16 | 北京顺谋科技有限公司 | Internet data transmission anti-tampering sentinel system and internet data transmission system |
CN113094730A (en) * | 2021-04-16 | 2021-07-09 | 杭州卓健信息科技有限公司 | Medical data safety management platform based on internet |
US20210352139A1 (en) * | 2017-09-13 | 2021-11-11 | Vijay Madisetti | Service meshes and smart contracts for zero-trust systems |
CN114024704A (en) * | 2020-10-28 | 2022-02-08 | 北京八分量信息科技有限公司 | Certificate distribution method in zero trust architecture |
- 2022-04-01 CN CN202210338074.0A patent/CN114430350B/en active Active
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |