CN114430350A - Network security communication system based on block chain intelligent contract - Google Patents

Network security communication system based on block chain intelligent contract

Info

Publication number
CN114430350A
Authority
CN
China
Prior art keywords
module
sentinel
network
voting
administrator
Prior art date
Legal status
Granted
Application number
CN202210338074.0A
Other languages
Chinese (zh)
Other versions
CN114430350B (en)
Inventor
李彪
陶圣
罗浩
徐元昌
Current Assignee
Nanjing Zhirenyun Information Technology Co ltd
Original Assignee
Nanjing Zhirenyun Information Technology Co ltd
Events
Application filed by Nanjing Zhirenyun Information Technology Co ltd
Priority to CN202210338074.0A
Publication of CN114430350A
Application granted
Publication of CN114430350B
Legal status: Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 for separating internal from external traffic, e.g. firewalls
                • H04L63/0227 Filtering policies > H04L63/0263 Rule management
            • H04L63/08 for authentication of entities
                • H04L63/0807 using tickets, e.g. Kerberos
                • H04L63/0823 using certificates
            • H04L63/10 for controlling access to devices or network resources
            • H04L63/20 for managing network security; network security policies in general
        • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                • H04L9/321 involving a third party or a trusted authority > H04L9/3213 using tickets or tokens, e.g. Kerberos
                • H04L9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
        • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
            • H04L2209/46 Secure multiparty computation, e.g. millionaire problem > H04L2209/463 Electronic voting
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
        • G06N3/00 Computing arrangements based on biological models > G06N3/02 Neural networks
            • G06N3/04 Architecture, e.g. interconnection topology > G06N3/044 Recurrent networks, e.g. Hopfield networks
            • G06N3/08 Learning methods

Abstract

The invention discloses a network security communication system based on a blockchain smart contract and belongs to the technical field of digital information transmission. The system comprises a network isolation module, a custom configuration module, an authorized access module, a smart contract module, a certificate management module, an automated deployment module and a sentinel verification module. The network isolation module performs network isolation with an eBPF network firewall using micro-segmentation; a system administrator uses the custom configuration module to configure custom resources and authorization rules on the platform and to initiate a vote; the authorized access module lets administrators vote on and manage management events through a hosting and security contract on the blockchain; the smart contract module queries the contract to obtain the corresponding state change; the certificate management module generates a CA certificate; the automated deployment module injects the CA certificate information and automatically deploys the clients and sentinels of the service teams; and the sentinel verification module is used to access the designated interface.

Description

Network security communication system based on block chain intelligent contract
Technical Field
The invention relates to the technical field of digital information transmission, in particular to a network security communication system based on a block chain intelligent contract.
Background
The traditional security model has gradually improved on the basis of a boundary (perimeter) model: the traditional perimeter-based network security architecture heavily protects the boundary of the enterprise network with perimeter security products and schemes such as firewalls, WAFs and IPSs. The perimeter model focuses on defending the boundary and keeping the attacker as far outside as possible, while the inside has no protective measures. Under current service architectures, the perimeter-based network access security model gradually fails, and access rights cannot be flexibly controlled.
As services develop and traffic grows, resisting external and internal risks, increasing availability, and balancing security against availability become problems that must be solved now: how to further subdivide the network within a region and control the flow of traffic in the north-south and east-west directions; how to break the perimeter mode of the network with a zero-trust network and flexibly combine network functions with upper-layer applications; and how to map the fine-grained identities of users, devices, services, applications and data onto security contexts such as network sessions.
Disclosure of Invention
The present invention is directed to a network security communication system based on a blockchain smart contract, so as to solve the problems set out in the background art.
In order to solve these technical problems, the invention provides the following technical scheme:
the network security communication system based on the blockchain smart contract comprises a network isolation module, a custom configuration module, an authorized access module, a smart contract module, a certificate management module, an automated deployment module and a sentinel verification module;
the network isolation module performs network isolation through an eBPF network firewall using micro-segmentation; the custom configuration module is used by a system administrator to configure custom resources and authorization rules on the platform and to initiate a vote; the authorized access module is used by administrators to vote on and manage management events through a hosting and security contract on the blockchain, and authorizes internal and external programs to access sensitive information; the smart contract module is used by the management platform to query contracts and obtain the corresponding state changes; the certificate management module is used by the management platform to generate a CA certificate; the automated deployment module injects the CA certificate information and automatically deploys the clients and sentinels of service teams; the sentinel verification module lets external services or personnel access the designated interface through the client-side sentinel.
According to the above technical solution, the network isolation module includes:
an administrator configures security rules and service security groups on the control plane; these are persisted in MySQL, and binding the security rules to the service security groups generates the micro-segment rule definitions that control the service's traffic;
the service identification number unique_id is assembled into the Cilium data format, and the micro-segmentation rule definition is applied inside k8s through the interface provided by k8s;
the Cilium agent senses the micro-segmentation rule and applies it to the eBPF network firewall rules, achieving secure isolation of the eBPF micro-segment. This realizes the zero-trust security model, reduces the attack surface, prevents attackers and abnormal data from moving laterally (east-west), and ensures internal security.
According to the above technical solution, the custom configuration module includes:
a system administrator configures resource definitions and authorization rules through the control plane;
the control plane sends the authorization rules to the chain through the blockchain's interface.
According to the above technical solution, the authorized access module includes:
after receiving the authorization rule information from the control plane, the blockchain contract initiates a voting event;
administrators vote on and manage management affairs through the hosting and security contract on the chain;
when the vote passes, the control plane of each availability zone is notified through the callback address configured in the contract, and the corresponding vote ID is returned.
According to the technical scheme, the authorized access module further comprises a voting verification sub-module;
the voting verification sub-module verifies that an administrator's vote on a management event is compliant;
the verification comprises the following steps:
obtaining the feedback time of the token in historical administrator votes and recording it as the set [symbol image 001], where [symbol image 002] respectively represent the feedback time of the token in each administrator vote;
because an abnormal intrusion during an administrator's vote, or the replacement of the administrator, would greatly affect the voting result and cause information leakage, the feedback time is predicted and controlled: once an abnormal program appears, the feedback time is affected.
the set [symbol image 003] is divided into a training sample set and a test sample set in a 9:1 ratio, and both are normalized to obtain a normalized training sample set V and a normalized test sample set T;
constructing an LSTM network from the normalized training sample set V:
[formula image 004]
[formula image 005]
[formula image 006]
where [symbol image 007] represents the output of the forget gate, which determines what fraction of the cell state at the previous time [symbol image 008] is preserved into the cell state at the current time [symbol image 009]; [symbol image 010] is the weight matrix of the forget gate; [symbol image 011] denotes concatenating the two vectors [symbol image 012] into one longer vector; [symbol image 013] is the bias term of the forget gate; [symbol image 014] represents the sigmoid function; [symbol image 015] represents the output of the input gate, which determines what fraction of the current input [symbol image 016] is retained into the cell state [symbol image 009]; [symbol image 017] is the weight matrix of the input gate; [symbol image 018] is the bias term of the input gate; [symbol image 019] represents the output of the output gate, which controls how much of the current cell state [symbol image 009] goes to the current output value of the LSTM [symbol image 020]; [symbol image 021] represents a weight matrix of the input gate; [symbol image 022] represents a bias term of the input gate;
according to the formula:
[formula image 023]
where [symbol image 024] represents point multiplication;
inputting the test sample set T into the generated LSTM network, obtaining the predicted feedback time of the token in administrator voting, and calculating a deviation value against the actual value:
[formula image 025]
where [symbol image 026] represents the deviation value; [symbol image 027] represents the output value of the LSTM network; [symbol image 028] represents the actual value;
the average of all deviation values is taken as the prediction deviation value and recorded as [symbol image 029];
the predicted value of the token feedback time in the administrator vote at the current moment is obtained through the LSTM network and recorded as [symbol image 030];
then the final output prediction value is [formula image 031].
The verification further comprises:
acquiring a confirmation click pattern:
the confirmation click pattern is the click position during the administrator's voting;
acquiring a scatter diagram of click positions from historical data, and constructing a click area P;
if a click pattern is not inside the click area, it is marked, and the minimum distance between the click pattern and the click area is obtained;
acquiring the IP address of the administrator;
querying the administrator's IP address in the current administrator vote and feeding it back to the system.
According to the above technical solution, the verification further comprises:
constructing a verification probability value:
[formula image 032]
where [symbol image 033] represents the verification probability value; [symbol image 034] is a set threshold for the feedback time of the token in an administrator vote; [symbol image 035] represents the average of the minimum distances between all marked click patterns and the click area, for click patterns not in the click area; [symbol image 036] represents the number of times the click pattern is not in the click area; [symbol image 037] represents a constant value, which takes [value image 038] when the administrator's IP address in the current administrator vote is not at the set address and otherwise takes [value image 039]; [value image 039] and [value image 040] are both set values; [symbol image 041], [symbol image 042] and [symbol image 043] represent weight values respectively;
constructing a verification probability threshold [symbol image 044]; if [symbol image 033] exceeds [symbol image 044], warning information is sent, the voting work is temporarily suspended, and work continues after the vote initiator confirms.
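The verification sub-module above is described only in words and formula images. The Go program below is an added example, not the patent's own code, showing one way to implement its three signals and the final threshold decision: the mean prediction deviation and corrected prediction from the LSTM test set, the click area P with minimum distances for out-of-area clicks, the IP check, and the weighted verification probability. The LSTM itself is not reimplemented; its raw output is an input here. The bounding-box construction of P, the additive deviation correction, the weighted-sum form of the probability and every weight and threshold value are assumptions of this example.

```go
package main

import "math"

// Click is one confirmation-click position recorded during an administrator's vote.
type Click struct{ X, Y float64 }

// ClickArea is the click region P built from the historical click scatter.
// The page does not say how P is constructed; an axis-aligned bounding box
// of the history is used here as an assumption (history must be non-empty).
type ClickArea struct{ MinX, MinY, MaxX, MaxY float64 }

func BuildClickArea(history []Click) ClickArea {
	a := ClickArea{math.Inf(1), math.Inf(1), math.Inf(-1), math.Inf(-1)}
	for _, c := range history {
		a.MinX, a.MaxX = math.Min(a.MinX, c.X), math.Max(a.MaxX, c.X)
		a.MinY, a.MaxY = math.Min(a.MinY, c.Y), math.Max(a.MaxY, c.Y)
	}
	return a
}

// Distance is 0 for a click inside P and otherwise the Euclidean distance to
// the nearest edge of P: the page's "minimum distance to the click area".
func (a ClickArea) Distance(c Click) float64 {
	dx := math.Max(math.Max(a.MinX-c.X, 0), c.X-a.MaxX)
	dy := math.Max(math.Max(a.MinY-c.Y, 0), c.Y-a.MaxY)
	return math.Hypot(dx, dy)
}

// PredictionDeviation is the mean of (actual - predicted) over the test set,
// the page's prediction deviation value.
func PredictionDeviation(predicted, actual []float64) float64 {
	if len(predicted) == 0 || len(predicted) != len(actual) {
		return 0
	}
	sum := 0.0
	for i := range predicted {
		sum += actual[i] - predicted[i]
	}
	return sum / float64(len(predicted))
}

// CorrectedPrediction adds the mean deviation to the raw LSTM output. The
// page's final formula is an image; additive correction is an assumption.
func CorrectedPrediction(lstmOutput, deviation float64) float64 {
	return lstmOutput + deviation
}

// Weights holds the operator-set values of the verification formula: three
// weights, the two IP constants and the feedback-time threshold (seconds).
type Weights struct {
	W1, W2, W3         float64
	IPAbnormal, IPNorm float64
	FeedbackThreshold  float64
}

// Session is what the verification sub-module observes for one vote.
type Session struct {
	FeedbackTime      float64 // measured token feedback time, seconds
	PredictedFeedback float64 // corrected LSTM prediction for this vote
	Clicks            []Click
	IP                string
}

// VerificationProbability combines the three signals. The page's formula is an
// image, so this weighted sum is an assumption that keeps the page's terms:
// how far the feedback time deviates from its prediction beyond the threshold,
// the average minimum distance of out-of-area clicks, their count, and an IP
// constant. The second result is the number of out-of-area clicks.
func VerificationProbability(s Session, area ClickArea, allowedIPs map[string]bool, w Weights) (float64, int) {
	feedbackTerm := 0.0
	if w.FeedbackThreshold > 0 {
		excess := math.Abs(s.FeedbackTime-s.PredictedFeedback) - w.FeedbackThreshold
		feedbackTerm = math.Max(excess, 0) / w.FeedbackThreshold
	}
	outside, distSum := 0, 0.0
	for _, c := range s.Clicks {
		if d := area.Distance(c); d > 0 {
			outside++
			distSum += d
		}
	}
	avgDist := 0.0
	if outside > 0 {
		avgDist = distSum / float64(outside)
	}
	ipTerm := w.IPNorm
	if !allowedIPs[s.IP] {
		ipTerm = w.IPAbnormal
	}
	return w.W1*feedbackTerm + w.W2*avgDist + w.W3*float64(outside) + ipTerm, outside
}

// ShouldSuspend is the final check: above the threshold an alert is raised and
// the vote is paused until the vote initiator confirms.
func ShouldSuspend(p, threshold float64) bool { return p > threshold }
```

With constructed inputs (history clicks at (10,10), (50,40), (30,20); weights 0.3, 0.02, 0.1; IP constants 0.3 and 0; a 0.5 s feedback threshold), a vote whose feedback time is 1.2 s off its prediction, with two of three clicks outside P and an IP outside the allowed set, scores 1.12 against a probability threshold of 0.8 and is suspended; a vote that matches history on all three signals scores 0.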
According to the above technical solution, the smart contract module includes:
the management platform calls the voting interface provided by the blockchain to query the on-chain authorization rule data by the vote ID;
the control plane determines whether to deploy a server or a client by combining the availability zone in which it is located with the availability zones of the authorization rule.
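The authorized access and smart contract modules above describe a state machine: a rule arrives, a voting event is created, administrators vote, the control plane of each availability zone is called back with the vote ID once the vote passes, the rule is queried back by that ID, and each control plane decides what to deploy from its own zone. The Go program below is an added example (not the patent's contract, and not the EVM newVote interface mentioned later on the page) that models that flow off-chain so the control-plane logic can be exercised: duplicate and late ballots are rejected, each zone is notified once, and only a passed vote yields a rule. The field names and the yes-vote quorum rule are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// AuthorizationRule is what an administrator submits for a custom resource:
// the zone hosting the server-side sentinel, the zone hosting the client-side
// sentinel and the port the client sentinel exposes. Constructed field set;
// the page's parameter table is an image.
type AuthorizationRule struct {
	ResourceID string
	ServerZone string
	ClientZone string
	ClientPort int
}

// Vote is the on-chain voting event for one rule; records are only appended.
type Vote struct {
	ID      int
	Rule    AuthorizationRule
	Quorum  int
	Ballots map[string]bool // administrator -> approved
	Yes     int
	Passed  bool
}

// Contract models the hosting/security contract; Callbacks stand in for the
// callback address configured for each availability zone's control plane.
type Contract struct {
	votes     []*Vote
	Callbacks map[string]func(voteID int)
}

func NewContract() *Contract { return &Contract{Callbacks: map[string]func(int){}} }

// NewVote is the voting event raised when a rule arrives from the control
// plane; the returned vote ID is what the platform later queries with.
func (c *Contract) NewVote(r AuthorizationRule, quorum int) int {
	v := &Vote{ID: len(c.votes) + 1, Rule: r, Quorum: quorum, Ballots: map[string]bool{}}
	c.votes = append(c.votes, v)
	return v.ID
}

// CastVote records one administrator's ballot. Repeat ballots and ballots on a
// decided vote are rejected; reaching the quorum notifies the control plane of
// each zone named in the rule (once per zone) with the vote ID.
func (c *Contract) CastVote(voteID int, admin string, approve bool) error {
	if voteID < 1 || voteID > len(c.votes) {
		return fmt.Errorf("unknown vote %d", voteID)
	}
	v := c.votes[voteID-1]
	if v.Passed {
		return errors.New("vote already decided")
	}
	if _, dup := v.Ballots[admin]; dup {
		return fmt.Errorf("administrator %q already voted", admin)
	}
	v.Ballots[admin] = approve
	if approve {
		v.Yes++
	}
	if v.Yes < v.Quorum {
		return nil
	}
	v.Passed = true
	for zone := range map[string]bool{v.Rule.ServerZone: true, v.Rule.ClientZone: true} {
		if cb, ok := c.Callbacks[zone]; ok {
			cb(v.ID)
		}
	}
	return nil
}

// QueryRule is the voting interface the management platform calls with a vote
// ID to read the authorization rule back from the chain; only passed votes yield a rule.
func (c *Contract) QueryRule(voteID int) (AuthorizationRule, error) {
	if voteID < 1 || voteID > len(c.votes) || !c.votes[voteID-1].Passed {
		return AuthorizationRule{}, errors.New("no passed vote with that ID")
	}
	return c.votes[voteID-1].Rule, nil
}

type Role string

const RoleServer, RoleClient Role = "server-sentinel", "client-sentinel"

// DecideRoles tells a control plane what to deploy by comparing its own zone
// with the zones in the rule: server, client, both, or nothing.
func DecideRoles(myZone string, r AuthorizationRule) []Role {
	var roles []Role
	if myZone == r.ServerZone {
		roles = append(roles, RoleServer)
	}
	if myZone == r.ClientZone {
		roles = append(roles, RoleClient)
	}
	return roles
}
```

The callback and query are deliberately separate, as on the page: the callback carries only the vote ID, and the control plane fetches the rule from the chain itself rather than trusting rule data pushed with the notification.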
According to the above technical solution, the certificate management module includes:
the control plane encapsulates the data of each end, generates a private key through the SDK provided by the CA center, and automatically generates a CSR according to the SPIFFE ID;
the CA center then requests from the CA server the certificate of the server-side sentinel and the CA certificate of the client-side sentinel, according to the CSR, the connection information of the client-side and server-side sentinels, and the SNI identifier.
According to the above technical solution, the automated deployment module includes:
the image builds of the server sentinel and the client sentinel are triggered through the CI function of DevOps, and the certificate information is written into the environment variables of the corresponding image; the control plane periodically polls the CI service to query the build state of the image;
the control plane assembles the corresponding data structure through the deployment interface provided by the worker service and submits the image to k8s for deployment.
According to the technical scheme, the sentinel verification module comprises:
when an external service or person accesses, the client-side sentinel first performs a TLS handshake with the public network service of the server-side sentinel;
the client-side sentinel sends a WS request to the server-side sentinel, the WS request containing its own certificate and other access-permission information;
the server-side sentinel verifies the client-side sentinel's certificate and the access policy, and after verification passes it responds synchronously to the client-side sentinel with its own certificate;
after the client-side sentinel verifies the server-side sentinel's certificate, the server-side sentinel accesses the target service according to the target service information provided by the client-side sentinel.
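The certificate management module and the sentinel verification module above amount to a small PKI: a CA issues per-sentinel certificates from CSRs that carry a SPIFFE ID, and each sentinel verifies the other's certificate before the server-side sentinel applies the access policy. The Go program below is an added example using only the standard library, not the patent's code or any CA vendor's SDK; it models certificate issuance, the client's check of the server certificate, the server's check of the client certificate, and the server-side policy decision keyed by the client's SPIFFE ID. The TLS transport and the WS request are left out. The trust domain example.invalid, the SPIFFE paths, the SNI names and the policy map are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// newCA creates a self-signed issuing CA standing in for the page's CA center.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sentinel-ca"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueSentinelCert follows the page's certificate steps: a fresh private key, a CSR
// with the SPIFFE ID as a URI SAN plus the SNI name, a CA-side check of the CSR
// signature, then a certificate valid for either TLS role (30-day term, as on the page).
func issueSentinelCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, spiffe *url.URL, sni string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	req := &x509.CertificateRequest{URIs: []*url.URL{spiffe}, DNSNames: []string{sni}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(csrDER) // what the CA center receives
	if err != nil {
		return nil, nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the key
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), URIs: csr.URIs, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(30 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// AuthorizeClient is the server sentinel's check on a connecting client sentinel:
// the certificate must chain to the CA with client-auth usage, and its SPIFFE ID
// must be allowed to reach the requested target. It returns the SPIFFE ID.
func AuthorizeClient(cert *x509.Certificate, pool *x509.CertPool, target string, policy map[string]map[string]bool) (string, error) {
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("client sentinel certificate rejected: %w", err)
	}
	id := ""
	if len(cert.URIs) > 0 && cert.URIs[0].Scheme == "spiffe" {
		id = cert.URIs[0].String()
	}
	if !policy[id][target] {
		return id, fmt.Errorf("%q is not authorized for %q", id, target)
	}
	return id, nil
}

// Demo wires the Redis case from the page: a server sentinel in front of Redis and a
// client sentinel for the MSP control plane; trust domain and names are placeholders.
func Demo(target string) (string, error) {
	ca, caKey, err := newCA()
	if err != nil {
		return "", err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	const td, sni = "example.invalid", "redis-sentinel.example.invalid"
	srv, _, err := issueSentinelCert(ca, caKey, 2, &url.URL{Scheme: "spiffe", Host: td, Path: "/redis-server-sentinel"}, sni)
	cli, _, err2 := issueSentinelCert(ca, caKey, 3, &url.URL{Scheme: "spiffe", Host: td, Path: "/msp-client-sentinel"}, "msp-sentinel."+td)
	if err != nil || err2 != nil {
		return "", fmt.Errorf("issuing sentinel certificates: %v %v", err, err2)
	}
	// Client side: the server sentinel's certificate must chain to the CA and carry the SNI name.
	if _, err := srv.Verify(x509.VerifyOptions{Roots: pool, DNSName: sni}); err != nil {
		return "", err
	}
	// Server side: policy keyed by client SPIFFE ID -> allowed target services.
	policy := map[string]map[string]bool{"spiffe://" + td + "/msp-client-sentinel": {"redis:6379": true}}
	return AuthorizeClient(cli, pool, target, policy)
}
```

Two details matter for the zero-trust claim: the identity used for the policy decision is the URI SAN of a certificate that has already been chained to the CA, never a name the client merely asserts in the request, and a certificate issued by any other CA, even with an identical SPIFFE ID, fails at the chain check before the policy is consulted.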
Compared with the prior art, the invention has the following beneficial effects:
by isolating the network with eBPF micro-segmentation, the network within a region is further subdivided, north-south and east-west traffic flows are controlled, and security is strengthened. The zero-trust network breaks the perimeter mode of the network, network functions and upper-layer applications are combined flexibly, and the fine-grained identities of users, devices, services, applications and data are mapped onto network sessions, so that the underlying devices can be applied flexibly to richer protection strategies. The zero-trust security system protects internal information security: traffic to the key parts of the system is proxied by a sentinel, and the corresponding data can only be accessed after authorization has been obtained. The sentinel's traffic management behaviour is regulated by the platform, and the platform's management behaviour is driven by the data of the hosting and security affair contract on the blockchain. The data of the blockchain contract is managed by the relevant managers through voting, the voting process undergoes whole-process management verification, and overall security is extremely high.
Meanwhile, contracts are written to the blockchain in digital form; owing to the characteristics of the blockchain, data cannot be deleted or modified, only appended, so the whole process is transparent and traceable and historical traceability is guaranteed; behaviour is recorded permanently, which avoids interference by malicious behaviour with the normal execution of the contract to the greatest extent; decentralization avoids the influence of centralizing factors and improves the cost-efficiency advantages of smart contracts; when the contract conditions are met, the code of the smart contract starts automatically, avoiding manual steps and guaranteeing that the issuer cannot default; and a state machine built on the blockchain's own consensus algorithm lets the smart contract run efficiently.
The zero-trust network breaks with the old perimeter-protection thinking that concentrates on defending the boundary. It provides strong protection for applications and data whether they are in the cloud or on premises; reduces the service exposure surface; adjusts access rights dynamically so that access behaviour is controllable; performs periodic terminal security checks; and, by closing security gaps and controlling lateral movement on the network, reduces risk.
Data center service units are grouped according to rules, and policies are deployed between the groups to achieve traffic control, giving finer and more flexible security isolation: micro-segments can be grouped by discrete IP, MAC, VM name and other definitions, so the corresponding security domains are divided more finely and flexibly; meanwhile, micro-segmentation realizes a zero-trust security model by segmenting service resources and strictly controlling inter-service access relationships under the principle of least privilege, which narrows the attack surface, prevents attackers and abnormal data from moving east-west, and ensures internal security.
A distributed security control scheme is realized through micro-segmentation: security filtering is performed close to the service traffic in the access switch, so east-west traffic no longer has to be forwarded centrally to a firewall before being isolated; this reduces network bandwidth consumption and prevents the central control point from becoming a traffic bottleneck.
The key data sources of the base cluster can be protected by the security sentinel agent: communication traffic between sentinels is encrypted, generic traffic is carried, and client sentinel permissions are controlled uniformly by a master site (trusted site).
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
FIG. 1 is a flow diagram of the network security communication system based on a blockchain smart contract according to the present invention;
FIG. 2 is a schematic flow diagram of the network isolation module in an embodiment of the system;
FIG. 3 is a schematic flow diagram of the authorized access module in an embodiment of the system;
FIG. 4 is a schematic diagram of an identity identifier in an embodiment of the system;
FIG. 5 is a schematic flow diagram of the certificate management module in an embodiment of the system;
FIG. 6 is a schematic flow diagram of the automated deployment module in an embodiment of the system;
FIG. 7 is a schematic flow diagram of the sentinel verification module in an embodiment of the system.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1 to 7, in the present embodiment:
the case of Redis access information is taken as the secure communication of the zero-trust network:
since data is transmitted over the network, it may be intercepted in transit or enter the database through irregular means, so the security of the database is very important. Redis is the data caching storage facility of the service, and its security determines the security of the entire service. Using this platform and method, the security of the Redis service is effectively controlled.
After the administrator configures the security group and the service security group on the control plane, the eBPF network firewall performs service network isolation using micro-segmentation. The administrator then configures the custom resources and authorization rules in the sentinel module and invokes the blockchain contract to initiate the voting mechanism. After the blockchain smart contract authorizes, the platform interface is called back and the platform generates, according to the rules, a sentinel and a certificate that take the Redis service as the server end. The MSP control plane serves as the client end and finally accesses the Redis server end by having the client-side sentinel carry the certificate. Through layer-by-layer encryption and rule verification, secure communication with the Redis service is achieved. The detailed process of this implementation case is as follows:
the control plane abstracts out security groups and binding functions between security groups and services. Firstly, a user creates a security group suitable for self service on a platform side through a control plane, wherein the security group comprises a series of in-out network policies, including an IP section and a DNS-based access policy, and relevant fields are shown in the following tables 1 and 2:
Figure 263872DEST_PATH_IMAGE045
Figure 284918DEST_PATH_IMAGE046
when the user adds some listed networking strategies of a certain security group through the control surface, the control surface can persistently store the data of the security group in Mysql and wait for being applied to a certain service;
the user adds the unique identification number of the self service in the service security group configuration module, and selects the security group to be applied, and the relevant fields are shown in table 3:
Figure 877573DEST_PATH_IMAGE047
After receiving the data submitted by the user, the control plane first checks its validity, including whether the security group exists and whether access policies exist under it. It then queries all access policies under the submitted security group ID, combines them with the service identifier unique_id to assemble a Cilium policy object, and applies it to k8s through the interface provided by k8s.
The Cilium agent on the k8s node picks up the rule and applies it to the eBPF firewall rules, so that service network isolation is enforced by the kernel and the network, as shown in Fig. 2.
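As an added example (not code from the patent or its applicant), the following Python assembles the Cilium policy object described above from one security group and a service unique_id, including the validity checks the control plane is said to run. Tables 1 to 3 are not reproduced on this page, so the row field names, the sample security group and the pod label that carries unique_id are assumptions; the CiliumNetworkPolicy fields themselves (endpointSelector, fromCIDR, toCIDR, toFQDNs, toPorts) are Cilium's documented schema. The resulting object can be applied as JSON with kubectl.

```python
"""Assemble a CiliumNetworkPolicy from a security group (added example).

Illustrative code, not the patent's own implementation. The row fields
(direction, cidr, fqdn, port, protocol), the sample group and the pod label
carrying unique_id are assumptions; the policy fields are Cilium's schema.
"""
import ipaddress
import json
import re

# Constructed sample security group: one inbound and two outbound policies.
SECURITY_GROUP = {
    "id": 7,
    "name": "redis-clients",
    "policies": [
        {"direction": "ingress", "cidr": "10.20.0.0/16", "port": 6379, "protocol": "TCP"},
        {"direction": "egress", "fqdn": "ca.internal.example", "port": 443, "protocol": "TCP"},
        {"direction": "egress", "cidr": "10.30.1.5/32", "port": 8443, "protocol": "TCP"},
    ],
}

# Assumed label key under which the service's unique_id appears on its pods.
UNIQUE_ID_LABEL = "app.kubernetes.io/instance"

_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$",
    re.I,
)

# Egress rule that lets the selected pods reach kube-dns through Cilium's DNS
# proxy; without it, toFQDNs rules never learn any IPs and never match.
DNS_EGRESS = {
    "toEndpoints": [{"matchLabels": {"k8s:io.kubernetes.pod.namespace": "kube-system",
                                     "k8s:k8s-app": "kube-dns"}}],
    "toPorts": [{"ports": [{"port": "53", "protocol": "ANY"}],
                 "rules": {"dns": [{"matchPattern": "*"}]}}],
}


def policy_error(row):
    """Return a reason if the row is invalid, else None (the control plane's validity check)."""
    if row.get("direction") not in ("ingress", "egress"):
        return f"bad direction {row.get('direction')!r}"
    has_cidr, has_fqdn = "cidr" in row, "fqdn" in row
    if has_cidr == has_fqdn:
        return "row must carry exactly one of cidr or fqdn"
    if has_cidr:
        try:
            ipaddress.ip_network(row["cidr"], strict=True)  # rejects host bits set, e.g. 10.0.0.1/16
        except ValueError as exc:
            return f"bad cidr: {exc}"
    else:
        if row["direction"] != "egress":
            return "DNS-based rules are egress-only (Cilium toFQDNs)"
        if not _FQDN_RE.match(row["fqdn"]):
            return f"bad fqdn {row['fqdn']!r}"
    try:
        port = int(row["port"])
    except (KeyError, TypeError, ValueError):
        return "port missing or not an integer"
    if not 1 <= port <= 65535:
        return f"port {port} out of range"
    if row.get("protocol", "TCP") not in ("TCP", "UDP"):
        return "protocol must be TCP or UDP"
    return None


def build_cilium_policy(unique_id, group, namespace="default"):
    """Translate every row of `group` into one CiliumNetworkPolicy selecting the service's pods."""
    ingress, egress, needs_dns = [], [], False
    for row in group["policies"]:
        err = policy_error(row)
        if err:
            raise ValueError(f"security group {group['id']}: {err}")
        ports = [{"ports": [{"port": str(int(row["port"])), "protocol": row.get("protocol", "TCP")}]}]
        if row["direction"] == "ingress":
            ingress.append({"fromCIDR": [row["cidr"]], "toPorts": ports})
        elif "cidr" in row:
            egress.append({"toCIDR": [row["cidr"]], "toPorts": ports})
        else:
            egress.append({"toFQDNs": [{"matchName": row["fqdn"]}], "toPorts": ports})
            needs_dns = True
    if needs_dns:
        egress.append(DNS_EGRESS)
    # Once a policy with ingress/egress sections selects an endpoint, Cilium denies
    # everything in that direction that no rule allows (default deny).
    return {
        "apiVersion": "cilium.io/v2",
        "kind": "CiliumNetworkPolicy",
        "metadata": {"name": f"sg-{group['id']}-{unique_id}", "namespace": namespace},
        "spec": {
            "endpointSelector": {"matchLabels": {UNIQUE_ID_LABEL: unique_id}},
            "ingress": ingress,
            "egress": egress,
        },
    }


if __name__ == "__main__":
    # JSON is accepted by `kubectl apply -f -`, so no YAML library is needed.
    print(json.dumps(build_cilium_policy("order-svc", SECURITY_GROUP), indent=2))
```

Two points matter in practice. A DNS-based (toFQDNs) rule only works if the pod's DNS traffic is allowed through Cilium's DNS proxy, which is why a kube-dns egress rule is appended whenever an FQDN policy is present. And because a CiliumNetworkPolicy with ingress or egress sections switches the selected pods to default deny in that direction, a security group that omits a needed policy does not fail open; it cuts the service off, which is the behaviour to test for before binding a group to a production service.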
The user first adds a resource on the platform side, filling in the resource name, selecting the resource type, and giving the target address and port of the resource; the parameter fields are shown in Table 4:
[Table 4 (image not reproduced)]
The Redis service resource data is submitted to the control plane, which returns success after validity checking; this means the resource has been created, and the resource data is persisted in MySQL. At the same time the control plane generates a unique uuid for the resource, which identifies it globally.
After the resource has been created, the user needs to create an authorization rule for it: declare the availability zone of the Redis service as the server side, declare the availability zone of the MSP service as the client side, and set the validity period of the authorization (30 days by default) and the port that the client sentinel exposes to the accessing party; the parameter fields are shown in Table 5:
[Table 5 (image not reproduced)]
When the user has filled in the required information, the data is submitted to the control plane, which validates it and persists it in Redis. At the same time the control plane sends all data of the authorization rule to the chain through the blockchain interface and waits for the vote. When a vote is requested, the contract's newVote method is called to create a new vote for _metadata. The parameter _executesIfDecided states whether the newly created vote is executed as soon as it is decided; _executionScript is the script executed on the EVM once the vote has been reviewed and approved; _metadata is the actual content being voted on; and _native marks whether execution is dynamic.
After the blockchain contract has received the submitted voting request, holders of the organization's token have the right to vote; each voter chooses whether or not to support the request, and the voting contract calls the token contract to obtain the voter's voting weight.
When the vote passes, the control plane of each availability zone is notified through the callback address configured in the contract, and the corresponding vote ID is returned, as shown in Fig. 3.
After receiving the callback event for a successful vote, the control plane calls the voting interface provided by the blockchain to query the on-chain authorization rule data by the returned vote ID. Combining the availability zone it is located in with the availability zones in the authorization rule, the control plane determines that the current zone is the client side and that the Redis service is the server side.
The control plane packages the data for each end. It first generates a private key through the SDK provided by the CA center and automatically generates a CSR according to the SPIFFE ID; an identity is defined according to SPIFFE as the standard by which a set of services recognise one another. The identity consists mainly of the cluster domain ID and the service identification ID, as shown in Fig. 4.
The CA center then requests the server sentinel certificate and the client sentinel certificate from the CA server, based on the CSR, the extension information of the client sentinel and server sentinel, and the SNI identifier. The server sentinel certificate and the client sentinel certificate are issued with different identities and extension fields.
The extension information of the server sentinel certificate is shown in Table 6, and that of the client sentinel certificate in Table 7:
[Table 6 (image not reproduced)]
[Table 7 (image not reproduced)]
The trusted CA certificate is mounted on the sidecar of every service in the cluster. From the identity and other information in a certificate, it can be verified whether the certificate belongs to the cluster and whether it is valid, as shown in Fig. 5.
After the certificates for each end have been generated, the control plane triggers the image builds for the server sentinel and the client sentinel through the CI function of the DevOps system, injecting each certificate's information into the environment variables of the corresponding image. While waiting for the build, the control plane periodically polls the CI service for the build status; when the build is reported successful, the image is ready for deployment, as shown in Fig. 6.
When the control plane has obtained a server sentinel or client sentinel image that needs to be deployed, it assembles it into the corresponding data structure through the deployment interface provided by the Worker service and submits it to k8s for deployment. The control plane also polls the deployment result and keeps it synchronised in real time.
A microservice in the availability zone of the MSP control plane initiates a TCP connection to the client sentinel in the same zone; after the three-way handshake the TCP connection is established and the Redis connection request is sent. The client sentinel impersonates the resource instance and transparently forwards the microservice's traffic to the server sentinel, so the microservice is unaware of it.
The client sentinel in the MSP control plane's zone establishes a TCP connection with the Redis server sentinel, using the server sentinel information stored in its own certificate. After the TCP handshake, the client sentinel and server sentinel establish a TLS-encrypted tunnel, and the client sends a private-protocol message telling the server sentinel which resource it wants to connect to.
After receiving the identifier of the resource the client sentinel wants, the Redis server sentinel verifies the resource: first whether the resource exists, and second whether the identity of the client sentinel is legitimate. Once the server sentinel's checks succeed, it answers with a private-protocol packet indicating successful authentication. The client sentinel then forwards the original resource connection request sent by the microservice to the server sentinel through the encrypted tunnel, and the server sentinel, impersonating the client, establishes a connection to the internal resource in its zone according to the microservice's original request data.
The Redis database returns the connection response to the server sentinel. The server sentinel forwards the resource's response data to the client sentinel through the encrypted tunnel, and the client sentinel returns the original response data to the microservice; from then on the client sentinel and server sentinel relay the encrypted traffic between the microservice and the resource, as shown in Fig. 7.
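As an added example that is not the patent's own code, the following Python implements the check the Redis server sentinel performs on the private-protocol hello: it confirms that the requested resource exists, then that the client sentinel's identity is legitimate, by parsing the SPIFFE ID from the client certificate (cluster domain plus service ID, as in Fig. 4) and matching it against the voted-through authorization rule, including the rule's client zone and its 30-day validity. The SPIFFE ID layout, the rule record, the sample values and the one-line HELLO/AUTH_OK wire format are assumptions, since the page does not specify them; a real sentinel would take the SPIFFE ID from the URI SAN of the certificate presented in the TLS handshake.

```python
"""Server-sentinel admission check (added example, not the patent's own code).

Assumptions, because the page does not give them: SPIFFE IDs are
spiffe://<cluster-domain>/<service-id>; the authorization rule is the
dataclass below; the private protocol exchanges single UTF-8 lines.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse
import re

_TRUST_DOMAIN_RE = re.compile(r"^[a-z0-9._-]+$")     # SPIFFE trust-domain charset
_PATH_SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")  # SPIFFE path-segment charset


@dataclass(frozen=True)
class AuthorizationRule:
    """One voted-through rule: which client service in which zone may reach which resource."""
    resource_uuid: str
    server_zone: str        # zone holding the Redis server sentinel (selects where it is deployed)
    client_zone: str        # zone holding the MSP control plane's client sentinel
    client_service_id: str  # service identification ID expected in the client's SPIFFE ID
    valid_from: datetime
    ttl_days: int = 30      # the page's default authorization validity

    @property
    def expires_at(self) -> datetime:
        return self.valid_from + timedelta(days=self.ttl_days)


def parse_spiffe_id(uri: str) -> tuple:
    """Split a SPIFFE ID into (trust domain, path), rejecting malformed ones."""
    p = urlparse(uri)
    if p.scheme != "spiffe":
        raise ValueError("scheme must be spiffe")
    if not p.netloc or not _TRUST_DOMAIN_RE.match(p.netloc):
        raise ValueError("bad trust domain (userinfo, port or upper case not allowed)")
    if p.query or p.fragment:
        raise ValueError("query and fragment not allowed")
    if not p.path.startswith("/") or p.path == "/" or p.path.endswith("/"):
        raise ValueError("path required, no trailing slash")
    for seg in p.path[1:].split("/"):
        if seg in ("", ".", "..") or not _PATH_SEGMENT_RE.match(seg):
            raise ValueError(f"bad path segment {seg!r}")
    return p.netloc, p.path


def check_admission(rules, cluster_domain, resource_uuid, client_spiffe_id, client_zone, now):
    """The two checks the page names, in its order: resource exists, then client identity is legitimate."""
    rule = rules.get(resource_uuid)
    if rule is None:
        return False, "unknown resource"
    try:
        trust_domain, path = parse_spiffe_id(client_spiffe_id)
    except ValueError as exc:
        return False, f"malformed SPIFFE ID: {exc}"
    if trust_domain != cluster_domain:
        return False, "certificate is not from this cluster"
    if path != "/" + rule.client_service_id:
        return False, "service not authorized for this resource"
    if client_zone != rule.client_zone:
        return False, "client zone not authorized"
    if not rule.valid_from <= now < rule.expires_at:
        return False, "authorization expired or not yet valid"
    return True, "ok"


def handle_hello(line: bytes, rules, cluster_domain, client_spiffe_id, client_zone, now) -> bytes:
    """Assumed wire format: client sends b'HELLO <resource_uuid>\\n', server answers AUTH_OK or AUTH_FAIL."""
    try:
        parts = line.decode("utf-8").rstrip("\n").split(" ", 1)
    except UnicodeDecodeError:
        return b"AUTH_FAIL bad hello\n"
    if len(parts) != 2 or parts[0] != "HELLO":
        return b"AUTH_FAIL bad hello\n"
    ok, reason = check_admission(rules, cluster_domain, parts[1], client_spiffe_id, client_zone, now)
    return b"AUTH_OK\n" if ok else f"AUTH_FAIL {reason}\n".encode()


# Constructed sample data.
CLUSTER_DOMAIN = "prod.cluster"
SAMPLE_NOW = datetime(2022, 4, 15, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2022, 5, 15, tzinfo=timezone.utc)  # past the 30-day default
RULES = {
    "2f6c5b2e-redis": AuthorizationRule(
        resource_uuid="2f6c5b2e-redis", server_zone="az-redis", client_zone="az-msp",
        client_service_id="msp-order-svc", valid_from=datetime(2022, 4, 1, tzinfo=timezone.utc)),
}
CLIENT_ID = "spiffe://prod.cluster/msp-order-svc"


if __name__ == "__main__":
    print(handle_hello(b"HELLO 2f6c5b2e-redis\n", RULES, CLUSTER_DOMAIN, CLIENT_ID, "az-msp", SAMPLE_NOW))
    print(handle_hello(b"HELLO 2f6c5b2e-redis\n", RULES, CLUSTER_DOMAIN,
                       "spiffe://other.cluster/msp-order-svc", "az-msp", SAMPLE_NOW))
```

The failure reasons are explicit here for readability; a production sentinel should log them and send the client one uniform failure, so that a peer cannot use the replies to enumerate resource uuids or learn which check it failed.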
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that changes may be made in the embodiments and/or equivalents thereof without departing from the spirit and scope of the invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A network security communication system based on a blockchain smart contract, characterised in that the system comprises a network isolation module, a custom configuration module, an authorized access module, a smart contract module, a certificate management module, an automated deployment module and a sentinel verification module;
the network isolation module performs network isolation through an eBPF network firewall using micro-segmentation; the custom configuration module is used by the system administrator to configure custom resources and authorization rules on the platform and to initiate votes; the authorized access module is used by the administrator to vote on and manage administrative events through hosting and security contracts on the blockchain, authorizing internal and external programs to access sensitive information; the smart contract module is used by the management platform to query the contract and obtain the corresponding state changes; the certificate management module is used by the management platform to generate CA certificates; the automated deployment module injects the CA certificate information and automatically deploys the client and server sentinels in the service cluster; the sentinel verification module allows external services or personnel to access the designated interface through the client sentinel.
2. The network security communication system based on a blockchain smart contract according to claim 1, characterised in that the network isolation module comprises:
an administrator configures security rules and service security groups on the control plane and persists them in MySQL; the binding of security rules to service security groups generates micro-segmentation rule definitions that control the traffic of the service;
the service identifier unique_id is assembled into a Cilium data format, and the micro-segmentation rule definition is applied inside k8s through the interface provided by k8s;
the Cilium agent picks up the micro-segmentation rule and applies it to the eBPF network firewall rules, achieving secure isolation by eBPF micro-segmentation.
3. The network security communication system based on a blockchain smart contract according to claim 1, characterised in that the custom configuration module comprises:
a system administrator configures resource definitions and authorization rules through the control plane;
the control plane sends the authorization rules to the chain through the blockchain interface.
4. The network security communication system based on a blockchain smart contract according to claim 1, characterised in that the authorized access module comprises:
after receiving the authorization rule information from the control plane, the blockchain contract initiates a voting event;
the administrator votes on and manages administrative affairs through the hosting and security contracts on the chain;
when the vote passes, the control plane of each availability zone is notified through the callback address configured in the contract, and the corresponding vote ID is returned.
5. The network security communication system based on a blockchain smart contract according to claim 4, characterised in that the authorized access module further comprises a vote verification sub-module;
the vote verification sub-module verifies the compliance of the administrator when voting on administrative events;
the verification comprises:
obtaining the token feedback times from past administrator votes and recording them as a set [symbol (image not reproduced)], where [symbols (image not reproduced)] are the token feedback times in each administrator vote;
dividing the set [symbol (image not reproduced)] into a training sample set and a test sample set in a 9:1 ratio and normalising them, to obtain a normalised training sample set V and a normalised test sample set T;
constructing an LSTM network from the normalised training sample set V:
[equation (image not reproduced)]
[equation (image not reproduced)]
[equation (image not reproduced)]
where [symbol] represents the output of the forget gate, which determines what fraction of the previous cell state [symbol] is kept in the current cell state [symbol]; [symbol] is the weight matrix of the forget gate; [symbol] denotes concatenating the two vectors [symbol] into one longer vector; [symbol] is the bias term of the forget gate; [symbol] is the sigmoid function; [symbol] represents the output of the input gate, which determines what fraction of the current input [symbol] is kept in the cell state [symbol]; [symbol] is the weight matrix of the input gate; [symbol] is the bias term of the input gate; [symbol] represents the output of the output gate, which controls how much of the current cell state [symbol] passes into the current output value of the LSTM [symbol]; [symbol] is the weight matrix of the output gate; [symbol] is the bias term of the output gate;
according to the formula:
[equation (image not reproduced)]
where [symbol] denotes element-wise multiplication;
feeding the test sample set T into the trained LSTM network to obtain the predicted token feedback time for administrator votes, and computing a deviation from the actual value:
[equation (image not reproduced)]
where [symbol] is the deviation, [symbol] is the output value of the LSTM network and [symbol] is the actual value;
taking the mean of all deviations as the prediction deviation, recorded as [symbol (image not reproduced)];
obtaining from the LSTM network the predicted token feedback time for the administrator vote at the current moment, recorded as [symbol (image not reproduced)], so that the final output prediction is [symbol (image not reproduced)];
the verification further comprises:
obtaining the confirmation click pattern, where the click pattern is the click position during the administrator's vote;
obtaining a scatter plot of click positions from historical data and constructing a click region P;
if a click pattern is not inside the click region, marking it and obtaining its minimum distance to the click region;
obtaining the administrator's IP address;
querying the administrator's IP address in the administrator vote at the current moment and feeding it back to the system.
6. The network security communication system based on a blockchain smart contract according to claim 5, characterised in that the verification further comprises:
constructing a verification probability value:
[equation (image not reproduced)]
where [symbol] is the verification probability value; [symbol] is the set threshold for the token feedback time in an administrator vote; [symbol] is the mean of the minimum distances to the click region over all marked click patterns that fall outside it; [symbol] is the number of times a click pattern fell outside the click region; [symbol] is a constant that takes the value [symbol] when the administrator's IP address in the current vote is not at the set address and otherwise takes the value [symbol], where [symbol] are all set values; and [symbol], [symbol] and [symbol] are weights;
constructing a verification probability threshold [symbol (image not reproduced)]; if [symbol] exceeds [symbol], a warning is issued, voting is suspended, and work resumes after the vote initiator has confirmed.
7. The network security communication system based on a blockchain smart contract according to claim 1, characterised in that the smart contract module comprises:
the management platform calls the voting interface provided by the blockchain to query the on-chain authorization rule data by vote ID;
the control plane determines whether to deploy a server side or a client side by combining the availability zone it is located in with the availability zones of the authorization rule.
8. The network security communication system based on a blockchain smart contract according to claim 1, characterised in that the certificate management module comprises:
the control plane packages the data for each end, generates a private key through the SDK provided by the CA center, and automatically generates a CSR according to the SPIFFE ID;
the CA center then requests the server sentinel certificate and the client sentinel certificate from the CA server, based on the CSR, the connection information of the client sentinel and server sentinel, and the SNI identifier.
9. The network security communication system based on a blockchain smart contract according to claim 1, characterised in that the automated deployment module comprises:
the image builds of the server sentinel and client sentinel are triggered through the CI function of DevOps, and the certificate information is injected into the environment variables of the corresponding image, while the control plane periodically polls the CI service for the build status;
the control plane assembles the image into the corresponding data structure through the deployment interface provided by the Worker service and submits it to k8s for deployment.
10. The network security communication system based on a blockchain smart contract according to claim 1, characterised in that the sentinel verification module comprises:
when an external service or person accesses, the client sentinel first performs a TLS handshake with the public-network service of the server sentinel;
the client sentinel sends a WS request to the server sentinel;
the server sentinel verifies the client sentinel's certificate and the access policy and, once verification passes, responds to the client sentinel with its own certificate;
after the client sentinel has verified the server sentinel's certificate, the server sentinel accesses the target service according to the target service information provided by the client sentinel.
CN202210338074.0A 2022-04-01 2022-04-01 Network security communication system based on block chain intelligent contract Active CN114430350B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210338074.0A CN114430350B (en) 2022-04-01 2022-04-01 Network security communication system based on block chain intelligent contract

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210338074.0A CN114430350B (en) 2022-04-01 2022-04-01 Network security communication system based on block chain intelligent contract

Publications (2)

Publication Number Publication Date
CN114430350A true CN114430350A (en) 2022-05-03
CN114430350B CN114430350B (en) 2022-06-24

Family

ID=81314478

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210338074.0A Active CN114430350B (en) 2022-04-01 2022-04-01 Network security communication system based on block chain intelligent contract

Country Status (1)

Country Link
CN (1) CN114430350B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190394242A1 (en) * 2012-09-28 2019-12-26 Rex Wig System and method of a requirement, active compliance and resource management for cyber security application
CN112087413A (en) * 2019-06-14 2020-12-15 张长河 Network attack intelligent dynamic protection and trapping system and method based on active detection
CN112671580A (en) * 2020-12-23 2021-04-16 厦门大学 QAR data management method based on block chain technology
CN112671808A (en) * 2021-03-16 2021-04-16 北京顺谋科技有限公司 Internet data transmission anti-tampering sentinel system and internet data transmission system
CN113094730A (en) * 2021-04-16 2021-07-09 杭州卓健信息科技有限公司 Medical data safety management platform based on internet
US20210352139A1 (en) * 2017-09-13 2021-11-11 Vijay Madisetti Service meshes and smart contracts for zero-trust systems
CN114024704A (en) * 2020-10-28 2022-02-08 北京八分量信息科技有限公司 Certificate distribution method in zero trust architecture

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111950036A (en) * 2020-08-21 2020-11-17 交通银行股份有限公司 Inter-block chain interaction system and method based on trusted distributed application
CN111950036B (en) * 2020-08-21 2023-11-14 交通银行股份有限公司 Inter-block chain interaction system and method based on trusted distributed application
CN114900372A (en) * 2022-07-07 2022-08-12 南京智人云信息技术有限公司 Resource protection system based on zero trust security sentinel system
CN116319082A (en) * 2023-05-17 2023-06-23 富算科技(上海)有限公司 Processing method, system, equipment and medium of configuration data based on block chain

Also Published As

Publication number Publication date
CN114430350B (en) 2022-06-24

Similar Documents

Publication Publication Date Title
CN114430350B (en) Network security communication system based on block chain intelligent contract
EP3788523B1 (en) System and method for blockchain-based cross-entity authentication
US11057393B2 (en) Microservice architecture for identity and access management
US20200396214A1 (en) Trusted communication session and content delivery
CN110572398B (en) Block chain network control method, device, equipment and storage medium
CN104823196B (en) Hardware based device authentication
Ertaul et al. Security Challenges in Cloud Computing.
US9420457B2 (en) Multiple-persona on mobile devices
US20170237747A1 (en) Digital asset protection policy using dynamic network attributes
US11683213B2 (en) Autonomous management of resources by an administrative node network
US10425465B1 (en) Hybrid cloud API management
CN110351228A (en) Remote entry method, device and system
EP3292475B1 (en) Secure container platform for resource access and placement on unmanaged and unsecured devices
US20090254968A1 (en) Method, system, and computer program product for virtual world access control management
KR20110040691A (en) Apparatus and methods for managing network resources
JP2016530814A (en) Gateway device to block a large number of VPN connections
US11652637B2 (en) Enforcing a segmentation policy using cryptographic proof of identity
CN113992402B (en) Access control method, system and medium based on zero trust policy
EP1353470B1 (en) Method for deployment of a workable public key infrastructure
CN116032533A (en) Remote office access method and system based on zero trust
Chae et al. A study on secure user authentication and authorization in OAuth protocol
Pathak et al. TABI: Trust-based ABAC mechanism for edge-IoT using blockchain technology
CN109067729A (en) A kind of authentication method and device
CN116260656B (en) Main body trusted authentication method and system in zero trust network based on blockchain
CN114024767B (en) Method for constructing password definition network security system, system architecture and data forwarding method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant