CN114760136A - Safety early warning system and method based on micro-isolation

Info

Publication number
CN114760136A
Authority
CN
China
Prior art keywords
policy
point
access
execution
shadow
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210412948.2A
Other languages
Chinese (zh)
Other versions
CN114760136B (en)
Inventor
雷奕康
葛永文
蔡敬忠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhongke Xingqi Beijing Technology Co ltd
Original Assignee
Zhongke Xingqi Beijing Technology Co ltd
Priority application
CN202210412948.2A, filed by Zhongke Xingqi Beijing Technology Co ltd
Publications
CN114760136A (application), CN114760136B (granted)
Legal status
Active (the legal status is an assumption and is not a legal conclusion)

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network security for separating internal from external traffic, e.g. firewalls
    • H04L63/08: Network security for authentication of entities
    • H04L63/10: Network security for controlling access to devices or network resources
    • H04L63/105: Multiple levels of security
    • H04L63/20: Network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a security early warning system and method based on micro-isolation, relating to the technical field of network security. The system comprises a policy control center, a policy enforcement point and a plurality of shadow enforcement points, wherein the policy enforcement point and the shadow enforcement points are installed on a host machine, and each shadow enforcement point is derived virtually from the policy enforcement point. The policy enforcement point and each shadow enforcement point are respectively used for acquiring the authentication factor of an access subject and the security level of the host machine based on the access request of the access subject to a resource, and for sending their respective acquisition results to the policy control center; the acquisition results sent by different enforcement points are not completely the same. The policy control center is used for determining, based on the acquisition results sent by the enforcement points, whether to grant the access subject access authority to the resource, and for sending the determination result to the policy enforcement point, which then determines according to that result whether to establish the access connection of the access subject to the resource. According to the scheme, the accuracy of threat detection can be improved.

Description

Safety early warning system and method based on micro-isolation
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a security early warning system and method based on micro-isolation.
Background
APT attacks have become an important attack technique that is replacing traditional hacking, and their number keeps rising. As the traditional network security model gradually loses its effectiveness, zero trust security is increasingly becoming the new network security framework of this era.
In a zero trust architecture, all assets must first be authenticated and authorized to initiate communication with another asset. Software Defined Perimeter (SDP) is a zero trust implementation framework that applies zero trust security concepts in networks by creating trust relationships between assets using micro-isolation. SDP can be used as an effective network security control measure, so that an organization can resist traditional network security attacks.
When an existing micro-isolation framework is used to detect APT attacks, the problem of low detection accuracy still exists.
Disclosure of Invention
The embodiment of the invention provides a security early warning system and method based on micro-isolation, which can improve the accuracy of threat detection.
In a first aspect, an embodiment of the present invention provides a security early warning system based on micro-isolation, including: the system comprises a policy control center, a policy execution point and a plurality of shadow execution points, wherein the policy execution point and the plurality of shadow execution points are installed on a host machine; the shadow execution point is derived virtually based on the policy execution point;
The policy enforcement point and each shadow enforcement point are respectively used for acquiring the authentication factor of the access subject and the security level of the host machine based on the access request of the access subject to the resource, and sending the respective acquisition result to the policy control center; the acquisition results sent by different execution points are not completely the same;
the strategy control center is used for receiving the acquisition results respectively sent by each execution point and comprehensively judging the acquisition results to obtain comprehensive verification factors for representing the access subject and the real security level of the host machine; adjusting a security policy according to the real security level of the host, performing trust evaluation on the comprehensive verification factor based on the adjusted security policy to determine whether to grant the access authority of the access subject to the resource, sending the determination result to the policy execution point, and determining whether to establish the access connection of the access subject to the resource by the policy execution point according to the determination result.
Preferably, the states of the execution points are different; the state of an execution point is characterized by the contents of the component units included in the architecture layer forming the execution point; the architecture layer forming the execution point comprises a data layer, a software layer, a resource layer and a network layer; each architecture layer includes a plurality of building units.
Preferably, the state of each shadow enforcement point is obtained by multiplying a random matrix by a state matrix generated by the policy enforcement point;
the state matrix includes: 4 x n elements, wherein the element at the (i, j) th position is used for representing the content of the j th building unit in the ith framework layer, i is an integer in [1,4], and j is an integer in [1, n ]; n is the maximum number of the building units in each architecture layer; and if the number of the building units corresponding to the ith architecture layer is less than n, expanding by using null elements.
Preferably, the authentication factors include: at least two of knowledge factors, occupancy factors, intrinsic factors, and stealth attributes.
Preferably, the policy control center is specifically configured to merge the authentication factors acquired by each enforcement point for the access subject, and determine the merged authentication factors as the comprehensive authentication factors.
Preferably, the policy enforcement point receives an access request of the access subject to a resource, and sends the access request to each shadow enforcement point.
Preferably, the policy enforcement point and each shadow enforcement point receive access requests of the access subject to resources respectively.
Preferably, the execution point is an Agent plug-in.
In a second aspect, an embodiment of the present invention provides a security early warning method based on micro-isolation, which is applied to a policy control center in a security early warning system, where the system further includes: a policy enforcement point and a plurality of shadow enforcement points installed on the host; the shadow execution point is derived virtually based on the policy execution point; the method comprises the following steps:
receiving the acquisition results respectively sent by each execution point; the acquisition result comprises: an authentication factor of the accessing subject and a security level of the host; the acquisition results sent by different execution points are not completely the same;
comprehensively judging each acquisition result to obtain a comprehensive verification factor for representing the access subject and a real security level of the host machine;
adjusting a security policy according to the real security level of the host, and performing trust evaluation on the comprehensive verification factor based on the adjusted security policy to determine whether to grant the access authority of the access subject to the resource; and sending the decision result to the strategy execution point, and determining whether to establish the access connection of the access subject to the resource by the strategy execution point according to the decision result.
In a third aspect, an embodiment of the present invention provides a policy control center, including: a memory in which a computer program is stored, and a processor which, when executing the computer program, implements the method as described above.
The embodiment of the invention provides a security early warning system and a security early warning method based on micro-isolation, wherein a policy execution point is installed on a host, a plurality of shadow execution points can be obtained by virtualizing the policy execution point on the host, when an access subject accesses other resources in a micro-isolation framework, the policy execution point and the shadow execution points respectively acquire information, can obtain incompletely same acquisition results, and send the acquisition results to a policy control center, and the policy control center can comprehensively judge the acquisition results, so that comprehensive verification factors for representing the access subject and the real security level of the host can be obtained, and further trust evaluation is carried out. Therefore, in the scheme, different execution points independently acquire information, and the acquisition results are not completely the same, so that the acquisition results are more perfect, the real results can be represented, and the accuracy of threat detection can be improved.
Drawings
In order to more clearly illustrate the embodiments or technical solutions of the present invention, the drawings used in the embodiments or technical solutions in the prior art are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a structural diagram of a security early warning system based on micro-isolation according to an embodiment of the present invention;
fig. 2 is a flowchart of a security early warning method based on micro-isolation according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, it is obvious that the described embodiments are some, but not all embodiments of the present invention, and based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without making creative efforts belong to the protection scope of the present invention.
Hosts with different architectures produce different collection results when information collection is carried out, and the collection results depend on the service capability of the host. For example, the information collected by hosts running different operating systems is not exactly the same. In a micro-isolation architecture, although the access subject can be authenticated in a zero trust mode and early warning thereby achieved, the acquisition of the authentication factor of the access subject is executed by a single client, so the acquired information may be incomplete, which can affect the authentication result. On this basis, a plurality of clients can each perform information acquisition so that the acquisition results become more complete.
Specific implementations of the above concepts are described below.
Referring to fig. 1, an embodiment of the present invention provides a security early warning system based on micro-isolation, including: a policy control center 10, and a policy enforcement point 11 and a plurality of shadow enforcement points 12 installed on a host; the shadow enforcement point 12 is virtually derived based on the policy enforcement point 11;
the policy enforcement point 11 and each shadow enforcement point 12 are respectively configured to acquire an authentication factor of an access subject and a security level of the host based on an access request of the access subject to a resource, and send respective acquisition results to the policy control center 10; the acquisition results sent by different execution points are not completely the same;
The policy control center 10 is configured to receive the acquisition results respectively sent by each execution point, and comprehensively determine each acquisition result to obtain a comprehensive verification factor for representing the access subject and a real security level of the host; adjusting a security policy according to the real security level of the host, performing trust evaluation on the comprehensive verification factor based on the adjusted security policy to determine whether to grant the access authority of the access subject to the resource, sending the determination result to the policy enforcement point 11, and determining whether to establish the access connection of the access subject to the resource by the policy enforcement point 11 according to the determination result.
In the embodiment of the present invention, the host may be a server host, a virtual machine, or other similar nodes, and the other similar nodes may be a Docker, a virtual service node, and the like. In the embodiment of the invention, the scheme is described in the aspect of taking a host machine as a server.
A Policy Enforcement Point (PEP), which may be an Agent plug-in installed on a server, may be installed on the host. Correspondingly, each shadow enforcement point virtually derived from the policy enforcement point is also an Agent plug-in installed on the server.
The policy enforcement point, the plurality of shadow enforcement points and the policy control center form a new micro-isolation framework. Micro-isolation is a finer-grained network isolation technology, mainly oriented to virtualized data centers, and mainly used to prevent lateral (east-west) movement of an attack after it has entered the enterprise data center network. When the access subject compromises a certain server in the intranet and then attacks other servers (resources) in the intranet, identity verification is carried out on the access subject through the micro-isolation framework in a zero trust mode so as to determine whether to grant the access subject access authority to the resources.
Wherein, the policy control center can include: a Policy Engine (PE) and a Policy Administrator (PA). The policy engine and the policy administrator together implement the functionality of the policy control center. The policy engine and the policy administrator may be deployed on the same device or may be deployed separately.
In order to ensure that the acquisition results of different execution points are not completely the same, in one embodiment of the invention, the states of the execution points are different; the state of an execution point is characterized by the contents of the component units included in the architecture layer forming the execution point; the architecture layer forming the execution point comprises a data layer, a software layer, a resource layer and a network layer; each architecture layer includes a plurality of building units.
Since the role of the execution point needs to collect the authentication factor of the access subject and the security level of the host, the collected information affects the final evaluation result, and the evaluation result is related to the resource security, the state of the execution point is characterized by the contents of the data layer, the software layer, the resource layer and the network layer. Wherein, the data layer can comprise at least one building unit of a database management system, a database and data; the software layer comprises at least one building unit in a software program instruction sequence, an instruction format and an internal data structure layout; the resource layer comprises at least one building unit in an operating system, a storage system and a virtual machine instance; the network layer includes at least one of a protocol, an address, and a port. The content of each building unit forms the state of the execution point.
In the embodiment of the invention, the service capabilities of the execution points are different when the execution points acquire information, so that different acquisition results are acquired, the acquisition results are more perfect, the real state can be represented, and the accuracy of threat detection is further improved on the basis of improving the trust evaluation result.
Further, the greater the state heterogeneity between enforcement points, the greater the heterogeneity of the acquisition results. In one embodiment of the invention, the state of each shadow enforcement point is obtained by multiplying a random matrix by a state matrix generated by the policy enforcement point; the state matrix includes 4 x n elements, wherein the element at the (i, j)-th position represents the content of the j-th building unit in the i-th architecture layer, i is an integer in [1, 4], and j is an integer in [1, n]; n is the maximum number of building units in any architecture layer; and if the number of building units in the i-th architecture layer is less than n, the row is padded with null elements. The random matrix comprises 1 x m elements, where m is the number of shadow enforcement points, and the values of the elements in the random matrix are different from each other.
The state matrix T can be characterized as follows:

$$
T = \begin{bmatrix}
x_{11} & x_{12} & \cdots & x_{1n} \\
x_{21} & x_{22} & \cdots & x_{2n} \\
x_{31} & x_{32} & \cdots & x_{3n} \\
x_{41} & x_{42} & \cdots & x_{4n}
\end{bmatrix}
$$

wherein $x_{mn}$ is the content of the n-th building unit of the m-th architecture layer.
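The following Python example is added here for illustration and is not part of the patent. It builds the 4 x n state matrix T from per-layer building-unit contents (padding short layers with null elements), draws a 1 x m random matrix with pairwise-distinct elements, and derives one shadow state per element. Because the patent does not say how a 1 x m matrix is "multiplied" by a 4 x n matrix, the example assumes the natural reading that shadow point k takes the state r_k times T, with r_k the k-th random element; the numeric contents and layer names are constructed sample values.

```python
# Added example, not from the patent. Assumptions: building-unit contents are
# numeric so that multiplication is defined; shadow k has state r_k * T, where
# r_k is the k-th element of the 1 x m random matrix; nulls stay null.
import random
from typing import Dict, List, Optional

NULL = None  # null element used to pad architecture layers shorter than n
LAYER_ORDER = ["data", "software", "resource", "network"]  # the four layers

# Constructed sample contents: one number per building unit of each layer.
SAMPLE_LAYERS: Dict[str, List[float]] = {
    "data":     [3.0, 7.0, 2.0],    # DBMS, database, data
    "software": [5.0, 1.0, 9.0],    # instruction sequence, format, layout
    "resource": [4.0, 6.0, 8.0],    # OS, storage system, VM instance
    "network":  [17.0, 443.0],      # protocol, port (only two units)
}

def build_state_matrix(layers: Dict[str, List[float]]) -> List[List[Optional[float]]]:
    """Return the 4 x n matrix T: row i is layer i, padded with NULL up to n,
    where n is the largest number of building units in any layer."""
    n = max(len(layers[name]) for name in LAYER_ORDER)
    return [list(layers[name]) + [NULL] * (n - len(layers[name]))
            for name in LAYER_ORDER]

def random_row(m: int, rng: random.Random) -> List[int]:
    """1 x m random matrix whose elements are pairwise distinct and non-zero,
    so that no two shadow states collapse onto each other."""
    return rng.sample(range(1, 10 * m + 1), m)

def derive_shadow_states(T: List[List[Optional[float]]], r: List[int]):
    """State of shadow k is r[k] * T, element-wise; null elements stay null."""
    return [[[NULL if x is NULL else r_k * x for x in row] for row in T]
            for r_k in r]

def states_pairwise_distinct(states) -> bool:
    """Check the heterogeneity property: no two shadow states are equal."""
    return all(states[a] != states[b]
               for a in range(len(states)) for b in range(a + 1, len(states)))

def shadow_states_for(layers: Dict[str, List[float]], m: int, seed: int = 0):
    """Convenience wrapper: build T, draw the random row, derive m shadow states."""
    T = build_state_matrix(layers)
    return derive_shadow_states(T, random_row(m, random.Random(seed)))

if __name__ == "__main__":
    T = build_state_matrix(SAMPLE_LAYERS)
    shadows = shadow_states_for(SAMPLE_LAYERS, m=3)
    print("T =", T)
    print("all shadow states distinct:", states_pairwise_distinct(shadows))
```

The distinctness check is the property the text relies on: if two random elements were equal, two shadow points would end up with identical states and their acquisition results would no longer be "not completely the same".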
In the embodiment of the invention, the shadow enforcement points may be exposed to the outside together with the policy enforcement point, or the shadow enforcement points may not be exposed to the outside.
When the shadow enforcement points and the policy enforcement point are exposed to the outside together, each of them corresponds to a different IP address; the access subject initiates an access request to the resource, and the policy enforcement point and each shadow enforcement point respectively receive the access request of the access subject to the resource.
When the shadow enforcement points are not exposed to the outside, the access subject initiates an access request to the resource, and the policy enforcement point receives the access request and forwards it to each shadow enforcement point.
When an enforcement point is exposed to the outside it is easy to attack, so that the enforcement point may be unable to acquire valid information. Because the shadow enforcement points have the same function as the policy enforcement point, the probability that all of them are compromised is low, and the validity of the acquisition results can be ensured. In addition, when the shadow enforcement points are not exposed to the outside, attacks on them are easier to avoid, which likewise guarantees the validity of the acquisition results received by the policy control center.
In an embodiment of the present invention, when an enforcement point collects the authentication factor of the access subject, the authentication factor may include: knowledge factors, possession factors, inherent factors and stealth attributes. A knowledge factor is something the access subject knows, including but not limited to a password, a PIN and a body. A possession factor is something the access subject owns, including but not limited to a certificate, software and a hardware password. An inherent factor is a characteristic of the access subject, including but not limited to biological factors (such as fingerprints, facial features and voice) and behavioral factors (such as typing speed and mouse-usage habits). Stealth attributes may include, but are not limited to, geographic location and device characteristics.
For the inherent factors and the stealth attributes, enforcement points in different states can obtain acquisition results that are not completely the same during information acquisition.
The access subject is a combination of a user, a device and an application.
Correspondingly, when the policy control center comprehensively judges each acquisition result to obtain a comprehensive verification factor representing the access subject, it specifically: collects the authentication factors of the access subject acquired by each enforcement point, merges them, and takes the merged authentication factors as the comprehensive authentication factors.
The merging may take the union, in which case the authentication factors after the union are the comprehensive authentication factors; or the merging may use the number of times each authentication factor was acquired, and take as the comprehensive authentication factors those with the largest repetition count, up to a set number.
Further, the enforcement point needs to collect the security level of the host in addition to the authentication factor of the access subject. After attacking the host, the access subject uses it as a springboard to initiate access, in the east-west direction, to resources on the same internal network as the host; it is therefore necessary to determine from the security level of the host whether the host has been compromised by the access subject, or how secure the host is, in order to comprehensively determine whether the access subject's access to the resource is safe.
Similarly, when the execution point collects the security level of the host, the collected security data for determining the security level of the host may also be different due to different states, and thus different security levels may be obtained.
Correspondingly, when the policy control center comprehensively judges each acquisition result to obtain the real security level of the host, it specifically counts the security levels in the acquisition results and takes the security level reported the most times as the real security level of the host.
When the host machine corresponds to different real security levels, different security policies are required to be used for trust evaluation, so that the accuracy of trust evaluation results and the security of resources are ensured. Therefore, the strategy control center can actively and dynamically adjust the security strategy, and the detection accuracy is improved.
Referring to fig. 2, an embodiment of the present invention further provides a security early warning method based on micro-isolation, which is applied to a policy control center in the security early warning system, and the system further includes: a policy enforcement point and a plurality of shadow enforcement points installed on the host; the shadow enforcement point is virtually derived from the policy enforcement point; the method comprises the following steps:
step 200, receiving the acquisition results respectively sent by each enforcement point; the acquisition result comprises: an authentication factor of the access subject and a security level of the host; the acquisition results sent by different enforcement points are not completely the same;
step 202, comprehensively judging each acquisition result to obtain a comprehensive verification factor representing the access subject and a real security level of the host;
step 204, adjusting a security policy according to the real security level of the host, and performing trust evaluation on the comprehensive verification factor based on the adjusted security policy to determine whether to grant the access subject access authority to the resource; and sending the decision result to the policy enforcement point, which determines according to the decision result whether to establish the access connection of the access subject to the resource.
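The following Python example is added for illustration and is not the patent's own code. It models steps 200 to 204 and the merging rules described above for a policy control center: it takes acquisition results from a policy enforcement point and its shadow enforcement points, merges the authentication factors either by union or by repetition count, takes the majority security level as the real level of the host, selects the security policy for that level and performs the trust evaluation. The factor names, the three security levels, the per-level policy (minimum number of distinct factor categories, with a "low" host level denying everything) and the sample results are all constructed assumptions; the patent does not specify them.

```python
# Added example, not from the patent. Assumptions: factors are (category, value)
# pairs; host levels are "high"/"medium"/"low"; the per-level policy is a
# minimum count of distinct factor categories, and "low" denies outright.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Factor = Tuple[str, str]  # (category, value), e.g. ("knowledge", "password")

@dataclass(frozen=True)
class AcquisitionResult:
    point_id: str                 # "pep" or a shadow enforcement point id
    auth_factors: FrozenSet[Factor]
    host_level: str               # security level this point assigned the host

# Security policy per real host level: minimum number of distinct factor
# categories required; None means deny regardless (host likely compromised).
POLICY_BY_LEVEL: Dict[str, Optional[int]] = {"high": 2, "medium": 3, "low": None}

def merge_by_union(results: List[AcquisitionResult]) -> FrozenSet[Factor]:
    """Comprehensive factors = union of what every enforcement point acquired."""
    merged = set()
    for r in results:
        merged |= r.auth_factors
    return frozenset(merged)

def merge_by_repetition(results: List[AcquisitionResult], min_repeat: int) -> FrozenSet[Factor]:
    """Comprehensive factors = those reported by at least min_repeat points
    (assumed reading of 'maximum repetition number and set number')."""
    counts = Counter(f for r in results for f in r.auth_factors)
    return frozenset(f for f, c in counts.items() if c >= min_repeat)

def real_host_level(results: List[AcquisitionResult]) -> str:
    """Step 202 for the host: the security level reported by the most points."""
    return Counter(r.host_level for r in results).most_common(1)[0][0]

def trust_evaluate(factors: FrozenSet[Factor], level: str) -> bool:
    """Step 204: apply the policy adjusted to the real host level."""
    required = POLICY_BY_LEVEL[level]
    if required is None:
        return False
    categories = {category for category, _ in factors}
    return len(categories) >= required

def decide(results: List[AcquisitionResult], merge: str = "union", min_repeat: int = 2) -> dict:
    """Steps 200-204 end to end; returns the decision sent back to the PEP."""
    if not results or len({r.point_id for r in results}) != len(results):
        raise ValueError("expected one result per distinct enforcement point")
    if merge == "union":
        factors = merge_by_union(results)
    else:
        factors = merge_by_repetition(results, min_repeat)
    level = real_host_level(results)
    return {"level": level, "factors": factors, "grant": trust_evaluate(factors, level)}

# Constructed sample: the PEP plus two shadow points whose results differ.
SAMPLE_RESULTS = [
    AcquisitionResult("pep", frozenset({("knowledge", "password"),
                                        ("possession", "certificate")}), "high"),
    AcquisitionResult("shadow-1", frozenset({("knowledge", "password"),
                                             ("possession", "certificate"),
                                             ("inherent", "fingerprint")}), "high"),
    AcquisitionResult("shadow-2", frozenset({("knowledge", "password"),
                                             ("stealth", "geo:office")}), "medium"),
]

if __name__ == "__main__":
    print(decide(SAMPLE_RESULTS))
    print(decide(SAMPLE_RESULTS, merge="repetition", min_repeat=3))
```

With the union rule the three points together yield four factor categories, so the access is granted under the "high" policy; with the repetition rule and a threshold of 3 only the password survives, one category, and the same policy denies the access. If the majority of points report the host as "low", the adjusted policy denies regardless of the factors, which is the case the text has in mind when the host itself has been compromised.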
The scheme in the embodiment and the system can be correspondingly referred to.
Corresponding to the above method embodiment, an embodiment of the present invention further provides a policy control center, including: a memory in which a computer program is stored, and a processor which, when executing the computer program, implements the method as described above.
Corresponding to the above method embodiments, an embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the computer program causes the processor to execute a mimicry quantity adjustment method in any embodiment of the present invention.
Specifically, a system or an apparatus equipped with a storage medium on which software program codes that realize the functions of any of the embodiments described above are stored may be provided, and a computer (or a CPU or MPU) of the system or the apparatus is caused to read out and execute the program codes stored in the storage medium.
In this case, the program code itself read from the storage medium can realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code constitute a part of the present invention.
Examples of the storage medium for supplying the program code include a floppy disk, a hard disk, a magneto-optical disk, optical disks (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD + RW), magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer by a communications network.
Further, it should be clear that the functions of any one of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform a part or all of the actual operations based on instructions of the program code.
Further, it is to be understood that the program code read out from the storage medium is written to a memory provided in an expansion board inserted into the computer or to a memory provided in an expansion module connected to the computer, and then a CPU or the like mounted on the expansion board or the expansion module is caused to perform part or all of the actual operations based on instructions of the program code, thereby realizing the functions of any of the embodiments described above.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an …" does not exclude the presence of other similar elements in the process, method, article, or apparatus that comprises the element.
Those of ordinary skill in the art will understand that: all or part of the steps of implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer-readable storage medium, and when executed, executes the steps including the method embodiments; and the aforementioned storage medium includes: ROM, RAM, magnetic or optical disks, etc. that can store program codes.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A micro-isolation-based security early warning system, characterized in that it comprises: a policy control center, a policy enforcement point and a plurality of shadow enforcement points, wherein the policy enforcement point and the plurality of shadow enforcement points are installed on a host machine; each shadow enforcement point is virtually derived from the policy enforcement point;
the policy enforcement point and each shadow enforcement point are each used for acquiring the authentication factor of an access subject and the security level of the host machine in response to the access subject's request for access to a resource, and for sending their respective acquisition results to the policy control center; the acquisition results sent by different enforcement points are not completely the same;
the policy control center is used for receiving the acquisition results sent by each enforcement point and judging them comprehensively to obtain a comprehensive authentication factor characterizing the access subject and the real security level of the host machine; adjusting a security policy according to the real security level of the host machine, performing trust evaluation on the comprehensive authentication factor based on the adjusted security policy to determine whether to grant the access subject access authority to the resource, and sending the determination result to the policy enforcement point, the policy enforcement point determining, according to the determination result, whether to establish the access subject's access connection to the resource.
2. The system of claim 1, wherein the state of each enforcement point is different; the state of an enforcement point is characterized by the contents of the building units included in the architecture layers forming the enforcement point; the architecture layers forming the enforcement point comprise a data layer, a software layer, a resource layer and a network layer; each architecture layer includes a plurality of building units.
3. The system of claim 2, wherein the state of each shadow enforcement point is derived by multiplying a random matrix with a state matrix generated by the policy enforcement point;
the state matrix includes 4 x n elements, wherein the element at position (i, j) represents the content of the j-th building unit in the i-th architecture layer, i is an integer in [1, 4] and j is an integer in [1, n]; n is the maximum number of building units in any architecture layer; if the i-th architecture layer has fewer than n building units, it is padded with null elements.
4. The system of claim 1, wherein the authentication factors comprise: knowledge factors, occupancy factors, intrinsic factors, and stealth properties.
5. The system according to claim 1, wherein the policy control center is specifically configured to merge the authentication factors collected by each enforcement point for the access subject, and to determine the merged authentication factors as the comprehensive authentication factor.
6. The system of any of claims 1-5, wherein the policy enforcement point receives the access subject's request for access to a resource and sends the access request to each of the shadow enforcement points.
7. The system of any of claims 1-5, wherein the policy enforcement point and each of the shadow enforcement points each receive the access subject's request for access to the resource.
8. The system of any one of claims 1-5, wherein the enforcement point is an Agent plugin.
9. A micro-isolation-based security early warning method, characterized in that the method is applied to a policy control center in a security early warning system, the system further comprising a policy enforcement point and a plurality of shadow enforcement points installed on a host; each shadow enforcement point is virtually derived from the policy enforcement point; the method comprises the following steps:
receiving the acquisition results sent by each enforcement point, an acquisition result comprising an authentication factor of the access subject and a security level of the host; the acquisition results sent by different enforcement points are not completely the same;
judging each acquisition result comprehensively to obtain a comprehensive authentication factor characterizing the access subject and the real security level of the host;
adjusting a security policy according to the real security level of the host, and performing trust evaluation on the comprehensive authentication factor based on the adjusted security policy to determine whether to grant the access subject access authority to the resource; and sending the determination result to the policy enforcement point, the policy enforcement point determining, according to the determination result, whether to establish the access subject's access connection to the resource.
10. A policy control center, comprising: a memory in which a computer program is stored, and a processor which, when executing the program, implements the method of claim 9.
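The claimed flow, as an added worked example that is not code from the patent or its assignee: it builds the 4 x n state matrix of claim 3 and derives a shadow enforcement point's state by multiplying it with a random matrix, then runs the policy control center steps of claims 1, 5 and 9 over constructed acquisition reports from one policy enforcement point and two shadow enforcement points. The integer encoding of building-unit contents (0 for a null element), the 1 to 5 host security-level scale, the union merge rule for factors, the rule that the lowest reported level is the real level, the policy adjustment of one extra factor kind per level below the maximum, and the early-warning tolerance on disagreeing host levels are all assumptions of this example, not details taken from the claims.

```python
"""Added illustration of the claimed micro-isolation early-warning flow.

Not code from the patent or its assignee. Data shapes, the integer encoding
of building units, the merge rule, the real-level rule, the policy adjustment
and the early-warning tolerance are assumptions made so the steps can run.
"""
from dataclasses import dataclass
import random

# Claims 2 and 3: four architecture layers, one row each in the 4 x n matrix.
LAYERS = ("data", "software", "resource", "network")
NULL_UNIT = 0  # assumed encoding of the "null element" used for padding


def build_state_matrix(layer_contents):
    """Claim 3: 4 x n matrix, row i = layer i, padded with null elements to n.
    layer_contents maps layer name -> list of integer codes (assumed encoding)."""
    n = max(len(units) for units in layer_contents.values())
    return [list(layer_contents[layer]) + [NULL_UNIT] * (n - len(layer_contents[layer]))
            for layer in LAYERS]


def matmul(a, b):
    """Plain integer matrix product, so the example needs no numpy."""
    inner = len(b)
    if any(len(row) != inner for row in a):
        raise ValueError("inner dimensions do not match")
    return [[sum(a[i][k] * b[k][j] for k in range(inner)) for j in range(len(b[0]))]
            for i in range(len(a))]


def derive_shadow_state(state_matrix, seed):
    """Claim 3: shadow state = random matrix x policy enforcement point state.
    A 4 x 4 random matrix keeps the 4 x n shape (one row per layer); the seed
    only makes the example repeatable."""
    rng = random.Random(seed)
    rand = [[rng.randint(1, 9) for _ in range(4)] for _ in range(4)]
    return matmul(rand, state_matrix)


@dataclass
class Acquisition:
    """One enforcement point's report (claim 1): factors seen plus host level."""
    point: str
    factors: dict       # factor kind (claim 4) -> set of observed values
    host_level: int     # assumed scale 1 (least secure) .. 5 (most secure)


def merge_factors(acquisitions):
    """Claim 5: the comprehensive factor is the merge of every point's factors."""
    merged = {}
    for acq in acquisitions:
        for kind, values in acq.factors.items():
            merged.setdefault(kind, set()).update(values)
    return merged


def real_host_level(acquisitions):
    """Assumed rule: take the most conservative (lowest) reported level, so no
    single enforcement point can inflate the host's standing."""
    return min(acq.host_level for acq in acquisitions)


def adjust_policy(base_policy, real_level):
    """Claim 1: tighten the policy as the real level drops. Assumed rule: one
    extra factor kind is required per level below the maximum."""
    extra = base_policy["max_level"] - real_level
    return {**base_policy,
            "required_factor_kinds": base_policy["required_factor_kinds"] + extra}


def decide(acquisitions, base_policy, level_tolerance=1):
    """Claim 9 as a pipeline: merge, judge the real level, adjust, evaluate.
    early_warning (assumed) fires when points disagree about the host level by
    more than level_tolerance: reports are expected to differ somewhat, but a
    wide gap is worth flagging to operators rather than silently resolving."""
    merged = merge_factors(acquisitions)
    level = real_host_level(acquisitions)
    policy = adjust_policy(base_policy, level)
    present_kinds = sum(1 for values in merged.values() if values)
    levels = [acq.host_level for acq in acquisitions]
    return {
        "grant": present_kinds >= policy["required_factor_kinds"],
        "real_level": level,
        "required_kinds": policy["required_factor_kinds"],
        "present_kinds": present_kinds,
        "early_warning": max(levels) - min(levels) > level_tolerance,
    }


# Constructed sample data for this example.
BASE_POLICY = {"required_factor_kinds": 2, "max_level": 5}
PEP_STATE = build_state_matrix(
    {"data": [3, 1], "software": [7], "resource": [2, 5], "network": [9, 4]})
_POINTS = ("pep", "shadow-1", "shadow-2")
_FACTORS = [{"knowledge": {"password"}, "occupancy": {"otp-token"}},
            {"knowledge": {"password"}, "intrinsic": {"fingerprint"}},
            {"occupancy": {"otp-token"}, "stealth": {"typing-rhythm"}}]
SAMPLE_CONSISTENT = [Acquisition(p, f, 4) for p, f in zip(_POINTS, _FACTORS)]
SAMPLE_DIVERGENT = [Acquisition(p, f, lvl)
                    for p, f, lvl in zip(_POINTS, _FACTORS, (4, 4, 2))]

if __name__ == "__main__":
    print("shadow state:", derive_shadow_state(PEP_STATE, seed=1))
    print("consistent:", decide(SAMPLE_CONSISTENT, BASE_POLICY))  # grant
    print("divergent:", decide(SAMPLE_DIVERGENT, BASE_POLICY))    # deny + warning
```

With all three points reporting level 4 the merged factors span four kinds against a required three, so access is granted; when one shadow point reports level 2, the real level drops to 2, the adjusted policy demands five kinds, access is denied, and the level gap raises the early warning.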

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210412948.2A CN114760136B (en) 2022-04-20 2022-04-20 Safety early warning system and method based on micro-isolation

Publications (2)

Publication Number Publication Date
CN114760136A true CN114760136A (en) 2022-07-15
CN114760136B CN114760136B (en) 2024-03-08

Family

ID=82330317

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210412948.2A Active CN114760136B (en) 2022-04-20 2022-04-20 Safety early warning system and method based on micro-isolation

Country Status (1)

Country Link
CN (1) CN114760136B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100037304A1 (en) * 2008-08-05 2010-02-11 International Business Machines Corporation User-centric resource architecture
CN101867569A (en) * 2009-04-20 2010-10-20 惠普开发有限公司 Policy provisioning
CN111464487A (en) * 2019-01-22 2020-07-28 华为技术有限公司 Access control method, device and system
CN113132326A (en) * 2019-12-31 2021-07-16 华为技术有限公司 Access control method, device and system
CN113507462A (en) * 2021-07-05 2021-10-15 中国联合网络通信集团有限公司 Zero-trust data monitoring and early warning method, device, system and storage medium
CN114338701A (en) * 2021-12-29 2022-04-12 四川启睿克科技有限公司 Block chain-based zero-trust system and access method for Internet of things

Also Published As

Publication number Publication date
CN114760136B (en) 2024-03-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant