CN115208597B - Abnormal equipment determining method, device, equipment and computer storage medium - Google Patents


Info

Publication number
CN115208597B
Authority
CN
China
Prior art keywords
field
fields
devices
zero
trust network
Prior art date
Legal status
Active
Application number
CN202110384537.2A
Other languages
Chinese (zh)
Other versions
CN115208597A (en)
Inventor
高琛
刘冬岩
徐金阳
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Liaoning Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Liaoning Co Ltd
Priority date
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Liaoning Co Ltd
Priority to CN202110384537.2A
Publication of CN115208597A
Application granted
Publication of CN115208597B
Legal status: Active
Anticipated expiration

Classifications

    • H04L 63/0428 — Network security; confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication; H04L 63/00: Network architectures or network communication protocols for network security; H04L 63/04: providing a confidential data exchange)
    • G06F 21/44 — Program or device authentication (G: Physics; G06: Computing, calculating or counting; G06F: Electric digital data processing; G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F 21/30: Authentication, i.e. establishing the identity or authorisation of security principals)
    • G06F 21/602 — Providing cryptographic facilities or services (G06F 21/60: Protecting data)
    • G06F 40/289 — Phrasal analysis, e.g. finite state techniques or chunking (G06F 40/00: Handling natural language data; G06F 40/20: Natural language analysis; G06F 40/279: Recognition of textual entities)
    • G06N 3/08 — Learning methods (G06N: Computing arrangements based on specific computational models; G06N 3/00: Computing arrangements based on biological models; G06N 3/02: Neural networks)
    • H04L 63/10 — Network security; controlling access to devices or network resources
    • H04L 63/1416 — Event detection, e.g. attack signature detection (H04L 63/14: detecting or protecting against malicious traffic; H04L 63/1408: by monitoring network traffic)
    • H04L 63/1425 — Traffic logging, e.g. anomaly detection (H04L 63/14; H04L 63/1408)

Abstract

The application discloses a method, apparatus, device and computer storage medium for determining an abnormal device. The method comprises the following steps: sending a plurality of first fields to different devices in a first device set; decrypting the plurality of encrypted fields to generate a plurality of verification fields; splicing the plurality of verification fields into a second field; comparing the second field with the target field to determine the credibility of a fourth device set; updating any device except the second device to be the second device, and updating any device except the updated second device to be the third device; returning to sending the plurality of first fields to different devices in the first device set, so as to obtain the credibility of a plurality of fourth device sets; and screening all fourth device sets whose credibility is lower than a second preset threshold to determine the abnormal device. By adopting the scheme of the embodiment of the application, the abnormal device can be determined, so that it can be rectified and guarded against, and loss to users caused by access errors is avoided.

Description

Abnormal equipment determining method, device, equipment and computer storage medium
Technical Field
The application belongs to the technical field of network security, and particularly relates to a method, a device, equipment and a computer storage medium for determining abnormal equipment.
Background
With the growing popularity of the Internet, cloud-based and remote working have become the norm, and zero-trust networks have developed rapidly worldwide; they are mainly used to solve the problem of remote access to applications, replacing the traditional remote-access virtual private network. With the future development of fifth-generation mobile communication and Internet of Things technology, zero-trust networks will certainly be applied more widely. Compared with traditional network security measures, a zero-trust network focuses more on creating an encrypted, fully closed data access channel, based on a proprietary protocol, from the user side to the application side.
At present, in order to ensure the access security of the application side so that only legitimate users can access it, zero-trust devices enforce a verify-before-connect model: the identity of a device or user is verified through a lightweight security protocol before the network is allowed to access the relevant system components, the information of a connection request is encrypted and verified within a single network message, and protected services are made invisible to the outside by configuring a default-drop firewall policy. All users are granted access to a service only after authentication and authorization.
However, in a fully closed internal network considered from the zero-trust standpoint, even if the device at the user side works normally, any device in the internal network may, as soon as it suffers a network security problem, cause access errors and give rise to security problems.
Disclosure of Invention
The embodiment of the application provides a method, a device, equipment and a computer storage medium for determining abnormal equipment, which can at least solve the problem of access error caused by potential safety hazard of equipment in a zero trust network in the prior art.
In a first aspect, an embodiment of the present application provides a method for determining an abnormal device, where the method is applied to a zero-trust network, where the zero-trust network includes a first device set, a second device and a third device, where the second device is any device in the zero-trust network, and the third device is any device in the zero-trust network except for the second device, and the first device set includes all devices in the zero-trust network except for the second device and the third device, where the method includes:
the second device sends a plurality of first fields to different devices in the first device set, so that the different devices in the first device set encrypt the received first fields according to an encryption mode corresponding to a target field in a preset field table to generate a plurality of encrypted fields, the target field is disassembled to obtain the plurality of first fields, the number of the first fields is not less than three and not more than the total number of the devices in the first device set, and each first field corresponds to different devices in the first device set one by one;
The third device decrypts the plurality of encrypted fields sent by different devices in the first device set to generate a plurality of verification fields;
the third device concatenates the plurality of verification fields into a second field;
the third device compares the second field with the target field to determine the credibility of a fourth device set, wherein the fourth device set comprises the second device, the third device and all devices for encrypting the subfields;
updating any device except the second device in the zero trust network to be the second device, and updating any device except the updated second device in the zero trust network to be the third device;
returning, with the updated second device and the updated third device, to the step in which the second device sends a plurality of first fields to different devices in the first device set, until the number of updates reaches a first preset threshold, so as to obtain the credibility of a plurality of fourth device sets;
and screening all fourth equipment sets with the credibility lower than a second preset threshold value to determine abnormal equipment.
In an alternative embodiment, the third device compares the second field with the target field, and determines the credibility of the fourth device set, which specifically includes:
inputting the second field into a trained long short-term memory (LSTM) model to obtain a plurality of first class labels;
matching the plurality of first class labels with a plurality of second class labels one by one, and determining the matching degree, wherein the second class labels are labels obtained by extracting keywords of the target field and classifying the keywords;
and taking the matching degree as the credibility.
In an alternative embodiment, before said inputting the second field into the trained LSTM model, the method further comprises:
inputting all the fields in the preset field table and third class labels into an LSTM model, and training the LSTM model to obtain the trained LSTM model, wherein the third class labels are labels obtained by extracting keywords of all the fields in the preset field table and classifying those keywords.
In an alternative embodiment, the third device compares the second field with the target field to determine the trustworthiness of a fourth device set, including:
Converting the second field into a first field set and converting the target field into a second field set;
comparing the fields in the first field set with the fields in the second field set one by one using the Jaccard similarity coefficient, and determining the similarity;
and taking the similarity as the credibility.
In an alternative embodiment, the third device compares the second field with the target field to determine the trustworthiness of a fourth device set, including:
converting the second field into a third field having the same format as the target field;
calculating the Euclidean distance between the third field and the target field;
and comparing the Euclidean distance with a third preset threshold value to determine the credibility.
In an alternative embodiment, the method further comprises:
the same preset field table is established for all the devices in the zero trust network, wherein the preset field table comprises time periods, fields and encryption modes, different time periods correspond to different fields, and different fields correspond to different encryption modes.
In a second aspect, an embodiment of the present application provides an abnormal device determining apparatus, where the apparatus is applied to a zero-trust network, where the zero-trust network includes a first device set, a second device and a third device, where the second device is any device in the zero-trust network, and the third device is any device in the zero-trust network except for the second device, and the first device set includes all devices in the zero-trust network except for the second device and the third device, where the apparatus includes:
The second device is configured to send a plurality of first fields to different devices in the first device set, so that the different devices in the first device set encrypt the received first fields according to an encryption mode corresponding to a target field in a preset field table, and generate a plurality of encrypted fields, wherein the plurality of first fields are obtained by disassembling the target field, the number of the first fields is not less than three and not more than the total number of devices in the first device set, and each first field corresponds to different devices in the first device set one by one;
the third device is used for decrypting the plurality of encrypted fields sent by different devices in the first device set to generate a plurality of verification fields;
a third device for concatenating the plurality of verification fields into a second field;
a third device for comparing the second field with the target field, determining the trustworthiness of a fourth device set, the fourth device set including the second device, the third device, and all devices encrypting the subfields;
the updating module is used for updating any device except the second device in the zero trust network into the second device and updating any device except the updated second device in the zero trust network into the third device;
a sending module, configured to return, with the updated second device and the updated third device, to sending a plurality of first fields to different devices in the first device set, until the number of updates reaches a first preset threshold, so as to obtain the credibility of a plurality of fourth device sets;
and the screening module is used for screening all the fourth equipment sets with the credibility lower than a second preset threshold value and determining abnormal equipment.
In an alternative embodiment, the third device specifically includes:
an input sub-module, configured to input the second field into a trained long short-term memory (LSTM) model to obtain a plurality of first class labels;
the matching sub-module is used for matching the plurality of first class labels with the plurality of second class labels one by one, determining the matching degree, wherein the second class labels are labels obtained by extracting keywords of the target field and classifying the keywords;
and the first determining submodule is used for taking the matching degree as the credibility.
In a third aspect, an embodiment of the present application provides an electronic device, including: a processor and a memory storing computer program instructions;
The processor, when executing the computer program instructions, implements the abnormal device determination method as shown in any embodiment of the first aspect.
In a fourth aspect, embodiments of the present application provide a computer storage medium having stored thereon computer program instructions which, when executed by a processor, implement the abnormal device determination method shown in any one of the embodiments of the first aspect.
According to the abnormal device determining method, apparatus, device and computer storage medium, the target field is disassembled, encrypted, decrypted and spliced through information interaction among a plurality of devices in the zero-trust network, the resulting second field is compared with the target field, and the credibility of a fourth device set is determined. Through repeated information interaction among the devices in the zero-trust network, the credibility of a plurality of fourth device sets is determined, and all fourth device sets whose credibility is lower than a second preset threshold are screened, so that the abnormal device can be determined, staff can rectify and guard against it, and loss caused by access errors is avoided.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described, and it is possible for a person skilled in the art to obtain other drawings according to these drawings without inventive effort.
FIG. 1 is a flow diagram illustrating a method of abnormal device determination according to an exemplary embodiment;
FIG. 2 is a flow chart illustrating another abnormal device determination method according to an exemplary embodiment;
FIG. 3 is a flowchart illustrating yet another abnormal device determination method according to an exemplary embodiment;
FIG. 4 is a schematic structural view of an abnormal device determination apparatus according to an exemplary embodiment;
FIG. 5 is a schematic diagram of an electronic device according to an exemplary embodiment.
Detailed Description
Features and exemplary embodiments of various aspects of the present application are described in detail below to make the objects, technical solutions and advantages of the present application more apparent, and to further describe the present application in conjunction with the accompanying drawings and the detailed embodiments. It should be understood that the specific embodiments described herein are intended to be illustrative of the application and are not intended to be limiting. It will be apparent to one skilled in the art that the present application may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the present application by showing examples of the present application.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
Fig. 1 is a schematic flow chart of a method for determining an abnormal device according to an embodiment of the present application.
As shown in fig. 1, the abnormal device determining method is applied to a zero-trust network, where the zero-trust network includes a first device set, a second device and a third device, and specifically may include the following steps:
S110, the second device sends a plurality of first fields to different devices in the first device set, so that the different devices in the first device set encrypt the received first fields according to the encryption mode corresponding to the target field in the preset field table, and a plurality of encrypted fields are generated;
S120, the third device decrypts the plurality of encrypted fields sent by the different devices in the first device set to generate a plurality of verification fields;
S130, the third device splices the verification fields into a second field;
S140, the third device compares the second field with the target field to determine the credibility of the fourth device set;
S150, any device except the second device in the zero-trust network is updated to be the second device, and any device except the updated second device in the zero-trust network is updated to be the third device;
S160, with the updated second device and the updated third device, return to the second device sending a plurality of first fields to different devices in the first device set, until the number of updates reaches a first preset threshold, so as to obtain the credibility of a plurality of fourth device sets;
S170, screen all fourth device sets whose credibility is lower than a second preset threshold to determine the abnormal device.
Therefore, multiple suspicious device groups are determined through multiple information interaction among multiple devices in the zero trust network, then the multiple suspicious device groups are screened, abnormal devices are determined, the abnormal devices can be rectified and prevented, and loss caused by access errors of users is avoided.
The following describes the above steps in detail, as follows:
regarding S110, in the embodiment of the present application, the zero-trust network may include a first device set, a second device and a third device, where the second device may be any device in the zero-trust network, and the third device may be any device in the zero-trust network except for the second device, and the first device set may include all devices in the zero-trust network except for the second device and the third device. The plurality of first fields can be obtained by disassembling the target field, the number of the first fields is not less than three and not more than the total number of devices in the first device set, and each first field corresponds to different devices in the first device set one by one.
For example, in an internal network there are multiple devices, device 1 to device n. The second device may be device 1, the third device may be device 2, and the first device set may include device 3 to device n. Device 1 draws a random number, which should be greater than 2 and less than or equal to (n-2); assuming the random number is 5, device 1 may disassemble a target field, such as field 1, into 5 first fields and send the 5 first fields to any 5 devices among device 3 to device n (assuming n is greater than or equal to 7), each device receiving only 1 first field. The 5 devices that receive the first fields encrypt them according to encryption mode 1, which corresponds to field 1 in the preset field table, so as to generate 5 encrypted fields.
With respect to S120, the verification field may be a field resulting from decrypting the encrypted field, which may be used to splice into a second field. For example, the 5 devices that receive the first field send the encrypted 5 encrypted fields to device 2, and device 2 decrypts the received 5 encrypted fields to obtain 5 verification fields.
With respect to S130, the second field may be a field spliced from a plurality of verification fields, which may be used to compare with the target field to determine the trustworthiness of the fourth set of devices. For example, the device 2 decrypts the received 5 encrypted fields to obtain 5 verification fields, and then concatenates the 5 verification fields to obtain the second field.
With respect to S140, the fourth device set may include the second device, the third device, and all devices encrypting the sub-fields. For example, device 2 determines the trustworthiness of device 1, device 2, and the 5 devices encrypting the 5 first fields by comparing the second field to field 1.
In an alternative embodiment, S140 may specifically include:
inputting the second field into a trained long short-term memory (LSTM) model to obtain a plurality of first class labels;
Matching the plurality of first class labels with the plurality of second class labels one by one to determine the matching degree;
and taking the matching degree as the credibility.
Here, the first class labels may be labels corresponding to the second field, and the second class labels may be labels obtained by extracting keywords of the target field and classifying them; the second class labels are used to match the first class labels and determine the matching degree. The trained LSTM model may be a model that outputs the corresponding first class labels when given the second field as input.
In a specific example, the second field is input into the trained LSTM model to obtain a plurality of first class labels; keywords of field 1 are extracted and classified to obtain a plurality of second class labels; the first class labels and the second class labels are matched one by one, and each time a first class label and a second class label match successfully, a counter is incremented by 1. After all labels have been compared, a count value is obtained, the matching degree is calculated by the matching degree formula, and the matching degree is used as the credibility of the fourth device set. The matching degree formula is as follows:
C = count / key size
where C is the matching degree of the plurality of first class labels and the plurality of second class labels, count is the number of successful matches between first class labels and second class labels, and key size is the total number of second class labels.
In this way, the matching degree is determined by matching the category labels of the second field and the target field, so that whether the devices in the fourth device set are trusted or not can be conveniently determined.
Based on this, in an alternative embodiment, before inputting the second field into the trained LSTM model, the method further comprises:
inputting all fields in the preset field table and the third class labels into the LSTM model, and training the LSTM model to obtain the trained LSTM model.
Here, the third category label may be a label obtained by extracting keywords of all fields in the preset field table and classifying the keywords of all fields, and the third category label may be used for training the LSTM model. The trained LSTM model may be used to output a plurality of first class labels corresponding to the entered second field.
In a specific example, all fields in the preset field table and the corresponding third category labels may be input into the LSTM model, and the LSTM model may be trained.
Therefore, after the LSTM model is trained, a plurality of first class labels corresponding to the second field can be identified by using the trained LSTM model, so that the LSTM model can be matched with the second class labels conveniently.
In another alternative embodiment, S140 may specifically further include:
converting the second field into a first field set and converting the target field into a second field set;
comparing the fields in the first field set with the fields in the second field set one by one using the Jaccard similarity coefficient, and determining the similarity;
the similarity is taken as the credibility.
Here, the first field set may be a field set obtained by converting the format of the second field, and the second field set may be a field set obtained by converting the format of the target field; the fields in the two sets are compared one to one to determine the similarity. The Jaccard similarity coefficient is mainly used to calculate the similarity between individuals described by symbolic or Boolean measurements. Because such feature attributes are marked by symbols or Boolean values, the magnitude of a difference cannot be measured and only a "same or not" result is obtained, so the Jaccard similarity coefficient is concerned only with whether the features shared between individuals are consistent. The similarity, that is, the credibility of the fourth device set, is determined from the ratio of the number of identical fields in the two sets to the total number of fields in the second field set.
In a specific example, the second field may be converted into the first field set and field 1 into the second field set; the fields in the two sets are compared one by one using the Jaccard similarity coefficient, and the similarity, that is, the credibility of the fourth device set, is determined from the ratio of the number of identical fields in the two sets to the total number of fields in the second field set.
In this way, by comparing the fields in the sets one to one by the Jaccard similarity coefficient, it can be determined whether the devices in the fourth device set are trusted.
In addition, in an alternative embodiment, S140 may specifically further include:
converting the second field into a third field having the same format as the target field;
calculating the Euclidean distance between the third field and the target field;
and comparing the Euclidean distance with a third preset threshold value to determine the credibility.
Here, the third field may be the second field converted into the same format as the target field, and is used to calculate the Euclidean distance between the third field and the target field. The third preset threshold may be a threshold set according to the rules and encryption modes of the preset field table, and is compared with the calculated Euclidean distance to determine the credibility of the fourth device set.
In a specific example, the second field is brought into the standardized format defined for the preset field table, that is, the second field is converted, by dimension standardization, into a third field with the same format as field 1 (a standardized value), and the Euclidean distance between the third field and field 1 is calculated.
The Euclidean distance is calculated as follows:
wherein E is Euclidean distance, n is field number, x 1k For the value before normalization, x 2k Is the mean value of the components, s k Is the standard deviation of the components.
In this way, by comparing the Euclidean distance with a third preset threshold, it can be determined whether the devices in the fourth set of devices are trusted.
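The two comparison variants just described, the Jaccard-style set ratio and the threshold on a standardized Euclidean distance, worked through as example code added here for illustration; it is not the patent's implementation. The 4-character chunk width used to turn a field into a set, the encoding of a field as a vector of byte values, the use of the preset field table's per-position mean and standard deviation in the roles of $x_{2k}$ and $s_k$, and the sample threshold of 3.0 are all assumptions the text does not fix. The three-row table in the usage section is constructed.

```python
"""Two of the field-comparison variants described in the text: the Jaccard-
style set ratio and a threshold on the standardized Euclidean distance."""
import math
import statistics
from typing import Iterable

CHUNK = 4  # assumed width of one sub-field when a field is turned into a set


def to_field_set(field: str, width: int = CHUNK) -> set[str]:
    """Format conversion: a field becomes a set of position-tagged chunks.
    The "0:", "1:", ... tag means a chunk spliced into the wrong slot does
    not count as present."""
    return {f"{i // width}:{field[i:i + width]}" for i in range(0, len(field), width)}


def patent_ratio(second_set: set[str], target_set: set[str]) -> float:
    """Credibility as defined in the text: fields common to both sets divided
    by the total number of fields in the target-side (second) field set."""
    return len(second_set & target_set) / len(target_set)


def jaccard(a: set[str], b: set[str]) -> float:
    """Textbook Jaccard coefficient |A & B| / |A | B|, for contrast: it also
    penalises extra or misplaced chunks in the reassembled field."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def set_credibility(second: str, target: str) -> float:
    return patent_ratio(to_field_set(second), to_field_set(target))


# --- Euclidean-distance variant ------------------------------------------

def column_stats(fields: Iterable[str]) -> list[tuple[float, float]]:
    """Per-position mean and population standard deviation over the fields of
    the preset field table (the roles of x_2k and s_k). A zero deviation is
    replaced by 1.0 so a constant position does not divide by zero."""
    columns = list(zip(*(f.encode() for f in fields)))
    return [(statistics.fmean(c), statistics.pstdev(c) or 1.0) for c in columns]


def standardize(field: str, stats: list[tuple[float, float]]) -> list[float]:
    """Dimension standardization: (x_1k - x_2k) / s_k per byte position."""
    return [(b - m) / s for b, (m, s) in zip(field.encode(), stats)]


def euclidean(a: list[float], b: list[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def distance_credibility(second: str, target: str,
                         stats: list[tuple[float, float]],
                         threshold: float) -> tuple[float, bool]:
    """Returns (distance, trusted); trusted when the distance between the two
    standardized fields is below the third preset threshold. A field of the
    wrong length (truncated or padded sub-fields) is never trusted."""
    if len(second) != len(target):
        return math.inf, False
    d = euclidean(standardize(second, stats), standardize(target, stats))
    return d, d < threshold


if __name__ == "__main__":
    table = ["ABCDEFGH", "IJKLMNOP", "QRSTUVWX"]  # constructed stand-in for Table 1
    target, intact, damaged = table[0], "ABCDEFGH", "ABCDXXXX"
    print(set_credibility(intact, target), set_credibility(damaged, target))  # 1.0 0.5
    stats = column_stats(table)
    print(distance_credibility(intact, target, stats, 3.0))  # (0.0, True)
    print(distance_credibility(damaged, target, stats, 3.0))
```

With the constructed table, the set ratio gives 1.0 for an intact field and 0.5 for one whose second half was corrupted, and the Euclidean variant gives a zero distance (trusted) for the intact field. Tagging each chunk with its position is the design choice worth noting: without it, sub-fields spliced together in the wrong order would still form the same set and score as fully credible.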
With regard to S150, the second device and the third device are updated to other devices. For example, if device 1 was originally the second device and device 2 the third device, device 2 may now be updated to be the second device and device 3 to be the third device, so as to determine a new fourth device set.
With regard to S160, S110 to S150 are performed again on the basis of the updated second device and third device until the number of updates reaches the first preset threshold, at which point the credibility of a plurality of fourth device sets has been obtained. For example, when the number of updates reaches 5, the credibility of 5 fourth device sets is obtained.
Regarding S170, an abnormal device is a device determined to be abnormal; all fourth device sets whose credibility is lower than the second preset threshold are input into a preset screening model for screening, so as to determine the abnormal devices. Because the devices interact frequently, a large number of different groups of suspicious devices, i.e. fourth device sets, are generated, and the abnormal devices are found by screening these groups.
In addition to S110-S170 above, in one possible embodiment, as shown in fig. 2, the method may further include:
S100, establishing the same preset field table for all devices in the zero trust network.
Here, the preset field table includes time periods, fields and encryption modes, where different time periods correspond to different fields and different fields correspond to different encryption modes.
In a specific example, as shown in Table 1, if the access operation is performed at 05:00, the target field disassembled by the second device is Field 2, and the encryption mode adopted by the devices in the first device set that receive a first field is Encryption mode 2. In actual use a smaller time interval, such as 5 seconds or 10 seconds, may be used. Since every device resolves the current field from its own clock, the devices' clocks must agree to within the length of a time period, and the 5- or 10-second intervals mentioned here leave little margin at the boundary between two periods.
TABLE 1 Preset field table

Time period    Field      Encryption mode
00:00-03:59    Field 1    Encryption mode 1
04:00-07:59    Field 2    Encryption mode 2
08:00-11:59    Field 3    Encryption mode 3
12:00-15:59    Field 4    Encryption mode 4
16:00-19:59    Field 5    Encryption mode 5
20:00-23:59    Field 6    Encryption mode 6

Therefore, different time periods in the preset field table correspond to different fields and different fields to different encryption modes, which makes the detection process less predictable and the detection result more reliable.
To better describe the entire scheme, based on the above embodiments, as a specific example, as shown in fig. 3, the abnormal device determination method may include S301 to S303, which will be explained in detail below.
S301, establishing rules.
Specifically, an internal network contains a plurality of devices, devices 1 to n, all of which communicate with the outside; after receiving an external request, any device can access other devices once it has passed authentication. In the authentication process a rule is first established: a preset field table is set up on each device, in which different time periods correspond to different fields and different fields correspond to different encryption modes, as shown in Table 1. In practical use a shorter time interval, such as 5 seconds or 10 seconds, may be used.
S302, equipment authentication.
Specifically, device authentication can be divided into three processes: field disassembly, field splicing and field comparison.
First, field disassembly. Assume that device 1, i.e. the second device, needs to access device 2, i.e. the third device. A random number greater than 2 and not greater than n-2 is drawn, and the field corresponding to the current moment, i.e. the target field, is disassembled into that number of sub-fields, i.e. the first fields.
Second, field splicing. Device 1 randomly transmits the sub-fields to devices in the internal network other than devices 1 and 2, ensuring that each sub-field goes to a different device; each receiving device encrypts its sub-field with the corresponding encryption mode and forwards it to device 2. Device 2 decrypts all received sub-fields and splices them into a verification field, i.e. the second field, and compares it with the target field in the preset field table to determine the credibility of all devices that took part in the authentication, i.e. the fourth device set. A fourth device set whose credibility is lower than the second preset threshold is taken as a suspicious device group.
S303, screening equipment.
Specifically, because the devices interact frequently, a large number of different suspicious device groups, that is, fourth device sets with credibility lower than the second preset threshold, are generated, and the abnormal devices can then be found by screening these groups.
In practical use, a common attack such as domain name hijacking resolves a host's domain name resolution request to an incorrect Internet Protocol (IP) address, so that the user cannot normally access the target website; the incorrect IP address points to a phishing website, a Trojan website or the like, threatening the user's privacy and property.
With the abnormal device determination method, a hijacked device cannot directly feed back the correct second field, so its number of errors keeps growing as the interaction continues and it can be screened out through multiple rounds of screening. At the same time, following the zero trust principle, every in-network device is screened, the screening process is completely random, and a hijacked device cannot obtain access rights through authentication, which improves the security of the zero trust network.
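The whole flow of S301 to S303, together with the time-period lookup of Table 1 from S100, run end to end as a simulation. This is example code added here for illustration, not the patent's implementation: the six-row field table, the single-byte XOR "encryption modes", the way a hijacked device misbehaves (it is assumed to hold a shifted copy of the preset field table, so every field it disassembles and every key it encrypts or decrypts with is wrong), the position-match credibility score and the screening rule are all assumptions; the eight-device fleet is constructed.

```python
"""Simulation of the authentication rounds of S301-S303: a sender disassembles
the field for the current time period, random peers encrypt the sub-fields with
that period's scheme, the verifier reassembles and scores, and the suspicious
groups collected over several rounds are screened for the abnormal device."""
import random
from dataclasses import dataclass

# Constructed stand-in for Table 1: period -> (field, xor key). The fields are
# built so that any two of them differ at every position, so a device that
# looks up the wrong row produces a field that scores 0 against the right one.
FIELD_TABLE = [("".join(chr(ord("A") + (p + j) % 6) for j in range(16)), 0x21 + p)
               for p in range(6)]


def slot_for(hour: int) -> int:
    return hour // 4  # 00-03 -> Field 1, 04-07 -> Field 2, ... as in Table 1


def xor_scheme(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)  # toy symmetric scheme: encrypt == decrypt


@dataclass
class Device:
    name: str
    hijacked: bool = False

    def table(self, slot: int) -> tuple[str, int]:
        # Assumption: a hijacked device holds a shifted copy of the table, so
        # every field it disassembles and every key it uses is the wrong one.
        return FIELD_TABLE[(slot + 1) % 6] if self.hijacked else FIELD_TABLE[slot]


def disassemble(target: str, k: int) -> list[str]:
    """Split the target field into k sub-fields of (nearly) equal length."""
    step, rem = divmod(len(target), k)
    out, i = [], 0
    for n in range(k):
        size = step + (1 if n < rem else 0)
        out.append(target[i:i + size])
        i += size
    return out


def credibility(second: str, target: str) -> float:
    """Position-wise match ratio of the reassembled field against the target."""
    if len(second) != len(target):
        return 0.0
    return sum(a == b for a, b in zip(second, target)) / len(target)


def run_round(sender: Device, verifier: Device, encryptors: list[Device],
              slot: int) -> tuple[frozenset[str], float]:
    """One authentication; returns (fourth device set, credibility)."""
    target_s, _ = sender.table(slot)
    subfields = disassemble(target_s, len(encryptors))        # field disassembly
    encrypted = []
    for dev, sub in zip(encryptors, subfields):               # one sub-field per device
        _, key = dev.table(slot)
        encrypted.append(xor_scheme(sub.encode(), key))
    _, vkey = verifier.table(slot)                            # field splicing
    second = "".join(xor_scheme(c, vkey).decode("latin-1") for c in encrypted)
    # Scored against the real table (an oracle view for the simulation; in the
    # protocol the verifier compares against its own copy).
    true_target, _ = FIELD_TABLE[slot]
    group = frozenset(d.name for d in [sender, verifier, *encryptors])
    return group, credibility(second, true_target)


def screen(records, second_threshold: float) -> set[str]:
    """Screening rule (assumption): a device is abnormal when every group it
    took part in fell below the threshold. Honest devices, chosen at random,
    eventually land in a clean group; a hijacked one never does."""
    seen, clean = set(), set()
    for group, cred in records:
        seen |= group
        if cred >= second_threshold:
            clean |= group
    return seen - clean


def run_protocol(devices: list[Device], rounds: int, hour: int,
                 second_threshold: float = 0.9, seed: int = 0) -> tuple[set[str], int]:
    """S110-S170: rotate sender/verifier each round, draw a random number of
    random encryptors from the remaining devices, collect the groups, then
    screen. Returns (abnormal devices, number of suspicious groups)."""
    rng = random.Random(seed)
    n, slot, records = len(devices), slot_for(hour), []
    for r in range(rounds):
        sender, verifier = devices[r % n], devices[(r + 1) % n]   # S150 update
        first_set = [d for d in devices if d not in (sender, verifier)]
        k = rng.randint(3, len(first_set))                        # 3 <= k <= n-2
        encryptors = rng.sample(first_set, k)                     # distinct receivers
        records.append(run_round(sender, verifier, encryptors, slot))
    suspicious = sum(1 for _, c in records if c < second_threshold)
    return screen(records, second_threshold), suspicious


if __name__ == "__main__":
    fleet = [Device(f"dev{i}", hijacked=(i == 4)) for i in range(1, 9)]  # constructed
    abnormal, groups = run_protocol(fleet, rounds=40, hour=5)
    print(f"{groups} suspicious groups; abnormal: {sorted(abnormal)}")
```

A group containing the hijacked device never reaches credibility 0.9, because the wrong key or wrong field corrupts at least one whole sub-field, so after enough rounds that device is the one never seen in a clean group. With the rotation above every device acts as sender and as verifier once every eight rounds, so the hijacked device takes part at least that often whatever the random selection does.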
Based on the same inventive concept, the application also provides an abnormal equipment determining device. The abnormal device determination apparatus provided in the embodiment of the present application is described in detail below with reference to fig. 4.
Fig. 4 is a block diagram showing a configuration of an abnormal device determination apparatus according to an exemplary embodiment.
As shown in fig. 4, the abnormal device determining apparatus is applied to a zero-trust network, where the zero-trust network includes a first device set, a second device and a third device, the second device is any device in the zero-trust network, the third device is any device except the second device in the zero-trust network, the first device set includes all devices except the second device and the third device in the zero-trust network, and the abnormal device determining apparatus may include:
the second device 401 is configured to send a plurality of first fields to different devices in the first device set, so that the different devices in the first device set encrypt the received first fields according to an encryption manner corresponding to a target field in a preset field table, and generate a plurality of encrypted fields, where the plurality of first fields are obtained by disassembling the target field, and the number of the first fields is not less than three and not more than the total number of devices in the first device set, and each first field corresponds to different devices in the first device set one by one;
A third device 402, configured to decrypt a plurality of encrypted fields sent by different devices in the first device set, and generate a plurality of verification fields;
a third device 402 for concatenating the plurality of verification fields into a second field;
a third device 402, configured to compare the second field with the target field, and determine the trustworthiness of a fourth device set, where the fourth device set includes the second device, the third device, and all devices that encrypt the sub-fields;
an updating module 403, configured to update any device in the zero-trust network other than the second device to the second device, and update any device in the zero-trust network other than the updated second device to the third device;
a sending module 404, configured to return, for the updated second device and the updated third device, to the step in which the second device sends the plurality of first fields to different devices in the first device set, until the number of updates reaches a first preset threshold, so as to obtain the credibility of a plurality of fourth device sets;
and a screening module 405, configured to screen all the fourth device sets with the reliability lower than the second preset threshold, and determine an abnormal device.
In one embodiment, the third device 402 may specifically include:
an input sub-module for inputting the second field into a trained long short-term memory (LSTM) model to obtain a plurality of first class labels;
the matching sub-module is used for matching the plurality of first class labels with the plurality of second class labels one by one, determining the matching degree, wherein the second class labels are labels obtained by extracting keywords of target fields and classifying the keywords;
and the first determining submodule is used for taking the matching degree as the credibility.
In one embodiment, the third device 402 may specifically further include:
the training unit is used for inputting all the fields in the preset field table and third category labels into the LSTM model, training the LSTM model to obtain a trained LSTM model, and the third category labels are labels obtained by extracting keywords of all the fields in the preset field table and classifying the keywords of all the fields.
In one embodiment, the third device 402 may specifically further include:
the first conversion sub-module is used for converting the second field into a first field set and converting the target field into a second field set;
the first comparison sub-module is used for comparing the fields in the first field set with the fields in the second field set one to one using the Jaccard similarity coefficient to determine the similarity;
And the second determination submodule is used for taking the similarity as the credibility.
In one embodiment, the third device 402 may specifically further include:
the second conversion sub-module is used for converting the second field into a third field with the same format as the target field;
a calculation sub-module for calculating the Euclidean distance between the third field and the target field;
and the second comparison sub-module is used for comparing the Euclidean distance with a third preset threshold value to determine the credibility.
In one embodiment, the apparatus may further include:
the establishing module 406 is configured to establish the same preset field table for all devices in the zero trust network, where the preset field table includes a time period, a field, and an encryption mode, different time periods correspond to different fields, and different fields correspond to different encryption modes.
Therefore, a plurality of suspicious device groups are determined through multiple information interactions among the devices in the zero trust network, the suspicious device groups are then screened to determine the abnormal devices, and the abnormal devices can be rectified and guarded against, avoiding losses caused by users' access errors.
Fig. 5 is a schematic diagram of an electronic device according to an exemplary embodiment.
As shown in fig. 5, the electronic device 5 can implement the exemplary hardware architecture of the electronic device according to the abnormal device determination method and the abnormal device determination apparatus in the embodiments of the present application. The electronic device may be an electronic device in an embodiment of the present application.
The electronic device 5 may comprise a processor 501 and a memory 502 storing computer program instructions.
In particular, the processor 501 may include a Central Processing Unit (CPU), or an application specific integrated circuit (application specific integrated circuit, ASIC), or may be configured to implement one or more integrated circuits of embodiments of the present application.
Memory 502 may include mass storage for information or instructions. By way of example, and not limitation, memory 502 may comprise a Hard Disk Drive (HDD), floppy disk drive, flash memory, optical disk, magneto-optical disk, magnetic tape, or universal serial bus (universal serial bus, USB) drive, or a combination of two or more of these. Memory 502 may include removable or non-removable (or fixed) media, where appropriate. The memory 502 may be internal or external to the integrated gateway device, where appropriate. In a particular embodiment, the memory 502 is a non-volatile solid state memory. In a particular embodiment, the memory 502 includes Read Only Memory (ROM). The ROM may be mask programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically Erasable PROM (EEPROM), electrically rewritable ROM (EAROM), or flash memory, or a combination of two or more of these, where appropriate.
The processor 501 reads and executes the computer program instructions stored in the memory 502 to implement the method in the embodiment shown in fig. 1 or fig. 2, and achieve the corresponding technical effects, which are not described herein for brevity.
In one embodiment, the electronic device 5 may also include a transceiver 503 and a bus 504. As shown in fig. 5, the processor 501, the memory 502, and the transceiver 503 are connected to each other via the bus 504 and perform communication with each other.
Bus 504 includes hardware, software, or both. By way of example, and not limitation, the bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCIe) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association local (VLB) bus, or another suitable bus, or a combination of two or more of the above. Bus 504 may include one or more buses, where appropriate. Although embodiments of the present application describe and illustrate a particular bus, the present application contemplates any suitable bus or interconnect.
The embodiment of the application also provides a computer storage medium, wherein the computer storage medium stores computer executable instructions for realizing the abnormal equipment determination method described in the embodiment of the application.
In some possible embodiments, various aspects of the methods provided herein may also be implemented in the form of a program product comprising program code for causing a computer device to carry out the steps of the methods described herein above according to various exemplary embodiments of the present application, when the program product is run on the computer device, e.g. the computer device may carry out the abnormal device determination method as described in the examples herein.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium may be, for example, but not limited to: an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include the following: an electrical connection having one or more wires, a portable disk, a hard disk, Random Access Memory (RAM), Read-Only Memory (ROM), Erasable Programmable Read-Only Memory (EPROM or flash memory), optical fibre, portable Compact Disk Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable information processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable information processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable information processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable information processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.

Claims (10)

1. An abnormal device determination method, wherein the method is applied to a zero-trust network, the zero-trust network includes a first device set, a second device and a third device, wherein the second device is any device in the zero-trust network, the third device is any device except the second device in the zero-trust network, and the first device set includes all devices except the second device and the third device in the zero-trust network, the method includes:
The second device sends a plurality of first fields to different devices in the first device set, so that the different devices in the first device set encrypt the received first fields according to an encryption mode corresponding to a target field in a preset field table to generate a plurality of encrypted fields, the target field is disassembled to obtain the plurality of first fields, the number of the first fields is not less than three and not more than the total number of the devices in the first device set, and each first field corresponds to different devices in the first device set one by one;
the third device decrypts the plurality of encrypted fields sent by different devices in the first device set to generate a plurality of verification fields;
the third device concatenates the plurality of verification fields into a second field;
the third device compares the second field with the target field to determine the credibility of a fourth device set, wherein the fourth device set comprises the second device, the third device and all devices for encrypting sub-fields;
updating any device except the second device in the zero trust network to be the second device, and updating any device except the updated second device in the zero trust network to be the third device;
returning, for the updated second device and the updated third device, to the step in which the second device sends a plurality of first fields to different devices in the first device set, until the number of updates reaches a first preset threshold, so as to obtain the credibility of a plurality of fourth device sets;
and screening all fourth equipment sets with the credibility lower than a second preset threshold value to determine abnormal equipment.
2. The method of claim 1, wherein the third device comparing the second field with the target field to determine the trustworthiness of a fourth set of devices, comprising:
inputting the second field into a trained long short-term memory (LSTM) model to obtain a plurality of first class labels;
matching the plurality of first class labels with a plurality of second class labels one by one, and determining the matching degree, wherein the second class labels are labels obtained by extracting keywords of the target field and classifying the keywords;
and taking the matching degree as the credibility.
3. The method of claim 2, wherein before inputting the second field into the trained long short-term memory (LSTM) model to obtain a plurality of first class labels, the method further comprises:
inputting all the fields in the preset field table and third class labels into an LSTM model and training the LSTM model to obtain the trained LSTM model, wherein the third class labels are labels obtained by extracting keywords of all the fields in the preset field table and classifying those keywords.
4. The method of claim 1, wherein the third device comparing the second field with the target field to determine the trustworthiness of a fourth set of devices, comprising:
converting the second field into a first field set and converting the target field into a second field set;
comparing the fields in the first field set with the fields in the second field set one to one using the Jaccard similarity coefficient, and determining the similarity;
and taking the similarity as the credibility.
5. The method of claim 1, wherein the third device comparing the second field with the target field to determine the trustworthiness of a fourth set of devices, comprising:
converting the second field into a third field having the same format as the target field;
Calculating the Euclidean distance between the third field and the target field;
and comparing the Euclidean distance with a third preset threshold value to determine the credibility.
6. The method according to claim 1, wherein the method further comprises:
the same preset field table is established for all the devices in the zero trust network, wherein the preset field table comprises time periods, fields and encryption modes, different time periods correspond to different fields, and different fields correspond to different encryption modes.
7. An abnormal device determining apparatus, wherein the apparatus is applied to a zero-trust network, the zero-trust network including a first device set, a second device, and a third device, wherein the second device is any device in the zero-trust network, the third device is any device in the zero-trust network except for the second device, and the first device set includes all devices in the zero-trust network except for the second device and the third device, the apparatus comprising:
the second device is configured to send a plurality of first fields to different devices in the first device set, so that the different devices in the first device set encrypt the received first fields according to an encryption mode corresponding to a target field in a preset field table, and generate a plurality of encrypted fields, wherein the plurality of first fields are obtained by disassembling the target field, the number of the first fields is not less than three and not more than the total number of devices in the first device set, and each first field corresponds to different devices in the first device set one by one;
The third device is used for decrypting the plurality of encrypted fields sent by different devices in the first device set to generate a plurality of verification fields;
a third device for concatenating the plurality of verification fields into a second field;
a third device for comparing the second field with the target field, determining the trustworthiness of a fourth device set, the fourth device set including the second device, the third device and all devices encrypting sub-fields;
the updating module is used for updating any device except the second device in the zero trust network into the second device and updating any device except the updated second device in the zero trust network into the third device;
a sending module, configured to return, to the second device after updating and the third device after updating, to send a plurality of first fields to different devices in the first device set, until the number of updating times reaches a first preset threshold, to obtain credibility of a plurality of fourth device sets;
and the screening module is used for screening all the fourth equipment sets with the credibility lower than a second preset threshold value and determining abnormal equipment.
8. The apparatus of claim 7, wherein the third device comprises:
an input sub-module, configured to input the second field into a trained long short-term memory (LSTM) model to obtain a plurality of first class labels;
the matching sub-module is used for matching the plurality of first class labels with the plurality of second class labels one by one, determining the matching degree, wherein the second class labels are labels obtained by extracting keywords of the target field and classifying the keywords;
and the determining submodule is used for taking the matching degree as the credibility.
9. An electronic device, the device comprising: a processor and a memory storing computer program instructions;
the processor, when executing the computer program instructions, implements the abnormal device determination method of any of claims 1-6.
10. A computer storage medium having stored thereon computer program instructions which, when executed by a processor, implement the abnormal device determination method of any of claims 1-6.
CN202110384537.2A 2021-04-09 2021-04-09 Abnormal equipment determining method, device, equipment and computer storage medium Active CN115208597B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110384537.2A CN115208597B (en) 2021-04-09 2021-04-09 Abnormal equipment determining method, device, equipment and computer storage medium


Publications (2)

Publication Number Publication Date
CN115208597A CN115208597A (en) 2022-10-18
CN115208597B true CN115208597B (en) 2023-07-21

Family

ID=83571639



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant