Background
With the continuous innovation of access control technology, new security elements have been introduced on top of the basic RBAC and ABAC frameworks, and the security of access-controlled resources in a cloud computing distributed environment is now considered more comprehensively. The aspects most commonly added are trust degree evaluation, user behavior evaluation and cross-domain access.
Trust, or degree of trust, is a concept borrowed from sociology. It expresses a dependency relationship, is highly abstract and has no detailed definition. A credit degree is a subjective judgment made after the behavior of an entity has been quantified, and good trust can only be established when behavior is well developed. In the access control process credit is abstract, but in order to evaluate and measure trust it must be quantized into a trust value, i.e. a trust degree, which is intuitive; the interval and the specific magnitude of the value range can be set according to the actual application scenario. The value of the trust degree changes with the environment, and the user's operations are closely related to that change. The trust degree is also time-sensitive: a change in the user's behavior or operations must be reflected promptly, and if user behavior cannot be reflected in real time, the trust degree cannot represent it well.
In a cloud computing distributed environment, resources or services in the cloud may serve users from other domains so that resources are not left idle or wasted; access control operations therefore fall into two types, local-domain operations and cross-domain operations. Taking the OpenStack cloud computing management platform as an example, a cross-domain access operation requires, in addition to user authentication (user name and password verification), further security evaluation conditions such as the user trust degree mentioned above. The records of the user's resource access operations in other domains serve as references, so the cross-domain operation supplies effective data; at the same time, the similarity between domains can be judged from the environmental characteristics of the domains, so that the evaluation and evaluation weighting of cross-domain access operations are weighted by the mutual influence between time periods and between domains. A user's access operations in a non-local domain then also influence the user's credit value in the original domain, which makes access control finer-grained and evaluation more accurate.
In the prior art, OpenStack only implements a basic RBAC model, that is, it simply associates a user with a role and maintains a basic mapping between the role and an authority. Obviously this access control model cannot meet the access control requirements of a cloud computing distributed environment. There are several major problems:
(1) Cross domain problem
The distributed nature of cloud computing means that a user's access operations cannot be completed solely within a single domain. After completing user authentication in a certain domain, the user logs in and operates on resources in the cloud, and depending on the cloud platform's resource scheduling and allocation, the user may access resources in other domains after logging in to the local domain, so cross-domain operations must be considered.
(2) Single standard of monitoring
Each role in OpenStack's native role-based access control has a corresponding authority, and the system assigns a role to the user according to the user's information, so that the user obtains the corresponding access authority. This access control is simple, however, and cannot handle access operations in a complex cloud environment well.
(3) Keystone object attribute singleness
The object attributes in OpenStack are only role, user, group, domain and project. Because the attributes are so limited, finer-grained monitoring of access operations cannot be achieved.
Therefore, it is necessary to add a field for a user trust level attribute, to monitor the user trust level in a coordinated manner, and to add monitoring of user operation behavior so as to protect the security of resources.
Disclosure of Invention
Based on the above problems, the invention discloses a dynamic access control method and a control system based on a trust value.
In order to achieve the purpose, the invention provides the following technical scheme:
a dynamic access control method based on a trust value comprises the following steps:
S1, the user U_i makes the k-th access request to the system, and the system verifies the identity of the user;
S2, the system obtains the user's initial trust value TA(ui)_k, which includes the cross-domain direct trust value T_ak and the inter-domain trust value T_bk;
S3, the system judges whether TA(ui)_k satisfies the trust value threshold TA(rs); if not, the user is refused further access; if so, the user is allowed access and the next step is entered;
S4, the initial trust level of the initial trust value TA(ui)_k is determined, and user function access authority is granted according to the initial trust level;
S5, the system monitors the user's operation behavior in real time, obtains the user's behavior evidence, calculates the user's current trust value TA(rt)_k, determines the user's current trust level in real time, and allocates operation and access authority according to the current trust level;
S6, after the user has carried out one safe and complete access operation, the system acquires the current trust value and defines it as the user's final trust value TA(fi)_k, and the user exits the access operation; for the (k+1)-th access request to the system, T_a(k+1) = TA(fi)_k.
Preferably, when the user performs the access operation, the user's current trust value TA(rt)_k is calculated as follows:
acquire the user behaviors and divide them into n characteristics, each characteristic comprising a plurality of evidences, with m taken as the maximum number of evidences in any characteristic;
standardize all evidence types and establish the fuzzy matrix A = {a_ij}_{n×m}, where 0 ≤ a_ij ≤ 1;
obtain the initial judgment matrix EQ = (eq_ij)_{m×m} by the nine-level measurement method;
convert the initial judgment matrix EQ into the fuzzy consistent matrix Q = (q_ij)_{m×m}, wherein
compute the weight vector W = (w_1, w_2, …, w_m)^T for the m evidences of the i-th characteristic;
from the evidence matrix E = (e_ij)_{n×m} and the weight matrix W = (w_ij)_{n×m}, calculate B = E × W^T, take the values on the diagonal of B, and establish the characteristic evaluation value matrix F = (f_1, f_2, …, f_n);
calculate the user's current trust value TA(rt)_k,
Preferably, the characteristics include at least risk characteristics and performance characteristics, the risk characteristics including at least object resources, resource vulnerabilities and threat behaviors.
Preferably, the threat behaviors include at least abnormal behaviors, default behaviors and malicious behaviors; the threat level of a threat behavior is judged according to the severity of the danger of the user's operation, and the user's threat behaviors are given standardized values according to the operation threat level;
the evidence data of the performance characteristics comes in a percentage form and a determined-value form, and the normalization method is as follows: for evidence data in percentage form, the standardized value is the original value;
for evidence data in determined-value form, the evidence is distinguished into positive evidence, negative evidence, fixed-value evidence and interval evidence, and each is standardized separately.
Preferably, the inter-domain trust value T_bk is calculated as follows:
acquire all cloud service providers C = {c_1, c_2, …, c_s} visited by the user, where the j-th cloud service provider's final trust value for the user U_i is T(c_j, U_i); then
where T_j is the number of successful accesses at the j-th cloud service provider.
Preferably, the initial trust value TA(ui)_k is calculated as follows:
TA(ui)_k = α × T_ak + β × T_bk
where α + β = 1, and α and β represent the proportions of the cross-domain trust value and the inter-domain trust value respectively.
Preferably, the trust levels G = (1, 2, …, q) are set, and if t_m ≤ TA(ui)_k ≤ t_{m+1}, where
t_m and t_{m+1} (1 ≤ m ≤ q−1) are the minimum and maximum of the trust value interval of a level, then the user's trust level is m.
Preferably, if the user U_i makes no access request, the user has basic reference authority.
The present invention also provides a trust value-based dynamic access control system,
the system comprises an authentication sub-module, a user behavior monitoring sub-module and a trust management sub-module;
the authentication sub-module is used for verifying the identity of the user, judging from the user's initial trust value TA(ui)_k and current trust value TA(rt)_k whether the trust value threshold is met, and granting the user function access authority and allocating operation authority;
the user behavior monitoring submodule is used for monitoring the access behavior and operation of a user, acquiring a user behavior evidence and carrying out standardized processing;
and the trust management submodule is used for calculating and updating the initial trust value and the current trust value of the user according to the user behavior evidence.
Preferably, the trust management sub-module includes an evidence database, an operation center and a user management database, the evidence database is used for obtaining the user behavior evidence from the user behavior monitoring sub-module, the operation center is used for calculating and updating the initial trust value and the current trust value of the user, and the user management database is used for storing the current trust level of the user in different time sub-segments.
Compared with the prior art, the invention has the following advantages:
the invention provides a dynamic access control method based on a trust value. After the user logs in to the system it performs a credit-weighted calculation from the user's information and the user's previous trust; during dynamic monitoring it not only monitors the user's trust but also adds monitoring of the user's operation behavior, implementing multi-standard monitoring of user behavior. Once high-risk behavior is detected the user is immediately forced out of the system, protecting the security of resources, whereas the traditional method would still accumulate credit; the multi-standard monitoring described here therefore offers higher security and better real-time performance.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, shall fall within the protection scope of the present invention.
It should be noted that the terms "comprises" and "comprising," and any variations thereof, in the description and claims of the present invention and the above-described drawings, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, in order to facilitate understanding of the embodiment of the present invention, a general design concept of the technical solution is introduced:
After a user logs in to the OpenStack platform, the system determines from the user's credit whether the user has the authority to operate on the resources for which access is requested. If the authority is insufficient, the user is prompted to quit; if it is sufficient, the user may perform the corresponding access operation on the object resources. During the operation the system dynamically monitors the user's behavior and calculates the real-time credit, and when the user's behavior or credit does not meet the requirements the user is forced out of the system. After each operation ends, the system makes a comprehensive judgment from the user's initial credit degree, the inter-domain reference trust degree and the historical trust degree, calculates the user's final credit degree, and stores it for use as the user's credit degree at the next login.
As shown in fig. 1, the present invention discloses a dynamic access control method and a control system based on a trust value, and the complete access flow is:
S1, the user U_i makes the k-th access request to the system, and the system verifies the identity of the user;
S2, the system obtains the user's initial trust value TA(ui)_k, which includes the cross-domain direct trust value T_ak and the inter-domain trust value T_bk;
where the cross-domain direct trust value T_ak is in fact the final trust value TA(fi)_{k−1} of the last completed access, and the inter-domain trust value T_bk is calculated as follows:
acquire all cloud service providers C = {c_1, c_2, …, c_s} visited by the user, where the j-th cloud service provider's final trust value for the user U_i is T(c_j, U_i); then
where T_j is the number of successful accesses at the j-th cloud service provider.
S3, the system judges whether TA(ui)_k satisfies the trust value threshold TA(rs); if not, the user is refused further access; if so, the user is allowed access and the next step is entered;
S4, the initial trust level of the initial trust value TA(ui)_k is determined, and user function access authority is granted according to the initial trust level;
S5, the system monitors the user's operation behavior in real time, obtains the user's behavior evidence, calculates the user's current trust value TA(rt)_k, determines the user's current trust level in real time, and allocates operation and access authority according to the current trust level;
when the user performs the access operation, the user's current trust value TA(rt)_k is calculated as follows:
acquire the user behaviors and divide them into n characteristics, each characteristic comprising a plurality of user behavior evidences, each item of evidence being obtainable through software or hardware detection, and define m as the maximum number of evidences in any characteristic;
standardize all evidence types and establish the fuzzy matrix A = {a_ij}_{n×m}, where 0 ≤ a_ij ≤ 1;
obtain the initial judgment matrix EQ = (eq_ij)_{m×m} by the nine-level measurement method; to obtain EQ, a pairwise comparison matrix between the elements is constructed, determining their relative weights with respect to the target;
convert the initial judgment matrix EQ into the fuzzy consistent matrix Q = (q_ij)_{m×m}, wherein
compute the weight vector W = (w_1, w_2, …, w_m)^T for the m evidences of the i-th characteristic, wherein
from the evidence matrix E = (e_ij)_{n×m} and the weight matrix W = (w_ij)_{n×m}, calculate B = E × W^T, take the values on the diagonal of B, and establish the characteristic evaluation value matrix F = (f_1, f_2, …, f_n);
calculate the user's current trust value TA(rt)_k,
where W_f = (w_f1, w_f2, …, w_fn) is the weight vector of the user behavior characteristics.
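The weighting steps above (and the identical steps in the summary of the method earlier on this page) are shown below as an added Python example; it is illustrative code written for this page, not the patent's own implementation. The page omits the judgment-to-fuzzy-consistent transform, the weight formula and the final aggregation, so those are assumptions: the nine-level judgment matrix uses the 0.1–0.9 scale (eq_ij + eq_ji = 1, diagonal 0.5), q_ij = (r_i − r_j)/(2m) + 0.5 with r_i the row sum of EQ, w_i = (Σ_j q_ij + m/2 − 1)/(m(m − 1)), and TA(rt)_k = Σ_i w_fi · f_i. The judgment matrices, evidence values and feature weights are constructed sample data.

```python
"""Added example: weighting behaviour evidence with a fuzzy consistent matrix
and aggregating it into the current trust value TA(rt)_k.

Illustrative code for this page, not the patent's implementation.  Assumed
(not given on the page): 0.1-0.9 nine-level judgment scale, the transform
q_ij = (r_i - r_j)/(2m) + 0.5, the weight formula
w_i = (sum_j q_ij + m/2 - 1) / (m(m - 1)), and TA(rt)_k = sum_i w_fi * f_i.
"""
from typing import List, Sequence

Matrix = List[List[float]]


def judgment_to_fuzzy_consistent(eq: Matrix) -> Matrix:
    """Convert the initial judgment matrix EQ = (eq_ij)_{m x m} into a fuzzy
    consistent matrix Q = (q_ij)_{m x m} (assumed transform, see docstring)."""
    m = len(eq)
    if any(len(row) != m for row in eq):
        raise ValueError("EQ must be square")
    r = [sum(row) for row in eq]                     # row sums r_i
    return [[(r[i] - r[j]) / (2 * m) + 0.5 for j in range(m)] for i in range(m)]


def weights_from_fuzzy_consistent(q: Matrix) -> List[float]:
    """Weight vector W = (w_1, ..., w_m)^T of a fuzzy consistent matrix.
    The weights sum to 1 because q_ij + q_ji = 1 and q_ii = 0.5."""
    m = len(q)
    if m < 2:
        raise ValueError("need at least two evidences to compare")
    return [(sum(q[i]) + m / 2 - 1) / (m * (m - 1)) for i in range(m)]


def feature_evaluations(evidence: Sequence[Sequence[float]],
                        weights: Sequence[Sequence[float]]) -> List[float]:
    """Build E = (e_ij)_{n x m} and W = (w_ij)_{n x m} (rows zero-padded to the
    largest evidence count m), compute B = E x W^T and return its diagonal
    F = (f_1, ..., f_n): f_i is the weighted score of characteristic i."""
    n = len(evidence)
    m = max(len(row) for row in evidence)
    e = [list(row) + [0.0] * (m - len(row)) for row in evidence]
    w = [list(row) + [0.0] * (m - len(row)) for row in weights]
    for row in e:
        if any(not 0.0 <= x <= 1.0 for x in row):
            raise ValueError("evidence must be normalised to [0, 1]")
    # B[i][k] = sum_j e[i][j] * w[k][j]; only the diagonal (i == k) is kept
    return [sum(e[i][j] * w[i][j] for j in range(m)) for i in range(n)]


def current_trust(f: Sequence[float], w_f: Sequence[float]) -> float:
    """TA(rt)_k as the W_f-weighted sum of characteristic evaluations (assumed)."""
    if abs(sum(w_f) - 1.0) > 1e-9:
        raise ValueError("characteristic weights W_f must sum to 1")
    return sum(fi * wi for fi, wi in zip(f, w_f))


# Constructed sample: two characteristics (risk, performance), three evidences
# each.  Risk evidences: object resource level, resource vulnerability, threat
# behaviour (quantized values as in the page's tables); performance evidences:
# memory occupancy, response time, transmission speed (already normalised).
RISK_EQ = [[0.5, 0.6, 0.3],
           [0.4, 0.5, 0.2],
           [0.7, 0.8, 0.5]]          # threat behaviour judged most important
PERF_EQ = [[0.5, 0.5, 0.5],
           [0.5, 0.5, 0.5],
           [0.5, 0.5, 0.5]]          # all performance evidences judged equal
SAMPLE_EVIDENCE = [[0.8, 0.6, 0.9], [0.6, 0.75, 0.9]]
FEATURE_WEIGHTS = [0.6, 0.4]        # W_f: risk counts more than performance


def sample_trust() -> float:
    """Run the whole pipeline on the constructed sample."""
    w_risk = weights_from_fuzzy_consistent(judgment_to_fuzzy_consistent(RISK_EQ))
    w_perf = weights_from_fuzzy_consistent(judgment_to_fuzzy_consistent(PERF_EQ))
    f = feature_evaluations(SAMPLE_EVIDENCE, [w_risk, w_perf])
    return current_trust(f, FEATURE_WEIGHTS)


if __name__ == "__main__":
    print(f"TA(rt)_k = {sample_trust():.4f}")
```

With the sample judgment matrix the risk evidences receive weights 0.325, 0.3 and 0.375, the performance evidences one third each, and the two characteristic scores combine into a current trust value of about 0.7665. The evidence range check matters in practice: an un-normalised evidence value silently pushes a characteristic score outside [0, 1] and with it the trust level.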
At present, the main methods of acquiring user behavior evidence are the following. Existing intrusion detection systems such as RealSecure and Snort, which provide intrusion detection, behavior auditing and traffic statistics, can detect malicious behaviors such as hacker intrusion, worm attacks and port scanning, yielding behavior evidence such as the number of a user's illegal connections, the number of attempted privilege overrides, the number of scans of important ports and the average number of attacks on other users. Existing network traffic detection tools such as Bandwidth can detect the user's IP anomaly rate and check evidence such as the user's network state. Dedicated network data acquisition tools such as NetFlow Tracker can acquire evidence such as the user's network bandwidth occupancy and the average number of viruses carried by the user in real time. The server's auditing and tracking system produces system event records such as audit records, system logs, data packets intercepted by network management logs, application logs and the corresponding behavior operation records.
The characteristics include at least risk characteristics and performance characteristics, wherein the risk characteristics include at least object resources, resource vulnerabilities, and threat behaviors, and the performance characteristics include at least memory occupancy, response time, and transmission speed.
For the risk characteristics, the evaluated user behavior evidence consists of object resources, resource vulnerability and threat behavior. The value of an object resource in the cloud service provider represents its importance and is proportional to the object resource level: the higher the importance, the higher the level. The object resource level specification is shown in Tables 1 and 2:
TABLE 1 Object resource level table

| Object resource level | Importance of object resource | Quantized value |
|---|---|---|
| V1 | Generally important | 0-0.1 |
| V2 | Important | 0.2-0.3 |
| V3 | More important | 0.4-0.5 |
| V4 | Very important | 0.6-0.7 |
| V5 | Extremely important | 0.8-0.9 |
TABLE 2 Object resource category table

| Grade | Kind of resource | Description |
|---|---|---|
| 1 | Portal resource | Daily information such as announcements and page displays in the portal |
| 2 | Application software | Daily software such as media players, calendars and notepads |
| 3 | Shared resource | Data resources shared between users or tenants |
| 4 | System resource | Databases, networks, operating systems and the like |
| 5 | Infrastructure | Infrastructure such as the storage resource pool and the server resource pool |
Resource vulnerability mainly represents potential security hazards of software or applications in the cloud platform, system backdoors and the like. The higher the level of the object resource, the more serious the threat to the resource; the specific cases are shown in Tables 3 and 4:
TABLE 3 Object resource vulnerability level table

| Object resource vulnerability level | Vulnerability of object resource | Quantized value |
|---|---|---|
| W1 | Extremely vulnerable | 0-0.1 |
| W2 | Very vulnerable | 0.2-0.3 |
| W3 | Relatively vulnerable | 0.4-0.5 |
| W4 | Vulnerable | 0.6-0.7 |
| W5 | Generally vulnerable | 0.8-0.9 |
TABLE 4 Description of object resource vulnerability levels

| Grade | Description |
|---|---|
| 1 | The threat to the resource is small and can be ignored |
| 2 | Little harm to the resource |
| 3 | The harm to the resource is generally serious |
| 4 | The harm to the resource is very serious |
| 5 | The harm to the resource is extremely serious |
The user's threat behaviors toward the object resource mainly include abnormal behaviors, default behaviors and malicious behaviors; the more serious the threat behavior, the higher its level, as shown in Tables 5 and 6.
TABLE 5 Operational threat level table

| Operational threat level | Severity of threat | Quantized value |
|---|---|---|
| A1 | Extremely serious | 0-0.1 |
| A2 | Very serious | 0.2-0.3 |
| A3 | More serious | 0.4-0.5 |
| A4 | Little influence | 0.6-0.7 |
| A5 | Can be ignored | 0.8-0.9 |
TABLE 6 User behavior type table

| Quantized value | Type of user behavior | Description |
|---|---|---|
| 0-0.3 | Malicious behavior | Unsafe operations such as high-privilege requests for resources, DNS attacks on the network and the like |
| 0.4-0.6 | Default behavior | Behavior violating what was agreed in the SLA between the user and the cloud service provider |
| 0.7-0.9 | Abnormal behavior | Mainly behavioral anomalies, e.g. in login, IP address, unlearned behavior and the like |
The performance characteristics comprise at least memory occupancy, response time and transmission speed, and their evidence comes in two data forms: percentages and determined values.
Assume the obtained initial behavior evidence vector is a = (a_1, a_2, a_3, …, a_n) and the normalized behavior evidence vector is E = (e_1, e_2, …, e_n). The normalization rule is as follows:
for evidence data in percentage form, such as memory occupancy, the data is already within the range [0, 1], so e_i = a_i is defined directly;
for evidence data in determined numerical form, such as response time and transmission speed, the evidence is distinguished into positive evidence, negative evidence, fixed-value evidence and interval evidence: evidence whose larger value is better is called positive evidence; evidence whose smaller value is better is called negative evidence; evidence whose value is better the closer it is to a certain fixed value (set as μ_i) is called fixed-value evidence; and evidence whose value is better the closer it is to, or the more it falls within, a certain fixed interval (set as [D_i1, D_i2]) is called interval evidence. Each is normalized by its own formula:
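As an added Python example of the normalization rule just described (and of the shorter statement of it in the summary of the method), the following code maps raw evidence of each of the five kinds onto [0, 1]. It is illustrative code for this page, not the patent's implementation; the page does not give the normalization formulas, so the ones used are assumptions: values are scaled against an assumed observed range [lo, hi] and clipped to [0, 1], and the distance from the fixed value μ_i (or from the interval [D_i1, D_i2]) is scaled by the largest possible distance within [lo, hi]. The evidence names, values and ranges are constructed sample data.

```python
"""Added example: normalising behaviour evidence of the kinds named on the page
(percentage, positive, negative, fixed-value and interval-type).

Illustrative code for this page, not the patent's implementation.  The
formulas are assumptions (see the lead-in): scale against an assumed observed
range [lo, hi], clip to [0, 1], and measure distance from mu or [d1, d2]
relative to the largest distance possible inside [lo, hi]."""
from dataclasses import dataclass
from typing import List


def _clip01(x: float) -> float:
    return max(0.0, min(1.0, x))


@dataclass
class Evidence:
    name: str
    kind: str            # "percentage", "positive", "negative", "fixed", "interval"
    value: float         # raw a_i
    lo: float = 0.0      # assumed observed range of the raw value
    hi: float = 1.0
    mu: float = 0.0      # target value mu_i for "fixed" evidence
    d1: float = 0.0      # target interval [D_i1, D_i2] for "interval" evidence
    d2: float = 0.0


def normalise(ev: Evidence) -> float:
    """Return e_i in [0, 1] for a single raw evidence a_i."""
    if ev.kind == "percentage":
        # already in [0, 1]: e_i = a_i (clipped only to guard a bad sensor value)
        return _clip01(ev.value)
    if ev.hi <= ev.lo:
        raise ValueError(f"{ev.name}: range [lo, hi] must be non-empty")
    span = ev.hi - ev.lo
    if ev.kind == "positive":            # larger is better, e.g. transmission speed
        return _clip01((ev.value - ev.lo) / span)
    if ev.kind == "negative":            # smaller is better, e.g. response time
        return _clip01((ev.hi - ev.value) / span)
    if ev.kind == "fixed":               # closer to mu is better
        worst = max(ev.hi - ev.mu, ev.mu - ev.lo)
        return _clip01(1.0 - abs(ev.value - ev.mu) / worst)
    if ev.kind == "interval":            # inside [d1, d2] is best
        if ev.d1 <= ev.value <= ev.d2:
            return 1.0
        dist = ev.d1 - ev.value if ev.value < ev.d1 else ev.value - ev.d2
        worst = max(ev.d1 - ev.lo, ev.hi - ev.d2)
        if worst <= 0:                   # interval covers the whole range
            return 0.0
        return _clip01(1.0 - dist / worst)
    raise ValueError(f"{ev.name}: unknown evidence kind {ev.kind!r}")


def normalise_vector(raw: List[Evidence]) -> List[float]:
    """a = (a_1, ..., a_n)  ->  E = (e_1, ..., e_n)."""
    return [normalise(ev) for ev in raw]


# Constructed sample of performance evidence (values and ranges are made up).
SAMPLE = [
    Evidence("memory occupancy", "percentage", 0.35),
    Evidence("response time (ms)", "negative", 300, lo=100, hi=1100),
    Evidence("transmission speed (MB/s)", "positive", 40, lo=0, hi=100),
    Evidence("cpu load target", "fixed", 60, lo=0, hi=100, mu=50),
    Evidence("connection count", "interval", 70, lo=0, hi=100, d1=40, d2=60),
]

if __name__ == "__main__":
    for ev, e in zip(SAMPLE, normalise_vector(SAMPLE)):
        print(f"{ev.name:28s} {ev.value:>8} -> {e:.3f}")
```

Clipping out-of-range readings rather than rejecting them is a design choice: a single bad sensor value then saturates one evidence instead of aborting the whole trust calculation, which keeps the monitoring loop running while the anomaly itself shows up as a low or high score.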
The initial trust value TA(ui)_k is calculated as follows:
TA(ui)_k = α × T_ak + β × T_bk
where α + β = 1, and α and β represent the proportions of the cross-domain trust value and the inter-domain trust value respectively.
Set the trust levels G = (1, 2, …, q). If t_m ≤ TA(ui)_k ≤ t_{m+1}, where
t_m and t_{m+1} (1 ≤ m ≤ q−1) are the minimum and maximum of the trust value interval of a level, then the user's trust level is m.
If the user U_i makes no access request, the user has basic reference authority and can browse the resources that an ordinary user is allowed to view.
S6, after the user has carried out one safe and complete access operation, the system acquires the current trust value and defines it as the user's final trust value TA(fi)_k, and the user exits the access operation; for the (k+1)-th access request to the system, T_a(k+1) = TA(fi)_k.
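The complete access flow S1–S6 (stated in the summary of the method and again in this detailed description) is shown below as an added Python example; it is illustrative code written for this page, not the patent's implementation. It covers the policy decisions of the flow, while the per-operation current trust values TA(rt)_k, which the page derives from behavior evidence, are supplied as a constructed sequence. Assumed, because the page does not give them: the values of α, β and the threshold TA(rs); the level boundaries t_m and the authority attached to each level; the inter-domain trust T_bk as the access-count-weighted mean of the providers' final trust values T(c_j, U_i); and the use of the trust value at exit as T_a(k+1) after a forced exit. The behavior classification uses the quantized ranges of Table 6 (malicious 0–0.3, default 0.4–0.6), with forced exit on either, as the monitoring submodule description below states.

```python
"""Added example: one access session of the trust-value based dynamic access
control flow (steps S1-S6).

Illustrative code for this page, not the patent's implementation.  Assumed
(not given on the page): alpha/beta, the threshold TA(rs), the level bounds
t_m, the permissions per level, T_bk as the access-count weighted mean of the
providers' final trust values, and T_a(k+1) after a forced exit."""
from dataclasses import dataclass, field
from typing import List, Sequence, Set, Tuple

ALPHA, BETA = 0.6, 0.4                       # alpha + beta = 1
TA_RS = 0.4                                  # trust value threshold TA(rs)
T_BOUNDS = [0.0, 0.4, 0.6, 0.8, 1.0]         # t_1..t_q, q = 5 -> levels 1..4
PERMISSIONS = {                              # function access authority per level
    1: {"read"},
    2: {"read", "create"},
    3: {"read", "create", "update"},
    4: {"read", "create", "update", "delete"},
}


def inter_domain_trust(records: Sequence[Tuple[float, int]]) -> float:
    """T_bk from (T(c_j, U_i), T_j) pairs: the final trust value provider c_j
    gave the user, and the number of successful accesses there."""
    total = sum(t_j for _, t_j in records)
    if total == 0:
        return 0.0                           # no cross-domain history yet
    return sum(trust * t_j for trust, t_j in records) / total


def initial_trust(t_ak: float, t_bk: float) -> float:
    """TA(ui)_k = alpha * T_ak + beta * T_bk."""
    return ALPHA * t_ak + BETA * t_bk


def trust_level(ta: float) -> int:
    """Level m with t_m <= TA < t_(m+1); the top bound is inclusive."""
    ta = max(T_BOUNDS[0], min(T_BOUNDS[-1], ta))
    for m in range(1, len(T_BOUNDS)):
        if ta < T_BOUNDS[m]:
            return m
    return len(T_BOUNDS) - 1


def permissions_for(level: int) -> Set[str]:
    return set(PERMISSIONS[level])


@dataclass
class SessionResult:
    decision: str                 # "denied", "forced_exit" or "completed"
    initial_trust: float          # TA(ui)_k
    final_trust: float            # TA(fi)_k, the trust value when the session ended
    next_t_ak: float              # T_a(k+1) stored for the user's next request
    trace: List[Tuple[int, str]] = field(default_factory=list)


def run_session(t_ak: float, cross_domain: Sequence[Tuple[float, int]],
                operations: Sequence[Tuple[float, float]]) -> SessionResult:
    """operations: (behaviour quantized value per Table 6, TA(rt)_k after it)."""
    ta_ui = initial_trust(t_ak, inter_domain_trust(cross_domain))       # S2
    if ta_ui < TA_RS:                                                   # S3
        return SessionResult("denied", ta_ui, t_ak, t_ak)
    level = trust_level(ta_ui)                                          # S4
    trace = [(level, "initial")]
    current = ta_ui
    for behaviour, ta_rt in operations:                                 # S5
        # default (0.4-0.6) or malicious (0-0.3) behaviour: force the user out
        if behaviour <= 0.6:
            trace.append((level, "forced exit"))
            return SessionResult("forced_exit", ta_ui, ta_rt, ta_rt, trace)
        current = ta_rt
        new_level = trust_level(current)
        if new_level != level:
            trace.append((new_level, "level changed"))
            level = new_level
    return SessionResult("completed", ta_ui, current, current, trace)   # S6


# Constructed history: two cloud service providers previously visited.
HISTORY = [(0.8, 4), (0.5, 1)]               # T_bk = (3.2 + 0.5) / 5 = 0.74

if __name__ == "__main__":
    ok = run_session(0.7, HISTORY, [(0.9, 0.75), (0.8, 0.82)])
    print(ok.decision, round(ok.final_trust, 3), sorted(permissions_for(trust_level(ok.final_trust))))
    bad = run_session(0.7, HISTORY, [(0.9, 0.75), (0.2, 0.30)])
    print(bad.decision, bad.trace)
```

The point the flow makes, and the example preserves, is that the forced exit is keyed on the behavior class and not only on the trust value: in the second session the trust value at the time of the malicious operation would still have passed the threshold, yet the user is removed immediately and the lowered value is what the next request starts from.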
The invention also provides a dynamic access control system based on a trust value, which comprises an authentication submodule, a user behavior monitoring submodule and a trust management submodule.
The authentication submodule is used for verifying the identity of the user, judging from the user's initial trust value TA(ui)_k and current trust value TA(rt)_k whether the trust value threshold is met, and granting the user function access authority and allocating operation authority. The user behavior monitoring submodule is used for monitoring the user's access behavior and operations, acquiring the user behavior evidence and standardizing it; while monitoring the user behavior it dynamically judges whether the behavior is default behavior or malicious behavior, and if so, directly forces the user to quit the access operation, otherwise monitoring continues. The trust management submodule is used for calculating and updating the user's initial trust value and current trust value according to the user behavior evidence.
The trust management submodule comprises an evidence database, an operation center and a user management database. The evidence database acquires the user behavior evidence from the user behavior monitoring submodule, the operation center calculates and updates the user's initial trust value and current trust value, and the user management database stores the user's current trust degrees in the different time sub-segments.
The invention provides an improved access control method and control device based on trust degree, which comprises the following: the user's credit degree is recorded after the user performs an access operation in a non-local domain; taking the relationship between domains into account, the non-local-domain credibility is added through the inter-domain credibility correlation coefficient, and the added credibility is used as a recommended credibility parameter in the calculation of the user's historical credibility in the local domain. After the user logs in to the system, different values are assigned according to the user's previous credibility for the credibility-weighted calculation: under safe operation, credibility accumulates more slowly while it is below the user's initial credibility, and normal accumulation is granted only once it exceeds the initial credibility, so accumulation is slower than in the traditional method. When the user's operations are dynamically monitored, different behavior levels are determined from the user's behavior and different credit weighting values are assigned to them: the higher the operational risk, the faster the trust decays and the shorter the monitoring time slice. During dynamic monitoring, the user's trust is monitored and at the same time monitoring of the user's operation behavior is added, implementing multi-standard monitoring of user behavior. Once high-risk behavior is detected, the user is immediately forced out of the system, protecting the security of resources, whereas the traditional method would still accumulate credit; the multi-standard monitoring described here therefore offers higher security and better real-time performance.
The above are merely embodiments of the present invention, which are described in detail and with particularity, and therefore should not be construed as limiting the scope of the invention. It should be noted that, for those skilled in the art, various changes and modifications can be made without departing from the spirit of the present invention, and these changes and modifications are within the scope of the present invention.