CN115664693A - Resource access system, method, electronic device, and storage medium - Google Patents

Info

Publication number
CN115664693A
Authority
CN
China
Prior art keywords
access
center
identity
user
behavior
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211001377.XA
Other languages
Chinese (zh)
Inventor
李晓龙
江惠惠
姜雪
于祺越
盛国军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Canos Digital Technology Beijing Co ltd
Kaos Digital Technology Qingdao Co ltd
Original Assignee
Haiheng Digital Technology Qingdao Co ltd
Haier Digital Technology Qingdao Co Ltd
Haier Digital Technology Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Haiheng Digital Technology Qingdao Co ltd, Haier Digital Technology Qingdao Co Ltd, Haier Digital Technology Beijing Co Ltd
Priority to CN202211001377.XA
Publication of CN115664693A
Legal status: Pending

Abstract

In the system, a subject device receives a first operation of a user accessing an object device and, in response, sends an access request to an agent center; the agent center sends an identity verification request to the identity authentication center according to the access request; the identity authentication center authenticates the user according to the identity verification request, obtains an identity verification result and sends it to the agent center; when the identity is legal, the agent center sends an authority acquisition request to the control center; the control center sends the user's access control strategy to the agent center according to the authority acquisition request; and the agent center opens the target access port to the user according to the access control strategy. By authenticating the user and opening the target access port only when the identity is legal, malicious intrusion and access permission abuse can be reduced and the security of the system improved.

Description

Resource access system, method, electronic device, and storage medium
Technical Field
The present application relates to communications technologies, and in particular, to a resource access system, a resource access method, an electronic device, and a storage medium.
Background
With the development of industrial informatization, digitization and intellectualization, the integration of the internet and industry into the industrial internet becomes a development trend. Since industrial control systems are concerned with stable operation of important infrastructure, safety of industrial resources in industrial control systems is of paramount importance.
Currently, most of the demands for industrial resources lie in access and use, and neglect of security risks existing in an access process causes risks of access right abuse and malicious intrusion of an industrial control system.
Disclosure of Invention
The application provides a resource access system, a resource access method, electronic equipment and a storage medium, which are used for solving the problems of access permission abuse and malicious intrusion in an industrial control system.
In a first aspect, the present application provides a resource access system, which includes a subject device, a control center, an identity authentication center, an agent center, and an object device. The agent center is in communication connection with the subject device, the control center, the identity authentication center and the object device.
The subject device is used for receiving a first operation of a user accessing the object device.
The subject device is used for responding to the first operation and sending an access request to the agent center.
The agent center is used for sending an identity verification request to the identity authentication center according to the access request.
The identity authentication center is used for authenticating the user according to the identity verification request to obtain an identity verification result, wherein the identity verification result is either that the identity is legal or that the identity is illegal.
The identity authentication center is used for sending the identity verification result to the agent center.
The agent center is used for sending an authority acquisition request to the control center when the identity verification result is that the identity is legal.
The control center is used for sending the access control strategy of the user to the agent center according to the authority acquisition request.
The agent center is used for establishing a session with the subject device according to the access control strategy and opening the target access port to the user.
Optionally, the control center includes a resource access list and a behavior feature library.
And the agent center is specifically used for processing the access request, extracting the identity information of the user and the access behavior information of the user, and sending an identity verification request carrying the identity information to the identity authentication center.
The identity authentication center is specifically used for performing identity authentication on the user according to the identity information to obtain an identity authentication result.
And the agent center is specifically used for receiving the identity verification result sent by the identity authentication center and sending identity information and access behavior information to the control center when the identity verification result is that the identity is legal.
And the control center is specifically used for matching the resources in the resource access list according to the identity information to obtain a first resource access right.
And the control center is specifically used for matching the behavior rules in the behavior feature library according to the access behavior information to obtain a first behavior authority.
The control center is specifically used for obtaining an access control strategy according to the first resource access authority and the first behavior authority, and sending the access control strategy to the agent center.
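The flow just described, from the subject device's access request through identity verification and policy matching to the opened target access port, as an added example written for this page rather than code from the patent. The credential store, the rule formats of the resource access list and behavior feature library, the access behavior fields (source address, destination address, access type, protocol type, operation type) and the port numbers are assumptions; only the user identifier, not the credentials, is forwarded to the control center.

```python
import secrets
from dataclasses import dataclass

# Assumed fixed target port per industrial protocol type (502 is the standard Modbus/TCP port).
TARGET_PORT_BY_PROTOCOL = {"modbus": 502, "opcua": 4840}


@dataclass
class AccessRequest:
    """Constructed access request: what the subject device sends in response to the first operation."""
    user: str
    password: str
    sms_code: str
    src: str          # source address
    dst: str          # destination address (the object device)
    access_type: str
    protocol: str     # industrial control protocol type
    operation: str    # operation type (I/O)


class IdentityAuthCenter:
    """Multi-factor check of a password and a short message verification code."""

    def __init__(self):
        # constructed credential store; a real deployment would hold password hashes
        self._store = {"operator1": {"password": "op1-pass", "sms_code": "482913"}}

    def verify(self, identity):
        rec = self._store.get(identity["user"])
        if rec is None:
            return "illegal"
        ok = secrets.compare_digest(identity["password"], rec["password"])
        ok = secrets.compare_digest(identity["sms_code"], rec["sms_code"]) and ok
        return "legal" if ok else "illegal"


class ControlCenter:
    """Holds the resource access list and the behavior feature library."""

    def __init__(self):
        # resource access list: user -> {(object device, protocol)} the user may reach
        self.resource_access_list = {"operator1": {("plc-7", "modbus")}}
        # behavior feature library: user -> allowed values per access behavior field
        self.behavior_feature_library = {
            "operator1": {"access_type": {"remote-ops"}, "operation": {"read"}}}

    def access_control_policy(self, identity, behavior):
        user = identity["user"]
        # first resource access authority: is this object/protocol pair in the list?
        resource_authority = (behavior["dst"], behavior["protocol"]) in \
            self.resource_access_list.get(user, set())
        # first behavior authority: does the request match every behavior rule for the user?
        rules = self.behavior_feature_library.get(user, {})
        behavior_authority = bool(rules) and all(
            behavior[field] in allowed for field, allowed in rules.items())
        return {"allow": resource_authority and behavior_authority,
                "object": behavior["dst"], "protocol": behavior["protocol"],
                "operations": sorted(rules.get("operation", ())) if behavior_authority else []}


class AgentCenter:
    """Mediates between the subject device, the authentication center and the control center."""

    def __init__(self, auth, control):
        self.auth, self.control = auth, control
        self.sessions = {}

    def handle(self, req):
        # extract identity information and access behavior information from the request
        identity = {"user": req.user, "password": req.password, "sms_code": req.sms_code}
        behavior = {"src": req.src, "dst": req.dst, "access_type": req.access_type,
                    "protocol": req.protocol, "operation": req.operation}
        if self.auth.verify(identity) != "legal":
            return {"granted": False, "reason": "identity illegal"}
        # the control center only needs the identifier; credential material stays here
        policy = self.control.access_control_policy({"user": req.user}, behavior)
        port = TARGET_PORT_BY_PROTOCOL.get(policy["protocol"])
        if not policy["allow"] or port is None:
            return {"granted": False, "reason": "request outside access control policy"}
        # establish the session and open the target access port for this user only
        self.sessions[req.user] = {"object": policy["object"], "port": port,
                                   "operations": policy["operations"]}
        return {"granted": True, "target_port": port, "operations": policy["operations"]}


def demo():
    """Runs one legal request, one with a wrong password, and one outside the behavior rules."""
    agent = AgentCenter(IdentityAuthCenter(), ControlCenter())
    legal = AccessRequest("operator1", "op1-pass", "482913", "10.0.0.5", "plc-7",
                          "remote-ops", "modbus", "read")
    wrong_pw = AccessRequest("operator1", "wrong", "482913", "10.0.0.5", "plc-7",
                             "remote-ops", "modbus", "read")
    write = AccessRequest("operator1", "op1-pass", "482913", "10.0.0.5", "plc-7",
                          "remote-ops", "modbus", "write")
    return agent.handle(legal), agent.handle(wrong_pw), agent.handle(write)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third request fails even though the user authenticated and may reach the object device, because the behavior feature library only allows read operations for that user: the policy is the intersection of the resource authority and the behavior authority, which is what keeps a legitimate identity from being used outside its expected behavior.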
Optionally, the identity information includes one or more of the following: a password, a short message verification code and a biometric identification code.
The identity authentication center is specifically used for carrying out multi-factor authentication of the user's identity according to the password, the short message verification code and/or the biometric identification code to obtain an identity verification result.
Optionally, the agent center includes an active agent module, a passive agent module, and a private exchange module, and the active agent module and the passive agent module are in communication connection through the private exchange module.
The private exchange module is used for carrying out Hash calculation on the identity information of the user, the access behavior information of the user and the digital certificate of the user to obtain a label; wherein the tag is used to identify the user.
And the active agent module is used for distributing the label to the user.
And the passive agent module is used for opening the target access port to the user according to the label and the access control strategy.
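The tag mechanism of the private exchange, active agent and passive agent modules, as an added example that is not the patent's own code. The tag is a SHA-256 hash over the identity information, the access behavior information and the user's digital certificate; the field names, the canonical encoding, the length-prefixed concatenation, the constructed certificate and the decision to hash a user identifier rather than raw credentials are all assumptions. The passive agent module opens the port only for a tag it issued, and only for the access the tag was issued for.

```python
import hashlib
import json


def canonical(obj):
    """Stable byte encoding so every module hashes exactly the same input."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def compute_tag(identity_info, behavior_info, certificate_pem):
    """Hash of identity information, access behavior information and the digital certificate."""
    cert_fingerprint = hashlib.sha256(certificate_pem.encode()).digest()
    h = hashlib.sha256()
    for part in (canonical(identity_info), canonical(behavior_info), cert_fingerprint):
        # length-prefix each part so the boundaries between fields cannot be shifted
        h.update(len(part).to_bytes(4, "big") + part)
    return h.hexdigest()


class PrivateExchangeModule:
    """Computes tags and records which access each tag was issued for."""

    def __init__(self):
        self.registry = {}  # tag -> (access behavior information, access control policy)

    def issue(self, identity_info, behavior_info, certificate_pem, policy):
        tag = compute_tag(identity_info, behavior_info, certificate_pem)
        self.registry[tag] = (behavior_info, policy)
        return tag

    def lookup(self, tag):
        return self.registry.get(tag)


class ActiveAgentModule:
    """Distributes the tag to the user once the control center has returned the policy."""

    def __init__(self, exchange):
        self.exchange = exchange

    def distribute(self, identity_info, behavior_info, certificate_pem, policy):
        return self.exchange.issue(identity_info, behavior_info, certificate_pem, policy)


class PassiveAgentModule:
    """Opens the target access port only for a tag that was issued for this exact access."""

    def __init__(self, exchange):
        self.exchange = exchange

    def open_port(self, presented_tag, observed_behavior):
        entry = self.exchange.lookup(presented_tag)
        if entry is None:
            return None                      # unknown or altered tag
        issued_behavior, policy = entry
        if observed_behavior != issued_behavior:
            return None                      # tag reused for a different destination or protocol
        return policy["port"] if policy["allow"] else None


# constructed sample data
IDENTITY = {"user": "operator1"}
BEHAVIOR = {"src": "10.0.0.5", "dst": "plc-7", "protocol": "modbus", "operation": "read"}
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBconstructedSampleCertificateBody\n-----END CERTIFICATE-----\n"
POLICY = {"allow": True, "port": 502}


def demo():
    """Issue a tag, then present it for the issued access, a different destination, and altered."""
    exchange = PrivateExchangeModule()
    active, passive = ActiveAgentModule(exchange), PassiveAgentModule(exchange)
    tag = active.distribute(IDENTITY, BEHAVIOR, CERT_PEM, POLICY)
    opened = passive.open_port(tag, BEHAVIOR)
    other_dst = passive.open_port(tag, dict(BEHAVIOR, dst="plc-9"))
    altered = passive.open_port(tag[:-1] + ("0" if tag[-1] != "0" else "1"), BEHAVIOR)
    return tag, opened, other_dst, altered
```

Binding the tag to the access behavior information means a tag captured from one session cannot be presented for a different object device or protocol; because the registry is keyed by the full hash, any change to the hashed fields produces a tag the passive agent module has never seen.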
Optionally, the control center includes an environment sensing module and a behavior analysis module.
The environment perception module is used for periodically collecting the network environment information of the user while the user accesses the object device. The network environment information includes configuration carrier attributes, system security attributes, and subject behavior attributes.
The environment perception module is used for obtaining an environment trust value of the user according to the configuration carrier attributes, the system security attributes and the subject behavior attributes, and sending the environment trust value to the control center.
The behavior analysis module is used for periodically collecting operation behavior information of the user while the user accesses the object device; the operation behavior information includes a context behavior log, authentication credential information, and information about other linked devices.
The behavior analysis module is used for obtaining a behavior trust value of the user according to the context behavior log, the authentication credential information and the information about other linked devices, and sending the behavior trust value to the control center.
And the control center is used for obtaining the access trust value according to the environment trust value and the behavior trust value.
And the control center is used for sending the access trust value to the agent center.
And the agent center is used for adjusting the session according to the access trust value.
Optionally, the passive agent module is specifically configured to close the target access port and lock the session between the subject device and the object device when the access trust value is smaller than a first threshold.
Optionally, the private exchange module is specifically configured to disconnect the communication connection between the active agent module and the passive agent module, and cut off the session between the subject device and the object device, when the identity verification result of the user becomes that the identity is illegal.
Optionally, the passive agent module is specifically configured to periodically transform the target access port according to the industrial protocol type during the session.
The subject device is specifically used for accessing the object device through the transformed target access port, and the access rights of the user are not changed by the transformation.
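The continuous trust evaluation and the session adjustment it drives, as an added example that is not the patent's code. The environment trust value is built from the three network environment attributes, the behavior trust value from the context behavior log, credential information and linked devices, and the access trust value from both; the agent center then locks the session when the value falls below the first threshold and cuts it off when the identity becomes illegal. The weights, scoring rules, the threshold value 0.7 and the sample inputs are assumptions.

```python
FIRST_THRESHOLD = 0.7  # assumed first threshold for the access trust value

# assumed weights of the three network environment attributes
ENV_WEIGHTS = {"configuration_carrier": 0.3, "system_security": 0.4, "subject_behavior": 0.3}
# assumed weights of the three operation behavior information sources
BEHAVIOR_WEIGHTS = {"context_log": 0.5, "credential": 0.3, "linked_devices": 0.2}


def fraction_passing(checks):
    """Share of boolean checks that pass, in [0, 1]."""
    return sum(1 for passed in checks.values() if passed) / len(checks)


def environment_trust(env):
    """Environment trust value from configuration carrier, system security and subject behavior attributes."""
    scores = {name: fraction_passing(env[name]) for name in ENV_WEIGHTS}
    return round(sum(ENV_WEIGHTS[name] * scores[name] for name in ENV_WEIGHTS), 4)


def behavior_trust(beh):
    """Behavior trust value from the context behavior log, credential information and linked devices."""
    cred = beh["credential"]
    scores = {
        # each logged anomaly costs 0.2; five or more drive the score to zero
        "context_log": max(0.0, 1.0 - beh["context_log"]["anomalies"] / 5),
        "credential": 1.0 if cred["valid"] and not cred["expired"] else 0.0,
        "linked_devices": fraction_passing(beh["linked_devices"]),
    }
    return round(sum(BEHAVIOR_WEIGHTS[name] * scores[name] for name in BEHAVIOR_WEIGHTS), 4)


def access_trust(env_value, beh_value):
    """Access trust value: equal-weight combination of the two trust values (assumed)."""
    return round(0.5 * env_value + 0.5 * beh_value, 4)


def adjust_session(session, identity_result, access_value):
    """The agent center's session adjustment; returns the updated session record."""
    session["access_trust"] = access_value
    if identity_result == "illegal":
        # private exchange module disconnects the active/passive link and cuts the session off
        session["state"], session["port_open"] = "cut_off", False
    elif access_value < FIRST_THRESHOLD:
        # passive agent module closes the target access port and locks the session
        session["state"], session["port_open"] = "locked", False
    else:
        session["state"], session["port_open"] = "active", True
    return session


# constructed samples of periodically collected information
HEALTHY_ENV = {
    "configuration_carrier": {"managed_device": True, "disk_encrypted": True},
    "system_security": {"patched": True, "endpoint_protection_running": True},
    "subject_behavior": {"no_failed_logins": True, "within_shift_hours": True},
}
DEGRADED_ENV = {**HEALTHY_ENV,
                "system_security": {"patched": True, "endpoint_protection_running": False}}
HEALTHY_BEH = {
    "context_log": {"anomalies": 1},
    "credential": {"valid": True, "expired": False},
    "linked_devices": {"hmi-1": True, "historian": True},
}
DEGRADED_BEH = {**HEALTHY_BEH, "context_log": {"anomalies": 5},
                "linked_devices": {"hmi-1": True, "historian": False}}


def evaluate(env, beh, identity_result="legal"):
    """One evaluation round: returns the adjusted session for the sampled inputs."""
    value = access_trust(environment_trust(env), behavior_trust(beh))
    return adjust_session({"state": "active", "port_open": True}, identity_result, value)
```

With these inputs the healthy samples score 1.0 and 0.9 for an access trust value of 0.95, while the degraded samples score 0.8 and 0.4 for 0.6, which is below the threshold and locks the session; a legal identity that later becomes illegal is cut off regardless of the trust value.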
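The periodic transformation of the target access port according to the industrial protocol type, as an added example that is not the patent's code. Both the passive agent module and the subject device derive the port of the current time slot from a shared session secret with HMAC-SHA256, so the port moves while the access control policy attached to the session is untouched. The per-protocol port ranges, the five-minute period, the HMAC construction and the session secret are assumptions.

```python
import hashlib
import hmac

TRANSFORM_PERIOD_S = 300  # assumed: the target access port changes every five minutes
# assumed port range per industrial protocol type from which the target port is drawn
PORT_RANGE_BY_PROTOCOL = {"modbus": (20000, 20999), "opcua": (21000, 21999)}


def time_slot(now_s, period_s=TRANSFORM_PERIOD_S):
    """Index of the transformation period containing the given Unix time."""
    return now_s // period_s


def target_port(session_secret, protocol, slot):
    """Port for this protocol and slot, derived with HMAC-SHA256 from the session secret."""
    low, high = PORT_RANGE_BY_PROTOCOL[protocol]
    message = f"{protocol}|{slot}".encode()
    digest = hmac.new(session_secret, message, hashlib.sha256).digest()
    return low + int.from_bytes(digest[:4], "big") % (high - low + 1)


class Session:
    """Session between subject device and object device with a moving target access port."""

    def __init__(self, session_secret, protocol, access_rights):
        self.secret = session_secret
        self.protocol = protocol
        self.access_rights = dict(access_rights)  # access control policy; never touched by the transformation
        self.current_port = None

    def passive_agent_transform(self, now_s):
        """Passive agent module: move the target access port to this slot's value."""
        self.current_port = target_port(self.secret, self.protocol, time_slot(now_s))
        return self.current_port

    def subject_device_port(self, now_s):
        """Subject device: compute the same port independently from the shared secret."""
        return target_port(self.secret, self.protocol, time_slot(now_s))

    def accept(self, port, now_s):
        """Passive agent module admits traffic only on the current slot's port."""
        return port == target_port(self.secret, self.protocol, time_slot(now_s))


def demo():
    """Transform once, then compute the subject device's port for the following period."""
    session = Session(b"constructed-session-secret", "modbus", {"operations": ["read"]})
    t0 = 1_700_000_000
    first = session.passive_agent_transform(t0)
    later = session.subject_device_port(t0 + TRANSFORM_PERIOD_S)
    return session, first, later, t0
```

Deriving the port from a keyed hash rather than a published schedule means an observer who sees one period's port learns nothing about the next; a real deployment would also accept the previous slot's port briefly around each boundary to absorb clock skew.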
Optionally, the behavior feature library is configured to record and update the access behavior rule of the user according to the access behavior information.
In a second aspect, the present application provides a resource access method, applied to a resource access system, including:
The subject device receives a first operation of a user accessing the object device.
The subject device sends an access request to the agent center in response to the first operation.
The agent center sends an identity verification request to the identity authentication center according to the access request.
The identity authentication center authenticates the user according to the identity verification request to obtain an identity verification result, wherein the identity verification result is either that the identity is legal or that the identity is illegal.
The identity authentication center sends the identity verification result to the agent center.
When the identity verification result is that the identity is legal, the agent center sends an authority acquisition request to the control center.
The control center sends the access control strategy of the user to the agent center according to the authority acquisition request.
The agent center establishes a session with the subject device according to the access control strategy and opens the target access port to the user.
Optionally, the control center includes a resource access list and a behavior feature library.
The agent center processes the access request, extracts the identity information of the user and the access behavior information of the user, and sends an identity verification request carrying the identity information to the identity authentication center.
And the identity authentication center performs identity authentication on the user according to the identity information to obtain an identity authentication result.
And the agent center receives the identity verification result sent by the identity authentication center, and sends identity information and access behavior information to the control center when the identity verification result is that the identity is legal.
And the control center matches the resources in the resource access list according to the identity information to obtain a first resource access authority.
And the control center matches the behavior rules in the behavior feature library according to the access behavior information to obtain a first behavior authority.
The control center obtains an access control strategy according to the first resource access authority and the first behavior authority, and sends the access control strategy to the agent center.
Optionally, the identity information includes one or more of the following: a password, a short message verification code and a biometric identification code.
The identity authentication center performs multi-factor authentication of the user's identity according to the password, the short message verification code and/or the biometric identification code to obtain an identity verification result.
Optionally, the agent center includes an active agent module, a passive agent module, and a private exchange module, and the active agent module and the passive agent module are in communication connection through the private exchange module.
The private exchange module is used for carrying out Hash calculation on the identity information of the user, the access behavior information of the user and the digital certificate of the user to obtain a label; wherein the tag is used to identify the user.
And the active agent module is used for distributing the label to the user.
And the passive agent module opens the target access port to the user according to the label and the access control strategy.
Optionally, the resource access system further includes an environment perception module and a behavior analysis module.
While the user accesses the object device, the environment perception module periodically collects the network environment information of the user. The network environment information includes configuration carrier attributes, system security attributes and subject behavior attributes.
The environment perception module obtains an environment trust value of the user according to the configuration carrier attributes, the system security attributes and the subject behavior attributes, and sends the environment trust value to the control center.
While the user accesses the object device, the behavior analysis module periodically collects operation behavior information of the user; the operation behavior information includes a context behavior log, authentication credential information, and information about other linked devices.
The behavior analysis module obtains a behavior trust value of the user according to the context behavior log, the authentication credential information and the information about other linked devices, and sends the behavior trust value to the control center.
And the control center obtains an access trust value according to the environment trust value and the behavior trust value.
The control center sends the access trust value to the agent center.
And the agent center adjusts the session according to the access trust value.
Optionally, when the access trust value is smaller than the first threshold, the passive agent module closes the target access port and locks the session between the subject device and the object device.
Optionally, when the identity verification result of the user becomes that the identity is illegal, the private exchange module disconnects the communication connection between the active agent module and the passive agent module, and cuts off the session between the subject device and the object device.
Optionally, during the session, the passive agent module periodically transforms the target access port according to the industrial protocol type.
The subject device accesses the object device through the transformed target access port, and the access rights of the user are not changed by the transformation.
Optionally, the behavior feature library records and updates the behavior rules of the user during the session according to the access behavior information.
In a third aspect, the present application provides an electronic device, comprising: a memory and a processor;
a memory for storing a computer program.
A processor, configured to read the computer program stored in the memory and, according to it, execute the steps performed in the second aspect by the subject device, by the agent center, by the identity authentication center, or by the control center.
In a fourth aspect, the present application provides a readable storage medium on which a computer program is stored; the computer program holds computer-executable instructions which, when executed by a processor, implement the steps performed in the second aspect by the subject device, by the agent center, by the identity authentication center, or by the control center.
In a fifth aspect, an embodiment of the present application further provides a computer program product that includes a computer program; when executed by a processor, the computer program implements the steps performed in the second aspect by the subject device, by the agent center, by the identity authentication center, or by the control center.
The resource access system comprises a subject device, a control center, an identity authentication center, an agent center and an object device, wherein the agent center is in communication connection with the subject device, the control center, the identity authentication center and the object device. The subject device is used for receiving a first operation of a user accessing the object device and for responding to the first operation by sending an access request to the agent center; the agent center is used for sending an identity verification request to the identity authentication center according to the access request; the identity authentication center is used for authenticating the user according to the identity verification request to obtain an identity verification result, which is either that the identity is legal or that the identity is illegal, and for sending the identity verification result to the agent center; the agent center is used for sending an authority acquisition request to the control center when the identity verification result is that the identity is legal; the control center is used for sending the access control strategy of the user to the agent center according to the authority acquisition request; and the agent center is used for establishing a session with the subject device according to the access control strategy and opening the target access port to the user. In the system, the user is authenticated, and only when the identity verification result is that the identity is legal is the target access port opened to the user according to the access control strategy, so the risks of malicious intrusion and access permission abuse are reduced and the security of the system is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic structural diagram of a resource access system according to an embodiment of the present application;
fig. 2 is a schematic flowchart of a resource access method according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Specific embodiments of the present application have been shown by way of example in the drawings and will be described in more detail below. These drawings and written description are not intended to limit the scope of the inventive concepts in any manner, but rather to illustrate the inventive concepts to those skilled in the art by reference to specific embodiments.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the application, as detailed in the appended claims.
The technical scheme provided by the embodiment of the application can be applied to the process of resource access, and particularly can be applied to the scene of accessing industrial resources in an industrial control system. An industrial resource can include, among other things, data, applications, systems, networks, interfaces, functions, or devices.
Since the business system carried by the industrial control system is related to the stable operation of important infrastructure, the safety of industrial resources such as data, applications, systems, networks and the like in the industrial control system is of great importance. At present, there are various protection means for the security of the industrial control system at home and abroad, such as deep defense or endogenous security, but more demands for industrial resources are on access and use, and the security risk existing in the access process is ignored, so that the industrial control system has the risk of access permission abuse and malicious intrusion.
Based on the above problems, the present application provides a resource access system, a method, an electronic device, and a storage medium, where the resource access system includes a subject device, a control center, an identity authentication center, an agent center, and an object device. The subject device is used for receiving a first operation of a user accessing the object device and for responding to the first operation by sending an access request to the agent center; the agent center is used for sending an identity verification request to the identity authentication center according to the access request; the identity authentication center is used for authenticating the user according to the identity verification request to obtain an identity verification result, which is either that the identity is legal or that the identity is illegal, and for sending the identity verification result to the agent center; the agent center is used for sending an authority acquisition request to the control center when the identity verification result is that the identity is legal; the control center is used for sending the access control strategy of the user to the agent center according to the authority acquisition request; and the agent center is used for establishing a session with the subject device according to the access control strategy and opening the target access port to the user. In the system, the user is authenticated, and only when the identity verification result is that the identity is legal is the target access port opened to the user according to the access control strategy, so the risks of malicious intrusion and abuse of access authority are reduced and the security of the system is improved.
The following describes the technical solutions of the present application and how to solve the above technical problems with specific examples. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Fig. 1 is a schematic structural diagram of a resource access system 100 according to an embodiment of the present application. As shown in fig. 1, the resource access system 100 includes: a subject device 101, a control center 102, an identity authentication center 103, an agent center 104, and an object device 105. The agent center 104 is in communication connection with the subject device 101, the control center 102, the identity authentication center 103, and the object device 105.
In this embodiment, the subject device 101 may be a terminal device, such as a mobile phone, a tablet computer or a notebook computer. The control center 102, the identity authentication center 103, the agent center 104, and the object device 105 may be servers.
In this embodiment, the control center 102 may grant access rights according to the identity of the access subject (e.g., a user, a role, an organization, or an application), the access object (e.g., an application or an application programming interface (API)), the grouping configuration, historical behavior rule characteristics, etc., and issue an access control policy to the agent center 104. During the access process, it also establishes a trust evaluation model and outputs an access trust value, derived from the environment trust value, the behavior trust value and other parameters, as the basis for adjusting the session.
In the embodiment of the present application, the identity authentication center 103 may verify the identity information of the user; for example, it may integrate multiple authentication factors into a unified identity authentication system for verifying the identity information of the user.
In this embodiment, the agent center 104 may receive an access request initiated by an access subject and extract identity information and access behavior information from the access request packet, where the access behavior information includes: source address, destination address, access type, industrial control protocol type, and/or operation type (I/O), etc. The parameters in the user's access behavior information determine the user's access behavior characteristics.
In this embodiment, the object device 105 may be an access object, and the object device 105 may include an industrial resource. An industrial resource can include, among other things, a device, data, an application, an interface, or a function.
It should be noted that the communication connection between the agent center 104 and each of the host device 101, the control center 102, the authentication center 103, and the object device 105 may utilize a network, and may include various types of wired and wireless networks, such as but not limited to: the internet, local area networks, WIFI, WLAN, cellular communication networks (GPRS, CDMA, 2G/3G/4G/5G cellular networks), satellite communication networks, and so forth.
In one possible implementation, the host device 101 is configured to receive a first operation of accessing the object device 105 by a user; a main device 101 for sending an access request to the broker center 104 in response to a first operation; the agent center 104 is used for sending an identity verification request to the identity authentication center 103 according to the access request; the identity authentication center 103 is used for performing identity authentication on the user according to the identity authentication request to obtain an identity authentication result, wherein the identity authentication result comprises identity legality or identity legality; identity authentication center 103, for sending the identity verification result to agent center 104; the agent center 104 is used for sending an authority acquisition request to the control center 102 when the identity verification result is that the identity is legal; the control center 102 is used for sending the access control strategy of the user to the agent center 104 according to the authority obtaining request; and the proxy center 104 is configured to establish a session with the main device 101 according to the access control policy, and open a target access port to a user.
In the embodiment of the present application, the first operation may be understood as an operation in which the user applies for access to the object device 105 through the host device 101. The access request may be understood as a request for access to the object device 105 by the user through the host device 101. An identity authentication request may be understood as a request for applying for authentication of a user identity. The right acquisition request may be understood as a request for acquiring the access right of the user. An access control policy may be understood as a specific access right granted to the user's access, e.g., the access control policy may include areas that the user may access and/or operations that the user may perform, etc. The target access port can be understood as an access port set according to the access authority of the user, the user can access resources within the authority and execute behaviors within the authority, resources outside the authority cannot be accessed, and behaviors outside the authority cannot be executed.
Illustratively, the host device 101 receives a first operation of a user accessing the object device 105, and in response to the first operation, sends an access request to the proxy center 104, the proxy center 104 sends an authentication request to the authentication center 103 according to the access request, the authentication center 103 performs authentication on the user according to the authentication request to obtain an authentication result, the authentication result includes identity legitimacy or identity non-legitimacy, the authentication center 103 sends an authentication result to the proxy center 104, when the authentication result is identity legitimacy, the proxy center 104 sends an authority acquisition request to the control center 102, and the control center 102 sends an access control policy of the user to the proxy center 104 according to the authority acquisition request; the agent center 104 establishes a session with the host device 101 according to the access control policy, and opens a target access port to the user, and the user can use the host device 101 and access the object device 105 through the target access port. When the identity authentication result is that the identity is illegal, the agent center 104 rejects the access request of the user.
In the resource access system 100 provided in the embodiment of the present application, the resource access system 100 includes a subject device 101, a control center 102, an identity authentication center 103, an agent center 104, and an object device 105. The subject device 101 is configured to receive a first operation of a user accessing the object device and, in response to the first operation, to send an access request to the agent center 104; the agent center 104 is configured to send an identity verification request to the identity authentication center 103 according to the access request; the identity authentication center 103 is configured to authenticate the user according to the identity verification request to obtain an identity verification result, where the identity verification result is either that the identity is legal or that the identity is illegal, and to send the identity verification result to the agent center 104; the agent center 104 is configured to send an authority acquisition request to the control center 102 when the identity verification result is that the identity is legal; the control center 102 is configured to send the user's access control policy to the agent center 104 according to the authority acquisition request; and the agent center 104 is configured to establish a session with the subject device 101 according to the access control policy and to open a target access port to the user. In the system 100, after an operation in which the user applies for access to the object device 105 is received, the user is authenticated, and only when the result is that the identity is legal is a target access port opened to the user according to the access control policy, so that the risks of malicious intrusion and access right abuse are reduced and the security of the system is improved.
In the embodiment of the application, factors such as an unsafe network environment, a fuzzy network boundary, a remote operation and maintenance operation, traditional identity authentication, east-west resource opening and the like easily cause the risk of abuse of access rights and malicious intrusion. In addition, the traditional identity authentication and access control method has the problems of difficult maintenance, insufficient strength, poor real-time performance and the like, dynamic evolution cannot be carried out according to the change of industrial resource business requirements, and the consequences of control failure, influence on application development and the like can be generated.
In addition, the access relations in the industrial internet have certain characteristics: there are few active access request links and the access relations are relatively fixed, so that, compared with the complex access patterns of the general internet, access in the industrial internet follows regular patterns. Therefore, access to industrial resources should establish a trusted data transmission channel in the untrusted network environment based on these access regularities, so as to realize secure access to industrial resources. Based on this, on the basis of the above embodiment, the system further includes the following:
Illustratively, the control center 102 includes a resource access list 1021 and a behavior feature library 1022. The agent center 104 is specifically configured to process the access request, extract the identity information of the user and the access behavior information of the user, and send an identity verification request carrying the identity information to the identity authentication center 103; the identity authentication center 103 is specifically configured to perform identity authentication on the user according to the identity information to obtain an identity verification result; the agent center 104 is specifically configured to receive the identity verification result sent by the identity authentication center 103, and to send the identity information and the access behavior information to the control center 102 when the identity verification result is that the identity is legal; the control center 102 is specifically configured to match the resources in the resource access list 1021 according to the identity information to obtain a first resource access right; the control center 102 is specifically configured to match the behavior rules in the behavior feature library 1022 according to the access behavior information to obtain a first behavior right; and the control center 102 is specifically configured to obtain an access control policy according to the first resource access right and the first behavior right, and to send the access control policy to the agent center 104.
In this embodiment, the resource access list 1021 may be configured to determine, according to the identity information of the user, the right of the user to access the resource, and the behavior feature library 1022 may be configured to determine, according to the access behavior information of the user, the right of the user to perform the relevant behavior.
Illustratively, the agent center 104 processes the access request, extracts the identity information of the user and the access behavior information of the user, and sends an identity verification request carrying the identity information to the identity authentication center 103. The identity authentication center 103 verifies the identity of the user according to the identity information to obtain an identity verification result. The agent center 104 receives the identity verification result sent by the identity authentication center 103 and, when the result is that the identity is legal, sends the identity information and the access behavior information to the control center 102. The control center 102 then judges, from the user's identity information and access behavior information, whether the access conforms to the resource access list and to the historical behavior rules: it matches the resources in the resource access list 1021 according to the identity information to obtain a first resource access right, matches the behavior rules in the behavior feature library 1022 according to the access behavior information to obtain a first behavior right, derives an access control policy from the first resource access right and the first behavior right, and sends the access control policy to the agent center 104.
Illustratively, after determining that the user has the right to access the resource and has the right to execute the related behavior, the agent center 104 establishes a session with the main device 101, and opens an access port to the user; upon determining that the user does not have the right to access the resource and does not have the right to perform the associated action, the broker center 104 denies the user's access request.
In the embodiment of the application, after the identity of the user is legal, the authentication of the identity, the resource authority and the behavior authority is realized by acquiring the resource access authority and the behavior authority of the user, and the identity credibility, the resource authority legality, the behavior authority compliance and the session channel safety are ensured, so that the safety protection of industrial resources can be realized, the abuse of the authority is avoided, and the safety protection level of a resource access system is improved.
Illustratively, the identity information includes one or more of: a password, a short message (SMS) verification code and a biometric identification code. The identity authentication center is specifically configured to perform multi-factor authentication of the user's identity according to the password, the SMS verification code and/or the biometric identification code to obtain an identity verification result.
In the embodiment of the present application, the integrated multi-factor authentication method verifies the user's identity using the password, the SMS verification code and/or the biometric identification code, and the like, to obtain an identity verification result. Distributed authentication services are integrated by interfacing with them, the multi-factor authentication combination is flexibly customized, a unified identity authentication management system is built, unsafe multidimensional authentication paths are reduced, and identity authentication efficiency is improved.
It should be noted that the integrated multi-factor authentication method can determine the uniqueness of the identity.
Illustratively, the broker 104 includes an active broker module 1041, a passive broker module 1042 and a private exchange module 1043, and the active broker module 1041 and the passive broker module 1042 are communicatively connected through the private exchange module 1043. The active agent module 1041, configured to perform hash calculation on the identity information of the user, the access behavior information of the user, and the digital certificate of the user to obtain a label, and assign the label to the user; and the passive agent module 1042 is configured to open a target access port to the user according to the tag and the access control policy.
In the embodiment of the application, the tag can be used to identify the user and also to identify the user's session, so that the session can be recorded and its security and uniqueness ensured. A digital certificate is understood as a certificate that identifies the identity of each user.
In this embodiment, the broker center 104 establishes a secure access channel by using a private protocol in a private exchange module based on a dual-machine heterogeneous mode of the active broker module 1041 and the passive broker module 1042, where the active broker module 1041 brokers an access subject, the passive broker module 1042 brokers an access object, and different modules broker the access subject and the access object to cut off a direct access path.
Illustratively, the broker 104 may pre-grant digital certificates to each user. In the process of accessing by the user, the private exchange module 1043 may perform hash calculation on the digital certificate of the user, the identity information of the user, and the access behavior information of the user to obtain the label of the user.
Illustratively, the active agent module 1041 may replace an access subject, and the passive agent module 1042 may replace an access object, so as to cut off a conventional direct access path and protect industrial resources more securely. Wherein, the active agent module 1041 assigns the label to the access subject with the access right; the passive agent module 1042 implements resource isolation in the same area, hides an access object, opens a minimum port to shield an illegal link, protects security of the access object, and opens a target access port (e.g., port 1-65535) to receive an access request in a specific time period according to industrial protocol characteristics, implements a secure session in a secure channel, and accesses the access object on demand.
In this embodiment of the application, the active agent module 1041 assigns the user a tag that identifies the user, and the passive agent module 1042 opens a target access port to the user according to the tag and the access control policy. This protects the security of the access object, hides resources according to the principle of no access unless necessary, solves the problem of exposure of the access object, and, using a micro-isolation principle, solves the problem of the access object being open in the east-west direction.
In the embodiment of the application, because directly accessing the access object leaves an overly large exposed surface and makes access operations uncontrollable, in the dual-machine heterogeneous mode the access subject cannot access the object directly: only the passive agent module docks with the access object, and the access subject is given only the minimal interface necessary for access, so that the impact of any access is minimized.
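The following is an added example, not code from the patent, that models the authorization pipeline described above for the agent center: multi-factor identity verification, matching of the resource access list and behavior feature library to obtain the first resource access right and first behavior right, denial when either right is missing, and the active agent module's tag computed as a hash over identity information, access behavior information and the user's digital certificate. The resource access list, behavior feature library, authentication factors and certificate strings are constructed sample data, and every function and field name is an assumption for illustration.

```python
"""Added example (not the patent's own code): a toy agent-center pipeline.
All data below is constructed; names are assumptions for illustration."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed resource access list (control center): objects each identity may reach.
RESOURCE_ACCESS_LIST = {
    "alice": {"plc-line-1", "historian"},
    "bob": {"historian"},
}
# Constructed behavior feature library: (object, operation) pairs matching each
# user's recorded behavior rules.
BEHAVIOR_FEATURE_LIBRARY = {
    "alice": {("plc-line-1", "read"), ("historian", "read")},
    "bob": {("historian", "read")},
}
# Constructed identity authentication center data: expected factors per user.
AUTH_FACTORS = {
    "alice": {"password": "pw-alice", "sms_code": "123456"},
    "bob": {"password": "pw-bob", "sms_code": "654321"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    password: str
    sms_code: str
    certificate: str   # constructed stand-in for the user's digital certificate
    target: str        # access object the subject wants to reach
    operation: str     # access behavior requested on that object


def authenticate(req):
    """Identity authentication center: multi-factor check; True means identity legal."""
    expected = AUTH_FACTORS.get(req.user)
    if expected is None:
        return False
    # Constant-time comparison so a wrong factor is not distinguishable by timing.
    ok_pw = hmac.compare_digest(expected["password"], req.password)
    ok_sms = hmac.compare_digest(expected["sms_code"], req.sms_code)
    return ok_pw and ok_sms


def match_policy(user, target, operation):
    """Control center: first resource access right from the resource access list,
    first behavior right from the behavior feature library."""
    resource_right = target in RESOURCE_ACCESS_LIST.get(user, set())
    behavior_right = (target, operation) in BEHAVIOR_FEATURE_LIBRARY.get(user, set())
    return {"resource_right": resource_right, "behavior_right": behavior_right}


def make_tag(identity, behavior, certificate):
    """Active agent module: hash of identity, behavior and certificate -> session tag.
    Each part is length-prefixed so different splits cannot collide."""
    h = hashlib.sha256()
    for part in (identity, behavior, certificate):
        data = part.encode()
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.hexdigest()


def broker(req):
    """Agent center: returns ('open', tag) when identity is legal and both rights
    are granted, otherwise ('deny', reason)."""
    if not authenticate(req):
        return ("deny", "identity illegal")
    policy = match_policy(req.user, req.target, req.operation)
    if not (policy["resource_right"] and policy["behavior_right"]):
        return ("deny", "no resource or behavior right")
    behavior = f"{req.target}:{req.operation}"
    return ("open", make_tag(req.user, behavior, req.certificate))


if __name__ == "__main__":
    ok = AccessRequest("alice", "pw-alice", "123456", "cert-alice", "plc-line-1", "read")
    print(broker(ok))
    print(broker(AccessRequest("bob", "pw-bob", "654321", "cert-bob", "plc-line-1", "read")))
```

Note that a request is denied as soon as identity verification fails, before any policy lookup, and that a user with the resource right but without a matching behavior rule (for example a write where only reads were ever recorded) is also denied, which is the "resource authority legality and behavior authority compliance" pairing the text describes.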
Illustratively, the resource access system 100 further includes a context awareness module 106 and a behavior analysis module 107. The environment sensing module 106 is configured to periodically collect network environment information of the user during a process in which the user accesses the object device 105; the environment sensing module 106 is configured to obtain an environment trust value of the user according to the configuration carrier attribute, the system security attribute and the main body behavior attribute, and send the environment trust value to the control center 102; a behavior analysis module 107, configured to periodically collect operation behavior information of the user in a process that the user accesses the object device 105; the behavior analysis module 107 is configured to obtain a behavior trust value of the user according to the context behavior log, the authentication credential information, and the information of the other linkage devices, and send the behavior trust value to the control center 102; the control center 102 is used for obtaining an access trust value according to the environment trust value and the behavior trust value; the control center 102 is used for sending the access trust value to the agent center 104; and the agent center 104 is used for adjusting the session according to the access trust value.
In an embodiment of the present application, the network environment information includes a configuration carrier attribute, a system security attribute, and a subject behavior attribute. The configuration carrier attribute may include the IP address of the access subject, important process information, and/or configuration baseline information; the system security attribute may include patch update information, malicious code prevention information and/or network environment change information, and the like; the subject behavior attribute may include system account and/or geographic location information, and the like. The operation behavior information includes a contextual behavior log, authentication credential information, and information of other linkage devices.
In the embodiment of the present application, the environment sensing module 106 and the behavior analysis module 107 are in an agent-less manner, and the agent-less manner may be understood that the environment sensing module 106 and the behavior analysis module 107 are part of the control center 102, and do not need a bottom layer device and an upper layer agent module to assist work.
In the embodiment of the present application, the environment awareness module 106 and the behavior analysis module 107 have edge computing capability. Specifically, the edge computing capability may be understood as an open platform with core capabilities of network, computing, storage, and/or application integrated on a side close to the subject or the object (e.g., industrial resource) to be accessed, so as to provide a near-end service nearby, and may generate a faster response, improve processing efficiency, and reduce a load of the control center.
It should be noted that the target of the context awareness module 106 is the access subject (e.g., the user), whose network context information it acquires. The behavior analysis module 107 is directed at the passive agent module 1042 rather than at the object device 105 directly: the access object is hidden from all access subjects, and every subject device 101 is in session with the object device 105 only through the passive agent module 1042. The behavior analysis module 107 may thus acquire information on the operation behavior performed by the user during the session.
Illustratively, while a user accesses the object device 105 through the subject device 101, the environment sensing module 106 periodically collects network environment information on the user side, obtains an environment trust value of the user from it, and sends the environment trust value to the control center 102; the behavior analysis module 107 periodically collects operation behavior information of the user, obtains a behavior trust value of the user from it, and sends the behavior trust value to the control center 102. The control center 102 obtains the access trust value through formula (1) from the environment trust value, the behavior trust value, and their respective weights, and sends the access trust value to the agent center 104, which adjusts the session according to the access trust value. Equation (1) can be expressed as:
$C = w_1 N_1 + w_2 N_2$ (1)
In equation (1), $C$ represents the access trust value, $N_1$ the environment trust value, $N_2$ the behavior trust value, $w_1$ the weight of the environment trust value, and $w_2$ the weight of the behavior trust value.
For example, if the environment trust value and the behavior trust value are 80 and 60, respectively, and the weighting values corresponding to the environment trust value and the behavior trust value are 0.6 and 0.4, respectively, then the access trust value is 72.
Illustratively, the control center 102 may also obtain the access trust value through the trust evaluation degree model according to the environment trust value, the behavior trust value and other parameters in the session process. The trust evaluation degree model is a model which is trained in advance by the control center 102 according to the historical environment trust value, the historical behavior trust value and other parameters in the historical conversation process.
In a possible implementation, the agent center 104 is further configured to send an instruction for acquiring network environment information of the user side to the environment sensing module 106 when the identity verification result is that the identity is legal; the environment sensing module 106 is further configured to respond to the instruction and collect network environment information of the user side; the control center 102 is further configured to obtain an access control policy of the user according to the identity information, the network environment information, and the access behavior information of the user.
In the embodiment of the present application, on one hand, the agent center 104 adjusts the session process in real time according to the access trust value by adopting the concept of never trust and continuous authentication. On the other hand, the edge calculation concept is adopted, the node calculation capacity is improved, the calculation pressure of the control center is reduced, and the problem that the control center is bloated can be solved. In addition, the system can also realize identity authentication, access authorization, environment perception and behavior analysis in a distributed mode and a progressive mode.
Illustratively, the passive agent module 1042 is specifically configured to close the target access port and lock a session between the host device 101 and the guest device 105 when the access trust value is smaller than the first threshold.
In the embodiment of the present application, locking the session may be understood as freezing the user's access interface at the screen it is on when the target access port is closed, so that no further operations can be performed.
It should be noted that the first threshold may be set according to practical situations or experience, for example, the first threshold may be set to 60, and the embodiment of the present application is not limited herein for the specific value of the first threshold.
For example, the first threshold is set to 60 in advance, and when the access trust value is 55 and the access trust value is smaller than the first threshold, the target access port is closed, and the session between the host device 101 and the guest device 105 is locked.
In this embodiment of the application, when the access trust value is smaller than the first threshold, for example, the network environment security is not satisfactory or the operation behavior of the access subject is abnormal, the target access port is closed, and the session between the subject device 101 and the object device 105 is locked, so that the security of the system can be improved, and the resource leakage can be prevented.
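The following is an added example, not code from the patent, that carries equation (1) through as a continuous evaluation: the control center's weighted access trust value is recomputed from each periodic environment and behavior reading, and the passive agent module closes the target access port and locks the session as soon as the value falls below the first threshold. The weights 0.6 and 0.4, the threshold 60 and the first reading (80, 60) are the values from the text; the later readings, the port number and all names are constructed assumptions.

```python
"""Added example (not the patent's own code): access trust per equation (1)
and the lock rule on the first threshold. Sample readings are constructed."""
from dataclasses import dataclass, field

FIRST_THRESHOLD = 60  # example value given in the text


def access_trust(env_trust, behavior_trust, w_env=0.6, w_behavior=0.4):
    """Equation (1): C = w1*N1 + w2*N2 with N1 = environment trust, N2 = behavior trust."""
    return w_env * env_trust + w_behavior * behavior_trust


@dataclass
class Session:
    tag: str                 # session tag assigned by the active agent module
    port: int                # target access port opened by the passive agent module
    locked: bool = False
    history: list = field(default_factory=list)

    def evaluate(self, env_trust, behavior_trust, threshold=FIRST_THRESHOLD):
        """Passive agent module: recompute C; below the threshold, close the
        target access port and lock the session. Returns the computed C."""
        c = access_trust(env_trust, behavior_trust)
        self.history.append(c)
        if c < threshold:
            self.locked = True
            self.port = None  # target access port closed
        return c


def monitor(session, readings):
    """Feed periodic (environment, behavior) trust readings to the session and
    stop at the first lock. Returns the list of access trust values computed."""
    values = []
    for env_trust, behavior_trust in readings:
        values.append(session.evaluate(env_trust, behavior_trust))
        if session.locked:
            break
    return values


if __name__ == "__main__":
    # Constructed readings: the environment degrades over three periods.
    s = Session(tag="constructed-tag", port=20232)
    print(monitor(s, [(80, 60), (70, 50), (50, 55), (90, 90)]))
    print("locked:", s.locked, "port:", s.port)
```

With the constructed readings the trust values are 72, 62 and 52: the third reading crosses the threshold, the port is closed and the session is locked, and the later high reading is never applied because a locked session is not re-evaluated by this loop.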
Illustratively, the private exchange module 1043 is specifically configured to disconnect the communication connection between the active agent module 1041 and the passive agent module 1042 when the identity verification result of the user becomes that the identity is illegal, and cut off the session between the host device 101 and the guest device 105.
In this embodiment of the present application, the agent center 104 may preset an open duration of the target access port, for example, the open duration of the target access port of the user a is set to 60 minutes, and when the access time of the user a reaches 60 minutes, the authentication result of the user becomes an identity illegal.
In the embodiment of the present application, the session disconnection may be understood as that the user is forced to exit the access interface for the access object, and cannot acquire the access object resource in the object device 105 any more.
For example, when the identity verification result of the user becomes that the identity is illegal, the private exchange module 1043 disconnects the communication connection between the active agent module 1041 and the passive agent module 1042, closes the secure access channel, and cuts off the session between the subject device 101 and the object device 105, thereby improving the security of the system and preventing resource leakage.
Illustratively, the passive agent module is specifically configured to periodically switch the target access port according to the industrial protocol type during a session, and the subject device is specifically configured to access the object device through the switched target access port, while the user's access authority remains unchanged.
In the embodiment of the application, the industrial protocol type may include a Modbus communication protocol, an RS-232 communication protocol, an RS-485 communication protocol, a HART communication protocol, an MPI communication or a serial communication, etc.
For example, during the session the passive agent module 1042 may periodically change the target access port according to the industrial protocol type. Suppose the open duration of user A's target access port is set to 40 minutes and the industrial protocol type changes every 20 minutes: the RS-232 communication protocol is used in the first 20 minutes and the RS-485 communication protocol in the last 20 minutes, so the port corresponding to RS-232 is used in the first 20 minutes and the port corresponding to RS-485 in the last 20 minutes.
It should be noted that although the target access port changes with the protocol, the user's access authority does not change with the industrial protocol type: when the subject device 101 accesses the object device 105 through the switched target access port, the access object resources it can obtain are the same as before the switch.
In the embodiment of the application, the target access port is periodically changed according to the type of the industrial protocol in the session process, but the process is kept public and transparent to an access subject, so that malicious eavesdropping and intrusion can be prevented.
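The following is an added example, not code from the patent, that models the two session-lifetime rules just described: the target access port is switched on a per-protocol schedule while the user's rights stay the same, and once the preset open duration is exhausted the identity is treated as illegal and the session is cut. The 40-minute duration split into two 20-minute RS-232 and RS-485 windows comes from the text; the port numbers, the rights set and all names are constructed assumptions.

```python
"""Added example (not the patent's own code): scheduled target-port switching
per industrial protocol type with unchanged rights, and session cut-off when
the open duration expires. Port numbers and schedule are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Window:
    protocol: str   # industrial protocol type in force during this window
    port: int       # constructed target access port for that protocol
    minutes: int    # length of the window


# Constructed schedule from the example: 40-minute open duration, protocol
# changes every 20 minutes.
SCHEDULE = (Window("RS-232", 20232, 20), Window("RS-485", 20485, 20))
OPEN_DURATION_MIN = sum(w.minutes for w in SCHEDULE)


def current_window(elapsed_min, schedule=SCHEDULE):
    """Return the window active at elapsed_min, or None once the open duration
    has been used up (identity becomes illegal, session is cut)."""
    if elapsed_min < 0:
        raise ValueError("elapsed time cannot be negative")
    start = 0
    for w in schedule:
        if start <= elapsed_min < start + w.minutes:
            return w
        start += w.minutes
    return None


def session_state(elapsed_min, rights, schedule=SCHEDULE):
    """What the subject device sees at elapsed_min: the current target port and
    protocol plus the user's rights, which never change with the port; or the
    session cut once the open duration is exceeded."""
    w = current_window(elapsed_min, schedule)
    if w is None:
        return {"status": "cut", "port": None, "protocol": None, "rights": frozenset()}
    return {"status": "open", "port": w.port, "protocol": w.protocol,
            "rights": frozenset(rights)}


if __name__ == "__main__":
    rights = {"plc-line-1:read"}   # constructed access control policy
    for t in (5, 25, 40):
        print(t, session_state(t, rights))
```

At minute 5 and minute 25 the state reports different ports and protocols but the identical rights set, which is the property the text insists on; at minute 40 the schedule is exhausted and the state is reported as cut, matching the open-duration rule for the private exchange module.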
In one possible implementation, the agent center 104 includes an active agent module 1041, a passive agent module 1042, and a private exchange module 1043. The active agent module 1041 is specifically configured to receive an access request initiated by the access subject, extract identity information and access behavior information from the request message, request the identity authentication center 103 to apply its multiple authentication factors for identity authentication, and, once the user's identity is confirmed to be legal, send an instruction to the environment sensing module 106 to acquire network environment information of the user side and send the access behavior information to the control center 102. The private exchange module 1043 is specifically configured to establish a private access channel between the active agent module 1041 and the passive agent module 1042 on the conditions of identity credibility, authority legality, behavior compliance, environment security, and the like, thereby establishing a session between the subject device and the object device and creating a tag for the session; it receives the access control policy sent by the control center 102, adjusts the session in real time, and, when it detects that the access subject's authority no longer supports access to the access object and the trusted identity has become invalid, closes the secure access channel and cuts off the session. The passive agent module 1042 is specifically configured to realize resource isolation within the same area, hide the industrial resources to be accessed, and open a minimal access port; when it detects that the access trust value has dropped below the first threshold, for example because the environment security does not meet requirements or the operation behavior of the access subject is abnormal, it closes the target access port and locks the session.
In the embodiment of the application, the identity information of the access subject is verified, resources are hidden according to the principle of no access unless necessary, the problem of exposure of the access object is solved and its security protected, the problem of the access object being open in the east-west direction is solved by adopting a micro-isolation principle, and the session process is adjusted in real time by adopting the concept of never trusting and continuously authenticating.
Illustratively, the behavior feature library 1022 is used for recording and updating the behavior rules of the user according to the access behavior information.
In this embodiment of the present application, after a session process is finished, the control center 102 may perform behavior analysis on the user according to the access behavior information, determine whether the behavior rule of the user in the behavior feature library needs to be updated, and record and update the behavior rule of the user in the session process if the behavior rule needs to be updated.
In the embodiment of the present application, by recording and updating the behavior rules of the user, the behavior rules in the behavior feature library 1022 can be matched against the user's access behavior information at the next access, so as to obtain the user's behavior right for that access.
Fig. 2 is a flowchart illustrating a resource access method according to an embodiment of the present application, where the resource access method may be applied to the resource access system shown in fig. 1, and the resource access method may be executed by a software and/or hardware device. For example, referring to fig. 2, the resource access method may include:
S201, the main device receives a first operation of a user for accessing the object device.
In this embodiment, the host device may be a terminal device, such as a mobile phone, a tablet computer, a notebook computer, and the like, and the object device may be a server. The first operation may be understood as an operation in which the user applies for access to the object device through the host device.
S202, the main device responds to the first operation and sends an access request to the agent center.
In this embodiment of the application, the proxy center may be a server, and the access request may be understood as a request for the user to access the object device through the host device.
S203, the agent center sends an identity verification request to the identity authentication center according to the access request.
In this embodiment, the identity authentication center may be a server, and is configured to verify identity information of a user. An identity authentication request may be understood as a request for applying for authentication of a user identity.
S204, the identity authentication center performs identity authentication on the user according to the identity authentication request to obtain an identity authentication result.
In the embodiment of the present application, the identity verification result may include that the identity is legal or illegal.
S205, the identity authentication center sends an identity verification result to the agent center.
S206, when the identity verification result is that the identity is legal, the agent center sends an authority acquisition request to the control center.
In the embodiment of the application, the control center can grant access rights according to the grouping configuration of the access subject identity (such as a user, a role, an organization or an application, etc.), the access object (such as an application or an API), the historical behavior rule characteristics, and the like. The right acquisition request may be understood as a request for acquiring the access right of the user.
S207, the control center sends the access control strategy of the user to the agent center according to the permission acquisition request.
In the embodiment of the present application, the access control policy may be understood as a specific access right granted to the access of the user, for example, the access control policy may include an area accessible by the user and/or an operation that the user may perform, and the like.
S208, the agent center establishes a session with the main device according to the access control strategy, and opens the target access port to the user.
In the embodiment of the present application, the target access port may be understood as an access port set according to an access right of a user, the user may access a resource within the right and execute a behavior within the right, a resource outside the right may not be accessed, and a behavior outside the right may not be executed.
The resource access method provided by the embodiment of the application is applied to a resource access system and comprises the following steps: the subject device receives a first operation of a user for accessing the object device; the subject device responds to the first operation by sending an access request to the agent center; the agent center sends an identity verification request to the identity authentication center according to the access request; the identity authentication center authenticates the user according to the identity verification request to obtain an identity verification result, which is either that the identity is legal or that the identity is illegal; the identity authentication center sends the identity verification result to the agent center; when the identity verification result is that the identity is legal, the agent center sends an authority acquisition request to the control center; the control center sends the user's access control policy to the agent center according to the authority acquisition request; and the agent center establishes a session with the subject device according to the access control policy and opens a target access port to the user. In the method, the user is authenticated, and only when the result is that the identity is legal is the target access port opened to the user according to the access control policy, so that the risks of malicious intrusion and access authority abuse are reduced and the security of the system is improved.
Illustratively, the control center includes a resource access list and a behavior feature library. The method comprises the steps that an agent center processes an access request, extracts identity information of a user and access behavior information of the user, sends an identity verification request carrying the identity information to an identity authentication center, the identity authentication center conducts identity verification on the user according to the identity information to obtain an identity verification result, the agent center receives the identity verification result sent by the identity authentication center, when the identity verification result is that the identity is legal, the identity information and the access behavior information are sent to a control center, the control center matches resources in a resource access list according to the identity information to obtain a first resource access authority, the control center matches behavior rules in a behavior feature library according to the access behavior information to obtain a first behavior authority, and the control center obtains an access control strategy according to the first resource access authority and the first behavior authority and sends the access control strategy to the agent center.
In the embodiment of the application, the resource access list can be used for determining the authority of the user for accessing the resource according to the identity information of the user, and the behavior feature library can be used for determining the authority of the user for executing the related behavior according to the access behavior information of the user.
Illustratively, after determining that the user has the right to access the resource and the right to execute the related behavior, the agent center establishes a session with the main device, and opens an access port to the user; after determining that the user does not have the right to access the resource and does not have the right to perform the associated action, the broker center denies the user's access request.
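The control center matching described above, written out as an added Python example (illustrative code, not from the application): the layout of the resource access list and the behavior feature library, their sample entries, and the function names are assumptions. It shows the point a practitioner cares about, namely that the port opens only when both the resource right and the behavior right hold.

```python
"""Added example, not the application's own code: deriving the access control
policy from a resource access list and a behavior feature library.
Data layout, names and sample entries are assumptions."""
from dataclasses import dataclass

# Constructed resource access list: identity -> resources that identity may access.
RESOURCE_ACCESS_LIST = {
    "operator-01": {"plc-line-3/holding-registers", "hmi-line-3/screens"},
    "auditor-02": {"historian/reports"},
}

# Constructed behavior feature library: (identity, resource) -> behaviors the
# stored behavior rules permit on that resource.
BEHAVIOR_FEATURE_LIBRARY = {
    ("operator-01", "plc-line-3/holding-registers"): {"read", "write"},
    ("operator-01", "hmi-line-3/screens"): {"read"},
    ("auditor-02", "historian/reports"): {"read"},
}


@dataclass(frozen=True)
class AccessControlPolicy:
    identity: str
    resource: str
    behavior: str
    first_resource_right: bool   # result of matching the resource access list
    first_behavior_right: bool   # result of matching the behavior feature library

    @property
    def open_target_port(self) -> bool:
        # Least privilege: the port opens only when BOTH rights hold, so a user
        # who may reach the resource but not perform the behavior is still denied.
        return self.first_resource_right and self.first_behavior_right


def build_policy(identity: str, resource: str, behavior: str) -> AccessControlPolicy:
    """Control center step: match the identity against the resource access list
    and the requested behavior against the behavior feature library."""
    resource_right = resource in RESOURCE_ACCESS_LIST.get(identity, set())
    allowed_behaviors = BEHAVIOR_FEATURE_LIBRARY.get((identity, resource), set())
    behavior_right = behavior in allowed_behaviors
    return AccessControlPolicy(identity, resource, behavior, resource_right, behavior_right)


def agent_decision(policy: AccessControlPolicy) -> str:
    """Agent center step: open the target access port or deny the request."""
    return "open_target_port" if policy.open_target_port else "deny"


if __name__ == "__main__":
    for request in [("operator-01", "plc-line-3/holding-registers", "write"),
                    ("operator-01", "hmi-line-3/screens", "write"),
                    ("auditor-02", "plc-line-3/holding-registers", "read")]:
        print(request, "->", agent_decision(build_policy(*request)))
```

An unknown identity matches nothing in either table and is denied by default, which is the safe failure mode for a deny-by-default policy engine.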
In the embodiment of the application, the user's resource access authority and behavior authority are obtained only after the identity has been found legal, so that identity, resource authority and behavior authority are each authenticated. This establishes a credible identity, a legal resource authority, a compliant behavior authority and a secure session channel, protects industrial resources, avoids abuse of authority and raises the security protection level of the resource access system.
Illustratively, the identity information includes one or more of: a password, a short message (SMS) verification code and a biometric identifier. The identity authentication center performs multi-factor authentication of the user's identity according to the password, the SMS verification code and/or the biometric identifier to obtain the identity verification result.
In the embodiment of the present application, the integrated multi-factor authentication method verifies the user's identity with the password, the SMS verification code and/or the biometric identifier to obtain an identity verification result. Distributed authentication services are integrated through a common interface, the combination of factors is customized flexibly, and a unified identity authentication management system is built, which reduces unsafe multidimensional authentication paths and improves authentication efficiency.
It should be noted that the integrated multi-factor authentication method can establish the uniqueness of the identity.
Illustratively, the agent center comprises an active agent module, a passive agent module and a private exchange module, and the active agent module and the passive agent module are in communication connection through the private exchange module. The private exchange module performs a hash calculation over the user's identity information, the user's access behavior information and the user's digital certificate to obtain a tag; the active agent module assigns the tag to the user, and the passive agent module opens the target access port to the user according to the tag and the access control policy.
In the embodiment of the application, the tag identifies the user and may also identify the user's session, so that the session can be recorded and its security and uniqueness ensured. The digital certificate is a certificate that identifies the identity information of each user.
In the embodiment of the application, the agent center establishes the secure access channel with the private protocol of the private exchange module, based on a dual-machine heterogeneous mode of the active agent module and the passive agent module: the active agent module proxies the access subject, the passive agent module proxies the access object, the subject and the object are proxied by different modules, and the direct access path is cut off.
For example, the agent center may issue each user a digital certificate in advance. During the user's access, the private exchange module computes the user's tag by hashing the user's digital certificate, identity information and access behavior information.
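The tag computation of the private exchange module, as an added Python example (illustrative code, not from the application). The field names, the choice of SHA-256 and canonical JSON serialisation, the sample identity and behavior records and the certificate string are all assumptions; the application only states that the three inputs are hashed together.

```python
"""Added example, not the application's own code: computing the session tag
as a hash over identity information, access behavior information and the
user's digital certificate. Field names and sample values are assumptions."""
import hashlib
import json

# Constructed sample inputs.
IDENTITY = {"user_id": "operator-01", "auth_methods": ["password", "sms"], "sms_code": "482913"}
BEHAVIOR = {"resource": "plc-line-3/holding-registers", "action": "write"}
CERTIFICATE_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-SAMPLE\n-----END CERTIFICATE-----"

# Credential values must never feed the tag: a tag is shared with agent modules
# and session logs, and hashing secrets into it would make them guessable offline.
SECRET_FIELDS = {"password", "sms_code", "biometric"}


def compute_tag(identity_info: dict, access_behavior: dict, certificate_pem: str) -> str:
    """Private exchange module step: one tag per (identity, behavior, certificate)."""
    identity_view = {k: v for k, v in identity_info.items() if k not in SECRET_FIELDS}
    material = json.dumps(
        {"identity": identity_view, "behavior": access_behavior, "certificate": certificate_pem},
        sort_keys=True, separators=(",", ":"),   # canonical form: same inputs, same tag
    ).encode("utf-8")
    return hashlib.sha256(material).hexdigest()


if __name__ == "__main__":
    print(compute_tag(IDENTITY, BEHAVIOR, CERTIFICATE_PEM))
```

A plain hash is reproducible by anyone who knows the three inputs, so it identifies a session but does not prove the private exchange module issued it; where the tag is also used as a bearer credential at the passive agent module, keying it (an HMAC under a key held only by the private exchange module) prevents forgery. That keyed variant is a design note beyond what the application describes.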
Illustratively, the access subject is replaced by the active agent module and the access object by the passive agent module, so the traditional direct access path is cut off and industrial resources are protected more securely. The active agent module assigns the tag to an access subject that holds access rights; the passive agent module isolates resources within the same zone, hides the access object, opens a minimal port set to block illegal links, protects the access object, and opens the target access port (for example, a port in the range 1-65535) to receive access requests only during a specific time window, according to the characteristics of the industrial protocol. This yields a secure session inside a secure channel and on-demand access to the access object.
In the embodiment of the application, the active agent module assigns the user a tag that identifies the user, and the passive agent module opens the target access port to the user according to the tag and the access control policy. The access object is thus protected, resources are hidden on a need-to-access basis, the exposure of the access object is reduced, and east-west exposure of the access object is addressed with a micro-segmentation principle.
In the embodiment of the application, direct access to the access object has problems such as an oversized exposed surface and uncontrollable access operations. With the dual-machine heterogeneous mode the access subject cannot reach the object directly: the passive agent module is the single point of contact with the access object, and the access subject is exposed only to the minimal interface necessary for access, which minimizes the impact.
Illustratively, the resource access system further includes an environment awareness module and a behavior analysis module. While the user accesses the object device, the environment awareness module periodically collects the user's network environment information, derives an environment trust value from the configuration carrier attributes, system security attributes and subject behavior attributes, and sends it to the control center; the behavior analysis module periodically collects the user's operation behavior information, derives a behavior trust value from the context behavior log, authentication credential information and other linked device information, and sends it to the control center; the control center combines the environment trust value and the behavior trust value into an access trust value and sends it to the agent center; and the agent center adjusts the session according to the access trust value.
In the embodiment of the application, the network environment information comprises configuration carrier attributes, system security attributes and subject behavior attributes. The configuration carrier attributes may include the IP address of the access subject, important process information and/or configuration baseline information; the system security attributes may include patch update information, malicious code protection information and/or network environment change information; the subject behavior attributes may include the system account and/or geographic location information. The operation behavior information includes the context behavior log, authentication credential information and other linked device information.
In the embodiment of the application, the environment awareness module and the behavior analysis module operate in an agentless mode, meaning that they are part of the control center and need neither an underlying device nor an upper-layer agent module to assist them.
In the embodiment of the application, the environment awareness module and the behavior analysis module have edge computing capability, i.e. an open platform integrating network, computing, storage and/or application capabilities on the side close to the accessed subject or object (for example, the industrial resource), which provides service nearby, responds faster, improves processing efficiency and reduces the load on the control center.
It should be noted that the environment awareness module monitors the access subject (for example, the user) and obtains the subject's network environment information, whereas the behavior analysis module monitors the passive agent module rather than the object device directly: the access object is hidden from all access subjects, and every subject device converses with the object device through the passive agent module, so the behavior analysis module can collect the operation behavior information produced by the user during the session.
Illustratively, while a user accesses the object device through the subject device, the environment awareness module periodically collects the network environment information of the user side, derives the user's environment trust value from it and sends it to the control center; the behavior analysis module periodically collects the user's operation behavior information, derives the user's behavior trust value from it and sends it to the control center; the control center computes the access trust value by equation (1) from the environment trust value, the behavior trust value and their respective weights, and sends it to the agent center; and the agent center adjusts the session according to the access trust value. Equation (1) is:
$C = w_1 N_1 + w_2 N_2$ (1)
In equation (1), $C$ is the access trust value, $N_1$ the environment trust value, $N_2$ the behavior trust value, $w_1$ the weight of the environment trust value and $w_2$ the weight of the behavior trust value.
For example, if the environment trust value and the behavior trust value are 80 and 60, and their weights are 0.6 and 0.4, the access trust value is $0.6 \times 80 + 0.4 \times 60 = 72$.
Illustratively, the control center may also obtain the access trust value from a trust evaluation model, using the environment trust value, the behavior trust value and other parameters of the session. The trust evaluation model is trained in advance by the control center on historical environment trust values, historical behavior trust values and other parameters of historical sessions.
In one possible implementation, the agent center is further configured, when the identity verification result is that the identity is legal, to send the environment awareness module an instruction to acquire the network environment information of the user side; the environment awareness module responds to the instruction by acquiring that information; and the control center derives the user's access control policy from the user's identity information, network environment information and access behavior information.
In the embodiment of the application, on the one hand, a never-trust, continuous-verification model is adopted and the agent center adjusts the session in real time according to the access trust value. On the other hand, edge computing is adopted to raise node computing capacity and relieve the control center, which avoids a bloated control center. In addition, identity authentication, access authorization, environment awareness and behavior analysis can be carried out in a distributed and progressive manner.
Illustratively, when the access trust value is smaller than a first threshold, the passive agent module closes the target access port and locks the session between the subject device and the object device.
In the embodiment of the present application, locking the session means that the user's access interface is frozen in its current state when the target access port is closed, and no further operations can be performed.
It should be noted that the first threshold may be set according to practical situations or experience, for example, the first threshold may be set to 60, and the embodiment of the present application is not limited herein for the specific value of the first threshold.
For example, with the first threshold set to 60 in advance, an access trust value of 55 is below the first threshold, so the target access port is closed and the session between the subject device and the object device is locked.
In the embodiment of the application, when the access trust value falls below the first threshold, for example because the network environment no longer meets the security requirement or the access subject's operation behavior is abnormal, the target access port is closed and the session between the subject device and the object device is locked, which improves system security and prevents resource leakage.
Illustratively, when the user's identity verification result becomes that the identity is illegal, the private exchange module disconnects the communication connection between the active agent module and the passive agent module and cuts off the session between the subject device and the object device.
In this embodiment of the present application, the agent center may preset an open duration for the target access port; for example, with the open duration of user A's target access port set to 60 minutes, once user A's access time reaches 60 minutes the user's identity verification result becomes that the identity is illegal.
In the embodiment of the present application, cutting off the session means that the user is forced out of the access interface for the access object and can no longer obtain the access object's resources in the object device.
Illustratively, when the user's identity verification result becomes that the identity is illegal, the private exchange module disconnects the communication connection between the active agent module and the passive agent module, closes the secure access channel and cuts off the session between the subject device and the object device, which improves system security and prevents resource leakage.
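Equation (1) together with the two session adjustments just described (lock when the access trust value drops below the first threshold, cut when the identity becomes illegal, including expiry of the open duration), as an added Python example (illustrative code, not from the application). The weights 0.6/0.4, the threshold 60 and the 60-minute open duration are the values used in the examples above; the session state fields, the rule that a locked session stays locked until it is cut, and the function names are assumptions.

```python
"""Added example, not the application's own code: access trust value per
equation (1) and the resulting session adjustments. Weights, threshold and
open duration are the page's example values; the state model is an assumption."""
from dataclasses import dataclass

FIRST_THRESHOLD = 60          # example value from the text; set per deployment
OPEN_DURATION_MINUTES = 60    # example open duration of the target access port


def access_trust_value(env_trust: float, behavior_trust: float,
                       w_env: float = 0.6, w_behavior: float = 0.4) -> float:
    """Equation (1): C = w1*N1 + w2*N2. The weights are required to sum to 1 so
    that C stays on the same 0..100 scale as N1 and N2."""
    if abs((w_env + w_behavior) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return w_env * env_trust + w_behavior * behavior_trust


@dataclass
class Session:
    port_open: bool = True      # target access port at the passive agent module
    locked: bool = False        # interface frozen, port closed, identity still legal
    connected: bool = True      # active<->passive link through the private exchange module
    identity_legal: bool = True


def adjust_session(session: Session, env_trust: float, behavior_trust: float,
                   elapsed_minutes: float) -> str:
    """Periodic re-evaluation by the agent center (never trust, always verify)."""
    # Reaching the open duration flips the identity verification result to illegal.
    if elapsed_minutes >= OPEN_DURATION_MINUTES:
        session.identity_legal = False
    if not session.identity_legal:
        # Private exchange module drops the active/passive link: session cut.
        session.connected = False
        session.port_open = False
        return "session_cut"
    if session.locked:
        return "session_locked"   # assumption: a locked session stays locked until cut
    if access_trust_value(env_trust, behavior_trust) < FIRST_THRESHOLD:
        # Passive agent module closes the target port and locks the session.
        session.port_open = False
        session.locked = True
        return "session_locked"
    return "session_continues"


if __name__ == "__main__":
    s = Session()
    for env, beh, minute in [(80, 60, 10), (50, 62.5, 20), (90, 90, 30), (90, 90, 60)]:
        print(minute, access_trust_value(env, beh), adjust_session(s, env, beh, minute))
```

Note the ordering: the identity check runs before the trust score, so an expired or revoked identity always results in a cut session regardless of how good the environment and behavior scores look at that moment.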
Illustratively, during the session the passive agent module periodically changes the target access port according to the industrial protocol type, and the subject device accesses the object device through the changed target access port. The user's access rights are not changed.
In the embodiment of the application, the industrial protocol type may include the Modbus protocol, RS-232, RS-485, HART, MPI or another serial communication protocol.
For example, during the session the passive agent module may change the target access port periodically according to the industrial protocol type: with the open duration of user A's target access port set to 40 minutes and the protocol type changed every 20 minutes, RS-232 and its corresponding port are used for the first 20 minutes, and RS-485 and its corresponding port for the last 20 minutes.
It should be noted that the target access port changes with the protocol, but the user's access authority does not change with the industrial protocol type; when the subject device accesses the object device through the changed target access port, the access object resources it can obtain are the same as before the change.
In the embodiment of the application, the target access port is changed periodically during the session according to the industrial protocol type, and the change is transparent to the access subject, which continues to access through the agent center without handling the change itself; because the open port is not fixed, malicious eavesdropping and intrusion are made harder.
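The port rotation of the preceding paragraphs as an added Python example (illustrative code, not from the application). The 40-minute open duration and 20-minute rotation interval follow the example above; the port numbers assigned to RS-232 and RS-485, the rights representation and the function names are assumptions, since the application does not state which port corresponds to which protocol.

```python
"""Added example, not the application's own code: periodic change of the
target access port by industrial protocol type, with access rights unchanged.
Port numbers and the rights structure are assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed protocol-to-port mapping; the schedule walks through it in order.
PROTOCOL_SCHEDULE: Tuple[Tuple[str, int], ...] = (
    ("RS-232", 40232),
    ("RS-485", 40485),
)


@dataclass(frozen=True)
class PortRotationPlan:
    open_duration_min: int = 40   # open duration of user A's target access port
    rotate_every_min: int = 20    # protocol (and therefore port) changes every 20 minutes


def target_port_at(plan: PortRotationPlan, elapsed_min: float) -> Optional[Tuple[str, int]]:
    """Passive agent module step: which protocol/port is open at a given time.
    Returns None outside the open duration, i.e. the port is closed."""
    if elapsed_min < 0 or elapsed_min >= plan.open_duration_min:
        return None
    slot = int(elapsed_min // plan.rotate_every_min)
    return PROTOCOL_SCHEDULE[slot % len(PROTOCOL_SCHEDULE)]


def session_view(plan: PortRotationPlan, rights: frozenset, elapsed_min: float):
    """What the subject device is given at a point in time: the current port
    (changing) and the access rights (invariant across rotations)."""
    return target_port_at(plan, elapsed_min), rights


if __name__ == "__main__":
    plan = PortRotationPlan()
    rights = frozenset({("plc-line-3/holding-registers", "read")})
    for minute in (0, 19, 20, 39, 40):
        print(minute, session_view(plan, rights, minute))
```

The rotation is a hardening measure on top of the access control policy, not a substitute for it: the rights object passed through session_view is the same before and after each rotation, which is the invariant a reviewer should check when this feature is implemented.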
In one possible implementation, the active agent module receives the access request initiated by the access subject, extracts the identity information and the access behavior information from the request message, and calls the authentication factors of the identity authentication center to verify the identity. After the identity is determined to be legal, the active agent module sends an instruction to the environment awareness module to acquire the network environment information of the user side and sends the access behavior information to the control center, and the control center derives the user's access control policy from the identity information, the network environment information and the access behavior information. The private exchange module establishes the private access channel between the active agent module and the passive agent module on the conditions of identity credibility, authority legitimacy, behavior compliance and environment security, thereby establishing the session between the subject device and the object device; it creates the tag for the session, receives the access control policy sent by the control center, and adjusts the session in real time (for example, by establishing or cutting off the session). The passive agent module isolates resources within the same zone, hides the industrial resource to be accessed, and opens or closes the user's target access port according to the user's authentication result.
In the embodiment of the application, the identity information of the access subject is verified, resources are hidden on a need-to-access basis so that the exposure of the access object is reduced and the access object protected, east-west exposure of the access object is addressed with a micro-segmentation principle, and the session is adjusted in real time under a never-trust, continuous-verification model.
Illustratively, the behavior feature library records and updates the behavior rules of the user in the session process according to the access behavior information.
In the embodiment of the application, after a session process is finished, the control center can perform behavior analysis on the user according to the access behavior information, judge whether the behavior rule of the user in the behavior feature library needs to be updated, and record and update the behavior rule of the user in the session process if the behavior rule needs to be updated.
In the embodiment of the application, by recording and updating the behavior rules of the user, the behavior rules in the behavior feature library can be matched according to the access behavior information of the user when the user accesses the next time, so that the behavior permission when the user accesses the next time can be obtained.
Fig. 3 is a schematic structural diagram of an electronic device 30 according to an embodiment of the present application. Referring to Fig. 3, the electronic device 30 may include a processor 301 and a memory 302, wherein:
a memory 302 for storing a computer program.
The processor 301 is configured to read the computer program stored in the memory 302, and execute the resource access method in the above embodiments according to the computer program in the memory 302.
Alternatively, the memory 302 may be separate or integrated with the processor 301. When the memory 302 is a device separate from the processor 301, the electronic device 30 may further include: a bus for connecting the memory 302 and the processor 301.
Optionally, this embodiment further includes: a communication interface that may be connected to the processor 301 through a bus. The processor 301 may control the communication interface to implement the above-described functions of acquisition and transmission of the electronic device 30.
For example, in the embodiment of the present application, the electronic device 30 may be a terminal or a server, and may be specifically configured according to actual needs.
The electronic device 30 shown in the embodiment of the present application may execute the technical solution of the resource access method in the foregoing embodiment, and the implementation principle and the beneficial effect of the electronic device are similar to those of the resource access method, and reference may be made to the implementation principle and the beneficial effect of the resource access method, which is not described herein again.
An embodiment of the present application further provides a computer-readable storage medium, where computer-executable instructions are stored in the computer-readable storage medium, and when a processor executes the computer-executable instructions, the technical solution of the resource access method in the foregoing embodiments is implemented, and implementation principles and beneficial effects of the method are similar to those of the resource access method, and reference may be made to the implementation principles and beneficial effects of the resource access method, which are not described herein again.
The embodiment of the present application further provides a computer program product, which includes a computer program, and when the computer program is executed by a processor, the technical solution of the resource access method in the foregoing embodiments is implemented, and the implementation principle and the beneficial effect of the computer program are similar to those of the resource access method, which can be referred to as the implementation principle and the beneficial effect of the resource access method, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the above-described modules is merely a logical division, and an actual implementation may have another division, for example, a plurality of modules or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts shown as units may or may not be physical units, may be located in one position, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment. In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated module implemented in the form of a software functional module may be stored in a computer-readable storage medium. The software functional module is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) or a processor (processor) to execute some steps of the methods according to the embodiments of the present application.
It should be understood that the Processor may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the present invention may be embodied directly in a hardware processor, or in a combination of the hardware and software modules within the processor.
The Memory may include a Random Access Memory (RAM), a Non-Volatile Memory (NVM), for example, at least one disk Memory, and may also be a usb disk, a removable hard disk, a read-only Memory, a magnetic disk or an optical disk.
The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended ISA (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, the buses in the figures of the present application are not limited to only one bus or one type of bus.
The computer-readable storage medium may be implemented by any type of volatile or non-volatile Memory device or combination thereof, such as Static Random-Access Memory (SRAM), electrically Erasable Programmable Read-Only Memory (EEPROM), erasable Programmable Read-Only Memory (EPROM), programmable Read-Only Memory (PROM), read-Only Memory (ROM), magnetic Memory, flash Memory, magnetic disk or optical disk. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.

Claims (13)

1. A resource access system, characterized by comprising a subject device, a control center, an identity authentication center, an agent center and an object device; the agent center is in communication connection with the subject device, the control center, the identity authentication center and the object device;
the subject device is used for receiving a first operation of a user for accessing the object device;
the subject device is used for responding to the first operation and sending an access request to the agent center;
the agent center is used for sending an identity verification request to the identity authentication center according to the access request;
the identity authentication center is used for authenticating the user according to the identity verification request to obtain an identity verification result, wherein the identity verification result is either that the identity is legal or that the identity is illegal;
the identity authentication center is used for sending the identity verification result to the agent center;
the agent center is used for sending an authority acquisition request to the control center when the identity verification result is that the identity is legal;
the control center is used for sending the access control policy of the user to the agent center according to the authority acquisition request;
and the agent center is used for establishing a session with the subject device according to the access control policy and opening a target access port to the user.
2. The system of claim 1, wherein the control center comprises a resource access list and a behavior feature library;
the agent center is specifically configured to process the access request, extract the identity information of the user and the access behavior information of the user, and send an identity verification request carrying the identity information to the identity authentication center;
the identity authentication center is specifically used for performing identity authentication on the user according to the identity information to obtain the identity authentication result;
the agent center is specifically configured to receive the identity verification result sent by the identity authentication center, and send the identity information and the access behavior information to the control center when the identity verification result is that the identity is legal;
the control center is specifically configured to match the resources in the resource access list according to the identity information to obtain a first resource access permission;
the control center is specifically used for matching the behavior rules in the behavior feature library according to the access behavior information to obtain a first behavior authority;
the control center is specifically configured to obtain the access control policy according to the first resource access right and the first behavior right, and send the access control policy to the proxy center.
3. The system of claim 2, wherein the identity information comprises one or more of: a password, an SMS verification code and a biometric identifier;
and the identity authentication center is specifically configured to perform multi-factor authentication of the user according to the password, the SMS verification code and/or the biometric identifier to obtain the identity verification result.
4. The system of claim 1, wherein the proxy center comprises an active agent module, a passive agent module and a private exchange module, the active agent module and the passive agent module being communicatively connected through the private exchange module;
the private exchange module is configured to compute a hash over the user's identity information, the user's access behavior information and the user's digital certificate to obtain a tag, the tag identifying the user;
the active agent module is configured to assign the tag to the user;
and the passive agent module is configured to open the target access port to the user according to the tag and the access control policy.
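The flow of claims 1 to 4, as an added example rather than code from the patent or its applicants: the proxy center brokers a request, the identity authentication center performs the multi-factor check of claim 3, the control center derives the policy from the resource access list and the behavior feature library as in claim 2, and the private exchange module's tag of claim 4 is a length-prefixed hash. Class names, factor names, the sample user, device, port and certificate bytes are all assumptions.

```python
# Added example (not the patent's own code): a minimal model of the claim 1-4 flow.
# Class and variable names, the factor names and the sample users/devices are assumptions.
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str                 # identity information: who is asking
    factors: dict             # presented credentials: password / sms / biometric
    target: str               # object device the subject device wants to reach
    action: str               # access behavior information, e.g. "read" or "write"
    certificate: bytes        # the user's digital certificate (DER/PEM bytes)


class IdentityAuthenticationCenter:
    """Claim 3: multi-factor check over password, SMS code and/or biometric."""

    def __init__(self, enrolled):
        self.enrolled = enrolled   # user -> {factor name: expected value}

    def verify(self, user, factors):
        expected = self.enrolled.get(user)
        # unknown user, or fewer than two factors presented: identity is illegal
        if expected is None or len(factors) < 2:
            return False
        # every presented factor must match; constant-time compare avoids timing leaks
        return all(
            name in expected and hmac.compare_digest(str(expected[name]), str(value))
            for name, value in factors.items()
        )


class ControlCenter:
    """Claim 2: resource access list and behavior feature library yield the policy."""

    def __init__(self, resource_access_list, behavior_feature_library):
        self.resources = resource_access_list      # user -> set of object devices
        self.behaviors = behavior_feature_library  # user -> set of permitted actions

    def policy(self, user, target, action):
        resource_right = target in self.resources.get(user, set())   # first resource access right
        behavior_right = action in self.behaviors.get(user, set())   # first behavior right
        # the policy is the conjunction: the port opens only if both rights hold
        return {"allow": resource_right and behavior_right, "target": target, "action": action}


class ProxyCenter:
    """Claims 1 and 4: brokers the request, derives the tag, opens the target port."""

    def __init__(self, idp, control, port_map):
        self.idp = idp
        self.control = control
        self.port_map = port_map          # object device -> target access port
        self.sessions = {}                # tag -> session record

    @staticmethod
    def make_tag(req):
        # private exchange module: hash of identity info, behavior info and certificate.
        # Only the user identifier is hashed, never the password or SMS code, so a
        # leaked tag does not expose a credential. Fields are length-prefixed so that
        # ("ab", "c") and ("a", "bc") cannot collide.
        h = hashlib.sha256()
        for part in (req.user.encode(), req.action.encode(), req.target.encode(), req.certificate):
            h.update(len(part).to_bytes(4, "big") + part)
        return h.hexdigest()

    def handle(self, req):
        if not self.idp.verify(req.user, req.factors):
            return {"status": "denied", "reason": "identity illegal"}
        policy = self.control.policy(req.user, req.target, req.action)
        if not policy["allow"]:
            return {"status": "denied", "reason": "no permission"}
        tag = self.make_tag(req)                    # active agent assigns the tag
        port = self.port_map[req.target]            # passive agent opens the target port
        self.sessions[tag] = {"user": req.user, "port": port, "policy": policy}
        return {"status": "opened", "tag": tag, "port": port}


def demo():
    """Constructed sample data; returns the proxy's verdict for three requests."""
    idp = IdentityAuthenticationCenter({"alice": {"password": "correct horse", "sms": "482913"}})
    control = ControlCenter({"alice": {"plc-7"}}, {"alice": {"read"}})
    proxy = ProxyCenter(idp, control, {"plc-7": 5020})
    cert = b"constructed-certificate-bytes"          # stands in for a real DER certificate
    good = AccessRequest("alice", {"password": "correct horse", "sms": "482913"}, "plc-7", "read", cert)
    bad_factor = AccessRequest("alice", {"password": "correct horse", "sms": "000000"}, "plc-7", "read", cert)
    no_right = AccessRequest("alice", {"password": "correct horse", "sms": "482913"}, "plc-7", "write", cert)
    return {
        "good": proxy.handle(good),
        "bad_factor": proxy.handle(bad_factor),
        "no_right": proxy.handle(no_right),
        "tag_is_request_bound": proxy.make_tag(good) != proxy.make_tag(no_right),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Note the ordering: the policy lookup runs only after the identity check succeeds, which matches the claim's sequencing, and the port is not opened until both the resource right and the behavior right hold. Hashing the user identifier rather than the presented password into the tag is a deliberate choice so the tag can be logged and carried between agent modules without becoming a credential.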
5. The system of claim 4, wherein the resource access system further comprises a context awareness module and a behavior analysis module;
the context awareness module is configured to periodically collect the user's network environment information while the user accesses the object device, the network environment information comprising a configuration carrier attribute, a system security attribute and a subject behavior attribute;
the context awareness module is configured to derive an environment trust value for the user from the configuration carrier attribute, the system security attribute and the subject behavior attribute, and send the environment trust value to the control center;
the behavior analysis module is configured to periodically collect the user's operation behavior information while the user accesses the object device, the operation behavior information comprising a context behavior log, authentication credential information and information on other linked devices;
the behavior analysis module is configured to derive a behavior trust value for the user from the context behavior log, the authentication credential information and the information on other linked devices, and send the behavior trust value to the control center;
the control center is configured to obtain an access trust value from the environment trust value and the behavior trust value;
the control center is configured to send the access trust value to the proxy center;
and the proxy center is configured to adjust the session according to the access trust value.
6. The system of claim 5, wherein:
the passive agent module is specifically configured to close the target access port and lock the session between the subject device and the object device when the access trust value is less than a first threshold.
7. The system of claim 5, wherein:
the private exchange module is specifically configured to disconnect the communication connection between the active agent module and the passive agent module and cut off the session between the subject device and the object device when the user's identity verification result changes to identity illegal.
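The continuous evaluation of claims 5 to 7, as an added example that is not code from the patent: periodic environment and behavior samples are scored into an environment trust value and a behavior trust value, the control center combines them into an access trust value, and the proxy adjusts the session, locking it below the first threshold (claim 6) or cutting it when the identity turns illegal (claim 7). The attribute encodings, the weights, the equal-weight combination and the threshold value are assumptions; the patent fixes none of them.

```python
# Added example (not the patent's own code) for claims 5-7: periodic environment and
# behavior samples become trust values, the control center combines them into an access
# trust value, and the proxy adjusts the session. Attribute names, weights and the
# first threshold are assumptions.
from dataclasses import dataclass


@dataclass
class EnvironmentSample:
    """Network environment information collected by the context awareness module."""
    carrier_ok: bool            # configuration carrier attribute: approved, managed device
    system_secure: bool         # system security attribute: patched, protection agent running
    subject_behavior_ok: bool   # subject behavior attribute: no host-side anomaly


@dataclass
class BehaviorSample:
    """Operation behavior information collected by the behavior analysis module."""
    context_anomalies: int      # anomalous entries in the context behavior log
    credential_valid: bool      # authentication credential still valid (not revoked/expired)
    linked_devices_ok: bool     # other linked devices report no conflicting state


def environment_trust(s):
    # weights are assumptions; result is in [0, 1]
    return round(0.4 * s.carrier_ok + 0.4 * s.system_secure + 0.2 * s.subject_behavior_ok, 3)


def behavior_trust(s):
    if not s.credential_valid:
        return 0.0                      # a dead credential leaves no behavior trust at all
    score = 1.0 - 0.15 * min(s.context_anomalies, 5)
    if not s.linked_devices_ok:
        score -= 0.2
    return round(max(score, 0.0), 3)


def access_trust(env_value, beh_value):
    # control center: equal-weight combination (assumption); min() would be stricter
    return round(0.5 * env_value + 0.5 * beh_value, 3)


class Session:
    """Session between subject and object device, adjusted by the proxy center."""
    FIRST_THRESHOLD = 0.6   # assumed value for claim 6's first threshold

    def __init__(self, tag, port):
        self.tag, self.port, self.state = tag, port, "open"

    def adjust(self, trust, identity_legal=True):
        if not identity_legal:          # claim 7: identity turned illegal -> cut the session
            self.state, self.port = "cut", None
        elif self.state == "open" and trust < self.FIRST_THRESHOLD:
            self.state, self.port = "locked", None   # claim 6: close port, lock session
        # a locked or cut session is never reopened here; re-authentication is required
        return self.state


def run_periodic(session, samples):
    """samples: list of (EnvironmentSample, BehaviorSample, identity_legal). Returns a trace."""
    trace = []
    for env, beh, legal in samples:
        trust = access_trust(environment_trust(env), behavior_trust(beh))
        trace.append((trust, session.adjust(trust, legal)))
    return trace


def demo():
    # constructed samples: healthy, then an unpatched host with log anomalies, then a revoked identity
    samples = [
        (EnvironmentSample(True, True, True),  BehaviorSample(0, True, True), True),
        (EnvironmentSample(True, False, True), BehaviorSample(3, True, True), True),
        (EnvironmentSample(True, True, True),  BehaviorSample(0, True, True), False),
    ]
    return run_periodic(Session("tag-1", 5020), samples)


if __name__ == "__main__":
    for trust, state in demo():
        print(f"access trust={trust:.3f} -> session {state}")
```

Two points worth keeping when adapting this: the identity check is evaluated before the trust value, so a revoked credential cuts the session even when the environment still scores well, and a locked session stays locked rather than flapping back to open as the score recovers, which forces the re-authentication path instead of letting an attacker wait out a transient dip.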
8. The system of claim 6, wherein:
the passive agent module is specifically configured to periodically transform the target access port during the session according to the type of industrial protocol in use;
and the subject device is specifically configured to access the object device through the transformed target access port, the user's access rights being unchanged by the transformation.
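One way to realise the port transformation of claim 8, added here as an example and not taken from the patent: both the passive agent and the subject device derive the current target access port from a shared session secret, the industrial protocol type and a time slot, so the exposed port moves on a per-protocol schedule while the rights fixed at session setup are untouched. The protocol names, port pools, rotation periods, grace window and session secret are assumptions.

```python
# Added example (not the patent's own code) for claim 8: the passive agent rotates the
# target access port on a schedule chosen per industrial protocol, the subject device
# derives the same port, and the user's rights are untouched by rotation.
# Protocol names, port ranges, rotation periods and the session secret are assumptions.
import hashlib
import hmac
import time

# assumed per-protocol port pools and rotation periods (deployment choices)
PROTOCOL_PORT_RANGES = {"modbus-tcp": (20000, 20999), "opc-ua": (30000, 30999), "s7comm": (40000, 40999)}
ROTATION_SECONDS = {"modbus-tcp": 300, "opc-ua": 600, "s7comm": 300}


def port_for_slot(session_secret, protocol, slot):
    """Map (protocol, time slot) to a port inside the protocol's pool using an HMAC."""
    lo, hi = PROTOCOL_PORT_RANGES[protocol]
    digest = hmac.new(session_secret, f"{protocol}:{slot}".encode(), hashlib.sha256).digest()
    return lo + int.from_bytes(digest[:4], "big") % (hi - lo + 1)


def slot_at(protocol, now):
    return int(now // ROTATION_SECONDS[protocol])


class PassiveAgent:
    """Holds the session's rights and the currently exposed target access port."""

    def __init__(self, session_secret, protocol, rights, now):
        self.secret, self.protocol = session_secret, protocol
        self.rights = dict(rights)       # fixed at session setup by the access control policy
        self.slot = slot_at(protocol, now)
        self.port = port_for_slot(session_secret, protocol, self.slot)

    def transform(self, now):
        """Periodic transformation: recompute the port for the current slot; rights are not touched."""
        self.slot = slot_at(self.protocol, now)
        self.port = port_for_slot(self.secret, self.protocol, self.slot)
        return self.port

    def accepts(self, port, now):
        """Accept the current slot's port and the previous one (clock skew, in-flight connects)."""
        slot = slot_at(self.protocol, now)
        valid = {port_for_slot(self.secret, self.protocol, s) for s in (slot, slot - 1)}
        return port in valid


def host_side_port(session_secret, protocol, now):
    """The subject device computes the same port from the same secret and clock."""
    return port_for_slot(session_secret, protocol, slot_at(protocol, now))


def demo(now=None):
    now = time.time() if now is None else now
    secret = b"constructed-session-secret"          # in practice: derived at session setup
    agent = PassiveAgent(secret, "modbus-tcp", {"read": True, "write": False}, now)
    first = agent.port
    later = now + ROTATION_SECONDS["modbus-tcp"]    # one period later: port is transformed
    second = agent.transform(later)
    return {
        "first": first,
        "second": second,
        "host_agrees": host_side_port(secret, "modbus-tcp", later) == second,
        "old_port_in_grace": agent.accepts(first, later),
        "rights": agent.rights,
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC keeps the schedule unpredictable to anyone without the session secret, so a scanner that finds one open port learns nothing about the next one; the one-slot grace window is the usual trade-off against clock skew and should be as short as the protocol's connection setup allows. Rotation changes only which port is listened on, never the rights recorded at session setup, which is the point the claim makes.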
9. The system of any one of claims 1-8, wherein:
the behavior feature library is configured to record and update the user's behavior rules according to the access behavior information.
10. A resource access method, applied to a resource access system, comprising the following steps:
a subject device receives a first operation of a user for accessing an object device;
the subject device responds to the first operation by sending an access request to a proxy center;
the proxy center sends an identity verification request to an identity authentication center according to the access request;
the identity authentication center authenticates the user according to the identity verification request to obtain an identity verification result, the identity verification result being either identity legal or identity illegal;
the identity authentication center sends the identity verification result to the proxy center;
the proxy center sends a permission acquisition request to a control center when the identity verification result is that the identity is legal;
the control center sends the user's access control policy to the proxy center according to the permission acquisition request;
and the proxy center establishes a session with the subject device according to the access control policy and opens a target access port to the user.
11. An electronic device, comprising: a memory and a processor;
the memory being configured to store a computer program;
and the processor being configured to read the computer program stored in the memory and, according to that program, execute the steps performed by the subject device in claim 10, or the steps performed by the proxy center in claim 10, or the steps performed by the identity authentication center in claim 10, or the steps performed by the control center in claim 10.
12. A computer-readable storage medium storing a computer program which, when executed by a processor, carries out the steps performed by the subject device in claim 10, or the steps performed by the proxy center in claim 10, or the steps performed by the identity authentication center in claim 10, or the steps performed by the control center in claim 10.
13. A computer program product comprising a computer program which, when executed by a processor, carries out the steps performed by the subject device in claim 10, or the steps performed by the proxy center in claim 10, or the steps performed by the identity authentication center in claim 10, or the steps performed by the control center in claim 10.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211001377.XA CN115664693A (en) 2022-08-19 2022-08-19 Resource access system, method, electronic device, and storage medium

Publications (1)

Publication Number Publication Date
CN115664693A true CN115664693A (en) 2023-01-31

Family

ID=84984320

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211001377.XA Pending CN115664693A (en) 2022-08-19 2022-08-19 Resource access system, method, electronic device, and storage medium

Country Status (1)

Country Link
CN (1) CN115664693A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116010999A (en) * 2023-03-24 2023-04-25 云南馥茛互联网科技有限公司 Internet data security protection method and system based on artificial intelligence algorithm
CN116010999B (en) * 2023-03-24 2024-02-06 天翼安全科技有限公司 Internet data security protection method and system based on artificial intelligence algorithm
CN117155649A (en) * 2023-08-31 2023-12-01 金锐软件技术(杭州)有限公司 System and method for security protection of third party system accessing JAVA gateway
CN117155649B (en) * 2023-08-31 2024-03-22 金锐软件技术(杭州)有限公司 System and method for security protection of third party system accessing JAVA gateway

Similar Documents

Publication Publication Date Title
US11263305B2 (en) Multilayered approach to protecting cloud credentials
EP3090525B1 (en) System and method for biometric protocol standards
CN115664693A (en) Resource access system, method, electronic device, and storage medium
CN113596009B (en) Zero trust access method, system, zero trust security proxy, terminal and medium
CN115001870B (en) Information security protection system, method and storage medium
CN114553540B (en) Zero trust-based Internet of things system, data access method, device and medium
US20210160237A1 (en) Secure Controlled Access To Protected Resources
CN116319024A (en) Access control method and device of zero trust system and zero trust system
CN111885031B (en) Fine-grained access control method and system based on session process
CN109995769A (en) A kind of trans-regional full actual time safety management-control method of multi-tier Heterogeneous
CN111385794B (en) Mobile communication network privacy protection method and system for industry users
Feng et al. A dual-layer zero trust architecture for 5G industry MEC applications access control
US8726335B2 (en) Consigning authentication method
US9467448B2 (en) Consigning authentication method
CN116260656B (en) Main body trusted authentication method and system in zero trust network based on blockchain
CN115134175B (en) Security communication method and device based on authorization strategy
KR20220121045A (en) Edge computing system and method for controlling network access thereof
KR101207320B1 (en) Network system and method for applying security policy using the same
CN116049860B (en) Access control method, device, computer equipment and storage medium
CN115696332B (en) 5G edge computing security access control system and method based on cross-layer zero trust
WO2023284549A1 (en) User data management method and related device
CN117650920A (en) Zero trust safety protection method and system for evolution of power monitoring system
US20180331919A1 (en) Obtain network address of one or more network device for use in authentication
Zhou et al. Sucurity Protection Framework for Power 5G Services Based on Zero-Trust Model
CN114513366A (en) Access control device facing zero trust model and implementation method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
    Country or region after: China
    Address after: Room 3203, Block D1, Phase 1, Innovation Park, No. 1, Weiyi Road, Keyuan, Laoshan District, Qingdao City, Shandong Province, 266101
    Applicants after: Haiheng digital technology (Qingdao) Co.,Ltd.; Kaos Digital Technology (Qingdao) Co.,Ltd.; Canos Digital Technology (Beijing) Co.,Ltd.
    Country or region before: China
    Address before: Room 3203, Block D1, Phase 1, Innovation Park, No. 1, Weiyi Road, Keyuan, Laoshan District, Qingdao City, Shandong Province, 266101
    Applicants before: Haiheng digital technology (Qingdao) Co.,Ltd.; Haier digital technology (Qingdao) Co.,Ltd.; Haier digital technology (Beijing) Co.,Ltd.
TA01 Transfer of patent application right
    Effective date of registration: 20240207
    Country or region after: China
    Address after: 3003, Building D1, Qingdao International Innovation Park, No.1 Keyuan Weiyi Road, Laoshan District, Qingdao City, Shandong Province, 266100
    Applicants after: Kaos Digital Technology (Qingdao) Co.,Ltd.; Canos Digital Technology (Beijing) Co.,Ltd.
    Country or region before: China
    Address before: Room 3203, Block D1, Phase 1, Innovation Park, No. 1, Weiyi Road, Keyuan, Laoshan District, Qingdao City, Shandong Province, 266101
    Applicants before: Haiheng digital technology (Qingdao) Co.,Ltd.; Kaos Digital Technology (Qingdao) Co.,Ltd.; Canos Digital Technology (Beijing) Co.,Ltd.