CN115908045A - Dynamic link access control method and device applied to power distribution network of power system - Google Patents
Dynamic link access control method and device applied to power distribution network of power system Download PDFInfo
- Publication number
- CN115908045A CN115908045A CN202211413006.2A CN202211413006A CN115908045A CN 115908045 A CN115908045 A CN 115908045A CN 202211413006 A CN202211413006 A CN 202211413006A CN 115908045 A CN115908045 A CN 115908045A
- Authority
- CN
- China
- Prior art keywords
- trusted
- credible
- component
- platform
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 64
- 230000005540 biological transmission Effects 0.000 claims abstract description 58
- 238000012795 verification Methods 0.000 claims abstract description 39
- 238000011160 research Methods 0.000 claims abstract description 13
- 238000012360 testing method Methods 0.000 claims description 16
- 238000012546 transfer Methods 0.000 claims description 14
- 238000010276 construction Methods 0.000 claims description 7
- 238000012937 correction Methods 0.000 claims description 7
- 238000010586 diagram Methods 0.000 description 12
- 230000008569 process Effects 0.000 description 12
- 238000005259 measurement Methods 0.000 description 4
- 230000008859 change Effects 0.000 description 3
- 238000004590 computer program Methods 0.000 description 3
- 230000009286 beneficial effect Effects 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 241000700605 Viruses Species 0.000 description 1
- 230000002155 anti-virotic effect Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 208000015181 infectious disease Diseases 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000002093 peripheral effect Effects 0.000 description 1
- 231100000817 safety factor Toxicity 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Images
Classifications
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S10/00—Systems supporting electrical power generation, transmission or distribution
- Y04S10/50—Systems or methods supporting the power network operation or management, involving a certain degree of interaction with the load-side end user applications
Landscapes
- Storage Device Security (AREA)
Abstract
The invention discloses a dynamic link access control method and a dynamic link access control device applied to a power distribution network of a power system, wherein the method comprises the following steps: according to the collected credible root data of the platform credible root and the component data of all platform components, the platform credible root is used as a credible main line starting point, and a primary credible chain model is constructed and obtained by combining a credible chain control direction and a credible chain expansion rule, wherein the primary credible chain model is used for executing credible verification operation on each platform component; and determining a credibility level corresponding to each platform component according to the component data, and combining the credibility level of each platform component and the determined data control flow according to the primary credibility chain model to construct a secondary credibility chain model serving as a target credibility chain model for executing data credibility verification operation and data transmission research and judgment operation on the access data. Therefore, the access control can be dynamically adjusted according to the real-time authority state of the access terminal, and the control safety of network access control is improved.
Description
Technical Field
The invention relates to the technical field of link access control, in particular to a dynamic link access control method and device applied to a power distribution network of a power system.
Background
The existing control is controlled based on the existing and established security policy, and when the state of the terminal is changed, the dynamic adjustment of access control cannot be performed according to the real-time dynamic state of the terminal. Therefore, the potential safety hazard exists in the prior art: when a secure terminal sends a request, after authentication is passed, if the secure terminal is infected by virus or hacked, the terminal at this time is not a secure terminal, however, the authentication result of the terminal can be used to indicate that the terminal is trusted and secure. The intruder can realize the infection or intrusion to the whole network based on the infected or intruded terminal. The access security when safely accepting massive requests is reduced. It is therefore important to provide a method for improving the security of network access control.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a dynamic link access control method and apparatus applied to a power distribution network of an electric power system, which can dynamically adjust access control according to the real-time dynamics of an access terminal, and is beneficial to improving the control security of network access control.
In order to solve the technical problem, a first aspect of the present invention discloses a dynamic link access control method applied to a power distribution network of an electric power system, where the method includes:
the method comprises the steps that credible root data corresponding to a platform credible root and component data corresponding to all platform components are collected, the platform credible root and all the platform components are used for building a credible chain model, and the credible chain model is used for executing preset credible verification operation on all components to be verified in a platform credible boundary so as to verify the credibility of each component to be verified;
according to the credible root data and the component data, a platform credible root is taken as a credible main line starting point, a preset credible chain control direction and a credible chain expansion rule are combined, and a primary credible chain model is constructed and obtained, and the primary credible chain model is used for executing credible verification operation on each platform component;
and determining a credibility level corresponding to each platform component according to the component data, and constructing a secondary credible chain model according to the credibility level corresponding to each platform component and the data control flow determined by combining the primary credible chain model, wherein the secondary credible chain model is used as a target credible chain model for performing data credibility verification operation and data transmission research and judgment operation on access data.
As an optional implementation manner, in the first aspect of the present invention, the constructing, according to the root of trust and the component data, a primary trust chain model by using the platform root of trust as a trust main line starting point and combining a preset trust chain management and control direction and a trust chain expansion rule includes:
determining a trusted control division sequence of each platform component according to the trusted root data and the component data and a preset trusted chain control direction, wherein the more the trusted control division sequence of each platform component is, the earlier the trusted control division sequence is, a preset trusted control operation is executed on the platform component;
sequentially executing the trusted control operation on each platform component according to the trusted control division sequence of each platform component and the trusted chain control direction by taking the platform root of trust as a trusted main line starting point to obtain a trusted control result corresponding to each platform component, wherein the trusted control result corresponding to each platform component is used for determining whether the platform component is a trusted component meeting a preset trusted chain expansion rule or not;
and determining all platform components of which the credible control results in all the platform components indicate that the platform components meet preset credible chain expansion rules as credible components, and constructing to obtain a primary credible chain model according to the platform credible roots, all the credible components, the credible chain control directions and the credible chain expansion rules.
As an optional implementation manner, in the first aspect of the present invention, the performing, by using the platform root of trust as a starting point of a main trust line, the trust management and control operation on each platform component in sequence according to a trust management and control division sequence of each platform component and the trust chain management and control direction to obtain a trust management and control result corresponding to each platform component includes:
for each platform component, according to a preset trusted control component and the trusted control sequence, executing the trusted control operation on the platform component to obtain an initial trusted control result corresponding to the platform component; when the platform component is ranked in the trusted management sequence in the first order, the trusted management component is the platform root of trust, and each trusted management component is a component meeting the requirement of a preset component complete parameter;
judging whether a trusted control result corresponding to the platform component indicates that the platform component meets the requirement of the complete parameter of the component, and if so, generating a trust identification for the platform component as a trusted control result corresponding to the platform component, wherein the trust identification is used for adding the platform component corresponding to the trust identification to the trust mainline as a trusted chain component of a primary trusted chain model to be constructed;
and when the judgment result is negative, generating a failure mark which represents that the platform component does not meet the requirement of the complete parameter of the component, wherein the failure mark is used as a credible control result corresponding to the platform component, and the failure mark is used for representing that the credible value of the component of the platform component corresponding to the failure mark is lower than a preset credible threshold value.
As an optional implementation manner, in the first aspect of the present invention, the determining, according to the component data, a trust level corresponding to each of the platform components includes:
determining the total number of the components of the platform components and a credible right corresponding to each platform component according to the component data, wherein the credible right corresponding to each platform component comprises a component type of the platform component, and the component type comprises a system component type corresponding to a platform where the platform component is located as the system platform or an application component type corresponding to a platform where the platform component is located as the application platform;
and determining the credibility grade corresponding to each platform component according to the total number of the components of the platform component and the component type corresponding to each platform component.
As an optional implementation manner, in the first aspect of the present invention, the constructing a secondary trusted chain model according to the trust level corresponding to each platform component and the data control flow determined by combining the primary trusted chain model includes:
determining a transmission studying and judging parameter corresponding to the data control flow according to the determined data control flow, wherein the transmission studying and judging parameter is used for executing preset data transmission studying and judging operation on the data control flow, and the transmission studying and judging parameter comprises a system initialization parameter before the data transmission studying and judging operation is executed on the data control flow;
and constructing a secondary credible chain model by combining the credibility grade corresponding to each platform component, the primary credible chain model, the data control flow and the transmission studying and judging parameters on the basis of the data transmission studying and judging flow corresponding to the data control flow.
As an optional implementation manner, in the first aspect of the present invention, after the secondary trusted chain model is constructed and obtained according to the trust level corresponding to each platform component and the data control flow determined by combining the primary trusted chain model, the method further includes:
according to a pre-generated initialization control instruction, performing parameter initialization operation on the secondary trusted chain model, and inputting a preset test data stream into the secondary trusted chain model, wherein the test data stream comprises a plurality of components to be tested, and all the components to be tested comprise standard components to be tested with a trust level greater than or equal to a standard trust level corresponding to the secondary trusted chain model and a component to be tested with loss of credit with a trust level less than the standard trust level;
obtaining a credible output result correspondingly output after each component to be tested is input into the secondary credible chain model;
judging whether the to-be-corrected components exist in the credible output results corresponding to all the to-be-detected components, and when judging that the to-be-corrected components do not exist in the credible output results corresponding to all the to-be-detected components, determining that the model credibility grade corresponding to the secondary credible chain model meets the requirement of a preset model credibility threshold; and the part to be corrected is the part to be subjected to loss of credit, and the output result corresponding to the part to be subjected to loss of credit represents that the credibility grade of the part to be subjected to loss of credit is greater than or equal to the standard credibility grade.
As an optional implementation manner, in the first aspect of the present invention, when it is determined that the to-be-corrected component exists in the trusted output results corresponding to all the components to be tested, the method further includes:
analyzing a credible output result corresponding to each part to be corrected to obtain a misjudgment parameter corresponding to the situation that each part to be corrected is misjudged in the secondary credible chain model to be that the credible grade of the part to be corrected is greater than or equal to the standard credible grade, wherein the transmission studying and judging parameter comprises the misjudgment parameter;
and performing parameter correction operation on the transfer studying and judging parameters in the secondary credible chain model according to the credible output result corresponding to each part to be corrected, the actual credible grade corresponding to each part to be corrected and the misjudging parameters corresponding to each part to be corrected so as to update the secondary credible chain model.
The second aspect of the present invention discloses a dynamic link access control device applied to a power distribution network of a power system, the device comprising:
the system comprises an acquisition module, a verification module and a verification module, wherein the acquisition module is used for acquiring credibility root data corresponding to a platform credible root and component data corresponding to all platform components, the platform credible root and all platform components are used for constructing a credible chain model, and the credible chain model is used for implementing a preset credible verification operation on all components to be verified in a platform credible boundary so as to verify the credibility of each component to be verified;
the first construction module is used for constructing a primary credible chain model by taking the platform credible root as a credible main line starting point and combining a preset credible chain control direction and a credible chain expansion rule according to the credible root data and the component data, and the primary credible chain model is used for executing credible verification operation on each platform component;
the determining module is used for determining the corresponding credibility grade of each platform component according to the component data;
and the second construction module is used for constructing a secondary credible chain model according to the credibility grade corresponding to each platform component and the data control flow determined by combining the primary credible chain model, and the secondary credible chain model is used as a target credible chain model for executing data credibility verification operation and data transmission research and judgment operation on the access data.
As an optional implementation manner, in the second aspect of the present invention, a manner that the first building module builds, according to the root-of-trust data and the component data, a primary trust chain model by using the platform root-of-trust as a trust main line starting point and combining a preset trust chain management and control direction and a trust chain expansion rule specifically includes:
determining a trusted control division sequence of each platform component according to the trusted root data and the component data and a preset trusted chain control direction, wherein the more the trusted control division sequence of each platform component is, the earlier the trusted control division sequence is, a preset trusted control operation is executed on the platform component;
sequentially executing the trusted control operation on each platform component by taking the platform trusted root as a starting point of a trusted main line according to the trusted control division sequence of each platform component and the trusted chain control direction to obtain a trusted control result corresponding to each platform component, wherein the trusted control result corresponding to each platform component is used for determining whether the platform component is a trusted component meeting a preset trusted chain expansion rule;
and determining all platform components of which the credible control results in all the platform components indicate that the platform components meet preset credible chain expansion rules as credible components, and constructing to obtain a primary credible chain model according to the platform credible roots, all the credible components, the credible chain control directions and the credible chain expansion rules.
As an optional implementation manner, in the second aspect of the present invention, a manner that the first building module uses the platform root of trust as a starting point of a trust thread, and sequentially executes the trust management and control operation on each platform component according to the trust management and control division sequence of each platform component and the trust chain management and control direction, so as to obtain a trust management and control result corresponding to each platform component specifically includes:
for each platform component, according to a preset trusted control component and the trusted control sequence, executing the trusted control operation on the platform component to obtain an initial trusted control result corresponding to the platform component; when the platform component is ranked in the trusted management sequence in the first order, the trusted management component is the platform root of trust, and each trusted management component is a component meeting the requirement of a preset component complete parameter;
judging whether a trusted control result corresponding to the platform component indicates that the platform component meets the requirement of the complete parameter of the component, and if so, generating a trust identifier for the platform component as a trusted control result corresponding to the platform component, wherein the trust identifier is used for adding the platform component corresponding to the trust identifier to the trust mainline as a trusted chain component of a primary trusted chain model to be constructed;
and when the judgment result is negative, generating a failure mark which represents that the platform component does not meet the requirement of the complete parameter of the component, wherein the failure mark is used as a credible control result corresponding to the platform component, and the failure mark is used for representing that the credible value of the component of the platform component corresponding to the failure mark is lower than a preset credible threshold value.
As an optional implementation manner, in the second aspect of the present invention, the manner in which the determining module determines, according to the component data, the trust level corresponding to each of the platform components specifically includes:
determining the total number of the components of the platform components and a credible right corresponding to each platform component according to the component data, wherein the credible right corresponding to each platform component comprises a component type of the platform component, and the component type comprises a system component type corresponding to a platform where the platform component is located as the system platform or an application component type corresponding to a platform where the platform component is located as the application platform;
and determining the credibility grade corresponding to each platform component according to the total number of the components of the platform component and the component type corresponding to each platform component.
As an optional implementation manner, in the second aspect of the present invention, the manner that the second building module builds the secondary trust chain model according to the trust level corresponding to each platform component and the data control flow determined by combining the primary trust chain model specifically includes:
determining a transmission studying and judging parameter corresponding to the data control flow according to the determined data control flow, wherein the transmission studying and judging parameter is used for executing preset data transmission studying and judging operation on the data control flow, and the transmission studying and judging parameter comprises a system initialization parameter before the data transmission studying and judging operation is executed on the data control flow;
and constructing a secondary credible chain model by combining the credible grade corresponding to each platform component, the primary credible chain model, the data control flow and the transmission studying and judging parameters on the basis of the data transmission studying and judging flow corresponding to the data control flow.
As an optional embodiment, in the second aspect of the present invention, the apparatus further comprises:
the model testing module is used for performing parameter initialization operation on the secondary trusted chain model according to a pre-generated initialization control instruction after the second building module builds a secondary trusted chain model according to the trusted level corresponding to each platform component and the data control flow determined by combining the primary trusted chain model, and inputting a preset test data flow into the secondary trusted chain model, wherein the test data flow comprises a plurality of components to be tested, and all the components to be tested comprise standard components to be tested, the trusted level of which is greater than or equal to the standard trusted level corresponding to the secondary trusted chain model, and untrusted components to be tested, the trusted level of which is less than the standard trusted level;
the acquisition module is used for acquiring a credible output result correspondingly output after each part to be detected is input into the secondary credible chain model;
the judging module is used for judging whether the to-be-corrected component exists in the credible output results corresponding to all the to-be-detected components, and when the to-be-corrected component does not exist in the credible output results corresponding to all the to-be-detected components, determining that the model credibility grade corresponding to the secondary credible chain model meets the requirement of a preset model credibility threshold; and the part to be corrected is the part to be subjected to loss of credit, and the output result corresponding to the part to be subjected to loss of credit represents that the credibility grade of the part to be subjected to loss of credit is greater than or equal to the standard credibility grade.
As an alternative embodiment, in the second aspect of the present invention, the apparatus further comprises:
the analysis module is configured to, when the determination module determines that the to-be-corrected component exists in the trusted output results corresponding to all the to-be-corrected components, analyze the trusted output result corresponding to each to-be-corrected component to obtain a misjudgment parameter, where the confidence level of each to-be-corrected component in the secondary trusted chain model is greater than or equal to the misjudgment parameter corresponding to the standard confidence level, and the transfer lap judgment parameter includes the misjudgment parameter;
and the correcting module is used for performing parameter correction operation on the transfer studying and judging parameters in the secondary credible chain model according to the credible output result corresponding to each part to be corrected, the actual credible grade corresponding to each part to be corrected and the misjudgment parameters corresponding to each part to be corrected so as to update the secondary credible chain model.
The third aspect of the present invention discloses another dynamic link access control device applied to a power distribution network of a power system, where the device includes:
a memory storing executable program code;
a processor coupled with the memory;
the processor calls the executable program codes stored in the memory to execute the dynamic link access control method applied to the power distribution network of the power system disclosed by the first aspect of the invention.
The fourth aspect of the present invention discloses a computer storage medium, where the computer storage medium stores computer instructions, and when the computer instructions are called, the computer instructions are used to execute the dynamic link access control method applied to the power distribution network of the power system disclosed in the first aspect of the present invention.
Compared with the prior art, the embodiment of the invention has the following beneficial effects:
the embodiment of the invention provides a dynamic link access control method applied to a power distribution network of a power system, which comprises the following steps: the method comprises the steps that credible root data corresponding to a platform credible root and component data corresponding to all platform components are collected, the platform credible root and all platform components are used for building a credible chain model, and the credible chain model is used for executing preset credible verification operation on all components to be verified in a platform credible boundary so as to verify the credibility of each component to be verified; according to the credible root data and the component data, a platform credible root is used as a credible main line starting point, a primary credible chain model is established and obtained by combining a preset credible chain control direction and a credible chain expansion rule, and the primary credible chain model is used for executing credible verification operation on each platform component; and determining the credibility level corresponding to each platform component according to the component data, and combining the determined data control flow according to the credibility level corresponding to each platform component and the primary credibility chain model to construct a secondary credibility chain model serving as a target credibility chain model for executing data credibility verification operation and data transmission research and judgment operation on the access data. By the method, the credible root data of the credible root of the platform and the component data of all platform components can be intelligently collected, and a primary credible chain model is preliminarily constructed by combining the preset credible chain control direction and credible chain expansion rule; and then on the basis of the first-level credible chain model, a second-level credible chain model is intelligently constructed by combining the determined credible grade and the data control flow of each platform component, and the finally constructed second-level credible chain model can realize data transmission and research and judgment operations on input data input into the second-level credible chain model, further increases the research and judgment flow of dynamic credible numerical values of the input data, realizes research and judgment of the dynamic credible numerical values of the real-time state of each access request of the access terminal, and improves the access control safety and reliability when any terminal carries out network access.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings required to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the description below are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a dynamic link access control method applied to a power distribution network of an electric power system according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of another dynamic link access control method applied to a power distribution network of an electric power system according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of a dynamic link access control device applied to a power distribution network of an electric power system according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of another dynamic link access control device applied to a power distribution network of an electric power system according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of another dynamic link access control apparatus applied to a power distribution network of an electric power system according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a process for constructing a trusted chain according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of a data transfer flow of a trusted chain and a control chain according to an embodiment of the disclosure;
FIG. 8 is a flowchart illustrating a confidence level measurement process according to an embodiment of the present invention;
fig. 9 is a schematic diagram of a relationship between a trusted chain and a trusted level corresponding relationship, which is disclosed in the embodiment of the present invention;
fig. 10 is a schematic flow chart of dynamic access control disclosed in the embodiment of the present invention.
The reference numbers illustrate:
an acquisition module: 301; a first building block: 302; the determining module: 303; a second building block: 304; a model testing module: 305; an acquisition module: 306; a judgment module: 307; an analysis module: 308; a correction module: 309; a memory: 401; a processor: 402.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without inventive step based on the embodiments of the present invention, are within the scope of protection of the present invention.
The terms "first," "second," and the like in the description and claims of the present invention and in the above-described drawings are used for distinguishing between different objects and not necessarily for describing a particular sequential or chronological order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, apparatus, article, or article that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or article.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the invention. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
The invention discloses a dynamic link access control method and a dynamic link access control device applied to a power distribution network of a power system, which can intelligently acquire root-of-trust data of a platform root-of-trust and component data of all platform components, and preliminarily construct and obtain a primary chain-of-trust model by combining a preset chain-of-trust control direction and a chain-of-trust expansion rule; and then on the basis of the first-level credible chain model, a second-level credible chain model is intelligently constructed by combining the determined credible grade and the data control flow of each platform component, and the finally constructed second-level credible chain model can realize data transmission and research and judgment operations on input data input into the second-level credible chain model, further increases the research and judgment flow of dynamic credible numerical values of the input data, realizes research and judgment of the dynamic credible numerical values of the real-time state of each access request of the access terminal, and improves the access control safety and reliability when any terminal carries out network access. The following are detailed descriptions.
Example one
Referring to fig. 1 and fig. 6, fig. 1 is a schematic flow chart illustrating a dynamic link access control method applied to a power distribution network of an electrical power system according to an embodiment of the present invention; fig. 6 is a schematic diagram of a process for constructing a trusted chain according to an embodiment of the present invention. The dynamic link access control method applied to the power distribution network of the power system and described in fig. 1 may be applied to a dynamic link access control device applied to the power distribution network of the power system, which is not limited in the embodiment of the present invention. As shown in fig. 1, the dynamic link access control method applied to the power distribution network of the power system may include the following operations:
101. and collecting credible root data corresponding to the platform credible root and component data corresponding to all platform components, wherein the platform credible root and all platform components are used for constructing a credible chain model.
In the embodiment of the invention, the constructed trusted chain model is used for implementing the execution of the preset trusted verification operation on all the components to be verified in the platform trusted boundary so as to verify the credibility of each component to be verified.
102. According to the credible root data and the component data, a platform credible root is used as a credible main line starting point, and a primary credible chain model is constructed and obtained by combining a preset credible chain control direction and a credible chain expansion rule.
In the embodiment of the invention, the constructed primary trusted chain model is used for executing trusted verification operation on each platform component.
In the embodiment of the present invention, referring to fig. 6, a method for constructing a primary trust chain model by using a platform trust root as a trust main line starting point and combining a preset trust chain control direction and a trust chain expansion rule according to trust root data and component data in step 102 may specifically include the following operations:
determining a trusted control division sequence of each platform component according to the trusted root data and the component data and a preset trusted chain control direction, wherein the more the trusted control division sequence of each platform component is, the more the platform component is, a preset trusted control operation is executed on the platform component;
sequentially executing trusted control operation on each platform component by taking a platform trusted root as a trusted main line starting point according to the trusted control division sequence and the trusted chain control direction of each platform component to obtain a trusted control result corresponding to each platform component, wherein the trusted control result corresponding to each platform component is used for determining whether the platform component is a trusted component meeting a preset trusted chain expansion rule or not;
and determining all platform components of which the credible control results indicate that the platform components meet preset credible chain expansion rules in all platform components as credible components, and constructing to obtain a primary credible chain model according to the platform credible root, all credible components and the credible chain control direction and the credible chain expansion rules.
In an embodiment of the present invention, further optionally, the method for sequentially performing the trusted control operation on each platform component according to the trusted control division sequence and the trusted chain control direction of each platform component with the platform root of trust as the starting point of the trust mainline may specifically include the following operations:
for each platform component, according to a preset trusted control component and a trusted control sequence, executing trusted control operation on the platform component to obtain an initial trusted control result corresponding to the platform component; the trusted control component is a previous platform component of the platform component in the trusted control sequence, when the platform component is sequenced in the trusted control sequence for the first time, the trusted control component is a platform trusted root, and each trusted control component is a component meeting the requirement of a preset component complete parameter;
judging whether a trusted control result corresponding to the platform component indicates that the platform component meets the requirement of the complete parameter of the component, and when the judgment result is yes, generating a trust identifier for the platform component as the trusted control result corresponding to the platform component, wherein the trust identifier is used for adding the platform component corresponding to the trust identifier to a trust mainline as a trusted chain component of a primary trusted chain model to be constructed;
and when the judgment result is negative, generating a failure mark which indicates that the platform component does not meet the component complete parameter requirement, and taking the failure mark as a credible control result corresponding to the platform component, wherein the failure mark is used for indicating that the component credible numerical value of the platform component corresponding to the failure mark is lower than a preset credible threshold value.
In the embodiment of the present invention, reference may be made to fig. 6 when a primary trusted chain model is constructed in the above steps, where each arrow in fig. 6 corresponds to 2 execution actions: 1. the integrity of the next-stage component to be detected is verified by the preceding-stage trust source; 2. and after integrity verification, the trust is transferred, and the checked components are incorporated into the trusted chain to complete the extension of the trusted chain.
In the embodiment of the present invention, it should be noted that the arrow sequence of the function main line in fig. 6 represents the transfer of the platform control right. In the process of 2 main line transmission and trusted chain expansion, the following 4 basic rules are followed:
(1) All components are considered untrusted until they have not been measured; only components that are measured by trust and that meet a predefined state can be classified into a chain of trust.
(2) The platform does not allow component entities outside the trusted chain to run, and only components within the trusted boundary can obtain control of the corresponding platform.
(3) Only components within the trusted chain may act as verification agents, and integrity verification may be performed on non-verified components.
(4) If the integrity of the trusted measurement of one component does not pass in the trusted chain transmission process, the trusted main line is ended, and the trusted chain and the measurement result of the terminal are returned; while control rights transfer based on control flow continues.
103. And determining the corresponding credibility level of each platform component according to the component data.
104. And according to the credibility grade corresponding to each platform component and the data control flow determined by combining the primary credibility chain model, constructing to obtain a secondary credibility chain model.
In the embodiment of the invention, the constructed secondary credible chain model is used as a target credible chain model for executing data credibility verification operation and data transmission research and judgment operation on the access data.
As can be seen, by implementing the dynamic link access control method applied to the power distribution network of the power system and described in fig. 1, the trusted root data of the platform trusted root and the component data of all platform components can be intelligently acquired, and a primary trusted chain model is preliminarily constructed and obtained by combining a preset trusted chain control direction and a trusted chain expansion rule; and then on the basis of the primary credible chain model, a secondary credible chain model is intelligently constructed by combining the determined credible grade and data control flow of each platform component, and the finally constructed secondary credible chain model can realize data transmission and study and judgment operations on input data input into the secondary credible chain model, further increases the study and judgment flow of dynamic credible values of the input data, realizes study and judgment on the dynamic credible values of real-time states of each access request of the access terminal, and improves the access control safety and reliability when any terminal carries out network access.
Example two
Referring to fig. 2, fig. 2 is a schematic flowchart illustrating another dynamic link access control method applied to a power distribution network of an electric power system according to an embodiment of the present invention. The dynamic link access control method applied to the power distribution network of the power system described in fig. 2 may be applied to a dynamic link access control device applied to the power distribution network of the power system, and the embodiment of the present invention is not limited thereto. As shown in fig. 2, the method for managing and controlling dynamic link access applied to a power distribution network of a power system may include the following operations:
201. and collecting credible root data corresponding to the platform credible root and component data corresponding to all platform components, wherein the platform credible root and all platform components are used for constructing a credible chain model.
202. And according to the credible root data and the component data, a platform credible root is used as a credible main line starting point, and a primary credible chain model is constructed and obtained by combining a preset credible chain control direction and a credible chain expansion rule.
203. And determining the corresponding credibility grade of each platform component according to the component data.
204. And according to the credibility grade corresponding to each platform component and the data control flow determined by combining the primary credibility chain model, constructing to obtain a secondary credibility chain model.
In the embodiment of the present invention, please refer to other specific descriptions of step 101 to step 104 in the first embodiment for other descriptions of step 201 to step 204, which is not described again in the embodiment of the present invention.
205. And according to a pre-generated initialization control instruction, performing parameter initialization operation on the secondary trusted chain model, and inputting a preset test data stream into the secondary trusted chain model.
In the embodiment of the invention, the test data stream comprises a plurality of to-be-tested components, and all to-be-tested components comprise standard to-be-tested components with the credibility grade more than or equal to the standard credibility grade corresponding to the secondary credibility chain model and untrusted to-be-tested components with the credibility grade less than the standard credibility grade.
206. And obtaining a credible output result which is correspondingly output after each component to be tested is input into the secondary credible chain model.
207. And judging whether the components to be corrected exist in the credible output results corresponding to all the components to be detected.
In the embodiment of the invention, the output result of the part to be corrected corresponding to the component to be tested after the loss of credit shows that the credibility grade of the component to be tested after the loss of credit is greater than or equal to the standard credibility grade.
208. And when judging that the parts to be corrected do not exist in the credible output results corresponding to all the parts to be detected, determining that the model credibility grade corresponding to the secondary credible chain model meets the requirement of a preset model credibility threshold.
In the embodiment of the present invention, optionally, when it is determined that components to be corrected exist in the trusted output results corresponding to all components to be measured, the method may further include the following operations:
analyzing the credible output result corresponding to each part to be corrected to obtain a misjudgment parameter corresponding to the situation that each part to be corrected is misjudged to be the credible grade of the part to be corrected in the secondary credible chain model, wherein the transfer study parameter comprises the misjudgment parameter;
and according to the credible output result corresponding to each part to be corrected, the actual credible grade corresponding to each part to be corrected and the misjudgment parameter corresponding to each part to be corrected, performing parameter correction operation on the transfer studying and judging parameter in the secondary credible chain model so as to update the secondary credible chain model.
In the embodiment of the present invention, it should be noted that, the secondary judging model constructed in the above step 204 performs a data credibility verification operation on the input data and an operation flow corresponding to the data transmission judging operation, please refer to fig. 7, and the following is further described with reference to fig. 7:
(1) After determining that the system is powered on, TCM initialization is performed.
(2) And establishing connection between the main board and the TCM, after the platform is powered on, measuring an integrity value of the BIOS by a boot module of the BIOS, storing the integrity value on the TCM, checking the integrity of the BIOS, finishing trusted transmission if a check error occurs, returning a current trusted chain and a measured result, and reading BootLoader to the TCM regardless of a check result.
(3) The TCM checks the integrity of BootLoader in the BIOS. And (3) calculating the hash value of the BootLoader by the TCM, comparing the hash value with a reference value, entering the step (4) after the verification is passed, ending the trusted transmission if the verification is wrong, returning the current trusted chain and the measured result, and handing control over to the BootLoader regardless of the verification result.
(4) And starting the BootLoader, finishing basic operations such as initializing a memory, interrupting, peripheral equipment and the like, and copying a second-stage code of the BootLoader from the BIOS into the initialized external RAM for continuous execution.
(5) The BootLoader calls a TCM interface command, calculates the hash value of the BootLoader and carries out integrity check, if the check is wrong, the trusted transmission is finished, and the current trusted chain and the measured result are returned; and finishing the expansion of the trusted chain if the verification is passed. Regardless of the verification result, control is given to the operating system, and the next step is performed.
(6) After the trusted platform is started, the trusted operating system starts to run, the subsequent trusted chain transmission work is controlled and executed by the operating system, the integrity of the operating system is verified, if the verification is wrong, the trusted transmission is finished, and the current trusted chain and the measured result are returned; and finishing the expansion of the trusted chain if the verification is passed. An operating system and an application program call related security functions of the TCM by using various information security authentication mechanisms to realize verification of security applications and trusted applications.
(7) The control right is controlled by an operating system, the integrity of the security application and the trusted application is verified, if the verification is wrong, the trusted transmission is finished, and the current trusted chain and the measured result are returned; and finishing the expansion of the trusted chain if the verification is passed.
It can be seen that after the entire trusted chain transfer process of the model is completed, the control flow and the trusted flow of the model are relatively independent through process analysis and the restriction of the flow schematic diagram of fig. 7, and although the trusted flow depends on the transfer of the control flow, when the integrity check of the trusted flow fails, the control flow can continue to be performed, so that the normal start of a general system is ensured, the terminal cannot be started due to the failure of the trusted authentication, and the normal start of a general terminal is ensured.
In an embodiment of the present invention, optionally, the determining, according to the component data, the trust level corresponding to each platform component may specifically include the following operations:
determining the total number of the components of the platform component and a credible right corresponding to each platform component according to the component data, wherein the credible right corresponding to each platform component comprises the component type of the platform component, and the component type comprises a system component type corresponding to a platform where the platform component is located as a system platform or an application component type corresponding to a platform where the platform component is located as an application platform;
and determining the credibility grade corresponding to each platform component according to the total number of the components of the platform component and the component type corresponding to each platform component.
In an embodiment of the present invention, optionally, the constructing and obtaining the secondary trusted chain model according to the trust level corresponding to each platform component and the data control flow determined by combining the primary trusted chain model may specifically include the following operations:
determining a transmission studying and judging parameter corresponding to the data control flow according to the determined data control flow, wherein the transmission studying and judging parameter is used for executing preset data transmission studying and judging operation on the data control flow, and the transmission studying and judging parameter comprises a system initialization parameter before the data transmission studying and judging operation is executed on the data control flow;
and constructing to obtain a secondary credible chain model by combining the credible grade, the primary credible chain model, the data control flow and the transmission studying and judging parameters corresponding to each platform component on the basis of the data transmission studying and judging flow corresponding to the data control flow.
Further, referring to fig. 8, fig. 8 is a schematic diagram of a process of measuring a trust level according to an embodiment of the present invention, where a system trusted platform and an application trusted platform respectively correspond to a determined trust weight ratio, and a sum of the two trust weight ratios is 1. The method is realized based on a trusted chain, and in the process of establishing the trusted chain, measurement is carried out by taking TCM, BIOS, bootLoader, an operating system, security application and trusted application as trusted components of the trusted chain. Therefore, in the attributes of the trusted platform of the system, TCM, BIOS, bootLoader and an operating system are selected as platform security factors; and selecting antivirus software, a firewall and an access client as application safety factors in the attributes of the trusted platform of the application program.
In the embodiment of the present invention, since the generation of the trusted level is based on the trusted chain, the security factor of the trusted level only calculates the security factor included in the actual trusted chain, and the specific correspondence relationship is shown in fig. 9. In the prior network access control, the prior network access control is based on port authentication, a user does not have access authority before authentication, and after the user passes the authentication, the user is endowed with specific internet access authority, but when the safety state of the user changes, a system can not make dynamic access authority change according to the change, and the original authentication authority is still endowed to the user. Therefore, the dynamic access control can adjust the access authority of the user or refuse the access according to the change of the security state of the user, so as to achieve the self-adaption of the access control of the user. That is, different access rights can be assigned to different VLANs (virtual local area networks) according to different trust levels.
In the embodiment of the present invention, specifically, with reference to the actual application process and the effect diagram of the constructed secondary trusted chain model, reference may be made to fig. 10, and the following description is made with reference to the process of fig. 10:
(1) The user initiates an access request, and the identity of the user is authenticated firstly.
(2) If the user authentication is successful, judging whether the access terminal has a trusted TCM chip, if so, entering the step (3); if not, the user is dynamically allocated to Guest-VLAN and has visitor access authority; and if the user authentication fails, the terminal is refused to access.
(3) After the user passes the identity authentication, measuring the security attribute of the user, authenticating the platform credibility of the access terminal, and if the security credibility authentication is successful, evaluating the credibility level of the terminal platform; if the safe and credible authentication fails, the user is dynamically allocated to the VLAN40, and the access terminal is isolated and repaired.
(4) After the credibility level is evaluated, the low credibility terminal is dynamically allocated to the VLAN30 and has multiple limited access rights (E-mail limitation, WEB limitation and subnet limitation); the medium trusted terminal is dynamically allocated to VLAN20 and has limited access authority (limited WEB and limited subnet); the highly trusted terminal is dynamically assigned to VLAN10, specifically without restricted access rights.
(5) And when the credibility state of the terminal changes, the credibility state of the user is evaluated again, and the credibility grade is divided.
It can be seen that, by implementing the dynamic link access control method applied to the power distribution network of the power system described in fig. 2, after the secondary judging model is constructed, the model reliability of the secondary judging model can be intelligently verified through the test data stream, and for the case that the to-be-corrected component exists in the trusted output results corresponding to all the to-be-detected components, the parameter correction operation is automatically performed on the transfer judging parameter in the secondary trusted chain model according to the trusted output result corresponding to each to-be-corrected component, the actual trusted level corresponding to each to-be-corrected component, and the misjudgment parameter corresponding to each to-be-corrected component, so that the model reliability and accuracy of the finally determined secondary trusted chain model are improved.
EXAMPLE III
Referring to fig. 3, fig. 3 is a schematic structural diagram of a dynamic link access control device applied to a power distribution network of an electric power system according to an embodiment of the present invention. The dynamic link access control device applied to the power distribution network of the power system may be a dynamic link access control terminal applied to the power distribution network of the power system, a dynamic link access control device applied to the power distribution network of the power system, a dynamic link access control system applied to the power distribution network of the power system, or a dynamic link access control server applied to the power distribution network of the power system, where the dynamic link access control server applied to the power distribution network of the power system may be a local server, a remote server, or a cloud server (also called a cloud server), and when the dynamic link access control server applied to the power distribution network of the power system is a non-cloud server, the non-cloud server may be in communication connection with the cloud server, which is not limited in the embodiment of the present invention. As shown in fig. 3, the dynamic link access control apparatus applied to the power distribution network of the power system may include an acquisition module 301, a first construction module 302, a determination module 303, and a second construction module 304, where:
the acquisition module 301 is configured to acquire root-of-trust data corresponding to a platform root of trust and component data corresponding to all platform components, where the platform root of trust and all platform components are used to construct a trust chain model, and the trust chain model is used to implement a preset trust verification operation on all components to be verified in a platform trust boundary, so as to verify the trust of each component to be verified.
The first building module 302 is configured to build a primary trusted chain model according to the trusted root data and the component data, with the platform trusted root as a trusted main line starting point, and by combining a preset trusted chain control direction and a trusted chain expansion rule, where the primary trusted chain model is used to execute a trusted verification operation on each platform component.
A determining module 303, configured to determine, according to the component data, a trust level corresponding to each platform component.
The second building module 304 is configured to build a second-level trusted chain model according to the trust level corresponding to each platform component and the data control flow determined by combining the first-level trusted chain model, and use the second-level trusted chain model as a target trusted chain model for performing data trust verification operation and data transmission study and judgment operation on the access data.
In this embodiment of the present invention, optionally, the method for constructing and obtaining the first-level trusted chain model by the first construction module 302 according to the trusted root data and the component data, with the platform trusted root as the starting point of the trust mainline, and combining the preset trusted chain control direction and the trusted chain expansion rule specifically includes:
determining a trusted control division sequence of each platform component according to the trusted root data and the component data and a preset trusted chain control direction, wherein the more the trusted control division sequence of each platform component is, the more the platform component is, a preset trusted control operation is executed on the platform component;
sequentially executing trusted control operation on each platform component by taking a platform trusted root as a starting point of a trusted main line according to a trusted control division sequence and a trusted chain control direction of each platform component to obtain a trusted control result corresponding to each platform component, wherein the trusted control result corresponding to each platform component is used for determining whether the platform component is a trusted component meeting a preset trusted chain expansion rule or not;
and determining all platform components of which the credible control results indicate that the platform components meet preset credible chain expansion rules in all platform components as credible components, and constructing to obtain a primary credible chain model according to the platform credible root, all credible components and the credible chain control direction and the credible chain expansion rules.
In this embodiment of the present invention, optionally, the manner that the first building module 302 uses the platform root of trust as the starting point of the trust mainline, and sequentially executes the trust management and control operation on each platform component according to the trust management and control division sequence and the trust chain management and control direction of each platform component to obtain the trust management and control result corresponding to each platform component specifically includes:
for each platform component, according to a preset trusted control component and a trusted control sequence, executing trusted control operation on the platform component to obtain an initial trusted control result corresponding to the platform component; the trusted control component is a previous platform component of the platform component in the trusted control sequence, when the platform component is sequenced in the trusted control sequence for the first time, the trusted control component is a platform trusted root, and each trusted control component is a component meeting the requirement of a preset component complete parameter;
judging whether a trusted control result corresponding to the platform component indicates that the platform component meets the requirement of the complete parameters of the component, and if so, generating a trust identification for the platform component as the trusted control result corresponding to the platform component, wherein the trust identification is used for adding the platform component corresponding to the trust identification into a trust mainline as a trusted chain component of a primary trusted chain model to be constructed;
and when the judgment result is negative, generating a lattice losing identifier which represents that the platform component does not meet the requirement of the complete parameter of the component, wherein the lattice losing identifier is used as a credible control result corresponding to the platform component and is used for representing that the component credible value of the platform component corresponding to the lattice losing identifier is lower than a preset credible threshold value.
In this embodiment of the present invention, optionally, the determining module 303 determines, according to the component data, a manner of determining the trust level corresponding to each platform component specifically includes:
determining the total number of the components of the platform component and a credible right corresponding to each platform component according to the component data, wherein the credible right corresponding to each platform component comprises the component type of the platform component, and the component type comprises a system component type corresponding to a platform where the platform component is located as a system platform or an application component type corresponding to an application platform where the platform component is located;
and determining the credibility grade corresponding to each platform component according to the total number of the components of the platform component and the component type corresponding to each platform component.
In the embodiment of the present invention, optionally, the manner in which the second building module 304 builds the secondary trusted chain model according to the trust level corresponding to each platform component and the data control flow determined by combining the primary trusted chain model specifically includes:
determining a transmission studying and judging parameter corresponding to the data control flow according to the determined data control flow, wherein the transmission studying and judging parameter is used for executing preset data transmission studying and judging operation on the data control flow, and the transmission studying and judging parameter comprises a system initialization parameter before the data transmission studying and judging operation is executed on the data control flow;
and constructing to obtain a secondary credible chain model by combining the credible grade, the primary credible chain model, the data control flow and the transmission studying and judging parameters corresponding to each platform component on the basis of the data transmission studying and judging flow corresponding to the data control flow.
As can be seen, by implementing the dynamic link access control device applied to the power distribution network of the power system as described in fig. 3, the trusted root data of the platform trusted root and the component data of all platform components can be intelligently collected, and a primary trusted chain model is preliminarily constructed and obtained by combining a preset trusted chain control direction and a trusted chain expansion rule; and then on the basis of the primary credible chain model, a secondary credible chain model is intelligently constructed by combining the determined credible grade and data control flow of each platform component, and the finally constructed secondary credible chain model can realize data transmission and study and judgment operations on input data input into the secondary credible chain model, further increases the study and judgment flow of dynamic credible numerical values of the input data, realizes study and judgment on the dynamic credible numerical values of real-time states of each access request of the access terminal, and improves the access control safety and reliability when any terminal carries out network access
In an alternative embodiment, as shown in fig. 4, the apparatus may further include a model testing module 305, an obtaining module 306, and a determining module 307, where:
the model testing module 305 is configured to, after the second building module 304 combines the determined data control flow according to the trust level corresponding to each platform component and the primary trust chain model to build a secondary trust chain model, execute parameter initialization operation on the secondary trust chain model according to a pre-generated initialization control instruction, and input a preset test data flow into the secondary trust chain model, where the test data flow includes multiple components to be tested, and all the components to be tested include standard components to be tested having a trust level greater than or equal to a standard trust level corresponding to the secondary trust chain model and untrusted components to be tested having a trust level less than the standard trust level.
The obtaining module 306 is configured to obtain a trusted output result that is correspondingly output after each component to be tested is input into the secondary trusted chain model.
The judging module 307 is configured to judge whether the to-be-corrected component exists in the trusted output results corresponding to all the to-be-detected components, and when it is judged that the to-be-corrected component does not exist in the trusted output results corresponding to all the to-be-detected components, determine that the model trust level corresponding to the secondary trusted chain model meets the requirement of a preset model trust threshold; and the output result of the part to be corrected corresponding to the component to be detected for losing the information shows that the credibility grade of the component to be detected for losing the information is greater than or equal to the standard credibility grade.
In this optional embodiment, optionally, as shown in fig. 4, the apparatus may further include an analysis module 308 and a modification module 309, where:
the analyzing module 308 is configured to, when the determining module 307 determines that the to-be-corrected component exists in the trusted output results corresponding to all the to-be-corrected components, analyze the trusted output result corresponding to each to-be-corrected component to obtain a misjudgment parameter corresponding to the fact that each to-be-corrected component is misjudged in the secondary trusted chain model that the confidence level of the to-be-corrected component is greater than or equal to the standard confidence level, and transmit the misjudgment parameter including the misjudgment parameter.
The correcting module 309 is configured to perform a parameter correcting operation on the transfer trial parameters in the secondary trusted chain model according to the trusted output result corresponding to each component to be corrected, the actual trusted level corresponding to each component to be corrected, and the misjudgment parameters corresponding to each component to be corrected, so as to update the secondary trusted chain model.
It can be seen that, with the implementation of the dynamic link access control device applied to the power distribution network of the power system as described in fig. 4, after the secondary study model is constructed, the model reliability of the secondary study model can be intelligently verified through the test data stream, and for the case that the to-be-corrected component exists in the trusted output results corresponding to all the to-be-detected components, the parameter correction operation is automatically performed on the transfer study parameter in the secondary trusted chain model according to the trusted output result corresponding to each to-be-corrected component, the actual trusted level corresponding to each to-be-corrected component, and the misjudgment parameter corresponding to each to-be-corrected component, so that the model reliability and accuracy of the finally determined secondary trusted chain model are improved.
Example four
Referring to fig. 5, fig. 5 is a schematic structural diagram of another dynamic link access control device applied to a power distribution network of an electric power system according to an embodiment of the present invention. As shown in fig. 5, the dynamic link access control apparatus applied to the power distribution network of the power system may include:
a memory 401 storing executable program code;
a processor 402 coupled with the memory 401;
the processor 402 calls the executable program code stored in the memory 401 to execute the steps of the dynamic link access control method applied to the power distribution network of the power system described in the first embodiment or the second embodiment of the present invention.
EXAMPLE five
The embodiment of the invention discloses a computer storage medium, which stores computer instructions, and when the computer instructions are called, the computer instructions are used for executing the steps of the dynamic link access control method applied to the power distribution network of the power system, which are described in the first embodiment or the second embodiment of the invention.
Example six
The embodiment of the invention discloses a computer program product, which comprises a non-transitory computer storage medium storing a computer program, wherein the computer program is operable to make a computer execute the steps of the dynamic link access control method applied to the power distribution network of the power system described in the first embodiment or the second embodiment.
The above-described embodiments of the apparatus are only illustrative, and the modules described as separate parts may or may not be physically separate, and the parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above detailed description of the embodiments, those skilled in the art will clearly understand that the embodiments may be implemented by software plus a necessary general hardware platform, and may also be implemented by hardware. Based on such understanding, the above technical solutions may be embodied in the form of a software product, which may be stored in a computer storage medium, wherein the storage medium includes a Read-only memory (ROM), a Random Access Memory (RAM), a programmable Read-only memory (PROM), an erasable programmable Read-only memory (EPROM), a One-time programmable Read-only memory (OTPROM), an Electrically erasable rewritable Read-only memory (EEPROM), a Read-only optical disk (compact-Read-only memory-on-ROM, CD-ROM) or other optical disk storage, a magnetic disk storage, a tape storage, or any other computer capable of carrying or storing data.
Finally, it should be noted that: the dynamic link access control method and device applied to the power distribution network of the power system disclosed in the embodiments of the present invention are only disclosed in the preferred embodiments of the present invention, and are only used for illustrating the technical solutions of the present invention, not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art; the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. A dynamic link access control method applied to a power distribution network of a power system is characterized by comprising the following steps:
the method comprises the steps that trusted root data corresponding to a platform trusted root and component data corresponding to all platform components are collected, the platform trusted root and all the platform components are used for building a trusted chain model, and the trusted chain model is used for executing preset trusted verification operation on all to-be-verified components in a platform trusted boundary so as to verify the credibility of each to-be-verified component;
according to the credible root data and the component data, a platform credible root is taken as a credible main line starting point, a preset credible chain control direction and a credible chain expansion rule are combined, and a primary credible chain model is constructed and obtained, and the primary credible chain model is used for executing credible verification operation on each platform component;
and determining a credibility level corresponding to each platform component according to the component data, and constructing a secondary credible chain model according to the credibility level corresponding to each platform component and the data control flow determined by combining the primary credible chain model, wherein the secondary credible chain model is used as a target credible chain model for performing data credibility verification operation and data transmission research and judgment operation on access data.
2. The dynamic link access control method applied to the power distribution network of the power system according to claim 1, wherein the step of constructing a primary trust chain model by using the platform root of trust as a trust main line starting point and combining a preset trust chain control direction and a trust chain expansion rule according to the root of trust data and the component data comprises:
determining a trusted control division sequence of each platform component according to the trusted root data and the component data and a preset trusted chain control direction, wherein the more the trusted control division sequence of each platform component is, the earlier the trusted control division sequence is, a preset trusted control operation is executed on the platform component;
sequentially executing the trusted control operation on each platform component by taking the platform trusted root as a starting point of a trusted main line according to the trusted control division sequence of each platform component and the trusted chain control direction to obtain a trusted control result corresponding to each platform component, wherein the trusted control result corresponding to each platform component is used for determining whether the platform component is a trusted component meeting a preset trusted chain expansion rule;
and determining all platform components of which the credible control results in all the platform components indicate that the platform components meet preset credible chain expansion rules as credible components, and constructing to obtain a primary credible chain model according to the platform credible roots, all the credible components, the credible chain control directions and the credible chain expansion rules.
3. The dynamic link access control method applied to the power distribution network of the power system according to claim 2, wherein the step of sequentially performing the trusted control operation on each platform component according to the trusted control division sequence of each platform component and the trusted chain control direction by using the platform trusted root as a trusted main line starting point to obtain the trusted control result corresponding to each platform component includes:
for each platform component, according to a preset trusted control component and the trusted control sequence, executing the trusted control operation on the platform component to obtain an initial trusted control result corresponding to the platform component; when the platform component is ranked in the trusted management and control sequence in a first order, the trusted management and control component is the platform root of trust, and each trusted management and control component is a component meeting a preset component complete parameter requirement;
judging whether a trusted control result corresponding to the platform component indicates that the platform component meets the requirement of the complete parameter of the component, and if so, generating a trust identification for the platform component as a trusted control result corresponding to the platform component, wherein the trust identification is used for adding the platform component corresponding to the trust identification to the trust mainline as a trusted chain component of a primary trusted chain model to be constructed;
and when the judgment result is negative, generating a failure mark which represents that the platform component does not meet the requirement of the complete parameter of the component, wherein the failure mark is used as a credible control result corresponding to the platform component, and the failure mark is used for representing that the credible value of the component of the platform component corresponding to the failure mark is lower than a preset credible threshold value.
4. The method for dynamic link access control applied to the power distribution network of the power system according to any one of claims 1 to 3, wherein the determining the trust level corresponding to each of the platform components according to the component data comprises:
determining the total number of the components of the platform component and a credible right corresponding to each platform component according to the component data, wherein the credible right corresponding to each platform component comprises a component type of the platform component, and the component type comprises a system component type corresponding to a platform where the platform component is located as a system platform or an application component type corresponding to an application platform where the platform component is located;
and determining the credibility grade corresponding to each platform component according to the total number of the components of the platform component and the component type corresponding to each platform component.
5. The dynamic link access control method applied to the power distribution network of the power system according to any one of claims 1 to 3, wherein a secondary trusted chain model is constructed and obtained according to the trust level corresponding to each platform component and the data control flow determined by combining the primary trusted chain model, and the method comprises the following steps:
determining a transmission studying and judging parameter corresponding to the data control flow according to the determined data control flow, wherein the transmission studying and judging parameter is used for executing preset data transmission studying and judging operation on the data control flow, and the transmission studying and judging parameter comprises a system initialization parameter before the data transmission studying and judging operation is executed on the data control flow;
and constructing a secondary credible chain model by combining the credible grade corresponding to each platform component, the primary credible chain model, the data control flow and the transmission studying and judging parameters on the basis of the data transmission studying and judging flow corresponding to the data control flow.
6. The dynamic link access control method applied to the power distribution network of the power system according to claim 5, wherein after a secondary trusted chain model is constructed and obtained according to the trust level corresponding to each platform component and the data control flow determined by combining the primary trusted chain model, the method further comprises:
according to a pre-generated initialization control instruction, performing parameter initialization operation on the secondary trusted chain model, and inputting a preset test data stream into the secondary trusted chain model, wherein the test data stream comprises a plurality of components to be tested, and all the components to be tested comprise standard components to be tested with the trusted level being greater than or equal to a standard trusted level corresponding to the secondary trusted chain model and lost-credit components to be tested with the trusted level being less than the standard trusted level;
obtaining a credible output result correspondingly output after each component to be tested is input into the secondary credible chain model;
judging whether the to-be-corrected components exist in the credible output results corresponding to all the to-be-detected components, and when judging that the to-be-corrected components do not exist in the credible output results corresponding to all the to-be-detected components, determining that the model credibility grade corresponding to the secondary credible chain model meets the requirement of a preset model credibility threshold; and the part to be corrected is the part to be subjected to loss of credit, and the output result corresponding to the part to be subjected to loss of credit represents that the credibility grade of the part to be subjected to loss of credit is greater than or equal to the standard credibility grade.
7. The dynamic link access control method applied to the power distribution network of the power system according to claim 6, wherein when it is determined that the to-be-corrected component exists in the trusted output results corresponding to all the components to be detected, the method further includes:
analyzing a credible output result corresponding to each part to be corrected to obtain a misjudgment parameter corresponding to the situation that each part to be corrected is misjudged in the secondary credible chain model to be that the credible grade of the part to be corrected is greater than or equal to the standard credible grade, wherein the transmission studying and judging parameter comprises the misjudgment parameter;
and according to the credible output result corresponding to each part to be corrected, the actual credible grade corresponding to each part to be corrected and the misjudgment parameter corresponding to each part to be corrected, performing parameter correction operation on the transfer grinding and judging parameter in the secondary credible chain model so as to update the secondary credible chain model.
8. A dynamic link access control device applied to a power distribution network of a power system is characterized by comprising:
the system comprises an acquisition module, a trust module and a trust module, wherein the acquisition module is used for acquiring trusted root data corresponding to a platform trusted root and component data corresponding to all platform components, the platform trusted root and all the platform components are used for constructing a trusted chain model, and the trusted chain model is used for implementing preset trusted verification operation on all components to be verified in a platform trusted boundary so as to verify the credibility of each component to be verified;
the first construction module is used for constructing a primary credible chain model by taking the platform credible root as a credible main line starting point according to the credible root data and the component data and combining a preset credible chain control direction and a credible chain expansion rule, wherein the primary credible chain model is used for executing credible verification operation on each platform component;
the determining module is used for determining the corresponding credibility grade of each platform component according to the component data;
and the second construction module is used for constructing a secondary credible chain model according to the credibility grade corresponding to each platform component and the data control flow determined by combining the primary credible chain model, and the secondary credible chain model is used as a target credible chain model for executing data credibility verification operation and data transmission research and judgment operation on the access data.
9. A dynamic link access control device applied to a power distribution network of a power system is characterized by comprising:
a memory storing executable program code;
a processor coupled with the memory;
the processor calls the executable program code stored in the memory to execute the dynamic link access control method applied to the power distribution network of the power system according to any one of claims 1 to 7.
10. A computer storage medium storing computer instructions for executing the method according to any one of claims 1 to 7 when being invoked, for dynamic link access control applied to an electric power distribution network of an electric power system.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211413006.2A CN115908045A (en) | 2022-11-11 | 2022-11-11 | Dynamic link access control method and device applied to power distribution network of power system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211413006.2A CN115908045A (en) | 2022-11-11 | 2022-11-11 | Dynamic link access control method and device applied to power distribution network of power system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115908045A true CN115908045A (en) | 2023-04-04 |
Family
ID=86494975
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211413006.2A Pending CN115908045A (en) | 2022-11-11 | 2022-11-11 | Dynamic link access control method and device applied to power distribution network of power system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115908045A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117970907A (en) * | 2024-04-01 | 2024-05-03 | 西安热工研究院有限公司 | Trusted DCS controller trusted function test method, electronic equipment and storage medium |
-
2022
- 2022-11-11 CN CN202211413006.2A patent/CN115908045A/en active Pending
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117970907A (en) * | 2024-04-01 | 2024-05-03 | 西安热工研究院有限公司 | Trusted DCS controller trusted function test method, electronic equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11151232B2 (en) | User authentication by endpoint device using local policy engine and endpoint data | |
| CN107624238A (en) | To the safe access control of the application based on cloud | |
| CN103581203A (en) | Trusted network connection method based on trusted computing | |
| CN113434866B (en) | Unified risk quantitative evaluation method for instrument function safety and information safety strategies | |
| US10885162B2 (en) | Automated determination of device identifiers for risk-based access control in a computer network | |
| CN112653714A (en) | Access control method, device, equipment and readable storage medium | |
| CN115908045A (en) | Dynamic link access control method and device applied to power distribution network of power system | |
| CN111177703A (en) | Method and device for determining data integrity of operating system | |
| KR102213460B1 (en) | System and method for generating software whistlist using machine run | |
| CN111309978A (en) | Transformer substation system safety protection method and device, computer equipment and storage medium | |
| CN114499922A (en) | Intelligent zero-trust dynamic authorization method | |
| CN110099041A (en) | A kind of Internet of Things means of defence and equipment, system | |
| CN111814181B (en) | System authority authorization method and device, electronic equipment and storage medium | |
| CN114978651B (en) | Privacy calculation evidence-storing method and device, electronic equipment and storage medium | |
| US10896251B2 (en) | Method for authenticating software | |
| CN110932898B (en) | Intelligent network management system and method | |
| CN116567083A (en) | Service data processing method, device, equipment and medium | |
| CN113949578A (en) | Automatic detection method and device for unauthorized vulnerability based on flow and computer equipment | |
| CN112995325A (en) | Service debugging method, debugging service, electronic device, and computer storage medium | |
| CN112035844A (en) | System and method for acquiring trust state of terminal and computer equipment | |
| CN105763575A (en) | Loophole control method based on loophole states | |
| CN102739690B (en) | Safety data exchange process monitoring method and system | |
| CN112347456B (en) | Program verification method and device, platform, user terminal and online service system | |
| CN105007283B (en) | A kind of network safety protection method | |
| CN115883184A (en) | Credibility measuring method, device and system for terminal in power monitoring system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |