CN116015769A - Zero trust system main body trust degree dynamic evaluation system based on fuzzy reasoning - Google Patents

Publication number: CN116015769A
Authority: CN (China)
Prior art keywords: trust, user, degree, fuzzy, security
Legal status: Pending
Application number: CN202211589093.7A
Other languages: Chinese (zh)
Inventors: 张保稳, 刘岳林, 银鹰, 朱贇, 李建华
Current assignee: Shanghai Jiaotong University
Original assignee: Shanghai Jiaotong University

Abstract

A zero trust system subject trust degree dynamic evaluation system based on fuzzy reasoning. A fuzzy class and membership degree initialization module obtains the fuzzy classes and corresponding membership degrees of the subject information according to preset classifications and membership functions; a session security fuzzy reasoning module derives the session security fuzzy class of the subject through fuzzy reasoning; a zero trust session security calculation module defuzzifies the session security fuzzy class to obtain the session security value; and a zero trust subject trust dynamic adjustment module compares the comprehensive security value with the security requirement of the resource the user applies for, issues access credentials to the user according to the comparison result, and rewards or punishes the user's trust degree for security hazards and high-risk operations during the user's access. The invention introduces a fuzzy reasoning mechanism into a zero trust architecture to process quantitative security elements; historical data on the access subject's trust level is brought into the trust evaluation as a trust reference, the trust level is dynamically adjusted according to the security state of the user's access process, and dynamic adjustment and quantitative evaluation of access security in a zero trust system are realized.

Description

Zero trust system main body trust degree dynamic evaluation system based on fuzzy reasoning
Technical Field
The invention relates to a technology in the field of information security, in particular to a zero trust system main body trust degree dynamic evaluation system based on fuzzy reasoning.
Background
Zero trust system architecture is receiving growing attention in domestic and foreign research. Current trust evaluation methods for zero trust systems mainly focus on the trust judgment process of a single access subject, so on the one hand they cannot effectively solve the measurement problem of quantitative security factors, and on the other hand the evaluation process is not combined with the historical trust state of the access subject, so the evaluation result lacks continuity.
Disclosure of Invention
Aiming at the defects that existing zero trust evaluation technology does not combine historical trust data of the access subject and cannot give a quantitative evaluation result, the invention provides a zero trust system subject trust degree dynamic evaluation system based on fuzzy reasoning. It introduces a fuzzy reasoning mechanism into the zero trust architecture to process quantitative security elements; historical data on the access subject's trust level is brought into the trust evaluation as a trust reference, the trust level is dynamically adjusted according to the security state of the user's access process, and dynamic adjustment and quantitative evaluation of access security in the zero trust system are realized.
The invention is realized by the following technical scheme:
The invention relates to a zero trust system subject trust degree dynamic evaluation system based on fuzzy reasoning, comprising a fuzzy class and membership degree initialization module, a session security fuzzy reasoning module, a zero trust session security calculation module and a zero trust subject trust dynamic adjustment module, wherein: the fuzzy class and membership degree initialization module calculates the fuzzy class and corresponding membership degree of the subject information according to preset classifications and membership functions; the session security fuzzy reasoning module derives the session security fuzzy class of the subject through fuzzy reasoning; the zero trust session security calculation module defuzzifies the session security fuzzy class to calculate the session security value; and the zero trust subject trust dynamic adjustment module compares the comprehensive security value with the security requirement of the resource the user applies for, issues access credentials to the user according to the comparison result, and rewards or punishes the trust degree for security hazards and high-risk operations during the user's access.
The invention further relates to a trust degree dynamic evaluation method based on fuzzy reasoning that uses the above system, comprising the following steps:
step 1) initializing the access subject fuzzy classes according to the user, device and program information to obtain the security fuzzy class and membership degree of the user, the device and the program;
step 2) reasoning on the basis of the session fuzzy class rules, according to the security fuzzy classes of the user, the device and the program, to obtain the session fuzzy class and its membership degree;
step 3) performing session security calculation according to the fuzzy classification result and membership degree of the session the user applies to initiate, to obtain the defuzzified comprehensive session security value;
step 4) dynamically adjusting the trust level according to the current trust level of the user and the alarm information of the zero trust security module, to obtain the user's trust level after dynamic reward or punishment.
Technical effects
In the invention, historical trust data of the user is introduced into the trust evaluation of the zero trust system access subject, and the user's subject trust is dynamically adjusted according to the security situation of the access process; the quantitative user subject trust degree, device security information and application security information are fuzzified, and quantitative evaluation of zero trust system access security is realized with fuzzy reasoning rules, so that the accuracy of the zero trust system security evaluation result is improved in a quantitative manner.
Drawings
FIG. 1 is a flow chart of the present invention;
FIG. 2 is a schematic diagram of an example relationship under the zero trust system of the present invention;
FIG. 3 is a graph of the experimental data change of the dynamic evaluation result of the zero trust user trust level.
Detailed Description
As shown in FIG. 1, this embodiment relates to a zero trust subject security dynamic assessment system based on fuzzy reasoning, comprising a fuzzy class and membership degree initialization module, a session security fuzzy reasoning module, a zero trust session security calculation module and a zero trust subject trust dynamic adjustment module, wherein: the fuzzy class and membership degree initialization module calculates the fuzzy class and corresponding membership degree of the subject information according to preset classifications and membership functions; the session security fuzzy reasoning module derives the session security fuzzy class of the subject through fuzzy reasoning; the zero trust session security calculation module defuzzifies the session security fuzzy class to calculate the session security value; and the zero trust subject trust dynamic adjustment module compares the comprehensive security value with the security requirement of the resource the user applies for, issues access credentials to the user according to the comparison result, and rewards or punishes the trust degree for security hazards and high-risk operations during the user's access.
The fuzzy class and membership degree initialization module comprises a user trust degree fuzzification unit, a device security fuzzification unit and an application security fuzzification unit, wherein: the user trust degree fuzzification unit fuzzifies the user trust degree data with a membership function to obtain the fuzzy class and membership degree of the user trust degree; the device security fuzzification unit fuzzifies the device security data with a membership function to obtain the fuzzy class and membership degree of the device security; and the application security fuzzification unit fuzzifies the application security data with a membership function to obtain the fuzzy class and membership degree of the application security.
The session security fuzzy reasoning module comprises a session security fuzzy reasoning unit and a session security fuzzy class membership calculation unit, wherein: the session fuzzy reasoning unit performs fuzzy reasoning on the fuzzy class and membership degree information output by the initialization module, using the fuzzy reasoning rule set, to obtain the session security fuzzy class; and the session security fuzzy class membership calculation unit applies the minimum value method to the membership degrees of the user trust degree, the device security and the application security to obtain the membership degree of the session security fuzzy class.
The zero trust session security calculation module comprises a session security fuzzy membership merging unit and a session security calculation unit, wherein: the session security fuzzy membership merging unit sums the membership values of each session security fuzzy class output by the fuzzy reasoning module to obtain the overall membership degree of each session security fuzzy class; and the session security calculation unit processes the session security fuzzy classes and their overall membership degrees with a centroid calculation method to obtain a quantitative result for the session security.
The zero trust subject trust dynamic adjustment module comprises a user normalized trust calculation unit, a user trust reward unit and a user trust penalty unit, wherein: the user normalized trust calculation unit retrieves the current value of the user trust degree and the maximum and minimum values of the historical trust degree, and performs min-max normalization to obtain the user's normalized trust degree; the user trust reward unit calculates, from the normalized trust degree, the trust reward value earned after the user successfully accesses, and adds the reward value to the current trust degree to obtain the dynamically adjusted user trust degree; and the user trust penalty unit calculates, from the normalized trust degree, the trust penalty value applied after the user fails to obtain access or a risk occurs during access, and subtracts the penalty value from the current trust degree to obtain the dynamically adjusted user trust degree.
As shown in FIG. 2, this embodiment uses three user entities, user1, user2 and user3, as examples. user1 initiates access to resource1 using app1 and device1. app1 passes system verification, and its security is set to 50 because its version is old. The trust degree of user1 is set to 60 according to its historical interactions. device1 is set as an intranet device, and its security is set to 100. The security requirement of the requested resource1 is 50. user2 initiates access to resource1 using app2 and device2. The security requirement of the requested resource1 is 50. app2 passes system verification, and its security is set to 50 because its version is old. According to its historical interactions, the trust degree of user2 is set to 80, with a historical maximum trust degree of 85 and a minimum of 20. device2 is an intranet device, and its security is set to 100. user3 initiates access to resource2 using app3 and device3. The security requirement of the requested resource2 is 30. app3 passes system verification, and its security is set to 100. According to its historical interactions, the trust degree of user3 is set to 75, with a historical maximum trust degree of 90 and a minimum of 20. device3 is set as an intranet device, and its security is set to 100.
The embodiment relates to a trust degree dynamic evaluation method based on fuzzy reasoning of the system, which comprises the following steps:
step 1) initializing the access subject fuzzy classes according to the user, device and program information to obtain the security fuzzy class and membership degree of the user, the device and the program; the security of the device is divided into two classes, unsafe and safe; the security of the program is likewise divided into two classes, unsafe and safe.
The step 1 specifically comprises the following steps:
step 1.1) calculating the user belonging to the fuzzy trust class and the membership degree according to the user trust degree, wherein the method specifically comprises the following steps:
Figure BDA0003993203970000041
wherein: x is the trust degree of the user, which ranges from 0 to 100.
Specifically, in this embodiment the security fuzzy classes of user1 are medium and high, with membership degree 0.8 in medium and 0.2 in high. The security fuzzy classes of user2 are medium and high, with membership degree 0.4 in medium and 0.6 in high. The security fuzzy classes of user3 are medium and high, with membership degree 0.5 in medium and 0.5 in high.
Step 1.2) calculating and obtaining the equipment belonging to the fuzzy security class and membership according to the security degree of the equipment, wherein the method specifically comprises the following steps:
Figure BDA0003993203970000042
wherein: x is the safety of the device, which ranges from 0 to 100 in the closed interval.
Specifically, in this embodiment the security fuzzy class of device1 is the safe class with membership degree 1; the security fuzzy class of device2 is the safe class with membership degree 1; and the security fuzzy class of device3 is the safe class with membership degree 1.
Step 1.3) calculating and obtaining the program belonging to the fuzzy security class and the membership degree according to the security degree of the program, wherein the method specifically comprises the following steps:
Figure BDA0003993203970000043
wherein: x is the safety of the application, which ranges from 0 to 100 in the closed interval.
Specifically, in this embodiment app1 belongs to two security fuzzy classes, unsafe and safe, with membership degree 0.5 in unsafe and 0.5 in safe. app2 likewise belongs to the unsafe and safe classes, with membership degree 0.5 in unsafe and 0.5 in safe. The security fuzzy class of app3 is the safe class with membership degree 1.
Step 2) reasoning on the basis of the session fuzzy rules, according to the security fuzzy classes of the user, the device and the program, to obtain the session fuzzy class and its membership degree.
The session fuzzy rules relate UserClass, DevClass and AppClass, the fuzzy classes of the user, the device and the program, to SessionClass, the security fuzzy class of the session the user applies to initiate, as shown in Table 1.
Table 1 Session fuzzy class inference rule set
Figure BDA0003993203970000051
The step 2 specifically comprises the following steps:
step 2.1) combining the fuzzy classes of the user subject trust degree, the device security and the application security of the current access subject triplet, namely (UserClass, DeviceClass, AppClass), selecting the matching fuzzy rules from the session fuzzy class reasoning rule set, and performing fuzzy reasoning to obtain the corresponding session fuzzy classification result (SessionClass).
For example, for the session requested by user1, four rule reasoning relations can be obtained from Table 1:
the user security class is medium, the device security class is safe, the program security class is unsafe, and the session belongs to the unsafe class;
the user security class is medium, the device security class is safe, the program security class is safe, and the session belongs to the unsafe class;
the user security class is high, the device security class is safe, the program security class is unsafe, and the session belongs to the safe class;
the user security class is high, the device security class is safe, the program security class is safe, and the session belongs to the safe class.
For the access by user2, four rule reasoning relations can be obtained from the above classes:
the user security class is medium, the device security class is safe, the program security class is unsafe, and the session belongs to the unsafe class;
the user security class is medium, the device security class is safe, the program security class is safe, and the session belongs to the unsafe class;
the user security class is high, the device security class is safe, the program security class is unsafe, and the session belongs to the safe class;
the user security class is high, the device security class is safe, the program security class is safe, and the session belongs to the safe class.
For the access by user3, two rule reasoning relations can be obtained from the above classes:
the user security class is medium, the device security class is safe, the program security class is safe, and the session belongs to the unsafe class;
the user security class is high, the device security class is safe, the program security class is safe, and the session belongs to the safe class.
Step 2.2) calculating the membership degree of the obtained session fuzzy class, namely the minimum value of the membership degree of the user fuzzy class, the membership degree of the equipment fuzzy class and the membership degree of the program fuzzy class according to the fuzzy rule selected in step 2.1, wherein the minimum value is specifically as follows:
μ(Session∈SessionClass)=min[μ(user∈UserClass),μ(device∈DeviceClass),μ(app∈AppClass)],
wherein: μ(user ∈ UserClass) is the membership degree of the user in the current user fuzzy class, μ(device ∈ DeviceClass) is the membership degree of the device in the current device fuzzy class, μ(app ∈ AppClass) is the membership degree of the program in the current program fuzzy class, and μ(Session ∈ SessionClass) is the membership degree of the session in the current session fuzzy class.
Taking the above parameters as an example, in this embodiment the two rule-mapped membership degrees of session1 in the unsafe class are 0.5 and 0.5, and the two rule-mapped membership degrees of session1 in the safe class are 0.2 and 0.2.
The two mapping membership degrees of session2 belonging to the unsafe are respectively 0.4 and 0.4, and the two mapping membership degrees of session2 belonging to the safe class are respectively 0.5 and 0.5.
Two mapping membership degrees of session3 belonging to unsafe are 0.5 and 0.5.
Step 3) according to the fuzzy classification result and membership degree of the user application initiated session, calculating the session security to obtain a defuzzified session comprehensive security value, which specifically comprises the following steps:
step 3.1) combining the reasoning results of a plurality of fuzzy rules to combine membership degrees of the same session fuzzy class, wherein the membership degrees are specifically as follows:
Figure BDA0003993203970000061
wherein: the session classes are Unsafe and Safe; the membership degrees belonging to each class are merged to obtain the total membership degree of that class.
For example: the total membership degree of session1 in the unsafe class is 1, and its total membership degree in the safe class is 0.4.
The total membership of session2 belonging to the unsafe class is 0.8, and the total membership of session2 belonging to the safe class is 1.
Session3 belongs to safe class only, and the membership is 1.
Step 3.2) combining the membership degrees of the classes, the security value is calculated with the centroid method: sessions whose security value lies in 0–50 form the Unsafe class, whose centroid security value is 25, and sessions whose security value lies in 51–100 form the Safe class, whose centroid security value is 75. After the sum of the membership degrees of each class is obtained, the session security can be calculated from an overall perspective by the centroid method: the total membership degree of each class is weighted by that class's centroid security value, and the sum is divided by the total membership degrees to obtain the comprehensive security value of the session, specifically as follows:
Figure BDA0003993203970000071
for example:
the integrated security value of session1 is (1×25+0.4×75)/(1+0.4) =39.3
The integrated security value of session2 is (0.8×25+1×75)/(1+0.8) =52.8
The integrated security value of session3 is 1×75=75
Step 4) carrying out dynamic adjustment on the trust level according to the current trust level of the user and the alarm information of the zero trust security module to obtain the trust level after carrying out dynamic rewarding or punishment on the trust level of the user, which comprises the following steps:
step 4.1) comparing the session security value Sesson_center_security output by step 3.2 with the security value required by the service the user applies to access; when the session security value is higher than or equal to the security requirement of the service, the zero trust system provides the corresponding service to the user, otherwise access is refused.
For example: the security value of session1 is lower than resource1, denying access thereto.
The security value of session2 is higher than resource1, allowing access.
The security value of session3 is higher than resource2, allowing access.
Step 4.2) when the user access is allowed in step 4.1, retrieving and obtaining the maximum and minimum values of the past trust degree of the user from the user history trust degree database, and calculating the normalized trust degree, wherein the normalized trust degree is specifically as follows:
Figure BDA0003993203970000072
wherein: user_normal_trust is the user's trust degree after min-max normalization, max(user_trust) is the maximum value of the user's past trust degree, min(user_trust) is the minimum value of the user's past trust degree, and user_trust is the current user trust value.
For the user2 and the user3 which are allowed to access, calculating the normalized trust according to the trust history condition.
The current user trust of the user2 of session2 is 80, the highest historical trust is 85, the lowest trust is 20, and the normalized trust is 0.078.
The current user trust of the user3 of session3 is 75, the highest historical trust is 90, the lowest trust is 20, and the normalized trust is 0.214.
Step 4.3) in the stage where the user accesses the system, dynamically adjusting the trust degree according to the security state during the user's access: when no security risk alarm occurs during the user's access, first calculate the reward value by which the user trust degree increases, by the following formula, namely
Figure BDA0003993203970000081
wherein: λ is the reward and punishment coefficient, ranging between 0 and 1, and the speed of dynamic trust reward and punishment is determined by customizing λ; the current trust value of the user is then dynamically updated: user_trust=user_trust+reward_trust; correspondingly, when a security risk alarm occurs during the user's access, a punishment value reducing the user trust degree is calculated and the current trust value is dynamically updated according to it, specifically as follows:
Figure BDA0003993203970000082
user_trust=user_trust-punishment_trust.
During the access of user2, no security risk alarm is found, so the user is rewarded with trust on the basis of its current trust degree and its trust increases. The reward coefficient is set to 0.03 according to the system condition, and the reward trust degree is:
reward_trust=0.03*100*(80*e^0.078/100-1)=2.59
user_trust=user_trust+reward_trust=80+2.59=82.59
During the access of user3, a security risk alarm is found, so the user's trust is punished and deducted on the basis of its current trust degree and its trust decreases. The punishment coefficient is set to 0.03 according to the system condition, and the punishment trust degree is:
punishment_trust=0.03*100((100-75)*e^0.214/100-1)=0.93
user_trust=user_trust-punishment_trust=50-0.93=49.07
step 4.4) writing the user trust level dynamically updated in the step 4.3 into a user trust level historical database.
In this embodiment, the updated trust 82.59 of user2 and the updated trust 49.07 of user3 are written into the user history database, respectively.
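The step 1 to step 4 pipeline above, as an added worked example in Python (not the patent's own code). The membership functions, Table 1, and the normalization and reward/punishment formulas are figures missing from this page, so the forms used here are assumptions chosen to reproduce the worked values given for session1, session2, user2 and user3; the history values for user1 are constructed.

```python
import math

# Centroid security values stated in step 3.2: Unsafe class 25, Safe class 75.
SESSION_CENTROID = {"unsafe": 25.0, "safe": 75.0}

# Session rules listed in prose for step 2.1 (Table 1 itself is not on the page).
# Key: (UserClass, DeviceClass, AppClass) -> SessionClass.
SESSION_RULES = {
    ("medium", "safe", "unsafe"): "unsafe",
    ("medium", "safe", "safe"): "unsafe",
    ("high", "safe", "unsafe"): "safe",
    ("high", "safe", "safe"): "safe",
}

def fuzzify_user(trust):
    """Step 1.1. ASSUMED membership functions (the patent's are in a missing figure),
    chosen to reproduce the page's values: 60 -> medium 0.8 / high 0.2,
    80 -> 0.4 / 0.6, 75 -> 0.5 / 0.5. Below 50 the page gives no values, so such
    users get a 'low' class that no listed rule matches (fails closed)."""
    t = min(max(float(trust), 0.0), 100.0)
    if t < 50.0:
        return {"low": 1.0}
    high = (t - 50.0) / 50.0
    return {"medium": 1.0 - high, "high": high}

def fuzzify_security(security):
    """Steps 1.2/1.3. ASSUMED linear membership for device/app security that
    reproduces the page's 100 -> safe 1.0 and 50 -> unsafe 0.5 / safe 0.5."""
    s = min(max(float(security), 0.0), 100.0) / 100.0
    return {"unsafe": 1.0 - s, "safe": s}

def infer_session(user_mu, dev_mu, app_mu):
    """Steps 2.1 to 3.1: each rule whose antecedent classes are present fires with
    the min operator (step 2.2); memberships are summed per session class (3.1)."""
    total = {"unsafe": 0.0, "safe": 0.0}
    for (uc, dc, ac), sc in SESSION_RULES.items():
        if uc in user_mu and dc in dev_mu and ac in app_mu:
            total[sc] += min(user_mu[uc], dev_mu[dc], app_mu[ac])
    return total

def session_security(total):
    """Step 3.2: centroid defuzzification over the summed memberships."""
    denom = sum(total.values())
    if denom == 0.0:
        return 0.0  # no rule fired: no evidence of safety, fail closed (assumption)
    return sum(mu * SESSION_CENTROID[c] for c, mu in total.items()) / denom

def normalized_trust(trust, hist_max, hist_min):
    """Step 4.2. ASSUMED reading of the min-max formula (figure missing) that
    reproduces the page's 0.214 for user3: (max - trust) / (max - min)."""
    if hist_max <= hist_min:
        return 0.0
    return (hist_max - trust) / (hist_max - hist_min)

def adjust_trust(trust, norm, lam, penalize):
    """Step 4.3. ASSUMED reward/punishment forms (figures missing) that reproduce
    the page's 2.59 reward for user2 and 0.93 penalty for user3:
    reward = lam * trust * e^norm, penalty = lam * (100 - trust) * e^norm."""
    if penalize:
        delta = -lam * (100.0 - trust) * math.exp(norm)
    else:
        delta = lam * trust * math.exp(norm)
    return min(max(trust + delta, 0.0), 100.0), delta

def evaluate(subject, lam=0.03):
    """Run steps 1-4 for one access request. Per the module description, a denied
    request and a risk alarm during access are penalized; an alarm-free allowed
    access is rewarded. Returns the decision record for the trust history DB."""
    total = infer_session(fuzzify_user(subject["trust"]),
                          fuzzify_security(subject["device"]),
                          fuzzify_security(subject["app"]))
    security = session_security(total)
    allowed = security >= subject["resource_req"]
    norm = normalized_trust(subject["trust"], subject["hist_max"], subject["hist_min"])
    new_trust, delta = adjust_trust(subject["trust"], norm, lam,
                                    penalize=(not allowed) or subject["alarm"])
    return {"security": security, "allowed": allowed, "norm": norm,
            "delta": delta, "new_trust": new_trust}

# Constructed inputs mirroring the page's worked example; user1 has no stated
# trust history, so its hist_max/hist_min are made up here.
SUBJECTS = {
    "user1": {"trust": 60, "device": 100, "app": 50, "resource_req": 50,
              "hist_max": 70, "hist_min": 40, "alarm": False},
    "user2": {"trust": 80, "device": 100, "app": 50, "resource_req": 50,
              "hist_max": 85, "hist_min": 20, "alarm": False},
    "user3": {"trust": 75, "device": 100, "app": 100, "resource_req": 30,
              "hist_max": 90, "hist_min": 20, "alarm": True},
}

if __name__ == "__main__":
    for name, subject in SUBJECTS.items():
        r = evaluate(subject)
        print(f"{name}: security={r['security']:.1f} allowed={r['allowed']} "
              f"delta={r['delta']:+.2f} new_trust={r['new_trust']:.2f}")
```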
In practical experiments on a Windows 10 system with an Intel i5-1135G7 CPU, 2000 simulation calculations were run for three different users with configuration parameters of initial trust value 0.2 and punishment coefficient 0.01; the resulting trust data change curve is shown in FIG. 3.
Compared with the prior art, by introducing a historical data record of the user trust degree and performing dynamic reward and punishment adjustment according to the security situation of the user's access process, the method gives the zero trust subject trust security judgment process better continuity and stability, and the judgment result has stronger practicability.
The foregoing embodiments may be partially modified in numerous ways by those skilled in the art without departing from the principles and spirit of the invention, the scope of which is defined in the claims and not by the foregoing embodiments, and all such implementations are within the scope of the invention.

Claims (10)

1. A zero trust system subject trust degree dynamic evaluation system based on fuzzy reasoning, characterized by comprising: a fuzzy class and membership degree initialization module, a session security fuzzy reasoning module, a zero trust session security calculation module and a zero trust subject trust dynamic adjustment module, wherein: the fuzzy class and membership degree initialization module calculates the fuzzy class and corresponding membership degree of the subject information according to preset classifications and membership functions; the session security fuzzy reasoning module derives the session security fuzzy class of the subject through fuzzy reasoning; the zero trust session security calculation module defuzzifies the session security fuzzy class to calculate the session security value; and the zero trust subject trust dynamic adjustment module compares the comprehensive security value with the security requirement of the resource the user applies for, issues access credentials to the user according to the comparison result, and rewards or punishes the trust degree for security hazards and high-risk operations during the user's access.
2. The fuzzy inference-based dynamic trust level evaluation system for zero trust system bodies according to claim 1, wherein the fuzzy class and membership initialization module comprises: the device comprises a user trust degree fuzzification unit, a device security fuzzification unit and an application security fuzzification unit, wherein: the user trust degree fuzzification unit performs fuzzification processing by using a membership function according to the user trust degree data to obtain fuzzification class and membership degree of the user trust degree; the equipment safety degree fuzzification unit performs fuzzification processing by using a membership function according to the equipment safety degree data to obtain fuzzification class and membership degree of the equipment safety degree; and the application program security fuzzification unit performs fuzzification processing by using a membership function according to the application program security data to obtain the fuzzification class and membership of the application program security.
3. The fuzzy inference-based dynamic trust level evaluation system for a zero trust system body according to claim 1, wherein the session security fuzzy inference module comprises: the system comprises a session safety fuzzy inference unit and a session safety fuzzy class membership calculation unit, wherein: the session fuzzy reasoning unit performs fuzzy reasoning according to the fuzzy class and the information output by the membership degree initialization module and the fuzzy reasoning rule set to obtain the session security fuzzy class; and the session security fuzzy class membership calculation unit is used for processing according to the membership of the user trust degree, the equipment security degree and the application security degree by a minimum value method to obtain the membership of the session security fuzzy class.
4. The fuzzy inference-based dynamic trust level evaluation system of zero trust system bodies according to claim 1, wherein the zero trust session security calculation module comprises: a session security fuzzy membership merging unit and a session security degree calculating unit, wherein: the session security fuzzy membership merging unit sums, separately for each session security fuzzy class, the membership values output for that class by the fuzzy inference module to obtain the overall membership of each session security fuzzy class; and the session security degree calculating unit applies the centroid method to the session security fuzzy classes and their overall memberships to obtain a quantitative session security degree.
5. The fuzzy inference-based dynamic trust level evaluation system of zero trust system bodies according to claim 1, wherein the dynamic trust level adjustment module of zero trust system bodies comprises: a user normalized trust calculation unit, a user trust reward unit and a user trust penalty unit, wherein: the user normalized trust level calculation unit retrieves the current value of the user trust level and the maximum and minimum values of the historical trust level, and performs min-max normalization to obtain the user normalized trust level; the user trust degree reward unit calculates, from the user normalized trust degree, the trust degree reward value earned after the user accesses successfully and adds the reward value to the current trust degree to obtain the dynamically adjusted user trust degree; and the user trust degree penalty unit calculates, from the user normalized trust degree, the trust degree penalty value after the user fails to obtain access or a risk occurs during access, and subtracts the penalty value from the current trust degree to obtain the dynamically adjusted user trust degree.
6. A fuzzy inference-based trust dynamic assessment method based on the system of any one of claims 1-5, comprising the steps of:
step 1) initializing an access subject fuzzy class according to user, equipment and program information to obtain a safe fuzzy class and membership of the user, the equipment and the program;
step 2) according to the safety fuzzy class of the user, the equipment and the program, reasoning based on the conversation fuzzy class rule to obtain the conversation fuzzy class and the membership degree thereof;
step 3) according to the fuzzy classification result and membership degree of the user application initiated session, performing session security calculation to obtain a defuzzified session comprehensive security value;
step 4) dynamically adjusting the trust level according to the current trust level of the user and the alarm information of the zero trust security module, to obtain the trust level after dynamic reward or punishment of the user trust level.
7. The method for dynamically evaluating the trust level according to claim 6, wherein the step 1 specifically comprises:
step 1.1) calculating the fuzzy trust class to which the user belongs and its membership degree according to the user trust degree, specifically as follows:
Figure FDA0003993203960000021
wherein: x is the trust degree of the user, and the trust degree ranges from 0 to 100;
step 1.2) calculating the fuzzy security class to which the device belongs and its membership degree according to the device security degree, specifically as follows:
Figure FDA0003993203960000031
wherein: x is the security degree of the device, in the closed interval from 0 to 100;
step 1.3) calculating the fuzzy security class to which the program belongs and its membership degree according to the program security degree, specifically as follows:
Figure FDA0003993203960000032
wherein: x is the security degree of the application, in the closed interval from 0 to 100.
8. The method for dynamically evaluating the trust level according to claim 6, wherein the step 2 specifically comprises:
step 2.1) combining the user main body trust degree, device security degree and application security degree of the current access subject into a triplet (UserClass, DeviceClass, AppClass), selecting the matching fuzzy rule in the session fuzzy-type inference rule set, and performing fuzzy inference to obtain the corresponding session fuzzy classification result (SessionClass);
step 2.2) calculating the membership degree of the session fuzzy class obtained by the fuzzy rule selected in step 2.1 as the minimum of the user fuzzy class membership, the device fuzzy class membership and the program fuzzy class membership, specifically: μ(Session ∈ SessionClass) = min[μ(user ∈ UserClass), μ(device ∈ DeviceClass), μ(app ∈ AppClass)], wherein: μ(user ∈ UserClass) is the membership of the user in the current user fuzzy class, μ(device ∈ DeviceClass) is the membership of the device in the current device fuzzy class, μ(app ∈ AppClass) is the membership of the program in the current program fuzzy class, and μ(Session ∈ SessionClass) is the membership of the session in the current session fuzzy class.
9. The method for dynamically evaluating the trust level according to claim 6, wherein the step 3 specifically comprises:
step 3.1) combining the inference results of the plurality of fuzzy rules by merging the membership degrees of the same session fuzzy class, specifically as follows:
Figure FDA0003993203960000033
wherein: the session fuzzy classes are Unsafe and Safe, and the membership degrees of each of the two classes are merged separately to obtain the total membership degree of each class;
step 3.2) combining the membership degrees of the classes and calculating the security value by the centroid method: a session security value in the range 0-50 belongs to the Unsafe class, whose centroid security value is 25, and a session security value in the range 51-100 belongs to the Safe class, whose centroid security value is 75; after the total membership degree of each class is obtained, the session security is calculated as a whole by the centroid method: the total membership degree of each class is weighted by its centroid security value, and the weighted sum is divided by the sum of the total membership degrees to obtain the comprehensive session security value, specifically as follows:
Figure FDA0003993203960000041
10. The method for dynamically evaluating the trust level according to claim 6, wherein step 4) specifically comprises:
step 4.1) comparing the session security value Session_center_security output in step 3.2 with the security value required by the service the user applies to access; when the session security value is higher than or equal to the security value required by the service, the zero trust system provides the corresponding service to the session, otherwise access is refused;
step 4.2) when user access is allowed in step 4.1, retrieving the maximum and minimum values of the user's past trust degree from the user history trust degree database and calculating the normalized trust degree, specifically as follows:
Figure FDA0003993203960000042
wherein: user_normal_trust is obtained by min-max normalization of the user trust degree, max(user_trust) is the maximum of the user's past trust degree, min(user_trust) is the minimum of the user's past trust degree, and user_trust is the current user trust degree value;
step 4.3) in the stage of the user accessing the system, dynamically adjusting the trust degree according to the security dynamics of the user access process: when no security risk alarm occurs during the user access, first calculating the reward value by which the user trust degree increases, by the following formula:
Figure FDA0003993203960000043
wherein: λ is the reward and punishment coefficient, ranging between 0 and 1, and customizing λ sets the speed of dynamic trust reward and punishment; the current trust value of the user is then updated dynamically: user_trust = user_trust + reward_trust; correspondingly, when a security risk alarm occurs during the user access, the punishment value by which the user trust degree decreases is calculated and the current trust value is updated dynamically according to it, specifically as follows:
Figure FDA0003993203960000044
user_trust = user_trust - punishment_trust;
Step 4.4) writing the user trust level dynamically updated in the step 4.3 into a user trust level historical database.
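The claim 8-10 pipeline carried through as an added worked example in Python; this is not the patent's own code. The membership inputs, the fuzzy class names, the session rule set and the reward/penalty shape are assumptions, since the patent gives its membership functions and reward/penalty formulas only as figures; the min operator, the per-class summation and the 25/75 centroid defuzzification follow the claims.

```python
from itertools import product

# Centroid security values of the two session classes (claim 9, step 3.2).
CENTROID = {"Unsafe": 25.0, "Safe": 75.0}

def session_rule(user_cls, dev_cls, app_cls):
    """Constructed stand-in for the patent's session fuzzy-type rule set:
    any Low element makes the session Unsafe; otherwise Safe needs at
    least two High elements. Class names Low/Medium/High are assumed."""
    classes = (user_cls, dev_cls, app_cls)
    if "Low" in classes:
        return "Unsafe"
    return "Safe" if classes.count("High") >= 2 else "Unsafe"

def infer_session_security(user_mu, dev_mu, app_mu):
    """Steps 2.1-3.2: each *_mu maps fuzzy class -> membership (step 1 output).
    Fires every applicable rule with the min operator, sums memberships
    per session class (claim 4 sums rather than taking a max), then
    defuzzifies by centroid. Returns (security value, per-class totals)."""
    total = {"Unsafe": 0.0, "Safe": 0.0}
    for u, d, a in product(user_mu, dev_mu, app_mu):
        mu = min(user_mu[u], dev_mu[d], app_mu[a])  # step 2.2
        if mu > 0:
            total[session_rule(u, d, a)] += mu       # step 3.1
    denom = sum(total.values())
    if denom == 0:  # nothing fired: fail closed rather than divide by zero
        return 0.0, total
    return sum(total[c] * CENTROID[c] for c in total) / denom, total

def access_allowed(session_security, required_security):
    """Step 4.1: grant only when the session meets the resource's requirement."""
    return session_security >= required_security

def normalized_trust(user_trust, hist_min, hist_max):
    """Step 4.2: min-max normalization against the user's trust history."""
    if hist_max == hist_min:
        return 1.0  # no spread in the history; treat the user as at the peak
    return (user_trust - hist_min) / (hist_max - hist_min)

def adjust_trust(user_trust, hist_min, hist_max, alarmed, lam=0.2):
    """Step 4.3 with an ASSUMED reward/penalty shape (the patent's formulas
    exist only as figures): the reward is scaled by lam and the headroom
    to 100, the penalty by lam and the current trust. The result is kept
    in [0, 100], the trust range stated in claim 7."""
    n = normalized_trust(user_trust, hist_min, hist_max)
    if alarmed:
        delta = -lam * (1 + n) * user_trust          # punishment_trust
    else:
        delta = lam * (1 - n) * (100 - user_trust)   # reward_trust
    return max(0.0, min(100.0, user_trust + delta))
```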
CN202211589093.7A 2022-12-12 2022-12-12 Zero trust system main body trust degree dynamic evaluation system based on fuzzy reasoning Pending CN116015769A (en)
Publications (1)

Publication Number Publication Date
CN116015769A true CN116015769A (en) 2023-04-25

Family

ID=86023915

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116546498A (en) * 2023-05-30 2023-08-04 哈尔滨工程大学 Underwater wireless sensor network trust evaluation method based on variable membership function
CN116546498B (en) * 2023-05-30 2024-01-26 哈尔滨工程大学 Underwater wireless sensor network trust evaluation method based on variable membership function

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination