CN116566691A - General access control method and system based on PBAC and risk assessment - Google Patents


Info

Publication number
CN116566691A
Authority
CN
China
Prior art keywords
user
access
risk
preset
baseline
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310562283.8A
Other languages
Chinese (zh)
Inventor
朱颖骏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Zhongtongji Network Technology Co Ltd
Original Assignee
Shanghai Zhongtongji Network Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Zhongtongji Network Technology Co Ltd
Priority to CN202310562283.8A
Publication of CN116566691A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/105 Multiple levels of security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a general access control method and system based on PBAC and risk assessment, belonging to the technical field of network access control. The method acquires baseline data of a user, learns a user behavior baseline, and determines the user's historical habit baseline; acquires and analyzes an access request of the user, obtaining the user's access rights, network security condition and access behavior; performs access risk assessment on the user's access rights, network security condition and access behavior based on the historical habit baseline and a preset access security policy to obtain an access control assessment result; determines the user's access risk according to the access control assessment result, and if the user is a risk access user, invokes a preset verification mode to verify the user and controls the user's access request according to the verification result; and if the user is a malicious access user, invokes a preset disposal mode to seal (block) the user. By combining the user's historical habit baseline with the preset access security policy to achieve user access control, the method and system improve the security of access control.

Description

General access control method and system based on PBAC and risk assessment
Technical Field
The application belongs to the technical field of network access control, and particularly relates to a universal access control method and system based on combination of a PBAC model and a risk assessment method.
Background
Access control systems within enterprises generally use the RBAC (Role-Based Access Control) model, a form of access control in which authorization to operate on resources is granted primarily by role. In the RBAC model, users are assigned roles related to their responsibilities, and the corresponding roles are granted access to resources. These roles typically represent positions or tasks in an organization, such as administrators, financial staff, technical support staff, etc. The RBAC model has the following drawbacks:
1. it is difficult to accommodate complex scenarios: the RBAC model is difficult to deal with complex access control scenarios such as audit policies, behavior monitoring, etc.
2. It is difficult to achieve access control at the resource level: the RBAC model is based primarily on role-level access control, lacks the ability to adapt to resource-level access control policies, and is therefore less suitable for applications requiring more detailed access control.
3. Dynamic authorization is difficult: authorization of roles and permissions by the RBAC model is typically done at system initialization, while dynamic authorization is difficult and may require redesign of the entire system.
4. It is difficult to grant precisely: because it is primarily role-based, the RBAC model has difficulty providing precise access control that matches the characteristics of the individual user and of the resource.
Disclosure of Invention
Therefore, the general access control method and system based on PBAC and risk assessment are beneficial to solving the problems that when the access control is carried out by the existing RBAC model, the complex application scene is difficult to adapt, and dynamic accurate access authorization and resource-level access control are difficult to realize.
In order to achieve the above purpose, the present application adopts the following technical scheme:
in a first aspect, the present application provides a general access control method based on PBAC and risk assessment, including:
acquiring baseline data of a user, learning a user behavior baseline, and determining a historical habit baseline of the user;
acquiring and analyzing an access request of a user, and acquiring access rights, network security conditions and access behaviors of the user;
based on the historical habit base line and a preset access security policy, performing access risk assessment on the access authority, the network security condition and the access behavior of the user to obtain an access control assessment result;
determining the access risk type of the user according to the access control evaluation result, if the user is a risk access user, invoking a preset verification mode to verify the user, and controlling the user access request according to the verification result; and if the user is a malicious access user, invoking a preset disposal mode to seal the user.
Further, the acquiring the baseline data of the user, learning the user behavior baseline, and determining the historical habit baseline of the user specifically includes:
reading an application log of an enterprise internal system, and extracting baseline data required by user behavior risk assessment from the application log; the baseline data comprise daily operation habits of the user roles, access frequency and access equipment;
and carrying out user behavior baseline learning according to the baseline data of the user, and aggregating the user behavior baseline learning results to obtain a historical habit baseline of the user.
Further, performing access risk assessment on the user's access rights, network security condition and access behavior based on the historical habit baseline and a preset access security policy to obtain an access control assessment result specifically includes:
judging, based on a preset access security policy in the risk control engine, the user's permission to access the requested resource in the current time period, and determining the user's resource access permission;
performing, based on a preset access security policy in the risk control engine, risk assessment on the user's network security condition, and determining the access risk of the network the user is on, the user's geographic location and the access device;
performing, based on the historical habit baseline learned by the risk control engine, a consistency comparison on the user's current access behavior, and determining the safety of the user's access behavior;
and taking the user's resource access permission, the access risk of the network the user is on, the geographic location and the access device, and the safety of the user's access behavior as the access control evaluation result.
Further, determining the user's access risk according to the access control evaluation result, and if the user is a risk access user, invoking a preset verification mode to verify the user and controlling the user's access request according to the verification result, and if the user is a malicious access user, calling a preset disposal mode to seal the user, specifically comprises the following steps:
determining the access risk of the user according to the access control evaluation result, if the user does not have the access risk, determining the user as a safe user, and allowing the user to access the request resource;
if the user has access risk, determining that the user is a risk user, calling a preset verification mode to verify the user, and allowing the user to access the request resource after the verification is passed; and if the verification is not passed, calling a preset disposal mode to seal the user.
In a second aspect, the present application provides a universal access control system based on PBAC and risk assessment, comprising:
the behavior learning module is used for acquiring baseline data of the user to learn a user behavior baseline and determining a historical habit baseline of the user;
the request access module is used for acquiring and analyzing an access request of a user and acquiring the access right, the network security condition and the access behavior of the user;
the risk assessment module is used for carrying out access risk assessment on the access authority, the network security condition and the access behavior of the user based on the historical habit base line and a preset access security policy to obtain an access control assessment result;
the access control module is used for determining the user's access risk according to the access control evaluation result; if the user is a risk access user, invoking a preset verification mode to verify the user, and controlling the user's access request according to the verification result; and if the user is a malicious access user, calling a preset disposal mode to seal the user.
Further, the system further comprises: the security management module is used for configuring and releasing a preset access security policy and maintaining the security operation of the system.
The technical scheme adopted by the application has at least the following beneficial effects:
according to the general access control method based on PBAC and risk assessment, baseline data of a user are obtained, the user behavior baseline is learned, and the historical habit baseline of the user is determined; acquiring and analyzing an access request of a user, and acquiring access rights, network security conditions and access behaviors of the user; based on the historical habit base line and a preset access security policy, performing access risk assessment on the access authority, the network security condition and the access behavior of the user to obtain an access control assessment result; determining the access risk type of the user according to the access control evaluation result, if the user is a risk access user, invoking a preset verification mode to verify the user, and controlling the user access request according to the verification result; and if the user is a malicious access user, invoking a preset disposal mode to seal the user. According to the method and the system, the baseline data of the user are acquired to conduct behavior baseline learning, the historical habit baseline of the user is acquired, the historical habit baseline is combined with the preset access security policy, comprehensive access risk assessment is conducted on the access authority, the network security condition and the access behavior of the user, potential threats and vulnerabilities in the system and the access request information of the user are identified, and the risk level of the user and the access authority of the user is determined based on the access control assessment result, so that the security of the system and the data can be better protected, and unauthorized access and potential risks are avoided. 
Meanwhile, according to the risk level, the user is verified or blocked by calling the preset verification mode or the preset disposal mode, namely, the identity of the user is ensured to be fully verified, the risk of being attacked or misused is reduced, the security of access control is further improved, the protection of the system on unauthorized access is improved, the dynamic accurate access authorization and the access control of the resource level are realized, and the method and the device can be suitable for various complex application scenes.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below.
FIG. 1 is a flowchart illustrating a general access control method based on PBAC and risk assessment, according to an exemplary embodiment;
FIG. 2 is a diagram of a general access control system architecture based on PBAC and risk assessment, according to an exemplary embodiment;
FIG. 3 is a schematic diagram of a system framework shown according to an exemplary embodiment.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail below.
PBAC is short for Policy-Based Access Control, a common access control model. It manages users' access rights to resources by defining roles, rights, constraints and so on. In PBAC, a user obtains the corresponding access right by being granted a certain role, rather than being granted the right directly. The model allows better control and management of access rights in the system and reduces the security risk caused by over-granting rights.
In PBAC, risk assessment refers to the assessment of each role and right to identify its relationship to potential threats and vulnerabilities of the system and data. The evaluation assigns a risk level to each role and right, and this level can be used in access decisions, e.g. requiring additional authorization or authentication. By combining risk assessment with access control, the system and data can be better protected from unauthorized access and potential risk.
In an access control environment, a risk control system refers to measures that reduce the potential threats and risks faced by the system through risk assessment and access control policies. Risk assessment is carried out on each role and each right to determine its relationship to the system and data, and a corresponding access control strategy is formulated to control the access rights. Meanwhile, the system is continuously monitored and the risk assessment is updated in time so that the access control strategy can be adjusted in time. With such a control system, the security of the system and data can be better protected from unauthorized access and potential risks.
MFA (multi-factor authentication) can be used to improve the security of access control. When a user needs to access a role or right, MFA may require the user to provide several kinds of authentication information, such as passwords, smart cards or biometric information. In this way the user's identity is fully verified and the risk of attack or misuse is reduced. Applying MFA to PBAC further improves the security of access control and increases the system's protection against unauthorized access.
Referring to fig. 1, fig. 1 is a schematic diagram illustrating a general access control method based on PBAC and risk assessment, the method comprising:
s1: acquiring baseline data of a user, learning a user behavior baseline, and determining a historical habit baseline of the user;
s2: acquiring and analyzing an access request of a user, and acquiring access rights, network security conditions and access behaviors of the user;
s3: based on the historical habit base line and a preset access security policy, performing access risk assessment on the access authority, the network security condition and the access behavior of the user to obtain an access risk assessment result;
s4: determining the access risk of the user according to the access control evaluation result, if the access risk is the risk access user, calling a preset verification mode to verify the user, and controlling the access request of the user according to the verification result; and if the user is maliciously accessed, calling a preset disposal mode to seal the user.
Further, in one embodiment, the acquiring baseline data of the user, learning the user behavior baseline, and determining the historical habit baseline of the user specifically includes:
reading an application log of an enterprise internal system, and extracting baseline data required by user behavior risk assessment from the application log; the baseline data comprise daily operation habits of the user roles, access frequency and access equipment;
and carrying out user behavior baseline learning according to the baseline data of the user, and aggregating the user behavior baseline learning results to obtain a historical habit baseline of the user.
The user behavior baseline learning is implemented by a risk control engine. Risk control engines are roughly divided into three types: rule engines, model engines and decision engines. A rule engine encodes expert experience as a set of conditional rules; a model engine runs machine-learning models such as logistic regression (LR), decision trees and neural networks; and a decision engine combines the two.
In practice, the risk control engine used in this method provides a real-time decision API, a log-stream decision service and a timing decision service, among other functions. The real-time decision API processes the API traffic of the enterprise's internal application systems and application gateway by calling the log-stream decision service and the timing decision service, and outputs the corresponding real-time decision. For example, when the risk control engine monitors API traffic entering the enterprise through the real-time decision API, and the log-stream decision service and the timing decision service judge that the user's access request carries risk, a preset verification function or a preset disposal function is started according to the magnitude of the risk to handle the request, such as requiring face verification from a risky user or blocking a malicious user.
The log-stream decision service mainly collects the application logs of each application system in the enterprise, including log streams such as Kafka, Elasticsearch, RocketMQ and ClickHouse. The baseline data required for user behavior risk assessment is obtained from the collected log stream and the user behavior baseline is learned; for example, the daily operation habits and access frequency of users and roles are learned from the Kafka log stream. The final learned aggregate data is stored, and when the real-time decision API observes a user access request, an access control decision on the user's access behavior is made against it.
The timing decision service is mainly used to set time-based access rules for resources in the enterprise; for example, a non-management user cannot access resource A during a certain period, and outside that period can access resource A only after passing verification.
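The baseline-learning step above (extract habits, access frequency and devices from the application log, aggregate them per user, then compare a live request against the result) as a worked example. This code is added for this page and is not the patent's or the assignee's implementation; the log line format, the field names (ts, user, role, device, api), the sample log and the rate threshold are all assumptions.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of an application log stream, of the kind the
# log-stream decision service would read from Kafka.  The field names
# are assumptions for this example.
SAMPLE_LOG = [
    '{"ts": "2024-03-04T09:12:00", "user": "alice", "role": "finance", "device": "LT-0142", "api": "/ledger/read"}',
    '{"ts": "2024-03-04T10:30:00", "user": "alice", "role": "finance", "device": "LT-0142", "api": "/ledger/read"}',
    '{"ts": "2024-03-05T09:05:00", "user": "alice", "role": "finance", "device": "LT-0142", "api": "/ledger/export"}',
    '{"ts": "2024-03-05T14:20:00", "user": "alice", "role": "finance", "device": "LT-0142", "api": "/ledger/read"}',
    '{"ts": "2024-03-06T09:40:00", "user": "alice", "role": "finance", "device": "LT-0142", "api": "/ledger/read"}',
    '{"ts": "2024-03-06T11:15:00", "user": "alice", "role": "finance", "device": "LT-0142", "api": "/ledger/export"}',
    '{"ts": "2024-03-04T21:00:00", "user": "bob", "role": "ops", "device": "LT-0290", "api": "/deploy/status"}',
    '{"ts": "2024-03-05T22:10:00", "user": "bob", "role": "ops", "device": "LT-0290", "api": "/deploy/status"}',
]


def parse_log(lines):
    """Turn raw JSON log lines into event dicts with a parsed timestamp."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def learn_baseline(events):
    """Aggregate each user's daily operation habits: the devices they use,
    the APIs they call, the hours they are active and their daily request rate."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    baselines = {}
    for user, evs in by_user.items():
        days = {ev["ts"].date() for ev in evs}
        hours = [ev["ts"].hour for ev in evs]
        baselines[user] = {
            "role": Counter(ev["role"] for ev in evs).most_common(1)[0][0],
            "devices": {ev["device"] for ev in evs},
            "apis": {ev["api"] for ev in evs},
            "hour_range": (min(hours), max(hours)),
            "daily_rate": len(evs) / len(days),
        }
    return baselines


def make_request(user, device, api, ts_iso):
    """Build a current access request in the same shape as a log event."""
    return {"user": user, "device": device, "api": api, "ts": datetime.fromisoformat(ts_iso)}


def behavior_consistent(baseline, request, requests_today, rate_factor=3.0):
    """Consistency comparison of the current request against the learned
    baseline.  Returns (consistent, reasons); reasons is empty when the
    behaviour matches the habit baseline.  rate_factor is an assumed threshold."""
    reasons = []
    if request["device"] not in baseline["devices"]:
        reasons.append("unknown device")
    lo, hi = baseline["hour_range"]
    if not lo <= request["ts"].hour <= hi:
        reasons.append("outside usual hours")
    if request["api"] not in baseline["apis"]:
        reasons.append("unusual api")
    if requests_today > rate_factor * baseline["daily_rate"]:
        reasons.append("access frequency spike")
    return (not reasons, reasons)


if __name__ == "__main__":
    baselines = learn_baseline(parse_log(SAMPLE_LOG))
    req = make_request("alice", "PHONE-9", "/ledger/read", "2024-03-07T03:00:00")
    print(behavior_consistent(baselines["alice"], req, requests_today=9))
```

The reasons list is what a risk control engine would feed into the "access behavior safety" judgement; a real deployment would learn over weeks of logs and use a per-user distribution rather than a min/max hour range, but the aggregation and comparison steps are the same.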
Further, in one embodiment, the access risk assessment performed on the user's access rights, network security condition and access behavior based on the historical habit baseline and the preset access security policy specifically includes the following three judgement processes:
judging, based on a preset access security policy in the risk control engine, the user's permission to access the requested resource in the current time period, and determining the user's resource access permission;
performing, based on a preset access security policy in the risk control engine, risk assessment on the user's network security condition, and determining the access risk of the network the user is on, the user's geographic location and the access device;
performing, based on the historical habit baseline learned by the risk control engine, a consistency comparison on the user's current access behavior, and determining the safety of the user's access behavior.
Further, in an embodiment, the user's access risk is determined according to the access control evaluation result obtained from the three access risk judgement processes; if the user is a risk user, a preset verification mode is called to verify the user and the user's access request is controlled according to the verification result; if the user is a malicious access user, a preset disposal mode is called to seal the user. This specifically comprises the following steps:
determining the access risk of the user according to the access control evaluation result, if the user does not have the access risk, determining the user as a safe user, and allowing the user to access the request resource;
if the user has access risk, determining that the user is a risk user, calling a preset verification mode to verify the user, and allowing the user to access the request resource after the verification is passed; and if the verification is not passed, calling a preset disposal mode to seal the user.
The process of determining the user's access risk from the access control evaluation result specifically comprises the following steps:
if the user has the resource access permission, has no access risk and the access behavior is safe, the user is evaluated as a safe user and is allowed to access the requested resource;
if the user has the resource access permission and the access behavior is safe but there is an access risk, or
the user has the resource access permission and there is no access risk but the access behavior is unsafe, the user is evaluated as a risk user; a preset verification mode is called to verify the user, the user is allowed to access the requested resource after the verification passes, and the access request is refused if the verification does not pass;
if the user does not have the resource access permission, has no access risk and the access behavior is safe, the user is evaluated as a safe user, but a preset verification mode is still called to verify the user: the user is allowed to access the requested resource after the verification passes, and the access request is refused if it does not pass;
meanwhile, if the user's access control evaluation result satisfies only one of the three judgement requirements, namely only one of resource access permission, no access risk and safe access behavior, the user is determined to be a high-risk user; a preset verification mode is called to perform multiple verification on the user, the user is allowed to access the requested resource after the verification passes, and the access request is refused if it does not pass.
If the user does not have the resource access permission, there is an access risk and the access behavior is unsafe, the user is determined to be a malicious access user, and a preset disposal mode is called to seal (block) the user.
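The decision table in the steps above, together with the time-period permission rule of the timing decision service (non-management users shut out of a resource during a set window), written out as code. This is an example added for this page, not the patent's or the assignee's implementation; the policy structure, the role and resource names, the action names and the verify callback are assumptions.

```python
from enum import Enum


class RiskLevel(Enum):
    SAFE = "safe"
    RISK = "risk"
    HIGH_RISK = "high_risk"
    MALICIOUS = "malicious"


class Action(Enum):
    ALLOW = "allow"
    VERIFY = "verify"          # one preset verification mode (e.g. SMS code, TOTP)
    MULTI_VERIFY = "mfa"       # multiple verification of a high-risk user
    BLOCK = "block"            # preset disposal mode: seal the user


# Constructed policy (assumed structure): which roles may use a resource, and
# a time window during which non-management roles are shut out of it, as in
# the timing decision service's "resource A" rule.
POLICY = {
    "resource_A": {
        "roles": {"manager", "finance"},
        "restricted_hours": range(0, 7),       # 00:00-06:59
        "management_roles": {"manager"},
    },
    "resource_B": {"roles": {"ops"}, "restricted_hours": range(0), "management_roles": set()},
}


def has_permission(role, resource, hour, policy=POLICY):
    """Resource access permission for this role in the current time period."""
    rule = policy.get(resource)
    if rule is None or role not in rule["roles"]:
        return False
    if hour in rule["restricted_hours"] and role not in rule["management_roles"]:
        return False
    return True


def classify(has_perm, network_safe, behavior_safe):
    """Map the three judgement results (resource permission, no network/device
    access risk, behaviour consistent with the baseline) to a risk level and
    the action the text prescribes for it."""
    satisfied = sum((has_perm, network_safe, behavior_safe))
    if satisfied == 3:
        return RiskLevel.SAFE, Action.ALLOW
    if satisfied == 2:
        # Permission held but network or behaviour failed: risk user, verify.
        # Permission missing but network and behaviour fine: the text still
        # calls this a safe user, yet routes it through verification.
        return (RiskLevel.RISK if has_perm else RiskLevel.SAFE), Action.VERIFY
    if satisfied == 1:
        return RiskLevel.HIGH_RISK, Action.MULTI_VERIFY
    return RiskLevel.MALICIOUS, Action.BLOCK


def decide(has_perm, network_safe, behavior_safe, verify):
    """Classify, then run the preset verification when one is required.
    `verify(action)` is an assumed callback that returns True when the user
    passes the (single or multiple) verification."""
    level, action = classify(has_perm, network_safe, behavior_safe)
    if action is Action.ALLOW:
        return level, "allowed"
    if action is Action.BLOCK:
        return level, "sealed"
    return level, ("allowed" if verify(action) else "refused")


if __name__ == "__main__":
    perm = has_permission("finance", "resource_A", hour=10)
    print(decide(perm, network_safe=False, behavior_safe=True, verify=lambda a: True))
```

Counting how many of the three judgements are satisfied makes the table exhaustive: every combination of the three booleans lands in exactly one branch, which is worth checking in a real policy engine so that no request falls through to an implicit allow.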
In practice, the preset verification modes include a slider CAPTCHA, an SMS verification code, an app-based TOTP, face verification and the like. The preset disposal modes include IP blocking, user account blocking, access blocking, reporting of malicious access information and the like.
When multiple verification is performed on the user, the application implements it with MFA (multi-factor authentication). Implementing MFA makes it more difficult for a threat actor to obtain access to service locations and information systems (such as remote access technology, email and billing systems), even if a password or PIN has been compromised by phishing or other means.
Referring to fig. 2, the present application further provides a general access control system based on PBAC and risk assessment, the system comprising:
the behavior learning module is used for acquiring baseline data of the user, learning a user behavior baseline and determining a historical habit baseline of the user;
the request access module is used for acquiring and analyzing an access request of a user and acquiring the access right, the network security condition and the access behavior of the user;
the risk assessment module is used for carrying out access risk assessment on the access authority, the network security condition and the access behavior of the user based on the historical habit base line and a preset access security policy to obtain an access control assessment result;
the access control module is used for determining the user's access risk according to the access control evaluation result; if the user is a risk access user, invoking a preset verification mode to verify the user, and controlling the user's access request according to the verification result; and if the user is a malicious access user, calling a preset disposal mode to seal the user.
Further, in one embodiment, the system further comprises: the security management module is used for configuring and releasing a preset access security policy and maintaining the security operation of the system.
Referring to fig. 3, in one embodiment, the system provided in the present application, viewed as a system framework, may be divided into an access layer, a risk control engine, application log storage, a data service layer, a verification (challenge) platform, a disposal platform and a security management functional architecture. The access layer comprises the enterprise's internal application systems and application gateway. The application log storage function collects and stores log stream data such as Kafka, Elasticsearch, RocketMQ and ClickHouse. The data service layer stores the user's attribute data, the aggregate data of the behavior baseline and the system's general data. The attribute data includes user account numbers, access devices, applications used by the user, user names, APIs, Wi-Fi and the like. The system's general data comprises the list library, the enterprise's computing system operation data and the like.
The security management function comprises two parts, policy management and security operation. Policy management comprises the system's task management, decision policy setting, policy debugging and policy issuing. Security operation comprises list management, a security log center, a security dashboard and event tracing.
According to the method and the system, behavior baseline learning is carried out on the user's acquired baseline data to obtain the user's historical habit baseline; the historical habit baseline is combined with the preset access security policy, and the risk control engine performs comprehensive access risk assessment on the user's access rights, network security condition and access behavior, identifying potential threats and vulnerabilities in the system and in the user's access request information; the user's risk level and access permission are then determined from the access control assessment result, so that the security of the system and data is better protected and unauthorized access and potential risks are avoided. Meanwhile, according to the risk level, the user is verified or blocked by calling the preset verification mode or the preset disposal mode, which ensures that the user's identity is fully verified, reduces the risk of attack or misuse, further improves the security of access control and the system's protection against unauthorized access, realizes dynamic and accurate access authorization and resource-level access control, and makes the method and system suitable for various complex application scenarios.
It is to be understood that the same or similar parts in the above embodiments may be referred to each other, and that in some embodiments, the same or similar parts in other embodiments may be referred to.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. Although embodiments of the present application have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the application, and that variations, modifications, alternatives, and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the application.

Claims (6)

1. A universal access control method based on PBAC and risk assessment, comprising:
acquiring baseline data of a user, learning a user behavior baseline, and determining a historical habit baseline of the user;
acquiring and analyzing an access request of a user, and acquiring access rights, network security conditions and access behaviors of the user;
based on the historical habit baseline and a preset access security policy, performing access risk assessment on the access rights, the network security condition and the access behavior of the user to obtain an access control assessment result;
determining the access risk type of the user according to the access control assessment result; if the user is a risk access user, invoking a preset verification mode to verify the user, and controlling the user's access request according to the verification result; and if the user is a malicious access user, invoking a preset disposal mode to block the user.
2. The universal access control method based on PBAC and risk assessment according to claim 1, wherein the steps of obtaining baseline data of the user, learning the user behavior baseline, and determining the historical habit baseline of the user comprise:
reading an application log of an enterprise internal system, and extracting baseline data required by user behavior risk assessment from the application log; the baseline data comprise daily operation habits of the user roles, access frequency and access equipment;
and carrying out user behavior baseline learning according to the baseline data of the user, and aggregating the user behavior baseline learning results to obtain a historical habit baseline of the user.
3. The universal access control method based on PBAC and risk assessment according to claim 1, wherein performing access risk assessment on the access rights, network security condition and access behavior of the user based on the historical habit baseline and a preset access security policy, and obtaining an access control assessment result, specifically comprises:
judging the access rights of the user to the requested resource in the current time period based on a preset access security policy in the risk control engine, and determining the resource access rights of the user;
based on a preset access security policy in the risk control engine, performing risk assessment on the network security condition of the user, and determining the access risk of the network where the user is located, the geographic position and the access device;
based on the historical habit baseline learned by the risk control engine, performing a consistency comparison of the user's current access behavior, and determining the access behavior security of the user;
and taking the resource access rights of the user, the access risk of the network where the user is located, the geographic position and the access device, and the access behavior security of the user as the access control assessment result.
4. The universal access control method based on PBAC and risk assessment according to claim 1, wherein determining the access risk of the user according to the access control assessment result, invoking a preset verification mode to verify the user if the user is a risk access user and controlling the user's access request according to the verification result, and invoking a preset disposal mode to block the user if the user is a malicious access user, specifically comprises:
determining the access risk of the user according to the access control assessment result; if the user has no access risk, determining the user as a safe user and allowing the user to access the requested resource;
if the user has access risk, determining the user as a risk user, invoking a preset verification mode to verify the user, and allowing the user to access the requested resource after the verification passes; and if the verification does not pass, invoking a preset disposal mode to block the user.
5. A universal access control system based on PBAC and risk assessment, comprising:
the behavior learning module is used for acquiring baseline data of the user, learning a user behavior baseline and determining a historical habit baseline of the user;
the request access module is used for acquiring and analyzing an access request of a user and acquiring the access right, the network security condition and the access behavior of the user;
the risk assessment module is used for performing access risk assessment on the access rights, the network security condition and the access behavior of the user based on the historical habit baseline and a preset access security policy;
the access control module is used for determining the access risk of the user according to the access control assessment result; if the user is a risk access user, invoking a preset verification mode to verify the user and controlling the user's access request according to the verification result; and if the user is a malicious access user, invoking a preset disposal mode to block the user.
6. The PBAC and risk assessment based universal access control system of claim 5, further comprising: the security management module is used for configuring and releasing a preset access security policy and maintaining the security operation of the system.
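The decision flow of claims 1 to 4 (baseline learning from application logs, the three-part assessment of claim 3, and the safe / risk / malicious handling of claim 4) can be shown end to end in a small risk-control engine. The following Python is an added example written for this page; it is not code from the patent or its applicant. The log rows, the shape of the "preset access security policy" (role, resource, allowed hour window), the trusted and blocklisted network sets, and the thresholds that map an assessment result onto the three user classes are all assumptions made for the example; the `verify` callback stands in for whatever preset verification mode (for instance a second-factor prompt) a deployment would use.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample application-log rows (not from the patent). Each row
# carries the baseline data named in claim 2: role, operation habit (hour and
# resource), access device and network.
SAMPLE_LOG = [
    # (user, role, hour, device, network, resource)
    ("alice", "finance", 9,  "laptop-01", "corp-lan", "/ledger"),
    ("alice", "finance", 10, "laptop-01", "corp-lan", "/ledger"),
    ("alice", "finance", 14, "laptop-01", "corp-vpn", "/ledger"),
    ("alice", "finance", 15, "laptop-01", "corp-lan", "/invoices"),
    ("bob",   "ops",     22, "srv-term",  "corp-lan", "/deploy"),
    ("bob",   "ops",     23, "srv-term",  "corp-lan", "/deploy"),
]

# Assumed shape of the "preset access security policy": role -> resource ->
# half-open hour window in which that role may use the resource.
POLICY = {
    "finance": {"/ledger": (8, 18), "/invoices": (8, 18)},
    "ops":     {"/deploy": (20, 24)},
}
TRUSTED_NETWORKS = {"corp-lan", "corp-vpn"}   # constructed example values
BLOCKLISTED_NETWORKS = {"tor-exit"}          # constructed example value


@dataclass
class Baseline:
    """Aggregated historical habit baseline for one user (claim 2)."""
    hours: Counter = field(default_factory=Counter)
    devices: set = field(default_factory=set)
    resources: set = field(default_factory=set)


def learn_baselines(log):
    """Behaviour baseline learning: aggregate the log rows per user."""
    baselines = defaultdict(Baseline)
    for user, _role, hour, device, _network, resource in log:
        b = baselines[user]
        b.hours[hour] += 1
        b.devices.add(device)
        b.resources.add(resource)
    return dict(baselines)


BASELINES = learn_baselines(SAMPLE_LOG)


def assess(request, baselines):
    """Three-part evaluation of claim 3: policy right, network risk, behaviour consistency."""
    user, role, hour, device, network, resource = request
    # 1. Resource access right in the current time period, from the preset policy.
    window = POLICY.get(role, {}).get(resource)
    has_right = window is not None
    in_window = has_right and window[0] <= hour < window[1]
    # 2. Network / device risk: 0 trusted, 1 unknown, 2 blocklisted.
    if network in BLOCKLISTED_NETWORKS:
        network_risk = 2
    elif network in TRUSTED_NETWORKS:
        network_risk = 0
    else:
        network_risk = 1
    # 3. Consistency of the current behaviour with the learned baseline.
    behaviour_risk = 0
    b = baselines.get(user)
    if b is None:
        behaviour_risk = 1                    # no history: nothing to compare against
    else:
        if device not in b.devices:
            behaviour_risk += 1               # device never seen for this user
        if not any(b.hours[h] for h in (hour - 1, hour, hour + 1)):
            behaviour_risk += 1               # hour far from any habitual hour
        if resource not in b.resources:
            behaviour_risk += 1               # resource never touched before
    return {"has_right": has_right, "in_window": in_window,
            "network_risk": network_risk, "behaviour_risk": behaviour_risk}


def classify(result):
    """Map the assessment result onto the user classes of claims 1 and 4 (thresholds assumed)."""
    if not result["has_right"] or result["network_risk"] >= 2:
        return "MALICIOUS"
    if not result["in_window"] or result["network_risk"] or result["behaviour_risk"]:
        return "RISK"
    return "SAFE"


def decide(request, baselines, verify):
    """Claim 4 flow: safe -> allow; risk -> step-up verification; failed or malicious -> block.
    `verify(user)` stands in for the preset verification mode and returns True on success."""
    level = classify(assess(request, baselines))
    if level == "SAFE":
        return "ALLOW"
    if level == "RISK" and verify(request[0]):
        return "ALLOW"
    return "BLOCK"


if __name__ == "__main__":
    req = ("alice", "finance", 3, "laptop-01", "cafe-wifi", "/ledger")
    print(assess(req, BASELINES), decide(req, BASELINES, lambda user: False))
```

A request that matches the policy and the learned habits is allowed without friction; a request that is merely unusual (off-hours, unknown network, unseen device or resource) triggers step-up verification and is blocked only if that fails; a request with no policy grant at all, or from a blocklisted network, is blocked directly, which is the "malicious access user" branch of claim 1. In a real deployment the thresholds would be tuned against the false-positive rate of the verification prompts, and every BLOCK decision should be logged with its assessment result so that the security management module of claim 6 can audit the policy.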
Priority Application (1)

Application Number: CN202310562283.8A (CN116566691A, en)
Priority Date: 2023-05-18
Filing Date: 2023-05-18
Title: General access control method and system based on PBAC and risk assessment

Publication (1)

Publication Number: CN116566691A
Publication Date: 2023-08-08

Family

ID=87492792

Family Application (1): CN202310562283.8A, Pending, CN116566691A (en), priority date 2023-05-18, filing date 2023-05-18, General access control method and system based on PBAC and risk assessment

Country Status (1)

CN (1) CN116566691A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination