CN117272262A - Zero trust data security operation and maintenance system and method - Google Patents
- Publication number: CN117272262A (CN202311536661.1A)
- Authority: CN (China)
- Prior art keywords: data, module, authentication, security, maintenance
- Legal status (an assumption, not a legal conclusion): Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
- G06N3/0455—Auto-encoder networks; Encoder-decoder networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/0464—Convolutional networks [CNN, ConvNet]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The invention discloses a zero-trust data security operation and maintenance system and method in the technical field of data operation and maintenance. The system comprises an access request module, a data storage module, an identity verification module, a security authentication module, an approval authorization module, a data recording module and a data refreshing module. Verification data and authentication data are generated afresh for each access, historical data are cleared and historical verification and authentication marks are erased, so that default 'trust' is broken and a zero trust management mode is strictly followed: data security is enhanced by eliminating implicit trust and enforcing strict user and device identity verification across the whole network. In addition, the double guarantee of identity verification and security authentication greatly improves the security of data operation and maintenance. Security authentication comprises terminal security authentication, link security authentication and access control security authentication, which achieves comprehensive auditing and raises the security authentication standard, thereby improving security.
Description
Technical Field
The invention relates to the technical field of data operation and maintenance, in particular to a zero-trust data security operation and maintenance system and method.
Background
Data operation and maintenance refers to a series of services performed on a user database, such as software installation, configuration optimization, backup strategy selection and implementation, data recovery, data migration, fault removal and preventive inspection. Existing data operation and maintenance usually connects directly to the database to modify data and must be carried out by professional operation and maintenance personnel, so efficiency is low; the volume of data involved is too large and the interactions between the various data are complex, so operation and maintenance is prone to error, cannot be performed accurately and efficiently, and cannot meet operation and maintenance requirements.
For example, patent document 202111433739.8 discloses a data operation and maintenance system and method that builds a data storage framework for each operation and maintenance scenario, associates the sub-nodes of the framework so that they form a complete data storage framework and, once the framework is built, imports data acquired in real time into the corresponding storage sub-nodes, so that the corresponding data can be extracted quickly and accurately from the storage sub-nodes, abnormal data can be found, and data operation and maintenance can be carried out quickly.
However, existing data operation and maintenance systems and methods similar to the above application still have the following disadvantages:
existing data operation and maintenance systems and methods form a boundary around the network, so that users and devices that have passed identity verification move through the network and reach resources easily. This implicit trust seriously undermines proper user and device identity verification and leaves obvious security holes: because user and device identity verification is not strictly applied against malicious actors, the secure operation and maintenance of the data is affected.
There is therefore an urgent need to remedy this shortcoming. The present invention addresses the deficiencies of the prior art and provides a zero trust data security operation and maintenance system and method.
Disclosure of Invention
The invention aims to provide a zero trust data security operation and maintenance system and method, which are used for solving the problems in the background technology.
In order to achieve the above purpose, the present invention provides the following technical solution: a zero trust data security operation and maintenance system comprising an access request module, a data storage module, an identity verification module, a security authentication module, an approval authorization module, a data recording module and a data refreshing module, characterized in that the access request module is connected with the identity verification module; the identity verification module is connected simultaneously with the data storage module, the security authentication module and the data refreshing module and feeds data into the security authentication module in a centralized manner; the data types recorded by the data recording module comprise verification data, authentication data, access data and operation data, the verification data and the authentication data are formatted by the data refreshing module to complete data clearing, and the access data and the operation data are stored by the data storage module into the corresponding storage nodes of the system database; the access request module is used for receiving a data access request from operation and maintenance personnel and receiving the operation application information they submit;
the data storage module is used for executing data storage operation and storing operation logic data, storage frame data, operation and maintenance control data and safe operation and maintenance data which maintain the normal operation of the system, wherein the storage frame consists of storage nodes and node association;
the identity verification module is used for verifying the identity information of the operation and maintenance personnel;
the security authentication module authenticates the operation and maintenance security based on an access trust basis provided by identity verification, and judges whether data access operation is allowed or not according to an authentication result;
the approval authorization module is used for approving operation application information submitted by operation staff and granting operation authority to user data;
the data recording module is used for recording all operations and their related data after the operation and maintenance personnel finish operation and maintenance of the database, and standardizes flow management so that, when a data security incident occurs, responsibility can be effectively traced and assigned;
and the data refreshing module is used for refreshing the identity verification module and the security authentication module and removing the historical data through formatting.
Further, the operation application information includes, but is not limited to, operation time, target data, operation objects, and operation contents.
Further, the security authentication module comprises terminal security authentication, link security authentication and access control security authentication, wherein the terminal security authentication is used for authenticating equipment trust, application trust and terminal management, the link security authentication is used for authenticating link trust and link stability, and the access control security authentication is used for authenticating identity trust, authority management and malicious blocking.
Further, the security authentication module judges whether authentication passes according to the results of the terminal security authentication, the link security authentication and the access control security authentication: if all three pass, authentication is judged to pass and the operation and maintenance personnel are allowed access; if any of them fails, authentication is judged to fail and the operation and maintenance personnel are refused access.
Furthermore, the approval authorization module automatically generates a whitelist policy after approval passes: only the specified operations may be performed, on the specified database or table, within the time window applied for by the operation and maintenance personnel; no operation that was not applied for can be executed, and the account becomes invalid when the time window expires. At the same time, in blacklist mode, the module supports approval restricted to the tables and data of sensitive objects and to sensitive SQL commands.
Further, the data types recorded by the data recording module comprise verification data, authentication data, access data and operation data, the verification data and the authentication data are formatted through the data refreshing module, data clearing work is completed, and the access data and the operation data are stored into corresponding storage nodes of the system database through the data storage module.
A zero trust data security operation and maintenance method comprises the following specific steps:
s1, an access request stage:
the operation and maintenance personnel send a data access request through the server and upload and submit operation application information, which must be filled in strictly in accordance with the standard format so that its content can be quickly identified;
s2, identity verification:
after the identity verification module receives the request, verifying the identity information of the operation and maintenance personnel according to the algorithm logic stored by the data storage module, and providing an access trust basis;
s3, a security authentication stage:
after the identity of the operation and maintenance personnel passes the authentication, the access request and the operation application information are sent to a security authentication module, terminal security authentication, link security authentication and access control security authentication are sequentially carried out, a security authentication result is obtained, and the access request can be continuously transmitted after all the authentication passes;
s4, approval authorization stage:
the operation application information submitted by the operation and maintenance personnel is approved, and the data operation authority is granted to the operation and maintenance personnel in combination with the operation application information, so that the operation and maintenance personnel can perform the appointed operation on an appointed database or table in the appointed time of the application;
s5, operation and maintenance resetting:
all operation data of the operation and maintenance personnel are recorded automatically, their access data and operation and maintenance data are stored into the corresponding storage nodes of the system database, the verification data and authentication data are formatted, historical data are cleared, and historical verification and authentication traces are erased.
Further, in step S2, a token-based algorithm is adopted for authenticating the identity information, and its authentication logic is as follows: the server verifies whether the login information entered by the operation and maintenance personnel is correct and returns a signed token; the token is stored on the client and every subsequent request adds it to a request header; the server then decodes the JWT, which consists of a header, a payload and a signature, and accepts the request if the token is valid; once the user logs off, the token is destroyed on the client, and the back-end server does not need to store the token.
Further, in the step S4, the information approval performs the tasks of text detection and text recognition through the deep learning model, and extracts the key content in the operation application information.
Further, the deep learning model comprises a perceptron model, a convolutional neural network model and a self-encoder model,
the formula of the perceptron model (not reproduced in the text) is written in terms of x, an input feature, w, the weight vector, and b, the bias;
the formulas of the convolutional neural network model include:
the convolution formula (not reproduced in the text), in which x represents an input value, ck is the convolution kernel and b is a bias term;
the pooling formulas: maximum pooling: output = max(input);
average pooling: output = sum(input) / count(input);
the formula of the self-encoder model (not reproduced in the text) is written in terms of h, the hidden layer, f, the mapping function, x, the input data, L(x, y), the reconstruction error, that is, the difference between the input data x and the output data y, min L(x, y), the objective function of the self-encoder, R(h), the regularization term, and λ, the regularization parameter.
The invention provides a zero trust data security operation and maintenance system and a method, which have the following beneficial effects:
1. The invention formats the verification data and authentication data generated by each access, clears historical data and erases historical verification and authentication traces, thereby breaking default trust and strictly following a zero trust management mode; this strengthens compliance auditing and enhances data security by eliminating implicit trust and enforcing strict user and device identity verification across the whole network. At the same time, the software is developed with reuse of each functional module in mind, which reduces the complexity of extending the system: the whole system follows a componentized design with a unified standard interface specification, so that the software can be conveniently extended and further subsystems added in future, improving the maintainability and extensibility of the product and ensuring a long service life and high performance indicators for the system built.
2. The invention greatly improves the security of data operation and maintenance through the double guarantee of identity verification and security authentication: identity verification screens out access requests carrying different identity information, which effectively reduces the burden on security authentication, and security authentication comprises terminal security authentication, link security authentication and access control security authentication, which achieves comprehensive auditing and raises the security authentication standard, thereby improving security. In the design of the deep learning algorithm made up of the perceptron model, the convolutional neural network model and the self-encoder model, the initial weights and thresholds of the whole recognition module are encoded and multi-dimensional data are mapped into a lower-dimensional data space, which ensures adaptive normalization of the subsequent feature data and reduces the complexity of extending the system; by setting thresholds for the different submodules, momentum factors are introduced to overcome the slow convergence and tendency to fall into local optima of the traditional algorithm; and the entire system can transition smoothly into the new system after an upgrade.
Drawings
FIG. 1 is a schematic diagram of an overall architecture of a zero trust data security operation and maintenance system according to the present invention;
FIG. 2 is a schematic diagram of a data storage module of a zero trust data security operation and maintenance system according to the present invention;
FIG. 3 is a schematic diagram of a security authentication module of the zero trust data security operation and maintenance system according to the present invention;
FIG. 4 is a schematic diagram of a data recording module of a zero trust data security operation and maintenance system according to the present invention;
FIG. 5 is a schematic diagram of the overall operation flow of a zero trust data security operation and maintenance method according to the present invention.
Detailed Description
Embodiments of the present invention are described in further detail below with reference to the accompanying drawings and examples. The following examples are illustrative of the invention but are not intended to limit the scope of the invention.
As shown in FIGS. 1-4, a zero trust data security operation and maintenance system comprises an access request module, a data storage module, an identity verification module, a security authentication module, an approval authorization module, a data recording module and a data refreshing module, and is characterized in that the access request module is connected with the identity verification module; the identity verification module is connected simultaneously with the data storage module, the security authentication module and the data refreshing module and feeds data into the security authentication module in a centralized manner; the data types recorded by the data recording module comprise verification data, authentication data, access data and operation data, the verification data and the authentication data are formatted by the data refreshing module to complete data clearing, and the access data and the operation data are stored by the data storage module into the corresponding storage nodes of the system database;
the access request module is used for receiving a data access request of an operation and maintenance person and receiving operation application information submitted by the operation and maintenance person; the operation application information comprises, but is not limited to, operation time, target data, operation objects and operation content;
the data storage module is used for executing data storage operation and storing operation logic data, storage frame data, operation and maintenance control data and safety operation and maintenance data for maintaining the normal operation of the system, wherein the storage frame consists of storage nodes and node association;
the identity verification module is used for verifying the identity information of the operation and maintenance personnel;
the security authentication module authenticates the operation and maintenance security based on an access trust basis provided by identity verification, and judges whether data access operation is allowed or not according to an authentication result;
the security authentication module comprises terminal security authentication, link security authentication and access control security authentication, wherein the terminal security authentication is used for authenticating equipment credibility, application credibility and terminal management, the link security authentication is used for authenticating link credibility and link stability, and the access control security authentication is used for authenticating identity credibility, authority management and malicious blocking;
the security authentication module judges whether authentication passes according to the results of the terminal security authentication, the link security authentication and the access control security authentication: if all three pass, authentication is judged to pass and the operation and maintenance personnel are allowed access; if any of them fails, authentication is judged to fail and the operation and maintenance personnel are refused access;
the approval authorization module is used for approving the operation application information submitted by the operation staff and granting the user data operation authority;
the approval authorization module automatically generates a whitelist policy after approval passes: only the specified operations may be performed, on the specified database or table, within the time window applied for by the operation and maintenance personnel; no operation that was not applied for can be executed, and the account becomes invalid when the time window expires; at the same time, in blacklist mode, the module supports approval restricted to the tables and data of sensitive objects and to sensitive SQL commands;
the data recording module is used for recording all operations and their related data after the operation and maintenance personnel finish operation and maintenance of the database, and standardizes flow management so that, when a data security incident occurs, responsibility can be effectively traced and assigned;
the data types recorded by the data recording module comprise verification data, authentication data, access data and operation data, the verification data and the authentication data are formatted through the data refreshing module, the data clearing work is completed, and the access data and the operation data are stored into corresponding storage nodes of the system database through the data storage module;
and the data refreshing module is used for refreshing the identity verification module and the security authentication module and removing the historical data through formatting.
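As an added illustration (not code from the patent), the following Python sketch implements the decision logic described for the security authentication module and the approval authorization module, both in the disclosure above and in this detailed description: the three sub-authentications must all pass, and the whitelist policy generated after approval permits only the applied-for operations on the applied-for database and table inside the applied-for time window, with sensitive SQL commands refused unless separately approved in blacklist mode. The flag names, the sensitive-command pattern and the sample scenario are assumptions made for the example.

```python
# Added example, not the patent's own code. Field names, the sensitive-SQL
# pattern and every sample value below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple
import re


@dataclass(frozen=True)
class AuthContext:
    """Signals for a request whose identity was already verified (stage S2).
    Each flag is an assumed input of one of the three sub-authentications."""
    device_trusted: bool      # terminal: equipment credibility
    app_trusted: bool         # terminal: application credibility
    terminal_managed: bool    # terminal: under terminal management
    link_trusted: bool        # link: link credibility
    link_stable: bool         # link: link stability
    identity_trusted: bool    # access control: identity credibility
    blocked: bool             # access control: malicious-blocking hit


def terminal_auth(c: AuthContext) -> bool:
    return c.device_trusted and c.app_trusted and c.terminal_managed


def link_auth(c: AuthContext) -> bool:
    return c.link_trusted and c.link_stable


def access_control_auth(c: AuthContext) -> bool:
    return c.identity_trusted and not c.blocked


def security_authentication(c: AuthContext) -> bool:
    """Stage S3: access is allowed only if every sub-authentication passes."""
    return all(check(c) for check in (terminal_auth, link_auth, access_control_auth))


@dataclass(frozen=True)
class WhitelistPolicy:
    """Stage S4 output: only the applied-for operations, on the applied-for
    database/table, inside the applied-for time window."""
    operator: str
    database: str
    table: str
    operations: frozenset     # e.g. frozenset({"SELECT", "UPDATE"})
    not_before: datetime
    not_after: datetime


# Sensitive SQL commands needing separate blacklist-mode approval (assumed list).
SENSITIVE_SQL = re.compile(r"^\s*(DROP|TRUNCATE|ALTER|GRANT|REVOKE)\b", re.IGNORECASE)


def policy_decision(policy: WhitelistPolicy, operator: str, operation: str,
                    database: str, table: str, sql: str, now: datetime,
                    sensitive_approved: bool = False) -> Tuple[bool, str]:
    """Return (allowed, reason). Default is deny; every clause must match."""
    if operator != policy.operator:
        return False, "policy belongs to a different operator"
    if not (policy.not_before <= now <= policy.not_after):
        return False, "outside approved time window; authorization has expired"
    if (database, table) != (policy.database, policy.table):
        return False, "target database/table was not applied for"
    if operation.upper() not in policy.operations:
        return False, "operation was not applied for"
    if SENSITIVE_SQL.match(sql) and not sensitive_approved:
        return False, "sensitive SQL command requires blacklist-mode approval"
    return True, "allowed"


def demo() -> List[bool]:
    """Constructed scenario: a one-hour approval window starting at t0."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    policy = WhitelistPolicy("ops_admin", "inventory", "hosts",
                             frozenset({"SELECT", "UPDATE"}),
                             t0, t0 + timedelta(hours=1))
    ctx_ok = AuthContext(True, True, True, True, True, True, False)
    ctx_blocked = AuthContext(True, True, True, True, True, True, True)
    return [
        security_authentication(ctx_ok),
        security_authentication(ctx_blocked),
        policy_decision(policy, "ops_admin", "update", "inventory", "hosts",
                        "UPDATE hosts SET owner='x'", t0 + timedelta(minutes=10))[0],
        policy_decision(policy, "ops_admin", "delete", "inventory", "hosts",
                        "DELETE FROM hosts", t0 + timedelta(minutes=10))[0],
        policy_decision(policy, "ops_admin", "update", "inventory", "hosts",
                        "UPDATE hosts SET owner='x'", t0 + timedelta(hours=2))[0],
        policy_decision(policy, "ops_admin", "select", "inventory", "hosts",
                        "DROP TABLE hosts", t0)[0],
    ]


if __name__ == "__main__":
    print(demo())  # [True, False, True, False, False, False]
```

The policy check deliberately compares the declared operation, database and table rather than parsing the SQL itself; in a real gateway those declared fields would have to be reconciled with the statement actually submitted, which is outside the scope of this sketch.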
As shown in fig. 5, a method for operating and maintaining zero trust data security includes the following specific steps:
s1, an access request stage:
the operation and maintenance personnel send a data access request through the server and upload and submit operation application information, which must be filled in strictly in accordance with the standard format so that its content can be quickly identified;
s2, identity verification:
after the identity verification module receives the request, verifying the identity information of the operation and maintenance personnel according to the algorithm logic stored by the data storage module, and providing an access trust basis;
s3, a security authentication stage:
after the identity of the operation and maintenance personnel passes the authentication, the access request and the operation application information are sent to a security authentication module, terminal security authentication, link security authentication and access control security authentication are sequentially carried out, a security authentication result is obtained, and the access request can be continuously transmitted after all the authentication passes;
s4, approval authorization stage:
the operation application information submitted by the operation and maintenance personnel is approved, and the data operation authority is granted to the operation and maintenance personnel in combination with the operation application information, so that the operation and maintenance personnel can perform the appointed operation on an appointed database or table in the appointed time of the application;
s5, operation and maintenance resetting:
all operation data of the operation and maintenance personnel are recorded automatically, their access data and operation and maintenance data are stored into the corresponding storage nodes of the system database, the verification data and authentication data are formatted, historical data are cleared, and historical verification and authentication traces are erased;
in step S2, a token-based algorithm is adopted for authenticating the identity information, and its authentication logic is as follows: the server verifies whether the login information entered by the operation and maintenance personnel is correct and returns a signed token; the token is stored on the client and every subsequent request adds it to a request header; the server then decodes the JWT, which consists of a header, a payload and a signature, and accepts the request if the token is valid; once the user logs off, the token is destroyed on the client, and the back-end server does not need to store the token;
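As an added example (not the patent's own code), the token flow of step S2, as described both in the disclosure and here: the server checks the login, returns a signed JWT made of header, payload and signature, the client presents it in a request header, and the server validates signature and expiry without storing anything. It uses HS256 from the Python standard library; the signing secret, salt, credential store, token lifetime and all sample values are constructed for illustration.

```python
# Added example, not the patent's own code. Secret, salt, credentials and
# token lifetime are constructed placeholders, not values from the patent.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-server-signing-secret"   # would come from a key store
SALT = b"constructed-salt"
TOKEN_TTL = 900                                 # seconds; assumed lifetime


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash_password(password: str) -> bytes:
    # Slow hash for the credential store; a plain digest is not suitable here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed credential store: username -> PBKDF2 hash.
CREDENTIALS = {"ops_admin": _hash_password("constructed-password")}


def issue_token(subject: str, now: int) -> str:
    """Build header.payload.signature and sign it with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + TOKEN_TTL}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(token: str, now: int):
    """Return the payload if the token is well formed, correctly signed and
    unexpired; otherwise None. Nothing is looked up server-side."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None                           # refuse alg=none / confusion
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
    except ValueError:                            # malformed base64 or JSON
        return None
    if not isinstance(payload, dict):
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


def login(username: str, password: str, now: int):
    """Server side of login: check credentials, return a signed token or None."""
    stored = CREDENTIALS.get(username)
    candidate = _hash_password(password)          # always hash, to keep timing uniform
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    return issue_token(username, now)


def handle_request(headers: dict, now: int) -> int:
    """Server side of a later request: accept only a valid bearer token."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    return 200 if verify_token(auth[len("Bearer "):], now) else 401


if __name__ == "__main__":
    t = int(time.time())
    tok = login("ops_admin", "constructed-password", t)
    print(handle_request({"Authorization": f"Bearer {tok}"}, t + 60))    # 200
    print(handle_request({"Authorization": f"Bearer {tok}"}, t + 9999))  # 401
    # Logout is purely client-side: the client deletes tok and the server
    # has kept no state that needs clearing.
```

Because the server keeps no token state, a token cannot be revoked before its expiry; keeping the lifetime short, as the constructed TOKEN_TTL does, is what bounds that window.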
in step S4, the information approval executes text detection and text recognition tasks through the deep learning model, and key contents in the operation application information are extracted;
the deep learning model includes a perceptron model, a convolutional neural network model and a self-encoder model,
the formula of the perceptron model (not reproduced in the text) is written in terms of x, an input feature, w, the weight vector, and b, the bias;
the formulas of the convolutional neural network model include:
the convolution formula (not reproduced in the text), in which x represents an input value, ck is the convolution kernel and b is a bias term;
the pooling formulas: maximum pooling: output = max(input);
average pooling: output = sum(input) / count(input);
the formula of the self-encoder model (not reproduced in the text) is written in terms of h, the hidden layer, f, the mapping function, x, the input data, L(x, y), the reconstruction error, that is, the difference between the input data x and the output data y, min L(x, y), the objective function of the self-encoder, R(h), the regularization term, and λ, the regularization parameter. By setting thresholds for the different submodules, momentum factors are introduced to overcome the slow convergence and tendency to fall into local optima of the traditional algorithm; the entire system can transition smoothly into the new system after an upgrade.
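The following Python is an added worked version of the formulas listed above (in both the disclosure and the detailed description), not code from the patent: the perceptron step over x, w and b, the convolution of x with kernel ck plus bias b, the two pooling rules exactly as stated, and the self-encoder objective L(x, y) + λR(h) with h = f(x). Since the patent's formulas are not reproduced in the text, the concrete forms chosen (step activation, valid 1-D cross-correlation, squared-error L and squared-norm R) are assumptions.

```python
# Added example, not the patent's own code. The activation, convolution
# variant, loss and regularizer are assumed standard forms.
from typing import Callable, List, Sequence


def perceptron(x: Sequence[float], w: Sequence[float], b: float) -> int:
    """Perceptron: 1 if w.x + b >= 0 else 0 (assumed step activation)."""
    s = sum(wi * xi for wi, xi in zip(w, x)) + b
    return 1 if s >= 0 else 0


def conv1d(x: Sequence[float], ck: Sequence[float], b: float) -> List[float]:
    """Valid 1-D convolution: slide kernel ck over input x and add bias b."""
    k = len(ck)
    return [sum(x[i + j] * ck[j] for j in range(k)) + b
            for i in range(len(x) - k + 1)]


def max_pool(x: Sequence[float], size: int) -> List[float]:
    """Maximum pooling: output = max(input) over each window of `size`."""
    return [max(x[i:i + size]) for i in range(0, len(x), size)]


def avg_pool(x: Sequence[float], size: int) -> List[float]:
    """Average pooling: output = sum(input) / count(input) over each window."""
    windows = [x[i:i + size] for i in range(0, len(x), size)]
    return [sum(w) / len(w) for w in windows]


def autoencoder_objective(x: Sequence[float],
                          f: Callable[[Sequence[float]], Sequence[float]],
                          g: Callable[[Sequence[float]], Sequence[float]],
                          lam: float) -> float:
    """L(x, y) + lambda * R(h), with h = f(x) (encoder) and y = g(h) (decoder).
    L is squared reconstruction error and R(h) the squared norm of h."""
    h = f(x)
    y = g(h)
    loss = sum((xi - yi) ** 2 for xi, yi in zip(x, y))
    reg = sum(v * v for v in h)
    return loss + lam * reg


if __name__ == "__main__":
    # Constructed inputs: an AND gate, an edge-detecting kernel, a toy encoder.
    print(perceptron([1, 1], [1, 1], -1.5), perceptron([0, 1], [1, 1], -1.5))
    print(conv1d([1, 2, 3, 4, 5], [1, 0, -1], 0))
    print(max_pool([1, 3, 2, 5, 4, 6], 2), avg_pool([1, 3, 2, 5, 4, 6], 2))
    print(autoencoder_objective([2, 4], lambda v: [(v[0] + v[1]) / 2],
                                lambda h: [h[0], h[0]], 0.1))
```

The toy encoder above compresses two inputs into one hidden value and the decoder copies it back, so the objective shows both terms: a reconstruction error of 2 and a regularization term of 9 scaled by λ = 0.1.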
In summary, as shown in FIGS. 1-5, the working principle of the zero trust data security operation and maintenance system and method is as follows:
the access request module is used for receiving a data access request of an operation and maintenance person and receiving operation application information submitted by the operation and maintenance person; the operation application information comprises, but is not limited to, operation time, target data, operation objects and operation contents;
the data storage module is used for executing data storage operation and storing operation logic data, storage frame data, operation and maintenance control data and safety operation and maintenance data for maintaining the normal operation of the system, wherein the storage frame consists of storage nodes and node association;
the identity verification module is used for verifying the identity information of the operation and maintenance personnel;
the security authentication module authenticates the operation and maintenance security on the basis of the access trust provided by identity verification, and judges whether the data access operation is allowed according to the authentication result; the security authentication module comprises terminal security authentication, link security authentication and access control security authentication, wherein the terminal security authentication authenticates equipment credibility, application credibility and terminal management, the link security authentication authenticates link credibility and link stability, and the access control security authentication authenticates identity credibility, authority management and malicious blocking; the security authentication module judges whether the authentication passes according to the results of the terminal security authentication, the link security authentication and the access control security authentication: if all three pass, the authentication is judged to pass and the operation and maintenance personnel are allowed access; if any of them does not pass, the authentication is judged to fail and the operation and maintenance personnel are refused access;
the approval authorization module is used for approving the operation application information submitted by the operation staff and granting the user data operation authority; after approval passes, the approval authorization module automatically generates a whitelist policy under which only the specified operation may be performed on the specified database or table at the specified time applied for by the operation and maintenance personnel, any operation not applied for cannot be executed, and the account becomes invalid on timeout; meanwhile, in blacklist mode, approval is performed only for the tables and data of sensitive objects and for sensitive SQL commands;
the data recording module is used for recording all operations and their related data after the operation and maintenance personnel finish operation and maintenance operations on the database, and standardizes flow management so that when a data security incident occurs, responsibility can be effectively traced and determined; the data types recorded by the data recording module comprise verification data, authentication data, access data and operation data; the verification data and the authentication data are formatted through the data refreshing module, which completes the data clearing work, and the access data and the operation data are stored into the corresponding storage nodes of the system database through the data storage module;
and the data refreshing module is used for refreshing the identity verification module and the security authentication module and removing historical data by formatting. Meanwhile, in the development of the software system, the reuse of each functional module is considered so as to reduce the complexity of system expansion; a componentized design concept is adopted throughout the system, and by using a unified standard interface specification the software system can be conveniently expanded and other subsystems added in the future, which improves the maintainability and expandability of the product and ensures that the built system has a long service cycle and high performance indexes.
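The decision logic of the security authentication, approval authorization and data recording modules above, as an added example that is not the patent's code. It models the gate that requires terminal, link and access-control authentication to all pass; the whitelist policy generated from an approved application (only the applied-for operation on the applied-for database or table within the applied-for time window, nothing else, and nothing after the approval has timed out); the blacklist mode in which only sensitive objects and sensitive SQL commands need approval; and an audit record of every decision. The field names, the sensitive-object lists and the sample application are constructed for the example.

```python
"""Security authentication gate, whitelist policy and audit record.

Added example, not the patent's own code. Field names, sensitive lists and
the sample application are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed blacklist of sensitive objects and SQL commands.
SENSITIVE_TABLES = {"users", "credentials"}
SENSITIVE_COMMANDS = {"DROP", "TRUNCATE", "DELETE", "GRANT"}


def security_authentication(terminal_ok: bool, link_ok: bool, access_ok: bool) -> bool:
    """All three authentications must pass; any single failure refuses access."""
    return terminal_ok and link_ok and access_ok


@dataclass(frozen=True)
class WhitelistPolicy:
    operator: str
    database: str
    table: str
    operations: frozenset  # approved SQL commands, upper-case
    start: datetime
    end: datetime


@dataclass(frozen=True)
class OperationRequest:
    operator: str
    database: str
    table: str
    command: str
    at: datetime


@dataclass
class AuditRecord:
    request: OperationRequest
    allowed: bool
    reason: str


def at(hour: int, minute: int = 0) -> datetime:
    """Constructed clock for the example: a time on the sample day."""
    return datetime(2023, 11, 17, hour, minute)


# Constructed operation application: time, target data, object and content.
SAMPLE_APPLICATION: Dict = {
    "operator": "alice", "database": "billing", "table": "invoices",
    "operations": ["select", "update"], "start": at(9), "duration_minutes": 120,
}


def generate_whitelist(application: Dict) -> WhitelistPolicy:
    """Approval passed: turn the operation application into a whitelist policy."""
    start = application["start"]
    return WhitelistPolicy(
        operator=application["operator"],
        database=application["database"],
        table=application["table"],
        operations=frozenset(op.upper() for op in application["operations"]),
        start=start,
        end=start + timedelta(minutes=application["duration_minutes"]),
    )


def matches_policy(policy: WhitelistPolicy, req: OperationRequest) -> Tuple[bool, str]:
    """Check the request against one approved application; explain any refusal."""
    if req.operator != policy.operator:
        return False, "operator is not the applicant"
    if req.at > policy.end:
        return False, "approval expired"
    if req.at < policy.start:
        return False, "outside applied-for time window"
    if (req.database, req.table) != (policy.database, policy.table):
        return False, "target not applied for"
    if req.command.upper() not in policy.operations:
        return False, "operation not applied for"
    return True, "matches whitelist"


def is_sensitive(req: OperationRequest) -> bool:
    return req.table in SENSITIVE_TABLES or req.command.upper() in SENSITIVE_COMMANDS


def authorize(req: OperationRequest, policies: List[WhitelistPolicy],
              mode: str, audit: List[AuditRecord]) -> bool:
    """Decide under 'whitelist' or 'blacklist' mode and append an audit record."""
    if mode == "blacklist" and not is_sensitive(req):
        allowed, reason = True, "not a sensitive object or command"
    else:
        # Whitelist mode, or a sensitive request in blacklist mode: an
        # approved application must cover the request exactly.
        allowed, reason = False, "no approved application covers this request"
        for policy in policies:
            ok, why = matches_policy(policy, req)
            reason = why
            if ok:
                allowed = True
                break
    audit.append(AuditRecord(req, allowed, reason))
    return allowed
```

The audit list is the data recording module's input: every decision, allowed or refused, lands there with the reason, so a later incident can be traced back to the request, the applicant and the policy that governed it.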
The initial weights and thresholds of the integral identification module are encoded, and multidimensional data are mapped to a lower-dimensional data space, which ensures adaptive normalization of the subsequent feature data and reduces the complexity of system expansion; by setting thresholds for the different submodules and introducing momentum factors, the problems of slow convergence and easily falling into local optima in the traditional algorithm are solved; the entire system can smoothly transition into the new system after an upgrade.
The embodiments of the invention have been presented for purposes of illustration and description, and are not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.
Claims (10)
1. The zero trust data security operation and maintenance system comprises an access request module, a data storage module, an identity verification module, a security authentication module, an approval authorization module, a data recording module and a data refreshing module, and is characterized in that the access request module is connected with the identity verification module, the identity verification module is simultaneously connected with the data storage module, the security authentication module and the data refreshing module and inputs data into the security authentication module in a centralized manner, the data types recorded by the data recording module comprise verification data, authentication data, access data and operation and maintenance data, the verification data and the authentication data are formatted through the data refreshing module, data clearing work is completed, and the access data and the operation and maintenance data are stored into corresponding storage nodes of a system database through the data storage module.
2. The zero trust data security operation and maintenance system of claim 1, comprising:
the access request module is used for receiving a data access request of an operation and maintenance person and receiving operation application information submitted by the operation and maintenance person;
the data storage module is used for executing data storage operation and storing operation logic data, storage frame data, operation and maintenance control data and safe operation and maintenance data which maintain the normal operation of the system, wherein the storage frame consists of storage nodes and node association;
the identity verification module is used for verifying the identity information of the operation and maintenance personnel;
the security authentication module authenticates the operation and maintenance security based on an access trust basis provided by identity verification, and judges whether data access operation is allowed or not according to an authentication result;
the approval authorization module is used for approving operation application information submitted by operation staff and granting operation authority to user data;
the data recording module is used for recording all operations and their related data after the operation and maintenance personnel finish operation and maintenance of the database, and standardizes flow management so that when a data security incident occurs, responsibility can be effectively traced and determined;
and the data refreshing module is used for refreshing the identity verification module and the security authentication module and removing the historical data through formatting.
3. The zero trust data security operation and maintenance system of claim 1, wherein the security authentication module comprises a terminal security authentication, a link security authentication and an access control security authentication, and wherein the terminal security authentication is used to authenticate device trust, application trust and terminal management, and the link security authentication is used to authenticate link trust and link stability, and the access control security authentication is used to authenticate identity trust, rights management and malicious blocking.
4. A zero trust data security operation and maintenance system according to claim 3, wherein the security authentication module judges whether the authentication is passed or not based on the terminal security authentication, the link security authentication and the access control security authentication, if the terminal security authentication, the link security authentication and the access control security authentication are all passed, the authentication is judged to be passed, and the operation and maintenance personnel is allowed to access, and if the authentication is not passed, the authentication is judged to be failed, and the operation and maintenance personnel is refused to access.
5. The system according to claim 1, wherein the approval authorization module automatically generates a whitelist policy after approval, under which only the specified operation on the specified database or table at the specified time applied for by the operator is performed, any operation not applied for cannot be performed, and the account becomes invalid on timeout; the module also supports approving only the tables and data of sensitive objects and sensitive SQL commands in a blacklist manner.
6. The zero trust data security operation and maintenance system according to claim 2, wherein the operation application information includes, but is not limited to, operation time, target data, operation object, and operation content.
7. The zero trust data security operation and maintenance method is characterized by comprising the following specific steps:
s1, an access request stage:
the operation and maintenance personnel send a data access request through the server, upload and submit operation application information, and the operation application information is required to be filled in strictly according with standard format requirements so as to quickly identify the content of the operation application information;
s2, identity verification:
after the identity verification module receives the request, verifying the identity information of the operation and maintenance personnel according to the algorithm logic stored by the data storage module, and providing an access trust basis;
s3, a security authentication stage:
after the identity of the operation and maintenance personnel passes the authentication, the access request and the operation application information are sent to a security authentication module, terminal security authentication, link security authentication and access control security authentication are sequentially carried out, a security authentication result is obtained, and the access request can be continuously transmitted after all the authentication passes;
s4, approval authorization stage:
the operation application information submitted by the operation and maintenance personnel is approved, and the data operation authority is granted to the operation and maintenance personnel in combination with the operation application information, so that the operation and maintenance personnel can perform the appointed operation on an appointed database or table in the appointed time of the application;
s5, operation and maintenance resetting:
all operation data of the operation and maintenance personnel are automatically recorded, the access data and operation and maintenance data of the operation and maintenance personnel are stored into the corresponding storage nodes of the system database, the verification data and authentication data are formatted, the historical data are cleared, and the historical verification and authentication traces are erased.
8. The method according to claim 7, wherein in step S2 a token algorithm is used for authentication of the identity information, and the token algorithm has the following authentication logic: the server verifies whether the login information entered by the operation and maintenance personnel is correct and returns a signed token; the token is stored in the client, and all subsequent requests add the token to the request header; the server then decodes the JWT composed of the header, the payload and the signature, and if the token is valid the request is accepted; once the user logs off, the token is destroyed at the client, and the back-end server does not need to store the token.
9. The method according to claim 7, wherein in step S4, the information approval performs text detection and text recognition tasks through a deep learning model, and extracts key contents in the operation application information.
10. The method of claim 9, wherein the deep learning model comprises a perceptron model, a convolutional neural network model, and a self-encoder model,
the formula of the perceptron model is: [formula not reproduced in the extracted text]; wherein x represents an input feature, w is a weight vector, and b is a bias;
the formulas of the convolutional neural network model include: convolution formula: [formula not reproduced in the extracted text]; wherein x represents an input value, ck is a convolution kernel, and b is a bias term;
pooling formulas: maximum pooling: output = max(input);
average pooling: output = sum(input) / count(input);
the formula of the autoencoder model is: [formula not reproduced in the extracted text]; wherein h represents the hidden layer, f represents the mapping function, x represents the input data, L(x, y) represents the reconstruction error, that is, the difference between the input data x and the output data y, min L(x, y) represents the objective function of the autoencoder, R(h) represents a regularization term, and λ represents the regularization parameter.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311536661.1A CN117272262A (en) | 2023-11-17 | 2023-11-17 | Zero trust data security operation and maintenance system and method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117272262A true CN117272262A (en) | 2023-12-22 |
Family
ID=89204862
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311536661.1A Pending CN117272262A (en) | 2023-11-17 | 2023-11-17 | Zero trust data security operation and maintenance system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117272262A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6055637A (en) * | 1996-09-27 | 2000-04-25 | Electronic Data Systems Corporation | System and method for accessing enterprise-wide resources by presenting to the resource a temporary credential |
CN112165461A (en) * | 2020-09-10 | 2021-01-01 | 杭州安恒信息技术股份有限公司 | Zero-trust dynamic authorization method and device and computer equipment |
CN114615328A (en) * | 2022-01-26 | 2022-06-10 | 北京美亚柏科网络安全科技有限公司 | Safety access control system and method |
CN115695218A (en) * | 2022-09-26 | 2023-02-03 | 中国电信股份有限公司 | Operation and maintenance management method and device based on zero trust mechanism and related equipment |
CN116545731A (en) * | 2023-05-29 | 2023-08-04 | 中科天御(苏州)科技有限公司 | Zero-trust network access control method and system based on time window dynamic switching |
WO2023159994A1 (en) * | 2022-02-28 | 2023-08-31 | 华为技术有限公司 | Operation and maintenance processing method, and terminal device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110598376B (en) | Copyright authentication method, device and equipment based on block chain and storage medium | |
US8955040B2 (en) | Provisioning authorization claims using attribute-based access-control policies | |
US7690032B1 (en) | Method and system for confirming the identity of a user | |
US11899808B2 (en) | Machine learning for identity access management | |
US9823639B2 (en) | Control program management system and method for changing control program | |
CN110910555A (en) | Safety management method for intelligent operation ticket | |
US10726141B2 (en) | Dynamically constructed capability for enforcing object access order | |
CN104683362A (en) | Access control system and access control method of fine-grained privacy security | |
CN115146598B (en) | File collaborative editing method and device, network disk and storage medium | |
CN115086075A (en) | Mandatory access control method and device with credible behaviors | |
CN104079569A (en) | BLP improved model integrated with credibility level and authentication access method | |
CN111597269A (en) | Block chain-based contract implementation method, device and equipment | |
CN117272262A (en) | Zero trust data security operation and maintenance system and method | |
EP2254093A1 (en) | Method and system for confirming the identity of a user background of the invention | |
Huai et al. | Construction of Social Security Fund Cloud Audit Platform Based on Fuzzy Data Mining Algorithm | |
CN112733165B (en) | File access control method, device and medium | |
CN111083118B (en) | Network security protection system, device and method for cloud service of power system | |
CN116167025A (en) | Multi-factor user identity dynamic authentication system and method thereof | |
TWI688872B (en) | System and method for voice control iot device | |
Bonatti et al. | Comparing rule-based policies | |
CN111563269A (en) | Sensitive data security protection method and system based on shadow system | |
CN109948360B (en) | Multi-control-domain security kernel construction method and system for complex scene | |
CN112163234B (en) | SQL authority control method based on service system database | |
Zhou | Industrial internet sensor node construction and system construction based on blockchain technology | |
KR20230027789A (en) | MSA Framework Module Converging Virtual OPC And Messaging Event Processing Technology |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||