WO2021114582A1 - Endogenous security user access authentication management system and method - Google Patents


Info

Publication number
WO2021114582A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2020/094473
Other languages
French (fr)
Chinese (zh)
Inventor
冯海生
谢光伟
周世通
刘斌
Original Assignee
南京红阵网络安全技术研究院有限公司

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • This embodiment provides an endogenously secure user access authentication management system which includes an input message discrimination distributor, a mimic input agent and distributor, a set of mimic arbitration function executors, a non-mimic arbitration function executor, a mimic arbitration module, a mimic output agent module, an output message combiner and a negative feedback controller.
  • The set of mimic arbitration function executors includes multiple functionally equivalent, heterogeneous access authentication management system executors (access authentication management system executor 1, executor 2, ..., executor N in the figure).
  • The input message discrimination distributor is used to discriminate the message type of the received input stimulus information to decide whether mimic arbitration is required.
  • When the input stimulus information is a message that does not require mimic arbitration, it is sent directly to the non-mimic arbitration function executor for processing; when it is a message that requires mimic arbitration, it is sent to the mimic input agent and distributor.
  • The mimic input agent and distributor is used to copy and distribute the input to the designated access authentication management system executors according to the distribution strategy.
  • The designated access authentication management system executors are used to perform processing operations in parallel and output their execution results to the mimic arbitration module.
  • The mimic arbitration module is used to run a credible result discrimination algorithm over the individual execution results to compute a credible output, and to send the credible output to the mimic output agent module.
  • The output message combiner is used to receive the credible output sent by the mimic output agent module, or the output of the non-mimic arbitration function executor, and to issue the external output response.
  • The mimic arbitration module is also used to send the mimic arbitration result to the negative feedback controller and, when a credible output is found to be an untrusted computation result, to report the corresponding event to the negative feedback controller for alarm handling.
  • The negative feedback controller is used to record and collect statistics on mimic arbitration results and, according to the control parameters and arbitration parameters set by the user, to decide the dynamic scheduling of the access authentication management system executors, performing shutdown, reorganization, reconfiguration and initialization operations on them.
  • In the first deployment form, part of the BRAS control system's functions is retained in the non-mimic arbitration function set of the access authentication management system and is not placed under mimic control, while the other part is deployed within the framework of mimic technology.
  • Input stimuli enter the "input message discrimination distributor". If the corresponding message does not require mimic arbitration, it enters the "access authentication management system non-mimic arbitration function executor" for processing and, once processed, is output through the "output message combiner". The other part of the functions uses mimic arbitration: the message is distributed through the "mimic input agent and distributor" to multiple functionally equivalent, heterogeneous "access authentication management system executors" for parallel processing; the "mimic arbitration" module collects the executors' results and, after arbitration, passes the result to the "mimic output agent" module, and finally it is output through the "output message combiner".
  • In the other deployment form, the BRAS functions are implemented using mimic technology. That is, the "input message discrimination distributor" switches the input stimulus directly to the "mimic input agent and distributor", which distributes it to multiple functionally equivalent, heterogeneous "access authentication management system executors" for parallel processing.
  • The mimic arbitration module collects the executors' results, passes the arbitrated result to the mimic output agent module, and finally it is output through the "output message combiner".
  • This embodiment provides an endogenously secure user access authentication management method, which includes the following steps:
  • S1. The input message discrimination distributor discriminates the message type of the received input stimulus information to decide whether mimic arbitration is required; if the input stimulus information is a message that does not require mimic arbitration, go to step S6; if it is a message that requires mimic arbitration, go to step S2;
  • S2. The input stimulus information is sent to the mimic input agent and distributor, which copies and distributes it to the designated access authentication management system executors according to the distribution strategy;
  • S3. The designated access authentication management system executors perform processing operations in parallel and output their execution results to the mimic arbitration module;
  • S4. The mimic arbitration module runs the credible result discrimination algorithm over the individual execution results to compute the credible output and sends it to the mimic output agent module;
  • S5. The mimic output agent module sends the credible output to the output message combiner; go to step S7;
  • S6. The input stimulus information is sent directly to the non-mimic arbitration function executor for processing; go to step S7;
  • S7. The message combiner receives the credible output sent by the mimic output agent module, or the output of the non-mimic arbitration function executor, and issues the external output response.
  • The input stimulus is first classified by message type in the "input message discrimination distributor" to decide whether mimic arbitration is required.
  • Access authentication management system executors 1, 2, ..., k are functionally equivalent, heterogeneous executors.
  • The heterogeneity can be at multiple levels: CPU instruction set heterogeneity (x86, ARM, PPC), operating system heterogeneity (Windows, Ubuntu, CentOS, etc.), or heterogeneity of programming languages and compilers.
  • The results are output to the "mimic arbitration" module, which runs the credible result discrimination algorithm (the specific algorithm may differ between implementations: for example, a different weight can be assigned to each control system and the results weighted accordingly, or the simple principle that the minority yields to the majority can be used); from the output results of each executor, the discrimination algorithm computes the credible output.
  • The mimic arbitration module sends the credible output to the "mimic output agent" module, and the output agent sends it to the "output message combiner" for the external output response.
  • The "mimic arbitration" module sends the mimic arbitration result to the "negative feedback controller". If an untrusted computation result is found, the corresponding event (the control system concerned, the message information, etc.) is reported to the "negative feedback controller" for alarm handling.
  • The "negative feedback controller" records and collects statistics on mimic arbitration results and, according to the control parameters and arbitration parameters set by the user, decides the dynamic scheduling of the executors, performing operations such as shutdown, reorganization, reconfiguration and initialization on them.
  • Heterogeneity: different types of heterogeneous software and hardware are deployed at different levels.
  • Redundancy: for the same request, multiple different software and hardware execute the request at the same time and the results are voted on, achieving redundant operation.
  • Dynamics: according to a scheduling strategy or feedback from threat perception, the heterogeneous executors in the current service set are replaced over time, increasing the uncertainty of the system's operating scenario.
  • By adopting the principle of mimic technology, the invention gives the user access authentication management system an endogenous security mechanism and reduces or even eliminates the fragility and vulnerability to attack of the overall system caused by network security threats such as vulnerabilities and backdoors.
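The arbitration path described in the embodiment above (discrimination distributor, distribution to heterogeneous executors, weighted or majority credible-result discrimination, and the negative feedback controller that alarms and schedules executors for reconfiguration), as an added Python model that is not the patent's own code. The executor implementations, the subscriber table, the message types and the mismatch threshold are constructed assumptions for the demonstration.

```python
"""Model of the mimic (DHR) arbitration path for BRAS access authentication.
Added example, not code from the patent: executors, subscriber table, message
types and the mismatch threshold are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass, field

# Assumption: which message types take the mimic path is an implementer's
# policy; here only PPPoE authentication requests are arbitrated.
MIMIC_MESSAGE_TYPES = {"PPPOE_AUTH"}

# Constructed subscriber table shared by every functionally equivalent executor.
SUBSCRIBERS = {"alice": "s3cret", "bob": "hunter2"}

def executor_honest(msg):
    """A correct executor: accepts only a matching user name and password."""
    return "ALLOW" if SUBSCRIBERS.get(msg["user"]) == msg["password"] else "DENY"

def executor_backdoored(msg):
    """Constructed faulty executor: a backdoor lets 'bob' in with any password."""
    return "ALLOW" if msg["user"] == "bob" else executor_honest(msg)

def mimic_judgment(results, weights):
    """Credible result discrimination: weighted vote (equal weights = majority).
    Returns None when no result holds a strict weighted majority (e.g. a tie)."""
    score = Counter()
    for name, result in results.items():
        score[result] += weights.get(name, 1)
    if not score:
        return None
    credible, top = score.most_common(1)[0]
    return credible if top * 2 > sum(score.values()) else None

@dataclass
class NegativeFeedbackController:
    """Records arbitration statistics and schedules executors for reconfiguration."""
    max_mismatches: int = 2                 # user-set arbitration parameter
    mismatches: Counter = field(default_factory=Counter)
    alarms: list = field(default_factory=list)
    reconfigure: set = field(default_factory=set)

    def report(self, msg, results, credible):
        """Alarm on every executor whose result differs from the credible output."""
        if credible is None:
            self.alarms.append(("no-majority", msg["type"], msg.get("user")))
            return
        for name, result in results.items():
            if result != credible:
                self.mismatches[name] += 1
                self.alarms.append((name, msg["type"], msg.get("user")))
                if self.mismatches[name] >= self.max_mismatches:
                    # A real scheduler would also swap in a fresh heterogeneous
                    # executor; this model only takes the suspect one offline.
                    self.reconfigure.add(name)

class MimicAuthSystem:
    def __init__(self, executors, weights, non_mimic_executor, controller):
        self.executors = executors
        self.weights = weights
        self.non_mimic = non_mimic_executor
        self.controller = controller

    def handle(self, msg):
        # S1: input message discrimination distributor.
        if msg["type"] not in MIMIC_MESSAGE_TYPES:
            return self.non_mimic(msg)                        # S6 -> S7
        # S2: copy the stimulus to every executor still in the service set.
        active = {name: fn for name, fn in self.executors.items()
                  if name not in self.controller.reconfigure}
        # S3: parallel processing (sequential here; results are independent).
        results = {name: fn(dict(msg)) for name, fn in active.items()}
        credible = mimic_judgment(results, self.weights)      # S4
        self.controller.report(msg, results, credible)
        return credible                                       # S5 -> S7

def demo():
    """Run a constructed sequence; returns (outputs, controller) for inspection."""
    ctrl = NegativeFeedbackController(max_mismatches=2)
    system = MimicAuthSystem(
        executors={"x86-linux": executor_honest,
                   "arm-linux": executor_honest,
                   "ppc-bsd": executor_backdoored},
        weights={"x86-linux": 1, "arm-linux": 1, "ppc-bsd": 1},
        non_mimic_executor=lambda msg: "OK",   # keepalives bypass arbitration
        controller=ctrl)
    outputs = [
        system.handle({"type": "KEEPALIVE"}),
        system.handle({"type": "PPPOE_AUTH", "user": "bob", "password": "wrong"}),
        system.handle({"type": "PPPOE_AUTH", "user": "bob", "password": "wrong"}),
        system.handle({"type": "PPPOE_AUTH", "user": "alice", "password": "s3cret"}),
    ]
    return outputs, ctrl

if __name__ == "__main__":
    outs, ctrl = demo()
    print(outs, dict(ctrl.mismatches), sorted(ctrl.reconfigure))
```

In the constructed run the two honest executors outvote the backdoored one on both bad-password attempts, the controller reaches its mismatch threshold and takes that executor out of the service set, and the next request is arbitrated by the remaining executors only.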

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention provides an endogenous security user access authentication management system and method. An input message discrimination distributor discriminates the message type of the input stimulus information to determine whether mimic arbitration is required: if not, it sends the input stimulus information directly to a non-mimic arbitration function executor for processing; if so, it sends the input stimulus information to a mimic input agent and distributor. The mimic input agent and distributor copies and distributes the information to the specified access authentication management system executors according to a distribution strategy; the specified executors execute processing operations in parallel and output their execution results to a mimic arbitration module; the mimic arbitration module runs a credible result discrimination algorithm over the execution results to calculate a credible output and sends it to a mimic output agent module; and an output message combiner is configured to receive the credible output sent by the mimic output agent module, or the output from the non-mimic arbitration function executor, and to give an output response to the outside.

Description

Endogenously secure user access authentication management system and method
Technical field
The present invention relates to the technical field of user access authentication management systems, and in particular to an endogenously secure user access authentication management system and method.
Background
The user access authentication management system, the BRAS (Broadband Access Server / Broadband Remote Access Server), is a network communication device: a user access service device deployed at the network convergence layer, at the edge of the backbone network, which provides users' broadband data access to IP/ATM networks (the access methods are currently based mainly on xDSL, Cable Modem, high-speed Ethernet (LAN), wireless broadband data access (WLAN) and the like). It delivers broadband Internet access for commercial buildings and residential communities, IP VPN services based on IPSec (IP Security Protocol), the construction of enterprise intranets, and ISP wholesale of services to users. A broadband access server performs two main functions:
1. Network bearer function: handles users' PPPoE (Point-to-Point Protocol over Ethernet, a way of carrying PPP sessions over Ethernet) connections and aggregates user traffic.
2. Control function: works with the authentication system, billing system, customer management system and service policy control system to perform authentication, billing and management of user access.
The basic function of a BRAS is to provide the management features and service initiation functions for broadband users, including user identification, authentication, billing, IP address management and security management.
User access system: receives the connection request initiated by the user terminal, extracts the user name, password, physical location and other information from it, sends that information to the AAA management system for authentication, and allows or denies the user to come online according to the authentication result.
AAA management system: decides, according to conditions such as access restrictions, whether the user is allowed to access; if so, authentication and authorization are performed according to the AAA scheme.
Address allocation system: assigns IP addresses to access users.
Service management system: after the user comes online, the service management system works together with the AAA system to apply billing, QoS and other controls to the services the user uses.
The BRAS plays a pivotal role in operator networks, especially in China, where fixed-line broadband stands out and keeps growing worldwide.
Each year's newly added share, together with the installed base, shows that China's broadband business has a huge market. The BRAS, as a vital device, is therefore of critical importance to operators.
User access authentication management already exists today and occupies an important position, but it cannot guarantee the security of the system, nor that it is free of vulnerabilities and backdoors.
Summary of the invention
In view of the problems and shortcomings of the prior art, the present invention provides a new endogenously secure user access authentication management system and method.
The present invention solves the above technical problems through the following technical solution:
The present invention provides an endogenously secure user access authentication management system, characterized in that it comprises an input message discrimination distributor, a mimic input agent and distributor, a set of mimic arbitration function executors, a non-mimic arbitration function executor, a mimic arbitration module, a mimic output agent module and an output message combiner, where the set of mimic arbitration function executors comprises a plurality of functionally equivalent, heterogeneous access authentication management system executors;
the input message discrimination distributor is used to discriminate the message type of the received input stimulus information to decide whether mimic arbitration is required; when the input stimulus information is a message that does not require mimic arbitration, it is sent directly to the non-mimic arbitration function executor for processing, and when it is a message that requires mimic arbitration, it is sent to the mimic input agent and distributor;
the mimic input agent and distributor is used to copy and distribute the input to the designated access authentication management system executors according to a distribution strategy;
the designated access authentication management system executors are used to perform processing operations in parallel and output their execution results to the mimic arbitration module;
the mimic arbitration module is used to run a credible result discrimination algorithm over the individual execution results to compute a credible output, and to send the credible output to the mimic output agent module;
the output message combiner is used to receive the credible output sent by the mimic output agent module, or the output of the non-mimic arbitration function executor, and to issue the external output response.
Preferably, the user access authentication management system further comprises a negative feedback controller; the mimic arbitration module is used to send the mimic arbitration result to the negative feedback controller and, when a credible output is found to be an untrusted computation result, to report the corresponding event to the negative feedback controller for alarm handling.
Preferably, the negative feedback controller is used to record and collect statistics on mimic arbitration results and, according to the control parameters and arbitration parameters set by the user, to decide the dynamic scheduling of the access authentication management system executors, performing shutdown, reorganization, reconfiguration and initialization operations on them.
The present invention also provides an endogenously secure user access authentication management method, characterized in that it comprises the following steps:
S1. The input message discrimination distributor discriminates the message type of the received input stimulus information to decide whether mimic arbitration is required; if the input stimulus information is a message that does not require mimic arbitration, proceed to step S6; if it is a message that requires mimic arbitration, proceed to step S2;
S2. The input stimulus information is sent to the mimic input agent and distributor, which copies and distributes it to the designated access authentication management system executors according to the distribution strategy;
S3. The designated access authentication management system executors perform processing operations in parallel and output their execution results to the mimic arbitration module;
S4. The mimic arbitration module runs the credible result discrimination algorithm over the individual execution results to compute the credible output and sends it to the mimic output agent module;
S5. The mimic output agent module sends the credible output to the output message combiner; proceed to step S7;
S6. The input stimulus information is sent directly to the non-mimic arbitration function executor for processing; proceed to step S7;
S7. The message combiner receives the credible output sent by the mimic output agent module, or the output of the non-mimic arbitration function executor, and issues the external output response.
Preferably, the mimic arbitration module sends the mimic arbitration result to the negative feedback controller and, when a credible output is found to be an untrusted computation result, reports the corresponding event to the negative feedback controller for alarm handling.
Preferably, the negative feedback controller records and collects statistics on mimic arbitration results and, according to the control parameters and arbitration parameters set by the user, decides the dynamic scheduling of the access authentication management system executors, performing shutdown, reorganization, reconfiguration and initialization operations on them.
On the basis of common knowledge in the field, the above preferred conditions can be combined arbitrarily to obtain the preferred embodiments of the present invention.
本发明的积极进步效果在于:The positive and progressive effects of the present invention are:
本发明提供了一种内生安全的BRAS控制系统,相对于当前已有的控制系统,抗攻击能力更强,如果单个控制系统存在漏洞,通过拟态裁决算法,将其置位不可信,采用另外两个控制系统的输出结果,从而抵御攻击。The present invention provides an endogenously safe BRAS control system. Compared with the existing control system, it has stronger anti-attack ability. If a single control system has loopholes, it is set to be untrustworthy through a mimic ruling algorithm. The output results of the two control systems, thereby defending against attacks.
本发明通过采用拟态技术原理,使用户接入认证管理系统具备内生安全机制,降低甚至解决漏洞/后门等网络安全威胁因素导致整体系统的脆弱性和易被攻击性的问题。当某一执行体控制系统存在网络安全风险时,用户接入认证管理整体系统保持稳定可靠,不受影响。在降低单一执行体网络安全风险的同时,提升整体系统的可靠性。By adopting the principle of mimicry technology, the invention enables users to access the authentication management system with an endogenous safety mechanism, and reduces or even solves the problems of vulnerability and vulnerability of the overall system caused by network security threat factors such as loopholes/backdoors. When a certain executive body control system has network security risks, the overall system of user access authentication management remains stable and reliable, and will not be affected. While reducing the network security risks of a single executive body, it also improves the reliability of the overall system.
Description of the drawings
Figure 1 is a system diagram of an existing user access authentication management system;
Figure 2 is an architecture diagram of the endogenously secure user access authentication management system of the present invention;
Figure 3 is a flowchart of the endogenously secure user access authentication management method of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described below clearly and completely with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
As shown in Figure 2, this embodiment provides an endogenously secure user access authentication management system comprising an input message discriminator and distributor, a mimic input agent and distributor, a set of mimic adjudication function executors, a non-mimic adjudication function executor, a mimic adjudication module, a mimic output agent module, an output message combiner, and a negative feedback controller. The set of mimic adjudication function executors comprises multiple functionally equivalent, heterogeneous access authentication management system executors, shown in Figure 2 as access authentication management system executor 1, access authentication management system executor 2, ... access authentication management system executor N.
The input message discriminator and distributor discriminates the message type of the received input stimulus information to decide whether mimic adjudication is needed. When the input stimulus information is a message that does not require mimic adjudication, it is sent directly to the non-mimic adjudication function executor for processing; when it is a message that requires mimic adjudication, it is sent to the mimic input agent and distributor.
The mimic input agent and distributor replicates and distributes the input to the designated access authentication management system executors according to the distribution policy.
The designated access authentication management system executors perform the processing in parallel and output their execution results to the mimic adjudication module.
The mimic adjudication module runs the trusted-result discrimination algorithm on the individual execution results to compute the trusted output, and sends the trusted output to the mimic output agent module.
The output message combiner receives the trusted output sent by the mimic output agent module, or the output of the non-mimic adjudication function executor, and issues the external output response.
The mimic adjudication module also sends the mimic adjudication result to the negative feedback controller and, when an untrusted computation result is found among the results, reports the corresponding event to the alarm handling in the negative feedback controller.
The negative feedback controller records statistics of the mimic adjudication results and, according to the control parameters and adjudication parameters set by the user, decides the dynamic scheduling of the access authentication management system executors, performing close, reorganize, reconfigure and initialize operations on them.
In the first deployment form, shown in Figure 3, part of the BRAS control system's functions are kept in the non-mimic adjudication function set of the access authentication management system and are not placed under mimic control, while the remaining functions are deployed on the mimic technology architecture.
The input stimulus is type-classified in the "input message discriminator and distributor". If it belongs to the functions that do not require mimic adjudication, it goes to the "access authentication management system non-mimic adjudication function executor" for processing and, once processed, is output through the "output message combiner". The other functions use mimic adjudication: the "mimic input agent and distributor" distributes the input to multiple functionally equivalent, heterogeneous "access authentication management system executors" for parallel processing, the "mimic adjudication" module collects the executors' results, and after adjudication the result is output to the "mimic output agent" module and finally through the "output message combiner".
In the other deployment form, all BRAS functions are implemented with mimic technology. That is, the input stimulus is switched in the "input message discriminator and distributor" directly to the "mimic input agent and distributor", which distributes it to multiple functionally equivalent, heterogeneous "access authentication management system executors" for parallel processing; the "mimic adjudication" module collects the executors' results, outputs the adjudicated result to the "mimic output agent" module, and finally outputs it through the "output message combiner".
This embodiment provides an endogenously secure user access authentication management method, which comprises the following steps:
S1. The input message discriminator and distributor discriminates the message type of the received input stimulus information to decide whether mimic adjudication is needed; if the input stimulus information is a message that does not require mimic adjudication, proceed to step S6; if it is a message that requires mimic adjudication, proceed to step S2;
S2. The input stimulus information is sent to the mimic input agent and distributor, which replicates and distributes it to the designated access authentication management system executors according to the distribution policy;
S3. The designated access authentication management system executors perform the processing in parallel and output their execution results to the mimic adjudication module;
S4. The mimic adjudication module runs the trusted-result discrimination algorithm on the individual execution results to compute the trusted output, and sends the trusted output to the mimic output agent module;
S5. The mimic output agent module sends the trusted output to the output message combiner; proceed to step S7;
S6. The input stimulus information is sent directly to the non-mimic adjudication function executor for processing; proceed to step S7;
S7. The output message combiner receives the trusted output sent by the mimic output agent module, or the output of the non-mimic adjudication function executor, and issues the external output response.
Refer to Figure 3 for the specific mimic processing flow of a message.
The input stimulus first undergoes message-type discrimination in the "input message discriminator and distributor", which decides whether mimic adjudication is needed.
A message that does not require mimic adjudication is sent directly to the non-mimic adjudication function executor of the access authentication management system for processing.
A message that requires mimic adjudication is sent to the "input agent and distributor", which replicates and distributes it to the designated executors for processing according to the distribution policy.
Access authentication management system executors 1, 2, ..., k are functionally equivalent heterogeneous executors. The heterogeneity can exist at multiple levels: CPU instruction set architecture (x86, ARM, PPC), operating system (Windows, Ubuntu, CentOS, etc.), or programming language and compiler.
When the functionally equivalent heterogeneous executors have finished their parallel processing, the results are output to the "mimic adjudication" module, which runs the trusted-result discrimination algorithm (the specific algorithm may differ between implementations; for example, each control system may be assigned a different weight and the results weighted accordingly, or a simple majority rule may be used). From the outputs of the individual executors, the discrimination algorithm computes the trusted output.
The mimic adjudication module sends the trusted output to the "mimic output agent" module, and the output agent passes it to the "output message combiner", which issues the external output response.
At the same time, the "mimic adjudication" module sends the mimic adjudication result to the "negative feedback controller"; if an untrusted computation result is found, the corresponding event (the control system information, message information and so on involved) is reported to the alarm handling in the "negative feedback controller".
The "negative feedback controller" records statistics of the mimic adjudication results and, according to the control parameters and adjudication parameters set by the user, decides the dynamic scheduling of the executors, performing operations such as closing, reorganizing, reconfiguring and initializing them.
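The flow of steps S1 to S7, together with the adjudication algorithm and the negative feedback controller described in the preceding paragraphs, can be simulated end to end in a few dozen lines. The following Python is an added example and is not code from the patent or its applicant: the class and function names, the message type routed to the mimic path, the fault threshold, and the sample credential checks (one of them with a planted defect) are all assumptions made for this illustration. The arbitration function implements both variants the text mentions, simple majority and per-executor weights, and treats a tally with no strict majority as "no trusted output", which the text does not specify but which is the fail-closed reading of the mechanism.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Message types routed to the mimic path (constructed for this example;
# the patent does not name concrete message types).
MIMIC_TYPES = {"AUTH_REQUEST"}


@dataclass
class Executor:
    """One functionally equivalent, heterogeneous authentication executor."""
    name: str
    handler: Callable[[dict], str]
    weight: float = 1.0   # counted instead of 1 in 'weighted' mode
    active: bool = True   # False once the feedback controller closes it
    faults: int = 0       # times this executor disagreed with the trusted output


def needs_mimic_arbitration(msg: dict) -> bool:
    """S1: the input message discriminator routes by message type."""
    return msg.get("type") in MIMIC_TYPES


def arbitrate(results: Dict[str, str], execs: Dict[str, Executor],
              mode: str = "majority") -> Tuple[Optional[str], List[str]]:
    """S4: trusted-result discrimination over one result per executor.

    Returns (trusted_output, names of dissenting executors). In 'majority'
    mode each executor counts once; in 'weighted' mode it counts its weight.
    If no output holds a strict majority of the total tally, nothing is
    trusted (None) and every executor is reported: the replicas cannot
    agree, so the safe choice is to fail closed rather than pick one.
    """
    if not results:
        return None, []
    tally: Counter = Counter()
    for name, out in results.items():
        tally[out] += execs[name].weight if mode == "weighted" else 1
    winner, score = tally.most_common(1)[0]
    if score * 2 <= sum(tally.values()):
        return None, sorted(results)
    return winner, sorted(n for n, out in results.items() if out != winner)


class FeedbackController:
    """Negative feedback controller: keeps adjudication statistics and closes
    an executor once its fault count reaches the user-set threshold (the
    'close' step of close/reorganize/reconfigure/initialize)."""

    def __init__(self, execs: Dict[str, Executor], fault_threshold: int = 2):
        self.execs = execs
        self.fault_threshold = fault_threshold
        self.stats: Counter = Counter()
        self.alarms: List[str] = []

    def report(self, trusted: Optional[str], dissent: List[str]) -> None:
        self.stats["adjudications"] += 1
        if trusted is None:
            self.stats["untrusted"] += 1
            self.alarms.append("no trusted output; dissent=" + ",".join(dissent))
        for name in dissent:
            ex = self.execs[name]
            ex.faults += 1
            self.alarms.append(f"{name} disagreed with the trusted output")
            if ex.active and ex.faults >= self.fault_threshold:
                ex.active = False   # dynamic scheduling: take it out of service
                self.alarms.append(f"{name} closed pending reinitialization")


class MimicAuthSystem:
    """Wires S1-S7 together: discriminator, distributor, executors,
    adjudicator, output agent/combiner and the negative feedback controller."""

    def __init__(self, execs: List[Executor], non_mimic: Callable[[dict], str],
                 mode: str = "majority", fault_threshold: int = 2):
        self.execs = {e.name: e for e in execs}
        self.non_mimic = non_mimic
        self.mode = mode
        self.feedback = FeedbackController(self.execs, fault_threshold)

    def handle(self, msg: dict) -> Optional[str]:
        if not needs_mimic_arbitration(msg):                          # S1 -> S6
            return self.non_mimic(msg)                                 # S7
        active = [e for e in self.execs.values() if e.active]         # S2
        results = {e.name: e.handler(msg) for e in active}            # S3
        trusted, dissent = arbitrate(results, self.execs, self.mode)  # S4
        self.feedback.report(trusted, dissent)                        # alarm path
        return trusted                                                 # S5 -> S7


# Constructed demo: three replicas of one credential check, one with a
# planted defect so that adjudication has something to catch.
VALID = {"alice": "pw-alice", "bob": "pw-bob"}


def check_ok(msg: dict) -> str:
    return "ACCEPT" if VALID.get(msg["user"]) == msg["password"] else "REJECT"


def check_buggy(msg: dict) -> str:
    # Defect: accepts "bob" whatever the password is.
    return "ACCEPT" if msg["user"] == "bob" else check_ok(msg)


def build_demo_system(mode: str = "majority") -> MimicAuthSystem:
    execs = [Executor("exec_a", check_ok), Executor("exec_b", check_ok),
             Executor("exec_c", check_buggy)]
    return MimicAuthSystem(execs, non_mimic=lambda m: "STATS:ok", mode=mode)
```

With `build_demo_system()`, a request for "bob" with a wrong password is rejected by the two correct executors and accepted by the defective one; the majority output "REJECT" is what reaches the combiner, the defective executor is recorded as dissenting, and on its second disagreement the controller closes it, after which the remaining two executors keep serving requests. The dissent list is the detection signal the alarm handling would carry, and the "no strict majority" branch is where a real deployment decides between failing closed and escalating.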
The user access authentication management system of the present invention has the following characteristics:
1. Heterogeneity: different kinds of heterogeneous software and hardware are deployed at different levels.
2. Redundancy: the same request is executed simultaneously by multiple different software and hardware implementations and the results are voted on, achieving redundant operation.
3. Dynamism: according to the scheduling policy or feedback from threat awareness, the heterogeneous executors in the current service set are replaced in a convergent manner, increasing the uncertainty of the system's operating scenario.
By applying the principle of mimic technology, the invention gives the user access authentication management system an endogenous security mechanism, reducing or even eliminating the fragility and attackability of the overall system that results from network security threats such as vulnerabilities and backdoors. When one executor control system is exposed to a network security risk, the user access authentication management system as a whole remains stable and reliable and is not affected. The network security risk of any single executor is reduced while the reliability of the overall system is improved.
Although specific embodiments of the present invention have been described above, those skilled in the art should understand that these are only examples and that the protection scope of the present invention is defined by the appended claims. Those skilled in the art may make various changes or modifications to these embodiments without departing from the principle and essence of the present invention, and all such changes and modifications fall within the protection scope of the present invention.

Claims (6)

  1. An endogenously secure user access authentication management system, characterized in that it comprises an input message discriminator and distributor, a mimic input agent and distributor, a set of mimic adjudication function executors, a non-mimic adjudication function executor, a mimic adjudication module, a mimic output agent module, and an output message combiner, the set of mimic adjudication function executors comprising multiple functionally equivalent, heterogeneous access authentication management system executors;
    the input message discriminator and distributor discriminates the message type of the received input stimulus information to decide whether mimic adjudication is needed, sends the input stimulus information directly to the non-mimic adjudication function executor for processing when it is a message that does not require mimic adjudication, and sends it to the mimic input agent and distributor when it is a message that requires mimic adjudication;
    the mimic input agent and distributor replicates and distributes the input to the designated access authentication management system executors according to the distribution policy;
    the designated access authentication management system executors perform the processing in parallel and output their execution results to the mimic adjudication module;
    the mimic adjudication module runs the trusted-result discrimination algorithm on the individual execution results to compute the trusted output, and sends the trusted output to the mimic output agent module;
    the output message combiner receives the trusted output sent by the mimic output agent module, or the output of the non-mimic adjudication function executor, and issues the external output response.
  2. The endogenously secure user access authentication management system according to claim 1, characterized in that the user access authentication management system further comprises a negative feedback controller, and the mimic adjudication module sends the mimic adjudication result to the negative feedback controller and, when an untrusted computation result is found among the results, reports the corresponding event to the alarm handling in the negative feedback controller.
  3. The endogenously secure user access authentication management system according to claim 2, characterized in that the negative feedback controller records statistics of the mimic adjudication results and, according to the control parameters and adjudication parameters set by the user, decides the dynamic scheduling of the access authentication management system executors, performing close, reorganize, reconfigure and initialize operations on them.
  4. An endogenously secure user access authentication management method, characterized in that it comprises the following steps:
    S1. The input message discriminator and distributor discriminates the message type of the received input stimulus information to decide whether mimic adjudication is needed; if the input stimulus information is a message that does not require mimic adjudication, proceed to step S6; if it is a message that requires mimic adjudication, proceed to step S2;
    S2. The input stimulus information is sent to the mimic input agent and distributor, which replicates and distributes it to the designated access authentication management system executors according to the distribution policy;
    S3. The designated access authentication management system executors perform the processing in parallel and output their execution results to the mimic adjudication module;
    S4. The mimic adjudication module runs the trusted-result discrimination algorithm on the individual execution results to compute the trusted output, and sends the trusted output to the mimic output agent module;
    S5. The mimic output agent module sends the trusted output to the output message combiner; proceed to step S7;
    S6. The input stimulus information is sent directly to the non-mimic adjudication function executor for processing; proceed to step S7;
    S7. The output message combiner receives the trusted output sent by the mimic output agent module, or the output of the non-mimic adjudication function executor, and issues the external output response.
  5. The endogenously secure user access authentication management method according to claim 4, characterized in that the mimic adjudication module sends the mimic adjudication result to the negative feedback controller and, when an untrusted computation result is found among the results, reports the corresponding event to the alarm handling in the negative feedback controller.
  6. The endogenously secure user access authentication management method according to claim 5, characterized in that the negative feedback controller records statistics of the mimic adjudication results and, according to the control parameters and adjudication parameters set by the user, decides the dynamic scheduling of the access authentication management system executors, performing close, reorganize, reconfigure and initialize operations on them.
PCT/CN2020/094473 2019-12-11 2020-06-04 Endogenous security user access authentication management system and method WO2021114582A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201911262835.3A CN110691107B (en) 2019-12-11 2019-12-11 Endogenous safety user access authentication management system and method
CN201911262835.3 2019-12-11

Publications (1)

Publication Number Publication Date
WO2021114582A1 true WO2021114582A1 (en) 2021-06-17

Family

ID=69117778

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/094473 WO2021114582A1 (en) 2019-12-11 2020-06-04 Endogenous security user access authentication management system and method

Country Status (2)

Country Link
CN (1) CN110691107B (en)
WO (1) WO2021114582A1 (en)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20900329

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20900329

Country of ref document: EP

Kind code of ref document: A1