WO2023159994A1 - Operation and maintenance processing method, and terminal device - Google Patents


Info

Publication number
WO2023159994A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2022/127819
Other languages
French (fr)
Chinese (zh)
Inventor
韩科科
郭志强
韩东
焦成伟
Original Assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S 10/00 Systems supporting electrical power generation, transmission or distribution
    • Y04S 10/50 Systems or methods supporting the power network operation or management, involving a certain degree of interaction with the load-side end user applications

Definitions

  • the present application relates to the technical field of computer networks, and in particular to an operation and maintenance processing method and terminal equipment.
  • the operation and maintenance management plane is the core network hub of the operator's network infrastructure.
  • Through the operation and maintenance management plane, the operator's network can be managed: bringing new equipment online and configuring it, changing the existing infrastructure, monitoring running equipment, or modifying services.
  • the operation and maintenance management plane has become the primary target of malicious attacks by attackers to disrupt the operation of the operator's network. Attackers use the operation and maintenance management plane to launch potential attacks, which may cause great security risks to the operator's business.
  • the identity of the operation and maintenance user needs to be authenticated.
  • The user is granted the corresponding operation and maintenance authority according to the role, and the operation and maintenance user can then log in to the network management system and network elements and perform the corresponding operation and maintenance operations.
  • The static authorization of operation and maintenance users can include, for example: when an operation and maintenance user logs in to the network management system or a network element, the user's identity is authenticated with a user name and password. Faced with an increasingly complex network environment, the current static authorization scheme for operation and maintenance users carries high network security risks.
  • Embodiments of the present application provide an operation and maintenance processing method and a terminal device, which are used to reduce security risks of operation and maintenance users.
  • the embodiment of the present application provides an operation and maintenance processing method.
  • The method includes: receiving a service access request sent by an operation and maintenance user through an operation and maintenance terminal; performing multi-factor identity authentication on the operation and maintenance user according to the service access request; after the operation and maintenance user passes the multi-factor identity authentication, obtaining the work order task to be executed by the operation and maintenance user from the work order system, obtaining the identity data of the operation and maintenance user from the identity authentication management system, obtaining the terminal risk data of the operation and maintenance terminal from the terminal risk awareness system, and obtaining the service security data from the service provision system; conducting a trust assessment on the operation and maintenance user according to the work order task, the identity data, the terminal risk data and the service security data to obtain a trust assessment result; and generating an access control policy according to the trust assessment result.
  • Multi-factor identity authentication is performed on the operation and maintenance user according to the business access request; after the operation and maintenance user passes the multi-factor authentication, the work order task to be executed by the operation and maintenance user is obtained from the work order system, the identity data of the operation and maintenance user is obtained from the identity authentication management system, the terminal risk data of the operation and maintenance terminal is obtained from the terminal risk perception system, and the business security data is obtained from the service provision system; according to the work order task, identity data, terminal risk data and business security data, a trust evaluation is performed on the operation and maintenance user, and an access control policy is generated according to the trust evaluation result.
  • The access control policy includes the control method for the operation and maintenance operations of the operation and maintenance user, so that those operations can be controlled precisely, ensuring the safe access of the operation and maintenance user and reducing the operation and maintenance user's security risk.
  • the method further includes: performing dynamic access control on the operation and maintenance operations performed by the operation and maintenance user according to the access control policy.
  • dynamic access control is performed on the operation and maintenance operations performed by the operation and maintenance users according to the access control policy, which can ensure the safe access of the operation and maintenance users and reduce the security risks of the operation and maintenance users.
  • Performing dynamic access control on the operation and maintenance operations of the operation and maintenance user according to the access control policy includes: for each session, generating an authorization instruction according to the access control policy and the work order task, where the authorization instruction instructs the operation and maintenance user to perform the task content according to the authorization set and prohibits the operation and maintenance user from executing task content other than the work order task; and performing authority monitoring on the operation and maintenance operations of the operation and maintenance user according to the authorization instruction.
  • The policy enforcement point monitors, according to the authorization instruction, the task content of the operation and maintenance user in each session and the operation and maintenance operations performed, so that the operation and maintenance user performs the task content according to the authorization set and is prohibited from performing tasks other than the work order task, ensuring safe access and reducing the security risk of the operation and maintenance user.
  • The authorization set includes at least one of the following: the account of the operation and maintenance user, the role in which the operation and maintenance user performs operation and maintenance operations, the time at which the operation and maintenance user performs operation and maintenance operations, the operation instructions with which the operation and maintenance user performs operation and maintenance operations, and the operation and maintenance user's authority to access the service provision system.
  • the authorization set can control roles, time, instructions, permissions, etc., so that the operation and maintenance users can only perform specific tasks according to the authorization set.
  • The work order specifies the execution time, user, type of network element (NE) and operation command. The policy enforcement point starts a scheduled task according to the work order task, and when the task execution time is reached, the corresponding operation command authority is granted to the execution role and user.
  • The method further includes: sending the access control policy to a policy enforcement point, so that the policy enforcement point performs dynamic access control on the operation and maintenance operations of the operation and maintenance user according to the access control policy.
  • The policy decision point can send the access control policy to the policy enforcement point through the transmission channel between them, so that the policy enforcement point can perform dynamic access control on the operation and maintenance operations of the operation and maintenance user according to the access control policy.
  • Performing the trust assessment on the operation and maintenance user according to the work order task, the identity data, the terminal risk data and the business security data to obtain a trust assessment result includes: generating a trust evaluation model of the operation and maintenance user according to the work order task, the identity data, the terminal risk data and the business security data; acquiring the abnormal behavior of the operation and maintenance user according to the trust evaluation model; determining the operation and maintenance operation risk parameters of the operation and maintenance user according to the abnormal behavior and a predetermined user historical behavior baseline; and generating the trust evaluation result according to the operation and maintenance operation risk parameters.
  • The operation and maintenance operation risk parameters can be used directly as the trust evaluation result, or the operation and maintenance user can be scored according to the risk parameters to generate the trust evaluation result.
  • The policy decision point can identify the abnormal behavior of the operation and maintenance user through the trust evaluation model and generate the trust evaluation result from the abnormal behavior and the user's historical behavior baseline, which allows accurate evaluation of the operation and maintenance user and improves the accuracy and efficiency of the evaluation.
  • The access control policy includes a user risk level and a corresponding access control method; when the user risk level is low-level risk, the corresponding access control method includes at least one of the following: bubbling reminder, report alarm; when the user risk level is medium-level risk, the corresponding access control method includes at least one of the following: secondary identity authentication, prohibiting execution of high-risk operations; and when the user risk level is high-level risk, the corresponding access control method includes at least one of the following: forced logout of the user, deactivation of the user.
  • Access control policies are generated dynamically from the trust evaluation results of operation and maintenance users, such as the trust score and risk level of each access session, combined with context information; different risk levels correspond to different levels of access control method, achieving precise control over O&M operations.
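The policy decision point described in the bullets above, as an added Python example that is not code from the patent: it compares a session against a user historical behaviour baseline, turns the anomalies into weighted risk parameters, scores them into a risk level and emits the access control policy with the control methods the text lists for each level. The baseline, the individual checks, the weights and thresholds, the field names and all sample inputs are assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime

# Constructed historical behaviour baseline for one O&M user (assumed data).
BASELINE = {
    "admin01": {
        "login_hours": range(8, 19),          # usual working hours
        "source_nets": ["10.20.0.0/16"],     # usual management network
        "usual_commands": {"display", "show", "backup"},
    },
}

# Access control method per user risk level, as listed in the patent text.
CONTROL_METHODS = {
    "low": ["bubble reminder", "report alarm"],
    "medium": ["secondary identity authentication", "prohibit high-risk operations"],
    "high": ["force logout", "deactivate user"],
}


def detect_abnormal_behaviour(user, work_order, identity, terminal, service, now):
    """Trust evaluation model: compare the session with the user's baseline and
    the data collected from the four systems; return (description, weight)
    risk parameters. Checks and weights are assumptions for illustration."""
    base = BASELINE[user]
    risks = []
    if now.hour not in base["login_hours"]:
        risks.append(("login outside usual hours", 2))
    src = ipaddress.ip_address(terminal["ip"])           # terminal risk data
    if not any(src in ipaddress.ip_network(n) for n in base["source_nets"]):
        risks.append(("login from unusual network", 2))
    if identity["failed_logins_24h"] >= 3:                # identity data (3A/4A)
        risks.append(("repeated failed logins", 2))
    if not terminal["compliant"]:
        risks.append(("non-compliant terminal", 3))
    unusual = set(work_order["commands"]) - base["usual_commands"]   # work order task
    if unusual:
        risks.append(("unusual commands in work order: " + ", ".join(sorted(unusual)), 1))
    for ev in service["security_events"]:                 # service security data
        if ev["user"] == user and ev["severity"] == "critical":
            risks.append(("critical security event: " + ev["type"], 4))
    return risks


def trust_evaluation(risks):
    """Score the risk parameters and map the score to a user risk level."""
    score = sum(w for _, w in risks)
    level = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"score": score, "level": level, "reasons": [r for r, _ in risks]}


def generate_access_control_policy(result):
    """Access control policy: the user risk level plus its control methods."""
    return {"risk_level": result["level"],
            "control_methods": CONTROL_METHODS[result["level"]],
            "score": result["score"], "reasons": result["reasons"]}


def evaluate_session(user, work_order, identity, terminal, service, now):
    """PDP pipeline: collected data -> trust evaluation -> access control policy."""
    risks = detect_abnormal_behaviour(user, work_order, identity, terminal, service, now)
    return generate_access_control_policy(trust_evaluation(risks))


# Constructed sample inputs standing in for the work order system, the
# identity authentication management system, the terminal risk awareness
# system and the service provision system.
WORK_ORDER = {"user": "admin01", "commands": ["display", "backup"]}
RISKY_ORDER = {"user": "admin01", "commands": ["display", "reboot"]}
IDENTITY_OK = {"failed_logins_24h": 0}
TERMINAL_OK = {"ip": "10.20.5.7", "compliant": True}
NO_EVENTS = {"security_events": []}
CRITICAL_EVENTS = {"security_events": [
    {"user": "admin01", "severity": "critical", "type": "unauthorized config change alarm"}]}
WORKING_HOURS = datetime(2024, 5, 6, 10, 0)
NIGHT = datetime(2024, 5, 6, 2, 30)

if __name__ == "__main__":
    normal = evaluate_session("admin01", WORK_ORDER, IDENTITY_OK, TERMINAL_OK, NO_EVENTS, WORKING_HOURS)
    odd = evaluate_session("admin01", RISKY_ORDER, IDENTITY_OK, TERMINAL_OK, NO_EVENTS, NIGHT)
    bad = evaluate_session("admin01", RISKY_ORDER, {"failed_logins_24h": 4},
                           {"ip": "203.0.113.9", "compliant": False}, CRITICAL_EVENTS, NIGHT)
    for policy in (normal, odd, bad):
        print(policy["risk_level"], policy["score"], policy["control_methods"], policy["reasons"])
```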
  • the service security data includes: operation and maintenance security logs, operation logs, and security events of the service provision system.
  • the service provision system can provide service access functions to operation and maintenance users, and the service provision system can also record service security data when providing service access.
  • The operation and maintenance security logs, operation logs and security events of the service provision system can all serve as business security data; which are used depends on the application scenario.
  • the service providing system includes at least one of the following: a network management and control unit, and a service access network element.
  • the service provision system has multiple implementation methods for different types of services performed by the operation and maintenance users.
  • The network management and control unit can provide service access functions to operation and maintenance users, and the service access network element can likewise provide service access functions to operation and maintenance users.
  • The embodiment of the present application also provides an operation and maintenance processing method, the method comprising: obtaining an access control policy from a policy decision point; and performing dynamic access control on the operation and maintenance operations of the operation and maintenance user according to the access control policy.
  • The access control policy is obtained from the policy decision point, and dynamic access control is performed on the operation and maintenance operations of the operation and maintenance user according to the access control policy.
  • The access control policy includes the control method for the operation and maintenance operations of the operation and maintenance user, so that those operations stay within a precisely controllable range, ensuring the safe access of the operation and maintenance user and reducing the operation and maintenance user's security risk.
  • Performing dynamic access control on the operation and maintenance operations of the operation and maintenance user according to the access control policy includes: obtaining the work order task to be executed by the operation and maintenance user; for each session generated when the operation and maintenance user performs operation and maintenance operations, generating an authorization instruction according to the access control policy and the work order task, where the authorization instruction instructs the operation and maintenance user to execute the task content according to the authorization set and prohibits the operation and maintenance user from performing task content other than the work order task; and performing authority monitoring on the operation and maintenance operations of the operation and maintenance user according to the authorization instruction.
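The policy enforcement point side of the method, as an added Python example that is not code from the patent: from the access control policy received from the policy decision point and the work order task it builds a per-session authorization instruction whose authorization set is the account, role, NE type, execution time window and permitted operation commands, then monitors each operation against that set. The command names, the list of what counts as a high-risk operation, the field names and the sample work order are assumptions constructed for illustration.

```python
from datetime import datetime

# Operations treated as high-risk (assumed list; the patent names the
# category "high-risk operations" but not the commands).
HIGH_RISK_COMMANDS = {"reboot", "reset", "delete", "format"}


def generate_authorization_instruction(policy, work_order):
    """Build the per-session authorization instruction from the access control
    policy (sent by the PDP) and the work order task. The authorization set is
    the account, role, NE type, execution window and permitted commands."""
    if policy["risk_level"] == "high":
        # forced logout / deactivation: no authorization set is issued
        return {"session_allowed": False, "actions": policy["control_methods"]}
    commands = set(work_order["commands"])
    prohibited = set()
    if policy["risk_level"] == "medium":
        # medium risk: prohibit execution of high-risk operations
        prohibited = commands & HIGH_RISK_COMMANDS
        commands -= prohibited
    return {
        "session_allowed": True,
        "account": work_order["user"],
        "role": work_order["role"],
        "ne_type": work_order["ne_type"],
        "window": (work_order["start"], work_order["end"]),
        "commands": commands,
        "prohibited": prohibited,
        "step_up_auth": policy["risk_level"] == "medium",   # secondary identity authentication
        "actions": policy["control_methods"],
    }


def authorize_operation(instruction, session, command, now):
    """Authority monitoring for a single operation in a session.
    Returns (allowed, reason); every check is against the authorization set."""
    if not instruction["session_allowed"]:
        return False, "session terminated by access control policy"
    if (session["account"], session["role"]) != (instruction["account"], instruction["role"]):
        return False, "account or role not in authorization set"
    if session["ne_type"] != instruction["ne_type"]:
        return False, "NE type not covered by the work order"
    start, end = instruction["window"]
    if not start <= now <= end:
        # the scheduled task has not started yet, or the window has expired
        return False, "outside the work order execution time"
    if command in instruction["prohibited"]:
        return False, "high-risk operation prohibited at medium risk level"
    if instruction["step_up_auth"] and not session.get("secondary_auth_passed", False):
        return False, "secondary identity authentication required"
    if command not in instruction["commands"]:
        return False, "command '%s' is not part of the work order task" % command
    return True, "allowed"


# Constructed sample data: one work order, one session and the three policy
# shapes the PDP can send (risk level plus the control methods from the text).
WORK_ORDER = {"user": "admin01", "role": "ne_operator", "ne_type": "router",
              "start": datetime(2024, 5, 6, 9, 0), "end": datetime(2024, 5, 6, 12, 0),
              "commands": ["display", "backup", "reboot"]}
SESSION = {"account": "admin01", "role": "ne_operator", "ne_type": "router"}
LOW = {"risk_level": "low", "control_methods": ["bubble reminder", "report alarm"]}
MEDIUM = {"risk_level": "medium",
          "control_methods": ["secondary identity authentication", "prohibit high-risk operations"]}
HIGH = {"risk_level": "high", "control_methods": ["force logout", "deactivate user"]}
IN_WINDOW = datetime(2024, 5, 6, 10, 0)
BEFORE_WINDOW = datetime(2024, 5, 6, 8, 0)

if __name__ == "__main__":
    for name, policy in (("low", LOW), ("medium", MEDIUM), ("high", HIGH)):
        instr = generate_authorization_instruction(policy, WORK_ORDER)
        for cmd in ("display", "reboot", "delete"):
            print(name, cmd, authorize_operation(instr, SESSION, cmd, IN_WINDOW))
    print("before window", authorize_operation(
        generate_authorization_instruction(LOW, WORK_ORDER), SESSION, "display", BEFORE_WINDOW))
```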
  • the embodiment of the present application further provides a terminal device, where the terminal device is specifically a policy decision point, and the terminal device includes:
  • a receiving module configured to receive the service access request sent by the operation and maintenance user through the operation and maintenance terminal;
  • an authentication module configured to perform multi-factor identity authentication on the operation and maintenance user according to the service access request;
  • an acquisition module configured to acquire, after the operation and maintenance user passes the multi-factor identity authentication, the work order task of the operation and maintenance user from the work order system, the identity data of the operation and maintenance user from the identity authentication management system, the terminal risk data of the operation and maintenance terminal from the terminal risk awareness system, and the service security data from the service provision system;
  • an evaluation module configured to perform trust evaluation on the operation and maintenance user according to the work order task, the identity data, the terminal risk data and the business security data, and obtain a trust evaluation result; and
  • a policy generating module configured to generate an access control policy according to the trust evaluation result.
  • the component modules of the terminal device can also perform the steps described in the aforementioned first aspect and various possible implementations.
  • the embodiment of the present application further provides a terminal device, the terminal device is specifically a policy enforcement point, and the terminal device includes:
  • an acquisition module configured to acquire an access control policy from a policy decision point; and
  • a control module configured to perform dynamic access control on the operation and maintenance operations performed by the operation and maintenance user according to the access control policy.
  • the constituent modules of the terminal device can also perform the steps described in the aforementioned first aspect and various possible implementations.
  • The embodiment of the present application provides a computer-readable storage medium that stores instructions which, when run on a computer, cause the computer to execute the method described in the first aspect or the second aspect above.
  • the embodiment of the present application provides a computer program product containing instructions, which when run on a computer, causes the computer to execute the method described in the first aspect above.
  • The embodiment of the present application provides a communication device, which may include entities such as terminal equipment or chips; the communication device includes a processor and a memory, the memory is used to store instructions, and the processor is used to execute the instructions in the memory, causing the communication device to execute the method described in any one of the aforementioned first aspect or second aspect.
  • The present application provides a chip system.
  • The chip system includes a processor for supporting the policy decision point or the policy enforcement point in realizing the functions involved in the above aspects, for example sending or processing the data and/or information involved in the above method.
  • the chip system further includes a memory, and the memory is used for storing necessary program instructions and data of a policy decision point or a policy execution point.
  • the system-on-a-chip may consist of chips, or may include chips and other discrete devices.
  • Multi-factor identity authentication is performed on the operation and maintenance user according to the service access request; after the operation and maintenance user passes it, the work order task to be executed by the operation and maintenance user is obtained from the work order system, the identity data of the operation and maintenance user is obtained from the identity authentication management system, the terminal risk data of the operation and maintenance terminal is obtained from the terminal risk awareness system, and the business security data is obtained from the service provision system; the trust of the operation and maintenance user is evaluated according to the work order task, identity data, terminal risk data and business security data, and an access control policy is generated based on the trust evaluation result. Because the policy keeps the operation and maintenance operations within a controllable scope, the safe access of operation and maintenance users is guaranteed and their security risk is reduced.
  • FIG. 1 is a schematic diagram of the composition and structure of an operation and maintenance processing system provided by an embodiment of the present application;
  • FIG. 2 is a schematic diagram of an interaction flow between a policy decision point and a policy enforcement point provided in an embodiment of the present application;
  • FIG. 3 is a schematic diagram of a scene where an operation and maintenance user accesses a network management and control unit according to an embodiment of the present application;
  • FIG. 4 is a schematic diagram of a scene where an operation and maintenance user accesses a network element provided by an embodiment of the present application;
  • FIG. 5 is a schematic diagram of a scene for preventing an attacker from impersonating an administrator provided by an embodiment of the present application;
  • FIG. 6 is a schematic diagram of a scenario for preventing hidden attacks provided by the embodiment of the present application;
  • FIG. 7 is a schematic diagram of a scene for preventing human misoperation accidents provided by the embodiment of the present application;
  • FIG. 8 is a schematic diagram of a scenario for preventing near-end access from bypassing management and control provided by the embodiment of the present application;
  • FIG. 9 is a schematic diagram of the composition and structure of a policy decision point provided by the embodiment of the present application;
  • FIG. 10 is a schematic diagram of the composition and structure of a policy enforcement point provided by the embodiment of the present application;
  • FIG. 11 is a schematic diagram of the composition and structure of another policy decision point provided by the embodiment of the present application;
  • FIG. 12 is a schematic diagram of the composition and structure of another policy enforcement point provided by the embodiment of the present application.
  • the operation and maintenance processing system can be used to operate and maintain the operator network.
  • If the operation and maintenance processing system becomes the target of malicious attacks by attackers to disrupt the operation of the operator's network, this may cause great security risks to the operator's business, including long-term impacts on the availability and confidentiality of its key services.
  • Operation and maintenance users control the operation and maintenance terminal, access the operator's network remotely through the local management network or from the Internet through a virtual private network (VPN), and perform operation and maintenance tasks.
  • the operation and maintenance user can operate and maintain the service access network element (referred to as the network element) by accessing the network management and control unit (referred to as the network management unit), or the operation and maintenance user can directly log in to the network element to perform operation and maintenance.
  • The embodiment of this application provides an operation and maintenance processing system which adopts more flexible and diverse ways to establish new logical boundaries for dynamically changing users, terminals and systems, to ensure safe access and safe access operations for operation and maintenance users.
  • the embodiment of the present application provides an operation and maintenance processing system 100.
  • the operation and maintenance processing system 100 can perform dynamic access control on the operation and maintenance operations of the operation and maintenance users, so as to reduce the security risks of the operation and maintenance users.
  • the operation and maintenance processing system 100 includes: a policy decision point (policy decision point, PDP) 101 and a policy enforcement point (policy enforcement point, PEP) 102, and the policy decision point 101 and the policy enforcement point 102 can communicate.
  • the operation and maintenance user sends a service access request through the operation and maintenance terminal, and the policy decision point 101 can perform multi-factor authentication on the operation and maintenance user according to the service access request, so as to ensure that the identity of the operation and maintenance user is safe and reliable.
  • The policy decision point 101 can also collect various data, such as operation and maintenance user, terminal, environment and behavior data, so that it can continuously conduct trust evaluation and then generate access control policies. The policy decision point 101 can send the access control policy to the policy enforcement point 102; the policy enforcement point 102 updates its policy based on the access control policy and precisely authorizes the access operations of the operation and maintenance user, realizing dynamic access control and ensuring that the operation and maintenance user's access is secure and trustworthy.
  • The policy decision point can also be connected to the work order system, the identity authentication management system, the terminal risk perception system and the service provision system, so that during the access process of the operation and maintenance user the policy decision point can obtain a variety of security-related data from these systems and perform dynamic trust evaluation based on that data to generate access control policies.
  • Access control policies can be used to indicate how to control the O&M operations of O&M users.
  • the above-mentioned work order system, identity authentication management system, terminal risk awareness system and service provision system can all be called third-party systems.
  • work order tasks are stored in the work order system, and operation and maintenance users need to perform operation and maintenance operations according to work order tasks.
  • the identity authentication management system provides the identity data of operation and maintenance users.
  • the identity authentication management system may be an authentication, authorization and audit (Authentication Authorization Audit, 3A) server or an authentication, authorization, audit and account (Authentication Authorization Audit Account, 4A) server.
  • the terminal risk awareness system can be used to provide terminal risk data of the operation and maintenance terminal, which can also be called terminal security data, and the terminal risk data can include the environmental security data of the operation and maintenance terminal logged in by the operation and maintenance user.
  • the service provision system can provide service access functions to operation and maintenance users, and the service provision system can also record service security data when providing service access.
  • the business security data can take various forms; examples are as follows.
  • the business security data includes: operation and maintenance security logs, operation logs and security events of the service provision system.
  • the service provision system can provide service access functions to operation and maintenance users.
  • the service provision system includes at least one of the following: a network management and control unit, and a service access network element.
  • the service provision system has various implementation methods for different types of operations performed by operation and maintenance users.
  • the network management and control unit can provide service access functions to operation and maintenance users, and the service access network element can likewise provide service access functions to operation and maintenance users. The specific operation and maintenance operations performed by the operation and maintenance user are not limited in the embodiment of the present application.
  • the policy decision point and the policy execution point may be set on the same device, or the policy decision point and the policy execution point may be set on different devices.
  • the operation and maintenance user can access the network management and control unit through the operation and maintenance terminal. Both the policy decision point and the policy enforcement point can be set on the network management and control unit.
  • the policy decision point can generate an access control policy, and the policy enforcement point performs dynamic access control on the operation and maintenance operations of operation and maintenance users based on the access control policy.
  • the operation and maintenance users can access the service access network element through the operation and maintenance terminal. The policy decision point can be set on the network management and control unit and the policy execution point on the service access network element; the policy decision point generates access control policies, and the policy execution point performs dynamic access control on the operation and maintenance operations of the operation and maintenance users according to the access control policy.
  • the operation and maintenance processing method provided by the embodiment of the present application is introduced next. As shown in Figure 2, it mainly includes the interaction process between the policy decision point and the policy execution point. Specifically, it may include the following steps:
  • Step 201: the policy decision point receives a service access request sent by an operation and maintenance user through an operation and maintenance terminal.
  • the operation and maintenance user can control the operation and maintenance terminal to generate a service access request, and the operation and maintenance terminal sends the service access request, for example to the policy enforcement point, which forwards it to the policy decision point, so that the policy decision point receives the service access request.
  • the embodiment of the present application does not limit the specific content of the service access initiated by the operation and maintenance user.
  • Step 202: the policy decision point performs multi-factor identity authentication on the operation and maintenance user according to the service access request.
  • after the policy decision point receives the service access request, it needs to perform identity authentication on the operation and maintenance user who initiated the service access request, so as to confirm that the identity of the operation and maintenance user is credible.
  • the policy decision point needs to perform multi-factor identity authentication on the operation and maintenance user according to the business access request, and the security of identity authentication can be improved through the multi-factor identity authentication.
  • multi-factor identity authentication has multiple implementation methods.
  • the policy decision-making point uses identity as the cornerstone to construct a logical boundary, and adopts multi-factor identity authentication, such as user password, digital certificate, SMS verification code, fingerprint and other technologies.
  • the user undergoes mandatory identity authentication, and the identity authentication result is used as the basis of access control trust to ensure that the identity of the operation and maintenance user is credible. If the identity of the operation and maintenance user is credible, the subsequent step 203 is triggered; if the identity of the operation and maintenance user is untrustworthy, the service access request of the operation and maintenance user is rejected, that is, the subsequent step 203 is not executed.
  • Step 203: the policy decision point obtains the work order task to be executed by the operation and maintenance user from the work order system, obtains the identity data of the operation and maintenance user from the identity authentication management system, obtains the terminal risk data of the operation and maintenance terminal from the terminal risk perception system, and obtains the service security data from the service provision system.
  • the policy decision point performs multi-factor identity authentication on the operation and maintenance user according to the service access request in the aforementioned step 202. Only after the operation and maintenance user passes the multi-factor identity authentication can step 203 be executed; if the operation and maintenance user does not pass the multi-factor identity authentication, step 203 is not executed.
  • the policy decision point can obtain a variety of security-related data. As described above for the connection relationships of the policy decision point, it can be connected to the work order system, the identity authentication management system, the terminal risk awareness system and the service provision system, and can obtain relevant security data from each of these systems. Specifically, the policy decision point can conduct continuous trust assessment of operation and maintenance users. In the embodiment of this application, the access of all operation and maintenance users is untrusted by default. User trust assessment and dynamic policy management capabilities can be built on the policy decision point, enabling it to perform one or more of the following data acquisition functions:
  • the service security data is obtained from the service providing system.
  • the work order system stores a variety of work order tasks.
  • the work order system can send the work order tasks to be executed by the operation and maintenance user to the policy decision point.
  • the policy decision point analyzes the input work order tasks, extracting the execution time, execution user, network element (NE) type and operation command of each work order task.
  • the identity authentication management system can send the identity data of the operation and maintenance user to the policy decision point, so that the policy decision point can continuously authenticate the identity data of the operation and maintenance user.
  • the terminal risk awareness system can send the terminal risk data of the operation and maintenance terminal to the policy decision point, and the policy decision point can continuously monitor and evaluate the security environment of the operation and maintenance terminal through the terminal risk data, such as OS patches, terminal registration information, browser security status, etc.
  • the service provision system can send service security data to the policy decision point, and the policy decision point can perform security detection on the service provision system that the operation and maintenance user will access based on the service security data.
  • the policy decision point can obtain the operation and maintenance operation logs of the network management and control unit and network elements, the security events of the network management and control unit, etc.
  • Step 204: the policy decision point evaluates the trust of the operation and maintenance user according to the work order task, identity data, terminal risk data and business security data, and obtains a trust evaluation result.
  • after the policy decision point obtains the work order tasks, identity data, terminal risk data and business security data, it can comprehensively analyze this data, evaluate the security level of the operation and maintenance user through it, and generate a trust assessment result, which may include security level information obtained after the trust assessment of the operation and maintenance user.
  • the content of the trust evaluation result is related to the work order task, identity data, terminal risk data, and business security data, and the specific content of the trust evaluation result is not limited in this embodiment of the application.
  • the policy decision point in step 204 conducts a trust assessment on the operation and maintenance user according to the work order task, identity data, terminal risk data and business security data, and obtains the trust assessment result, including:
  • A1. Generate a trust evaluation model for operation and maintenance users based on work order tasks, identity data, terminal risk data and business security data.
  • the policy decision point can obtain multi-dimensional data such as work order tasks, identity data, terminal risk data, and business security data, and continuously and comprehensively evaluate the security credibility of operation and maintenance users.
  • the policy decision point can input work order tasks, identity data, terminal risk data, and business security data into the attack chain model, and combine the actual operation and maintenance business scenarios to generate a trust evaluation model, which can identify users behavior trajectory.
  • A2. Identify the abnormal behavior of the operation and maintenance user through the trust evaluation model.
  • the abnormal behavior of the operation and maintenance user can be a request to perform tasks other than work order tasks, risky data present on the operation and maintenance terminal, security events generated on the network element accessed by the operation and maintenance user, etc.
  • A3. Determine the operation risk parameters of the operation and maintenance users according to the abnormal behavior of the operation and maintenance users and the pre-determined user historical behavior baseline.
  • the policy decision point can pre-determine the user's historical behavior baseline, and the user's historical behavior can be used as a reference. After identifying the abnormal behavior of the operation and maintenance user, the policy decision point generates the operation and maintenance operation risk parameters of the operation and maintenance user; the operation and maintenance operation risk parameter indicates the risk level corresponding to the operation and maintenance operation performed by the operation and maintenance user.
  • the policy decision point performs risk discrimination based on comprehensive factors such as the stage of the abnormal behavior of the operation and maintenance user, context information, number of occurrences, risk and impact, refers to the user's historical behavior baseline, and finally obtains the operation and maintenance operation risk parameters of the operation and maintenance user.
  • the operation and maintenance operation risk parameters can be used as the trust evaluation result, or the operation and maintenance users can be scored according to the operation and maintenance operation risk parameters to generate the trust evaluation results.
  • the policy decision point can identify the abnormal behavior of the operation and maintenance user through the trust evaluation model, and generate the trust evaluation result of the operation and maintenance user from the abnormal behavior and the user's historical behavior baseline, which enables accurate evaluation of the operation and maintenance user and improves the evaluation accuracy and efficiency.
  • the policy decision point is untrustworthy by default for the access and access of all operation and maintenance users.
  • Build user trust evaluation and dynamic policy management capabilities on the policy decision point specifically:
  • Analyze the work order tasks entered by the work order system to realize precise authorization of users based on work order tasks: perform fine-grained authorization through account, role, time, operation instructions and other elements, and prohibit users from performing high-risk operations other than the work order tasks, so that unexpected results do not occur and the risk of human misoperation and illegal access is avoided. The input work order task is analyzed to obtain the execution time, execution user, network element type and operation command in the work order; a scheduled task is started according to the work order task, and when the task execution time is reached, the corresponding operation command authority is given to the execution role and user.
  • Continuously monitor and evaluate the security environment of the login terminal, such as OS patches, terminal registration information, browser security status, etc.; once an abnormality is found, immediately lower the user's trust level and dynamically adjust access rights, to prevent attackers from impersonating administrators or attacking by infecting operation and maintenance terminals. For example, if there are security problems at the software level, such as unpatched vulnerabilities in the terminal operating system, unpatched security vulnerabilities in browser-related components, illegal or pirated software installed on the terminal, or viruses and Trojan horses present on the terminal, the operation and maintenance terminal is identified as abnormal.
  • Based on multi-dimensional data such as the user identity data input by the identity authentication management system, the operation and maintenance operation logs of the network management and control unit and network elements, and the security events of the network management and control unit, all access operations of operation and maintenance users are continuously monitored and evaluated for security. For abnormal behaviors and threat events that deviate from the daily access baseline, once an abnormality is found, the user's trust level is immediately reduced and access rights are dynamically adjusted to minimize the impact of intrusion.
  • Step 205: the policy decision point generates an access control policy according to the trust evaluation result.
  • after the policy decision point evaluates the trust of the operation and maintenance users, it generates an access control policy according to the trust assessment results, so that the operation and maintenance operations are kept within a precise and controllable range, ensuring the safe access of operation and maintenance users.
  • the access control policy includes: user risk levels and corresponding access control methods
  • the corresponding access control method includes at least one of the following: bubbling reminder, reporting an alarm; or,
  • the corresponding access control methods include at least one of the following: secondary identity authentication, prohibiting high-risk operations; or,
  • the corresponding access control methods include at least one of the following: forced logout of the user, deactivation of the user.
  • the access control policy is dynamically generated based on the trust evaluation results of operation and maintenance users, such as the trust score and risk level of each access session, combined with context information; different levels of risk correspond to different levels of access control methods, so as to achieve precise control of operation and maintenance operations.
  • “bubble reminder” and “report to alarm” are used for low-level risks.
  • bubble reminder refers to sending a reminder box through bubbling, so that users can receive reminders of low-level risks.
  • for medium-level risks, “secondary identity authentication” and “prohibition of high-risk operations” are adopted, and for high-level risks, strategies such as “forced logout of users” and “deactivation of users” are adopted.
  • different user risk levels are combined with corresponding access control methods, so that the safe access of operation and maintenance users can be guaranteed and the security risk of operation and maintenance users can be reduced.
  • after the network management and control unit generates the access control policy, it can also perform the following step:
  • the network management and control unit performs dynamic access control on the operation and maintenance operations performed by the operation and maintenance users according to the access control policy.
  • the network management and control unit can perform the aforementioned steps 201 to 205. After the network management and control unit generates the access control policy, if the operation and maintenance user needs to access the network management and control unit, the network management and control unit performs dynamic access control on the operation and maintenance operations of the operation and maintenance user according to the access control policy, which ensures the safe access of operation and maintenance users and reduces their security risks.
  • Step 206: the policy decision point sends the access control policy to the policy execution point.
  • the policy decision point can send the access control policy to the policy enforcement point through the transmission channel between the policy decision point and the policy enforcement point, so that the policy enforcement point performs dynamic access control on the O&M operations of the operation and maintenance user according to the access control policy.
  • for the specific execution method of the policy enforcement point, refer to the descriptions of the subsequent steps 207 and 208.
  • Step 207: the policy enforcement point obtains the access control policy from the policy decision point.
  • the policy enforcement point can receive the access control policy through the transmission channel between the policy decision point and the policy enforcement point, and the policy enforcement point can analyze the access control policy, so as to obtain the control mode of the operation and maintenance operation of the operation and maintenance user.
  • Step 208: the policy enforcement point performs dynamic access control on the operation and maintenance operations performed by the operation and maintenance user according to the access control policy.
  • the policy enforcement point performs dynamic access control on the operation and maintenance operations of the operation and maintenance users to ensure secure access for operation and maintenance users.
  • the policy enforcement point in step 208 performs dynamic access control on the operation and maintenance operations performed by the operation and maintenance user according to the access control policy, including:
  • the policy enforcement point generates an authorization instruction for each session generated when the operation and maintenance user performs the operation and maintenance operation, according to the access control policy and the work order task, prohibiting operation and maintenance users from performing tasks other than work order tasks.
  • the policy enforcement point determines each session generated when the operation and maintenance user performs the operation and maintenance operation, and the policy enforcement point determines the authorization set for the operation and maintenance user to perform tasks in the session according to the access control policy, and an authorization instruction can be generated for the session.
  • the policy execution point monitors the authority of the operation and maintenance operations performed by the operation and maintenance users according to the authorization instructions.
  • the policy execution point monitors the task content of the operation and maintenance user in each session and the operation and maintenance operations performed by the operation and maintenance user according to the authorization instruction, so that the operation and maintenance user performs the task content according to the authorization set, and prohibits operation and maintenance users from performing tasks other than work order tasks, ensuring safe access for operation and maintenance users and reducing their security risks.
  • the authorization set includes at least one of the following: the account of the operation and maintenance user, the role in which the operation and maintenance user performs the operation and maintenance operation, the time at which the operation and maintenance user performs the operation and maintenance operation, the operation instructions executed by the operation and maintenance user, and the authority of the operation and maintenance user to access the service provision system.
  • the authorization set can control roles, time, instructions, permissions, etc., so that the operation and maintenance users can only perform specific tasks according to the authorization set.
  • the work order task is analyzed to obtain the execution time, the user performing the operation, the type of network element and the operation command.
  • the policy execution point starts the scheduled task according to the work order task, and when the task execution time is reached, the corresponding operation command authority is given to the execution role and user.
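As an added example, not code from the patent, the following Python sketches the policy enforcement point described in the steps above: it analyzes a work order task into an authorization set (account, role, network element type, execution time and operation commands), activates the grant only within the execution window, and denies any session command outside the work order. The field names, the time format and the sample work order are assumptions.

```python
# Added example (not from the patent): a policy enforcement point that turns a
# work order task into an authorization set and checks each command a session
# issues against it. Field names, the time format and the sample work order
# are assumptions made for this illustration.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Tuple

TIME_FMT = "%Y-%m-%d %H:%M"  # assumed format of the work order's execution window


@dataclass(frozen=True)
class AuthorizationSet:
    """Elements the patent lists: account, role, execution time, operation
    instructions and the service (network element type) the user may access."""
    order_id: str
    account: str
    role: str
    ne_type: str
    start: datetime
    end: datetime
    commands: FrozenSet[str]


def build_authorization_set(work_order: Dict[str, object]) -> AuthorizationSet:
    """Analyze an approved work order task (execution time, execution user,
    NE type, operation commands) and form the authorization set for it."""
    start = datetime.strptime(str(work_order["start"]), TIME_FMT)
    end = datetime.strptime(str(work_order["end"]), TIME_FMT)
    if end <= start:
        raise ValueError("work order execution window is empty")
    commands = frozenset(str(c) for c in work_order["commands"])  # type: ignore[union-attr]
    if not commands:
        raise ValueError("work order approves no operation command")
    return AuthorizationSet(
        order_id=str(work_order["order_id"]),
        account=str(work_order["account"]),
        role=str(work_order["role"]),
        ne_type=str(work_order["ne_type"]),
        start=start,
        end=end,
        commands=commands,
    )


def grant_active(auth: AuthorizationSet, now: datetime) -> bool:
    """The scheduled task gives the command authority to the execution role and
    user only once the task execution time is reached, and withdraws it after."""
    return auth.start <= now <= auth.end


def authorize_command(auth: AuthorizationSet, account: str, role: str,
                      ne_type: str, command: str, now: datetime) -> Tuple[bool, str]:
    """Decide one operation inside a session. Returns (allowed, reason);
    anything outside the work order task is prohibited (default deny)."""
    if account != auth.account:
        return False, "account is not the work order's execution user"
    if role != auth.role:
        return False, "role is not the work order's execution role"
    if ne_type != auth.ne_type:
        return False, "network element type not covered by the work order"
    if not grant_active(auth, now):
        return False, "outside the work order execution time"
    if command not in auth.commands:
        return False, "operation command outside the work order task"
    return True, "allowed by work order " + auth.order_id


def enforce_session(auth: AuthorizationSet, account: str, role: str, ne_type: str,
                    ops: List[Tuple[datetime, str]]) -> List[Tuple[str, bool, str]]:
    """Monitor every (time, command) issued in a session against the
    authorization instruction; returns one (command, allowed, reason) per op."""
    return [(cmd,) + authorize_command(auth, account, role, ne_type, cmd, at)
            for at, cmd in ops]


# Constructed sample work order and session (placeholder values, not real data).
SAMPLE_WORK_ORDER: Dict[str, object] = {
    "order_id": "WO-EXAMPLE-001",
    "account": "oam_user01",
    "role": "ne_operator",
    "ne_type": "router",
    "start": "2024-05-01 10:00",
    "end": "2024-05-01 12:00",
    "commands": ["display-config", "backup-config"],
}
SAMPLE_AUTH = build_authorization_set(SAMPLE_WORK_ORDER)
SAMPLE_OPS = [
    (datetime(2024, 5, 1, 9, 30), "display-config"),   # before the execution time
    (datetime(2024, 5, 1, 10, 30), "display-config"),  # within the work order task
    (datetime(2024, 5, 1, 10, 45), "delete-user"),     # command not in the work order
]


def sample_decisions(account: str = "oam_user01", role: str = "ne_operator",
                     ne_type: str = "router") -> List[Tuple[str, bool, str]]:
    """Decisions for the constructed session; other arguments model a mismatched session."""
    return enforce_session(SAMPLE_AUTH, account, role, ne_type, SAMPLE_OPS)


if __name__ == "__main__":
    for cmd, allowed, reason in sample_decisions():
        print(f"{cmd:16s} {'ALLOW' if allowed else 'DENY':5s} {reason}")
```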
  • multi-factor identity authentication is performed on the operation and maintenance user according to the service access request; after the operation and maintenance user passes the multi-factor identity authentication, the work order task to be executed by the operation and maintenance user is obtained from the work order system, the identity data of the operation and maintenance user is obtained from the identity authentication management system, the terminal risk data of the operation and maintenance terminal is obtained from the terminal risk perception system, and the business security data is obtained from the service provision system; the trust of the operation and maintenance user is evaluated according to the work order task, identity data, terminal risk data and business security data, and an access control policy is generated based on the trust evaluation result.
  • since the operation and maintenance operations are kept within a precise and controllable range, the safe access of operation and maintenance users is guaranteed, and the security risk of operation and maintenance users is reduced.
  • the access control policy is obtained from the policy decision point, and dynamic access control is performed on the operation and maintenance operations performed by the operation and maintenance user according to the access control policy.
  • the access control policy includes the control method for the operation and maintenance operations of the operation and maintenance user, so that those operations are kept within a precise and controllable range, ensuring the safe access of the operation and maintenance user and reducing the security risk of the operation and maintenance user.
  • FIG. 3 is a schematic diagram of a scene in which an operation and maintenance user accesses a network management and control unit, provided in the embodiment of the present application.
  • the operation and maintenance user sends a service access request to the network management and control unit (referred to as network management) through the operation and maintenance terminal; the network management and control unit performs multi-factor identity authentication on the operation and maintenance user according to the service access request, acquires multi-dimensional third-party data from the third-party systems, generates an access control policy based on that multi-dimensional third-party data, and performs dynamic access control on the operation and maintenance operations of the operation and maintenance user according to the access control policy.
  • the operation and maintenance user can access the network management and control unit applications and data, or access network elements.
  • Network elements include: wireless base stations, routers, switches, and cloud network elements.
  • the operation and maintenance terminal has a risk-aware agent function; the operation and maintenance terminal sends a service access request to the network management and control unit, and the network management and control unit treats the service access request as untrusted.
  • the operation and maintenance terminal carrying the risk awareness agent can be either a personal computer terminal or a mobile terminal, which is not limited here.
  • the network management and control unit includes: a policy decision point, a policy enforcement point, applications and data.
  • when the operation and maintenance user logs in to the network management and control unit, the operation and maintenance user sends a service access request to the policy enforcement point in the network management and control unit through the operation and maintenance terminal, and the policy decision point in the network management and control unit can enforce multi-factor authentication on the operation and maintenance user to identify the legal identity of the user, for example through user password, SMS verification code, digital certificate, etc.; if the user fails to pass the authentication, the user cannot log in to the network management and control unit.
  • the third-party system includes at least one of the following: a work order system, an identity authentication management system, and a terminal risk awareness system.
  • Third-party systems can provide data query functions to policy decision points.
  • the work order system provides work order tasks
  • the identity authentication management system provides the identity data of operation and maintenance users
  • the terminal risk awareness system provides terminal risk data of operation and maintenance terminals.
  • the policy decision point obtains the work order tasks to be executed by the operation and maintenance user from the work order system, obtains the identity data of the operation and maintenance user from the identity authentication management system, and obtains the terminal risk data of the operation and maintenance terminal from the terminal risk awareness system.
  • the policy decision point can also obtain service security data, for example, the service security data includes: security logs, operation logs, security events and other data of the network management and network elements.
  • the policy decision point evaluates the trust of operation and maintenance users based on work order tasks, identity data, terminal risk data, and business security data, obtains the trust evaluation results, and generates access control policies based on the trust evaluation results.
  • the policy decision point, during the user's operation and maintenance, realizes precise authorization based on work order tasks and, based on the security logs, operation logs and security events of the network management and network elements, as well as the terminal risk data and user identity data input by third parties, continuously and comprehensively evaluates the security credibility of access users and access objects (including network management and control units and network elements), forms user credibility scores, and generates access control policies for users based on those scores. Examples are as follows:
  • Precise authorization based on work order tasks: in the process of performing O&M tasks in the carrier network, the work order application process is involved, and work order tasks can only be executed as planned after being inspected and approved by all parties. On the network management and control unit, the input work order tasks are analyzed to form a specific authorization set that grants user permissions; precise authorization is performed through factors such as account number, role, time, operation instructions, and whether the user has access to the network management and control unit, so that operations outside the scope of the task cannot be performed.
  • Continuous evaluation of user trust and dynamic policies: set up a policy decision point on the network management and control unit, collect multi-dimensional data such as operation logs, security logs and security events of the network management and control unit, as well as terminal risk data and user identity risk information input by third-party systems, and conduct continuous and comprehensive evaluation of the security credibility of access users and access objects (network management and control units).
  • the policy decision point identifies the user's behavior track based on the user's behavior log (including security log, operation log, etc.), terminal risk log, and security event input, combined with the attack chain model. Combined with actual operation and maintenance business scenarios, a trust evaluation model is formed.
  • the trust evaluation model conducts risk discrimination based on comprehensive factors such as the stage of the attack behavior trajectory, context information, occurrence times, risks, and impacts, and refers to historical behavior over a period of time to finally obtain a trust score for each user access session.
  • the access control policy is dynamically generated based on the trust score and risk level of each user access session, combined with context information. Different levels of risk correspond to different levels of access control methods. For example, for low-level risks, “bubble reminder” and “report alarm” are adopted; for medium-level risks, “secondary identity authentication” and “prohibition of high-risk operations” are adopted; and for high-level risks, strategies such as “forced logout of users” and “deactivation of users” are adopted.
  • the policy decision point also supports sending the trust evaluation result to the third-party trust evaluation engine, so that the third-party trust evaluation engine can perform trust evaluation.
  • the operational risk assessment method based on user portraits is explained. Starting from the dimensions of user login and operation and maintenance operations, multi-dimensional data such as security logs, security events, work order tasks and business security data are combined to construct user portraits, learn the historical behavior baselines of users and user groups, and identify through multi-dimensional correlation analysis abnormal user behavior that deviates from the normal behavior baseline, so that operational risks are detected in time and a trust score for the user's operation and maintenance operations is obtained based on the risk.
  • the user group includes multiple users with the same role.
  • the generation method of the trust evaluation model is explained.
  • evaluate user risks based on security events and obtain event risk coefficients, attack stage coefficients, and attack times.
  • based on the event risk coefficient, attack stage coefficient and attack times, the user risk degree is obtained.
  • the event risk coefficient includes multiple risk levels, such as low risk, medium risk, high risk, and urgent risk.
  • the attack chain corresponding to the attack stage coefficient includes: reconnaissance, infiltration, intrusion, implantation, diffusion, and destruction.
  • Specific user risk assessment methods include:
  • the initial value of the security event risk coefficient is related to the event threat level, which is divided into 5 levels; the higher the threat level, the greater the initial risk coefficient.
  • the risk coefficient is affected by the attack stage of the incident, and there are 6 attack stages in total. Attackers follow the behavior track to carry out continuous and in-depth attacks (lateral movement) until they finally achieve their purpose, such as stealing data. Therefore, on the behavior trajectory, a later behavior is more risky than an earlier one.
  • the event risk coefficient is affected by the number of events: the risk coefficient increases as the number of events increases, and when the risk coefficient is close to 1, the growth rate slows down and tends to 1.
  • the current threat rate of the user is related to the threat rate before the event, and the threat rate is the highest when the user is abnormal for the first time during the evaluation period.
  • An example is as follows. Firstly, the credibility rate of the current user and the credibility rate of the previous moment are obtained. Each behavior has a corresponding abnormal probability, which is used to indicate the possibility that this behavior is a real attack. Although the abnormal probability of each behavior is determined by the risk level of the event, the threat level of the event is different in different attack stages. Attackers will follow the behavior track to carry out continuous and in-depth attacks (lateral movement) until they finally achieve the purpose of stealing data and so on. Therefore, on the behavior trajectory, the later behavior is more risky than the previous one. In order to distinguish different attack stages, a kill-chain coefficient is introduced, which is the abnormal probability of events occurring following the user behavior trajectory.
  • a failed authentication may be an accidental password input error by the user, and a risk coefficient of 0.1 can be assigned.
  • if the authentication failure is repeated, the risk coefficient should be increased accordingly, such as to 0.7. It can be seen from the previous examples that the risk coefficient is related to the number of repetitions of abnormal events, and the higher the number of repetitions, the higher the risk coefficient.
  • user operation behaviors and user behavior baselines are obtained, for example, user behavior baselines are established based on user operation logs. Then, according to the user behavior baseline, the proportion of abnormal behavior and the abnormal degree of a single behavior can be calculated. Next, calculate the risk degree of a single behavior according to the proportion of abnormal behavior and the degree of abnormal behavior. Finally, the user risk is calculated based on the single behavior risk and historical risk.
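The following is an added worked example of the trust evaluation model described above, written for this page; it is not code from the patent. The five threat-level base values, the six kill-chain stage exponents, the decay applied to the previous period's threat rate, and the trust-score thresholds that select the control modes are all this example's assumptions, chosen so that a single accidental authentication failure scores 0.1 as on the page.

```python
from dataclasses import dataclass
from typing import Iterable, List

# The six kill-chain stages named on the page, in trajectory order.  A later
# stage is riskier, so it gets a larger exponent (values are this example's
# assumption, not figures from the patent).
STAGES = ["reconnaissance", "infiltration", "intrusion",
          "implantation", "diffusion", "destruction"]
STAGE_COEF = {stage: 1.0 + 0.2 * i for i, stage in enumerate(STAGES)}

# Initial risk coefficient per event threat level (5 levels on the page; the
# specific values are assumed).  Level 1 = 0.1 matches the page's single
# accidental authentication failure.
LEVEL_BASE = {1: 0.1, 2: 0.3, 3: 0.5, 4: 0.7, 5: 0.9}

# Share of the previous period's threat rate carried into the current period
# (assumption; the page only states that the two rates are related).
HISTORY_DECAY = 0.8

# Trust-score thresholds for the three risk bands (assumed).
LOW_RISK_MIN, MEDIUM_RISK_MIN = 0.6, 0.3

# Control modes per risk band, as listed on the page.
CONTROLS = {
    "low": ["bubble reminder", "report alarm"],
    "medium": ["secondary identity authentication",
               "prohibit high-risk operations"],
    "high": ["forced logout of user", "deactivation of user"],
}


@dataclass(frozen=True)
class SecurityEvent:
    """One abnormal event type observed for a user in the evaluation period."""
    kind: str       # e.g. "auth_failure"; informational only
    level: int      # threat level 1..5
    stage: str      # one of STAGES
    count: int = 1  # how many times it occurred in the period


def event_risk(ev: SecurityEvent) -> float:
    """Risk coefficient of one event type after `count` repetitions.

    r = 1 - (1 - base) ** (stage_coef * count): it starts at the level's base
    value, rises with the kill-chain stage and with repetitions, and its
    growth slows as it approaches 1, as the page describes.
    """
    base = LEVEL_BASE[ev.level]
    return 1.0 - (1.0 - base) ** (STAGE_COEF[ev.stage] * ev.count)


def threat_rate(events: Iterable[SecurityEvent],
                previous_rate: float = 0.0) -> float:
    """Current threat rate from this period's events plus decayed history.

    Contributions are combined as 1 - prod(1 - r_i), so the rate never
    exceeds 1 and each additional event adds less than the previous one.
    """
    survive = 1.0 - previous_rate * HISTORY_DECAY
    for ev in events:
        survive *= 1.0 - event_risk(ev)
    return 1.0 - survive


def trust_score(events: Iterable[SecurityEvent],
                previous_rate: float = 0.0) -> float:
    """Trust score of the access session: the complement of the threat rate."""
    return round(1.0 - threat_rate(events, previous_rate), 4)


def risk_level(score: float) -> str:
    """Map a trust score to the page's low / medium / high risk bands."""
    if score >= LOW_RISK_MIN:
        return "low"
    if score >= MEDIUM_RISK_MIN:
        return "medium"
    return "high"


def decide_policy(events: List[SecurityEvent],
                  previous_rate: float = 0.0) -> dict:
    """Trust evaluation result plus the control modes the policy decision
    point would hand to the policy enforcement point."""
    score = trust_score(events, previous_rate)
    level = risk_level(score)
    return {"trust_score": score, "risk_level": level,
            "controls": CONTROLS[level]}


if __name__ == "__main__":
    # Constructed sample session: one mistyped password, then the same
    # account is observed in a later kill-chain stage.
    session = [
        SecurityEvent("auth_failure", level=1, stage="reconnaissance"),
        SecurityEvent("config_export", level=3, stage="intrusion"),
    ]
    print(decide_policy(session))
```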
  • after the policy decision point generates the access control policy in the above manner, it can send the access control policy to the policy enforcement point.
  • the policy enforcement point controls all business access requests of operation and maintenance users based on the access control policy generated by the policy decision point, such as deciding whether to issue an access token or execute other policies according to the access control policy.
  • the policy decision point generates an access control policy according to the trust evaluation result, and the access control policy includes the control mode for the operation and maintenance operation of the operation and maintenance user, so that the operation and maintenance operation of the operation and maintenance user can be accurately controlled.
  • the safe access of operation and maintenance users is guaranteed, and the security risks of operation and maintenance users are reduced.
  • FIG. 4 is a schematic diagram of a scenario in which an operation and maintenance user accesses a network element, provided in the embodiment of the present application.
  • the access scenario for an operation and maintenance user to access a network element is similar to the access scenario for accessing a network management and control unit.
  • the operation and maintenance user sends a service access request to the network element through the operation and maintenance terminal; the network element requests the network management and control unit to perform multi-factor authentication on the operation and maintenance user according to the service access request; the network management and control unit obtains multi-dimensional third-party data from the third-party system and generates access control policies based on that data; and the network element performs dynamic access control on the operation and maintenance operations of the operation and maintenance user according to the access control policies generated by the network management and control unit, so that, for example, the operation and maintenance user can access the network element.
  • Network elements include: wireless base stations, routers, switches, and cloud network elements.
  • the operation and maintenance terminal has a risk awareness agent function; the operation and maintenance terminal sends a service access request to the policy enforcement point in the network element, and the service access request is treated as untrusted by the network element.
  • the operation and maintenance terminal carrying the risk awareness agent can be either a personal computer terminal or a mobile terminal, which is not limited here.
  • in FIG. 4, four policy enforcement points deployed on network elements are taken as an example for illustration.
  • the network management and control unit includes: a policy decision point, a policy enforcement point, applications and data.
  • when the operation and maintenance user logs in to the network element, the operation and maintenance user sends a service access request to the policy enforcement point in the network element through the operation and maintenance terminal, and the policy enforcement point triggers the policy decision point in the network management and control unit to force multi-factor identity authentication of the operation and maintenance user, so as to identify the legal identity of the user, for example through a user password, SMS verification code, digital certificate, etc. If the user fails the authentication, the user cannot log in to the network management and control unit.
  • the third-party system includes at least one of the following: a work order system, an identity authentication management system, and a terminal risk awareness system.
  • Third-party systems can provide data query functions to policy decision points.
  • the work order system provides work order tasks
  • the identity authentication management system provides the identity data of operation and maintenance users
  • the terminal risk awareness system provides terminal risk data of operation and maintenance terminals.
  • the policy decision point obtains the work order tasks to be executed by the operation and maintenance user from the work order system, obtains the identity data of the operation and maintenance user from the identity authentication management system, and obtains the terminal risk data of the operation and maintenance terminal from the terminal risk awareness system.
  • the policy decision point can also obtain service security data, for example, the service security data includes: security logs, operation logs, security events and other data of the network management and network elements.
  • the policy decision point evaluates the trust of operation and maintenance users based on work order tasks, identity data, terminal risk data, and business security data, obtains the trust evaluation results, and generates access control policies based on the trust evaluation results.
  • the policy decision point, in the process of user operation and maintenance, realizes precise authorization based on work order tasks; based on the security logs, operation logs and security events of the network management and network elements, as well as the terminal risk data and user identity data input by third parties, it continuously and comprehensively evaluates the security credibility of access users and access objects (including network management and control units and network elements), forms user credibility scores, and generates access control policies for users based on the credibility scores.
  • Precise authorization based on work order tasks: on the network management and control unit, the input work order tasks are analyzed to form a specific authorization set that grants network element user rights, and precise authorization is carried out on factors such as account number, role, time, operation instructions, and whether the user has access to the network elements; operations that are not within the scope of the work order tasks cannot be performed.
  • Continuous evaluation of user trust and dynamic policies: policy decision points are set up on the network management and control unit, which collect multi-dimensional data such as network element operation and maintenance operation logs, security logs, network element operation and maintenance operation security detection events, and the terminal risk data and user identity data input by third-party systems; they continuously and comprehensively evaluate user risks, support user trust evaluation based on user historical behavior, evaluate and form a user trust score, and dynamically generate access control policies based on the user trust score, such as “bubble reminder”, “report alarm”, “secondary identity authentication”, “prohibition of high-risk operations”, “forced logout of users”, “deactivation of users”, etc.
  • Different levels of risk correspond to different levels of access control methods, such as “bubble reminder” and “report alarm” for low-level risks, “secondary identity authentication” and “prohibit high-risk operations” for medium-level risks, and “forced logout of users” and “deactivation of users” for high-level risks.
  • after the policy decision point generates the access control policy in the above manner, it can send the access control policy to the policy enforcement point.
  • the policy enforcement point controls all business access requests of operation and maintenance users based on the access control policy generated by the policy decision point, such as deciding whether to issue an access token or execute other policies according to the access control policy.
  • the dynamic access control capability based on the zero trust architecture is built on the network management and control unit and network elements.
  • Trust evaluation, real-time policy update and precise authorization based on trust level realize dynamic access control, ensure safe and reliable access by operation and maintenance users, and effectively alleviate various risks of operators' network operation and maintenance management, such as the risk of external advanced penetration attacks, users' illegal access to resources, and the risk of malicious insiders.
  • the legality of user identities is verified through multi-factor authentication, and the OS patches, terminal registration information, and browser security status of login terminals are continuously checked.
  • by minimizing authorization, the risk of human misoperation or external intrusion caused by excessive user authorization can be effectively avoided.
  • FIG. 5 is a schematic diagram of a scenario of preventing an attacker from pretending to be an administrator, provided in the embodiment of the present application.
  • the attacker logs in as an administrator, for example by obtaining the network administrator ID and password information, or by obtaining administrator identity information by attacking terminal devices.
  • the embodiment of the present application can achieve the following technical effects.
  • when a user logs in, the security risk of the terminal device is continuously sensed to prevent an infected terminal from entering the network, and the user is identified through multi-factor authentication; if the attacker obtains only the password of the administrator account, it is still impossible to log in to the system without providing other auxiliary identity information such as biometrics.
  • FIG. 6 is a schematic diagram of a scenario of preventing hidden attacks, provided in the embodiment of the present application.
  • APT (advanced persistent threat) scenario: attackers have successfully passed terminal and identity verification, penetrated into the target system and launched malicious operations.
  • the embodiment of the present application can achieve the following technical effects.
  • through continuous risk perception and trust evaluation of the user's operation behavior, an exception is identified when the user's operation behavior deviates from the daily behavior baseline. For example, if the user requests to execute command x and the access at this moment deviates from the daily behavior baseline, access will be denied, relevant access control will be carried out in a timely manner, and user permissions will be controlled in a timely manner to prevent a major impact on the business.
  • FIG. 7 is a schematic diagram of a scenario of preventing human misoperation accidents, provided in the embodiment of the present application.
  • the network management and control unit connects to the work order task, analyzes the work order task, and accurately authorizes the user according to the authority applied in the work order.
  • the user uses account a and executes command x during period b; if the user does not have a work order task covering this period, the access will be denied, and the user can only exercise the authority within the scope of the work order task, so as to avoid human misoperation accidents.
  • FIG. 8 is a schematic diagram of a scenario of preventing local access that bypasses management and control, provided in the embodiment of the present application.
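As an added example (not code from the patent) of the precise authorization based on work order tasks described earlier for the network management and control unit and for network elements, and of the FIG. 7 scenario above, the following derives an authorization set from approved work orders and checks a request by account, role, target, operation instruction and time. The work order fields, the order and account names, and the sample time window are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, Set, Tuple


@dataclass(frozen=True)
class WorkOrder:
    """An O&M work order as the policy decision point would read it from the
    work order system (field names are this example's assumption)."""
    order_id: str
    account: str
    role: str
    targets: frozenset      # network elements the order covers
    commands: frozenset     # operation instructions approved in the order
    start: datetime
    end: datetime
    approved: bool = False  # inspected and approved by all parties


@dataclass(frozen=True)
class AccessRequest:
    """A service access request as seen by the policy enforcement point."""
    account: str
    role: str
    target: str
    command: str
    at: datetime


def authorization_set(orders: Iterable[WorkOrder], account: str, role: str,
                      at: datetime) -> Dict[str, Set[str]]:
    """Commands the account may run on each target at time `at`, derived
    only from approved orders that match account and role and are in effect."""
    grants: Dict[str, Set[str]] = {}
    for order in orders:
        if not order.approved:
            continue  # applied for but not yet approved: grants nothing
        if order.account != account or order.role != role:
            continue
        if not (order.start <= at <= order.end):
            continue  # outside the planned execution window
        for target in order.targets:
            grants.setdefault(target, set()).update(order.commands)
    return grants


def authorize(orders: Iterable[WorkOrder],
              req: AccessRequest) -> Tuple[bool, str]:
    """Precise authorization: allow only what an in-effect work order grants;
    everything outside that scope is denied with a reason for the audit log."""
    grants = authorization_set(orders, req.account, req.role, req.at)
    if not grants:
        return False, "no approved work order in effect for account/role/time"
    if req.target not in grants:
        return False, f"target {req.target} not covered by any work order"
    if req.command not in grants[req.target]:
        return False, f"command {req.command} outside work order scope"
    return True, "within work order scope"


# Constructed sample: account_a holds an approved order for command_x on
# NE-1 during period b (10:00-12:00 on 2022-02-28); a second order is pending.
ORDERS = [
    WorkOrder("WO-1", "account_a", "field_engineer", frozenset({"NE-1"}),
              frozenset({"command_x"}),
              datetime(2022, 2, 28, 10, 0), datetime(2022, 2, 28, 12, 0),
              approved=True),
    WorkOrder("WO-2", "account_a", "field_engineer", frozenset({"NE-2"}),
              frozenset({"command_y"}),
              datetime(2022, 2, 28, 10, 0), datetime(2022, 2, 28, 12, 0),
              approved=False),
]

if __name__ == "__main__":
    for req in [
        AccessRequest("account_a", "field_engineer", "NE-1", "command_x",
                      datetime(2022, 2, 28, 11, 0)),
        AccessRequest("account_a", "field_engineer", "NE-1", "command_x",
                      datetime(2022, 2, 28, 13, 0)),
        AccessRequest("account_a", "field_engineer", "NE-1", "command_y",
                      datetime(2022, 2, 28, 11, 0)),
    ]:
        print(req.command, req.target, req.at.time(), authorize(ORDERS, req))
```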
  • the attacker obtains the network element login account password, accesses the network element through local login (network cable directly connected to the management port or serial port), and performs malicious operations.
  • the embodiment of the present application can achieve the following technical effects: on the network management and control unit, continuous risk perception and trust assessment are performed on the operation behavior of the network element login user, and when the user's operation behavior is found to be abnormal, a control strategy is generated and delivered to the network element, relevant access control is carried out in a timely manner, the authority of network element users is controlled in a timely manner, and major impacts on services are prevented.
  • the terminal device is specifically a policy decision point 900, and may include: a receiving module 901, an authentication module 902, an acquisition module 903, an evaluation module 904, and a policy generation module 905, wherein:
  • the receiving module is used to receive the service access request sent by the operation and maintenance user through the operation and maintenance terminal;
  • an authentication module configured to perform multi-factor identity authentication on the operation and maintenance user according to the service access request;
  • an acquisition module configured to acquire the work order tasks of the operation and maintenance user from the work order system after the operation and maintenance user passes the multi-factor identity authentication, acquire the identity data of the operation and maintenance user from the identity authentication management system, obtain the terminal risk data of the operation and maintenance terminal from the terminal risk awareness system, and obtain service security data from the service provision system;
  • an evaluation module configured to perform trust evaluation on the operation and maintenance user according to the work order task, the identity data, the terminal risk data and the business security data, and obtain a trust evaluation result;
  • a policy generating module configured to generate an access control policy according to the trust evaluation result.
  • multi-factor identity authentication is performed on the operation and maintenance user according to the service access request; after the operation and maintenance user passes the multi-factor identity authentication, the work order task to be executed by the operation and maintenance user is obtained from the work order system, the identity data of the operation and maintenance user is obtained from the identity authentication management system, the terminal risk data of the operation and maintenance terminal is obtained from the terminal risk awareness system, and the business security data is obtained from the service provision system; the trust of the operation and maintenance user is evaluated according to the work order task, identity data, terminal risk data and business security data, and an access control policy is generated based on the trust evaluation result. With the operation and maintenance operations kept within a precisely controllable scope, the safe access of operation and maintenance users is guaranteed, and the security risk of operation and maintenance users is reduced.
  • the terminal device is specifically a policy enforcement point 1000, and may include: an acquisition module 1001 and a control module 1002, wherein,
  • an acquisition module configured to acquire an access control policy from a policy decision point;
  • a control module configured to perform dynamic access control on the operation and maintenance operations performed by the operation and maintenance user according to the access control policy.
  • the access control policy is obtained from the policy decision point, and dynamic access control is performed on the operation and maintenance operations performed by the operation and maintenance user according to the access control policy.
  • the access control policy includes the control method for the operation and maintenance operation of the operation and maintenance user, so that the operation and maintenance operation of the operation and maintenance user is within a precisely controllable range, ensuring the safe access of the operation and maintenance user and reducing the security risk of the operation and maintenance user.
  • the embodiment of the present application also provides a computer storage medium, wherein the computer storage medium stores a program, and the program executes some or all of the steps described in the above method embodiments.
  • the policy decision point 1100 includes:
  • a receiver 1101, a transmitter 1102, a processor 1103, and a memory 1104 (the number of processors 1103 in the policy decision point 1100 can be one or more, one processor is taken as an example in FIG. 11 ).
  • the receiver 1101 , the transmitter 1102 , the processor 1103 and the memory 1104 may be connected through a bus or in other ways, wherein connection through a bus is taken as an example in FIG. 11 .
  • the memory 1104 may include read-only memory and random-access memory, and provides instructions and data to the processor 1103 .
  • a part of the memory 1104 may also include a non-volatile random access memory (non-volatile random access memory, NVRAM).
  • the memory 1104 stores operating systems and operating instructions, executable modules or data structures, or their subsets, or their extended sets, wherein the operating instructions may include various operating instructions for implementing various operations.
  • the operating system may include various system programs for implementing various basic services and processing hardware-based tasks.
  • the processor 1103 controls the operation of the policy decision point, and the processor 1103 may also be called a central processing unit (central processing unit, CPU).
  • various components of the policy decision point are coupled together through a bus system, where the bus system may include not only a data bus, but also a power bus, a control bus, and a status signal bus.
  • the various buses are referred to as bus systems in the figures.
  • the methods disclosed in the foregoing embodiments of the present application may be applied to the processor 1103 or implemented by the processor 1103 .
  • the processor 1103 may be an integrated circuit chip and has a signal processing capability. In the implementation process, each step of the above method may be implemented by an integrated logic circuit of hardware in the processor 1103 or instructions in the form of software.
  • the above-mentioned processor 1103 may be a general-purpose processor, a digital signal processor (digital signal processor, DSP), an application specific integrated circuit (application specific integrated circuit, ASIC), a field-programmable gate array (field-programmable gate array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components.
  • a general-purpose processor may be a microprocessor, or the processor may be any conventional processor, or the like.
  • the steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a mature storage medium in the field such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, register.
  • the storage medium is located in the memory 1104, and the processor 1103 reads the information in the memory 1104, and completes the steps of the above method in combination with its hardware.
  • the receiver 1101 can be used to receive input digital or character information, and generate signal input related to the relevant setting of policy decision points and function control.
  • the transmitter 1102 can include a display device such as a display screen, and the transmitter 1102 can be used to output numeric or character information through an external interface.
  • the processor 1103 is configured to execute the operation and maintenance processing method performed by the policy decision point shown in FIG. 2 of the foregoing embodiment.
  • the policy enforcement point 1200 includes:
  • a receiver 1201, a transmitter 1202, a processor 1203, and a memory 1204 (the number of processors 1203 in the policy enforcement point 1200 may be one or more, one processor is taken as an example in FIG. 12 ).
  • the receiver 1201 , the transmitter 1202 , the processor 1203 and the memory 1204 may be connected through a bus or in other ways, wherein connection through a bus is taken as an example in FIG. 12 .
  • the memory 1204 may include read-only memory and random-access memory, and provides instructions and data to the processor 1203. A portion of the memory 1204 may also include NVRAM.
  • the memory 1204 stores operating systems and operating instructions, executable modules or data structures, or their subsets, or their extended sets, wherein the operating instructions may include various operating instructions for implementing various operations.
  • the operating system may include various system programs for implementing various basic services and processing hardware-based tasks.
  • the processor 1203 controls the operation of the policy enforcement point, and the processor 1203 may also be called a CPU.
  • various components of the policy enforcement point are coupled together through a bus system, where the bus system may include not only a data bus, but also a power bus, a control bus, and a status signal bus.
  • the various buses are referred to as bus systems in the figures.
  • the methods disclosed in the foregoing embodiments of the present application may be applied to the processor 1203 or implemented by the processor 1203 .
  • the processor 1203 may be an integrated circuit chip, which has a signal processing capability.
  • each step of the above-mentioned method may be implemented by an integrated logic circuit of hardware in the processor 1203 or instructions in the form of software.
  • the aforementioned processor 1203 may be a general processor, DSP, ASIC, FPGA or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components.
  • Various methods, steps, and logic block diagrams disclosed in the embodiments of the present application may be implemented or executed.
  • a general-purpose processor may be a microprocessor, or the processor may be any conventional processor, or the like.
  • the steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a mature storage medium in the field such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, register.
  • the storage medium is located in the memory 1204, and the processor 1203 reads the information in the memory 1204, and completes the steps of the above method in combination with its hardware.
  • the processor 1203 is configured to execute the operation and maintenance processing method performed by the policy enforcement point shown in FIG. 2 of the foregoing embodiment.
  • when the decoding terminal, transmission terminal, or policy enforcement point is a chip in the terminal, the chip includes a processing unit and a communication unit, where the processing unit may be, for example, a processor, and the communication unit may be, for example, an input/output interface, a pin or a circuit, etc.
  • the processing unit may execute the computer-executable instructions stored in the storage unit, so that the chip in the terminal executes the operation and maintenance processing method of any one of the first aspect to the second aspect above.
  • the storage unit is a storage unit in the chip, such as a register, a cache, etc.
  • the storage unit may also be a storage unit in the terminal located outside the chip, such as a read-only memory (read-only memory, ROM) or other type of static storage device that can store static information and instructions, a random access memory (random access memory, RAM), etc.
  • the processor mentioned in any of the above-mentioned places may be a general-purpose central processing unit, a microprocessor, an ASIC, or one or more integrated circuits for controlling the program execution of the above-mentioned methods from the first aspect to the second aspect.
  • the device embodiments described above are only illustrative; the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they can be located in one place or distributed to multiple network units. Part or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • the connection relationship between the modules indicates that they have communication connections, which can be specifically implemented as one or more communication buses or signal lines.
  • the essence of the technical solution of this application, or the part that contributes to the prior art, can be embodied in the form of a software product; the computer software product is stored in a readable storage medium, such as a floppy disk of a computer, U disk, mobile hard disk, ROM, RAM, magnetic disk or optical disk, etc., and includes several instructions to make a computer device (which can be a personal computer, a server, or a network device, etc.) execute the method described in each embodiment of the present application.
  • all or part of them may be implemented by software, hardware, firmware or any combination thereof.
  • when implemented using software, it may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions.
  • the computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server, or data center to another website, computer, server, or data center by wired (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (e.g., infrared, radio, microwave, etc.) means.
  • the computer-readable storage medium may be any available medium that can be stored by a computer, or a data storage device including a server, a data center, and the like integrated with one or more available media.
  • the available medium may be a magnetic medium (such as a floppy disk, a hard disk, or a magnetic tape), an optical medium (such as a DVD), or a semiconductor medium (such as a solid state disk (Solid State Disk, SSD)), etc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

Disclosed in the embodiments of the present application are an operation and maintenance processing method, and a terminal device, which are used for reducing the security risk of an operation and maintenance user. The operation and maintenance processing method provided in the embodiments of the present application comprises: receiving a service access request sent by an operation and maintenance user by means of an operation and maintenance terminal; performing multi-factor identity authentication on the operation and maintenance user on the basis of the service access request; once the operation and maintenance user passes the multi-factor identity authentication, acquiring, from a work order system, a work order task to be executed by the operation and maintenance user, acquiring identity data of the operation and maintenance user from an identity authentication management system, acquiring terminal risk data of the operation and maintenance terminal from a terminal risk perception system, and acquiring service security data from a service providing system; performing trust evaluation on the operation and maintenance user on the basis of the work order task, the identity data, the terminal risk data and the service security data, so as to obtain a trust evaluation result; and generating an access control policy on the basis of the trust evaluation result.

Description

An operation and maintenance processing method and terminal device
This application claims priority to Chinese patent application No. 202210191834.X, entitled "An operation and maintenance processing method and terminal device", filed with the China Patent Office on February 28, 2022, which is incorporated herein by reference in its entirety.
Technical field
This application relates to the field of computer network technologies, and in particular to an operation and maintenance processing method and terminal device.
Background
Operator networks are becoming increasingly complex: multiple standards coexist on the live network, the network scale is larger, and service management has become more complex and difficult, which brings new challenges to network security operation and maintenance management. The operation and maintenance management plane is the core network hub of an operator's network infrastructure; on it the operator's network is managed, for example by bringing new devices online and configuring them, changing existing infrastructure, and modifying running devices or services. The operation and maintenance management plane has therefore become the primary target of malicious attacks aimed at disrupting the operation of the operator's network; an attacker who uses the operation and maintenance management plane to launch attacks may pose a great security risk to the operator's services.
To ensure that operation and maintenance users can access the network securely, the identity of each operation and maintenance user must be authenticated; after authentication succeeds, the user is granted the corresponding operation and maintenance permissions according to his or her role, and can then log in to the network management system and network elements to perform the corresponding operation and maintenance operations. At present, operation and maintenance users are authorized statically. For example, when an operation and maintenance user logs in to the network management system or a network element, the user's identity is authenticated with a user name and password; once authentication has succeeded, the user is not authenticated again until the connection is re-established. In the face of an increasingly complex network environment, the current static authorization scheme for operation and maintenance users carries a high network security risk.
Summary
Embodiments of this application provide an operation and maintenance processing method and a terminal device, which are used to reduce the security risk of operation and maintenance users.
To solve the above technical problem, the embodiments of this application provide the following technical solutions:
According to a first aspect, an embodiment of this application provides an operation and maintenance processing method. The method includes: receiving a service access request sent by an operation and maintenance user through an operation and maintenance terminal; performing multi-factor identity authentication on the operation and maintenance user according to the service access request; after the operation and maintenance user passes the multi-factor identity authentication, obtaining, from a work order system, a work order task to be executed by the operation and maintenance user, obtaining identity data of the operation and maintenance user from an identity authentication management system, obtaining terminal risk data of the operation and maintenance terminal from a terminal risk perception system, and obtaining service security data from a service providing system; performing trust evaluation on the operation and maintenance user according to the work order task, the identity data, the terminal risk data and the service security data to obtain a trust evaluation result; and generating an access control policy according to the trust evaluation result.
In the above solution, multi-factor identity authentication is performed on the operation and maintenance user according to the service access request; after the user passes it, the work order task to be executed by the user is obtained from the work order system, the user's identity data is obtained from the identity authentication management system, the terminal risk data of the operation and maintenance terminal is obtained from the terminal risk perception system, and service security data is obtained from the service providing system; trust evaluation is performed on the user according to the work order task, the identity data, the terminal risk data and the service security data, and an access control policy is generated according to the trust evaluation result. The access control policy includes the manner in which the user's operation and maintenance operations are controlled, so that those operations stay within a precisely controllable scope, secure access of the operation and maintenance user is ensured, and the user's security risk is reduced.
In a possible implementation, the method further includes: performing dynamic access control on the operation and maintenance operations performed by the operation and maintenance user according to the access control policy. In the above solution, after the access control policy is generated, dynamic access control is performed on the operation and maintenance operations performed by the user according to that policy, which ensures secure access of the operation and maintenance user and reduces the user's security risk.
In a possible implementation, performing dynamic access control on the operation and maintenance operations performed by the operation and maintenance user according to the access control policy includes: for each session generated when the operation and maintenance user performs the operation and maintenance operations, generating an authorization instruction according to the access control policy and the work order task, where the authorization instruction indicates the task content that the operation and maintenance user may execute according to an authorization set and prohibits the operation and maintenance user from executing task content outside the work order task; and performing permission monitoring on the operation and maintenance operations performed by the operation and maintenance user according to the authorization instruction. In the above solution, the policy enforcement point monitors, according to the authorization instruction, the task content of the operation and maintenance user in each session and the operation and maintenance operations the user performs, so that the user executes only the task content in the authorization set and is prohibited from executing task content outside the work order task, which ensures secure access of the operation and maintenance user and reduces the user's security risk.
In a possible implementation, the authorization set includes at least one of the following: the account of the operation and maintenance user, the role in which the operation and maintenance user performs operation and maintenance operations, the time at which the operation and maintenance user performs operation and maintenance operations, the operation instructions with which the operation and maintenance user performs operation and maintenance operations, and the permission of the operation and maintenance user to access the service providing system. In the above solution, the authorization set can control the role, time, instructions, permissions and similar items, so that the operation and maintenance user can perform only specific tasks in accordance with the authorization set. For example, the policy enforcement point parses the input work order task to extract the execution time, the executing user, the type of network element operated on and the operation commands. The policy enforcement point starts a scheduled task according to the work order task, and when the task execution time is reached, it grants the permission for the corresponding operation commands to the executing role and user.
In a possible implementation, the method further includes: sending the access control policy to a policy enforcement point, so that the policy enforcement point performs dynamic access control on the operation and maintenance operations performed by the operation and maintenance user according to the access control policy. In the above solution, the policy decision point can send the access control policy to the policy enforcement point through the transmission channel between the policy decision point and the policy enforcement point, so that the policy enforcement point performs dynamic access control on the operation and maintenance operations performed by the operation and maintenance user according to the access control policy.
In a possible implementation, performing trust evaluation on the operation and maintenance user according to the work order task, the identity data, the terminal risk data and the service security data to obtain the trust evaluation result includes: generating a trust evaluation model of the operation and maintenance user according to the work order task, the identity data, the terminal risk data and the service security data; obtaining abnormal behaviour of the operation and maintenance user according to the trust evaluation model; determining an operation and maintenance operation risk parameter of the operation and maintenance user according to the abnormal behaviour and a predetermined historical user behaviour baseline; and generating the trust evaluation result according to the operation and maintenance operation risk parameter. In the above solution, after generating the operation and maintenance operation risk parameter, the policy decision point may use the risk parameter itself as the trust evaluation result, or score the operation and maintenance user according to the risk parameter and use the score as the trust evaluation result. In the embodiments of this application, the policy decision point can identify the abnormal behaviour of the operation and maintenance user through the trust evaluation model and generate the user's trust evaluation result from the abnormal behaviour and the historical user behaviour baseline, which enables accurate evaluation of the operation and maintenance user and improves the accuracy and efficiency of that evaluation.
In a possible implementation, the access control policy includes a user risk level and a corresponding access control method, where: when the user risk level is low risk, the corresponding access control method includes at least one of a bubble reminder and reporting an alarm; or, when the user risk level is medium risk, the corresponding access control method includes at least one of secondary identity authentication and prohibiting execution of high-risk operations; or, when the user risk level is high risk, the corresponding access control method includes at least one of forcibly logging out the user and disabling the user. In the above solution, the access control policy is generated dynamically based on the trust evaluation result of the operation and maintenance user, for example from the trust score and risk level of each access session of the user combined with context information, so that different risk levels correspond to different levels of access control and precise control over operation and maintenance operations is achieved.
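The policy decision point flow described in the aspects above (the multi-factor gate, the four data sources, comparison of observed behaviour against a historical baseline, a risk parameter, a risk level, and the mapping from risk level to control methods), as an added Python illustration that is not part of the patent and not the applicant's code. The record types, the anomaly weights and the level thresholds are constructed assumptions; only the three risk levels and their control methods come from the text.

```python
from dataclasses import dataclass
from datetime import datetime

# One record per data source named in the text. Field names and the sample
# values further down are constructed assumptions, not the patent's data model.
@dataclass(frozen=True)
class WorkOrder:            # from the work order system
    user: str
    ne_type: str
    commands: frozenset
@dataclass(frozen=True)
class Identity:             # from the identity authentication management system
    user: str
    role: str
    mfa_passed: bool
@dataclass(frozen=True)
class TerminalRisk:         # from the terminal risk perception system
    terminal_id: str
    patched: bool
    malware_found: bool
@dataclass(frozen=True)
class ServiceSecurity:      # from the service providing system (O&M logs, events)
    failed_logins: int
    security_events: tuple
@dataclass(frozen=True)
class Baseline:             # predetermined historical behaviour baseline of the user
    work_hours: tuple       # (first_hour, last_hour), inclusive
    terminals: frozenset
    ne_types: frozenset

# Contribution of each anomaly to the risk parameter (assumed weights).
WEIGHTS = {
    "outside_work_hours": 1, "unknown_terminal": 2, "unusual_ne_type": 2,
    "unpatched_terminal": 1, "malware_on_terminal": 5,
    "repeated_failed_logins": 2, "security_event": 3,
    "work_order_user_mismatch": 5,
}

# Risk level -> access control methods, as enumerated in the text.
CONTROLS = {
    "low": ("bubble_reminder", "report_alarm"),
    "medium": ("secondary_authentication", "block_high_risk_operations"),
    "high": ("force_logout", "disable_user"),
}

def find_anomalies(order, identity, terminal, service, baseline, now):
    """Compare the four inputs with the user's baseline; return anomaly names."""
    found = []
    if not (baseline.work_hours[0] <= now.hour <= baseline.work_hours[1]):
        found.append("outside_work_hours")
    if terminal.terminal_id not in baseline.terminals:
        found.append("unknown_terminal")
    if order.ne_type not in baseline.ne_types:
        found.append("unusual_ne_type")
    if not terminal.patched:
        found.append("unpatched_terminal")
    if terminal.malware_found:
        found.append("malware_on_terminal")
    if service.failed_logins >= 3:
        found.append("repeated_failed_logins")
    found.extend("security_event" for _ in service.security_events)
    if order.user != identity.user:
        found.append("work_order_user_mismatch")
    return found

def risk_level(score):
    """Map the risk parameter to the three policy levels (assumed thresholds)."""
    return "low" if score <= 1 else "medium" if score <= 4 else "high"

def evaluate(order, identity, terminal, service, baseline, now):
    """Trust evaluation followed by policy generation; a user who has not
    passed multi-factor authentication is refused before any data is weighed."""
    if not identity.mfa_passed:
        return {"user": identity.user, "decision": "deny", "reason": "mfa_not_passed"}
    anomalies = find_anomalies(order, identity, terminal, service, baseline, now)
    score = sum(WEIGHTS[name] for name in anomalies)
    level = risk_level(score)
    return {"user": identity.user, "decision": "allow_with_controls",
            "risk_parameter": score, "risk_level": level,
            "anomalies": tuple(anomalies), "controls": CONTROLS[level]}

def sample_sessions():
    """Constructed scenarios: routine; night-time from an unknown unpatched terminal
    with a security event; after hours with repeated login failures; no MFA."""
    baseline = Baseline((8, 18), frozenset({"T-001"}), frozenset({"core-router"}))
    order = WorkOrder("alice", "core-router", frozenset({"display", "ping"}))
    alice = Identity("alice", "ne-operator", mfa_passed=True)
    quiet = ServiceSecurity(0, ())
    return {
        "routine": evaluate(order, alice, TerminalRisk("T-001", True, False), quiet,
                            baseline, datetime(2022, 3, 1, 10, 0)),
        "suspicious": evaluate(order, alice, TerminalRisk("T-777", False, False),
                               ServiceSecurity(0, ("privilege_escalation_attempt",)),
                               baseline, datetime(2022, 3, 1, 2, 30)),
        "after_hours": evaluate(order, alice, TerminalRisk("T-001", False, False),
                                ServiceSecurity(3, ()), baseline,
                                datetime(2022, 3, 1, 20, 0)),
        "no_mfa": evaluate(order, Identity("alice", "ne-operator", False),
                           TerminalRisk("T-001", True, False), quiet, baseline,
                           datetime(2022, 3, 1, 10, 0)),
    }
```

The point of the weighting is that a single strong signal (malware on the terminal, or a work order issued to a different user than the one authenticated) lands the session at the high level on its own, while several weak signals that are individually explainable only add up to a medium level, which the policy answers with re-authentication and a block on high-risk operations rather than a forced logout.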
In a possible implementation, the service security data includes operation and maintenance security logs, operation logs and security events of the service providing system. In the above solution, the service providing system provides service access functions to the operation and maintenance user and, while providing service access, can also record service security data; its operation and maintenance security logs, operation logs and security events can all serve as service security data, depending on the application scenario.
In a possible implementation, the service providing system includes at least one of a network management and control unit and a service access network element. In the above solution, because the service types of the operation and maintenance operations performed by the operation and maintenance user differ, the service providing system has multiple implementations; for example, a network management and control unit can provide service access functions to the operation and maintenance user, or a service access network element can provide service access functions to the operation and maintenance user.
According to a second aspect, an embodiment of this application further provides an operation and maintenance processing method. The method includes: obtaining an access control policy from a policy decision point; and performing dynamic access control on the operation and maintenance operations performed by an operation and maintenance user according to the access control policy.
In the above solution, the access control policy is obtained from the policy decision point, and dynamic access control is performed on the operation and maintenance operations performed by the operation and maintenance user according to it. The access control policy includes the manner in which the user's operation and maintenance operations are controlled, so that those operations stay within a precisely controllable scope, secure access of the operation and maintenance user is ensured, and the user's security risk is reduced.
In a possible implementation, performing dynamic access control on the operation and maintenance operations performed by the operation and maintenance user according to the access control policy includes: obtaining the work order task to be executed by the operation and maintenance user; for each session generated when the operation and maintenance user performs the operation and maintenance operations, generating an authorization instruction according to the access control policy and the work order task, where the authorization instruction indicates the task content that the operation and maintenance user may execute according to an authorization set and prohibits the operation and maintenance user from executing task content outside the work order task; and performing permission monitoring on the operation and maintenance operations performed by the operation and maintenance user according to the authorization instruction. In the above solution, the policy enforcement point monitors, according to the authorization instruction, the task content of the operation and maintenance user in each session and the operation and maintenance operations the user performs, so that the user executes only the task content in the authorization set and is prohibited from executing task content outside the work order task, which ensures secure access of the operation and maintenance user and reduces the user's security risk.
In a possible implementation, the authorization set includes at least one of the following: the account of the operation and maintenance user, the role in which the operation and maintenance user performs operation and maintenance operations, the time at which the operation and maintenance user performs operation and maintenance operations, the operation instructions with which the operation and maintenance user performs operation and maintenance operations, and the permission of the operation and maintenance user to access the service providing system. In the above solution,
In a possible implementation, the access control policy includes a user risk level and a corresponding access control method, where: when the user risk level is low risk, the corresponding access control method includes at least one of a bubble reminder and reporting an alarm; or, when the user risk level is medium risk, the corresponding access control method includes at least one of secondary identity authentication and prohibiting execution of high-risk operations; or, when the user risk level is high risk, the corresponding access control method includes at least one of forcibly logging out the user and disabling the user. In the above solution, the authorization set can control the role, time, instructions, permissions and similar items, so that the operation and maintenance user can perform only specific tasks in accordance with the authorization set. For example, the policy enforcement point parses the input work order task to extract the execution time, the executing user, the type of network element operated on and the operation commands. The policy enforcement point starts a scheduled task according to the work order task, and when the task execution time is reached, it grants the permission for the corresponding operation commands to the executing role and user.
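The policy enforcement point side described in the first and second aspects (parsing a work order into an authorization set, activating its command permissions only inside the scheduled execution window, and monitoring each command of a session against that set and against the controls in the policy received from the policy decision point), as an added Python illustration that is not the patent's own code. The work order fields, the list of high-risk commands and the reason strings are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass(frozen=True)
class WorkOrder:                  # as received from the work order system (assumed fields)
    order_id: str
    user: str
    role: str
    ne_type: str
    commands: frozenset
    start: datetime               # scheduled execution window
    end: datetime

@dataclass(frozen=True)
class AuthorizationSet:
    """Authorization set from the text: account, role, execution time, permitted
    operation instructions, and the service providing system (here a network
    element type) the user may access."""
    account: str
    role: str
    start: datetime
    end: datetime
    commands: frozenset
    ne_type: str

def parse_work_order(order):
    """PEP step: extract execution time, executing user, NE type and commands."""
    return AuthorizationSet(order.user, order.role, order.start, order.end,
                            order.commands, order.ne_type)

def grants_at(orders, now):
    """Scheduled-task view: authorization sets whose window is open at `now`.
    Command permissions exist only while the work order window is open."""
    return [a for a in map(parse_work_order, orders) if a.start <= now <= a.end]

# Commands covered by the policy's "prohibit high-risk operations" control (assumed).
HIGH_RISK_COMMANDS = frozenset({"reboot", "reset-config", "delete-user"})

@dataclass
class Session:
    account: str
    role: str
    ne_type: str
    policy: dict                   # access control policy from the PDP
    reauthenticated: bool = False  # secondary identity authentication completed
    active: bool = True
    audit: list = field(default_factory=list)

def _decide(session, command, orders, now):
    controls = session.policy.get("controls", ())
    if not session.active:
        return False, "session_terminated"
    for control in ("disable_user", "force_logout"):   # high-risk level: nothing runs
        if control in controls:
            return False, control
    if "secondary_authentication" in controls and not session.reauthenticated:
        return False, "secondary_authentication_required"
    if "block_high_risk_operations" in controls and command in HIGH_RISK_COMMANDS:
        return False, "high_risk_operation_prohibited"
    # Authorization instruction: only task content of an active work order for this
    # account, role and NE type is allowed; anything else is outside the order.
    matching = [a for a in grants_at(orders, now)
                if (a.account, a.role, a.ne_type) == (session.account, session.role, session.ne_type)]
    if not matching:
        return False, "no_active_work_order"
    if any(command in a.commands for a in matching):
        return True, "within_work_order"
    return False, "command_outside_work_order"

def check_command(session, command, orders, now):
    """Permission monitoring for one command of one session: returns (allowed, reason),
    ends the session on a forced logout, and records the decision for audit."""
    allowed, reason = _decide(session, command, orders, now)
    if reason in ("force_logout", "disable_user"):
        session.active = False
    session.audit.append((now.isoformat(), command, allowed, reason))
    return allowed, reason

def sample_run():
    """Constructed scenario: one work order for alice on a core router, 09:00-11:00,
    exercised by sessions carrying low-, medium- and high-risk policies."""
    orders = [WorkOrder("WO-1", "alice", "ne-operator", "core-router",
                        frozenset({"display", "ping"}),
                        datetime(2022, 3, 1, 9, 0), datetime(2022, 3, 1, 11, 0))]
    t = datetime(2022, 3, 1, 9, 30)
    low = Session("alice", "ne-operator", "core-router", {"controls": ("bubble_reminder",)})
    medium = Session("alice", "ne-operator", "core-router",
                     {"controls": ("secondary_authentication", "block_high_risk_operations")})
    high = Session("alice", "ne-operator", "core-router", {"controls": ("force_logout",)})
    results = {
        "before_window": check_command(low, "display", orders, datetime(2022, 3, 1, 8, 30)),
        "in_window": check_command(low, "display", orders, t),
        "not_in_order": check_command(low, "reboot", orders, t),
        "needs_reauth": check_command(medium, "display", orders, t),
    }
    medium.reauthenticated = True
    results["reauth_ok"] = check_command(medium, "display", orders, t)
    results["high_risk_blocked"] = check_command(medium, "reboot", orders, t)
    results["forced_out"] = check_command(high, "display", orders, t)
    results["after_logout"] = check_command(high, "ping", orders, t)
    return results
```

Two properties are worth noting. The work-order check is a default-deny: a command that is not listed in an open work order for this account, role and network element is refused even for a session the policy rates as low risk, which is what confines the user to the task content of the authorization set. And the policy controls are checked before the work-order match, so a forced logout or a pending secondary authentication takes effect regardless of what the work order would otherwise permit.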
According to a third aspect, an embodiment of this application further provides a terminal device, where the terminal device is specifically a policy decision point and includes:
a receiving module, configured to receive a service access request sent by an operation and maintenance user through an operation and maintenance terminal;
an authentication module, configured to perform multi-factor identity authentication on the operation and maintenance user according to the service access request;
an obtaining module, configured to: after the operation and maintenance user passes the multi-factor identity authentication, obtain a work order task to be executed by the operation and maintenance user from a work order system, obtain identity data of the operation and maintenance user from an identity authentication management system, obtain terminal risk data of the operation and maintenance terminal from a terminal risk perception system, and obtain service security data from a service providing system;
an evaluation module, configured to perform trust evaluation on the operation and maintenance user according to the work order task, the identity data, the terminal risk data and the service security data to obtain a trust evaluation result; and
a policy generation module, configured to generate an access control policy according to the trust evaluation result.
In the third aspect of this application, the constituent modules of the terminal device may further perform the steps described in the first aspect and its various possible implementations; for details, see the foregoing description of the first aspect and its various possible implementations.
According to a fourth aspect, an embodiment of this application further provides a terminal device, where the terminal device is specifically a policy enforcement point and includes:
an obtaining module, configured to obtain an access control policy from a policy decision point; and
a control module, configured to perform dynamic access control on the operation and maintenance operations performed by an operation and maintenance user according to the access control policy.
In the fourth aspect of this application, the constituent modules of the terminal device may further perform the steps described in the first aspect and its various possible implementations; for details, see the foregoing description of the first aspect and its various possible implementations.
According to a fifth aspect, an embodiment of this application provides a computer-readable storage medium that stores instructions which, when run on a computer, cause the computer to perform the method according to the first aspect or the second aspect.
According to a sixth aspect, an embodiment of this application provides a computer program product containing instructions which, when run on a computer, cause the computer to perform the method according to the first aspect.
According to a seventh aspect, an embodiment of this application provides a communication apparatus, which may include an entity such as a terminal device or a chip. The communication apparatus includes a processor and a memory; the memory is configured to store instructions, and the processor is configured to execute the instructions in the memory so that the communication apparatus performs the method according to any one of the first aspect or the second aspect.
According to an eighth aspect, this application provides a chip system. The chip system includes a processor configured to support a policy decision point or a policy enforcement point in implementing the functions involved in the above aspects, for example sending or processing the data and/or information involved in the above methods. In a possible design, the chip system further includes a memory configured to store the program instructions and data necessary for the policy decision point or the policy enforcement point. The chip system may consist of a chip, or may include a chip and other discrete components.
It can be seen from the above technical solutions that the embodiments of this application have the following advantages:
In the embodiments of this application, multi-factor identity authentication is performed on the operation and maintenance user according to the service access request; after the user passes it, the work order task to be executed by the user is obtained from the work order system, the user's identity data is obtained from the identity authentication management system, the terminal risk data of the operation and maintenance terminal is obtained from the terminal risk perception system, and service security data is obtained from the service providing system; trust evaluation is performed on the user according to the work order task, the identity data, the terminal risk data and the service security data, and an access control policy is generated according to the trust evaluation result. The access control policy includes the manner in which the user's operation and maintenance operations are controlled, so that those operations stay within a precisely controllable scope, secure access of the operation and maintenance user is ensured, and the user's security risk is reduced.
In the embodiments of this application, the access control policy is obtained from the policy decision point, and dynamic access control is performed on the operation and maintenance operations performed by the operation and maintenance user according to it. The access control policy includes the manner in which the user's operation and maintenance operations are controlled, so that those operations stay within a precisely controllable scope, secure access of the operation and maintenance user is ensured, and the user's security risk is reduced.
Brief description of the drawings
FIG. 1 is a schematic structural diagram of an operation and maintenance processing system according to an embodiment of this application;
FIG. 2 is a schematic diagram of an interaction procedure between a policy decision point and a policy enforcement point according to an embodiment of this application;
FIG. 3 is a schematic diagram of a scenario in which an operation and maintenance user accesses a network management and control unit according to an embodiment of this application;
FIG. 4 is a schematic diagram of a scenario in which an operation and maintenance user accesses a network element according to an embodiment of this application;
FIG. 5 is a schematic diagram of a scenario for preventing an attacker from impersonating an administrator according to an embodiment of this application;
FIG. 6 is a schematic diagram of a scenario for preventing concealed attack behaviour according to an embodiment of this application;
FIG. 7 is a schematic diagram of a scenario for preventing accidents caused by human misoperation according to an embodiment of this application;
FIG. 8 is a schematic diagram of a scenario for preventing the management and control loophole in which near-end access bypasses control, according to an embodiment of this application;
FIG. 9 is a schematic structural diagram of a policy decision point according to an embodiment of this application;
FIG. 10 is a schematic structural diagram of a policy enforcement point according to an embodiment of this application;
FIG. 11 is a schematic structural diagram of another policy decision point according to an embodiment of this application;
FIG. 12 is a schematic structural diagram of another policy enforcement point according to an embodiment of this application.
Detailed description of the embodiments
Embodiments of the present application provide an operation and maintenance processing method and a terminal device, which are used to reduce the security risks of operation and maintenance users.
Embodiments of the present application are described below with reference to the accompanying drawings.
The terms "first", "second" and the like in the specification, claims and drawings of the present application are used to distinguish similar objects and need not describe a specific order or sequence. It should be understood that terms used in this way are interchangeable where appropriate; this is merely the way in which objects with the same attribute are distinguished when describing the embodiments of the present application. Furthermore, the terms "comprising" and "having", and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, product or apparatus comprising a series of elements is not necessarily limited to those elements but may include other elements not expressly listed or inherent to the process, method, product or apparatus.
Current operator networks are becoming more and more complex: multi-standard networks coexist, the network scale is larger, and service management has become more complicated and difficult. An operation and maintenance processing system can be used to operate and maintain the operator network, and as such it becomes the target of malicious attacks by attackers seeking to disrupt the operation of the operator network. This may pose great security risks to the operator's services, including long-term impacts on the availability and confidentiality of its key services.
An operation and maintenance user can control an operation and maintenance terminal and access the operator network remotely through a local management network, or from the Internet through a virtual private network (VPN), to perform operation and maintenance tasks. The operation and maintenance user can operate and maintain a service access network element (referred to as a network element) by accessing a network management and control unit (referred to as the network manager), or the operation and maintenance user can log in to the network element directly to perform operation and maintenance.
In order to cope with the new, increasingly open and complex security environment, solve the problem of secure access by operation and maintenance users in an untrusted network environment, and reduce the security risks of operation and maintenance users, the embodiments of the present application provide an operation and maintenance processing system that uses more flexible and diverse means to establish new logical boundaries around dynamically changing users, terminals and systems, thereby ensuring secure access and secure access operations for operation and maintenance users. During the operation and maintenance process, the operation and maintenance environment and user behaviour are perceived in real time, trust evaluation is carried out continuously, and dynamic authorization is performed according to the generated trust evaluation result. This effectively mitigates security risks such as theft of the operation and maintenance user's identity information, attackers sneaking into the network by controlling an operation and maintenance terminal, advanced persistent threat (APT) attacks, insider attacks and human misoperation accidents, and achieves continuously trustworthy, adaptive security for operation and maintenance management.
Next, the operation and maintenance processing system and the operation and maintenance processing method provided by the embodiments of the present application are described in detail.
First, referring to FIG. 1, an embodiment of the present application provides an operation and maintenance processing system 100. The operation and maintenance processing system 100 can perform dynamic access control on the operation and maintenance operations of operation and maintenance users, so as to reduce their security risks. The operation and maintenance processing system 100 includes a policy decision point (PDP) 101 and a policy enforcement point (PEP) 102, and the policy decision point 101 and the policy enforcement point 102 can communicate with each other. Specifically, the operation and maintenance user sends a service access request through an operation and maintenance terminal; the policy decision point 101 can perform multi-factor authentication on the operation and maintenance user according to the service access request, to ensure that the identity of the operation and maintenance user is secure and trustworthy. The policy decision point 101 can also collect data from multiple sources, such as data on the operation and maintenance user, the terminal, the environment and behaviour, so that it can continuously carry out trust evaluation and then generate an access control policy. The policy decision point 101 can send the access control policy to the policy enforcement point 102, and the policy enforcement point 102 updates its policy based on the access control policy and precisely authorizes the operation and maintenance user's access operations, thereby implementing dynamic access control and ensuring that the operation and maintenance user's access is secure and trustworthy.
In this embodiment of the present application, the policy decision point can also be connected to a work order system, an identity authentication management system, a terminal risk awareness system and a service provision system. Therefore, during the access process of the operation and maintenance user, the policy decision point can obtain various kinds of security-related data from the work order system, the identity authentication management system, the terminal risk awareness system and the service provision system respectively, and can perform dynamic trust evaluation based on those security-related data to generate an access control policy. The access control policy can be used to indicate the control method for the operation and maintenance user's operation and maintenance operations. The work order system, identity authentication management system, terminal risk awareness system and service provision system may all be referred to as third-party systems.
The work order system stores work order tasks, and the operation and maintenance user needs to perform operation and maintenance operations according to the work order tasks.
The identity authentication management system provides the identity data of the operation and maintenance user. The identity authentication management system may be an authentication, authorization and audit (3A) server or an authentication, authorization, audit and account (4A) server.
The terminal risk awareness system can be used to provide terminal risk data of the operation and maintenance terminal. Terminal risk data may also be called terminal security data, and may include the environmental security data of the operation and maintenance terminal from which the operation and maintenance user has logged in, such as operating system (OS) patch status, terminal registration information and browser security status.
The service provision system can provide service access functions to the operation and maintenance user, and can also record service security data while providing service access. The service security data can contain various content; for example, the service security data includes the operation and maintenance security logs, operation logs and security events of the service provision system.
The service provision system can provide service access functions to the operation and maintenance user, and depending on the service access function, the service provision system includes at least one of the following: a network management and control unit, and a service access network element. That is, for the different service types of the operation and maintenance operations performed by the operation and maintenance user, the service provision system has multiple implementations: for example, the network management and control unit can provide service access functions to the operation and maintenance user, and for another example, the service access network element can provide service access functions to the operation and maintenance user. The specific operation and maintenance operations performed by the operation and maintenance user are not limited in the embodiments of the present application.
In the embodiments of the present application, the policy decision point and the policy enforcement point may be deployed on the same device, or on different devices. For example, the operation and maintenance user may access the network management and control unit through the operation and maintenance terminal; both the policy decision point and the policy enforcement point may be deployed on the network management and control unit, the policy decision point generates the access control policy, and the policy enforcement point performs dynamic access control on the operation and maintenance user's operation and maintenance operations according to that policy. For another example, the operation and maintenance user may access the service access network element through the operation and maintenance terminal; the policy decision point may be deployed on the network management and control unit and the policy enforcement point on the service access network element, the policy decision point generates the access control policy, and the policy enforcement point performs dynamic access control on the operation and maintenance user's operation and maintenance operations according to that policy.
Based on the operation and maintenance processing system described above, the operation and maintenance processing method provided by the embodiments of the present application is introduced next. As shown in FIG. 2, it mainly comprises the interaction flow between the policy decision point and the policy enforcement point, and specifically may include the following steps:
201. The policy decision point receives a service access request sent by the operation and maintenance user through the operation and maintenance terminal.
When the operation and maintenance user needs to initiate access to the service provision system, the operation and maintenance user can control the operation and maintenance terminal to generate a service access request, and the operation and maintenance terminal sends the service access request; for example, the operation and maintenance terminal sends the service access request to the policy enforcement point, and the policy enforcement point forwards it to the policy decision point, so that the policy decision point receives the service access request. The specific content of the service access initiated by the operation and maintenance user is not limited in the embodiments of the present application.
202. The policy decision point performs multi-factor authentication on the operation and maintenance user according to the service access request.
After receiving the service access request, the policy decision point needs to authenticate the identity of the operation and maintenance user who initiated the request, to confirm that the identity of that user is trustworthy. In the embodiments of the present application, the policy decision point performs multi-factor authentication on the operation and maintenance user according to the service access request; multi-factor authentication improves the security of identity authentication. Multi-factor authentication can be implemented in many ways. The policy decision point uses identity as the cornerstone of the logical boundary and applies multi-factor authentication techniques such as user passwords, digital certificates, SMS verification codes and fingerprints to perform mandatory identity authentication of the operation and maintenance user, and uses the authentication result as the trust basis for access control, ensuring that the operation and maintenance user's identity is trustworthy. If the operation and maintenance user's identity is trustworthy, the subsequent step 203 is triggered; if the identity is untrustworthy, the operation and maintenance user's service access request is rejected, that is, step 203 is not executed.
203. After the operation and maintenance user passes multi-factor authentication, the policy decision point obtains the operation and maintenance user's pending work order task from the work order system, obtains the operation and maintenance user's identity data from the identity authentication management system, obtains the terminal risk data of the operation and maintenance terminal from the terminal risk awareness system, and obtains service security data from the service provision system.
In the embodiments of the present application, multi-factor authentication is performed on the operation and maintenance user according to the service access request in step 202. After the operation and maintenance user passes multi-factor authentication, step 203 can be executed; if the operation and maintenance user fails multi-factor authentication, step 203 cannot be executed.
After the operation and maintenance user passes multi-factor authentication, the policy decision point can obtain various kinds of security-related data. From the description of the policy decision point's connections above, the policy decision point can also be connected to the work order system, the identity authentication management system, the terminal risk awareness system and the service provision system, and can therefore obtain the relevant security data from each of these systems. Specifically, the policy decision point can perform continuous trust evaluation on the operation and maintenance user. In the embodiments of the present application, the access of all operation and maintenance users is untrusted by default, and user trust evaluation and dynamic policy management capabilities are built on the policy decision point, so that the policy decision point can perform one or more of the following data acquisition functions:
obtaining the operation and maintenance user's pending work order task from the work order system; and
obtaining the operation and maintenance user's identity data from the identity authentication management system; and
obtaining the terminal risk data of the operation and maintenance terminal from the terminal risk awareness system; and
obtaining service security data from the service provision system.
The work order system stores a variety of work order tasks. The work order system can send the operation and maintenance user's pending work order task to the policy decision point, and the policy decision point parses the input work order task, extracting the execution time, executing user, type of network element operated on and operation command from the work order.
The identity authentication management system can send the operation and maintenance user's identity data to the policy decision point, so that the policy decision point can continuously authenticate the operation and maintenance user's identity data.
The terminal risk awareness system can send the terminal risk data of the operation and maintenance terminal to the policy decision point, and the policy decision point can use the terminal risk data to continuously monitor and evaluate the security environment of the operation and maintenance terminal, such as OS patch status, terminal registration information and browser security status.
The service provision system can send service security data to the policy decision point, and the policy decision point can use the service security data to perform security detection on the service provision system that the operation and maintenance user is about to access; for example, the policy decision point can obtain the operation and maintenance operation logs of the network management and control unit and the network elements, the security events of the network management and control unit, and so on.
204. The policy decision point performs trust evaluation on the operation and maintenance user according to the work order task, identity data, terminal risk data and service security data, and obtains a trust evaluation result.
After obtaining the work order task, identity data, terminal risk data and service security data, the policy decision point can analyze these data comprehensively, evaluate the security level of the operation and maintenance user from them, and generate a trust evaluation result, which may include the security level information obtained by the trust evaluation of the operation and maintenance user. The content of the trust evaluation result depends on the work order task, identity data, terminal risk data and service security data; its specific content is not limited in the embodiments of the present application.
In some embodiments of the present application, step 204, in which the policy decision point performs trust evaluation on the operation and maintenance user according to the work order task, identity data, terminal risk data and service security data and obtains a trust evaluation result, includes:
A1. Generating a trust evaluation model for the operation and maintenance user according to the work order task, identity data, terminal risk data and service security data.
The policy decision point can obtain multi-dimensional data such as the work order task, identity data, terminal risk data and service security data, and continuously and comprehensively evaluate the security credibility of the operation and maintenance user. Specifically, the policy decision point can input the work order task, identity data, terminal risk data and service security data into an attack chain model and, in combination with the actual operation and maintenance service scenario, generate a trust evaluation model that can identify the user's behaviour trajectory.
A2. Obtaining the abnormal behaviour of the operation and maintenance user according to the trust evaluation model.
After generating the trust evaluation model, the policy decision point identifies the abnormal behaviour of the operation and maintenance user through the trust evaluation model. For example, the abnormal behaviour of the operation and maintenance user may be a request to execute task content beyond the work order task; or the abnormal behaviour may be that the operation and maintenance terminal has risk data; or the abnormal behaviour may be that the network management and control unit or network element accessed by the operation and maintenance user generates a security event; and so on.
A3. Determining the operation and maintenance operation risk parameter of the operation and maintenance user according to the abnormal behaviour of the operation and maintenance user and a predetermined user historical behaviour baseline.
The policy decision point can predetermine a user historical behaviour baseline, and the user's historical behaviour serves as a reference. After identifying the abnormal behaviour of the operation and maintenance user, the policy decision point generates the operation and maintenance operation risk parameter of the operation and maintenance user, which can indicate the risk level corresponding to the operation and maintenance operation performed by that user. For example, the policy decision point performs risk discrimination based on comprehensive factors such as the stage of the abnormal behaviour, its context information, number of occurrences, risk and impact, and with reference to the user historical behaviour baseline finally obtains the operation and maintenance operation risk parameter of the operation and maintenance user.
A4. Generating the trust evaluation result according to the operation and maintenance operation risk parameter.
After generating the operation and maintenance operation risk parameter, the policy decision point can use the operation and maintenance operation risk parameter directly as the trust evaluation result, or score the operation and maintenance user according to the operation and maintenance operation risk parameter to generate the trust evaluation result. In the embodiments of the present application, the policy decision point can identify the abnormal behaviour of the operation and maintenance user through the trust evaluation model and generate the trust evaluation result from the abnormal behaviour and the user historical behaviour baseline, which enables accurate evaluation of the operation and maintenance user and improves the accuracy and efficiency of that evaluation.
For example, the policy decision point treats the access of all operation and maintenance users as untrusted by default, and user trust evaluation and dynamic policy management capabilities are built on the policy decision point, specifically:
The work order task input from the work order system is parsed so that the user is precisely authorized on the basis of the work order task. Fine-grained authorization is performed on elements such as account, role, time and operation instruction, and the user is prohibited from executing high-risk operations outside the work order task that would produce unexpected results, avoiding the risk of human misoperation and illegal access. The input work order task is parsed to extract the execution time, executing user, type of network element operated on and operation command. A scheduled task is started according to the work order task, and when the task execution time is reached, the permission for the corresponding operation command is granted to the executing role and user.
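The work-order-based authorization described above, written out as an added example that is not code from the patent: a policy decision point parses each work order into executing user, network element type, permitted commands and execution window, and grants a requested command only when all four match. The "scheduled task" of the text is modelled here as a time-window check evaluated when the request arrives; the field names, sample tickets and command names are constructed assumptions.

```python
"""Added example, not code from the patent: a policy decision point (PDP) that
parses work orders and grants a command only to the named executing user, only
for the listed network element (NE) type and commands, and only inside the work
order's execution window. Field names, sample tickets and command names are
constructed assumptions; the scheduled task of the text is modelled as a
time-window check evaluated when the request arrives."""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional

# Constructed sample work orders in the shape the PDP is assumed to receive.
SAMPLE_WORK_ORDERS = [
    {"ticket_id": "WO-0001", "executing_user": "alice", "ne_type": "base-station",
     "commands": ["display-cell", "modify-cell-power"],
     "execution_time": {"start": "2024-05-01T22:00:00", "end": "2024-05-02T02:00:00"}},
    {"ticket_id": "WO-0002", "executing_user": "bob", "ne_type": "core-router",
     "commands": ["display-interface"],
     "execution_time": {"start": "2024-05-03T09:00:00", "end": "2024-05-03T10:00:00"}},
]


@dataclass(frozen=True)
class WorkOrder:
    """The elements the text says the PDP extracts from a work order."""
    ticket_id: str
    executing_user: str
    ne_type: str
    commands: frozenset
    start: datetime
    end: datetime


def parse_work_order(raw: dict) -> WorkOrder:
    """Parse one work-order record; reject empty windows or empty command lists."""
    start = datetime.fromisoformat(raw["execution_time"]["start"])
    end = datetime.fromisoformat(raw["execution_time"]["end"])
    if end <= start:
        raise ValueError(f"{raw['ticket_id']}: empty execution window")
    commands = frozenset(raw["commands"])
    if not commands:
        raise ValueError(f"{raw['ticket_id']}: no operation commands listed")
    return WorkOrder(raw["ticket_id"], raw["executing_user"], raw["ne_type"],
                     commands, start, end)


class WorkOrderAuthorizer:
    """Fine-grained authorization on account, NE type, command and time."""

    def __init__(self, orders: Iterable[WorkOrder]):
        self._orders = list(orders)

    def matching_ticket(self, user: str, ne_type: str, command: str,
                        now: datetime) -> Optional[str]:
        """Return the ticket that authorizes this request right now, else None.
        The window end is exclusive, so the grant lapses exactly at 'end'."""
        for wo in self._orders:
            if (wo.executing_user == user and wo.ne_type == ne_type
                    and command in wo.commands and wo.start <= now < wo.end):
                return wo.ticket_id
        return None


def build_authorizer() -> WorkOrderAuthorizer:
    """Load the constructed sample work orders into an authorizer."""
    return WorkOrderAuthorizer(parse_work_order(r) for r in SAMPLE_WORK_ORDERS)


def authorize(user: str, ne_type: str, command: str, now_iso: str) -> dict:
    """PDP decision for one request; the reason is what an audit log would record."""
    now = datetime.fromisoformat(now_iso)
    ticket = build_authorizer().matching_ticket(user, ne_type, command, now)
    if ticket is None:
        return {"allowed": False,
                "reason": "no work order covers this user, NE type, command and time"}
    return {"allowed": True, "reason": f"authorized by {ticket}"}


if __name__ == "__main__":
    print(authorize("alice", "base-station", "display-cell", "2024-05-01T23:00:00"))
    print(authorize("alice", "base-station", "display-cell", "2024-05-02T03:00:00"))
```

Because the decision is recomputed on every request, a command that was permitted at 23:00 is refused at 03:00 once the window has closed, and a command that the ticket never listed is refused even inside the window, which is the "no high-risk operations outside the work order" property the text calls for.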
For the diverse access modes of operation and maintenance terminals, the security environment of the login terminal, such as OS patch status, terminal registration information and browser security status, is continuously monitored and evaluated on the basis of the terminal risk data input from the terminal risk awareness system. Once an abnormality is found, the user's trust level is lowered immediately and access rights are adjusted dynamically, preventing an attacker from impersonating an administrator or attacking through an infected operation and maintenance terminal. For example, if the terminal operating system has an unpatched vulnerability, a browser-related component has an unpatched security vulnerability, non-compliant or pirated software is installed on the terminal, or a virus or Trojan has been installed on the terminal, it can be determined that the operation and maintenance terminal has a security problem at the operating system or application software level, and the operation and maintenance terminal is identified as abnormal.
During the user's operation and maintenance operations, all access operations of the operation and maintenance user are continuously monitored and evaluated for security on the basis of multi-dimensional data such as the user identity data input from the identity authentication management system, the operation and maintenance operation logs of the network management and control unit and network elements, and the security events of the network management and control unit. For abnormal behaviour that deviates from the daily access baseline and for threat events, once an abnormality is found the user's trust level is lowered immediately and access rights are adjusted dynamically, minimizing the impact of an intrusion.
205. The policy decision point generates an access control policy according to the trust evaluation result.
Specifically, after performing trust evaluation on the operation and maintenance user, the policy decision point generates an access control policy according to the trust evaluation result. The access control policy includes the control method for the operation and maintenance user's operation and maintenance operations, so that those operations stay within a precisely controllable range and the operation and maintenance user's access is secure.
In some embodiments of the present application, the access control policy includes: a user risk level and a corresponding access control method;
where, when the user risk level is low-level risk, the corresponding access control method includes at least one of the following: bubble reminder, reporting an alarm; or,
when the user risk level is medium-level risk, the corresponding access control method includes at least one of the following: secondary identity authentication, prohibiting execution of high-risk operations; or,
when the user risk level is high-level risk, the corresponding access control method includes at least one of the following: forcibly logging out the user, deactivating the user.
For example, the access control policy is dynamically generated on the basis of the operation and maintenance user's trust evaluation result, such as the trust score and risk level of each access session of the operation and maintenance user, combined with context information; different risk levels correspond to different levels of access control method, thereby achieving precise control over operation and maintenance operations. For low-level risk, "bubble reminder" and "report an alarm" are used, where a bubble reminder means sending a reminder box as a pop-up bubble so that the user receives the prompt about the low-level risk. For medium-level risk, "secondary identity authentication" and "prohibit execution of high-risk operations" are used; for high-level risk, policies such as "forcibly log out the user" and "deactivate the user" are used. In the embodiments of the present application, the access control policy combines different user risk levels with corresponding access control methods, so the secure access of the operation and maintenance user can be guaranteed and the operation and maintenance user's security risk reduced.
In some embodiments of the present application, if the policy decision point that performs the foregoing steps 201 to 205 is deployed on the network management and control unit and the policy enforcement point is also deployed on the network management and control unit, the network management and control unit may further perform the following step after generating the access control policy:
B1. The network management and control unit performs dynamic access control on the O&M operations performed by the O&M user according to the access control policy.
Here the network management and control unit can perform the foregoing steps 201 to 205. After the network management and control unit has generated the access control policy, if the O&M user needs to access the network management and control unit, the unit performs dynamic access control on the O&M operations performed by the O&M user according to the access control policy, which guarantees the secure access of the O&M user and reduces the O&M user's security risk.
206. The policy decision point sends the access control policy to the policy enforcement point.
After the policy decision point has performed step 205, it can send the access control policy to the policy enforcement point over the transmission channel between the policy decision point and the policy enforcement point, so that the policy enforcement point performs dynamic access control on the O&M operations performed by the O&M user according to the access control policy. The specific method performed by the policy enforcement point is described in steps 207 and 208 below.
207. The policy enforcement point obtains the access control policy from the policy decision point.
The policy enforcement point can receive the access control policy over the transmission channel between the policy decision point and the policy enforcement point; it parses the access control policy and thereby obtains the control mode for the O&M user's O&M operations.
208. The policy enforcement point performs dynamic access control on the O&M operations performed by the O&M user according to the access control policy.
The policy enforcement point performs dynamic access control on the O&M user's O&M operations: an O&M operation may only be executed within the control range indicated by the access control policy, so that the O&M user's operations stay within a precisely controllable range and the O&M user's access is secure.
In some embodiments of the present application, step 208, in which the policy enforcement point performs dynamic access control on the O&M operations performed by the O&M user according to the access control policy, includes:
C1. For each session produced when the O&M user performs O&M operations, the policy enforcement point generates an authorization instruction according to the access control policy and the work order task. The authorization instruction indicates the task content the O&M user may execute according to the authorization set, and prohibits the O&M user from executing any task content outside the work order task.
The policy enforcement point identifies each session produced when the O&M user performs O&M operations, determines according to the access control policy the authorization set for the tasks the O&M user may perform in that session, and can generate an authorization instruction for the session.
C2. The policy enforcement point monitors the permissions of the O&M operations performed by the O&M user according to the authorization instruction.
The policy enforcement point monitors, according to the authorization instruction and the task content of the O&M user in each session, the permissions of the O&M operations performed by the O&M user, so that the O&M user executes the task content according to the authorization set and is prohibited from executing task content outside the work order task; this guarantees the secure access of the O&M user and reduces the O&M user's security risk.
In some embodiments of the present application, the authorization set includes at least one of the following: the account of the O&M user, the role in which the O&M user performs the O&M operation, the time at which the O&M user performs the O&M operation, the operation instructions with which the O&M user performs the O&M operation, and whether the O&M user has permission to access the service provision system.
The authorization set can control the role, time, instructions, permissions and so on, so that the O&M user can only perform specific tasks according to the authorization set. For example, the policy enforcement point parses the input work order task and extracts from it the execution time, the executing user, the type of network element operated on and the operation commands. The policy enforcement point starts a timed task according to the work order task; when the task execution time arrives, it grants the permissions for the corresponding operation commands to the executing role and user.
As an example, the work order task is parsed to achieve precise authorization of the user based on the work order task: fine-grained authorization by account, role, time, operation instruction and other elements prohibits the user from performing high-risk operations outside the work order task that would produce unexpected results, and avoids the risks of human misoperation and illegal access, thereby guaranteeing the secure access of the O&M user and reducing the O&M user's security risk.
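The work-order parsing and permission monitoring of steps C1 and C2, as an added example that is not part of the patent: a toy policy enforcement point turns an approved work order into an authorization set and checks each session request against it, denying anything the ticket does not cover. The work order format, field names, commands and time window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuthorizationSet:
    """Authorization set derived from one approved work order."""
    account: str
    role: str
    ne_type: str
    commands: frozenset          # operation instructions the work order allows
    start: datetime              # scheduled execution window
    end: datetime
    may_access_mgmt_unit: bool   # permission to reach the management unit


def parse_work_order(ticket: dict) -> AuthorizationSet:
    """Parse an approved work order (constructed dict format, an assumption)
    into a concrete authorization set."""
    start = datetime.fromisoformat(ticket["start"])
    end = datetime.fromisoformat(ticket["end"])
    if end <= start:
        raise ValueError("work order has an empty execution window")
    return AuthorizationSet(
        account=ticket["account"],
        role=ticket["role"],
        ne_type=ticket["ne_type"],
        commands=frozenset(c.strip().lower() for c in ticket["commands"]),
        start=start,
        end=end,
        may_access_mgmt_unit=bool(ticket.get("mgmt_unit_access", False)),
    )


@dataclass(frozen=True)
class SessionRequest:
    """One operation the O&M user attempts inside a session."""
    account: str
    role: str
    ne_type: str
    command: str
    at: datetime
    via_mgmt_unit: bool = False


def authorize(auth: AuthorizationSet, req: SessionRequest) -> tuple:
    """Permit only what the work order covers. Every check is a deny-by-default
    gate; the reason string is what the enforcement point would log."""
    if req.account != auth.account:
        return False, "account not named in work order"
    if req.role != auth.role:
        return False, "role not authorised by work order"
    if not auth.start <= req.at <= auth.end:
        return False, "outside scheduled execution window"
    if req.ne_type != auth.ne_type:
        return False, "network element type not in work order"
    if req.via_mgmt_unit and not auth.may_access_mgmt_unit:
        return False, "work order grants no access to the management unit"
    if req.command.strip().lower() not in auth.commands:
        return False, "operation instruction outside work order task"
    return True, "permitted by work order"


# Constructed sample work order; all values are placeholders.
SAMPLE_TICKET = {
    "ticket_id": "WO-PLACEHOLDER-001",
    "account": "ops_user_a",
    "role": "ne_maintainer",
    "ne_type": "router",
    "start": "2024-01-10T02:00:00",
    "end": "2024-01-10T04:00:00",
    "commands": ["display interface", "display alarm"],
    "mgmt_unit_access": False,
}


def sample_decisions() -> dict:
    """Run a few constructed session requests against the sample work order."""
    auth = parse_work_order(SAMPLE_TICKET)
    in_window = datetime(2024, 1, 10, 2, 30)
    after_window = datetime(2024, 1, 10, 5, 0)
    requests = {
        "in_ticket": SessionRequest("ops_user_a", "ne_maintainer", "router",
                                    "display interface", in_window),
        "high_risk_outside_ticket": SessionRequest("ops_user_a", "ne_maintainer",
                                                   "router", "reboot", in_window),
        "after_window": SessionRequest("ops_user_a", "ne_maintainer", "router",
                                       "display interface", after_window),
        "via_mgmt_unit": SessionRequest("ops_user_a", "ne_maintainer", "router",
                                        "display alarm", in_window, via_mgmt_unit=True),
    }
    return {name: authorize(auth, req) for name, req in requests.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in sample_decisions().items():
        print(f"{name:26s} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```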
From the examples in the foregoing embodiments it can be seen that multi-factor identity authentication is performed on the O&M user according to the service access request; after the O&M user passes multi-factor identity authentication, the O&M user's pending work order task is obtained from the work order system, the O&M user's identity data from the identity authentication management system, the terminal risk data of the O&M terminal from the terminal risk awareness system, and the service security data from the service provision system; the O&M user's trust is evaluated according to the work order task, identity data, terminal risk data and service security data, and an access control policy is generated according to the trust evaluation result. The access control policy includes the control mode for the O&M user's O&M operations, so that those operations stay within a precisely controllable range, which guarantees the secure access of the O&M user and reduces the O&M user's security risk.
In the embodiments of the present application, the access control policy is obtained from the policy decision point, and dynamic access control is performed on the O&M operations performed by the O&M user according to the access control policy. The access control policy includes the control mode for the O&M user's O&M operations, so that those operations stay within a precisely controllable range, which guarantees the secure access of the O&M user and reduces the O&M user's security risk.
To facilitate a better understanding and implementation of the above solutions of the embodiments of the present application, corresponding application scenarios are described by way of example below.
FIG. 3 is a schematic diagram of a scenario, provided in an embodiment of the present application, in which an O&M user accesses the network management and control unit. The O&M user sends a service access request through the O&M terminal to the network management unit (which may be abbreviated as the network manager); the network management and control unit performs multi-factor identity authentication on the O&M user according to the service access request, obtains multi-dimensional third-party data from the third-party systems and generates an access control policy on the basis of that multi-dimensional third-party data; it then performs dynamic access control on the O&M user's O&M operations according to the access control policy, for example allowing the O&M user to access applications and data in the network management and control unit or to access network elements. Network elements include wireless base stations, routers, switches, cloud-based network elements and the like.
The devices and functional modules shown in FIG. 3 are described next.
The O&M terminal has a risk awareness agent function. The O&M terminal sends a service access request to the network management and control unit; to the network management and control unit, this service access request is untrusted. The risk awareness agent may run on a personal computer or on a mobile device, without limitation here.
The network management and control unit includes a policy decision point, a policy enforcement point, and applications and data.
When the O&M user logs in to the network management and control unit, the O&M user sends a service access request through the O&M terminal to the policy enforcement point in the network management and control unit. The policy decision point in the network management and control unit can enforce multi-factor identity authentication of the O&M user to verify the user's legitimate identity, for example by user password, SMS verification code or digital certificate; a user who fails authentication cannot log in to the network management and control unit.
The third-party systems include at least one of the following: a work order system, an identity authentication management system, and a terminal risk awareness system. The third-party systems can provide data query functions to the policy decision point: for example, the work order system provides work order tasks, the identity authentication management system provides the identity data of the O&M user, and the terminal risk awareness system provides the terminal risk data of the O&M terminal.
After the O&M user passes multi-factor identity authentication, the policy decision point obtains the O&M user's pending work order task from the work order system, the O&M user's identity data from the identity authentication management system, and the terminal risk data of the O&M terminal from the terminal risk awareness system. In addition, the policy decision point can obtain service security data, which includes for example the security logs, operation logs and security events of the network manager and the network elements.
The policy decision point evaluates the O&M user's trust according to the work order task, identity data, terminal risk data and service security data, obtains a trust evaluation result, and generates an access control policy according to the trust evaluation result.
During the user's O&M operations, the policy decision point implements precise authorization based on the work order task and, at the same time, continuously and comprehensively evaluates the security trustworthiness of the accessing user and of the accessed objects (including the network management and control unit and the network elements) on the basis of multi-dimensional data: the security logs, operation logs and security events of the network manager and the network elements, together with the terminal risk data and user identity data input by third parties. This produces a user trust score, from which an access control policy for the user is generated. Examples are as follows:
Precise authorization based on work order tasks: The process of performing O&M tasks on an operator network involves a work order application procedure, and a work order task may only be executed as scheduled after it has been checked and approved by all parties. On the network management and control unit, the input work order task is parsed into a concrete authorization set that grants the user permissions; precise authorization is performed by account, role, time, operation instructions, whether the user has permission to access the network management and control unit, and other elements, and operations outside the scope of the work order task cannot be executed.
Continuous evaluation of user trust and dynamic policy: A policy decision point is deployed on the network management and control unit. It collects multi-dimensional data, namely the operation logs, security logs and security events of the network management and control unit together with the terminal risk data and user identity risk information input by third-party systems, and continuously and comprehensively evaluates the security trustworthiness of the accessing user and of the accessed object (the network management and control unit).
The policy decision point identifies the user's behaviour trajectory from the user's behaviour logs (including security logs and operation logs), the terminal risk logs and the security event input, combined with an attack chain model. A trust evaluation model is formed in combination with the actual O&M business scenarios. The trust evaluation model discriminates risk on the basis of combined factors such as the stage of the attack behaviour trajectory, context information, number of occurrences, risk and impact, refers to historical behaviour over a period of time, and finally derives a trust score for each access session of the user.
The access control policy is generated dynamically from the trust score and risk level of each access session of the user, combined with context information. Different levels of risk correspond to different levels of access control method: for low-level risk, "bubble reminder" and "report alarm"; for medium-level risk, "secondary identity authentication" and "prohibition of high-risk operations"; for high-level risk, "forced logout of the user", "deactivation of the user" and similar policies.
In addition, the policy decision point also supports sending the trust evaluation result to a third-party trust evaluation engine, so that the third-party trust evaluation engine can perform trust evaluation.
The trust evaluation model and evaluation method involved in the embodiments of this application are as follows:
First, the operational risk evaluation method based on user profiling is explained. Starting from the dimensions of user login and O&M operations, multi-dimensional data such as security logs, security events, work order tasks and service security data are combined to build a user profile and to learn the historical behaviour baselines of users and user groups. Multi-dimensional correlation analysis identifies abnormal user behaviour that deviates from the normal behaviour baseline, so that operational risk is detected in time, and a trust score for the user's O&M operations is derived from that risk. A user group consists of multiple users that share the same role.
Next, how the trust evaluation model is generated is explained. First, user risk is evaluated on the basis of security events: the event risk coefficient, the attack stage coefficient and the number of attacks are obtained, and the user risk degree is derived from the event risk coefficient, the attack stage coefficient and the number of attacks. The event risk coefficient covers several risk levels, for example low risk, medium risk, high risk and emergency risk. The attack chain to which the attack stage coefficient corresponds includes: reconnaissance, infiltration, intrusion, implantation, spread and destruction.
The specific user risk evaluation method includes:
The initial value of the security event risk coefficient depends on the event's threat level, which is divided into 5 levels; the higher the threat level, the larger the initial risk coefficient.
On top of the threat level classification, the risk coefficient is affected by the attack stage in which the event occurs; there are 6 attack stages in total. An attacker follows a behaviour trajectory and pushes the attack ever deeper (lateral movement) until the final goal, such as data theft, is reached. Consequently, along the behaviour trajectory, a later behaviour carries a greater risk than an earlier one.
The event risk coefficient is affected by the number of times the event occurs: the risk coefficient grows with the count, and as it approaches 1 the growth rate slows and the coefficient tends to 1.
The user's current threat rate is related to the threat rate before the event occurred; the threat rate is highest at the user's first anomaly in the evaluation period.
As an example: first, the user's current trust rate and the trust rate at the previous moment are obtained. Each behaviour has a corresponding anomaly probability, which expresses the likelihood that this behaviour is a real attack. Although the anomaly probability of each behaviour is determined by the risk level of the event, the threat posed by an event differs between attack stages. An attacker follows a behaviour trajectory and pushes the attack ever deeper (lateral movement) until the final goal, such as data theft, is reached, so along the behaviour trajectory a later behaviour carries a greater risk than an earlier one. To distinguish the attack stages, a kill-chain coefficient is introduced, that is, the anomaly probability of an event given its position along the user's behaviour trajectory. Each behaviour is assigned a risk coefficient that expresses the likelihood that the current behaviour is malicious. For example, a single failed authentication may be an accidental password typo by the user and can be assigned a risk coefficient of 0.1; but if 5 consecutive login failures have already occurred before the current failure, the sequence is very likely a malicious brute-force attempt, so 0.1 is no longer used as the risk coefficient and it is raised accordingly, for example to 0.7. This example shows that the risk coefficient is related to the number of repetitions of an abnormal event: the more repetitions, the higher the risk coefficient.
The evaluation of user risk based on user behaviour is described next. First, the user's operation behaviour and the user behaviour baseline are obtained, for example by establishing the user behaviour baseline from the user's operation logs. Then, the proportion of abnormal behaviour and the anomaly degree of each individual behaviour are calculated against the user behaviour baseline. Next, the risk degree of an individual behaviour is calculated from the proportion of abnormal behaviour and the anomaly degree. Finally, the user risk degree is calculated from the individual behaviour risk degree and the historical risk degree.
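The event-based risk calculation (threat level, attack stage, repetition count), the behaviour-baseline risk just described, and the mapping from risk level to control method, combined in one added example that is not part of the patent. All coefficients, thresholds and formulas (noisy-OR compounding over repetitions, the smoothing weight for historical risk, the anomaly scoring) and the sample events are assumptions chosen to reproduce the qualitative rules in the text, not the patent's own model.

```python
from dataclasses import dataclass
from statistics import mean

# Assumed initial event risk coefficient for the five threat levels.
THREAT_LEVEL_RISK = {1: 0.1, 2: 0.25, 3: 0.45, 4: 0.7, 5: 0.9}
# The six attack-chain stages in the order the text lists them; the kill-chain
# coefficient (assumed values) grows with the stage, so later behaviour weighs more.
ATTACK_STAGES = ["reconnaissance", "infiltration", "intrusion",
                 "implantation", "spread", "destruction"]
STAGE_COEFF = {s: 1.0 + 0.2 * i for i, s in enumerate(ATTACK_STAGES)}
# Control methods the text pairs with each risk level; thresholds are assumed.
CONTROL_METHODS = {
    "low": ("bubble reminder", "report alarm"),
    "medium": ("secondary identity authentication", "prohibit high-risk operations"),
    "high": ("forced logout", "deactivate user"),
}


@dataclass(frozen=True)
class SecurityEvent:
    name: str
    threat_level: int   # 1..5
    stage: str          # one of ATTACK_STAGES
    count: int          # occurrences inside the evaluation period


def event_risk(ev: SecurityEvent) -> float:
    """Risk coefficient of one event type: the stage-scaled initial coefficient,
    compounded over repetitions (noisy-OR), so it grows with the count but the
    growth slows as the value approaches 1 and never reaches it."""
    r0 = min(1.0, THREAT_LEVEL_RISK[ev.threat_level] * STAGE_COEFF[ev.stage])
    return 1.0 - (1.0 - r0) ** ev.count


def event_based_risk(events) -> float:
    """One real attack among the events is enough, so combine them by noisy-OR."""
    p_clean = 1.0
    for ev in events:
        p_clean *= 1.0 - event_risk(ev)
    return 1.0 - p_clean


@dataclass(frozen=True)
class Operation:
    command: str
    hour: int           # local hour of day, 0..23


@dataclass(frozen=True)
class BehaviorBaseline:
    """Learned from the historical operation logs of the user or user group."""
    usual_commands: frozenset
    work_hours: range


def anomaly_degree(op: Operation, base: BehaviorBaseline) -> float:
    """0.0 = within baseline; 0.4 for a usual command at an unusual hour;
    1.0 for a command the user has never run (assumed scoring)."""
    if op.command not in base.usual_commands:
        return 1.0
    return 0.0 if op.hour in base.work_hours else 0.4


def behavior_risk(ops, base) -> float:
    """Single-behaviour risk degree: share of abnormal operations in the
    period times their mean anomaly degree (0.0 when nothing is abnormal)."""
    degrees = [anomaly_degree(op, base) for op in ops]
    abnormal = [d for d in degrees if d > 0.0]
    if not abnormal:
        return 0.0
    return len(abnormal) / len(degrees) * mean(abnormal)


def user_risk(events, ops, base, history_risk, history_weight=0.3) -> float:
    """Current-period risk (events and behaviour combined by noisy-OR) blended
    with the historical risk of earlier periods (assumed smoothing weight)."""
    current = 1.0 - (1.0 - event_based_risk(events)) * (1.0 - behavior_risk(ops, base))
    return (1.0 - history_weight) * current + history_weight * history_risk


def risk_level(risk: float) -> str:
    if risk < 0.3:
        return "low"
    return "medium" if risk < 0.6 else "high"


def access_control_policy(events, ops, base, history_risk) -> dict:
    """What the policy decision point hands to the policy enforcement point."""
    risk = user_risk(events, ops, base, history_risk)
    level = risk_level(risk)
    return {"trust_score": round(1.0 - risk, 3), "risk_level": level,
            "control_methods": CONTROL_METHODS[level]}


# Constructed sample session: six login failures (reconnaissance stage), then
# two usual commands and one never-seen command, all at 03:00 local time.
SAMPLE_EVENTS = [SecurityEvent("login_failure", 1, "reconnaissance", 6)]
SAMPLE_OPS = [Operation("display interface", 3), Operation("display alarm", 3),
              Operation("reboot", 3)]
SAMPLE_BASELINE = BehaviorBaseline(frozenset({"display interface", "display alarm"}),
                                   range(8, 19))
```

With the sample session and a historical risk of 0.1, `access_control_policy(SAMPLE_EVENTS, SAMPLE_OPS, SAMPLE_BASELINE, 0.1)` lands in the medium level, so the enforcement point would demand secondary authentication and block high-risk commands rather than log the user out.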
After the policy decision point has generated the access control policy in the manner described above, it can send the access control policy to the policy enforcement point.
The policy enforcement point controls all service access requests of the O&M user on the basis of the access control policy generated by the policy decision point, for example deciding according to the access control policy whether to issue an access token or to apply another policy.
In the embodiments of this application, the policy decision point generates the access control policy according to the trust evaluation result. The access control policy includes the control mode for the O&M user's O&M operations, so that those operations stay within a precisely controllable range, which guarantees the secure access of the O&M user and reduces the O&M user's security risk.
如图4所示,为本申请实施例提供的运维用户访问网元的场景示意图,运维用户接入网元的访问场景与接入网络管控单元的访问场景类似。As shown in FIG. 4 , it is a schematic diagram of a scenario where an operation and maintenance user accesses a network element provided in the embodiment of the present application. The access scenario for an operation and maintenance user to access a network element is similar to the access scenario for accessing a network management and control unit.
运维用户通过运维终端向网元发送业务访问请求,网元请求网络管控单元根据业务访问请求对运维用户进行多因素身份认证,网络管控单元从第三方系统获取多维度的第三方数据,基于上述多维度的第三方数据生成访问控制策略;网元根据网络管控单元生成的访问控制策略对运维用户的运维操作进行动态访问控制,例如运维用户可以访问网元。网元包括:无线基站、路由器、交换机和云化网元等。The operation and maintenance user sends a service access request to the network element through the operation and maintenance terminal, and the network element requests the network management and control unit to perform multi-factor authentication on the operation and maintenance user according to the service access request, and the network management and control unit obtains multi-dimensional third-party data from the third-party system, Generate access control policies based on the above-mentioned multi-dimensional third-party data; network elements perform dynamic access control on the operation and maintenance operations of operation and maintenance users according to the access control policies generated by the network management and control unit, for example, operation and maintenance users can access network elements. Network elements include: wireless base stations, routers, switches, and cloud network elements.
接下来对图4所示的各个设备以及功能模块进行说明。Next, various devices and functional modules shown in FIG. 4 will be described.
其中,运维终端具有风险感知代理功能,运维终端向网元中的策略执行点发送业务访问请求,该业务访问请求对于网元是不可信的。例如,风险感知代理既可以是个人电脑端,也可以是移动端,此处不做限定。图4中以网元上部署4个策略执行点为例进行说明。Among them, the operation and maintenance terminal has a risk-aware proxy function, and the operation and maintenance terminal sends a service access request to the policy enforcement point in the network element, and the service access request is untrustworthy to the network element. For example, the risk awareness agent can be either a personal computer terminal or a mobile terminal, which is not limited here. In Fig. 4, four policy enforcement points are deployed on network elements as an example for illustration.
网络管控单元,包括:策略决策点、策略执行点以及应用和数据。Network management and control unit, including: policy decision point, policy enforcement point, application and data.
当运维用户登录网元时,运维用户通过运维终端向网元中的策略执行点发送业务访问请求,策略执行点触发网络管控单元中的策略决策点强制对运维用户进行多因素身份认证,以鉴别用户合法身份,如通过用户口令、短信验证码、数字证书等方式,用户认证不通过无法登陆网络管控单元。When the operation and maintenance user logs in to the network element, the operation and maintenance user sends a service access request to the policy enforcement point in the network element through the operation and maintenance terminal, and the policy enforcement point triggers the policy decision point in the network management and control unit to force the multi-factor identity of the operation and maintenance user Authentication, to identify the legal identity of the user, such as through user password, SMS verification code, digital certificate, etc. If the user fails to pass the authentication, he cannot log in to the network management and control unit.
第三方系统包括如下至少一种:工单系统、身份认证管理系统、终端风险感知系统。第三方系统可以向策略决策点提供数据查询功能,例如工单系统提供工单任务,身份认证管理系统提供运维用户的身份数据,终端风险感知系统提供运维终端的终端风险数据。The third-party system includes at least one of the following: a work order system, an identity authentication management system, and a terminal risk awareness system. Third-party systems can provide data query functions to policy decision points. For example, the work order system provides work order tasks, the identity authentication management system provides the identity data of operation and maintenance users, and the terminal risk awareness system provides terminal risk data of operation and maintenance terminals.
当运维用户通过多因素身份认证之后,策略决策点从工单系统获取运维用户的待执行的工单任务,以及从身份认证管理系统获取运维用户的身份数据,以及从终端风险感知系统获取运维终端的终端风险数据。另外,策略决策点还可以获取业务安全数据,例如该业务安全数据包括:网管和网元的安全日志、操作日志、安全事件等数据。After the operation and maintenance user has passed the multi-factor identity authentication, the policy decision point obtains the work order tasks to be executed by the operation and maintenance user from the work order system, obtains the identity data of the operation and maintenance user from the identity authentication management system, and obtains the operation and maintenance user’s identity data from the terminal risk awareness system Obtain the terminal risk data of the operation and maintenance terminal. In addition, the policy decision point can also obtain service security data, for example, the service security data includes: security logs, operation logs, security events and other data of the network management and network elements.
The policy decision point performs a trust evaluation of the operation and maintenance user based on the work order tasks, identity data, terminal risk data and service security data, obtains a trust evaluation result, and generates an access control policy from that result.
During the user's operation and maintenance activity, the policy decision point implements precise authorization based on work order tasks. At the same time, using multi-dimensional data that includes the security logs, operation logs and security events of the network management system and the network elements, together with the terminal risk data and user identity data supplied by third parties, it continuously and comprehensively evaluates the security trustworthiness of the accessing user and of the accessed objects (including the network management and control unit and the network elements), forms a user trust score, and generates an access control policy for the user based on that score.
The details are as follows:
Precise authorization based on work order tasks: the network management and control unit parses the input work order task to form a specific authorization set that is granted to the network element user. Authorization is made precise by factors such as account, role, time window, operation commands and whether access to the network element is permitted; operations outside the scope of the work order task cannot be executed.
Continuous user trust evaluation and dynamic policy: a policy decision point is set on the network management and control unit. It collects multi-dimensional data, including the network elements' operation and maintenance operation logs and security logs, the security detection events for operation and maintenance operations on the network elements, and the terminal risk data and user identity data supplied by third-party systems, and continuously and comprehensively evaluates user risk. It also supports evaluating user trust from the user's historical behaviour. The evaluation yields a user trust score, from which an access control policy is generated dynamically, such as "bubble reminder", "report alarm", "secondary identity authentication", "prohibit high-risk operations", "force user logout" or "disable user". Different risk levels correspond to different levels of access control: low risk uses "bubble reminder" and "report alarm", medium risk uses "secondary identity authentication" and "prohibit high-risk operations", and high risk uses "force user logout" and "disable user".
Once the access control policy has been generated in the manner described above, it can be sent to the policy enforcement point.
Based on the access control policy generated by the policy decision point, the policy enforcement point controls all service access requests from the operation and maintenance user, for example deciding according to the policy whether to issue an access token or to execute another policy action.
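The two mechanisms above (work-order based precise authorization and the trust score mapped to graded access control actions) and the enforcement step can be made concrete in code. The following is an added example written for this page, not the patent's own code or any product's implementation: the data layouts, field names, score weights and thresholds are all assumptions, and the sample work order, accounts and commands are constructed.

```python
"""Policy decision point (PDP) and policy enforcement point (PEP) for
operation and maintenance access. Added illustration; the data layouts,
weights and thresholds are assumptions, not taken from the patent."""
from dataclasses import dataclass
from datetime import datetime

# Risk bands and the access control actions the text pairs with each of them.
LOW, MEDIUM, HIGH = "low", "medium", "high"
ACTIONS_BY_RISK = {
    LOW: ("bubble_reminder", "report_alarm"),
    MEDIUM: ("secondary_authentication", "prohibit_high_risk_operations"),
    HIGH: ("force_logout", "disable_user"),
}
# Assumed classification of commands whose execution counts as high risk.
HIGH_RISK_COMMANDS = {"reset board", "delete configuration"}


@dataclass(frozen=True)
class WorkOrder:
    """Approved work order: who may run which commands on which element, and when."""
    account: str
    role: str
    target_ne: str
    commands: frozenset
    start: datetime
    end: datetime


@dataclass(frozen=True)
class AccessRequest:
    account: str
    role: str
    target_ne: str
    command: str
    at: datetime


def authorization_set(orders, account, at):
    """Work orders applicable to this account at this instant. The rights they
    grant exist only inside the task window and lapse when it ends."""
    return [o for o in orders if o.account == account and o.start <= at < o.end]


def authorized_by_work_order(req, orders):
    """Precise authorization: account, role, target element, command and time
    must all match an applicable work order; anything else is out of scope."""
    return any(
        o.role == req.role and o.target_ne == req.target_ne and req.command in o.commands
        for o in authorization_set(orders, req.account, req.at)
    )


def trust_score(identity, terminal_risk, security_data, history):
    """Combine identity, terminal, security-log and history inputs into a
    0..100 trust score. Weights are illustrative assumptions."""
    score = 100
    if not identity.get("mfa_passed", False):
        score -= 70                                    # identity not proven
    score -= 10 * terminal_risk.get("missing_os_patches", 0)
    if not terminal_risk.get("registered", True):
        score -= 30                                    # unregistered terminal
    if terminal_risk.get("browser_insecure", False):
        score -= 15
    score -= 20 * security_data.get("high_risk_events", 0)
    score -= 5 * security_data.get("failed_logins", 0)
    if history.get("clean_sessions", 0) >= 10:
        score += 5                                     # good track record
    return max(0, min(100, score))


def risk_level(score):
    if score >= 70:
        return LOW
    if score >= 40:
        return MEDIUM
    return HIGH


def generate_policy(req, orders, identity, terminal_risk, security_data, history):
    """PDP: evaluate trust and resolve work-order scope into one policy object."""
    score = trust_score(identity, terminal_risk, security_data, history)
    level = risk_level(score)
    return {"trust_score": score, "risk_level": level, "actions": ACTIONS_BY_RISK[level],
            "in_work_order_scope": authorized_by_work_order(req, orders)}


def enforce(req, policy):
    """PEP: decide whether an access token is issued for this request."""
    if not policy["in_work_order_scope"]:
        return {"token_issued": False, "reason": "outside work order scope"}
    actions = policy["actions"]
    if "force_logout" in actions:
        return {"token_issued": False, "reason": "high risk: session terminated"}
    if "prohibit_high_risk_operations" in actions and req.command in HIGH_RISK_COMMANDS:
        return {"token_issued": False, "reason": "medium risk: high-risk command blocked"}
    if "secondary_authentication" in actions:
        return {"token_issued": False, "reason": "medium risk: re-authentication required"}
    return {"token_issued": True, "reason": "low risk: allowed with reminder"}


# Constructed sample data for a walk-through (not from the patent).
ORDERS = [WorkOrder("a", "ne_operator", "NE-1", frozenset({"display alarm", "display interface"}),
                    datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 12, 0))]
IN_WINDOW, OUT_OF_WINDOW = datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 14, 0)
CLEAN_IDENTITY = {"mfa_passed": True}
CLEAN_TERMINAL = {"missing_os_patches": 0, "registered": True, "browser_insecure": False}
CLEAN_SECURITY = {"high_risk_events": 0, "failed_logins": 0}
GOOD_HISTORY = {"clean_sessions": 12}


def demo(command, at, identity=CLEAN_IDENTITY, terminal=CLEAN_TERMINAL, security=CLEAN_SECURITY):
    """Run one request for account "a" through PDP and PEP; returns (decision, policy)."""
    req = AccessRequest("a", "ne_operator", "NE-1", command, at)
    policy = generate_policy(req, ORDERS, identity, terminal, security, GOOD_HISTORY)
    return enforce(req, policy), policy
```

Scope is checked before trust: a request outside the work order window is refused even for a fully trusted user, which is the least-privilege point of the text, and the trust score only decides how an in-scope request is treated (allowed, stepped up, blocked or terminated).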
The foregoing examples show that a dynamic access control capability based on a zero trust architecture is built on the network management and control unit and the network elements. The whole system rests on identity authentication as its foundation; it continuously performs risk awareness and trust evaluation of operation and maintenance users, terminals, environments and operations, updates policy and grants precise authorization in real time according to trust level, and thereby implements dynamic access control. This keeps operation and maintenance user access secure and trustworthy and effectively mitigates the various risks of operator network operation and maintenance management, such as external advanced penetration attacks, users' non-compliant access to resources and insider threats. For the diverse access of users and terminals, user identity is verified by multi-factor authentication, and the login terminal's OS patches, terminal registration information and browser security state are checked continuously; as soon as an anomaly is found, the user's trust level is lowered and access rights are adjusted dynamically, preventing an attacker from impersonating an administrator or attacking through an infected operation and maintenance terminal. To avoid the risk of human error, fine-grained authorization can be combined with work order tasks, so that users are prevented from executing high-risk operations outside the work order task that would produce unintended results.
In addition, while the user performs operation and maintenance management, all of the user's access operations are continuously checked for security; abnormal behaviour that deviates from the daily access baseline, and threat events, are detected promptly and dynamic policy control is applied to the user's access, minimizing the impact of an intrusion.
Building work-order based access control policies on the network management and control unit and the network elements enables dynamic fine-grained authorization based on work order tasks. According to the requirements of the approved work order task, the operation and maintenance user is authorized in real time to operate the network management and control unit and to issue network element commands through it, and the user's rights are finally withdrawn when the task time ends. By minimizing authorization, this effectively avoids the risk of human error or external intrusion caused by excessive user rights.
Next, application scenarios of embodiments of the present application are illustrated. FIG. 5 is a schematic diagram of a scenario, provided by an embodiment of the present application, for preventing an attacker from impersonating an administrator. The attacker logs in under an administrator identity, for example by obtaining the network administrator's identity ID and password through social engineering, or by obtaining administrator identity information by attacking a terminal device. The embodiment achieves the following technical effects: at user login, the security risk of the terminal device is sensed continuously to prevent a compromised terminal from entering the network, and the user is identified by multi-factor authentication, so an attacker who has obtained only the administrator's account and password, and cannot provide other auxiliary identity information such as biometrics, still cannot log in to the system.
FIG. 6 is a schematic diagram of a scenario, provided by an embodiment of the present application, for preventing concealed attack behaviour. In the face of advanced threats such as APTs, an attacker has already passed terminal and identity verification and penetrated the target system to launch malicious operations. The embodiment achieves the following technical effects: through continuous risk awareness and trust evaluation of the user's operation behaviour, when the user's behaviour is found to deviate abnormally from the daily behaviour baseline, for example when the user requests execution of command x and that access deviates from the baseline, access is denied. The relevant access control is applied and the user's rights are restricted in time, preventing major impact on services.
FIG. 7 is a schematic diagram of a scenario, provided by an embodiment of the present application, for preventing accidents caused by human error. When legitimate operation and maintenance personnel work on the live network, they may, through negligence, use commands or parameters that were not declared in the work order while operating the network management and control unit or a network element, causing a human-induced security incident on the live network. The embodiment achieves the following technical effects: the network management and control unit is connected to the work order task, parses it, and authorizes the user precisely according to the rights requested in the work order. For example, if a user executes command x under account a during period b, and the user has no such work order task in that period, access is denied; the user can exercise only the rights within the scope of the work order task, thereby avoiding accidents caused by human error.
FIG. 8 is a schematic diagram of a scenario, provided by an embodiment of the present application, for preventing a management and control gap in which local access bypasses the controls. An attacker obtains a network element's login account and password and accesses the network element through a local login (a network cable connected directly to the management port, or a serial port) to perform malicious operations. The embodiment achieves the following technical effects: the network management and control unit performs continuous risk awareness and trust evaluation of the operation behaviour of users logged in to the network element, and when a user's behaviour is found to be abnormal, it generates a control policy and delivers it to the network element, applying the relevant access control and restricting the network element user's rights in time to prevent major impact on services.
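The FIG. 6 and FIG. 8 scenarios both depend on the same detection step: the network management and control unit compares each new operation on a network element against the account's daily behaviour baseline and tightens policy when it deviates. The following is an added example written for this page, not the patent's own code. The log line format, the deviation weights, the deny threshold, and the sample history (account opsA, elements NE-1 and NE-2, access paths "nms" for commands arriving via the management unit and "console" for a local login on the element) are all constructed assumptions.

```python
"""Behaviour-baseline check over network element operation logs. Added
illustration; the log format, weights and threshold are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed history: "<ISO timestamp> <account> <access path> <network element> <command>".
# The access path records whether the command arrived through the management
# unit ("nms") or through a local login on the element itself ("console").
SAMPLE_LOGS = """\
2024-03-04T09:12:00 opsA nms NE-1 display interface
2024-03-04T09:40:00 opsA nms NE-1 display alarm
2024-03-05T10:05:00 opsA nms NE-2 display interface
2024-03-05T10:30:00 opsA nms NE-1 display version
2024-03-06T09:55:00 opsA nms NE-1 display alarm
"""

# Illustrative weights: a never-before-seen command weighs most; an unusual
# access path (a console login from an account that always used the NMS) next.
WEIGHTS = {"command": 50, "path": 30, "ne": 10, "hour": 10}
DENY_THRESHOLD = 50


def parse_op(line):
    """Parse one operation log line into a record; the command may contain spaces."""
    ts, account, path, ne, command = line.strip().split(" ", 4)
    return {"at": datetime.fromisoformat(ts), "account": account,
            "path": path, "ne": ne, "command": command}


def build_baseline(log_text):
    """Per-account baseline: commands, access paths, elements and hours seen so far."""
    baseline = defaultdict(lambda: {"commands": set(), "paths": set(),
                                    "nes": set(), "hours": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        op = parse_op(line)
        b = baseline[op["account"]]
        b["commands"].add(op["command"])
        b["paths"].add(op["path"])
        b["nes"].add(op["ne"])
        b["hours"].add(op["at"].hour)
    return baseline


def deviation(baseline, op):
    """Score how far an operation departs from the account's daily baseline.
    An account with no history at all is treated as maximally unusual."""
    b = baseline.get(op["account"])          # .get() does not create an entry
    if b is None:
        return 100, ["no baseline for account"]
    score, reasons = 0, []
    if op["command"] not in b["commands"]:
        score += WEIGHTS["command"]
        reasons.append("command never used before")
    if op["path"] not in b["paths"]:
        score += WEIGHTS["path"]
        reasons.append("unusual access path")
    if op["ne"] not in b["nes"]:
        score += WEIGHTS["ne"]
        reasons.append("unusual network element")
    if op["at"].hour not in b["hours"]:
        score += WEIGHTS["hour"]
        reasons.append("outside usual hours")
    return score, reasons


def decide_line(baseline, line):
    """Decision for one new operation: deny, and hand the reasons to the policy
    decision point, once the deviation reaches the threshold."""
    score, reasons = deviation(baseline, parse_op(line))
    return {"allow": score < DENY_THRESHOLD, "score": score, "reasons": reasons}


BASELINE = build_baseline(SAMPLE_LOGS)
```

The reasons list is what the policy decision point would attach to the control policy it delivers to the network element; a single unusual access path stays below the threshold and only lowers trust, while an unseen command on an unusual path at an unusual hour is denied outright.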
It should be noted that, for the sake of brevity, each of the foregoing method embodiments is described as a series of combined actions; those skilled in the art should understand, however, that the present application is not limited by the order of actions described, since according to the present application some steps may be performed in another order or simultaneously. Further, those skilled in the art should understand that the embodiments described in the specification are all preferred embodiments, and that the actions and modules involved are not necessarily required by the present application.
To facilitate better implementation of the above solutions of the embodiments of the present application, related apparatus for implementing those solutions is provided below.
Referring to FIG. 9, an embodiment of the present application provides a terminal device, which is specifically a policy decision point 900 and may include a receiving module 901, an authentication module 902, an acquisition module 903, an evaluation module 904 and a policy generation module 905, wherein:
the receiving module is configured to receive a service access request sent by an operation and maintenance user through an operation and maintenance terminal;
the authentication module is configured to perform multi-factor identity authentication of the operation and maintenance user according to the service access request;
the acquisition module is configured, after the operation and maintenance user passes the multi-factor identity authentication, to acquire the pending work order tasks of the operation and maintenance user from a work order system, the identity data of the operation and maintenance user from an identity authentication management system, the terminal risk data of the operation and maintenance terminal from a terminal risk awareness system, and service security data from a service provision system;
the evaluation module is configured to perform a trust evaluation of the operation and maintenance user according to the work order tasks, the identity data, the terminal risk data and the service security data, and to obtain a trust evaluation result;
the policy generation module is configured to generate an access control policy according to the trust evaluation result.
In this embodiment of the present application, multi-factor identity authentication is performed on the operation and maintenance user according to the service access request. After the operation and maintenance user passes the multi-factor identity authentication, the user's pending work order tasks are acquired from the work order system, the user's identity data from the identity authentication management system, the terminal risk data of the operation and maintenance terminal from the terminal risk awareness system, and service security data from the service provision system. A trust evaluation of the operation and maintenance user is performed according to the work order tasks, identity data, terminal risk data and service security data, and an access control policy is generated from the trust evaluation result. The access control policy includes the manner of controlling the user's operation and maintenance operations, so that those operations stay within a precisely controllable range, ensuring the user's secure access and reducing the user's security risk.
Referring to FIG. 10, an embodiment of the present application provides a terminal device, which is specifically a policy enforcement point 1000 and may include an acquisition module 1001 and a control module 1002, wherein:
the acquisition module is configured to acquire an access control policy from a policy decision point;
the control module is configured to perform dynamic access control on the operation and maintenance operations performed by an operation and maintenance user according to the access control policy.
In this embodiment of the present application, an access control policy is acquired from the policy decision point, and dynamic access control is performed on the operation and maintenance operations executed by the operation and maintenance user according to that policy. The access control policy includes the manner of controlling the user's operation and maintenance operations, so that those operations stay within a precisely controllable range, ensuring the user's secure access and reducing the user's security risk.
It should be noted that, since the information exchange and execution processes between the modules/units of the above apparatus are based on the same concept as the method embodiments of the present application, the technical effects they bring are the same as those of the method embodiments; for details, refer to the description in the foregoing method embodiments, which is not repeated here.
An embodiment of the present application further provides a computer storage medium, wherein the computer storage medium stores a program whose execution includes some or all of the steps described in the above method embodiments.
Another policy decision point provided by an embodiment of the present application is introduced next. Referring to FIG. 11, the policy decision point 1100 includes:
a receiver 1101, a transmitter 1102, a processor 1103 and a memory 1104 (the number of processors 1103 in the policy decision point 1100 may be one or more; FIG. 11 takes one processor as an example). In some embodiments of the present application, the receiver 1101, transmitter 1102, processor 1103 and memory 1104 may be connected by a bus or in other ways; FIG. 11 takes connection by a bus as an example.
The memory 1104 may include read-only memory and random access memory, and provides instructions and data to the processor 1103. A part of the memory 1104 may also include non-volatile random access memory (NVRAM). The memory 1104 stores an operating system and operation instructions, executable modules or data structures, or a subset or extended set of them, where the operation instructions may include various operation instructions for implementing various operations. The operating system may include various system programs for implementing various basic services and handling hardware-based tasks.
The processor 1103 controls the operation of the policy decision point; the processor 1103 may also be called a central processing unit (CPU). In a specific application, the components of the policy decision point are coupled together through a bus system, which may include, in addition to a data bus, a power bus, a control bus and a status signal bus. For clarity, however, the various buses are all referred to as the bus system in the figures.
The methods disclosed in the foregoing embodiments of the present application may be applied to, or implemented by, the processor 1103. The processor 1103 may be an integrated circuit chip with signal processing capability. During implementation, the steps of the above methods may be completed by integrated logic circuits of hardware in the processor 1103 or by instructions in the form of software. The processor 1103 may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in connection with the embodiments of the present application may be directly embodied as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software module may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory 1104; the processor 1103 reads the information in the memory 1104 and completes the steps of the above methods in combination with its hardware.
The receiver 1101 may be used to receive input numeric or character information and to generate signal inputs related to the settings and function control of the policy decision point. The transmitter 1102 may include a display device such as a display screen, and may be used to output numeric or character information through an external interface.
In this embodiment of the present application, the processor 1103 is configured to execute the operation and maintenance processing method performed by the policy decision point as shown in FIG. 2 of the foregoing embodiments.
Another policy enforcement point provided by an embodiment of the present application is introduced next. Referring to FIG. 12, the policy enforcement point 1200 includes:
a receiver 1201, a transmitter 1202, a processor 1203 and a memory 1204 (the number of processors 1203 in the policy enforcement point 1200 may be one or more; FIG. 12 takes one processor as an example). In some embodiments of the present application, the receiver 1201, transmitter 1202, processor 1203 and memory 1204 may be connected by a bus or in other ways; FIG. 12 takes connection by a bus as an example.
The memory 1204 may include read-only memory and random access memory, and provides instructions and data to the processor 1203. A part of the memory 1204 may also include NVRAM. The memory 1204 stores an operating system and operation instructions, executable modules or data structures, or a subset or extended set of them, where the operation instructions may include various operation instructions for implementing various operations. The operating system may include various system programs for implementing various basic services and handling hardware-based tasks.
The processor 1203 controls the operation of the policy enforcement point; the processor 1203 may also be called a CPU. In a specific application, the components of the policy enforcement point are coupled together through a bus system, which may include, in addition to a data bus, a power bus, a control bus and a status signal bus. For clarity, however, the various buses are all referred to as the bus system in the figures.
The methods disclosed in the foregoing embodiments of the present application may be applied to, or implemented by, the processor 1203. The processor 1203 may be an integrated circuit chip with signal processing capability. During implementation, the steps of the above methods may be completed by integrated logic circuits of hardware in the processor 1203 or by instructions in the form of software. The processor 1203 may be a general-purpose processor, a DSP, an ASIC, an FPGA or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in connection with the embodiments of the present application may be directly embodied as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software module may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory 1204; the processor 1203 reads the information in the memory 1204 and completes the steps of the above methods in combination with its hardware.
In this embodiment of the present application, the processor 1203 is configured to execute the operation and maintenance processing method performed by the policy enforcement point as shown in FIG. 2 of the foregoing embodiments.
In another possible design, when the decoding terminal, the transmission terminal or the policy enforcement point is a chip within a terminal, the chip includes a processing unit and a communication unit; the processing unit may for example be a processor, and the communication unit may for example be an input/output interface, a pin or a circuit. The processing unit may execute computer-executable instructions stored in a storage unit so that the chip within the terminal performs the operation and maintenance processing method of any one of the first aspect to the second aspect above. Optionally, the storage unit is a storage unit within the chip, such as a register or a cache; the storage unit may also be a storage unit within the terminal but outside the chip, such as read-only memory (ROM) or another type of static storage device capable of storing static information and instructions, or random access memory (RAM).
The processor mentioned anywhere above may be a general-purpose central processing unit, a microprocessor, an ASIC, or one or more integrated circuits for controlling execution of the programs for the methods of the first aspect to the second aspect above.
It should further be noted that the apparatus embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. In addition, in the drawings of the apparatus embodiments provided in the present application, a connection between modules indicates a communication connection between them, which may specifically be implemented as one or more communication buses or signal lines.
From the description of the above embodiments, those skilled in the art can clearly understand that the present application may be implemented by software plus the necessary general-purpose hardware, and of course also by dedicated hardware including application-specific integrated circuits, dedicated CPUs, dedicated memory, dedicated components and the like. In general, any function performed by a computer program can readily be implemented by corresponding hardware, and the specific hardware structure used to implement the same function may vary, for example analog circuits, digital circuits or dedicated circuits. For the present application, however, implementation by a software program is in most cases the better embodiment. Based on this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, may be embodied in the form of a software product stored in a readable storage medium, such as a computer floppy disk, USB flash drive, removable hard disk, ROM, RAM, magnetic disk or optical disc, including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments of the present application.
在上述实施例中,可以全部或部分地通过软件、硬件、固件或者其任意组合来实现。当使用软件实现时,可以全部或部分地以计算机程序产品的形式实现。In the above embodiments, all or part of them may be implemented by software, hardware, firmware or any combination thereof. When implemented using software, it may be implemented in whole or in part in the form of a computer program product.
所述计算机程序产品包括一个或多个计算机指令。在计算机上加载和执行所述计算机程序指令时,全部或部分地产生按照本申请实施例所述的流程或功能。所述计算机可以是通用计算机、专用计算机、计算机网络、或者其他可编程装置。所述计算机指令可以存储在计算机可读存储介质中,或者从一个计算机可读存储介质向另一计算机可读存储介质传输,例如,所述计算机指令可以从一个网站站点、计算机、服务器或数据中心通过有线(例如同轴电缆、光纤、数字用户线(DSL))或无线(例如红外、无线、微波等)方式向另一个网站站点、计算机、服务器或数据中心进行传输。所述计算机可读存储介质可以是计算机能够存储的任何可用介质或者是包含一个或多个可用介质集成的服务器、数据中心等数 据存储设备。所述可用介质可以是磁性介质,(例如,软盘、硬盘、磁带)、光介质(例如,DVD)、或者半导体介质(例如固态硬盘(Solid State Disk,SSD))等。The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on the computer, the processes or functions according to the embodiments of the present application will be generated in whole or in part. The computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable devices. The computer instructions may be stored in or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer instructions may be transmitted from a website, computer, server, or data center Transmission to another website site, computer, server, or data center by wired (eg, coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (eg, infrared, wireless, microwave, etc.). The computer-readable storage medium may be any available medium that can be stored by a computer, or a data storage device including a server, a data center, and the like integrated with one or more available media. The available medium may be a magnetic medium (such as a floppy disk, a hard disk, or a magnetic tape), an optical medium (such as a DVD), or a semiconductor medium (such as a solid state disk (Solid State Disk, SSD)), etc.

Claims (13)

  1. An operation and maintenance processing method, characterized in that the method comprises:
    receiving a service access request sent by an operation and maintenance user through an operation and maintenance terminal;
    performing multi-factor identity authentication on the operation and maintenance user according to the service access request;
    after the operation and maintenance user passes the multi-factor identity authentication, obtaining the pending work order task of the operation and maintenance user from a work order system, obtaining identity data of the operation and maintenance user from an identity authentication management system, obtaining terminal risk data of the operation and maintenance terminal from a terminal risk awareness system, and obtaining service security data from a service provision system;
    performing a trust assessment on the operation and maintenance user according to the work order task, the identity data, the terminal risk data and the service security data, to obtain a trust assessment result;
    generating an access control policy according to the trust assessment result.
  2. The method according to claim 1, characterized in that the method further comprises:
    performing dynamic access control on the operation and maintenance operations performed by the operation and maintenance user according to the access control policy.
  3. The method according to claim 2, characterized in that performing dynamic access control on the operation and maintenance operations performed by the operation and maintenance user according to the access control policy comprises:
    for each session generated when the operation and maintenance user performs the operation and maintenance operations, generating an authorization instruction according to the access control policy and the work order task, the authorization instruction being used to instruct the operation and maintenance user to perform task content according to an authorization set and to prohibit the operation and maintenance user from performing task content outside the work order task;
    performing permission monitoring on the operation and maintenance operations performed by the operation and maintenance user according to the authorization instruction.
  4. The method according to claim 3, characterized in that the authorization set comprises at least one of the following: the account of the operation and maintenance user, the role in which the operation and maintenance user performs the operation and maintenance operations, the time at which the operation and maintenance user performs the operation and maintenance operations, the operation instructions with which the operation and maintenance user performs the operation and maintenance operations, and the permission of the operation and maintenance user to access the service provision system.
  5. The method according to claim 1, characterized in that the method further comprises:
    sending the access control policy to a policy enforcement point, so that the policy enforcement point performs dynamic access control on the operation and maintenance operations performed by the operation and maintenance user according to the access control policy.
  6. The method according to any one of claims 1 to 5, characterized in that performing a trust assessment on the operation and maintenance user according to the work order task, the identity data, the terminal risk data and the service security data to obtain a trust assessment result comprises:
    generating a trust assessment model for the operation and maintenance user according to the work order task, the identity data, the terminal risk data and the service security data;
    obtaining abnormal behavior of the operation and maintenance user according to the trust assessment model;
    determining operation and maintenance operation risk parameters of the operation and maintenance user according to the abnormal behavior of the operation and maintenance user and a predetermined baseline of historical user behavior;
    generating the trust assessment result according to the operation and maintenance operation risk parameters.
  7. The method according to any one of claims 1 to 6, characterized in that the access control policy comprises a user risk level and a corresponding access control method;
    wherein, when the user risk level is low-level risk, the corresponding access control method comprises at least one of the following: a pop-up reminder and reporting an alarm; or,
    when the user risk level is medium-level risk, the corresponding access control method comprises at least one of the following: secondary identity authentication and prohibiting the execution of high-risk operations; or,
    when the user risk level is high-level risk, the corresponding access control method comprises at least one of the following: forcibly logging out the user and disabling the user.
  8. The method according to any one of claims 1 to 7, characterized in that the service security data comprises operation and maintenance security logs, operation logs and security events of the service provision system.
  9. The method according to any one of claims 1 to 8, characterized in that the service provision system comprises at least one of the following: a network management and control unit and a service access network element.
  10. A terminal device, characterized in that the terminal device is specifically a policy decision point, and the terminal device comprises:
    a receiving module, configured to receive a service access request sent by an operation and maintenance user through an operation and maintenance terminal;
    an authentication module, configured to perform multi-factor identity authentication on the operation and maintenance user according to the service access request;
    an obtaining module, configured to, after the operation and maintenance user passes the multi-factor identity authentication, obtain the pending work order task of the operation and maintenance user from a work order system, obtain identity data of the operation and maintenance user from an identity authentication management system, obtain terminal risk data of the operation and maintenance terminal from a terminal risk awareness system, and obtain service security data from a service provision system;
    an assessment module, configured to perform a trust assessment on the operation and maintenance user according to the work order task, the identity data, the terminal risk data and the service security data, to obtain a trust assessment result;
    a policy generation module, configured to generate an access control policy according to the trust assessment result.
  11. A terminal device, characterized in that the terminal device is specifically a policy decision point, and the terminal device comprises a processor and a memory, the processor and the memory communicating with each other;
    the memory being configured to store instructions;
    the processor being configured to execute the instructions in the memory so as to perform the method according to any one of claims 1 to 9.
  12. A computer-readable storage medium comprising instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 9.
  13. A computer program product comprising instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 9.
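
The policy decision point described in claims 1 to 7 can be sketched as a small program: gather the four data sources after MFA, compare the session with a behaviour baseline, turn the deviations plus terminal and service data into risk parameters, map the resulting score onto the three risk levels with the control actions of claim 7, and then enforce the per-session authorization set of claims 3 and 4. The following Python is an added example written for this page and is not the patent's own implementation; the claims do not specify how the score is computed, so every field name, weight, threshold, the high-risk command list and the sample work order are constructed assumptions.

```python
"""Hypothetical policy decision point (PDP) for the flow of claims 1-7.

Added example, not the patent's implementation: the claims name the inputs,
the baseline comparison, the three user risk levels and their control
actions, but not how a score is formed. All weights and thresholds are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class WorkOrder:
    """Pending task from the work order system; doubles as the authorization set (claim 4)."""
    account: str
    role: str
    target_system: str
    allowed_commands: frozenset
    window_start: datetime
    window_end: datetime


@dataclass(frozen=True)
class Inputs:
    """Data the PDP gathers once multi-factor authentication has succeeded (claim 1)."""
    mfa_passed: bool
    roles: frozenset            # identity data from the identity management system
    terminal_compliant: bool    # terminal risk data from the terminal risk awareness system
    terminal_alerts: int
    security_events: int        # service security data: events logged on the target system
    commands_in_session: int    # behaviour observed in the current session
    session_start: datetime


# Constructed baseline of historical user behaviour (claim 6); a real PDP would learn it.
BASELINE = {"max_commands": 40, "work_hours": range(8, 19)}

# Access control methods per user risk level, as enumerated in claim 7.
ACTIONS = {
    "low": ("popup_reminder", "report_alarm"),
    "medium": ("secondary_authentication", "block_high_risk_operations"),
    "high": ("force_logout", "disable_user"),
}
HIGH_RISK_COMMANDS = frozenset({"reset-config", "delete-ne", "disable-user"})  # assumed list


def abnormal_behaviors(inp, baseline=BASELINE):
    """Deviations of the observed session from the behaviour baseline (claim 6)."""
    found = []
    if inp.commands_in_session > baseline["max_commands"]:
        found.append("command_volume")
    if inp.session_start.hour not in baseline["work_hours"]:
        found.append("off_hours")
    return found


def risk_parameters(inp, baseline=BASELINE):
    """O&M operation risk parameters from behaviour, terminal and service data (assumed weights)."""
    return {
        "behaviour": 25 * len(abnormal_behaviors(inp, baseline)),
        "terminal": (0 if inp.terminal_compliant else 30) + 10 * inp.terminal_alerts,
        "service": 5 * inp.security_events,
    }


def trust_assessment(inp, baseline=BASELINE):
    """Trust assessment result as one risk score in 0..100 (higher means less trust)."""
    return min(100, sum(risk_parameters(inp, baseline).values()))


def risk_level(score):
    """Assumed thresholds mapping the score onto the three levels of claim 7."""
    if score >= 60:
        return "high"
    if score >= 30:
        return "medium"
    return "low"


def generate_policy(inp, baseline=BASELINE):
    """Last step of claim 1: the access control policy handed to the policy enforcement point."""
    if not inp.mfa_passed:
        return {"level": "denied", "score": None, "actions": ("reject_request",)}
    score = trust_assessment(inp, baseline)
    level = risk_level(score)
    return {"level": level, "score": score, "actions": ACTIONS[level]}


def authorize_command(policy, wo, inp, account, command, at):
    """Per-session authorization instruction (claims 3-4): permit only task content inside
    the authorization set, with the policy's controls applied on top."""
    if policy["level"] in ("denied", "high"):
        return False, "session closed: " + ", ".join(policy["actions"])
    if account != wo.account:
        return False, "account not in authorization set"
    if wo.role not in inp.roles:
        return False, "user lacks the role required by the work order"
    if not wo.window_start <= at <= wo.window_end:
        return False, "outside the work order time window"
    if command not in wo.allowed_commands:
        return False, "instruction outside the work order task"
    if policy["level"] == "medium" and command in HIGH_RISK_COMMANDS:
        return False, "high-risk operation blocked at medium risk"
    return True, "allowed"


# Constructed sample data: one work order and a helper that builds session inputs.
def utc(hour, minute=0):
    return datetime(2024, 1, 15, hour, minute, tzinfo=timezone.utc)


SAMPLE_ORDER = WorkOrder("ops01", "netadmin", "nms-core",
                         frozenset({"show-config", "reset-config"}), utc(8), utc(18))


def sample_inputs(**overrides):
    base = dict(mfa_passed=True, roles=frozenset({"netadmin"}), terminal_compliant=True,
                terminal_alerts=0, security_events=0, commands_in_session=10,
                session_start=utc(10))
    base.update(overrides)
    return Inputs(**base)
```

With the sample work order, a compliant terminal during working hours yields a low-risk policy and `reset-config` is allowed because it is in the work order; the same session from a non-compliant terminal scores 30, becomes medium risk, and the same command is refused while `show-config` still passes; a non-compliant terminal at 23:00 with 50 commands scores 80 and every command is refused with the forced-logout actions attached. The separation between `generate_policy` (decision) and `authorize_command` (enforcement) mirrors the policy decision point of claim 10 and the policy enforcement point of claim 5.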
PCT/CN2022/127819 2022-02-28 2022-10-27 Operation and maintenance processing method, and terminal device WO2023159994A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210191834.XA CN116708210A (en) 2022-02-28 2022-02-28 Operation and maintenance processing method and terminal equipment
CN202210191834.X 2022-02-28

Publications (1)

Publication Number Publication Date
WO2023159994A1 true WO2023159994A1 (en) 2023-08-31

Family

ID=87764583

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/127819 WO2023159994A1 (en) 2022-02-28 2022-10-27 Operation and maintenance processing method, and terminal device

Country Status (2)

Country Link
CN (1) CN116708210A (en)
WO (1) WO2023159994A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116962091A (en) * 2023-09-21 2023-10-27 华能信息技术有限公司 Dynamic authorization method and system for accurate access
CN117081859A (en) * 2023-10-16 2023-11-17 北京中关村实验室 Industrial Internet zero-trust access control system
CN117278329A (en) * 2023-11-21 2023-12-22 大连凌一科技发展有限公司 Application resource dynamic control access method based on zero trust gateway
CN117272262A (en) * 2023-11-17 2023-12-22 北京睿航至臻科技有限公司 Zero trust data security operation and maintenance system and method
CN117811897A (en) * 2024-02-23 2024-04-02 济南通华电子技术有限公司 Intelligent analysis management system for internet of things card communication operation and maintenance worksheet data

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10313386B1 (en) * 2017-03-28 2019-06-04 Symantec Corporation Systems and methods for assessing security risks of users of computer networks of organizations
CN111935165A (en) * 2020-08-14 2020-11-13 中国工商银行股份有限公司 Access control method, device, electronic device and medium
CN112019560A (en) * 2020-09-07 2020-12-01 长沙誉联信息技术有限公司 End-to-end zero trust security gateway system
CN112165461A (en) * 2020-09-10 2021-01-01 杭州安恒信息技术股份有限公司 Zero-trust dynamic authorization method and device and computer equipment
CN114065162A (en) * 2021-11-29 2022-02-18 深信服科技股份有限公司 Risk control method and device of business system and computer readable storage medium

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116962091A (en) * 2023-09-21 2023-10-27 华能信息技术有限公司 Dynamic authorization method and system for accurate access
CN116962091B (en) * 2023-09-21 2024-02-27 华能信息技术有限公司 Dynamic authorization method and system for accurate access
CN117081859A (en) * 2023-10-16 2023-11-17 北京中关村实验室 Industrial Internet zero-trust access control system
CN117081859B (en) * 2023-10-16 2023-12-22 北京中关村实验室 Industrial Internet zero-trust access control system
CN117272262A (en) * 2023-11-17 2023-12-22 北京睿航至臻科技有限公司 Zero trust data security operation and maintenance system and method
CN117278329A (en) * 2023-11-21 2023-12-22 大连凌一科技发展有限公司 Application resource dynamic control access method based on zero trust gateway
CN117278329B (en) * 2023-11-21 2024-01-16 大连凌一科技发展有限公司 Application resource dynamic control access method based on zero trust gateway
CN117811897A (en) * 2024-02-23 2024-04-02 济南通华电子技术有限公司 Intelligent analysis management system for internet of things card communication operation and maintenance worksheet data
CN117811897B (en) * 2024-02-23 2024-04-30 济南通华电子技术有限公司 Intelligent analysis management system for internet of things card communication operation and maintenance worksheet data

Also Published As

Publication number Publication date
CN116708210A (en) 2023-09-05

Similar Documents

Publication Publication Date Title
WO2023159994A1 (en) Operation and maintenance processing method, and terminal device
US11604861B2 (en) Systems and methods for providing real time security and access monitoring of a removable media device
Cazorla et al. Cyber stealth attacks in critical information infrastructures
US20220210173A1 (en) Contextual zero trust network access (ztna) based on dynamic security posture insights
US8407240B2 (en) Autonomic self-healing network
CN111917714B (en) Zero trust architecture system and use method thereof
CN115001870B (en) Information security protection system, method and storage medium
CN114598540B (en) Access control system, method, device and storage medium
US11197160B2 (en) System and method for rogue access point detection
CN114553540B (en) Zero trust-based Internet of things system, data access method, device and medium
CN115150208B (en) Zero-trust-based Internet of things terminal secure access method and system
CN117061556B (en) Remote operation and maintenance safety protection device for power monitoring system
CN116707980A (en) Immune security defense method based on zero trust
CN110933054B (en) Data network security protection method and device, computer equipment and storage medium
CN116192497B (en) Network access and user authentication safe interaction method based on zero trust system
US11663325B1 (en) Mitigation of privilege escalation
CN111343194B (en) Camera violation identification method, system and equipment and computer storage medium
CN114915427A (en) Access control method, device, equipment and storage medium
Tsai et al. Strategy for Implementing of Zero Trust Architecture
Choi IoT (Internet of Things) based Solution Trend Identification and Analysis Research
KR20100067383A (en) Server security system and server security method
Yang et al. Cybersecurity Analysis of Wind Farm Industrial Control System Based on Hierarchical Threat Analysis Model Framework
Udaykumar A Study on Network Threats, Attacks & Security Measures
KR102655993B1 (en) System for providing zero trust model based seruity management service
Mahlous Threat Model and Risk Management for a Smart Home IoT System

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22928256

Country of ref document: EP

Kind code of ref document: A1