CN118317315A - Fingerprint information identification technology for network access control system equipment - Google Patents
- Publication number: CN118317315A (application CN202410535597.3A)
- Authority: CN (China)
- Prior art keywords: equipment, network, behavior, data, information
- Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS > H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
  - H04W12/60—Context-dependent security > H04W12/69—Identity-dependent > H04W12/77—Graphical identity
  - H04W12/08—Access security > H04W12/088—Access security using filters or firewalls
  - H04W12/60—Context-dependent security > H04W12/63—Location-dependent; Proximity-dependent
  - H04W12/60—Context-dependent security > H04W12/66—Trust-dependent, e.g. using trust scores or trust relationships
  - H04W12/60—Context-dependent security > H04W12/69—Identity-dependent
Abstract
The invention provides a device fingerprint information identification technology for a network access control system, comprising the following steps: collecting device information and analyzing it to form a device fingerprint; combining the GPS position of the device, the Wi-Fi access point scan result and the detection of Bluetooth peripherals, and extracting environmental characteristics using the built-in sensors and network-layer data collection; performing pattern analysis on device behavior and identifying behavior that does not match the normal pattern; analyzing the historical network behavior and security event log of the device and calculating a reputation score; establishing an information sharing platform on which devices share device fingerprint information; and adjusting the access control policy according to the behavior patterns, environmental characteristics and reputation scores of the devices. By accurately identifying device fingerprints, the invention ensures that only authorized devices can access network resources, effectively prevents unauthorized access and insider threats, monitors device behavior and environment information in real time, discovers and responds to abnormal behavior or security threats in a timely manner, and reduces potential security risk.
Description
Technical Field
The invention relates to the technical field of network security and information, in particular to a fingerprint information identification technology of network access control system equipment.
Background
In the current digital age, with the rapid development of information technology and the increasing complexity of network environments, network security is a major challenge facing organizations. Enterprises and institutions not only need to protect themselves from external network attacks, but also have to protect against security threats such as internal data leakage and unauthorized access. These security issues not only threaten the security of sensitive data, but may also seriously affect the organization's operation and reputation.
The existing network access control system prevents unauthorized access by limiting equipment access to network resources, and is a common means for constructing network security protection measures. However, these systems face increasing challenges as the types of devices are diversified and the manner of access is changed. Traditional identification mechanisms, such as relying on IP addresses or MAC addresses, are vulnerable to forgery and spoofing, resulting in inaccuracy in device authentication. Furthermore, existing admission control solutions often lack real-time monitoring and analysis of device behavior, making them difficult to respond in time to rapidly evolving security threats.
Furthermore, personalized access control policies are not popular in the prior art. In complex network environments, simple one-time access control policies have failed to meet the security requirements of organizations. Meanwhile, the cross-network security protection capability also becomes a prominent problem, and the lack of an effective mechanism to share information about security threats with other network admission control systems limits the defensive capability of an organization against cross-network attacks.
Therefore, there is an urgent need for a new network admission control technology capable of precisely identifying and managing access rights of devices. The technology should be capable of implementing personalized access control based on the device's behavior patterns, environmental information, and reputation scores, while being capable of monitoring and analyzing the device's behavior in real time, and timely discovering and responding to potential security threats. In addition, it should also support information sharing with other network admission control systems to enhance the organization's defensive capabilities against cross-network security threats. The method provides higher efficiency and flexibility for network security protection, and improves the efficiency and user experience of network resource management.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention provides a fingerprint information identification technology for network access control system devices which not only strengthens the network security protection capability of an organization but also improves the management efficiency and user experience of network resources. It helps to build a safer, more flexible and more efficient IT environment, supports remote work and multi-device access, meets the requirements of modern working scenarios, and enhances staff satisfaction and working efficiency.
In order to achieve the above object, the present invention provides a technology for identifying fingerprint information of a network access control system device, including:
Step S1: the hardware information, operating system details, network behavior patterns (such as access frequency and service usage habits) and the like of the device are automatically collected through client software installed on the device or a network-layer monitoring tool, and the information is transmitted to a central server through an API (application program interface) for analysis, so that a comprehensive, multidimensional device fingerprint is formed;
Step S2: combining the GPS position of the device, the scan result of the Wi-Fi access point and the detection of Bluetooth peripherals, extracting environmental characteristics using built-in sensors and network-layer data collection, and combining the environmental characteristics with the device fingerprint to strengthen the identification and verification of the device identity;
Step S3: a high-performance behavior analysis engine is deployed, the network requests, application usage and the like of the device are monitored in real time, and the device behavior is subjected to pattern analysis using a machine learning algorithm so as to identify behavior that does not match the normal pattern and trigger a corresponding security response mechanism;
Step S4: an algorithm is used to calculate a reputation score by analyzing the historical network behavior and security event logs of the device. This score reflects the security status and behavior credibility of the device and is used in subsequent access control decisions;
Step S5: a secure, encrypted information sharing platform is established so that devices on different networks can share device fingerprint information while preserving privacy. This helps to build a broader device identification network and enhances the defense against new threats;
Step S6: the access control policy is adjusted by a dynamic rules engine based on the behavior patterns, environmental characteristics and reputation scores of the devices. The engine can update access rules in real time to accommodate changes in device status and emerging security threats.
Further, step S1 is specifically as follows:
Step S11: standard hardware information (CPU model, memory size, etc.) and operating system information of the device are collected;
Step S12: the network behavior patterns of the device are recorded, including the types of websites accessed, the network request frequency, the active time periods and the like;
Step S13: service usage data of the device is collected, such as the most commonly used applications or services and their frequency of use;
Step S14: the connection time and duration data are integrated from the connection history of the device.
Further, step S2 specifically includes:
Step S21: using the Wi-Fi network name (SSID) and signal strength of the device connection as part of the identification;
Step S22: analyzing the geographic location of the device through GPS or its IP address;
Step S23: collecting information about surrounding Bluetooth devices as part of the device environment.
Further, step S3 is specifically as follows:
Step S31: deploying a real-time monitoring system and continuously analyzing the network requests and behavior patterns of the device;
Step S32: applying an anomaly detection algorithm, such as a machine-learned abnormal behavior recognition model, to detect unusual behavior patterns;
Step S33: upon detection of abnormal behavior, taking measures immediately, such as limiting the device's network access or issuing a security alert.
Further, step S4 is specifically as follows:
Step S41: establishing a scoring mechanism and assigning reputation scores to devices according to factors such as the normality of the device's network behavior and its historical security events;
Step S42: periodically updating the reputation score of the device to reflect its most recent behavior pattern and security status;
Step S43: dynamically adjusting the network access rights of the device according to its reputation score.
Further, step S5 specifically includes:
Step S51: sharing device fingerprint information with other network access control systems and establishing an anonymized device fingerprint sharing platform;
Step S52: implementing data encryption and anonymization to ensure the security and privacy of the shared information;
Step S53: using the shared device fingerprint data to identify and guard against security threats across networks.
Further, step S6 specifically includes:
Step S61: formulating a personalized access control policy based on the behavior pattern, environment information and reputation score of the device;
Step S62: automatically adjusting the access rights of the device upon detection of a change in its behavior pattern, e.g., raising the security verification requirements or limiting access to sensitive resources;
Step S63: relaxing access restrictions appropriately when the device is in a known secure environment, such as when connected to a trusted corporate network.
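The following is an added example, not code from the patent, showing one way steps S41 to S43 and S61 to S63 could fit together: a reputation score computed from the share of anomalous sessions and from time-decayed penalties for past security events, and a small rules engine that maps the score, the environment and a detected behavior-pattern change to an access level. The session counts, event severities, penalty weights, the 90-day event window and the 50/80 score thresholds are all assumptions; the device histories are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed weights and thresholds; the patent text specifies none of these values.
SEVERITY_PENALTY = {"low": 5, "medium": 15, "high": 40}
EVENT_WINDOW_DAYS = 90       # events older than this no longer count
QUARANTINE_BELOW = 50        # score below this: quarantine (step S43)
FULL_ACCESS_FROM = 80        # score at or above this: full access


@dataclass
class SecurityEvent:
    when: datetime
    severity: str            # "low" | "medium" | "high"


@dataclass
class DeviceHistory:
    device_id: str
    sessions: int            # sessions seen by the behavior monitor
    anomalous_sessions: int  # of which were flagged by the anomaly detector
    events: list = field(default_factory=list)


def reputation_score(history, now):
    """Step S41: 0..100 score from behavior normality minus decayed event penalties.
    Recomputed periodically (step S42) so recent behavior dominates."""
    if history.sessions == 0:
        normality = 0.5                      # unseen device: neutral, not trusted
    else:
        normality = 1 - history.anomalous_sessions / history.sessions
    score = 100 * normality
    for ev in history.events:
        age_days = (now - ev.when).days
        if age_days < 0 or age_days > EVENT_WINDOW_DAYS:
            continue
        weight = 1 - age_days / EVENT_WINDOW_DAYS   # linear decay, zero at the window edge
        score -= SEVERITY_PENALTY.get(ev.severity, 0) * weight
    return max(0, min(100, round(score)))


def access_decision(score, in_trusted_env, behavior_changed):
    """Step S6 rules engine: map score, environment and behavior change to a policy."""
    if score < QUARANTINE_BELOW:
        level = "quarantine"
    elif score < FULL_ACCESS_FROM:
        level = "limited"
    else:
        level = "full"
    require_mfa = False
    if behavior_changed and level != "quarantine":
        # Step S62: a changed behavior pattern raises verification and limits sensitive resources
        level = "limited"
        require_mfa = True
    elif in_trusted_env and level == "limited":
        # Step S63: a known secure environment (e.g. trusted corporate network) relaxes restrictions
        level = "full"
    return {"level": level, "require_mfa": require_mfa}


# Constructed sample histories, evaluated at a fixed "now" so the numbers are reproducible.
NOW = datetime(2024, 6, 1)
LAPTOP = DeviceHistory("laptop-01", sessions=100, anomalous_sessions=2,
                       events=[SecurityEvent(NOW - timedelta(days=10), "high")])
PRINTER = DeviceHistory("printer-03", sessions=50, anomalous_sessions=0,
                        events=[SecurityEvent(NOW - timedelta(days=100), "medium")])
NEW_PHONE = DeviceHistory("phone-new", sessions=0, anomalous_sessions=0)

if __name__ == "__main__":
    for dev in (LAPTOP, PRINTER, NEW_PHONE):
        s = reputation_score(dev, NOW)
        print(dev.device_id, s, access_decision(s, in_trusted_env=True, behavior_changed=False))
```

With these assumptions the laptop with one recent high-severity event scores 62 and lands in the limited tier, which a trusted environment lifts back to full access, while a behavior-pattern change always forces step-up verification regardless of score.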
Further, in step S3, deploying a real-time monitoring system, continuously analyzing the network requests and behavior patterns of the device, and applying an anomaly detection algorithm are the key links, and the steps are as follows:
(1) Appropriate network monitoring tools or software are evaluated and selected, and the monitoring tools are configured at critical network access points (e.g., routers, switches, firewalls) to ensure that all traffic to and from the network is captured.
(2) Client software is installed on the devices to be monitored; it collects behavior data of the device, including application usage, network requests and the like.
(3) The monitoring system is configured to send the captured data in real time to a central analysis server or cloud platform for further processing and analysis.
(4) The collected data is cleaned and preprocessed, including removal of extraneous information, format normalization, etc., to improve the accuracy and efficiency of analysis.
(5) The network requests and behavior patterns of the device are analyzed using statistical analysis and machine learning models to identify the device's normal behavior pattern.
(6) The system monitors device behavior in real time, and preprocessing and behavior pattern analysis are repeated on newly collected data so as to achieve continuous behavior monitoring.
Further, the detection algorithm of step S32 is specifically as follows:
Step S321: network activity data of the device is collected and preprocessed; preprocessing comprises data cleaning (removing invalid or missing data), feature extraction (converting the data into a format the algorithm can use), normalization and the like.
Step S322: a portion of the preprocessed data is randomly selected as the training set. This training set should contain known normal behavior data and possibly abnormal behavior data.
Step S323: the isolation forest model is trained using the training set. In this step a plurality of isolation trees are constructed, each of which isolates observation points by randomly selecting features and split values, and the trained isolation forest model is deployed into the network admission control system for analyzing the network behavior of accessing devices in real time.
Step S324: for each network request or behavior of a device, the corresponding features are extracted in real time and its anomaly score is calculated by the deployed model.
Step S325: whether the device behavior is abnormal is judged from the calculated anomaly score. A score above a preset threshold is considered abnormal behavior.
Step S326: for device behavior detected as abnormal, the system may automatically perform predefined response measures, such as issuing security alerts, restricting or blocking the device's network access, initiating further investigation, and so forth.
Step S327: the detection effect of the isolation forest model is evaluated periodically by comparing the model's predictions with the security events that actually occurred, and the model parameters or the training data set are adjusted according to the evaluation result so as to improve the detection capability and adaptability of the model.
Compared with the prior art, the invention has the following beneficial effects:
1. By accurately identifying device fingerprints, the system can ensure that only authorized devices access network resources, effectively prevent unauthorized access and insider threats, monitor device behavior and environment information in real time, discover and respond to abnormal behavior or security threats in time, and reduce potential security risk.
2. Risks of data leakage and abuse are reduced by limiting access to sensitive data and key systems; a personalized access control policy is established based on the behavior pattern, environment information and reputation score of the device, which improves the use efficiency of network resources and the work flexibility of staff.
3. Automatic device identification and access control lighten the management burden of the IT department and reduce the need for manual intervention; sharing device fingerprint information with partners and industry organizations improves the defense against cross-network and cross-region threats.
4. Device behavior data from different networks is centrally managed and analyzed, providing security situation awareness and threat intelligence from a global view.
5. Users get a seamless network access experience: legitimate devices can easily access the resources they need without complicated login and verification processes.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the following description will briefly explain the drawings needed in the embodiments or the prior art, and it is obvious that the drawings in the following description are some embodiments of the present invention and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of the steps of the present invention
Detailed Description
The technical solution of the present invention will be more clearly and completely explained by the description of the preferred embodiments of the present invention with reference to the accompanying drawings.
As shown in FIG. 1, the present invention specifically comprises:
Step S1: installing a network-layer monitoring tool on the device, collecting hardware information, operating system details and network behavior patterns of the device, and transmitting the information to a central server through an API (application program interface) for analysis to form the device fingerprint;
Step S2: combining the GPS position of the device, the scan result of the Wi-Fi access point and the detection of Bluetooth peripherals, collecting data using built-in sensors and the network layer, extracting environmental characteristics, and combining them with the device fingerprint;
Step S3: monitoring the network requests and application usage of the device, performing pattern analysis on device behavior, identifying behavior that does not match the normal pattern, and triggering a corresponding security response mechanism;
Step S4: analyzing the historical network behavior and security event log of the device and calculating a reputation score, which reflects the security status and behavior credibility of the device and is used in the subsequent access control decision process;
Step S5: establishing an information sharing platform on which devices on different networks share device fingerprint information;
Step S6: adjusting the access control policy according to the behavior patterns, environmental characteristics and reputation scores of the devices.
As a specific embodiment, in the network admission control system the detailed recording of the network behavior pattern of the device, the collection of service usage data and the integration of the device's connection history are key steps, essential for constructing a precise device fingerprint. The detailed flow is as follows:
1. Deploy monitoring agents or tools: monitoring agent software or tools are deployed at the network entry point or on the device to capture the device's network activity in real time, including the requested URL, the type of service (e.g., HTTP, HTTPS, FTP), the timestamp, etc.
2. Data classification and labeling: the captured data is classified by type, e.g., by the type of service accessed, the frequency of requests, the time period of activity, etc., and labeled accordingly.
3. Pattern analysis: data analysis techniques (e.g., statistical analysis, machine learning algorithms) are used to identify the device's behavior patterns. This may include identifying the device's activity level over a particular period, the types of service commonly accessed, and so on.
4. Recording and storing: the analyzed behavior patterns are recorded and stored securely in a database for later device fingerprint comparison and access control decisions.
Collecting service usage data of the device:
1. Application-layer monitoring: the device's usage of particular services (e.g., mail services, social networks, online office platforms) is collected by a client application installed on the device or by a network-layer monitoring tool.
2. Log analysis: the application log files generated by the device are analyzed to extract detailed service usage information, such as access time, frequency of use, duration of use and the like.
3. Data integration: the collected service usage data is integrated with the device's other information to form a comprehensive service usage profile reflecting the device's usual habits and preferences.
Integrating the connection history information of the device:
1. Connection log collection: the timestamp, connection duration, connected network SSID and the like of each connection of the device to the network are recorded by network devices (such as routers and switches) or by the network access control system.
2. Time analysis: time series analysis is performed on the collected connection logs to identify the device's patterns of connecting to the network, such as connection activity and connection frequency during specific periods.
3. Historical data fusion: the device's connection history is fused with its other fingerprint information (such as hardware information and software configuration), enhancing the uniqueness and distinguishability of the device fingerprint.
Through these steps, the network behavior pattern, service usage data and connection history of the device can be recorded and analyzed in detail, providing rich data support for the network access control system and thus more accurate device identification and security control.
As a specific implementation, in the network access control system the understanding of the device environment can be greatly enhanced by using the Wi-Fi network name (SSID) and signal strength of the device connection and collecting information about surrounding Bluetooth devices, improving the accuracy and security of device identification. The specific steps are as follows:
Using the Wi-Fi network name (SSID) and signal strength as part of identification
The identification process comprises the following steps:
1. Data collection: when a device attempts to connect to the network, the network admission control system automatically captures the SSID of the Wi-Fi network the device is connecting to, as well as the Wi-Fi signal strength. This can be done by a monitoring tool or software deployed on the network access point (e.g., a router).
2. Environmental feature analysis: the system identifies the physical environment of the device from the collected SSID and signal strength information. For example, if a device often connects to a Wi-Fi network with a particular SSID and the signal strength is high, the device is probably usually located near that network's signal source.
3. Device fingerprint enhancement: the Wi-Fi SSID and signal strength data are integrated into the device's fingerprint information, enhancing the uniqueness of the fingerprint. Different physical location and environmental characteristics help to distinguish devices with similar hardware and software configurations.
4. Identification and verification: when the device attempts to access the network again, the system assists in verifying its identity by comparing the current SSID and signal strength with the previously recorded data.
The purpose is as follows:
Improved recognition precision: by analyzing the characteristics of the Wi-Fi network the device connects to, the system can identify and authenticate the device more accurately, especially when there are multiple devices with similar or duplicate hardware and software configurations.
Enhanced security: when the physical location of the device or its usual Wi-Fi network changes abnormally, the system can detect potential security risks such as theft or unauthorized movement of the device.
Implementation process for collecting information about surrounding Bluetooth devices:
1. Bluetooth scanning: the device scans surrounding Bluetooth devices through its built-in Bluetooth module and records information such as the names, MAC addresses and signal strengths of the detected Bluetooth devices.
2. Data recording: this Bluetooth device information is sent to the network admission control system and recorded with the device's other fingerprint information.
3. Environmental analysis: the system analyzes the collected Bluetooth device information to identify the physical environment surrounding the device and the devices it may be interacting with.
The purpose is as follows:
Environmental perception: by identifying the Bluetooth devices around the device, the system obtains additional information about the device's current physical environment, which facilitates environment-based security policies and device identification.
Dynamic security policy: the security policy and access rights are adjusted dynamically according to changes in the environment where the device is located. For example, when the device is in a trusted environment (e.g., home or office), the system may appropriately relax access restrictions.
By combining the environmental information collected through Wi-Fi and Bluetooth, the network access control system can identify the device more accurately and implement more reasonable security policies according to the device's usage environment and behavior pattern.
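The following is an added example, not the patent's code, of how the pieces described in steps S11, S21 and S23 and in the Wi-Fi/Bluetooth section above can be combined: a hardware fingerprint hash, an environment baseline built from past Wi-Fi and Bluetooth observations of the device, and a reconnect check that reports a hardware mismatch, an environment change, or a match. The field names, the 12 dB RSSI tolerance and the 50% Bluetooth-neighbour overlap threshold are assumptions; the device record and all observations are constructed sample data.

```python
import hashlib
import json
from collections import Counter
from statistics import mean

# Assumed tolerances; the patent text gives no numeric values.
RSSI_TOLERANCE_DB = 12   # signal strength may drift this much from the usual level and still match
BT_MIN_OVERLAP = 0.5     # at least this share of the usual Bluetooth neighbours must be visible


def hardware_fingerprint(hw):
    """Step S11: stable hash over normalised hardware/OS fields (whitespace and case folded)."""
    canon = {k: str(v).strip().lower() for k, v in hw.items()}
    return hashlib.sha256(json.dumps(canon, sort_keys=True).encode()).hexdigest()


def build_environment_baseline(observations):
    """Steps S21/S23: usual SSIDs with their mean RSSI, plus the Bluetooth neighbours
    seen in at least half of the recorded observations."""
    ssid_rssi = {}
    for obs in observations:
        ssid_rssi.setdefault(obs["ssid"], []).append(obs["rssi"])
    bt_counts = Counter(addr for obs in observations for addr in obs["bt_neighbors"])
    usual_bt = {addr for addr, n in bt_counts.items() if n * 2 >= len(observations)}
    return {"ssids": {s: mean(r) for s, r in ssid_rssi.items()}, "bt": usual_bt}


def environment_matches(baseline, current):
    """Compare a fresh observation with the baseline and return the per-signal results."""
    ssid_known = current["ssid"] in baseline["ssids"]
    rssi_ok = ssid_known and abs(current["rssi"] - baseline["ssids"][current["ssid"]]) <= RSSI_TOLERANCE_DB
    if baseline["bt"]:
        overlap = len(baseline["bt"] & set(current["bt_neighbors"])) / len(baseline["bt"])
    else:
        overlap = 1.0   # nothing recorded, so nothing to contradict
    return {"ssid_known": ssid_known, "rssi_ok": rssi_ok, "bt_overlap": overlap,
            "match": ssid_known and rssi_ok and overlap >= BT_MIN_OVERLAP}


def enroll(device_id, hw, observations):
    """Store the fingerprint together with its environment baseline."""
    return {"device_id": device_id, "fingerprint": hardware_fingerprint(hw),
            "environment": build_environment_baseline(observations)}


def verify(record, hw_now, env_now):
    """Reconnect check: hardware first, then environment. 'environment_changed' is the
    condition the text above associates with theft or unauthorized movement."""
    if hardware_fingerprint(hw_now) != record["fingerprint"]:
        return "fingerprint_mismatch"
    return "match" if environment_matches(record["environment"], env_now)["match"] else "environment_changed"


# Constructed sample data (hypothetical device; the disk serial is a placeholder).
HW = {"cpu": "Intel Core i7-1185G7", "ram_gb": 16, "os": "Windows 11 22H2", "disk_serial": "EXAMPLE-DISK-0001"}
OBSERVATIONS = [
    {"ssid": "corp-wifi", "rssi": -50, "bt_neighbors": ["AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"]},
    {"ssid": "corp-wifi", "rssi": -52, "bt_neighbors": ["AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02", "AA:BB:CC:00:00:03"]},
    {"ssid": "corp-wifi", "rssi": -48, "bt_neighbors": ["AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"]},
    {"ssid": "corp-wifi", "rssi": -55, "bt_neighbors": ["AA:BB:CC:00:00:01"]},
]
RECORD = enroll("laptop-01", HW, OBSERVATIONS)
CURRENT_OK = {"ssid": "corp-wifi", "rssi": -58, "bt_neighbors": ["AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"]}
CURRENT_MOVED = {"ssid": "cafe-free-wifi", "rssi": -70, "bt_neighbors": []}

if __name__ == "__main__":
    print(verify(RECORD, HW, CURRENT_OK))                        # match
    print(verify(RECORD, HW, CURRENT_MOVED))                     # environment_changed
    print(verify(RECORD, {**HW, "ram_gb": 32}, CURRENT_OK))      # fingerprint_mismatch
```

An `environment_changed` result is a signal, not proof of theft: a laptop taken to a cafe produces the same observation as a stolen one. In the policy of step S62 it would typically raise the verification requirement or limit access to sensitive resources rather than block the device outright.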
As a specific implementation of step S3 of the network admission control system, deploying a real-time monitoring system, continuously analyzing the network requests and behavior patterns of devices, and applying an anomaly detection algorithm are the key links, and the specific steps are as follows:
Deploying the real-time monitoring system
1. Selecting a monitoring tool: suitable network monitoring tools or software are evaluated and selected; they should be capable of capturing and analyzing network traffic in real time and support a variety of devices and operating systems.
2. Network device configuration: monitoring tools are deployed at critical network access points (e.g., routers, switches, firewalls) to ensure that all traffic to and from the network is captured.
3. Client deployment: client software is installed on the devices to be monitored; it collects behavior data of the device, including application usage, network requests and the like.
4. Data aggregation: the monitoring system is configured to send the captured data in real time to a central analysis server or cloud platform for further processing and analysis.
Continuously analyzing the network requests and behavior patterns of devices
1. Data preprocessing: the collected data is cleaned and preprocessed, including removal of extraneous information, format normalization, etc., to improve the accuracy and efficiency of analysis.
2. Behavior pattern analysis: the network requests and behavior patterns of the device are analyzed using statistical analysis and machine learning models to identify the device's normal behavior pattern.
3. Continuous monitoring: the system monitors device behavior in real time, and preprocessing and behavior pattern analysis are repeated on newly collected data so as to achieve continuous behavior monitoring.
Specific examples of the steps of the anomaly detection algorithm are: isolation Forest (Isolation Forest), which is an efficient anomaly detection algorithm, 'isolates' observations by randomly selecting features and randomly selecting split points of the feature values. Outliers typically have shorter path lengths and are more easily 'isolated' in the tree structure.
The isolated forest model is trained with normal behavior data of the device, and then the model is used to evaluate the anomaly scores for each observation point in the real-time data stream. Observations whose score exceeds a certain threshold are marked as anomalies.
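The Isolation Forest step described above, written out as an added example (it is not code from the patent, which names no implementation). The forest is fitted on a window of per-minute behaviour summaries for one device, which, as claim 9 step S322 allows, may already contain a few abnormal records, and every record is then given an anomaly score in (0, 1); the window, the three features (requests per minute, kilobytes transferred, distinct destination hosts), the 0.75 threshold and the class and function names are all assumptions made for the example.

```python
import math
import random


def make_window(seed: int = 7, n_normal: int = 200) -> list[list[float]]:
    """Constructed sample window of per-minute behaviour summaries for one device.

    Each record is [requests_per_minute, kilobytes_transferred, distinct_destination_hosts].
    The values are synthetic (not measurements from the patent or any real network); the
    last record is a deliberately extreme burst that a detector should flag.
    """
    rng = random.Random(seed)
    window = [
        [max(0.0, rng.gauss(10, 3)), max(0.0, rng.gauss(50, 15)), max(0.0, rng.gauss(5, 1.5))]
        for _ in range(n_normal)
    ]
    window.append([500.0, 8000.0, 90.0])
    return window


def _c(n: int) -> float:
    """Average path length of an unsuccessful BST search over n points (Liu et al.).

    Used both to normalise scores and to estimate the remaining depth of an unsplit leaf.
    """
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0
    harmonic = math.log(n - 1) + 0.5772156649  # H(n-1) via Euler's constant
    return 2.0 * harmonic - 2.0 * (n - 1) / n


def _build_tree(points: list[list[float]], depth: int, max_depth: int, rng: random.Random):
    """Grow one isolation tree: random feature, random split between that feature's min and max."""
    n = len(points)
    if n <= 1 or depth >= max_depth:
        return ("leaf", n)
    feature = rng.randrange(len(points[0]))
    lo = min(p[feature] for p in points)
    hi = max(p[feature] for p in points)
    if lo == hi:  # nothing left to split on this feature
        return ("leaf", n)
    split = rng.uniform(lo, hi)
    left = [p for p in points if p[feature] < split]
    right = [p for p in points if p[feature] >= split]
    return ("node", feature, split,
            _build_tree(left, depth + 1, max_depth, rng),
            _build_tree(right, depth + 1, max_depth, rng))


def _path_length(tree, x: list[float], depth: int = 0) -> float:
    """Depth at which x ends up, plus the expected extra depth of an unsplit leaf."""
    if tree[0] == "leaf":
        return depth + _c(tree[1])
    _, feature, split, left, right = tree
    return _path_length(left if x[feature] < split else right, x, depth + 1)


class IsolationForest:
    """Minimal Isolation Forest: an ensemble of random isolation trees over subsamples."""

    def __init__(self, n_trees: int = 100, sample_size: int = 256, seed: int = 0):
        self.n_trees, self.sample_size, self.seed = n_trees, sample_size, seed
        self.trees, self.psi = [], 0

    def fit(self, data: list[list[float]]) -> "IsolationForest":
        rng = random.Random(self.seed)
        self.psi = min(self.sample_size, len(data))
        max_depth = math.ceil(math.log2(self.psi))  # depth cap from the original paper
        self.trees = [_build_tree(rng.sample(data, self.psi), 0, max_depth, rng)
                      for _ in range(self.n_trees)]
        return self

    def score(self, x: list[float]) -> float:
        """Anomaly score in (0, 1): near 1 = isolated quickly = anomalous; near 0.5 = ordinary."""
        mean_path = sum(_path_length(t, x) for t in self.trees) / len(self.trees)
        return 2.0 ** (-mean_path / (_c(self.psi) or 1.0))


def flag_anomalies(window: list[list[float]], threshold: float = 0.75, seed: int = 1) -> list[int]:
    """Fit on the window and return the indices of records whose score exceeds the threshold."""
    forest = IsolationForest(seed=seed).fit(window)
    return [i for i, x in enumerate(window) if forest.score(x) > threshold]


if __name__ == "__main__":
    window = make_window()
    forest = IsolationForest(seed=1).fit(window)
    for i in (0, 1, len(window) - 1):
        print(i, [round(v, 1) for v in window[i]], round(forest.score(window[i]), 3))
    print("flagged:", flag_anomalies(window))
```

The extreme record is separated from the rest by the first one or two random cuts in almost every tree, so its score lands around 0.9, while in-distribution records need seven or eight cuts and score near 0.5. In a deployment the threshold would be calibrated on a period of known-good traffic rather than fixed, and `score` can be called on later records without refitting, which is the real-time use the description refers to.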
As a specific implementation, the process of establishing a device reputation scoring mechanism, assigning reputation scores to devices according to their network behavior and historical security events, and then dynamically adjusting their network access rights is implemented as follows:
Establishing a device reputation scoring mechanism
1. Defining scoring criteria: factors that affect the reputation score of a device, such as the normality of network behavior, historical security events (including security exploits, malware infections, etc.), the configuration and update status of the device, etc., are first determined.
2. Scoring model design: a scoring model is designed that quantifies the factors into numerical values and defines their weight on the total reputation score. For example, historical security events may have a greater negative impact on reputation scores.
3. Data collection and processing: the deployed system collects the data relevant to the above factors and performs the necessary preprocessing, such as data cleansing and formatting, for use in the scoring model.
Assigning reputation scores to devices
1. Calculating an initial reputation score: an initial reputation score is calculated for each device based on the collected data and the scoring model.
2. Continuously updating the reputation score: as new data is continually collected, the reputation score for each device is periodically recalculated to reflect its most current network behavior and security status.
3. Anomaly detection feedback: the results of anomaly detection (such as the anomaly detection in step 3) are incorporated into the reputation score; if an anomaly is detected, the device's reputation score is reduced accordingly.
Dynamically adjusting network access rights
1. Defining an access policy: different network access policies are defined according to the reputation score range of the device. For example, high reputation score devices may enjoy looser access rights, while low reputation score devices are more severely restricted.
2. Implementing access control: the network access rights of a device are adjusted dynamically according to its current reputation score. This can be done automatically by the network admission control system, for example by modifying firewall rules or adjusting network access policies.
3. Monitoring and feedback: the network behavior of devices and the effect of the corresponding access right adjustments are monitored continuously, feedback is collected, and the reputation scoring mechanism and access control policy are further optimized according to actual conditions.
4. Manual intervention and auditing: if necessary, the security administrator is allowed to manually adjust the reputation score of the device or directly modify its access rights, especially if the automation system is unable to accurately reflect the device's security conditions.
Through these steps, the network access control system can dynamically manage the network access rights of devices based on their behavior and historical security records, improving the overall security of the network.
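The scoring mechanism and the score-driven access adjustment described above, as an added example that is not the patent's own code. The factors follow the description (behavior normality, historical security events, configuration and update state, anomaly detection feedback); the weights, the 30-day half-life for old incidents, the 90-day patch grace period, the score bands and the rule syntax pushed for each band are assumed values chosen for the example, as are the class and function names.

```python
from dataclasses import dataclass, field


@dataclass
class DeviceHistory:
    """Inputs to the scoring model for one device (all values constructed for the example)."""
    device_id: str
    behaviour_normality: float          # 0..1 from behaviour analysis; 1 = fully consistent
    patch_age_days: int                 # days since the last OS/security update was applied
    security_events: list[tuple[int, str]] = field(default_factory=list)  # (days_ago, kind)
    anomaly_scores: list[float] = field(default_factory=list)             # recent detector scores


# Scoring-model weights (assumed values): how much each factor moves the 0..100 score.
EVENT_PENALTY = {"malware_infection": 40.0, "exploit_attempt": 25.0, "policy_violation": 10.0}
EVENT_HALF_LIFE_DAYS = 30.0     # old incidents fade: the penalty halves every 30 days
PATCH_GRACE_DAYS = 90           # configuration factor reaches zero once updates are 90 days overdue
ANOMALY_THRESHOLD = 0.75        # assumed, same convention as the detector step
ANOMALY_PENALTY = 15.0          # deducted per recent observation the detector flagged


def reputation_score(h: DeviceHistory) -> float:
    """Combine behaviour, configuration state, decayed incident history and anomaly feedback."""
    patch_factor = max(0.0, 1.0 - h.patch_age_days / PATCH_GRACE_DAYS)
    score = 100.0 * (0.6 * h.behaviour_normality + 0.4 * patch_factor)
    for days_ago, kind in h.security_events:
        score -= EVENT_PENALTY.get(kind, 5.0) * 0.5 ** (days_ago / EVENT_HALF_LIFE_DAYS)
    score -= ANOMALY_PENALTY * sum(1 for s in h.anomaly_scores if s > ANOMALY_THRESHOLD)
    return round(min(100.0, max(0.0, score)), 1)


# Access policy bands keyed by minimum score (assumed thresholds), most permissive first.
ACCESS_BANDS = [(80.0, "full"), (50.0, "standard"), (20.0, "restricted"), (0.0, "quarantine")]


def access_band(score: float) -> str:
    for minimum, band in ACCESS_BANDS:
        if score >= minimum:
            return band
    return "quarantine"


def firewall_rules(device_id: str, band: str) -> list[str]:
    """Translate a band into the rule set the NAC would push (illustrative rule syntax)."""
    rules = {
        "full": ["allow any"],
        "standard": ["deny net:sensitive", "allow any"],
        "restricted": ["allow net:public", "allow host:remediation", "deny any"],
        "quarantine": ["allow host:remediation", "deny any"],
    }
    return [f"{device_id}: {r}" for r in rules[band]]


def evaluate(h: DeviceHistory) -> dict:
    """One scoring pass: score, band and resulting rules, as each periodic recalculation produces."""
    score = reputation_score(h)
    band = access_band(score)
    return {"device": h.device_id, "score": score, "band": band,
            "rules": firewall_rules(h.device_id, band)}


if __name__ == "__main__":
    clean = DeviceHistory("laptop-01", 0.95, 10, [], [0.4, 0.5])
    suspect = DeviceHistory("laptop-02", 0.8, 45, [(30, "exploit_attempt")], [0.8])
    for h in (clean, suspect):
        print(evaluate(h))
```

Re-running `evaluate` on a refreshed `DeviceHistory` is the periodic recalculation of step 2, and the decay term is what lets a device that was cleaned up months ago climb back into a higher band without an administrator editing the score by hand (step 4 of the access adjustment remains available for cases the model gets wrong).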
As a specific implementation, the process of sharing device fingerprint information with other network access control systems, establishing an anonymized device fingerprint sharing platform, and using the shared data to identify and prevent cross-network security threats comprises the following steps:
Establishing an anonymized device fingerprint sharing platform
1. Establishing a sharing protocol: a data sharing agreement is concluded with every party participating in the sharing; it determines which data may be shared, how it is shared and how it may be used, ensures that all parties follow the same rules, and respects users' privacy and legal requirements.
2. Data anonymization: the device fingerprint information to be shared is anonymized to remove or replace all information that could identify an individual. Techniques such as k-anonymity and differential privacy can be used to ensure that the data protects user privacy while it is shared.
3. Establishing a secure data transmission mechanism: a secure transmission mechanism is established using encryption and a secure communication protocol (such as TLS) to protect the data while it is in transit.
4. Platform development and deployment: an online platform supporting anonymized data sharing, querying and updating is developed and deployed on a secure server. The platform allows each party to query shared device fingerprint information as needed while guaranteeing the integrity and reliability of the data.
Utilizing shared device fingerprint data
1. Identifying devices across networks: using the shared platform, participants can query known device fingerprint information to determine whether devices present in their own network have records of adverse behavior in other networks or have been identified as potential risks.
2. Security threat analysis: by analyzing device fingerprint information and related security events from different networks, common characteristics of particular types of attack patterns or malicious behavior can be identified.
3. Implementing preventive measures: based on the shared device fingerprint and security threat information, each network can adjust its security policies and safeguards in advance, for example by updating access control policies or enhancing monitoring of specific devices or behaviors, to prevent potential cross-network security threats.
4. Information feedback and update: each participating party periodically contributes new device fingerprint information and security events found in its own network, updating the platform's database so that the shared information remains timely and accurate.
Through this process, establishing and using an anonymized device fingerprint sharing platform strengthens cooperation among different networks, improves the ability to identify and defend against cross-network security threats, and protects user privacy and data security.
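The anonymization step of the sharing platform (k-anonymity, named in the description) combined with a pseudonym that still lets a receiving network match a device it sees, as an added example that is not the patent's code. The five raw records, the shared HMAC key, the choice of quasi-identifiers (OS family, hardware vendor, region) and the function names are assumptions constructed for the example; differential privacy, also mentioned in the description, is not shown.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample of raw fingerprint records from one participant's network (not real devices).
RAW_RECORDS = [
    {"device_id": "AA:BB:CC:00:00:01", "os": "Windows 10.0.19045", "model": "Dell Latitude 7420",
     "region": "EU-West", "threat": "malware_infection"},
    {"device_id": "AA:BB:CC:00:00:02", "os": "Windows 10.0.19044", "model": "Dell XPS 13",
     "region": "EU-West", "threat": None},
    {"device_id": "AA:BB:CC:00:00:03", "os": "Windows 11.0.22621", "model": "Lenovo ThinkPad X1",
     "region": "US-East", "threat": "port_scanning"},
    {"device_id": "AA:BB:CC:00:00:04", "os": "Windows 11.0.22000", "model": "Lenovo ThinkPad T14",
     "region": "US-East", "threat": None},
    {"device_id": "AA:BB:CC:00:00:05", "os": "macOS 14.4", "model": "Apple MacBook Pro",
     "region": "APAC", "threat": None},
]
# Attributes that, combined, could single a device out; these are what k-anonymity protects.
QUASI_IDENTIFIERS = ("os_family", "vendor", "region")


def pseudonymise(identifier: str, shared_key: bytes) -> str:
    """Keyed hash of a raw identifier (e.g. a MAC address).

    Every party holding the same key derives the same pseudonym for the same device, so
    matches are possible without the raw identifier ever crossing network boundaries.
    """
    return hmac.new(shared_key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def generalise(rec: dict) -> dict:
    """Coarsen quasi-identifiers: exact build and model become OS family and vendor."""
    os_family = " ".join(rec["os"].split()[:2]).split(".")[0]   # "Windows 10.0.19045" -> "Windows 10"
    return {"os_family": os_family, "vendor": rec["model"].split()[0], "region": rec["region"]}


def k_anonymise(records: list[dict], k: int, shared_key: bytes) -> list[dict]:
    """Return records fit for sharing: generalised, pseudonymised, and k-anonymous.

    Records whose generalised quasi-identifier combination is shared by fewer than k devices
    are suppressed entirely rather than leaked with a unique attribute combination.
    """
    generalised = [generalise(r) for r in records]
    class_sizes = Counter(tuple(g[q] for q in QUASI_IDENTIFIERS) for g in generalised)
    shared = []
    for raw, g in zip(records, generalised):
        if class_sizes[tuple(g[q] for q in QUASI_IDENTIFIERS)] < k:
            continue  # too few peers to hide among
        shared.append({**g, "pseudonym": pseudonymise(raw["device_id"], shared_key),
                       "threat": raw["threat"]})
    return shared


def min_class_size(shared: list[dict]) -> int:
    """Smallest equivalence class in a shared batch; must be >= k for the batch to be k-anonymous."""
    if not shared:
        return 0
    return min(Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in shared).values())


if __name__ == "__main__":
    key = b"constructed-shared-key"   # in practice agreed between the parties under the sharing protocol
    for r in k_anonymise(RAW_RECORDS, k=2, shared_key=key):
        print(r)
```

Two caveats a practitioner would check before sharing: the pseudonym protects the raw identifier only while the key stays secret, since a MAC address has little entropy and anyone holding the key can recompute pseudonyms for candidate addresses; and k-anonymity on the quasi-identifiers says nothing about the `threat` attribute, so a class whose members all carry the same threat label still reveals that label for every member (the l-diversity refinement addresses this).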
As a specific implementation, the process of formulating a personalized access control policy based on the device's behavior patterns, environmental information, and reputation scores, and automatically adjusting its access rights upon detection of a change in the device's behavior patterns involves data analysis, policy design, and the establishment of an automated response mechanism. The method comprises the following steps:
Formulating personalized access control policies
1. Data integration and analysis
Step 1.1: behavior pattern data for the device, environmental information (e.g., connected WiFi networks, location information, etc.), and reputation scores for the device are collected.
Step 1.2: the collected data is analyzed to identify the normal usage patterns, the security environment levels and reputation levels of the device.
2. Policy design
Step 2.1: different levels of access control policies are designed according to the normal use mode, the environmental security level and the reputation level of the device. For example:
High reputation device: a wider range of network access rights is allowed, such as accessing sensitive data or performing advanced tasks.
Low reputation device: network access rights are limited, allowing only access to public information or basic operations.
Step 2.2: additional access control rules are set for device behavior in certain environments, such as automatically enhancing security checks under public WiFi.
3. Personalized policy application
Step 3.1: and applying the designed personalized access control strategy to a network access control system to ensure that each device obtains corresponding access rights according to the behavior mode, the environment information and the reputation score.
Step 3.2: access control policies are periodically reviewed and updated to accommodate new security threats and changes in device usage patterns.
Automatically adjusting device access rights
1. Device behavior monitoring
Step 1.1: network behavior and environmental information of the device are monitored in real time, and reputation scores of the device are updated periodically.
Step 1.2: the behavior pattern of the device is analyzed using an anomaly detection algorithm (such as the previously mentioned isolated forest) to identify deviations from the normal pattern.
2. Automatic response mechanism
Step 2.1: an automatic response mechanism is triggered when a significant change in the device behavior pattern is detected, or a change in the environmental information and reputation score occurs.
Step 2.2: the access rights of the device are automatically adjusted according to predefined policies and rules. For example, for a device that detects abnormal behavior, it is temporarily restricted from accessing sensitive resources until further verification.
3. Auditing and review
Step 3.1: all automatic access-right adjustments and the associated changes in device behavior patterns are recorded.
Step 3.2: automatic response decisions are audited and reviewed regularly to optimize the response strategy and reduce misjudgments.
Through this process, the network access control system can manage device access rights in a personalized way and adjust them automatically, improving the security and flexibility of the network while reducing the administrative burden.
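The personalized policy and the automatic response mechanism just described, as an added example (not the patent's own code): a decision function that combines reputation score, environment and the latest anomaly score, and a small engine that re-evaluates a device each time its context changes, applies the new level, and records every change for the audit step. The access levels, the reputation thresholds, the trusted-environment list, the 0.75 anomaly threshold and the `verified` flag (step-up authentication completed) are assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Access(IntEnum):
    """Access levels, ordered so that min() picks the more restrictive one."""
    BLOCKED = 0
    PUBLIC_ONLY = 1
    STANDARD = 2
    FULL = 3


@dataclass
class DeviceContext:
    """Current view of one device: constructed inputs for the example."""
    device_id: str
    reputation: float       # 0..100 from the reputation scoring mechanism
    environment: str        # e.g. "office", "home", "public_wifi", "unknown"
    anomaly_score: float    # latest detector score in 0..1
    verified: bool = False  # True once step-up authentication succeeded after an alert


TRUSTED_ENVIRONMENTS = {"office", "home"}   # assumed list of known secure environments
ANOMALY_THRESHOLD = 0.75                    # assumed, same convention as the detector step


def decide(ctx: DeviceContext) -> tuple[Access, list[str]]:
    """Personalized policy: reputation sets the baseline, environment and behaviour tighten it."""
    reasons: list[str] = []
    if ctx.reputation < 20:
        return Access.BLOCKED, ["reputation below quarantine floor"]
    if ctx.reputation >= 80:
        level, note = Access.FULL, "high reputation"
    elif ctx.reputation >= 50:
        level, note = Access.STANDARD, "medium reputation"
    else:
        level, note = Access.PUBLIC_ONLY, "low reputation"
    reasons.append(note)
    # Extra rule for untrusted environments: sensitive resources are withheld on public Wi-Fi.
    if ctx.environment not in TRUSTED_ENVIRONMENTS and level > Access.STANDARD:
        level = Access.STANDARD
        reasons.append(f"untrusted environment '{ctx.environment}': sensitive resources withheld")
    # Automatic response: a behaviour deviation restricts the device until it is verified.
    if ctx.anomaly_score > ANOMALY_THRESHOLD and not ctx.verified:
        level = min(level, Access.PUBLIC_ONLY)
        reasons.append("behaviour deviates from baseline: restricted pending verification")
    return level, reasons


class PolicyEngine:
    """Re-evaluates devices as their context changes and keeps an audit trail of every change."""

    def __init__(self) -> None:
        self.current: dict[str, Access] = {}
        self.audit: list[dict] = []

    def update(self, ctx: DeviceContext) -> Access:
        level, reasons = decide(ctx)
        previous = self.current.get(ctx.device_id)
        if level != previous:   # only real changes are applied and logged
            self.audit.append({
                "device": ctx.device_id,
                "from": previous.name if previous is not None else None,
                "to": level.name,
                "reasons": reasons,
                "context": {"environment": ctx.environment, "reputation": ctx.reputation,
                            "anomaly_score": ctx.anomaly_score, "verified": ctx.verified},
            })
            self.current[ctx.device_id] = level
        return level


if __name__ == "__main__":
    engine = PolicyEngine()
    timeline = [
        DeviceContext("laptop-01", 90, "office", 0.3),
        DeviceContext("laptop-01", 90, "public_wifi", 0.3),
        DeviceContext("laptop-01", 90, "public_wifi", 0.9),
        DeviceContext("laptop-01", 90, "public_wifi", 0.9, verified=True),
        DeviceContext("laptop-01", 90, "office", 0.2),
    ]
    for ctx in timeline:
        print(ctx.environment, ctx.anomaly_score, ctx.verified, "->", engine.update(ctx).name)
    for entry in engine.audit:
        print(entry["from"], "->", entry["to"], entry["reasons"])
```

The audit entries carry the reasons and the context at decision time, which is what the periodic review in step 3.2 needs to tell a correct restriction from a false positive and to tune the thresholds accordingly.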
As a specific implementation case, the application of the device fingerprint identification technology of the network access control system by an international financial company comprises the following steps:
The security team first analyzes the company's business needs and existing security challenges and determines the types of device information to be collected, such as operating system version, hardware configuration and commonly used applications. The team also formulates data processing and privacy protection policies to ensure compliance with international standards such as GDPR.
1. Device registration and fingerprint generation: every employee device must complete a registration process when it first connects to the corporate network; the system automatically collects device information and generates a device fingerprint.
2. Environmental perception and behavior analysis: the system identifies the usual usage environment and behavior habits of each device by analyzing its connection history and behavior pattern. For example, it may find that the devices of finance department staff typically access only a particular financial system during working hours.
3. Dynamic access control: access rights are dynamically adjusted based on the device's reputation score and behavior pattern. When the system detects that a device is attempting to access a sensitive system outside business hours, additional authentication may be required.
4. Abnormal behavior detection: a machine learning model monitors device behavior; on events such as abnormal login attempts or access to an abnormal amount of data, the system automatically triggers an alarm and limits the device's access rights.
5. Cross-institution information sharing: the company and its partners establish a secure information sharing platform to share and receive fingerprint information of devices associated with known threats, enhancing security protection across networks.
6. Continuous monitoring and optimization: the security team uses the collected data to continuously optimize access control policies and abnormal behavior detection models to accommodate new security threats and changes in business needs.
The company significantly improved the security of its network and reduced the occurrence of security incidents. Staff can use a variety of devices to access network resources safely and efficiently, and the IT security team can monitor network activity more effectively and respond to security threats in time. In addition, information sharing with other institutions enhances the defense against cross-network threats.
The above detailed description is merely illustrative of the preferred embodiments of the present invention and is not intended to limit the scope of the present invention. Various modifications, substitutions and improvements of the technical scheme of the present invention will be apparent to those skilled in the art from the description and drawings provided herein without departing from the spirit and scope of the invention. The scope of the invention is defined by the claims.
Claims (9)
1. The network access control system device fingerprint information identification technology is characterized by comprising the following steps:
Step S1: installing a network-layer monitoring tool on the device, collecting its hardware information, operating system details and network behavior patterns, and transmitting this information to a central server through an API (application programming interface) for analysis to form a device fingerprint;
Step S2: combining the device's GPS position, Wi-Fi access point scan results and Bluetooth peripheral detection, collecting data using built-in sensors and the network layer, extracting environmental characteristics, and combining them with the device fingerprint;
Step S3: monitoring the network requests and application usage of the device, performing pattern analysis on device behavior, identifying behavior that does not conform to the normal pattern, and triggering a corresponding security response mechanism;
Step S4: analyzing the historical network behavior and security event log of the device and calculating a reputation score, which reflects the security state and behavior credibility of the device and is used in subsequent access control decisions;
Step S5: establishing an information sharing platform through which device fingerprint information is shared among different networks;
Step S6: adjusting the access control policy according to the behavior patterns, environmental characteristics and reputation scores of the devices.
2. The network admission control system device fingerprint information identification technology according to claim 1, wherein step S1 is specifically as follows:
Step S11: collecting standard hardware information and operating system information of the device;
Step S12: recording the network behavior pattern of the device;
Step S13: collecting service usage data of the device;
Step S14: integrating connection time and duration data from the connection history of the device.
3. The network admission control system device fingerprint information identification technology according to claim 1, wherein step S2 is specifically as follows:
Step S21: using the name and signal strength of the Wi-Fi network the device is connected to as part of the identification;
Step S22: analyzing the geographic position of the device through GPS or its IP address;
Step S23: collecting information about surrounding Bluetooth devices as part of the device environment.
4. The network admission control system device fingerprint information identification technology according to claim 1, wherein step S3 is specifically as follows:
Step S31: deploying a real-time monitoring system and continuously analyzing the network requests and behavior patterns of devices;
Step S32: detecting unusual behavior patterns using an anomaly detection algorithm;
Step S33: upon detection of abnormal behavior, restricting the device's network access or raising a security alert.
5. The network admission control system device fingerprint information identification technology according to claim 1, wherein step S4 is specifically as follows:
Step S41: establishing a scoring mechanism and assigning reputation scores to devices;
Step S42: periodically updating the reputation score of each device to reflect its most recent behavior pattern and security status;
Step S43: dynamically adjusting the network access rights of a device according to its reputation score.
6. The network admission control system device fingerprint information identification technology according to claim 1, wherein step S5 further comprises:
Step S51: sharing device fingerprint information with other network access control systems and establishing a device fingerprint sharing platform;
Step S52: implementing data encryption and anonymization to ensure the security and privacy of the shared information;
Step S53: using the shared device fingerprint data to identify and guard against security threats across networks.
7. The network admission control system device fingerprint information identification technology according to claim 1, wherein step S6 comprises:
Step S61: formulating an access control policy based on the behavior pattern, environmental information and reputation score of the device;
Step S62: automatically adjusting the access rights of the device when a change in its behavior pattern is detected;
Step S63: relaxing access restrictions when the device is in a known secure environment.
8. The network admission control system device fingerprint information identification technology according to claim 1, wherein in step S3, deploying a real-time monitoring system, continuously analyzing the network requests and behavior patterns of devices, and applying an anomaly detection algorithm are the key links, and the steps are as follows:
(1) Evaluating and selecting a network monitoring tool and configuring it at key network access points to ensure that all traffic entering and leaving the network can be captured;
(2) Installing client software on the devices to be monitored, the client software collecting behavior data of the device;
(3) Configuring the monitoring system to send captured data to a central analysis server or cloud platform in real time;
(4) Cleaning and preprocessing the collected data;
(5) Analyzing the network requests and behavior patterns of devices using statistical analysis and machine learning models, and identifying the normal behavior pattern of each device;
(6) Monitoring device behavior in real time and repeatedly applying preprocessing and behavior pattern analysis to newly collected data, achieving continuous behavior monitoring.
9. The network admission control system device fingerprint information identification technology according to claim 1, wherein the anomaly detection algorithm in step S32 is specifically as follows:
Step S321: collecting network activity data of devices and preprocessing the collected data;
Step S322: randomly selecting a part of the preprocessed data as a training set, the training set comprising known normal behavior data and possibly abnormal behavior data;
Step S323: training an isolation forest model with the training set data by constructing a plurality of isolation trees, each tree isolating observations by randomly selecting features and split values, and deploying the trained isolation forest model in the network access control system to analyze the network behavior of accessing devices in real time;
Step S324: for each network request or behavior of a device, extracting the corresponding features in real time and calculating their anomaly score with the deployed model;
Step S325: judging whether the device behavior is abnormal according to the calculated anomaly score, the behavior being considered abnormal when the score is higher than a preset threshold;
Step S326: for device behavior detected as abnormal, the system may automatically perform predefined response measures;
Step S327: periodically evaluating the detection effect of the isolation forest model by comparing its predictions with the security events that actually occurred, assessing its accuracy and effectiveness, and adjusting the model parameters or updating the training data set according to the evaluation results to improve the model's detection capability and adaptability.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410535597.3A CN118317315A (en) | 2024-04-30 | 2024-04-30 | Fingerprint information identification technology for network access control system equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118317315A true CN118317315A (en) | 2024-07-09 |
Family
ID=91725680
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410535597.3A Pending CN118317315A (en) | 2024-04-30 | 2024-04-30 | Fingerprint information identification technology for network access control system equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118317315A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN119783071A (en) * | 2024-12-05 | 2025-04-08 | 云南德普科技有限公司 | A cloud terminal-based personal information security management method and system |
CN119783071B (en) * | 2024-12-05 | 2025-08-15 | 深圳市聚迅科技有限公司 | Personal information security management method and system based on cloud terminal |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||