
CN119945773A - Distributed identity authentication and access control system based on zero trust - Google Patents


Info

Publication number
CN119945773A
Authority
CN
China
Prior art keywords
access
reliability
data
identity authentication
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202510094098.XA
Other languages
Chinese (zh)
Other versions
CN119945773B (en)
Inventor
刘志昌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Avic Cloud Telecom Co ltd
Original Assignee
Avic Cloud Telecom Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Avic Cloud Telecom Co ltd
Priority to CN202510094098.XA
Publication of CN119945773A
Application granted
Publication of CN119945773B
Legal status: Active
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a distributed identity authentication and access control system based on zero trust, in the technical field of access control. The system authenticates the identity information of a user both when logging in to the service Internet platform and when accessing an item that corresponds to a role user's high-level authority, which reduces the possibility of data leakage. It introduces a comprehensive access reliability analysis mechanism into the access process. While basic data access rights are applied, if the comprehensive access reliability does not meet expectations, the interface of the item being accessed is exited directly and the user is returned to its upper-level interface; if the comprehensive access reliability does not meet expectations at the main interface, the service Internet platform is exited directly. When high-level data access rights are applied for, the high-level data access right for the item to be accessed is issued to the user only when the comprehensive access reliability meets expectations and access identity authentication passes. The data exposure risk during access to the service Internet platform is thereby effectively reduced.

Description

Distributed identity authentication and access control system based on zero trust
Technical Field
The invention relates to the technical field of access control, in particular to a distributed identity authentication and access control system based on zero trust.
Background
With the rapid development of Internet technology, the many services that keep emerging are aggregated through the Internet to form a service Internet. In recent years the microservice architecture (MSA), which builds on the SOA concept, has been widely adopted because it is easy to extend and maintain, and it is widely used in service Internet platforms, making MSA the first choice for enterprises that provide services to users and operate within organizations. However, because the service Internet spans networks and domains, remote service calls and service access scenarios are increasing, the scenarios that access control must handle are becoming more complex, and the demands placed on access control grow accordingly.
The existing identity authentication and access control systems tie the user's login authentication result to the access control policy and open all access and operation rights to the user once the user has successfully logged in to the service Internet platform. The user can then access the required data directly and quickly, which greatly facilitates data queries and effectively improves service quality.
However, such systems still have problems: identity is authenticated only when the user logs in to the service Internet platform, and all access and operation rights are released after login. A one-time verification mechanism can hardly guarantee that the security risk of access or operation behaviour is completely eliminated, so unauthorized access or data leakage may still occur. A new access control mechanism therefore needs to be introduced to further reduce the risk of data leakage.
Disclosure of Invention
In order to overcome the above-mentioned drawbacks of the prior art, embodiments of the present invention provide a distributed identity authentication and access control system based on zero trust, so as to solve the problems set forth in the background art.
To achieve the above purpose, the invention provides the following technical solution: the distributed identity authentication and access control system based on zero trust comprises:
the access right setting module, which constructs a role access control model to create users with different roles and assigns different data access rights to each role user;
the identity authentication module, which comprises two modes, login identity authentication and access identity authentication; login identity authentication authenticates the identity information of a user when logging in to the service Internet platform, and access identity authentication authenticates the identity information of the user when accessing an item corresponding to the role user's high-level authority;
the access monitoring module, which monitors the access behaviour of a user on the service Internet platform in real time, generates an access log for backup, extracts real-time access operation data, real-time access network environment data and real-time access equipment data, and sends them to the access monitoring data analysis module;
the access monitoring data analysis module, which processes the extracted real-time access operation data, real-time access network environment data and real-time access equipment data to calculate the operation reliability coefficient, the network reliability coefficient and the equipment reliability coefficient respectively;
the comprehensive access reliability analysis module, which calculates a comprehensive access reliability index from the operation reliability coefficient, the network reliability coefficient and the equipment reliability coefficient, judges whether the index meets expectations, and sends the judgment result to the access control module;
the access control module, which receives the comprehensive access reliability judgment result and the identity authentication result, generates an access control strategy from them, and updates the user's access authority in combination with the user's historical access logs after each daily access log is generated;
and the database, which stores the data of all modules in the system.
The identity authentication module comprises an account registration unit, a login identity authentication unit, an access identity authentication unit and an identity authentication result output unit. The account registration unit generates a login account after the user enters a real name, an identity card number, an email account, a strong login password, a real-name registered mobile phone number, expected authentication questions and answers, and fingerprint information. The login identity authentication unit performs multi-factor identity authentication on the user, and the user enters the main interface of the service Internet platform after authentication passes. The access identity authentication unit authenticates the user's identity information when the user accesses an item corresponding to the role's high-level authority. The identity authentication result output unit sends the login identity authentication result and the access identity authentication result to the access control module.
Preferably, the real-time access operation data extracted by the access monitoring module are the number of repeated access applications mfcij for the jth item at the ith moment and the no-operation access duration Tfcij of the jth item at the ith moment; the real-time access network environment data comprise the user's network connection speed vai, network bandwidth vbi and time delay Tai at the ith moment; and the real-time access equipment data comprise the firewall false alarm rate αwi at the ith moment, the number of version updates mai by which the operating system version at the ith moment lags the latest operating system version, and the browser encryption strength coefficient εmi at the ith moment.
Preferably, the access monitoring data analysis module comprises a data receiving unit, an operation reliability analysis unit, a network reliability analysis unit, a device reliability analysis unit and a data output unit. The data receiving unit receives the extracted real-time access operation data, real-time access network environment data and real-time access device data. The operation reliability analysis unit calculates the operation reliability coefficient Xrci at the ith moment according to a specific formula in which βmij and βTij are, in turn, the access application overrun coefficient and the no-operation stay overrun coefficient of the jth item at the ith moment; these are calculated from mfr and Tfr, in turn the maximum allowed number of repeated accesses to an item and the maximum allowed no-operation stay time of an item, and na is the number of items. The network reliability analysis unit calculates the network reliability coefficient Xrwi at the ith moment according to a specific formula in which vae, vbe and Tae are the lowest network connection speed, the lowest network bandwidth and the maximum time delay. The device reliability analysis unit calculates the device reliability coefficient Xrsi at the ith moment according to a specific formula. The data output unit transmits the calculated operation reliability coefficient, network reliability coefficient and equipment reliability coefficient to the comprehensive access reliability analysis module.
Preferably, the comprehensive access reliability analysis module comprises a data receiving unit, a comprehensive access reliability analysis unit, a comprehensive access reliability judging unit and a judgment result output unit. The data receiving unit receives the operation reliability coefficient, network reliability coefficient and equipment reliability coefficient calculated for the ith moment. The comprehensive access reliability analysis unit calculates the comprehensive access reliability index YFi at the ith moment according to a specific formula. The comprehensive access reliability judging unit compares the calculated comprehensive access reliability index with the comprehensive access reliability expected value: the calculated value meets expectations if it is greater than or equal to the expected value and does not meet expectations if it is smaller. The judgment result output unit sends the comprehensive access reliability judgment result to the access control module.
The access control module comprises an information receiving unit and an access control strategy generating unit. The information receiving unit receives the comprehensive access reliability judgment result and the identity authentication result. The access control strategy generating unit automatically issues the role's basic data access rights to the user when login identity authentication passes and instructs the access monitoring module to start access monitoring. While the basic data access rights are applied, if the comprehensive access reliability does not meet expectations, the interface of the item being accessed is exited directly and the user is returned to its upper-level interface; if the comprehensive access reliability does not meet expectations at the main interface, the service Internet platform is exited directly. When a high-level data access right is applied for, the high-level data access right for the item to be accessed is issued to the user only when the comprehensive access reliability meets expectations and access identity authentication passes; when the comprehensive access reliability meets expectations but access identity authentication fails, the service Internet platform is exited directly.
Preferably, the access control module further comprises a history access log calling unit, a comprehensive access average credibility calculating unit, a user access right adjustment judging unit and a user access right updating unit. The history access log calling unit retrieves the user's historical access logs. The comprehensive access average credibility calculating unit gathers the comprehensive access credibility indices that can be calculated from the current access log and the historical access logs and calculates the comprehensive access average credibility index YFe according to a specific formula. The user access right adjustment judging unit compares the comprehensive access average credibility index with the comprehensive access credibility expected value: if the calculated value is greater than or equal to the expected value, the user's access rights are not adjusted; otherwise part of the user's high-level data access rights are frozen until the next access log is generated. The user access right updating unit assesses the importance of the user's existing high-level data access rights and sorts them from high to low importance, the number of the ith high-level data access right being calculated according to a specific formula in which Nc is the total number of high-level data access rights. The difference coefficient θa between the comprehensive access average credibility index YFe and the comprehensive access credibility expected value YFu is calculated according to a specific formula. When θa satisfies the first threshold condition, the high-level data access right ranked first in importance is frozen; when it satisfies the second, the rights ranked first and second are frozen; and when it satisfies the third, all high-level data access rights are frozen.
The invention has the technical effects and advantages that:
1. The invention provides an identity authentication module that authenticates the user's identity information when logging in to the service Internet platform and again when accessing an item corresponding to the role user's high-level authority, turning one-time identity authentication into continuous identity authentication and reducing the possibility of data leakage.
2. The invention provides an access monitoring module that monitors the access behaviour of a user on the service Internet platform in real time and extracts real-time access operation data, real-time access network environment data and real-time access equipment data; an access monitoring data analysis module that calculates the operation reliability coefficient, the network reliability coefficient and the equipment reliability coefficient from these data respectively; and a comprehensive access reliability analysis module that calculates a comprehensive access reliability index from the three coefficients and judges whether it meets expectations, so that the comprehensive access reliability is evaluated in real time throughout the user's access. While the basic data access rights are applied, if the comprehensive access reliability does not meet expectations, the interface of the item being accessed is exited directly and the user is returned to its upper-level interface; if the comprehensive access reliability at the main interface does not meet expectations, the service Internet platform is exited directly. When a high-level data access right is applied for, the high-level data access right for the item to be accessed is issued to the user only when the comprehensive access reliability meets expectations and access identity authentication passes, and when the comprehensive access reliability meets expectations but access identity authentication fails, the service Internet platform is exited directly. The data exposure risk during access to the service Internet platform is thereby effectively reduced, and the flexibility and accuracy of security protection are improved.
3. The invention provides an access control module that collects the comprehensive access credibility indices calculated in the current access log and the historical access logs, calculates the comprehensive access average credibility index, and compares it with the comprehensive access credibility expected value; the user's access rights are not adjusted when the calculated value is greater than or equal to the expected value, otherwise part of the user's high-level data access rights are frozen until the next access log is generated. This reduces the loss caused by theft of important data access rights and provides a method for freezing high-level data access rights in which the lower the credibility, the fewer rights the user retains, so that data security and Internet service quality are effectively protected.
Drawings
Fig. 1 is a block diagram of a system architecture of the present invention.
Fig. 2 is a process step diagram of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The distributed identity authentication and access control system based on zero trust provided in this embodiment, as shown in Fig. 1, includes an access authority setting module, an identity authentication module, an access monitoring module, an access monitoring data analysis module, a comprehensive access reliability analysis module, an access control module and a database. The access authority setting module, the identity authentication module and the comprehensive access reliability analysis module are connected to the access control module; the access monitoring module, the access monitoring data analysis module and the comprehensive access reliability analysis module are connected in sequence; and all modules in the system are connected to the database.
The access right setting module builds a role access control model to create users with different roles and assigns different data access rights to each role user;
In this embodiment, the role access control model construction process is a prior art, so the model construction process is not specifically described herein.
In this embodiment, it should be specifically noted that the data access rights allocated to each role user by the access rights setting module are divided into basic data access rights and high-level data access rights: each role user can directly apply the basic data access rights after passing login identity authentication, and can apply the corresponding high-level data access rights when the comprehensive access reliability evaluation meets expectations and access identity authentication passes.
The identity authentication module comprises two modes, login identity authentication and access identity authentication; login identity authentication authenticates the identity information of a user when logging in to the service Internet platform, and access identity authentication authenticates the identity information of the user when accessing an item corresponding to the role user's high-level authority;
The identity authentication module comprises an account registration unit, a login identity authentication unit, an access identity authentication unit and an identity authentication result output unit. The account registration unit generates a login account after the user enters a real name, an identity card number, an email account, a strong login password, a real-name registered mobile phone number, expected authentication questions and answers, and fingerprint information. The login identity authentication unit performs multi-factor identity authentication on the user, and the user enters the main interface of the service Internet platform after authentication passes. The access identity authentication unit authenticates the user's identity information when the user accesses an item corresponding to the role's high-level authority. The identity authentication result output unit sends the login identity authentication results and access identity authentication results to the access control module.
In this embodiment, it should be specifically noted that the login identity authentication unit performs multi-factor authentication on the user in the following steps:
A1, login account and password authentication is performed on the accessing user; when the user enters the correct login account and the correct strong login password, this authentication passes and the process enters knowledge factor authentication;
A2, knowledge factor authentication is performed on the accessing user; one of the expected authentication questions entered when the user registered the account is sent at random, and when the user enters the correct expected answer, knowledge factor authentication passes and the process enters ownership factor authentication;
A3, ownership factor authentication is performed on the accessing user; a dynamic verification password is sent at random to the user's email account or mobile phone number, and when the user correctly enters the password within its validity period, the process enters biometric factor authentication;
A4, biometric factor authentication is performed on the accessing user; when the fingerprint information entered by the user matches the fingerprint information entered during account registration, biometric factor authentication passes and identity authentication as a whole passes.
In this embodiment, it should be specifically noted that when the access identity authentication unit authenticates the user, one of knowledge factor authentication, ownership factor authentication and biometric factor authentication is applied, chosen at random.
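The login chain A1 to A4 and the single random factor used for access identity authentication, as an added Python example that is not part of the patent; the PBKDF2 hashing, the five-minute OTP validity, the `Account` fields and the `OtpChannel` stand-in for e-mail/SMS delivery are assumptions:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000   # assumed parameter; the page only asks for a "strong password"


def _digest(value: str, salt: bytes) -> bytes:
    """Hypothetical helper: salted PBKDF2 so stored secrets cannot be recovered from the database."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    """Login account produced by the account registration unit (only the fields the factors need)."""
    login: str
    salt: bytes
    password_hash: bytes
    answers: Dict[str, bytes]   # expected authentication question -> hashed expected answer
    contact: str                # e-mail account or real-name registered mobile phone number
    fingerprint_hash: bytes     # hashed fingerprint template; a string stands in for a real template


def register(login: str, password: str, qa: Dict[str, str], contact: str, fingerprint: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(login, salt, _digest(password, salt),
                   {q: _digest(a, salt) for q, a in qa.items()}, contact, _digest(fingerprint, salt))


class OtpChannel:
    """Stand-in for the e-mail/SMS channel of step A3: one single-use code per contact with an expiry."""

    def __init__(self, validity_seconds: int = 300):
        self.validity = validity_seconds
        self.pending: Dict[str, Tuple[str, float]] = {}

    def send(self, contact: str, now: float) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[contact] = (code, now + self.validity)
        return code

    def verify(self, contact: str, code: str, now: float) -> bool:
        stored = self.pending.pop(contact, None)   # consumed on the first attempt, right or wrong
        return stored is not None and now <= stored[1] and hmac.compare_digest(stored[0], code)


class LoginSession:
    """Steps A1 to A4 in fixed order; a failed factor ends the session and later factors are never reached."""
    ORDER = ("password", "knowledge", "ownership", "biometric", "passed")

    def __init__(self, acct: Account, otp: OtpChannel):
        self.acct, self.otp = acct, otp
        self.stage = "password"
        self.question: Optional[str] = None

    def _advance(self, ok: bool) -> bool:
        self.stage = self.ORDER[self.ORDER.index(self.stage) + 1] if ok else "failed"
        if self.stage == "knowledge":   # A2: one registered question is chosen at random
            self.question = secrets.choice(list(self.acct.answers))
        return ok

    def _match(self, value: str, expected: bytes) -> bool:
        return hmac.compare_digest(_digest(value, self.acct.salt), expected)

    def submit_password(self, password: str) -> bool:          # A1
        return self.stage == "password" and self._advance(self._match(password, self.acct.password_hash))

    def submit_answer(self, answer: str) -> bool:              # A2
        return self.stage == "knowledge" and self._advance(self._match(answer, self.acct.answers[self.question]))

    def request_otp(self, now: float) -> Optional[str]:        # A3, delivery side (code returned for the demo)
        return self.otp.send(self.acct.contact, now) if self.stage == "ownership" else None

    def submit_otp(self, code: str, now: float) -> bool:       # A3, verification side
        return self.stage == "ownership" and self._advance(self.otp.verify(self.acct.contact, code, now))

    def submit_fingerprint(self, fingerprint: str) -> bool:    # A4
        return self.stage == "biometric" and self._advance(self._match(fingerprint, self.acct.fingerprint_hash))


class AccessSession(LoginSession):
    """Access identity authentication: one of the three non-password factors, chosen at random."""

    def __init__(self, acct: Account, otp: OtpChannel, factor: Optional[str] = None):
        super().__init__(acct, otp)
        self.stage = factor or secrets.choice(("knowledge", "ownership", "biometric"))
        self.ORDER = (self.stage, "passed")
        if self.stage == "knowledge":
            self.question = secrets.choice(list(acct.answers))
```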
The access monitoring module monitors the access behavior of a user on the service Internet platform in real time, generates an access log for backup, extracts real-time access operation data, real-time access network environment data and real-time access equipment data and sends the real-time access operation data, the real-time access network environment data and the real-time access equipment data to the access monitoring data analysis module;
Further, the real-time access operation data extracted by the access monitoring module are the number of repeated access applications mfcij for the jth item at the ith moment and the no-operation access duration Tfcij of the jth item at the ith moment; the real-time access network environment data comprise the user's network connection speed vai, network bandwidth vbi and time delay Tai at the ith moment; and the real-time access equipment data comprise the firewall false alarm rate αwi at the ith moment, the number of version updates mai by which the operating system version at the ith moment lags the latest operating system version, and the browser encryption strength coefficient εmi at the ith moment.
In this embodiment, a method for calculating the browser encryption strength coefficient εmi is specifically provided, by a formula in which εai is the key length generated by the encryption algorithm used by the browser at the ith moment.
The access monitoring data analysis module processes the extracted real-time access operation data, real-time access network environment data and real-time access equipment data to calculate the operation reliability coefficient, the network reliability coefficient and the equipment reliability coefficient respectively;
Further, the access monitoring data analysis module comprises a data receiving unit, an operation reliability analysis unit, a network reliability analysis unit, a device reliability analysis unit and a data output unit. The data receiving unit receives the extracted real-time access operation data, real-time access network environment data and real-time access device data. The operation reliability analysis unit calculates the operation reliability coefficient Xrci at the ith moment according to a specific formula in which βmij and βTij are, in turn, the access application overrun coefficient and the no-operation stay overrun coefficient of the jth item at the ith moment; these are calculated from mfr and Tfr, in turn the maximum allowed number of repeated accesses to an item and the maximum allowed no-operation stay time of an item, and na is the number of items. The network reliability analysis unit calculates the network reliability coefficient Xrwi at the ith moment according to a specific formula in which vae, vbe and Tae are the lowest network connection speed, the lowest network bandwidth and the maximum time delay. The device reliability analysis unit calculates the device reliability coefficient Xrsi at the ith moment according to a specific formula. The data output unit transmits the calculated operation reliability coefficient, network reliability coefficient and equipment reliability coefficient to the comprehensive access reliability analysis module.
The comprehensive access reliability analysis module calculates a comprehensive access reliability index based on the operation reliability coefficient, the network reliability coefficient and the equipment reliability coefficient, judges whether the comprehensive access reliability index accords with expectations, and sends a judgment result to the access control module;
Further, the comprehensive access reliability analysis module comprises a data receiving unit, a comprehensive access reliability analysis unit, a comprehensive access reliability judging unit and a judgment result output unit. The data receiving unit receives the operation reliability coefficient, network reliability coefficient and equipment reliability coefficient calculated for the ith moment. The comprehensive access reliability analysis unit calculates the comprehensive access reliability index YFi at the ith moment according to a specific formula. The comprehensive access reliability judging unit compares the calculated comprehensive access reliability index with the comprehensive access reliability expected value: the calculated value meets expectations if it is greater than or equal to the expected value and does not meet expectations if it is smaller. The judgment result output unit sends the comprehensive access reliability judgment result to the access control module.
The access control module receives the comprehensive access reliability judging result and the identity authentication result, generates an access control strategy based on the comprehensive access reliability judging result and the identity authentication result, and updates the user access authority by combining the user history access log after the daily access log is generated;
The access control module comprises an information receiving unit and an access control strategy generating unit, wherein the information receiving unit is used for receiving a comprehensive access reliability judging result and an identity authentication result, the access control strategy generating unit automatically issues role basic data access rights for a user when login identity authentication is passed and sends an instruction to an access monitoring module to start access monitoring, when the basic data access rights are applied, the comprehensive access reliability is not in line with expectations, the interface where an item to be accessed is directly exited and returned to a higher-level interface of the item to be accessed, if the comprehensive access reliability is not in line with expectations in a main interface, the service internet platform is directly exited, when the high-level data access rights are applied, the high-level data access rights of the item to be accessed are issued for the user when the comprehensive access reliability is in line with expectations and the access identity authentication is passed, and the service internet platform is directly exited when the comprehensive access reliability is in line with expectations but the access identity authentication is not passed.
The access control module further comprises a history access log calling unit, a comprehensive access average credibility calculating unit, a user access right adjustment judging unit and a user access right updating unit, wherein the history access log calling unit is used for calling a history access log of a user, the comprehensive access average credibility calculating unit gathers the current access log and the comprehensive access credibility index which can be calculated in the history access log and calculates the comprehensive access average credibility index YFe, and the specific formula is as follows: The user access authority adjustment judging unit compares the comprehensive access average credibility index with the comprehensive access credibility expected value, the calculated value is larger than or equal to the expected value, the user access authority is not adjusted, otherwise, the user part of high-level data access authority is frozen until the next access log is generated, the user access authority updating unit carries out importance assessment on the existing high-level data access authority and sorts the data according to importance from high to low, and the number of the ith high-level data access authority is calculated according to the specific formula: Nc is the total number of high-level data access rights, and the difference coefficient thetaa between the integrated access average credibility index YFe and the integrated access credibility expected value YFu is calculated by the following specific formula: When (when) When the high-level data access right of the importance ranking 1 is frozen, whenWhen the high-level data access rights of the importance ranks 1,2 are frozen, whenAnd freezing all high-level data access rights.
In this embodiment, it should be noted that one access log refers to the consolidated result of all access records within one day, from 0:00 to 24:00.
The database is used for storing data information of all modules in the system.
In this embodiment, it should be noted that the expected values and preset values are all chosen according to actual needs and are not limited here.
The distributed identity authentication and access control method based on zero trust provided in this embodiment, as shown in fig. 2, includes the following steps:
s1, constructing a role access control model, creating users with different roles, and distributing different data access rights for each role user;
S2, two modes of identity authentication are provided, login identity authentication and access identity authentication, wherein login identity authentication authenticates the user's identity information when logging in to the service Internet platform, and access identity authentication authenticates the user's identity information when accessing an item corresponding to the role user's high-level authority;
S3, monitoring the access behavior of a user on a service Internet platform in real time, generating an access log for backup, and extracting real-time access operation data, real-time access network environment data and real-time access equipment data;
S4, processing the extracted real-time access operation data, real-time access network environment data and real-time access device data respectively, and calculating the operation reliability coefficient, the network reliability coefficient and the device reliability coefficient;
s5, calculating a comprehensive access reliability index based on the operation reliability coefficient, the network reliability coefficient and the equipment reliability coefficient and judging whether the comprehensive access reliability index meets the expectations;
and S6, receiving the comprehensive access reliability judging result and the identity authentication result, generating an access control strategy based on the comprehensive access reliability judging result and the identity authentication result, and updating the user access authority by combining the user history access log after the daily access log is generated.
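The decision rules of steps S1 to S6, and of the access control module described above, can be made concrete in code. The following is an added example written for this page, not code from the patent. It takes the reliability judgment and the authentication results as already-computed inputs and produces the access control action, then performs the daily adjustment. The page does not reproduce the formulas for YFe, thetaa or the freezing thresholds, so the arithmetic mean, the relative-shortfall coefficient and the three tiers in `ASSUMED_TIERS` are assumptions, as is the action taken when login authentication fails.

```python
"""Access control strategy generation and daily rights adjustment.

Added example, not code from the patent. It encodes the decision rules of
steps S1 to S6 and of the access control module as stated on this page. The
page does not reproduce the formulas for YFe, thetaa or the freezing
thresholds, so the arithmetic mean, the relative-shortfall coefficient and
the three tiers used here are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from statistics import mean


class Action(Enum):
    ISSUE_BASIC_AND_MONITOR = "issue role basic rights, start access monitoring"
    REFUSE_LOGIN = "login identity authentication failed, no rights issued (assumed)"
    STAY = "keep current rights"
    EXIT_TO_PARENT = "exit item interface, return to its parent interface"
    EXIT_PLATFORM = "exit the service Internet platform"
    ISSUE_HIGH_LEVEL = "issue high-level rights for the item"


@dataclass
class AccessEvent:
    reliability_ok: bool          # comprehensive access reliability judgment result
    at_main_interface: bool = False
    requests_high_level: bool = False
    access_auth_passed: bool = False


def on_login(login_auth_passed: bool) -> Action:
    """Login gate: basic rights and monitoring only after login MFA passes."""
    return Action.ISSUE_BASIC_AND_MONITOR if login_auth_passed else Action.REFUSE_LOGIN


def on_access_event(ev: AccessEvent) -> Action:
    """Policy for one monitored access event after login."""
    if ev.requests_high_level and ev.reliability_ok:
        # High-level rights need both a passing reliability judgment and access
        # authentication; reliable but unauthenticated access ends the session.
        return Action.ISSUE_HIGH_LEVEL if ev.access_auth_passed else Action.EXIT_PLATFORM
    if not ev.reliability_ok:
        # Below expectation: back out one level, or out of the platform when
        # already at the main interface. A high-level request whose reliability
        # failed is treated the same way (the page does not state that case).
        return Action.EXIT_PLATFORM if ev.at_main_interface else Action.EXIT_TO_PARENT
    return Action.STAY


def average_credibility(current_log: list[float], history_logs: list[list[float]]) -> float:
    """YFe over every index YFi in today's log and the historical logs (assumed: arithmetic mean)."""
    values = list(current_log)
    for log in history_logs:
        values.extend(log)
    return mean(values)


def difference_coefficient(yfe: float, yfu: float) -> float:
    """thetaa: assumed relative shortfall of YFe below the expected value YFu."""
    return max(0.0, (yfu - yfe) / yfu)


# Assumed tiers: (upper bound of thetaa, number of top-ranked rights frozen).
# Above the last bound every high-level right is frozen.
ASSUMED_TIERS = ((0.10, 1), (0.30, 2))


def rights_to_freeze(yfe: float, yfu: float, ranked_rights: list[str]) -> list[str]:
    """High-level rights to freeze until the next log; input is sorted most important first."""
    if yfe >= yfu:
        return []
    theta = difference_coefficient(yfe, yfu)
    nc = len(ranked_rights)  # Nc, total number of high-level rights
    for bound, count in ASSUMED_TIERS:
        if theta <= bound:
            return ranked_rights[:min(count, nc)]
    return ranked_rights[:nc]


if __name__ == "__main__":
    # Constructed sample: today's log plus two historical logs, expected value 0.85.
    yfe = average_credibility([0.9, 0.8], [[0.7, 0.6], [1.0]])
    print("YFe =", yfe)
    print("freeze:", rights_to_freeze(yfe, 0.85, ["payroll", "hr_records", "audit_logs"]))
```

Ranking the high-level rights most important first and freezing from the top matches the page's rule that the most sensitive rights are withdrawn first as the average credibility falls further below the expected value.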
Finally, the foregoing description of the preferred embodiment of the invention is provided for the purpose of illustration only, and is not intended to limit the invention to the particular form disclosed, but on the contrary, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

Claims (7)

1. The distributed identity authentication and access control system based on zero trust is characterized by comprising the following components:
The access right setting module is used for constructing a role access control model to create users with different roles and distributing different data access rights for each role user;
The identity authentication module comprises two modes, login identity authentication and access identity authentication, wherein login identity authentication authenticates the user's identity information when logging in to the service Internet platform, and access identity authentication authenticates the user's identity information when accessing an item corresponding to the role user's high-level authority;
the access monitoring module is used for monitoring the access behavior of a user on the service Internet platform in real time, generating an access log for backup, extracting real-time access operation data, real-time access network environment data and real-time access equipment data and sending the real-time access operation data, the real-time access network environment data and the real-time access equipment data to the access monitoring data analysis module;
the access monitoring data analysis module is used for processing the extracted real-time access operation data, real-time access network environment data and real-time access device data respectively and calculating the operation reliability coefficient, the network reliability coefficient and the device reliability coefficient;
The comprehensive access reliability analysis module is used for calculating a comprehensive access reliability index based on the operation reliability coefficient, the network reliability coefficient and the equipment reliability coefficient, judging whether the comprehensive access reliability index meets the expectations or not and sending a judgment result to the access control module;
And the access control module is used for receiving the comprehensive access reliability judging result and the identity authentication result, generating an access control strategy based on the comprehensive access reliability judging result and the identity authentication result, and updating the user access authority by combining the user history access log after the daily access log is generated.
2. The distributed identity authentication and access control system based on zero trust according to claim 1, wherein the identity authentication module comprises an account registration unit, a login identity authentication unit, an access identity authentication unit and an identity authentication result output unit; the account registration unit generates a login account after the user enters a real name, ID card number, email account, strong login password, real-name registered mobile phone number, preset authentication question and answer, and fingerprint information; the login identity authentication unit performs multi-factor identity authentication on the user and enters the main interface of the service Internet platform after authentication passes; the access identity authentication unit authenticates the user's identity information when the user accesses an item corresponding to the role's high-level authority; and the identity authentication result output unit sends the login identity authentication result and the access identity authentication result to the access control module.
3. The distributed identity authentication and access control system based on zero trust according to claim 1, wherein the real-time access operation data extracted by the access monitoring module are the repeated access application count mfcij of the j-th item at the i-th moment and the no-operation access duration Tfcij of the j-th item at the i-th moment; the real-time access network environment data extracted by the access monitoring module comprise the user's network connection speed vai, network bandwidth vbi and delay Tai at the i-th moment; and the real-time access device data extracted by the access monitoring module comprise the firewall false alarm rate alpha_wi at the i-th moment, the number of version updates mai between the operating system version at the i-th moment and the latest operating system version, and the browser encryption strength coefficient epsilon_mi at the i-th moment.
4. The distributed identity authentication and access control system based on zero trust according to claim 3, wherein the access monitoring data analysis module comprises a data receiving unit, an operation reliability analysis unit, a network reliability analysis unit, a device reliability analysis unit and a data output unit; the data receiving unit receives the extracted real-time access operation data, real-time access network environment data and real-time access device data; the operation reliability analysis unit calculates the operation reliability coefficient Xrci at the i-th moment, the specific formula being: betamij and betaTij are, in turn, the access application overrun coefficient and the no-operation stay overrun coefficient of the j-th item at the i-th moment, with the specific calculation formula: mfr and Tfr are, in turn, the maximum allowed number of repeated accesses to an item and the maximum allowed no-operation stay time on an item, and na is the number of items; the network reliability analysis unit calculates the network reliability coefficient Xrwi at the i-th moment, the specific formula being: vae, vbe and Tae are the lowest network connection speed, the lowest network bandwidth and the maximum delay; the device reliability analysis unit calculates the device reliability coefficient Xrsi at the i-th moment, the specific formula being: the data output unit transmits the calculated operation reliability coefficient, network reliability coefficient and device reliability coefficient to the comprehensive access reliability analysis module.
5. The distributed identity authentication and access control system based on zero trust according to claim 1, wherein the comprehensive access reliability analysis module comprises a data receiving unit, a comprehensive access reliability analysis unit, a comprehensive access reliability judging unit and a judgment result output unit; the data receiving unit receives the calculated operation reliability coefficient, network reliability coefficient and device reliability coefficient at the i-th moment; the comprehensive access reliability analysis unit calculates the comprehensive access reliability index YFi at the i-th moment, the specific formula being as follows: the comprehensive access reliability judging unit compares the calculated comprehensive access reliability index with the comprehensive access reliability expected value, the calculated value meeting expectations if it is greater than or equal to the comprehensive access reliability expected value and not meeting expectations if it is smaller than the comprehensive access reliability expected value; and the judgment result output unit sends the comprehensive access reliability judgment result to the access control module.
6. The distributed identity authentication and access control system based on zero trust according to claim 1, wherein the access control module comprises an information receiving unit and an access control policy generating unit; the information receiving unit receives the comprehensive access reliability judgment result and the identity authentication result; the access control policy generating unit automatically issues the role's basic data access rights to the user once login identity authentication passes and sends an instruction to the access monitoring module to start access monitoring; while basic data access rights are applied, if the comprehensive access reliability does not meet expectations, the interface of the item being accessed is exited directly and the user is returned to the parent interface of that item, and if the comprehensive access reliability does not meet expectations at the main interface, the service Internet platform is exited directly; when high-level data access rights are applied for, the high-level data access rights for the item to be accessed are issued to the user only when the comprehensive access reliability meets expectations and access identity authentication passes, and the service Internet platform is exited directly when the comprehensive access reliability meets expectations but access identity authentication fails.
7. The distributed identity authentication and access control system based on zero trust according to claim 1, wherein the access control module further comprises a historical access log retrieval unit, a comprehensive access average credibility calculating unit, a user access authority adjustment judging unit and a user access authority updating unit; the historical access log retrieval unit retrieves the user's historical access logs; the comprehensive access average credibility calculating unit gathers the comprehensive access credibility indices that can be calculated from the current access log and the historical access logs and calculates the comprehensive access average credibility index YFe, the specific formula being as follows: the user access authority adjustment judging unit compares the comprehensive access average credibility index with the comprehensive access credibility expected value, the user's access authority being left unadjusted if the calculated value is greater than or equal to the expected value and part of the user's high-level data access authority being frozen until the next access log is generated otherwise; the user access authority updating unit performs an importance assessment of the existing high-level data access rights, sorts them by importance from high to low, and calculates the number of the i-th high-level data access right according to the specific formula: Nc is the total number of high-level data access rights, and the difference coefficient thetaa between the comprehensive access average credibility index YFe and the comprehensive access credibility expected value YFu is calculated by the following specific formula: when thetaa satisfies the first condition, the high-level data access right ranked 1 in importance is frozen; when it satisfies the second condition, the high-level data access rights ranked 1 and 2 are frozen; and when it satisfies the third condition, all high-level data access rights are frozen.
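Claims 3 to 5 name the raw quantities that feed the three reliability coefficients and the comprehensive index, but this page does not reproduce the formulas. The following is an added example for this page, not the patent's code or formulas: it uses the claims' symbols (mfcij, Tfcij, vai, vbi, Tai, alpha_wi, mai, epsilon_mi, and the limits mfr, Tfr, vae, vbe, Tae) with assumed stand-in formulas that map each coefficient into the range 0 to 1, combines them with assumed weights into YFi, and applies the page's judgment rule (meets expectations iff YFi is at least the expected value YFu). The sample values are constructed.

```python
"""Reliability coefficients and comprehensive access reliability index.

Added example, not the patent's code. It takes the raw quantities listed in
claims 3 to 5 and produces Xrci, Xrwi, Xrsi and YFi. The page does not
reproduce the formulas, so every formula below is an assumed stand-in that
maps each coefficient into [0, 1], with 1 meaning fully reliable.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class ItemOperation:
    """Real-time access operation data for item j at moment i."""
    mfc: int      # mfcij: repeated access applications to the item
    tfc: float    # Tfcij: no-operation access duration, seconds


@dataclass
class NetworkEnv:
    """Real-time access network environment data at moment i."""
    va: float     # vai: network connection speed
    vb: float     # vbi: network bandwidth
    ta: float     # Tai: delay, milliseconds


@dataclass
class DeviceState:
    """Real-time access device data at moment i."""
    alpha_w: float    # alpha_wi: firewall false alarm rate, 0..1
    ma: int           # mai: version updates behind the latest operating system
    epsilon_m: float  # epsilon_mi: browser encryption strength coefficient, 0..1


# Assumed limits; the page says these are chosen per deployment.
MFR, TFR = 3, 300.0                # mfr, Tfr: max repeated accesses, max idle seconds per item
VAE, VBE, TAE = 10.0, 20.0, 200.0  # vae, vbe, Tae: min speed, min bandwidth, max delay
WEIGHTS = (0.4, 0.3, 0.3)          # assumed weights of Xrc, Xrw, Xrs in YF


def overrun(value: float, limit: float) -> float:
    """Overrun coefficient (betamij / betaTij): relative excess over the limit, 0 if within it."""
    return max(0.0, (value - limit) / limit)


def operation_reliability(items: list[ItemOperation]) -> float:
    """Xrci: 1 when no item overruns; decays with the mean total overrun over the na items."""
    na = len(items)
    total = sum(overrun(it.mfc, MFR) + overrun(it.tfc, TFR) for it in items)
    return 1.0 / (1.0 + total / na)


def network_reliability(net: NetworkEnv) -> float:
    """Xrwi: product of capped ratios against the minimum speed/bandwidth and maximum delay."""
    return min(1.0, net.va / VAE) * min(1.0, net.vb / VBE) * min(1.0, TAE / max(net.ta, 1e-9))


def device_reliability(dev: DeviceState) -> float:
    """Xrsi: penalised by firewall false alarms and OS staleness, scaled by browser crypto strength."""
    return (1.0 - dev.alpha_w) * dev.epsilon_m / (1.0 + dev.ma)


def integrated_index(xrc: float, xrw: float, xrs: float) -> float:
    """YFi: assumed weighted sum of the three coefficients."""
    return sum(w * x for w, x in zip(WEIGHTS, (xrc, xrw, xrs)))


def meets_expectation(yf: float, yfu: float) -> bool:
    """Judgment rule stated on the page: meets expectations iff YFi >= YFu."""
    return yf >= yfu


def evaluate_moment(items: list[ItemOperation], net: NetworkEnv, dev: DeviceState, yfu: float) -> dict:
    """Run the full chain for one moment i and return coefficients, index and judgment."""
    xrc = operation_reliability(items)
    xrw = network_reliability(net)
    xrs = device_reliability(dev)
    yf = integrated_index(xrc, xrw, xrs)
    return {"Xrc": xrc, "Xrw": xrw, "Xrs": xrs, "YF": yf, "ok": meets_expectation(yf, yfu)}


if __name__ == "__main__":
    # Constructed sample: one item within limits, one that overruns both limits.
    sample_items = [ItemOperation(mfc=2, tfc=100.0), ItemOperation(mfc=5, tfc=450.0)]
    sample_net = NetworkEnv(va=8.0, vb=40.0, ta=250.0)
    sample_dev = DeviceState(alpha_w=0.1, ma=1, epsilon_m=0.9)
    print(evaluate_moment(sample_items, sample_net, sample_dev, yfu=0.7))
```

The caps in `network_reliability` keep a fast link from compensating for a stale, noisy device: each coefficient can only reduce the index, so a single weak dimension is enough to fail the judgment, which is the conservative behaviour a zero-trust policy wants.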
CN202510094098.XA 2025-01-21 2025-01-21 Distributed identity authentication and access control system based on zero trust Active CN119945773B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202510094098.XA CN119945773B (en) 2025-01-21 2025-01-21 Distributed identity authentication and access control system based on zero trust

Publications (2)

Publication Number Publication Date
CN119945773A true CN119945773A (en) 2025-05-06
CN119945773B CN119945773B (en) 2025-08-29

Family

ID=95543234

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202510094098.XA Active CN119945773B (en) 2025-01-21 2025-01-21 Distributed identity authentication and access control system based on zero trust

Country Status (1)

Country Link
CN (1) CN119945773B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017177077A2 (en) * 2016-04-08 2017-10-12 Cloud Knox, Inc. Method and system to detect discrepancy in infrastructure security configurations from translated security best practice configurations in heterogeneous environments
CN112765639A (en) * 2021-01-27 2021-05-07 武汉大学 Security micro-service architecture based on zero trust access strategy and implementation method
CN114567473A (en) * 2022-02-23 2022-05-31 南通大学 Zero-trust mechanism-based Internet of vehicles access control method
CN116388989A (en) * 2022-12-12 2023-07-04 四川启睿克科技有限公司 Distributed identity-based zero-trust single-package authentication system and method
CN116455668A (en) * 2023-05-06 2023-07-18 东南大学 User trust measurement method and system in zero trust network environment

Also Published As

Publication number Publication date
CN119945773B (en) 2025-08-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant