Search

CN-116527317-B - Access control method, system and electronic equipment

CN116527317BCN 116527317 BCN116527317 BCN 116527317BCN-116527317-B

Abstract

The embodiment of the invention provides an access control method, an access control system and electronic equipment, wherein the method comprises the steps of obtaining an access control request based on attributes; the access policy evaluation result is determined according to the access control request based on the attribute and a preset access policy, the access policy comprises a corresponding relation between attribute information and the access policy evaluation result, the access risk level of the access control request is determined according to target feature information corresponding to the access control request, the target feature information comprises at least one of a main body target trust value, historical access data, environment attribute and access request operation, and the access control evaluation result is generated according to the access policy evaluation result and the access risk level. The method of the embodiment of the invention effectively improves the accuracy and the effectiveness of the access control and greatly reduces the leakage risk.

Inventors

  • XIE RONGNA
  • SHI GUOZHEN
  • LI SUZHE
  • DONG XIUZE
  • LOU JIAPENG
  • LI LI
  • TAN LI

Assignees

  • 北京电子科技学院

Dates

Publication Date
20260508
Application Date
20230324

Claims (8)

  1. 1. An access control method, comprising: Acquiring an access control request based on the attribute; determining an access policy evaluation result according to the access control request based on the attribute and a preset access policy, wherein the access policy comprises a corresponding relation between attribute information and the access policy evaluation result; Determining an access risk level of the access control request according to target feature information corresponding to the access control request, wherein the target feature information comprises at least one of a main body target trust value, historical access data, an environment attribute and access request operation; generating an access control evaluation result according to the access strategy evaluation result and the access risk level; the determining the access risk level of the access control request according to the target feature information corresponding to the access control request includes: The method comprises the steps of determining uncertainty of an access history according to historical access data, wherein the uncertainty of the access history is used for representing uncertainty of occurrence of values of elements in the access history, and the historical access data comprises weights occupied by the elements in the access history and probability of occurrence of the values of the elements in the access history; determining the credibility of the environment attribute corresponding to the access control request according to the historical access data; determining the influence degree of the access request operation corresponding to the access control request on the object security; determining an access risk value according to a subject target trust value, uncertainty of access history, credibility of environment attribute and influence degree of access request operation on object security, wherein the subject target trust value is used for representing a trust value of a subject corresponding to the access control request; judging an access risk level according to the access risk value and a preset risk threshold value; The method further comprises the steps of: determining a target trust value of a subject according to the direct trust value of the subject, the indirect trust value, the weight of the direct trust value of the subject in the target trust value of the subject and the weight of the indirect trust value of the subject in the target trust value of the subject, wherein the direct trust value of the subject is used for representing the trust of a domain of an object corresponding to the access control request to the subject, the indirect trust value of the subject is used for representing the trust of other domains of the object corresponding to the access control request to the subject, the indirect trust value is determined according to the direct trust value of the subject in each domain and the weight of the direct trust value of each domain to the subject in the indirect trust value evaluation, the access history corresponding to the access control request is generated, the access feedback result comprises an access feedback result type and an access feedback result value, and the direct trust value of the subject corresponding to the access control request based on the attribute is generated according to the access feedback result.
  2. 2. The access control method according to claim 1, characterized by further comprising: determining the weight of the direct trust value of the main body in the main body target trust value and the weight of the indirect trust value of the main body in the main body target trust value according to the access times and access times threshold values of the main body corresponding to the access control request in each domain; Obtaining a direct trust value of a main body in each domain and domain trust rate of each domain according to the trust degree of the main body corresponding to the access control request, wherein the domain trust rate represents the trust degree of the domain and is generated based on the security level of the domain; Obtaining the access times and access time of the main body corresponding to the access control request in each domain according to the historical access data; and determining the weight of the direct trust value of each domain to the main body in indirect trust value evaluation according to the domain trust rate of each domain, the access times and the access time of the main body in each domain.
  3. 3. The access control method according to claim 1 or 2, wherein the generating an access control evaluation result according to the access policy evaluation result and the access risk level includes at least one of: if the access risk level is high risk, the access control evaluation result is no; if the access strategy evaluation result is negative, the access control evaluation result is negative; if the access strategy evaluation result is yes and the access risk level is risk, the risk access times in the subject attribute and/or the object attribute are increased by one; if the risk access times in the subject attribute and/or the object attribute are greater than the risk access times threshold in the corresponding subject attribute and/or object attribute, the access control evaluation result is no, otherwise, the access control evaluation result is yes; And if the access policy evaluation result is yes, and the access risk level is low risk, the access control evaluation result is yes.
  4. 4. The access control method according to claim 3, wherein after generating the access control evaluation result according to the access policy evaluation result and the access risk level, further comprising: And updating the trust degree of the main body in the stored main body attribute according to the direct trust value of the main body.
  5. 5. An access control system for implementing the access control method of claim 1, comprising: the system comprises a policy execution module, a policy management module, a risk management module and a policy decision module; the policy execution module is used for acquiring an access control request based on the attribute; the policy management module is used for determining an access policy evaluation result according to the access control request based on the attribute and a preset access policy, wherein the access policy comprises a corresponding relation between attribute information and the access policy evaluation result; The risk management module is used for determining the access risk level of the access control request according to target characteristic information corresponding to the access control request, wherein the target characteristic information comprises at least one of a main body target trust value, historical access data, environment attributes and access request operation; and the policy decision module is used for generating an access control evaluation result according to the access policy evaluation result and the access risk level.
  6. 6. The access control system of claim 5, further comprising at least one of: the system comprises a first module, a strategy information module, a history management module and a credibility management module; the first module is used for sending a target access request to the policy execution module; The policy execution module is used for extracting a subject identifier and/or an object identifier in the target access request and sending the subject identifier and/or the object identifier to the policy information module; The policy information module is used for acquiring a target attribute corresponding to the target access request based on the subject identifier and/or the object identifier, and sending the target attribute to the policy execution module, wherein the target attribute comprises at least one of a subject attribute, an object attribute and an environment attribute; the policy execution module is used for generating an access control request based on the attribute based on the target attribute and/or the access request operation corresponding to the target access request, and sending the access control request based on the attribute to the policy decision module; The policy decision module is used for receiving the access control request based on the attribute and sending the access control request to the policy management module and the risk management module; The risk management module is used for receiving the access control request based on the attribute and sending the access control request based on the attribute to the history management module; The history management module is used for obtaining history access data according to the access control request based on the attribute and sending the history access data to the risk management module, wherein the history access data is related to at least one attribute corresponding to the access control request based on the attribute; the risk management module is used for extracting the trust of the main body in the main body attribute corresponding to the access control request based on the attribute, and sending the trust of the main body and the historical access data of the main body to the trust management module; The credibility management module is used for generating a main body target trust value according to the main body credibility and main body historical access data and sending the main body target trust value to the risk management module; the policy decision module is used for sending the generated access control evaluation result to the policy execution module; The policy execution module is used for generating an access token according to the access control evaluation result and returning the access token to the first module, wherein the access token carries an access authorization result corresponding to the target access request, or the policy execution module is used for returning an access control evaluation result and/or an object to the first module according to the access control evaluation result; the first module is used for executing access operation according to the access token or the access control evaluation result.
  7. 7. The access control system of claim 6, further comprising: The first module is used for generating an access history corresponding to the access control request and sending the access history to the history management module after executing the access operation according to the access token or the access control evaluation result; The history management module is used for generating an access feedback result according to the access history corresponding to the access control request and sending the access feedback result to the credibility management module, wherein the access feedback result comprises an access feedback result type and a value of the access feedback result; The credibility management module is used for generating a direct trust value of a main body corresponding to the attribute-based access control request according to the access feedback result, and sending the direct trust value of the main body to the policy information module; the policy information module is used for updating the trust degree of the main body in the stored main body attribute according to the direct trust value of the main body.
  8. 8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the access control method of any of claims 1 to 4 when the computer program is executed.

Description

Access control method, system and electronic equipment Technical Field The present invention relates to the field of information security technologies, and in particular, to an access control method, an access control system, and an electronic device. Background With the continuous development and popularization of information technology, people have higher and higher dependence on information systems, and meanwhile, the safety of the information systems has become an increasingly prominent problem. In the related art, an attacker performs abnormal access to an information system through a network protection vulnerability, thereby causing security threat to the information system. Therefore, how to effectively perform access control and improve system security is a technical problem that needs to be solved by those skilled in the art. Disclosure of Invention Aiming at the problems in the prior art, the embodiment of the invention provides an access control method, an access control system and electronic equipment. Specifically, the embodiment of the invention provides the following technical scheme: in a first aspect, an embodiment of the present invention further provides an access control method, including: Acquiring an access control request based on the attribute; determining an access policy evaluation result according to the access control request based on the attribute and a preset access policy, wherein the access policy comprises a corresponding relation between attribute information and the access policy evaluation result; Determining the access risk level of the access control request according to target feature information corresponding to the access control request, wherein the target feature information comprises at least one of a main body target trust value, historical access data, environment attributes and access request operation; And generating an access control evaluation result according to the access strategy evaluation result and the access risk level. Further, determining the access risk level of the access control request according to the target feature information corresponding to the access control request includes: Determining the uncertainty of the access history according to the history access data, wherein the uncertainty of the access history is used for representing the uncertainty of the occurrence of the value of each element in the access history; Determining the credibility of the environment attribute corresponding to the access control request according to the historical access data; Determining the influence degree of access request operation corresponding to the access control request on the object security; Determining an access risk value according to a subject target trust value, uncertainty of access history, credibility of environment attribute and influence degree of access request operation on object security, wherein the subject target trust value is used for representing a trust value of a subject corresponding to an access control request; and judging the access risk level according to the access risk value and a preset risk threshold value. Further, a subject target trust value is determined based on: The method comprises the steps of determining a direct trust value and an indirect trust value of a subject corresponding to an access control request, wherein the direct trust value of the subject is used for representing trust of a domain where an object corresponding to the access control request is located on the subject, and the indirect trust value of the subject is used for representing trust of other domains except the domain where the object corresponding to the access control request is located on the subject; Determining the weight of the direct trust value of the main body in the main body target trust value and the weight of the indirect trust value of the main body in the main body target trust value according to the access times and access times threshold values of the main body in each domain corresponding to the access control request; and determining the target trust value of the main body according to the direct trust value of the main body, the indirect trust value, the weight of the direct trust value of the main body in the target trust value of the main body and the weight of the indirect trust value of the main body in the target trust value of the main body. Further, determining the indirect trust value is based on: Obtaining a direct trust value of a main body in each domain and a domain trust rate of each domain according to the trust degree of the main body corresponding to the access control request; obtaining the access times and access time of a main body corresponding to the access control request in each domain according to the historical access data; Determining the weight of the direct trust value of each domain to the main body in indirect trust value evaluation according to the domain trust rate of each domain, the access