CN-121984687-A - Zero-trust self-adaptive API gateway method and device based on multidimensional space-time context awareness

Abstract

The application provides a zero-trust self-adaptive API gateway method and device based on multidimensional space-time context awareness, relating to the technical field of network security. The method comprises the steps of carrying out an integrity check on a dynamic token based on the current space-time context information; and, if drift detection does not identify an abnormal behavior pattern, dynamically adjusting the flow control strategy for the current connection based on the real-time security state of the connection between the client and the gateway. The gateway thereby moves from static passive defense to dynamic active awareness through environment-bound verification of the dynamic token, personalized behavior drift detection based on a Bayesian model, and risk-aware self-adaptive flow control: abnormal behaviors are intelligently identified and network strategies flexibly adjusted while identity is continuously verified.

Inventors

  • LIU JIFENG

Assignees

  • 江苏信江数字科技有限公司
  • 江苏数乘科技有限公司

Dates

Publication Date
20260505
Application Date
20260407

Claims (10)

  1. A zero-trust adaptive API gateway method based on multidimensional spatiotemporal context awareness, comprising: acquiring a dynamic token and current space-time context information corresponding to a session request initiated by a client, and carrying out an integrity check on the dynamic token based on the current space-time context information so as to verify the validity of the request; if the integrity check is passed, carrying out drift detection on the current access behavior based on the historical behavior portrait of the client so as to identify whether the behavior pattern is abnormal; if the drift detection does not identify an abnormal behavior pattern, dynamically adjusting a flow control strategy for the current connection based on the real-time security state of the current connection between the client and the gateway; wherein the drift detection comprises carrying out drift detection on the current access behavior of the client using a Bayesian statistical model constructed for the access behavior of the client.
  2. The method of claim 1, wherein the dynamic token is generated based on an improved hash chain mechanism that incorporates historical space-time context information as a perturbation factor into the recursive generation of the hash chain.
  3. The method of claim 2, wherein the integrity check of the dynamic token based on the current spatiotemporal context information comprises: carrying out a hash calculation on the received dynamic token and the current space-time context information to obtain a hash verification value, and comparing the hash verification value with a locally stored target token that was successfully verified last time; and if the hash verification value is equal to the target token, the check passes and the locally stored token is updated to the currently received token.
  4. The method of claim 3, wherein the integrity check of the dynamic token based on the current spatiotemporal context information further comprises: if the hash verification value is not equal to the target token, carrying out a limited number of hash iteration attempts on the received dynamic token so as to match the locally stored target token; and if the match succeeds, the check passes and the locally stored token is updated to the currently received dynamic token.
  5. The method of claim 1, wherein the drift detection of the current access behavior based on the historical behavior portrait of the client to identify whether the behavior pattern is abnormal comprises: acquiring the distribution characteristics of the current access behavior; calculating a drift metric value between the distribution characteristics of the current access behavior and the historical distribution characteristics described by the historical behavior portrait, wherein the drift metric value is calculated as a symmetric KL divergence; and if the drift metric value is larger than an adaptive threshold, judging that the behavior pattern of the client is abnormal; wherein the adaptive threshold is dynamically adjusted according to the entropy value of the historical behavior portrait, a first detection threshold is adopted for clients whose historical behavior entropy is larger than or equal to a preset threshold, a second detection threshold is adopted for clients whose historical behavior entropy is smaller than the preset threshold, and the second detection threshold is smaller than the first detection threshold.
  6. The method of claim 1, wherein the real-time security state of the current connection is determined by evaluation with a survival analysis model that calculates an instantaneous risk value for the connection based on the connection's duration and a real-time network quality covariate, and determines the security state of the connection based on the calculated instantaneous risk value.
  7. The method of claim 6, wherein dynamically adjusting the flow control policy for the current connection comprises: taking the instantaneous risk value as input and adjusting the proportional gain coefficient of a PID controller, wherein the proportional gain coefficient is inversely related to the instantaneous risk value; and calculating the back pressure rate from the queue deviation using the PID controller with the adjusted proportional gain coefficient, so as to dynamically control the length of the gateway's internal queue.
  8. The method of claim 6, wherein dynamically adjusting the flow control policy for the current connection further comprises: dynamically adjusting the heartbeat interval of the current connection according to the instantaneous risk value; wherein the heartbeat interval controls the triggering frequency of drift detection and is inversely related to the instantaneous risk value.
  9. A zero-trust adaptive API gateway apparatus based on multidimensional spatiotemporal context awareness, the apparatus comprising: an acquisition module for acquiring the dynamic token and the current space-time context information corresponding to a session request initiated by a client; a verification module for carrying out an integrity check on the dynamic token based on the current space-time context information so as to verify the validity of the request; a drift detection module for carrying out drift detection on the current access behavior based on the historical behavior portrait of the client, if the integrity check is passed, so as to identify whether the behavior pattern is abnormal; and a strategy adjustment module for dynamically adjusting the flow control strategy for the current connection based on the real-time security state of the current connection between the client and the gateway, if the drift detection does not identify an abnormal behavior pattern; wherein the drift detection comprises carrying out drift detection on the current access behavior of the client using a Bayesian statistical model constructed for the access behavior of the client.
  10. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the zero-trust adaptive API gateway method based on multidimensional spatiotemporal context awareness of any one of claims 1 to 8 when the program is executed.
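Claims 2 to 4 describe a hash chain whose links are perturbed by space-time context, verified at the gateway against the last accepted token with a bounded number of resync iterations. The following is an added illustration, not code from the patent: it assumes SHA-256 as the hash, a context string that stays constant across one client session (the patent does not fix the encoding of the context), and a limit of three extra iterations.

```python
import hashlib
import hmac
from dataclasses import dataclass

MAX_RESYNC_STEPS = 3  # claim 4: bounded extra hash iterations (assumed value)


def chain_link(next_token: bytes, context: bytes) -> bytes:
    """One link of the context-perturbed chain: token_i = H(token_{i+1} || ctx).
    Because the context is folded into every link, a token generated under one
    context does not verify under another (environment binding)."""
    return hashlib.sha256(next_token + context).digest()


def build_chain(seed: bytes, context: bytes, length: int) -> list:
    """Client side: derive the chain backwards from a secret seed. The client
    reveals chain[0] first (the anchor the gateway stores), then chain[1], ...;
    each earlier token is the hash of the later one, so tokens cannot be
    forged forward from what the gateway has already seen."""
    chain = [seed]
    for _ in range(length):
        chain.append(chain_link(chain[-1], context))
    chain.reverse()
    return chain


@dataclass
class GatewayVerifier:
    stored_token: bytes  # target token: the last token successfully verified

    def verify(self, received: bytes, context: bytes) -> bool:
        """Claim 3: H(received || ctx) must equal the stored target token.
        Claim 4: if it does not (some client requests were lost in transit),
        keep hashing for at most MAX_RESYNC_STEPS more steps before rejecting."""
        candidate = chain_link(received, context)
        for _ in range(1 + MAX_RESYNC_STEPS):
            if hmac.compare_digest(candidate, self.stored_token):
                self.stored_token = received  # advance the chain
                return True
            candidate = chain_link(candidate, context)
        return False  # replayed, forged, context-mismatched or out-of-window


# Constructed sample: one client session bound to one context string
CONTEXT = b"geo:CN-JS|asn:4134|device:fp-0001"
CLIENT_CHAIN = build_chain(b"client-secret-seed", CONTEXT, 6)


def demo() -> list:
    gw = GatewayVerifier(stored_token=CLIENT_CHAIN[0])
    return [
        gw.verify(CLIENT_CHAIN[1], CONTEXT),  # normal next token
        gw.verify(CLIENT_CHAIN[1], CONTEXT),  # replay of the same token
        gw.verify(CLIENT_CHAIN[4], CONTEXT),  # two requests lost, resync succeeds
        gw.verify(CLIENT_CHAIN[5], b"geo:RU|asn:1|device:fp-9999"),  # context changed
    ]
```

The resync window is what lets a client survive lost requests without letting an old token be replayed, since every accepted token moves the stored target forward.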

Description

Zero-trust self-adaptive API gateway method and device based on multidimensional space-time context awareness

Technical Field

The application relates to the technical field of network security, in particular to a zero-trust self-adaptive API gateway method and device based on multidimensional space-time context awareness.

Background

With the convergence of cloud computing, microservices and the mobile internet, enterprise network boundaries have dissolved, and the traditional "castle and moat" trust model no longer addresses today's complex security threats. The zero trust architecture (Zero Trust Architecture, ZTA) follows the core principle of "never trust, always verify", requiring continuous authentication and authorization checks for every access request. The API gateway, as the unified entry point under microservice and cloud-native architectures, is a key component for realizing a zero-trust security model. However, API gateway technology in the related art mainly suffers from the lag of static authorization mechanisms, a lack of deep awareness of user behavior patterns, and rigid connection management policies, and so struggles to meet the requirement for dynamic self-adaptation under a zero-trust architecture. There is therefore a need for an API gateway scheme that enables dynamic, adaptive security validation and traffic scheduling to cope with complex and changing zero-trust security requirements.
Disclosure of Invention

The application aims to provide a zero-trust self-adaptive API gateway method and device based on multidimensional space-time context awareness, which move an API gateway from static passive defense to dynamic active awareness through environment-bound verification of a dynamic token, personalized behavior drift detection based on a Bayesian model, and risk-aware self-adaptive flow control, and which can intelligently identify abnormal behaviors and flexibly adjust network strategies while continuously verifying identities.

The application provides a zero-trust self-adaptive API gateway method based on multidimensional space-time context awareness, comprising the following steps: obtaining a dynamic token and the current space-time context information corresponding to a session request initiated by a client; carrying out an integrity check on the dynamic token based on the current space-time context information to verify the validity of the request; if the integrity check is passed, carrying out drift detection on the current access behavior based on the historical behavior portrait of the client to identify whether the behavior pattern is abnormal; and if the drift detection does not identify an abnormal behavior pattern, dynamically adjusting the flow control strategy for the current connection based on the real-time security state of the current connection between the client and the gateway; wherein the drift detection comprises carrying out drift detection on the current access behavior of the client using a Bayesian statistical model constructed for the access behavior of the client.
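Claim 5 and the disclosure above describe the drift detection step: a historical behavior portrait built with a Bayesian model, a symmetric KL divergence between the portrait and the current access distribution, and a threshold chosen by the portrait's entropy. The block below is an added illustration, not the patent's own implementation; it assumes a Dirichlet-multinomial posterior as the Bayesian portrait (the patent does not specify the model), access behavior categorized by endpoint, and constructed values for the entropy split and the two detection thresholds.

```python
import math
from collections import Counter

ALPHA = 1.0          # Dirichlet pseudo-count for the Bayesian portrait (assumed prior)
ENTROPY_SPLIT = 2.0  # preset entropy threshold in bits (assumed value)
THRESHOLD_HIGH = 1.0  # first detection threshold: diverse, high-entropy clients
THRESHOLD_LOW = 0.3   # second, smaller threshold: predictable, low-entropy clients


def posterior_mean(events, categories):
    """Bayesian estimate of a client's access distribution: Dirichlet(ALPHA)
    prior updated with observed counts. The prior also keeps categories that
    were never seen non-zero, so the KL divergence stays finite."""
    counts = Counter(events)
    total = len(events) + ALPHA * len(categories)
    return {c: (counts.get(c, 0) + ALPHA) / total for c in categories}


def entropy_bits(p):
    """Entropy of the historical portrait; high entropy = naturally varied client."""
    return -sum(v * math.log2(v) for v in p.values())


def symmetric_kl(p, q):
    """Drift metric: KL(p||q) + KL(q||p), symmetric in the two distributions."""
    return sum(p[c] * math.log(p[c] / q[c]) + q[c] * math.log(q[c] / p[c]) for c in p)


def adaptive_threshold(profile):
    """Claim 5: varied clients get the larger threshold, predictable ones the smaller."""
    return THRESHOLD_HIGH if entropy_bits(profile) >= ENTROPY_SPLIT else THRESHOLD_LOW


def detect_drift(history, current):
    """Returns (drifting, drift_metric, threshold_used) for one client."""
    categories = sorted(set(history) | set(current))
    profile = posterior_mean(history, categories)  # historical behavior portrait
    now = posterior_mean(current, categories)      # current window
    d = symmetric_kl(profile, now)
    t = adaptive_threshold(profile)
    return d > t, d, t


# Constructed sample windows (endpoint strings stand in for access behavior)
HIST_STEADY = ["GET /orders"] * 90 + ["GET /profile"] * 10           # predictable client
HIST_DIVERSE = [f"GET /api/{i}" for i in range(5)] * 20              # varied client
CUR_STEADY_OK = ["GET /orders"] * 95 + ["GET /profile"] * 5          # small change
CUR_STEADY_BAD = ["GET /orders"] * 50 + ["DELETE /users"] * 50        # new destructive pattern
CUR_DIVERSE_SHIFT = ["GET /api/0"] * 60 + [f"GET /api/{i}" for i in range(1, 5)] * 10
```

The same moderate shift that trips the low threshold for a predictable client is tolerated for a client whose portrait was already high-entropy, which is the point of the entropy-adaptive threshold.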
Optionally, the integrity check of the dynamic token based on the current space-time context information comprises the steps of carrying out a hash calculation on the received dynamic token and the current space-time context information to obtain a hash verification value, comparing the hash verification value with a locally stored target token that was successfully verified last time, and, if the hash verification value is equal to the target token, passing the check and updating the locally stored token to the currently received token.

Optionally, the integrity check of the dynamic token based on the current space-time context information further comprises the steps of performing a limited number of hash iteration attempts on the received dynamic token to match the locally stored target token if the hash verification value is not equal to the target token, and, if the match succeeds, passing the check and updating the locally stored token to the currently received dynamic token.

The drift detection step comprises obtaining the distribution characteristics of the current access behavior, calculating a drift metric value between the distribution characteristics of the current access behavior and the historical distribution characteristics described by the historical behavior portrait, the drift metric value being calculated as a symmetric KL divergence, and judging that the behavior pattern of the client is abnormal if the drift metric value is larger than an adaptive threshold, wherein the adaptive threshold is dynamically adjusted according to the entropy value of the historical behavior portrait, a first detection threshold is adopted for clients whose historical behavior entropy is larger than or equal to a preset threshold,