CN-121984736-A - Intent-driven cross-network access control strategy dynamic arrangement method

Abstract

The invention relates to an intent-driven method for dynamically orchestrating cross-network access control policies, in the field of network security. Through a four-layer collaborative architecture comprising a BERT-based domain-adaptive intent parsing engine, a policy generation algorithm fusing rule reasoning and machine learning, a graph-theory-based multidimensional policy conflict detection and resolution mechanism, a multi-objective optimization policy orchestration framework for multiple network domains, and an eBPF-based high-performance policy execution engine, the invention achieves closed-loop control of intent, policy and state. With this closed-loop control capability it can respond to network changes in real time, improving security management efficiency while markedly reducing operation and maintenance complexity.

Inventors

  • WU ZHIYONG
  • ZHU TAO
  • CHANG TIANYOU
  • SONG XIAOBIN
  • LIU WEIWEI
  • HU QI
  • ZHANG ZHEBIN
  • DU LI
  • ZHANG PENG
  • LI CHUNHAO
  • ZHAO YUANJIE
  • LIAO JIANHUA
  • RAO JINLONG
  • GUO HAO
  • MU YUAN
  • LIU LEI
  • GU YUNJIE
  • LI YANBIN

Assignees

  • Chinese People's Liberation Army Unit 32003 (中国人民解放军32003部队)

Dates

Publication Date
2026-05-05
Application Date
2026-01-27

Claims (10)

  1. An intent-driven method for dynamically orchestrating cross-network access control policies, characterized in that the method automatically converts high-level user intent into cross-network access control policies through a multi-layer architecture and adjusts them dynamically in real time as the network state changes, the multi-layer architecture comprising an intent layer, a policy layer, an orchestration layer and an execution layer; the intent layer performs structured intent parsing based on domain NLP: its parsing engine uses the pre-trained language model BERT for named entity recognition and relation extraction, and the parsing result is mapped and normalized into a structured intent description language (IDL) object; the policy layer performs policy composition and conflict resolution based on graph theory and context awareness: it receives the IDL objects and generates a deployable, globally consistent security policy rule set, the generation comprising policy synthesis and conflict resolution; the orchestration layer performs policy deployment scheduling based on SDN and multi-objective optimization: it physically deploys the security policy rule set output by the policy layer to distributed policy execution points (PEPs) at the optimal deployment positions and along the optimal paths; the execution layer performs kernel-level policy enforcement and data acquisition based on eBPF: eBPF-based policy execution points are deployed at each network boundary node, policy rules are compiled into safe bytecode that is injected directly into the network protocol stack of the Linux kernel to enforce policies at kernel level, and state monitoring and feedback are provided at the same time.
  2. The method of claim 1, wherein the intent layer builds a domain-specific natural language processing (NLP) pipeline: first, corpora from large-scale cross-network access control scenarios are collected and annotated, and a domain dictionary and a label set covering 'subject', 'object', 'action', 'condition' and 'network domain' entities are constructed; in the inference stage, the parsing engine runs two subtasks in parallel, named entity recognition, which extracts the key elements of a sentence, and relation extraction, which establishes the semantic associations between the entities; the parsing result is mapped and normalized into a structured intent description language (IDL) object, which is defined by a JSON Schema and has strict syntax and semantics.
  3. The method of claim 2, wherein an IDL object instance contains a unique intent identifier, a semantic description, the sets of subjects, objects and actions, multidimensional constraints, the business context and a priority, the structured object providing accurate, unambiguous input for subsequent policy generation.
  4. The method of claim 1, wherein policy composition comprises a policy generation engine that dynamically integrates real-time context information from multiple systems, including user attributes and roles from the identity and access management (IAM) system, asset information and topology relationships from the configuration management database (CMDB), device security status from the endpoint detection and response (EDR) platform, and threat intelligence feeds.
  5. The method of claim 4, wherein conflict resolution comprises modeling the policy set as a directed graph G = (V, E) using a graph-theoretic conflict analysis model, the vertex set V representing atomic policy elements or compound policy rules and the edge set E representing the relationships between policies, namely specialization/generalization, dependency and mutual exclusion; three classes of core conflict are detected by graph traversal and set operations, namely 1) semantic conflicts, where the subject sets and the object sets of two rules both have a non-empty intersection but one rule's action is 'permit' and the other's is 'deny', forming a direct opposition; after a conflict is detected, it is handled automatically according to a predefined resolution meta-policy.
  6. The method of claim 5, wherein the resolution meta-policy comprises, in order of precedence, a security priority principle > a specificity priority principle > an explicit priority principle > a nearest priority principle; the resolution process may generate policy exceptions or modify the original policies, and finally outputs an internally consistent, conflict-free 'clean' security policy rule set; all resolution actions are recorded and a tamper-proof audit log is generated.
  7. The method of claim 1, wherein the resource scheduler of the orchestration layer obtains a real-time global network view, including topology, link bandwidth, device load, propagation delay and security domain partitioning, through the northbound API of the SDN controller, and formulates policy deployment as a multi-objective optimization problem whose decision variable is the mapping between policy rules and execution points; the objective function F is defined as a weighted sum that minimizes the total policy validation delay L, maximizes the critical-path available bandwidth B and balances the load U across the execution points, F = min(α·L - β·B + γ·U), where α, β and γ are weight coefficients; the constraints include the checkpoints in the data stream through which the policy must be deployed, the upper limit on the processing capacity of a single execution point, and the security isolation domain requirements that must be satisfied.
  8. The method of claim 7, wherein the policy distributor is responsible for securely and reliably issuing the deployment list to the target execution points, transmission security being guaranteed at two levels: 1) channel security, an encrypted channel with mutual authentication established using TLS 1.3 with certificates conforming to the Chinese national cryptographic (GM) standards; 2) content security, policy data encrypted at the application layer with the SM4 national cryptographic algorithm and digitally signed with the SM2 national cryptographic algorithm, ensuring confidentiality, integrity and non-repudiation of the transmitted data; the policy distributor implements an end-to-end confirmation and state synchronization mechanism, distributing over gRPC streaming interfaces, with each execution point returning a confirmation ACK after the policy has loaded successfully; it maintains a versioned policy state machine supporting atomic deployment and fast rollback, and automatically rolls back to the last stable version if a deployment fails or the monitoring system detects an anomaly, minimizing the impact on services.
  9. The method of claim 8, wherein eBPF allows policy rules to be compiled into safe bytecode and injected directly into the network protocol stack of the Linux kernel using the XDP and TC hook points: XDP processes packets early, at the network card driver layer, for ultra-low-latency drop or forward decisions, while TC provides a richer processing context at the IP layer; the issued policies are converted into efficient eBPF programs that store and match access control lists in hash maps; besides enforcing 'permit/deny' actions, a policy execution point collects rich flow logs, policy hit counts and packet samples at very low cost, and these data are passed in real time to a user-space collector process through the perf event or ring buffer mechanisms shared between kernel and user space; the collector performs lightweight aggregation and publishes the data asynchronously to a Kafka message queue; these real-time data streams form the 'sensory nerve' of the closed-loop feedback, and a downstream stream processing engine analyzes them in real time, computes key performance indicators and provides the data-driven basis for dynamic optimization.
  10. The method of any one of claims 1 to 9, wherein the closed-loop control system comprises a monitor-analyze-plan-execute control loop; the stream processing engine continuously analyzes the telemetry from the execution layer together with external threat intelligence, computes policy effectiveness indicators and detects anomalous events; in the analysis, the evaluation engine compares the current state with the state the intent expects and performs root cause analysis: if a large number of legitimate service requests are found to be denied, the policy may be too strict, and if new exploit traffic is found to pass, the policy has a gap; the optimization planning module generates policy adjustment recommendations from the analysis result, comprising calling the policy layer to generate a new compensating policy, modifying the parameters of existing policies, or triggering re-orchestration of policy deployment; the optimized policy is securely and reliably deployed to the execution layer through the orchestration layer, completing one adjustment cycle; the accumulated knowledge is used to refine the training of the intent NLP model, improve the policy generation rules and train predictive models, so that the system learns and evolves continuously.
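
As an added example (not code from the patent), the semantic-conflict detection of claim 5 and the resolution meta-policy of claim 6 in Python; the meanings of 'security priority' (deny beats permit) and 'specificity' (smaller scope wins), the overlap-carving exception and the SHA-256 hash chain used for the audit log are assumptions.

```python
import hashlib
from dataclasses import dataclass, replace
from itertools import combinations

@dataclass(frozen=True)
class Rule:                # constructed example, not the patent's code
    rid: str
    subjects: frozenset
    objects: frozenset
    action: str            # "permit" or "deny"
    explicit: bool = True  # False for a rule derived from a broader intent
    order: int = 0         # definition order; larger means "nearest" (most recent)

def overlaps(a, b):
    return bool(a.subjects & b.subjects) and bool(a.objects & b.objects)
def semantic_conflicts(rules):
    # Mutual-exclusion edges of the claim-5 graph: subject and object sets both
    # intersect, but one rule permits what the other denies.
    return [(a.rid, b.rid) for a, b in combinations(rules, 2)
            if overlaps(a, b) and a.action != b.action]
def winner(a, b):
    # Claim-6 meta-policy: security > specificity > explicit > nearest. Assumed
    # meanings: security = deny beats permit; specificity = smaller scope wins.
    tiers = (("security", lambda r: r.action == "deny"),
             ("specificity", lambda r: -(len(r.subjects) + len(r.objects))),
             ("explicit", lambda r: r.explicit),
             ("nearest", lambda r: r.order))
    for name, key in tiers:
        if key(a) != key(b):
            return (a if key(a) > key(b) else b), name
    return a, "tie"

def resolve(rules):
    # Carve the overlap out of the losing rule (a policy exception), drop it when
    # nothing is left, and hash-chain every action into a tamper-evident audit log.
    by_id, audit, prev = {r.rid: r for r in rules}, [], "0" * 64
    for src, dst in semantic_conflicts(rules):
        a, b = by_id.get(src), by_id.get(dst)
        if not (a and b and overlaps(a, b)):
            continue                       # already fixed by an earlier exception
        win, why = winner(a, b)
        lose = b if win is a else a
        carved = replace(lose, subjects=lose.subjects - win.subjects)
        by_id.pop(lose.rid)
        if carved.subjects:
            by_id[lose.rid] = carved
        entry = f"{lose.rid} {'narrowed' if carved.subjects else 'removed'} by {win.rid} ({why})"
        prev = hashlib.sha256((prev + entry).encode()).hexdigest()
        audit.append((entry, prev))
    return list(by_id.values()), audit
```

Each audit entry carries the running hash of everything before it, so editing or deleting an earlier entry breaks every later hash.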

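As a further added example (not from the patent), the claim-7 objective F = α·L - β·B + γ·U evaluated by exhaustive search over rule-to-execution-point mappings on a constructed three-node topology; the concrete definitions of L, B and U, the weights, the capacities and the topology are all assumptions.

```python
from itertools import product

# Constructed topology, not from the patent: each policy execution point (PEP) has a
# propagation delay, the available bandwidth of its link, a processing capacity
# (maximum number of rules it may host) and the security domain it sits in.
PEPS = {
    "edge-a": {"delay": 2, "bw": 800, "cap": 1, "domain": "dmz"},
    "core-1": {"delay": 5, "bw": 400, "cap": 3, "domain": "core"},
    "edge-b": {"delay": 3, "bw": 900, "cap": 2, "domain": "office"},
}
# Each policy rule: the checkpoints its data stream passes through, and the
# isolation domain it must be enforced in (None means any checkpoint on the path).
RULES = {
    "p1": {"path": ["edge-a", "core-1"], "domain": "dmz"},
    "p2": {"path": ["edge-b", "core-1"], "domain": None},
    "p3": {"path": ["edge-a", "core-1", "edge-b"], "domain": None},
}
def load(mapping, pep):
    return sum(1 for p in mapping.values() if p == pep)
def objective(mapping, peps, alpha=1.0, beta=0.01, gamma=1.0):
    # F = alpha*L - beta*B + gamma*U (claim 7): L = total validation delay,
    # B = bandwidth available on the critical path (the tightest chosen link),
    # U = load imbalance across execution points (max load - min load).
    L = sum(peps[p]["delay"] for p in mapping.values())
    B = min(peps[p]["bw"] for p in mapping.values())
    loads = [load(mapping, pep) for pep in peps]
    U = max(loads) - min(loads)
    return alpha * L - beta * B + gamma * U

def feasible(mapping, rules, peps):
    # Constraints of claim 7: the PEP lies on the rule's data-stream path, satisfies the
    # rule's isolation-domain requirement, and no PEP exceeds its processing capacity.
    for rid, pep in mapping.items():
        if pep not in rules[rid]["path"]:
            return False
        if rules[rid]["domain"] and peps[pep]["domain"] != rules[rid]["domain"]:
            return False
    return all(load(mapping, pep) <= peps[pep]["cap"] for pep in peps)

def best_deployment(rules=RULES, peps=PEPS):
    # Exhaustive search over rule->PEP mappings; fine at this toy size, whereas the
    # patent's framework is a general multi-objective optimizer.
    best, best_f = None, float("inf")
    for choice in product(peps, repeat=len(rules)):
        mapping = dict(zip(rules, choice))
        if feasible(mapping, rules, peps):
            f = objective(mapping, peps)
            if f < best_f:
                best, best_f = mapping, f
    return best, best_f
```

With these weights the bandwidth term pulls p2 and p3 away from the congested core link, which is the kind of trade-off the weighted sum is meant to expose.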
Description

Technical Field

The invention belongs to the field of network security, and in particular relates to an intent-driven method for dynamically orchestrating cross-network access control policies.

Background

An Intent-Driven Network (IDN) is an emerging network architecture concept that aims to convert the business intent of a network administrator into concrete network configuration and policy, so that the network is managed and optimized automatically. Using natural language processing, machine learning and related technologies, an IDN can understand the administrator's intent and adjust network behaviour dynamically according to the real-time state of the network, offering a new approach to the problems of traditional cross-network access control.

A cross-network access control management method, device and electronic device (application number 202010970278.7) achieves access control management by acquiring the target route and the permission behaviour data when a user accesses a system; this approach is relatively static and one-dimensional, lacks a unified global view, and makes overall security protection and business collaboration across networks difficult to achieve. The IP-control-based cross-network access control method (application number CN 202510194579.8) assigns a fixed IP segment to office network users and enforces access control according to the account's network attribute (technical network or office network) and an IP whitelist; its limitation is that a static IP binding mechanism cannot adapt to mobile office and dynamic IP environments, lacks flexibility and dynamic adjustment capability, has difficulty adapting to complex and changing network environments and business scenarios, and cannot be adjusted according to factors such as the user's real-time behaviour and business dynamics. In the face of emerging attack techniques and diversified business demands, these methods have obvious shortcomings in security, flexibility and adaptability, and need to be optimized and improved.

Disclosure of Invention

(I) Technical problem to be solved

The invention aims to solve the technical problem of how to provide an intent-driven method for dynamically orchestrating cross-network access control policies, so as to overcome the obvious shortcomings of the prior art in security, flexibility and adaptability.

(II) Technical scheme

To solve the above technical problem, the invention provides an intent-driven method for dynamically orchestrating cross-network access control policies, which automatically converts high-level user intent into cross-network access control policies through a multi-layer architecture and adjusts them dynamically in real time as the network state changes, the multi-layer architecture comprising an intent layer, a policy layer, an orchestration layer and an execution layer. The intent layer performs structured intent parsing based on domain NLP: its parsing engine uses the pre-trained language model BERT for named entity recognition and relation extraction, and the parsing result is mapped and normalized into a structured intent description language (IDL) object. The policy layer performs policy composition and conflict resolution based on graph theory and context awareness: it receives the IDL objects and generates a deployable, globally consistent security policy rule set, the generation comprising policy synthesis and conflict resolution. The orchestration layer performs policy deployment scheduling based on SDN and multi-objective optimization: it physically deploys the security policy rule set output by the policy layer to distributed policy execution points (PEPs) at the optimal deployment positions and along the optimal paths. The execution layer performs kernel-level policy enforcement and data acquisition based on eBPF: eBPF-based policy execution points are deployed at each network boundary node, policy rules are compiled into safe bytecode that is injected directly into the network protocol stack of the Linux kernel to enforce policies at kernel level, and state monitoring and feedback are provided at the same time.

(III) Beneficial effects

The invention provides an intent-driven method for dynamically orchestrating cross-network access control policies, whose core innovations are a BERT-based domain-adaptive intent parsing engine, a policy generation algorithm fusing rule reasoning and machine learning, a graph-theory-based multidimensional policy conflict detection and resolution mechanism