
CN-121985396-A - Network access processing method, wireless broadband terminal and system

CN121985396A

Abstract

The invention discloses a network access processing method, a wireless broadband terminal and a system in the technical field of network access. The method comprises: multidimensional sensing and information acquisition, which collects and reports a device's multidimensional context information; intent resolution and policy binding, which infers the device's service intent from that information and automatically generates and issues fine-grained network policies; security assessment and policy correction, which continuously monitors the device's security state and automatically triggers policy correction according to a dynamic score; traffic self-learning and elastic scheduling, which analyzes and predicts the device's traffic pattern and dynamically adjusts its network bandwidth quota; and session termination and resource cleanup, which automatically removes the related policies and reclaims resources after the device goes offline. By building this intelligent closed loop, the invention achieves a fundamental transition from static configuration to intent- and context-driven dynamic scheduling, and significantly improves the automation, security and resource utilization efficiency of network access.

Inventors

  • HOU YAJIE
  • LIN WEI
  • ZHANG MINGHAO

Assignees

  • 深圳市昕思达电子科技有限公司

Dates

Publication Date
2026-05-05
Application Date
2026-01-30

Claims (9)

  1. A network access processing method, characterized by comprising the following steps: multidimensional sensing and information acquisition, in which, when a device initiates a network access request, the network access control point acquires the device's conventional authentication information together with its multidimensional context information (device type, declared access destination, basic device state, access time and location) and sends this information to the central policy controller; intent resolution and policy binding, in which the central policy controller infers the device's service intent from the received multidimensional context information, matches and generates a corresponding fine-grained network policy from a preset policy template library based on the inferred intent, binds the policy to the device's unique identifier and issues it to a policy enforcement point in the network; security assessment and policy correction, in which the device's security state is continuously monitored after it has joined the network and a dynamic security health score is generated, a policy correction flow being triggered automatically when the score falls below a preset threshold so that a corrected network policy is generated and issued to adjust the device's network access rights; traffic self-learning and elastic scheduling, in which the historical traffic generated by the device is analyzed to build a resource profile, and the network bandwidth quota allocated to the device is dynamically adjusted based on that profile and a prediction of the device's future traffic; and session termination and resource cleanup, in which the central policy controller is notified once the device is detected to be offline and instructs the relevant network nodes to remove all dynamic policies issued for the device and reclaim the network resources they occupied.
  2. The network access processing method according to claim 1, wherein in the multidimensional sensing and information acquisition step, acquiring and transmitting the multidimensional context information specifically comprises: a preset collection agent on a managed device automatically collects local information and generates a structured information object according to a unified data model; for devices on which no agent can be installed, the access control point acquires device type information indirectly by sending an LLDP extension message or a custom probe message and analyzing the response pattern to that message; and the access control point sends the packaged authentication information and multidimensional context information packet to the northbound RESTful API of the central policy controller over a TLS-secured channel.
  3. The network access processing method according to claim 1, wherein the intent resolution and policy binding step further comprises an online feedback optimization process, specifically comprising: after the device has joined the network and begins to communicate, extracting its actual service pattern vector Q through traffic analysis; computing a matching degree R between the initially inferred intent description P and the actual service pattern vector Q, where R is determined from the size of the intersection of the key feature sets extracted from P and Q and from a consistency indicator function between the traffic destination and the target declared in the intent; updating the confidence C of the intent inference for the device according to R using a dynamic decay update algorithm with a forgetting factor; and, when C remains below a credibility threshold throughout a preset observation window W, triggering an optimization learning process that either corrects the intent mapping rule base or takes the context information X that produced the low-confidence inference together with the actual service pattern as a new sample pair and adds it to the incremental learning queue of a machine learning model for training.
  4. The network access processing method according to claim 1, wherein in the security assessment and policy correction step, generating the dynamic security health score specifically comprises: maintaining an initial score S for each device and subscribing to the real-time event stream of the security information and event management (SIEM) system; when a security event occurs, deducting from S according to a predefined event weight and an event severity coefficient to obtain the updated security health score S(t); the security events comprising at least detection of an unauthorized process, presence of a known high-risk vulnerability and occurrence of an abnormal outbound connection; and updating S(t) periodically.
  5. The network access processing method according to claim 1, wherein in the traffic self-learning and elastic scheduling step, dynamically adjusting based on the prediction of future traffic specifically comprises: maintaining a traffic prediction model for a device or device group, the model being trained on the time series of the device's historical traffic pattern fingerprints, each fingerprint comprising a bandwidth value, an application type distribution vector and traffic entropy features; in each scheduling decision period, feeding the traffic pattern fingerprints of the device's latest L time windows into the model to obtain the predicted traffic trajectory Ť for the next K windows together with its confidence score; an active pre-warming mode, in which, when the predicted trajectory shows the device entering a critical service state within m future windows with a confidence above a preset level and the overall network utilization is below a safety threshold, a pre-upgrade decision is triggered and an enhanced bandwidth quota is computed and allocated in advance from the predicted bandwidth peak; and a predictive load-shedding mode, in which, when the predicted trajectory shows the device entering a long quiet period and the confidence meets the preset level, a more durable resource reclamation policy is triggered to perform predictive global load balancing across devices.
  6. The network access processing method according to claim 5, wherein the traffic prediction model supports online learning and calibration: after each prediction period ends, the model's predicted values are compared with the actual observed values, and if the prediction deviation continuously exceeds the tolerance range, the corresponding historical sequence and actual value pair is added to a circular buffer; the model periodically samples data from the circular buffer for incremental training so as to adapt to gradual or abrupt changes in the device's traffic pattern.
  7. The network access processing method according to claim 1, wherein in the session termination and resource cleanup step, cleaning up policies and reclaiming resources specifically comprises the following atomic operations: querying a device-policy mapping table to obtain the list of globally unique identifiers of all policies issued for the offline device; sending a batch policy deletion instruction to all recorded related network devices, the instruction being an OpenFlow Flow-Mod message with the command DELETE and the device's MAC address as the match field; and sending a DHCP-Release request to the IP address management system to release the IP address lease allocated to the device.
  8. A wireless broadband terminal for network access processing according to any one of claims 1 to 7, comprising: a context awareness agent for collecting the terminal's device attributes and declared service intent, formatting them into the standard data model and reporting them to the network control plane; a policy enforcement adapter for receiving and parsing the intent-based network policy instructions issued by the network controller, converting them into configuration the terminal can recognize and driving the terminal's network protocol stack to apply that configuration; a state coordination unit for exposing the terminal runtime data interfaces required by the network-side security and performance monitoring components and allowing the network side to perform deep inspection of network traffic; and a connection lifecycle manager for managing the entire process from network access authentication and session maintenance to disconnection, and for coordinating resource cleanup and state synchronization when the terminal goes offline.
  9. A network access processing system according to any one of claims 1 to 7, comprising the following modules: a multidimensional information sensing and collection module deployed at the network access control point for collecting and uploading the device's identity authentication information and multidimensional context information when the device joins the network; an intelligent intent resolution and policy generation module deployed in the central policy controller for inferring the device's service intent from the received information and automatically generating and binding a fine-grained device-specific network policy based on that intent; a dynamic monitoring and adaptive optimization module for continuously assessing the device's security state while it is online in order to trigger policy correction, and for dynamically scheduling network bandwidth resources based on the self-learning and prediction results of the traffic pattern; and a policy lifecycle management module for monitoring device offline events and automatically triggering cleanup of the device's related policies and global reclamation of network resources.
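
The online feedback loop of claim 3 (matching degree R, forgetting-factor confidence C, relearning trigger after window W), as an added example that is not the patent's own implementation: the claim only says R depends on the intersection size of the key feature sets and a consistency indicator, so the Jaccard form, the forgetting factor, the threshold, the window length and the feature sets used here are all assumptions.

```python
from collections import deque

def matching_degree(intent_features, observed_features, intent_target, traffic_dest):
    """R = (|F(P) & F(Q)| / |F(P) | F(Q)|) * I(traffic destination == declared target).
    The Jaccard ratio is an assumed concrete form of the 'intersection size' in claim 3."""
    p, q = set(intent_features), set(observed_features)
    if not p and not q:
        return 0.0
    consistent = 1.0 if intent_target == traffic_dest else 0.0
    return (len(p & q) / len(p | q)) * consistent

class IntentConfidence:
    """Per-device confidence C with forgetting factor lam: C <- lam*C + (1-lam)*R.
    Relearning is triggered when C has stayed below the threshold for a whole window W."""
    def __init__(self, lam=0.7, threshold=0.5, window=3, initial=1.0):
        self.lam, self.threshold, self.window = lam, threshold, window
        self.c = initial                      # assumed: a fresh inference starts fully trusted
        self.history = deque(maxlen=window)   # last W confidence values

    def update(self, r):
        self.c = self.lam * self.c + (1 - self.lam) * r
        self.history.append(self.c)
        return self.c

    def needs_relearning(self):
        """True only when every value in the full observation window W is below the threshold."""
        return len(self.history) == self.window and all(c < self.threshold for c in self.history)
```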
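
The dynamic security health score of claim 4, driven by a constructed SIEM event stream, as an added example that is not the patent's own code: the initial score, the threshold, the per-event weights, the severity coefficients and the mapping from score to corrected policy are assumptions, and the periodic re-evaluation of S(t) mentioned in the claim is not modelled.

```python
# Assumed event weights and severity coefficients; the claim names the three
# event types but gives no numbers.
EVENT_WEIGHTS = {
    "unauthorized_process": 15.0,
    "known_high_risk_vuln": 20.0,
    "abnormal_outbound_connection": 25.0,
}
SEVERITY_COEFF = {"low": 0.5, "medium": 1.0, "high": 1.5, "critical": 2.0}

class HealthScorer:
    def __init__(self, initial=100.0, threshold=60.0):
        self.initial, self.threshold = initial, threshold
        self.scores = {}        # device_id -> current S(t)
        self.corrections = []   # (device_id, score, policy) for every triggered correction

    def score(self, device_id):
        return self.scores.get(device_id, self.initial)

    def on_event(self, event):
        """Deduct weight * severity coefficient and return a corrected policy when S(t) < threshold."""
        dev = event["device_id"]
        deduction = EVENT_WEIGHTS[event["type"]] * SEVERITY_COEFF[event["severity"]]
        s = max(0.0, self.score(dev) - deduction)
        self.scores[dev] = s
        if s < self.threshold:
            policy = self.corrected_policy(dev, s)
            self.corrections.append((dev, s, policy))
            return policy
        return None

    @staticmethod
    def corrected_policy(device_id, s):
        """Assumed score bands: quarantine below 30, otherwise restrict to remediation only."""
        if s < 30:
            return {"device": device_id, "action": "quarantine"}
        return {"device": device_id, "action": "restrict", "allow": ["remediation"]}

def process_stream(scorer, events):
    """Feed events in order; return the corrected policies that were issued."""
    return [p for p in (scorer.on_event(e) for e in events) if p is not None]

# Constructed sample SIEM events (not real telemetry).
SAMPLE_EVENTS = [
    {"device_id": "dev-A", "type": "unauthorized_process", "severity": "medium"},            # 100 -> 85
    {"device_id": "dev-A", "type": "known_high_risk_vuln", "severity": "high"},               # 85 -> 55, restrict
    {"device_id": "dev-A", "type": "abnormal_outbound_connection", "severity": "critical"},   # 55 -> 5, quarantine
    {"device_id": "dev-B", "type": "known_high_risk_vuln", "severity": "low"},                # 100 -> 90
]
```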
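
The three atomic cleanup operations of claim 7 run against an in-memory device-policy mapping table, as an added example that is not the patent's own code: the table layout and the dictionary renderings of the OpenFlow Flow-Mod DELETE (matching on the device MAC as source address) and of the DHCP release are assumptions, and no real switch or IPAM is contacted.

```python
class PolicyLifecycleManager:
    def __init__(self):
        self.device_policies = {}   # device_id -> {policy_id: (node, mac)}
        self.ip_leases = {}         # device_id -> leased IP address
        self.sent = []              # outbound messages, recorded for inspection

    def bind(self, device_id, policy_id, node, mac, ip):
        """Record a dynamic policy issued for a device on a given enforcement node."""
        self.device_policies.setdefault(device_id, {})[policy_id] = (node, mac)
        self.ip_leases[device_id] = ip

    def on_offline(self, device_id):
        """Claim 7 cleanup; returns (number of policies removed, released IP or None)."""
        # 1. Query the mapping table for every policy id issued for this device.
        policies = self.device_policies.pop(device_id, {})
        # 2. One batch Flow-Mod DELETE per node, matching on the device MAC
        #    (eth_src assumed as the match field; OFPT_FLOW_MOD/OFPFC_DELETE are OpenFlow names).
        by_node = {}
        for pid, (node, mac) in policies.items():
            by_node.setdefault((node, mac), []).append(pid)
        for (node, mac), pids in by_node.items():
            self.sent.append({"to": node, "msg": "OFPT_FLOW_MOD", "command": "OFPFC_DELETE",
                              "match": {"eth_src": mac}, "policy_ids": sorted(pids)})
        # 3. Release the IP lease held by the device.
        ip = self.ip_leases.pop(device_id, None)
        if ip is not None:
            self.sent.append({"to": "ipam", "msg": "DHCPRELEASE", "ip": ip})
        return len(policies), ip
```

Running `on_offline` a second time for the same device removes nothing and sends nothing, so a duplicated offline event cannot delete another device's flows.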

Description

Network access processing method, wireless broadband terminal and system

Technical Field

The present invention relates to the field of network access technologies, and in particular to a network access processing method, a wireless broadband terminal and a system.

Background

With the rapid development of the Internet of Things (IoT), mobile office (BYOD) and the industrial internet, the types of devices accessing the network have become increasingly diverse and their numbers have grown rapidly, ranging from traditional personal computers and servers to various sensors, cameras, intelligent terminals and special-purpose industrial devices. This has turned enterprise and carrier networks from relatively closed, homogeneous environments into highly open, heterogeneous and complex systems. Against this background, achieving efficient, secure and intelligent network access control has become a key challenge for ensuring smooth service operation and effective use of network resources.

Currently, mainstream network access control relies mainly on static, identity-based policy management. Typical techniques include identity authentication based on the IEEE 802.1X protocol, Access Control List (ACL) binding based on MAC addresses, and assignment of a fixed Virtual Local Area Network (VLAN) and bandwidth quota to the device after successful authentication. In practice these conventional approaches have gradually revealed significant drawbacks. First, policy configuration depends heavily on manual work by the network administrator, who must define detailed network policies (such as VLAN, ACL and QoS) in advance for each device type or role. In the face of massive numbers of diverse access devices, this model produces a heavy operation and maintenance workload and low efficiency, and configuration errors easily lead to security holes or network faults. Second, policies are fixed once issued and lack any dynamic adjustment capability.
Such methods cannot sense changes in a device's real-time security state after it has joined the network (for example, whether the device has been infected with malware or has unpatched high-risk vulnerabilities), cannot understand the device's real service intent and behaviour pattern, and therefore lag in security protection and cannot allocate resources flexibly according to service priority. Finally, static resource allocation models (such as fixed bandwidth) cannot adapt to tidal changes in device traffic and fluctuations in service priority, so network resources are easily congested at peak times and idle at off-peak times, with low overall utilization. There is therefore a need for a network access processing method that breaks through the limitations of static configuration and achieves intelligent sensing, dynamic policy generation and adaptive adjustment.

Disclosure of Invention

To overcome the above drawbacks of the prior art, embodiments of the present invention provide a network access processing method, a wireless broadband terminal and a system.
To achieve the above purpose, the present invention provides the following technical solution: a network access processing method comprising the following steps: when a device initiates a network access request, the network access control point acquires the device's conventional authentication information together with its multidimensional context information (device type, declared access destination, basic device state, access time and location) and sends this information to the central policy controller; the central policy controller infers the device's service intent from the received multidimensional context information, matches and generates a corresponding fine-grained network policy from a preset policy template library based on the inferred intent, binds the policy to the device's unique identifier and issues it to a policy enforcement point in the network; security assessment and policy correction, in which the device's security state is continuously monitored after it has joined the network and a dynamic security health score is generated, a policy correction flow being triggered automatically when the score falls below a preset threshold so that a corrected network policy is generated and issued to adjust the device's network access rights; analyzing the historical traffic generated by the device to build a resource profile, and dynamically adjusting the network bandwidth quota allocated to the device based on that profile and a prediction of the device's future traffic; and session termination and resource cleanup, in which the central policy controller is notified once the device is detected to be offline and instructs the relevant network nodes to clean a