
CN-122001692-A - Zero-trust dynamic encryption routing method, device and equipment based on flow sensing


Abstract

The application provides a zero-trust dynamic encryption routing method, device and equipment based on flow sensing. When a data plane receives a first message to be processed through a zero-trust secure tunnel, the identity characteristics and behavior characteristics corresponding to the first message are determined; the first message is decrypted with the target key information corresponding to the zero-trust secure tunnel to obtain a second message to be processed; if the data plane holds a first forwarding strategy matched with the identity characteristics, the routing action of the second message is determined from that strategy and the second message is handled according to the routing action; and when the control plane receives the identity characteristics and behavior characteristics, it determines a second forwarding strategy matched with the identity characteristics based on the behavior characteristics and updates that strategy to the data plane. By the scheme of the application, the amount of data mirrored to the control plane and the CPU load are reduced while zero trust is maintained.

Inventors

  • WANG BIN
  • YANG ZHIQU
  • SU ZHOU
  • WANG DINGLEI
  • YAN HAONAN

Assignees

  • 杭州海康威视数字技术股份有限公司

Dates

Publication Date
20260508
Application Date
20260409

Claims (10)

  1. A traffic awareness-based zero-trust dynamic encryption routing method, characterized by being applied to an electronic device, the electronic device comprising a data plane and a control plane, the method comprising: when the data plane receives a first message to be processed through a zero trust secure tunnel, determining identity characteristics and behavior characteristics corresponding to the first message to be processed, wherein the behavior characteristics comprise static behavior characteristics and dynamic behavior characteristics, the static behavior characteristics comprise unencrypted information in the first message to be processed, and the dynamic behavior characteristics comprise statistical characteristics of the data flow corresponding to the identity characteristics; performing a decryption operation on the first message to be processed through the target key information corresponding to the zero trust secure tunnel to obtain a second message to be processed after the decryption operation; determining a routing action of the second message to be processed based on a first forwarding strategy if the data plane has a first forwarding strategy matched with the identity characteristics, and determining the routing action of the second message to be processed based on the behavior characteristics if the data plane does not have a first forwarding strategy matched with the identity characteristics; and when the identity characteristics and the behavior characteristics sent by the data plane are received through the control plane, determining a second forwarding strategy matched with the identity characteristics based on the behavior characteristics, and updating the second forwarding strategy to the data plane so that the data plane determines the routing action of subsequent messages to be processed based on the second forwarding strategy, wherein the second forwarding strategy is determined based on fingerprint trust scores and/or model prediction trust scores, the fingerprint trust scores are scores corresponding to the behavior characteristics in a fingerprint database, and the prediction trust scores are scores obtained by inputting the behavior characteristics into a network model.
  2. The method of claim 1, wherein determining the routing action of the second message to be processed based on the behavior characteristics comprises: determining whether the second message to be processed is an abnormal message based on the behavior characteristics; if so, determining that the routing action is a blocking action or a security isolation action; if not, assigning a first trust score to the second message to be processed, determining a score to be adjusted based on the behavior characteristics, adjusting the first trust score by the score to be adjusted to obtain a second trust score, and determining the action corresponding to the second trust score as the routing action; wherein if the behavior characteristics match an acquired score-adding strategy, the score value of the score to be adjusted is increased, and if the behavior characteristics match an acquired score-subtracting strategy, the score value of the score to be adjusted is decreased; the fingerprint database comprises a correspondence between behavior characteristics and fingerprint trust scores, behavior characteristics whose fingerprint trust scores are larger than a first threshold are used to obtain the score-adding strategy, behavior characteristics whose fingerprint trust scores are smaller than a second threshold are used to obtain the score-subtracting strategy, and the second threshold is smaller than the first threshold.
  3. The method of claim 2, wherein determining whether the second message to be processed is an abnormal message based on the behavior characteristics comprises: if the behavior characteristics comprise a flag bit and a flow state of an FSM (finite state machine), determining a first state of the data flow based on the flow state of the FSM and determining a second state of the second message to be processed based on the flag bit, wherein the flow state of the FSM represents the state of the last message to be processed corresponding to the data flow, and the flag bit represents the state of the second message to be processed; determining an expected transition state based on the first state; and determining that the second message to be processed is not an abnormal message if the second state is the expected transition state, and determining that the second message to be processed is an abnormal message if the second state is not the expected transition state.
  4. The method according to claim 1, wherein determining the second forwarding strategy based on fingerprint trust scores and/or model prediction trust scores specifically comprises: if the fingerprint database comprises a fingerprint trust score corresponding to the behavior characteristics, determining a target trust score based on the fingerprint trust score, or based on the fingerprint trust score and the prediction trust score, or based on the fingerprint trust score, the prediction trust score and an acquired authentication trust score; if the fingerprint database does not comprise a fingerprint trust score corresponding to the behavior characteristics, determining the target trust score based on the prediction trust score, or based on the prediction trust score and the authentication trust score; determining the forwarding strategy corresponding to the target trust score as the second forwarding strategy, wherein the second forwarding strategy indicates that the routing action is a blocking action, a security isolation action or a forwarding action; and determining the authentication trust score based on verification information if the second message to be processed comprises verification information that is protected by encryption and integrity protection, wherein the authentication trust score is larger the higher the security of the second message to be processed indicated by the verification information.
  5. The method according to claim 1 or 4, wherein the network model comprises a basic time-series anomaly detection model, a deep time-series anomaly detection model and an entity interaction topology analysis model, and obtaining the prediction trust score specifically comprises: if the second message to be processed sent by the data plane is received through the control plane, inputting the second message to be processed into the basic time-series anomaly detection model to obtain a basic time-series trust score, wherein the data plane sends the second message to be processed to the control plane if the routing action of the second message to be processed is a blocking action or a security isolation action; inputting the behavior characteristics into the deep time-series anomaly detection model to obtain a deep time-series trust score; inputting the behavior characteristics and associated behavior characteristics into the entity interaction topology analysis model to obtain an entity interaction trust score, wherein the associated behavior characteristics are the behavior characteristics of the data flows associated with the data flow; and performing a weighting operation on the basic time-series trust score, the deep time-series trust score and the entity interaction trust score to obtain the prediction trust score, or performing a weighting operation on the deep time-series trust score and the entity interaction trust score to obtain the prediction trust score.
  6. The method according to claim 4, further comprising: after the target trust score is obtained, determining key information to be updated corresponding to the zero trust secure tunnel based on the target trust score, wherein if the target trust score is smaller than a third threshold, the key information to be updated is first key information whose encryption level is higher than that of the target key information, and if the target trust score is larger than a fourth threshold, the key information to be updated is second key information whose encryption level is lower than that of the target key information, the fourth threshold being larger than the third threshold; and sending the first key information or the second key information to the data plane to update the target key information of the zero trust secure tunnel through the first key information or the second key information.
  7. The method according to claim 4, further comprising: after the target trust score is obtained, updating the target trust score into the fingerprint trust score corresponding to the behavior characteristics, adding a data item to the fingerprint database, recording the correspondence between the behavior characteristics and the fingerprint trust score through the data item, and configuring an expiration time for the data item; and deleting the data item from the fingerprint database when the data item is determined to be expired based on the expiration time.
  8. A traffic awareness-based zero-trust dynamic encryption routing apparatus, applied to an electronic device comprising a data plane and a control plane, the apparatus comprising a data plane management module, a decryption operation module and a control plane management module, wherein: the data plane management module is used for determining identity characteristics and behavior characteristics corresponding to a first message to be processed when the data plane receives the first message to be processed through a zero trust secure tunnel, the behavior characteristics comprising static behavior characteristics and dynamic behavior characteristics, the static behavior characteristics comprising unencrypted information in the first message to be processed, and the dynamic behavior characteristics comprising statistical characteristics of the data flow corresponding to the identity characteristics; the decryption operation module is used for performing a decryption operation on the first message to be processed through the target key information corresponding to the zero trust secure tunnel to obtain a second message to be processed; the data plane management module is further used for determining a routing action of the second message to be processed based on a first forwarding strategy if the data plane has a first forwarding strategy matched with the identity characteristics, and determining the routing action of the second message to be processed based on the behavior characteristics if the data plane does not have a first forwarding strategy matched with the identity characteristics; and the control plane management module is used for determining a second forwarding strategy matched with the identity characteristics based on the behavior characteristics when the identity characteristics and the behavior characteristics sent by the data plane are received through the control plane, and updating the second forwarding strategy to the data plane so that the data plane determines the routing action of subsequent messages to be processed based on the second forwarding strategy, wherein the second forwarding strategy is determined based on fingerprint trust scores and/or model prediction trust scores, the fingerprint trust scores are scores corresponding to the behavior characteristics in a fingerprint database, and the prediction trust scores are scores obtained by inputting the behavior characteristics into a network model.
  9. The apparatus of claim 8, wherein the data plane management module is specifically used for determining whether the second message to be processed is an abnormal message based on the behavior characteristics; if so, determining that the routing action is a blocking action or a security isolation action; if not, assigning a first trust score to the second message to be processed, determining a score to be adjusted based on the behavior characteristics, adjusting the first trust score by the score to be adjusted to obtain a second trust score, and determining the action corresponding to the second trust score as the routing action, wherein if the behavior characteristics match the score-adding strategy the score value of the score to be adjusted is increased, and if the behavior characteristics match the score-subtracting strategy the score value of the score to be adjusted is decreased, wherein the fingerprint database comprises a correspondence between behavior characteristics and fingerprint trust scores, behavior characteristics whose fingerprint trust scores are larger than a first threshold are used to obtain the score-adding strategy, behavior characteristics whose fingerprint trust scores are smaller than a second threshold are used to obtain the score-subtracting strategy, and the second threshold is smaller than the first threshold; or the data plane management module is specifically used for, when determining whether the second message to be processed is an abnormal message based on the behavior characteristics, determining a first state of the data flow based on the flow state of the FSM and determining a second state of the second message to be processed based on the flag bit if the behavior characteristics comprise a flag bit and a flow state of an FSM, wherein the flow state of the FSM represents the state of the last message to be processed corresponding to the data flow and the flag bit represents the state of the second message to be processed; determining an expected transition state based on the first state; determining that the second message to be processed is not an abnormal message if the second state is the expected transition state, and determining that the second message to be processed is an abnormal message if the second state is not the expected transition state; the control plane management module is specifically configured to, when determining the second forwarding strategy based on a fingerprint trust score and/or a model prediction trust score, determine a target trust score based on the fingerprint trust score, or based on the fingerprint trust score and the prediction trust score, or based on the fingerprint trust score, the prediction trust score and an acquired authentication trust score, if the fingerprint database comprises a fingerprint trust score corresponding to the behavior characteristics, and determine the target trust score based on the prediction trust score, or based on the prediction trust score and the authentication trust score, if the fingerprint database does not comprise a fingerprint trust score corresponding to the behavior characteristics; determine the forwarding strategy corresponding to the target trust score as the second forwarding strategy, the second forwarding strategy indicating that the routing action is a blocking action, a security isolation action or a forwarding action; and determine the authentication trust score based on verification information if the second message to be processed comprises verification information that is protected by encryption and integrity protection, wherein the authentication trust score is larger the higher the security of the second message to be processed indicated by the verification information; the network model comprises a basic time-series anomaly detection model, a deep time-series anomaly detection model and an entity interaction topology analysis model, wherein when obtaining the prediction trust score the control plane management module is specifically used for inputting the second message to be processed sent by the data plane into the basic time-series anomaly detection model to obtain the basic time-series trust score if the control plane receives the second message to be processed, the data plane sending the second message to be processed to the control plane if the routing action of the second message to be processed is a blocking action or a security isolation action; the control plane management module is further configured to determine key information to be updated corresponding to the zero trust secure tunnel based on the target trust score after the target trust score is obtained, wherein if the target trust score is smaller than a third threshold the key information to be updated is first key information whose encryption level is higher than that of the target key information, if the target trust score is larger than a fourth threshold the key information to be updated is second key information whose encryption level is lower than that of the target key information, the fourth threshold is larger than the third threshold, and the first key information or the second key information is issued to the data plane to update the target key information of the zero trust secure tunnel through the first key information or the second key information; or the control plane management module is further configured to update the target trust score into the fingerprint trust score corresponding to the behavior characteristics after the target trust score is obtained, add a data item to the fingerprint database, record the correspondence between the behavior characteristics and the fingerprint trust score through the data item, configure an expiration time for the data item, and delete the data item from the fingerprint database when the data item is determined to be expired based on the expiration time.
  10. An electronic device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being configured to execute the machine-executable instructions to implement the method of any one of claims 1-7.
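An added illustration, not the patent's own code: a minimal Python model of the data-plane decision (claims 2 and 3), the control-plane target trust score and key-level update (claims 4 and 6) and the expiring fingerprint database (claim 7) from the method claims above and the summary in the Description. The flow-state table, thresholds, score-to-action mapping, score step and averaging weights are assumptions made for this example.

```python
import time

BLOCK, ISOLATE, FORWARD = "block", "isolate", "forward"
# Assumed flow FSM (claim 3): state left by the last packet of a flow -> flag bits
# an in-order next packet may carry. States and flag names are constructed here.
EXPECTED_NEXT = {
    "closed": {"SYN"},
    "syn_sent": {"SYN-ACK", "RST"},
    "syn_received": {"ACK", "RST"},
    "established": {"ACK", "PSH-ACK", "FIN", "RST"},
    "fin_wait": {"ACK", "FIN", "FIN-ACK", "RST"},
}

def is_abnormal(fsm_state, flag):
    """Claim 3: the packet is abnormal unless its flag is an expected transition."""
    return flag not in EXPECTED_NEXT.get(fsm_state, set())

def scoring_strategies(fingerprint_scores, first_threshold, second_threshold):
    """Claim 2: scores above the first threshold -> add strategy, below the second -> subtract."""
    assert second_threshold < first_threshold
    add = {b for b, s in fingerprint_scores.items() if s > first_threshold}
    sub = {b for b, s in fingerprint_scores.items() if s < second_threshold}
    return add, sub

def action_for_score(score):
    """Assumed mapping of a trust score (0-100) onto the three routing actions."""
    if score < 30:
        return BLOCK
    if score < 60:
        return ISOLATE
    return FORWARD

def data_plane_action(fsm_state, flag, behaviors, fingerprint_scores,
                      first_threshold=80, second_threshold=20, base=50, step=10):
    """Claim 2: data-plane decision when no identity-matched policy exists.
    Returns (routing action, second trust score or None when the packet is abnormal)."""
    if is_abnormal(fsm_state, flag):
        return BLOCK, None
    add, sub = scoring_strategies(fingerprint_scores, first_threshold, second_threshold)
    adjust = sum(step for b in behaviors if b in add) - sum(step for b in behaviors if b in sub)
    score = max(0, min(100, base + adjust))  # first trust score + score to be adjusted
    return action_for_score(score), score

def target_trust_score(fingerprint_score, predicted_score, auth_score=None):
    """Claim 4: fingerprint score (averaged with the model prediction, an assumed
    weighting) when the database has one, else the prediction alone; an authentication
    score from integrity-protected verification info, when present, is averaged in."""
    parts = [predicted_score] if fingerprint_score is None else [fingerprint_score, predicted_score]
    if auth_score is not None:
        parts.append(auth_score)
    return sum(parts) / len(parts)

def key_level_update(target_score, current_level, third_threshold=30, fourth_threshold=80):
    """Claim 6: low trust -> stronger tunnel key (higher level), high trust -> lighter key."""
    assert fourth_threshold > third_threshold
    if target_score < third_threshold:
        return current_level + 1
    if target_score > fourth_threshold:
        return max(1, current_level - 1)
    return current_level

class FingerprintDB:
    """Claim 7: behavior -> fingerprint trust score, each data item with an expiry time."""
    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl, self.clock, self.items = ttl_seconds, clock, {}
    def put(self, behavior, score):
        self.items[behavior] = (score, self.clock() + self.ttl)
    def lookup(self, behavior):
        score, expires = self.items.get(behavior, (None, 0))
        if score is not None and self.clock() >= expires:  # expired: delete the data item
            del self.items[behavior]
            return None
        return score
```

The `clock` parameter lets the expiry logic be exercised deterministically; in a real data plane the fingerprint scores fed to `scoring_strategies` would come from `FingerprintDB.lookup` rather than a literal dictionary.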

Description

Zero-trust dynamic encryption routing method, device and equipment based on flow sensing

Technical Field

The present application relates to the field of network security technologies, and in particular to a method, an apparatus and a device for zero-trust dynamic encryption routing based on flow awareness.

Background

Network security (cyber security) refers to protecting the hardware and software of a network system and the data in the system from damage, modification and leakage caused by accidental or malicious causes, so that the network system operates continuously, reliably and normally and network service is not interrupted. Traditional network security is based on the physical boundary defense of a firewall: the network inside the firewall is treated as an intranet, all office equipment and data resources of an enterprise are in the intranet, and the intranet is completely trusted, that is, intranet devices are assumed to be safe when accessing one another. With the continuous rise of emerging technologies such as cloud computing, big data and the internet of things, enterprise IT architecture is transitioning from "bordered" to "borderless", and traditional security boundaries are gradually collapsing. In addition, with the continuous advance of new infrastructure represented by 5G and the industrial internet, this "borderless" evolution is further accelerated. Zero trust security is becoming the new concept and new architecture for solving the network security problems of this new era. Zero trust security represents a new generation of network security protection concept, whose key is to break the default "trust", namely "continuously verify and never trust". No person, device or system inside or outside the enterprise network is trusted by default; the trust basis for access control is rebuilt on identity authentication and authorization, and identity trust, device trust, application trust and link trust are ensured.

Terminal security, link security and access control security can be ensured based on zero trust. However, how the management of zero trust access should be achieved has not been effectively implemented in the related art.

Disclosure of Invention

The application provides a zero-trust dynamic encryption routing method based on flow sensing, applied to an electronic device comprising a data plane and a control plane, the method comprising the following steps: when the data plane receives a first message to be processed through a zero trust secure tunnel, determining identity characteristics and behavior characteristics corresponding to the first message to be processed, wherein the behavior characteristics comprise static behavior characteristics and dynamic behavior characteristics, the static behavior characteristics comprise unencrypted information in the first message to be processed, and the dynamic behavior characteristics comprise statistical characteristics of the data flow corresponding to the identity characteristics; performing a decryption operation on the first message to be processed through the target key information corresponding to the zero trust secure tunnel to obtain a second message to be processed after the decryption operation; determining a routing action of the second message to be processed based on a first forwarding strategy if the data plane has a first forwarding strategy matched with the identity characteristics, and determining the routing action of the second message to be processed based on the behavior characteristics if the data plane does not have a first forwarding strategy matched with the identity characteristics; and when the identity characteristics and the behavior characteristics sent by the data plane are received through the control plane, determining a second forwarding strategy matched with the identity characteristics based on the behavior characteristics, and updating the second forwarding strategy to the data plane so that the data plane determines the routing action of subsequent messages to be processed based on the second forwarding strategy, wherein the second forwarding strategy is determined based on fingerprint trust scores and/or model prediction trust scores, the fingerprint trust scores are scores corresponding to the behavior characteristics in a fingerprint database, and the prediction trust scores are scores obtained by inputting the behavior characteristics into a network model.

The application provides a zero-trust dynamic encryption routing device based on flow sensing, applied to an electronic device comprising a data plane and a control plane, the device comprising a data plane management module, a decryption operation module and a control plane management module, wherein the data plane management module is used for determining identity characteristics and behavior characteristics corresponding to