CN-122001693-A - Dynamic access control method and system for communication information security
Abstract
The application provides a dynamic access control method and system for communication information security, in the technical field of communication information security. A policy enforcement gateway captures the original access request and builds an initial request context object from it, and a security policy center database is queried by the uniform resource name of the application layer service and the transport layer protocol port number to match a basic security policy configuration unit. The initial request context object and the basic security policy configuration unit are input into a dynamic permission arbitration logic model, which performs certificate chain validity verification and function conflict analysis to generate an access risk comprehensive measurement vector. A real-time permission synthesizer derives a real-time authorization permission set from that vector, which is returned to the policy enforcement gateway to generate the response message. The application can adapt dynamically to the communication environment and improve the security and flexibility of access control.
Inventors
- ZHANG GANG
- Ran Yunlong
- SHI CHUNMEI
Assignees
- 上海明奇网络科技有限公司
Dates
- Publication Date: 2026-05-08
- Application Date: 2026-04-10
Claims (10)
- 1. A dynamic access control method for communication information security, the method comprising: deploying a policy enforcement gateway at the communication network access layer and capturing in real time, through the policy enforcement gateway, an original access request message sent from a communication session initiating terminal to a communication session receiving terminal, the original access request message encapsulating the initiating terminal's network protocol address, a transport layer protocol port number, the uniform resource name of the application layer service requested, and the initiating terminal's digital identity certificate file; parsing the original access request message by stripping the medium access control layer header and the internet protocol layer header, extracting the transport layer payload segment, parsing from the payload the temporary session identifier string submitted by the initiating terminal, the cipher suite negotiation list and the description text of the requested operation permission set, and aggregating these three into an initial request context object; querying a preset security policy center database by the uniform resource name of the requested application layer service and the transport layer protocol port number, and matching from it the basic security policy configuration unit for the current access request, in which a static permission allocation list and a function mutual exclusion constraint rule set are fixed; inputting the initial request context object and the basic security policy configuration unit together into a dynamic permission arbitration logic model, performing a certificate chain validity verification operation on the initiating terminal's digital identity certificate file to obtain an identity credibility score, analyzing according to the function mutual exclusion constraint rule set the degree of conflict between the requested operation permission set description text and the initiating terminal's historical operation behavior records to obtain a function conflict intensity coefficient, and combining the identity credibility score and the function conflict intensity coefficient into an access risk comprehensive measurement vector; and transmitting the access risk comprehensive measurement vector to a real-time permission synthesizer in the dynamic permission arbitration logic model to obtain a real-time authorization permission set, returning the real-time authorization permission set to the policy enforcement gateway, generating through the policy enforcement gateway a corresponding access permission response message or access rejection response message according to the real-time authorization permission set, and forwarding that response message to the communication session initiating terminal.
- 2. The dynamic access control method for communication information security according to claim 1, wherein performing the certificate chain validity verification operation on the initiating terminal's digital identity certificate file to obtain the identity credibility label specifically comprises: extracting the initiating terminal's digital identity certificate file from the initial request context object, splitting it by certificate chain level, and resolving a root certificate node, an intermediate certificate node and an end-entity certificate node according to the issuing authority relationships; extracting from the end-entity certificate node the certificate subject name field, the certificate issuer name field, the certificate validity start time field, the certificate validity end time field and the certificate signature value field; extracting from the intermediate certificate node the intermediate certificate issuer name field, the intermediate certificate subject public key information field and the intermediate certificate signature value field; extracting from the root certificate node the root certificate issuer name field, the root certificate subject public key information field and the root certificate self-signature value field; accessing a preset root certificate trust anchor store, obtaining from it the trust anchor public key matching the root certificate issuer name field, recovering the root certificate original hash value from the root certificate self-signature value field with the trust anchor public key, and hashing the certificate content body of the root certificate node to obtain the root certificate computed hash value; comparing the root certificate original hash value with the root certificate computed hash value bit by bit and, if they are identical, judging that the root certificate node passes self-signature verification and generating a root certificate valid flag bit; recovering the intermediate certificate original hash value from the intermediate certificate signature value field with the root certificate subject public key, and hashing the certificate content body of the intermediate certificate node to obtain the intermediate certificate computed hash value; comparing the two bit by bit and, if they are identical, judging that the intermediate certificate node passes issuing signature verification and generating an intermediate certificate valid flag bit; recovering the end-entity certificate original hash value from the signature value field of the end-entity certificate node with the intermediate certificate subject public key, and hashing the certificate content body of the end-entity certificate node to obtain the end-entity certificate computed hash value; comparing the two bit by bit and, if they are identical and the current system time lies within the interval formed by the certificate validity start time field and the certificate validity end time field, judging that the end-entity certificate node passes validity verification and generating an end-entity certificate valid flag bit; and generating the identity credibility label from the logical AND of the root certificate valid flag bit, the intermediate certificate valid flag bit and the end-entity certificate valid flag bit, the label taking the value "identity fully credible" if every certificate node obtains a valid flag bit and "identity not credible" if any level lacks one.
- 3. The dynamic access control method for communication information security according to claim 1, wherein analyzing, according to the function mutual exclusion constraint rule set, the degree of conflict between the requested operation permission set description text and the initiating terminal's historical operation behavior records to obtain the function conflict intensity coefficient specifically comprises: retrieving from a preset operation behavior audit database the historical operation behavior record set associated with the initiating terminal's network protocol address, the set comprising a plurality of historical operation log entries, each recording an operation initiation time point, an operation target resource name, an operation permission type code and an operation execution result state; sorting the historical operation behavior record set along the time axis and constructing the initiating terminal's historical operation behavior time sequence in increasing order of operation initiation time point; extracting the most recent operation permission type code from the most recent log entry in that sequence; parsing the current request permission type code list attached to the current request from the requested operation permission set description text; counting the permission type codes that occur in both the current request permission type code list and the most recent operation permission type code, and taking that count as the first conflict calculation factor; obtaining the function mutual exclusion constraint rule set fixed in the basic security policy configuration unit, the rule set comprising a plurality of function mutual exclusion constraint rule entries, each consisting of a mutually exclusive role group identifier and the permission type code blacklist of that group; traversing each rule entry in turn and, for the entry currently traversed, extracting its permission type code blacklist; detecting whether the current request permission type code list simultaneously contains any two or more permission type codes from that blacklist; when it does, judging that the current request violates the current rule entry and generating a rule violation indicator for it; accumulating the rule violation indicators of all rule entries to obtain the rule violation total as the second conflict calculation factor; and performing normalized weighted fusion of the first and second conflict calculation factors by mapping the first conflict calculation factor into a first numerical interval to obtain a first normalized value, mapping the second conflict calculation factor into a second numerical interval to obtain a second normalized value, and computing the weighted sum of the two normalized values to obtain the function conflict intensity coefficient.
- 4. The dynamic access control method for communication information security according to claim 1, wherein transmitting the access risk comprehensive measurement vector to the real-time permission synthesizer in the dynamic permission arbitration logic model to obtain the real-time authorization permission set specifically comprises: loading a pre-established permission adjustment coefficient mapping table from the local storage of the real-time permission synthesizer, the table's row index consisting of the value categories of the identity credibility label, its column index consisting of the interval-dividing thresholds of the function conflict intensity coefficient, and each table cell storing the permission scaling factor value for its row and column; parsing the identity credibility score contained in the access risk comprehensive measurement vector, comparing its value in turn with the preset boundary values of the identity credibility score intervals, and determining the target row index to which it belongs; in parallel, parsing the function conflict intensity coefficient contained in the vector, comparing its value in turn with the preset function conflict intensity interval boundary values, and determining the target column index to which it belongs; locating the target permission scaling factor value in the mapping table by the target row and column indices and extracting its floating point value; extracting the static permission allocation list from the basic security policy configuration unit, the list comprising a plurality of reference permission items, each consisting of a permission type code field and a corresponding reference permission value field preset to a fixed quantized permission openness value; traversing each reference permission item in the static permission allocation list and, for the item currently traversed, obtaining the reference permission quantized value stored in its reference permission value field; multiplying the reference permission quantized value by the target permission scaling factor floating point value to obtain the item's real-time intermediate quantized value; comparing the intermediate quantized value with a preset permission value upper limit threshold and, if it is larger, taking the upper limit threshold as the item's final permission quantized value; comparing the intermediate quantized value with a preset permission value lower limit threshold and, if it is smaller, taking the lower limit threshold as the item's final permission quantized value; when the intermediate quantized value lies within the closed interval formed by the lower and upper limit thresholds, using it directly as the item's final permission quantized value; and collecting the permission type code fields of all reference permission items together with their final permission quantized values, and encapsulating them in pairs to generate the real-time authorization permission set.
- 5. The dynamic access control method for communication information security according to claim 1, wherein the policy enforcement gateway generating a corresponding access permission response message or access rejection response message according to the real-time authorization permission set and forwarding it to the communication session initiating terminal specifically comprises: receiving, through the policy enforcement gateway, the real-time authorization permission set returned by the dynamic permission arbitration logic model, parsing its data structure, and extracting all permission type code fields and their corresponding final permission quantized values; traversing each permission type code field in turn and, for the field currently traversed, obtaining its final permission quantized value; comparing the final permission quantized value with a preset permission activation decision threshold and, if it is greater than or equal to the threshold, judging that the permission item indicated by the current permission type code field is in the activated state and generating a permission activated state mark for it; if it is smaller than the threshold, judging that the permission item is in the suppressed state and generating a permission suppressed state mark for it; collecting all permission type code fields marked as activated into the final permitted permission type code list of the access request, and all fields marked as suppressed into the final refused permission type code list of the access request; counting the entries in the final permitted permission type code list and comparing the count with zero, determining that an access permission response message is to be generated if the count is greater than zero and that an access rejection response message is to be generated if the count equals zero; when an access permission response message is to be generated, constructing an access permission response message template according to the transport layer protocol port number in the original access request message and filling the predefined access success state identifier into the protocol state code field of the template; embedding the final permitted permission type code list in the extension option field of the template, converting that list into a byte stream data block according to the encoding rules corresponding to the transport layer protocol port number, and filling the byte stream data block into the payload area of the template; when an access rejection response message is to be generated, constructing an access rejection response message template according to the transport layer protocol port number in the original access request message and filling the predefined access failure state identifier into the protocol state code field of the template; embedding the final refused permission type code list in the extension option field of the template, converting that list into a byte stream data block according to the encoding rules corresponding to the transport layer protocol port number, and filling the byte stream data block into the payload area of the template; and forwarding the generated access permission response message or access rejection response message to the communication session initiating terminal through the communication network access layer to complete the current dynamic access control operation flow.
- 6. The dynamic access control method for communication information security according to claim 1, wherein, after the dynamic permission arbitration logic model performs the certificate chain validity verification operation on the initiating terminal's digital identity certificate file to obtain the identity credibility label, the method further comprises: extracting the Authority Information Access extension field from the certificate extension area of the end-entity certificate node of the initiating terminal's digital identity certificate file, the field carrying an Online Certificate Status Protocol (OCSP) uniform resource locator; constructing an OCSP request data unit according to that uniform resource locator and embedding the certificate serial number field and the certificate issuer name field of the end-entity certificate node in it; sending the OCSP request data unit to the OCSP responder indicated by the Authority Information Access field and receiving the OCSP response data unit it returns; parsing the certificate status information body in the OCSP response data unit and extracting the certificate revocation status identifier bit and the certificate revocation time point field from it; comparing the certificate revocation status identifier bit with a preset certificate valid status identifier and, if they match, generating an online status verification passed mark; comparing the certificate revocation status identifier bit with a preset certificate revoked status identifier and, if they match, generating an online status verification failed mark; analyzing the time order of the certificate revocation time point field, the certificate validity start time field and the certificate validity end time field, and judging that the end-entity certificate node was revoked before the end of its validity period if the revocation time point lies after the validity start time and before the validity end time; and correcting the identity credibility score according to the online status verification passed mark or failed mark, setting the identity credibility score to a preset untrusted score threshold if the failed mark was obtained, and repackaging the corrected identity credibility score into the access risk comprehensive measurement vector in place of the original score.
- 7. The dynamic access control method for communication information security according to claim 1, wherein, after analyzing according to the function mutual exclusion constraint rule set the degree of conflict between the requested operation permission set description text and the initiating terminal's historical operation behavior records to obtain the function conflict intensity coefficient, the method further comprises: extracting from the initiating terminal's historical operation behavior record set the historical operation log entries associated with the operation target resource name, these entries comprising a plurality of historical access records for the same operation target resource name; re-sorting those entries in order of operation initiation time point to generate the target resource operation time sequence track for that operation target resource name; extracting from the track the time interval between each pair of consecutive historical access records and comparing it with a preset frequent access time threshold; if the interval is smaller than the frequent access time threshold, judging that the initiating terminal exhibits frequent access behavior toward the operation target resource name and generating a frequent access marker; counting the number of intervals between adjacent historical access records in the track that are smaller than the frequent access time threshold to obtain a frequent access count; comparing the frequent access count with a preset abnormal access frequency threshold and, if it is larger, generating an abnormal access frequency warning mark; computing an abnormal access frequency score from the comparison of the frequent access count with the abnormal access frequency threshold, and performing weighted fusion of that score with the function conflict intensity coefficient to correct the coefficient, the fusion weight being determined dynamically from the identity credibility score; and repackaging the corrected function conflict intensity coefficient into the access risk comprehensive measurement vector.
- 8. The dynamic access control method for communication information security according to claim 1, wherein, before the real-time permission synthesizer performs dynamic offset correction on the preset reference permission items in the static permission allocation list by calling the pre-established permission adjustment coefficient mapping table, the method further comprises: extracting from the basic security policy configuration unit the mutually exclusive role group identifiers associated with the function mutual exclusion constraint rule set, each identifier corresponding to one mutually exclusive permission type code blacklist; parsing the role attribute field in the initiating terminal's digital identity certificate file and extracting the initiating terminal's current role group identifier list from it; intersecting the current role group identifier list with the mutually exclusive role group identifiers and detecting whether the current list simultaneously contains two or more role group identifiers belonging to the same mutually exclusive role group; when it does, determining that the initiating terminal's role assignment violates a role mutual exclusion constraint rule and generating a role assignment conflict mark; inputting the role assignment conflict mark into the real-time permission synthesizer and triggering it to call a preset conflicting permission zeroing handler; the conflicting permission zeroing handler traversing each reference permission item in the static permission allocation list and forcing to zero the reference permission value field of every permission type code field associated with the mutually exclusive role group identifier; and using the zeroed static permission allocation list as the input of the real-time permission synthesizer in place of the original list for the dynamic offset correction processing.
- 9. The dynamic access control method for communication information security according to claim 1, wherein, after the policy enforcement gateway generates a corresponding access permission response message or access rejection response message according to the real-time authorization permission set and forwards it to the communication session initiating terminal, the method further comprises: capturing, by the policy enforcement gateway, a subsequent service operation request data packet initiated by the communication session initiating terminal after it obtained an access permission response message, the packet encapsulating an operation instruction type field and an operation parameter content field; extracting the operation instruction type field from the packet and matching it against the permission type code fields in the real-time authorization permission set; if the operation instruction type field is present among those permission type code fields, obtaining the final permission quantized value corresponding to it; comparing the final permission quantized value with the operation resource scale quantized value indicated by the operation parameter content field and, if the final permission quantized value is smaller, judging that the current service operation exceeds the authorized permission range; when it does, generating an operation blocking instruction by the policy enforcement gateway and embedding it in the response message for the subsequent service operation request data packet; returning the response message carrying the operation blocking instruction to the communication session initiating terminal and interrupting its current service operation execution flow; and writing an event record of the operation exceeding the authorized permission range into the preset operation behavior audit database, generating a security audit log entry comprising the initiating terminal's network protocol address, the operation instruction type field, the operation resource scale quantized value and the quantized permission excess difference.
- 10. A dynamic access control system for communication information security, comprising a processor and a computer readable storage medium storing machine executable instructions that when executed by the processor implement the communication information security oriented dynamic access control method of any of claims 1-9.
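The enforcement step of claim 9, as an added example that is not from the patent or its applicant: a gateway-side check that matches the operation instruction type against the real-time authorization authority set, compares the quantized values, and emits the blocking instruction and the audit log entry. Field names, the sample authority set and the handling of an instruction type that is absent from the set are assumptions.

```python
"""Added example modelled on claim 9; names and sample values are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Authority:
    type_code: str              # authority type coding field
    final_quantized_value: int  # final authority quantization value


@dataclass
class OperationRequest:
    source_ip: str              # initiating terminal network protocol address
    instruction_type: str       # operation instruction type field
    resource_scale: int         # quantized from the operation parameter content field


@dataclass
class Decision:
    allowed: bool
    block_instruction: Optional[str] = None  # embedded in the response message when blocked
    audit_entry: Optional[Dict] = None


def check_operation(authz_set: List[Authority], request: OperationRequest,
                    audit_db: List[Dict]) -> Decision:
    """Return an allow decision, or a block decision after appending the audit entry."""
    by_type = {a.type_code: a for a in authz_set}
    authority = by_type.get(request.instruction_type)
    # Assumption: an instruction type missing from the set grants nothing
    # (claim 9 only details the case where the type is present).
    granted = authority.final_quantized_value if authority else 0
    if granted >= request.resource_scale:
        return Decision(allowed=True)
    entry = {  # security audit log entry fields listed in claim 9
        "source_ip": request.source_ip,
        "instruction_type": request.instruction_type,
        "resource_scale": request.resource_scale,
        "exceed_delta": request.resource_scale - granted,
    }
    audit_db.append(entry)
    return Decision(allowed=False, block_instruction="BLOCK_OPERATION", audit_entry=entry)


if __name__ == "__main__":
    # Constructed sample data: one authority set, one audit store, three requests.
    authz = [Authority("READ_RECORD", 100), Authority("EXPORT_DATA", 10)]
    audit: List[Dict] = []
    for req in (OperationRequest("10.0.0.5", "READ_RECORD", 50),
                OperationRequest("10.0.0.5", "EXPORT_DATA", 25),
                OperationRequest("10.0.0.5", "DELETE_ALL", 1)):
        print(req.instruction_type, check_operation(authz, req, audit))
```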
Description
Dynamic access control method and system for communication information security
Technical Field
The application relates to the technical field of communication information security, in particular to a dynamic access control method and a dynamic access control system for communication information security.
Background
In the field of communication information, with the rapid development and wide application of network technology, information interaction in communication networks is increasingly frequent and complex. Data transfer between the initiating and receiving ends of a communication session involves a large amount of critical information such as network protocol addresses and application layer service resources. To ensure the security of communication information, access control becomes an important link. Most existing access control methods adopt a static permission allocation mechanism, that is, fixed access permissions are preset for different users or devices. The limitation of this approach is that it cannot dynamically adjust permissions according to the real-time communication environment and user behavior. For example, in a complex network environment, a user's operation behavior may change with changing service requirements, but static permission allocation cannot respond to these changes in time, so a legitimate user may be unable to complete necessary operations for lack of permissions, or an unauthorized user may exploit fixed permissions for illegitimate access. Moreover, when existing methods process complex constraint rules such as function mutual exclusion, an effective dynamic analysis and conflict detection mechanism is lacking, and the security of communication information is difficult to guarantee comprehensively.
Disclosure of Invention
In view of the above, the present application aims to provide a dynamic access control method and system for communication information security.
According to a first aspect of the present application, there is provided a dynamic access control method for communication information security, the method comprising: deploying a policy execution gateway at the communication network access layer, and capturing in real time, through the policy execution gateway, an original access request message transmitted from a communication session initiating terminal to a communication session receiving terminal, wherein an initiating terminal network protocol address, a transport layer protocol port number, the uniform resource name of the application layer service requested for access and an initiating terminal digital identity certificate file are encapsulated in the original access request message; performing message parsing on the original access request message, stripping the medium access control layer header and the internet protocol layer header, extracting the transport layer payload data segment, parsing from it the temporary session identification string submitted by the initiating terminal, the encryption suite negotiation list and the description text of the operation authority set requested to be granted, and converging the temporary session identification string, the encryption suite negotiation list and the operation authority set description text into an initial request context object; querying a preset security policy center database according to the uniform resource name of the application layer service requested for access and the transport layer protocol port number, and matching from the security policy center database the basic security policy configuration unit corresponding to the current access request, wherein a static permission allocation list and a function mutual exclusion constraint rule set are solidified in the basic security policy configuration unit; inputting the initial request context object and the basic security policy configuration unit simultaneously into a dynamic authority arbitration logic model, performing certificate chain validity verification on the initiating terminal digital identity certificate file to obtain an identity reliability score, analyzing, according to the function mutual exclusion constraint rule set, the degree of conflict between the requested operation authority set description text and the initiating terminal's historical operation behavior record to obtain a function conflict intensity coefficient, and combining the identity reliability score and the function conflict intensity coefficient into an access risk comprehensive measurement vector; transmitting the access risk comprehensive measurement vector to a real-time authority synthesizer in the dynamic authority arbitration logic model to obtain a real-time authorization authority set, transmitting the real-time authorization authority set back to the policy execution gateway, and generating a corresponding access permission response message or access rejection response message according to the real-t