CN-122027197-A - Dynamic access control method, system, equipment and storage medium oriented to zero trust architecture

CN122027197A

Abstract

The invention relates to the technical field of information security and network communication, in particular to a dynamic access control method, system, equipment and storage medium for a zero trust architecture. The method comprises the steps of constructing a trust evaluation matrix that integrates user behavior characteristics, terminal equipment states and network environment parameters to generate a comprehensive trust score, and judging whether that score meets the lowest trust threshold of the requested resource in order to decide the access request. The invention improves decision accuracy and response speed through an intelligent dynamic authorization mechanism, optimizes the system architecture, reduces calculation expenditure, enhances instantaneity and expansibility, and is suitable for efficient security management in a multi-resource-pool scenario.

Inventors

  • WU WEI
  • CHENG BO
  • GUO SIYUAN
  • YANG ZHOULI
  • XIE FEI
  • LIU ZHE
  • WANG HEXU
  • LIU JING
  • SHI ZHANHUA
  • MA JIAXING

Assignees

  • 西京学院

Dates

Publication Date
2026-05-12
Application Date
2025-12-25

Claims (10)

  1. A dynamic access control method oriented to a zero trust architecture, characterized by comprising the following steps: constructing a trust evaluation matrix, wherein the trust evaluation matrix is used for integrating user behavior characteristic data, terminal equipment state data and network environment parameter data and generating a comprehensive trust score; creating a dynamic authorization rule base, wherein the dynamic authorization rule base is used for generating a dynamic authorization strategy according to the comprehensive trust score and the resource sensitivity; and judging whether the comprehensive trust score meets the lowest trust threshold of the current resource: if so, allowing the access request and recording an access log, and if not, rejecting the access request and triggering a security alarm mechanism.
  2. The zero-trust-architecture-oriented dynamic access control method of claim 1, wherein constructing the trust evaluation matrix comprises: collecting user behavior characteristic data, comprising login frequency, operation habits and historical access records; acquiring terminal equipment state data, comprising equipment health state, operating system version and security patch update status; collecting network environment parameter data, comprising network delay, bandwidth utilization rate and connection stability; and inputting the user behavior characteristic data, the terminal equipment state data and the network environment parameter data into a preset trust evaluation algorithm to generate the comprehensive trust score.
  3. The zero-trust-architecture-oriented dynamic access control method of claim 1, further comprising, before creating the dynamic authorization rule base: selecting at least one resource from a resource pool as a high-sensitivity resource and at least one resource as a low-sensitivity resource, classifying and marking the remaining resources as common resources, and isolating the access rights of the resources independently; the lowest trust threshold of a high-sensitivity resource is set higher than the lowest trust threshold of a low-sensitivity resource.
  4. The zero-trust-architecture-oriented dynamic access control method of claim 1, further comprising: storing a dynamic authorization strategy index and a resource sensitivity index in the dynamic authorization rule base, wherein the application range of each dynamic authorization strategy is recorded in the dynamic authorization strategy index and the sensitivity level of each resource is recorded in the resource sensitivity index.
  5. The zero-trust-architecture-oriented dynamic access control method of claim 1, further comprising: receiving an access request from a client; and judging whether the target resource has an access restriction: if so, generating an access token according to the dynamic authorization strategy in the dynamic authorization rule base, and if not, directly allowing the access request and recording an access log.
  6. The zero-trust-architecture-oriented dynamic access control method of claim 1, wherein generating an access token according to the dynamic authorization strategy in the dynamic authorization rule base comprises: querying whether the target resource exists in the dynamic authorization strategy index and the resource sensitivity index and whether it is marked as limited; generating an access token if the target resource exists in both indexes and is not marked as limited; and if the target resource is absent from either index or is marked as limited, rejecting the access request and triggering a security alarm mechanism.
  7. The zero-trust-architecture-oriented dynamic access control method of claim 1, further comprising: if the target resource is marked as limited in the dynamic authorization strategy index and the resource sensitivity index, sending an approval request to an administrator; after the administrator approves, generating a temporary access token and recording an approval log; and after the administrator rejects, triggering a security alarm mechanism and recording a reject log.
  8. A dynamic access control system oriented to a zero trust architecture, characterized in that the system is used for the dynamic access control method oriented to a zero trust architecture according to any one of claims 1 to 7, and the system comprises a local resource pool and other resource pools connected by a wide area network; the other resource pools are used for sending their dynamic authorization strategy indexes and resource sensitivity indexes to the local resource pool; and the local resource pool comprises: a resource dividing module, used for selecting at least one resource from all resources in the local resource pool as a high-sensitivity resource and at least one resource as a low-sensitivity resource, classifying and marking the remaining resources as common resources, and separating the storage of the common resources, high-sensitivity resources and low-sensitivity resources of each resource pool, wherein the dynamic authorization rule base maintains a dynamic authorization strategy index and a resource sensitivity index; a trust evaluation matrix construction module, used for constructing a trust evaluation matrix that integrates user behavior characteristic data, terminal equipment state data and network environment parameter data and generates a comprehensive trust score; the dynamic authorization rule base, used for generating a dynamic authorization strategy according to the comprehensive trust score and the resource sensitivity; a trust score judging module, used for judging whether the comprehensive trust score meets the lowest trust threshold of the current resource, allowing the access request and recording an access log if so, and rejecting the access request and triggering a security alarm mechanism if not; an access request receiving module, used for receiving the access request of the client; and a resource access module, used for judging whether the target resource has an access restriction, generating an access token according to the dynamic authorization strategy in the dynamic authorization rule base if so, and directly allowing the access request and recording an access log if not.
  9. A zero-trust-architecture-oriented dynamic access control device, comprising: a memory for storing a computer program; and a processor for implementing the steps of the zero-trust-architecture-oriented dynamic access control method according to any one of claims 1 to 7 when executing said computer program.
  10. A computer readable storage medium, characterized in that it has stored thereon a computer program which, when executed by a processor, implements the steps of the zero-trust-architecture-oriented dynamic access control method according to any one of claims 1 to 7.
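The decision procedure of claims 1 and 5 to 7 written out as a runnable Python example. This is added for illustration and is not code from the patent; the category weights, the per-class thresholds, the feature names and the index layouts are assumptions.

```python
import secrets
from dataclasses import dataclass, field

# Lowest trust threshold per sensitivity class. Claim 3 only requires that the
# high-sensitivity threshold exceed the low-sensitivity one; values are assumed.
MIN_TRUST = {"high": 0.8, "common": 0.6, "low": 0.4}
# Weight of each row (category) of the trust evaluation matrix; assumed weights.
WEIGHTS = {"user": 0.4, "device": 0.35, "network": 0.25}


def trust_score(matrix):
    """Fold the trust evaluation matrix into one comprehensive score in [0, 1]
    (claims 1-2): matrix maps "user"/"device"/"network" to features already
    normalised to [0, 1]; each row is averaged, then rows are weighted."""
    return sum(WEIGHTS[cat] * sum(feats.values()) / len(feats)
               for cat, feats in matrix.items())


@dataclass
class Decision:
    allowed: bool = False
    alarm: bool = False          # security alarm mechanism triggered
    token: str = ""              # access token or temporary access token
    log: list = field(default_factory=list)


def authorize(resource, matrix, sensitivity_index, policy_index, approver=None):
    """Decide one access request (claims 1, 5, 6 and 7).
    sensitivity_index: resource -> "high" | "common" | "low"
    policy_index: resource -> {"restricted": bool, "limited": bool}
    approver: optional callable(resource) -> bool standing in for the administrator."""
    d, score = Decision(), trust_score(matrix)
    sens = sensitivity_index.get(resource)
    policy = policy_index.get(resource)
    if sens is None or policy is None:                 # absent from an index (claim 6)
        d.alarm, d.log = True, [("reject", resource, "not in index")]
    elif score < MIN_TRUST[sens]:                      # below lowest threshold (claim 1)
        d.alarm, d.log = True, [("reject", resource, f"score {score:.3f} < {MIN_TRUST[sens]}")]
    elif not policy.get("restricted"):                 # no access restriction (claim 5)
        d.allowed, d.log = True, [("allow", resource, f"score {score:.3f}")]
    elif not policy.get("limited"):                    # restricted but not limited (claim 6)
        d.allowed, d.token = True, secrets.token_hex(16)
        d.log = [("allow", resource, "access token issued")]
    elif approver is not None and approver(resource):  # limited, administrator approved (claim 7)
        d.allowed, d.token = True, "tmp-" + secrets.token_hex(8)
        d.log = [("approve", resource, "temporary access token issued")]
    else:                                              # limited, administrator rejected (claim 7)
        d.alarm, d.log = True, [("reject", resource, "administrator rejected")]
    return d
```

Every branch returns a Decision carrying the log entry the claims require, so the caller can forward `log` to the access log and `alarm` to the alarm mechanism without inspecting the branch taken.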

Description

Technical Field

The present invention relates to the field of information security and network communication technologies, and in particular to a dynamic access control method, system, device and storage medium for a zero trust architecture.

Background

With the wide application of the zero trust architecture in the network security field, dynamic access control methods have become a research hotspot. The zero trust architecture follows the principle of 'never trust, always verify' and requires real-time trust evaluation and dynamic authorization for every access request in order to cope with complex and changing network threats. However, existing dynamic access control methods still have defects in their implementation; in particular, there is room for improvement in the comprehensiveness of trust evaluation, the flexibility of dynamic authorization and the efficiency of system integration.

A prior-art search found a dynamic access control management method and system based on a zero trust architecture, in which an identity chain is generated, encrypted, signed and authenticated in order to strengthen the detection of the authentication result set and resist sample attacks, and the access authority is finally adjusted dynamically according to the identity credibility of the user. That solution mainly relies on constructing and authenticating the identity chain and does not fully consider the influence of external environmental factors (such as network state and equipment security) on trust evaluation, so the overall evaluation result may be insufficient. Furthermore, its dynamic authorization mechanism is based solely on user identity trustworthiness, lacks comprehensive consideration of resource sensitivity and access context, and may therefore affect the accuracy and flexibility of authorization decisions.

A trust evaluation method with privacy protection in a zero trust architecture is also disclosed under publication number CN114760118B. That patent generates a trust value by extracting equipment and user information of the access subject, protects privacy with public key encryption and random number calculation, and completes the trust value evaluation in combination with level server rules. However, its trust evaluation process depends excessively on fixed rules and scoring mechanisms and fails to adapt fully to dynamically changing network environments and novel threat scenarios, so the evaluation result may lag or be misaligned. In addition, although the privacy protection mechanism effectively prevents data leakage, its calculation cost is high in high-concurrency scenarios, which can affect the instantaneity and expansibility of the system.

These problems show that existing zero trust dynamic access control methods still have defects in the comprehensiveness of trust evaluation, the flexibility of dynamic authorization and the optimization of system performance.

The invention provides a dynamic access control method, system, equipment and storage medium for a zero trust architecture that aim to optimize the trust evaluation model by comprehensively considering multidimensional factors such as users, terminal equipment and network environment, introduce an intelligent dynamic authorization mechanism, improve the accuracy and response speed of authorization decisions, reduce the calculation cost, and improve the real-time performance and expansibility of the system through an efficient system architecture design, thereby meeting the demand of the modern network security field for efficient and intelligent dynamic access control.

Disclosure of Invention

The invention aims to provide a dynamic access control method, system, equipment and storage medium for a zero trust architecture, which optimize the trust evaluation model by comprehensively considering multidimensional factors such as user behavior characteristics, terminal equipment states and network environment parameters, introduce an intelligent dynamic authorization mechanism, improve the accuracy and response speed of authorization decisions, reduce the calculation cost and improve the instantaneity and expansibility of the system through an efficient system architecture design. In order to solve the technical problems, the invention provides a dynamic access control method oriented to a zero trust architecture, which comprises the following steps: constructing a trust evaluation matrix, wherein the trust evaluation matrix is used for integrating user behavior characteristics, terminal equipment st