CN-122027207-A - Dynamic access control method and system for computer network
Abstract
The application provides a dynamic access control method and system for a computer network, relating to the technical field of computer networks. The method comprises the steps of obtaining a dynamic authority probability vector of an access subject under the current context; and executing the actual execution effect, returning to the access subject response information simulating that the current request operation was executed successfully, and recording a real execution log of the actual execution effect. The application solves the technical problem that, because traditional access control decisions are binary, the prior art has difficulty adapting to changeable access requests and complex operating environments, which in turn affects the security of the computer network; by dynamically adjusting permissions it reduces the risks of unauthorized access and permission abuse and improves the security of the computer network.
Inventors
- LIU FUGUO
- YANG LIYUAN
- ZHANG CHENGYU
Assignees
- 北京兰君科技有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20251230
Claims (10)
- 1. A dynamic access control method for a computer network, comprising: in response to an operation request initiated by an access subject for an access object in a computer network, acquiring a dynamic authority probability vector of the access subject under the current context, wherein the dynamic authority probability vector characterizes the probability distribution of the various operations performed by the access subject on the computer network; selecting an actual execution effect from a plurality of predefined candidate execution effects corresponding to the current request operation type, based on the target probability value corresponding to the current request operation in the dynamic authority probability vector and according to a weight distribution associated with that target probability value; and executing the actual execution effect, returning to the access subject response information simulating that the current request operation was executed successfully, and recording a real execution log of the actual execution effect.
- 2. The dynamic access control method for a computer network according to claim 1, further comprising, after executing the actual execution effect: acquiring a continuous sequence of operation requests of the access subject and calculating a behavior information entropy sequence; analyzing the change in behavior information entropy based on the behavior information entropy sequence and detecting whether probing behavior exists; and, when probing behavior is detected, triggering an active countermeasure policy.
- 3. The dynamic access control method for a computer network according to claim 2, wherein detecting whether probing behavior exists by analyzing the change in behavior information entropy based on the behavior information entropy sequence comprises: constructing, from the behavior information entropy sequence, a time series of the change in the behavior information entropy value over time, analyzing the time series in real time with a cumulative sum (CUSUM) control chart algorithm, and judging that probing behavior is detected when the cumulative sum statistic exceeds a preset threshold value.
- 4. The dynamic access control method for a computer network according to claim 2, wherein triggering the active countermeasure policy includes either a probability vector perturbation trigger mode or an effect set pollution trigger mode; the probability vector perturbation trigger mode applies to the dynamic authority probability vector of the access subject a preset dynamic noise function that perturbs the vector toward 0.5; the effect set pollution trigger mode temporarily increases the weight of a deceptive or non-substantive effect option among the plurality of candidate execution effects.
- 5. The dynamic access control method for a computer network according to claim 1, wherein obtaining the dynamic authority probability vector of the access subject in the current context, in response to the operation request initiated by the access subject for the access object in the computer network, comprises: allocating to the access subject a reference operation probability for the access object based on a preset static access control policy; performing a first adjustment of the reference operation probability based on context information acquired in real time, to obtain a context awareness probability; and performing a second adjustment of the context awareness probability based on the degree of deviation between the historical behavior sequence of the access subject and a preset normal behavior baseline, to generate the dynamic authority probability vector.
- 6. The dynamic access control method for a computer network according to claim 5, wherein the first adjustment of the reference operation probability based on the context information acquired in real time, to obtain the context awareness probability, comprises: extracting real-time context information of at least two dimensions, standardizing the context information of each dimension and mapping it to a standardization factor within a predefined numerical interval, wherein the standardization factor represents the degree of negative or positive influence of the context of the corresponding dimension on the operation request; weighting and summing the standardization factors to obtain an aggregate offset; inputting the aggregate offset into a predefined nonlinear adjustment function and calculating a probability adjustment quantity for the first adjustment of the reference operation probability; and adding the reference operation probability and the probability adjustment quantity, and limiting the result to between a preset probability lower limit and a preset probability upper limit, to obtain the context awareness probability.
- 7. The dynamic access control method for a computer network according to claim 5, wherein the plurality of candidate execution effects includes a first effect, a second effect, a third effect, and a fourth effect; the first effect is to execute the current request operation completely, the second effect is to execute a functional subset or limited version of the current request operation, the third effect is to redirect the current request operation to an isolated environment for execution, and the fourth effect is to record only an audit log, without executing any substantive operation, and return a successful response.
- 8. The dynamic access control method for a computer network according to claim 7, wherein selecting an actual execution effect from the plurality of predefined candidate execution effects corresponding to the current request operation type, based on the target probability value corresponding to the current request operation in the dynamic authority probability vector and according to the weight distribution associated with that target probability value, comprises: constructing a weight model related to the target probability value and assigning a weight to each candidate execution effect; in the weight model, the weight of the first effect is positively correlated with the target probability value, and the weights of the second, third and fourth effects are positively correlated with 1 minus the target probability value.
- 9. The dynamic access control method for a computer network according to claim 1, wherein, when the current request operation is a write-type request, after the actual execution effect has been executed a state reconciliation process is run at a preset period, the state reconciliation process comprising: cleaning up, repairing, or finally committing the intermediate state produced by executing a non-first effect, according to a preset eventual consistency rule.
- 10. A dynamic access control system for a computer network, for implementing the dynamic access control method for a computer network according to any one of claims 1 to 9, the dynamic access control system comprising: a dynamic authority probability vector acquisition module, an actual execution effect selecting module, and an operation execution module, wherein the dynamic authority probability vector acquisition module is configured to respond to an operation request initiated by an access subject for an access object in the computer network and acquire a dynamic authority probability vector of the access subject under the current context, the dynamic authority probability vector representing the probability distribution of the various operations performed by the access subject on the computer network; the actual execution effect selecting module is configured to select an actual execution effect from a plurality of predefined candidate execution effects corresponding to the current request operation type, based on the target probability value corresponding to the current request operation in the dynamic authority probability vector and according to a weight distribution associated with that target probability value; and the operation execution module is configured to execute the actual execution effect, return to the access subject response information simulating that the current request operation was executed successfully, and record a real execution log of the actual execution effect.
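An added worked example in Python (not code from the patent) implementing the two probability adjustments of claims 5 and 6, the weight model and effect selection of claims 7 and 8, and the entropy-based probing detection of claims 2 and 3. The tanh adjustment function, the linear deviation penalty, the 0.5/0.3/0.2 split of the non-first effects, the clamp limits, the one-sided CUSUM form and the sample request windows are all assumptions.

```python
import math
import random
from collections import Counter

# Candidate execution effects of claim 7; "full" is the first effect.
EFFECTS = ("full", "limited", "sandbox", "audit_only")

def context_probability(p_ref, factors, weights, lo=0.05, hi=0.95):
    """First adjustment (claim 6): weighted sum of standardization factors in
    [-1, 1] gives an aggregate offset; tanh is the assumed nonlinear function."""
    offset = sum(w * f for w, f in zip(weights, factors))
    return min(hi, max(lo, p_ref + 0.5 * math.tanh(offset)))

def dynamic_probability(p_ctx, deviation, k=0.4, lo=0.05, hi=0.95):
    """Second adjustment (claim 5): deviation in [0, 1] from the normal-behaviour
    baseline lowers the probability; the linear penalty k is assumed."""
    return min(hi, max(lo, p_ctx - k * deviation))

def effect_weights(p):
    """Weight model (claim 8): the first effect scales with p, the other three
    with 1 - p; the 0.5/0.3/0.2 split among them is assumed."""
    q = 1.0 - p
    return {"full": p, "limited": 0.5 * q, "sandbox": 0.3 * q, "audit_only": 0.2 * q}

def select_effect(p, rng=random):
    """Draw the actual execution effect from the weight distribution (claim 1)."""
    w = effect_weights(p)
    return rng.choices(list(w), weights=list(w.values()), k=1)[0]

def behavior_entropy(ops):
    """Shannon entropy (bits) of the operation types in one request window."""
    n = len(ops)
    return -sum(c / n * math.log2(c / n) for c in Counter(ops).values())

def cusum_probe_index(entropies, target, slack, threshold):
    """One-sided CUSUM over the entropy series (claim 3): index at which the
    cumulative sum statistic first exceeds the threshold, or None if never."""
    s = 0.0
    for i, h in enumerate(entropies):
        s = max(0.0, s + (h - target) - slack)
        if s > threshold:
            return i
    return None

# Constructed sample: a subject whose operations spread over more and more
# types, which drives the window entropy up and trips the CUSUM at window 3.
WINDOWS = [["read"] * 8, ["read"] * 7 + ["list"],
           ["read", "list", "write", "exec"] * 2,
           ["read", "list", "write", "exec", "stat", "chmod", "delete", "copy"]]
ENTROPIES = [behavior_entropy(w) for w in WINDOWS]
```

Whatever effect is drawn, the caller still returns a success response and writes the real effect only to the log, which is the point of claim 1.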
Description
Dynamic access control method and system for computer network
Technical Field
The present application relates to the field of computer network technology, and in particular to a dynamic access control method and system for a computer network.
Background
With the continued development of computer network applications, conventional access control mechanisms face increasing challenges. Prior-art access control methods typically rely on static permission models, especially role-based and rule-based access control, and usually employ a binary decision mechanism: access is either allowed or denied. When facing complex and changeable access requests, this binary decision mode is rigid and has difficulty adapting to the security requirements of different situations: direct rejection cuts off potential attack clues, while permitting the access bears the real risk, so covert in-depth monitoring and evidence collection are hard to carry out while service continuity is maintained. When an existing dynamic access control system identifies a high-risk access request, its direct blocking or alarm response immediately exposes the defensive posture, so the attacker adjusts strategy and hides its tracks; network security risk increases, response efficiency and flexibility decrease, and user experience suffers. In summary, in the prior art the binary access control decision makes it difficult to adapt to variable access requests and complex operating environments, which further affects the security of the computer network.
Disclosure of Invention
The application aims to provide a dynamic access control method and a dynamic access control system for a computer network, to solve the technical problem that in the prior art the traditional access control decision is binary, so that the prior art has difficulty adapting to changeable access requests and complex operating environments, which further affects the security of the computer network. To achieve the above object, the present application provides a dynamic access control method and system for a computer network. The dynamic access control method for a computer network is implemented by a dynamic access control system for the computer network and comprises the steps of: in response to an operation request initiated by an access subject for an access object in the computer network, obtaining a dynamic authority probability vector of the access subject under the current context, wherein the dynamic authority probability vector characterizes the probability distribution of the various operations executed by the access subject on the computer network; selecting an actual execution effect from a plurality of predefined candidate execution effects corresponding to the current request operation type, based on the target probability value corresponding to the current request operation in the dynamic authority probability vector and according to a weight distribution associated with that target probability value; and executing the actual execution effect, returning to the access subject response information simulating successful execution of the current request operation, and recording a real execution log of the actual execution effect.
Optionally, a reference operation probability for the access object is allocated to the access subject based on a preset static access control policy; the reference operation probability is adjusted a first time based on context information acquired in real time to obtain a context awareness probability; and the context awareness probability is adjusted a second time based on the degree of deviation between the historical behavior sequence of the access subject and a preset normal behavior baseline to generate the dynamic authority probability vector. Optionally, real-time context information of at least two dimensions is extracted, the context information of each dimension is standardized and mapped to a standardization factor within a predefined numerical interval, wherein the standardization factor represents the degree of negative or positive influence of the context of the corresponding dimension on the operation request; the standardization factors are weighted and summed to obtain an aggregate offset; the aggregate offset is input into a predefined nonlinear adjustment function to calculate a probability adjustment quantity for the first adjustment of the reference operation probability; and the reference operation probability and the probability adjustment quantity are added, with the result limited to between a preset probability lower limit and a preset probability upper limit, to obtain the context awareness probability. Optionally, the plurality of candidate execution effec