
CN-122027286-A - Self-adaptive context-aware access control method and system based on zero trust architecture

CN122027286A

Abstract

The invention discloses a self-adaptive context-aware access control method and system based on a zero trust architecture. The method comprises: constructing a standardized access request object; performing identity authentication and trust evaluation to generate a trust evaluation result; building a context information set and forming a context data object; matching preset access control policies and screening candidate policies on the basis of the access request object, the trust evaluation result and the context data object; sorting and selecting the candidate policies with a multi-level priority arbitration mechanism to generate an authorization decision result; executing the corresponding control operation on the access request according to that result; and continuously acquiring the access behavior state and adjusting the authorization state accordingly. By introducing a continuous identity authentication mechanism, a multidimensional context sensing mechanism and a policy decision mechanism capable of priority arbitration, the invention restructures the whole access authorization decision flow and achieves fine-grained control over dynamic access behavior.

Inventors

  • LIU LIANG
  • Gong Ruojia

Assignees

  • Shandong Normal University (山东师范大学)

Dates

Publication Date
2026-05-12
Application Date
2026-02-12

Claims (10)

  1. A self-adaptive context-aware access control method based on a zero trust architecture, characterized by comprising the following steps: obtaining an access request sent by an access subject, parsing the access request, and constructing a standardized access request object; performing identity authentication and trust evaluation on the access subject, and generating a trust evaluation result representing the credibility of the access; acquiring environment information parameters related to the access request, constructing a context information set for the access request from those parameters, and forming a context data object representing the characteristics of the access scene; based on the access request object, the trust evaluation result and the context data object, matching preset access control policies, screening out candidate policies, and sorting and selecting the candidate policies with a multi-level priority arbitration mechanism combined with auxiliary factors to generate a unique authorization decision result, so as to obtain the authorization state of the access request; and continuously acquiring the access behavior state, and dynamically adjusting the authorization state of the access request based on the access behavior state.
  2. The self-adaptive context-aware access control method based on a zero trust architecture of claim 1, wherein the access request is parsed to extract a subject identifier, a target resource identifier and an operation type, and a unique identifier is generated for the access request to identify its processing chain.
  3. The self-adaptive context-aware access control method based on a zero trust architecture of claim 1, wherein the identity authentication uses a multi-factor authentication scheme including one or more of username and password authentication, one-time (dynamic) password authentication, biometric authentication and device fingerprint authentication.
  4. The self-adaptive context-aware access control method based on a zero trust architecture of claim 1, wherein the environment information parameters related to the access request include terminal device information, network connection status, access time characteristics, geographic location information and user behavior characteristics.
  5. The self-adaptive context-aware access control method based on a zero trust architecture of claim 1, wherein each preset access control policy comprises an access subject attribute, a resource object attribute, a context environment condition, an authorization action and a priority identifier; the multi-level priority arbitration mechanism comprises one or more of static priority, conditional priority, override priority, risk-aware priority and time-window priority; and when the candidate policies are sorted, they are ordered level by level according to a preset priority element rule, the priority element rule prescribing the arbitration order among the different priority types.
  6. The method of claim 5, wherein, when candidate policies remain tied after being ordered by the multi-level priority arbitration mechanism, they are selected in combination with auxiliary factors, the auxiliary factors including policy scope, policy source weight and access operation sensitivity.
  7. A self-adaptive context-aware access control system based on a zero trust architecture, comprising: a user request management module configured to obtain an access request sent by an access subject, parse the access request and construct a standardized access request object; an identity authentication and trust management module configured to perform identity authentication and trust evaluation on the access subject and generate a trust evaluation result representing the credibility of the access; a context sensing module configured to acquire environment information parameters related to the access request, construct a context information set for the access request from those parameters and form a context data object representing the characteristics of the access scene; a policy decision module configured to match preset access control policies and screen out candidate policies based on the access request object, the trust evaluation result and the context data object, and to sort and select the candidate policies with a multi-level priority arbitration mechanism combined with auxiliary factors so as to generate a unique authorization decision result and obtain the authorization state of the access request; and an access control execution and feedback module configured to execute the corresponding control operation on the access request based on the authorization decision result, continuously acquire the access behavior state and dynamically adjust the authorization state of the access request based on the access behavior state.
  8. An electronic device comprising a memory, a processor and computer instructions stored in the memory and executable on the processor, which, when executed by the processor, perform the self-adaptive context-aware access control method based on a zero trust architecture of any one of claims 1 to 6.
  9. A computer-readable storage medium storing computer instructions which, when executed by a processor, perform the self-adaptive context-aware access control method based on a zero trust architecture of any one of claims 1 to 6.
  10. A computer program product comprising a computer program which, when executed by a processor, implements the self-adaptive context-aware access control method based on a zero trust architecture of any one of claims 1 to 6.
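
The decision pipeline of claims 1 to 7 is easier to reason about as code. The following is an added example, not code from the patent or its applicant: a small policy decision point that builds the request, trust and context objects, screens candidate policies, ranks them level by level under a configurable priority element rule (override, risk-aware, time-window, conditional, static), breaks remaining ties with the auxiliary factors of claim 6 (scope, source weight, operation sensitivity) and re-evaluates the authorization state on every context update. Every identifier, weight, attribute and policy below (the `SUBJECTS` and `RESOURCES` directories, the factor weights in `evaluate_trust`, the additive `risk_level` model, the policy store `POLICIES`) is a constructed assumption chosen to exercise each arbitration level; the patent does not specify them.

```python
"""Added example, not the patent's code: a toy policy decision point walking the claimed
pipeline (request object, trust evaluation, context object, candidate screening, priority
arbitration, auxiliary tie-break, continuous re-evaluation). All names/weights are assumptions."""
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Callable, Optional

AccessRequest = namedtuple("AccessRequest", "subject resource operation")          # claim 2
TrustResult = namedtuple("TrustResult", "authenticated score")                     # claim 3, score 0.0..1.0
Context = namedtuple("Context", "device_managed network hour anomalous_behavior")  # claim 4

@dataclass
class Policy:                   # claim 5: policy carrying its priority identification
    name: str
    action: str                 # "permit" | "deny" | "step_up"
    subject_attr: dict = field(default_factory=dict)
    resource_attr: dict = field(default_factory=dict)
    operations: frozenset = frozenset()          # empty = any operation
    condition: Optional[Callable[[TrustResult, Context], bool]] = None
    static_priority: int = 0
    override: bool = False      # override priority: precedes every other level
    risk_aware: bool = False    # risk-aware priority: rises when risk is elevated
    time_window: Optional[frozenset] = None      # hours in which the policy is active
    scope: int = 1              # auxiliary factor: larger = narrower scope
    source_weight: int = 1      # auxiliary factor: authority of the policy source

# Constructed sample directory and sensitivity tables (assumptions).
SUBJECTS = {"t_liu": {"role": {"teacher", "researcher"}, "dept": "cs"}, "s_gong": {"role": {"student"}, "dept": "cs"}}
RESOURCES = {"grades_db": {"type": "grades", "sensitivity": "high", "dept": "cs"}}
OPERATION_SENSITIVITY = {"read": 1, "write": 2, "export": 3, "delete": 3}
RESTRICTIVENESS = {"permit": 0, "step_up": 1, "deny": 2}

def evaluate_trust(factors: set) -> TrustResult:      # assumed weights for the claim 3 factor types
    score = min(100, sum({"password": 30, "otp": 30, "biometric": 30, "device_fingerprint": 20}.get(f, 0) for f in factors)) / 100
    return TrustResult(authenticated=score >= 0.3, score=score)

def risk_level(trust: TrustResult, ctx: Context) -> int:   # assumed additive risk model, 0 = low
    return (int(trust.score < 0.6) + int(not ctx.device_managed)
            + int(ctx.network == "public") + 2 * int(ctx.anomalous_behavior))

def _attrs_match(required: dict, actual: dict) -> bool:   # equal to, or member of a set-valued, attribute
    return all(want in have if isinstance(have := actual.get(key), set) else want == have
               for key, want in required.items())

def candidates(req, trust, ctx, policies):                # screen the store for applicable policies
    return [p for p in policies
            if _attrs_match(p.subject_attr, SUBJECTS[req.subject]) and _attrs_match(p.resource_attr, RESOURCES[req.resource])
            and (not p.operations or req.operation in p.operations)
            and (p.time_window is None or ctx.hour in p.time_window)
            and (p.condition is None or p.condition(trust, ctx))]

# One key per priority type; PRIORITY_ELEMENT_RULE fixes the comparison order, an earlier level dominating later ones.
PRIORITY_KEYS = {
    "override":    lambda p, t, c: int(p.override),
    "risk":        lambda p, t, c: int(p.risk_aware and risk_level(t, c) >= 2),
    "time_window": lambda p, t, c: int(p.time_window is not None),   # active, since it matched
    "conditional": lambda p, t, c: (len(p.subject_attr) + len(p.resource_attr)
                                    + len(p.operations) + int(p.condition is not None)),
    "static":      lambda p, t, c: p.static_priority,
}
PRIORITY_ELEMENT_RULE = ("override", "risk", "time_window", "conditional", "static")

def arbitrate(cands, req, trust, ctx, rule=PRIORITY_ELEMENT_RULE) -> Policy:
    key = lambda p: tuple(PRIORITY_KEYS[name](p, trust, ctx) for name in rule)
    best = max(key(p) for p in cands)
    tied = [p for p in cands if key(p) == best]
    sensitive = OPERATION_SENSITIVITY.get(req.operation, 3) >= 2
    # Sensitive operation: most restrictive action wins; else narrower scope, then source weight, then deny-wins.
    aux = lambda p: (RESTRICTIVENESS[p.action] if sensitive else 0,
                     p.scope, p.source_weight, RESTRICTIVENESS[p.action])
    return max(tied, key=aux)

def decide(req, trust, ctx, policies=None):               # -> (authorization state, reason)
    if not trust.authenticated:
        return "deny", "unauthenticated"
    cands = candidates(req, trust, ctx, POLICIES if policies is None else policies)
    if not cands:
        return "deny", "no-matching-policy"               # default deny
    winner = arbitrate(cands, req, trust, ctx)
    return winner.action, winner.name

def adjust_authorization(req, trust, context_stream, policies=None):   # re-decide per context update
    states, state = [], "permit"
    for ctx in context_stream:
        action, _ = decide(req, trust, ctx, policies)
        state = "revoked" if action == "deny" or state == "revoked" else action   # revocation is sticky
        states.append(state)
    return states

POLICIES = [   # constructed policy store
    Policy("teachers-read-grades", "permit", subject_attr={"role": "teacher"}, resource_attr={"type": "grades"},
           operations=frozenset({"read", "export"}), static_priority=50, scope=2, source_weight=2),
    Policy("cs-grades-baseline-deny", "deny", subject_attr={"dept": "cs"}, resource_attr={"type": "grades"},
           operations=frozenset({"read", "export"}), static_priority=50, scope=1, source_weight=1),
    Policy("high-risk-deny-sensitive", "deny", resource_attr={"sensitivity": "high"},
           condition=lambda t, c: risk_level(t, c) >= 2, risk_aware=True, static_priority=40),
    Policy("off-hours-step-up", "step_up", resource_attr={"sensitivity": "high"},
           time_window=frozenset(range(22, 24)) | frozenset(range(6)), static_priority=30),
    Policy("grades-export-freeze", "deny", resource_attr={"type": "grades"},
           operations=frozenset({"export"}), override=True),
]
```

Two design points worth noting. First, the priority element rule is data (a tuple of level names), so the order in which levels are compared can be changed without touching the ranking code; with the order above, a risk-aware deny at static priority 40 beats a permit at priority 50 once the computed risk is elevated, and an override policy beats everything. Second, every path that could otherwise be ambiguous fails closed: no matching policy yields deny, an exact tie on all levels and auxiliary factors falls back to the more restrictive action, and once continuous re-evaluation has denied a session it stays revoked rather than silently re-opening when the context improves.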

Description

Self-adaptive context-aware access control method and system based on zero trust architecture

Technical Field

The invention relates to the technical field of information security and access control, and in particular to a self-adaptive context-aware access control method and system based on a zero trust architecture.

Background

The statements in this section merely provide background information related to the present disclosure and do not necessarily constitute prior art.

With the continued digital transformation of education, modern university information systems cover core areas such as teaching, scientific research, administration and services, and support diverse and complex business processes such as student course selection, online teaching, research data management, grade assessment, and personnel and finance. These systems hold many data types of high sensitivity, while users frequently switch between roles and access the systems through multiple channels. This places stricter requirements on the security, flexibility and scalability of the access control mechanism: a fine-grained, dynamic, secure and resilient access control system is needed to ensure stable operation and data security.

Currently, role-based access control (RBAC) is commonly used for permission management in educational information systems, supplemented in some scenarios by a static attribute-based access control (ABAC) model; at their core, both rely on a predefined role-permission mapping or fixed attribute matching rules. RBAC simplifies permission configuration in multi-user settings by grouping users into roles and assigning permissions to the roles, while static ABAC makes authorization decisions from the inherent attributes of the access subject and the resource object, improving the granularity of control to some extent. However, existing access control methods still have several significant shortcomings in practice.

First, the authorization mechanism is static and its responsiveness is insufficient. User identity and behavior state are highly dynamic: a teacher may hold teaching, research and administrative roles at the same time and switch between them frequently. RBAC struggles to reflect identity and behavior changes in real time, which easily leads to lagging authorization or over-broad permissions, and static ABAC cannot adapt promptly to changes in user state and business scenario.

Second, the ability to sense and adapt to the access context is lacking. Existing models generally focus on the inherent attributes of user identity and resources and pay little attention to contextual factors present when the access occurs, such as device state, network location, access time and behavioral characteristics. They cannot fold these dynamic factors into a unified authorization logic and find it difficult to adjust authorization policies as risk changes, which increases the risk of identity impersonation and privilege abuse.

Third, policy granularity is coarse and the conflict resolution mechanism is insufficient. In environments with multi-system integration and multi-role collaboration, the number of access control policies keeps growing and their structure becomes increasingly complex. Traditional models lack clear policy priority management and conflict resolution, so overlapping authorization rules, policy overrides and inconsistent decision results arise easily, seriously affecting the security consistency and manageability of the system.

Fourth, a continuous verification mechanism is lacking and control over the trust boundary is limited. Most systems use one-time identity authentication: once a user has authenticated, access rights are retained for a long period, subsequent behavior changes and session risk are not continuously evaluated, and this default-trust authorization model cannot meet dynamic protection requirements, which to some extent increases internal risks such as lateral movement and account sharing.

In summary, although the access control methods of existing educational information systems achieve basic management of user identity and resource permissions, the authorization decision mechanism is centered on static rules and a single authentication, and lacks comprehensive consideration of key factors such as access context change, policy conflict arbitration, session risk evolution and t