CN114553554A - Terminal trust management and trusted access system and method - Google Patents

Info

Publication number: CN114553554A
Authority: CN (China)
Application number: CN202210173292.3A
Other languages: Chinese (zh)
Other versions: CN114553554B (en)
Inventors: 于亚, 伏玉笋, 杨根科
Current and original assignee: Ningbo Institute Of Artificial Intelligence Shanghai Jiaotong University
Legal status: Granted

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis

Abstract

The invention discloses a terminal trust management and trusted access system in the technical field of network security, comprising a terminal, an equipment information base, a vulnerability database, a vulnerability assessment module, an audit database, an equipment scanning module, a protocol conversion module, a trust measurement module, a trust database and an adaptive encryption module. It also discloses a terminal trust management and trusted access method comprising the following steps: S100, scanning terminal information; S200, querying vulnerability information; S300, calculating the risk factor; S400, calculating the initial trust; S500, accessing the network; S600, measuring in real time; and S700, adaptive encrypted transmission. According to the invention, devices are verified in the cloud computing center while data is processed and calculated at the network edge, so that both security and latency are taken into account, and the problem of assigning an initial trust value in scenarios with high security requirements is solved.

Description

Terminal trust management and trusted access system and method
Technical Field
The invention relates to the technical field of network security, in particular to a terminal trust management and trusted access system and a method.
Background
The development and large-scale application of technologies such as the mobile internet, the internet of things, distributed computing and blockchain have not only changed people's way of life but also profoundly affected how enterprises operate. Concretely, the number of users and devices participating in the network has increased dramatically, so the scale of the network has grown explosively. To date, hundreds of millions of devices have been connected to the internet, and the services and applications it carries keep growing; as a result, the modes of resource sharing, resource operation, security management and network application have been fundamentally transformed.
Taking the industrial internet as an example, under a collaborative and open trend, devices interconnected through networks become the bridge between the physical world and the information world. A service model that digitalizes manufacturing resources and capabilities and supports on-demand, dynamic sharing and cooperation among geographically distributed, functionally heterogeneous devices is the development trend of intelligent manufacturing.
Moving devices to the cloud is a necessary trend in the development of the industrial internet, but it also means that formerly closed devices and data are fully exposed to the internet. Heterogeneous devices differ greatly in computing and storage resources, and devices from different manufacturers use different communication protocols, which increases the complexity of the whole network system. At the same time, these devices sit at the edge of the network, where physical security and communication security are very weak, so they are highly susceptible to cloning, counterfeiting, impersonation, interception, eavesdropping and similar attacks, and pose great potential security hazards.
Device-side weaknesses make the device the primary target of attackers. In the last two years, with the outbreak of security incidents involving edge devices, manufacturers have gradually realized the importance of information security, but the limited resources and technology of terminals still restrict any improvement in protection capability, and edge access devices remain the weak link of system information security. Moreover, the mainstream protection mode of network information systems today is to strengthen network boundary protection with technologies such as firewalls and intrusion detection; in the face of increasingly complex attack behaviour and highly skilled attackers, these means are not enough to guarantee the security of cyberspace.
Accordingly, those skilled in the art are devoted to developing a terminal trust management and trusted access system and method.
Disclosure of Invention
In view of the above defects in the prior art, the technical problem to be solved by the present invention is to guarantee the trusted access of the terminal based on the cloud-edge coordination architecture.
The inventor analyzed methods based on trust management and trust measurement. A trust management model uses a uniform method to describe and verify security credentials, builds trust relationships, and authorizes key operations according to the system's security policy; trust measurement is the key technology in such a model and the main criterion for judging whether a node in the system is trustworthy. The basic steps of trust measurement are: (1) initialization of trust; (2) selection and definition of trust attributes; (3) fusion calculation over the trust attributes. The inventors found that the algorithms proposed in the prior art mostly focus on steps (2) and (3), yet the initialization of trust is a prerequisite for accurate calculation of the trust value. If the initial value is set too high, the node obtains higher authority and the system is easily attacked through newly added nodes; if it is set too low, the interaction capability of the access device is limited and the performance of the overall system drops. Especially in scenarios with high security requirements, such as the industrial internet of things, the setting of the initial value is important. The invention therefore provides a terminal trust management and trusted access system and method based on a cloud-edge cooperative architecture.
In an embodiment of the present invention, a terminal trust management and trusted access system is provided, including:
the terminal is used for data acquisition, signal transmission and control execution;
an equipment information base for storing terminal information;
the vulnerability database stores a vulnerability information set mined by the terminal;
the vulnerability assessment module is used for calculating a terminal risk factor based on the mined vulnerability information set;
the audit database stores the data of the network nodes and the running condition of the network;
the equipment scanning module is used for scanning the firmware information and the communication message of the terminal;
the protocol conversion module analyzes and converts the protocol used by the terminal into a communication message of a unified protocol during uploading, and uploads the communication message to the cloud server; packaging the communication message of the cloud server into a communication message of a protocol used by the terminal during downloading, and issuing the communication message to the terminal;
the trust measurement module calculates an initial trust value, after the terminal is accessed, from the results returned by the equipment information base and the vulnerability assessment module combined with a preset network security level, and calculates a real-time trust value from network traffic and terminal behaviour characteristics once the terminal is running;
a trust database for storing the real-time trust value of the terminal in the network;
the self-adaptive encryption module is used for self-adaptively selecting an encryption algorithm according to the real-time trust value of the terminal, considering transmission safety and efficiency, encrypting data sent by the terminal and transmitting the encrypted data to the cloud server;
the equipment information base, the vulnerability database, the vulnerability assessment module and the audit database are deployed on the cloud server; the equipment scanning module, the protocol conversion module, the trust measurement module, the trust database and the adaptive encryption module together form a trusted communication agent and are deployed on an edge server;
in response to a terminal accessing the network, the equipment scanning module scans the firmware information and communication messages of the terminal and uploads the scan result to the equipment information base; after the equipment information base identifies the terminal, it issues the terminal model and terminal function to the equipment scanning module and sends the terminal's firmware information to the vulnerability assessment module; the equipment scanning module forwards the terminal model and function to the trust measurement module; the vulnerability assessment module searches the vulnerability database by the terminal's firmware information to obtain the vulnerability information set corresponding to the terminal, calculates the terminal risk factor and sends the result to the trust measurement module; the trust measurement module assigns an initial trust value to the terminal based on the terminal risk factor, the terminal model and function and the preset network security level, and sends the result to the trust database; the terminal starts working once it has been given an initial trust value, and while it runs the trust measurement module calculates its real-time trust value from network traffic and terminal behaviour characteristics and stores the result in the trust database; the protocol conversion module parses the terminal's operating data and checks whether the real-time trust value meets the security threshold; if it does, the data are passed to the adaptive encryption module, which selects an encryption algorithm according to the real-time trust value, encrypts the data and uploads them to the audit database of the cloud server; if it does not, the communication message is discarded and the terminal's connection is closed.
Optionally, in the above-mentioned terminal trust management and trusted access system, the terminal information includes hardware information, software version, and communication protocol of the terminal.
Optionally, in the terminal trust management and trusted access system of any of the above embodiments, the mined vulnerability information set includes the vulnerability number, hazard level, vulnerability disclosure time, patch information and CVSS (Common Vulnerability Scoring System) indicators.
Optionally, in the terminal trust management and trusted access system in any of the above embodiments, the device information base and the vulnerability database are established in advance and periodically updated, so as to ensure the completeness of information.
Optionally, in the terminal trust management and trusted access system in any of the above embodiments, the terminal is deployed at a network edge layer.
Optionally, in the terminal trust management and trusted access system in any of the above embodiments, the terminal includes a sensor, a controller, and various intelligent terminals.
Based on the terminal trust management and trusted access system of any of the above embodiments, in another embodiment of the present invention, a terminal trust management and trusted access method is provided, which includes the following steps:
S100, scanning terminal information: in response to a terminal accessing the network, the terminal information scanned by the equipment scanning module is uploaded to the equipment information base;
S200, querying vulnerability information: the equipment information base identifies the terminal from the scanned terminal information and sends the vulnerability information of the corresponding terminal in the vulnerability database to the vulnerability assessment module;
S300, calculating the risk factor: the vulnerability assessment module calculates the terminal risk factor;
S400, calculating the initial trust: the trust measurement module calculates the initial trust of the terminal based on the terminal function, the terminal risk factor and the security level requirement;
S500, accessing the network: if the initial trust of the terminal meets the security threshold, the terminal is admitted to the network and starts working; otherwise the terminal is disconnected;
S600, measuring in real time: the real-time trust value of the terminal is calculated continuously from network traffic and terminal behaviour characteristics;
S700, adaptive encrypted transmission: if the real-time trust value meets the security threshold, the adaptive encryption module selects an encryption algorithm, encrypts the data sent by the terminal and transmits the encrypted data to the cloud server; otherwise the communication message is discarded and the terminal's connection is closed.
Optionally, in the terminal trust management and trusted access method of the above embodiment, the calculation of the terminal risk factor obeys the following rules: the higher the vulnerability hazard level, the higher the terminal risk factor; the more recent the vulnerability disclosure, the higher the terminal risk factor; the less patch information is available, the higher the terminal risk factor; the higher the vulnerability score, the higher the terminal risk factor; the more accessible the attack vector, the higher the terminal risk factor; the lower the attack complexity, the higher the terminal risk factor; the less authentication an attack requires, the higher the terminal risk factor; the greater the impact on confidentiality, integrity and availability, the higher the terminal risk factor.
Optionally, in the terminal trust management and trusted access method in any of the above embodiments, the risk factor calculation formula is as follows:
Figure BDA0003518098350000041
where risk is the risk factor, W_i is the weight of vulnerability i, and num is the number of vulnerabilities in the vulnerability information set M; w_1 is the weight of the attack vector, w_2 the weight of attack complexity, w_3 the weight of authentication, w_4 the weight of confidentiality, w_5 the weight of integrity and w_6 the weight of availability; patch is the patch information and time is the vulnerability disclosure time; score, av, ac, auth, C, I and A are the CVSS indicators for vulnerability score, attack vector, attack complexity, authentication requirement, confidentiality impact, integrity impact and availability impact respectively; k is a time adjustment factor, λ a patch availability factor and α a vulnerability availability factor.
Further, in the terminal trust management and trusted access method of any of the above embodiments, the weight W_i of vulnerability i is calculated as follows:
Figure BDA0003518098350000042
where m_level_i is the number of vulnerabilities at hazard level level_i; num is the number of vulnerabilities in the vulnerability information set M; level_i is the hazard level of vulnerability i; and ρ_level_i is the weight of hazard level level_i.
Optionally, in the terminal trust management and trusted access method in any of the above embodiments, the calculation of the initial trust level obeys the following rules: the more powerful the terminal function is, the lower the initial trust level is; the higher the terminal risk factor is, the lower the initial trust level is; the higher the network security level requirement, the lower the initial trust level.
Optionally, in the terminal trust management and trusted access method in any of the above embodiments, the initial trust degree calculation formula is as follows:
Figure BDA0003518098350000051
where T_0 is the initial trust, v_1 the weight of the terminal function, v_2 the weight of the terminal risk factor, fun the terminal function, risk the terminal risk factor and n the security level requirement.
The invention provides a terminal trust management and trusted access system and method based on cloud-edge cooperation, wherein the system responds to a terminal access network, uploads terminal information to a cloud server after edge scanning, the cloud server issues a result to the edge server after identification, verification and calculation, and the initial trust value of the terminal is calculated based on an established vulnerability information base, so that fine-grained management of an access terminal is enhanced. The edge server which is adjacent to the terminal in space not only guarantees the credible access and dynamic management of the terminal, but also gives consideration to communication time delay, and solves the initial trust value problem in the scene with higher requirements on safety and time delay.
The conception, the specific structure and the technical effects of the present invention will be further described with reference to the accompanying drawings to fully understand the objects, the features and the effects of the present invention.
Drawings
Fig. 1 is a schematic structural diagram illustrating a terminal trust management and trusted access system based on cloud edge coordination according to an exemplary embodiment;
fig. 2 is a flowchart illustrating a terminal trust management and trusted access method based on cloud-edge coordination according to an example embodiment.
Detailed Description
The technical contents of the preferred embodiments of the present invention will be more clearly and easily understood by referring to the drawings attached to the specification. The present invention may be embodied in many different forms of embodiments and the scope of the invention is not limited to the embodiments set forth herein.
In the drawings, structurally identical elements are represented by like reference numerals, and structurally or functionally similar elements are represented by like reference numerals throughout the several views. The size and thickness of each component shown in the drawings are arbitrarily illustrated, and the present invention is not limited to the size and thickness of each component. The thickness of the components is exaggerated somewhat schematically and appropriately in order to make the illustration clearer.
The inventor designs a terminal trust management and trusted access system based on cloud edge coordination, as shown in fig. 1, including:
the terminal comprises a sensor, a controller and various intelligent terminals;
the equipment information base stores terminal information, wherein the terminal information comprises hardware information, software version and communication protocol of the terminal;
the vulnerability database stores a vulnerability information set mined by the terminal;
the vulnerability assessment module is used for calculating the terminal risk factor of the terminal based on the mined vulnerability information set, which comprises the vulnerability number, hazard level, vulnerability disclosure time, patch information and CVSS (Common Vulnerability Scoring System) indicators;
the audit database stores the data of the network nodes and the running condition of the network;
the equipment scanning module is used for scanning the firmware information and the communication message of the terminal;
the protocol conversion module parses the protocol used by the terminal and converts it into a communication message of a unified protocol when uploading, and uploads that message to the cloud server; when downloading, it packages the cloud server's communication message into a message in the protocol used by the terminal and issues it to the terminal;
the trust measurement module calculates an initial trust value, after the terminal is accessed, from the results returned by the equipment information base and the vulnerability assessment module combined with a preset network security level, and calculates a real-time trust value from network traffic and terminal behaviour characteristics once the terminal is running;
a trust database for storing the real-time trust value of the terminal in the network;
the self-adaptive encryption module is used for self-adaptively selecting an encryption algorithm according to the real-time trust value of the terminal, considering transmission safety and efficiency, encrypting data sent by the terminal and transmitting the encrypted data to the cloud server;
the equipment information base, the vulnerability database, the vulnerability assessment module and the audit database are deployed on the cloud server, and the equipment information base and the vulnerability database are established in advance and updated regularly to ensure the completeness of the information; the equipment scanning module, the protocol conversion module, the trust measurement module, the trust database and the adaptive encryption module together form a trusted communication agent and are deployed on an edge server;
in response to a terminal accessing the network, the equipment scanning module scans the firmware information and communication messages of the terminal and uploads the scan result to the equipment information base; after the equipment information base identifies the terminal, it issues the terminal model and terminal function to the equipment scanning module and sends the terminal's firmware information to the vulnerability assessment module; the equipment scanning module forwards the terminal model and function to the trust measurement module; the vulnerability assessment module searches the vulnerability database by the terminal's firmware information to obtain the vulnerability information set corresponding to the terminal, calculates the terminal risk factor and sends the result to the trust measurement module; the trust measurement module assigns an initial trust value to the terminal based on the terminal risk factor, the terminal model and function and the preset network security level, and sends the result to the trust database; the terminal starts working once it has been given an initial trust value, and while it runs the trust measurement module calculates its real-time trust value from network traffic and terminal behaviour characteristics and stores the result in the trust database; the protocol conversion module parses the terminal's operating data and checks whether the real-time trust value meets the security threshold; if it does, the data are passed to the adaptive encryption module, which selects an encryption algorithm according to the real-time trust value, encrypts the data and uploads them to the audit database of the cloud server; if it does not, the current communication message is discarded and the terminal is disconnected;
the terminal is deployed at the network edge layer.
Based on the foregoing embodiments, the inventor provides a terminal trust management and trusted access method based on cloud-edge coordination, as shown in fig. 2, including:
S100, scanning terminal information: in response to a terminal accessing the network, the terminal information scanned by the equipment scanning module is uploaded to the equipment information base;
S200, querying vulnerability information: the equipment information base identifies the terminal from the scanned terminal information and sends the vulnerability information of the corresponding terminal in the vulnerability database to the vulnerability assessment module;
S300, calculating the risk factor: the vulnerability assessment module calculates the terminal risk factor, and the calculation obeys the following rules: the higher the vulnerability hazard level, the higher the terminal risk factor; the more recent the vulnerability disclosure, the higher the terminal risk factor; the less patch information is available, the higher the terminal risk factor; the higher the vulnerability score, the higher the terminal risk factor; the more accessible the attack vector, the higher the terminal risk factor; the lower the attack complexity, the higher the terminal risk factor; the less authentication an attack requires, the higher the terminal risk factor; the greater the impact on confidentiality, integrity and availability, the higher the terminal risk factor. The terminal risk factor is calculated as follows:
Figure BDA0003518098350000071
where risk is the risk factor and W_i is the weight of vulnerability i, calculated as follows:
Figure BDA0003518098350000072
where m_level_i is the number of vulnerabilities at hazard level level_i; num is the number of vulnerabilities in the vulnerability information set M; level_i is the hazard level of vulnerability i; ρ_level_i is the weight of hazard level level_i; level_j is the hazard level of vulnerability j; ρ_level_j is the weight of hazard level level_j; w_1 is the weight of the attack vector, w_2 the weight of attack complexity, w_3 the weight of authentication, w_4 the weight of confidentiality, w_5 the weight of integrity and w_6 the weight of availability; patch is the patch information and time is the vulnerability disclosure time; score, av, ac, auth, C, I and A are the CVSS indicators for vulnerability score, attack vector, attack complexity, authentication requirement, confidentiality impact, integrity impact and availability impact respectively; k is a time adjustment factor, λ a patch availability factor and α a vulnerability availability factor;
S400, calculating the initial trust: the trust measurement module calculates the initial trust of the terminal based on the terminal function, the terminal risk factor and the security level requirement, and the calculation obeys the following rules: the more powerful the terminal function, the lower the initial trust; the higher the terminal risk factor, the lower the initial trust; the higher the network security level requirement, the lower the initial trust. The initial trust is calculated as follows:
Figure BDA0003518098350000081
where T_0 is the initial trust, v_1 the weight of the terminal function, v_2 the weight of the terminal risk factor, fun the terminal function, risk the terminal risk factor and n the security level requirement;
S500, accessing the network: if the initial trust of the terminal meets the security threshold, the terminal is admitted to the network and starts working; otherwise the terminal is disconnected;
S600, measuring in real time: the real-time trust value of the terminal is calculated continuously from network traffic and terminal behaviour characteristics;
S700, adaptive encrypted transmission: if the real-time trust value meets the security threshold, the adaptive encryption module selects an encryption algorithm, encrypts the data sent by the terminal and transmits the encrypted data to the cloud server; otherwise the communication message is discarded and the terminal's connection is closed.
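As an added worked example (not code from the patent or its inventors), the following Python implements the S300 risk factor, the S400 initial trust and the S500 threshold check in a way that satisfies every monotonic rule the patent states. The concrete formulas, weights and constants are assumptions made here, since the patent's own formulas appear only as figures; the CVSS indicators av, ac, auth, C, I and A are encoded with the standard CVSS v2 base-metric values, and the sample vulnerabilities are constructed.

```python
"""Risk factor (S300), initial trust (S400) and admission check (S500).

Added example, not the patent's formulas.  Every function below is monotonic
in the direction the patent states; the specific shapes are assumptions.
"""
from dataclasses import dataclass
import math

# Standard CVSS v2 base-metric values for the indicators named in the patent.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}       # attack vector: local < adjacent < network
AC = {"H": 0.35, "M": 0.61, "L": 0.71}        # attack complexity: low complexity -> high value
AUTH = {"M": 0.45, "S": 0.56, "N": 0.704}     # authentication: none required -> high value
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}   # confidentiality / integrity / availability impact

# Parameters named in the patent; the numeric values are assumptions.
W_METRIC = (0.15, 0.15, 0.10, 0.20, 0.20, 0.20)          # w1..w6, sum to 1
RHO_LEVEL = {"low": 0.25, "medium": 0.5, "high": 0.75, "critical": 1.0}  # rho_level
K_TIME = 180.0        # k: time adjustment factor, in days
LAMBDA_PATCH = 0.5    # lambda: patch availability factor (< 1 lowers risk when a patch exists)
ALPHA = 1.0           # alpha: vulnerability availability factor, used as a global scale
V_FUN, V_RISK = 0.3, 0.6                                  # v1, v2


@dataclass(frozen=True)
class Vuln:
    vid: str            # vulnerability number (constructed placeholder, not a real identifier)
    level: str          # hazard level, a key of RHO_LEVEL
    score: float        # CVSS base score, 0..10
    av: str
    ac: str
    auth: str
    c: str
    i: str
    a: str
    days_public: int    # time: days since disclosure
    patched: bool       # patch information: a vendor patch is available


def vuln_weights(vulns):
    """W_i = (m_level_i / num) * rho_level_i: share of vulnerabilities at the same
    hazard level, scaled by that level's weight (assumed reading of the variables)."""
    num = len(vulns)
    counts = {}
    for v in vulns:
        counts[v.level] = counts.get(v.level, 0) + 1
    return {v.vid: counts[v.level] / num * RHO_LEVEL[v.level] for v in vulns}


def exploit_term(v):
    """w1*av + w2*ac + w3*auth + w4*C + w5*I + w6*A, each metric normalised to [0, 1]."""
    metrics = (AV[v.av] / 1.0, AC[v.ac] / 0.71, AUTH[v.auth] / 0.704,
               IMPACT[v.c] / 0.660, IMPACT[v.i] / 0.660, IMPACT[v.a] / 0.660)
    return sum(w * m for w, m in zip(W_METRIC, metrics))


def risk_factor(vulns):
    """risk = sum_i W_i * (score_i / 10) * exploit_term_i * time_i * patch_i * alpha.

    time_i = 1 + exp(-time / k) gives recent disclosures more weight; patch_i is
    lambda when a patch exists.  A terminal with no known vulnerabilities scores 0.0."""
    if not vulns:
        return 0.0
    weights = vuln_weights(vulns)
    risk = 0.0
    for v in vulns:
        time_adj = 1.0 + math.exp(-v.days_public / K_TIME)
        patch_adj = LAMBDA_PATCH if v.patched else 1.0
        risk += weights[v.vid] * (v.score / 10.0) * exploit_term(v) * time_adj * patch_adj * ALPHA
    return risk


def initial_trust(fun, risk, n):
    """T0 = (1 - v1*fun - v2*risk)^n, with the base clamped to [0, 1].

    fun in [0, 1] is the terminal's functional capability and n >= 1 the security
    level requirement; T0 decreases as fun, risk or n grows, as the patent requires."""
    base = max(0.0, min(1.0, 1.0 - V_FUN * fun - V_RISK * min(risk, 1.0)))
    return base ** n


def admit(t0, threshold):
    """Step S500: the terminal joins the network only if T0 meets the threshold."""
    return t0 >= threshold


# Constructed sample: one critical, recent, unpatched flaw and one older, patched one.
SAMPLE_VULNS = [
    Vuln("VULN-0001", "critical", 10.0, "N", "L", "N", "C", "C", "C", days_public=20, patched=False),
    Vuln("VULN-0002", "medium", 5.0, "N", "L", "N", "P", "N", "N", days_public=400, patched=True),
]


def demo(fun=0.6, n=2, threshold=0.4):
    """Run the pipeline for a fairly capable terminal at security level n."""
    risk = risk_factor(SAMPLE_VULNS)
    t0 = initial_trust(fun, risk, n)
    return {"risk": risk, "T0": t0, "admitted": admit(t0, threshold)}


if __name__ == "__main__":
    print(demo())
```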
The foregoing detailed description of the preferred embodiments of the invention has been presented. It should be understood that numerous modifications and variations could be devised by those skilled in the art in light of the present teachings without departing from the inventive concepts. Therefore, the technical solutions available to those skilled in the art through logic analysis, reasoning and limited experiments based on the prior art according to the concept of the present invention should be within the scope of protection defined by the claims.

Claims (10)

1. A terminal trust management and trusted access system, comprising:
the terminal is used for data acquisition, signal transmission and control execution;
the equipment information base stores the terminal information;
the vulnerability database stores a vulnerability information set mined by the terminal;
the vulnerability assessment module is used for calculating a terminal risk factor based on the mined vulnerability information set;
the audit database stores the data of the network nodes and the running condition of the network;
the equipment scanning module scans the firmware information and the communication message of the terminal;
the protocol conversion module, which on upload parses messages in the protocol used by the terminal, converts them into communication messages of a unified protocol and uploads them to the cloud server, and on download packages communication messages from the cloud server into messages of the protocol used by the terminal and delivers them to the terminal;
the trust measurement module, which after the terminal is connected calculates an initial trust value from the results returned by the equipment information base and the vulnerability assessment module together with a preset network security level, and after the terminal starts operating calculates a real-time trust value from network traffic and terminal behaviour characteristics;
the trust database, which stores the real-time trust value of the terminal in the network;
the adaptive encryption module, which selects an encryption algorithm adaptively according to the real-time trust value of the terminal, balancing transmission security against efficiency, encrypts the data sent by the terminal and transmits the encrypted data to the cloud server;
the equipment information base, the vulnerability database, the vulnerability assessment module and the audit database are deployed on a cloud server; the equipment scanning module, the protocol conversion module, the trust measurement module, the trust database and the adaptive encryption module form a trusted communication agent and are deployed on an edge server;
in response to a terminal joining the network, the equipment scanning module scans the firmware information and communication messages of the terminal and uploads the scan result to the equipment information base; after the equipment information base has identified the terminal, it sends the terminal model and terminal function to the equipment scanning module and the firmware information of the terminal to the vulnerability assessment module; the equipment scanning module forwards the terminal model and function to the trust measurement module; the vulnerability assessment module looks up the vulnerability database by the firmware information of the terminal to obtain the vulnerability information set of the terminal, calculates the terminal risk factor and sends the result to the trust measurement module; the trust measurement module assigns the terminal an initial trust value based on the terminal risk factor, the terminal model and function, and the preset network security level, and sends the result to the trust database; once the initial trust value has been assigned the terminal starts working, and during operation the trust measurement module calculates the real-time trust value of the terminal from network traffic and terminal behaviour characteristics and passes the result to the trust database for storage; the protocol conversion module parses the operating data of the terminal and checks whether the real-time trust value meets the security threshold; if so, it passes the data to the adaptive encryption module, which selects an encryption algorithm corresponding to the real-time trust value, encrypts the data and uploads it to the audit database on the cloud server; if the security threshold is not met, the current communication message is discarded and the terminal is disconnected.
2. The terminal trust management and trusted access system of claim 1, wherein the terminal information comprises hardware information, software version, communication protocol of the terminal.
3. The terminal trust management and trusted access system of claim 1, wherein the mined vulnerability information set includes a vulnerability number, a hazard level, a vulnerability disclosure time, patch information and a CVSS (Common Vulnerability Scoring System) score.
4. The terminal trust management and trusted access system of claim 1, wherein the device information base and the vulnerability database are established in advance and updated periodically to ensure completeness of information.
5. The terminal trust management and trusted access system of claim 1, wherein the terminal is deployed at a network edge layer.
6. A terminal trust management and trusted access method, characterized in that it uses the terminal trust management and trusted access system according to any one of claims 1 to 5 and comprises the following steps:
S100, terminal information scanning: in response to a terminal joining the network, the terminal information scanned by the equipment scanning module is uploaded to the equipment information base;
S200, vulnerability information query: the equipment information base identifies the terminal from the scanned terminal information and sends the vulnerability information of the corresponding terminal held in the vulnerability database to the vulnerability assessment module;
S300, risk factor calculation: the vulnerability assessment module calculates the terminal risk factor;
S400, initial trust calculation: the trust measurement module calculates the initial trust value of the terminal from the terminal function, the terminal risk factor and the security level requirement;
S500, network access: if the initial trust value of the terminal meets the security threshold, the terminal is admitted to the network and starts working; otherwise the terminal is disconnected;
S600, real-time measurement: the real-time trust value of the terminal is calculated continuously from network traffic and terminal behaviour characteristics;
S700, adaptive encrypted transmission: if the real-time trust value meets the security threshold, the adaptive encryption module selects an encryption algorithm, encrypts the data sent by the terminal and transmits the encrypted data to the cloud server; otherwise the communication message is discarded and the terminal connection is closed.
7. The terminal trust management and trusted access method of claim 6, wherein the calculation of the terminal risk factor in step S300 follows these rules: the higher the vulnerability hazard level, the higher the terminal risk factor; the more recent the vulnerability disclosure time, the higher the terminal risk factor; the less patch information is available, the higher the terminal risk factor; the higher the vulnerability (CVSS) score, the higher the terminal risk factor; the simpler the attack vector, the higher the terminal risk factor; the lower the attack complexity, the higher the terminal risk factor; the fewer authentications an attack requires, the higher the terminal risk factor; and the greater the impact on confidentiality, integrity and availability, the higher the terminal risk factor.
8. The terminal trust management and trusted access method of claim 6, wherein the risk factor is calculated by the following formula:
Figure FDA0003518098340000031
9. The terminal trust management and trusted access method of claim 8, wherein the weight $W_i$ of vulnerability $i$ is calculated by the following formula:
Figure FDA0003518098340000032
10. The terminal trust management and trusted access method of claim 6, wherein the calculation of the initial trust value follows these rules: the stronger the terminal function, the lower the initial trust value; the higher the terminal risk factor, the lower the initial trust value; and the higher the network security level requirement, the lower the initial trust value.
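The following Python model is added here as an illustration of the S100 to S700 pipeline of claims 6 to 10 run end to end; it is not code from the patent or its applicant. The patent's formulas in claims 8 and 9 are images that are not reproduced on this page, so every scoring function below (the per-vulnerability weight, the noisy-OR aggregation into the risk factor, the expression for $T_0$ in terms of $v_1$, $v_2$, $fun$, $risk$ and $n$, the behaviour-based real-time update, the 0.5 threshold and the cipher tiers) is an assumption chosen only to obey the monotonic rules stated in claims 7 and 10. The vulnerability records and the two terminal profiles (a data-acquisition sensor and a control-executing PLC) are constructed sample data, not real advisories.

```python
"""Worked model of the terminal trust pipeline (steps S100-S700).

Added example, not code from the patent. The patent's formulas are not on the
page; every formula, weight, threshold and cipher tier below is an assumption
chosen only to respect the monotonic rules of claims 7 and 10. All sample
vulnerabilities and terminal profiles are constructed data.
"""
from dataclasses import dataclass
from datetime import date
from math import prod

TODAY = date(2022, 2, 24)  # fixed reference date so disclosure age is deterministic


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str             # vulnerability number (label only)
    hazard_level: int        # 1 (low) .. 4 (critical)
    disclosed: date          # vulnerability disclosure time
    patched: bool            # whether patch information exists
    cvss: float              # CVSS base score, 0..10
    attack_vector: str       # "network", "adjacent", "local" or "physical"
    attack_complexity: str   # "low" or "high"
    auth_required: int       # authentications an attacker needs: 0, 1 or 2
    cia_impact: float        # combined confidentiality/integrity/availability impact, 0..1


_ATTACK_VECTOR = {"network": 1.0, "adjacent": 0.8, "local": 0.5, "physical": 0.3}
_AUTH = {0: 1.0, 1: 0.7, 2: 0.5}


def vuln_weight(v: Vulnerability, today: date = TODAY) -> float:
    """Weight W_i in (0, 1]: each factor moves in the direction claim 7 demands
    (assumed multiplicative form)."""
    age_years = max((today - v.disclosed).days, 0) / 365.0
    recency = 1.0 / (1.0 + age_years)          # newer disclosure -> higher weight
    return ((v.hazard_level / 4.0) * (v.cvss / 10.0) * recency
            * _ATTACK_VECTOR[v.attack_vector]
            * (1.0 if v.attack_complexity == "low" else 0.6)
            * _AUTH[v.auth_required]
            * (0.5 if v.patched else 1.0)       # available patch halves the weight
            * (0.5 + 0.5 * v.cia_impact))


def risk_factor(vulns, today: date = TODAY) -> float:
    """Step S300: noisy-OR aggregation (assumed); one near-critical weight dominates."""
    return 1.0 - prod(1.0 - vuln_weight(v, today) for v in vulns)


def initial_trust(fun: float, risk: float, n: int, v1: float = 0.4, v2: float = 0.6) -> float:
    """Step S400: T_0 from terminal function fun (0..1, control execution scores
    highest), risk factor and security level n >= 1. With v1 + v2 = 1 the base lies
    in [0, 1], so raising it to the power n lowers trust as the level rises (claim 10)."""
    base = max(1.0 - (v1 * fun + v2 * risk), 0.0)
    return base ** n


def admit(t0: float, threshold: float = 0.5) -> bool:
    """Step S500: admit only when the initial trust value meets the security threshold."""
    return t0 >= threshold


def update_trust(prev: float, anomaly: float, gain: float = 0.05, penalty: float = 0.5) -> float:
    """Step S600 (assumed form): anomaly in [0, 1] summarises traffic/behaviour
    features; normal behaviour earns slow credit, anomalies cost trust quickly."""
    return min(max(prev + gain * (1.0 - anomaly) - penalty * anomaly, 0.0), 1.0)


def select_cipher(trust: float, threshold: float = 0.5):
    """Step S700: None means drop the message and disconnect; trust that still meets
    the threshold but is lower gets the heavier cipher (assumed tiers)."""
    if trust < threshold:
        return None
    return "AES-128-GCM" if trust >= 0.8 else "AES-256-GCM"


def run_session(t0: float, anomaly_scores, threshold: float = 0.5):
    """Replay S600/S700 over successive measurements; stops at the first disconnect."""
    trace, trust = [], t0
    for anomaly in anomaly_scores:
        trust = update_trust(trust, anomaly)
        cipher = select_cipher(trust, threshold)
        trace.append((round(trust, 3), cipher))
        if cipher is None:
            break
    return trace


# Constructed sample vulnerability records (not real advisories).
CRITICAL = Vulnerability("V-A", 4, date(2022, 1, 24), False, 9.8, "network", "low", 0, 1.0)
CRITICAL_PATCHED = Vulnerability("V-A", 4, date(2022, 1, 24), True, 9.8, "network", "low", 0, 1.0)
OLD_PATCHED = Vulnerability("V-B", 2, date(2018, 6, 1), True, 5.3, "local", "high", 1, 0.4)

if __name__ == "__main__":
    for name, fun, vulns in (("sensor", 0.2, [OLD_PATCHED]), ("PLC", 0.9, [CRITICAL, OLD_PATCHED])):
        risk = risk_factor(vulns)
        t0 = initial_trust(fun, risk, n=2)
        print(f"{name}: risk={risk:.3f} T0={t0:.3f} admitted={admit(t0)}")
        if admit(t0):
            print("  session:", run_session(t0, [0.0, 0.1, 0.9]))
```

Running it admits the low-function sensor carrying only an old, patched, local vulnerability and rejects the PLC carrying an unpatched, recently disclosed network-reachable critical vulnerability, then shows the admitted sensor being encrypted with the lighter cipher while its behaviour is normal and disconnected as soon as one strongly anomalous measurement drives its real-time trust below the threshold.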

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210173292.3A CN114553554B (en) 2022-02-24 2022-02-24 Terminal trust management and trusted access system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210173292.3A CN114553554B (en) 2022-02-24 2022-02-24 Terminal trust management and trusted access system and method

Publications (2)

Publication Number Publication Date
CN114553554A true CN114553554A (en) 2022-05-27
CN114553554B CN114553554B (en) 2023-09-22

Family

ID=81677290

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210173292.3A Active CN114553554B (en) 2022-02-24 2022-02-24 Terminal trust management and trusted access system and method

Country Status (1)

Country Link
CN (1) CN114553554B (en)

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100043059A1 (en) * 2008-08-14 2010-02-18 International Business Machines Corporation Trusted Electronic Communication Through Shared Vulnerability
US20180365430A1 (en) * 2016-02-26 2018-12-20 Huawei Technologies Co., Ltd. Method and apparatus for trusted measurement of cloud computing platform
CN107249015A (en) * 2017-04-28 2017-10-13 西安财经学院 Credible cloud service system of selection, cloud system and Cloud Server based on risk assessment
US20190165941A1 (en) * 2017-11-30 2019-05-30 Cable Television Laboratories, Inc Systems and methods for distributed trust model and framework
US20200160455A1 (en) * 2018-06-29 2020-05-21 Ashwarya Pratap Singh Methods and systems of a marketplace blockchain-based protocol platform with a trust score
CN109951333A (en) * 2019-03-19 2019-06-28 中南大学 Trust evaluation device based on subjective logic in the processing of edge calculations network video
CN112351022A (en) * 2020-10-30 2021-02-09 新华三技术有限公司 Security protection method and device for trust zone
CN113219895A (en) * 2021-05-10 2021-08-06 上海交通大学宁波人工智能研究院 Device and method for enabling edge controller to be safe and credible

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
邓晓衡;关培源;万志文;刘恩陆;罗杰;赵智慧;刘亚军;张洪刚;: "基于综合信任的边缘计算资源协同研究", 计算机研究与发展, no. 03 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114693193A (en) * 2022-06-02 2022-07-01 中国人民解放军海军工程大学 Equipment scientific research project risk factor evaluation system and method
CN117834123A (en) * 2023-11-21 2024-04-05 上海掌御信息科技有限公司 Industrial Internet equipment safety state early warning method based on encrypted data
CN117834123B (en) * 2023-11-21 2024-07-05 上海掌御信息科技有限公司 Industrial Internet equipment safety state early warning method based on encrypted data

Also Published As

Publication number Publication date
CN114553554B (en) 2023-09-22

Similar Documents

Publication Publication Date Title
CN113591119B (en) Cross-domain identification analysis node data privacy protection and safety sharing method and system
Stan et al. Extending attack graphs to represent cyber-attacks in communication protocols and modern it networks
CN115396230A (en) Depth defense safety system and method based on block chain and reinforcement learning
CN114553554A (en) Terminal trust management and trusted access system and method
CN111031003B (en) Intelligent evaluation system of cross-network isolation safety system
Basilico et al. Security games for node localization through verifiable multilateration
CN117040896A (en) Internet of things management method and Internet of things management platform
CN116232770B (en) Enterprise network safety protection system and method based on SDN controller
Mbarek et al. Enhanced network intrusion detection system protocol for internet of things
CN117313122A (en) Data sharing and exchanging management system based on block chain
Xie et al. Machine learning-based security active defence model-security active defence technology in the communication network
Hussaini et al. A taxonomy of security and defense mechanisms in digital twins-based cyber-physical systems
Aldaej et al. Multidomain blockchain-based intelligent routing in UAV-IoT networks
Ahamed Ahanger et al. Distributed Blockchain‐Based Platform for Unmanned Aerial Vehicles
Sedjelmaci et al. Secure attack detection framework for hierarchical 6G-enabled internet of vehicles
Gupta et al. Fog computing and its security challenges
Bhardwaj et al. Fortifying home IoT security: A framework for comprehensive examination of vulnerabilities and intrusion detection strategies for smart cities
CN112015111A (en) Industrial control equipment safety protection system and method based on active immunity mechanism
CN113422776A (en) Active defense method and system for information network security
RU2703329C1 (en) Method of detecting unauthorized use of network devices of limited functionality from a local network and preventing distributed network attacks from them
Li et al. Blockchain security threats and collaborative defense: A literature review
CN115002775A (en) Device network access method and device, electronic device and storage medium
Yan et al. [Retracted] Power IoT System Architecture Integrating Trusted Computing and Blockchain
Srivastava et al. Blockchain-Based Cybersecurity Solutions for Industry 4.0 Applications
Du et al. A blockchain authentication scheme for UAV-aided fog computing

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant