CN116962076A - Zero trust system of internet of things based on block chain - Google Patents


Info

Publication number: CN116962076A
Authority: CN (China)
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202311141431.5A
Other languages: Chinese (zh)
Inventors: 邱日轩, 井思桐, 肖子洋, 李元诚, 党芳芳, 杨浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): State Grid Henan Electric Power Co Information And Communication Branch; State Grid Corp of China SGCC; North China Electric Power University; Information and Telecommunication Branch of State Grid Jiangxi Electric Power Co Ltd
Original Assignee: State Grid Henan Electric Power Co Information And Communication Branch; State Grid Corp of China SGCC; North China Electric Power University; Information and Telecommunication Branch of State Grid Jiangxi Electric Power Co Ltd
Application filed by State Grid Henan Electric Power Co Information And Communication Branch, State Grid Corp of China SGCC, North China Electric Power University, Information and Telecommunication Branch of State Grid Jiangxi Electric Power Co Ltd
Priority to CN202311141431.5A
Publication of CN116962076A


Abstract

The application discloses a blockchain-based zero trust system for the Internet of Things, in the technical field of network security management. An analysis module comprehensively analyzes user verification data and device data on the basis of a security model and judges whether a user's login to the system carries a security risk. When the login is judged to carry no security risk, an information verification module verifies and authorizes the access rights of all devices and users; after the user passes verification, a monitoring module monitors user behavior data and device data in real time and logs abnormal users out of the system on the basis of an abnormality screening mechanism. Because both the user and the device the user logs in with are analyzed at login time, the analysis is more comprehensive and the security of the system is improved; because user behavior is monitored in real time while the system is in use and abnormal users are forced to log out, the safe use of the system is ensured.

Description

Zero trust system of internet of things based on block chain
Technical Field
The application relates to the technical field of network security management, and in particular to a blockchain-based zero trust system for the Internet of Things.
Background
The Internet of Things refers to the various devices, sensors and objects that are connected and interact through the Internet so that they can collect, exchange and share data, enabling intelligent operation, automation, real-time monitoring and similar functions. As Internet of Things technology continues to develop, more and more devices and systems are connected to the Internet, which brings great opportunities and challenges to many industries.
Traditional network security models are usually based on boundary defense: firewalls and other security measures are deployed at the network boundary to protect the network from external attacks. As the number and complexity of Internet of Things devices grow, however, the traditional boundary defense model becomes increasingly inadequate against increasingly complex security threats, and Internet of Things devices often have limited computing power and storage resources, which makes traditional security measures difficult to apply to them directly.
The zero trust security model is a newer security concept for modern network environments. Its core idea is to trust no device or user, whether or not it is located inside the network: all devices, users and applications are treated as potential threats, must be authenticated and authorized, and may then access resources only according to their rights. The model emphasizes policy- and context-based access control to reduce the risk of an attacker penetrating the network through a compromised device or user account.
In a financial transaction system, a zero trust system is generally deployed to secure financial transactions. The existing zero trust system only performs identity verification on the user or device that logs in, and once the user or device passes identity verification the user can use the transaction system. This verification mode has the following defects:
1. When a user logs in to the transaction system, if only the user's identity is verified, the user may be allowed to log in while the secure operation of the transaction system is still at risk because of an abnormality of the device (such as a virus attack);
2. After the user passes verification, the zero trust system does not monitor the user's behavior while the user uses the transaction system, so the safe use of the transaction system cannot be ensured.
Disclosure of Invention
The application aims to provide a blockchain-based zero trust system for the Internet of Things that overcomes the defects described in the background.
To achieve this object, the application provides the following technical solution. The blockchain-based zero trust system for the Internet of Things comprises an identification module, an intelligent contract module, a data acquisition module, an analysis module, an information verification module, a monitoring module, an alarm module, a data encryption module, an event audit module and a blockchain module:
the identification module: registers and identifies Internet of Things devices and assigns each device a unique identifier;
the intelligent contract module: defines the access control policy;
the data acquisition module: when a user logs in to the system, acquires the user verification data and the device data of the login;
the analysis module: comprehensively analyzes the user verification data and the device data on the basis of a security model and judges whether the user's login carries a security risk;
the information verification module: when the login is judged to carry no security risk, verifies and authorizes the access rights of all devices and users;
the monitoring module: after the user passes verification, monitors user operation data in real time and logs abnormal users out of the system;
the alarm module: sends a first alarm signal when the user's login is judged to carry a security risk, and a second alarm signal when an abnormal user is logged out of the system;
the data encryption module: encrypts data transmitted between Internet of Things devices;
the event audit module: records the activity logs of all devices and users;
the blockchain module: stores the data information and activity logs of devices and users in a distributed manner.
In a preferred embodiment, the user verification data comprises a portrait dynamic matching similarity and a password verification index, and the device data comprises a network bandwidth floating coefficient and a vulnerability CVSS index.
In a preferred embodiment, the security model is established by the following steps:
the portrait dynamic matching similarity, the password verification index, the network bandwidth floating coefficient and the vulnerability CVSS index are combined by a computational expression to obtain a security coefficient; in the expression, each of the four inputs (the portrait dynamic matching similarity, the password verification index, the network bandwidth floating coefficient and the vulnerability CVSS index) is weighted by its own proportional coefficient, and all four proportional coefficients are greater than 0;
after the security coefficient value is obtained, it is compared with a security threshold value, which completes the establishment of the security model.
In a preferred embodiment, the analysis module comprehensively analyzes the portrait dynamic matching similarity, the password verification index, the network bandwidth floating coefficient and the vulnerability CVSS index on the basis of the security model by the following steps:
the portrait dynamic matching similarity, the password verification index, the network bandwidth floating coefficient and the vulnerability CVSS index are substituted into the security coefficient calculation formula to obtain the security coefficient value;
if the security coefficient value is greater than or equal to the security threshold value, it is judged that the user's login carries a security risk;
if the security coefficient value is less than the security threshold value, it is judged that the user's login carries a security risk.
In a preferred embodiment, the portrait dynamic matching similarity is calculated from the current verification portrait feature vector and the initial portrait feature vector; the expression uses the dot product of the current verification portrait feature vector and the initial portrait feature vector, together with the norm of the current verification portrait feature vector and the norm of the initial portrait feature vector.
In a preferred embodiment, the norm of the current verification portrait feature vector and the norm of the initial portrait feature vector are each calculated from the components of the respective feature vector.
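The security model of the two passages above (the security coefficient built from the four inputs and compared with a threshold, and the portrait similarity built from the dot product and the two norms), as an added example that is not the patent's own code. The page does not give the combining expression, so a weighted sum with the four positive proportional coefficients is assumed; the similarity is taken as the dot product divided by the product of the norms; and, because the translated text labels both threshold branches "risk exists", the direction in which a coefficient at or above the threshold admits the login is an assumption as well.

```python
# Added example, not the patent's code.  ASSUMED: weighted-sum combining rule,
# cosine-style similarity (dot product over product of norms), and the direction
# of the threshold comparison.  Inputs and coefficient names follow the page.
from dataclasses import dataclass
import math


def vector_norm(v):
    """Euclidean norm of a portrait feature vector, from its components."""
    return math.sqrt(sum(x * x for x in v))


def portrait_similarity(current, initial):
    """Portrait dynamic matching similarity:
    <current, initial> / (||current|| * ||initial||)."""
    if len(current) != len(initial):
        raise ValueError("feature vectors must have the same dimension")
    denominator = vector_norm(current) * vector_norm(initial)
    if denominator == 0.0:
        raise ValueError("a zero feature vector has no direction to compare")
    dot = sum(a * b for a, b in zip(current, initial))
    # Clamp rounding noise so the result stays within [-1, 1].
    return max(-1.0, min(1.0, dot / denominator))


@dataclass(frozen=True)
class ProportionalCoefficients:
    """The four proportional coefficients; the page requires each to be > 0."""
    portrait: float
    password: float
    bandwidth: float
    cvss: float

    def __post_init__(self):
        for name, value in vars(self).items():
            if value <= 0:
                raise ValueError(f"coefficient {name!r} must be greater than 0")


def security_coefficient(similarity, password_index, bandwidth_coefficient,
                         cvss_index, k):
    """ASSUMED combining rule: weighted sum of the four inputs."""
    return (k.portrait * similarity
            + k.password * password_index
            + k.bandwidth * bandwidth_coefficient
            + k.cvss * cvss_index)


def login_has_security_risk(coefficient, threshold):
    """Threshold comparison that completes the model.  ASSUMPTION: a coefficient
    at or above the security threshold admits the login (no risk)."""
    return coefficient < threshold


def evaluate_login(current_vector, initial_vector, password_index,
                   bandwidth_coefficient, cvss_index, k, threshold):
    """Analysis-module path: similarity, then combine, then compare.
    Returns (security coefficient, risk flag)."""
    similarity = portrait_similarity(current_vector, initial_vector)
    coefficient = security_coefficient(similarity, password_index,
                                       bandwidth_coefficient, cvss_index, k)
    return coefficient, login_has_security_risk(coefficient, threshold)


if __name__ == "__main__":
    # Constructed sample values, not measurements from the patent.
    k = ProportionalCoefficients(portrait=0.4, password=0.3, bandwidth=0.2, cvss=0.1)
    coefficient, risky = evaluate_login([0.9, 0.1, 0.4], [0.8, 0.2, 0.5],
                                        0.9, 0.8, 0.5, k, threshold=0.6)
    print(f"security coefficient={coefficient:.3f} risk={risky}")
```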
In a preferred embodiment, the password verification index is calculated from the number of password input errors, the maximum verification duration (taken as 10 min), the i-th password verification parameter, the total duration of password input, the duration of the password input interval and the duration of password character deletion.
In a preferred embodiment, the network bandwidth floating coefficient is calculated from the real-time network bandwidth of the user's computer, the time period of the security software early warning and the time period of the network load early warning.
In a preferred embodiment, the vulnerability CVSS index is calculated from the degree to which the vulnerability affects the availability of the attacked system and the required level of system availability.
The technical effects and advantages of the application's technical solution are:
1. When a user logs in to the system, the data acquisition module obtains the user verification data and the device data of the login; the analysis module comprehensively analyzes these data on the basis of the security model and judges whether the login carries a security risk; when the login carries no security risk, the information verification module verifies and authorizes the access rights of all devices and users; after the user passes verification, the monitoring module monitors user behavior data and device data in real time and logs abnormal users out of the system on the basis of the abnormality screening mechanism; when the login is judged to carry a security risk, the alarm module sends a first alarm signal, and when an abnormal user is logged out of the system it sends a second alarm signal. Because the zero trust system analyzes both the user and the device used by the user at login time, the analysis is more comprehensive and the security of the system is improved; because user behavior is monitored in real time and abnormal users are forced to log out, the safe use of the system is ensured;
2. The application obtains the security coefficient by combining the portrait dynamic matching similarity, the password verification index, the network bandwidth floating coefficient and the vulnerability CVSS index; after the security coefficient value is obtained, it is compared with the security threshold value, which completes the establishment of the security model. The security model can comprehensively analyze whether a user's login carries a security risk, so the analysis is more accurate, the security of the transaction system is further improved, and data processing efficiency is effectively improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings required for the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments described in the present application, and other drawings may be obtained according to these drawings for a person having ordinary skill in the art.
FIG. 1 is a block diagram of a system according to the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Example 1: Referring to FIG. 1, the blockchain-based Internet of Things zero trust system of this embodiment comprises an identification module, an intelligent contract module, a data acquisition module, an analysis module, an information verification module, a monitoring module, an alarm module, a data encryption module, an event audit module and a blockchain module.
A. The identification module: this module registers and identifies all Internet of Things devices; each device has a unique identifier, which is recorded on the blockchain so that the state and activity of the device can be tracked and verified, and the identification result is sent to the intelligent contract module:
a. Device registration: when a new Internet of Things device is introduced into the system, a unique identifier must be generated for it; this may be a hash value, a UUID (universally unique identifier) or another value that guarantees uniqueness;
b. Identification information record: the generated unique identifier and the metadata associated with the device (for example device type, manufacturer and owner) are recorded on the blockchain; the identification information of each device is packaged into a transaction or block, which makes it tamper-proof;
c. Uniqueness verification: when the identifier is generated, it must be ensured that it is unique across the whole system, which can be achieved by random generation, a hash algorithm, a UUID or similar means;
d. Blockchain recording: the identification information of each device is recorded in different blocks using blockchain technology, and the blocks form a tamper-proof chain structure that ensures the security and reliability of the identification information;
e. Updating device information: if the metadata of a device changes (for example a change of owner or location), the related information is updated on the blockchain so that the device information stays current;
f. Identification tracing and verification: during system operation, the status and activity of a device can be tracked using the identification module, and the identity and history of the device can be verified by querying the records on the blockchain.
B. The intelligent contract module: the intelligent contract defines the access control policy, that is, which devices or users may access which specific resources; the module verifies each request against the policy to decide whether to allow access, the logic of the intelligent contract ensures that only legitimate users obtain authorization, and the control policy is sent to the information verification module:
a. Determining the access control policy: first, according to the requirements of the system and its security policy, it is defined which devices, users or roles may access a particular resource; the conditions may involve user identity, device type, location and so on;
b. Designing the intelligent contract: on the basis of the access control policy, an intelligent contract is designed and the logic of the policy is written into the contract as code; the intelligent contract is usually written in a dedicated programming language, such as Solidity (for Ethereum);
c. Deploying the intelligent contract: the completed intelligent contract is deployed to the blockchain network to ensure its security and credibility; this step usually consumes some tokens on the blockchain;
d. Request verification: when a user or device requests access to a resource, the intelligent contract module is triggered and the request data is used as input to the contract;
e. Executing the access control logic: the smart contract executes the defined access control logic to check whether the conditions of the request match the policy, for example by checking the user identity and device type;
f. Determining the access result: on the basis of the executed logic, the smart contract decides whether to allow the requested access; if the request complies with the policy it is authorized, otherwise it may be denied.
C. The data acquisition module: when a user logs in to the system, obtains the user verification data and the device data of the login and sends them to the analysis module.
D. The analysis module: comprehensively analyzes the user verification data and the device data on the basis of the security model, judges whether the user's login carries a security risk, and sends the judgment result to the information verification module and the alarm module.
E. The information verification module: when the login is judged to carry no security risk, this module verifies and authorizes the access rights of all devices and users; devices and users must present identity credentials such as digital certificates or encryption keys to obtain access rights, and the monitoring module and the data encryption module are activated after verification passes:
a. Providing identity credentials: before attempting to access a system resource, a user or device must provide identity credentials such as a digital certificate, an encryption key or other authentication information;
b. Identity authentication: the verification module checks the provided identity credentials to ensure their validity and legitimacy, which may include verifying digital signatures, decrypting information and similar operations;
c. Identity authorization: if authentication succeeds, the verification module checks the access rights of the user or device, which may involve authorization policies based on user roles, device types and so on;
d. Access request analysis: the verification module analyzes the nature of the access request and determines the type and level of the resources the user or device is trying to access;
e. Resource authorization: on the basis of the access request and the authorization policy, the verification module decides whether to authorize the request; if authorized, the request is approved;
f. Encrypted communication: during authentication and authorization, encrypted communication may be used to protect the transmission and processing of sensitive data.
F. The monitoring module: after the user passes verification, monitors user operation data in real time, logs abnormal users out of the system and sends an alarm signal to the alarm module:
a. Data collection: the monitoring module collects user operation data from different data sources, which may include records of logins, accesses, data modifications and other activities;
b. Behavior analysis: the collected user operation data is analyzed to identify normal and abnormal patterns of operation, which may use techniques such as machine learning and behavior analysis;
c. Anomaly detection: the monitoring module detects abnormal operations such as unusual logins, unauthorized resource access and frequent sensitive operations;
d. Alarm generation: once an abnormal operation is found, the monitoring module generates an alarm or notification to the security team or administrator;
e. Risk assessment: the monitoring module may assess the risk of the abnormal operation to determine its threat level;
f. Automatic response: in some cases the monitoring module may take responsive measures automatically, such as temporarily locking the user account or disconnecting the device;
g. Forced logout: if a serious abnormal operation is detected, the monitoring module may force the user to log out to prevent further risk.
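The monitoring module's steps a to g run over constructed operation records, as an added example that is not the patent's own code. The record format, the concrete rules behind the three anomaly classes of step c, the thresholds, the threat levels and the per-user registration data are all assumptions of this example; the "second alarm signal" it emits on forced logout is the one the alarm module of this system expects.

```python
# Added example, not the patent's code.  ASSUMED: record format, anomaly rules,
# thresholds, threat levels and the registration/policy data below.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed registration data: per-user device identifiers (identification
# module) and per-user permitted resources (access control policy).
USER_DEVICES = {"alice": {"dev-01"}, "carol": {"dev-02"}}
USER_RESOURCES = {"alice": {"/accounts", "/ledger"}, "carol": {"/reports"}}

SENSITIVE_ACTIONS = {"transfer", "export", "change_password"}  # assumed
SENSITIVE_LIMIT = 3            # assumed: more than 3 within WINDOW is "frequent"
WINDOW = timedelta(minutes=5)
LOGIN_HOURS = range(7, 20)     # assumed: logins outside 07:00-19:59 are unusual
SERIOUS_LEVEL = 3              # threat level at which the user is logged out

# Constructed sample records (ISO timestamp,user,device,action,resource),
# in time order.  A login record carries an empty resource field.
SAMPLE_RECORDS = """\
2024-03-01T09:00:00,alice,dev-01,login,
2024-03-01T09:01:00,alice,dev-01,read,/accounts
2024-03-01T09:02:00,alice,dev-01,transfer,/ledger
2024-03-01T09:02:30,alice,dev-01,transfer,/ledger
2024-03-01T09:03:00,alice,dev-01,transfer,/ledger
2024-03-01T09:03:20,alice,dev-01,transfer,/ledger
2024-03-01T22:00:00,carol,dev-02,login,
2024-03-01T22:01:00,carol,dev-02,read,/reports
2024-03-01T23:10:00,bob,dev-09,login,
2024-03-01T23:11:00,bob,dev-09,read,/admin
"""


def parse_records(text):
    """Step a, data collection: parse the records into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, action, resource = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "device": device, "action": action, "resource": resource})
    return records


def screen(records):
    """Steps b, c and e: detect anomalies and assign each a threat level.
    Returns a list of (timestamp, user, anomaly, level) in record order."""
    findings = []
    recent_sensitive = defaultdict(list)  # user -> timestamps of recent sensitive ops
    for r in records:
        user, ts = r["user"], r["ts"]
        if r["action"] == "login":
            known_device = r["device"] in USER_DEVICES.get(user, set())
            if not known_device or ts.hour not in LOGIN_HOURS:
                findings.append((ts, user, "unusual login", 2))
        if r["resource"] and r["resource"] not in USER_RESOURCES.get(user, set()):
            findings.append((ts, user, "unauthorized resource access", 3))
        if r["action"] in SENSITIVE_ACTIONS:
            recent = [t for t in recent_sensitive[user] if ts - t <= WINDOW] + [ts]
            recent_sensitive[user] = recent
            if len(recent) > SENSITIVE_LIMIT:
                findings.append((ts, user, "frequent sensitive operation", 3))
    return findings


def respond(findings):
    """Steps d, f and g: one alarm per finding; on the first serious finding the
    user is forced out and the second alarm signal is raised for the alarm module.
    Returns user -> {"alarms": [...], "forced_logout": bool}."""
    outcome = defaultdict(lambda: {"alarms": [], "forced_logout": False})
    for ts, user, anomaly, level in findings:
        state = outcome[user]
        state["alarms"].append(f"{ts.isoformat()} {anomaly} (level {level})")
        if level >= SERIOUS_LEVEL and not state["forced_logout"]:
            state["forced_logout"] = True
            state["alarms"].append("second alarm signal: user forced to log out")
    return dict(outcome)


def monitor(text):
    """Whole monitoring path over one batch of records."""
    return respond(screen(parse_records(text)))


if __name__ == "__main__":
    for user, state in monitor(SAMPLE_RECORDS).items():
        print(user, "logged out" if state["forced_logout"] else "still active")
        for alarm in state["alarms"]:
            print("  ", alarm)
```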
G. The alarm module: sends a first alarm signal when the user's login is judged to carry a security risk and a second alarm signal when an abnormal user is logged out of the system, so that possible security threats and attacks are discovered early; on receiving the first or second alarm signal the administrator can take the corresponding action, including early maintenance of the system.
H. The data encryption module: data transmitted between Internet of Things devices must be encrypted to ensure its confidentiality; this module provides end-to-end encryption and decryption so that only authorized users can decrypt and view the data, and sends the data information to the blockchain module:
a. Data classification: data is classified by sensitivity and security level; different levels of data may require different encryption strategies;
b. Data encryption: data is encrypted with an encryption algorithm before transmission; the algorithm may be symmetric or asymmetric, depending on the security requirements;
c. Key management: encryption requires keys, so the data encryption module must manage and protect them; the keys may be symmetric or asymmetric;
d. Data transmission: the encrypted data is transmitted over a secure channel so that it cannot easily be stolen or tampered with in transit;
e. Data decryption: at the receiving side, the data encryption module uses the corresponding key to decrypt the data and restore the original;
f. Access control: after the data is decrypted, an access control module may be required to verify the user's access rights so that only authorized users can view the decrypted data;
g. Encryption algorithm selection: appropriate encryption algorithms and parameters are chosen to ensure adequate security and performance.
I. The event audit module: records the activity logs of all devices and users, including access requests, authentication attempts and data exchanges; the activity logs are sent to the blockchain module to provide transparency and traceability and to support auditing and investigation:
a. Generating event logs: the collected activity data is organized into event logs; each event log records a specific activity, including its timestamp, the device or user identifier, the activity type and similar information;
b. Log storage: event logs must be stored on a secure storage medium to ensure their integrity and confidentiality;
c. Sending data to the blockchain: to provide transparency and traceability, the event audit module may send event logs to the blockchain module, whose records ensure that the logs cannot easily be tampered with;
d. Privacy protection: when recording event logs, sensitive information must be protected, and certain sensitive data may be desensitized to protect user privacy;
e. Audit and investigation: when a security incident, violation or other problem occurs, the records of the event audit module can be used for audits and investigations to establish the cause and course of the event.
J. The blockchain module: stores the data information and activity logs of devices and users in a distributed manner, which improves the security of the data, and can also support data synchronization and verification across devices to ensure the authenticity of the data:
a. Blockchain selection: a blockchain technology suited to the Internet of Things scenario is selected, such as a public blockchain (for example Ethereum) or a private/consortium blockchain (for example Hyperledger Fabric);
b. Blockchain deployment: the blockchain network is deployed, including building the nodes and initializing and configuring the chain;
c. Data storage: the data information and activity logs of devices and users are converted into a suitable data structure and then stored in blocks on the blockchain;
d. Data encryption: before data is written to the blockchain it may be encrypted to protect its confidentiality;
e. Distributed storage: the blockchain module uses distributed storage, spreading the data across multiple nodes in the network;
f. Data synchronization and verification: the nodes of the blockchain network synchronize data with one another to ensure its consistency and integrity, and verify the correctness of the data through the consensus mechanism;
g. Data immutability: the tamper-resistant nature of the blockchain ensures that data stored on it cannot easily be modified, which improves the security of the data.
According to the application, when a user logs in to the system, the data acquisition module obtains the user verification data and the device data of the login; the analysis module comprehensively analyzes these data on the basis of the security model and judges whether the login carries a security risk. When the login carries no security risk, the information verification module verifies and authorizes the access rights of all devices and users; after the user passes verification, the monitoring module monitors user behavior data and device data in real time and, on the basis of the anomaly screening mechanism, logs abnormal users out of the system. When the login is judged to carry a security risk, the alarm module sends out a first alarm signal, and when an abnormal user is logged out of the system, the alarm module sends out a second alarm signal.
Example 2: when a user logs in to the system, the data acquisition module acquires the user verification data and the device data of the login and sends them to the analysis module;
wherein:
the user verification data comprise a portrait dynamic matching similarity and a password verification index, and the device data comprise a network bandwidth floating coefficient and a vulnerability CVSS index.
The analysis module comprehensively analyzes the user verification data and the device data on the basis of the security model, judges whether the login carries a security risk, and sends the judgment result to the information verification module and the alarm module.
The establishment of the security model comprises the following steps:
comprehensively calculating the portrait dynamic matching similarity, the password verification index, the network bandwidth floating coefficient and the vulnerability CVSS index to obtain a security coefficient; the computational expression is:
where the four inputs are the portrait dynamic matching similarity, the password verification index, the network bandwidth floating coefficient and the vulnerability CVSS index, each entering the expression with its own proportional coefficient, and all four proportional coefficients are greater than 0;
after the security coefficient value is obtained, it is compared with a security threshold, which completes the establishment of the security model.
When a user logs in to the system, the data acquisition module acquires the portrait dynamic matching similarity, the password verification index, the network bandwidth floating coefficient and the vulnerability CVSS index and sends them to the analysis module;
the analysis module comprehensively analyzes the portrait dynamic matching similarity, the password verification index, the network bandwidth floating coefficient and the vulnerability CVSS index on the basis of the security model, in the following steps:
substituting the portrait dynamic matching similarity, the password verification index, the network bandwidth floating coefficient and the vulnerability CVSS index into the security coefficient calculation formula to obtain the security coefficient value;
if the security coefficient value is greater than or equal to the security threshold, the user's login to the system is judged to carry a security risk;
if the security coefficient value is less than the security threshold, the user's login to the system is judged to carry a security risk.
The application obtains the security coefficient by comprehensively calculating the portrait dynamic matching similarity, the password verification index, the network bandwidth floating coefficient and the vulnerability CVSS index; after the security coefficient value is obtained, it is compared with the security threshold, which completes the establishment of the security model. The security model can comprehensively analyze whether a security risk exists when a user logs in to the system, the analysis is more accurate, the security of the transaction system is further improved, and the data processing efficiency is effectively improved.
Specifically:
the calculation expression of the portrait dynamic matching similarity is as follows:
where the quantities entering the expression are the current verification portrait feature vector, the initial portrait feature vector (that is, the portrait feature vector recorded when the user first logged in to the system, used to verify later logins), the dot product of the current verification portrait feature vector and the initial portrait feature vector, and the norms of the current verification portrait feature vector and of the initial portrait feature vector respectively; the greater the portrait dynamic matching similarity, the closer the two vectors are in feature space and the more similar their features, which can be interpreted as a higher security of the user's login, since the verification portrait is closer to the known normal user;
the calculation expression of the current verification portrait feature vector norm and of the initial portrait feature vector norm is:
where the quantities entering the expression are the components of the current verification portrait feature vector and the components of the initial portrait feature vector respectively;
the acquisition of the current verification portrait characteristic vector and the initial portrait characteristic vector comprises the following steps:
1) Preprocessing the verification portrait images so that they are suitable as input to a face recognition model; the preprocessing may include scaling, cropping, grayscale conversion, alignment and the like;
2) Selecting an applicable deep learning face recognition model, such as FaceNet, OpenFace or DeepFace, which maps a portrait image into a high-dimensional feature vector space;
3) Feeding the preprocessed verification portrait image into the selected face recognition model to obtain an embedding vector, that is, the feature vector; in general the output of the model can be used directly as the feature vector;
4) Normalizing the feature vector so that its norm is 1, which is achieved by dividing by the L2 norm of the feature vector.
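The norm, the unit-norm normalization of step 4 and the similarity described above, as an added example that is not the patent's own code. It computes the L2 norm from the vector components, normalizes, and returns the dot product divided by the product of the norms; the feature vectors are constructed by hand, and the acceptance threshold in `verify_portrait` is an assumption of this example, since the patent compares the combined security coefficient rather than the similarity alone.

```python
"""Portrait dynamic matching similarity between two face feature vectors.

Added example, not the patent's own code.  It implements what the text
describes: the norm of each feature vector from its components, the
normalization of step 4 (divide by the L2 norm so the norm becomes 1),
and the similarity as dot product divided by the product of the norms.
The vectors below are constructed; a real deployment would obtain them
from a face-recognition model such as FaceNet or DeepFace.
"""
import math


def l2_norm(vec):
    """L2 norm: square root of the sum of the squared components."""
    return math.sqrt(sum(x * x for x in vec))


def normalize(vec):
    """Step 4 of the text: scale the feature vector to unit norm.

    A zero vector has no direction, so it is rejected rather than
    silently producing NaN; an embedding model should never emit one.
    """
    norm = l2_norm(vec)
    if norm == 0.0:
        raise ValueError("feature vector has zero norm; embedding is invalid")
    return [x / norm for x in vec]


def portrait_similarity(current, initial):
    """Dot product of the two vectors divided by the product of their norms.

    Works on raw (un-normalized) vectors; the result lies in [-1, 1] and
    equals the plain dot product once both vectors are unit-norm.
    """
    if len(current) != len(initial):
        raise ValueError("feature vectors must come from the same model")
    denominator = l2_norm(current) * l2_norm(initial)
    if denominator == 0.0:
        raise ValueError("cannot compare a zero-norm feature vector")
    dot = sum(a * b for a, b in zip(current, initial))
    return dot / denominator


def verify_portrait(current, initial, threshold):
    """Return (similarity, accepted) against an enrolled initial vector.

    The threshold is an assumption of this example: the patent compares
    the combined security coefficient, not the similarity alone.
    """
    similarity = portrait_similarity(normalize(current), normalize(initial))
    return similarity, similarity >= threshold


# Constructed sample: an enrolled vector, a re-capture of the same user
# at a different scale (identical direction) and an unrelated vector.
ENROLLED = [1.0, 2.0, 2.0, 0.0]      # norm 3
SAME_USER = [2.0, 4.0, 4.0, 0.0]     # same direction, norm 6
OTHER_USER = [2.0, 1.0, 2.0, 0.0]    # norm 3, dot with ENROLLED = 8

if __name__ == "__main__":
    for label, vec in (("same user", SAME_USER), ("other user", OTHER_USER)):
        sim, ok = verify_portrait(vec, ENROLLED, threshold=0.95)
        print(f"{label}: similarity={sim:.4f} accepted={ok}")
```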
The calculation expression of the password verification index is as follows:
where the quantities entering the expression are the number of password input errors, the maximum verification duration (taken as 10 min), the i-th password verification parameter, the total password input duration, the password input interval duration and the password character deletion duration. The total password input duration is the time the user takes to enter the complete password. The password input interval duration is the longest pause in the middle of entering the password (a user may pause several times while entering the password; the longest pause is taken as the interval duration). The password character deletion duration is the total time the user spends deleting characters while entering the password: the deletion time of each deleted character is summed over the number of deleted characters. For example, if a user deletes four characters in total while entering the password and the deletion times are 1 s, 2 s, 1 s and 1.5 s, the password character deletion duration is 5.5 s;
The larger the password verification index, the more likely it is that the user's behavior when logging in to the transaction system is abnormal.
The calculation expression of the network bandwidth floating coefficient is as follows:
where the quantities entering the expression are the real-time network bandwidth of the user's computer, the time period of security-software early warning and the time period of network-load early warning. The security-software early-warning period is the period during which the security software detects that the computer is under network attack; the network-load early-warning period is the period during which the network load exceeds the load threshold, at which point bandwidth congestion may occur and normal transactions are affected.
The calculation expression of the vulnerability CVSS index is:
where the quantities entering the expression are the degree of influence of the vulnerability on the availability of the attacked system and the required level of system availability. The greater the vulnerability CVSS index, the more severely the vulnerability affects the attacked system, which for the transaction system may lead to:
confidentiality impact: a vulnerability may lead to the disclosure of sensitive information, such as the user's personal identity information, login credentials or bank account information being obtained by an attacker, which may result in personal privacy disclosure, identity theft and similar problems;
integrity impact: a vulnerability may allow data to be tampered with or the system to be damaged, for example an attacker modifying data in a database, tampering with website content or manipulating system configuration files, which may result in inconsistent data, system malfunction, service interruption and similar problems;
the degree of influence of the vulnerability on the availability of the attacked system is obtained as follows:
knowledge of the extent of impact of a vulnerability on system availability is provided by information sources such as vulnerability reports, security threat intelligence, etc., which typically provide detailed descriptions of the vulnerability, including its extent of impact value on system availability.
The required degree of system availability is obtained as follows:
the required level value of the availability of the system is obtained by referring to documents such as security policies, operation and maintenance manuals, service Level Agreements (SLAs) and the like related to the system.
The above formulas are dimensionless forms in which the quantities are entered as numerical values; they were obtained by collecting a large amount of data for software simulation so as to reflect the latest real situation, and the preset parameters in the formulas are set by those skilled in the art according to the actual situation.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any other combination. When implemented in software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer instructions or computer programs. When the computer instructions or computer program are loaded or executed on a computer, the processes or functions described in accordance with embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer instructions may be transmitted from one website site, computer, server, or data center to another website site, computer, server, or data center by wired or wireless means (e.g., infrared, wireless, microwave, etc.). The computer readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that contains one or more sets of available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. The semiconductor medium may be a solid state disk.
It should be understood that the term "and/or" merely describes an association relationship between the associated objects and means that three relationships may exist; for example, "A and/or B" may mean A alone, A and B together, or B alone, where A and B may be singular or plural. In addition, the character "/" herein generally indicates that the associated objects are in an "or" relationship, but may also indicate an "and/or" relationship, which can be understood from the context.
In the present application, "at least one" means one or more, and "a plurality" means two or more. "at least one of" or the like means any combination of these items, including any combination of single item(s) or plural items(s). For example, at least one (one) of a, b, or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, wherein a, b, c may be single or plural.
It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided by the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random-access memory (RAM), a magnetic disk or an optical disk.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (9)

1. A blockchain-based Internet of Things zero trust system, characterized in that the system comprises an identification module, a smart contract module, a data acquisition module, an analysis module, an information verification module, a monitoring module, an alarm module, a data encryption module, an event audit module and a blockchain module;
the identification module: registers and identifies the Internet of Things devices and sets a unique identifier for each Internet of Things device;
the smart contract module: defines the access control policy;
the data acquisition module: when a user logs in to the system, acquires the user verification data and the device data of the login;
the analysis module: comprehensively analyzes the user verification data and the device data on the basis of a security model and judges whether the user's login to the system carries a security risk;
the information verification module: when the user's login is judged to carry no security risk, verifies and authorizes the access rights of all devices and users;
the monitoring module: after the user passes verification, monitors user operation data in real time and logs abnormal users out of the system;
the alarm module: sends out a first alarm signal when the user's login is judged to carry a security risk, and sends out a second alarm signal when an abnormal user is logged out of the system;
the data encryption module: encrypts data transmitted between Internet of Things devices;
the event audit module: records the activity logs of all devices and users;
the blockchain module: provides distributed storage of the data information and activity logs of devices or users.
2. The blockchain-based internet of things zero trust system of claim 1, wherein: the user verification data comprises a portrait dynamic matching similarity and a password verification index, and the equipment data comprises a network bandwidth floating coefficient and a vulnerability CVSS index.
3. The blockchain-based internet of things zero trust system of claim 2, wherein: the establishment of the security model comprises the following steps:
comprehensively calculating the portrait dynamic matching similarity, the password verification index, the network bandwidth floating coefficient and the vulnerability CVSS index to obtain a security coefficient; the computational expression is:
where the four inputs are the portrait dynamic matching similarity, the password verification index, the network bandwidth floating coefficient and the vulnerability CVSS index, each entering the expression with its own proportional coefficient, and all four proportional coefficients are greater than 0;
after the security coefficient value is obtained, it is compared with a security threshold, which completes the establishment of the security model.
4. The blockchain-based internet of things zero trust system of claim 3, wherein: the analysis module comprehensively analyzes the portrait dynamic matching similarity, the password verification index, the network bandwidth floating coefficient and the vulnerability CVSS index on the basis of the security model in the following steps:
substituting the portrait dynamic matching similarity, the password verification index, the network bandwidth floating coefficient and the vulnerability CVSS index into the security coefficient calculation formula to obtain the security coefficient value;
if the security coefficient value is greater than or equal to the security threshold, the user's login to the system is judged to carry a security risk;
if the security coefficient value is less than the security threshold, the user's login to the system is judged to carry a security risk.
5. The blockchain-based internet of things zero trust system of claim 4, wherein: the calculation expression of the dynamic matching similarity of the portrait is as follows:
where the quantities entering the expression are the current verification portrait feature vector, the initial portrait feature vector, the dot product of the current verification portrait feature vector and the initial portrait feature vector, and the norms of the current verification portrait feature vector and of the initial portrait feature vector respectively.
6. The blockchain-based internet of things zero trust system of claim 5, wherein: the calculation expression of the current verification portrait characteristic vector norm and the initial portrait characteristic vector norm is as follows:
where the quantities entering the expression are the components of the current verification portrait feature vector and the components of the initial portrait feature vector respectively.
7. The blockchain-based internet of things zero trust system of claim 6, wherein: the calculation expression of the password verification index is as follows:
where the quantities entering the expression are the number of password input errors, the maximum verification duration (taken as 10 min), the i-th password verification parameter, the total password input duration, the password input interval duration and the password character deletion duration.
8. The blockchain-based internet of things zero trust system of claim 7, wherein: the calculation expression of the network bandwidth floating coefficient is as follows:
where the quantities entering the expression are the real-time network bandwidth of the user's computer, the time period of security-software early warning and the time period of network-load early warning.
9. The blockchain-based internet of things zero trust system of claim 8, wherein: the calculation expression of the vulnerability CVSS index is as follows:
where the quantities entering the expression are the degree of influence of the vulnerability on the availability of the attacked system and the required level of system availability.
CN202311141431.5A 2023-09-06 2023-09-06 Zero trust system of internet of things based on block chain Pending CN116962076A (en)

Publications (1)

Publication Number Publication Date
CN116962076A true CN116962076A (en) 2023-10-27

Family

ID=88462233


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117240614A (en) * 2023-11-13 2023-12-15 中通服网盈科技有限公司 Network information safety monitoring and early warning system based on Internet
CN117440019A (en) * 2023-12-15 2024-01-23 四川开物信息技术有限公司 Laboratory Internet of things method and system based on blockchain



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination