Abstract
To maximize the security of IoT data sharing at distribution terminals, this paper proposes a data-sharing access control method for distribution-terminal IoT based on a zero trust architecture and the principle of least privilege. A zero-trust IoT data-sharing access control framework is constructed. An identity authentication module verifies user identity and access control permissions, and an IDS module identifies obvious network attack behaviour once a user has joined the network. Within the user behaviour measurement module, a behaviour trust measurement agent computes the user's trust degree from the historical behaviour measurement data stored in the trust measurement database and periodically evaluates the user's behaviour trust level, so that long-dormant and highly covert attack behaviour can be identified. A behaviour-trust-based access decision agent then performs user-role assignment according to the user's trust level and the principle of least privilege, and formulates and enforces the access decisions. The IoT controller dynamically adjusts a user's resource access permissions according to the trust measurement results, realising the adjustment of the user's access rights to distribution-terminal IoT resources by issuing flow tables. Experimental results show that the method controls shared access to IoT data accurately and has more comprehensive overall performance: users hold the fewest redundant permissions while still completing their access tasks, so user access requirements are met and network data security is preserved.
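The abstract describes a pipeline of trust measurement, trust-level-bounded least-privilege role assignment, and controller-issued flow rules. The following simulation is an added example, not the paper's code: the recency-weighted trust formula, the level thresholds, the role names, the permission sets, the record schema and the flow-rule format are all assumptions chosen for illustration. It shows how periodic re-evaluation lets a slow trickle of mild anomalies erode a user's trust level (the covert case the paper targets), how an IDS alert short-circuits the trust path, and how redundant permissions are counted against the task's actual needs.

```python
"""Added example (not the paper's implementation): trust-based, least-privilege
access control for distribution-terminal IoT data sharing. All formulas,
thresholds, roles, permission sets and the flow-rule format are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Operations a distribution-terminal IoT resource exposes (constructed).
ALL_PERMISSIONS = {"read_telemetry", "read_history", "write_config", "issue_control"}

# Roles from least to most privilege, each with a minimal permission set (assumed).
ROLE_ORDER = ["observer", "analyst", "operator", "controller"]
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "quarantined": set(),
    "observer": {"read_telemetry"},
    "analyst": {"read_telemetry", "read_history"},
    "operator": {"read_telemetry", "read_history", "write_config"},
    "controller": set(ALL_PERMISSIONS),
}

# Trust degree in [0,1] -> trust level -> highest role that level may hold (assumed).
LEVEL_THRESHOLDS = [(0.9, "high"), (0.7, "medium"), (0.5, "low"), (0.0, "untrusted")]
LEVEL_MAX_ROLE = {"high": "controller", "medium": "operator", "low": "analyst", "untrusted": "observer"}


@dataclass
class BehaviorRecord:
    """One row of the trust-measurement database (constructed schema)."""
    period: int            # evaluation period in which the behaviour was observed
    anomalous: bool        # whether the behaviour metric flagged this record
    severity: float = 0.0  # anomaly magnitude in [0,1]


def trust_degree(history: List[BehaviorRecord], now: int, decay: float = 0.8) -> float:
    """Recency-weighted trust degree (assumed formula): 1 minus the weighted share
    of anomaly severity, each record weighted by decay**(age in periods)."""
    weight_sum = penalty = 0.0
    for rec in history:
        if rec.period > now:          # ignore records from future periods
            continue
        w = decay ** (now - rec.period)
        weight_sum += w
        if rec.anomalous:
            penalty += w * rec.severity
    if weight_sum == 0.0:
        return 0.5                    # unknown user starts neutral (assumption)
    return max(0.0, 1.0 - penalty / weight_sum)


def trust_level(degree: float) -> str:
    for threshold, name in LEVEL_THRESHOLDS:
        if degree >= threshold:
            return name
    return "untrusted"


def assign_role(degree: float, ids_alert: bool, task_needs: Set[str]) -> str:
    """Least-privilege user-role assignment bounded by the trust level.
    An IDS alert (obvious attack) quarantines the user outright. Otherwise the
    lowest role covering the task is chosen, never above the level's ceiling;
    if no permitted role covers the task, the ceiling role is granted."""
    if ids_alert:
        return "quarantined"
    ceiling = ROLE_ORDER.index(LEVEL_MAX_ROLE[trust_level(degree)])
    for role in ROLE_ORDER[: ceiling + 1]:
        if task_needs <= ROLE_PERMISSIONS[role]:
            return role
    return ROLE_ORDER[ceiling]


def flow_rules(user: str, resource: str, permissions: Set[str]) -> List[dict]:
    """Rules the IoT controller would push: forward permitted ops, drop the rest."""
    rules = [{"match": {"user": user, "resource": resource, "op": op}, "action": "forward"}
             for op in sorted(permissions)]
    rules.append({"match": {"user": user, "resource": resource, "op": "*"}, "action": "drop"})
    return rules


def access_decision(user, resource, history, now, ids_alert, task_needs) -> dict:
    """One evaluation cycle: measure trust, pick a role, derive rules and redundancy."""
    degree = trust_degree(history, now)
    role = assign_role(degree, ids_alert, task_needs)
    granted = ROLE_PERMISSIONS[role]
    return {
        "trust_degree": round(degree, 4),
        "level": trust_level(degree),
        "role": role,
        "task_allowed": task_needs <= granted,
        "redundant": granted - task_needs,   # held but not needed by the task
        "rules": flow_rules(user, resource, granted),
    }


# Constructed histories: a clean user, and one whose mild anomalies begin in period 3.
BENIGN = [BehaviorRecord(p, False) for p in range(5)]
COVERT = [BehaviorRecord(p, False) for p in range(3)] + \
         [BehaviorRecord(p, True, 0.5) for p in range(3, 7)]

if __name__ == "__main__":
    needs = {"read_telemetry", "read_history"}
    print(access_decision("u1", "feeder_12", BENIGN, 4, False, needs))
    for now in (3, 6):  # periodic re-evaluation: the covert user's trust erodes
        print(now, access_decision("u2", "feeder_12", COVERT, now, False,
                                   {"read_telemetry", "write_config"}))
    print(access_decision("u3", "feeder_12", BENIGN, 4, True, needs)["role"])
```

Run stand-alone, the script shows the benign user receiving only the analyst role for a read task (no redundant permissions despite a high trust level), the covert user dropping from medium to low trust between periods 3 and 6 so that a configuration-write task is no longer covered, and the IDS-flagged user reduced to a single drop rule.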
Authors
Lin Yifu (林奕夫); Chen Xue (陈雪); Xu Mengyu (徐梦宇); Chen Yun (陈云)
Affiliations: State Grid Fujian Electric Power Co., Ltd., Fuzhou 350003; Research Institute of Economics and Technology, State Grid Fujian Electric Power Co., Ltd., Fuzhou 350013; Shanghai Wudun Information Technology Co., Ltd., Shanghai 201100
Source
Journal of Information Security Research (《信息安全研究》)
Indexed in CSCD; Peking University Core Journal (北大核心)
2024, No. 10, pp. 937-943 (7 pages)
Funding
Science and Technology Project of the State Grid Corporation of China Headquarters (5400-202255148A-1-1-ZN).
Keywords
zero trust architecture; principle of least privilege; distribution terminal; Internet of Things; user credit; redundant permission