CN118972185A - A network port access control method and system - Google Patents

A network port access control method and system
Info

Publication number
CN118972185A
Authority
CN
China
Prior art keywords
access
port
user
new
old
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202411465064.9A
Other languages
Chinese (zh)
Other versions
CN118972185B (en)
Inventor
王峰渊
钱锦
刘伟浩
罗少杰
陈超
樊立波
韩荣杰
孙智卿
卢新岱
郑伟彦
杨翾
罗俊
刘兴业
沈思琪
黄迪
李强强
倪夏冰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Dayou Industrial Co ltd Hangzhou Science And Technology Development Branch
State Grid Zhejiang Electric Power Co Ltd
Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Original Assignee
Zhejiang Dayou Industrial Co ltd Hangzhou Science And Technology Development Branch
State Grid Zhejiang Electric Power Co Ltd
Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang Dayou Industrial Co ltd Hangzhou Science And Technology Development Branch, State Grid Zhejiang Electric Power Co Ltd and Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Priority to CN202411465064.9A
Publication of CN118972185A
Application granted
Publication of CN118972185B
Legal status: Active (current)
Anticipated expiration

Abstract

Translated from Chinese


The present invention provides a network port access control method and system. The method dynamically adjusts the access control strategies of the new and old systems according to a system access permission dynamic mapping table, generated from the current user identity data sets of the new and old systems and a preset identity authentication rule base, combined with a user access pattern set obtained by analysing user access patterns in the port status data flows of the new and old systems; it dynamically adjusts the key business access control rules according to abnormal access identification results derived from the business access characteristics of business data packets that access the system's key business data; and, after migration is complete, it updates the system access control strategy according to a system strategy adjustment scheme obtained from the performance data of the new and old systems and a strategy adjustment prediction model. The present invention can perceive the dynamic changes of employee access rights, the differences between the new and old systems and access anomalies during the migration process, and adaptively update the system prevention and control strategy, effectively improving the network port security protection capability.

Description

Network port access control method and system
Technical Field
The present invention relates to the field of information technologies, and in particular, to a method, a system, a computer device, and a storage medium for controlling access to a network port.
Background
With the change of business requirements and the updating of technology, enterprises are inevitably faced with the problem of system migration. The coexistence of new and old systems in the migration process of the enterprise system inevitably leads to complex and changeable network topology and access modes, and the access rights of different staff to the new and old systems are not only different, but also can be continuously adjusted along with the migration progress, so that new challenges are inevitably brought to the security access control of the network ports of the enterprise system.
The network port security prevention and control of the existing enterprise system generally adopts a static network port protection policy, such as setting a fixed access control list, a firewall rule, disabling unnecessary ports and the like, and the static network port protection policy is difficult to automatically sense the change of access port services based on the dynamic change of employee access rights to perform real-time rights control, and is difficult to apply different protection policies and rules to different system network ports based on the difference of new and old systems so as to ensure the availability and security of each system during migration. Therefore, it is needed to provide an intelligent network port access control mechanism capable of effectively dealing with the coexistence of new and old systems in the enterprise system migration process, so as to ensure the network resource access security in the enterprise system migration process.
Disclosure of Invention
The invention aims to provide a network port access control method which, through an intelligent network port protection technique combining identity authentication with port perception, senses the dynamic changes in employee access authority, access anomalies and the differences between the new and old systems during migration, adaptively updates and optimises the system prevention and control strategy based on analysis of those changes and differences, solves the problem of dynamic access control during system migration, effectively improves the network port security protection capability of the system, and realises a stable transition between the new and old systems.
To achieve the above object, a method and a system for controlling access to a network port are provided to solve the above technical problems.
In a first aspect, an embodiment of the present invention provides a method for controlling access to a network port, where the method includes the following steps:
Acquiring current user identity data sets of a new system and an old system in real time, and generating a corresponding system access authority dynamic mapping table according to the current user identity data sets and a preset identity authentication rule base;
Monitoring port state data streams of the new system and the old system, and analyzing user access modes according to the port state data streams to obtain corresponding user access mode sets; the user access mode set comprises a plurality of user access modes with different identities;
Dynamically adjusting access control strategies of the new system and the old system according to the user access mode set and the system access authority dynamic mapping table, and executing network port access control of the corresponding system according to the adjusted access control strategies;
Capturing a service data packet accessed by key service data of a system, extracting service access characteristics of the service data packet, carrying out abnormal service access identification according to the service access characteristics, and dynamically adjusting key service access control rules in corresponding system access control strategies according to corresponding abnormal access identification results;
And respectively acquiring performance data of the new system and the old system in response to the system migration completion, inputting the performance data into a pre-constructed strategy adjustment prediction model to perform strategy adjustment prediction, and updating the corresponding system access control strategy according to the obtained system strategy adjustment scheme.
Further, the preset identity authentication rule base comprises identity authentication rules of all system users; the identity authentication rule comprises a plurality of identity characteristics and corresponding matching weights;
The step of generating a corresponding dynamic mapping table of system access authority according to the current user identity data set and a preset identity authentication rule base comprises the following steps:
Based on a preset character string matching algorithm, matching each user identity information in the current user identity data set with each identity authentication rule in the preset identity authentication rule base respectively, and obtaining a corresponding user identity authentication score;
acquiring user identity information of which the user identity authentication score is larger than a preset score threshold value, and generating an effective user identity data set;
Acquiring system identity data corresponding to each user identity information in the effective user identity data set; the system identity data comprises a system identity ID, departments, positions and levels;
generating a corresponding new system authority level and an old system authority level based on a pre-constructed decision tree model according to the system identity data;
Generating a corresponding new system function authority list and an old system function authority list according to the new system authority level and the old system authority level respectively;
and generating the dynamic mapping table of the system access authority according to the system identity IDs, the new system authority levels, the new system function authority list, the old system authority levels and the old system function authority list corresponding to all user identity information in the effective user identity data set.
Further, the step of performing user access pattern analysis according to the port state data stream to obtain a corresponding user access pattern set includes:
Extracting flow characteristics of each network port state data in the port state data stream through an exponentially weighted moving average model to obtain corresponding port flow statistical characteristics; the port flow statistical characteristics comprise an average value, a standard deviation and a peak value;
performing new and old system port mapping change identification according to port flow statistics characteristics of all network ports in the new system and the old system so as to update a current new and old system port function mapping table;
According to the current new and old system port function mapping table, carrying out statistical analysis on historical state data streams of each network port in the new system and the old system to obtain the corresponding system port reference flow, and generating a corresponding port flow self-adaptive threshold based on a 3-sigma principle according to the system port reference flow;
Judging whether the state data flows of all network ports in the new system and the old system are larger than the corresponding system port flow self-adaptive threshold value or not respectively, if so, judging that suspicious user behavior identification results of the corresponding system network ports are suspicious user access behaviors, otherwise, judging that suspicious user behavior identification results of the corresponding system network ports are not suspicious user access behaviors;
And carrying out user access mode analysis according to suspicious user behavior recognition results of all system network ports to obtain a corresponding user access mode set.
Further, the step of performing new and old system port mapping change identification according to the port traffic statistics of all network ports in the new system and the old system, so as to update the current new and old system port function mapping table, includes:
According to port flow statistical characteristics of all network ports in the new system and the old system, respectively carrying out flow difference analysis on corresponding network ports between the new system and the old system to obtain corresponding flow change information, and generating a port list to be analyzed according to the network ports of which the flow change information is larger than a preset percentile threshold;
performing cluster analysis on port flow statistical characteristics of each network port in the port list to be analyzed to generate a corresponding new and old system port mapping change table;
And updating the current new and old system port function mapping tables according to the new and old system port mapping change tables.
Further, the step of performing user access pattern analysis according to suspicious user behavior recognition results of all system network ports to obtain a corresponding user access pattern set includes:
when the suspicious user behavior identification result of the system network port is that suspicious user access behaviors exist, generating a corresponding suspicious access event record; the suspicious access event records include a timestamp, a suspicious type, a related port, a duration, and a threshold percentage exceeded;
acquiring user identity information sets of network ports corresponding to all suspicious access event records, and carrying out association analysis on the suspicious access event records and the corresponding user identity information sets to generate a mapping relation of abnormal access behaviors of users;
And acquiring abnormal access behavior characteristics of all the associated users according to the abnormal access behavior mapping relation of the users, and performing cluster analysis on the abnormal access behavior characteristics of all the associated users to obtain the user access pattern set.
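The port-flow steps above (EWMA statistics, 3-sigma adaptive threshold, suspicious behaviour decision) and the suspicious access event record can be tied together in a few dozen lines. The following Python is an added illustration, not code from the patent or its assignees: the smoothing factor, the historical flow samples, the timestamp and the duration are constructed values, and the port/system keys are assumptions.

```python
# Added illustration (not the patent's code): EWMA port traffic statistics,
# a 3-sigma adaptive threshold and the suspicious access event record.
# The smoothing factor, history samples, timestamp and duration are constructed.
from math import sqrt

ALPHA = 0.3  # EWMA smoothing factor (assumed value)


class PortTrafficStats:
    """Exponentially weighted moving average of one port's traffic samples,
    tracking the statistical features named in the description:
    mean, standard deviation and peak."""

    def __init__(self, alpha=ALPHA):
        self.alpha = alpha
        self.mean = None
        self.var = 0.0
        self.peak = 0.0

    def update(self, sample):
        if self.mean is None:
            self.mean = float(sample)
        else:
            diff = sample - self.mean
            self.mean += self.alpha * diff
            # incremental EWMA variance
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        self.peak = max(self.peak, float(sample))
        return self

    @property
    def std(self):
        return sqrt(self.var)

    def adaptive_threshold(self, k=3.0):
        """Reference flow plus k standard deviations (3-sigma rule)."""
        return self.mean + k * self.std


def build_reference(history):
    """Port reference flow statistics from a historical state data stream."""
    stats = PortTrafficStats()
    for sample in history:
        stats.update(sample)
    return stats


def check_port(system, port, stats, flow, timestamp, duration_s):
    """Compare a current flow sample with the port's adaptive threshold.
    Returns None when the port is not suspicious, otherwise a suspicious
    access event record with the fields listed in the description."""
    threshold = stats.adaptive_threshold()
    if flow <= threshold:
        return None
    return {
        "timestamp": timestamp,
        "suspicious_type": "port_flow_exceeds_adaptive_threshold",
        "system": system,
        "related_port": port,
        "duration_s": duration_s,
        "threshold_pct_exceeded": round((flow - threshold) / threshold * 100, 1),
    }


# Constructed historical flow samples per (system, port), e.g. MB per interval.
HISTORY = {
    ("new", 443): [100, 110, 95, 105, 100, 98, 102, 104, 97, 103],
    ("old", 8080): [40, 42, 38, 41, 40, 39, 43, 40, 41, 40],
}


def scan(current_flows, history=HISTORY, timestamp="2024-01-10T10:00:00", duration_s=60):
    """Suspicious user behaviour identification for every monitored port;
    returns the list of suspicious access event records."""
    events = []
    for (system, port), flow in current_flows.items():
        stats = build_reference(history[(system, port)])
        event = check_port(system, port, stats, flow, timestamp, duration_s)
        if event:
            events.append(event)
    return events


if __name__ == "__main__":
    for e in scan({("new", 443): 400, ("old", 8080): 41}):
        print(e)
```

With the constructed history the EWMA mean of port 443 settles near 101 with a standard deviation of roughly 3, so the adaptive threshold sits around 110: a sample of 104 passes, a burst of 400 is flagged and the record reports how far above the threshold it was. In production the reference statistics would be kept per port and updated continuously rather than rebuilt on every scan.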
Further, the step of dynamically adjusting access control policies of the new system and the old system according to the user access mode set and the system access authority dynamic mapping table includes:
Performing hierarchical clustering analysis on all user access modes in the user access mode set according to the system access authority dynamic mapping table to obtain a user access mode feature vector; the user access mode feature vector comprises access frequency, access time distribution and access resource types;
According to the user access mode feature vector, performing K-means clustering on user access behaviors corresponding to all user access modes in the user access mode set to obtain a plurality of access behavior groups;
And dynamically adjusting the access control strategies of the new system and the old system respectively through a preset rule strategy generator according to the central points and the boundaries of all the access behavior groups.
Further, the step of extracting the service access characteristic of the service data packet and identifying abnormal service access according to the service access characteristic includes:
deep packet detection and protocol analysis are carried out on each service data packet, and corresponding initial service access characteristics are obtained; the initial service access characteristics comprise a user ID, a time stamp, a source IP, a destination IP, a source port, a destination port, a protocol type, a request method, a data volume and a response code;
Performing dimension reduction analysis on the initial service access characteristics based on a principal component analysis method to obtain corresponding service access characteristics;
inputting the service access characteristics into a pre-constructed isolated forest model to perform abnormal service access identification, and obtaining a corresponding abnormal access identification result.
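To make the isolation-forest step concrete, here is an added Python illustration (not code from the patent or its assignees) that builds feature vectors from parsed service data packets carrying the fields listed above and scores them with a small isolation forest written from scratch. The PCA dimension-reduction step is omitted and four numeric fields are used directly; all packets are constructed sample data, and the tree count, seed and feature choice are assumptions.

```python
# Added illustration (not the patent's code): scoring service-access feature
# vectors with a small isolation forest. Packet fields follow the initial
# service access characteristics listed in the description; the PCA step is
# omitted and four numeric features are used directly. Packets are constructed.
import math
import random

EULER_GAMMA = 0.5772156649


def c_factor(n):
    """Average path length of an unsuccessful BST search; normalises depths."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n


def build_tree(points, depth, max_depth, rng):
    """Isolation tree: random splittable feature, random split in its range."""
    if depth >= max_depth or len(points) <= 1:
        return {"size": len(points)}
    ranges = [(d, min(p[d] for p in points), max(p[d] for p in points))
              for d in range(len(points[0]))]
    splittable = [(d, lo, hi) for d, lo, hi in ranges if lo < hi]
    if not splittable:
        return {"size": len(points)}
    dim, lo, hi = rng.choice(splittable)
    split = rng.uniform(lo, hi)
    return {"dim": dim, "split": split,
            "left": build_tree([p for p in points if p[dim] < split], depth + 1, max_depth, rng),
            "right": build_tree([p for p in points if p[dim] >= split], depth + 1, max_depth, rng)}


def path_length(tree, point, depth=0):
    if "dim" not in tree:  # leaf
        return depth + c_factor(tree["size"])
    child = tree["left"] if point[tree["dim"]] < tree["split"] else tree["right"]
    return path_length(child, point, depth + 1)


class IsolationForest:
    def __init__(self, n_trees=100, sample_size=256, seed=0):
        self.n_trees, self.sample_size, self.seed = n_trees, sample_size, seed
        self.trees = []

    def fit(self, X):
        rng = random.Random(self.seed)
        self.sample_size = min(self.sample_size, len(X))
        max_depth = math.ceil(math.log2(self.sample_size))
        self.trees = [build_tree(rng.sample(X, self.sample_size), 0, max_depth, rng)
                      for _ in range(self.n_trees)]
        return self

    def score(self, point):
        """Anomaly score in (0, 1): near 1 means isolated quickly, i.e. anomalous."""
        avg = sum(path_length(t, point) for t in self.trees) / len(self.trees)
        return 2.0 ** (-avg / c_factor(self.sample_size))


def packet_features(pkt):
    """Numeric service access feature vector from a parsed packet record."""
    hour = int(pkt["timestamp"][11:13])
    return [pkt["bytes"], hour, pkt["dst_port"], pkt["status"]]


def constructed_packets():
    """Forty ordinary business requests plus one odd one (constructed data)."""
    rng = random.Random(42)
    normal = [{"user_id": f"U{i % 5:03d}", "timestamp": f"2024-01-10T{rng.randint(9, 17):02d}:15:00",
               "src_ip": f"10.0.0.{i % 20 + 1}", "dst_ip": "10.1.0.5",
               "src_port": rng.randint(40000, 60000), "dst_port": 443, "protocol": "TCP",
               "method": "GET", "bytes": rng.randint(800, 1500), "status": 200}
              for i in range(40)]
    anomaly = {"user_id": "U002", "timestamp": "2024-01-10T03:12:00", "src_ip": "10.0.0.7",
               "dst_ip": "10.1.0.5", "src_port": 51234, "dst_port": 8443, "protocol": "TCP",
               "method": "POST", "bytes": 250000, "status": 500}
    return normal, anomaly


def rank_anomalies(packets, seed=7):
    """Fit a forest on the packets' features and return (score, packet) pairs, highest first."""
    X = [packet_features(p) for p in packets]
    forest = IsolationForest(seed=seed).fit(X)
    return sorted(zip((forest.score(x) for x in X), packets), key=lambda s: s[0], reverse=True)


if __name__ == "__main__":
    normal, anomaly = constructed_packets()
    for score, pkt in rank_anomalies(normal + [anomaly])[:3]:
        print(f"{score:.3f} {pkt['user_id']} {pkt['method']} bytes={pkt['bytes']} status={pkt['status']}")
```

The off-hours POST with a 500 response and a 250 MB payload differs from the rest in every feature, so nearly every tree isolates it in one split and its score lands well above the 0.5 to 0.6 band where ordinary records sit. Because splits are drawn within each feature's own range, the forest needs no feature scaling, which is one reason the technique suits mixed fields such as byte counts and port numbers.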
Further, the strategy adjustment prediction model is obtained based on continuous training updating of the reinforcement learning model; the state space and the action space of the reinforcement learning model are respectively defined and obtained according to the system performance data and the corresponding strategy adjustment scheme; and the reward function of the reinforcement learning model is designed according to a preset service continuity index.
Further, before the system migration is completed, the method further comprises:
Continuously detecting network topology change information between the new system and the old system, carrying out real-time network topology reconstruction according to the network topology change information and a pre-constructed graph convolution network model, generating a corresponding low-dimensional network topology relation graph, and self-adaptively adjusting a data transmission routing strategy between the new system and the old system according to the low-dimensional network topology relation graph.
In a second aspect, an embodiment of the present invention provides a network port access control system, including:
The identity authority mapping module is used for acquiring current user identity data sets of the new system and the old system in real time, and generating a corresponding system access authority dynamic mapping table according to the current user identity data sets and a preset identity authentication rule base;
The access mode analysis module is used for monitoring port state data streams of the new system and the old system, and carrying out user access mode analysis according to the port state data streams to obtain a corresponding user access mode set; the user access mode set comprises a plurality of user access modes with different identities;
The access control strategy adjustment module is used for dynamically adjusting the access control strategies of the new system and the old system according to the user access mode set and the system access authority dynamic mapping table, and executing network port access control of the corresponding system according to the adjusted access control strategies;
The business access control adjustment module is used for capturing business data packets accessed by key business data of the system, extracting business access characteristics of the business data packets, carrying out abnormal business access identification according to the business access characteristics, and dynamically adjusting key business access control rules in corresponding system access control strategies according to corresponding abnormal access identification results;
And the comprehensive strategy optimization module is used for respectively acquiring the performance data of the new system and the old system in response to the completion of system migration, inputting the performance data into a pre-constructed strategy adjustment prediction model for strategy adjustment prediction, and updating the corresponding system access control strategy according to the obtained system strategy adjustment scheme.
The method acquires current user identity data sets of a new system and an old system in real time, generates a corresponding system access authority dynamic mapping table according to the current user identity data sets and a preset identity authentication rule base, monitors port state data streams of the new system and the old system, analyses user access modes according to the port state data streams to obtain corresponding user access mode sets comprising a plurality of user access modes with different identities, dynamically adjusts the access control strategies of the new system and the old system according to the user access mode sets and the system access authority dynamic mapping table, executes network port access control of the corresponding system according to the adjusted access control strategies, captures service data packets accessed by key service data of the system, extracts service access characteristics of the service data packets, carries out abnormal service access identification according to the service access characteristics, dynamically adjusts key service access control rules in the corresponding system access control strategies according to the corresponding abnormal access identification results, and, once system migration is complete, acquires performance data of the new system and the old system respectively, inputs the performance data into a pre-constructed strategy adjustment prediction model to perform strategy adjustment prediction, and updates the corresponding system access control strategy according to the obtained system strategy adjustment scheme.
Compared with the prior art, the network port access control method has the advantages that through the intelligent network port protection technology based on combination of identity authentication and port perception, dynamic changes and access anomalies of employee access authority and differences of old and new systems in the migration process are perceived in real time, and the system prevention and control strategy is adaptively updated and optimized based on change and difference analysis, so that the problem of dynamic access control in the system migration process is solved, the network port safety protection capability of the system is effectively improved, and stable transition between the old and new systems is realized.
Drawings
FIG. 1 is a flow chart of a method for controlling network port access in an embodiment of the invention;
Fig. 2 is a schematic diagram of a network port access control system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantageous effects of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples, and it is apparent that the examples described below are part of the examples of the present application, which are provided for illustration only and are not intended to limit the scope of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The network port access control method provided by the invention addresses the application defect that existing enterprise-system network port security control cannot automatically sense changes in access port services and differences between new and old systems on the basis of the dynamic variation of employee access authority, cannot dynamically adjust network port protection strategies and rules, and therefore struggles to ensure the availability and security of each system during migration. The following embodiments describe the network port access control method of the present invention in detail.
In one embodiment, as shown in fig. 1, there is provided a network port access control method, including the steps of:
S11, acquiring current user identity data sets of a new system and an old system in real time, and generating a corresponding system access authority dynamic mapping table according to the current user identity data sets and a preset identity authentication rule base; the current user identity data sets of the new system and the old system may be understood as data sets of the identity information of the incumbent staff allowed to access the new system and the old system, acquired through the enterprise's existing human resource management system and organisation architecture management system; the specific content of each user identity record may be set according to the practical application, for example a user name, identity ID, mailbox address, mobile phone number, identity type, department, level, job position, job start time and the like, and is not specifically limited here. Meanwhile, because migration progress differs between areas and/or businesses, some staff may need to access the new and old systems at the same time, i.e. their identity information may be present in the current user identity data sets of both the new system and the old system.
The preset identity authentication rule base in this embodiment may be understood as an identity matching rule database which is previously constructed according to application requirements and is used for legally authenticating the identity data of the staff of the enterprise, and includes identity authentication rules of all system users, where each system user's identity authentication rule includes a plurality of identity features and corresponding matching weights, and the identity features may be consistent with the key data of the user identity data according to actual application requirements, such as including a user name, a mailbox address, a mobile phone number, etc., and set corresponding matching weight values for each identity feature, and are used for calculating corresponding user identity authentication scores in the staff identity authentication process. Correspondingly, the dynamic mapping table of the system access authority can be understood as a system function authority list comprising different user identities in the new and old systems based on dynamic updating of effective identity data obtained from system user identity data which is perceived in real time and changes along with the migration progress of the system. Specifically, the step of generating the corresponding dynamic mapping table of the system access authority according to the current user identity data set and the preset identity authentication rule base includes:
Based on a preset character string matching algorithm, matching each user identity information in the current user identity data set with each identity authentication rule in the preset identity authentication rule base respectively, and obtaining a corresponding user identity authentication score; the preset character string matching algorithm can adopt a KMP (Knuth-Morris-Pratt) algorithm, and the corresponding acquisition of each user identity authentication score can be understood as a rule matching score highest value obtained by respectively matching user identity information with each identity authentication rule based on the KMP algorithm; correspondingly, the process of matching the user identity information with each identity authentication rule can be understood as follows: sequentially carrying out character string matching on each data in the user identity information and each identity feature in the identity authentication rule, if a certain data in the user identity information is matched with a certain identity feature in the identity authentication rule, multiplying a corresponding preset feature matching score with a matching weight value to obtain a final score of the feature matching, otherwise, the final score of the feature matching is 0; and finally, adding the final scores of all feature matching corresponding to the user identity information to obtain the rule matching score of the user identity information and a certain identity authentication rule.
Acquiring user identity information of which the user identity authentication score is larger than a preset score threshold value, and generating an effective user identity data set; the preset score threshold value can be selected according to actual application requirements, and is not particularly limited herein; in practical application, if the user identity authentication score corresponding to certain user identity information is greater than a preset score threshold, judging the user identity information as effective data, adding the effective data into an effective user identity data set, and marking that the corresponding system is a new system and/or an old system; and the final effective user identity data set corresponding to the current user identity data sets of the new system and the old system can be obtained through the processing.
Acquiring system identity data corresponding to each user identity information in the effective user identity data set; the system identity data comprises a system identity ID, departments, positions and levels, and can be extracted from user identity information corresponding to the effective user identity data set;
Generating a corresponding new system authority level and an old system authority level based on a pre-constructed decision tree model according to the system identity data; the decision tree model takes a user's system identity data as input and outputs a new system authority level and an old system authority level. When the user is only an access user of the new system, the corresponding new system authority level is a valid value and the old system authority level is an invalid value, i.e. the user has no authority to access the old system; when the user is only an access user of the old system, the old system authority level is a valid value and the new system authority level is an invalid value, i.e. the user has no authority to access the new system. The decision tree model in this embodiment can be understood as a model trained on collected historical system user identity data sets (each user identity record labelled with its corresponding access authority level).
Generating a corresponding new system function authority list and an old system function authority list according to the new system authority level and the old system authority level respectively; the new system authority level and the old system authority level correspond to one of the system authority levels, and in practical application, the new system and the old system are provided with a plurality of authority levels according to management requirements, and each authority level corresponds to different system function authorities; after obtaining a new system authority level of a certain user, a corresponding new system function authority list can be generated according to the system function authority corresponding to the level; similarly, after the old system authority level of a certain user is obtained, a corresponding old system function authority list can be generated according to the system function authority corresponding to the level; it should be noted that the system function rights included in the new system function rights list and the old system function rights list of each user are different depending on the user level and the system management rule, and are not particularly limited herein.
Generating the system access authority dynamic mapping table according to the system identity IDs, the new system authority levels, the new system function authority list, the old system authority levels and the old system function authority list corresponding to all user identity information in the effective user identity data set; each user identity authority mapping relation in the system access authority dynamic mapping table can simultaneously comprise a system identity ID, a new system authority level, a new system function authority list, an old system authority level and an old system function authority list, can be stored in a distributed cache in a JSON format for subsequent access control to perform real-time query and verification, and the number of the user identity authority mapping relations in the system access authority dynamic mapping table and the content of each user identity authority mapping relation can change along with the change of an effective user identity data set in a system migration process.
In the implementation, the dynamic change of the employee access authority can be effectively perceived through synchronizing the user identity data of the old and new systems during the system migration in real time, and the dynamic mapping table of the system access authority is updated in real time as the adjustment basis of the subsequent system access control strategy, so that the reliability and the security of the control based on the employee authority level during the system migration are effectively improved.
S12, monitoring port state data streams of the new system and the old system, and analyzing user access modes according to the port state data streams to obtain corresponding user access mode sets; the user access mode set comprises a plurality of user access modes with different identities; the port state data streams of the new system and the old system can be understood as data information simultaneously comprising the state data streams of a plurality of network ports; in practical application, distributed probes can be deployed on the network ports of the new and old systems, combined with port traffic collection agents, based on the network architecture information of the new and old systems, and the state data streams of all network ports in each system can be obtained by a network sniffer at a preset collection frequency; the state data streams can comprise information such as port connection state, traffic change data, port number, protocol type, connection duration, data transmission volume, user login logs and operation records.
The analysis of the user access pattern in the embodiment can be understood as a process of identifying the user access pattern in the coexistence scene of the new and old systems by monitoring the difference of the real-time port state data streams of the new and old systems; specifically, the step of analyzing the user access mode according to the port state data stream to obtain the corresponding user access mode set includes:
Extracting flow characteristics of each network port state data in the port state data stream through an exponentially weighted moving average model to obtain corresponding port flow statistical characteristics; the flow characteristic extraction for each network port can be understood as combining the currently acquired network port state data with the cached historical network port state data of a plurality of periods into port state data flow time sequence data, and then performing time sequence analysis on this time sequence data with an exponentially weighted moving average model to obtain the required port flow statistical characteristics; the embodiment preferably sets the port flow statistical characteristics to comprise an average value, a standard deviation and a peak value.
Performing new and old system port mapping change identification according to the port flow statistical characteristics of all network ports in the new system and the old system, so as to update the current new and old system port function mapping table; the identification of the mapping change of the new and old system ports can be understood as sensing the change of the mapping relation between the new and old systems; it assumes that, at the start of system migration, an existing network port mapping relation table between the new and old systems is available by default (obtained by gradually updating the initial network port mapping relation table), that during the migration it is judged according to this existing table whether the network port mapping relation between the new and old systems has changed, and that the existing table (the current new and old system port function mapping table) is updated based on the identified change. Specifically, the step of performing new and old system port mapping change identification according to the port traffic statistical characteristics of all network ports in the new system and the old system to update the current new and old system port function mapping table includes:
According to the port flow statistical characteristics of all network ports in the new system and the old system, respectively carrying out flow difference analysis on the corresponding network ports between the new system and the old system to obtain corresponding flow change information, and generating a port list to be analyzed from the network ports whose flow change information is larger than a preset percentile threshold; the flow difference analysis can be understood as a process of comparing the traffic of network ports in the new and old systems according to the port mapping relations in the current new and old system port function mapping table, so as to obtain the traffic difference (flow change information) between each new system network port and old system network port that have a mapping relation; in principle, the traffic of two network ports serving the same service should not differ greatly during system migration; if the traffic of two network ports with a mapping relation differs too much, either the traffic is abnormal or the ports of the old and new systems do not actually correspond to the same service, and the port must be listed in the port list to be analyzed for further analysis, so as to ensure the reliability of the subsequent user access mode analysis. It should be noted that the preset percentile threshold in this embodiment may be understood as a threshold generated by a dynamic threshold function based on a percentile; for example, the 95% quantile may be used as the dynamic threshold, and new and old system network port pairs whose traffic difference exceeds 50% may be identified and summarized to obtain the required port list to be analyzed.
Performing cluster analysis on port flow statistical characteristics of each network port in the port list to be analyzed to generate a corresponding new and old system port mapping change table; the process of obtaining the new and old system port mapping change table can be understood as determining the cluster number according to the category number of the network service predefined function ports (such as HTTP, HTTPS, database access, file transmission and the like) of the enterprise system, performing K-means cluster analysis on the port flow statistics characteristics of all network ports in the port list to be analyzed according to the cluster number to obtain a plurality of network port cluster clusters, calculating the inter-cluster distance and the intra-cluster distance of each network port cluster based on Euclidean distance, identifying the change condition of the new and old system port function mapping relation, and further generating the new and old system port mapping change table.
Updating the current new and old system port function mapping table according to the new and old system port mapping change table; the new and old system port mapping change table only comprises part of port mapping relations in the new and old system port function mapping tables, so that the part with wrong port mapping relations in the current new and old system port function mapping tables is corrected, and an effective new and old system port function mapping table can be obtained to provide reliable analysis basis for subsequent port flow state analysis.
According to the current new and old system port function mapping table, carrying out statistical analysis on the historical state data streams of each network port in the new system and the old system to obtain a corresponding system port reference flow, and generating a corresponding port flow self-adaptive threshold from the system port reference flow based on the 3σ principle; the process of obtaining the system port reference flow can be understood as calculating, for each network port pair with a mapping relation in the current new and old system port function mapping table, the average value of the historical state data flows of the pair, and taking this average value as the system port reference flow of both network ports in the pair; the corresponding port flow self-adaptive threshold is accordingly the flow abnormality detection threshold of both network ports of a mapped network port pair in the new and old systems; in the embodiment, the historical state data flows of the mapped network port pairs in the new and old systems are used as the system port reference flow, and the 3σ principle is used to generate the self-adaptive threshold around this reference flow, so that the reliability of the flow analysis of the corresponding service ports in the new and old systems can be effectively ensured. It should be noted that, in order to keep adapting to the differences between the old and new systems, the current old and new system port function mapping table may be updated periodically, and corresponding port flow self-adaptive thresholds may be regenerated according to the updated mapping table, which will not be described in detail herein.
Judging whether the state data flows of all network ports in the new system and the old system are larger than the corresponding system port flow self-adaptive threshold value or not respectively, if so, judging that suspicious user behavior identification results of the corresponding system network ports are suspicious user access behaviors, otherwise, judging that suspicious user behavior identification results of the corresponding system network ports are not suspicious user access behaviors; in order to ensure the security of port resource access during system migration and not to affect normal system service processing requirements, the embodiment preferably uses the following steps to perform user access pattern recognition analysis during coexistence of new and old systems based on suspicious user behavior recognition results of all system network ports.
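As an added example (not code from the patent), the following Python implements the statistical steps above on constructed port data: EWMA port traffic statistics, the old/new port-pair flow difference analysis using the 50% change figure from the text as the listing threshold in place of the percentile-based dynamic threshold, and the 3σ self-adaptive thresholds together with the threshold-exceeding percentage; the EWMA weight, the sample values and the use of the pooled history's standard deviation as σ are assumptions.

```python
"""Added example (not from the patent): EWMA port traffic statistics,
old/new port-pair flow difference analysis and 3-sigma adaptive thresholds."""
import math
import statistics
from typing import Dict, List, Tuple

PortKey = Tuple[str, int]  # (system, port number)

# Constructed sample data: bytes transferred per collection period for each
# network port; the last element is the current period, the rest is history.
PORT_STATE: Dict[PortKey, List[float]] = {
    ("old", 8001): [100, 110, 105, 98, 102, 107, 101, 104, 99, 103],
    ("new", 9001): [102, 108, 104, 101, 103, 106, 100, 105, 102, 104],
    ("old", 8002): [200, 210, 205, 198, 202, 207, 201, 204, 199, 203],
    ("new", 9002): [205, 212, 199, 203, 201, 208, 204, 206, 200, 760],  # spike
    ("old", 8003): [500, 510, 495, 505, 498, 502, 507, 499, 503, 501],
    ("new", 9003): [50, 52, 49, 51, 48, 53, 50, 51, 49, 50],  # wrong mapping
}

# Current old->new system port function mapping table (constructed).
PORT_MAPPING: Dict[int, int] = {8001: 9001, 8002: 9002, 8003: 9003}


def ewma_features(series: List[float], alpha: float = 0.3) -> Tuple[float, float, float]:
    """Port traffic statistics (mean, standard deviation, peak) from an
    exponentially weighted moving average model; alpha is an assumed weight."""
    mean, var, peak = series[0], 0.0, series[0]
    for x in series[1:]:
        delta = x - mean
        mean += alpha * delta
        var = (1 - alpha) * (var + alpha * delta * delta)  # EWM variance
        peak = max(peak, x)
    return mean, math.sqrt(var), peak


def ports_to_analyze(mapping, stats, max_change=0.5):
    """Flow difference analysis: relative difference of the EWMA means of each
    mapped pair; pairs differing by more than 50% go to the list to analyze."""
    listed = []
    for old_port, new_port in mapping.items():
        old_mean = stats[("old", old_port)][0]
        new_mean = stats[("new", new_port)][0]
        change = abs(new_mean - old_mean) / max(old_mean, 1e-9)
        if change > max_change:
            listed.append((old_port, new_port))
    return listed


def adaptive_thresholds(mapping, history):
    """System port reference flow = mean of the pair's pooled history; the
    adaptive threshold is reference + 3 sigma, with sigma taken from the
    pooled history (an assumption of this example)."""
    thresholds = {}
    for old_port, new_port in mapping.items():
        pooled = history[("old", old_port)] + history[("new", new_port)]
        reference = statistics.fmean(pooled)
        limit = reference + 3 * statistics.pstdev(pooled)
        thresholds[("old", old_port)] = limit
        thresholds[("new", new_port)] = limit
    return thresholds


def suspicious_ports(current, thresholds):
    """Suspicious user behaviour identification result per port, with the
    threshold-exceeding percentage used by the suspicious access event record."""
    results = {}
    for key, limit in thresholds.items():
        value = current[key]
        exceeded = value > limit
        pct = (value - limit) / limit * 100 if exceeded else 0.0
        results[key] = {"suspicious": exceeded, "exceed_pct": round(pct, 1)}
    return results


def analyze(port_state=PORT_STATE, mapping=PORT_MAPPING):
    """Runs the three steps: statistics on history, mapping-change candidates,
    and the 3-sigma verdict on the current period."""
    history = {k: v[:-1] for k, v in port_state.items()}
    current = {k: v[-1] for k, v in port_state.items()}
    stats = {k: ewma_features(v) for k, v in history.items()}
    return {
        "stats": stats,
        "to_analyze": ports_to_analyze(mapping, stats),
        "suspicious": suspicious_ports(current, adaptive_thresholds(mapping, history)),
    }


if __name__ == "__main__":
    result = analyze()
    print("ports to analyze:", result["to_analyze"])
    for key, verdict in result["suspicious"].items():
        if verdict["suspicious"]:
            print("suspicious access on", key, "exceeds threshold by", verdict["exceed_pct"], "%")
```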
Performing user access mode analysis according to the suspicious user behavior recognition results of all system network ports to obtain a corresponding user access mode set; the user access mode analysis can be understood as a process of taking all system network ports whose suspicious user behavior recognition result indicates suspicious user access behaviors, performing user identity association analysis on them, and classifying user access modes based on the abnormal access behavior characteristics of the associated users determined by the association analysis; specifically, the step of performing user access mode analysis according to the suspicious user behavior recognition results of all system network ports to obtain a corresponding user access mode set includes:
When the suspicious user behavior identification result of the system network port is that suspicious user access behaviors exist, generating a corresponding suspicious access event record; the suspicious access event record includes a timestamp, a suspicious type, a related port, a duration, and a threshold exceeding percentage, and the suspicious type may be determined according to an actual situation, and the corresponding threshold exceeding percentage may be calculated based on a network port status data flow and a system port traffic adaptive threshold when generating a suspicious user behavior recognition result, which will not be described in detail herein.
Acquiring user identity information sets of network ports corresponding to all suspicious access event records, and carrying out association analysis on the suspicious access event records and the corresponding user identity information sets to generate a mapping relation of abnormal access behaviors of users; the process of obtaining the user identity information set can be understood as firstly obtaining the status data stream related to the port in each suspicious access event record, then obtaining the corresponding user system identity data according to the port access user identity ID recorded by the user login log information in each port status data stream, and finally summarizing all obtained user system identity data to obtain the required user identity information set; correspondingly, the mapping relation of the abnormal access behaviors of the user can be understood as a rule of association between the user identity and the abnormal behavior, which is obtained by carrying out association analysis on each suspicious access event record and the corresponding user identity information set by adopting an Apriori algorithm, and the specific implementation mode can refer to the application technology of the Apriori algorithm and is not described in detail herein.
Acquiring abnormal access behavior characteristics of all associated users according to the abnormal access behavior mapping relation of the users, and performing cluster analysis on the abnormal access behavior characteristics of all associated users to obtain the user access pattern set; the abnormal access behavior characteristics comprise access frequency, data transmission quantity and access time distribution; the corresponding clustering analysis can be realized by adopting a K-means algorithm, an optimal clustering result is selected based on a mode of evaluating the clustering quality by the profile coefficient, and a typical access mode set of a user during system migration is generated and used for optimizing and adjusting the current access control strategy of the new and old systems, so that the new access behaviors of the analysis systems can be compared in real time, and the abnormality detection accuracy is improved.
S13, dynamically adjusting access control strategies of the new system and the old system according to the user access mode set and the system access authority dynamic mapping table, and executing network port access control of the corresponding system according to the adjusted access control strategies; wherein the access control policy preferably comprises access time limit, resource usage quota, operation authority level, etc.; specifically, the step of dynamically adjusting the access control policies of the new system and the old system according to the user access mode set and the system access authority dynamic mapping table includes:
Performing hierarchical clustering analysis on all user access modes in the user access mode set according to the system access authority dynamic mapping table to obtain a user access mode feature vector; the hierarchical clustering analysis can be understood as adopting a bottom-up aggregation method, and gradually combining the user access modes based on Euclidean distance into the nearest clusters based on the user identity information of each user access mode in the user access mode set corresponding to the user identity authority mapping relation in the system access authority dynamic mapping table until the access mode clusters with the preset number are obtained; after obtaining a plurality of access mode clusters, extracting access mode characteristics of each access mode cluster respectively to obtain required user access mode characteristic vectors, wherein the required user access mode characteristic vectors comprise access frequency, access time distribution, access resource types and the like, the access frequency can be obtained by adopting fast Fourier transform extraction based on collected related time sequence data, the time distribution characteristics can be understood as characteristics formed by counting the user access times of each time period after dividing the duration of the related time sequence into a plurality of time periods, and the access resource types can be represented by adopting binary vectors obtained by using one-hot code conversion.
According to the user access mode feature vector, performing K-means clustering on user access behaviors corresponding to all user access modes in the user access mode set to obtain a plurality of access behavior groups; the access behavior group acquisition mode can be realized by referring to the application technology of the related K-means clustering algorithm, and is not described herein.
According to the central points and boundaries of all access behavior groups, dynamically adjusting access control strategies of the new system and the old system through a preset rule strategy generator respectively; the preset rule policy generator may be understood as a rule-based policy generator, and if-then rules in the policy generator may be preset according to application requirements, which is not specifically limited herein; in practical application, the center point and the boundary of each access behavior group can be used as input of a preset rule policy generator, and the resource access control policy of the new system and/or the old system to be adjusted can be obtained through rule condition analysis in the preset rule policy generator, for example, the resource use quota of the high-frequency access group is increased by 20%.
It should be noted that the specific adjustment content of the access control policy of the new and old systems may be obtained based on analysis of the actual application scenario. In practical application, in order to adaptively adjust the system access control strategy in real time as the user access modes change during system migration, the change of the user access modes can be monitored in real time through an exponentially weighted moving window algorithm, the Euclidean distance between each user access behavior and the center point of its access behavior group is calculated, and if the Euclidean distance exceeds a preset dynamic threshold, a user access mode reclassification flow is triggered; meanwhile, for users whose access modes change frequently, a recurrent neural network comprising an input layer, a hidden layer and an output layer is continuously updated by network parameter optimization based on the back propagation algorithm with a cross entropy loss function, so as to obtain a continuously optimized access control strategy model; this model performs time sequence feature analysis on the historical access behavior sequences of these users and outputs corresponding user authority allocation rules and abnormality judgment standards, thereby improving the self-adaptive capability of access control during the system migration transition period and better handling the characteristic situations of that period.
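As an added example (not the patent's code), the following Python derives the center point and boundary of each constructed access behavior group, feeds them through preset if-then rules (including the +20% resource quota rule mentioned above) and implements the distance-based reclassification trigger; the boundary definition, the rule cut-offs and the "boundary × factor" dynamic threshold are assumptions of this example.

```python
"""Added example (not from the patent): group center/boundary, a rule-based
policy generator and the Euclidean-distance reclassification trigger."""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

Vector = Tuple[float, ...]

# Constructed feature vectors per access behaviour group, as the K-means step
# would output them: (accesses per hour, MB transferred per hour).
ACCESS_GROUPS: Dict[str, List[Vector]] = {
    "high_frequency": [(120, 4.0), (130, 3.5), (110, 4.5), (125, 4.1)],
    "batch_transfer": [(5, 800.0), (8, 900.0), (6, 850.0)],
    "regular": [(20, 12.0), (25, 15.0), (18, 10.0), (22, 11.0)],
}


@dataclass
class AccessPolicy:
    """Access control policy fields named in the text (assumed defaults)."""
    access_time_limit_min: int = 480
    resource_quota_mb: float = 1000.0
    operation_level: int = 1


def euclidean(a: Vector, b: Vector) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def center_and_boundary(members: List[Vector]) -> Tuple[Vector, float]:
    """Center point = mean vector; boundary = largest member distance to the
    center (this boundary definition is an assumption of the example)."""
    dims = len(members[0])
    center = tuple(sum(m[i] for m in members) / len(members) for i in range(dims))
    boundary = max(euclidean(m, center) for m in members)
    return center, boundary


# Preset if-then rules of the policy generator: (center, boundary) -> change.
def rule_high_frequency(center, boundary, policy):
    if center[0] > 100:                      # assumed frequency cut-off
        policy.resource_quota_mb *= 1.2      # the text's "+20% quota" example
        return "quota +20%"
    return None


def rule_bulk_transfer(center, boundary, policy):
    if center[1] > 500:                      # assumed data volume cut-off
        policy.operation_level = max(policy.operation_level, 2)
        policy.access_time_limit_min = 120  # assumed narrower time limit
        return "bulk transfer window restricted"
    return None


RULES = [rule_high_frequency, rule_bulk_transfer]


def generate_policies(groups):
    """Rule policy generator: each group's center and boundary are fed through
    the preset rules; returns (adjusted policy, fired rule names) per group."""
    policies = {}
    for name, members in groups.items():
        center, boundary = center_and_boundary(members)
        policy = AccessPolicy()
        fired = [r(center, boundary, policy) for r in RULES]
        policies[name] = (policy, [f for f in fired if f])
    return policies


def needs_reclassification(vector: Vector, members: List[Vector], factor=1.5) -> bool:
    """Reclassification trigger: distance to the group center exceeds the
    dynamic threshold boundary * factor (assumed threshold function)."""
    center, boundary = center_and_boundary(members)
    return euclidean(vector, center) > boundary * factor


if __name__ == "__main__":
    for name, (policy, fired) in generate_policies(ACCESS_GROUPS).items():
        print(name, policy, fired)
    print(needs_reclassification((60, 30), ACCESS_GROUPS["regular"]))
```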
S14, capturing the service data packets of key service data access of the system, extracting the service access characteristics of the service data packets, identifying abnormal service access according to the service access characteristics, and dynamically adjusting the key service access control rules in the corresponding system access control strategy according to the corresponding abnormal access identification result; wherein the key service data access of the system can be determined according to the actual business and is not particularly limited herein; the corresponding service data packet can be understood as a network data packet involved in the key service data access flow of the system, and can be captured and stored with hardware acceleration by an FPGA deployed at the network port; the key service access control rule in this embodiment may be understood as a service resource data access rule formulated for the various key service data access requirements; specifically, the step of extracting the service access characteristics of the service data packet and identifying abnormal service access according to the service access characteristics includes:
Deep packet inspection and protocol parsing are carried out on each service data packet to obtain corresponding initial service access characteristics; deep packet inspection can be understood as DPI (Deep Packet Inspection) technology for application layer traffic detection and control; protocol parsing can be understood as a process of identifying the application layer protocol type through a state-machine-based protocol parser, extracting key fields such as HTTP header information, SQL statements and DNS queries, restoring the complete service access flow with TCP reassembly, generating a structured network flow log, and constructing multidimensional service access features from the network flow log; the initial service access characteristics obtained in this way comprise user ID, timestamp, source IP, destination IP, source port, destination port, protocol type, request method, data volume, response code and the like.
Performing dimension reduction analysis on the initial service access characteristics based on a principal component analysis method to obtain corresponding service access characteristics; the service access characteristic may be understood as a low-dimensional feature representation obtained by reducing the dimension of the initial service access characteristics in order to keep the subsequent abnormal access identification efficient, and a specific acquisition mode may refer to the prior art implementation of dimension reduction analysis based on Principal Component Analysis (PCA), which is not described herein.
And inputting the service access characteristics into a pre-constructed isolated forest model to perform abnormal service access identification, so as to obtain a corresponding abnormal access identification result.
In practical application, after the abnormal access identification result is obtained through the above method steps, the access control rule of the corresponding service can be dynamically adjusted by forward-chaining reasoning in an expert system based on the identification result, so that fine-grained access control and security protection at the service level can be realized.
S15, respectively acquiring performance data of the new system and performance data of the old system in response to the completion of system migration, inputting the performance data into a pre-constructed strategy adjustment prediction model for strategy adjustment prediction, and updating a corresponding system access control strategy according to the obtained system strategy adjustment scheme; the performance data comprise CPU utilization rate, memory occupation, request response time and the like, and can be determined according to actual application requirements; the corresponding policy adjustment prediction model may in principle adopt any network model capable of generating a policy adjustment scheme function based on performance data, but in order to ensure the real-time performance and reliability of system policy adjustment, the embodiment preferably utilizes a reinforcement learning algorithm to build a policy adjustment prediction model for balancing the performance and safety of the system, so as to dynamically adjust the protection policy of the new and old systems according to the service continuity requirement, and adaptively balance the safety protection and performance requirement of the new and old systems. Specifically, the strategy adjustment prediction model is obtained by continuously training and updating based on the reinforcement learning model; the state space and the action space of the reinforcement learning model are respectively defined and obtained according to the system performance data and the corresponding strategy adjustment scheme; and the reward function of the reinforcement learning model is designed according to a preset service continuity index.
In practical application, the application process of the strategy adjustment prediction model can be understood as follows: periodically acquiring new and old system performance index data at the required acquisition frequency through a deployed Prometheus-based distributed monitoring agent program; after data cleaning and normalization of the performance index data, transmitting the data in real time to an InfluxDB time sequence database for storage to obtain a preprocessed performance index data set; constructing, from the preprocessed performance index data set, a multidimensional feature vector comprising information such as the CPU utilization rate curve, the memory occupation trend and the average response time, and performing feature dimension reduction on the multidimensional feature vector with a principal component analysis algorithm to obtain a low-dimensional representation reflecting the performance state of the system; establishing a Q-learning model according to the low-dimensional representation, wherein the low-dimensional representation is used as the environment state of the reinforcement learning model, the protection strategy adjustment scheme is used as the action space of the reinforcement learning model, and a business continuity index (defined as a weighted sum of the normal request processing rate and the reciprocal of the average response time, for example the reward function R = 0.7 × normal request processing rate + 0.3 × (1 / average response time)) is used as the reward function for iterative optimization learning, and if the Q-learning model reaches a convergence condition, the protection strategy adjustment scheme is output; based on the protection strategy adjustment scheme, the access control rules of the new and old systems are updated through a Drools rule engine, and the rule engine maintains an independent Q table and rule set for the new and old systems so as to realize balanced adaptation of the new and old systems.
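As an added example (not from the patent), the following Python implements the reward function stated above and tabular Q-learning over a constructed two-state model of each system, keeping an independent Q table for the new and old systems as the text requires; the state cut-offs standing in for the PCA representation, the (state, action) dynamics and the training by sweeping all state-action pairs for a fixed number of rounds are assumptions.

```python
"""Added example (not from the patent): tabular Q-learning for the protection
strategy adjustment scheme with the business continuity reward
R = 0.7 * normal request processing rate + 0.3 * (1 / average response time)."""
from typing import Dict, Tuple

ACTIONS = ("tighten", "keep", "relax")  # protection strategy adjustment scheme
STATES = ("low_load", "high_load")      # low-dimensional performance state

# (state, action) -> (normal request processing rate, average response time in
# seconds, next state)
Transition = Dict[Tuple[str, str], Tuple[float, float, str]]


def business_continuity_reward(normal_rate: float, avg_response_s: float) -> float:
    """Reward function as defined in the text (weights 0.7 and 0.3)."""
    return 0.7 * normal_rate + 0.3 * (1.0 / avg_response_s)


def performance_state(cpu: float, mem: float, resp_s: float) -> str:
    """Maps raw performance data to a state; the 0.8 / 0.8 / 2.0 cut-offs are
    assumptions replacing the PCA-based low-dimensional representation."""
    return "high_load" if (cpu > 0.8 or mem > 0.8 or resp_s > 2.0) else "low_load"


# Constructed dynamics of the monitored systems (assumed numbers): relaxing
# protection on a lightly loaded system drives it into high load, and only
# tightening brings the new system back down.
NEW_SYSTEM: Transition = {
    ("low_load", "tighten"): (0.70, 1.1, "low_load"),
    ("low_load", "keep"): (0.95, 1.2, "low_load"),
    ("low_load", "relax"): (1.00, 1.4, "high_load"),
    ("high_load", "tighten"): (0.70, 1.3, "low_load"),
    ("high_load", "keep"): (0.90, 2.0, "high_load"),
    ("high_load", "relax"): (0.95, 3.0, "high_load"),
}
# The legacy system (assumed) does not recover from high load by tightening.
OLD_SYSTEM: Transition = dict(NEW_SYSTEM)
OLD_SYSTEM[("high_load", "tighten")] = (0.70, 1.3, "high_load")


class QTable:
    """One Q table per system, as the rule engine in the text keeps them."""

    def __init__(self, alpha: float = 0.5, gamma: float = 0.9):
        self.alpha, self.gamma = alpha, gamma
        self.q = {(s, a): 0.0 for s in STATES for a in ACTIONS}

    def update(self, state: str, action: str, reward: float, next_state: str) -> None:
        """Standard Q-learning update towards reward + gamma * max_a' Q(s', a')."""
        best_next = max(self.q[(next_state, a)] for a in ACTIONS)
        target = reward + self.gamma * best_next
        self.q[(state, action)] += self.alpha * (target - self.q[(state, action)])

    def best_action(self, state: str) -> str:
        return max(ACTIONS, key=lambda a: self.q[(state, a)])


def train(dynamics: Transition, sweeps: int = 500) -> QTable:
    """Applies the Q-learning update to every (state, action) pair of the
    constructed dynamics; a fixed sweep count serves as convergence condition."""
    table = QTable()
    for _ in range(sweeps):
        for (state, action), (rate, resp, nxt) in dynamics.items():
            table.update(state, action, business_continuity_reward(rate, resp), nxt)
    return table


def adjustment_scheme(dynamics: Transition) -> Dict[str, str]:
    """Protection strategy adjustment scheme: the best action in each state."""
    table = train(dynamics)
    return {s: table.best_action(s) for s in STATES}


if __name__ == "__main__":
    for name, dyn in (("new system", NEW_SYSTEM), ("old system", OLD_SYSTEM)):
        print(name, adjustment_scheme(dyn))
```

With these constructed dynamics the two tables diverge: the new system learns to tighten under high load, the legacy system learns that tightening does not help and keeps its policy.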
The embodiment provides a method which acquires the current user identity data sets of the new system and the old system in real time and generates a corresponding system access authority dynamic mapping table according to the current user identity data sets and a preset identity authentication rule base; monitors the port state data streams of the new system and the old system and performs user access mode analysis on them to obtain a corresponding user access mode set comprising a plurality of user access modes with different identities; dynamically adjusts the access control strategies of the new system and the old system according to the user access mode set and the system access authority dynamic mapping table and executes network port access control of the corresponding system according to the adjusted access control strategies; captures the service data packets of key service data access of the system, extracts their service access characteristics, performs abnormal service access identification according to the service access characteristics and dynamically adjusts the key service access control rules in the corresponding system access control strategy according to the abnormal access identification result; and, in response to completion of the system migration, respectively obtains performance data of the new system and the old system, inputs the performance data into a pre-constructed strategy adjustment prediction model for strategy adjustment prediction and updates the corresponding system access control strategy according to the obtained system strategy adjustment scheme. In this way the dynamic changes of access rights during system migration are perceived in real time, control errors of the network port access control strategy are reduced, the dynamic protection effect is improved while system performance is maintained, and a stable transition between the new and old systems is realized.
In addition, considering that migration progress of different areas and different service lines may exist in practical application, a part of staff needs to access new and old systems simultaneously, in order to ensure continuity of system service, in this embodiment, network topology change information between the new and old systems is preferably detected in real time in a migration process, and data transmission routes between the new and old systems are timely adjusted based on the network topology change information, so as to ensure cross-system access behaviors capable of effectively monitoring and responding to abnormality, and gradually complete system migration while ensuring compliance. Specifically, a network port access control method is provided, and before the system migration is completed, the method further includes:
Continuously detecting network topology change information between the new system and the old system, carrying out real-time network topology reconstruction according to the network topology change information and a pre-constructed graph convolution network model, generating a corresponding low-dimensional network topology relation graph, and self-adaptively adjusting a data transmission routing strategy between the new system and the old system according to the low-dimensional network topology relation graph; the network topology change information can be understood as that a network detection tool adopting an SNMP protocol continuously acquires an SNMP protocol data packet carrying a unique identifier of a network device in a system migration process, and the data packet is sent out by the network device when topology change occurs so as to sense data information such as node increase and decrease, link state, bandwidth change and the like between new and old systems.
In practical application, the network equipment and link information of the two systems (including parameters such as equipment IP address, interface state and bandwidth utilization rate) is periodically detected by deploying a network topology discovery tool compatible with the new and old system architectures; the dynamic changes of the network topology structure during system migration are identified and recorded with a longest common subsequence algorithm against the historical detection data stored in a time sequence database, producing an incremental data set reflecting the topology changes; the incremental data set is converted by data preprocessing into an adjacency matrix of the network topology comprising node feature vectors and corresponding edge feature vectors, where the node feature vectors comprise equipment type, processing capacity and memory size, and the edge feature vectors comprise bandwidth, delay, packet loss rate and the like; the adjacency matrix is then encoded with a graph convolution network model trained in advance on relevant historical data, realizing real-time network topology reconstruction between the new system and the old system and obtaining a low-dimensional topological relation graph (the low-dimensional network topology relation graph) reflecting the difference between the current new and old systems, wherein the graph convolution network model has 3 layers of 64 neurons each with a ReLU activation function, and the embedded representation of each node is updated by aggregating neighbor node information and edge attributes through a weighted average to form the topological relation graph reflecting the difference between the current new and old systems; then the low-dimensional network topology relation graph obtained from the graph convolution network model and the monitored current system network load are taken as state data and input to a routing decision model built in advance by Q-learning training on historical system network topology change data and historical system network performance data, which performs iterative optimization learning of the data transmission routing strategy and outputs the optimal inter-system data transmission route applicable to the current system migration scene; the optimal route is applied to the corresponding network equipment through a relevant network configuration management tool so as to adaptively and dynamically adjust the data transmission routing strategy between the new and old systems, for example, after route optimization is triggered, the optimal action output by the routing decision model is converted into a specific routing table update instruction such as 'ip route 192.168.1.0/24 via 10.0.1' and issued to the network equipment for execution through the NETCONF protocol. When the routing decision model is trained with the Q-learning algorithm, the state space is the current network load and topology structure, the action space is the selectable routing paths, and the reward function is designed based on end-to-end delay and throughput, so that the data transmission routing strategy can be adaptively adjusted according to the current network state and related performance data and dynamically adapts to the change of the network topology during system migration.
It should be noted that the above step of adjusting the data transmission routing strategy between the new and old systems may be triggered in real time or by periodic detection throughout the system migration; this is not limited herein.
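As an added example that is not part of the patent text, the following Python script walks through the two steps described above on constructed data: detecting the incremental topology change between an old-system and a new-system snapshot, building the adjacency structure with its edge feature vectors, and running tabular Q-learning whose state is the current node plus the monitored load bucket, whose actions are the selectable next hops and whose reward is derived from per-link delay, bandwidth and packet loss. The device names, link measurements, load values, the exact cost formula and the hop-by-hop formulation are assumptions for illustration; the patent only names the state, action and reward ingredients.

```python
# Added example (not the patent's own code): topology delta detection
# between old- and new-system snapshots, an adjacency structure carrying
# edge feature vectors, and tabular Q-learning over that structure with a
# reward built from per-link delay, bandwidth and packet loss.
# Device names, link measurements and load values are constructed sample
# data; the cost formula and the hop-by-hop state/action design are assumptions.
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Link:
    src: str
    dst: str
    bandwidth_mbps: float  # edge feature vector: bandwidth, delay, loss
    delay_ms: float
    loss_pct: float


def _key(link: Link) -> Tuple[str, str]:
    return tuple(sorted((link.src, link.dst)))  # undirected link identity


def _features(link: Link) -> Tuple[float, float, float]:
    return (link.bandwidth_mbps, link.delay_ms, link.loss_pct)


def topology_delta(old: List[Link], new: List[Link]) -> Dict[str, list]:
    """Incremental data set: links added, removed or re-measured between two snapshots."""
    old_map = {_key(l): l for l in old}
    new_map = {_key(l): l for l in new}
    return {
        "added": sorted(set(new_map) - set(old_map)),
        "removed": sorted(set(old_map) - set(new_map)),
        "changed": sorted(k for k in old_map.keys() & new_map.keys()
                          if _features(old_map[k]) != _features(new_map[k])),
    }


def adjacency(links: List[Link]) -> Dict[str, Dict[str, Link]]:
    """node -> neighbour -> Link: the adjacency matrix together with its edge features."""
    adj: Dict[str, Dict[str, Link]] = {}
    for l in links:
        adj.setdefault(l.src, {})[l.dst] = l
        adj.setdefault(l.dst, {})[l.src] = l  # links are bidirectional
    return adj


def link_cost(link: Link, load: float) -> float:
    """Per-hop cost (the reward is its negative): propagation delay, a queueing
    term that grows with the monitored load, a serialisation term that favours
    high-bandwidth links, and a packet-loss penalty."""
    return (link.delay_ms + link.delay_ms * load
            + 1000.0 / link.bandwidth_mbps + 2.0 * link.loss_pct)


def q_learn_route(adj, src, dst, load, episodes=2000, alpha=0.5,
                  gamma=1.0, epsilon=0.2, seed=7) -> List[str]:
    """Tabular Q-learning: state = (node, load bucket), action = next hop, the
    episode ends on reaching dst. Returns the greedy path from src, or [] if
    the greedy policy loops (not converged or dst unreachable)."""
    rng = random.Random(seed)
    bucket = round(load, 1)
    q = {(n, bucket): {nb: 0.0 for nb in nbrs} for n, nbrs in adj.items()}
    for _ in range(episodes):
        node = src
        for _ in range(20):  # step guard while the policy is still random
            actions = q[(node, bucket)]
            if rng.random() < epsilon:
                nxt = rng.choice(sorted(actions))
            else:
                nxt = max(sorted(actions), key=actions.get)
            reward = -link_cost(adj[node][nxt], load)
            future = 0.0 if nxt == dst else max(q[(nxt, bucket)].values())
            actions[nxt] += alpha * (reward + gamma * future - actions[nxt])
            node = nxt
            if node == dst:
                break
    path, node = [src], src
    while node != dst:
        actions = q[(node, bucket)]
        node = max(sorted(actions), key=actions.get)
        if node in path:
            return []
        path.append(node)
    return path


def route_update(path: List[str], prefix: str) -> Dict[str, str]:
    """Turn the chosen path into the routing-table change to push to the device."""
    if len(path) < 2:
        raise ValueError("no usable route")
    return {"prefix": prefix, "next_hop": path[1]}


# Constructed snapshots: the migration adds a direct link between the
# gateways and degrades the c1-c2 link with packet loss.
OLD_LINKS = [
    Link("old-gw", "c1", 1000, 3.0, 0.0),
    Link("c1", "c2", 1000, 3.0, 0.0),
    Link("c2", "new-gw", 1000, 2.0, 0.0),
    Link("old-gw", "c2", 100, 1.0, 0.0),
]
NEW_LINKS = [
    Link("old-gw", "c1", 1000, 3.0, 0.0),
    Link("c1", "c2", 1000, 3.0, 5.0),
    Link("c2", "new-gw", 1000, 2.0, 0.0),
    Link("old-gw", "c2", 100, 1.0, 0.0),
    Link("old-gw", "new-gw", 10000, 1.0, 0.0),
]

if __name__ == "__main__":
    print(topology_delta(OLD_LINKS, NEW_LINKS))
    for links, load in ((OLD_LINKS, 0.0), (OLD_LINKS, 1.0), (NEW_LINKS, 1.0)):
        path = q_learn_route(adjacency(links), "old-gw", "new-gw", load)
        print(load, path, route_update(path, "192.168.1.0/24"))
```

On the old snapshot the learned route changes with the load bucket: at low load the three-hop path through the fast c1-c2 links wins, at high load the queueing term makes the shorter path through the slow old-gw to c2 link cheaper; once the migration adds the direct gateway link, that link wins at any load. The greedy extraction refuses a looping policy rather than emitting a routing update from an unconverged table, which is the check worth keeping before anything is pushed to a device.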
According to the embodiment of the application, the current user identity data sets of the new system and the old system are acquired in real time, a corresponding system access authority dynamic mapping table is generated according to the current user identity data sets and a preset identity authentication rule base, the port state data streams of the new and old systems are monitored and analysed to obtain a corresponding user access mode set comprising a plurality of user access modes of different identities, the access control strategies of the new and old systems are dynamically adjusted according to the user access mode set and the system access authority dynamic mapping table, and network port access control of the corresponding system is executed according to the adjusted access control strategies; the service data packets of key service data access of the system are captured, their service access characteristics are extracted, abnormal service access identification is performed on those characteristics, and the key service access control rules in the corresponding system access control strategy are dynamically adjusted according to the abnormal access identification results; network topology change information between the new and old systems is continuously detected, real-time network topology reconstruction is performed according to the change information and a pre-constructed graph convolution network model to generate a corresponding low-dimensional network topology relation graph, and the data transmission routing strategy between the new and old systems is adaptively adjusted according to that graph; and after system migration is completed, the performance data of the new and old systems are acquired, input into a pre-constructed strategy adjustment prediction model for strategy adjustment prediction, and the corresponding system access control strategy is updated according to the obtained system strategy adjustment scheme. This effectively addresses the defects of existing enterprise network port security prevention and control, which cannot automatically sense changes of access port services and differences between new and old systems on the basis of the dynamic change of employee access authority, cannot dynamically adjust network port protection policies and rules, and therefore struggle to guarantee the availability and security of each system during migration. Dynamic changes of employee access authority, differences between the new and old systems, network topology changes between them and abnormal user access behaviours are perceived in real time, the system prevention and control strategy is adaptively updated and optimised on the basis of the corresponding change and difference analysis, and the network ports during system migration are subjected to refined, dynamically optimised access control, which effectively improves the security protection capability of the system's network ports while meeting the system's performance requirements, guaranteeing service continuity and providing reliable technical support for a stable transition between the new and old systems.
Although the steps in the flowcharts described above are shown in order as indicated by arrows, these steps are not necessarily executed in order as indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders.
In one embodiment, as shown in fig. 2, there is provided a network port access control system, the system comprising:
The identity authority mapping module 1 is used for acquiring current user identity data sets of a new system and an old system in real time, and generating a corresponding system access authority dynamic mapping table according to the current user identity data sets and a preset identity authentication rule base;
The access mode analysis module 2 is used for monitoring port state data streams of the new system and the old system, and carrying out user access mode analysis according to the port state data streams to obtain a corresponding user access mode set; the user access mode set comprises a plurality of user access modes with different identities;
The access control policy adjustment module 3 is configured to dynamically adjust access control policies of the new system and the old system according to the user access mode set and the system access authority dynamic mapping table, and execute network port access control of a corresponding system according to the adjusted access control policies;
the service access control adjustment module 4 is used for capturing service data packets of key service data access of the system, extracting service access characteristics of the service data packets, performing abnormal service access identification according to the service access characteristics, and dynamically adjusting the key service access control rules in the corresponding system access control strategy according to the corresponding abnormal access identification results;
and the comprehensive strategy optimization module 5 is used for respectively acquiring the performance data of the new system and the old system in response to the completion of system migration, inputting the performance data into a pre-constructed strategy adjustment prediction model for strategy adjustment prediction, and updating the corresponding system access control strategy according to the obtained system strategy adjustment scheme.
In one embodiment, a network port access control system is provided, the system further comprising:
And the routing strategy updating module is used for continuously detecting the network topology change information between the new system and the old system, performing real-time network topology reconstruction according to the network topology change information and a pre-constructed graph convolution network model, generating a corresponding low-dimensional network topology relation graph, and adaptively adjusting the data transmission routing strategy between the new system and the old system according to the low-dimensional network topology relation graph.
For the specific definition of the network port access control system, reference may be made to the definition of the network port access control method above; the corresponding technical effects can likewise be obtained and are not repeated here. The modules of the network port access control system described above may be implemented in whole or in part by software, hardware, or a combination thereof. The modules may be embedded in hardware or be independent of the processor in the computer device, or may be stored as software in the memory of the computer device, so that the processor can call and execute the operations corresponding to the modules.
In summary, the network port access control method and system provided by the embodiments of the invention acquire the current user identity data sets of the new system and the old system in real time, generate a corresponding system access authority dynamic mapping table according to the current user identity data sets and the preset identity authentication rule base, monitor the port state data streams of the new and old systems, perform user access mode analysis on the port state data streams to obtain a corresponding user access mode set comprising a plurality of user access modes of different identities, dynamically adjust the access control strategies of the new and old systems according to the user access mode set and the system access authority dynamic mapping table and then execute network port access control of the corresponding system according to the adjusted access control strategies, capture the service data packets of key service data access of the system, extract their service access characteristics, perform abnormal service access identification according to those characteristics, dynamically adjust the key service access control rules in the corresponding system access control strategy according to the abnormal access identification results, continuously detect network topology change information between the new and old systems, perform real-time network topology reconstruction according to that information and a pre-constructed graph convolution network model to generate a corresponding low-dimensional network topology relation graph, adaptively adjust the data transmission routing strategy between the new and old systems according to that graph, and, after system migration is completed, acquire the performance data of the new and old systems, input it into a pre-constructed strategy adjustment prediction model for strategy adjustment prediction, and update the corresponding system access control strategy according to the obtained system strategy adjustment scheme. Through this intelligent network port protection technique combining identity authentication, port perception and network topology change monitoring, dynamic changes of employee access authority, differences between the new and old systems, network topology changes between them and abnormal user access behaviours during migration are perceived in real time, and the system prevention and control strategy is adaptively updated and optimised on the basis of the corresponding change and difference analysis, so that the network ports during system migration receive refined, dynamically optimised access control; the security protection capability of the system's network ports is effectively improved while the system's performance requirements are met, service continuity is guaranteed, and reliable technical support is provided for a stable transition between the new and old systems.
In this specification, each embodiment is described in a progressive manner; the same or similar parts of the embodiments may be referred to one another, and each embodiment mainly describes its differences from the others. In particular, since the system embodiments are substantially similar to the method embodiments, their description is relatively simple, and the relevant points can be found in the corresponding parts of the description of the method embodiments. It should be noted that the technical features of the foregoing embodiments may be combined arbitrarily; for brevity, not all possible combinations are described, but as long as there is no contradiction between the combinations, they should be considered within the scope of this description.
The foregoing examples represent only a few preferred embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the application. It should be noted that modifications and substitutions can be made by those skilled in the art without departing from the technical principles of the present application, and such modifications and substitutions should also be considered to be within the scope of the present application. Therefore, the protection scope of the patent of the application is subject to the protection scope of the claims.

Claims (10)

CN202411465064.9A  2024-10-21  2024-10-21  A network port access control method and system  Active  CN118972185B (en)

Priority Applications (1)

Application Number  Priority Date  Filing Date  Title
CN202411465064.9A (CN118972185B)  2024-10-21  2024-10-21  A network port access control method and system

Applications Claiming Priority (1)

Application Number  Priority Date  Filing Date  Title
CN202411465064.9A (CN118972185B)  2024-10-21  2024-10-21  A network port access control method and system

Publications (2)

Publication Number  Publication Date
CN118972185A  2024-11-15
CN118972185B  2025-01-24

Family

Family ID: 93391817

Family Applications (1)

Application Number  Title  Priority Date  Filing Date
CN202411465064.9A  A network port access control method and system (Active, CN118972185B)  2024-10-21  2024-10-21

Country Status (1)

Country  Link
CN  CN118972185B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
CN119882521A *  2024-12-11  2025-04-25  曙光网络科技有限公司  Industrial flow collection method, device, computer equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
CN110958262A *  2019-12-15  2020-04-03  国网山东省电力公司电力科学研究院  Ubiquitous Internet of Things security protection gateway system, method and deployment architecture for power industry
CN111090622A *  2019-10-18  2020-05-01  西安电子科技大学  Cloud storage information processing system and method based on dynamic encryption RBAC model
CN111985207A *  2020-08-17  2020-11-24  中国人民解放军战略支援部队信息工程大学  An access control policy acquisition method, device and electronic device
US20230342643A1 *  2019-01-03  2023-10-26  Lucomm Technologies, Inc.  Flux Sensing System
CN117216613A *  2023-09-21  2023-12-12  华北电力大学  Access control strategy generation method for power distribution network data asset
CN118656870A *  2024-08-16  2024-09-17  深圳建安润星安全技术有限公司  A method and system for secure access management of enterprise sensitive data

Also Published As

Publication number  Publication date
CN118972185B  2025-01-24

Similar Documents

Publication  Title
CN118509336B  Communication network optimization method, device and equipment considering power consumption
CN111885012B  Network situation perception method and system based on information acquisition of various network devices
CN111639363B  Data analysis method based on block chain and edge computing server
CN108259367A  A kind of Flow Policy method for customizing of the service-aware based on software defined network
CN118590289B  A network anomaly detection method based on federated learning and deep learning
CN118972185B  A network port access control method and system
Wang et al.  Statistical traffic anomaly detection in time-varying communication networks
CN119814596B  OpenHarmony-based Internet of things control method and platform
CN116566845B  A network early warning method and computer storage medium
CN118784485A  A method for optimizing communication between virtual machines in cloud computing
CN116723136A  Network data detection method applying FCM clustering algorithm
CN120201420A  Real-time fragmented transmission method of heterogeneous encrypted multimodal multimedia messages for 5G networks
CN118890290A  Network management method, device, equipment and storage medium based on artificial intelligence
CN119276710A  Network quality optimization method, device, electronic device and storage medium
CN119182599A  Equipment access authentication method, device, equipment and storage medium
CN117354251A  Automatic extraction method for electric power Internet of things terminal characteristics
CN118972162A  Network resource access control method and system based on identity authentication and port perception
CN120223388A  A network security intelligent monitoring method and system, and electronic equipment
CN119892490A  Multi-source data fusion prediction method and device for security situation awareness AI large model
CN114039780B  Low-speed DoS attack real-time response method based on flow coefficient
CN119109797B  Heterogeneous SD-WAN-based integrated monitoring method and system
CN119906701A  A PaaS-based microservice full-link grayscale traffic management system and method
Syal et al.  Automatic detection of network traffic anomalies and changes
CN112711510A  Automatic adaptation method and system for monitoring service continuity operation
Dong et al.  Experimental analysis of application-level intrusion detection algorithms

Legal Events

Code  Title
PB01  Publication
SE01  Entry into force of request for substantive examination
GR01  Patent grant
