Security and trust host access risk management system and method based on collection and distribution management

By adopting a centralized management and control system and multi-dimensional trusted verification, the problems of centralized single point of failure, insufficient distributed collaboration, and rigid resource scheduling in the existing host access risk management have been solved, achieving efficient, accurate, and reliable risk management results.

CN121193542BActive Publication Date: 2026-06-09SHENZHEN Y& D ELECTRONICS CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
SHENZHEN Y& D ELECTRONICS CO LTD
Filing Date
2025-11-21
Publication Date
2026-06-09

Smart Images

  • Figure CN121193542B_ABST
    Figure CN121193542B_ABST
Patent Text Reader

Abstract

The application discloses a safe and credible host access risk control system and method based on a centralized and distributed control, and relates to the technical field of network security guarantee.The application comprises the following steps: a central controller performs host verification based on a multi-dimensional verification system of credible verification; at least one host controller is arranged at a subnet entrance as a dispersedly executed edge control node; a control object layer is formed by various hosts; the risk control system adopts a centralized and distributed control architecture, and parallel computing engines constructed in the local host controller are used to split and process the control tasks in parallel; the central control node is responsible for global strategy formulation, resource scheduling and high-risk event research and judgment, and the uniformity of the control standard is guaranteed; the host controller is responsible for local access request preprocessing, basic risk assessment and low-risk event disposal, and realizes nearby response; all host devices in the network are controlled in a centralized manner based on the edge security execution component, and the application is suitable for the security control of business terminal computing environments.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of network security protection technology, and in particular relates to a secure and trusted host access risk management system and method based on centralized and distributed management. Background Technology

[0002] Against the backdrop of accelerated digital transformation, large-scale host access scenarios are becoming increasingly common. Key sectors such as industrial control, financial transactions, and government services are placing stringent demands on the real-time, reliability, and accuracy of host access security management. Furthermore, network access entities have diversified from traditional network devices to massive, heterogeneous host entities, including physical servers, virtualization instances, containers, and even various IoT terminals. However, existing host access risk management technologies still face numerous insurmountable core technological bottlenecks, severely hindering the improvement of management effectiveness. Existing technologies mainly face three bottlenecks:

[0003] First, the management architecture faces a dilemma between "centralization" and "distribution": While centralized architecture is easy to manage, it suffers from single points of failure and performance bottlenecks, making it difficult to support the dynamic access of massive numbers of hosts. All management logic and data storage rely on a single central node, and if that node is attacked or suffers hardware failure, the entire system will be completely paralyzed. While distributed architecture can share the load, it lacks an efficient coordination mechanism, resulting in inconsistent strategies and fragmented risk perspectives. Each node makes independent decisions based on its local policies, making it impossible to form a coordinated defense or a systematic defense synergy.

[0004] Secondly, the security verification system has serious shortcomings. Current verification is mostly static and single-stage identity authentication, lacking dynamic measurement of the entire link of host identity trustworthiness, transmission channel reliability and execution environment integrity. It cannot build a trustworthy access foundation from the inside out. For example, the 802.1X access control system mainly relies on username / password or MAC address authentication, which cannot verify key security attributes such as terminal device operating status and software integrity.

[0005] Finally, the rigid resource scheduling mechanism cannot differentiate resource allocation based on host business attributes and real-time risk levels, resulting in diluted security for critical businesses in complex scenarios, low overall management efficiency, and traditional risk assessment models based on preset rule bases that are difficult to cope with new attack methods.

[0006] Therefore, this application provides a secure and reliable host access risk management system and method based on centralized and distributed management, which solves the shortcomings of existing host access risk management in terms of reliability, scalability, accuracy and resource utilization. Summary of the Invention

[0007] The purpose of this invention is to provide a secure and reliable host access risk management system and method based on distributed control. By relying on a distributed control system and using innovative trusted verification technology, it achieves local trusted computing, local trusted connection, local host monitoring and security assurance, and builds a solid defense line for terminal protection. It solves the problems of insufficient reliability, scalability, accuracy and resource utilization in existing host access risk management, and realizes efficient, accurate and reliable risk management in large-scale heterogeneous host access scenarios.

[0008] To solve the above-mentioned technical problems, the present invention is achieved through the following technical solution:

[0009] As a first aspect provided by the present invention, the present invention is a secure and trusted host access risk management system based on distributed control, comprising:

[0010] The central controller for host verification is based on a multi-dimensional verification system of trusted verification. It is used to formulate global trusted policies, perform dynamic resource scheduling, analyze high-risk events, and conduct cross-regional collaboration, serving as a centralized management central controller.

[0011] At least one host controller is deployed at the subnet entrance as a distributed edge control node to receive host access requests and perform local preprocessing, basic trusted verification, and low-risk event handling.

[0012] The control object layer consists of various types of hosts, which access the host controller through the terminal security agent client and are subject to the management and control of the host controller;

[0013] The risk management system adopts a distributed management architecture and uses a parallel computing engine built on the host controller to split and process management tasks in parallel in order to achieve high-performance, low-latency risk assessment.

[0014] Furthermore, the multi-dimensional verification system adopts a three-dimensional trusted verification system, which realizes the transmission and verification of the host's trusted state through the following rules:

[0015] The host completes its own entity trust verification through trusted card hardware, trusted driver, and terminal security agent client, accurately identifying counterfeit hosts;

[0016] After the host is verified, the transmitted data is first encrypted and signed using the national cryptographic algorithm (SM2 / SM4) through the terminal security agent client to ensure that the access request and control command are not tampered with or stolen. Then, it interacts with the host controller in a trusted manner and performs trusted verification of the host controller through the preset signature and verification mechanism.

[0017] After the host controller passes the verification, it can choose to perform trusted verification locally or report to the central controller for global unified verification based on the built-in policy.

[0018] All components are considered untrusted before being measured. Only components that meet the predefined state after measurement are included in the trusted boundary and gain platform control. Only components within the trusted boundary have the right to act as verification agents to perform integrity verification on other components.

[0019] Furthermore, the central controller includes:

[0020] The cryptographic support module is used to provide cryptographic support services based on the PKI system;

[0021] The real-time monitoring and scheduling module is used to monitor the operating status, load, and trust status of the host controller in real time, thereby executing corresponding dynamic resource scheduling.

[0022] The baseline generation module is used to provide real-time security baseline generation services to the host controller through a trusted security agent under the unified policy scheduling of the central controller.

[0023] The distributed integrated server is used to perform security risk analysis and comprehensive processing on information received from multiple host controllers based on the cryptographic support module, real-time monitoring and scheduling module and baseline generation module, generate a unified host security management policy and distribute it to each host controller for automatic execution.

[0024] The trusted log auditing module generates unalterable trusted logs that record host access time, identity information, verification results, and management operation data, and supports subsequent auditing and tracing.

[0025] Furthermore, the host controller includes:

[0026] Endpoint security agent server, which is used to collect and analyze information reported by endpoint security agent clients installed on the host;

[0027] The trusted security agent is used for secure communication with the central controller, remote operation and maintenance, and local trusted computing. Local trusted computing includes dynamic measurement and verification of executable programs and configuration files, and network connection control based on the measurement and verification report.

[0028] The monitoring and management module is used to monitor the host's hardware status, operating system status, middleware status, and application status.

[0029] The policy management module is used by administrators to define control policies, automatically match corresponding control policies based on the characteristics of access hosts, and perform policy auditing.

[0030] The decision-making and handling module is used for policy execution linkage control, mandatory access control, threat assessment and anomaly identification;

[0031] The configuration management module is used for asset lifecycle management, event handling, and configuration backup and recovery.

[0032] The baseline management module is used for collecting and inputting security benchmarks for host users, configuration files, processes, services, and interfaces, as well as locking, issuing, and updating baselines online.

[0033] Furthermore, the configuration management module includes:

[0034] The asset management submodule is used to provide full asset information management and support lifecycle management of the soft and hard assets of the managed systems and equipment;

[0035] The event management submodule provides the ability to query, change status, and view details of various monitored availability events.

[0036] The backup and recovery management submodule is used to manage backup and recovery strategies for configuration information, audit logs, and business data of network devices, security devices, servers, terminals, databases, and application software.

[0037] The hard assets include network equipment, security equipment, servers, storage, and terminals; the soft assets include antivirus software, virtualization software, operating systems, databases, middleware, business application systems, and system management software.

[0038] Furthermore, the baseline types set by the baseline management module include: hardware baseline, operating system baseline, software baseline, process baseline, file baseline, and security configuration baseline.

[0039] Furthermore, the hardware baseline includes: CPU information, GPU information, hard disk size, memory size, cache size, and network bandwidth of the hardware device;

[0040] The operating system baseline includes: the operating system version, the kernel version, the configured network information (such as IP address, DNS, gateway, etc.), and user information (user type, number, etc.).

[0041] The software baseline includes: information on the versions of the installed software;

[0042] The process baseline includes: the file baseline of the executable program and dependent libraries;

[0043] The file baseline includes: file version, access permissions, operation permissions, and log records;

[0044] The security configuration baseline is divided into basic configuration items and optional configuration items based on necessity. Basic configuration items represent the fundamental security configuration requirements for each managed system, while optional configuration items can be followed at the discretion of administrators of each managed system, depending on the actual situation. The content of each security configuration baseline configuration item includes: configuration item description, inspection method, operating procedure, rollback operation, and operational risk description.

[0045] Furthermore, the host devices of the control object layer support Windows, Linux, macOS, HP-UX, Solaris, and AIX platforms. The control object layer collects host system monitoring logs, agent self logs, and Syslog exception logs through the terminal security agent client and sends them to the host controller.

[0046] As a second aspect of the present invention, the present invention provides a risk control method for secure and trusted host access based on distributed control, the risk control method being implemented based on the risk control system described in the first aspect, and the risk control method comprising the following steps:

[0047] Step SS1: Host Access Request Reception and Preprocessing Steps: The host controller listens for and receives host access requests, and filters invalid requests with incorrect formats or illegal source addresses;

[0048] Step SS2: Task Splitting and Parallel Scheduling Step: The host controller splits valid requests into multiple independent sub-tasks based on host type, service priority, and node load, and performs parallel scheduling.

[0049] Step SS3: End-to-End Security and Trust Verification Steps: Each host controller executes sub-tasks and collaboratively completes end-to-end security and trust verification;

[0050] Step SS4: Risk Assessment and Preliminary Handling Steps: The host controller assesses the risk level based on the trusted verification results and the host security status, and performs local handling for low-risk events in conjunction with preset policies, while reporting high-risk events to the central controller.

[0051] Step SS5: Global Assessment and Precise Control: The central controller combines trusted data from the entire network with historical risk records of the hosts to conduct a secondary assessment of high-risk events and issues the final control instructions.

[0052] Step SS6: Data Synchronization and Resource Scheduling Steps: Complete the synchronization of policies, data and status between the central controller and the host controller, and dynamically adjust resource allocation according to the global load status;

[0053] Step SS7: Iterative optimization of strategies and models: Regularly summarize the access data of all network hosts, risk event records and control effect data, and train and optimize control strategies and update risk assessment models online.

[0054] Furthermore, the end-to-end security and trust verification includes:

[0055] Trusted host identity verification: The trusted hardware card, trusted driver, and endpoint security agent client of the host work together to complete the trusted verification of the host identity.

[0056] Transmission trust assurance: Transmitted data is encrypted and signed using SM4 and SM2 algorithms;

[0057] Environment Trust Verification: Verify the execution environment of the host controller and the security status of the host operating system.

[0058] The present invention has the following beneficial effects:

[0059] This invention is based on a distributed control system with a two-tiered "central-edge" collaboration: the central control node is responsible for global policy formulation, resource scheduling, and high-risk event assessment, ensuring the uniformity of control standards; the host controller undertakes local access request preprocessing, basic risk assessment, and low-risk event handling, achieving local response, and centrally controls all host devices within the network based on edge security execution components. It is suitable for security control of business terminal computing environments, adopts a parallel computing mechanism, and, with the support of a unified distributed control system of the central controller, provides enterprises, military, government and other organizations with proactive defense functions for terminals, application servers and business servers within the managed business system area.

[0060] Of course, any product implementing this invention does not necessarily need to achieve all of the advantages described above at the same time. Attached Figure Description

[0061] To more clearly illustrate the technical solutions of the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0062] Figure 1 This is a schematic diagram of the structure of the secure and trusted host access risk management system based on distributed control according to the present invention;

[0063] Figure 2 This is a diagram of the distributed control architecture of the present invention;

[0064] Figure 3 This is a schematic diagram illustrating the trusted verification state transfer process of the multi-dimensional verification system of this invention.

[0065] Figure 4 Diagram of a basic single deployment method for host controller;

[0066] Figure 5 This diagram illustrates a multi-region cascaded deployment method for the host controller. Detailed Implementation

[0067] In the following description, specific details such as particular system architectures and techniques are set forth for illustrative purposes and not for limitation, in order to provide a thorough understanding of the embodiments of this application. However, those skilled in the art will understand that this application may also be implemented in other embodiments without these specific details. In other instances, detailed descriptions of well-known systems, apparatuses, circuits, and methods have been omitted so as not to obscure the description of this application with unnecessary detail.

[0068] It should be understood that, when used in this application specification and the appended claims, the term "comprising" indicates the presence of the described features, integrals, steps, operations, elements and / or components, but does not exclude the presence or addition of one or more other features, integrals, steps, operations, elements, components and / or a collection thereof.

[0069] It should also be understood that the term “and / or” as used in this application specification and the appended claims means any combination of one or more of the associated listed items and all possible combinations, and includes such combinations.

[0070] As used in this application specification and the appended claims, the term "if" may be interpreted, depending on the context, as "when," "once," "in response to determination," or "in response to detection." Similarly, the phrase "if determined" or "if detected [the described condition or event]" may be interpreted, depending on the context, as meaning "once determined," "in response to determination," "once detected [the described condition or event]," or "in response to detection [the described condition or event]."

[0071] Furthermore, in the description of this application and the appended claims, the terms "first," "second," "third," etc., are used only to distinguish descriptions and should not be construed as indicating or implying relative importance.

[0072] References to "one embodiment" or "some embodiments" as described in this specification mean that one or more embodiments of this application include a specific feature, structure, or characteristic described in connection with that embodiment. Therefore, the phrases "in one embodiment," "in some embodiments," "in other embodiments," "in still other embodiments," etc., appearing in different parts of this specification do not necessarily refer to the same embodiment, but rather mean "one or more, but not all, embodiments," unless otherwise specifically emphasized. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless otherwise specifically emphasized.

[0073] Example 1:

[0074] Please see Figures 1-2 As shown, the present invention is a secure and trusted host access risk management system based on distributed control, comprising: a central controller, a host controller, and a control object layer;

[0075] The central controller for host verification is based on a multi-dimensional verification system with trusted verification. It is used to formulate global trusted policies, perform dynamic resource scheduling, analyze high-risk events, and conduct cross-regional collaboration, serving as a centralized management central controller. By adopting a multi-dimensional host risk assessment system based on trusted verification, it breaks through the bottlenecks of traditional control technologies and achieves real-time and accurate control of large-scale host access.

[0076] At least one host controller is deployed at the subnet entrance as a distributed edge control node to receive host access requests and perform local preprocessing, basic trusted verification, and low-risk event handling.

[0077] The control object layer consists of various types of hosts, which access the host controller through the terminal security agent client and are subject to the management and control of the host controller;

[0078] The risk management system adopts a distributed management architecture and uses a parallel computing engine built on the host controller to split and process management tasks in parallel to achieve high-performance, low-latency risk assessment. The designed parallel computing mechanism solves the problem that the serial processing mode will cause request queuing delays, management response timeouts, and failure to meet real-time management requirements.

[0079] A distributed management architecture addresses the single point of failure risk caused by centralizing all management logic on a single node in a centralized architecture. While a distributed architecture can share the load, it lacks an efficient collaboration mechanism between nodes, making it difficult to achieve comprehensive risk management.

[0080] As an embodiment of the present invention, preferably, a distributed control system based on a "central-periphery" two-level collaboration is constructed to provide an overall management system, such as... Figure 2 As shown, the system adopts a "centralized management, decentralized execution" architecture. The central controller serves as the control center, responsible for global trust policy formulation, resource scheduling, high-risk event assessment, and cross-regional collaboration, ensuring consistency of control standards. The host controller, as an edge control node, is deployed at the subnet entrance, undertaking local terminal access preprocessing, basic trust verification, and low-risk event handling, achieving local response and load balancing.

[0081] As an embodiment of the present invention, preferably, the central controller, as the execution platform of the central controller, is deployed in the core area of ​​the network. As a global control and trusted hub, it centrally manages and controls all host controllers in the managed system, receives status information data of the managed host devices collected and reported by the host controllers, completes big data collection, storage, analysis, and visualization, performs comprehensive risk analysis, formulates and distributes overall security strategies, and performs real-time centralized control.

[0082] As an embodiment of the present invention, preferably, the central controller is used to formulate global management and control strategies and trusted verification rules, distribute them to all host controllers and maintain consistency, monitor the operating status, load and trusted status of the host controllers in real time, and perform dynamic resource scheduling; receive high-risk events reported by the host controllers, perform secondary analysis in combination with trusted data from the entire network, and issue final management and control instructions; summarize the network management and control logs, trusted verification records and risk data, and support auditing and traceability; and provide system-level redundant backup and fault self-healing scheduling to avoid single points of failure.

[0083] Example 2:

[0084] Based on Embodiment 1, the risk management system includes a multi-dimensional verification system. The multi-dimensional verification system adopts a three-dimensional trusted verification system. The trusted state verification starts with the trusted verification of the terminal host and is transmitted through various security agent trust lines, thereby transferring the control of the system. Finally, it converges hierarchically to the host controller and the central controller for distributed management.

[0085] As an embodiment of the present invention, preferably, the three-dimensional trusted verification system realizes the transmission and verification of the host's trusted state through the following rules:

[0086] The host completes its own entity trust verification through trusted card hardware, trusted driver, and terminal security agent client to accurately identify fake hosts; in particular, it uses trusted hardware cards that comply with national cryptographic standards, in conjunction with corresponding trusted drivers, to measure system startup items, and at the same time ensures the trustworthiness of terminal entities through static measurement of key system configuration files;

[0087] After the host verification is successful, the terminal security agent first uses the national cryptographic algorithm to encrypt and sign the transmitted data to ensure that the access request and control command are not tampered with or stolen. Then, it interacts with the host controller in a trusted manner and performs trusted verification of the host controller through a preset signature and verification mechanism. Specifically, the terminal security agent completes its own trusted verification by integrating static measurement, dynamic measurement and whitelist mechanism. After the terminal security agent is trusted, the system control is transferred to the terminal security agent. Its transmitted data is encrypted and digitally signed using the national cryptographic algorithm (SM2 / SM4) and interacts with the host controller to ensure that the access request and control command are not tampered with or stolen. It also uses a preset signature and verification mechanism to perform trusted verification of the host controller.

[0088] After successful verification, the host controller selects to perform trusted verification locally or report to the central controller for global unified verification based on its built-in policies. Specifically, after successful trusted verification, the host controller receives the reporting information from the terminal security agent. The host controller security agent then uses the built-in baseline and policy libraries to select whether to perform local trusted verification or report to the central controller for global unified verification. If local execution is selected, the local trusted computing module performs trusted measurement verification on the execution environment of the managed host terminal (including host resources, programs, processes, services, ports, etc.). If global unified verification is selected by the central controller, the remote operation and maintenance module works with the central controller to perform trusted measurement verification on the execution environment of the managed host terminal.

[0089] As an embodiment of the present invention, preferably, all components are considered untrusted before being measured; only components that have undergone trust measurement and meet the predefined state can be included in the trust boundary; the platform does not allow the operation of component entities outside the trust boundary, and only components within the trust boundary can obtain the corresponding platform control; only components within the trust boundary can act as verification agents to perform integrity verification on unverified components.

[0090] Example 3:

[0091] Based on Embodiments 1 and 2, and specifically regarding the multi-dimensional verification system provided in Embodiment 2, as an embodiment of the present invention, preferably, as follows: Figure 3 As shown:

[0092] For terminal host A: Measurement values ​​are collected through the terminal security agent and the trusted status is continuously updated. When requesting network access, the host controller verifies the trusted status of the host through the access center controller, executes policy management, and decides whether to allow access to the trusted network.

[0093] For terminal host B: After the request for network access information passes the trust determination by the host controller, the network access status is allowed (trusted network access). At the same time, a trusted connection request is initiated with terminal host C. The host controller uses the access center controller to determine the latest trust status of B and C, including the trustworthiness of entities and behaviors. Entity trustworthiness is ensured by a trusted whitelist. Behavioral trustworthiness is determined by the integrated access control tools (such as firewall cloud). If the behavior is not trusted, the terminal connection is terminated; if it is trusted, the connection is established.

[0094] Example 4:

[0095] Based on Embodiments 1 and 2, the host controller, as an edge security execution component, is deployed at the edge of each subnet or at the entry point of a business area. Its number can be dynamically expanded according to the scale of access. The edge security execution component provides high-performance real-time security management of host access risks. The host controller is used for the initial reception, preprocessing, and routing of local host access requests; executing control policies issued by the central node, completing basic identity authentication and terminal security status detection; utilizing local parallel computing resources to achieve distributed processing of some risk assessment tasks; handling low-risk events locally (such as direct access or minor alarms); and real-time reporting of high-risk events.

[0096] As an embodiment of the present invention, preferably, the host controller, supported by the central controller platform, mainly assumes the role of an edge execution component, connecting with various host devices of the managed terminals. It receives and analyzes log information sent from the terminal security agent clients on each managed host through a terminal security agent server, and performs corresponding configuration management based on the analysis results. When handling security incidents, it calls the baseline library and corresponding policy library to classify and process the incidents: security incidents within its own subnet are handled and logged by the host controller, and periodically sent to the central controller for log auditing; security incidents requiring unified resource allocation by the central controller are promptly reported to the central controller through a trusted security agent. The central controller statistically analyzes the information reported by multiple edge execution components, assesses the network operation risk, generates and distributes corresponding policies to the host controller, and coordinates with multiple edge execution components such as firewalls, intrusion detection systems, and security gateways for collaborative control, achieving security operations such as blocking unauthorized external connections, thus constructing a terminal host security system for the managed system.

[0097] As an embodiment of the present invention, preferably, the host controller includes:

[0098] The endpoint security agent server is used to collect and analyze information reported by endpoint security agent clients installed on the host, realize client connection services, collect log information sent by endpoint security agent clients, and provide functions such as registration, maintenance and deregistration of endpoint security agent clients. It also works in conjunction with the monitoring module, configuration management, log analysis engine, baseline management module and decision-making module to achieve security control of the endpoint host.

[0099] The trusted security agent communicates securely with the central controller to deliver collected data and security-related events, send operational data, and report its configuration and status. Connected to the central controller, it can also remotely upgrade, monitor, and configure the device. The host controller architecture utilizes cryptographic techniques to rigorously monitor and verify the configuration status of network devices, enhancing trusted computing capabilities to ensure real-time integrity measurement of the configuration status of managed objects reported to the central controller. The trusted security agent supports automatic clock synchronization, secure and trusted remote operation and maintenance with traceable records, and local trusted computing.

[0100] The monitoring and management module is used to monitor the host's hardware status, operating system status, middleware status, and application status, providing monitoring functions for the terminal host's operation. Specific monitoring content includes: device hardware and status information, including: device CPU utilization, memory utilization, disk utilization, disk read / write IOPS, network interface traffic, network connection count, etc.; device operating system status information, including: system load information, disk read / write information, file access system; middleware status information, providing users with monitoring and management of various middleware connected to the host controller, including: middleware concurrent connections, requests per second, etc. Supported middleware types include: Tomcat, Weblogic, WebSphere, etc.; application status information, which can monitor the running status of applications, including: web running information, MySQL and Oracle database running information, etc.

[0101] The policy management module is used by administrators to define control policies, automatically match corresponding control policies based on the characteristics of access hosts, and perform policy auditing; it provides a flexible control policy configuration and execution mechanism.

[0102] The decision-making and handling module is used for policy execution linkage control, mandatory access control, threat assessment and anomaly identification. Based on the decisions provided by the policy management module and the central controller, it performs corresponding decision-making and handling operations.

[0103] The configuration management module is used for asset lifecycle management, event handling, and configuration backup and recovery.

[0104] The baseline management module is used for collecting and inputting security benchmarks for host users, configuration files, processes, services, interfaces, etc., locking and issuing baselines, and updating them online.

[0105] As an embodiment of the present invention, preferably, the trusted security agent performs trusted verification on the measurement objects during device operation. The measurement objects mainly include executable programs, shared libraries, function libraries, configuration files, etc. Data of the measurement objects is obtained based on the root of trust, and cryptographic operations are performed to complete the verification process. During system operation, key information in memory is actively verified in real time, and the system environment and business program operation status are dynamically measured and monitored. The operating system execution environment is periodically verified, and trusted verification of the operating system execution environment and program execution environment is performed at critical execution stages of the business program. The trusted report is protected from tampering through the national cryptographic algorithm of the root of trust. The software management agent achieves self-protection within the operating system, preventing malicious blocking, uninstallation, and damage. Trusted connections are supported: network connection control is performed based on the device's trusted report, preventing network access from untrusted devices and trusted devices in abnormal states.

[0106] As an embodiment of the present invention, preferably, the configuration management module includes: an asset management submodule, an event management submodule, and a backup and recovery management submodule, specifically:

[0107] The asset management submodule provides comprehensive asset information management, supporting the management and display of assets for managed systems and devices. It offers comprehensive lifecycle management of both software and hardware assets for data centers, providing a foundation for attack surface identification and business availability management. Managed assets include hardware such as network devices, security devices, servers, storage, and terminals; software such as antivirus software, virtualization software, operating systems, databases, middleware, business application systems, and system management software; information on hardware and software procurement and maintenance dates, licenses, users, and management personnel; and network topology and IP addresses. Specific management and disposal methods are as follows for different types of assets:

[0108] For hardware assets, the asset catalog and related information are maintained through proactive discovery and data entry, and asset relationships are sorted out through methods such as data center-cabinet-equipment relationships and switch-equipment relationships.

[0109] For software assets, the asset catalog and related information are maintained through proactive discovery and data entry to ensure timely tracking of software asset information.

[0110] For network topology, network management software is used to generate a network topology map based on the deployment location of hardware assets, and at the same time, label information such as IP addresses;

[0111] The event management submodule provides management operations for various monitored events, specifically including: supporting query operations for availability events; supporting editing operations for the availability event list, including: refreshing the list, changing the status of availability events, clearing filter conditions, configuring event list columns, and controlling the event list page; and supporting viewing availability event details, including: displaying summary information, event type, occurrence time, and other event information.

[0112] The backup and recovery management submodule supports backup, recovery, version management, and comparison analysis of configuration files; it provides the function of viewing backup records of important configuration files, as well as the differences between versions, and specifying a backup version for repair. Specific features include: support for configuring backup servers; support for backup and recovery policy management of configuration information and audit logs of network devices and security devices, configuration information and audit logs of servers, terminals, databases, and application software, and important business data; support for backing up data according to backup policies and encrypting the backup data; and support for monitoring backup and recovery status.

[0113] As an embodiment of the present invention, preferably, the policy management module includes:

[0114] Policy configuration unit: Supports administrators to customize control policies, associate risk levels with handling measures, such as low risk: allow access directly; medium risk: issue an alarm and restrict access; high risk: block access and isolate the terminal; very high risk: trigger emergency response process;

[0115] Policy adaptation unit: Automatically matches the corresponding management and control policy based on the service type, region, and security level of the access host to achieve differentiated management and control;

[0116] Strategy Audit Unit: Records the history of strategy modifications and execution effects, providing data support for strategy optimization.

[0117] As an embodiment of the present invention, preferably, the baseline management module implements a computing environment integrity measurement based on host baselines: it provides the collection and input of security benchmarks for host users, configuration files, processes, services, interfaces, etc., as well as the locking, distribution, and online updating of baselines. The baseline types set by the baseline management module include: hardware baseline, operating system baseline, software baseline, process baseline, important file baseline, and security configuration baseline.

[0118] The hardware baseline includes baseline information such as the recommended processing power of the hardware device (CPU information, GPU information), the recommended storage power of the hardware device (hard drive size, memory size, cache size, etc.), and the recommended network bandwidth of the hardware device.

[0119] The operating system baseline includes: the operating system version, the kernel version, network information configured in the operating system (such as IP address, DNS, gateway, etc.), and user information configured in the operating system (user type, number, etc.).

[0120] The software baseline includes: information on the versions of the installed software;

[0121] Process baselines include: Process baselines mainly refer to process whitelists, including: executable program and dependent library file baselines;

[0122] Important file baselines include: Important file baselines refer to information such as the version, access permissions, operation permissions, and log records of important files;

[0123] The security configuration baseline is divided into basic configuration items and optional configuration items based on necessity. The basic configuration items are the basic security configuration requirements for each managed system, while the optional configuration items can be followed by the administrators of each managed system as appropriate based on the actual situation. The content of the security configuration baseline configuration items includes: description of the configuration item, inspection method, operation procedure, rollback operation, and operation risk description.

[0124] As an embodiment of the present invention, preferably, the decision-making and processing module specifically includes the following functions:

[0125] Linked Control: Supports a joint defense and linkage mechanism based on a trusted connection security management protocol. Based on the AI ​​algorithm library and toolset provided by the central controller, it enables comprehensive collaborative management and defense of terminal hosts.

[0126] Mandatory Access Control: Supports mandatory access control for files, processes, networks, resources, and capability calls; supports learning mandatory access control rules; supports three working modes: learning mode, auditing mode, and mandatory control mode; allows system administrators to associate each program with a security configuration file to restrict the program's functionality, i.e., administrators can specify which files a program can read, write, or run, and whether it can open network ports, etc.

[0127] Threat assessment and anomaly identification: Supports assessment of the current threat level of terminal devices through protocol analysis, behavior detection, etc., and supports viewing information such as assessment progress, recent assessment time, and assessment report; supports identification of abnormal operation behaviors such as brute-force attacks, abnormal logins, rootkits, high-risk commands, and local privilege escalation.

[0128] Example 5:

[0129] Based on Embodiments 1 and 2, the central controller includes:

[0130] The cryptographic support module provides cryptographic support services based on the PKI system, and implements the relevant cryptographic support service functions of the PKI system. It mainly includes modules such as the security authentication system (CA), certificate distribution management system (RA), key management center (KMC), certificate / certificate revocation list storage and distribution system (LDAP), and cryptographic machine. It has functions such as user application, application review, certificate issuance, certificate revocation, key management, user management, and system management. It can realize cryptographic service functions such as certificate application, certificate distribution, certificate download, certificate revocation, certificate update, certificate status query, key recovery, and hardware operation of cryptographic algorithms such as SM1, SM2, SM3, and SM4.

[0131] The real-time monitoring and scheduling module is used to monitor the running status, load, and trust status of edge nodes (host controllers) in real time, thereby performing corresponding dynamic resource scheduling. Specifically, the real-time monitoring and scheduling module integrates a set of tools related to terminal host device information collection and status detection, mainly including functions such as firewall, intrusion detection, vulnerability scanning, virus protection, configuration management, security isolation, and network measurement, to realize the collection of terminal operating environment information and the detection of the terminal's real-time running status.

[0132] The baseline generation module, under the unified policy scheduling of the central controller, provides real-time security baseline generation services to the host controller through a trusted security agent. As the core support of the network communication security baseline generation system, it is equipped with a dedicated AIGC model based on the Transformer architecture. The baseline generation module does not operate independently, but is deeply embedded in the collaborative scheduling system of the central controller. Under the unified policy scheduling of the central controller, it opens up calling capabilities to the host controller through a trusted security agent to meet the needs of real-time generation of security baselines for large-scale terminal host devices.

[0133] The distributed integrated server, based on a cryptographic support module, a real-time monitoring and scheduling module, and a baseline generation module, is centrally managed by a central controller. It performs security risk analysis and comprehensive processing on information received from multiple host controllers, generates unified host security control policies, and distributes them to each host controller for automated execution. It handles and blocks security incidents, reducing the risk of security incidents to an acceptable level. This achieves the goals of distributed deployment, centralized control, automation, and intelligent security control, meeting the needs of highly reliable, efficient, and continuous secure operation of complex system networks.

[0134] The trusted log auditing module generates unalterable trusted logs that record the entire process of host access time, identity information, verification results, and management operations, and supports subsequent auditing and traceability.

[0135] As an embodiment of the present invention, preferably, with the support of a high-computing-power platform, the PDRR model, time-division and space-division control model, risk degradation model, etc. are adopted to have adaptive comprehensive detection, analysis and security management and control capabilities.

[0136] Example 6:

[0137] Based on Embodiment 1 to Embodiment 2, as an embodiment provided by the present invention, preferably, the control object layer refers to the terminal devices for security control by the host controller, including various types of host devices. The host devices of the control object layer support Windows, Linux, macOS, HP-UX, Solaris, and AIX platforms. The terminal devices use terminal security agent clients to access the host controller through a local area network or private network and are subject to the unified management and control of the host controller.

[0138] As an embodiment of the present invention, preferably, the control object layer collects various logs, including host system monitoring logs, agent self-logs, and Syslog exception logs, through a terminal security agent client and sends them to the host controller. Specifically, the terminal security agent client is installed on the host device to be controlled, mainly performing the log collection function of the terminal host device, reading various log files of the host, and sending the collected logs to the security agent server of the host controller for analysis and processing. The scope of collected logs includes, but is not limited to: host system monitoring logs: user login, file integrity, malware; agent self-monitoring logs; Syslog exception logs; email service logs; firewall logs; Privileged Access Management (PAM) personal application management logs; protocol logs; network monitoring logs; virus scanning, vulnerability service, etc.

[0139] Example 7:

[0140] This invention relates to a risk management method for secure and trusted host access based on distributed control. The risk management method is implemented based on the risk management system described in Examples 1 to 6, and includes the following steps:

[0141] Step SS1: Host Access Request Reception and Preprocessing: The host controller listens for and receives host access requests, extracts core information such as host IP address, MAC address, hardware fingerprint, and service identifier, performs format standardization processing, and filters invalid requests with incorrect format or illegal source address.

[0142] Step SS2: Task Splitting and Parallel Scheduling: The host controller sends valid requests to the local parallel computing engine. The task splitting unit splits the control task into N independent subtasks (N≥2) based on the host type, business priority, and current node load. The parallel scheduling unit allocates the subtasks to local idle computing cores or nearby edge nodes, with subtasks of core business hosts being executed first.

[0143] Step SS3: End-to-End Security and Trust Verification: Each host controller executes sub-tasks and collaboratively completes end-to-end security and trust verification;

[0144] Step SS4: Risk Assessment and Preliminary Handling: The host controller assesses the risk level based on the trusted verification results and the host security status, and performs local handling for low-risk events in conjunction with preset policies, while reporting high-risk events to the central controller.

[0145] Step SS5: Global Assessment and Precise Control: The central controller combines trusted data from the entire network with historical risk records of the host to conduct a secondary assessment of high-risk events and issue final control instructions: High risk: Instruct edge nodes to block host access and notify the administrator for verification; Extremely high risk: Instruct edge nodes to block access and isolate the host from the network, triggering emergency response procedures (such as scanning for malicious programs on the host and tracing the source of access).

[0146] Step SS6: Data Synchronization and Resource Scheduling: Complete the synchronization of policies, data and status between the central controller and the host controller. The host controller dynamically adjusts resource allocation according to the load status of each edge node, migrating some tasks from high-load nodes to low-load nodes to achieve global load balancing.

[0147] Step SS7: Strategy and Model Iteration Optimization: The host controller regularly summarizes the access data of all hosts on the network, risk event records, and control effect data to optimize control strategies; it also trains the risk assessment model online, updates model parameters, and improves the accuracy of risk identification.

[0148] As an embodiment of the present invention, preferably, the end-to-end security and trust verification includes:

[0149] Trusted host identity verification: The trusted hardware card, trusted driver, and endpoint security agent client of the host work together to complete the trusted verification of the host identity.

[0150] Transmission Trust Guarantee: Transmitted data is encrypted and signed using SM4 and SM2 algorithms to ensure secure data transmission.

[0151] Environment Trust Verification: Verify the execution environment of the host controller and the security status of the host operating system.

[0152] This invention constructs a three-dimensional verification system: "Trusted Host Identity - Trusted Data Transmission - Trusted Execution Environment." Trusted host identity is achieved through "Hardware Trusted Card + Trusted Driver + Terminal Security Agent" to accurately identify forged hosts. Data transmission uses national cryptographic algorithms (SM2 / SM4) for encryption and digital signatures, ensuring that access requests and control commands are not tampered with or stolen. A trusted execution environment is verified by the host controller to check the integrity of edge node firmware, the security status of the host operating system, and the digital signature of the control program, preventing the execution environment from being hijacked. Simultaneously, an immutable trusted log is generated, enabling full-process traceability and auditing of the access process.

[0153] As an embodiment of the present invention, preferably, step SS4, risk assessment and preliminary handling, combines the trusted verification results with the host security status (vulnerability status, behavioral characteristics), and assesses the risk level (low, medium, high, very high) using an improved random forest algorithm; the host controller then performs preliminary handling according to a preset strategy.

[0154] Trustworthy and low-risk: Allow host access directly and record trusted logs;

[0155] Trusted Medium Risk: Allow access, restrict access to core resources and trigger local alarms;

[0156] Untrustworthy / High Risk / Extremely High Risk: Temporarily reject the access request and report the risk event and complete verification data to the central controller.

[0157] Example 8:

[0158] Based on Embodiments 1 to 6, as an embodiment provided by the present invention, preferably, the secure and trusted host access risk controller built on the distributed control system supports classic independent deployment and multi-region cascaded deployment methods, respectively:

[0159] Classic standalone deployment: Typical deployment schemes for secure and trusted host controllers include... Figure 4 As shown. By connecting a secure and trusted host controller in series at the network core switching node or aggregation switching node, data traffic on the access network side is collected, and north-south traffic monitoring and control are carried out. This enables network operation status monitoring, user-end traffic visualization analysis, and the identification, location, and blocking of unauthorized hosts and unauthorized access devices.

[0160] Multi-region cascaded deployment: When organizations are geographically dispersed, multi-region deployment can be achieved through cascading, such as... Figure 5 As shown, it realizes the collection of data traffic on the network side of the region, performs north-south traffic monitoring and control, conducts network operation status monitoring, user-end traffic visualization analysis, and identifies, locates and blocks unauthorized hosts and unauthorized access devices.

[0161] This invention is based on a distributed security management strategy that combines unified and decentralized approaches. It constructs a two-layer distributed network architecture, utilizing a central controller to comprehensively monitor the operational status of the managed network, responsible for global policy formulation, resource scheduling, and high-risk event assessment, ensuring the uniformity of control standards. Edge node host controllers preprocess local access requests, conduct basic risk assessments, and handle low-risk events, achieving localized response. This achieves a clear separation of system management responsibilities. Security administrators can efficiently formulate unified security management policies for host controllers using the central controller, while host controllers take targeted measures based on the overall policy and the actual situation of their local area network. This effectively balances the standardization and efficiency of terminal host management, making it suitable for the security management of business terminal computing environments. Employing a parallel computing mechanism, and supported by a unified distributed control system under the central controller, it provides proactive defense capabilities for terminals, application servers, and business servers within the managed business system area for organizations such as enterprises, the military, and governments.

[0162] This invention is based on end-to-end trusted security protection of the host, and constructs a three-dimensional trusted verification system of "identity-transmission-environment". Combining national cryptographic algorithms and triple authentication mechanisms, it completely resists malicious behaviors such as identity forgery, man-in-the-middle attacks, data tampering, and execution environment hijacking. Compared with traditional single-dimensional verification schemes, it has more comprehensive security protection dimensions, significantly improves attack resistance capabilities, and effectively avoids the leakage of core data and the intrusion of business systems.

[0163] This invention, based on continuous intelligent monitoring and analysis, constructs a dynamic security defense. Compared to traditional threshold detection devices, the host controller designed in this invention employs intelligent anomaly detection technology to automatically discover and detect the configuration status, operational status, and network connectivity of terminal hosts in real time. The host controller identifies anomalies in network structure and business behavior by setting security baselines, and intelligently predicts and detects terminal hosts by calling the AI ​​algorithm library integrated into the central controller. This reduces manual configuration workload while improving detection accuracy, helping customers establish a continuously responsive and dynamically adjustable security system.

[0164] A secure and trusted host access risk management system and method based on distributed management and control. This system relies on a distributed management and control system and uses innovative trusted verification technology to provide a high-performance product for the secure management and control of business terminal computing environments. It realizes local trusted computing, local trusted connection, local host monitoring and security assurance, and builds a solid defense line for terminal protection.

[0165] In the description of this specification, references to terms such as "an embodiment," "example," "specific example," etc., indicate that a specific feature, structure, material, or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. In this specification, illustrative expressions of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples.

[0166] The preferred embodiments of the present invention disclosed above are merely illustrative of the invention. These preferred embodiments do not exhaustively describe all details, nor do they limit the invention to the specific implementations described. Clearly, many modifications and variations can be made based on the content of this specification. This specification selects and specifically describes these embodiments to better explain the principles and practical applications of the invention, thereby enabling those skilled in the art to better understand and utilize the invention. The invention is limited only by the claims and their full scope and equivalents.

Claims

1. A secure and trusted host access risk management system based on distributed control, characterized in that, include: The central controller performs host verification based on a multi-dimensional verification system of trusted verification, and formulates global trusted policies, analyzes high-risk events, performs dynamic resource scheduling, and cross-regional collaboration based on the verification results. At least one host controller is deployed at the subnet ingress as a distributed edge control node. It receives host access requests and performs local preprocessing, basic trusted verification, and low-risk event handling. The host controller breaks down valid requests into multiple independent sub-tasks based on host type, service priority, and node load, and schedules them in parallel. Each host controller executes the sub-tasks and collaboratively completes end-to-end security and trusted verification. The host controller assesses the risk level based on the trusted verification results and host security status, and performs local handling of low-risk events in conjunction with preset policies. High-risk events are reported to the central controller. The control object layer consists of various types of hosts, which access the host controller through the terminal security agent client and are subject to the management and control of the host controller; The secure and trusted host access risk management system based on distributed management adopts a distributed management architecture and uses a parallel computing engine built on the host controller to split and process management tasks in parallel. The central controller includes: The cryptographic support module is used to provide cryptographic support services based on the PKI system; The real-time monitoring and scheduling module is used to monitor the operating status, load, and trust status of the host controller in real time, and to perform corresponding dynamic resource scheduling. The baseline generation module is used to provide real-time security baseline generation services to the host controller through a trusted security agent under the unified policy scheduling of the central controller. The distributed integrated server, based on the cryptographic support module, real-time monitoring and scheduling module and baseline generation module, performs security risk analysis and integrated processing on information received from multiple host controllers, generates a unified host security management policy and distributes it to each host controller for automated execution. The trusted log auditing module generates unalterable trusted logs that record host access time, identity information, verification results, and management operation data, and supports audit traceability. The multi-dimensional verification system adopts a three-dimensional trusted verification system, which realizes the transmission and verification of the host's trusted state through the following rules: The host completes its own entity trust verification through trusted card hardware, trusted driver, and terminal security agent client to identify forged hosts; After the host is verified, the transmitted data is first encrypted and signed using the national cryptographic algorithm through the terminal security agent client, and then trusted interaction is performed with the host controller. The host controller is then trustedly verified through the preset signature and verification mechanism. After the host controller passes the verification, it can choose to perform trusted verification locally or report to the central controller for global unified verification based on the built-in policy.

2. The secure and trusted host access risk management system based on distributed control as described in claim 1, characterized in that, The host controller includes: Endpoint security agent server, which is used to collect and analyze information reported by endpoint security agent clients installed on the host; The trusted security agent is used for secure communication with the central controller, remote operation and maintenance, and local trusted computing. Local trusted computing includes dynamic measurement and verification of executable programs and configuration files, and network connection control based on the measurement and verification report. The monitoring and management module is used to monitor the host's hardware status, operating system status, middleware status, and application status. The policy management module is used by administrators to define control policies, automatically match corresponding control policies based on the characteristics of access hosts, and perform policy auditing. The decision-making and handling module is used for policy execution linkage control, mandatory access control, threat assessment and anomaly identification; The configuration management module is used for asset lifecycle management, event handling, and configuration backup and recovery. The baseline management module is used for collecting and inputting security baselines for host users, configuration files, processes, services, and interfaces, as well as locking, distributing, and updating baselines online.

3. The secure and trusted host access risk management system based on distributed control as described in claim 2, characterized in that, The configuration management module includes: The asset management submodule is used to provide full asset information management and support lifecycle management of the soft and hard assets of the managed systems and equipment; The event management submodule provides the ability to query, change status, and view details of various monitored availability events. The backup and recovery management submodule is used to manage backup and recovery strategies for configuration information, audit logs, and business data of network devices, security devices, servers, terminals, databases, and application software. The hard assets include network equipment, security equipment, servers, storage, and terminals; the soft assets include antivirus software, virtualization software, operating systems, databases, middleware, business application systems, and system management software.

4. The secure and trusted host access risk management system based on distributed control as described in claim 2, characterized in that, The baseline types set by the baseline management module include: hardware baseline, operating system baseline, software baseline, process baseline, file baseline, and security configuration baseline.

5. The secure and trusted host access risk management system based on distributed control as described in claim 4, characterized in that, The baseline types include: Hardware baseline: CPU information, GPU information, hard drive size, memory size, cache size, and network bandwidth of hardware devices; Operating system baseline: operating system version, kernel version, configured network information, and user information; Software baseline: Information on the versions of the installed software; Process baseline: The file baseline of the executable program and its dependent libraries; File baseline: file version, access permissions, operation permissions, and log records; Security configuration baseline: Description of configuration items, inspection methods, operation steps, rollback operations, and explanation of operational risks.

6. The secure and trusted host access risk management system based on distributed control as described in claim 1, characterized in that, The host devices in the control object layer support Windows, Linux, macOS, HP-UX, Solaris, and AIX platforms. The control object layer collects host system monitoring logs, agent logs, and Syslog exception logs through the terminal security agent client and sends them to the host controller.

7. A method for managing the risk of secure and trusted host access based on distributed control, characterized in that, The risk control method is implemented based on the secure and trusted host access risk control system based on distributed control as described in any one of claims 1-6, and the risk control method includes the following steps: Step SS1: The host controller listens for and receives host access requests, and filters invalid requests with incorrect formats or illegal source addresses; Step SS2: The host controller splits valid requests into multiple independent sub-tasks based on host type, service priority, and node load, and performs parallel scheduling. Step SS3: Each host controller executes sub-tasks to collaboratively complete end-to-end security and trust verification; Step SS4: The host controller assesses the risk level based on the trusted verification results and the host security status, and performs local processing for low-risk events in conjunction with preset policies, while reporting high-risk events to the central controller. Step SS5: The central controller combines trusted data from the entire network with historical risk records of the host to conduct a secondary analysis of high-risk events and issues the final control instructions; Step SS6: Complete the synchronization of policies, data and status between the central controller and the host controller, and dynamically adjust resource allocation according to the global load status; Step SS7: Regularly summarize all network host access data, risk event records, and control effectiveness data, and train and optimize control strategies and update risk assessment models online.

8. The method for managing the risk of secure and trusted host access based on distributed control as described in claim 7, characterized in that, The end-to-end security and trust verification includes: The trusted hardware card, trusted driver, and endpoint security agent client of the host are used to work together to complete the trusted verification of the host identity; The transmitted data is encrypted and signed using SM4 and SM2 algorithms; Verify the execution environment of the host controller and the security status of the host operating system.