Process-aware zero-trust access control method and system for industrial internet

By introducing a process flow-aware zero-trust access control method into the Industrial Internet, process flow sequence templates are generated and user equipment operation sequences are recorded to achieve intelligent pre-selection and caching. This solves the decision delay problem caused by the large access policy library and improves the real-time performance and security of access control.

CN121682864BActive Publication Date: 2026-06-19HUNAN ZHONGGUANTIANXIA TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
HUNAN ZHONGGUANTIANXIA TECH CO LTD
Filing Date
2025-12-09
Publication Date
2026-06-19

AI Technical Summary

Technical Problem

Existing zero-trust access control schemes combined with ABAC suffer from large decision-making overhead and access latency due to the massive access policy library in industrial scenarios with distinct process characteristics, failing to meet the dual requirements of security and real-time performance in industrial internet scenarios.

Method used

By generating process flow sequence templates, establishing persistent session records of user equipment operation sequences, performing process flow awareness and caching, utilizing template libraries for intelligent pre-selection and constraints, and pre-loading candidate policy subsets for access decisions, the scope of policy matching and decision latency are reduced.

Benefits of technology

Without altering the original access control semantics and security strength, the policy matching scope and decision latency are reduced, meeting the dual requirements of security and real-time performance in industrial internet scenarios.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN121682864B_ABST
    Figure CN121682864B_ABST
Patent Text Reader

Abstract

This application relates to the field of industrial control system security management technology, and discloses a process-aware zero-trust access control method and system for the Industrial Internet. The method includes: generating multiple process sequence templates and mapping policy subsets; generating persistent sessions for users and devices to record device operation sequences; appending access requests to the device operation sequences to form prefix operation sequences; encapsulating the prefix operation sequences into an initial decision request; performing template pre-selection based on the matching degree with each process sequence template; obtaining candidate policy subsets corresponding to the pre-selected process sequence templates, and appending the candidate policy subsets to the initial decision request to form a complete decision request; forming a policy search space based on the candidate policy subsets in the complete decision request to make an access decision on the complete decision request. This application can meet the dual requirements of security and real-time performance for access decision-making methods in Industrial Internet scenarios.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of industrial control security management technology, and in particular to a process-aware zero-trust access control method and an access permission management system for the industrial internet. Background Technology

[0002] With the convergence of the Industrial Internet and IT / OT (IT for Information Technology and OT for Operation Technology), industrial control systems are interconnected with external networks via Ethernet, 5G, and cloud platforms. This exposes production equipment and control systems to more complex environments, significantly increasing risks such as internal privilege escalation, lateral movement, and supply chain attacks. Traditional perimeter protection combined with internal default trust models is no longer sufficient.

[0003] Zero-trust architecture emphasizes continuous verification and eliminates the distinction between internal and external networks. Each access requires dynamic evaluation based on multi-dimensional attributes such as subject, resource, operation, and environment. ABAC (Attribute-Based Access Control), as a typical implementation of zero-trust, constrains access through a combination of subject, resource, operation, and environment attributes. Compared to RBAC (Role-Based Access Control), it offers finer granularity and stronger expressiveness, and has been applied in various industrial internet access control systems.

[0004] However, in industrial scenarios with distinct process flow characteristics, existing zero-trust solutions combined with ABAC still have shortcomings.

[0005] First, in order to ensure sufficient access security during the operation of process equipment, most systems treat each access as an independent event, and the PDP (Policy Decision Module) only performs a general matching strategy based on the current request attributes. In order to cover multiple processes, multiple devices, and multiple levels of security requirements, the ABAC policy library is usually large in scale and complex in conditions. Each authorization by the PDP needs to be matched and calculated in a large number of policies, resulting in a large decision delay, which can easily become a bottleneck in some control scenarios with high real-time requirements.

[0006] To enhance intelligence, some existing technologies attempt to incorporate artificial intelligence to mine risk patterns from historical logs, assist in generating or optimizing strategies, and even use deep learning to directly participate in online decision-making. While these methods have certain advantages in anomaly detection, the high overhead of online inference for complex models conflicts with the millisecond-level response requirements of industrial control scenarios. Furthermore, their focus is primarily on risk scoring or strategy generation, lacking a unified modeling and caching mechanism for process flows and operation sequences, thus failing to systematically leverage the predictability of operation sequences to reduce decision-making overhead.

[0007] Existing systems have also adopted performance optimization techniques such as result caching, policy hierarchy, and resource partitioning. However, these optimization techniques cannot reduce the policy scope. When the number of access operations is large, the policy library is complex, and the technology is diverse, PDP still needs to match on a large-scale policy set, and access control latency is difficult to control stably.

[0008] Therefore, there is an urgent need to propose a process-aware zero-trust access control method for the Industrial Internet to address the shortcomings of existing zero-trust access control schemes combined with ABAC when applied to industrial scenarios with obvious process characteristics. These shortcomings include large decision-making overhead and access latency due to the large access policy library, which fails to meet the dual requirements of security and real-time performance for access decision-making in the Industrial Internet scenario. Summary of the Invention

[0009] The main purpose of this application is to provide a process-aware zero-trust access control method and system for the Industrial Internet, which aims to solve the problem that existing zero-trust access control schemes combined with ABAC cannot meet the dual requirements of security and real-time performance of access decision-making in the Industrial Internet scenario when applied to industrial scenarios with obvious process characteristics.

[0010] To achieve the above objectives, this application provides a process-aware zero-trust access control method for the Industrial Internet, comprising the following steps:

[0011] Multiple process flow sequence templates are generated to build a template library, and a corresponding strategy subset is mapped for each process flow sequence template.

[0012] When a user’s first operation on the device is detected within a preset time period, a persistent session is generated for the user and the device to record the sequence of device operations performed by the user on the device within the preset time period.

[0013] When a user initiates an access request to the device, the operation corresponding to the access request is appended to the device operation sequence to form a prefix operation sequence;

[0014] Based on the prefix operation sequence and the multidimensional attributes of the set type, an initial decision request is encapsulated.

[0015] Based on the matching degree between the prefix operation sequence and each process flow sequence template in the template library, process flow sequence templates are pre-selected;

[0016] Obtain a subset of candidate strategies corresponding to the pre-selected process flow sequence template, and append the subset of candidate strategies to the initial decision request to form a complete decision request;

[0017] A strategy search space is formed based on the subset of candidate strategies in the complete decision request in order to make an access decision for the complete decision request.

[0018] Optionally, after the step of pre-selecting process flow sequence templates based on the matching degree between the prefix operation sequence and each of the process flow sequence templates in the template library, the method further includes:

[0019] When there is no process sequence template in the template library that matches the prefix operation sequence, the preset full strategy library is obtained and loaded, and the access request is evaluated in combination with the obtained multi-dimensional attributes to make an access decision.

[0020] Optionally, the step of generating multiple process sequence templates to construct a template library includes:

[0021] Collect historical access log records from the log library, wherein each log includes: session identifier, user identifier, user role, device identifier, device type, operation type, operation parameters, and timestamp;

[0022] Logs are grouped according to the session identifier to group logs belonging to the same session identifier into the same group, and operation events are sorted in ascending order of timestamp within the same group to obtain a set of historical session event sequences.

[0023] A set of candidate access process sequences is formed based on the frequency of occurrence of the historical session event sequences;

[0024] Based on the set of candidate access flow sequences, construct and train a sequence prediction model;

[0025] Based on the sequence prediction model, process flow sequence templates are selected and formed.

[0026] Optionally, the step of mapping a strategy subset corresponding to each of the process flow sequence templates includes:

[0027] Read each operation event included in the process flow sequence template, and read the set key attributes of each operation event;

[0028] Based on the set key attributes of each operation event, the strategies corresponding to the set key attributes are selected from the full strategy library;

[0029] All strategies selected for each operation event are aggregated to form a subset of candidate strategies;

[0030] Establish an event-strategy mapping relationship between each operation event included in the process flow sequence template and the corresponding subset of candidate strategies;

[0031] The process flow sequence template and the event-strategy mapping relationship are stored in the template library.

[0032] Optionally, the step of pre-selecting process flow sequence templates based on the matching degree between the prefix operation sequence and each process flow sequence template in the template library includes:

[0033] Extract the feature vector of each operation event in the prefix operation sequence, wherein the operation vector includes operation type, device type and parameter value range;

[0034] The prefix operation sequence is matched sequentially with the operation events of each process flow sequence template pre-stored in the template library.

[0035] Calculate the feature vector similarity between each first operation event included in the prefix operation sequence and the corresponding second operation events in the pre-stored process flow sequence templates in the template library, in order to determine the comprehensive step similarity;

[0036] Based on the comprehensive step similarity and step confidence, the overall matching degree between the prefix operation sequence and each of the process flow sequence templates pre-stored in the template library is calculated;

[0037] When there is a process flow sequence template whose overall matching degree reaches a preset threshold, the process flow sequence template is used as a pre-selected result.

[0038] Optionally, the step of obtaining the candidate strategy subset corresponding to the pre-selected process flow sequence template includes:

[0039] Call the preset event-policy mapping query interface;

[0040] Using the template identifier of the pre-selected process flow sequence template and the cutoff operation event corresponding to the prefix operation sequence as keys, extract the policy subsets corresponding to the cutoff operation events in sequence from the policy subsets corresponding to the pre-selected process flow sequence template, and maintain them in the candidate policy subset.

[0041] Optionally, in the step of generating multiple process flow sequence templates to construct a template library:

[0042] Under the constraints of a preset minimum support threshold, minimum sequence length, and maximum sequence length, the system mines frequently occurring access event sequences in historical data to form a candidate access process sequence set. ,in, ;in, For the first k A sequence of candidate access processes. for The first in j One operation event ;

[0043] When training the sequence prediction model, a set of historical session event sequences is used. C As training samples, the previous j Operation events As input, predict the first Probability distribution of each operation event Optimization is achieved through cross-entropy loss;

[0044] After the model training converges, for each candidate access sequence Perform dependency verification;

[0045] For each location, Input the sequence prediction model to obtain the predicted probability distribution of each subsequent operation event;

[0046] Read the actual number Predicted probability of each operation event As the first i Step confidence of each operation event ;

[0047] By assessing the step confidence of all steps in the process flow sequence template Perform a weighted average to calculate the overall confidence level of the process flow sequence template. ;

[0048] Process flow sequence templates that do not meet the preset conditions for overall confidence are removed, and only process flow sequence templates that simultaneously meet the support threshold and confidence threshold are retained as the process flow sequence templates.

[0049] Optionally, in the step of pre-selecting process flow sequence templates based on the matching degree between the prefix operation sequence and each of the process flow sequence templates in the template library:

[0050] The process flow sequence template The record of the first q Each operation event and the prefix operation sequence S The first in q Comprehensive step similarity of individual operation events for:

[0051] ;

[0052] in, These are the set weights, , The value is configured according to the importance of the operation type in the specific process. The value is configured according to the importance of equipment similarity in the specific process. The value is configured according to the importance of the parameter value in the specific process. For operation type similarity, For device similarity, The similarity of parameter values;

[0053] Then S and Overall matching degree for:

[0054] ;

[0055] in, Template for reflecting the process flow sequence The first in q The typicality and stability of each operational event in the corresponding process flow. L For the prefix operation sequence S The number of operation events in the middle, ;

[0056] Select the process flow sequence template with the highest overall matching degree that is greater than the preset overall matching degree threshold as the pre-selected result.

[0057] To achieve the above objectives, this application also proposes an access control system, which employs the process-aware zero-trust access control method for the Industrial Internet for access control. The access control system includes a policy execution module, a policy decision module, a policy information module, an offline analysis module, and a process flow awareness cache module. The process flow awareness cache module includes a session sequence matching submodule and a process flow template management submodule.

[0058] The offline analysis module is used to generate multiple process flow sequence templates;

[0059] The process flow template management submodule is used to solidify and store the process flow sequence templates to build a template library, and to map a corresponding strategy subset to each process flow sequence template.

[0060] The strategy information module is used to obtain the multi-dimensional attributes corresponding to the access request;

[0061] The policy execution module is used to generate a persistent session for the user and the device when the user's first operation on the device is detected within a preset time period, so as to record the user's device operation sequence on the device within the preset time period; when the user initiates an access request to the device, the operation corresponding to the access request is appended to the device operation sequence to form a prefix operation sequence; and an initial decision request is encapsulated according to the prefix operation sequence and the multidimensional attributes.

[0062] The session sequence matching submodule is used to pre-select process flow sequence templates based on the matching degree between the prefix operation sequence and each process flow sequence template in the template library;

[0063] The process flow template management submodule is also used to obtain a subset of candidate strategies corresponding to the pre-selected process flow sequence template;

[0064] The strategy execution module is further configured to append the subset of candidate strategies to the initial decision request to form a complete decision request;

[0065] The strategy decision module is used to form a strategy search space based on the subset of candidate strategies in the complete decision request, so as to make an access decision for the complete decision request.

[0066] Optionally, the system further includes: a policy management module;

[0067] The strategy management module is used to store the full strategy library;

[0068] The strategy decision module is further configured to: when there is no process sequence template in the template library that matches the prefix operation sequence, obtain and load a preset full strategy library, and evaluate the access request in conjunction with the obtained multidimensional attributes to make an access decision.

[0069] The technical solution of this application helps to address the shortcomings of existing zero-trust access control schemes combined with ABAC when applied to industrial scenarios with obvious process flow characteristics. These shortcomings include large decision-making overhead and access latency due to the large access policy library, which fails to meet the dual requirements of security and real-time performance in industrial internet scenarios. Specifically, this application, while maintaining the advantages of zero-trust and ABAC fine-grained control, introduces process flow sequence templates. By establishing a persistent session between the user and the device to record the user's device operation sequence, process flow awareness and caching are achieved. When a user initiates an access request for the current device, intelligent pre-selection and constraints are performed on the template library based on the user's device operation sequence, targeting process operation steps. Matching process flow sequence templates pre-selected based on the user's device operation sequence are then pre-loaded with corresponding candidate policy subsets. These loaded candidate policy subsets form a policy search space for determining the access permission for the current access request. Therefore, this application can reduce the policy matching range and decision latency without changing the original access control semantics and security strength, better meeting the dual requirements of security and real-time performance in industrial internet scenarios. Attached Figure Description

[0070] Figure 1 This is a schematic diagram of the process-aware zero-trust access control method for the Industrial Internet in the first embodiment of this application.

[0071] Figure 2 This is a schematic diagram of the functional modules of the access control system in this application.

[0072] The purpose, features, and advantages of this application will be further explained in conjunction with the embodiments and with reference to the accompanying drawings. Detailed Implementation

[0073] It should be understood that the specific embodiments described herein are for illustrative purposes only and are not intended to limit the scope of this application.

[0074] In the following description, the use of suffixes such as "unit," "part," or "element" to denote elements is solely for the purpose of illustration and has no specific meaning in itself. Therefore, "unit," "part," or "element" may be used interchangeably.

[0075] Please see Figures 1 to 2 The first embodiment of this application provides a process-aware zero-trust access control method for the Industrial Internet, comprising the following steps:

[0076] Step S10: Generate multiple process flow sequence templates to build a template library, and map a corresponding strategy subset for each process flow sequence template;

[0077] Step S20: When the user's first operation on the device is detected within a preset time period, a persistent session is generated for the user and the device to record the user's device operation sequence within the preset time period.

[0078] Step S30: When the user initiates an access request to the device, the operation corresponding to the access request is appended to the device operation sequence to form a prefix operation sequence.

[0079] Step S40: Based on the prefix operation sequence and the multidimensional attributes of the set type, an initial decision request is encapsulated.

[0080] Step S50: Based on the matching degree between the prefix operation sequence and each process flow sequence template in the template library, perform process flow sequence template pre-selection;

[0081] Step S60: Obtain the candidate strategy subset corresponding to the pre-selected process flow sequence template, and append the candidate strategy subset to the initial decision request to form a complete decision request;

[0082] Step S70: Form a strategy search space based on the subset of candidate strategies in the complete decision request, so as to make an access decision for the complete decision request.

[0083] The technical solution of this application helps to address the shortcomings of existing zero-trust access control schemes combined with ABAC when applied to industrial scenarios with obvious process flow characteristics. These shortcomings include large decision-making overhead and access latency due to the large access policy library, which fails to meet the dual requirements of security and real-time performance in industrial internet scenarios. Specifically, this application, while maintaining the advantages of zero-trust and ABAC fine-grained control, introduces process flow sequence templates. By establishing a persistent session between the user and the device to record the user's device operation sequence, process flow awareness and caching are achieved. When a user initiates an access request for the current device, intelligent pre-selection and constraints are performed on the template library based on the user's device operation sequence, targeting process operation steps. Matching process flow sequence templates pre-selected based on the user's device operation sequence are then pre-loaded with corresponding candidate policy subsets. These loaded candidate policy subsets form a policy search space for determining the access permission for the current access request. Therefore, this application can reduce the policy matching range and decision latency without changing the original access control semantics and security strength, better meeting the dual requirements of security and real-time performance in industrial internet scenarios.

[0084] Specifically, a device operation sequence refers to a series of operations performed sequentially by a user on a device according to time progression. For example, user A performs a series of device operations on machine tool B (such as continuously inputting several different types of machine tool control parameters). Through this series of device operations, the system senses whether there are pre-stored process flow sequence templates with high matching degree in the template library (each process flow sequence template has a pre-set corresponding candidate decision subset, where each process flow step in the process flow sequence template is set with a corresponding strategy subset, so that all process flow steps in the process flow sequence template correspond to strategy subsets respectively). If so, the strategy subset is determined based on the candidate strategy subset associated with the corresponding process flow sequence template and the event step corresponding to the current cutoff operation event in the device operation sequence in the process flow sequence template.

[0085] An access request refers to a preset type of operation initiated against a device, such as accessing local storage data, accessing local storage space, or accessing storage data of other associated devices through the current device.

[0086] This application constructs an access control system for the industrial internet based on a zero-trust architecture. It adopts a framework of policy enforcement module (PEP), policy decision module (PDP), policy management module (PAP), and policy information module (PIP). Each module interacts through a secure channel to achieve unified control over access requests.

[0087] The policy execution module is deployed at the gateway, proxy, or business front end to intercept access requests, extract multi-dimensional attributes, and initiate a decision request to the policy decision module. Based on the allow / deny result returned by the policy decision module, it allows or blocks the access request. In this application, the policy execution module also maintains a device operation sequence for each persistent session and sends the prefix operation sequence of the current persistent session along with the access request to the policy decision module for subsequent process flow sequence template matching and policy lookup. For this application, the policy execution module sends at least the following attributes and data to the policy decision module:

[0088] ① User attributes, including: user identifier (e.g., user ID); user role (identifying the user's role or position, such as: process engineer, field operator, maintenance personnel).

[0089] ② Device attributes, including: device identifier (e.g., device ID); device type.

[0090] ③ Operation attributes, including: operation type (e.g., READ, WRITE, START, STOP, etc.); operation parameters (e.g., list of parameter names to be operated on, new value or target value, etc.).

[0091] ④ Environmental attributes, including: time and location.

[0092] ⑤ The context attributes of the persistent session include: persistent session identifier, user, device and session time period that the persistent session is uniquely bound to, and the sequence of device operations recorded during the session time period (to record every operation event of the current session).

[0093] Further explanation of the context attributes of persistent sessions: When a user makes an access request for the first time within a certain period of time, the policy enforcement module will generate a persistent session based on the user identifier and the unique identifier of the device requested for access. This session will record the operation event data of each access request made by the user during this period. The operation event data includes: operation sequence number, operation type, access device type, parameter value of operation parameters, timestamp, etc.

[0094] The strategy decision-making module, as the core of the decision-making process, obtains and loads ABAC-based access control policies from the strategy management module. Combining this with the multi-dimensional attributes provided by the strategy information module, it performs zero-trust evaluation on each request. Unlike traditional solutions, this embodiment addresses the issue of high computational overhead and limited real-time performance caused by the strategy decision-making module in the strategy execution module, strategy decision-making module, strategy management module, and strategy information module architecture needing to perform matching across the entire policy library for each request. The design goals of the process flow awareness cache module are: firstly, to leverage the significant process flow and step sequence characteristics of industrial production operations to identify the process flow and current step of the access request; and secondly, to perform step-level candidate policy pre-selection from the zero-trust access control policy library, excluding a large number of policies irrelevant to the current process step from the matching process. This significantly reduces the policy matching range and decision latency of the strategy decision-making module without altering the zero-trust decision-making logic and ABAC policy semantics.

[0095] In terms of system deployment, the process flow awareness cache module is integrated into the policy decision module as an extension component, or deployed in a tightly coupled manner, sharing the policy library access interface and attribute query interface with the policy decision module. During online operation, the device operation sequence in the persistent session is first identified based on the process flow sequence template to determine the step position of the current persistent session in a certain process flow sequence template. Then, based on the identified template and the cutoff step (cutoff operation event) of the current device operation sequence, a subset of candidate policies related to the step is selected from the pre-established event-policy mapping relationship. Policy pre-selection and constraints are completed before the policy decision module executes the formal zero-trust decision. When the process flow awareness cache module cannot reliably match the process flow sequence template, no pre-selection is performed, and the policy decision module makes a regular decision from the full policy library. This ensures that the access control results after the introduction of the process flow awareness cache module are consistent with those before the introduction of the process flow awareness cache module, with improvements only in performance and real-time performance.

[0096] The process flow awareness caching module in this application can be internally divided into two functional sub-modules: a process flow template management sub-module and a session sequence matching sub-module. The process flow template management sub-module stores offline-generated process flow sequence templates, maintaining information such as the process identifier, equipment group, applicable role, and operation type, resource grouping, time interval, and confidence level for each step (operation event) of each template. It also filters policies related to the step from the policy library, generating a mapping between the operation events of the specific step in the template ID and a subset of candidate policies. The session sequence matching sub-module receives prefix operation sequences from persistent sessions uploaded by the policy execution module, calculates similarity with existing process flow sequence templates, determines the target template and the cutoff operation event (cutoff step) corresponding to the current persistent session, and provides the corresponding subset of candidate policies to the policy decision module. If matching fails or the confidence level is insufficient, no pre-selection is performed, and the process falls back to the policy decision module evaluating policies from the entire library.

[0097] Based on the first embodiment of the process-aware zero-trust access control method for the Industrial Internet of this application, the second embodiment of the process-aware zero-trust access control method for the Industrial Internet of this application further includes the following after step S50:

[0098] Step S80: When there is no process flow sequence template in the template library that matches the prefix operation sequence, the preset full strategy library is obtained and loaded, and the access request is evaluated in combination with the obtained multi-dimensional attributes to make an access decision.

[0099] Based on the first embodiment of the process-aware zero-trust access control method for the Industrial Internet of this application, and the third embodiment of the process-aware zero-trust access control method for the Industrial Internet of this application, step S10, generating multiple process sequence templates to construct a template library, includes:

[0100] Step S11: Collect historical access log records from the log library, wherein each log includes: session identifier, user identifier, user role, device identifier, device type, operation type, operation parameters, and timestamp;

[0101] Step S12: Group the logs according to the session identifier, so that logs belonging to the same session identifier are divided into the same group, and the operation events are sorted in ascending order of timestamp within the same group to obtain a set of historical session event sequences.

[0102] Step S13: Based on the frequency of occurrence of the historical session event sequence, form a set of candidate access process sequences;

[0103] Step S14: Construct and train a sequence prediction model based on the candidate access process sequence set;

[0104] Step S15: Based on the sequence prediction model, a process flow sequence template is selected and formed.

[0105] The mapping of process flow sequence templates and strategy subsets in this application is completed collaboratively by the offline analysis module and the process flow template management submodule in the process flow awareness cache module.

[0106] In steps S11 and S12:

[0107] Collect historical access log records from the log database; specifically, collect historical access log records from the audit log database.

[0108] After obtaining the set of historical session event sequences, each operation in the set of historical session event sequences is further normalized into discrete operations based on the range in which the operation type, device type, and operation parameter values ​​fall. This is used for subsequent sequence mining and modeling.

[0109] In step S13, after obtaining a large number of session-level event sequences, the offline analysis module performs a sequence pattern mining algorithm on these sequences. PrefixSpan The algorithm, under preset constraints of minimum support threshold, minimum sequence length, and maximum sequence length, mines frequently occurring access event sequences in historical data for subsequent filtering.

[0110] In step S14, the sequence prediction model can be a sequence prediction model based on a multilayer recurrent neural network using LSTM.

[0111] In step S15, the process flow template management submodule in the process flow awareness cache module is responsible for solidifying the above-screened candidate access process sequences into process flow sequence templates and storing them. Each template At a minimum, it should include template-level attributes (including template ID, applicable device type, applicable role type, etc.) and a list of step-level attributes (for each operation event in the template, the information recorded in the step-level attribute list includes operation type, parameter value range of operation parameters, time interval range between the operation event of this step and the operation event of the previous step, and step confidence). ).

[0112] The template management submodule saves the above structured templates to the relational database of the process flow perception cache module, and provides interfaces for querying by "template-level attributes" and by "template-level attributes + step-level attributes" for equipment operation sequence matching and strategy pre-selection in online persistent sessions.

[0113] Based on the first embodiment of the process-aware zero-trust access control method for the Industrial Internet of this application, and the fourth embodiment of the process-aware zero-trust access control method for the Industrial Internet of this application, the step S10 of mapping a policy subset corresponding to each process sequence template includes:

[0114] Step S16: Read each operation event included in the process flow sequence template, and read the set key attributes of each operation event;

[0115] Step S17: Based on the set key attributes of each operation event, filter the strategies corresponding to the set key attributes from the full strategy library;

[0116] Step S18: Summarize all the strategies selected for each operation event to form a subset of candidate strategies;

[0117] Step S19: Establish an event-strategy mapping relationship between each operation event included in the process flow sequence template and the corresponding candidate strategy subset;

[0118] Step S110: Store the process flow sequence template and the event-strategy mapping relationship in the template library.

[0119] After the process flow sequence template structure is solidified, the process flow template management submodule continues to build the association between the template and the strategy library.

[0120] After the process flow sequence template and the event-strategy mapping relationship are stored in the template library, the last update time is recorded.

[0121] When the candidate strategy subset corresponding to the operation event in the process flow sequence template changes (adding, modifying, or deleting strategies), the template management submodule can selectively re-execute the mapping generation process of step S19 above for the affected process flow sequence template and the operation event in the template according to the scope of application of the strategy change, so as to realize the incremental update of the candidate strategy subset and ensure that the mapping relationship maintained inside the process flow sequence template is consistent with the actual update situation.

[0122] Through the above steps, this application forms a unified management structure within the process flow awareness cache module that includes both the process flow sequence template and the step-level details of its internal operation events, as well as the candidate policy subset corresponding to each operation event, providing a complete data foundation for session sequence matching and policy pre-selection in the online phase.

[0123] Based on the first embodiment of the process-aware zero-trust access control method for the Industrial Internet of this application, and the fifth embodiment of the process-aware zero-trust access control method for the Industrial Internet of this application, step S50 includes:

[0124] Step S51: Extract the feature vector of each operation event in the prefix operation sequence, wherein the operation vector includes operation type, device type and parameter value range;

[0125] Step S52: Match the prefix operation sequence with the operation events of each pre-stored process flow sequence template in the template library in sequence;

[0126] Step S53: Calculate the feature vector similarity between each first operation event included in the prefix operation sequence and the corresponding second operation events in the pre-stored process flow sequence templates in the template library, so as to determine the comprehensive step similarity.

[0127] Step S54: Calculate the overall matching degree between the prefix operation sequence and each of the process flow sequence templates pre-stored in the template library based on the comprehensive step similarity and step confidence.

[0128] Step S55: When there is a process flow sequence template whose overall matching degree reaches a preset threshold, the process flow sequence template is used as a pre-selected result.

[0129] The process flow awareness caching module of this application uses a session sequence matching submodule to match device operation sequences with process flow sequence templates in an online persistent session. The session sequence matching submodule employs a similarity matching algorithm to calculate the matching degree between the prefix operation sequence corresponding to the device operation sequence in the current persistent session and the prefix sequence of the process flow sequence template, thereby determining the position of the current cutoff operation event of the target process flow sequence template and the prefix operation sequence. The eighth embodiment illustrates this algorithm.

[0130] Based on the fourth embodiment of the process-aware zero-trust access control method for the Industrial Internet of this application, and the sixth embodiment of the process-aware zero-trust access control method for the Industrial Internet of this application, step S60 of obtaining the candidate strategy subset corresponding to the pre-selected process sequence template includes:

[0131] Step S61: Invoke the preset event-policy mapping query interface;

[0132] Step S62: Using the template identifier of the pre-selected process flow sequence template and the cutoff operation event corresponding to the prefix operation sequence as keys, extract the policy subsets corresponding to the cutoff operation events in sequence from the policy subsets corresponding to the pre-selected process flow sequence template, and maintain them in the candidate policy subset.

[0133] Based on the third embodiment of the process-aware zero-trust access control method for the Industrial Internet of this application, and the seventh embodiment of the process-aware zero-trust access control method for the Industrial Internet of this application, in step S10, the step of generating multiple process sequence templates to construct a template library is as follows:

[0134] use PrefixSpan The algorithm, under the constraints of a preset minimum support threshold, minimum sequence length, and maximum sequence length, mines frequently occurring access event sequences in historical data, forming a set of candidate access process sequences. ,in, ;in, For the first k A sequence of candidate access processes. for The first in j One operation event ;

[0135] When training the sequence prediction model, a set of historical session event sequences is used. C As training samples, the previous j Operation events As input, predict the first Probability distribution of each operation event Optimization is achieved through cross-entropy loss;

[0136] After the model training converges, for each candidate access sequence Perform dependency verification;

[0137] For each location, Input the sequence prediction model to obtain the predicted probability distribution of each subsequent operation event;

[0138] Read the actual number Predicted probability of each operation event As the first i Step confidence of each operation event ;

[0139] By assessing the step confidence of all steps in the process flow sequence template Perform a weighted average to calculate the overall confidence level of the process flow sequence template. ;

[0140] Process flow sequence templates that do not meet the preset conditions for overall confidence are removed, and only process flow sequence templates that simultaneously meet the support threshold and confidence threshold are retained as the process flow sequence templates.

[0141] Based on the first embodiment of the process-aware zero-trust access control method for the Industrial Internet of this application, and the eighth embodiment of the process-aware zero-trust access control method for the Industrial Internet of this application, in step S50:

[0142] The prefix operation sequence is as follows:

[0143] ;

[0144] in, For the prefix operation sequence S The first in q One operation event , L For the prefix operation sequence S The number of operation events in the process;

[0145] Candidate process flow sequence templates for:

[0146] ;

[0147] in, For the process flow sequence template The first in p Each operation event, , For the process flow sequence template The number of operation events in the process;

[0148] For the prefix operation sequence S Each operation event in Extract the following three types of attributes to form a feature vector. :

[0149] ;

[0150] in: For operation events Operation type, For operation events The type of equipment, For operation events The parameter value range is defined as the interval or discrete level of the parameter value.

[0151] For the process flow sequence template The q Operation events Pre-store corresponding features and step confidence :

[0152] ;

[0153] in, For operation events Pre-stored operation types, For operation events Pre-stored device types, For operation events The range of pre-stored parameter values;

[0154] For each of the aforementioned process flow sequence templates ,when At that time, the prefix operation sequence Prefix of the process flow sequence template Align the elements in order; align the elements in order... q For steps Calculate the following three types of similarity:

[0155] (1) Operation type similarity :

[0156] ;

[0157] in, Furthermore, these are preset constants used to distinguish between cases of the same type but different specific instructions;

[0158] (2) Equipment similarity :

[0159] ;

[0160] in, and They are constants, , used to indicate the degree of approximation of the equipment;

[0161] (3) Parameter value similarity :

[0162] The process flow sequence template The record of the first q Typical parameter value range for an operation event and tolerance extension range , No. q The parameter values ​​of each operation event are denoted as follows: ,but:

[0163] ;

[0164] in, for Distance to the nearest interval boundary; This represents the minimum value within the typical parameter value range. It represents the maximum value within the typical parameter value range. It is a constant;

[0165] Then, the three similarities are weighted according to their respective weights to obtain the first... q Overall step similarity of the operation events:

[0166] ;

[0167] in, These are the set weights, , The value is configured according to the importance of the operation type in the specific process. The value is configured according to the importance of equipment similarity in the specific process. The value is configured according to the importance of the parameter value in the specific process. For operation type similarity, For device similarity, The similarity of parameter values;

[0168] Then S and Overall matching degree for:

[0169] ;

[0170] in, Template for reflecting the process flow sequence The typicality and stability of the q-th operation event in the corresponding process flow;

[0171] Select the process flow sequence template with the highest overall matching degree that is greater than the preset overall matching degree threshold as the pre-selected result.

[0172] Specifically, by applying a confidence-weighted average to the overall similarity of steps, we can enhance the influence of typical steps that appear frequently and have stable patterns in historical data on the overall matching degree, and reduce the interference of occasional steps or low-confidence steps, thereby obtaining more robust template matching results.

[0173] The session sequence matching submodule calculates the sequence templates for all process flows sequentially. To obtain the maximum matching degree:

[0174] ;

[0175] This allows us to determine the process flow sequence template corresponding to the maximum matching value.

[0176] when Time (of which) (Based on the preset overall matching threshold), the process flow sequence template corresponding to the maximum matching value is determined as the target process flow sequence template for the current persistent session, and the length of the current prefix operation sequence is set. As the target operation event sequence number (i.e., target step sequence number), the current access request is considered to correspond to the first step in the target process flow sequence template. step;

[0177] when If the current persistent session's prefix operation sequence is deemed insufficient to reliably map to any process flow sequence template, the process flow awareness cache module does not perform policy pre-selection. Instead, the policy decision module makes access control decisions on the full policy library in the traditional ABAC manner, thereby ensuring that the system behavior remains consistent with that when the template matching is insufficient, the system behavior is consistent with that when the process flow awareness cache module is not introduced.

[0178] Once the session sequence matching submodule has determined the target process flow sequence template and the step number corresponding to the current operation event, the process flow perception cache module calls the query interface provided by the process flow template management submodule. Using the template identifier and step number as keys, it retrieves the candidate strategy subset corresponding to the step of the operation event from the pre-established mapping relationship, and appends the candidate strategy subset to the context of the current initial decision request, and passes it to the strategy decision module as a complete decision request.

[0179] After receiving a complete decision request, the strategy decision module first checks whether it carries a subset of candidate strategies provided by the process flow awareness cache module. If it exists, it loads and performs ABAC strategy matching and condition evaluation only within the subset of candidate strategies, treating the subset of candidate strategies as the strategy search space for this request, thereby avoiding traversing the entire strategy library. If it does not exist (including cases where the process flow awareness cache module does not match any templates, the matching degree is lower than the threshold, or the steps are uncertain), it executes the same zero-trust access decision logic on the entire strategy library in the traditional way.

[0180] In this way, the process flow awareness caching module only constrains the policy search scope of the policy decision module, without changing the decision engine implementation and policy semantics of the policy decision module. When the process flow awareness caching module can provide reliable template matching results, it can significantly reduce the number of policies involved in matching, reduce the computational overhead of the process flow awareness caching module, and improve the real-time performance of access control. When the process flow awareness caching module cannot provide reliable results, the system automatically falls back to the full database evaluation path, ensuring that the access control results are consistent with those before the process flow awareness caching module was introduced, thereby achieving performance acceleration without compromising security.

[0181] To achieve the above objectives, this application also proposes an access control system, which employs the process-aware zero-trust access control method for the Industrial Internet for access control. The access control system includes a policy execution module, a policy decision module, a policy information module, an offline analysis module, and a process flow awareness cache module. The process flow awareness cache module includes a session sequence matching submodule and a process flow template management submodule.

[0182] The offline analysis module is used to generate multiple process flow sequence templates;

[0183] The process flow template management submodule is used to solidify and store the process flow sequence templates to build a template library, and to map a corresponding strategy subset to each process flow sequence template.

[0184] The strategy information module is used to obtain the multi-dimensional attributes corresponding to the access request;

[0185] The policy execution module is used to generate a persistent session for the user and the device when the user's first operation on the device is detected within a preset time period, so as to record the user's device operation sequence on the device within the preset time period; when the user initiates an access request to the device, the operation corresponding to the access request is appended to the device operation sequence to form a prefix operation sequence; and an initial decision request is encapsulated according to the prefix operation sequence and the multidimensional attributes.

[0186] The session sequence matching submodule is used to pre-select process flow sequence templates based on the matching degree between the prefix operation sequence and each process flow sequence template in the template library;

[0187] The process flow template management submodule is also used to obtain a subset of candidate strategies corresponding to the pre-selected process flow sequence template;

[0188] The strategy execution module is further configured to append the subset of candidate strategies to the initial decision request to form a complete decision request;

[0189] The strategy decision module is used to form a strategy search space based on the subset of candidate strategies in the complete decision request, so as to make an access decision for the complete decision request.

[0190] Optionally, the system further includes: a policy management module;

[0191] The strategy management module is used to store the full strategy library;

[0192] The strategy decision module is further configured to: when there is no process sequence template in the template library that matches the prefix operation sequence, obtain and load a preset full strategy library, and evaluate the access request in conjunction with the obtained multidimensional attributes to make an access decision.

[0193] Specifically, the process flow awareness cache module can be set up inside the strategy decision module.

[0194] Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus necessary general-purpose hardware platforms, or by hardware, but in many cases the former is a better implementation method. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product is stored in a readable storage medium (such as ROM / RAM, magnetic disk, optical disk) as described above, and includes several instructions to cause a terminal device to enter the methods described in the various embodiments of this application.

[0195] In the description of this specification, references to terms such as "an embodiment," "another embodiment," "other embodiments," or "first embodiment to Xth embodiment," etc., indicate that a specific feature, structure, material, or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of this application. In this specification, the illustrative expressions of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials, method steps, or characteristics described may be combined in any suitable manner in one or more embodiments or examples.

[0196] It should be noted that, in this document, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or system. Unless otherwise specified, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or system that includes that element.

[0197] The sequence numbers of the embodiments in this application are for descriptive purposes only and do not represent the superiority or inferiority of the embodiments.

[0198] The above are merely preferred embodiments of this application and do not limit the patent scope of this application. Any equivalent structural or procedural transformations made using the content of this application's specification and drawings, or direct or indirect applications in other related technical fields, are similarly included within the patent protection scope of this application.

Claims

1. A process-aware zero-trust access control method for the Industrial Internet, characterized in that, Includes the following steps: Multiple process flow sequence templates are generated to build a template library, and a corresponding strategy subset is mapped for each process flow sequence template. When a user’s first operation on the device is detected within a preset time period, a persistent session is generated for the user and the device to record the sequence of device operations performed by the user on the device within the preset time period. When a user initiates an access request to the device, the operation corresponding to the access request is appended to the device operation sequence to form a prefix operation sequence; Based on the prefix operation sequence and the multidimensional attributes of the set type, an initial decision request is encapsulated. Based on the matching degree between the prefix operation sequence and each process flow sequence template in the template library, process flow sequence templates are pre-selected; Obtain a subset of candidate strategies corresponding to the pre-selected process flow sequence template, and append the subset of candidate strategies to the initial decision request to form a complete decision request; A strategy search space is formed based on the subset of candidate strategies in the complete decision request in order to make an access decision for the complete decision request.

2. The industrial internet of things oriented process-aware zero-trust access control method according to claim 1, characterized in that, After the step of pre-selecting process flow sequence templates based on the matching degree between the prefix operation sequence and each process flow sequence template in the template library, the method further includes: When there is no process sequence template in the template library that matches the prefix operation sequence, the preset full strategy library is obtained and loaded, and the access request is evaluated in combination with the obtained multi-dimensional attributes to make an access decision.

3. The industrial internet of things oriented process-aware zero-trust access control method according to claim 1, characterized in that, The step of generating multiple process flow sequence templates to build a template library includes: Collect historical access log records from the log library, wherein each log includes: session identifier, user identifier, user role, device identifier, device type, operation type, operation parameters, and timestamp; Logs are grouped according to the session identifier to group logs belonging to the same session identifier into the same group, and operation events are sorted in ascending order of timestamp within the same group to obtain a set of historical session event sequences. A set of candidate access process sequences is formed based on the frequency of occurrence of the historical session event sequences; Based on the set of candidate access flow sequences, construct and train a sequence prediction model; Based on the sequence prediction model, process flow sequence templates are selected and formed.

4. The industrial internet of things oriented process-aware zero-trust access control method according to claim 1, characterized in that, The step of mapping a strategy subset corresponding to each process flow sequence template includes: Read each operation event included in the process flow sequence template, and read the set key attributes of each operation event; Based on the set key attributes of each operation event, the strategies corresponding to the set key attributes are selected from the full strategy library; All strategies selected for each operation event are aggregated to form a subset of candidate strategies; Establish an event-strategy mapping relationship between each operation event included in the process flow sequence template and the corresponding subset of candidate strategies; The process flow sequence template and the event-strategy mapping relationship are stored in the template library.

5. The industrial internet of things (IIoT) oriented process-aware zero trust access control method of claim 1, wherein, The step of pre-selecting process flow sequence templates based on the matching degree between the prefix operation sequence and each process flow sequence template in the template library includes: Extract the feature vector of each operation event in the prefix operation sequence, wherein the operation vector includes operation type, device type and parameter value range; The prefix operation sequence is matched sequentially with the operation events of each process flow sequence template pre-stored in the template library. Calculate the feature vector similarity between each first operation event included in the prefix operation sequence and the corresponding second operation events in the pre-stored process flow sequence templates in the template library, in order to determine the comprehensive step similarity; Based on the comprehensive step similarity and step confidence, the overall matching degree between the prefix operation sequence and each of the process flow sequence templates pre-stored in the template library is calculated; When there is a process flow sequence template whose overall matching degree reaches a preset threshold, the process flow sequence template is used as a pre-selected result.

6. The industrial internet of things (IIoT) oriented process-aware zero trust access control method of claim 4, wherein, The step of obtaining the candidate strategy subset corresponding to the pre-selected process flow sequence template includes: Call the preset event-policy mapping query interface; Using the template identifier of the pre-selected process flow sequence template and the cutoff operation event corresponding to the prefix operation sequence as keys, extract the policy subsets corresponding to the cutoff operation events in sequence from the policy subsets corresponding to the pre-selected process flow sequence template, and maintain them in the candidate policy subset.

7. The industrial internet of things (IIoT) oriented process-aware zero trust access control method of claim 3, wherein, In the step of generating multiple process flow sequence templates to build a template library: Under the constraints of preset minimum support threshold, minimum sequence length, and maximum sequence length, the frequent access event sequences in historical data are mined to form a candidate access process sequence set. ,in, ;in, For the first k A sequence of candidate access processes. for The first in j Each operation event ; When training the sequence prediction model, a set of historical session event sequences is used. C As training samples, the previous j Operation events As input, predict the first Probability distribution of each operation event Optimization is achieved through cross-entropy loss; After the model training converges, the dependency relationship verification is performed on each candidate access flow procedure sequence ​ For each location, Input the sequence prediction model to obtain the predicted probability distribution of each subsequent operation event; read the predicted probability of the actual operation event as the step confidence of the i operation event ; The overall confidence of the process flow sequence template is calculated by weighted average of the step confidences of all steps in the process flow sequence template The overall confidence of the process flow sequence template is calculated by weighted average of the step confidences of all steps in the process flow sequence template ; Process flow sequence templates that do not meet the preset conditions for overall confidence are removed, and only process flow sequence templates that simultaneously meet the support threshold and confidence threshold are retained as the process flow sequence templates.

8. The industrial internet of things (IIoT) oriented process-aware zero trust access control method of claim 1, wherein, In the step of pre-selecting process flow sequence templates based on the matching degree between the prefix operation sequence and each process flow sequence template in the template library: The process flow sequence template The first q operation event of the prefix operation sequence S The first q operation event of the prefix operation sequence is: ; in, These are the set weights, , The value is configured according to the importance of the operation type in the specific process. The value is configured according to the importance of equipment similarity in the specific process. The value is configured according to the importance of the parameter value in the specific process. For operation type similarity, For device similarity, The similarity of parameter values; Then S and Overall matching degree for: ; in, Template for reflecting the process flow sequence The first in q The typicality and stability of each operational event in the corresponding process flow. L For the prefix operation sequence S The number of operation events in the middle, ; Select the process flow sequence template with the highest overall matching degree that is greater than the preset overall matching degree threshold as the pre-selected result.

9. An access rights management system, characterized by The access control system adopts the process-aware zero-trust access control method for industrial internet as described in any one of claims 1 to 8 for access control; the access control system includes a policy execution module, a policy decision module, a policy information module, an offline analysis module, and a process-aware cache module; The process flow awareness caching module includes a session sequence matching submodule and a process flow template management submodule: The offline analysis module is used to generate multiple process flow sequence templates; The process flow template management submodule is used to solidify and store the process flow sequence templates to build a template library, and to map a corresponding strategy subset to each process flow sequence template. The strategy information module is used to obtain the multi-dimensional attributes corresponding to the access request; The policy execution module is used to generate a persistent session for the user and the device when the user’s first operation on the device is detected within a preset time period, so as to record the user’s device operation sequence on the device within the preset time period. When a user initiates an access request to the device, the operation corresponding to the access request is appended to the device operation sequence to form a prefix operation sequence; Based on the prefix operation sequence and the multidimensional attributes, an initial decision request is encapsulated. The session sequence matching submodule is used to pre-select process flow sequence templates based on the matching degree between the prefix operation sequence and each process flow sequence template in the template library; The process flow template management submodule is also used to obtain a subset of candidate strategies corresponding to the pre-selected process flow sequence template; The strategy execution module is further configured to append the subset of candidate strategies to the initial decision request to form a complete decision request; The strategy decision module is used to form a strategy search space based on the subset of candidate strategies in the complete decision request, so as to make an access decision for the complete decision request.

10. The access rights management system of claim 9, wherein, The system also includes: a policy management module; The strategy management module is used to store the full strategy library; The strategy decision module is further configured to: when there is no process sequence template in the template library that matches the prefix operation sequence, obtain and load a preset full strategy library, and evaluate the access request in conjunction with the obtained multidimensional attributes to make an access decision.