Azure virtual desktop micro-segmentation monitoring method and system based on zero trust architecture
By adopting a virtual desktop micro-segmentation monitoring method based on zero-trust architecture, user operation logs are collected and analyzed in real time, a behavioral baseline model is built, abnormal behaviors are identified and permissions are dynamically adjusted, solving the adaptive problem of security monitoring in virtual desktop environments and improving the security and stability of the system.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SHANGHAI WICRESOFT
- Filing Date
- 2026-03-02
- Publication Date
- 2026-06-09
AI Technical Summary
Existing technologies struggle to achieve fine-grained, adaptive security monitoring in virtual desktop environments, and are unable to effectively address session risks caused by sudden changes in user behavior, abnormal device access, or network attacks, thus failing to guarantee the continuity and security of industrial production and data interaction.
Based on a zero-trust architecture, user operation logs are collected in real time to build a behavior baseline model, analyze user operation habits, identify abnormal behaviors, and combine with device security features for comprehensive detection. Access permissions are then dynamically adjusted to achieve dynamic environmental adaptation and security policy updates.
It enables precise monitoring of user behavior and environment, improves the accuracy of internal threat identification and early warning capabilities, provides real-time and accurate permission decision-making basis, and ensures system security and stability.
Smart Images

Figure CN121770899B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the fields of network security and virtualization technology, and in particular to a micro-segmentation monitoring method and system for Azure virtual desktops based on a zero-trust architecture. Background Technology
[0002] In the context of today's accelerated digital transformation, the importance of cybersecurity is becoming increasingly prominent, especially in highly centralized remote access scenarios such as virtual desktop environments.
[0003] In one existing technology, enterprises typically use role-based or policy-based static access control technology to manage the security of virtual desktops, such as pre-assigning access permissions based on user identity and filtering abnormal operations using fixed rules.
[0004] However, in the context of industrial internet security management, while existing technologies can restrict unauthorized access to some extent, their permission allocation is relatively rigid and cannot effectively address session risks caused by sudden changes in user behavior, abnormal device access, or network attacks. They also struggle to achieve micro-segmentation and dynamic permission control based on real-time trust assessment, thus failing to guarantee the continuity and security of industrial production and data interaction. Therefore, existing technologies suffer from the difficulty of implementing fine-grained, adaptive security monitoring in virtual desktop environments. Summary of the Invention
[0005] This invention provides a micro-segmentation monitoring method and system for Azure virtual desktops based on a zero-trust architecture, in order to solve the problem in the prior art that it is difficult to achieve fine-grained, adaptive security monitoring in a virtual desktop environment.
[0006] Firstly, to address the aforementioned technical problems, this invention provides a micro-segmentation monitoring method for Azure virtual desktops based on a zero-trust architecture, comprising:
[0007] Real-time collection of user operation logs in the virtual desktop environment; normalization of the user operation logs to obtain structured operation data; extraction of user behavior features; and construction of a behavior baseline model.
[0008] Based on the aforementioned behavioral baseline model, user operation habit data at different time periods are grouped to obtain a preliminary behavioral pattern distribution.
[0009] Based on the distribution of the behavior patterns, the degree of deviation is calculated by combining the preset benchmark behavior vector and the set of outliers is extracted. An anomaly trigger signal is generated based on the topological correlation between the set of outliers and the historical trajectory. The threat confidence is calculated based on the anomaly trigger signal and the corresponding potential risk level is determined.
[0010] Based on the potential risk level and combined with pre-collected device security feature data, a comprehensive detection of the hardware and network environment of the current session is performed to obtain device security status information;
[0011] If the device security status information indicates that there is an external threat in the session environment, user behavior trajectory data and device operating status parameters are captured and weighted for analysis. After obtaining the real-time credibility score, it is compared with the preset dynamic threshold range to determine the access permission level and generate the corresponding session control command.
[0012] Responding to the session control command and extracting the real-time trust score, if the real-time trust score is lower than a preset security threshold, the current permission list is reconstructed and the adjusted permission range is determined;
[0013] Based on the adjusted permission scope, the access control policy in the virtual environment is updated in real time, and the user's subsequent operations are dynamically adapted to the environment to obtain the latest session state information;
[0014] Based on the latest session state information, continuously monitor user behavior dynamics, identify abnormal behavior fluctuation feature vectors and assess risks. If the risk score exceeds a preset threshold, execute a dynamic permission adjustment strategy to obtain dynamic maintenance results for the overall security of the system.
[0015] Secondly, this invention provides an Azure virtual desktop micro-segmentation monitoring system based on a zero-trust architecture, comprising:
[0016] The log collection and baseline modeling module collects user operation logs in the virtual desktop environment in real time, normalizes the user operation logs to obtain structured operation data, extracts user behavior features, and constructs a behavior baseline model.
[0017] The behavior pattern analysis module, based on the behavior baseline model, groups the user's operation habit data at different time periods to obtain a preliminary behavior pattern distribution.
[0018] The behavior fluctuation detection module calculates the degree of deviation and extracts the outlier set based on the behavior pattern distribution and a preset baseline behavior vector. It generates an anomaly trigger signal based on the topological correlation between the outlier set and the historical trajectory, calculates the threat confidence level based on the anomaly trigger signal, and determines the corresponding potential risk level.
[0019] The environmental security monitoring module, based on the potential risk level and combined with pre-collected device security characteristic data, comprehensively detects the hardware and network environment of the current session to obtain device security status information;
[0020] The credibility assessment and instruction generation module, if the device security status information shows that there is an external threat in the session environment, captures user behavior trajectory data and device operating status parameters and performs weighted analysis, obtains a real-time credibility score and compares it with a preset dynamic threshold range, determines the access permission level and generates the corresponding session control instruction;
[0021] The dynamic permission adjustment module responds to the session control command and extracts the real-time credibility score. If the real-time credibility score is lower than a preset security threshold, the current permission list is reconstructed to determine the adjusted permission range.
[0022] The policy update and environment adaptation module updates the access control policy in the virtual environment in real time according to the adjusted permission scope, performs dynamic environment adaptation processing on subsequent user operations, and obtains the latest session state information.
[0023] The continuous monitoring and maintenance module continuously monitors user behavior dynamics based on the latest session status information, identifies abnormal behavior fluctuation feature vectors and assesses risks. If the risk score exceeds a preset threshold, a dynamic permission adjustment strategy is executed to obtain the dynamic maintenance result of the overall system security.
[0024] Compared with the prior art, the present invention has the following beneficial effects:
[0025] (1) This invention constructs a behavior baseline model based on neural networks and combines it with temporal clustering to form a behavior pattern distribution, which can accurately depict the normal operating habits of users; it uses behavior fluctuation analysis technology to quantify and map the operation command flow and calculate the deviation, and introduces topological correlation analysis to effectively distinguish between accidental deviations and malicious anomalies, which significantly improves the accuracy of internal threat identification and early warning capability.
[0026] (2) By constructing a comprehensive trust assessment system that integrates behavior and environment, this invention breaks through the limitations of single-dimensional assessment, and conducts correlation analysis between the potential risk level of user behavior and the security characteristics of the device environment; by generating dynamic credibility scores through weighted aggregation, it realizes a comprehensive and quantitative assessment of session risks, and provides a real-time and accurate basis for permission decisions.
[0027] (3) By calculating the credibility score in real time, the present invention automatically triggers the least privilege constraint rule matching and permission stripping mechanism, which can reconstruct the user permission list on demand and in real time, and realize the dynamic adjustment of access permissions; while the linkage mechanism between the policy configuration matrix and the runtime context enables the security policy to be updated adaptively with changes in user operation and environment. Attached Figure Description
[0028] Figure 1This is a schematic diagram of the Azure virtual desktop micro-segmentation monitoring method based on zero-trust architecture provided in the first embodiment of the present invention;
[0029] Figure 2 This is a schematic diagram of the Azure Virtual Desktop Micro-Segmentation Monitoring System based on a zero-trust architecture, provided in the second embodiment of the present invention. Detailed Implementation
[0030] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0031] Reference Figure 1 The first embodiment of the present invention provides a micro-segmentation monitoring method for Azure virtual desktops based on a zero-trust architecture, including the following steps:
[0032] S11, Real-time collection of user operation logs in the virtual desktop environment, normalization processing of the user operation logs to obtain structured operation data, extraction of user behavior features, and construction of a behavior baseline model;
[0033] S12, Based on the aforementioned behavior baseline model, the user's operational habit data at different time periods are grouped to obtain a preliminary distribution of behavioral patterns;
[0034] S13, Based on the distribution of the behavior patterns, calculate the degree of deviation and extract the set of outliers by combining the preset benchmark behavior vector, generate an anomaly trigger signal based on the topological correlation between the set of outliers and the historical trajectory, calculate the threat confidence level based on the anomaly trigger signal and determine the corresponding potential risk level.
[0035] S14. Based on the potential risk level and combined with the pre-collected device security feature data, a comprehensive detection of the hardware and network environment of the current session is performed to obtain device security status information.
[0036] S15, if the device security status information shows that there is an external threat in the session environment, then capture user behavior trajectory data and device operating status parameters and perform weighted analysis, obtain the real-time credibility score and compare it with the preset dynamic threshold range, determine the access permission level and generate the corresponding session control command.
[0037] S16, respond to the session control command and extract the real-time credibility score. If the real-time credibility score is lower than the preset security threshold, reconstruct the current permission list and determine the adjusted permission range.
[0038] S17, based on the adjusted permission scope, update the access control policy in the virtual environment in real time, perform dynamic environment adaptation processing on the user's subsequent operations, and obtain the latest session state information;
[0039] S18. Based on the latest session state information, continuously monitor user behavior dynamics, identify abnormal behavior fluctuation feature vectors and assess risks. If the risk score exceeds a preset threshold, execute a dynamic permission adjustment strategy to obtain the dynamic maintenance result of the overall system security.
[0040] In step S11, user operation logs in the virtual desktop environment are collected in real time. The user operation logs are normalized to obtain structured operation data, and user behavior features are extracted to construct a behavior baseline model, including:
[0041] S1101: Collect and parse user operation logs in the virtual desktop environment, remove invalid records and normalize fields to obtain structured operation data;
[0042] S1102, perform statistical calculations on the structured operation data using a time window of preset length to obtain statistical quantities including operation density, keyboard input ratio and window switching frequency, and perform standardization processing to combine them into a multi-dimensional dynamic feature vector in sequence.
[0043] S1103, The dynamic feature vector is input into a pre-established neural network model for unsupervised training to construct a behavioral baseline model.
[0044] It should be noted that in a virtual desktop scenario, users perform daily office operations via remote connection, and the system continuously collects logs of mouse clicks, keyboard input, window switching, application startup, etc. After parsing these raw logs, invalid records and duplicate entries generated due to network latency or client errors are filtered out. The various heterogeneous fields of the filtered logs are normalized and mapped into a unified timestamp-operation type-target resource-operation parameter structured format, thereby generating a structured operation data stream arranged in time sequence.
[0045] It should be noted that a fixed-length, non-overlapping time window of T seconds is used to statistically calculate the structured operation data within the window. Operation density is equal to the total number of operation events within the window divided by T; keyboard input percentage is equal to the number of keyboard input events divided by the total number of operation events within the window; and window switching frequency is equal to the number of events where the focus window changes divided by T (in times / second). These calculated statistics, along with other predefined temporal features (such as the Shannon entropy of the operation sequence), are Z-score standardized to eliminate the influence of dimensions. Finally, these standardized values are combined sequentially to form a multi-dimensional dynamic feature vector.
[0046] In one embodiment, for a user's structured operation data during a specific time period, the operation density is calculated to be 0.3125 times / second, the keyboard input ratio is 0.7, and the window switching frequency is 0.2 times / second. The feature vector generated after standardization can be represented as [0.85, 1.2, -0.3, ...].
[0047] It should be noted that user operation logs are collected during a pre-set initial credible observation period, such as 30 consecutive normal working days, and confirmed by the administrator that no security incidents have occurred. These logs are then processed through the aforementioned steps to form a training dataset containing only normal behavioral patterns. The dynamic feature vectors in this dataset are used as training samples and input into a temporal neural network model based on Long Short-Term Memory (LSTM) for unsupervised training to construct a behavioral baseline model representing the normal fluctuation range of user behavior.
[0048] The pre-established neural network model employs an encoder-decoder LSTM network; both the encoder and decoder are single LSTM layers with 128 hidden units; the input layer dimension is the same as the dimension of the dynamic feature vector; during training, the standardized dynamic feature vector sequence is input into the encoder, and the final hidden state output by the encoder is used as a compressed representation of the input sequence; the decoder reconstructs the input sequence based on this hidden state; the training objective is to minimize the mean squared error between the original input sequence and the reconstructed sequence; the Adam optimizer is used with an initial learning rate of 0.001; training stops when the loss value on the reserved validation set no longer decreases for 5 consecutive training epochs.
[0049] It should be noted that before training, the feature vector sequence is standardized and divided into continuous input sequences according to time order. The training objective is to learn the inherent patterns of users' historical operation sequences by minimizing the reconstruction error of the input sequences (using the mean squared error loss function). During training, the number of hidden layer units is set to 128, the learning rate to 0.001, and the batch size to 32. Training stops when the validation set loss no longer decreases for five consecutive epochs. After the model training is completed, for a given input feature sequence, the hidden state vector output by its encoder constitutes the baseline representation of that sequence. Combined with historical data statistics, the confidence interval of the typical behavior pattern for that period can be obtained, thus forming a personalized behavioral baseline model. This behavioral baseline model refers to the user's normal behavior representation model obtained through neural network training, which is periodically updated as new normal operation data accumulates.
[0050] In one embodiment, after training on a user's historical feature sequence during the morning work period, the hidden state space learned by the model can characterize the user's behavior pattern of mouse movement frequency being stable at 0.25–0.4 times / second and keyboard input accounting for more than 65%. This pattern is used as the behavioral baseline for that period for subsequent comparison.
[0051] In step S12, based on the behavioral baseline model, user operation habit data at different time periods are grouped to obtain a preliminary behavioral pattern distribution, including:
[0052] S1201, Calculate the volatility coefficient of user operations based on the behavioral baseline model, and divide the operation habit data based on the volatility coefficient to obtain time slices;
[0053] S1202, the K-means clustering algorithm is used to group the operation data within the time slice to form a preliminary distribution of behavioral patterns.
[0054] It should be noted that the Mahalanobis distance between the dynamic feature vector within the current time period and the corresponding time period baseline vector output by the behavioral baseline model is calculated, and this distance value is normalized to the [0,1] interval before being used as the volatility coefficient for this operation. Based on a preset volatility coefficient threshold, the system marks time periods with volatility coefficients higher than the threshold as high volatility and time periods with volatility coefficients lower than or equal to the threshold as low volatility. For continuous time periods marked as high volatility, the system subdivides the corresponding original operation data window into shorter time slices; for low volatility periods, the original time window division remains unchanged. The volatility coefficient threshold is set by statistically analyzing the volatility coefficients of users over 30 consecutive normal working days, plotting their cumulative distribution curve, and selecting the value corresponding to the 95th percentile as the threshold, which is 0.5 in this experimental scenario.
[0055] In one embodiment, if a user's operation data from 9:00 AM to 10:00 AM is calculated to have a volatility coefficient of 0.62 (higher than the threshold of 0.5), then the data for that hour is further divided into more refined time slices such as 9:00-9:15 and 9:15-9:30.
[0056] It should be noted that the dynamic feature vectors of all users within a time slice are organized into a feature matrix, and the K-means clustering algorithm is used to perform unsupervised grouping of this matrix. First, the silhouette coefficient method is used to determine the optimal number of clusters K, and the K-means++ method is used to initialize the cluster centers; then, iterative calculation is performed, assigning each feature vector to the nearest cluster using Euclidean distance, and updating the cluster centers until the change in cluster centers is less than the preset tolerance or the maximum number of iterations is reached; after clustering, each cluster represents a typical behavioral pattern, and its cluster center is the representation vector of that pattern.
[0057] In one embodiment, after clustering data from multiple time slices on a certain morning, three main clusters can be obtained: Cluster A represents high-frequency keyboard input, low window switching, and long single-time dwell time, which can be interpreted as a deep document editing mode; Cluster B represents medium-frequency mouse movement and high browser tab opening and closing frequency, which can be interpreted as an information retrieval mode; and Cluster C represents extremely high window switching frequency and concentrated instant messaging operations, which can be interpreted as a coordination and communication mode. This constitutes a preliminary, quantitative distribution of the user's behavioral patterns during that time period.
[0058] In step S13, based on the behavioral pattern distribution and a preset baseline behavioral vector, the deviation degree is calculated and an outlier set is extracted. An anomaly trigger signal is generated based on the topological correlation between the outlier set and historical trajectories. Threat confidence is calculated based on the anomaly trigger signal, and the corresponding potential risk level is determined, including:
[0059] S1301, based on the behavior pattern distribution, the operation command flow of the virtual desktop is mapped to the distribution space, and the discreteness of the operation command flow is calculated to generate a fluctuation feature matrix;
[0060] S1302, calculate the deviation value between the fluctuation feature matrix and the preset benchmark behavior vector. If the deviation value exceeds the preset deviation threshold, extract the original operation command at the corresponding time and mark it as an outlier set.
[0061] S1303, Analyze the topological correlation between the set of outliers and the historical trajectory. If the topological correlation is lower than a preset connectivity threshold, generate an anomaly trigger signal.
[0062] S1304, calculate the threat confidence level in response to the abnormal trigger signal, and determine the potential risk level of the abnormal behavior based on the threat confidence level.
[0063] It should be noted that the operation command flow is divided into time windows of a preset fixed duration. For each window, features are extracted from the operation commands according to their type, target application, and operation interval, forming a multi-dimensional feature vector. The cosine similarity between this feature vector and the cluster center vectors in the behavior pattern distribution is calculated to obtain a similarity vector, which serves as the mapping coordinates of the window in the distribution space. By sliding the time window, a series of mapping coordinates are obtained, forming a coordinate trajectory. To quantify the fluctuation of operation behavior, a set of statistical features is calculated for each time window, including the entropy value of the operation type distribution, the standard deviation of the time interval between adjacent operations, and the Euclidean distance between the mapping coordinates of this window and the coordinates of the previous window. Arranging the above statistical features of all time windows within a continuous period in chronological order constitutes a fluctuation feature matrix, where each row corresponds to a time window and each column corresponds to a statistical feature dimension.
[0064] In one embodiment, the user's operation command flow over a 3-hour period in the morning is divided into 36 time windows with a window size of 5 minutes. The operation type entropy, operation interval standard deviation, and mapped coordinate displacement of each window are calculated, ultimately generating a 36-row, 3-column matrix. If the matrix data of a certain time window shows that the operation entropy value increases from the baseline of 0.5 to 1.2, and the operation interval standard deviation jumps from 0.8 seconds to 2.1 seconds, it indicates that the user's behavior during that period exhibits significant abnormal fluctuations.
[0065] It should be noted that the benchmark behavior vector refers to the typical feature vector of a certain period extracted from the behavior baseline model. It is obtained by statistically analyzing the mean value of the row vectors of the fluctuation feature matrix of each corresponding time window during the same initial reliable observation period used to train the behavior baseline model, i.e., the historical stable period, such as the past 30 working days. Specifically, during the initial stage of system deployment or the learning period after user authentication, the operation data of the user in the absence of security alarms for several consecutive working days, for example, no less than 20 working days, is collected. After being processed by the method described in step S11, dynamic feature vectors for each time window are generated. For each type of typical working time period, such as the morning working period and the afternoon working period, the dynamic feature vectors of all historical windows in the period are arithmetically averaged, and the resulting mean vector is used as the benchmark behavior vector for that period.
[0066] Simultaneously, the sample covariance matrix of all row vectors of the fluctuation feature matrix for that historical period is calculated. For each row vector in the fluctuation feature matrix, its Mahalanobis distance is calculated based on the row vector, the historical mean vector, and the historical covariance matrix. The average Mahalanobis distance of all time windows in that period is then used as the comprehensive deviation value. The preset deviation threshold is set based on the statistical distribution of deviation values for all analysis periods within the same historical stable period, typically taking a high quantile of this distribution, such as the 95th quantile, which is set to 0.55 in this embodiment. If the calculated current deviation value exceeds this threshold, the user behavior is determined to have significantly deviated from the baseline. At this time, the system will automatically locate the starting time window where the deviation first exceeds the threshold and continuously extract values until the deviation of a certain time window falls back below the threshold. The corresponding original operation sequence segments within this continuous time period are marked as an outlier set.
[0067] The preset deviation threshold can be calculated based on the same historical dataset used to obtain the baseline behavior vector, for each analysis period, such as every half hour, to form a historical deviation dataset; a cumulative distribution function graph of the dataset is plotted; the threshold is set at the quantile value corresponding to 95% of the cumulative probability; that is, in historical normal behavior, the deviation will exceed this value only in about (100-95)% of the time periods; those skilled in the art can adjust the quantile value according to the leniency of the actual security policy.
[0068] In one embodiment, if the deviation consistently exceeds a threshold of 0.55 between 10:05 AM and 10:25 AM, the system intercepts all operation instructions within this 20-minute period. This segment may contain abnormal operation sequences such as intensive access to multiple non-work-related directories within a short period of time and repeated modification of file attributes; these sequences collectively constitute a set of outliers.
[0069] It should be noted that a user behavior access graph is constructed based on the frequency of adjacent occurrences of nodes in historical operation sequences, using applications, processes, and system resources accessed by the user as nodes. The operation sequences corresponding to outlier sets constitute a subgraph. Topological relevance is measured by calculating the graph similarity between this subgraph and the historical behavior access graph; this similarity can be calculated using the SimRank method based on random walks. The preset connectivity threshold is determined by statistically analyzing the topological relevance of all short-term operation segments generated by the user during historical normal and non-abnormal periods, and taking the lower quantile of this statistical distribution, such as the 5th percentile. If the calculated topological relevance of the current outlier set is lower than this threshold, the abnormal behavior is determined to be significantly inconsistent with user habits, and an anomaly trigger signal is generated.
[0070] In one embodiment, the operation of a set of outliers mainly revolves around an encrypted compression tool node that has never appeared in the historical graph. The edges inside the tool node cannot be connected to any high-frequency paths in the historical graph, resulting in extremely low topological correlation calculation results, thereby triggering an anomaly.
[0071] It should be noted that the three key quantitative indicators extracted for the outlier set include the deviation value, the duration of the outlier sequence, and the proportion of predefined sensitive operations within the outlier sequence. After normalizing each indicator, weight coefficients are assigned to each indicator based on its predictive importance to the actual threat, and a weighted sum is calculated to obtain a threat confidence value between 0 and 1. These weight coefficients can be initialized based on the analysis of historical confirmed security event samples, or they can be configurable parameters that can be adjusted by the system administrator according to the actual security strategy. For example, the weight of deviation can be set to 0.5, the weight of duration to 0.3, and the weight of the proportion of sensitive operations to 0.2. Finally, based on the calculated threat confidence value, the potential risk level is determined by referring to a preset risk level mapping table. This mapping table can be set as follows: confidence below 0.3 is low risk, 0.3 to 0.7 is medium risk, 0.7 to 0.9 is medium-high risk, and above 0.9 is high risk.
[0072] Specifically, the weighting coefficients can be obtained by collecting confirmed abnormal session samples and extracting values for various indicators, such as deviation, duration, and the proportion of sensitive operations. Subsequently, feature importance assessment methods, such as variable importance ranking based on random forests or Delphi method expert consultation, are used to assign initial weighting coefficients to each indicator to ensure that the weights reflect the actual threat contribution. During operation, the weights can be dynamically adjusted through an incremental learning mechanism, and the historical data distribution is reassessed monthly. If the discriminative power of an indicator changes significantly in new events, its weight is automatically updated, and the adjustment log is recorded for auditing.
[0073] In one embodiment, for an outlier set with a deviation of 0.71, a duration of 15 minutes, and a sensitive operation ratio of 40%, a weighted threat confidence level of approximately 0.82 can be obtained. Based on the mapping table, this confidence level will be determined as medium-high risk, thereby triggering corresponding enhanced auditing and monitoring processes.
[0074] In step S14, based on the potential risk level and combined with pre-collected device security feature data, a comprehensive detection of the hardware and network environment of the current session is performed to obtain device security status information, including:
[0075] S1401, in response to the potential risk level, collect the device metadata and network configuration parameters of the current session host to obtain device security feature data;
[0076] S1402, compare the device security feature data with a preset trusted device benchmark to obtain the hardware matching degree, and parse the network configuration parameters to obtain the network compliance status, and construct an environment snapshot based on the hardware matching degree and the network compliance status;
[0077] S1403, Input the environmental snapshot into a preset vulnerability feature matching model to identify potential attack paths;
[0078] S1404, generate a threat score based on the attack path and the potential risk level. If the threat score exceeds a preset security baseline, generate device security status information.
[0079] It should be noted that the data collected includes device metadata, such as host identifier and system version information, as well as the IP addresses and physical addresses of active network interfaces. The collected raw data is then concatenated and standardized according to a predefined order and encoding rules to form a unified hardware feature vector. Standardization includes removing periods from IP addresses and separators from physical addresses.
[0080] In one embodiment, after collecting the motherboard serial number MBA01234567, CPUID CPU7890, IPv4 address 192.168.1.100 and physical address 00-1B-44-11-3A-B7, the feature vector "MB:MBA01234567;CPU:CPU7890;MAC:001B44113AB7;IP:192168001100" can be generated through concatenation and standardization.
[0081] It should be noted that the hardware matching score is obtained by calculating the similarity between the vector formed by the device security feature data and the set of corresponding user benchmark vectors in the trusted device benchmark library. Simultaneously, network configuration parameters are parsed to check whether the IP address belongs to a preset internal network segment, whether the gateway address is a trusted address, and whether the DNS server address complies with enterprise regulations, thereby forming a network compliance status list. The hardware matching score, the network compliance status list, and any hardware identifier anomalies found during the comparison are integrated to generate a structured environment snapshot document. In one embodiment, if the hardware matching score is calculated to be 0.98, the IP address 192.168.1.100 is in an internal network segment and the gateway is correct, but the DNS server 8.8.8.8 is not enterprise-specified, and an unknown USB device is found, the generated environment snapshot may include the hardware matching score, network compliance details, and a list of abnormal devices.
[0082] It should be noted that the vulnerability signature matching model is integrated from the Azure Security Advice Database, the publicly available CVE vulnerability database, and the MITREATT&CK framework. It outputs a list of potential attack paths by matching collected environment snapshots, such as operating system version, list of installed software, and open ports, with vulnerability conditions and attack patterns (TTPs) in the knowledge base according to rules.
[0083] It should be further explained that the preset vulnerability feature matching model is a rule-based inference engine. Its knowledge base is updated periodically, for example daily, by synchronizing security recommendations from Azure Security Center, CVE entries from the National Vulnerability Database (NVD), and tactics and techniques from the MITRE ATT&CK framework, and converting them into rules in the form of 'IF (condition) THEN (potential attack path / vulnerability)'. The condition part is matched with fields in the environment snapshot, such as the operating system version number, open port number, and list of installed software. Identifying potential attack paths refers to comparing each piece of data in the environment snapshot with all rule conditions in the knowledge base, and outputting a list of attack paths corresponding to all rules that meet the conditions.
[0084] In one embodiment, if the network configuration in the snapshot shows that an unconventional port, such as 3389, is open to the outside world, and there are also login attempt logs from unconventional geographical locations, a rule in the model will be triggered. This rule will then correlate with attack patterns in the knowledge base that utilize weak RDP authentication for brute-force attacks, thereby identifying a specific potential attack path. The output might be that the attacker may attempt to brute-force passwords on the RDP port via the internet, and upon success, move laterally to a shared directory on a file server. The model can also use correlation analysis to chain multiple matching rules into more complex attack chains.
[0085] It should be noted that a basic threat score is obtained based on the mapping of the potential risk levels, and a threat score is generated by multiplying the basic threat score by the weighting coefficient corresponding to the severity level of the attack path. The security baseline is calculated by statistically analyzing threat score samples within historical normal session periods to determine their statistical distribution, and a higher quantile, such as the 95th percentile, is selected as the initial security baseline value. During operation, this security baseline is dynamically adjusted based on the severity level of real-time threat intelligence, the anomaly index of the current network environment, and the system resource load status, and can be optimized through periodic reassessment and machine learning methods. When the threat score exceeds this dynamic security baseline, the system generates corresponding device security status information.
[0086] In one embodiment, if the current potential risk level is medium to high risk, its base score is 0.6, and the weighting coefficient corresponding to the severity level of the identified attack path is 1.8, then the calculated threat score is 1.08. After normalization, the score is 0.77. If the security baseline dynamically calculated by the system based on the current environment is 0.72, then because 0.77 is greater than 0.72, it is determined that the security baseline has been exceeded, thereby generating device security status information indicating the presence of external threats and triggering an alarm.
[0087] In step S15, if the device security status information indicates an external threat to the session environment, user behavior trajectory data and device operating status parameters are captured and weighted for analysis. A real-time credibility score is obtained and compared with a preset dynamic threshold range. After determining the access permission level, corresponding session control instructions are generated, including:
[0088] S1501, responding to the external threat identifier in the device security status information, capturing user interaction behavior trajectory data and device operating status parameters, and constructing a multi-dimensional feature vector;
[0089] S1502, the multidimensional feature vector is mapped to a preset risk weight matrix to generate a weighted feature set, and the real-time credibility score is obtained after aggregate analysis of the weighted feature set;
[0090] S1503, compare the real-time credibility score with a preset dynamic threshold range to determine the access permission level, and generate a session control instruction based on the access permission level.
[0091] It should be noted that the system collects event logs in real time, including process creation, file access, and remote desktop sessions, and analyzes them to obtain user interaction behavior trajectory data such as process startup chains, file access sequences, and window focus switching. Simultaneously, it collects device operating status parameters such as CPU utilization, changes in memory working set, and disk IOPS through performance counters. Within a set time window, statistical features such as mouse movement trajectory curvature, keystroke interval variance, and focus dwell time standard deviation are extracted from the behavior trajectory data. Moving averages and peak values are calculated from the performance parameters. All extracted feature values are normalized to the [0,1] interval and concatenated into a fixed-length multidimensional feature vector in a predefined order.
[0092] In one embodiment, features such as mouse trajectory curvature 0.15, keystroke interval variance 0.08, focus switching frequency 0.33, average CPU utilization 0.62, and memory fluctuation 0.21 are extracted within a monitoring period. After normalization and concatenation, a feature vector of the form [0.15, 0.08, 0.33, 0.62, 0.21, ...] can be formed.
[0093] It should be noted that the risk weight matrix is a predefined two-dimensional weight table. The number of rows corresponds to the dimension of the multi-dimensional feature vector, i.e., each specific feature, and the number of columns corresponds to the preset number of risk categories, such as abnormal behavior patterns, abnormal equipment status, and composite risks. Each element in the matrix represents the contribution weight of the feature corresponding to its row to the risk category corresponding to its column. The initial values of the risk weight matrix are assigned based on empirical judgments of various behavioral and equipment status features regarding risk categories such as abnormal behavior patterns and abnormal equipment status. After the system goes live, historical session data, including feature vectors and manually labeled risk levels, can be collected periodically, such as weekly. Interpretable models such as logistic regression or gradient boosting trees can be used to analyze the contribution of each feature to the actual risk level, and this contribution can be used as a reference to manually or semi-automatically adjust and optimize the values in the weight matrix.
[0094] During mapping, each feature value in the multidimensional feature vector is multiplied by its weight in the corresponding risk category in the matrix, and all weighted results belonging to the same risk category are summed to generate a weighted feature set representing the comprehensive strength of each category. The initial value of this weight matrix is assigned based on the preset importance of each feature to different risk categories, through analysis of historical data. For example, the initial weight of the mouse trajectory smoothness feature to the abnormal behavior pattern category might be set to 0.18, and the initial weight of the abnormal process initiation feature to the abnormal device status category might be set to 0.22. These weights can be periodically updated by calibrating and optimizing using historical data containing normal and known abnormal sessions. Subsequently, based on the values of each dimension in the weighted feature set and their deviation from the historical normal session statistical benchmark, a real-time confidence score between 0 and 1 is calculated.
[0095] In one embodiment, when a user is detected to be making rapid, disordered clicks and starting an unknown process, the overall anomaly intensity represented by the weighted feature set after the relevant features are weighted and summed will be significantly increased, thereby calculating a lower real-time credibility score, indicating that the current session is at high risk.
[0096] It should be noted that the upper and lower bounds of the threshold range are dynamically adjusted based on the determined potential risk level. For example, if the preceding risk level is medium to high risk, the threshold range is tightened to [0.75, 0.90]; if it is high risk, it is further tightened to [0.82, 0.95]. The specific value of the threshold is set based on the statistical distribution of the credibility score of historical normal sessions under that risk level, such as taking the 10th quantile of the distribution as the lower limit and the 90th quantile as the upper limit, to ensure the adaptability of the judgment. Next, the calculated real-time credibility score is compared with the adjusted dynamic threshold range. Based on the comparison result, the access permission level is determined through a preset permission mapping table. For example, when the score is below the lower limit of the range, such as 0.75, it is mapped to the restricted level (only viewing operations are allowed); when the score falls within the range, such as between 0.75 and 0.90, it is mapped to the standard level (normal editing operations are allowed); when the score is above the upper limit of the range, such as 0.90, it is mapped to the full level (all permissions are granted). Finally, based on the determined access permission level, specific and executable session control instructions are generated. This instruction is a set of instructions that includes the operation type, target resource, and execution parameters.
[0097] In one embodiment, if the real-time trust score is 0.68, and prior identification of external threats has tightened the threshold range, the system determines the permission level to be restricted and generates instructions such as restricting file operations to read-only, blocking new network connections, and enabling full auditing. If the score subsequently rises back to 0.87, the permission level can be adjusted to standard, and the control instructions can be adjusted accordingly.
[0098] In step S16, the session control command is responded to and the real-time trust score is extracted. If the real-time trust score is lower than a preset security threshold, the current permission list is reconstructed, and the adjusted permission range is determined, including:
[0099] S1601, respond to the session control command and extract the real-time trust score. If the real-time trust score is lower than the preset security threshold, mark the risk as under control.
[0100] S1602, Based on the risk-controlled state, intercept resource access requests and locate active permission items involving sensitive resource identifiers, and re-acquire the least privilege constraint rule that matches the real-time credibility score;
[0101] S1603, use the least privilege constraint rule to verify the active permission items, filter out illegal operation instructions, generate permission stripping instructions and resource degradation configuration parameters, and construct a set of permissions to be adjusted;
[0102] S1604, Execute the set of permissions to be adjusted to reconstruct the current permission list and determine the scope of permissions after adjustment.
[0103] It should be noted that the preset security threshold is set by statistically analyzing the credibility scores of the same historical normal session dataset used to train the behavioral baseline model during the stable operation phase, taking the lower quantile of its distribution, such as the 5th percentile, to ensure stable detection capability for low-credibility states significantly below historical normal levels. If the extracted real-time credibility score is lower than this preset security threshold, such as 0.70, and this state below the threshold persists for several consecutive monitoring cycles, such as three cycles with each cycle lasting 5 seconds, the system will officially mark the current session as a risk-controlled state. This mark is a persistent session attribute that will trigger a series of subsequent enhanced security control processes.
[0104] In one embodiment, in a virtual desktop session, the system refreshes the trust score every 5 seconds. If the scores are 0.68, 0.65, and 0.66 for three consecutive periods (15 seconds), which are all lower than the preset security threshold of 0.70, the system will mark the status of the session as risk-controlled.
[0105] It should be noted that when a resource access request is detected, the target resource identifier is parsed and compared with a predefined list of sensitive resource identifiers to determine whether it is a sensitive resource access request. If a match is found, all active permission items of the current session user for that sensitive resource are queried and located. Subsequently, based on the current real-time trust score, the system retrieves the rule entries corresponding to the applicable score range from a preset least privilege constraint rule base. These rule entries define the list of operations allowed to be performed on the sensitive resource and the resource modes that are prohibited from access at the current trust level. The least privilege constraint rule base is a structured list, and each rule contains the following key fields: the applicable lower limit of the trust score, the applicable upper limit of the trust score, the list of operation types allowed to be performed on the sensitive resource within the score range, and the list of resource modes that are explicitly prohibited from access or execution within the range. The system retrieves the corresponding rule entries based on the current score range.
[0106] It is worth noting that the establishment of the least privilege constraint rule base first defines resources with different sensitivity levels based on the enterprise's data classification and grading standards and business roles, such as core design documents, financial statements, and allowed operations under different trust levels (represented by trust score ranges), such as read-only and edit-only but not export-only. These definitions are entered in the form of a form through the management console, and the system stores them as a structured rule base.
[0107] In one embodiment, a user attempts to access the path \\fileserver\finance\report.xlsx. The system identifies that the path matches the sensitive identifier pattern \\finance\ and discovers that the user currently has modification permissions for this file. Because the session is in a risk-controlled state and the real-time trust score is 0.65, the system retrieves a rule from the rule base applicable to a score range of 0.60 to 0.70. This rule stipulates that only read operations are allowed for such sensitive files.
[0108] It should be noted that when a user attempts to access any resource system, the Azure Purview data catalog REST API and the Microsoft Defender for Cloud security assessment API are periodically called to dynamically retrieve and synchronize sensitive data classification patterns defined by the administrator in Purview, such as file patterns containing tags like "financial" or "PII," as well as a list of resources marked as high severity in Defender for Cloud. This information is cached in the local sensitive resource policy library and is updated periodically, such as synchronizing every 5 minutes.
[0109] When a user attempts to access any resource, the request is first captured and suspended by a lightweight security agent deployed on the virtual desktop session host. This agent parses the target resource identifier in the request, such as the file path, application ID, and resource URI, and performs pattern matching by querying the local sensitive resource policy library in real time to determine if it is a sensitive resource. If a match is found, the agent further queries the Azure AD Graph API and Azure Resource Management (ARM) API to obtain all active permission entries for that resource currently in effect for the session, comprised of Azure Active Directory (Azure AD) conditional access policies, Azure RBAC role assignments, and virtual machine group policy objects.
[0110] It should be noted that the specific operation types included in each identified active permission item, such as GetSecret and ListSecrets permissions for KeyVault, and Read and Write permissions for stored files, are compared one by one with the set of operations explicitly allowed for that type of sensitive resource in the least privilege constraint rules. Any operation type not within the allowed set is filtered and judged as a violation instruction. For each violation instruction, the system generates two core outputs: permission stripping instructions and resource degradation configuration parameters. Finally, the system packages all permission stripping instructions and resource degradation configuration parameters generated for this session into a structured set of permissions to be adjusted. This set is a task list containing specific API call parameters and configuration details.
[0111] In one embodiment, if the verification finds that the user has Set and Delete permissions for a sensitive KeyVault, while the rule only allows Get, the system will generate a permission stripping instruction to call the Azure KeyVault management API, and at the same time generate resource degradation configuration parameters to ensure that all subsequent access tokens have only read-only scope for the resource.
[0112] In step S17, the access control policy in the virtual environment is updated in real time according to the adjusted permission scope, and dynamic environment adaptation processing is performed on subsequent user operations to obtain the latest session state information, including:
[0113] S1701, Generate a policy configuration matrix containing the latest constraints based on the adjusted permission range;
[0114] S1702, Load the policy configuration matrix and parse the second instruction stream generated by the user's subsequent operations, and extract the runtime context from the second instruction stream;
[0115] S1703, if the runtime context triggers the constraint conditions in the policy configuration matrix, then perform dynamic environment adaptation processing and collect session state information to construct a time-series state snapshot;
[0116] S1704, Perform stability feature analysis on the time-series state snapshot, calculate the deviation value, quantify the stability guarantee of the system based on the deviation value, and obtain the latest session state information.
[0117] It should be noted that the system parses the adjusted permission scope and converts each resource-operation authorization relationship within it into a single row in the policy configuration matrix. This matrix is a two-dimensional data structure, where each row includes at least a unique resource identifier (e.g., URL), a list of allowed operation types (e.g., [read]), an effective condition (e.g., the associated real-time credibility score range [0.60, 0.70)), and a policy priority. The generation process is automated: the system iterates through all entries in the adjusted permission scope, creating a basic policy record for each entry; for operations explicitly prohibited within the permission scope, explicit denial rule records are generated. Finally, the system sorts these records by resource type and priority, integrating them into a complete policy configuration matrix.
[0118] In one embodiment, the adjusted permission scope specifies that "read operations are only allowed for files under the path \finance\", and the system generates a policy record {resource_id: "\finance\", allowed_actions: ["read"], condition: "scorein[0.60, 0.70)", priority: 10}. This matrix defines the latest set of constraints for the session at the current trust level.
[0119] It should be noted that the second instruction stream is captured by the system monitoring component and is a time-sequential, structured sequence of operation events. Each event contains fields such as operation type (e.g., file_open), target resource identifier, timestamp, and initiating process. During parsing, the system processes each operation event sequentially and extracts key attributes that constitute the runtime context. These attributes typically include the action type of the current operation, the specific resource object targeted by the operation, the exact time the operation occurred, and the current real-time credibility score of the session.
[0120] In one embodiment, when the system captures a subsequent user action event with the content {action: "execute", target: "C:\App\editor.exe", time: "10:05:23", trust_score: 0.65}, the parser extracts the runtime context as follows: the action type is program execution, the target resource is editor.exe, and it is associated with the current session trust score of 0.65. This context will be used for real-time matching and decision-making with the loaded policy configuration matrix.
[0121] It should be noted that when the runtime context successfully matches any constraint in the loaded policy configuration matrix, it is determined that a constraint condition has been triggered. The system then performs dynamic environment adaptation processing, which in real time blocks the execution of the violation, records security alarm events, notifies the security administrator, triggers multi-factor re-authentication for the current session, or simulates the execution of the intercepted operation command in an isolated sandbox environment to further analyze its intent. Simultaneously, it automatically collects current session state information, including but not limited to trigger time, user ID, detailed intercepted operation commands, process tree information, network connection status, and the system's current CPU and memory load. The system associates this trigger event with the collected state information in chronological order with historical events of the same type, constructing a structured time-series state snapshot. This snapshot is typically a JSON object or a database record, used to depict the overall system security state at the moment the policy is triggered.
[0122] In one embodiment, a user attempts to save modified content to a protected financial document report.xlsx (action type: write). After matching the policy matrix, the system finds that the resource is only allowed to "read" under the current trust score, so it immediately blocks the save operation and collects and generates the following snapshot: {"timestamp":"2023-10-2710:15:30","user":"user123","blocked_action":"write","target":"report.xlsx","trust_score":0.65,"process":"winword.exe","connections":[]}.
[0123] It should be noted that key features for evaluating stability are extracted from the time-series state snapshots, including the frequency of operation triggers per unit time, the concentration of access to protected resources, and the density of abnormal session events. The current value of each feature is compared with the stability feature benchmark range established for the user or similar user groups during historical normal sessions, calculating the relative degree of deviation of each feature value from its benchmark range midpoint. Based on the preset influence weight of each feature on stability, the deviation degrees of all features are weighted and synthesized to obtain a comprehensive deviation score between 0 and 1, i.e., the deviation value. Subsequently, according to preset rules that map the level of protection based on the magnitude of the deviation value, the deviation value is converted into a level of protection rating for system stable operation. Finally, the current real-time reliability score, triggered control policies, deviation value, and protection rating are integrated to generate structured, up-to-date session state information.
[0124] In one embodiment, snapshot analysis revealed an operation frequency of 12 times per minute, far exceeding the historical baseline range of [4,8] times / minute. Similar deviations were observed in characteristics such as resource access concentration. The weighted overall deviation score was 0.28. According to the mapping rules, this deviation score corresponds to a "medium" level of assurance (65%). The generated latest session state information is recorded as {"trust_score": 0.65, "stability_deviation": 0.28, "assurance_level": "medium", "assurance_percentage": 65}.
[0125] In step S18, user behavior dynamics are continuously monitored based on the latest session state information, abnormal behavior fluctuation feature vectors are identified and risks are assessed. If the risk score exceeds a preset threshold, a dynamic permission adjustment strategy is executed to obtain the dynamic maintenance result of the overall system security, including:
[0126] S1801, parse the latest session state information, extract the user operation instruction sequence, and map the user operation instruction sequence to the behavior baseline model for comparison to obtain the behavior deviation value;
[0127] S1802, Perform time-series fluctuation analysis based on the behavior deviation value to generate a behavior fluctuation feature vector containing multi-dimensional fluctuation attributes;
[0128] S1803, input the behavior fluctuation feature vector into the abnormal pattern recognition logic to calculate the real-time risk assessment score. If the real-time risk assessment score exceeds the preset risk score threshold, generate a dynamic permission adjustment strategy.
[0129] S1804, execute the dynamic permission adjustment strategy, reset access control parameters, and obtain the dynamic maintenance result of the overall system security.
[0130] It should be noted that the user operation command sequence consists of a series of operation events of a clearly defined type, arranged in chronological order. This sequence is then input into the behavior baseline model. The comparison process is achieved by calculating the cosine or Euclidean distance between the feature vector of the current operation command sequence (e.g., the sequence representation extracted through the embedding layer) and the typical feature vector output by the baseline model. This distance value, after normalization, is the behavior deviation value.
[0131] In one embodiment, the system analysis revealed that the user executed a sequence of operations at 11:30 AM, including `open("sensitive file A")`, `copy_to_clipboard`, and `save_as("external path")`. This sequence was processed by a baseline model, and the cosine distance between this sequence and the user's typical sequence characteristics during historical morning work periods was calculated to be 0.75. After normalization, a behavioral deviation value of 0.25 was obtained (a higher value indicates a greater deviation), indicating a quantifiable difference between the current behavior and the user's habitual pattern.
[0132] It should be noted that the system acquires a series of behavioral deviation values calculated at fixed intervals, such as every minute, over a continuous time period, such as the most recent 30 minutes, forming a time series. Subsequently, fluctuation features are extracted from this time series. The standard deviation of the series within a sliding time window, such as a 5-minute window, is calculated as a measure of fluctuation amplitude. The number of peaks in the series whose values exceed a preset calm threshold, such as 0.1, is counted and divided by the total duration to obtain the fluctuation frequency. The maximum duration of a subsequence that continuously exceeds the calm threshold is calculated. Finally, the calculated fluctuation amplitude, fluctuation frequency, maximum duration, and other statistics, along with the mean, slope, and latest value of the time series, are encoded together into a fixed-dimensional numerical array, namely the behavioral fluctuation feature vector.
[0133] In one embodiment, for the user's behavioral deviation sequence in the most recent 30 minutes [0.05, 0.12, 0.08, 0.25, 0.18, 0.22, ...], the above analysis calculates a fluctuation amplitude of 0.07, a fluctuation frequency of 0.15 times / minute, and a duration of 4 minutes, etc. The final generated feature vector may be [0.07, 0.15, 4, 0.15, 0.005, 0.22]. This vector comprehensively represents the multi-dimensional dynamic characteristics of the user's behavioral fluctuations.
[0134] It should be noted that the anomaly pattern recognition logic is a random forest classification model trained on historical data. The training data comes from historical session records. Behavioral fluctuation feature vectors corresponding to session segments ultimately confirmed by the security system as having a real threat are labeled as anomaly categories; feature vectors corresponding to segments extracted from normal sessions without any security alerts for extended periods are labeled as normal categories. After receiving the current behavioral fluctuation feature vector, the model outputs a value between 0 and 1, representing the probability that the vector is judged as an anomaly. Multiplying this probability value by 100 yields a real-time risk assessment score between 0 and 100, with higher scores indicating greater risk. The preset risk score threshold is set based on the model's performance evaluation on an independent validation set, such as by analyzing the precision-recall curve to select a decision point that balances the two, aiming to balance detection sensitivity and false alarm rate. If the calculated real-time risk assessment score exceeds this threshold, the system triggers the policy generation module. This module matches a dynamic permission adjustment policy from the policy template library based on the preset risk score range (e.g., [60, 80) for medium risk, [80, 100] for high risk). The policy is a JSON object containing a list of specific operation instructions.
[0135] In one embodiment, if the real-time risk assessment score is 75, which exceeds the threshold of 60 and is classified as medium risk, the system can generate the following policy: for sensitive resources, immediately revoke file write permissions and start session operation recording.
[0136] It should be noted that the system invokes a unified policy execution engine to parse the list of specific operation instructions contained in the dynamic permission adjustment policy. For each instruction, the engine translates it into one or more API calls to underlying security subsystems such as file server access control lists, application whitelist services, and network filtering drivers to complete the real-time modification of permissions. This process is called resetting access control parameters. For example, according to the instruction `revoke_file_write`, the engine calls the file server's API to disable the write bit in the user permission entry on the specified sensitive resource path. After all instructions have been executed, the system performs a consistency check to confirm that the access control parameters of all target resources have been updated according to the policy. Finally, the system summarizes comprehensive information about this policy execution, including execution time, triggered policy content, successfully reset parameters, the latest permission snapshot of the current session, and the latest real-time risk assessment score. This information is integrated to generate a structured report, which represents the dynamic maintenance result of the overall system security within the current period. This result not only confirms that risk response measures have taken effect but also provides a new state baseline for continuous monitoring cycles.
[0137] In one embodiment, after the system executes the policy, it successfully downgrades the user's permissions for all files in the financial reporting directory from modify to read-only and enables operation recording. The generated dynamic maintenance result report is recorded as {"timestamp":"2023-10-27 11:30:05","policy_executed":"Moderate risk mitigation strategy","parameters_reset":["file_write_revoked","session_recording_enabled"],"current_risk_score":65,"security_state":"Risk under control, under monitoring"}.
[0138] It should also be noted that all thresholds in this invention are not fixed values. The system is equipped with a threshold maintenance submodule, which is used to automatically re-execute the above statistical process and update the corresponding thresholds every preset period, such as 30 working days, or when the accumulated amount of new normal operation data reaches a certain scale, so as to adapt to the long-term evolution of operating habits.
[0139] Furthermore, the continuous monitoring and maintenance process also includes a permission recovery mechanism. If, within the subsequent N consecutive monitoring periods, the user's behavior deviation value falls back below the threshold, the real-time credibility score is consistently higher than the preset recovery threshold, and no new threats are detected in the device environment, the system will gradually upgrade the user's access permission level according to a predefined recovery strategy until it is restored to its initial or role-based standard permission range, thereby achieving flexibility and adaptability in security management.
[0140] It should be noted that the deployment of this system in the Azure Virtual Desktop architecture includes: a client agent deployed on each session host, responsible for real-time collection of user operation logs and device data, and receiving and executing policy instructions from the control plane; a security analytics engine, which, as a cloud service, receives data reported by the agent and performs core calculations such as behavioral baseline modeling, fluctuation analysis, and trustworthiness assessment; policy decision and execution points, integrated into Azure Active Directory conditional access policies and / or session host local security policies, receiving real-time control instructions from the security analytics engine and translating them into specific access control list (ACL) changes, session interruptions, or operation interception actions; and finally, a management console used to configure initial parameters, define sensitive resource rules, and monitor alerts. The data flow is as follows: the agent collects data, the security analytics engine processes and generates decisions, the decision instructions are issued to the policy execution points, the execution points take effect and provide status feedback, and the agent continues to monitor and report new data, forming a closed loop.
[0141] In summary, this invention discloses a micro-segmentation monitoring method for Azure virtual desktops based on a zero-trust architecture. This method includes real-time collection and analysis of user operation logs to construct a behavioral baseline model and pattern distribution; quantifying the degree of operational deviation through behavioral fluctuation analysis to identify anomalies and determine risk levels; detecting session environment threats by combining device security data; generating session trust scores and control commands based on weighted analysis of user behavior and device status; dynamically adjusting access permissions according to the trust scores and updating security policies in real time to adapt to environmental changes; and continuously monitoring and cyclically executing anomaly analysis and permission adjustments to achieve dynamic maintenance of system security. This invention addresses the security management needs of the Industrial Internet by constructing a closed-loop monitoring and micro-segmentation technology system from user intent to device environment, achieving comprehensive and fine-grained security protection for Azure virtual desktop sessions.
[0142] Reference Figure 2 The second embodiment of the present invention provides an Azure virtual desktop micro-segmentation monitoring system based on a zero-trust architecture, comprising:
[0143] The log collection and baseline modeling module collects user operation logs in the virtual desktop environment in real time, normalizes the user operation logs to obtain structured operation data, extracts user behavior features, and constructs a behavior baseline model.
[0144] The behavior pattern analysis module, based on the behavior baseline model, groups the user's operation habit data at different time periods to obtain a preliminary behavior pattern distribution.
[0145] The behavior fluctuation detection module calculates the degree of deviation and extracts the outlier set based on the behavior pattern distribution and a preset baseline behavior vector. It generates an anomaly trigger signal based on the topological correlation between the outlier set and the historical trajectory, calculates the threat confidence level based on the anomaly trigger signal, and determines the corresponding potential risk level.
[0146] The environmental security monitoring module, based on the potential risk level and combined with pre-collected device security characteristic data, comprehensively detects the hardware and network environment of the current session to obtain device security status information;
[0147] The credibility assessment and instruction generation module, if the device security status information shows that there is an external threat in the session environment, captures user behavior trajectory data and device operating status parameters for weighted analysis, obtains a real-time credibility score, compares it with a preset dynamic threshold range, determines the access permission level, and generates the corresponding session control instruction.
[0148] The dynamic permission adjustment module responds to the session control command and extracts the real-time credibility score. If the real-time credibility score is lower than a preset security threshold, the current permission list is reconstructed to determine the adjusted permission range.
[0149] The policy update and environment adaptation module updates the access control policy in the virtual environment in real time according to the adjusted permission scope, performs dynamic environment adaptation processing on subsequent user operations, and obtains the latest session state information.
[0150] The continuous monitoring and maintenance module continuously monitors user behavior dynamics based on the latest session status information, identifies abnormal behavior fluctuation feature vectors and assesses risks. If the risk score exceeds a preset threshold, a dynamic permission adjustment strategy is executed to obtain the dynamic maintenance result of the overall system security.
[0151] It should be noted that the Azure Virtual Desktop Micro-Segmentation Monitoring System based on Zero Trust Architecture provided in this embodiment of the invention is used to execute all process steps of the Azure Virtual Desktop Micro-Segmentation Monitoring Method based on Zero Trust Architecture in the above embodiment. The working principles and beneficial effects of the two are one-to-one, so they will not be described again.
[0152] It should be noted that the system embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Furthermore, in the accompanying drawings of the system embodiments provided by this invention, the connection relationships between modules indicate that they have communication connections, which can be specifically implemented as one or more communication buses or signal lines. Those skilled in the art can understand and implement this without any creative effort.
[0153] The specific embodiments described above further illustrate the purpose, technical solution, and beneficial effects of the present invention. It should be understood that the above descriptions are merely specific embodiments of the present invention and are not intended to limit the scope of protection of the present invention. In particular, it should be noted that any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the scope of protection of the present invention for those skilled in the art.
Claims
1. An Azure Virtual Desktop micro-segmentation monitoring method based on a zero-trust architecture, characterized in that, include: Real-time collection of user operation logs in the virtual desktop environment; normalization of the user operation logs to obtain structured operation data; extraction of user behavior features; and construction of a behavior baseline model. Based on the aforementioned behavioral baseline model, user operation habit data at different time periods are grouped to obtain a preliminary behavioral pattern distribution. Based on the distribution of the behavior patterns, the degree of deviation is calculated by combining the preset benchmark behavior vector and the set of outliers is extracted. An anomaly trigger signal is generated based on the topological correlation between the set of outliers and the historical trajectory. The threat confidence is calculated based on the anomaly trigger signal and the corresponding potential risk level is determined. Based on the potential risk level and combined with pre-collected device security feature data, a comprehensive detection of the hardware and network environment of the current session is performed to obtain device security status information; If the device security status information indicates that there is an external threat in the session environment, user behavior trajectory data and device operating status parameters are captured and weighted for analysis. After obtaining the real-time credibility score, it is compared with the preset dynamic threshold range to determine the access permission level and generate the corresponding session control command. Responding to the session control command and extracting the real-time trust score, if the real-time trust score is lower than a preset security threshold, the current permission list is reconstructed and the adjusted permission range is determined; Based on the adjusted permission scope, the access control policy in the virtual environment is updated in real time, and the user's subsequent operations are dynamically adapted to the environment to obtain the latest session state information; Based on the latest session state information, continuously monitor user behavior dynamics, identify abnormal behavior fluctuation feature vectors and assess risks. If the risk score exceeds a preset threshold, execute a dynamic permission adjustment strategy to obtain dynamic maintenance results for the overall security of the system.
2. The Azure Virtual Desktop micro-segmentation monitoring method based on a zero trust architecture according to claim 1, characterized in that, Real-time collection of user operation logs in the virtual desktop environment; normalization processing of the user operation logs to obtain structured operation data; extraction of user behavior features; and construction of a behavior baseline model, including: Collect and parse user operation logs in the virtual desktop environment, remove invalid records and normalize fields to obtain structured operation data; The structured operation data is statistically calculated using a time window of preset length to obtain statistics including operation density, keyboard input ratio, and window switching frequency. These statistics are then standardized and sequentially combined into a multidimensional dynamic feature vector. The dynamic feature vectors are input into a pre-established neural network model for unsupervised training to construct a behavioral baseline model.
3. The method of claim 1, wherein the method further comprises: Based on the aforementioned behavioral baseline model, user operation habit data at different time periods are grouped to obtain a preliminary distribution of behavioral patterns, including: The volatility coefficient of user operations is calculated based on the behavioral baseline model, and the operation habit data is divided based on the volatility coefficient to obtain time slices; The K-means clustering algorithm is used to group the operational data within the time slice to form a preliminary distribution of behavioral patterns.
4. The method of claim 1, wherein the method further comprises: Based on the behavioral pattern distribution, the deviation degree is calculated in conjunction with a preset baseline behavioral vector, and an outlier set is extracted. Anomaly trigger signals are generated based on the topological correlation between the outlier set and historical trajectories. Threat confidence is calculated based on the anomaly trigger signals, and the corresponding potential risk level is determined, including: Based on the behavior pattern distribution, the operation command flow of the virtual desktop is mapped to the distribution space, and the discreteness of the operation command flow is calculated to generate a fluctuation feature matrix; Calculate the deviation value between the fluctuation feature matrix and the preset benchmark behavior vector. If the deviation value exceeds the preset deviation threshold, extract the original operation command at the corresponding time and mark it as an outlier set. Analyze the topological correlation between the set of outliers and the historical trajectory. If the topological correlation is lower than a preset connectivity threshold, an anomaly trigger signal is generated. The threat confidence level is calculated in response to the abnormal trigger signal, and the potential risk level of the abnormal behavior is determined based on the threat confidence level.
5. The method of claim 1, wherein the method further comprises: Based on the potential risk level and combined with pre-collected device security feature data, a comprehensive detection of the hardware and network environment of the current session is performed to obtain device security status information, including: In response to the potential risk level, collect the device metadata and network configuration parameters of the current session host to obtain device security feature data; The hardware matching degree is obtained by comparing the device security feature data with a preset trusted device benchmark, and the network compliance status is obtained by parsing the network configuration parameters. An environment snapshot is constructed based on the hardware matching degree and the network compliance status. The environmental snapshot is input into a preset vulnerability feature matching model to identify potential attack paths; A threat score is generated based on the attack path and the potential risk level. If the threat score exceeds a preset security baseline, device security status information is generated.
6. The Azure Virtual Desktop micro-segmentation monitoring method based on a zero trust architecture according to claim 1, characterized in that, If the device security status information indicates that there is an external threat in the session environment, then user behavior trajectory data and device operating status parameters are captured and weighted for analysis. After obtaining a real-time credibility score, it is compared with a preset dynamic threshold range to determine the access permission level and generate corresponding session control instructions, including: In response to the external threat identifier in the device security status information, capture user interaction behavior trajectory data and device operating status parameters, and construct a multi-dimensional feature vector; The multidimensional feature vectors are mapped to a preset risk weight matrix to generate a weighted feature set. The real-time credibility score is obtained by aggregating and analyzing the weighted feature set. The real-time credibility score is compared with a preset dynamic threshold range to determine the access permission level, and a session control instruction is generated based on the access permission level.
7. The method of claim 6, wherein the method further comprises: Responding to the session control command and extracting the real-time trust score, if the real-time trust score is lower than a preset security threshold, the current permission list is reconstructed to determine the adjusted permission range, including: Responding to the session control command and extracting the real-time trust score, if the real-time trust score is lower than a preset security threshold, the risk is marked as controlled. Based on the risk-controlled state, intercept resource access requests and locate active permission items involving sensitive resource identifiers, and re-acquire the least privilege constraint rule that matches the real-time credibility score; The active permission items are verified using the least privilege constraint rule, illegal operation instructions are filtered out, permission stripping instructions and resource degradation configuration parameters are generated, and a set of permissions to be adjusted is constructed. The set of permissions to be adjusted is executed to reconstruct the current permission list and determine the scope of permissions after adjustment.
8. The method of claim 1, wherein the method further comprises: Based on the adjusted permission scope, the access control policy in the virtual environment is updated in real time to dynamically adapt to subsequent user operations and obtain the latest session state information, including: Generate a policy configuration matrix containing the latest constraints based on the adjusted permission scope; Load the policy configuration matrix and parse the second instruction stream generated by subsequent user operations, and extract the runtime context from the second instruction stream; If the runtime context triggers the constraints in the policy configuration matrix, then dynamic environment adaptation processing is performed and session state information is collected to construct a time-series state snapshot; Stability feature analysis is performed on the time-series state snapshot, and the deviation value is calculated. Based on the deviation value, the stability of the system operation is quantified to obtain the latest session state information.
9. The method of claim 1, wherein the method further comprises: Based on the latest session state information, user behavior is continuously monitored, abnormal behavior fluctuation feature vectors are identified and risks are assessed. If the risk score exceeds a preset threshold, a dynamic permission adjustment strategy is executed to obtain the dynamic maintenance results of the overall system security, including: The latest session state information is parsed, the user operation instruction sequence is extracted, and the user operation instruction sequence is mapped to the behavior baseline model for comparison to obtain the behavior deviation value; Based on the stated behavioral deviation values, a time-series fluctuation analysis is performed to generate a behavioral fluctuation feature vector containing multi-dimensional fluctuation attributes; The behavioral fluctuation feature vector is input into the abnormal pattern recognition logic to calculate the real-time risk assessment score. If the real-time risk assessment score exceeds the preset risk score threshold, a dynamic permission adjustment strategy is generated. By executing the dynamic permission adjustment strategy, access control parameters are reset, resulting in dynamic maintenance of the overall system security.
10. An Azure Virtual Desktop micro-segmentation monitoring system based on a zero trust architecture, characterized in that, include: The log collection and baseline modeling module collects user operation logs in the virtual desktop environment in real time, normalizes the user operation logs to obtain structured operation data, extracts user behavior features, and constructs a behavior baseline model. The behavior pattern analysis module, based on the behavior baseline model, groups the user's operation habit data at different time periods to obtain a preliminary behavior pattern distribution. The behavior fluctuation detection module calculates the degree of deviation and extracts the outlier set based on the behavior pattern distribution and a preset baseline behavior vector. It generates an anomaly trigger signal based on the topological correlation between the outlier set and the historical trajectory, calculates the threat confidence level based on the anomaly trigger signal, and determines the corresponding potential risk level. The environmental security monitoring module, based on the potential risk level and combined with pre-collected device security characteristic data, comprehensively detects the hardware and network environment of the current session to obtain device security status information; The credibility assessment and instruction generation module, if the device security status information shows that there is an external threat in the session environment, captures user behavior trajectory data and device operating status parameters and performs weighted analysis, obtains a real-time credibility score and compares it with a preset dynamic threshold range, determines the access permission level and generates the corresponding session control instruction; The dynamic permission adjustment module responds to the session control command and extracts the real-time credibility score. If the real-time credibility score is lower than a preset security threshold, the current permission list is reconstructed to determine the adjusted permission range. The policy update and environment adaptation module updates the access control policy in the virtual environment in real time according to the adjusted permission scope, performs dynamic environment adaptation processing on subsequent user operations, and obtains the latest session state information. The continuous monitoring and maintenance module continuously monitors user behavior dynamics based on the latest session status information, identifies abnormal behavior fluctuation feature vectors and assesses risks. If the risk score exceeds a preset threshold, a dynamic permission adjustment strategy is executed to obtain the dynamic maintenance result of the overall system security.