Network access control system, method, apparatus and device
By using a large language model for asynchronous network access risk assessment, the problems of poor user experience and high hardware requirements in existing technologies are solved. This enables efficient identification of new risks and reduces data processing requirements, thereby improving the security and user experience of the network access control system.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- ALIBABA (CHINA) CO LTD
- Filing Date
- 2026-02-24
- Publication Date
- 2026-06-09
AI Technical Summary
Existing network access control systems cannot simultaneously provide a high level of user experience and the ability to identify new risks, while also having high requirements for equipment hardware and risk assessment data processing capabilities.
A large language model is used for asynchronous network access risk assessment. The network access authentication server obtains behavioral information related to the network access device and the owner of the network access certificate, generates risk assessment task prompts, and uses the large language model for dynamic risk assessment.
Improve user experience, reduce hardware requirements, enhance the ability to identify new risks, and reduce the need for risk assessment data processing capabilities.
Smart Images

Figure CN122179153A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of network security technology, specifically to network access control systems, methods and apparatus, and electronic devices. Background Technology
[0002] In today's highly interconnected digital world, personal and organizational data has become one of the most valuable assets. From online banking and social media to internal organizational systems, everything relies on digital identities and access credentials. These credentials, such as usernames, passwords, digital certificates, or biometric information, are key safeguards for verifying user identity and authorizing access to sensitive resources. Once these credentials are stolen or misused, it can not only lead to the leakage of personal privacy and financial losses, but also have catastrophic consequences for organizations, such as the theft of critical data, production disruptions, reputational damage, and even serious legal and financial liabilities.
[0003] To address increasingly complex credential security threats, current solutions are evolving from simple static password protection to multi-layered, defense-in-depth systems. Specifically, this includes: 1) employing Multi-Factor Authentication (MFA) to increase authentication strength, such as combining passwords, mobile verification codes, and biometrics; simultaneously, using public key infrastructure and digital certificates to ensure encryption of communication channels and authenticity of identity; 2) enhancing the security of credential storage itself by introducing a Trusted Platform Module (TPM) to prevent credential export; and 3) summarizing patterns from numerous known threat cases and providing threat signatures based on these patterns through a complex data engineering approach.
[0004] However, the inventors of this application have found that the existing solutions have at least the following problems: 1. Multi-Factor Authentication (MFA): In some authentication scenarios, due to practical constraints such as operating system limitations, network device limitations, or user experience limitations, such as network access certificate authentication scenarios where the system handles the process, there is no suitable opportunity to initiate the MFA process. Furthermore, it is not advisable to require users to perform excessive MFA authentication while they are moving normally. Therefore, multi-factor authentication schemes suffer from a poor user experience.
[0005] 2. Trusted Platform Module (TPM): Many security solutions choose TPM to build the root of trust, assuming that as long as the root of trust is not breached, credentials are guaranteed to be secure. However, in reality, the variety of device hardware versions often limits the ability to require all devices within a large-scale organization to integrate a TPM module. As long as this exception exists, the system must be compatible with this reasonable production requirement, thus creating some level of risk exposure. Therefore, the Trusted Platform Module (TPM) solution has the problem of high requirements for device hardware.
[0006] 3. Regular Risk Detection Rules: Traditional risk detection relies on summarizing patterns from a large number of known threat cases and processing these patterns through data engineering. However, in dealing with zero-day vulnerabilities, and with hackers today leveraging AI, it's easy to find ways to break through these deterministic rules (defenses) through continuous probing. Building new detection rules is costly and difficult to translate into effective defensive measures in a short time. Inconsistent protocol standards among various security components, as well as different procurement channels and organizational self-developed scenarios, make data exchange difficult. Traditional risk detection relies on powerful data aggregation, processing, and storage capabilities to handle large amounts of scattered unstructured and semi-structured data. Therefore, traditional risk detection suffers from weak new risk identification capabilities and high requirements for risk assessment data processing capabilities.
[0007] In conclusion, how to implement a network access control system that balances a high level of user experience with the ability to identify new risks, and low requirements for equipment hardware and risk assessment data processing capabilities, is an issue that urgently needs to be researched and tackled. Summary of the Invention
[0008] This application provides a network access control system to address the problem that existing technologies cannot simultaneously achieve a high level of user experience and the ability to identify new risks, while also having relatively low requirements for equipment hardware and risk assessment data processing capabilities. This application also provides a network access control method and apparatus, as well as an electronic device.
[0009] This application provides a network access control system, including: The device requesting network access is used to send a network access request to the network access authentication server of the target network. The server is used to authenticate the network access request; if the authentication result is successful, the requesting device is allowed to access the target network; obtain information related to a first network access behavior corresponding to the network access request and information related to a second network access behavior corresponding to the network access credential holder; generate a network access risk assessment task prompt based on the first and second network access behavior information; perform a network access risk assessment on the network access request based on the prompt using the large language model; and control the access of the requesting device to the target network based on the network access risk assessment result.
[0010] Optionally, the server is specifically configured to, if the network access risk assessment result includes suspected risk, send a first verification instruction to the network access credential owner device, receive first verification item information submitted by the network access credential owner device, verify the network access risk assessment result based on the first verification item information and the corresponding information of the requesting network access device, and control the access of the requesting network access device to the target network based on the first verification result; The device that owns the network access certificate is used to receive the first verification instruction and submit the first verification item information to the server.
[0011] Optionally, the server is specifically configured to, if the network access risk assessment result includes suspected risk and the network access credential holder device is suspected of being compromised, send a second verification instruction to network access devices near the network access credential holder device, receive second verification item information submitted by the network access devices, verify the network access risk assessment result based on the second verification item information and the corresponding information of the requesting network access device, and control the access of the requesting network access device to the target network based on the second verification result. A network access device is used to receive the second verification instruction and submit the second verification item information to the server.
[0012] Optional, also includes: The device that owns the network access certificate is used to report information about the device that owns the network access certificate to the server. The server is also used to receive information about the device to which the network access certificate belongs, as relevant information for the second network access behavior.
[0013] This application also provides a network access control method, including: Perform network access authentication on network access requests; If the network access authentication result is successful, then obtain the first network access behavior information corresponding to the network access request and the second network access behavior information corresponding to the network access credential owner; Based on the information related to the first network access behavior and the information related to the second network access behavior, generate a network access risk assessment task prompt for the large language model; Using a large language model, the network access risk assessment is performed on the network access request based on the prompt; Based on the network access risk assessment results, the access of the requesting network access device to the target network is controlled.
[0014] Optionally, the information related to the first network access behavior includes at least one of the following: information of the requesting network access device, and information of the network access device of the requesting network access device; the information of the requesting network access device includes at least one of the following: device identifier, network address, physical location, operating system information, process information, and the logical network area where the device is located; the information of the network access device includes at least one of the following: device identifier, network address, and physical location; the network address includes at least one of the following: MAC address and IP address; the logical network area includes at least one of the following: office network and guest network. The second network access behavior related information includes at least one of the following: information on the device to which the network access certificate belongs, and historical network access behavior information of the network access certificate holder; the historical network access behavior information includes at least one of the following: historical high-frequency network access locations, and recent network access information; the recent network access time includes: recent network access time and recent network access location.
[0015] Optional, also includes: If the network access authentication result is successful, the requesting device is allowed to access the target network.
[0016] Optional, also includes: Obtain information about data query tools; The step of generating network access risk assessment task prompts based on the first network access behavior information and the second network access behavior information includes: Based on the data query tool information, the information related to the first network entry behavior, and the information related to the second network entry behavior, the prompt is generated so that the large language model can call the data query tool based on the data query tool information, and obtain supplementary information related to the first network entry behavior and / or the second network entry behavior based on the information related to the first network entry behavior and / or the second network entry behavior.
[0017] Optional, also includes: Obtain information about data query tools; Obtain the network access user identifier and / or the credential owner user identifier; The step of generating network access risk assessment task prompts based on the first network access behavior information and the second network access behavior information includes: Based on the data query tool information, the information related to the first network access behavior and the information related to the second network access behavior, as well as the network access user identifier and / or the credential-owning user identifier, the prompt is generated so that the large language model can call the data query tool based on the data query tool information, and obtain supplementary information related to the first network access behavior based on the network access user identifier; and / or obtain supplementary information related to the second network access behavior based on the credential-owning user identifier.
[0018] Optional, also includes: Obtain the network access credential identifier; The step of generating network access risk assessment task prompts based on the first network access behavior information and the second network access behavior information includes: Based on the network access credential identifier, the information related to the first network access behavior, and the information related to the second network access behavior, generate a network access risk assessment task prompt for the large language model.
[0019] Optional, also includes: Obtain the network access scenario information of the network access request; Based on the network access scenario information, obtain the network access risk assessment items corresponding to the network access scenario; The step of generating network access risk assessment task prompts based on the first network access behavior information and the second network access behavior information includes: The prompt is generated based on the network access risk assessment items, the information related to the first network access behavior, and the information related to the second network access behavior, so that the large language model can perform network access risk assessment based on the network access risk assessment items.
[0020] Optional, also includes: Based on the network access request, obtain network access scenario information; The step of generating network access risk assessment task prompts based on the first network access behavior information and the second network access behavior information includes: The prompt message is generated based on the network access scenario information, the information related to the first network access behavior, and the information related to the second network access behavior.
[0021] Optional, also includes: Obtain information about data query tools; The step of generating network access risk assessment task prompts based on the first network access behavior information and the second network access behavior information includes: Based on the data query tool information, the information related to the first network access behavior, and the information related to the second network access behavior, the prompt message is generated so that if the large language model fails to perform a network access risk assessment and the large language model assessment stop condition is not met, the data query tool is invoked to obtain supplementary information related to the first network access behavior and / or the second network access behavior; based on the supplementary data, the network access request continues to be assessed for network access risk until the large language model successfully performs the network access risk assessment or the large language model assessment stop condition is met.
[0022] Optional, also includes: If the large language model fails to perform the network access risk assessment and the large language model assessment stop condition is not met, then obtain supplementary information related to the first network access behavior and / or supplementary information related to the second network access behavior. Based on the supplementary information related to the first network access behavior and / or the supplementary information related to the second network access behavior, generate supplementary prompts; Based on the supplementary prompts, the network access request is further assessed using the large language model until the network access risk assessment is successful or the conditions for stopping the large language model assessment are met.
[0023] Optionally, obtaining supplementary information related to the first network access behavior and / or supplementary information related to the second network access behavior includes: Obtain the supplementary data items output by the large language model; Retrieve supplementary information corresponding to the data items to be supplemented.
[0024] Optionally, obtaining supplementary information related to the first network access behavior and / or supplementary information related to the second network access behavior includes: The supplementary information was obtained using a data query tool.
[0025] Optional, also includes: Obtain information on risk assessment report generation tools; The step of generating network access risk assessment task prompts based on the first network access behavior information and the second network access behavior information includes: Based on the risk assessment report generation tool information, the first network access behavior information, and the second network access behavior information, the prompt is generated so that the large language model can call the risk assessment report generation tool to generate a risk assessment report based on the risk assessment report generation tool information and the network access risk assessment results.
[0026] Optional, also includes: The format for obtaining the network access risk assessment results; The step of generating the prompt message based on the risk assessment report generation tool information, the first network access behavior information, and the second network access behavior information includes: Based on the format of the network access risk assessment result, the information of the risk assessment report generation tool, the information related to the first network access behavior, and the information related to the second network access behavior, the prompt is generated so that the large language model can generate the input parameters of the risk assessment report generation tool according to the format and the network access risk assessment result.
[0027] Optional, also includes: Obtain information on risk management tools; The step of generating network access risk assessment task prompts based on the first network access behavior information and the second network access behavior information includes: Based on the risk management tool information, the first network access behavior information, and the second network access behavior information, a network access risk assessment task prompt is generated for the large language model. The prompt is generated so that the large language model can invoke the risk management tool according to the risk management tool information and the risk management measures output by the large language model, and send the target risk management instruction to the target risk management node.
[0028] Optional, also includes: Obtain user behavior information of the user to whom the network access certificate belongs; Based on the user behavior information, obtain the location information of the user to whom the network access certificate belongs; The network access risk assessment results are verified based on the location information of the user to whom the network access certificate belongs and the location information of the device requesting network access.
[0029] This application also provides a network access control method, including: Receive verification instructions sent by the network access authentication server; Send the verification item information to the server.
[0030] Optionally, the method is used for the device to which the network access certificate belongs; the method further includes: reporting the information of the device to which the network access certificate belongs to the server.
[0031] This application also provides a network access control device, including: The network access authentication unit is used to authenticate network access requests. The network access behavior related information acquisition unit is used to acquire, if the network access authentication result is successful, the first network access behavior related information corresponding to the network access request and the second network access behavior related information corresponding to the network access certificate owner; The prompt generation unit is used to generate prompts for the network access risk assessment task based on the information related to the first network access behavior and the information related to the second network access behavior. The large language model evaluation unit is used to perform a network access risk assessment on the network access request based on the prompts using a large language model. The control unit is used to control the access of the requesting network access device to the target network based on the network access risk assessment results.
[0032] This application also provides a network access control device, including: The verification instruction receiving unit is used to receive verification instructions sent by the network access authentication server; The verification item information sending unit is used to send verification item information to the server.
[0033] This application provides an electronic device, including: Processor; and A memory for storing a program for implementing the method described in any of the preceding methods, wherein the device is powered on and the program of the method is executed by the processor.
[0034] This application also provides a computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform the various methods described above.
[0035] This application also provides a computer program product including instructions that, when run on a computer, cause the computer to perform the various methods described above.
[0036] Compared with the prior art, this application has the following advantages: The network access control system provided in this application embodiment sends a network access request from a requesting network access device to the network access authentication server of the target network; the server performs network access authentication on the request; if the authentication result is successful, the requesting network access device is allowed to access the target network; it obtains first network access behavior related information corresponding to the network access request and second network access behavior related information corresponding to the network access credential holder; it generates a network access risk assessment task prompt based on a large language model based on the first and second network access behavior related information; it performs a network access risk assessment on the request based on the prompt based on the large language model; and it controls the access of the requesting network access device to the target network based on the network access risk assessment result. This processing method allows for an immediate network access authentication using network access credentials, ensuring basic security levels are met; then, an asynchronous network access risk assessment based on a large language model is triggered. The network access behavior related information relied upon by the large language model for risk assessment is variable data, making the network access risk assessment based on the large language model a dynamic risk assessment. Therefore, it has the following beneficial effects: 1. Improve user experience: The large language model can recognize the normal movement of the network access certificate holder without generating alarms. This way, when the network access certificate holder moves normally, the user will not be required to perform multi-factor authentication. 2. Balancing high user experience with target network data security: After the network access request is authenticated based on the network access credential, the requesting device is allowed to access the target network until the subsequent asynchronous network access risk assessment based on the large language model detects a network access risk. In this way, the requesting device is allowed to access the target network for a short period of time within the risk range that the target network can accept. 3. Reduce hardware requirements for network access credential ownership devices: Asynchronous network access risk assessment is performed using a large language model, eliminating the need for TPM installation on network access credential ownership devices, thus making the device hardware version unrestricted; 4. Enhance the ability to identify new risks: As an intelligent agent, the large language model can not only identify existing types of network entry risks, but also new types of network entry risks. It does not require building and updating risk detection rules based on a large number of known threat cases and feature engineering, thus effectively improving the ability to identify new risks. 5. Reduced data processing requirements for risk assessment systems: Since there is no need to build and update risk detection rules, there is no need to rely on summarizing patterns from a large number of known threat cases, nor is there a need to process features through data engineering. This effectively reduces the data processing requirements for risk assessment systems. Attached Figure Description
[0037] Figure 1 This is a schematic diagram of device interaction in an embodiment of the network access control system provided in this application; Figure 2 This is a schematic diagram of specific device interactions of an embodiment of the network access control system provided in this application; Figure 3 This is another specific device interaction diagram of an embodiment of the network access control system provided in this application; Figure 4 This is a flowchart illustrating an embodiment of the network access control method provided in this application. Detailed Implementation
[0038] Many specific details are set forth in the following description to provide a full understanding of this application. However, this application can be implemented in many other ways different from those described herein, and those skilled in the art can make similar extensions without departing from the spirit of this application; therefore, this application is not limited to the specific embodiments disclosed below.
[0039] This application provides a network access control system, method, and apparatus, as well as an electronic device. The various solutions are described in detail below in each embodiment.
[0040] First Embodiment Please refer to Figure 1 This is a schematic diagram of device interaction in a network access control system provided in an embodiment of this application. In this embodiment, the system includes: a network access authentication server for the target network, and a device requesting network access.
[0041] A requesting device sends a network access request to the network access authentication server of the target network. The server performs network access authentication on the request. If the authentication result is successful, the requesting device is allowed to access the target network. The system acquires first network access behavior information corresponding to the request and second network access behavior information corresponding to the network access credential holder. Based on the first and second network access behavior information, it generates a network access risk assessment task prompt using a large language model. The system then performs a network access risk assessment on the request based on the prompt using the large language model. Finally, it controls the requesting device's access to the target network based on the network access risk assessment result.
[0042] A network access credential is a "passport" that allows a device to legally access a target network. In practical applications, a network access credential can be a network access certificate issued by the target network to the device, a user account and password assigned by the target network to employees, or a whitelist of Media Access Control Addresses (MAC addresses) that are allowed to access the target network, and so on. In specific implementations, MAC whitelists can be used on some Internet of Things (IoT) devices. By selectively whitelisting the MAC addresses of IoT devices, they can be allowed to access the network. For example, if an IoT device cannot install a network access authentication client (corresponding to a network access authentication server), it can be allowed to access the network by selectively whitelisting its MAC address.
[0043] The requesting device for network access could be the device that owns the network access certificate or the device of the person who stole the certificate. Taking a certificate-based network access scenario as an example, the network authentication process can be managed by the operating system. Once the certificate is stolen, it means the thief can impersonate the victim to enter the target network, thus exposing the target network system or data. The target network's network access authentication server performs network access authentication on the requesting device based on the network access certificate. If the authentication result is successful, the requesting device is allowed to access the target network; if the authentication result is unsuccessful, access is denied. This approach allows the network access authentication server to perform an immediate authentication based on the network access certificate, granting access upon successful authentication. This ensures basic security while meeting user requirements for authentication latency, thereby improving the user experience.
[0044] From the user's perspective on network access experience, there are certain requirements regarding authentication latency. Under normal circumstances, regardless of technical or application scenario limitations, simple factor verification, such as account authorization and necessary risk checks, can be performed during actual authentication to achieve a fast response. Considering limitations such as operating system, network equipment, and stability, custom parameters are typically not directly extended into the authentication protocol.
[0045] The server-side authentication of network access requests based on network access credentials is a rule-based, one-time authentication, belonging to static risk assessment. For example, a network access request from a device might include a user account and password. If the user account exists and the password is correct, the authentication result is successful. Another example is a network access request from a device that includes its MAC address. If the device's MAC address is on a MAC whitelist and the device's location is a preset location, the authentication result is successful. Yet another example is a device initiating a network access request to the server based on its network access certificate.
[0046] After an instant network access authentication is successful, the network access authentication server also obtains information related to a first network access behavior corresponding to the network access request and information related to a second network access behavior corresponding to the network access credential holder. Based on the information related to the first and second network access behaviors, it generates a network access risk assessment task prompt based on a large language model. Then, using the large language model, it performs a network access risk assessment on the network access request based on the prompt. This processing method allows the network access authentication server to asynchronously trigger a network access risk assessment based on a large language model (LLM) after an instant network access authentication is successful. This achieves enhanced decision-making by integrating a large language model into the existing expert experience rule-based decision-making process for network access risk assessment.
[0047] It should be noted that in practical applications, after successful instant network access authentication, the network access authentication server can also simultaneously trigger a risk assessment process based on a large language model. Specifically, after successful authentication based on the network access credential, access to the target network is not immediately granted to the requesting device. Instead, it first obtains information related to the first network access behavior corresponding to the request and information related to the second network access behavior corresponding to the credential holder. Based on these two information sets, a network access risk assessment task prompt using the large language model is generated. The network access risk is then assessed based on the prompt using the large language model. Finally, based on the network access risk assessment result, access to the target network by the request is controlled. This approach effectively improves the security of access to the target network.
[0048] Network access behavior-related information includes, but is not limited to, at least one of the following: device information (such as device identifier, device type, and other device hardware and software information), device status information (such as device physical location, device operating system, device processes, device MAC address, and other variable device status information), and device historical network access behavior information (such as the most recent network access time and location). Since the device requesting network access may belong to the device holding the network access credential or to the device of the credential thief, the device requesting network access using the same credential may change. Furthermore, the device status and historical network access behavior of the same device may change at different times. Therefore, compared to the network access credential, which remains unchanged after issuance, network access behavior-related information is variable information.
[0049] In this embodiment, the large language model performs a network access risk assessment by comparing the first network access behavior information corresponding to the network access request with the second network access behavior information corresponding to the network access credential holder. The assessment evaluates whether the network access behavior of the requesting device is consistent with the network access behavior of the network access credential holder (device / account). If the network access behaviors are consistent, the network access risk assessment result can be no risk; if the network access behaviors are inconsistent, the network access risk assessment result may be risky, potentially risky, or a specific risk type. Since the network access credential is immutable information, while the network access behavior information is variable information, the risk assessment based on network access behavior information performed by the large model is a dynamic risk assessment compared to the static risk assessment based on the network access credential performed by the network access authentication server.
[0050] As an intelligent agent, the large language model can identify not only existing types of network access risks but also new types, effectively improving the ability to identify new risks. This allows for decisions based on existing expert experience rules to ensure basic security levels meet requirements and guarantee user experience, while also significantly improving the accuracy of risk detection. Furthermore, the large language model is an AI model trained on massive amounts of text data, capable of understanding and generating text similar to human language. Prompts are instructions or questions given to the large language model to guide it in generating specific responses or performing specific tasks. The network access behavior information processed by the large language model can come from various components (such as different protocol standards, different procurement channels, and organization-developed security components) in different formats, thereby effectively reducing the data processing capabilities required by the risk assessment system.
[0051] The information related to the first network access behavior corresponding to the network access request includes, but is not limited to, at least one of the following: information about the requesting device and information about the network access device of the requesting device. The information about the requesting device includes, but is not limited to, at least one of the following: device identifier (e.g., motherboard serial number), device type (e.g., graphics processing unit (GPU), central processing unit (CPU), etc.), network address, physical location, operating system information, process information, and the logical network area where the device is located. The network address includes, but is not limited to, at least one of the following: MAC address, IP address; the operating system information includes, but is not limited to, at least one of the following: operating system type, operating system version; the logical network area includes, but is not limited to, at least one of the following: office network, guest network. The information about the network access device includes, but is not limited to, at least one of the following: device identifier, network address, physical location. For example, if the network access device is a wireless access point (AP), the AP's network address is its MAC address; if the network access device is a switch, the switch's network address is its IP address. In addition, the information related to the first network access behavior may also include the network access authentication time.
[0052] In practice, some data related to the first network access behavior can be obtained from the network access authentication event. An authentication event, also known as a network event, refers to the event that processes the network access request sent by the requesting device. The authentication event may include information about the network access credential (such as the network access certificate serial number, user account, etc.), the authentication time, and may also include network identifiers (such as the MAC address and IP address of the requesting device, and the name, MAC address, and IP address of the network access device), etc. Based on the information of the network access credential, it is possible to associate it with the device or user account to which the credential belongs. The name of the network access device of the requesting device can serve as a source of location information for the requesting device; that is, the location information of the requesting device can be determined based on the name of the network access device.
[0053] In practice, the server can capture authentication events through Network Access Control (NAC). NAC ensures that only compliant and trusted devices can access network resources by enforcing preset security policies when a device requests network access.
[0054] In one example, the network access device requesting network access is a wireless access point (AP). The device connects to the AP to achieve network access. An AP is a device that creates a Wireless Local Area Network (WLAN), and it is a network access device belonging to the target network. A wireless LAN refers to a local area network that uses radio frequency technology to construct a network using radio waves instead of traditional cables.
[0055] The information related to the second network access behavior corresponding to the party owning the network access credential includes, but is not limited to, at least one of the following: information about the device owning the network access credential, and historical network access behavior information of the party owning the network access credential. For example, the information related to the second network access behavior includes information about the device owning the network access credential and the information reporting time; or the information related to the second network access behavior includes historical network access behavior information of the party owning the network access credential; or the information related to the second network access behavior includes information about the device owning the network access credential, the information reporting time, and historical network access behavior information of the party owning the network access credential. The information about the device owning the network access credential includes, but is not limited to, at least one of the following: device identifier, device type, network address, physical location, operating system information, process information, and the logical network area where the device is located. Historical network access behavior information includes, but is not limited to, at least one of the following: historical high-frequency network access locations, and recent network access information; the recent network access time includes, but is not limited to, recent network access time and recent network access location. The MAC address of the device owning the credential can be used as a trusted fingerprint of the device owning the credential, the IP address can be used as a source of location information for the device owning the credential, and the operating system type and version can be used as a fingerprint of the device owning the credential. In specific implementation, after the network access authentication is passed, the server can retrieve the information related to the second network access behavior through the context module.
[0056] Please refer to Figure 2 This is a schematic diagram illustrating the specific device interaction of the network access control system provided in this application embodiment. In one example, the system may further include: a network access credential attribution device, used to report information about the network access credential attribution device to the server. Correspondingly, the server is also used to receive the information about the network access credential attribution device as information related to the second network access behavior. This processing method allows for the reporting of richer information related to the second network access behavior through the network access credential attribution device, enabling the large language model to obtain more accurate network access risk assessment results.
[0057] In practice, the device that owns the network access credential can periodically or according to the server's requirements report its information to the server. The server can store the reporting time and the information of the device that owns the network access credential. The device that owns the network access credential can install a network access authentication client and keep it running in the background through process keep-alive, periodically reporting its information to the server through the network access authentication client.
[0058] The aforementioned information related to the first and second network entry behaviors are the data items relied upon by the large language model for risk assessment. In practical applications, the sources of this network entry behavior information are quite diverse, potentially originating from application databases, threat information, user behavior, and user device environments. In specific implementations, a unified data query service can be provided through a single encapsulation layer. The server can then use this service to efficiently retrieve the data items required for risk assessment.
[0059] In one example, the network access scenario is a MAC address whitelist access scenario. When adding a MAC address to the MAC address whitelist, the access location of the MAC address needs to be specified, such as specifying the access location of MAC address A as meeting room 302 on the 3rd floor of Zone C. The network access authentication of the request can be implemented as follows: determine the physical location of the requesting device and the physical location in the MAC address whitelist. Secondly, network access behavior related information may include the historical network access information of the MAC address. Using this processing method, during network access authentication, it is necessary to query whether the access location of the requesting device is consistent with the location specified in the MAC address whitelist application, and whether the historical network access traffic of the MAC address is consistent with the baseline of the current network access request behavior information to determine whether there is any risk.
[0060] In one example, the server is also used to obtain data query tool information. The step of generating a network access risk assessment task prompt for the large language model based on the first network access behavior information and the second network access behavior information can be implemented as follows: The prompt is generated based on the data query tool information, the first network access behavior information, and the second network access behavior information, so that the large language model can invoke the data query tool based on the data query tool information. Through the data query tool, supplementary information related to the first network access behavior information and / or the second network access behavior information can be obtained. For example, the first network access behavior information includes the IP address or logical region of the requesting network access device, and the data query tool includes a location query tool based on the IP address or logical region. This data query tool can be used to obtain the physical location of the requesting network access device as supplementary information to the first network access behavior information. In specific implementations, the data query tool can be a standalone program or a data query interface API. For example, the data query interface includes interfaces for querying geographic location information corresponding to IP addresses, such as `query_geo(ip: str):`, which returns geographic location information; and interfaces for querying detailed information about wireless access points (APs) corresponding to MAC addresses, such as `query_ap_info(mac:str):`, which returns detailed AP information, and so on. This approach allows the large language model to obtain richer network access behavior information from existing data query tools. This enables the large language model to perform network access risk assessment based on more comprehensive network access behavior information, thus effectively improving the success rate and accuracy of network access risk assessment.
[0061] In one example, the server is also used to obtain data query tool information; obtain the network access user identifier and / or the credential ownership user identifier; the step of generating a network access risk assessment task prompt for the large language model based on the first network access behavior related information and the second network access behavior related information can be implemented in the following way: The prompt is generated based on the data query tool information, the first network access behavior related information, the second network access behavior related information, and at least one of the network access user identifier and the credential ownership user identifier, so that the large language model can call the data query tool based on the data query tool information to obtain supplementary information related to the first network access behavior based on the network access user identifier; and / or, obtain supplementary information related to the second network access behavior based on the credential ownership user identifier. Using this processing method, the large language model can obtain richer network access behavior related information through the data query tool based on at least one of the credential ownership user identifier and the network access user identifier, thus enabling the large language model to obtain more accurate network access risk assessment results.
[0062] For example, data query tools include trusted device query tools based on employee ID numbers. These tools can be used to obtain the identifier of the device requesting network access based on the employee identifier (user identifier), serving as supplementary information for the first network access behavior. They can also be used to obtain the identifier of the device to which the network access certificate belongs based on the user identifier to which the certificate belongs, serving as supplementary information for the second network access behavior.
[0063] For example, data query tools include attendance information query tools based on employee ID numbers. Through these tools, the attendance information of the user who owns the network access credential can be obtained based on the user identifier, serving as supplementary information for the second network access behavior. The large language model can determine the location of the user who owns the network access credential based on this supplementary information. Based on the user's location and the location corresponding to the network access request, it can be determined whether there is impossible travel. For example, if the device owned by the network access credential is lent to someone else while the user is in another city, the behavior of requesting the network access device is clearly inconsistent with the behavior of the user who owns the network access credential, indicating that there is a risk in the network access request.
[0064] For example, the data query tool includes historical network access authentication information based on employee ID. This tool can retrieve the historical network access authentication information of the user to whom the network access credential belongs, based on the user identifier, as supplementary information to the second network access behavior. The large language model can determine whether the network access request has network access risk based on the historical network access authentication information of the user to whom the network access credential belongs and the current network access authentication information of the network access request. This processing method allows the large language model to assess the risk of the current network access request based on the historical authentication information of the legitimate user of the network access credential. During the assessment, it can determine whether the authentication behavior of the requesting network access device (authentication time, location, device posture) conforms to the historical authentication habits of the legitimate user corresponding to the network access credential.
[0065] In practical implementation, the data query interface includes a data query interface for obtaining user historical authentication information. The large language model can obtain user historical authentication information based on the data query interface for obtaining user historical authentication information included in the prompt, the user identifier, and at least one of the following: the identifier of the device to which the network access certificate belongs, the MAC address of the device to which the network access certificate belongs, the start time, and the end time. This processing method can obtain more effective historical authentication information; therefore, it can further improve the accuracy of the large language model's risk assessment.
[0066] In one example, the server is also used to obtain the network access credential identifier; the step of generating a network access risk assessment task prompt for the large language model based on the first network access behavior information and the second network access behavior information includes: generating a network access risk assessment task prompt for the large language model based on the network access credential identifier, the first network access behavior information, and the second network access behavior information. This processing method allows the large language model to perform network access risk assessment based on the network access credential identifier, such as performing credential validity checks, i.e., checking whether the credential is valid or has been revoked; therefore, it can effectively improve the comprehensiveness of network access risk assessment based on the large language model.
[0067] In one example, the server is also used to obtain network access scenario information of the network access request; based on the network access scenario information, obtain network access risk assessment items corresponding to the network access scenario; the step of generating a network access risk assessment task prompt based on the first network access behavior related information and the second network access behavior related information includes: generating the prompt based on the network access risk assessment items, the first network access behavior related information, and the second network access behavior related information. In specific implementation, different network access risk assessment items can be configured for different network access authentication scenarios according to actual needs. This processing method enables different items (assessment principles) to be used for network access risk assessment in different network access authentication scenarios; therefore, it can effectively improve the flexibility of risk assessment for different scenarios.
[0068] In practical applications, there can be various network access scenarios, which can be combinations of multiple dimensions of information. In one example, a network access scenario is a combination of three dimensions: Dimension 1. Whether the terminal to which the network access credential belongs has a network access authentication client (corresponding to the network access authentication server). This client can be a client that manages the device's access to the target network; Dimension 2. Network access method, which can be wireless or wired. For example, if the requesting device accesses the network through a wireless access point, it is wireless network access; if the requesting device accesses the network through a network cable, it is wired network access; Dimension 3. Credential type, which can be a network access certificate, user account / password, MAC address whitelist, etc. For example, a network access scenario could be a device with a client accessing the network wirelessly based on a network access certificate, a device with a client accessing the network wirelessly based on an account and password, or a device without a client accessing the network wirelessly based on a MAC address, and so on.
[0069] Different network access scenarios can correspond to different network access risk assessment items. In practice, multiple correspondences between network access scenarios and network access risk assessment items can be set; based on these multiple correspondences, the network access risk assessment items for the network access scenario corresponding to the network access request can be obtained. This approach allows the large language model to evaluate different network access risk assessment items for network access behaviors in different network access scenarios; therefore, it can effectively improve the accuracy of network access risk assessment.
[0070] In one example, the network access scenario is as follows: the terminal owning the network access credential has a secure client, and the corresponding network access risk assessment items include: strong consistency verification. Strong consistency verification can include at least one of the following: end-to-end fingerprint (e.g., MAC address) cross-verification, device hardware fingerprint verification, and impossible travel detection. End-to-end fingerprint cross-verification can be performed to check if the MAC address of the requesting network access device exists in the MAC address list of the network access credential owning device; if not, the network access risk assessment result may include: man-in-the-middle attack or unauthorized routing. Device hardware fingerprint verification can be performed to compare the identifier (e.g., umid) of the network access credential owning device with the registered device records under the name of the employee accessing the network; it can also check if the device identifier (baseline) of the network access credential owning terminal is consistent with the registered device identifier of the current user accessing the network; if they are inconsistent, the network access risk assessment result may include: certificate theft or illegal account borrowing. Impossible travel detection can be performed to calculate the physical movement speed of the device between the network access authentication time corresponding to the network access request and the most recent network access time of the network access credential owning device; if an abnormal speed is found (e.g., crossing cities in 5 minutes), it can be determined as risky or suspected risky.
[0071] In network access scenarios where the terminal to which the network access certificate belongs has a secure client, the network access risk assessment items may also include: proactively verifying the device to which the network access certificate belongs; proactively verifying the device to which the network access certificate belongs may include at least one of the following: hardware integrity verification and location verification.
[0072] Location verification refers to verifying the physical location of the device that owns the network access certificate and the physical location of the device requesting network access. For example, impossible travel detection can be combined with location verification. If abnormal speed is detected (e.g., crossing a city in 5 minutes), it should not be directly judged as an attack, as this may be a misjudgment caused by incorrect location information configuration on the network side (e.g., the location of the wireless access point AP has not been updated). In specific implementation, the large language model can return a "location verification" suggestion. The network access authentication client of the device owning the network access certificate reports the actual physical location (e.g., GPS) or surrounding environment information of the device to verify the "impossible travel" network access risk assessment result given by the large language model. If the physical location of the device owning the network access certificate is basically consistent with the physical location of the device requesting network access, then it can be determined that "impossible travel" is a misjudgment.
[0073] Hardware integrity verification can be performed if it is suspected that the device requesting network access has committed fingerprint forgery (such as frequent MAC address changes). In this case, the large language model can return a "hardware integrity verification" suggestion, sign the network card through the network access authentication client of the device to which the network access certificate belongs, report the MAC address signature data, and the server performs signature verification on the network card.
[0074] In another example, the network access scenario is: the terminal to which the network access credential belongs has no secure client. The corresponding network access risk assessment items include: defensive verification and correlation analysis. Defensive verification may include at least one of the following: location / time verification, vendor verification; correlation analysis may include: cross-dimensional correlation. Location / time verification can check whether the MAC address used by the requesting network access device is allowed to access the network in the logical network area (such as a guest network) and time period corresponding to the network access request when the network access credential is a MAC address. For example, IoT devices usually access the network at a fixed location. Vendor verification can check whether the MAC address prefix (OUI) of the requesting network access device is consistent with the expected device type. For example, a device of brand A should not have a network card vendor number of brand B. If the requesting network access device is a device of brand A, but its network access MAC address corresponds to a network card vendor number of brand B, then the requesting network access device may have forged a MAC address. Cross-dimensional association can be achieved by using a data query tool to query the application layer access record (SSO) corresponding to the user account when the network access credential is a user account. This allows the user to check whether the account has application layer access records from different physical locations within the same time period. If the network access requested by the network access device is in location A, but the SSO login IP shows location B, then the network access risk assessment result includes high risk.
[0075] In one example, the server is further configured to obtain network access scenario information based on the network access request; the step of generating a network access risk assessment task prompt for the large language model based on the first network access behavior related information and the second network access behavior related information includes: generating the prompt based on the network access scenario information, the first network access behavior related information, and the second network access behavior related information. This processing method allows the large language model to automatically determine network access risk assessment items based on the network access scenario information; therefore, it can effectively improve the performance of network access risk assessment.
[0076] In practical implementation, any existing large language model can be selected to perform dynamic network access risk assessment. In one example, the server is also used to obtain network access scenario information based on the network access request; obtain the large oracle model corresponding to the network access scenario based on the network access scenario information; and perform dynamic network access risk assessment through the large oracle model corresponding to the network access scenario. In practical implementation, a correspondence between network access scenarios and large oracle models can be set; based on this correspondence, the large oracle model corresponding to the network access scenario can be obtained. This approach abstracts the large language model to support dynamic switching of the base large language model under different application scenarios and high availability requirements, thereby avoiding excessive dependence on a single large language model. In addition to improving risk detection and mitigation accuracy, it also improves the overall high availability of the system.
[0077] In one example, the server is also used to obtain data query tool information; the step of generating a network access risk assessment task prompt for the large language model based on the first network access behavior related information and the second network access behavior related information includes: generating the prompt based on the data query tool information, the first network access behavior related information, and the second network access behavior related information, so that if the large language model fails to perform network access risk assessment and the large language model assessment stop condition is not met, then based on the data query tool information, the data query tool is invoked to obtain supplementary information on the first network access behavior related information and / or supplementary information on the second network access behavior related information; based on the supplementary data, the network access request continues to be assessed for network access risk until the large language model successfully performs network access risk assessment or the large language model assessment stop condition is met.
[0078] In practice, the large language model's network access risk assessment may succeed or fail based on the prompts. If the assessment fails, and the large language model's assessment stop condition is not met, the large language model can use a data query tool to obtain supplementary data about the network access risk assessment environment. Based on this supplementary data, the network access request is reassessed. This assessment process can be repeated until the large language model successfully completes the network access risk assessment or the assessment stop condition is met. Successful network access risk assessment means the large language model obtains a network access risk assessment result, such as a risk score of 82 or a medium risk level. In practice, the large language model's assessment stop condition can be set according to actual needs, such as an upper limit on the number of assessments. This approach allows the large language model to continuously obtain supplementary information through data query tools and conduct network access risk assessments based on this information even when the network access risk assessment fails and the stop condition is not met; therefore, it can effectively improve the success rate of network access risk assessment based on the large language model.
[0079] In another example, the server is further configured to, if the large language model fails to perform network access risk assessment and the large language model assessment stop condition is not met, obtain supplementary information related to the first network access behavior and / or the second network access behavior; generate supplementary prompts based on the supplementary information related to the first and / or second network access behavior; and continue to perform network access risk assessment on the network access request through the large language model, based on the supplementary prompts, until the large language model successfully performs network access risk assessment or the large language model assessment stop condition is met. This processing method allows the server to continuously obtain supplementary information and generate supplementary prompts when it detects that the network access risk assessment through the large language model has failed and the large language model stop condition is not met, and then call the large language model again to perform network access risk assessment. This process can be repeated until the large language model successfully performs network access risk assessment or the large language model assessment stop condition is met; therefore, it can effectively improve the success rate of network access risk assessment based on the large language model.
[0080] In specific implementation, the server-side execution of obtaining supplementary information related to the first network access behavior and / or the second network access behavior can be achieved in the following way: obtaining the supplementary data items output by the large language model; obtaining the supplementary information corresponding to the supplementary data items. Specifically, the server-side can obtain the supplementary information through a data query tool. Specifically, the server-side can call the aforementioned data query interface to obtain the supplementary data. This processing method ensures that the large language model outputs supplementary data items, and the server-side provides corresponding supplementary information to the large language model based on these supplementary data items; therefore, it can effectively improve the success rate of network access risk assessment based on the large language model.
[0081] In one example, the server is also used to obtain information about the risk assessment report generation tool. The step of generating a network access risk assessment task prompt for the large language model based on the first network access behavior information and the second network access behavior information includes: generating the prompt based on the risk assessment report generation tool information, the first network access behavior information, and the second network access behavior information, so that the large language model can call the risk assessment report generation tool based on the risk assessment report generation tool information and the network access risk assessment results to generate a risk assessment report. This processing method allows the large language model to use the risk assessment report generation tool information to call the risk assessment report generation tool to automatically generate a risk assessment report based on the network access risk assessment results output by the large language model; therefore, it can effectively improve the generation efficiency of risk assessment reports, thereby improving the user experience.
[0082] The large language model performs a network access risk assessment based on the prompts and outputs the assessment results. These results include, but are not limited to, at least one of the following: risk score, risk level, risk summary, risk evidence, presence or absence of a client, risk mitigation measures, and whether verification of the risk assessment results is recommended. In specific implementations, if the assessment results include a recommendation to verify the risk assessment results, then the assessment results may also include, but are not limited to, at least one of the following: verification items and verification reasons. The risk score is a score obtained after assessing the risk of the network access request. It can be an integer from 0 to 100, or a score range, such as [0-30 low score], [31-70 medium score], [71-100 high score]. The risk summary is a brief description of the network access risk, such as a risk summary indicating fingerprint cross-verification failure and concurrent use. Risk evidence refers to evidence that yields a risk summary, such as a mismatch between the MAC address (AA:...) of the network side (the requesting device) and the MAC address (BB:...) of the endpoint side (the device to which the access certificate belongs) at 12:30; or authentication failures detected at 12:30 (Shanghai) and 12:00 (Beijing), constituting an impossible trip. Risk mitigation measures are recommendations for risk mitigation output by the large language model, such as immediately isolating the device (the requesting device) or revoking the certificate. Timely disabling or revoking of certificates will effectively reduce the probability of subsequent intrusion risks. This approach enables continuous enhancement of risk detection and response capabilities through the large language model in the face of increasingly complex credential security threats. It also completes a closed-loop lifecycle from risk detection to risk mitigation and ultimately risk summary by linking existing risk detection and response measures. Leveraging the risk analysis capabilities of the large language model, applied to all stages of risk detection, response, and summary, risks are quickly converged to an acceptable range.
[0083] In one example, the server is also used to obtain the format of the network access risk assessment result; generating the prompt based on the risk assessment report generation tool information, the first network access behavior related information, and the second network access behavior related information includes: generating the prompt based on the format of the network access risk assessment result, the risk assessment report generation tool information, the first network access behavior related information, and the second network access behavior related information, so that the large language model can generate input parameters for the risk assessment report generation tool based on the format and the network access risk assessment result. In specific implementation, the format of the network access risk assessment result can adopt a structured format such as JSON. This processing method can standardize the format of the input parameters of the risk assessment report generation tool and automatically generate input parameters that conform to the format of the risk assessment report generation tool; therefore, it can effectively improve the standardization of the network access risk assessment procedure and the efficiency of the risk assessment report generation tool, thereby improving the stability of the network access risk assessment.
[0084] In one example, the server is also used to obtain risk management tool information. The step of generating a network access risk assessment task prompt for the large language model based on the first network access behavior information and the second network access behavior information includes: generating the network access risk assessment task prompt for the large language model based on the risk management tool information, the first network access behavior information, and the second network access behavior information; generating the prompt so that the large language model, based on the risk management tool information and the risk management measures output by the large language model, invokes the risk management tool to send a target risk management instruction to the target risk management node. The input parameters of the risk management tool include: the target risk management node and the target risk management method. This processing method enables the large language model to use the risk management tool information to invoke the risk management tool, and to send risk management instructions to the corresponding risk management node based on the risk management measures output by the large language model; therefore, it can effectively improve risk management efficiency.
[0085] In one example, when processing the network access request, the network access authentication server can obtain the network access credential identifier (such as the network access certificate serial number, user account, etc.), the MAC address and IP address of the requesting network access device, and the network access device of the requesting network access device (such as the MAC address and IP address of a wireless access point AP or a wired access device). The prompt in the large language model may include the following data: the MAC address and IP address of the requesting network access device, the MAC address and IP address of the network access device, and the network access credential identifier. The large language model is associated with a complete set of information maintained by the network access authentication server, which revolves around the device and the device's owner account (i.e., the person), including user behavior information, for final evaluation.
[0086] The above explains how the large language model performs dynamic network access risk assessment based on network access behavior information. After obtaining the network access risk assessment result through the large language model, the access of the requesting network access device to the target network can be controlled according to the assessment result. For example, if the network access risk assessment result is risky, the requesting network access device will be removed from the target network; if the network access risk assessment result is risk-free, the requesting network access device will be allowed to continue accessing the target network. This processing method allows the network access authentication server to asynchronously trigger another dynamic network access risk assessment based on the large language model after quickly returning the authentication result. If the network access risk assessment result based on the large language model is risky, the requesting network access device's access to the target network will be terminated. This achieves the goal of allowing the requesting network access device to access the target network for a short period of time, within the risk range acceptable to the target network.
[0087] In implementing the system provided in this application, the applicant also discovered the following problems: Whether it's rule-based judgments built using data engineering and expert experience, or detection algorithms built through vertical fields such as behavior detection, few considerations are given to avoiding the risk of system jitter. A large number of false interceptions due to errors in data collection, production, or rule configuration can disrupt production.
[0088] Please refer to Figure 3 This is another specific device interaction diagram of the network access control system provided in this application embodiment. In one example, controlling the access of the requesting network access device to the target network based on the network access risk assessment result may include the following processing steps: if the network access risk assessment result includes suspected risk, a first verification instruction is sent to the network access credential owner device, and the first verification item information submitted by the network access credential owner device is received; the network access risk assessment result is verified based on the first verification item information and the corresponding information of the requesting network access device; and the access of the requesting network access device to the target network is controlled based on the first verification result. Accordingly, the network access credential owner device is used to receive the first verification instruction and submit the first verification item information to the server. The first verification item includes, but is not limited to: device physical location, device fingerprint (such as MAC address, operating system type, etc.), etc. Taking the physical location of the device as the first verification item as an example, after obtaining the risk assessment results output by the large language model, the server can further initiate a location challenge to the device to which the network access certificate belongs. This involves comparing the current location of the device to which the certificate belongs with the current location of the requesting device to verify the network access risk assessment results from the large language model. In practice, the device to which the certificate belongs can install a network access authentication client and keep it running in the background via process keep-alive, responding to verification commands issued by the control plane of the network access authentication server. This approach integrates the large language model as an enhanced decision-making mechanism on top of existing expert experience and rule-based decision-making. Furthermore, by introducing a post-verification mechanism, the network access risk assessment results from the large language model are verified, avoiding potential compliance fluctuations caused by excessive intervention by the large language model or its own inherent illusions. In this way, while ensuring user experience and the accuracy of risk detection, the security level of the certificate is continuously enhanced.
[0089] For example, a potentially risky situation is when the large language model identifies an abnormal movement speed of the requesting network access device relative to the device to which the network access certificate belongs. For instance, if the device to which the network access certificate belongs is located in Beijing at 12:05, but the requesting network access device is located in Hangzhou at 12:10, with only a 5-minute interval between the two locations, this is obviously an impossible journey. In this case, the network access risk assessment results output by the large language model can be verified. The first verification item includes the physical location of the device to which the network access certificate belongs, to prevent misjudgment by the large language model due to incorrect location configuration of the network access device connected to the terminal device (system jitter).
[0090] For example, a potentially risky situation is when the large language model identifies frequent changes in the MAC address of the requesting device, suggesting possible device fingerprint forgery. In this case, the first verification item could be the MAC address. The device to which the network access certificate belongs can sign and encrypt the MAC address based on the random number and certificate issued by the server. The server can then verify whether the frequent changes in the MAC address of the requesting device constitute device fingerprint forgery based on the MAC address uploaded by the device to which the network access certificate belongs.
[0091] In practice, the server can send a first verification command to the device that owns the network access certificate via an out-of-band control channel. Data transmission between the requesting network access device and the server occurs through a data channel. The authentication link of this data channel includes a first network access device. The out-of-band control channel is a trusted data transmission channel different from the data channel, and its authentication link includes a second network access device. Both the first and second network access devices can be network access devices belonging to the target network. This approach prevents the requesting network access device from forging the location information of the device that owns the network access certificate; therefore, it can further improve the accuracy of risk assessment.
[0092] In practice, the first verification instruction includes a random string. The device submitting the network access certificate can encrypt the first verification item information of the device according to the random string and submit the encrypted first verification item information to the server. This processing method can prevent the first verification item information of the device receiving the network access certificate from being tampered with, thereby ensuring the accuracy of the first verification item information of the device receiving the network access certificate from the server.
[0093] For example, a device currently gaining network access by stealing a certificate (the requesting device) is using an AP located at XX in Hangzhou. If the large language model suspects that the current authentication request did not originate from the device that owns the certificate (the certificate registration device), it can initiate a challenge (verification) on the first verification item (such as device fingerprint and physical location) to the original device (the certificate registration device) through an out-of-band control channel. The challenge will use credentials and private keys held solely by the device (the certificate registration device) independent of the network access certificate to issue a random string and require the challenge item (the first verification item) to be distributed to devices with the network access authentication client installed, requiring them to use their trusted credentials to sign and respond to the corresponding challenge item (the first verification item).
[0094] In one example, the server is specifically configured to, if the network access risk assessment result includes suspected risk and the device to which the network access credential belongs is suspected of being compromised, send a second verification instruction to network access devices near the device to which the network access credential belongs, receive second verification item information submitted by the network access devices, verify the network access risk assessment result based on the second verification item information and the corresponding information of the requesting network access device, and control the access of the requesting network access device to the target network based on the second verification result. The network access devices are configured to receive the second verification instruction and submit the second verification item information to the server. The network access devices can be network access devices near the device to which the network access credential belongs, such as wireless access points. The second verification item can correspond to the first verification item and includes, but is not limited to, the physical location of the device, the model and brand of the connectable terminal devices, etc. Taking location verification as an example, after obtaining the risk assessment results output by the large language model, the server can further initiate a location challenge to the network access device of the device to which the access credential belongs. The location of the network access device is usually consistent with the location of the device to which the access credential belongs. The current location of the network access device is compared with the current location of the device requesting access, thus verifying the access risk assessment results of the large language model. This approach integrates the large language model as an enhanced decision-making mechanism on top of existing expert experience rules. Simultaneously, by introducing a post-verification mechanism, the access risk assessment results of the large language model are verified. Even if the device to which the access credential belongs is compromised, the first verification item information of the access credential's owner can still be determined by checking the network access devices surrounding the access credential's owner. For example, if the network access devices surrounding the access credential's owner are in Beijing, it means that the access credential's owner is in Beijing, not in another city. In this way, while ensuring user experience and the accuracy of risk detection, the security level of the credential can be continuously enhanced, further improving the accuracy of risk assessment and avoiding the impact of inaccurate assessments by the large language model. Furthermore, this approach allows for the verification of the network access risk assessment results of the large language model even if the certificate registration device is completely compromised, through the network access device connected to it.
[0095] In practice, a multi-layered verification response, including the device to which the network access certificate belongs and the network access device it is connected to, can be used to jointly confirm whether the current authentication device originated from the expected device.
[0096] In one example, the server is specifically configured to, if the network access risk assessment result includes a suspected intrusion of the network access credential's owner device, send a device intrusion verification instruction to the owner device and receive device intrusion verification item information submitted by the owner device; determine whether the owner device has been intruded based on the device intrusion verification item information; if the determination result indicates that the owner device has been intruded, send a second verification instruction to network access devices surrounding the owner device; the owner device receives the device integrity verification instruction and submits the device integrity verification item information to the server. Device intrusion verification items include, but are not limited to: MAC address, device fingerprint (such as device identifier, operating system version and name, etc.), IP address, etc. This approach ensures that after the network access risk assessment results indicate that the device to which the network access certificate belongs has been suspected of being compromised, the system first checks whether the device has actually been compromised. If the verification result confirms that the device has been compromised, a second verification command is sent to the network access devices surrounding the device to which the network access certificate belongs. If the verification result indicates that the device has not been compromised, then only the device to which the network access certificate belongs needs to be verified, without needing to verify the surrounding network access devices. Therefore, this approach can effectively improve verification performance.
[0097] In one example, the server also obtains user behavior information of the user to whom the access credential belongs, such as user attendance information, like access control card swipe information for the day; based on the user behavior information, it obtains the location information of the user to whom the access credential belongs; and based on the location information of the user to whom the access credential belongs and the location information of the requesting access device, it verifies the access risk assessment result of the large language model. This approach ensures that even if the access credential-owning device and its connected network access devices are both compromised, the user's location can still be determined by combining the user behavior information of the user to whom the access credential belongs, to determine whether the access behavior corresponding to the access request matches expectations, thereby verifying the access risk assessment result of the large language model. By integrating the large language model as an enhanced decision-making mechanism on the basis of existing expert experience rules, and by introducing a post-verification mechanism, the security level of the credential is continuously enhanced while ensuring user experience and the accuracy of risk detection.
[0098] It should be noted that the above challenge (verification) processing performed by the server is optional. If the existence of risk can be confirmed based on some simple static rules, or the large language model can clearly indicate that the probability of risk is high, or the risk handling itself has little impact, the corresponding handling can be issued directly without the need for the first and second verifications.
[0099] Below is an example of a prompt from a large language model, which may include the following four parts: 1. Role You are a high-level cybersecurity analytics agent responsible for performing network access risk assessments based on stolen access credentials. Your task is to simulate a senior security architect and conduct continuous adaptive risk assessments of network access requests. You will analyze network access behavior and cross-validate multi-source data (authentication logs, endpoint reports, network events) to identify whether access credentials have been stolen, copied, or used on non-compliant devices.
[0100] 2. Evaluation Items The analysis is based on the following security principles: Assessment Item 1. Identity Verification: Is the network access credential valid? Assessment Item 2. Device Verification: Whether the device using the network access certificate is trustworthy and has been registered. Evaluation Item 3. Context Awareness: Does the network access authentication behavior (time, location, device posture) conform to the user's historical limits? 3. Evaluation Reference Data Reference data 1. ${Current authentication information} Reference data 2. Network access behavior information, using a JSON structure, includes the following fields (the meaning of each field is provided in the comments). Json { "CertSN": "String, certificate serial number", "employeeNo": "String, user identifier (employee number)", "umid": "String, the identifier of the device to which the certificate belongs (reported by the network access authentication client of the device to which the certificate belongs)", "device": { "currentDeviceNAC": { / / Request authentication events captured by the Network Access Control (NAC) of the inbound device. "time": "String, authentication time (YYYY-MM-DD HH:MM:SS)", "deviceMAC": "String, the MAC address of the device displayed on the network", "apMAC": "String, the MAC address of the network access device (AP)", "apName": "String, AP name (key location information source)" }, "certAssociatedDeviceNet":[ / / Device status reported by the client of the device to which the certificate belongs] { "time": "string, log report time", "interfaceMAC": "String, network interface MAC address (trusted fingerprint)", "interfaceName": "String, network interface name", "publicIp": "String, public IP address (key location information source)", "osType": "String, operating system type (key fingerprint)", "osVersion": "String, operating system version (key fingerprint)" } / / May contain multiple history records ] }, / / Other fields } 4. Available tools Tool 1.query_geo(ip: str): Returns geolocation information.
[0101] Tool 2. query_ap_info(mac: str): Returns detailed AP information.
[0102] Tool 3. query_device_info(employeeNo: str, umid: str, mac: str): Returns detailed device information.
[0103] Tool 4. query_nac_log(emplNo: str, umid: str, mac: str, start: date, end: date): Return to historical authentication records.
[0104] Tool 5.disposal(target: str, type: str, extend_info: Str): Requires the relevant node to respond and handle the request.
[0105] Tool 6. finish_analysis(summary: str): Ends the analysis and submits the final conclusion.
[0106] 5. Evaluation Result Format Please call the tool 'finish_analysis(summary: str)' to end the task. The parameter 'summary' is a string containing a structured JSON string, formatted as follows: Json { "riskScore": "Risk score, an integer from 0 to 100. [0-30 Low], [31-70 Medium], [71-100 High]" "reason": A brief summary of the risks. For example: fingerprint cross-verification failed and concurrent use occurred. "evidence": [ Describe specific evidence. For example: The network-side MAC address and the endpoint-side MAC address do not match at 12:30.
[0107] "For example: finding authentication at 12:30 (Shanghai) and 12:00 (Beijing) constitutes an impossible trip." ], "recommendation": "Suggested actions. For example: immediately isolate the equipment, revoke the certificate." } As can be seen from the above embodiments, the network access control system provided in this application sends a network access request from a requesting network access device to the network access authentication server of the target network; the server performs network access authentication on the network access request; if the network access authentication result is successful, the requesting network access device is allowed to access the target network; it obtains first network access behavior related information corresponding to the network access request and second network access behavior related information corresponding to the network access credential holder; it generates a network access risk assessment task prompt based on the first network access behavior related information and the second network access behavior related information; it performs a network access risk assessment on the network access request based on the prompt using the large language model; and it controls the access of the requesting network access device to the target network based on the network access risk assessment result. This approach first performs an immediate network access authentication using network access credentials; successful authentication grants network access, ensuring a basic security level is met. Then, an asynchronous network access risk assessment based on a large language model is triggered. Since the network access behavior information relied upon by the large language model for risk assessment is variable data, this dynamic risk assessment offers the following advantages: 1. Improve user experience: The large language model can recognize the normal movement of the network access certificate holder without generating alarms. This way, when the network access certificate holder moves normally, the user will not be required to perform multi-factor authentication. 2. Balancing high user experience with target network data security: After the network access request is authenticated based on the network access credential, the requesting device is allowed to access the target network until the subsequent asynchronous network access risk assessment based on the large language model detects a network access risk. In this way, the requesting device is allowed to access the target network for a short period of time within the risk range that the target network can accept. 3. Reduce hardware requirements for network access credential ownership devices: Asynchronous network access risk assessment is performed using a large language model, eliminating the need for TPM installation on network access credential ownership devices, thus making the device hardware version unrestricted; 4. Enhance the ability to identify new risks: As an intelligent agent, the large language model can not only identify existing types of network entry risks, but also new types of network entry risks. It does not require building and updating risk detection rules based on a large number of known threat cases and feature engineering, thus effectively improving the ability to identify new risks. 5. Reduced data processing requirements for risk assessment systems: Since there is no need to build and update risk detection rules, there is no need to rely on summarizing patterns from a large number of known threat cases, nor is there a need to process features through data engineering. This effectively reduces the data processing requirements for risk assessment systems.
[0108] Second Embodiment In the above embodiments, a network access control system is provided. Correspondingly, this application also provides a network access control method for a server. This method corresponds to the embodiments of the above system, so its description is relatively simple; relevant details can be found in the descriptions of the system embodiments. The method embodiments described below are merely illustrative.
[0109] Please refer to Figure 4 This is a flowchart illustrating the network access control method provided in this embodiment. The network access control method of this embodiment includes the following steps: Step S401: Perform network access authentication on the network access request.
[0110] Step S403: If the network access authentication result is successful, then obtain the first network access behavior information corresponding to the network access request and the second network access behavior information corresponding to the network access credential owner.
[0111] In one example, before obtaining the first network access behavior information corresponding to the network access request and the second network access behavior information corresponding to the network access credential holder, the method provided in this application embodiment may further include the following steps: allowing the requesting network access device to access the target network. This processing method ensures that if the network access authentication result is successful, the requesting network access device is allowed to access the target network; and that the first network access behavior information corresponding to the network access request and the second network access behavior information corresponding to the network access credential holder are obtained.
[0112] The first network access behavior related information includes at least one of the following: information about the requesting network access device, and information about the network access device of the requesting network access device; the information about the requesting network access device includes at least one of the following: device identifier, network address, physical location, operating system information, process information, and the logical network area where the device is located; the information about the network access device includes at least one of the following: device identifier, network address, and physical location; the network address includes at least one of the following: MAC address and IP address; the logical network area includes at least one of the following: office network and visitor network. The second network access behavior related information includes at least one of the following: information about the device to which the network access certificate belongs, and historical network access behavior information of the network access certificate holder; the historical network access behavior information includes at least one of the following: historical high-frequency network access locations and recent network access information; the recent network access time includes: recent network access time and recent network access location.
[0113] Step S405: Based on the information related to the first network access behavior and the information related to the second network access behavior, generate a network access risk assessment task prompt for the large language model.
[0114] Step S407: Using a large language model, perform a network access risk assessment on the network access request based on the prompt.
[0115] In one example, the method provided in this application embodiment may further include the following steps: obtaining data query tool information; step S405 may be implemented as follows: generating the prompt based on the data query tool information, the first network access behavior related information, and the second network access behavior related information, so that the large language model calls the data query tool based on the data query tool information, so as to obtain supplementary information of the first network access behavior related information and / or the second network access behavior related information through the data query tool, based on the first network access behavior related information and / or the second network access behavior related information; and performing a network access risk assessment on the network access request based on the first network access behavior related information, the second network access behavior related information, and the supplementary information of the first network access behavior related information and / or the second network access behavior related information.
[0116] In one example, the method provided in this application embodiment may further include the following steps: obtaining data query tool information; obtaining the network access user identifier and / or the credential-owning user identifier; step S405 may be implemented as follows: generating the prompt based on the data query tool information, the first network access behavior related information and the second network access behavior related information, and the network access user identifier and / or the credential-owning user identifier, so that the large language model calls the data query tool based on the data query tool information, so as to obtain supplementary information of the first network access behavior related information based on the network access user identifier through the data query tool; and / or, obtain supplementary information of the second network access behavior related information based on the credential-owning user identifier; and perform a network access risk assessment on the network access request based on the first network access behavior related information and the second network access behavior related information, and the supplementary information of the first network access behavior related information and / or the supplementary information of the second network access behavior related information.
[0117] In one example, the method provided in this application embodiment may further include the following steps: obtaining the network access credential identifier; step S405 may be implemented in the following manner: generating a network access risk assessment task prompt for a large language model based on the network access credential identifier, the first network access behavior related information and the second network access behavior related information, so that the large language model performs a network access risk assessment on the network access request based on the network access credential identifier, the first network access behavior related information and the second network access behavior related information.
[0118] In one example, the method provided in this application embodiment may further include the following steps: obtaining network access scenario information of the network access request; obtaining network access risk assessment items corresponding to the network access scenario based on the network access scenario information; step S405 may be implemented in the following way: generating the prompt based on the network access risk assessment items, the first network access behavior related information and the second network access behavior related information, so that the large language model performs network access risk assessment based on the network access risk assessment items.
[0119] In one example, the method provided in this application embodiment may further include the following steps: obtaining network access scenario information according to the network access request; step S405 may be implemented in the following manner: generating the prompt message according to the network access scenario information, the first network access behavior related information and the second network access behavior related information.
[0120] In one example, the method provided in this application embodiment may further include the following steps: obtaining data query tool information; step S405 may be implemented in the following manner: generating the prompt message based on the data query tool information, the first network access behavior related information, and the second network access behavior related information, so that if the large language model fails to perform network access risk assessment and the large language model assessment stop condition is not met, the data query tool is invoked based on the data query tool information to obtain supplementary information on the first network access behavior related information and / or supplementary information on the second network access behavior related information; the network access risk assessment of the network access request continues based on the supplementary data until the large language model successfully performs network access risk assessment or the large language model assessment stop condition is met.
[0121] In one example, the method provided in this application embodiment may further include the following steps: if the large language model fails to perform network access risk assessment and the large language model assessment stop condition is not met, then obtain supplementary information related to the first network access behavior and / or supplementary information related to the second network access behavior; generate a supplementary prompt based on the supplementary information related to the first network access behavior and / or the supplementary information related to the second network access behavior; and continue to perform network access risk assessment on the network access request through the large language model based on the supplementary prompt until the large language model successfully performs network access risk assessment or the large language model assessment stop condition is met.
[0122] In one example, obtaining supplementary information related to the first network access behavior and / or the second network access behavior includes: obtaining supplementary data items output by the large language model; and obtaining supplementary information corresponding to the supplementary data items.
[0123] In one example, obtaining supplementary information related to the first network access behavior and / or the second network access behavior includes obtaining the supplementary information through a data query tool.
[0124] In one example, the method provided in this application embodiment may further include the following steps: obtaining risk assessment report generation tool information; step S405 may be implemented in the following manner: generating the prompt based on the risk assessment report generation tool information, the first network access behavior related information and the second network access behavior related information, so that the large language model calls the risk assessment report generation tool based on the risk assessment report generation tool information and the network access risk assessment result to generate a risk assessment report.
[0125] In one example, the method provided in this application embodiment may further include the following steps: obtaining the format of the network access risk assessment result; step S405 may be implemented in the following manner: generating the prompt according to the format of the network access risk assessment result, the information of the risk assessment report generation tool, the information related to the first network access behavior and the information related to the second network access behavior, so that the large language model generates the input parameters of the risk assessment report generation tool according to the format and the network access risk assessment result.
[0126] In one example, the method provided in this application embodiment may further include the following steps: obtaining risk management tool information; step S405 may be implemented in the following manner: generating a network access risk assessment task prompt for a large language model based on the risk management tool information, the first network access behavior related information and the second network access behavior related information, generating the prompt so that the large language model can call the risk management tool based on the risk management tool information and the risk management measures output by the large language model, so as to send the target risk management instruction to the target risk management node.
[0127] Step S409: Based on the network access risk assessment results, control the access of the requesting network access device to the target network.
[0128] In one example, the method provided in this application embodiment may further include the following steps: obtaining user behavior information of the user to whom the network access certificate belongs; obtaining location information of the user to whom the network access certificate belongs based on the user behavior information; and verifying the network access risk assessment result based on the location information of the user to whom the network access certificate belongs and the location information of the requesting network access device.
[0129] Third Embodiment In the above embodiments, a network access control method is provided. Correspondingly, this application also provides a network access control device. This device corresponds to the embodiments of the method described above. Since the device embodiments are basically similar to the method embodiments, the description is relatively simple, and relevant parts can be referred to in the description of the method embodiments. The device embodiments described below are merely illustrative.
[0130] This application also provides a network access control device, including: a network access authentication unit, a network access behavior related information acquisition unit, a prompt generation unit, a large language model evaluation unit, and a control unit.
[0131] The system includes: a network access authentication unit for authenticating network access requests; a network access behavior-related information acquisition unit for acquiring, if the network access authentication result is successful, first network access behavior-related information corresponding to the network access request and second network access behavior-related information corresponding to the network access credential holder; a prompt generation unit for generating a network access risk assessment task prompt based on the first and second network access behavior-related information; a large language model evaluation unit for performing a network access risk assessment on the network access request using the large language model and the prompt; and a control unit for controlling the access of the requesting network access device to the target network based on the network access risk assessment result.
[0132] In one example, the apparatus provided in this application embodiment may further include: if the network access authentication unit determines that the network access authentication result is successful, it activates the network access unit. The network access unit is used to allow the requesting network access device to access the target network.
[0133] In one example, the apparatus provided in this application embodiment may further include: a data query tool information acquisition unit, used to acquire data query tool information; and a prompt generation unit, specifically used to generate the prompt based on the data query tool information, the first network access behavior related information, and the second network access behavior related information, so that the large language model can invoke the data query tool based on the data query tool information, and obtain supplementary information related to the first network access behavior and / or the second network access behavior related information through the data query tool, based on the first network access behavior related information and / or the second network access behavior related information; and perform a network access risk assessment on the network access request based on the first network access behavior related information, the second network access behavior related information, and the supplementary information related to the first network access behavior and / or the second network access behavior related information.
[0134] In one example, the apparatus provided in this application embodiment may further include: a data query tool information acquisition unit, used to acquire data query tool information; a user identifier acquisition unit, used to acquire an access user identifier and / or a credential-owned user identifier; and a prompt generation unit, specifically used to generate the prompt based on the data query tool information, the first access behavior related information, the second access behavior related information, and the access user identifier and / or the credential-owned user identifier, so that the large language model can invoke the data query tool based on the data query tool information, and obtain supplementary information related to the first access behavior based on the access user identifier; and / or obtain supplementary information related to the second access behavior based on the credential-owned user identifier; and perform an access risk assessment on the access request based on the first access behavior related information, the second access behavior related information, and the supplementary information related to the first access behavior and / or the supplementary information related to the second access behavior.
[0135] In one example, the apparatus provided in this application embodiment may further include: a credential identifier acquisition unit, used to acquire an access credential identifier; and a prompt generation unit, specifically used to generate an access risk assessment task prompt for a large language model based on the access credential identifier, the first access behavior related information, and the second access behavior related information, so that the large language model can perform an access risk assessment on the access request based on the access credential identifier, the first access behavior related information, and the second access behavior related information.
[0136] In one example, the apparatus provided in this application embodiment may further include: a scenario information acquisition unit, used to acquire network access scenario information of the network access request; a risk assessment item acquisition unit, used to acquire network access risk assessment items corresponding to the network access scenario based on the network access scenario information; and a prompt generation unit, specifically used to generate the prompt based on the network access risk assessment items, the first network access behavior related information, and the second network access behavior related information, so that the large language model performs network access risk assessment based on the network access risk assessment items.
[0137] In one example, the apparatus provided in this application embodiment may further include: a scene information acquisition unit, configured to acquire network access scene information according to the network access request; and a prompt generation unit, specifically configured to generate the prompt based on the network access scene information, the first network access behavior related information, and the second network access behavior related information.
[0138] In one example, the apparatus provided in this application embodiment may further include: a data query tool information acquisition unit, used to acquire data query tool information; and a prompt generation unit, specifically used to generate the prompt based on the data query tool information, the first network access behavior related information, and the second network access behavior related information, so that if the large language model fails to perform network access risk assessment and the large language model assessment stop condition is not met, it will call the data query tool based on the data query tool information to obtain supplementary information on the first network access behavior related information and / or supplementary information on the second network access behavior related information; and continue to perform network access risk assessment on the network access request based on the supplementary data until the large language model successfully performs network access risk assessment or the large language model assessment stop condition is met.
[0139] In one example, the apparatus provided in this application embodiment may further include: a supplementary information acquisition unit, configured to acquire supplementary information related to the first network access behavior and / or supplementary information related to the second network access behavior if the large language model fails to perform network access risk assessment and the large language model assessment stop condition is not met; a supplementary prompt generation unit, configured to generate a supplementary prompt based on the supplementary information related to the first network access behavior and / or the supplementary information related to the second network access behavior; and a large language model continued assessment unit, configured to continue to perform network access risk assessment on the network access request through the large language model based on the supplementary prompt, until the large language model successfully performs network access risk assessment or the large language model assessment stop condition is met.
[0140] In one example, the supplementary information acquisition unit is specifically used to acquire the supplementary data items output by the large language model; and to acquire the supplementary information corresponding to the supplementary data items.
[0141] In one example, the supplementary information acquisition unit is specifically used to acquire the supplementary information through a data query tool.
[0142] In one example, the apparatus provided in this application embodiment may further include: a report generation tool information acquisition unit, used to acquire risk assessment report generation tool information; and a prompt generation unit, specifically used to generate the prompt based on the risk assessment report generation tool information, the first network access behavior related information, and the second network access behavior related information, so that the large language model can call the risk assessment report generation tool based on the risk assessment report generation tool information and the network access risk assessment result to generate a risk assessment report.
[0143] In one example, the apparatus provided in this application embodiment may further include: an assessment result format acquisition unit, used to acquire the format of the network access risk assessment result; and a prompt generation unit, specifically used to generate the prompt based on the format of the network access risk assessment result, the risk assessment report generation tool information, the first network access behavior related information, and the second network access behavior related information, so that the large language model generates input parameters for the risk assessment report generation tool based on the format and the network access risk assessment result.
[0144] In one example, the apparatus provided in this application embodiment may further include: a risk management tool information acquisition unit, used to acquire risk management tool information; and a prompt generation unit, specifically used to generate a network access risk assessment task prompt for a large language model based on the risk management tool information, the first network access behavior related information, and the second network access behavior related information, so that the large language model can invoke the risk management tool based on the risk management tool information and the risk management measures output by the large language model, so as to send a target risk management instruction to the target risk management node.
[0145] In one example, the apparatus provided in this application embodiment may further include: a user behavior information acquisition unit, used to acquire user behavior information of the user to whom the network access certificate belongs; a user location determination unit, used to acquire location information of the user to whom the network access certificate belongs based on the user behavior information; and an evaluation result verification unit, used to verify the network access risk assessment result based on the location information of the user to whom the network access certificate belongs and the location information of the requesting network access device.
[0146] Fourth embodiment In the above embodiments, a network access control system is provided. Correspondingly, this application also provides a network access control method. This method corresponds to the embodiments of the above system, so it is described simply. For relevant details, please refer to the descriptions of the system embodiments. The method embodiments described below are merely illustrative.
[0147] The network access control method of this embodiment includes the following steps: Step 1: Receive the verification command sent by the network access authentication server.
[0148] Step 2: Send the verification item information to the server.
[0149] In one example, the method is used for the device to which the network access certificate belongs, the verification instruction is the first verification instruction, and the verification item information is the first verification item information.
[0150] In another example, the method is used for a network access device, the verification instruction is a second verification instruction, and the verification item information is second verification item information.
[0151] In one example, the method is used for the device to which the network access certificate belongs; the method may further include the following steps: reporting the information of the device to which the network access certificate belongs to the server.
[0152] Fifth Embodiment In the above embodiments, a network access control method is provided. Correspondingly, this application also provides a network access control device. This device corresponds to the embodiments of the method described above. Since the device embodiments are basically similar to the method embodiments, the description is relatively simple, and relevant parts can be referred to in the description of the method embodiments. The device embodiments described below are merely illustrative.
[0153] This application also provides a network access control device, including: a verification instruction receiving unit and a verification item information sending unit. The verification instruction receiving unit is used to receive verification instructions sent by a network access authentication server. The verification item information sending unit is used to send verification item information to the server.
[0154] In one example, the device is used for the network access certificate attribution device, the verification instruction is the first verification instruction, and the verification item information is the first verification item information.
[0155] In another example, the device is used as a network access device, the verification instruction is a second verification instruction, and the verification item information is a second verification item information.
[0156] In one example, the device is used for the device to which the network access certificate belongs; the device may further include: a device information sending unit, used to report information about the device to which the network access certificate belongs to the server.
[0157] In one example, the Sixth Embodiment In the above embodiments, a network access control method is provided. Correspondingly, this application also provides an electronic device. This device corresponds to the embodiments of the above method. Since the device embodiments are basically similar to the method embodiments, the description is relatively simple, and relevant details can be found in the description of the method embodiments. The device embodiments described below are merely illustrative.
[0158] The electronic device of this embodiment includes: a memory and a processor; the memory is used to store a program for implementing the network access control method, and the device is powered on and runs the program of the network access control method through the processor.
[0159] Memory can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic storage, flash memory, magnetic disk or optical disk.
[0160] In specific implementations, the electronic device may further include one or more of the following components: a power supply component, an input / output (I / O) interface, and a communication component. The power supply component provides power to various components of the electronic device. The power supply component may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power to the electronic device. The I / O interface provides an interface between the processor 503 and peripheral interface modules, which may be a keyboard, click wheel, buttons, etc. The communication component is configured to facilitate wired or wireless communication between the electronic device and user devices (such as smartphones, tablets, etc.).
[0161] Seventh Embodiment This application also provides a computer-readable storage medium. Since the embodiments of the computer-readable storage medium are substantially similar to the method embodiments, the description is relatively simple; relevant details can be found in the description of the method embodiments. The computer-readable storage medium embodiments described below are merely illustrative.
[0162] In this embodiment, a non-transitory computer-readable storage medium including instructions is provided, such as a memory including instructions, which can be executed by a processor of an electronic device to complete the network access control method provided in this disclosure. For example, the non-transitory computer-readable storage medium may be a ROM, random access memory (RAM), CD-ROM, magnetic tape, floppy disk, and optical data storage device, etc.
[0163] It should be noted that the embodiments of this application may involve the use of user data. In practical applications, user-specific personal data may be used in the scheme described herein within the scope permitted by applicable laws and regulations, provided that it complies with the applicable laws and regulations of the country (e.g., with the user's explicit consent, with the user being properly notified, etc.).
[0164] Although this application discloses preferred embodiments as described above, it is not intended to limit this application. Any person skilled in the art can make possible changes and modifications without departing from the spirit and scope of this application. Therefore, the scope of protection of this application should be determined by the scope defined in the claims of this application.
[0165] In a typical configuration, a computing device includes one or more processors (CPUs), input / output interfaces, network interfaces, and memory.
[0166] Memory may include non-persistent storage in computer-readable media, such as random access memory (RAM) and / or non-volatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of computer-readable media.
[0167] 1. Computer-readable media includes both permanent and non-permanent, removable and non-removable media that can store information by any method or technology. Information can be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile optical disc (DVD) or other optical storage, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transferable medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media does not include non-transitory computer-readable media, such as modulated data signals and carrier waves.
[0168] 2. Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
Claims
1. A network access control system, characterized by, include: The device requesting network access is used to send a network access request to the network access authentication server of the target network. The server is used to perform network access authentication on the network access request; If the network access authentication result is successful, the requesting network access device is allowed to access the target network; obtain the first network access behavior related information corresponding to the network access request and the second network access behavior related information corresponding to the network access credential holder; generate a network access risk assessment task prompt for the large language model based on the first network access behavior related information and the second network access behavior related information. Using a large language model, a network access risk assessment is performed on the network access request based on the prompt; based on the network access risk assessment result, the access of the requesting network access device to the target network is controlled.
2. The system according to claim 1, characterized in that, The server is specifically configured to, if the network access risk assessment result includes suspected risk, send a first verification instruction to the network access credential owner device, receive first verification item information submitted by the network access credential owner device, verify the network access risk assessment result based on the first verification item information and the corresponding information of the requesting network access device, and control the access of the requesting network access device to the target network based on the first verification result. The device that owns the network access certificate is used to receive the first verification instruction; Submit the first verification item information to the server.
3. A network access control method characterized by, include: Perform network access authentication on network access requests; If the network access authentication result is successful, then obtain the first network access behavior information corresponding to the network access request and the second network access behavior information corresponding to the network access credential owner; Based on the information related to the first network access behavior and the information related to the second network access behavior, generate a network access risk assessment task prompt for the large language model; Using a large language model, the network access risk assessment is performed on the network access request based on the prompt; Based on the network access risk assessment results, the access of the requesting network access device to the target network is controlled.
4. The method of claim 3, wherein, Also includes: Obtain information about data query tools; The step of generating network access risk assessment task prompts based on the first network access behavior information and the second network access behavior information includes: Based on the data query tool information, the information related to the first network entry behavior, and the information related to the second network entry behavior, the prompt is generated so that the large language model can call the data query tool based on the data query tool information, and obtain supplementary information related to the first network entry behavior and / or the second network entry behavior based on the information related to the first network entry behavior and / or the second network entry behavior.
5. The method according to claim 3, characterized in that, Also includes: Obtain information about data query tools; Obtain the network access user identifier and / or the credential owner user identifier; The step of generating network access risk assessment task prompts based on the first network access behavior information and the second network access behavior information includes: Based on the data query tool information, the information related to the first network access behavior and the information related to the second network access behavior, as well as the network access user identifier and / or the credential owner user identifier, the prompt is generated so that the large language model can call the data query tool based on the data query tool information, and obtain supplementary information related to the first network access behavior based on the network access user identifier through the data query tool. And / or, based on the user identifier to which the credential belongs, obtain supplementary information related to the second network access behavior.
6. The method according to claim 3, characterized in that, Also includes: Obtain the network access scenario information of the network access request; Based on the network access scenario information, obtain the network access risk assessment items corresponding to the network access scenario; The step of generating network access risk assessment task prompts based on the first network access behavior information and the second network access behavior information includes: The prompt is generated based on the network access risk assessment items, the information related to the first network access behavior, and the information related to the second network access behavior, so that the large language model can perform network access risk assessment based on the network access risk assessment items.
7. The method according to claim 3, characterized in that, Also includes: Obtain information about data query tools; The step of generating network access risk assessment task prompts based on the first network access behavior information and the second network access behavior information includes: Based on the data query tool information, the information related to the first network access behavior, and the information related to the second network access behavior, the prompt message is generated so that if the large language model fails to perform a network access risk assessment and the large language model assessment stop condition is not met, the data query tool is invoked to obtain supplementary information related to the first network access behavior and / or the second network access behavior; based on the supplementary data, the network access request continues to be assessed for network access risk until the large language model successfully performs the network access risk assessment or the large language model assessment stop condition is met.
8. The method according to claim 3, characterized in that, Also includes: Obtain information on risk assessment report generation tools; The step of generating network access risk assessment task prompts based on the first network access behavior information and the second network access behavior information includes: Based on the risk assessment report generation tool information, the first network access behavior information, and the second network access behavior information, the prompt is generated so that the large language model can call the risk assessment report generation tool to generate a risk assessment report based on the risk assessment report generation tool information and the network access risk assessment results.
9. The method according to claim 3, characterized in that, Also includes: Obtain information on risk management tools; The step of generating network access risk assessment task prompts based on the first network access behavior information and the second network access behavior information includes: Based on the risk management tool information, the first network access behavior information, and the second network access behavior information, a network access risk assessment task prompt is generated for the large language model. The prompt is generated so that the large language model can invoke the risk management tool according to the risk management tool information and the risk management measures output by the large language model, and send the target risk management instruction to the target risk management node.
10. The method according to claim 3, characterized in that, Also includes: Obtain user behavior information of the user to whom the network access certificate belongs; Based on the user behavior information, obtain the location information of the user to whom the network access certificate belongs; The network access risk assessment results are verified based on the location information of the user to whom the network access certificate belongs and the location information of the device requesting network access.
11. A network access control method, characterized in that, include: Receive verification instructions sent by the network access authentication server; Send the verification item information to the server.
12. A network access control device, characterized in that, include: The network access authentication unit is used to authenticate network access requests. The network access behavior related information acquisition unit is used to acquire, if the network access authentication result is successful, the first network access behavior related information corresponding to the network access request and the second network access behavior related information corresponding to the network access certificate owner; The prompt generation unit is used to generate prompts for the network access risk assessment task based on the information related to the first network access behavior and the information related to the second network access behavior. The large language model evaluation unit is used to perform a network access risk assessment on the network access request based on the prompts using a large language model. The control unit is used to control the access of the requesting network access device to the target network based on the network access risk assessment results.
13. A network access control device, characterized in that, include: The verification instruction receiving unit is used to receive verification instructions sent by the network access authentication server; The verification item information sending unit is used to send verification item information to the server.
14. An electronic device, characterized in that, include: processor; as well as A memory for storing a program for implementing the method according to any one of claims 3 to 11, wherein the device is powered on and the program for running the method is executed by the processor.