Intelligent access control management system for network perimeter protection

By combining real-time threat intelligence and business context, the intelligent access control management system automatically generates access control policies, solving the problems of dynamic adaptability and management efficiency in traditional network access control, and achieving efficient and intelligent network boundary protection.

CN122268640APending Publication Date: 2026-06-23SHENZHEN LIHE XINNUO TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
SHENZHEN LIHE XINNUO TECH CO LTD
Filing Date
2026-04-01
Publication Date
2026-06-23

Smart Images

  • Figure CN122268640A_ABST
    Figure CN122268640A_ABST
Patent Text Reader

Abstract

This application provides an intelligent access control management system for network boundary protection, relating to the field of access control management technology. By connecting a threat intelligence and behavior analysis module, this application no longer relies on static rules but dynamically adjusts access control policies based on real-time threat intelligence and traffic anomaly detection results. This enhances the protection capabilities against unknown threats, zero-day vulnerabilities, and internal abnormal behavior, and shortens threat response time. Furthermore, by introducing a business context-aware module, this application can deeply understand the business attributes of network traffic, allowing policy formulation and execution to extend beyond the network layer to the business layer, reducing false positives and false negatives, and ensuring that core business operations are not affected while maintaining security.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of access control management technology, and more specifically, to an intelligent access control management system for network boundary protection. Background Technology

[0002] As digital transformation deepens, enterprise network architectures are becoming increasingly complex, the number of business applications is surging, and network boundaries are becoming increasingly blurred. Traditional network access control technologies, such as static firewall rules based on IP addresses and ports, VPNs (Virtual Private Networks), or simple ACLs (Access Control Lists), are no longer able to cope with the current dynamic and ever-changing security threats. First, traditional access control policies are typically statically configured and remain unchanged for extended periods, unable to dynamically adjust based on real-time network traffic characteristics or threat intelligence. When new vulnerabilities emerge or internal anomalies occur, static policies often react slowly, creating protection gaps. Second, traditional protection methods lack awareness of business context. Security devices typically focus only on network and transport layer information (such as the five-tuple), failing to understand which specific business application the data flowing through the network belongs to or its current status. This disconnect leads to frequent misjudgments or omissions in security policies; for example, they cannot distinguish between normal business bursts and malicious DDoS attacks, or identify data theft disguised as business traffic. Finally, existing systems often lack intelligent policy orchestration capabilities. The formulation, testing, and deployment of security policies heavily rely on human experience, resulting in cumbersome and error-prone processes. As network scale expands, policy conflicts and redundancy become increasingly severe, leading to a sharp rise in management costs. Therefore, we propose an intelligent access control management system for network boundary protection to address these issues. Summary of the Invention

[0003] This invention provides an intelligent access control management system for network boundary protection, comprising: The policy engine module is used to store, parse, and enforce network access control policies; The traffic analysis module is used to capture and deeply analyze network packets flowing through the network boundary in real time; The threat intelligence and behavior analysis module is used to integrate external threat intelligence and, based on the output of the traffic analysis module, to perform anomaly detection and risk assessment on network access behavior. The business context awareness module is used to acquire and identify the attributes and access patterns of business applications in the current network. The policy orchestration and automation module is connected to the policy engine module, threat intelligence and behavior analysis module, and business context awareness module, respectively, and is used to automatically generate, recommend, and adjust access control policies in the policy engine module based on risk assessment results and business context. The management console module provides a user-friendly interface for policy configuration, policy visualization, auditing, and system status monitoring.

[0004] As a preferred technical solution of this application, the threat intelligence and behavior analysis module includes: The intrusion detection submodule is used to match known attack signatures; The User and Entity Behavior Analysis submodule is used to establish a baseline for network access behavior and identify abnormal behaviors that deviate from the baseline.

[0005] As a preferred technical solution of this application, the strategy orchestration and automation module includes a strategy decision sub-module, whose decision logic integrates at least one or more of the following factors: risk score output by the threat intelligence and behavior analysis module, business priority identified by the business context awareness module, predefined compliance requirements, and feedback on the historical strategy execution effect.

[0006] As a preferred technical solution of this application, the management console module includes a policy simulator, which is used to simulate the allow, deny or mark actions on specified network traffic after the policy takes effect before the policy is deployed, and to predict the resulting policy conflicts or business impacts.

[0007] As a preferred technical solution of this application, in the risk assessment process of the threat intelligence and behavior analysis module, a quantitative scoring method is used to calculate the risk value of the access behavior, and the specific calculation formula is as follows: R = α × T + β × A + γ × V; Wherein, R is the comprehensive risk score of the access behavior, with a value range of [0, 100], and the higher the score, the higher the risk level; T is the external threat intelligence matching coefficient, with a value range of [0, 50], which is determined according to the degree of matching between the access source IP, port, protocol and the external threat intelligence database, and the higher the matching degree, the larger the T value; A is the behavior anomaly coefficient, with a value range of [0, 30], which is calculated by the user and entity behavior analysis submodule according to the degree of deviation of the access behavior from the baseline; V is the vulnerability correlation coefficient, with a value range of [0, 20], which is assigned according to the system vulnerability level corresponding to the access target port; α, β, and γ are the weights of each coefficient, and satisfy α + β + γ = 1, which are dynamically adjusted according to actual network security needs.

[0008] As a preferred technical solution of this application, the formula for calculating the behavioral anomaly coefficient A is as follows: A = 30 × 1 / ni = 1 / n(xi − x)² / x; Where n is the number of access behavior samples within the preset statistical period, xi is the characteristic parameter value of the i-th access behavior (including access frequency, data transmission volume, and access duration), x is the average value of the characteristic parameters of n access behaviors, and the behavior anomaly coefficient A is calculated by normalizing the coefficient of variation of the characteristic parameters. The larger the coefficient of variation, the more serious the deviation of the access behavior from the baseline, and the higher the A value.

[0009] As a preferred technical solution of this application, the policy decision submodule determines the execution priority of the access control policy based on a comprehensive calculation of the policy matching degree using multiple factors. The specific calculation formula is as follows: P=ω1×(1−R / 100)+ω2×S+ω3×C+ω4×H; Wherein, P is the policy matching degree, with a value range of [0,1]. The higher the P value, the higher the policy execution priority; R is the comprehensive risk score of access behavior; S is the business priority coefficient, with a value range of [0,1], which is assigned by the business context awareness module according to the coreness of the business and the sensitivity of data; C is the compliance coefficient, with a value range of [0,1]. If it meets the predefined compliance requirements, it takes a value of 1; if it does not meet the requirements, it takes a value of 0; if it partially meets the requirements, it is assigned a value linearly according to the degree of compliance; H is the historical policy execution effect feedback coefficient, with a value range of [0,1], which is calculated based on the interception accuracy and false alarm rate of similar policies in the past; ω1, ω2, ω3, and ω4 are the weights of each factor, and satisfy ω1+ω2+ω3+ω4=1.

[0010] As a preferred technical solution of this application, the business context awareness module is also used to automatically identify core services, ordinary services and non-core services in the network, record the access time, access subject and access frequency of each service, and form a business access feature profile.

[0011] As a preferred technical solution of this application, the intrusion detection submodule also has a built-in attack signature library to identify common network attack behaviors and immediately feed back attack warning information to the threat intelligence and behavior analysis module. Common network attack behaviors include port scanning, brute force cracking, SQL injection, and cross-site scripting.

[0012] As a preferred technical solution of this application, the traffic analysis module also includes a traffic threshold setting, which is used to preset a normal traffic range based on network bandwidth and business needs. When traffic exceeds the preset threshold or a sudden traffic change occurs, a traffic anomaly signal is sent to the threat intelligence and behavior analysis module to provide data support for anomaly detection.

[0013] Compared with the prior art, the beneficial effects of the present invention are as follows: In the scheme of this application: 1. By connecting the threat intelligence and behavior analysis module, this application no longer relies on static rules, but can dynamically adjust access control policies based on real-time threat intelligence and traffic anomaly detection results, thereby improving the protection against unknown threats, zero-day vulnerabilities and internal abnormal behaviors (such as abnormal data transmission) and shortening threat response time. 2. By introducing a business context-aware module, this application can gain a deeper understanding of the business attributes of network traffic (such as application type, user role, and data sensitivity), so that the formulation and execution of policies are no longer limited to the network layer, but rise to the business layer, reducing false alarms and false negatives, and ensuring that the normal operation of core businesses is not affected while ensuring security. 3. The policy orchestration and automation module of this application combines risk assessment results with business context, and can automatically generate or recommend the optimal access control policy and send it to the policy engine for execution. This not only solves the problem of tedious and error-prone manual policy configuration, but also automatically detects and resolves policy conflicts, realizing automated management of the entire lifecycle of security policies and reducing operation and maintenance costs. 4. The management console module provides a unified human-computer interaction interface, which visualizes complex policy configurations, network traffic status, and threat alarm information. Administrators can intuitively monitor the system's operating status, trace historical access behavior, meet compliance audit requirements, and improve the transparency and convenience of management. Attached Figure Description

[0014] Figure 1 A schematic diagram of the intelligent access control management system for network boundary protection provided in this application; Figure 2 A schematic diagram of the threat intelligence and behavior analysis module provided for this application; Figure 3 A schematic diagram of the strategy orchestration and automation module provided in this application. Detailed Implementation

[0015] To enable those skilled in the art to better understand the present invention, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings of the embodiments of the present invention. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort should fall within the scope of protection of the present invention.

[0016] It should be noted that, unless otherwise specified, the embodiments and features and technical solutions in the present invention can be combined with each other.

[0017] It should be noted that similar labels and letters in the following figures indicate similar items. Therefore, once an item is defined in one figure, it does not need to be further defined and explained in subsequent figures.

[0018] For an example, please refer to... Figures 1-3 An intelligent access control management system for network boundary protection, comprising: The policy engine module is used to store, parse, and enforce network access control policies; The traffic analysis module is used to capture and deeply analyze network packets flowing through the network boundary in real time; The threat intelligence and behavior analysis module is used to integrate external threat intelligence and, based on the output of the traffic analysis module, to perform anomaly detection and risk assessment on network access behavior. The business context awareness module is used to acquire and identify the attributes and access patterns of business applications in the current network. The policy orchestration and automation module is connected to the policy engine module, threat intelligence and behavior analysis module, and business context awareness module, respectively. It is used to automatically generate, recommend, and adjust access control policies in the policy engine module based on risk assessment results and business context. The management console module provides a user-friendly interface for policy configuration, policy visualization, auditing, and system status monitoring.

[0019] Furthermore, the threat intelligence and behavioral analysis module includes: The intrusion detection submodule is used to match known attack signatures; The User and Entity Behavior Analysis submodule is used to establish a baseline for network access behavior and identify abnormal behaviors that deviate from the baseline.

[0020] Furthermore, the strategy orchestration and automation module includes a strategy decision-making submodule, whose decision-making logic integrates at least one or more of the following factors: risk scores output by the threat intelligence and behavior analysis module, business priorities identified by the business context awareness module, predefined compliance requirements, and feedback on historical strategy execution results.

[0021] Furthermore, the management console module includes a policy simulator, which simulates the allow, deny, or mark actions on specified network traffic after a policy takes effect before it is deployed, and predicts the resulting policy conflicts or business impacts.

[0022] Furthermore, in the risk assessment process of the threat intelligence and behavior analysis module, a quantitative scoring method is used to calculate the risk value of the access behavior. The specific calculation formula is as follows: ; in, The comprehensive risk score for access behavior ranges from [0, 100], with higher scores indicating higher risk levels. T is the external threat intelligence matching coefficient, ranging from [0, 50], determined by the degree of matching between the access source IP, port, protocol, and the external threat intelligence database; higher matching results in a larger T value. A is the behavior anomaly coefficient, ranging from [0, 30], calculated by the user and entity behavior analysis submodule based on the degree of deviation of the access behavior from the baseline. V is the vulnerability correlation coefficient, ranging from [0, 20], assigned based on the system vulnerability level corresponding to the access target port. α, β, and γ are the weights of each coefficient, and satisfy the following conditions: It will be dynamically adjusted based on actual network security needs.

[0023] Furthermore, the formula for calculating the behavioral abnormality coefficient A is as follows: ; Where n is the number of access behavior samples within the preset statistical period. The characteristic parameter values ​​(including access frequency, data transmission volume, and access duration) for the i-th access behavior. The average value of the behavioral anomaly coefficient A is the average value of the behavioral characteristic parameters of n visits. The formula for calculating the behavioral anomaly coefficient A is obtained by normalizing the coefficient of variation of the characteristic parameters. The larger the coefficient of variation, the more serious the deviation of the visit behavior from the baseline, and the higher the A value.

[0024] Furthermore, the policy decision submodule calculates the policy matching degree based on multiple factors to determine the execution priority of the access control policy. The specific calculation formula is as follows: P=ω1×(1−R / 100)+ω2×S+ω3×C+ω4×H; Where P is the policy matching degree, and its value ranges from [0,1]. The higher the value of P, the higher the policy execution priority. The system provides a comprehensive risk score for access behavior; S is the business priority coefficient, ranging from [0,1], assigned by the business context awareness module based on the core nature of the business and data sensitivity; C is the compliance coefficient, ranging from [0,1], with a value of 1 for compliance with predefined compliance requirements, 0 for non-compliance, and linearly assigned according to the degree of compliance for partial compliance; H is the feedback coefficient for historical policy execution effect, ranging from [0,1], calculated based on the interception accuracy and false alarm rate of similar historical policies; ω1, ω2, ω3, and ω4 are the weights of each factor, satisfying ω1+ω2+ω3+ω4=1.

[0025] Furthermore, the business context awareness module is also used to automatically identify core services, ordinary services and non-core services in the network, record the access time, access subject and access frequency of each service, and form a business access feature profile.

[0026] Furthermore, the intrusion detection submodule also has a built-in attack signature library to identify common network attack behaviors and immediately provide attack warning information to the threat intelligence and behavior analysis module. Common network attack behaviors include port scanning, brute-force attacks, SQL injection, and cross-site scripting.

[0027] Furthermore, the traffic analysis module also includes a traffic threshold setting, which is used to preset a normal traffic range based on network bandwidth and business needs. When traffic exceeds the preset threshold or a sudden change in traffic occurs, an abnormal traffic signal is sent to the threat intelligence and behavior analysis module to provide data support for anomaly detection.

[0028] When in use, the basic system configuration is completed through the human-computer interaction interface provided by the management console module. Based on the actual network bandwidth and business needs, the traffic threshold is preset, the priority of core and non-core businesses is clarified, compliance requirements are predefined, and key parameters such as the correlation coefficient weight in each quantitative formula are dynamically adjusted. Once configured, the system traffic analysis module will capture all data packets flowing through the network boundary in real time, perform in-depth analysis and extract key features. At the same time, when traffic exceeds the preset threshold or a sudden change in traffic occurs, it will promptly send an abnormal signal to the threat intelligence and behavior analysis module. The threat intelligence and behavior analysis module integrates external threat intelligence and combines it with traffic analysis data to calculate the comprehensive risk value of access behavior through a preset quantitative scoring formula. Its built-in intrusion detection submodule also relies on the attack signature database to identify common network attacks such as port scanning and SQL injection, and promptly provides early warning information. At the same time, the business context awareness module automatically identifies core, ordinary and non-core businesses in the network, records the access time, subject and frequency of each business, and establishes a complete business access feature profile. The policy orchestration and automation module combines the risk assessment results from the threat intelligence and behavior analysis module with business information from the business context awareness module, and other factors. It calculates priorities using the policy matching formula, automatically generates, recommends, and dynamically adjusts access control policies, and synchronously pushes them to the policy engine module for storage, parsing, and execution. The management console module provides full-process policy visualization, operation auditing, and real-time system status monitoring. It can also use the built-in policy simulator to simulate the allow, deny, or mark actions on specified network traffic after the policy takes effect before it is officially deployed, so as to predict and avoid possible policy conflicts and business impacts in advance.

[0029] In this invention, unless otherwise explicitly specified and limited, the terms "installation," "connection," "linking," and "fixing," etc., should be interpreted broadly. For example, they can refer to a fixed connection, a detachable connection, or an integral part; they can refer to a mechanical connection, an electrical connection, or a connection that allows communication between them; they can refer to a direct connection or an indirect connection through an intermediate medium; they can refer to the internal communication of two components or the interaction between two components, unless otherwise explicitly limited. Those skilled in the art can understand the specific meaning of the above terms in this invention according to the specific circumstances.

[0030] Obviously, the embodiments described above are merely some embodiments of the present invention, not all embodiments. The accompanying drawings show preferred embodiments of the present invention, but do not limit the patent scope of the present invention. The present invention can be implemented in many different forms; rather, these embodiments are provided to provide a more thorough and complete understanding of the disclosure of the present invention. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art can still modify the technical solutions described in the foregoing specific embodiments, or make equivalent substitutions for some of the technical features. Any equivalent structures made using the content of this specification and drawings, directly or indirectly applied to other related technical fields, are similarly within the patent protection scope of this invention.

Claims

1. An intelligent access control management system for network boundary protection, characterized in that, include: The policy engine module is used to store, parse, and enforce network access control policies; The traffic analysis module is used to capture and deeply analyze network packets flowing through the network boundary in real time; The threat intelligence and behavior analysis module is used to integrate external threat intelligence and, based on the output of the traffic analysis module, to perform anomaly detection and risk assessment on network access behavior. The business context awareness module is used to acquire and identify the attributes and access patterns of business applications in the current network. The policy orchestration and automation module is connected to the policy engine module, threat intelligence and behavior analysis module, and business context awareness module, respectively, and is used to automatically generate, recommend, and adjust access control policies in the policy engine module based on risk assessment results and business context. The management console module provides a user-friendly interface for policy configuration, policy visualization, auditing, and system status monitoring.

2. The intelligent access control management system for network boundary protection according to claim 1, characterized in that, The threat intelligence and behavior analysis module includes: The intrusion detection submodule is used to match known attack signatures; The User and Entity Behavior Analysis submodule is used to establish a baseline for network access behavior and identify abnormal behaviors that deviate from the baseline.

3. The intelligent access control management system for network boundary protection according to claim 1, characterized in that, The strategy orchestration and automation module includes a strategy decision-making submodule, whose decision-making logic integrates at least one or more of the following factors: risk scores output by the threat intelligence and behavior analysis module, business priorities identified by the business context awareness module, predefined compliance requirements, and feedback on the historical strategy execution results.

4. The intelligent access control management system for network boundary protection according to claim 1, characterized in that, The management console module includes a policy simulator, which is used to simulate the allow, deny, or mark actions on specified network traffic after the policy takes effect before deployment, and to predict the resulting policy conflicts or business impacts.

5. The intelligent access control management system for network boundary protection according to claim 3, characterized in that, In the risk assessment process of the threat intelligence and behavior analysis module, a quantitative scoring method is used to calculate the risk value of the access behavior.

6. The intelligent access control management system for network boundary protection according to claim 5, characterized in that, The formula for calculating the behavioral abnormality coefficient A is: ; Where n is the number of access behavior samples within the preset statistical period. Let i be the feature parameter value of the i-th access behavior. This represents the average value of the behavioral characteristic parameters from n visits.

7. The intelligent access control management system for network boundary protection according to claim 5, characterized in that, The strategy decision-making submodule calculates the policy matching degree based on multiple factors to determine the execution priority of the access control policy. The specific calculation formula is as follows: P=ω1×(1−R / 100)+ω2×S+ω3×C+ω4×H; Where P is the policy matching degree, and its value ranges from [0,1]. The higher the value of P, the higher the policy execution priority. The comprehensive risk score for access behavior is calculated as follows: S is the business priority coefficient, with a value range of [0,1], which is assigned by the business context awareness module based on the coreness of the business and the sensitivity of the data; C is the compliance coefficient, with a value range of [0,1]. If the predefined compliance requirements are met, the value is 1; if they are not met, the value is 0; if they are partially compliant, the value is assigned linearly according to the degree of compliance; H is the feedback coefficient for the historical strategy execution effect, with a value range of [0,1].

8. The intelligent access control management system for network boundary protection according to claim 1, characterized in that, The business context awareness module is also used to automatically identify core services, ordinary services and non-core services in the network, record the access time, access subject and access frequency of each service, and form a business access feature profile.

9. The intelligent access control management system for network boundary protection according to claim 2, characterized in that, The intrusion detection submodule also has a built-in attack signature database to identify common network attack behaviors and immediately report attack warning information to the threat intelligence and behavior analysis module. Common network attack behaviors include port scanning, brute force attacks, SQL injection, and cross-site scripting.

10. The intelligent access control management system for network boundary protection according to claim 1, characterized in that, The traffic analysis module also includes a traffic threshold setting, which is used to preset a normal traffic range based on network bandwidth and business needs. When traffic exceeds the preset threshold or a sudden traffic change occurs, a traffic anomaly signal is sent to the threat intelligence and behavior analysis module to provide data support for anomaly detection.