Zero-trust-based operation and maintenance management method and system, electronic device and storage medium

By constructing a simulated sandbox to execute instructions in the operation and maintenance access request, and combining historical access information to calculate trust scores and risk coefficients, the shortcomings of static authentication in existing operation and maintenance management strategies are solved, and dynamic risk assessment and precise control of operation and maintenance operations are realized.

CN122339827APending Publication Date: 2026-07-03GUANGZHOU ACADEMY OF FINE ARTS

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
GUANGZHOU ACADEMY OF FINE ARTS
Filing Date
2026-05-21
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

Existing operation and maintenance management strategies employ static identity access mechanisms, which separate identity verification from access request processing. This makes it impossible to dynamically assess the risks of operation and maintenance personnel, resulting in difficulties in achieving precise control and effective defense.

Method used

By extracting operation instructions from operation and maintenance access requests, a simulation sandbox is constructed to execute instructions, obtain instruction security scores, and calculate initial trust scores and access risk coefficients by combining them with historical access information. The trust scores are then dynamically updated to determine management strategies.

Benefits of technology

It enables accurate prediction and dynamic trust management of operational risks in advance without interfering with normal business systems, solves the problems of high false alarm rate and easy bypass caused by static text matching, and realizes adaptive permission adjustment under real-time risk situation.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122339827A_ABST
    Figure CN122339827A_ABST
Patent Text Reader

Abstract

This application relates to the field of computer technology, specifically to a zero-trust-based operation and maintenance management method, system, electronic device, and storage medium. The method includes: responding to an operation and maintenance access request, extracting operation and maintenance operation instructions, and obtaining the access target and historical access information; calculating an initial trust score based on the historical access information; constructing a simulation sandbox to execute the operation and maintenance operation instructions, and obtaining an instruction security score based on the simulation execution status; combining historical access information and the instruction security score to calculate an access risk coefficient, and updating the initial trust score accordingly to obtain an access trust score after the operation and maintenance operation instructions are executed; finally, determining the target operation and maintenance management strategy based on the access trust score and processing the operation and maintenance access request. This application, by integrating the initial trust score based on historical behavior with real-time instruction risk, quantifies historical risk and current operational risk, achieving adaptive permission adjustment and improving operation and maintenance access control and defense capabilities.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of computer technology, and more specifically, to a zero-trust-based operation and maintenance management method, system, electronic device, and storage medium. Background Technology

[0002] As digital transformation deepens, more and more enterprises and universities are upgrading their traditional offline operations and maintenance (O&M) and manual management models to automated and standardized online O&M management systems. Against this backdrop, the security management of infrastructure such as cloud servers, databases, core network devices, and critical business systems has become a core issue in building a cybersecurity defense system.

[0003] Existing operations and maintenance (O&M) management strategies typically employ static identity access mechanisms. For example, when an O&M personnel initiates an access request, the system only performs one-way verification of their identity; once the identity is confirmed, subsequent access requests are allowed and processed. However, this model separates "identity verification" from "access request processing" into two independent stages. This separation means that the system cannot consider the O&M personnel's access requests during identity verification; simultaneously, it lacks consideration of the dynamic risks posed by O&M personnel when processing access requests. Therefore, existing O&M management strategies struggle to achieve precise control and effective defense against O&M access requests. Summary of the Invention

[0004] This invention provides a zero-trust-based operation and maintenance management method, system, electronic device, and storage medium for effectively controlling and defending against operation and maintenance access requests.

[0005] According to a first aspect of this application, a zero-trust-based operation and maintenance management method is provided, the method comprising: In response to an operation and maintenance access request, extract the operation and maintenance operation instructions contained in the operation and maintenance access request, and obtain the access target and historical access information of the operation and maintenance personnel in the operation and maintenance access request. Based on the historical access information, calculate the initial trust score of the operations and maintenance personnel under the operations and maintenance access request; Construct a simulation sandbox for the access target, and execute the operation and maintenance instructions in the simulation sandbox to obtain the simulation execution state of the simulation sandbox after the operation and maintenance instructions are executed; The instruction security score of the operation and maintenance instructions is obtained based on the simulation execution status; Based on the historical access information and the instruction security score, calculate the access risk coefficient of the operation and maintenance personnel; The initial trust score is updated based on the access risk coefficient and the instruction security score to obtain the access trust score of the operation and maintenance access request after the operation and maintenance instruction is executed. The target operation and maintenance management strategy is determined based on the access trust score, and the operation and maintenance access request is processed according to the target operation and maintenance management strategy.

[0006] By performing quantitative calculations based on the simulated execution status in the simulation sandbox and the historical access information of operations and maintenance personnel before maintenance access requests enter the production environment, accurate pre-emptive prediction and dynamic trust control of operational risks are achieved without interfering with normal business systems. Specifically, by extracting maintenance operation instructions and constructing a simulated sandbox for execution, the actual system side effects of instruction execution can be captured to obtain instruction security scores, solving the problem of high false alarm rates and easy bypassing caused by relying solely on static text matching. Combining historical access information to calculate initial trust scores and access risk coefficients allows for the quantification of historical behavioral risks and current operational risks of operations and maintenance personnel. Finally, the trust scores are updated based on instruction security scores and access risk coefficients to determine management strategies, achieving adaptive permission adjustments based on real-time risk situations, effectively realizing precise control and effective defense of maintenance access requests.

[0007] Optionally, calculating the initial trust score of the operations and maintenance personnel under the operations and maintenance access request based on the historical access information includes: Based on the historical access information, the access types of the historical operation and maintenance access requests of the operation and maintenance personnel within a preset historical time range are obtained, as well as the instruction types of the historical operation and maintenance operation instructions contained in the historical operation and maintenance access requests; wherein, the access types include secure access, risky access, and high-risk access, and the instruction types include secure instructions and high-risk instructions; A positive trust score is obtained based on the number of historical maintenance access requests for secure access within the historical time range, and a negative trust score is obtained based on the number of historical maintenance access requests for high-risk access and the number of historical maintenance operation instructions for high-risk instructions within the historical time range. The initial trust score is obtained based on the preset initial trust base score, the positive trust score, and the negative trust score.

[0008] By acquiring the number of secure and risky accesses within a historical timeframe, positive and negative trust scores can be obtained. This allows operations personnel to transform their historical operational habits into calculable numerical indicators. Furthermore, by combining these with preset initial trust base scores, positive trust scores, and negative trust scores, an initial trust score is obtained. This establishes a comprehensive evaluation mechanism that balances historical behavior incentives with risk penalties, providing a precise initial benchmark for subsequent dynamic risk coefficient calculations and access strategy adjustments based on this initial trust score.

[0009] Optionally, the operation and maintenance instructions are executed sequentially in the simulation sandbox; The step of calculating the access risk coefficient of the operations and maintenance personnel based on the historical access information and the instruction security score includes: Based on the historical access information, obtain the number of historical maintenance access requests and the number of historical maintenance operation instructions of high-risk access by the maintenance personnel within the historical time range. The historical behavior baseline coefficient is obtained by weighting the number of historical operation and maintenance access requests for high-risk access and the number of historical operation and maintenance instructions for high-risk instructions within the historical time range, and then adding the weighted average to the preset historical coefficient baseline value. Based on the instruction security score of the currently executed operation and maintenance operation instructions in the operation and maintenance access request, obtain the instruction type of the currently executed operation and maintenance operation instructions, and count the number of operation and maintenance operation instructions that are high-risk instructions among the currently executed operation and maintenance operation instructions. The number of maintenance operation instructions for the high-risk instructions is scaled down using a preset instruction weighting coefficient and then added to a preset real-time coefficient benchmark value to obtain the real-time behavior risk coefficient. The product of the historical behavior baseline coefficient and the real-time behavior risk coefficient is used as the access risk coefficient.

[0010] By analyzing the number of high-risk accesses and commands executed by operations and maintenance personnel within a preset historical timeframe, a historical behavior baseline coefficient is generated. This quantifies the long-term negative impact of historical violations on the current trust status, resolving the disconnect between the initial trust score and the historical behavior of operations and maintenance personnel. Secondly, by statistically analyzing the number of security commands executed in current operations and maintenance access requests and combining this with command weighting coefficients, a real-time behavior risk coefficient is generated. This enables immediate positive feedback and trust restoration for compliant operations within a single request. Finally, the product of the historical behavior baseline coefficient and the real-time behavior risk coefficient is used as the final access risk coefficient, constructing a penalty model of "historical accumulated risk × current session real-time risk." This ensures that the risk assessment logic strictly adheres to the security control principle of "slowly adding points and quickly deducting points," meaning that the more historical violations or the more consecutive violations, the greater the penalty. This effectively achieves pre-emptive closed-loop control of operations and maintenance risks and continuous dynamic authorization with zero trust.

[0011] Optionally, the step of obtaining the access type of the historical maintenance access requests made by the maintenance personnel within a preset historical time range, and the instruction type of the historical maintenance operation instructions contained in the historical maintenance access requests, based on the historical access information, includes: Based on the historical access information, extract the historical operation and maintenance access requests of the operation and maintenance personnel within a preset historical time range, as well as the historical operation and maintenance operation instructions contained in the historical operation and maintenance access requests; Obtain the historical access trust score of the historical operation and maintenance access request after executing its historical operation and maintenance operation instruction, and obtain the historical final access trust score of the historical operation and maintenance access request from the historical access trust score according to the time sequence. Obtain the historical instruction security score corresponding to the historical operation and maintenance instructions; If the security score of the historical instruction is greater than or equal to the preset instruction score threshold, the historical operation and maintenance instruction is classified as a safe instruction; otherwise, it is classified as a high-risk instruction. If the historical final access trust score is greater than or equal to a preset trust score threshold, and all historical operation and maintenance instructions contained in the historical operation and maintenance access request are secure instructions, then the historical operation and maintenance access request is classified as secure access; if the historical final access trust score is less than a preset high-risk score threshold, then the historical operation and maintenance access request is classified as high-risk access; otherwise, it is classified as risky access.

[0012] By extracting historical operation and maintenance access requests and their corresponding command security scores, and comparing these scores with preset thresholds, the system accurately identifies the risk nature of historical operation and maintenance commands, resolving the misjudgment problem caused by simply relying on command text matching. Furthermore, by introducing a "historical final access trust score" as the core basis for session-level risk assessment, and verifying whether this score meets the standard and whether all included commands are secure, historical operation and maintenance access requests are classified into secure access, risky access, or high-risk access, thereby quantifying the overall compliance status of a single session. This provides accurate data source support for subsequent calculation of historical behavior benchmark coefficients, enabling the system to effectively distinguish between long-term compliant trusted users and potentially risky users, avoiding the trust assessment distortion caused by ignoring session context in traditional coarse-grained auditing, and laying a solid data foundation for achieving dynamic least privilege based on zero trust.

[0013] Optionally, obtaining the instruction security score of the operation and maintenance instruction based on the simulation execution state includes: Extract file system operation information and network connection operation information based on the simulation execution status; Calculate the file system risk score based on the file system operation information; Calculate the network connection risk score based on the network connection operation information; The instruction security score of the operation and maintenance instructions is calculated based on the file system risk score and the network connection risk score.

[0014] By extracting file system operation information and network connection operation information from the simulation execution state, system side effects generated during instruction execution can be obtained in real time. Then, based on these dynamic behaviors, file system risk scores and network connection risk scores are calculated respectively, enabling multi-dimensional quantitative assessment of instruction behavior from two core dimensions: data asset tampering risk and network out-of-bounds access risk. Finally, an instruction security score is calculated based on the above two risk scores, achieving an objective and comprehensive judgment on the security of operation and maintenance instructions. This provides a reliable technical basis for subsequent dynamic trust updates and accurate execution of access control policies based on this score.

[0015] Optionally, calculating the instruction security score of the operation and maintenance instructions based on the file system risk score and the network connection risk score includes: The file risk weight is multiplied by the file system risk score to obtain the file system risk component; The network connection risk component is obtained by multiplying the preset network risk weight by the network connection risk score. Based on the file system risk component and the network connection risk component, obtain the total risk component; The difference between the preset risk scoring benchmark value and the total risk component is used as the instruction security score.

[0016] By obtaining the total risk component based on the file system risk component and the network connection risk component, the side effects of instructions at different system levels can be uniformly quantified. Finally, the difference between the preset risk score benchmark value and the total risk component is used as the instruction security score, establishing a direct mapping relationship from risk accumulation to security score, providing accurate numerical basis for subsequent dynamic trust updates and access control based on this score.

[0017] Optionally, calculating the file system risk score based on the file system operation information includes: Based on the file system operation information, extract the total number of operations performed on system files by the operation and maintenance instructions, the preset confidentiality index of the system file for each system file operation, and the preset risk index of the operation type for each system file operation; For each system file operation, the product of the preset confidentiality index and the preset danger index is calculated as the risk operation value of the corresponding system file operation; Calculate the sum of the risk operation values ​​for all system file operations, and use the ratio of the sum of the risk operation values ​​to the total number of operations as the file system risk score.

[0018] By extracting the total number of operations, the preset confidentiality index, and the preset danger index, the scale of file access and potential harm involved in the instruction can be comprehensively reflected. For each operation, the product of the preset confidentiality index and the preset danger index is calculated as the risk operation value, which can accurately quantify the comprehensive risk level of a single file operation. Finally, by calculating the ratio of the sum of all risk operation values ​​to the total number of operations, the file system risk score can be obtained, which can integrate the multi-dimensional and multi-batch file operation behaviors involved in the instruction into a unified risk.

[0019] Optionally, calculating the network connection risk score based on the network connection operation information includes: Based on the network connection operation information, extract the total number of network connections triggered by the operation and maintenance operation instructions, the address risk index of the target connection address for each connection, and the port risk index of the target port for each connection; For each network connection, the product of the address risk index and the port risk index is calculated as the risk connection value for the corresponding network connection; The highest risky connection value among all network connections is used as the network connection risk score.

[0020] By calculating the product of the address risk index of the target connection address and the port risk index of the target port as the risk connection value of the corresponding network connection, the "external threat intelligence" and "service sensitivity" are correlated and weighted to effectively capture complex high-risk operations such as "connecting to database ports with high-risk connection addresses". This allows for the keen identification of the most serious security risks in the instruction execution process, avoiding the masking of fatal risks by averaging, and providing an accurate risk assessment basis for subsequent refined access control decisions based on this score.

[0021] Optionally, updating the initial trust score based on the access risk coefficient and the instruction security score to obtain the access trust score of the operation and maintenance access request after the execution of the operation and maintenance operation instruction includes: Extract the execution order of the operation and maintenance instructions in the simulation sandbox; Based on the execution order of the operation and maintenance instructions, the security score of the instructions, and the access risk coefficient corresponding to the operation and maintenance instructions, the trust score to be processed is iteratively updated; if the current iterative update cycle is the first iterative update cycle, then the trust score to be processed is the initial trust score, otherwise it is the trust score to be processed updated in the previous iterative update cycle. According to the update order of the iterative update cycle, the updated trust score to be processed in the iterative update cycle is used as the access trust score after the operation and maintenance instructions are executed in the corresponding execution order.

[0022] By utilizing iterative computation logic, compliant operations can be rewarded by providing real-time feedback on the security score of the current instruction, and the penalty for violations can be amplified by using the access risk coefficient, thereby building a zero-trust continuous verification system with historical cumulative effect and real-time dynamic response capability.

[0023] Optionally, in each iteration update cycle: Calculate the complementary score value of the instruction security score, and multiply the preset penalty factor, the complementary score value and the access risk coefficient to obtain the risk penalty score; The preset reward factor is multiplied by the instruction security score to obtain the security reward score; The pending trust score is penalized using the risk penalty score, and the penalized pending trust score is rewarded using the security reward score, resulting in a rewarded pending trust score. The pending trust score is corrected by adjusting the rewarded trust score within a preset trust score range to obtain the updated pending trust score for the current iteration update cycle.

[0024] By multiplying the complementary score of the instruction security score with the access risk coefficient to generate a risk penalty score, the intensity of trust penalty can be non-linearly amplified as the access risk coefficient increases. This allows for precise quantification and immediate blocking of potential threats from high-risk or unauthorized operations. Simultaneously, a security reward score is generated by multiplying the reward factor with the instruction security score, providing positive incentives for compliant operations and ensuring the fairness and continuity of trust assessment. Furthermore, risk penalties and security rewards are applied sequentially to the trust scores to be processed, and boundary correction is performed using a preset trust score range. This effectively prevents logical anomalies caused by numerical overflow and constructs a zero-trust dynamic convergence model with "slow addition and fast deduction" characteristics. This allows the real-time trust status of operations personnel to dynamically expand and contract strictly in accordance with the risk fluctuations of their operational behavior, ultimately achieving a security paradigm shift from static identity authentication to continuous dynamic verification throughout the entire lifecycle.

[0025] According to a second aspect of this application, a zero-trust-based operation and maintenance management system is provided, the system comprising: The access data acquisition module is used to respond to the operation and maintenance access request, extract the operation and maintenance operation instructions contained in the operation and maintenance access request, and obtain the access target and historical access information of the operation and maintenance personnel in the operation and maintenance access request. The initial trust calculation module is used to calculate the initial trust score of the operation and maintenance personnel under the operation and maintenance access request based on the historical access information. The sandbox simulation module is used to construct a simulation sandbox for the access target, execute the operation and maintenance instructions in the simulation sandbox, and obtain the simulation execution state of the simulation sandbox after the operation and maintenance instructions are executed. The instruction scoring acquisition module is used to acquire the instruction security score of the operation and maintenance instruction based on the simulation execution status; The risk coefficient acquisition module is used to calculate the access risk coefficient of the operation and maintenance personnel based on the historical access information and the instruction security score; The score update module is used to update the initial trust score according to the access risk coefficient and the instruction security score to obtain the access trust score of the operation and maintenance access request after the operation and maintenance operation instruction is executed. The request processing module is used to determine the target operation and maintenance management policy based on the access trust score, and to process the operation and maintenance access request according to the target operation and maintenance management policy.

[0026] According to a third aspect of this application, an electronic device is provided, comprising: Memory, used to store one or more computer programs; The processor, when the one or more computer programs are executed by the processor, implements the zero-trust-based operation and maintenance management method described in the first aspect above.

[0027] According to a fourth aspect of this application, a computer-readable storage medium is provided, the computer-readable storage medium storing computer instructions, the computer instructions being configured to cause a processor to execute and implement the zero-trust-based operation and maintenance management method described in the first aspect above.

[0028] Based on any of the above aspects, the zero-trust-based operation and maintenance management method, system, electronic device, and computer storage medium provided in this application, by performing quantitative calculations based on the simulated execution state in the simulation sandbox and the historical access information of operation and maintenance personnel before the operation and maintenance access request enters the production environment, achieves accurate pre-judgment and dynamic trust control of operation and maintenance operation risks without interfering with normal business systems. Specifically, by extracting operation and maintenance operation instructions and constructing a simulation sandbox for execution, the actual system side effects of instruction execution can be captured to obtain instruction security scores, solving the problem of high false alarm rates and easy bypassing caused by relying solely on static text matching; by combining historical access information to calculate the initial trust score and access risk coefficient, the historical behavioral risks and current operational risks of operation and maintenance personnel can be quantified; finally, the trust score is updated and the management strategy is determined based on the instruction security score and access risk coefficient, realizing adaptive permission adjustment based on real-time risk situation, effectively preventing the risk of core data leakage and system crash caused by account theft or misoperation. Attached Figure Description

[0029] To more clearly illustrate the technical solutions in the embodiments of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0030] Figure 1 This is a flowchart illustrating the steps of the operation and maintenance management method provided in this embodiment.

[0031] Figure 2 This is a schematic diagram illustrating the steps for calculating the initial trust score in this embodiment.

[0032] Figure 3 This is a flowchart illustrating the steps for obtaining the instruction security score in this embodiment.

[0033] Figure 4 This is a flowchart illustrating the steps involved in calculating the access risk coefficient in this embodiment.

[0034] Figure 5 This is a flowchart illustrating the iterative update cycle of the trust score to be processed provided in this embodiment.

[0035] Figure 6 This is a schematic diagram of the functional modules of the operation and maintenance management system provided in this embodiment.

[0036] Figure 7 This is a schematic diagram of the device structure of the electronic device provided in this embodiment. Detailed Implementation

[0037] The accompanying drawings are for illustrative purposes only and should not be construed as limiting the scope of this application. To better illustrate the following embodiments, some components in the drawings may be omitted, enlarged, or reduced, and do not represent the actual dimensions of the product; it is understandable to those skilled in the art that some well-known structures and their descriptions may be omitted in the drawings.

[0038] To enable those skilled in the art to better understand the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present application, and not all embodiments. Based on the embodiments in the present application, all other embodiments obtained by those of ordinary skill in the art without creative effort should fall within the scope of protection of the present application.

[0039] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of this application described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.

[0040] As digital transformation deepens, more and more enterprises and universities are upgrading their traditional offline operations and maintenance (O&M) and manual management models to automated and standardized online O&M management systems. Against this backdrop, the security management of infrastructure such as cloud servers, databases, core network devices, and critical business systems has become a core issue in building a cybersecurity defense system.

[0041] Existing operations and maintenance (O&M) management strategies typically employ static identity access mechanisms. For example, when an O&M personnel initiates an access request, the system only performs one-way verification of their identity; once the identity is confirmed, subsequent access requests are allowed and processed. However, this model separates "identity verification" from "access request processing" into two independent stages. This separation means that the system cannot consider the O&M personnel's access requests during identity verification; simultaneously, it lacks consideration of the dynamic risks posed by O&M personnel when processing access requests. Therefore, existing O&M management strategies struggle to achieve precise control and effective defense against O&M access requests.

[0042] This embodiment provides a technical solution that can solve the above problems. The specific implementation of this application will be described in detail below with reference to the accompanying drawings.

[0043] like Figure 1 As shown, this embodiment provides a zero-trust-based operation and maintenance management method, which may include the following steps: S1: In response to the operation and maintenance access request, extract the operation and maintenance operation instructions contained in the operation and maintenance access request, and obtain the access target and historical access information of the operation and maintenance personnel of the operation and maintenance access request; S2: Calculate the initial trust score of the operation and maintenance personnel under the operation and maintenance access request based on the historical access information; S3: Construct a simulation sandbox for the access target, and execute the operation and maintenance instructions in the simulation sandbox to obtain the simulation execution state of the simulation sandbox after the operation and maintenance instructions are executed; S4: Obtain the instruction security score of the operation and maintenance instruction based on the simulation execution status; S5: Calculate the access risk coefficient of the operation and maintenance personnel based on the historical access information and the instruction security score; S6: Update the initial trust score according to the access risk coefficient and the instruction security score to obtain the access trust score of the operation and maintenance access request after the operation and maintenance operation instruction is executed; S7: Determine the target operation and maintenance management strategy based on the access trust score, and process the operation and maintenance access request according to the target operation and maintenance management strategy.

[0044] In this embodiment, the maintenance access request can be understood as a holistic connection action or network session initiated by the maintenance client to the production cluster. It represents the maintenance personnel's "intention" and "channel" to establish communication with the production cluster, including specific maintenance operation instructions, handshake information required to establish the connection, protocol headers, authentication information, and the entire lifecycle of the communication process. The maintenance operation instructions can be understood as the specific commands or operations that the maintenance personnel actually want to execute on the production server, such as a specific computer command or operation sequence.

[0045] In this embodiment, the interaction information between the operation and maintenance client and the production cluster can be monitored. When an operation and maintenance access request is detected from the operation and maintenance client, the direct connection path between the operation and maintenance client and the production cluster is blocked in response to the operation and maintenance access request, thus intercepting the operation and maintenance access request. The operation and maintenance access request is then decomposed to extract the operation and maintenance operation instructions contained in the operation and maintenance access request, as well as the handshake information and identity authentication information required to establish the connection. The target production cluster of the operation and maintenance access request is obtained using the handshake information, and the information of the operation and maintenance personnel making the operation and maintenance access request is obtained using the identity authentication information. Based on the information of the operation and maintenance personnel, the historical access information of the operation and maintenance personnel is extracted from a preset historical access information database.

[0046] The historical access information may include all historical operation and maintenance access requests of the operation and maintenance personnel and related information of the historical operation and maintenance access requests, as well as all historical operation instructions in each historical access request and related information of the historical operation instructions.

[0047] In one implementation, after obtaining the information of the operation and maintenance personnel, the identity of the operation and maintenance personnel can be verified based on the information to determine whether the operation and maintenance personnel has access rights to the access target. If the operation and maintenance personnel does not have access rights to the access target, the operation and maintenance access request of the operation and maintenance personnel is rejected.

[0048] As described above, the historical access information includes the historical operation and maintenance access requests of the operation and maintenance personnel and related information on the historical operation and maintenance instructions contained therein. Therefore, based on the historical access information, the historical performance of the operation and maintenance personnel in the historical operation and maintenance access requests can be obtained as the decision basis for the current operation and maintenance access requests of the operation and maintenance personnel, avoiding misjudgments and omissions caused by relying solely on the simulation results of current static rules or single instructions, thereby achieving dynamic perception and precise prevention and control of operation and maintenance risks.

[0049] Therefore, in this embodiment, as Figure 2 As shown, step S2 may include the following sub-steps: S21: Based on the historical access information, obtain the access type of the historical operation and maintenance access request of the operation and maintenance personnel within a preset historical time range, and the instruction type of the historical operation and maintenance operation instructions contained in the historical operation and maintenance access request; In this embodiment, the access type may include secure access, risky access, and high-risk access, and the instruction type may include secure instructions and high-risk instructions.

[0050] It is understood that secure access means that the operation and maintenance access request or the historical operation and maintenance access request as a whole meets the security requirements; however, secure access does not mean that all operation and maintenance operation instructions in the operation and maintenance access request or all historical operation and maintenance operation instructions in the historical operation and maintenance access request are secure instructions. It needs to be determined based on the historical access trust score corresponding to the historical operation and maintenance access request and the historical instruction security score of the historical operation and maintenance operation instructions therein.

[0051] Therefore, in this embodiment, step S21 may include the following steps: First, based on the historical access information, extract the historical operation and maintenance access requests of the operation and maintenance personnel within a preset historical time range, as well as the historical operation and maintenance operation instructions contained in the historical operation and maintenance access requests; In this embodiment, based on the information of the maintenance personnel, historical maintenance access requests within the historical time range from the current time point, as well as the historical maintenance operation instructions therein, can be extracted from the historical access information database.

[0052] Next, the historical access trust score of the historical operation and maintenance access request after executing its historical operation and maintenance operation instruction is obtained, and the historical final access trust score of the historical operation and maintenance access request is obtained from the historical access trust score according to the time sequence; the historical instruction security score corresponding to the historical operation and maintenance operation instruction is obtained. In this embodiment, the historical access information database also records relevant information about the historical operation and maintenance access requests and the historical operation and maintenance operation instructions. The relevant information includes the historical access trust score of the historical operation and maintenance access requests and the historical instruction security score of the historical operation and maintenance operation instructions.

[0053] Understandably, in this embodiment, the access trust score corresponding to the maintenance access request is updated based on the instruction security score of the maintenance operation instruction within it. The maintenance operation instruction in the maintenance access request is executed in a specific order based on the content of the maintenance access request, such as first querying a file and then opening it. Therefore, the access trust score of the maintenance access request is continuously updated as the maintenance operation instruction is executed, and each updated access trust score is recorded in the historical access information database. Each access trust score of the maintenance access request corresponds to one maintenance operation instruction within the maintenance access request.

[0054] Therefore, for each historical operation and maintenance access request, the historical access information database records the historical access trust score corresponding to the execution of all historical operation and maintenance operation instructions of the historical operation and maintenance access request. All the historical access trust scores of the historical operation and maintenance access request are arranged in chronological order, and the last historical access trust score is the historical final access trust score of the historical operation and maintenance access request.

[0055] Understandably, the historical final access trust score corresponds to the last historical operation and maintenance instruction executed in the historical operation and maintenance access request. After the historical operation and maintenance instruction is executed, the corresponding historical operation and maintenance access request stops executing. This may be because the historical final access trust score of the historical operation and maintenance access request causes the historical operation and maintenance access request to be interrupted midway, or it may be because all the historical operation and maintenance instructions in the historical operation and maintenance access request have been executed normally.

[0056] In either case, the historical final access trust score, serving as the basis for determining historical maintenance access requests, reflects the overall trust status of the corresponding historical maintenance access request. Therefore, the access type of the historical maintenance access request can be determined based on the historical final access trust score. Similarly, the historical security instruction score reflects the security attributes of the execution of its corresponding historical maintenance operation instruction. Therefore, the instruction type of the historical maintenance operation instruction can be determined based on the historical security instruction score.

[0057] In this embodiment, determining the instruction type of the historical operation and maintenance instructions may include: If the security score of the historical instruction is greater than or equal to the preset instruction score threshold, the historical operation and maintenance instruction is classified as a safe instruction; otherwise, it is classified as a high-risk instruction. Furthermore, determining the access type of the historical maintenance access request may include: If the historical final access trust score is greater than or equal to a preset trust score threshold, and all historical operation and maintenance instructions contained in the historical operation and maintenance access request are secure instructions, then the historical operation and maintenance access request is classified as secure access; if the historical final access trust score is less than a preset high-risk score threshold, then the historical operation and maintenance access request is classified as high-risk access; otherwise, it is classified as risky access.

[0058] Understandably, when the historical maintenance access request is a secure access request, it means that the security of the corresponding historical maintenance access request and all historical maintenance instructions is high. When the historical maintenance access request is a high-risk access request, it means that at the time of the historical maintenance access request, due to the low trust score of the corresponding historical final access, the security of the historical maintenance access request is too low, and the historical maintenance access request is circuit-broken. At this time, the historical maintenance operation instructions in the historical maintenance access request may contain high-risk instructions. When the historical maintenance access request is a risky access request, it means that the historical maintenance access request contains historical maintenance operation instructions with high-risk instructions, and the historical maintenance access request has a certain degree of uncertainty.

[0059] S22: Obtain a positive trust score based on the number of historical maintenance access requests for secure access within the historical time range, and obtain a negative trust score based on the number of historical maintenance access requests for high-risk access and the number of historical maintenance operation instructions for high-risk instructions within the historical time range. Understandably, the positive trust score reflects the reward for the operation and maintenance personnel to perform secure access and secure commands, while the negative trust score reflects the penalty for the operation and maintenance personnel to perform high-risk access or high-risk commands.

[0060] In a preferred example, the positive trust score is initially set to 0. Within the historical time range, each secure access request from the operations and maintenance personnel can add 2 points to the positive trust score. If multiple consecutive historical access requests are secure, the positive trust score will add an additional 3 points. Assuming that within the historical time range, the operations and maintenance personnel have a total of 10 historical access requests, of which 8 are secure, and there are multiple consecutive secure historical access requests, the positive trust score can be finally calculated as 19 points. Correspondingly, the negative trust score is initially set to 0. Within the historical time frame, each high-risk instruction from the operations and maintenance personnel will deduct 3 points from the negative trust score. These high-risk instructions can be found within historical operations and maintenance access requests for risky or high-risk accesses, and each high-risk access request will deduct 10 points from the negative trust score. For example, if the operations and maintenance personnel have a total of 10 historical operations and maintenance access requests within the historical time frame, including one high-risk access request and two high-risk instruction requests, then the negative trust score would be -16 points. S23: Obtain the initial trust score based on the preset initial trust base score, the positive trust score, and the negative trust score.

[0061] In this embodiment, the initial trust base score can be set according to the overall security policy of the production cluster. The initial trust score is obtained by summing the initial trust base score, the positive trust score, and the negative trust score.

[0062] In this embodiment, the positive trust score has a maximum upper limit and the negative trust score has a minimum lower limit. By using the maximum upper limit, the minimum lower limit, and the initial trust base score, the initial trust score is limited to a certain range, preventing the access trust score obtained in subsequent updates from unilaterally accumulating, thus making the obtained access trust score more reliable.

[0063] Understandably, if the operations and maintenance personnel have no historical access requests within the historical time range, then when calculating the initial trust score, both the positive trust score and the negative trust score will be 0, and the initial trust score will be set as the initial trust base score. This ensures that new operations and maintenance personnel, or those who have been idle for a long time, can access the system normally.

[0064] In one implementation, the initial trust score of the operations and maintenance personnel calculated in step S2 can be compared with the high-risk score threshold. If the initial trust score is lower than the high-risk score threshold, the operations and maintenance personnel's access request is determined to be a high-risk access, and the access request is circuit-broken, rejecting the access request. The relevant data of the access request is recorded in the historical access information database. It is understood that in step S2, if the initial trust score is lower than the high-risk score threshold, the access request is circuit-broken, and subsequent steps S3-S7 are not executed. If the initial trust score is greater than or equal to the high-risk score threshold, subsequent steps S3-S7 are executed.

[0065] In this embodiment, after obtaining the access target of the operation and maintenance access request, the environment configuration of the access target can be extracted from the preset production environment configuration. Then, through copy-on-write storage technology and lightweight virtualization snapshots, a simulation sandbox with an environment configuration completely identical to the access target in terms of operating system version, kernel parameters, key configuration files, and software dependency stack can be quickly cloned in an isolated computing resource pool. This allows the operation and maintenance instructions to be executed in the simulation sandbox. At the same time, the simulation sandbox is configured with a kernel audit function based on the extended Berkeley packet filter. Through the kernel audit function, every system call triggered by the execution of the operation and maintenance instructions in the simulation sandbox can be captured in real time in the kernel mode, such as file read and write frequency, changes in sensitive directory permissions, abnormal network socket openings, and instantaneous fluctuations in CPU / memory, as information for the simulation execution status.

[0066] In this embodiment, step S4, which involves obtaining the instruction security score of the operation and maintenance instruction based on the simulation execution state, is as follows: Figure 3 As shown, it may include: S41: Extract file system operation information and network connection operation information based on the simulation execution state; In this embodiment, the file system operation information may include the operation and maintenance operation instructions' calls to classified system files, as well as the risks associated with the operation and maintenance operation instructions' operations on system files; the network connection operation information may include the target connection address and target port of the network connection triggered by the operation and maintenance operation instructions.

[0067] S42: Calculate the file system risk score based on the file system operation information; In this embodiment, the calculation of the file system risk score may include the following steps: First, based on the file system operation information, extract the total number of system file operations performed by the operation and maintenance instructions, the preset confidentiality index of the system file for each system file operation, and the preset risk index of the operation type for each system file operation. Next, for each system file operation, calculate the product of the preset confidentiality index and the preset risk index as the risk operation value for the corresponding system file operation. Finally, calculate the sum of the risk operation values ​​for all system file operations, and use the ratio of the sum of the operation values ​​to the total number of operations as the file system risk score.

[0068] Understandably, the higher the total number of system file operations performed by the maintenance operation instructions, and the higher the confidentiality index of the system files being operated on, the higher the risk of the maintenance operation instructions. At the same time, since system files are very important, operations such as deletion or modification of system files should not be performed arbitrarily. Therefore, setting a risk index for the operation types of system file operations can effectively supervise maintenance operation instructions that involve risks such as deleting or modifying system files.

[0069] Therefore, in this embodiment, by extracting the total number of operations, the preset confidentiality index, and the preset danger index, the scale of file access and potential harm involved in the instruction can be comprehensively reflected; for each operation, the product of the preset confidentiality index and the preset danger index is calculated as the risk operation value, which can accurately quantify the comprehensive risk level of a single file operation; finally, by calculating the ratio of the sum of all risk operation values ​​to the total number of operations as the file system risk score, the multi-dimensional and multi-batch file operation behaviors involved in the instruction can be integrated into a unified risk.

[0070] In this embodiment, the calculation of the file system risk score can be expressed by the following formula: In the formula, Assess the risk of the file system. This represents the total number of operations performed on system files by the aforementioned operation and maintenance instructions.

[0071] The preset confidentiality index is set for the system file in the i-th system file operation. The preset confidentiality index ranges from 0 to 1. In implementation, the preset confidentiality index can be set for the system file according to the path name of the system file. For example, the preset confidentiality index of the system file path name can be set to 1. The setting of the preset confidentiality index of the system file path name can be set according to the environment configuration of the production cluster and the standard directory specification.

[0072] The preset danger index is set for the operation type of the i-th system file operation, and the value of the preset danger index ranges from 0 to 1. In implementation, the preset danger index can be set for the operation type of the system file operation according to the risk classification standard of general vulnerability scoring. For example, operations such as recursive deletion, disk formatting, and global permission modification that will cause system crashes and irreversible data loss can have their preset danger index set to 1. Operations such as file writing, service start and stop, kernel module operation, and firewall rule change that will cause system configuration changes and business interruption can have their preset danger index set to 0.7.

[0073] Understandably, if the total number of operations n=0, then the file system risk score F=0, indicating that the operation and maintenance instructions do not involve system file operations and do not have the corresponding risks.

[0074] S43: Calculate the network connection risk score based on the network connection operation information; In this embodiment, the calculation of the network connectivity risk score may include the following steps: First, based on the network connection operation information, extract the total number of network connections triggered by the operation and maintenance operation instructions, the address risk index of the target connection address for each connection, and the port risk index of the target port for each connection; then, for each network connection, calculate the product of the address risk index and the port risk index as the risk connection value of the corresponding network connection; finally, take the largest risk connection value among all network connections as the network connection risk score.

[0075] It is understandable that if the target connection address of the network connection in the operation and maintenance instruction contains a risky connection address, or the port of the target connection address contains a risky port, then it may be subject to external threats from the risky connection address or the risky connection port. Therefore, the risk status of the network connection can be judged based on the risk attributes of the risky connection address and the risky connection port.

[0076] Therefore, in this embodiment, by calculating the product of the address risk index of the target connection address and the port risk index of the target port as the risk connection value of the corresponding network connection, the "external threat intelligence" and "service sensitivity" are correlated and weighted to effectively capture complex high-risk operations such as "connecting to database ports with high-risk connection addresses"; thus, it can keenly grasp the most serious security risks in the instruction execution process and avoid masking fatal risks due to averaging.

[0077] In this embodiment, the network connectivity risk score can be calculated using the following formula: In the formula, The network connection risk score is given, where m is the total number of network connections triggered by the operation and maintenance instructions. It is a function for maximizing the value; The address risk index is the target connection address for the j-th network connection, and its value ranges from 0 to 1. In implementation, the target connection address can be determined based on its matching degree with a preset list of authorized secure addresses, which can be allocated according to the information of the operations and maintenance personnel. Understandably, the lower the matching degree, the higher the address risk index.

[0078] The port risk index is the target connection port for the j-th network connection, and the port risk index ranges from 0 to 1. In implementation, the corresponding port risk index can be pre-set for each port according to the risk classification standard and the business risk level corresponding to the port.

[0079] Understandably, if the total number of connections m=0, then the network connection risk score N=0, indicating that the operation and maintenance instructions do not involve network connections.

[0080] S44: Calculate the instruction security score of the operation and maintenance instructions based on the file system risk score and the network connection risk score.

[0081] In this embodiment, step S44 may include the following steps: Multiply the preset file risk weight by the file system risk score to obtain the file system risk component; multiply the preset network risk weight by the network connection risk score to obtain the network connection risk component; obtain the total risk component based on the file system risk component and the network connection risk component; and use the difference between the preset risk score benchmark value and the total risk component as the instruction security score.

[0082] In this embodiment, the calculation of the instruction security score can be expressed by the following formula: In the formula, The security score for the instruction is given. The risk weight of the document. The network risk weight is denoted as .

[0083] In this embodiment, by calculating the file system risk score and the network connection risk score respectively, the command behavior can be quantitatively evaluated from two core dimensions: data asset tampering risk and network overreach risk.

[0084] In this embodiment, after calculating the instruction security score of the operation and maintenance instruction, the instruction type of the operation and maintenance instruction can be obtained based on the instruction security score. The determination of the instruction type of the operation and maintenance instruction is similar to the determination method of the instruction type of the historical operation and maintenance instruction mentioned above. If the instruction security score is greater than or equal to a preset instruction score threshold, the operation and maintenance instruction is classified as a safe instruction; otherwise, it is classified as a high-risk instruction.

[0085] Furthermore, in one embodiment, if the operation and maintenance instruction is a secure instruction, it can be sent to the access target for execution; if the operation and maintenance instruction is a high-risk instruction, it continues to be intercepted. If the corresponding operation and maintenance access request is ultimately detected and sent to the access target, the operation and maintenance instruction of the high-risk instruction is removed from the operation and maintenance access request and continues to be intercepted until the operation and maintenance access request ends, at which point the operation and maintenance instruction of the high-risk instruction is released.

[0086] In this embodiment, as described above, the operation and maintenance instructions are executed in a certain order within the simulation sandbox based on the content of the operation and maintenance access request. Therefore, the number and status of the operation and maintenance instructions executed at the current time point in the operation and maintenance access request can be statistically analyzed at different time points, and the status of the operation and maintenance access request can be judged based on the statistical results. Therefore, as... Figure 4 As shown, step S5 may include the following sub-steps: S51: Based on the historical access information, obtain the number of historical maintenance access requests and the number of historical maintenance operation instructions of high-risk accesses by the maintenance personnel within the historical time range. S52: Weight the number of historical maintenance access requests for high-risk access and the number of historical maintenance operation instructions for high-risk instructions within the historical time range, and add them to the preset historical coefficient benchmark value to obtain the historical behavior benchmark coefficient. S53: Based on the instruction security score of the currently executed operation and maintenance operation instructions in the operation and maintenance access request, obtain the instruction type of the currently executed operation and maintenance operation instructions, and count the number of operation and maintenance operation instructions that are high-risk instructions among the currently executed operation and maintenance operation instructions. S54: After scaling the number of operation and maintenance instructions of the high-risk instructions using a preset instruction weighting coefficient, add it to the preset real-time coefficient benchmark value to obtain the real-time behavior risk coefficient. S55: The product of the historical behavior baseline coefficient and the real-time behavior risk coefficient is used as the access risk coefficient.

[0087] The above steps S51-S55 can be expressed by the following formula: In the formula, The access risk coefficient is [value].

[0088] The historical coefficient benchmark value, This refers to the number of historical maintenance access requests that were considered high-risk within the specified historical time range. This refers to the number of historical maintenance operation commands that are considered high-risk commands within the specified historical time range. A preset request weight is assigned to the number of historical maintenance access requests. The preset instruction weight for the number of historical operation and maintenance instructions; The historical behavior benchmark coefficient represents the historical behavior baseline coefficient, which can range from 1.0 to 2.5, and the benchmark value can be set to 1.0. It is understood that the historical behavior benchmark coefficient is used to quantify the impact of historical risks on the current level of punishment.

[0089] The real-time coefficient reference value, This represents the number of high-risk operation and maintenance instructions among the currently executed operation and maintenance instructions. Preset real-time weights for the number of operation and maintenance commands; The real-time behavioral risk coefficient is represented, and its value range can be 1.0-3.5. The baseline value of the real-time coefficient can be set to 1.0. It is understood that the historical behavioral baseline coefficient is used to quantify the amplified penalty effect of real-time risk.

[0090] In this embodiment, the above-described , , The historical coefficient benchmark value and the real-time coefficient benchmark value The settings can be configured based on factors such as the security protection level of the target's production environment, business importance, and the size of the operations and maintenance team.

[0091] In this embodiment, step S6 may include the following steps: First, the execution order of the operation and maintenance instructions in the simulation sandbox is extracted. Then, based on the execution order of the operation and maintenance instructions, the security score of the instructions, and the access risk coefficient corresponding to the operation and maintenance instructions, the trust score to be processed is iteratively updated. If the current iteration update cycle is the first iteration update cycle, the trust score to be processed is the initial trust score; otherwise, it is the trust score to be processed updated in the previous iteration update cycle. Based on the update order of the iteration update cycle, the updated trust score to be processed in the iteration update cycle is used as the access trust score after the operation and maintenance instructions in the corresponding execution order are executed.

[0092] Understandably, the operation and maintenance instructions are executed in a certain order within the simulation sandbox. Therefore, after the first operation and maintenance instruction in the operation and maintenance access request is executed, the instruction security score and access risk coefficient of the first operation and maintenance instruction are calculated. The initial trust score is then updated using the instruction security score and access risk coefficient of the first operation and maintenance instruction to obtain the pending trust score after the execution of the first operation and maintenance instruction, which serves as the access trust score of the first operation and maintenance instruction. Next, after the second operation and maintenance instruction in the operation and maintenance access request is executed, the instruction security score and access risk coefficient of the second operation and maintenance instruction are calculated. The pending trust score (access trust score) of the first operation and maintenance instruction is then updated using the instruction security score and access risk coefficient of the second operation and maintenance instruction to obtain the pending trust score of the second operation and maintenance instruction, which serves as the access trust score of the second operation and maintenance instruction. This process is repeated to iterate and update the initial trust score until all maintenance operation instructions in the maintenance access request are executed, or the maintenance access request is interrupted due to the access trust score after the maintenance operation instructions are executed.

[0093] In this embodiment, extracting the execution order of the operation and maintenance instructions in the simulation sandbox can be understood as follows: after the operation and maintenance instructions are executed in the simulation sandbox, the execution position of the currently completed operation and maintenance instructions is determined, thereby determining the previous operation and maintenance instructions and updating them based on the access credit score of the previous operation and maintenance instructions.

[0094] In this embodiment, as Figure 5 As shown, the following steps are performed in each of the said iterative update cycles: S61: Calculate the complementary score value of the instruction security score, and multiply the preset penalty factor, the complementary score value and the access risk coefficient to obtain the risk penalty score; S62: Multiply the preset reward factor with the instruction security score to obtain a security reward score; S63: The pending trust score is penalized using the risk penalty score, and the penalized pending trust score is rewarded using the security reward score to obtain the rewarded pending trust score; S64: The trust score to be processed after the reward is corrected by a preset trust score range to obtain the trust score to be processed after the current iteration update cycle.

[0095] The steps S61-S64 described above can be represented by the following formula: In the formula, The updated trust score to be processed is the result of the current iteration update cycle. The trust score to be processed is the score from the previous iteration update cycle, wherein if the current iteration update cycle is the first iteration update cycle, then The initial trust score; (x () is a boundary constraint function used to force the calculation result to be locked within the valid interval of 0-100 points; The penalty factor is used to adjust the degree to which high-risk commands deduct from the access trust score. The reward factor is used to adjust the repair strength of security commands on the access trust score; the value range of the penalty factor can be set to 1-50, and the value range of the reward factor can be set to 1-10. The penalty factor and the reward factor can be configured according to the security policy of the access target, wherein the reward factor is smaller than the penalty factor, so that the access trust score is more sensitive to the punishment of high-risk commands.

[0096] Understandable. This constitutes the risk penalty item for updating the access trust score. The access risk coefficient is mentioned above. It integrates historical high-risk access requests from operations and maintenance personnel with real-time high-risk operation commands. This design effectively integrates long-term user risk profiles of operations and maintenance personnel with real-time risk operations, thereby accurately distinguishing between unintentional mistakes and malicious attacks by operations and maintenance personnel.

[0097] Therefore, the access risk coefficient is... Complementary rating value Multiplication can be based on The user profiles and real-time status reflected in the system adaptively adjust the risk penalty for current operational instructions. This allows the system to implement differentiated penalties for different types of violations, resulting in the updated access trust score more accurately reflecting the true intentions of the operations and maintenance personnel.

[0098] In this embodiment, step S7, which involves determining the target operation and maintenance management policy based on the access trust score and processing the operation and maintenance access request according to the target operation and maintenance management policy, may include: Extract the currently executed operation and maintenance operation instructions corresponding to the access trust score; based on the access trust score, obtain the real-time access type of the operation and maintenance access request corresponding to the currently executed operation and maintenance operation instructions; Specifically, if the access trust score is greater than or equal to the trust score threshold, the real-time access type of the operation and maintenance access request is secure access; if the access trust score is less than the trust score threshold but greater than or equal to the high-risk score threshold, the real-time access type of the operation and maintenance access request is risky access; if the access trust score is less than the high-risk score threshold, the real-time access type of the operation and maintenance access request is high-risk access.

[0099] Based on the real-time access type of the operation and maintenance access request, obtain the target operation and maintenance management strategy: If the operation and maintenance access request is a secure access, the target operation and maintenance management policy is: continue to execute the operation and maintenance operation instructions in the operation and maintenance access request, and send the operation and maintenance operation instructions that are secure instructions to the access target, until the operation and maintenance operation instructions in the operation and maintenance access request are executed, or until the real-time access type of the operation and maintenance access request is changed to risk access or high-risk access. If the maintenance access request is a risky access request, the target maintenance management strategy is as follows: adjust the preset confidentiality index and the preset danger index of the system files to increase the risk of system file operations and their corresponding penalties, thus restricting the maintenance personnel's operations on the system files; based on the adjusted preset confidentiality index and the preset danger index, continue to execute the maintenance operation instructions in the maintenance access request, and send the maintenance operation instructions that are safe instructions to the access target, until the maintenance operation instructions in the maintenance access request are executed, or until the real-time access type of the maintenance access request changes to safe access or high-risk access. It can be understood that if the real-time access type of the maintenance access request changes from risky access to safe access, then the preset confidentiality index and the preset danger index are adjusted back to the safe access state.

[0100] If the operation and maintenance access request is a high-risk access, the target operation and maintenance management policy is to: circuit breaker the operation and maintenance access request and terminate the execution of any remaining unexecuted operation and maintenance instructions in the operation and maintenance access request.

[0101] like Figure 6 As shown in the illustration, this application also provides a zero-trust-based operation and maintenance management system 6. Optionally, the zero-trust-based operation and maintenance management system may include: Access data acquisition module 11 is used to respond to the operation and maintenance access request, extract the operation and maintenance operation instructions contained in the operation and maintenance access request, and obtain the access target and historical access information of the operation and maintenance personnel of the operation and maintenance access request. In this embodiment, the access data acquisition module 11 can be used to perform... Figure 1 For a detailed description of the access data acquisition module 11 shown in step S1, please refer to the description of step S1.

[0102] The initial trust calculation module 12 is used to calculate the initial trust score of the operation and maintenance personnel under the operation and maintenance access request based on the historical access information. In this embodiment, the initial trust calculation module 12 can be used to perform... Figure 1 For a detailed description of the initial trust calculation module 12 shown in step S2, please refer to the description of step S2.

[0103] The sandbox simulation module 13 is used to construct a simulation sandbox for the access target, and execute the operation and maintenance instructions in the simulation sandbox to obtain the simulation execution state of the simulation sandbox after the operation and maintenance instructions are executed. In this embodiment, the sandbox simulation module 13 can be used to execute... Figure 1 For a detailed description of the sandbox simulation module 13 shown in step S3, please refer to the description of step S3.

[0104] The instruction score acquisition module 14 is used to acquire the instruction security score of the operation and maintenance instruction based on the simulation execution status; In this embodiment, the instruction scoring acquisition module 14 can be used to execute... Figure 1 For a detailed description of the instruction scoring acquisition module 14 shown in step S4, please refer to the description of step S4.

[0105] The risk coefficient acquisition module 15 is used to calculate the access risk coefficient of the operation and maintenance personnel based on the historical access information. In this embodiment, the risk coefficient acquisition module 15 can be used to perform... Figure 1For a detailed description of the risk coefficient acquisition module 15 shown in step S5, please refer to the description of step S5.

[0106] The score update module 16 is used to update the initial trust score according to the access risk coefficient and the instruction security score to obtain the access trust score of the operation and maintenance access request after the operation and maintenance operation instruction is executed; In this embodiment, the score update module 16 can be used to perform... Figure 1 For a detailed description of the score update module 16 shown in step S6, please refer to the description of step S6.

[0107] The request processing module 17 is used to determine the target operation and maintenance management policy based on the access trust score, and to process the operation and maintenance access request according to the target operation and maintenance management policy.

[0108] In this embodiment, the request processing module 17 can be used to execute... Figure 1 For a detailed description of the request processing module 17, please refer to the description of step S7 shown.

[0109] This application provides an electronic device with the following structure: Figure 7 As shown.

[0110] The electronic device includes a memory 21, a processor 22, a communication module 23, and an input / output interface 24, etc. Optionally, the memory 21, the processor 22, the communication module 23, and the input / output interface 24 can be connected and communicate with each other through a bus 25.

[0111] The memory 21 is used to store one or more computer programs and transmit the code of the computer programs to the processor 22; when the one or more computer programs are executed by the processor 22, the zero-trust-based operation and maintenance management method in this application embodiment is implemented.

[0112] Optionally, the electronic device can be connected to a network via communication module 23 to communicate with other devices, such as terminals or servers, to achieve data interaction. The electronic device can be various forms of digital computers, exemplarily such as desktop computers, servers, workbenches, mainframes, or other types of computers. The electronic device can also be various forms of mobile terminals, exemplarily such as smartphones, tablets, wearable devices (such as helmets, glasses, watches, etc.), and other similar mobile terminals.

[0113] Optionally, the electronic device can connect to required input / output devices, such as a keyboard or display device, via the input / output interface 24. The electronic device itself may have a display device, and other display devices can also be connected externally via the input / output interface 24. Optionally, a storage device, such as a hard disk, can also be connected via the input / output interface 24 to store data from the electronic device, read data from the storage device, or store data from the storage device in the memory 21. It is understood that the input / output interface 24 can be a wired interface or a wireless interface. Depending on the actual application scenario, the device connected to the input / output interface 24 can be a component of the electronic device or an external device connected to the electronic device when needed.

[0114] Optionally, the memory 21 may be a volatile memory and / or a non-volatile memory. The volatile memory may be a random access memory, etc., and the non-volatile memory may be a read-only memory, a programmable read-only memory, an erasable programmable read-only memory, an electrically erasable programmable read-only memory, or a flash memory, etc.

[0115] Optionally, the computer program stored in the processor 22 can be divided into one or more modules, which are stored in the memory 21 and executed by the processor 22 to perform the method provided in this embodiment. The one or more modules can be a series of computer program instruction segments capable of performing specific functions, which describe the execution process of the computer program in the electronic device.

[0116] Optionally, the processor 22 can be various general-purpose and / or dedicated processing components with processing and computing capabilities. Some examples of the processor 22 include, but are not limited to, a central processing unit, a graphics processing unit, a digital signal processor, various dedicated artificial intelligence computing chips, various processors running machine learning model algorithms, and can also be any suitable controller, microcontroller, processor, etc. The processor 22 executes the various methods and processes of this embodiment, exemplarily, such as a zero-trust-based operation and maintenance management method according to an embodiment of this application.

[0117] Optionally, the bus 25 may include a path for transmitting information. Depending on its function, the bus 25 may be divided into an address bus, a data bus, a control bus, etc.

[0118] In an optional implementation, this application embodiment also provides a computer storage medium storing a computer program thereon. When the computer program is executed by a computer, it enables the computer to perform the methods described in the above-described method embodiments. Part or all of the computer program can be loaded and / or installed on the memory 21 of an electronic device. When the computer program is executed by the processor 22, one or more steps of a zero-trust-based operation and maintenance management method according to this application embodiment can be performed.

[0119] Optionally, the computer-readable storage medium may be a random access memory, a read-only memory, a programmable read-only memory, an erasable programmable read-only memory, an electrically erasable programmable read-only memory, etc.

[0120] Obviously, the above embodiments of this application are merely examples for clearly illustrating the technical solution of this application, and are not intended to limit the specific implementation of this application. Any modifications, equivalent substitutions, and improvements made within the spirit and principles of the claims of this application should be included within the protection scope of the claims of this application.

Claims

1. A zero-trust-based operation and maintenance management method, characterized in that, The method includes: In response to an operation and maintenance access request, extract the operation and maintenance operation instructions contained in the operation and maintenance access request, and obtain the access target and historical access information of the operation and maintenance personnel in the operation and maintenance access request. Based on the historical access information, calculate the initial trust score of the operations and maintenance personnel under the operations and maintenance access request; Construct a simulation sandbox for the access target, and execute the operation and maintenance instructions in the simulation sandbox to obtain the simulation execution state of the simulation sandbox after the operation and maintenance instructions are executed; The instruction security score of the operation and maintenance instructions is obtained based on the simulation execution status; Based on the historical access information and the instruction security score, calculate the access risk coefficient of the operation and maintenance personnel; The initial trust score is updated based on the access risk coefficient and the instruction security score to obtain the access trust score of the operation and maintenance access request after the operation and maintenance instruction is executed. The target operation and maintenance management strategy is determined based on the access trust score, and the operation and maintenance access request is processed according to the target operation and maintenance management strategy.

2. The zero trust-based operation and maintenance management method according to claim 1, characterized in that, The step of calculating the initial trust score of the operations and maintenance personnel under the operations and maintenance access request based on the historical access information includes: Based on the historical access information, the access types of the historical operation and maintenance access requests of the operation and maintenance personnel within a preset historical time range are obtained, as well as the instruction types of the historical operation and maintenance operation instructions contained in the historical operation and maintenance access requests; wherein, the access types include secure access, risky access, and high-risk access, and the instruction types include secure instructions and high-risk instructions; A positive trust score is obtained based on the number of historical maintenance access requests for secure access within the historical time range, and a negative trust score is obtained based on the number of historical maintenance access requests for high-risk access and the number of historical maintenance operation instructions for high-risk instructions within the historical time range. The initial trust score is obtained based on the preset initial trust base score, the positive trust score, and the negative trust score.

3. The zero trust-based operation and maintenance management method according to claim 2, characterized in that, The operation and maintenance commands are executed sequentially in the simulation sandbox; The step of calculating the access risk coefficient of the operations and maintenance personnel based on the historical access information and the instruction security score includes: Based on the historical access information, obtain the number of historical maintenance access requests and the number of historical maintenance operation instructions of high-risk access by the maintenance personnel within the historical time range. The historical behavior baseline coefficient is obtained by weighting the number of historical operation and maintenance access requests for high-risk access and the number of historical operation and maintenance instructions for high-risk instructions within the historical time range, and then adding the weighted average to the preset historical coefficient baseline value. Based on the instruction security score of the currently executed operation and maintenance operation instructions in the operation and maintenance access request, obtain the instruction type of the currently executed operation and maintenance operation instructions, and count the number of operation and maintenance operation instructions that are high-risk instructions among the currently executed operation and maintenance operation instructions. The number of maintenance operation instructions for the high-risk instructions is scaled down using a preset instruction weighting coefficient and then added to a preset real-time coefficient benchmark value to obtain the real-time behavior risk coefficient. The product of the historical behavior baseline coefficient and the real-time behavior risk coefficient is used as the access risk coefficient.

4. The zero trust-based operation and maintenance management method according to claim 2, characterized in that, The step of obtaining the access type of the historical maintenance access requests made by the maintenance personnel within a preset historical time range, and the instruction type of the historical maintenance operation instructions contained in the historical maintenance access requests, based on the historical access information, includes: Based on the historical access information, extract the historical operation and maintenance access requests of the operation and maintenance personnel within a preset historical time range, as well as the historical operation and maintenance operation instructions contained in the historical operation and maintenance access requests; Obtain the historical access trust score of the historical operation and maintenance access request after executing its historical operation and maintenance operation instruction, and obtain the historical final access trust score of the historical operation and maintenance access request from the historical access trust score according to the time sequence. Obtain the historical instruction security score corresponding to the historical operation and maintenance instructions; If the security score of the historical instruction is greater than or equal to the preset instruction score threshold, the historical operation and maintenance instruction is classified as a safe instruction; otherwise, it is classified as a high-risk instruction. If the historical final access trust score is greater than or equal to a preset trust score threshold, and all historical operation and maintenance instructions contained in the historical operation and maintenance access request are secure instructions, then the historical operation and maintenance access request is classified as secure access; if the historical final access trust score is less than a preset high-risk score threshold, then the historical operation and maintenance access request is classified as high-risk access; otherwise, it is classified as risky access.

5. The zero trust-based operation and maintenance management method according to claim 1, characterized in that, The step of obtaining the instruction security score of the operation and maintenance instructions based on the simulation execution status includes: Extract file system operation information and network connection operation information based on the simulation execution status; Calculate the file system risk score based on the file system operation information; Calculate the network connection risk score based on the network connection operation information; The instruction security score of the operation and maintenance instructions is calculated based on the file system risk score and the network connection risk score.

6. The zero trust-based operation and maintenance management method according to claim 5, characterized in that, The step of calculating the instruction security score of the operation and maintenance instructions based on the file system risk score and the network connection risk score includes: The file risk weight is multiplied by the file system risk score to obtain the file system risk component; The network connection risk component is obtained by multiplying the preset network risk weight by the network connection risk score. Based on the file system risk component and the network connection risk component, obtain the total risk component; The difference between the preset risk scoring benchmark value and the total risk component is used as the instruction security score.

7. The zero trust-based operation and maintenance management method according to any one of claims 1-6, characterized in that, The step of updating the initial trust score based on the access risk coefficient and the instruction security score to obtain the access trust score of the operation and maintenance access request after the execution of the operation and maintenance operation instruction includes: Extract the execution order of the operation and maintenance instructions in the simulation sandbox; Based on the execution order of the operation and maintenance instructions, the security score of the instructions, and the access risk coefficient corresponding to the operation and maintenance instructions, the trust score to be processed is iteratively updated; if the current iterative update cycle is the first iterative update cycle, then the trust score to be processed is the initial trust score, otherwise it is the trust score to be processed updated in the previous iterative update cycle. According to the update order of the iterative update cycle, the updated trust score to be processed in the iterative update cycle is used as the access trust score after the operation and maintenance instructions are executed in the corresponding execution order.

8. The zero trust-based operation and maintenance management method according to claim 7, characterized in that, In each iteration update cycle: Calculate the complementary score value of the instruction security score, and multiply the preset penalty factor, the complementary score value and the access risk coefficient to obtain the risk penalty score; The preset reward factor is multiplied by the instruction security score to obtain the security reward score; The pending trust score is penalized using the risk penalty score, and the penalized pending trust score is rewarded using the security reward score, resulting in a rewarded pending trust score. The pending trust score is corrected by adjusting the rewarded trust score within a preset trust score range to obtain the updated pending trust score for the current iteration update cycle.

9. A zero-trust-based operation and maintenance management system, characterized in that, The system includes: The access data acquisition module is used to respond to the operation and maintenance access request, extract the operation and maintenance operation instructions contained in the operation and maintenance access request, and obtain the access target and historical access information of the operation and maintenance personnel in the operation and maintenance access request. The initial trust calculation module is used to calculate the initial trust score of the operation and maintenance personnel under the operation and maintenance access request based on the historical access information. The sandbox simulation module is used to construct a simulation sandbox for the access target, execute the operation and maintenance instructions in the simulation sandbox, and obtain the simulation execution state of the simulation sandbox after the operation and maintenance instructions are executed. The instruction scoring acquisition module is used to acquire the instruction security score of the operation and maintenance instruction based on the simulation execution status; The risk coefficient acquisition module is used to calculate the access risk coefficient of the operation and maintenance personnel based on the historical access information and the instruction security score; The score update module is used to update the initial trust score according to the access risk coefficient and the instruction security score to obtain the access trust score of the operation and maintenance access request after the operation and maintenance operation instruction is executed. The request processing module is used to determine the target operation and maintenance management policy based on the access trust score, and to process the operation and maintenance access request according to the target operation and maintenance management policy.

10. An electronic device, characterized in that, include: Memory, used to store one or more computer programs; A processor, when the one or more computer programs are executed by the processor, implements the zero-trust-based operation and maintenance management method as described in any one of claims 1-8.

11. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores computer instructions that cause a processor to execute and implement the zero-trust-based operation and maintenance management method as described in any one of claims 1-8.