A network security detection and early warning method based on access authentication
By improving the Hawkes risk propagation model, the risk intensity and trust status of access subjects are dynamically generated, which solves the problems of lag and high false alarm rate in existing access authentication methods, and realizes timely and accurate early warning of network security detection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Filing Date
- 2026-05-18
- Publication Date
- 2026-07-14
AI Technical Summary
In existing network security detection and early warning technologies, access authentication methods fail to effectively link the level of authentication trustworthiness with subsequent access behavior, making it difficult to identify account theft, device spoofing, and abnormal access behavior in a timely manner. Furthermore, risk warnings are delayed, have a high false alarm rate, and are difficult to provide feedback on the impact on the recovery of the trusted state.
An improved Hawkes risk propagation model is adopted to generate access security event sequences by accessing authentication data and behavioral data, calculate the initial value of event risk, and dynamically generate the risk intensity and trust status of access subjects by utilizing adaptive time decay, self-excited risk propagation and trusted state update layer, so as to achieve continuous trusted detection and accurate early warning.
It improves the timeliness of detecting continuous authentication anomalies and abnormal access within sessions, generates structured detection results, avoids the trust state from recovering too quickly after ineffective handling, and improves the accuracy and timeliness of network security detection and early warning.
Smart Images

Figure CN122394945A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security detection and early warning technology, and in particular to a network security detection and early warning method based on access authentication. Background Technology
[0002] Currently, in the field of network security detection and early warning technology, existing technologies typically determine whether an access subject is allowed to enter the target network through identity authentication, device verification, and permission verification, and then perform security detection based on access logs, traffic characteristics, or abnormal rules after access. These methods often treat access authentication as a one-time admission judgment, failing to continuously correlate the reliability of authentication and the degree of permission deviation with subsequent access behaviors. This makes it difficult to promptly identify account theft, device spoofing, and abnormal access behaviors that have already passed authentication.
[0003] At the same time, when conducting risk warnings, existing technologies typically generate alarm results based on fixed thresholds, static risk scores, or ordinary time-series models. They are insufficient in characterizing the time decay relationship, continuous triggering relationship, and intra-session risk accumulation relationship between historical access security events and current access security events. They are unable to distinguish between single anomalies and risk evolution processes such as continuous permission deviations and continuous high-frequency accesses. This results in problems such as delayed network security detection and warning, high false alarm rate, and difficulty in reverse influencing subsequent trusted state recovery through handling feedback. Summary of the Invention
[0004] One objective of this invention is to propose a network security detection and early warning method based on access authentication. This invention adopts an improved Hawkes risk propagation model to achieve continuous and reliable detection of access subjects, and has the advantages of timely early warning and accurate identification.
[0005] A network security detection and early warning method based on access authentication according to an embodiment of the present invention includes:
[0006] Acquire access authentication data and access behavior data, and preprocess them to form basic access security data;
[0007] Based on the basic access security data, the system generates access authentication results, authentication trust gating coefficients, permission deviation descriptors, and permission deviation modulation coefficients, and forms an access security event sequence based on the access authentication results, permission deviation descriptors, and access behavior data.
[0008] Calculate the initial risk value of the event based on the access security event sequence;
[0009] The access security event sequence, initial event risk value, authentication trust gating coefficient and permission deviation modulation coefficient are input into the adaptive time decay layer of the improved Hawkes risk propagation model to generate event adaptive time decay parameters.
[0010] The access security event sequence, initial event risk value, authentication trust gating coefficient, permission deviation modulation coefficient, and event adaptive time decay parameter are input into the self-excited risk propagation layer of the improved Hawkes risk propagation model to generate the access subject risk intensity sequence.
[0011] The access subject risk intensity sequence, authentication trust gating coefficient, and permission deviation modulation coefficient are input into the trusted state update layer of the improved Hawkes risk propagation model to generate the updated trusted state of the access subject. Based on the updated trusted state of the access subject, the access subject risk intensity sequence, and the historical trusted state of the access subject, network security detection results are generated.
[0012] Based on the network security detection results, generate network security detection and early warning results, collect corresponding handling feedback data for the network security detection and early warning results, and adjust the recovery range of the trusted status of the next access subject based on the handling feedback data.
[0013] Optionally, the formation of the access security basic data includes:
[0014] Obtain access authentication data and access behavior data to obtain time-series correlation data;
[0015] The time-series correlated data is preprocessed and written into the access security basic data. The preprocessing includes merging duplicate records, filling in missing fields, unifying field formats, and normalizing numerical fields.
[0016] Optionally, the formation of the access security event sequence includes:
[0017] Based on access security basic data, generate access authentication results, authentication trust gating coefficients, permission deviation descriptors, and permission deviation modulation coefficients;
[0018] The access authentication results, permission deviation descriptions, and access behavior data are bound together as access security events, forming a sequence of access security events.
[0019] Optionally, the calculation of the initial value of the event risk includes:
[0020] Read access security events from the access security event sequence, determine the event type of the access security event based on the access authentication result, permission deviation description, and access behavior data, and generate the basic event risk quantity based on the event type;
[0021] Based on the access authentication results, determine the impact of authentication anomalies, generate a comprehensive permission deviation based on the permission deviation description, generate a resource-sensitive impact based on the actual accessed resources in the access behavior data, generate an operation impact based on the actual operation type, and generate a frequency anomaly impact based on the actual access frequency and the upper limit of the authorized access frequency.
[0022] Based on the basic risk quantity of the event, the impact quantity of authentication anomalies, the comprehensive deviation quantity of permissions, the impact quantity of resource sensitivity, the impact quantity of operation, and the impact quantity of frequency anomalies, candidate values of event risk are generated. Based on the actual access time difference between the current access security event and the previous access security event, the change in the permission deviation description quantity, and the change in the access authentication result, continuous offset of the event is generated.
[0023] The event risk calibration value is generated based on the cumulative permission deviation, the continuous event offset, and the reverse value of the authentication trust gating coefficient. The event risk calibration value is then used to calibrate the event risk candidate value to obtain the initial event risk value.
[0024] Optionally, the generation of the event adaptive time decay parameter includes:
[0025] The access security event sequence, initial event risk value, authentication trust gating coefficient, and permission deviation modulation coefficient are input into the adaptive time decay layer of the improved Hawkes risk propagation model. The adaptive time decay layer includes an event time interval construction unit, a risk persistence unit, a trust degradation adjustment unit, a deviation persistence adjustment unit, a session density adjustment unit, and a decay parameter output unit.
[0026] The improved Hawkes risk propagation model includes an adaptive time decay layer, a self-excited risk propagation layer, and a trusted state update layer.
[0027] In the adaptive time decay layer, the actual access time of the current access security event and the actual access time of the historical access security event are read from the access security event sequence through the event time interval construction unit, and the event time interval between the current access security event and the historical access security event is calculated.
[0028] The risk persistence unit reads the initial event risk value corresponding to the historical access security event, as well as the relationship between the initial event risk value change from the historical access security event to the current access security event, and generates the risk persistence quantity.
[0029] The trusted degradation adjustment unit reads the authentication trusted gating coefficient corresponding to the current access security event and the authentication trusted gating coefficient corresponding to the previous access security event, and generates a trusted degradation adjustment quantity.
[0030] Input the permission deviation modulation coefficient into the deviation duration adjustment unit, and generate the permission deviation duration based on the permission deviation modulation coefficient;
[0031] In the session-intensive adjustment unit, session event intensity is generated based on the number of historical access security events and session duration.
[0032] The event adaptive time decay parameter is generated by taking the event time interval, risk persistence amount, trust degradation adjustment amount, permission deviation persistence amount, and session event density amount as inputs to the decay parameter output unit.
[0033] Optionally, the generation of the access subject risk intensity sequence includes:
[0034] The access security event sequence, initial event risk value, authentication trust gating coefficient, permission deviation modulation coefficient, and event adaptive time decay parameter are input into the self-excited risk propagation layer of the improved Hawkes risk propagation model. The self-excited risk propagation layer includes a basic risk state construction unit, an event link continuity gating unit, an authentication-permission coupling trigger kernel generation unit, an asymmetric self-excited triggering unit, and a risk intensity sequence output unit.
[0035] In the self-excited risk propagation layer, the basic risk state of the current access security event is generated by reading the initial value of the event risk and the permission deviation modulation coefficient corresponding to the current access security event through the basic risk intensity construction unit.
[0036] The access subject identifier, session identifier, actual accessed resources, actual operation type, and actual access time of historical access security events and current access security events in the access security event sequence are input into the event link continuity gating unit, and an event link continuity gating quantity is generated.
[0037] The authentication-permission coupling triggering core generation unit reads the initial event risk value corresponding to the historical access security event, the initial event risk value corresponding to the current access security event, the authentication trust gating coefficient corresponding to the historical access security event, the permission deviation modulation coefficient corresponding to the current access security event, and the permission deviation modulation coefficient corresponding to the historical access security event, and generates the authentication-permission coupling triggering core.
[0038] In the asymmetric self-excitation triggering unit, based on the event adaptive time decay parameter, the event link continuity gating quantity, and the authentication-authorization coupling triggering core, the asymmetric self-excitation triggering strength of historical access security events on the current access security event is generated;
[0039] The risk intensity sequence output unit aggregates the basic risk status of the current access security event with the asymmetric self-excitation trigger intensity corresponding to all historical access security events prior to the current access security event to generate the access subject risk intensity corresponding to the current access security event, and forms the access subject risk intensity sequence according to the order of the access security event sequence.
[0040] Optionally, the generation of the network security detection result includes:
[0041] The access subject risk intensity sequence, authentication trust gating coefficient, and permission deviation modulation coefficient are input into the trust state update layer of the improved Hawkes risk propagation model. The trust state update layer includes a risk change parsing unit, a trust descent gate generation unit, a trust recovery gate generation unit, a trust state recursion unit, and a detection result output unit.
[0042] In the trusted state update layer, the risk intensity of the access subject corresponding to the current access security event and the risk intensity of the access subject corresponding to the previous access security event are read from the access subject risk intensity sequence by the risk change parsing unit, and the risk change quantity is generated.
[0043] Input the risk change, the authentication trust gating coefficient, and the permission deviation modulation coefficient into the trust descent gate generation unit to generate the trust descent gate value.
[0044] The trusted recovery gate generation unit reads the risk change and the authentication trusted gating coefficient to generate the trusted recovery gate value.
[0045] In the trusted state recursion unit, an updated trusted state of the access subject is generated based on the trusted state of the access subject corresponding to the previous access security event, the trusted decline threshold, the trusted recovery threshold, and the risk intensity of the access subject corresponding to the current access security event.
[0046] The detection result output unit reads the updated access subject's trust status, access subject risk intensity sequence, authentication trust gating coefficient, permission deviation modulation coefficient, and historical access subject trust status, and generates network security detection results.
[0047] Optionally, the adjustment of the recovery magnitude of the trusted state of the access subject includes:
[0048] Read the network security detection results, generate a set of risks to be warned, and select the risk result with the highest risk intensity value from the set of risks to be warned as the dominant risk result;
[0049] Based on the dominant risk results, early warning information and response strategies are generated and incorporated into the network security detection and early warning results;
[0050] Based on the disposal execution results after the disposal strategy is implemented, the risk intensity of the access entity after disposal, and the trust status of the access entity after disposal, disposal feedback data is generated.
[0051] The effective disposal quantity is generated based on the difference between the risk intensity of the access entity before disposal and the risk intensity of the access entity after disposal, and the recovery range of the trust status of the access entity in the next round is adjusted based on the effective disposal quantity.
[0052] The beneficial effects of this invention are:
[0053] This invention proposes a network security detection and early warning method based on access authentication. By improving the adaptive time decay layer, self-excitation risk propagation layer, and trusted state update layer in the Hawkes risk propagation model, the impact of historical access security events on current access security events is no longer treated according to a fixed time decay method. Instead, it dynamically generates a sequence of access subject risk intensity based on the initial event risk value, authentication trusted gating coefficient, permission deviation modulation coefficient, event link continuity, and asymmetric self-excitation triggering strength. This enables a more accurate depiction of the accumulation, transmission, and change of access subject risk over time, improving the timeliness of detection of continuous authentication anomalies, persistent permission deviations, and abnormal access links within a session.
[0054] In addition, this invention generates structured network security detection results based on the risk intensity sequence of the access subject, the updated trusted status of the access subject, and the historical trusted status of the access subject. It further generates network security detection and early warning results and handling feedback data, enabling the early warning results to simultaneously reflect the risk type, risk intensity, access subject, session, and corresponding access security event. By adjusting the recovery range of the trusted status of the access subject in the next round through handling feedback data, it avoids the trusted status from recovering too quickly after ineffective handling, forming a closed-loop protection from access authentication, risk propagation, trusted update, detection and early warning to feedback correction, thus improving the accuracy, timeliness, and responsiveness of network security detection and early warning. Attached Figure Description
[0055] The accompanying drawings are provided to further illustrate the invention and form part of the specification. They are used in conjunction with embodiments of the invention to explain the invention and do not constitute a limitation thereof. In the drawings:
[0056] Figure 1 This is an overall flowchart of a network security detection and early warning method based on access authentication proposed in this invention;
[0057] Figure 2 This is a schematic diagram of the three-layer structure of an improved Hawkes risk propagation model for a network security detection and early warning method based on access authentication proposed in this invention.
[0058] Figure 3 This is a flowchart illustrating the initial value calculation of event risk for a network security detection and early warning method based on access authentication proposed in this invention. Detailed Implementation
[0059] The present invention will now be described in further detail with reference to the accompanying drawings. These drawings are simplified schematic diagrams, illustrating only the basic structure of the invention, and therefore only show the components relevant to the invention.
[0060] refer to Figures 1-3 A network security detection and early warning method based on access authentication includes:
[0061] Acquire access authentication data and access behavior data, and preprocess them to form basic access security data;
[0062] Based on the basic access security data, the system generates access authentication results, authentication trust gating coefficients, permission deviation descriptors, and permission deviation modulation coefficients, and forms an access security event sequence based on the access authentication results, permission deviation descriptors, and access behavior data.
[0063] Calculate the initial risk value of the event based on the access security event sequence;
[0064] The access security event sequence, initial event risk value, authentication trust gating coefficient and permission deviation modulation coefficient are input into the adaptive time decay layer of the improved Hawkes risk propagation model to generate event adaptive time decay parameters.
[0065] The access security event sequence, initial event risk value, authentication trust gating coefficient, permission deviation modulation coefficient, and event adaptive time decay parameter are input into the self-excited risk propagation layer of the improved Hawkes risk propagation model to generate the access subject risk intensity sequence.
[0066] The access subject risk intensity sequence, authentication trust gating coefficient, and permission deviation modulation coefficient are input into the trusted state update layer of the improved Hawkes risk propagation model to generate the updated trusted state of the access subject. Based on the updated trusted state of the access subject, the access subject risk intensity sequence, and the historical trusted state of the access subject, network security detection results are generated.
[0067] Based on the network security detection results, generate network security detection and early warning results, collect corresponding handling feedback data for the network security detection and early warning results, and adjust the recovery range of the trusted status of the next access subject based on the handling feedback data.
[0068] In this embodiment, the formation of access security basic data includes:
[0069] Obtain access authentication data and access behavior data to obtain time-series correlation data;
[0070] The generation of time-series correlation data specifically includes: reading access authentication data and access behavior data. The access authentication data includes access subject identifier, access time, authentication result, device fingerprint, access time, access location, number of authentication failures, and authorized access data. The access behavior data includes session identifier, actual accessed resources, actual operation type, actual access time, actual access frequency, and actual access location. Using the access subject identifier and session identifier as correlation fields, the access authentication data and access behavior data are correlated to obtain subject-related data. Using the access time and actual access time as time bases, the subject-related data is time-aligned to obtain time-series correlation data.
[0071] The time-series correlated data is preprocessed and written into the access security basic data. The preprocessing includes merging duplicate records, filling in missing fields, unifying field formats, and normalizing numerical fields.
[0072] In this embodiment, the formation of the access security event sequence includes:
[0073] Based on access security basic data, generate access authentication results, authentication trust gating coefficients, permission deviation descriptors, and permission deviation modulation coefficients;
[0074] The generation of access authentication results specifically includes: reading the authentication result, device fingerprint, access location, and access time; and performing consistency checks on the consistency relationships of device fingerprint, access location, and access time, respectively. Specifically, the device fingerprint consistency relationship refers to the consistency between the device fingerprint and historical device fingerprints; the access location consistency relationship refers to the consistency between the access location and historical access locations; and the access time consistency relationship refers to the consistency between the access time and the historical access time range. In detail, when the authentication result is passed and the device fingerprint, access location, and access time all satisfy the corresponding consistency relationships, the access authentication result is recorded as a trusted passed state. When the authentication result is passed but there are inconsistencies in the device fingerprint, access location, or access time, the access authentication result is recorded as an abnormal passed state. When the authentication result is failed, the access authentication result is recorded as a failed state.
[0075] The generation of the authentication trust gating coefficient specifically includes: reading the access authentication result, the number of authentication failures, the device fingerprint consistency relationship, the access location consistency relationship, and the access time consistency relationship; when the access authentication result is in a trusted pass state, the authentication trust base value is set to 1; when the access authentication result is in an abnormal pass state, the authentication trust base value is set to 0.5; when the access authentication result is in a fail state, the authentication trust base value is set to 0; counting the number of inconsistencies in the device fingerprint consistency relationship, the access location consistency relationship, and the access time consistency relationship to obtain the number of authentication conflicts; counting the number of consistent items in the device fingerprint consistency relationship, the access location consistency relationship, and the access time consistency relationship to obtain the number of authentication consistency items; dividing the number of authentication conflicts by the sum of the number of authentication conflicts and the number of authentication consistency items to obtain the authentication conflict compression amount; reading the number of authentication failures in the access security base data; dividing the number of authentication failures by the sum of the number of authentication failures and 1 to obtain the failure compression amount; subtracting the authentication conflict compression amount and the failure compression amount from the authentication trust base value to obtain the gating candidate value, which is used as the authentication trust gating coefficient.
[0076] The generation of the permission deviation descriptor specifically includes: reading authorized access data to determine the authorized resource scope, authorized operation type, authorized access time range, authorized access frequency limit, authorized access location range, and operation risk level corresponding to the authorized operation type of the access subject; reading access behavior data to determine the actual accessed resources, actual operation type, actual access time, actual access frequency, actual access location, and operation risk level corresponding to the actual operation type; reading the number of resources that do not belong to the authorized resource scope in the actual accessed resources as the number of unauthorized resources; dividing the number of unauthorized resources by the number of actual accessed resources to obtain the resource deviation; when the actual operation type belongs to the authorized operation type, the operation deviation is set to 0; when the actual operation type does not belong to the authorized operation type, the operation risk level corresponding to the actual operation type and the highest operation risk level among the authorized operation types are read; the difference between the operation risk level corresponding to the actual operation type and the highest operation risk level among the authorized operation types is divided by the maximum operation risk level to obtain the operation deviation. When the access time is within the authorized access time range, the time deviation is set to 0. When the actual access time is outside the authorized access time range, the time interval between the actual access time and the nearest boundary of the authorized access time range is calculated. The time interval is divided by the sum of the length of the authorized access time range and the time interval to obtain the time deviation. When the actual access frequency does not exceed the upper limit of the authorized access frequency, the frequency deviation is set to 0. When the actual access frequency exceeds the upper limit of the authorized access frequency, the difference between the actual access frequency and the upper limit of the authorized access frequency is divided by the actual access frequency to obtain the frequency deviation. The shortest regional level distance between the actual access location and the authorized access location range is determined according to the network area hierarchy. When the actual access location is within the authorized access location range, the location deviation is set to 0. When the actual access location is not within the authorized access location range, the shortest regional level distance is divided by the total number of network area levels to obtain the location deviation. The permission deviation description is composed of resource deviation, operation deviation, time deviation, frequency deviation and location deviation in a fixed order.
[0077] Operational risk level is used to characterize the degree of impact of the actual operation type on the integrity, availability and permission status of the target network resources. It uses an integer value from 1 to 5. The corresponding operation risk level for query and read is set to 1, the corresponding operation risk level for download is set to 2, the corresponding operation risk level for write is set to 3, the corresponding operation risk level for modify is set to 4, and the corresponding operation risk level for delete, configuration change and permission change is set to 5.
[0078] The authorized access frequency limit is used to represent the maximum number of times an access subject is allowed to access the target resource within the statistical time window. The statistical time window is set to 10 minutes. The authorized access frequency limit for ordinary office accounts to access high-sensitivity resources is set to 20 times / 10 minutes, the authorized access frequency limit for operation and maintenance accounts to access high-sensitivity resources is set to 50 times / 10 minutes, and the authorized access frequency limit for administrator accounts to access high-sensitivity resources is set to 80 times / 10 minutes.
[0079] The generation of the permission deviation modulation coefficient is specifically obtained by weighting and summing the resource deviation, operation deviation, time deviation, frequency deviation and location deviation in the permission deviation descriptor.
[0080] The access authentication results, permission deviation descriptions, and access behavior data are bound together as access security events, forming a sequence of access security events.
[0081] The formation of an access security event sequence specifically includes: determining the event's attributing entity using the access entity identifier, determining the access session to which the event belongs using the session identifier, determining the event's occurrence time using the actual access time, reading the access authentication results, permission deviation descriptions, and access behavior data under the same access entity identifier and session identifier, writing the access entity identifier, session identifier, actual access time, access authentication results, permission deviation descriptions, and actual access resources, actual operation types, actual access frequencies, and actual access locations from the access behavior data into the same event record, generating an access security event, and arranging multiple access security events in chronological order of actual access time to form an access security event sequence.
[0082] In this embodiment, the calculation of the initial value of event risk includes:
[0083] Read access security events from the access security event sequence, determine the event type of the access security event based on the access authentication result, permission deviation description, and access behavior data, and generate the basic event risk quantity based on the event type;
[0084] The determination of event types specifically includes: when the access authentication result is an abnormal pass or fail, the corresponding access security event is determined as an authentication abnormal event; when any deviation in the permission deviation description is not 0, the corresponding access security event is determined as a permission deviation event; when the actual accessed resource is a medium-sensitivity resource or a high-sensitivity resource, the corresponding access security event is determined as a resource access event. Among them, ordinary office pages and public document libraries correspond to low sensitivity level, business databases and internal interface services correspond to medium sensitivity level, identity authentication server, permission management server, core configuration library and security audit log library correspond to high sensitivity level; when the actual access frequency exceeds the authorized access frequency limit, the corresponding access security event is determined as an access frequency abnormal event.
[0085] The generation of the basic event risk value specifically includes: generating an event type set based on authentication anomaly events, permission deviation events, resource access events, and access frequency anomaly events. When the event type set contains only resource access events, the basic event risk value is set to 0.4; when the event type set contains only access frequency anomaly events, the basic event risk value is set to 0.5; when the event type set contains only permission deviation events, the basic event risk value is set to 0.6; when the event type set contains only authentication anomaly events, the basic event risk value is set to 0.7; when the event type set contains two event types, the maximum value of the corresponding two basic event risk values is added to 0.1 to obtain the basic event risk value; when the event type set contains three event types, the maximum value of the corresponding three basic event risk values is added to 0.2 to obtain the basic event risk value; when the event type set contains four event types, the basic event risk value is set to 1; when the calculated result is greater than 1, the basic event risk value is set to 1.
[0086] Based on the access authentication results, determine the impact of authentication anomalies, generate a comprehensive permission deviation based on the permission deviation description, generate a resource-sensitive impact based on the actual accessed resources in the access behavior data, generate an operation impact based on the actual operation type, and generate a frequency anomaly impact based on the actual access frequency and the upper limit of the authorized access frequency.
[0087] The determination of the impact of authentication anomalies specifically includes: when the access authentication result is a trusted pass status, the impact of authentication anomalies is set to 0; when the access authentication result is an abnormal pass status, the impact of authentication anomalies is set to 0.5; and when the access authentication result is a fail status, the impact of authentication anomalies is set to 1.
[0088] The generation of the overall permission deviation includes: reading the permission deviation description; taking the maximum value from the five deviations to obtain the maximum permission deviation; counting the number of deviations with values greater than 0 among the five deviations and dividing this number by 5 to obtain the deviation coverage; calculating the arithmetic mean of the five deviations to obtain the average permission deviation; calculating the absolute value of the difference between each of the five deviations and the average permission deviation, summing the five absolute values of the difference and dividing by 5 to obtain the deviation dispersion; subtracting the deviation dispersion from 1 to obtain the deviation equilibrium; multiplying the maximum permission deviation, the deviation coverage, and the deviation equilibrium to obtain the first overall component; averaging the maximum permission deviation and the average permission deviation to obtain the second overall component; averaging the first overall component and the second overall component to obtain the overall permission deviation; when the overall permission deviation is less than 0, the overall permission deviation is set to 0; when the overall permission deviation is greater than 1, the overall permission deviation is set to 1.
[0089] The generation of resource sensitivity impact quantity specifically includes: reading the actual accessed resources in the access security event and the resource sensitivity level corresponding to the actual accessed resources in the access security basic data. The resource sensitivity impact quantities corresponding to low sensitivity level, medium sensitivity level, and high sensitivity level are set to 0.3, 0.6, and 1, respectively. When the same access security event corresponds to more than two actual accessed resources, the resource sensitivity impact quantity corresponding to each actual accessed resource is determined separately, and the maximum value is taken as the resource sensitivity impact quantity of the access security event.
[0090] The generation of the operation impact quantity specifically includes: reading the actual operation type and authorized operation type in the access security event; when the actual operation type belongs to the authorized operation type, the operation impact quantity is set to 0; when the actual operation type does not belong to the authorized operation type, the operation risk level corresponding to the actual operation type is read, and the maximum value among the operation risk levels corresponding to the authorized operation type is read as the authorized highest operation risk level; the operation risk level corresponding to the actual operation type is subtracted from the authorized highest operation risk level to obtain the operation risk difference; when the operation risk difference is less than 0, the operation risk difference is set to 0; the operation risk difference is divided by the sum of the operation risk level corresponding to the actual operation type and the authorized highest operation risk level to obtain the operation impact quantity; when the actual operation type does not belong to the authorized operation type and the operation risk difference is 0, the operation impact quantity is set to 0.2.
[0091] When the same access security event contains more than two actual operation types, calculate the operation impact of each actual operation type separately, and take the maximum value as the operation impact of the access security event.
[0092] The generation of frequency anomaly impact quantity specifically includes: reading the actual access frequency and authorized access frequency limit in the access security event; when the actual access frequency does not exceed the authorized access frequency limit, the frequency anomaly impact quantity is set to 0; when the actual access frequency exceeds the authorized access frequency limit, the difference between the actual access frequency and the authorized access frequency limit is taken as the access frequency excess quantity; the access frequency excess quantity is divided by the actual access frequency to obtain the frequency excess ratio; the number of access security events of the same access subject that continuously exceed the authorized access frequency limit under the current session identifier is read to obtain the number of consecutive frequency anomalies; the number of consecutive frequency anomalies is divided by the sum of the number of consecutive frequency anomalies and 1 to obtain the continuous frequency enhancement quantity; the frequency excess ratio is added to the continuous frequency enhancement quantity and then divided by 2 to obtain the frequency anomaly candidate quantity; when the frequency anomaly candidate quantity is greater than 1, the frequency anomaly impact quantity is set to 1; when the frequency anomaly candidate quantity is not greater than 1, the frequency anomaly candidate quantity is taken as the frequency anomaly impact quantity.
[0093] Based on the basic risk quantity of the event, the impact quantity of authentication anomalies, the comprehensive deviation quantity of permissions, the impact quantity of resource sensitivity, the impact quantity of operation, and the impact quantity of frequency anomalies, candidate values of event risk are generated. Based on the actual access time difference between the current access security event and the previous access security event, the change in the permission deviation description quantity, and the change in the access authentication result, continuous offset of the event is generated.
[0094] The generation of event risk candidate values specifically includes: taking the maximum value among the event basic risk quantity, authentication anomaly impact quantity, permission comprehensive deviation quantity, resource sensitivity impact quantity, operation impact quantity and frequency anomaly impact quantity as the first candidate component, taking the arithmetic mean of the above impact quantities as the second candidate component, and averaging the first candidate component and the second candidate component to obtain the event risk candidate value;
[0095] The generation of continuous event offsets specifically includes: when the actual access time difference does not exceed the same session statistics window, the generated continuous time flag is 1, otherwise it is 0; when the sum of the offsets in the current permission deviation description is not less than the sum of the offsets in the previous permission deviation description, the generated deviation non-decreasing flag is 1, otherwise it is 0; multiply the continuous time flag by the deviation non-decreasing flag to obtain the first continuous offset flag; when the current access authentication result changes from a trusted pass state to an abnormal pass state or a failed pass state relative to the previous access authentication result, the generated second continuous offset flag is 1, otherwise it is 0; when the actual access frequency of the current access security event and the actual access frequency of the previous access security event both exceed the authorized access frequency limit, the generated third continuous offset flag is 1, otherwise it is 0; average the first continuous offset flag, the second continuous offset flag, and the third continuous offset flag to obtain the continuous event offset.
[0096] The event risk calibration value is generated based on the cumulative permission deviation, the continuous event offset, and the reverse value of the authentication trust gating coefficient. The event risk calibration value is then used to calibrate the event risk candidate value to obtain the initial event risk value.
[0097] The generation of the initial event risk value specifically includes: dividing the cumulative permission deviation by the sum of the cumulative permission deviation and 1 to obtain the deviation memory threshold; multiplying the continuous event offset by the comprehensive permission deviation corresponding to the current access security event to obtain the continuous trigger threshold; subtracting the authentication trust gating coefficient from 1 to obtain the trust suppression threshold; averaging the deviation memory threshold and the continuous trigger threshold to obtain the original risk enhancement; multiplying the original risk enhancement by the trust suppression threshold to obtain the suppressed risk enhancement; multiplying the event risk candidate value by the suppressed risk enhancement to obtain the calibration risk increment; and adding the event risk candidate value and the calibration risk increment to obtain the event risk calibration result. When the event risk calibration result is greater than 1, the initial event risk value is set to 1; otherwise, the event risk calibration result is used as the initial event risk value.
[0098] In this embodiment, the generation of the event adaptive time decay parameter includes:
[0099] The access security event sequence, initial event risk value, authentication trust gating coefficient, and permission deviation modulation coefficient are input into the adaptive time decay layer of the improved Hawkes risk propagation model. The adaptive time decay layer includes an event time interval construction unit, a risk persistence unit, a trust degradation adjustment unit, a deviation persistence adjustment unit, a session density adjustment unit, and a decay parameter output unit.
[0100] The improved Hawkes risk propagation model includes an adaptive time decay layer, a self-excited risk propagation layer, and a trusted state update layer.
[0101] The training process for improving the Hawkes risk propagation model includes: constructing an annotated access security training sample set, including access security event sequences, initial event risk values, authentication trust gating coefficients, permission deviation modulation coefficients, event adaptive time decay parameters, access subject risk annotation results, and early warning handling annotation results; inputting the access security event sequences, initial event risk values, authentication trust gating coefficients, and permission deviation modulation coefficients into the adaptive time decay layer, and generating event adaptive time decay parameters for the training phase through event time interval construction units, risk persistence units, trust degradation adjustment units, deviation persistence adjustment units, session density adjustment units, and decay parameter output units; inputting the access security event sequences, initial event risk values, authentication trust gating coefficients, permission deviation modulation coefficients, and event adaptive time decay parameters for the training phase into the self-excited risk propagation layer, and generating event adaptive time decay parameters for the training phase through basic risk state construction units, event link continuity gating units, and authentication-permission coupling triggering kernels. The system consists of a generation unit, an asymmetric self-triggered unit, and a risk intensity sequence output unit. It generates the access subject risk intensity sequence for the training phase. The access subject risk intensity sequence, authentication trust gating coefficient, and permission deviation modulation coefficient are input into the trust state update layer to generate the access subject trust state and network security detection results for the training phase. Based on the difference between the access subject risk intensity sequence and the access subject risk labeling results, a risk intensity training loss is generated. Based on the difference between the network security detection results and the early warning and handling labeling results, a detection and early warning training loss is generated. The risk intensity training loss and the detection and early warning training loss are weighted and fused into a joint model training loss. Based on the joint model training loss, the learnable parameters in the adaptive time decay layer, the self-triggered risk propagation layer, and the trust state update layer are iteratively updated until the joint model training loss converges or reaches the upper limit of the training rounds, resulting in the improved Hawkes risk propagation model after training.
[0102] Improvements to the Hawkes risk propagation model: This invention does not directly use the traditional Hawkes model to predict security events in time series, but rather improves the Hawkes risk propagation structure in a layered manner for access authentication scenarios. First, at the data input level, the access authentication result, authentication trust gating coefficient, permission deviation description, permission deviation modulation coefficient, and access security event sequence are used as unified inputs, so that the risk propagation process is simultaneously constrained by the authentication trust level and the permission deviation level. Second, in the adaptive time decay layer, risk persistence quantity, trust degradation adjustment quantity, permission deviation persistence quantity, and session event density quantity are introduced, and event adaptive time decay parameters are generated through an authentication-deviation coupled gating hybrid decay method, so that the impact of historical access security events no longer decreases according to a fixed decay law. Third, in the self-excited risk propagation layer, an event link continuity gating quantity and an authentication-permission coupled trigger kernel are introduced to form an asymmetric self-excited triggering relationship from historical access security events to current access security events, so that risk events in the same access subject, the same session, and the same access link can be targeted and amplified. Finally, in the trusted state update layer, the access subject risk intensity sequence, authentication trust gating coefficient, and permission deviation modulation coefficient are used together for the recursive update of the access subject's trusted state and generate structured network security detection results. Through the above improvements, the present invention can solve the problem that traditional one-time access authentication methods are unable to continuously identify subsequent abnormal behaviors of authenticated subjects, and improve the timeliness and accuracy of detection and early warning of account theft, abnormal access, permission deviation and continuous abnormal access behavior.
[0103] In the adaptive time decay layer, the actual access time of the current access security event and the actual access time of the historical access security event are read from the access security event sequence through the event time interval construction unit, and the event time interval between the current access security event and the historical access security event is calculated.
[0104] The specific calculation of the event time interval includes: subtracting the actual access time of the historical access security event from the actual access time of the current access security event to obtain the event time interval. When the event time interval is less than 0, the corresponding historical access security event is discarded, and otherwise it is retained.
[0105] The risk persistence unit reads the initial event risk value corresponding to the historical access security event, as well as the relationship between the initial event risk value change from the historical access security event to the current access security event, and generates the risk persistence quantity.
[0106] The generation of the risk persistence quantity specifically includes: reading the initial event risk value corresponding to the historical access security event, and reading the initial event risk value corresponding to each access security event from the time of the historical access security event to the time of the current access security event. Calculate the difference between the initial event risk values of adjacent events in the order of actual access time. Accumulate the differences greater than 0 to obtain the cumulative risk increase quantity, and accumulate the absolute values of the differences less than 0 to obtain the cumulative risk decrease quantity. Subtract the cumulative risk decrease quantity from the cumulative risk increase quantity to obtain the risk trend quantity. Add the initial event risk value corresponding to the historical access security event to the risk trend quantity and input it into the logic compression function to obtain the risk persistence quantity. The logic compression function is 1 divided by 1 plus an exponential function with the natural constant as the base and the negative number of the sum of the initial event risk value and the risk trend quantity as the exponent.
[0107] The trusted degradation adjustment unit reads the authentication trusted gating coefficient corresponding to the current access security event and the authentication trusted gating coefficient corresponding to the previous access security event, and generates a trusted degradation adjustment quantity.
[0108] The generation of the trusted degradation adjustment amount specifically includes: reading the authentication trusted gating coefficient corresponding to the current access security event and the authentication trusted gating coefficient corresponding to the previous access security event; subtracting the authentication trusted gating coefficient corresponding to the current access security event from the authentication trusted gating coefficient corresponding to the previous access security event to obtain the trusted degradation amount; when the trusted degradation amount is less than 0, the trusted degradation amount is set to 0; inputting the trusted degradation amount and the authentication trusted gating coefficient corresponding to the current access security event into the exponential compression function to obtain the trusted degradation adjustment amount, wherein the exponential compression function is an exponential function of 1 minus the negative number of the result obtained by dividing the trusted degradation amount by the authentication trusted gating coefficient corresponding to the current access security event and 1 with the natural constant as the base;
[0109] Input the permission deviation modulation coefficient into the deviation duration adjustment unit, and generate the permission deviation duration based on the permission deviation modulation coefficient;
[0110] The generation of the permission deviation persistence quantity specifically includes: reading the permission deviation modulation coefficient corresponding to the current access security event, and reading the permission deviation modulation coefficient and event time interval corresponding to the historical access security events before the current access security event; multiplying the permission deviation modulation coefficient corresponding to each historical access security event by the time memory weight and summing them to obtain the historical permission deviation memory quantity, where the time memory weight is equal to the value of an exponential function with the natural constant as the base and the negative number of the corresponding event time interval as the exponent; and inputting the sum of the permission deviation modulation coefficient corresponding to the current access security event and the historical permission deviation memory quantity into the hyperbolic tangent compression function to obtain the permission deviation persistence quantity.
[0111] In the session-intensive adjustment unit, session event intensity is generated based on the number of historical access security events and session duration.
[0112] The generation of session event density specifically includes: reading the number of historical access security events before the current access security event under the same access subject and the same session identifier, and reading the session duration between the actual access time of the current access security event and the actual access time of the first access security event under the same session identifier. The session event density is obtained by dividing the number of historical access security events by the session duration. The session event density is then input into the logarithmic compression function to obtain the session event density, where the logarithmic compression function is the natural logarithm of the session event density divided by the sum of the natural logarithm of the session event density and 1.
[0113] The event time decay parameter is generated by taking the event time interval, risk persistence amount, trust degradation adjustment amount, permission deviation persistence amount and session event density amount as inputs to the decay parameter output unit.
[0114] The generation of the event adaptive time decay parameter specifically includes: generating a short-term burst decay rate based on the risk persistence level, wherein the short-term burst decay rate decreases as the risk persistence level increases; generating a long-term residual decay scale based on the permission deviation persistence level and the session event density level, wherein the long-term residual decay scale increases as the permission deviation persistence level and the session event density level increase; generating a long- and short-term decay hybrid gating value based on the trust degradation adjustment level and the permission deviation persistence level, wherein the long- and short-term decay hybrid gating value is a numerical value between 0 and 1; and generating a short-term burst decay component based on the short-term burst decay rate and the event time interval, wherein the short-term burst decay component is equal to a value with the natural constant as the base and the short-term decay rate as the minimum value. The negative of the product of the burst decay rate and the event time interval is the exponential function value of the exponent. A long-term residual decay component is generated based on the long-term residual decay scale and the event time interval. The long-term residual decay component is equal to 1 divided by the sum of the ratios of 1 to the event time interval and the long-term residual decay scale. The long-term decay contribution is obtained by multiplying the long-term residual decay component by the mixed long-term and short-term decay gating quantity. The short-term decay contribution is obtained by multiplying the value of the mixed long-term and short-term decay gating quantity by 1 and the short-term burst decay component. The event adaptive time decay parameter is obtained by adding the long-term decay contribution and the short-term decay contribution. The event adaptive time decay parameter is a numerical data between 0 and 1.
[0115] The generation of the short-term burst decay rate specifically includes: reading the risk persistence value, inputting the risk persistence value into the reciprocal compression function, and obtaining the short-term burst decay rate, wherein the reciprocal compression function is 1 divided by the sum of the risk persistence value and 1;
[0116] The generation of the long-term residual decay scale specifically includes: the duration of read permission deviation and the density of session events. The duration of permission deviation and the density of session events are multiplied to obtain the residual enhancement amount. The residual enhancement amount is input into the exponential spread function to obtain the long-term residual decay scale. The exponential spread function is an exponential function value with the natural constant as the base and the residual enhancement amount as the exponent.
[0117] The generation of the long-short-time decay hybrid gating quantity specifically includes: reading the trusted degradation adjustment quantity and the permission deviation duration quantity, adding the trusted degradation adjustment quantity and the permission deviation duration quantity to obtain the gating input quantity, and inputting the gating input quantity into the logic compression function to obtain the long-short-time decay hybrid gating quantity, wherein the logic compression function is 1 divided by 1 plus the exponential function value with the natural constant as the base and the negative number of the gating input quantity as the exponent.
[0118] In this embodiment, the generation of the access subject risk intensity sequence includes:
[0119] The access security event sequence, initial event risk value, authentication trust gating coefficient, permission deviation modulation coefficient, and event adaptive time decay parameter are input into the self-excited risk propagation layer of the improved Hawkes risk propagation model. The self-excited risk propagation layer includes a basic risk state construction unit, an event link continuity gating unit, an authentication-permission coupling trigger kernel generation unit, an asymmetric self-excited triggering unit, and a risk intensity sequence output unit.
[0120] In the self-excited risk propagation layer, the basic risk state of the current access security event is generated by reading the initial value of the event risk and the permission deviation modulation coefficient corresponding to the current access security event through the basic risk intensity construction unit.
[0121] The generation of the basic risk status specifically includes: reading the initial event risk value and permission deviation modulation coefficient corresponding to the current access security event; multiplying the initial event risk value and the permission deviation modulation coefficient to obtain the deviation participation risk amount; adding the initial event risk value and the deviation participation risk amount to obtain the basic risk candidate value; and inputting the basic risk candidate value into a saturation compression function to obtain the basic risk status. The saturation compression function is the basic risk candidate value divided by the sum of the basic risk candidate value and 1. The basic risk status is a numerical data between 0 and 1, used to characterize the basic risk level formed by the risk of the current access security event itself and the degree of current permission deviation.
[0122] The access subject identifier, session identifier, actual accessed resources, actual operation type, and actual access time of historical access security events and current access security events in the access security event sequence are input into the event link continuity gating unit, and an event link continuity gating quantity is generated.
[0123] The generation of the event link continuity gating quantity specifically includes: reading the access subject identifier, session identifier, actual access resources, actual operation type, and actual access time of historical access security events and current access security events; when the historical access security event and the current access security event have the same access subject identifier, a subject continuity flag of 1 is generated, otherwise 0; when the two have the same session identifier, a session continuity flag of 1 is generated, otherwise 0; when the two have the same actual access resources or the same actual operation type, a behavior link continuity flag of 1 is generated, otherwise 0; the actual access time of the current access security event is subtracted from the actual access time of the historical access security event to obtain the event time interval; when the event time interval is greater than 0, a time-directed flag of 1 is generated, otherwise 0; the subject continuity flag, session continuity flag, behavior link continuity flag, and time-directed flag are multiplied together to obtain the event link continuity gating quantity. The event link continuity gating quantity is a binary gating data of 0 or 1, which is used to block the triggering contribution of historical access security events that do not belong to the same access subject, the same session, or the same access behavior link to the current access security event.
[0124] The authentication-permission coupling triggering core generation unit reads the initial event risk value corresponding to the historical access security event, the initial event risk value corresponding to the current access security event, the authentication trust gating coefficient corresponding to the historical access security event, the permission deviation modulation coefficient corresponding to the current access security event, and the permission deviation modulation coefficient corresponding to the historical access security event, and generates the authentication-permission coupling triggering core.
[0125] The generation of the authentication-permission coupling trigger kernel specifically includes: reading the authentication trusted gating coefficients corresponding to historical access security events; inputting the authentication trusted gating coefficients corresponding to historical access security events into a trusted vulnerability function to obtain the historical authentication vulnerability quantity, specifically the complement of the exponential function value with the natural constant as the base and the negative of the authentication trusted gating coefficients corresponding to historical access security events as the exponent; reading the permission deviation modulation coefficients corresponding to the current access security event and the permission deviation modulation coefficients corresponding to historical access security events; subtracting the permission deviation modulation coefficients corresponding to historical access security events from the permission deviation modulation coefficients corresponding to the current access security event to obtain the permission deviation transition quantity; when the permission deviation transition quantity is less than... At time 0, the permission deviation transition value is set to 0. The initial value of the event risk corresponding to the historical access security event and the initial value of the event risk corresponding to the current access security event are read. The two are multiplied and the square root is taken to obtain the risk tolerance value. The historical authentication vulnerability value, the permission deviation transition value and the risk tolerance value are added to obtain the coupling trigger input value. The coupling trigger input value is input into the logic compression function to obtain the authentication-permission coupling trigger kernel. The logic compression function is 1 divided by 1 plus an exponential function with the natural constant as the base and the negative number of the coupling trigger input value as the exponent. The authentication-permission coupling trigger kernel is a numerical data between 0 and 1, which is used to represent the directional triggering capability of the historical low-trust authentication state to the current permission deviation event.
[0126] In the asymmetric self-excitation triggering unit, based on the event adaptive time decay parameter, the event link continuity gating quantity, and the authentication-authorization coupling triggering core, the asymmetric self-excitation triggering strength of historical access security events on the current access security event is generated;
[0127] The generation of asymmetric self-excitation trigger strength specifically includes: reading the initial event risk value, event adaptive time decay parameter, event link continuity gating quantity, and authentication-authorization coupling trigger kernel corresponding to the historical access security event; multiplying the initial event risk value, event adaptive time decay parameter, event link continuity gating quantity, and authentication-authorization coupling trigger kernel corresponding to the historical access security event to obtain the asymmetric self-excitation trigger strength of the historical access security event on the current access security event; the asymmetric self-excitation trigger strength is a numerical data between 0 and 1, used to represent the risk triggering contribution of the historical access security event to the current access security event under the conditions of authentication trust degradation, permission deviation transition, and event link continuity.
[0128] The risk intensity sequence output unit aggregates the basic risk status of the current access security event with the asymmetric self-excitation trigger intensity corresponding to all historical access security events before the current access security event to generate the access subject risk intensity corresponding to the current access security event, and forms the access subject risk intensity sequence according to the order of the access security event sequence.
[0129] The generation of access subject risk intensity specifically includes: summing the asymmetric self-excitation triggering intensities corresponding to all historical access security events prior to the current access security event to obtain the historical asymmetric self-excitation risk quantity; adding the basic risk state to the historical asymmetric self-excitation risk quantity to obtain the risk intensity candidate value; inputting the risk intensity candidate value into the saturation compression function to obtain the access subject risk intensity corresponding to the current access security event, specifically by dividing the risk intensity candidate value by the sum of the risk intensity candidate value and 1. The access subject risk intensity is a numerical data between 0 and 1, and the access subject risk intensity sequence is formed according to the order of the access security event sequence.
[0130] In this embodiment, the generation of network security detection results includes:
[0131] The access subject risk intensity sequence, authentication trust gating coefficient, and permission deviation modulation coefficient are input into the trust state update layer of the improved Hawkes risk propagation model. The trust state update layer includes a risk change parsing unit, a trust descent gate generation unit, a trust recovery gate generation unit, a trust state recursion unit, and a detection result output unit.
[0132] In the trusted state update layer, the risk intensity of the access subject corresponding to the current access security event and the risk intensity of the access subject corresponding to the previous access security event are read from the access subject risk intensity sequence by the risk change parsing unit, and the risk change quantity is generated.
[0133] The generation of risk change amount specifically includes: reading the risk intensity of the access subject corresponding to the current access security event and the risk intensity of the access subject corresponding to the previous access security event, subtracting the risk intensity of the access subject corresponding to the previous access security event from the risk intensity of the access subject corresponding to the current access security event to obtain the risk change amount; when there is no previous access security event, the risk intensity of the access subject corresponding to the current access security event is used as the risk change amount.
[0134] Input the risk change, the authentication trust gating coefficient, and the permission deviation modulation coefficient into the trust descent gate generation unit to generate the trust descent gate value.
[0135] The generation of the trusted decline threshold specifically includes: reading the risk change, the authentication trusted threshold coefficient, and the permission deviation modulation coefficient. When the risk change is greater than 0, the risk change is multiplied by the permission deviation modulation coefficient to obtain the deviation-driven decline. The value obtained by subtracting the authentication trusted threshold coefficient from 1 is multiplied by the risk change to obtain the authentication-driven decline. The deviation-driven decline and the authentication-driven decline are added together and then input into the logic compression function to obtain the trusted decline threshold. When the risk change is not greater than 0, the trusted decline threshold is set to 0. The trusted decline threshold is a numerical data between 0 and 1, which is used to control the decline of the trusted status of the access subject.
[0136] The trusted recovery gate generation unit reads the risk change and the authentication trusted gating coefficient to generate the trusted recovery gate value.
[0137] The generation of the trusted recovery threshold specifically includes: reading the risk change amount and the authentication trusted gate coefficient; when the risk change amount is less than 0, multiplying the absolute value of the risk change amount by the authentication trusted gate coefficient to obtain the recovery candidate amount; and inputting the recovery candidate amount into the hyperbolic tangent compression function to obtain the trusted recovery threshold; when the risk change amount is not less than 0, setting the trusted recovery threshold to 0. The trusted recovery threshold is a numerical data between 0 and 1, used to control the recovery range of the trusted state of the access subject.
[0138] In the trusted state recursion unit, an updated trusted state of the access subject is generated based on the trusted state of the access subject corresponding to the previous access security event, the trusted decline threshold, the trusted recovery threshold, and the risk intensity of the access subject corresponding to the current access security event.
[0139] The generation of the updated trusted state of the access subject specifically includes: reading the trusted state of the access subject corresponding to the previous access security event; when there is no trusted state of the access subject corresponding to the previous access security event, using the authentication trusted threshold coefficient as the initial trusted state of the access subject; subtracting the product of the trusted decline threshold and the risk intensity of the access subject corresponding to the current access security event from the trusted state of the access subject corresponding to the previous access security event, and adding the product of the trusted recovery threshold and the authentication trusted threshold coefficient to obtain a candidate trusted state value; when the candidate trusted state value is less than 0, the updated trusted state of the access subject is set to 0; when the candidate trusted state value is greater than 1, the updated trusted state of the access subject is set to 1; when the candidate trusted state value is neither less than 0 nor greater than 1, the candidate trusted state value is used as the updated trusted state of the access subject.
[0140] The detection result output unit reads the updated access subject's trusted status, access subject risk intensity sequence, authentication trusted gating coefficient, permission deviation modulation coefficient, and historical access subject trusted status, and generates network security detection results.
[0141] Network security testing results are structured testing results data, including authentication anomaly risk results, permission deviation risk results, and access behavior risk results. Among them, authentication anomaly risk results, permission deviation risk results, and access behavior risk results respectively include risk judgment markers, risk intensity values, access subject identifiers, session identifiers, and access security event identifiers.
[0142] The generation of risk assessment markers specifically includes: reading the updated trusted status of the access subject, the access subject risk intensity sequence, the authentication trusted threshold coefficient, and the permission deviation modulation coefficient; reading the historical trusted status of the same access subject before the current access security event, calculating the arithmetic mean and standard deviation of the historical trusted status, and subtracting the standard deviation from the arithmetic mean to obtain the trusted status assessment value; when there is no historical trusted status of the access subject, using the authentication trusted threshold coefficient as the trusted status assessment value; reading the access subject risk intensity corresponding to the current access security event and the access subject risk intensity corresponding to the previous access security event, subtracting the previous access subject risk intensity from the current access subject risk intensity to obtain the risk intensity change; when the risk intensity change is greater than 0, setting the risk increase marker to 1, otherwise setting it to 0; within the same access subject... Under the same session identifier, the risk escalation flags corresponding to adjacent access security events are read sequentially backward from the current access security event. When the read risk escalation flag is 1, it is accumulated once. When the read risk escalation flag is 0, the accumulation stops, and the number of consecutive escalations is obtained. When the updated trusted status of the access subject is less than the trusted status judgment value and the risk escalation flag is 1, the risk judgment flag in the authentication anomaly risk result is set to 1. Otherwise, the risk judgment flag in the authentication anomaly risk result is set to 0. When the permission deviation modulation coefficient is greater than 0 and the risk escalation flag is 1, the risk judgment flag in the permission deviation risk result is set to 1. Otherwise, the risk judgment flag in the permission deviation risk result is set to 0. When the number of consecutive escalations is not less than 2, the risk judgment flag in the access behavior risk result is set to 1. Otherwise, the risk judgment flag in the access behavior risk result is set to 0.
[0143] The generation of the risk intensity value specifically includes: when the risk judgment flag in the authentication anomaly risk result is 1, the trusted state judgment value is subtracted from the updated trusted state of the access subject to obtain the trusted gap amount, and the trusted gap amount is multiplied by the current access subject risk intensity to obtain the risk intensity value in the authentication anomaly risk result; when the risk judgment flag in the authentication anomaly risk result is 0, the risk intensity value in the authentication anomaly risk result is set to 0; when the risk judgment flag in the permission deviation risk result is 1, the permission deviation modulation coefficient is multiplied by the current access subject risk intensity to obtain the risk intensity value in the permission deviation risk result; when the risk judgment flag in the permission deviation risk result is 0, the risk intensity value in the permission deviation risk result is set to 0; when the risk judgment flag in the access behavior risk result is 1, the number of consecutive increases is divided by the sum of the number of consecutive increases and 1 to obtain the consecutive increase impact amount, and the consecutive increase impact amount is multiplied by the current access subject risk intensity to obtain the risk intensity value in the access behavior risk result; when the risk judgment flag in the access behavior risk result is 0, the risk intensity value in the access behavior risk result is set to 0.
[0144] In this embodiment, the adjustment of the recovery range of the trusted state of the access subject includes:
[0145] Read the network security detection results, generate a set of risks to be warned, and select the risk result with the highest risk intensity value from the set of risks to be warned as the dominant risk result;
[0146] Based on the dominant risk results, early warning information and response strategies are generated and incorporated into the network security detection and early warning results;
[0147] The generation of network security detection and early warning results specifically includes: determining the risk level based on the risk intensity value corresponding to the dominant risk result; when the risk intensity value is less than 0.3, it is determined as the first risk level; when the risk intensity value is not less than 0.3 and less than 0.7, it is determined as the second risk level; when the risk intensity value is not less than 0.7, it is determined as the third risk level; writing the type and risk level of the dominant risk result into the early warning information and generating a handling strategy; when the dominant risk result is an authentication anomaly risk result and the risk level is the first risk level, generating a secondary authentication strategy; when the dominant risk result is an authentication anomaly risk result and the risk level is the second risk level, generating a secondary authentication and sensitive resource access restriction strategy; when the dominant risk result is an authentication anomaly risk result and the risk level is the third risk level, generating a session blocking strategy; when the dominant risk result is a permission deviation risk result, generating sensitive resource access restrictions based on the risk level; when the dominant risk result is an access behavior risk result, generating access frequency restrictions based on the risk level; and writing the early warning information and handling strategy into the network security detection and early warning result. The network security detection and early warning result also includes the risk level, access subject identifier, session identifier, and access security event identifier.
[0148] Based on the disposal execution results after the disposal strategy is implemented, the risk intensity of the access entity after disposal, and the trust status of the access entity after disposal, disposal feedback data is generated.
[0149] The formation of the disposal feedback data specifically includes: after the disposal strategy is executed, reading the disposal execution result, the risk intensity of the access subject after disposal, and the trust status of the access subject after disposal. The disposal execution result is binary data, with 1 for successful execution and 0 for failure. The risk intensity of the access subject after disposal is the risk intensity value corresponding to the same access subject after the disposal strategy is executed. The trust status of the access subject after disposal is the trust status value corresponding to the same access subject after the disposal strategy is executed.
[0150] The effective disposal quantity is generated based on the difference between the risk intensity of the access entity before disposal and the risk intensity of the access entity after disposal, and the recovery range of the trust status of the access entity in the next round is adjusted based on the effective disposal quantity.
[0151] The generation of effective disposal quantity specifically includes: reading the risk intensity of the access entity before disposal and the risk intensity of the access entity after disposal; subtracting the risk intensity of the access entity after disposal from the risk intensity of the access entity before disposal to obtain the risk reduction amount; when the risk reduction amount is less than 0, the risk reduction amount is set to 0; and multiplying the risk reduction amount by the disposal execution result to obtain the effective disposal quantity.
[0152] The adjustment of the recovery range of the trusted state of the access subject specifically includes: when the effective amount of the action is greater than 0, the effective amount of the action is used as the recovery increment and written into the trusted state update layer; when the effective amount of the action is equal to 0, the recovery range is maintained at 0, so that the trusted state of the access subject in the next round is not restored due to invalid action.
[0153] Example 1: To verify the feasibility of this invention in practice, it was applied to a converged access environment of the office network and production management network of a large manufacturing enterprise. This enterprise has a headquarters office area, production workshops, a remote operation and maintenance access area, and a data center. The internal network includes office terminals, operation and maintenance terminals, a production management server, an identity authentication server, a permission management server, a business database, and security auditing equipment. The main problem in this environment is that while some accounts can pass identity authentication normally, their subsequent access behavior does not always conform to authorized boundaries. For example, ordinary office accounts access production management interfaces outside of working hours, operation and maintenance accounts continue to access business data unrelated to their responsibilities after maintenance is completed, or the same account continuously accesses multiple sensitive resources on different terminals.
[0154] During application, the system obtains access authentication data and access behavior data from the access gateway, identity authentication server, permission management server, resource access log node, and session management node, and associates them according to the access subject identifier and session identifier, forming basic access security data based on the actual access time. The system generates access authentication results based on the authentication results, device fingerprint consistency, access location consistency, and access time consistency, and generates authentication trust gating coefficients through authentication conflict compression and failure compression. At the same time, the system compares the authorized access data with the actual accessed resources, actual operation type, actual access time, actual access frequency, and actual access location to generate permission deviation descriptor and permission deviation modulation coefficients.
[0155] During the risk propagation calculation phase, the system inputs the access security event sequence, initial event risk value, authentication trust gating coefficient, and permission deviation modulation coefficient into the improved Hawkes risk propagation model. The adaptive time decay layer generates adaptive time decay parameters based on the risk persistence amount, trust degradation adjustment amount, permission deviation persistence amount, and session event density amount, ensuring that the impact of historical access security events on current access security events no longer decays over a fixed time. The self-excited risk propagation layer further combines the event link continuity gating amount and the authentication-permission coupling trigger kernel to generate an asymmetric self-excited trigger strength, thereby characterizing the directional triggering effect of preceding abnormal authentication or preceding permission deviation on subsequent access behaviors. During the trusted state update phase, the system generates the updated trusted state of the access subject based on the access subject risk intensity sequence, authentication trust gating coefficient, and permission deviation modulation coefficient.
[0156] This embodiment selects a portion of access session records from the converged access network of a large manufacturing enterprise as the verification data source. The data covers the access gateway, identity authentication server, permission management server, resource access log node, and session management node, and includes multiple access subjects, different permission roles, and continuous access time windows. The comparison method adopts the traditional static authentication alarm method and the conventional time-series anomaly detection method. The evaluation indicators include anomaly pass rate, permission deviation rate, continuous anomaly access rate, average false alarm rate, and average warning delay.
[0157] Table 1. Comprehensive Comparison of Network Security Detection and Early Warning in Access Authentication Scenarios
[0158] Anomaly detection rate / percentage 78.6 84.3 93.8 Permission deviation recognition rate / percentage 74.1 82.5 94.6 Continuous abnormal access detection rate / percentage 71.8 83.2 95.1 Average false alarm rate / percentage 13.7 10.4 5.9 Average warning delay / second 28.5 21.8 11.6
[0159] As shown in Table 1, this invention significantly outperforms traditional methods in terms of anomaly pass detection rate, permission deviation detection rate, and continuous anomaly access detection rate. The traditional authentication + rule-based alerting method achieves an anomaly pass detection rate of 78.6%, primarily because it relies on static results of authentication success or failure, making it difficult to leverage the conflicting relationships between device fingerprints, access location, and access time. This invention transforms the access authentication result into a trusted authentication gating coefficient and embeds it into an adaptive time decay layer, a self-excited risk propagation layer, and a trusted state update layer. This allows access subjects that pass authentication but have abnormal contexts to still be continuously tracked, thus achieving an anomaly pass detection rate of 93.8%.
[0160] In terms of permission deviation identification, the traditional authentication + rule-based alarm method achieves only 74.1%, the traditional anomaly detection model achieves 82.5%, while this invention achieves 94.6%. The main reason for the improvement is that this invention does not only determine whether access is denied, but also performs multi-dimensional comparison between authorized access data and actual access resources, actual operation type, actual access time, actual access frequency, and actual access location to generate permission deviation descriptive quantity and permission deviation modulation coefficient.
[0161] In terms of continuous abnormal access identification rate, this invention achieves 95.1%, a 23.3 percentage point improvement compared to the traditional authentication + rule-based alerting method. Regarding false alarm rate, the average false alarm rate of this invention is 5.9%, lower than the 13.7% of the traditional authentication + rule-based alerting method, and the average warning delay is 11.6 seconds, also significantly lower than both traditional methods. This indicates that this invention does not simply increase sensitivity, but rather constrains risk judgment through the authentication trust gating coefficient, permission deviation modulation coefficient, and trust state update layer, preventing the amplification of occasional, low-correlation access fluctuations.
[0162] The above are merely preferred embodiments of the present invention, but the scope of protection of the present invention is not limited thereto. Any equivalent substitutions or modifications made by those skilled in the art within the scope of the technology disclosed in the present invention, based on the technical solution and inventive concept of the present invention, should be covered within the scope of protection of the present invention.
Claims
1. A network security detection and early warning method based on access authentication, characterized in that, include: Acquire access authentication data and access behavior data, and preprocess them to form basic access security data; Based on the basic access security data, the system generates access authentication results, authentication trust gating coefficients, permission deviation descriptors, and permission deviation modulation coefficients, and forms an access security event sequence based on the access authentication results, permission deviation descriptors, and access behavior data. Calculate the initial risk value of the event based on the access security event sequence; The access security event sequence, initial event risk value, authentication trust gating coefficient and permission deviation modulation coefficient are input into the adaptive time decay layer of the improved Hawkes risk propagation model to generate event adaptive time decay parameters. The access security event sequence, initial event risk value, authentication trust gating coefficient, permission deviation modulation coefficient, and event adaptive time decay parameter are input into the self-excited risk propagation layer of the improved Hawkes risk propagation model to generate the access subject risk intensity sequence. The access subject risk intensity sequence, authentication trust gating coefficient, and permission deviation modulation coefficient are input into the trusted state update layer of the improved Hawkes risk propagation model to generate the updated trusted state of the access subject. Based on the updated trusted state of the access subject, the access subject risk intensity sequence, and the historical trusted state of the access subject, network security detection results are generated. Based on the network security detection results, generate network security detection and early warning results, collect corresponding handling feedback data for the network security detection and early warning results, and adjust the recovery range of the trusted status of the next access subject based on the handling feedback data.
2. The network security detection and early warning method based on access authentication according to claim 1, characterized in that, The formation of the access security basic data includes: Obtain access authentication data and access behavior data to obtain time-series correlation data; The time-series correlated data is preprocessed and written into the access security basic data. The preprocessing includes merging duplicate records, filling in missing fields, unifying field formats, and normalizing numerical fields.
3. The network security detection and early warning method based on access authentication according to claim 1, characterized in that, The formation of the access security event sequence includes: Based on access security basic data, generate access authentication results, authentication trust gating coefficients, permission deviation descriptors, and permission deviation modulation coefficients; The access authentication results, permission deviation descriptions, and access behavior data are bound together as access security events, forming a sequence of access security events.
4. The network security detection and early warning method based on access authentication according to claim 1, characterized in that, The calculation of the initial value of the event risk includes: Read access security events from the access security event sequence, determine the event type of the access security event based on the access authentication result, permission deviation description, and access behavior data, and generate the basic event risk quantity based on the event type; Based on the access authentication results, determine the impact of authentication anomalies, generate a comprehensive permission deviation based on the permission deviation description, generate a resource-sensitive impact based on the actual accessed resources in the access behavior data, generate an operation impact based on the actual operation type, and generate a frequency anomaly impact based on the actual access frequency and the upper limit of the authorized access frequency. Based on the basic risk quantity of the event, the impact quantity of authentication anomalies, the comprehensive deviation quantity of permissions, the impact quantity of resource sensitivity, the impact quantity of operation, and the impact quantity of frequency anomalies, candidate values of event risk are generated. Based on the actual access time difference between the current access security event and the previous access security event, the change in the permission deviation description quantity, and the change in the access authentication result, continuous offset of the event is generated. The event risk calibration value is generated based on the cumulative permission deviation, the continuous event offset, and the reverse value of the authentication trust gating coefficient. The event risk calibration value is then used to calibrate the event risk candidate value to obtain the initial event risk value.
5. The network security detection and early warning method based on access authentication according to claim 1, characterized in that, The generation of the event adaptive time decay parameter includes: The access security event sequence, initial event risk value, authentication trust gating coefficient, and permission deviation modulation coefficient are input into the adaptive time decay layer of the improved Hawkes risk propagation model. The adaptive time decay layer includes an event time interval construction unit, a risk persistence unit, a trust degradation adjustment unit, a deviation persistence adjustment unit, a session density adjustment unit, and a decay parameter output unit. The improved Hawkes risk propagation model includes an adaptive time decay layer, a self-excited risk propagation layer, and a trusted state update layer. In the adaptive time decay layer, the actual access time of the current access security event and the actual access time of the historical access security event are read from the access security event sequence through the event time interval construction unit, and the event time interval between the current access security event and the historical access security event is calculated. The risk persistence unit reads the initial event risk value corresponding to the historical access security event, as well as the relationship between the initial event risk value change from the historical access security event to the current access security event, and generates the risk persistence quantity. The trusted degradation adjustment unit reads the authentication trusted gating coefficient corresponding to the current access security event and the authentication trusted gating coefficient corresponding to the previous access security event, and generates a trusted degradation adjustment quantity. Input the permission deviation modulation coefficient into the deviation duration adjustment unit, and generate the permission deviation duration based on the permission deviation modulation coefficient; In the session-intensive adjustment unit, session event intensity is generated based on the number of historical access security events and session duration. The event adaptive time decay parameter is generated by taking the event time interval, risk persistence amount, trust degradation adjustment amount, permission deviation persistence amount, and session event density amount as inputs to the decay parameter output unit.
6. The network security detection and early warning method based on access authentication according to claim 1, characterized in that, The generation of the access subject risk intensity sequence includes: The access security event sequence, initial event risk value, authentication trust gating coefficient, permission deviation modulation coefficient, and event adaptive time decay parameter are input into the self-excited risk propagation layer of the improved Hawkes risk propagation model. The self-excited risk propagation layer includes a basic risk state construction unit, an event link continuity gating unit, an authentication-permission coupling trigger kernel generation unit, an asymmetric self-excited triggering unit, and a risk intensity sequence output unit. In the self-excited risk propagation layer, the basic risk state of the current access security event is generated by reading the initial value of the event risk and the permission deviation modulation coefficient corresponding to the current access security event through the basic risk intensity construction unit. The access subject identifier, session identifier, actual accessed resources, actual operation type, and actual access time of historical access security events and current access security events in the access security event sequence are input into the event link continuity gating unit, and an event link continuity gating quantity is generated. The authentication-permission coupling triggering core generation unit reads the initial event risk value corresponding to the historical access security event, the initial event risk value corresponding to the current access security event, the authentication trust gating coefficient corresponding to the historical access security event, the permission deviation modulation coefficient corresponding to the current access security event, and the permission deviation modulation coefficient corresponding to the historical access security event, and generates the authentication-permission coupling triggering core. In the asymmetric self-excitation triggering unit, based on the event adaptive time decay parameter, the event link continuity gating quantity, and the authentication-authorization coupling triggering core, the asymmetric self-excitation triggering strength of historical access security events on the current access security event is generated; The risk intensity sequence output unit aggregates the basic risk status of the current access security event with the asymmetric self-excitation trigger intensity corresponding to all historical access security events prior to the current access security event to generate the access subject risk intensity corresponding to the current access security event, and forms the access subject risk intensity sequence according to the order of the access security event sequence.
7. The network security detection and early warning method based on access authentication according to claim 1, characterized in that, The generation of the network security detection results includes: The access subject risk intensity sequence, authentication trust gating coefficient, and permission deviation modulation coefficient are input into the trust state update layer of the improved Hawkes risk propagation model. The trust state update layer includes a risk change parsing unit, a trust descent gate generation unit, a trust recovery gate generation unit, a trust state recursion unit, and a detection result output unit. In the trusted state update layer, the risk intensity of the access subject corresponding to the current access security event and the risk intensity of the access subject corresponding to the previous access security event are read from the access subject risk intensity sequence by the risk change parsing unit, and the risk change quantity is generated. Input the risk change, the authentication trust gating coefficient, and the permission deviation modulation coefficient into the trust descent gate generation unit to generate the trust descent gate value. The trusted recovery gate generation unit reads the risk change and the authentication trusted gating coefficient to generate the trusted recovery gate value. In the trusted state recursion unit, an updated trusted state of the access subject is generated based on the trusted state of the access subject corresponding to the previous access security event, the trusted decline threshold, the trusted recovery threshold, and the risk intensity of the access subject corresponding to the current access security event. The detection result output unit reads the updated access subject's trust status, access subject risk intensity sequence, authentication trust gating coefficient, permission deviation modulation coefficient, and historical access subject trust status, and generates network security detection results.
8. A network security detection and early warning method based on access authentication according to claim 1, characterized in that, The adjustment of the recovery range of the trusted state of the access subject includes: Read the network security detection results, generate a set of risks to be warned, and select the risk result with the highest risk intensity value from the set of risks to be warned as the dominant risk result; Based on the dominant risk results, early warning information and response strategies are generated and incorporated into the network security detection and early warning results; Based on the disposal execution results after the disposal strategy is implemented, the risk intensity of the access entity after disposal, and the trust status of the access entity after disposal, disposal feedback data is generated. The effective disposal quantity is generated based on the difference between the risk intensity of the access entity before disposal and the risk intensity of the access entity after disposal, and the recovery range of the trust status of the access entity in the next round is adjusted based on the effective disposal quantity.