Micro-segmentation-based access control method, apparatus, system, device, and storage medium
By dividing system resources into multiple isolation domains and using intelligent agent technology to generate micro-isolation strategies, the problem of insufficient protection of internal network security in the cloud environment is solved, realizing automated and adaptive security control of user access and improving the internal protection capability of the network.
Patent Information
- Authority / Receiving Office: WO
- Patent Type: Applications
- Current Assignee / Owner: CHINA MOBILE GROUP DESIGN INST
- Filing Date: 2025-12-09
- Publication Date: 2026-06-18
AI Technical Summary
Existing network perimeter protection methods cannot effectively guarantee internal network security in a cloud environment. They lack protection against advanced persistent threats and new types of attacks, rendering traditional protection frameworks ineffective and leaving internal networks without effective means to resist lateral movement.
The system resources are logically divided into multiple isolation domains. By acquiring and analyzing network metrics, user requests and request content information, a pre-trained policy generation model is used to generate micro-isolation policies to control user access. Intelligent agent technology is used for autonomous decision-making and policy generation.
It effectively prevents attackers from moving laterally, improves internal network security, provides automated and adaptive security protection, reduces human configuration errors, and enhances the level of automation in network security management.
Description
Micro-segmentation access control methods, devices, systems, equipment, and storage media
[0001] Cross-reference to related applications
[0002] This application claims priority to Chinese Patent Application No. 202411819754.X, filed in China on December 11, 2024, the entire contents of which are incorporated herein by reference.
Technical Field
[0003] This application relates to the field of network security, specifically to a micro-segmentation access control method, apparatus, system, device, and storage medium.
Background Technology
[0004] With the development of cloud computing and virtualization technologies, more and more enterprises are migrating their data and business to cloud environments. Cloud workloads, which contain sensitive data and business information, face blurred network boundaries in the cloud environment. The complex network access environment and the massive number of network assets present new challenges to enterprise security. Current security measures, including firewalls, Web Application Firewalls (WAFs), and Intrusion Prevention Systems (IPSs), are primarily used for network boundary protection, and their effectiveness in protecting east-west traffic in the cloud environment is hampered.
[0005] With the emergence of new attack methods such as Advanced Persistent Threat (APT) attacks, zero-day vulnerabilities, and malicious encrypted traffic, security frameworks centered on network perimeter protection have lost their protective effect. Once the internal network is breached, there is a lack of effective means to resist lateral movement, and the internal security of the network cannot be effectively guaranteed.
Summary of the Invention
[0006] Based on this, this application provides a micro-segmentation access control method, apparatus, system, device, and storage medium to address the shortcomings of current security protection systems used for network boundary protection that cannot effectively guarantee the security of the network interior.
[0007] To achieve the above objectives, embodiments of this application provide a micro-segmentation access control method, including:
[0008] Obtain network metric statistics, user request statistics, and request content information for the isolated domains; wherein, system resources are logically divided into several of the aforementioned isolated domains;
[0009] Extract the network features from the network indicator statistics, the request features from the request statistics, and the content features from the request content information, respectively.
[0010] The network features, request features, and content features are input into a pre-trained policy generation model to obtain a micro-segmentation policy; wherein, the user's access to the isolated domain is controlled by the isolated domain according to the micro-segmentation policy.
[0011] To achieve the above objectives, embodiments of this application also provide another micro-segmentation access control method, including:
[0012] The system acquires network metric statistics, user request statistics, and request content information for the isolated domains and sends them to the intelligent control center, so that the intelligent control center executes the micro-segmentation access control method as described in any of the above embodiments; wherein, the system resources are logically divided into several isolated domains.
[0013] The micro-segmentation policy is obtained from the intelligent control center, and the user's access is controlled according to the micro-segmentation policy.
[0014] To achieve the above objectives, embodiments of this application also provide a micro-segmentation access control device, comprising:
[0015] The information acquisition module is used to acquire network indicator statistics of the isolation domain, user request statistics, and request content information; wherein, the system resources are logically divided into several isolation domains.
[0016] The feature extraction module is used to extract the network features of the network indicator statistics, the request features of the request statistics, and the content features of the request content information, respectively.
[0017] The policy generation module is used to input the network features, the request features, and the content features into a pre-trained policy generation model to obtain a micro-segmentation policy; wherein, the user's access to the isolated domain is controlled by the isolated domain according to the micro-segmentation policy.
[0018] To achieve the above objectives, embodiments of this application also provide a micro-segmentation access control system, including an intelligent agent module and an intelligent control center;
[0019] The intelligent proxy module is used to obtain network indicator statistics, user request statistics, and request content information of the isolated domain, and send them to the intelligent control center; wherein, the system resources are logically divided into several isolated domains;
[0020] The intelligent control center is used to extract the network features of the network indicator statistics, the request features of the request statistics, and the content features of the request content information, respectively; input the network features, the request features, and the content features into a pre-trained strategy generation model to obtain a micro-segmentation strategy, and then send the micro-segmentation strategy to the intelligent agent module.
[0021] The intelligent proxy module is also used to control the user's access according to the micro-segmentation policy.
[0022] To achieve the above objectives, embodiments of this application also provide a micro-segmentation access control device, including a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor. When the processor executes the computer program, it implements the micro-segmentation access control method as described in any of the above embodiments.
[0023] To achieve the above objectives, embodiments of this application also provide a non-transient computer-readable storage medium, the computer-readable storage medium including a stored computer program, wherein, when the computer program is executed, it controls the device where the computer-readable storage medium is located to perform the micro-segmentation access control method as described in any of the above embodiments.
[0024] To achieve the above objectives, embodiments of this application also provide a computer program product, including a computer program / instructions, which, when executed by a processor, implement the micro-segmentation access control method as described in any of the above embodiments.
[0025] Compared with related technologies, the micro-segmentation access control method, apparatus, system, device, and storage medium disclosed in this application first divide system resources logically into several isolation domains. For each isolation domain, network indicator statistics, user request statistics, and request content information are obtained. Then network features are extracted from the network indicator statistics, request features from the request statistics, and content features from the request content information. Finally, the network features, request features, and content features are input into a pre-trained policy generation model to obtain the user's micro-segmentation policy within that isolation domain, which serves as the security protection measure applied when the user accesses the isolation domain. In this way, the embodiment logically divides system resources into multiple isolation domains, generates a corresponding micro-segmentation policy for each user from the information within each domain, and applies these policies to resource access control, thereby effectively ensuring internal network security.
Description of the Drawings
[0026] To more clearly illustrate the technical solution of this application, the drawings used in the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.
[0027] Figure 1 is a flowchart illustrating a micro-segmentation access control method according to an embodiment of this application;
[0028] Figure 2 is a schematic diagram of the structure of network indicator statistical information provided in an embodiment of this application;
[0029] Figure 3 is a schematic diagram of the structure of request statistics information provided in an embodiment of this application;
[0030] Figure 4 is a schematic diagram of the structure of a request content information provided in an embodiment of this application;
[0031] Figure 5 is a schematic diagram of the architecture of a micro-isolated intelligent control algorithm provided in an embodiment of this application;
[0032] Figure 6 is a schematic diagram of a micro-segmentation access control device provided in an embodiment of this application;
[0033] Figure 7 is a schematic diagram of data interaction of a micro-segmentation access control system provided in an embodiment of this application;
[0034] Figure 8 is a schematic diagram of the structure of a micro-isolation access control device provided in an embodiment of this application.
Detailed Description
[0035] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0036] Currently, with the emergence of new attack methods such as Advanced Persistent Threat (APT) attacks, zero-day vulnerabilities, and malicious encrypted traffic, security frameworks centered on perimeter protection have lost their effectiveness. Once an internal network is breached, there is a lack of effective means to defend against lateral movement. Traditional perimeter-based protection, such as Virtual Private Networks (VPNs), Intrusion Detection Systems (IDS), and Web Application Firewalls (WAFs), relies on rule-based detection and analysis mechanisms. However, the exponential growth in cloud network service complexity and network complexity has weakened the effectiveness of these protective measures. Currently, there is a lack of effective automated management methods for comprehensive network security control. Furthermore, manually configuring policies for security management is labor-intensive and prone to errors.
[0037] Based on this, this application provides a micro-segmentation access control method. Referring to Figure 1, Figure 1 is a flowchart illustrating a micro-segmentation access control method provided in this application. Specifically, the micro-segmentation access control method includes steps S11 to S13:
[0038] S11. Obtain network indicator statistics, user request statistics, and request content information for the isolated domains; wherein, the system resources are logically divided into several isolated domains.
[0039] Specifically, the isolation domain statistics, request statistics, and request content information are used as input parameters for the intelligent control algorithm, and the micro-isolation intelligent control algorithm is used to generate micro-isolation policies. This method is applied to the intelligent control center of the micro-isolation access control system, and the information in step S11 is obtained from the intelligent agent module located in the isolation domain.
1. The network indicator statistics of the isolation domain are time-series statistical data covering traffic, bandwidth, and other indicators of the isolation domain. The structure is shown in Figure 2 and includes inbound traffic, outbound traffic, number of Internet Protocol (IP) addresses accessing the domain, number of accessing users, inbound bandwidth, outbound bandwidth, network protocols, and network ports. These statistics are obtained by time-series monitoring of the relevant indicators of the isolation domain. Since each monitoring item is a sequence that changes over time, a time-series outlier detection method such as ARIMA can be applied to each monitoring item, i.e., to detect whether the indicator status of a given monitoring item is normal at a given time.
2. User request statistics include metrics related to the source of access requests to the isolation domain, such as user information, historical access information, access time-sequence information, and access link information. The structure is shown in Figure 3 and includes user information, historical access counts, historical access time periods, access traffic, user security status, and request link information. The request source can be an individual user or an inter-domain access. By extracting features from these request statistics, request-related characteristics can be obtained, such as whether identity forgery is present, whether the requester is accessing the isolation domain normally, and whether there is hacking behavior or dangerous access actions.
3. Request content information is the specific information related to the current access request, including request time, request content, request protocol, and request port, as shown in Figure 4. By extracting content features from it, characteristics representing the trustworthiness of the request content can be obtained, such as whether the request is malicious or carries dangerous content such as Structured Query Language (SQL) injection.
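The per-monitoring-item outlier detection described in item 1 above, as an added example that is not part of the patent: a least-squares AR(1) fit with a median/MAD-based modified z-score on the one-step residuals stands in for the ARIMA model the text names, and the inbound-traffic series is constructed.

```python
# Added example, not from the patent. An AR(1) residual detector (a simplified stand-in
# for ARIMA) flags the time steps at which one monitoring item is abnormal.
from typing import List, Tuple


def fit_ar1(series: List[float]) -> Tuple[float, float]:
    """Least-squares fit of x_t = a + b * x_{t-1} over the whole series; returns (a, b)."""
    if len(series) < 3:
        return 0.0, 0.0
    xs, ys = series[:-1], series[1:]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    b = sxy / sxx if sxx else 0.0
    return my - b * mx, b


def residual_outliers(series: List[float], threshold: float = 3.5) -> List[int]:
    """Indices whose one-step-ahead residual is an outlier under the modified z-score
    (0.6745 * |r - median| / MAD > threshold). Median and MAD are robust, so a single
    spike does not inflate the scale against which the other points are judged."""
    if len(series) < 3:
        return []
    a, b = fit_ar1(series)
    residuals = [series[t] - (a + b * series[t - 1]) for t in range(1, len(series))]
    med = sorted(residuals)[len(residuals) // 2]
    mad = sorted(abs(r - med) for r in residuals)[len(residuals) // 2]
    if mad == 0:
        return []
    return [t for t, r in enumerate(residuals, start=1)
            if 0.6745 * abs(r - med) / mad > threshold]


def constructed_inbound_traffic(spike_at: int = 40, n: int = 60) -> List[float]:
    """Constructed sample: inbound traffic around 100 with deterministic LCG pseudo-noise
    in [-10, 10] and one spike to 400 at index spike_at."""
    seed = 12345
    values = []
    for i in range(n):
        seed = (seed * 1103515245 + 12345) % (2 ** 31)
        noise = (seed >> 16) % 21 - 10
        values.append(400.0 if i == spike_at else 100.0 + noise)
    return values


if __name__ == "__main__":
    print("abnormal time steps:", residual_outliers(constructed_inbound_traffic()))
```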
[0040] Optionally, the network metric statistics include at least one of traffic information, number of visitors, bandwidth information, network protocol information, and network port information; the request statistics include at least one of user basic information, user historical access count, user historical access time period, user access traffic, user access operation, user security status, and user request link status; the request content information includes request content, and the request content information also includes at least one of request time, request protocol, and request port.
[0041] S12. Extract the network features of the network indicator statistics, the request features of the request statistics, and the content features of the request content information, respectively.
[0042] Specifically, feature engineering is performed through the context module of the intelligent control center. Feature engineering refers to extracting network features from network indicator statistics, request features from request statistics, and content features from request content information. The execution result of feature engineering is used as feature information related to a user accessing the isolated domain.
[0043] S13. Input the network features, the request features, and the content features into a pre-trained policy generation model to obtain a micro-segmentation policy; wherein, the user's access to the isolation domain is controlled by the isolation domain according to the micro-segmentation policy.
[0044] Specifically, network features, request features, and content features are used as inputs to the policy generation model. The model is then used to infer the corresponding micro-segmentation policy, which can be used by the isolated domain to control access to the corresponding user.
[0045] Compared with related technologies, this embodiment logically divides system resources into multiple isolation domains. For each isolation domain, relevant information within the domain is used to generate a corresponding micro-isolation policy for each user. Access control of resources is performed using this micro-isolation policy. In cases where attackers may control certain vulnerable single points, because this embodiment has divided system resources into small isolation domains and set corresponding micro-isolation policies for each user in each isolation domain, it can prevent attackers from moving laterally and provides effective protection for internal network security.
[0046] In one optional implementation, the step of inputting the network features, the request features, and the content features into a pre-trained policy generation model to obtain a micro-segmentation policy includes:
[0047] The network features, the request features, and the content features are input into a pre-trained agent based on a large model; wherein, the policy generation model is an agent based on a large model.
[0048] The security level of the isolation domain is determined based on the network characteristics; the user security level is determined based on the request characteristics and the content characteristics.
[0049] The network features, the isolation domain security level, the request features, the content features, the user security level, and the historical memory information of the large model are fused to obtain fused features;
[0050] A micro-segmentation strategy is generated based on the fusion features.
[0051] It is worth noting that the architecture of the micro-isolation intelligent control algorithm is shown in Figure 5. The algorithm is executed through the intelligent control center of the micro-isolation access control system. The algorithm mainly uses an intelligent agent as its core. The intelligent agent uses Large Language Model (LLM) technology as its main body or brain to perform automatic planning and has autonomous decision-making capabilities to solve complex problems.
[0052] Specifically, the process of generating a micro-segmentation strategy based on network characteristics, request characteristics, and content characteristics is as follows:
[0053] 1. The security level DS of the isolation domain is evaluated based on the large model classification algorithm. The formula is as follows: DS = LLM(SN,X);
[0054] Where SN represents the network metric statistics feature (i.e., network characteristic) of the isolation domain, and X represents the network metric statistics. For example, the isolation domain security level is divided into Level 1, Level 2, and Level 3. The overall security control strategy of the isolation domain gradually strengthens from Level 1 to Level 3. For instance, Level 1 uses a service control mode, managing 20% of critical ports and reducing risk by 80%; Level 2 uses a business control mode, defining policies according to business roles and managing ports accessed by businesses; and Level 3 uses a host control mode, configuring policies for each business port for robust protection. It is worth noting that the classification of isolation domain security levels and the corresponding security control strategies are not limited to the above specific examples and can be set according to actual circumstances; no restrictions are imposed here.
[0055] 2. Determine the user's security level (US) by extracting request and content features based on the information related to the user's requests. For example, user security levels are divided into Level 1, Level 2, and Level 3. From Level 1 to Level 3, the security control policies for this user in the isolation domain gradually increase. For instance, Level 1 uses point-to-point management, specifying access from a specific IP address; Level 2 uses precise management, specifying control information such as ports and protocols; and Level 3 uses a strong control mode, adding functions such as request content and traffic detection to filter malicious requests and traffic, thus strengthening control. It is worth noting that the user security level division and corresponding security control policies are not limited to the above specific examples and can be set according to actual circumstances; no restrictions are imposed here.
[0056] 3. Feature fusion is performed on network characteristics, isolation domain security level, request characteristics, content characteristics, user security level, and historical memory information of the large model to obtain fused features. Micro-isolation strategies are then generated based on these fused features. The historical memory information of the large model includes its past thinking and execution strategies for handling various events (i.e., previous micro-isolation strategies), execution results, and other information.
[0057] Furthermore, the feature fusion of the network features, the isolation domain security level, the request features, the content features, the user security level, and the large model historical memory information to obtain fused features includes:
[0058] An isolation domain information set is formed based on the network characteristics and the isolation domain security level;
[0059] A user information set is formed based on the request characteristics, the content characteristics, and the user security level;
[0060] A self-attention mechanism is used to fuse the isolated domain information set, the user information set, and the large model historical memory information to obtain fused features.
[0061] Specifically, the process of feature fusion and generating micro-segmentation strategies based on the fused features is as follows:
[0062] Based on the large model, an adaptive micro-segmentation strategy is calculated for each user who needs to access the isolation domain, so that the network is isolated in an automated, adaptive manner that follows the principle of minimization. The micro-segmentation strategy P is generated by the following formula: P = LLM(DG,UG,H).
[0063] Here, DG is a set of information including the security level of the isolation domain and related feature data (i.e., network features); UG is a set of information including the user's security level, user request information, and request content-related feature data (i.e., request features and content features); and H is the historical memory information of the large model, which contains information such as the large model's thinking and execution strategies and execution results in handling various events in the past. When iteratively optimizing the micro-isolation strategy using the large model, a self-attention mechanism is used to fuse DG, UG, and H. Furthermore, since user request information and request content information contain temporal features, and the statistical information of the isolation domain has different degrees of influence on the two temporal features, it is necessary to reset the weights of the three features in the large model's computation process using a self-attention mechanism. This yields the information features that have the greatest impact on the correct result, and based on these features, effective memory information is generated and stored in the context module to facilitate the better generation of the corresponding micro-isolation strategy. The following algorithm is used:
[0064] Furthermore, the micro-isolation strategies generated by the large model through the above-mentioned micro-isolation strategy generation formula are divided into normal mode, control mode, limited control mode, and emergency mode. The specific descriptions of each mode are as follows:
[0065] 1. Normal Mode: Suitable for daily operating environments. In this mode, the system's security assessment is in a stable state, no abnormal behavior or potential threats are detected, and authenticated users are allowed to access the corresponding isolated domain according to their security level. Basic security measures such as firewall rules, authentication and authorization are implemented, and known secure behaviors are responded to quickly with reduced latency.
[0066] 2. Control Mode: When the system detects suspicious activity or security incidents, it will automatically switch to control mode. This mode aims to limit the lateral movement capabilities of potential attackers and further investigate and detect related security incidents. This includes increasing monitoring of user activity, including more frequent logging and auditing, implementing stricter access control for certain sensitive resources or high-risk areas, potentially restricting specific types of traffic or access within specific time periods, and dynamically adjusting firewall rules and other network controls to block possible attack paths.
[0067] 3. Limited Control Mode: When a new user is added to the isolated domain, the system automatically sets a limited control micro-isolation policy for this new user. The new user is granted access under the principle of minimization, while detection of relevant security events and packet filtering rules are strengthened in order to collect access information about this user. After a period of time, the system generates a fresh micro-isolation policy for the user and exits limited control mode.
[0068] 4. Emergency Mode: When a major security incident occurs or a serious threat is confirmed, the system enters emergency mode. The goal of this mode is to take swift action to prevent the threat from spreading and mitigate damage. It automatically isolates affected systems or network segments, strengthens the inspection of all incoming and outgoing traffic, and implements stricter packet filtering rules.
[0069] These strategy patterns can be automatically adjusted by large model algorithms based on real-time security situation, historical statistics, isolation domain security level, and user security level. In this way, the system can effectively cope with various security challenges without affecting normal business operations.
[0070] In one optional implementation, the step of extracting the network features of the network indicator statistics, the request features of the request statistics, and the content features of the request content information respectively includes:
[0071] Analyze each monitoring item in the network indicator statistics to identify abnormal monitoring items, and use the abnormal monitoring items as network features.
[0072] Feature extraction is performed on the request statistics to obtain user behavior preference tags and user access link features, and the user behavior preference tags and user access link features are used as request features;
[0073] A preset rule engine is invoked to identify the request content information, and normal requests and abnormal requests are identified in the request content information; positive sample features of the normal requests and negative sample features of the abnormal requests are extracted, and the positive sample features and negative sample features are used as the content features of the request content information.
[0074] Specifically, the feature engineering for extracting network metric statistics, request statistics, and request content information related to the isolated domain through the context module of the intelligent control center is as follows:
[0075] 1. Analyze the data changes of each monitoring item in the network indicator statistics information, identify abnormal monitoring items, and use the abnormal monitoring items as network features;
[0076] 2. Extract user behavior preference tags, i.e., behavior feature items BN, based on request statistics. This extraction is performed using big data technology, aggregating data by user and time dimensions, and statistically analyzing user access patterns to isolated domains, such as access frequency, time period, traffic, and operation preferences. Then, based on these preferences, extract relevant user behavior feature items using the K-Means clustering algorithm. Calculate user access link features RN based on historical time-series user access link information using a Long Short-Term Memory Network-Attention mechanism (LSTM-Attention). This indicates the user's hopping patterns when accessing isolated domains, such as the previous hop address and the number of hops during access. Use an LSTM layer to capture the temporal features of user access link information, and add an Attention mechanism on top of the LSTM layer to extract key features from the user access link information. The formula for extracting important feature items from request statistics is as follows, where the request feature of the request statistics is denoted as QN: QN=BN∪RN;
[0077] 3. Collect request information (i.e. request content information) within a certain period of time in the isolated domain, and identify whether there are abnormal requests based on the rule engine of the context module. Mark normal requests as positive samples and abnormal requests as negative samples. Extract positive sample features and negative sample features, and use the positive sample features and negative sample features as content features of request content information.
[0078] In one optional implementation, the positive sample features of the normal request and the negative sample features of the abnormal request are extracted in the following manner:
[0079] A Transformer model is used to extract features from the normal requests and the abnormal requests, respectively.
[0080] Keywords are extracted from both the normal and the abnormal requests using the term frequency-inverse document frequency (TF-IDF) technique.
[0081] The positive sample features of the normal request are determined based on the keywords of the normal request and the features of the normal request extracted by the Transformer model.
[0082] The negative sample features of the abnormal request are determined based on the keywords of the abnormal request and the features of the abnormal request extracted by the Transformer model.
[0083] Specifically, feature extraction is performed using the Transformer model based on positive samples (i.e., normal requests) and negative samples (i.e., abnormal requests), respectively. The extracted positive sample features are denoted as TPN, and the negative sample features as TNN. The term frequency–inverse document frequency (TF-IDF) method is used to extract the keyword weights for both positive and negative samples. The weights are sorted from largest to smallest, and the top N keywords in the positive samples are taken as positive features IPN, and the top N keywords in the negative samples are taken as negative features INN. The features extracted by the Transformer model and the TF-IDF method are then combined. The formulas for calculating the positive sample features NN and the negative sample features AN are as follows: NN = TPN∪IPN; AN = TNN∪INN.
[0084] In one optional implementation, the anomaly monitoring item is determined in the following way:
[0085] The abnormal monitoring items are defined as those that have reached a set condition for a set number of consecutive days in the network indicator statistics information; wherein, the set condition is that the ranking of the number of abnormalities in a day is higher than a set rank.
[0086] Calculate the mutation rate of each monitoring item, and determine that the abnormal monitoring items include a set number of monitoring items with the largest mutation rate.
[0087] Specifically, anomaly monitoring items are determined in the following ways:
[0088] In the statistical information of network indicators of the isolated domain, the top K monitoring items with the most anomalies in each monitoring item per day are recorded as important feature candidates CN if the number of consecutive days in which these monitoring items appear exceeds M.
[0089] The average mutation rate of abnormal indicators over a certain period of time is calculated as follows: This is the ratio of the increase in the average value of abnormal data when an anomaly occurs to the increase in the average value of normal data for the monitored items during this period.
[0090] Among them, avg(x_a) represents the average of normal data, and avg(x) represents the average of abnormal data;
[0091] The top Z monitoring items with the largest average mutation rate of abnormal indicators are selected as important feature candidates CM;
[0092] The formula for extracting network feature SN based on network indicator statistics of the isolated domain is as follows: SN=CN∪CM.
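The selection of abnormal monitoring items described in [0088] to [0092], as an added example that is not the application's own code: it computes CN (items that stay in the daily top-K for more than M consecutive days), CM (the top-Z items by average mutation rate) and SN = CN ∪ CM over constructed per-day anomaly counts. Because the page states the mutation rate only in words, the example assumes it is (avg(x) - avg(x_a)) / avg(x_a); the day labels, item names and values are constructed sample data.

```python
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample data (not from the patent): anomaly counts per monitoring
# item per day for one isolation domain, keyed day -> item -> count.
DAILY_ANOMALIES: Dict[str, Dict[str, int]] = {
    "d1": {"traffic": 12, "visitors": 3, "bandwidth": 9, "port_scan": 1, "proto_err": 0},
    "d2": {"traffic": 15, "visitors": 2, "bandwidth": 7, "port_scan": 8, "proto_err": 1},
    "d3": {"traffic": 11, "visitors": 1, "bandwidth": 10, "port_scan": 9, "proto_err": 0},
    "d4": {"traffic": 14, "visitors": 4, "bandwidth": 8, "port_scan": 6, "proto_err": 2},
}

# Constructed sample data: observed values of each item in normal periods
# (x_a in paragraph [0090]) and during flagged anomalies (x) in the same window.
NORMAL_VALUES: Dict[str, List[float]] = {
    "traffic": [100, 110, 105, 95], "visitors": [50, 52, 49, 51],
    "bandwidth": [40, 42, 41, 39], "port_scan": [2, 3, 2, 2], "proto_err": [1, 1, 2, 1],
}
ABNORMAL_VALUES: Dict[str, List[float]] = {
    "traffic": [900, 850, 950], "visitors": [60, 58], "bandwidth": [45, 50, 44],
    "port_scan": [30, 40], "proto_err": [3, 2],
}


def top_k_per_day(daily: Dict[str, Dict[str, int]], k: int) -> Dict[str, List[str]]:
    """For every day, the K monitoring items with the most anomalies ([0088])."""
    return {
        day: [item for item, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:k]]
        for day, counts in daily.items()
    }


def consecutive_candidates(daily: Dict[str, Dict[str, int]], k: int, m: int) -> Set[str]:
    """CN: items that stay in the daily top-K for more than M consecutive days."""
    days = sorted(daily)                      # chronological order of the day labels
    ranking = top_k_per_day(daily, k)
    items = {i for counts in daily.values() for i in counts}
    run: Dict[str, int] = defaultdict(int)    # current streak per item
    best: Dict[str, int] = defaultdict(int)   # longest streak per item
    for day in days:
        ranked = set(ranking[day])
        for item in items:
            run[item] = run[item] + 1 if item in ranked else 0
            best[item] = max(best[item], run[item])
    return {item for item in items if best[item] > m}


def mutation_rate(normal: List[float], abnormal: List[float]) -> float:
    """Average mutation rate of one item.

    Assumed reading of paragraph [0089]: (avg(x) - avg(x_a)) / avg(x_a), where
    avg(x_a) is the normal-period mean and avg(x) the anomaly-period mean.
    """
    avg_xa = sum(normal) / len(normal)
    avg_x = sum(abnormal) / len(abnormal)
    if avg_xa == 0:                           # no normal baseline: any rise counts as unbounded
        return float("inf") if avg_x > 0 else 0.0
    return (avg_x - avg_xa) / avg_xa


def mutation_candidates(normal: Dict[str, List[float]],
                        abnormal: Dict[str, List[float]], z: int) -> Set[str]:
    """CM: the Z items with the largest average mutation rate ([0091])."""
    rates = {item: mutation_rate(normal[item], abnormal[item])
             for item in normal if item in abnormal}
    return set(sorted(rates, key=lambda i: (-rates[i], i))[:z])


def network_features(daily, normal, abnormal, k: int, m: int, z: int) -> Set[str]:
    """SN = CN ∪ CM ([0092]): the abnormal monitoring items used as network features."""
    return consecutive_candidates(daily, k, m) | mutation_candidates(normal, abnormal, z)


if __name__ == "__main__":
    print(network_features(DAILY_ANOMALIES, NORMAL_VALUES, ABNORMAL_VALUES, k=2, m=1, z=2))
```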
[0093] In one optional implementation, the content features of the requested content information are extracted in the following manner:
[0094] A preset rule engine is invoked to identify the request content information, and normal requests and abnormal requests are identified in the request content information; positive sample features of the normal requests and negative sample features of the abnormal requests are extracted, and the positive sample features and the negative sample features are used as the content features of the request content information;
[0095] The user security level is determined in the following way:
[0096] Based on the large model classification algorithm, the user security level is determined according to the request features, the positive sample features, the negative sample features, the request statistics, and the request content information.
[0097] Specifically, the user security level (US) is assessed based on a large model classification algorithm, using the following formula: DS = LLM(QN,NN,AN,Y,Z);
[0098] Wherein, QN represents the user's request statistics features (i.e., request features), NN represents normal request features (i.e., positive sample features), AN represents abnormal request features (i.e., negative sample features), Y represents the set of request statistics, and Z represents the set of request content information. User security levels are divided into three levels: Level 1, Level 2, and Level 3. From Level 1 to Level 3, the security control policies for the isolated domains for each user become progressively stronger. For example, Level 1 uses point-to-point management, specifying access from a specific IP address; Level 2 uses precise management, specifying control information such as ports and protocols; and Level 3 uses a strong control mode, adding functions such as request content and traffic detection to filter malicious requests and traffic, thus strengthening control. It is worth noting that the user security level classification and specific security control policies can be set according to actual circumstances and are not limited here.
[0099] In one optional implementation, the micro-segmentation policy includes at least one of request IP restriction rules, access port control rules, request protocol control rules, and traffic control rules. It is understood that the isolation domain can control user access in terms of request IP, access port, request protocol, and traffic.
[0100] Compared with related technologies, the embodiments of this application provide a zero-trust micro-segmentation access control method. Under the zero-trust architecture, by introducing intelligent agents, system resources are divided into multiple logical micro-isolation domains. All traffic that needs to enter or leave this isolation domain must pass through the intelligent proxy module. At the same time, the micro-segmentation intelligent control algorithm is used to generate the micro-segmentation policy for the corresponding isolation domain, and the micro-segmentation policy is continuously optimized in the subsequent continuous operation, thereby improving the overall security of the enterprise's business systems.
[0101] This application also provides a micro-segmentation access control method, including:
[0102] The system acquires network metric statistics, user request statistics, and request content information for the isolated domains and sends them to the intelligent control center, so that the intelligent control center executes the micro-segmentation access control method as described in any of the above embodiments; wherein, the system resources are logically divided into several isolated domains.
[0103] The micro-segmentation policy is obtained from the intelligent control center, and the user's access is controlled according to the micro-segmentation policy.
[0104] Compared with related technologies, this embodiment logically divides system resources into multiple isolation domains. For each isolation domain, relevant information within the domain is used to generate a corresponding micro-isolation policy for each user. This micro-isolation policy is then used to control access to resources, effectively ensuring network security.
[0105] Referring to Figure 6, this application embodiment also provides a micro-segmentation access control device, including:
[0106] The information acquisition module 21 is used to acquire network indicator statistics of the isolation domain, user request statistics, and request content information; wherein, the system resources are logically divided into several isolation domains.
[0107] Feature extraction module 22 is used to extract the network features of the network indicator statistics, the request features of the request statistics, and the content features of the request content information, respectively.
[0108] The policy generation module 23 is used to input the network features, the request features, and the content features into a pre-trained policy generation model to obtain a micro-segmentation policy; wherein, the user's access to the isolated domain is controlled by the isolated domain according to the micro-segmentation policy.
[0109] In one implementation, the strategy generation module 23 is specifically used for:
[0110] The network features, the request features, and the content features are input into a pre-trained agent based on a large model; wherein, the policy generation model is an agent based on a large model.
[0111] The security level of the isolation domain is determined based on the network characteristics; the user security level is determined based on the request characteristics and the content characteristics.
[0112] The network features, the isolation domain security level, the request features, the content features, the user security level, and the historical memory information of the large model are fused to obtain fused features;
[0113] A micro-segmentation strategy is generated based on the fusion features.
[0114] In one implementation, the feature fusion of the network features, the isolation domain security level, the request features, the content features, the user security level, and the large model historical memory information to obtain fused features includes:
[0115] An isolation domain information set is formed based on the network characteristics and the isolation domain security level;
[0116] A user information set is formed based on the request characteristics, the content characteristics, and the user security level;
[0117] A self-attention mechanism is used to fuse the isolated domain information set, the user information set, and the large model historical memory information to obtain fused features.
[0118] In one embodiment, the feature extraction module 22 is specifically used for:
[0119] Analyze each monitoring item in the network indicator statistics to identify abnormal monitoring items, and use the abnormal monitoring items as network features.
[0120] Feature extraction is performed on the request statistics to obtain user behavior preference tags and user access link features, and the user behavior preference tags and user access link features are used as request features;
[0121] A preset rule engine is invoked to identify the request content information, and normal requests and abnormal requests are identified in the request content information; positive sample features of the normal requests and negative sample features of the abnormal requests are extracted, and the positive sample features and negative sample features are used as the content features of the request content information.
[0122] In one implementation, the positive sample features of the normal request and the negative sample features of the abnormal request are extracted in the following manner:
[0123] A Transformer model is used to extract features from the normal requests and the abnormal requests respectively.
[0124] Keywords are extracted from both normal and abnormal requests based on the term frequency-inverse document frequency (TF-IDF) technique.
[0125] The positive sample features of the normal request are determined based on the keywords of the normal request and the features of the normal request extracted by the Transformer model.
[0126] The negative sample features of the abnormal request are determined based on the keywords of the abnormal request and the features of the abnormal request extracted by the Transformer model.
[0127] In one implementation, the anomaly monitoring item is determined in the following way:
[0128] The abnormal monitoring items are defined as those that have reached a set condition for a set number of consecutive days in the network indicator statistics information; wherein, the set condition is that the ranking of the number of abnormalities in a day is higher than a set rank.
[0129] Calculate the mutation rate of each monitoring item, and determine that the abnormal monitoring items include a set number of monitoring items with the largest mutation rate.
[0130] In one implementation, the content features of the requested content information are extracted in the following manner:
[0131] A preset rule engine is invoked to identify the request content information, and normal requests and abnormal requests are identified in the request content information; positive sample features of the normal requests and negative sample features of the abnormal requests are extracted, and the positive sample features and the negative sample features are used as the content features of the request content information;
[0132] The user security level is determined in the following way:
[0133] Based on the large model classification algorithm, the user security level is determined according to the request features, the positive sample features, the negative sample features, the request statistics, and the request content information.
[0134] In one implementation, the network metric statistics include at least one of traffic information, number of visitors, bandwidth information, network protocol information, and network port information; the request statistics include at least one of user basic information, user historical access count, user historical access time period, user access traffic, user access operation, user security status, and user request link status; the request content information includes request content, and the request content information further includes at least one of request time, request protocol, and request port.
[0135] In one implementation, the micro-segmentation policy includes at least one of request IP restriction rules, access port control rules, request protocol control rules, and flow control rules.
[0136] It is worth noting that the working principle of the micro-segmentation access control device provided in the above embodiments can be found in the workflow of the micro-segmentation access control method provided in any of the above embodiments, and will not be repeated here.
[0137] Compared with related technologies, this embodiment logically divides system resources into multiple isolation domains. For each isolation domain, relevant information within the domain is used to generate a corresponding micro-isolation policy for each user. This micro-isolation policy is then used to control access to resources, effectively ensuring network security.
[0138] This application also provides a micro-isolation access control system, including an intelligent agent module and an intelligent control center; wherein, the system resources are logically divided into several isolation domains;
[0139] The intelligent proxy module is used to obtain network indicator statistics of the isolated domain, user request statistics and request content information, and send them to the intelligent control center;
[0140] The intelligent control center is used to extract the network features of the network indicator statistics, the request features of the request statistics, and the content features of the request content information respectively; input the network features, the request features, and the content features into a pre-trained strategy generation model to obtain a micro-segmentation strategy, and then send the micro-segmentation strategy to the intelligent agent module.
[0141] The intelligent proxy module is also used to control the user's access according to the micro-segmentation policy.
[0142] Specifically, referring to the data interaction of the micro-isolation access control system shown in Figure 7, the micro-isolation access control system includes an intelligent control center and an intelligent agent module. The system resources are divided into multiple isolation domains, such as isolation domain A and isolation domain B. Isolation domain A contains system resource A, and isolation domain B contains system resource B.
[0143] The intelligent proxy module is deployed on the server where the system resources reside. As a distributed proxy module, it forms micro-isolation domains with the system resources, used to collect access request information (such as request statistics and request content information) and network metric statistics for each isolation domain. The intelligent control center is deployed on a secure intranet and interacts with the intelligent proxy module through a secure interface. The intelligent agent in the intelligent control center, based on a large model, uses a micro-isolation intelligent control algorithm to generate micro-isolation policies for each isolation domain. These micro-isolation policies include request IP restrictions, access port control, request protocol control, and traffic control. Through the control of the intelligent control center, each isolation domain can be intelligently and finely controlled, preventing the lateral movement of malicious requests.
[0144] Furthermore, the micro-segmentation access control system also includes an intelligent policy center and an identity management center deployed on a secure intranet. The micro-segmentation access control system intercepts access requests from isolated domains through intelligent proxy modules and collects relevant information about the isolated domains. Then, the intelligent control center performs large-scale model calculations to generate specific micro-segmentation policies to process the requests.
[0145] Specifically, the functions of each part of the micro-segmentation access control system are as follows:
[0146] Intelligent Control Center: Responsible for providing large-scale model calculation capabilities and calculating micro-isolation strategies through micro-isolation intelligent control algorithms;
[0147] The intelligent proxy module is responsible for collecting statistics on access requests to the isolated domain (such as user request statistics and request content information), isolated domain statistical indicators (such as isolated domain network indicator statistics), and processing isolated domain requests through the isolated gateway.
[0148] Intelligent Policy Center: Responsible for providing configuration capabilities such as intelligent proxy module access request processing strategies and large model calculation strategies in the isolated domain;
[0149] Identity Management Center: Responsible for providing capabilities such as identity verification for isolated domain requests, identity information management and storage.
[0150] The intelligent agent module comprises an isolation gateway, an execution module, a model training module, and a statistics module. The intelligent agent module controls access requests to the isolated domain through the isolation gateway, while the execution module receives the large model calculation results from the intelligent control center and distributes execution strategies (i.e., micro-isolation strategies) to the isolation gateway.
[0151] Isolation Gateway: Responsible for handling access requests to the isolation domain and processing the corresponding requests according to the policies issued by the execution module;
[0152] Execution module: Responsible for receiving the large model calculation results from the intelligent control center and issuing the corresponding execution strategy to the isolation gateway for execution;
[0153] Model training module: responsible for model training of data within the isolated domain, which is then reported to the intelligent control center for large-scale model calculations;
[0154] Statistics module: Responsible for the statistics of the isolated domain itself, including statistics of isolated domain statistical indicators, isolated domain topology and other information.
[0155] The intelligent control center comprises an interface module, an LLM model, a thinking module, and a context module. The intelligent control center obtains relevant information about the isolation domain through the interface module, then processes and summarizes the data through the context module before inputting it into the LLM model. The LLM model outputs the micro-isolation strategy for the isolation domain based on the execution path planned by the thinking module.
[0156] Interface module: Responsible for providing large model interface capabilities, including receiving reported data, large model calculation interfaces, etc.
[0157] LLM model: responsible for large model calculations and calculating micro-isolation strategies for isolation domains;
[0158] Thinking module: Responsible for planning the execution process of the large model and correcting the execution path of the large model in a timely manner;
[0159] Context module: Responsible for processing data, performing feature engineering operations such as feature extraction and feature fusion.
[0160] It is worth noting that the working principle of the micro-segmented access control system provided in the above embodiments can be found in the workflow of the micro-segmented access control method provided in any of the above embodiments, and will not be repeated here.
[0161] Compared with related technologies, this embodiment logically divides system resources into multiple isolation domains. For each isolation domain, relevant information within the domain is used to generate a corresponding micro-isolation policy for each user. This micro-isolation policy is then used to control access to resources, effectively ensuring network security.
[0162] For example, in one specific embodiment, the micro-segmentation access control method of this application can be deployed in a service access authorization scenario across Public Land Mobile Network (PLMN) and Network Function (NF) as defined by relevant protocols. When a service consumer of the source PLMN needs to access a service producer of the target PLMN, the service communication proxy (SCP) and security edge protection proxy (SEPP) of the source PLMN, as intelligent proxy modules of the micro-segmentation access control system in this application, aggregate and forward service requests from different isolation domains.
[0163] The Network Repository Function (NRF) and related security entities in the target PLMN serve as the intelligent control center of the micro-isolation access control system in this application. Based on information such as network attributes, NF identity, PLMN relationship, and historical access status carried in the request, it generates fine-grained service access authorization policies and issues them in the form of access tokens and N32 protection policies. These policies are then executed by the SCP / SEPP of the source PLMN at the PLMN boundary, thereby realizing granular access control based on the isolation domain.
[0164] Specifically, in this embodiment, the Service-Based Architecture (SBA) domain inside the source PLMN is regarded as one isolated domain; the SBA domain inside the target PLMN is regarded as another isolated domain.
[0165] The intelligent agent module is deployed at the NF Service Consumer and SCP / SEPP of the source PLMN to aggregate and monitor service call requests across PLMNs. When it receives a business request from the user side or upstream NF, it collects network metric statistics, request statistics, and request content information, including traffic size, access time, accessed NF / API, source / target PLMN, protocol type (such as HTTP/2 over TLS / N32), and encapsulates them into a policy evaluation request, which is then reported to the intelligent control center.
[0166] The intelligent control center is deployed inside the target PLMN and logically encompasses the NRF and its cooperating security functional entities. After receiving a policy evaluation request from the intelligent agent module, the intelligent control center parses and normalizes the network metrics, access NF types, cross-PLMN relationships, user / terminal identities, service slice information, and historical access records carried in the request, thereby extracting network features, request features, and content features for subsequent micro-segmentation policy generation.
[0167] Based on the extracted network features, request features, and content features, combined with the isolation domain security level, user security level, and historical authorization records, the intelligent control center obtains the fused features for NF service access authorization. Among them, the isolation domain security level can correspond to factors such as cross-PLMN trust relationship, N32 protection strength, and the importance of the security domain where the target NF is located; the user security level can correspond to factors such as the network where the NF Service Consumer is located, identity authentication results, and historical behavioral risks.
[0168] The intelligent control center outputs a micro-segmentation policy for cross-PLMN NF service access. In this embodiment, the micro-segmentation policy can be specifically manifested as: request IP restriction rules between NF Service Consumer and target NF; access port control rules; request protocol control rules; and traffic control rules.
[0169] After generating the micro-segmentation policy, the intelligent control center distributes the policy to the intelligent agent module.
[0170] In this embodiment, the issuance and execution of policies are bound by access tokens and N32 protection contexts. The source PLMN's SCP / SEPP checks and executes the policy during subsequent service request forwarding. When a request does not meet the restrictions on IP, port, protocol, or traffic in the micro-segmentation policy, the intelligent proxy module can directly reject or adjust the request at the PLMN boundary, thereby achieving granular control over access between isolated domains.
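Enforcement of a micro-segmentation policy at the isolation gateway, as an added example that is not part of the application: it applies the four rule types of [0099] with the Level 1 to Level 3 progression of [0098] (IP restriction first, then port and protocol control, then request content and traffic detection) and rejects non-conforming requests at the boundary as described for the SCP / SEPP above. The policy message shape, the field names, the bytes-per-window traffic rule and the path-prefix content rule are assumptions of this example, and all addresses and users are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Any, Dict, List, Optional, Tuple


@dataclass
class Request:
    """One access request seen by the isolation gateway (constructed shape)."""
    src_ip: str
    dst_port: int
    protocol: str          # e.g. "HTTP/2"
    size: int              # bytes carried by the request
    path: str = "/"        # request content that a level-3 policy inspects


@dataclass
class MicroSegPolicy:
    """Policy issued by the intelligent control center for one user and domain.

    The four rule types are those of paragraph [0099]; the field names and the
    level-3 content rule (forbidden path prefixes) are assumptions of this example.
    """
    user: str
    security_level: int                                         # 1, 2 or 3 as in [0098]
    allowed_sources: List[str]                                  # request IP restriction rules (CIDRs)
    allowed_ports: List[int] = field(default_factory=list)      # access port control rules
    allowed_protocols: List[str] = field(default_factory=list)  # request protocol control rules
    max_bytes_per_window: Optional[int] = None                  # traffic control rule
    forbidden_paths: List[str] = field(default_factory=list)    # level-3 request content rule


def policy_from_issued(msg: Dict[str, Any]) -> MicroSegPolicy:
    """Execution module side: turn a distributed policy message into a policy object."""
    return MicroSegPolicy(
        user=msg["user"],
        security_level=int(msg["security_level"]),
        allowed_sources=list(msg.get("allowed_sources", [])),
        allowed_ports=[int(p) for p in msg.get("allowed_ports", [])],
        allowed_protocols=list(msg.get("allowed_protocols", [])),
        max_bytes_per_window=msg.get("max_bytes_per_window"),
        forbidden_paths=list(msg.get("forbidden_paths", [])),
    )


class IsolationGateway:
    """Enforces the per-user policy on every request entering the isolation domain."""

    def __init__(self, policies: Dict[str, MicroSegPolicy]):
        self.policies = policies
        self.window_bytes: Dict[str, int] = {}   # traffic accounted per user in the current window

    def reset_window(self) -> None:
        """Called at the start of each traffic accounting window."""
        self.window_bytes.clear()

    def decide(self, user: str, req: Request) -> Tuple[bool, str]:
        policy = self.policies.get(user)
        if policy is None:
            return False, "no policy for user: default deny"
        # Level 1 (point-to-point management): only listed source addresses may reach the domain.
        if not any(ip_address(req.src_ip) in ip_network(c, strict=False)
                   for c in policy.allowed_sources):
            return False, f"source {req.src_ip} not permitted"
        # Level 2 (precise management) adds port and protocol control.
        if policy.security_level >= 2:
            if req.dst_port not in policy.allowed_ports:
                return False, f"port {req.dst_port} not permitted"
            if req.protocol not in policy.allowed_protocols:
                return False, f"protocol {req.protocol} not permitted"
        # Level 3 (strong control) adds request content and traffic detection.
        if policy.security_level >= 3:
            if any(req.path.startswith(prefix) for prefix in policy.forbidden_paths):
                return False, "request content matched a block rule"
            total = self.window_bytes.get(user, 0) + req.size
            if policy.max_bytes_per_window is not None and total > policy.max_bytes_per_window:
                return False, "traffic limit for window exceeded"
            self.window_bytes[user] = total
        return True, "allowed"


# Constructed policy messages, as the execution module would receive them.
ISSUED_POLICIES = [
    {"user": "consumer-a", "security_level": 1, "allowed_sources": ["10.1.0.0/24"]},
    {"user": "consumer-b", "security_level": 2, "allowed_sources": ["10.2.0.0/24"],
     "allowed_ports": [443], "allowed_protocols": ["HTTP/2"]},
    {"user": "consumer-c", "security_level": 3, "allowed_sources": ["10.3.0.0/24"],
     "allowed_ports": [443], "allowed_protocols": ["HTTP/2"],
     "max_bytes_per_window": 10_000, "forbidden_paths": ["/internal/"]},
]


def build_gateway() -> IsolationGateway:
    """Gateway loaded with the constructed policies above."""
    return IsolationGateway({m["user"]: policy_from_issued(m) for m in ISSUED_POLICIES})


if __name__ == "__main__":
    gw = build_gateway()
    print(gw.decide("consumer-b", Request("10.2.0.7", 8080, "HTTP/2", 500)))  # port not permitted
```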
[0171] Referring to Figure 8, this application embodiment also provides a micro-segmented access control device, including a processor 31, a memory 32, and a computer program stored in the memory 32 and configured to be executed by the processor 31. When the processor 31 executes the computer program, it implements the steps as described in the above-described micro-segmented access control method embodiments, such as S11 to S13 in Figure 1; or, when the processor 31 executes the computer program, it implements the functions of each module in the above-described device embodiments. For example, the computer program can be divided into one or more modules, which are stored in the memory 32 and executed by the processor 31 to complete this application. The one or more modules can be a series of computer program instruction segments capable of performing specific functions, which describe the execution process of the computer program in the micro-segmented access control device. For example, the computer program can be divided into multiple modules, and the specific working process of each module can be referred to the working process of the micro-segmented access control device described in the above embodiments, which will not be repeated here.
[0172] The micro-segmented access control device can be a computing device such as a desktop computer, laptop, handheld computer, or cloud server. The micro-segmented access control device may include, but is not limited to, a processor 31 and a memory 32. Those skilled in the art will understand that the micro-segmented access control device may also include input / output devices, network access devices, buses, etc.
[0173] The processor 31 can be a Central Processing Unit (CPU), or other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The general-purpose processor can be a microprocessor or any conventional processor. The processor 31 is the control center of the micro-isolated access control device, connecting various parts of the entire micro-isolated access control device via various interfaces and lines.
[0174] The memory 32 can be used to store the computer programs and / or modules. The processor 31 implements various functions of the micro-segmented access control device by running or executing the computer programs and / or modules stored in the memory 32 and calling the data stored in the memory 32. The memory 32 may mainly include a program storage area and a data storage area. The program storage area may store the operating system, at least one application program required for a function (such as image playback function), etc.; the data storage area may store data created according to the use of the mobile phone, etc. In addition, the memory 32 may include high-speed random access memory, and may also include non-volatile memory, such as hard disk, memory, plug-in hard disk, smart media card (SMC), secure digital (SD) card, flash card, at least one disk storage device, flash memory device, or other volatile solid-state storage device.
[0175] If the modules integrated into the micro-segmented access control device are implemented as software functional units and sold or used as independent products, they can be stored in a non-transient computer-readable storage medium. Based on this understanding, all or part of the processes in the methods of the above embodiments can also be implemented by a computer program instructing related hardware. The computer program can be stored in a computer-readable storage medium, and when executed by the processor 31, it can implement the steps of the various method embodiments described above. The computer program includes computer program code, which can be in the form of source code, object code, executable files, or certain intermediate forms. The computer-readable medium can include: any entity or device capable of carrying the computer program code, recording media, USB flash drives, portable hard drives, magnetic disks, optical disks, computer memory, read-only memory (ROM), random access memory (RAM), electrical carrier signals, telecommunication signals, and software distribution media, etc.
[0176] This application also provides a computer program product, including a computer program / instruction, which, when executed by a processor, implements the micro-segmentation access control method as described in any of the above embodiments.
[0177] The above description represents optional embodiments of this application. It should be noted that those skilled in the art can make various improvements and modifications without departing from the principles of this application, and these improvements and modifications are also considered to be within the scope of protection of this application.
Claims
1. A micro-segmentation access control method, comprising:
obtaining network metric statistics, user request statistics, and request content information for the isolated domains; wherein system resources are logically divided into several of the aforementioned isolated domains;
extracting the network features from the network indicator statistics, the request features from the request statistics, and the content features from the request content information, respectively;
inputting the network features, request features, and content features into the policy generation model to obtain a micro-segmentation policy; wherein the user's access to the isolated domain is controlled by the isolated domain according to the micro-segmentation policy.
2. The micro-segmentation access control method as described in claim 1, wherein the step of inputting the network features, request features, and content features into the strategy generation model to obtain the micro-segmentation strategy includes:
inputting the network features, request features, and content features into a large-model-based agent; wherein the policy generation model is a large-model-based agent;
determining the security level of the isolation domain based on the network characteristics, and determining the user security level based on the request characteristics and the content characteristics;
fusing the network features, the isolation domain security level, the request features, the content features, the user security level, and the historical memory information of the large model to obtain fused features;
generating a micro-segmentation strategy based on the fused features.
3. The micro-segmentation access control method according to claim 2, wherein fusing the network features, the isolation domain security level, the request features, the content features, the user security level, and the large model historical memory information to obtain fused features comprises: forming an isolation domain information set from the network features and the isolation domain security level; forming a user information set from the request features, the content features, and the user security level; and fusing the isolation domain information set, the user information set, and the large model historical memory information by a self-attention mechanism to obtain the fused features.
4. The micro-segmentation access control method according to claim 1, wherein extracting network features from the network metric statistics, request features from the user request statistics, and content features from the request content information comprises: analyzing each monitoring item in the network metric statistics to identify abnormal monitoring items, and using the abnormal monitoring items as the network features; performing feature extraction on the user request statistics to obtain user behavior preference tags and user access link features, and using the user behavior preference tags and the user access link features as the request features; and invoking a preset rule engine to identify normal requests and abnormal requests in the request content information, extracting positive sample features of the normal requests and negative sample features of the abnormal requests, and using the positive sample features and the negative sample features as the content features of the request content information.
5. The micro-segmentation access control method according to claim 4, wherein the positive sample features of the normal requests and the negative sample features of the abnormal requests are extracted as follows: a Transformer model is used to extract features from the normal requests and the abnormal requests respectively; keywords are extracted from the normal requests and the abnormal requests based on the term frequency-inverse document frequency (TF-IDF) technique; the positive sample features of the normal requests are determined based on the keywords of the normal requests and the features of the normal requests extracted by the Transformer model; and the negative sample features of the abnormal requests are determined based on the keywords of the abnormal requests and the features of the abnormal requests extracted by the Transformer model.
6. The micro-segmentation access control method according to claim 4, wherein the abnormal monitoring items are determined as follows: monitoring items that have met a set condition for a set number of consecutive days in the network metric statistics are determined to be abnormal monitoring items, wherein the set condition is that the item's daily ranking by number of anomalies is higher than a set rank; and a mutation rate of each monitoring item is calculated, and a set number of monitoring items with the largest mutation rates are also determined to be abnormal monitoring items.
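As an added illustration of the two selection rules in claim 6 (not code from the patent), the following Python picks abnormal monitoring items from constructed daily anomaly counts. It assumes that "ranking higher than a set rank" means a rank number at most the set rank, and that the mutation rate is the relative change between the last two days; the claim fixes neither definition.

```python
from typing import Dict, List

# Constructed sample: daily anomaly counts per monitoring item over four consecutive days.
SAMPLE_ANOMALY_COUNTS: Dict[str, List[int]] = {
    "cpu_util":    [3, 4, 5, 6],
    "tcp_retrans": [9, 8, 12, 15],
    "dns_fail":    [1, 7, 9, 11],
    "disk_io":     [2, 1, 1, 1],
    "port_scan":   [0, 0, 0, 8],   # quiet, then a sudden jump on the last day
}


def daily_ranks(counts: Dict[str, List[int]]) -> Dict[str, List[int]]:
    """Rank every item on every day by its anomaly count (1 = most anomalies that day)."""
    days = len(next(iter(counts.values())))
    ranks: Dict[str, List[int]] = {item: [] for item in counts}
    for d in range(days):
        order = sorted(counts, key=lambda item: counts[item][d], reverse=True)
        for rank, item in enumerate(order, start=1):
            ranks[item].append(rank)
    return ranks


def items_by_rank(counts: Dict[str, List[int]], set_rank: int, consecutive_days: int) -> List[str]:
    """Rule 1: items ranked at or above set_rank on each of the last consecutive_days days."""
    ranks = daily_ranks(counts)
    return sorted(item for item, rs in ranks.items()
                  if len(rs) >= consecutive_days and all(r <= set_rank for r in rs[-consecutive_days:]))


def mutation_rate(series: List[int]) -> float:
    """Assumed definition: relative change between the last two days; a jump from zero is unbounded."""
    prev, cur = series[-2], series[-1]
    if prev == 0:
        return float("inf") if cur > 0 else 0.0
    return abs(cur - prev) / prev


def items_by_mutation(counts: Dict[str, List[int]], top_n: int) -> List[str]:
    """Rule 2: the top_n items with the largest mutation rate."""
    return sorted(counts, key=lambda item: mutation_rate(counts[item]), reverse=True)[:top_n]


def abnormal_monitoring_items(counts: Dict[str, List[int]], set_rank: int = 2,
                              consecutive_days: int = 3, top_n: int = 1) -> List[str]:
    """Union of both rules: these items become the network features fed to the policy model."""
    return sorted(set(items_by_rank(counts, set_rank, consecutive_days))
                  | set(items_by_mutation(counts, top_n)))


if __name__ == "__main__":
    print(abnormal_monitoring_items(SAMPLE_ANOMALY_COUNTS))  # ['dns_fail', 'port_scan', 'tcp_retrans']
```

Rule 1 catches items that are persistently among the worst (tcp_retrans, dns_fail), while rule 2 catches a quiet item that suddenly spikes (port_scan), which a ranking-only rule would miss.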
7. The micro-segmentation access control method according to claim 2, wherein the content features of the request content information are extracted as follows: a preset rule engine is invoked to identify normal requests and abnormal requests in the request content information, positive sample features of the normal requests and negative sample features of the abnormal requests are extracted, and the positive sample features and the negative sample features are used as the content features of the request content information; and the user security level is determined as follows: based on a large model classification algorithm, the user security level is determined according to the request features, the positive sample features, the negative sample features, the user request statistics, and the request content information.
8. The micro-segmentation access control method according to claim 1, wherein the network metric statistics include at least one of traffic information, number of visitors, bandwidth information, network protocol information, and network port information; the user request statistics include at least one of user basic information, user historical access count, user historical access time period, user access traffic, user access operation, user security status, and user request link information; and the request content information includes the request content and further includes at least one of request time, request protocol, and request port.
9. The micro-segmentation access control method according to claim 1, wherein the micro-segmentation policy includes at least one of the following: request IP restriction rules, access port control rules, request protocol control rules, and flow control rules.
10. The micro-segmentation access control method according to claim 1, wherein the micro-segmentation policy is divided into a normal mode, a control mode, a limited control mode, and an emergency mode.
11. A micro-segmentation access control method, comprising: obtaining network metric statistics, user request statistics, and request content information of an isolation domain and sending them to an intelligent control center, so that the intelligent control center executes the micro-segmentation access control method according to any one of claims 1 to 10; and obtaining the micro-segmentation policy from the intelligent control center and controlling the user's access according to the micro-segmentation policy.
12. A micro-segmentation access control apparatus, comprising: an information acquisition module configured to acquire network metric statistics, user request statistics, and request content information of an isolation domain, wherein system resources are logically divided into several isolation domains; a feature extraction module configured to extract network features from the network metric statistics, request features from the user request statistics, and content features from the request content information, respectively; and a policy generation module configured to input the network features, the request features, and the content features into a pre-trained policy generation model to obtain a micro-segmentation policy, wherein the user's access to the isolation domain is controlled by the isolation domain according to the micro-segmentation policy.
13. A micro-segmentation access control system, comprising an intelligent agent module and an intelligent control center, wherein: the intelligent agent module is configured to acquire network metric statistics, user request statistics, and request content information of an isolation domain and send them to the intelligent control center, wherein system resources are logically divided into several isolation domains; the intelligent control center is configured to extract network features from the network metric statistics, request features from the user request statistics, and content features from the request content information, respectively, to input the network features, the request features, and the content features into a pre-trained policy generation model to obtain a micro-segmentation policy, and to send the micro-segmentation policy to the intelligent agent module; and the intelligent agent module is further configured to control the user's access according to the micro-segmentation policy.
14. A micro-segmentation access control device, comprising a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, wherein the processor, when executing the computer program, implements the micro-segmentation access control method as claimed in any one of claims 1 to 11.
15. A non-transitory computer-readable storage medium comprising a stored computer program, wherein, when the computer program is executed, it controls a device containing the computer-readable storage medium to perform the micro-segmentation access control method according to any one of claims 1 to 11.
16. A computer program product comprising a computer program/instructions that, when executed by a processor, implement the micro-segmentation access control method according to any one of claims 1 to 11.