As a representative of the new generation of cybersecurity solutions, zero trust takes "never trust, always verify" as its core idea. It performs continuous behavior analysis and trust evaluation by correlating as many data sources as possible, so as to achieve dynamic and fine-grained access control. Zero trust carries the coupling between entities in real scenarios into the definition of the access subject: the access subject is defined as an organic whole composed of entities such as users and terminals, and this whole, rather than any single entity, is the object of behavior analysis and trust evaluation. The relationships between entities must therefore be included in the behavior analysis and trust evaluation of access subjects. Compared with traditional cybersecurity solutions, zero trust removes the dependence on network architecture, so a protection system built on this concept is not affected by changes in network architecture. The behavior analysis and trust evaluation of access subjects in zero trust is thus a meaningful and forward-looking research topic. However, existing research on behavior analysis and trust evaluation has always taken a single kind of entity as its object, which does not fully meet the needs of zero trust.

Therefore, in this paper we introduce UEBA (user and entity behavior analytics) into the behavior analysis of the access subject and design a model for characterizing and associating its behavior. We also propose an anomaly detection scheme for the access subject. On this basis we design a trust evaluation model for the access subject, propose the protection idea of paying attention to the other entities associated with an abnormal entity in order to prevent potential threats, and give a method for analyzing the relationships between entities. The main work of this paper is as follows:

(1) A general model for characterizing and associating the behavior of the access subject, based on the attributed graph, is proposed, together with the steps for generating it, and it is verified on a specific data set. The model can be applied to different data sources and associates and aggregates multi-source heterogeneous data, so as to track the whole process of the access subject's activities and provide a sound foundation for analyzing its behavior.

(2) A multi-baseline comparison scheme based on OCSVM (one-class SVM) for anomaly detection of access subjects is proposed. It overcomes the limitation of single-entity analysis by constructing group analysis and produces anomaly indicators that reflect the degree of anomaly. Experiments show that the scheme can detect unknown anomalies without relying on prior knowledge, and that the designed anomaly indicators are a reliable basis for anomaly review and handling.

(3) To obtain fine-grained trust evaluation results, a logistic-regression-based trust evaluation model for the access subject is proposed. The model evaluates the trust of the access subject from its behavior analysis results and expresses the result as a trust score in a bounded continuous interval. Experiments show that the model is reasonable and feasible.

(4) The protection idea of paying attention to the other entities associated with an abnormal entity in order to prevent potential threats is proposed, and an entity association analysis method based on the heterogeneous information network is designed. The method uses the heterogeneous information network as an analytical tool to mine the associations between entities from the records of their interaction activities. Experimental results show that the method can effectively find the other entities strongly correlated with an abnormal entity, and that this protection idea is of great significance for improving the protection capability of the security system.
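The following is an added, self-contained illustration of the four-step pipeline described above (attributed graph, multi-baseline anomaly indicators, logistic-regression trust score, and meta-path association over a heterogeneous information network). It is not the paper's code or data set: the interaction records, the department map, the four behavior features, the bandwidth constant and the logistic-regression weights are all constructed for the example. A component-wise median centroid is used as a stand-in for the paper's OCSVM boundary so the script runs on the standard library alone, and PathSim over user-terminal-user and user-resource-user meta-paths stands in for whatever association measure the paper uses.

```python
"""Added example (not from the paper): an access subject = (user, terminal) pair.
The pair is modelled as an attributed graph, scored against several peer baselines,
mapped to a bounded trust score, and the entities associated with a flagged subject
are ranked over a heterogeneous information network (HIN). All data is constructed."""
from collections import defaultdict
from math import exp, sqrt
from statistics import median

# Constructed interaction records: (user, terminal, resource, hour, bytes).
RECORDS = [
    ("alice", "pc-01", "wiki", 9, 1200), ("alice", "pc-01", "crm", 10, 800),
    ("alice", "pc-01", "wiki", 14, 900), ("alice", "pc-01", "crm", 16, 1100),
    ("bob", "pc-02", "wiki", 9, 1000), ("bob", "pc-02", "crm", 11, 700),
    ("bob", "pc-02", "wiki", 15, 950), ("bob", "pc-02", "crm", 17, 1050),
    ("carol", "pc-03", "crm", 10, 1300), ("carol", "pc-03", "wiki", 13, 600),
    ("carol", "pc-03", "crm", 15, 900), ("carol", "pc-03", "wiki", 16, 1000),
    ("erin", "pc-05", "crm", 10, 880), ("erin", "pc-05", "wiki", 11, 1020),
    ("erin", "pc-05", "crm", 15, 940), ("erin", "pc-05", "wiki", 16, 1060),
    # dave on his usual terminal behaves like his peers ...
    ("dave", "pc-04", "wiki", 9, 1100), ("dave", "pc-04", "crm", 12, 850),
    ("dave", "pc-04", "wiki", 14, 950), ("dave", "pc-04", "crm", 17, 1000),
    # ... but dave on the shared terminal pc-02 pulls large volumes at night
    ("dave", "pc-02", "fileshare", 2, 90000), ("dave", "pc-02", "fileshare", 3, 120000),
    ("dave", "pc-02", "db", 3, 250000), ("dave", "pc-02", "db", 4, 310000),
]
DEPARTMENT = {"alice": "sales", "bob": "sales", "carol": "eng", "dave": "eng", "erin": "eng"}
BANDWIDTH = 0.2                            # hypothetical scale: distance -> indicator
LR_WEIGHTS, LR_BIAS = (-6.0, -2.0), 3.0    # hypothetical fitted logistic-regression parameters


def build_graph(records):
    """Attributed graph: node -> type, node -> neighbours, (user, terminal) -> activity attrs."""
    ntype, adj, subject_attrs = {}, defaultdict(set), defaultdict(list)
    for user, term, res, hour, nbytes in records:
        ntype.update({user: "user", term: "terminal", res: "resource"})
        for a, b in ((user, term), (user, res), (term, res)):
            adj[a].add(b)
            adj[b].add(a)
        subject_attrs[(user, term)].append({"resource": res, "hour": hour, "bytes": nbytes})
    return ntype, adj, subject_attrs


def subject_features(subject_attrs):
    """Per access subject: activity count, distinct resources, mean bytes, off-hours share."""
    raw = {}
    for subj, acts in subject_attrs.items():
        raw[subj] = [len(acts), len({a["resource"] for a in acts}),
                     sum(a["bytes"] for a in acts) / len(acts),
                     sum(1 for a in acts if a["hour"] < 7 or a["hour"] >= 20) / len(acts)]
    # min-max scale each dimension over all subjects so no unit dominates the distance
    dims = list(zip(*raw.values()))
    lo, hi = [min(d) for d in dims], [max(d) for d in dims]
    return {s: [(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(vec, lo, hi)]
            for s, vec in raw.items()}


def anomaly_indicators(feats):
    """Multi-baseline comparison: score each subject against its department peers and the
    whole population (excluding itself). A component-wise median centroid stands in for the
    paper's OCSVM boundary; the indicator 1 - exp(-d / BANDWIDTH) lies in [0, 1)."""
    out = {}
    for subj, vec in feats.items():
        baselines = {
            "department": [v for s, v in feats.items()
                           if s != subj and DEPARTMENT[s[0]] == DEPARTMENT[subj[0]]],
            "population": [v for s, v in feats.items() if s != subj],
        }
        scores = {}
        for name, group in baselines.items():
            if not group:          # no peers to compare against for this baseline
                continue
            centroid = [median(col) for col in zip(*group)]
            d = sqrt(sum((a - b) ** 2 for a, b in zip(vec, centroid)))
            scores[name] = 1.0 - exp(-d / BANDWIDTH)
        out[subj] = scores
    return out


def trust_scores(indicators):
    """Logistic-regression trust score in (0, 1) from the anomaly indicators."""
    out = {}
    for subj, scores in indicators.items():
        vals = list(scores.values()) or [0.0]
        x = (max(vals), sum(v > 0.5 for v in vals) / len(vals))   # worst indicator, share flagged
        z = LR_BIAS + sum(w * xi for w, xi in zip(LR_WEIGHTS, x))
        out[subj] = 1.0 / (1.0 + exp(-z))
    return out


def associated_entities(ntype, adj, entity, metapaths):
    """Rank other entities of the same type by PathSim summed over length-2 meta-paths,
    e.g. user-terminal-user (shared terminal) and user-resource-user (shared resource)."""
    def middles(x, mtype):
        return {n for n in adj[x] if ntype[n] == mtype}
    sims = defaultdict(float)
    for _, mtype, _ in metapaths:
        mine = middles(entity, mtype)
        for other in ntype:
            if other == entity or ntype[other] != ntype[entity]:
                continue
            shared = len(mine & middles(other, mtype))
            if shared:   # PathSim: 2*paths(x,y) / (paths(x,x) + paths(y,y))
                sims[other] += 2.0 * shared / (len(mine) + len(middles(other, mtype)))
    return sorted(sims.items(), key=lambda kv: -kv[1])


def run(records=RECORDS):
    ntype, adj, subject_attrs = build_graph(records)
    ind = anomaly_indicators(subject_features(subject_attrs))
    trust = trust_scores(ind)
    flagged = [s for s, t in trust.items() if t < 0.5]
    paths = [("user", "terminal", "user"), ("user", "resource", "user")]
    assoc = {s[0]: associated_entities(ntype, adj, s[0], paths) for s in flagged}
    return ind, trust, flagged, assoc


if __name__ == "__main__":
    ind, trust, flagged, assoc = run()
    for subj, t in sorted(trust.items(), key=lambda kv: kv[1]):
        rounded = {k: round(v, 3) for k, v in ind[subj].items()}
        print(f"{subj[0]}@{subj[1]}: indicators={rounded} trust={t:.3f}")
    for user, ranked in assoc.items():
        print(f"entities to watch along with {user}: {ranked[:3]}")
```

Running it flags only the (dave, pc-02) subject, while (dave, pc-04) stays trusted: the anomaly belongs to the user-terminal pair, not to the user alone, which is the point of treating the pair as the access subject. The association step then ranks bob first because he shares both the terminal pc-02 and two resources with dave, so the shared terminal is where a practitioner would look next. Where scikit-learn is available, `sklearn.svm.OneClassSVM` fitted on each baseline group can replace the median-centroid distance with the decision function the paper actually uses.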