This work is licensed under http://creativecommons.org/licenses/by/4.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.

1. Introduction

The term ZT (zero trust) is now commonly used in a variety of contexts [1]. In order to solve the failure problem of traditional boundary-based security protection architecture, the ZT identity security solution creates a new dynamic virtual identity boundary. Large scale, diversity, complexity, and high value characterize the data, which includes user personal privacy data, enterprise data with high commercial value, and important data related to national government security. Data have evolved into a key component of the digital economy, a national basic resource and strategic resource, and a useful tool for social governance [2, 3].

The traditional enterprise information security system is based on border protection and intrusion detection. That is to say, it is through deploying firewall, intrusion prevention system, and web application firewall at the boundary between intranet and Internet to conduct intrusion detection and access control of attacks from the Internet [4−6]. ZT is a brand-new security concept, which subverts the paradigm of network security; breaks the concept of network boundary, devices, and applications; and establishes the application-level security protection system [7]. Enterprises’ efforts to practice in this field are not only the premise of sustained and sound development, but also the due responsibility and mission. Each business department of the Ministry of Environment has various requirements for high-value data and hopes that it can be used conveniently locally after obtaining it. How to solve the problems of trustworthiness and controllability in the process of data distribution and sharing and the safety and reliability of data in user terminals and ensure the safety of the whole life cycle of data distribution and use is a very challenging technical problem.

The concept and idea of DD originated in the field of computer science research, and it was then gradually introduced into the field of control science research. [8, 9]. The components and key technologies of the ZT security network architecture are described in this paper, as well as an unsupervised learning clustering algorithm. Replacing representative classes with common class mean values creates representative points with some individuality. The weighted distance between sample points and representative points is defined as heuristic knowledge, which is used as the similarity measure between sample points and classes, and the quantitative value of each dimension index’s contribution to classification is extracted. The alarms generated periodically and continuously are false alarms, according to security incident statistics, so a statistic-based deaggregation algorithm is proposed.

2. Related Work

Technology and its application are profoundly and extensively influencing and changing the human society, and even reconstructing the human society. Data become a new factor of production, which contains huge economic value. With the movement of cloud workload, enterprises need to automatically classify and track data according to the specific cloud environment. Literature [10] applies SPSA (Complex Perturbation Stochastic Approximation) algorithm to optimize the parameters of state feedback controller in servo system, thus improving the output performance of the system. Literature [11] combines SPSA algorithm with fuzzy neural network for wind speed prediction of wind power generation system, and SPSA algorithm is used to train multilayer feedforward neural network to improve the performance of multilayer magic network. Literature [12, 13] applies model-free adaptive control method to discrete single-input single-output system and uses real-time input and output data to optimize controller parameters to improve the output tracking performance of the system. Literature [14] analyzes the control strategy of nonminimum phase system based on reference feedback tuning method. [15] Under the condition that it is difficult for the controlled object to establish an accurate mathematical model, the virtual feedback regulation algorithm is applied to the sewage treatment process control. Literature [16] puts forward the lazy learning algorithm to build learning model, instead of the traditional mechanical learning algorithm using prior training data to build learning model. Literature [17] proposes a recursive lazy learning control strategy based on the damped magnetorheological model. How to embed offline data into online control, effectively combine it with online data, organically combine the advantages of mathematical model with those of DD, and complement each other’s travel advantages will be a significant research work.

The ZT identity security solution follows the security logic of “authenticating devices and users first, then accessing services,” with the goal of creating new scenarios suitable for cloud computing, big data, mobile computing, and other scenarios, as well as providing deep dynamic and trusted access control for API calling and other scenarios. For association analysis [5], literature [18] proposed an attack description language, and his research became the pioneer of attack description language. The CEP (Context-based Event Correlator) event correlation analysis system was proposed in the literature [19], and it has evolved into a series of event correlation analysis services, including security events. However, the findings of the research did not have much of an impact at this point. By analyzing causality between attacks, literature [20] proposed a multistep correlation analysis. The attack scene is also built using the association analysis method proposed in document [21], which defines the association rules of preconditions and consequences between attack steps. Literature [22] proposes a security alarm correlation system based on alarm attribute similarity, which constructs a security event correlation analysis system using manually defined probability similarity between intrusion events and minimum matching rules. Literature [23] proposed two clustering and association methods for IDS (Intrusion Detection Systems) alarm correlation analysis, which took into account similarity and causality and partially solved the problem.

3. Research Method

3.1. ZT Security Architecture

For a long time, network security has caused certain troubles to people’s normal study and work, and also severely restricted the development of Internet technology. In the network environment lacking security, information and data in the network system are facing great risks of leakage. Therefore, it is necessary to strengthen the network security management, optimize the network environment through network security maintenance, so that the information and data stored in the network can be safely protected, and avoid the dangers of virus invasion and control.

The essence of ZT architecture is to build an identity-based dynamic trusted access control system between access subjects and objects, as shown in Figure 1.

[figure omitted; refer to PDF]

Under ZT framework, the access object is the core protected resource, and a protection surface is built for the protected resources, which include but are not limited to key information infrastructure such as business applications, service interfaces, operation functions, and data. Access subjects include identified digital entities such as personnel, equipment, applications, and systems. In a certain access context, these entities can be combined and bound to further clarify and limit the subjects.

Although security policy and access control will be returned to a single instance rather than the network itself in some ways, the hybrid cloud architecture design will not easily meet the traditional network segmentation mode. Real-time, near-real-time continuous nonawareness verification is carried out in the process of users accessing services by continuously evaluating the activity of user accounts, the security of terminals used by users, the behavior of users operating terminals, and the behavior of users accessing services, in order to ensure identity security without affecting users’ use. Data acquisition is the first step in DD security. According to their sources, data can be classified as internal or external. Internal data include internal traffic, network and security equipment logs, host logs, database logs, business system logs, domain name information, discovered vulnerabilities, asset owner, baseline configuration, and security equipment configuration, among other things. External data are primarily based on external threat information, manufacturer-provided rule base upgrades, and so on. All types of logs can be correlated according to time after deduplication to form a snapshot of the entire information system operation at a specific point in time.

In an enterprise, the logical components that make up ZT network deployment can be used as services. The reference frame of logical components is shown in Figure 2, which shows the basic relationship between components and their interactions.

[figure omitted; refer to PDF]

PDP (policy decide point) is divided into two logical components, namely, PE (policy engine) and PA (policy administrator).

PEP (Policy Enforcement Point) linkage is responsible for establishing the logical connection between clients and resources and generating any authentication tokens or vouchers used by clients to access enterprise resources. It is the policy decision point of ZT architecture control plane. Permission decision is no longer based on simple static rules, but based on context attributes, trust levels, and security policies.

Every system (belonging to the object) released by an enterprise has an installed client on the subject to coordinate the connection, and each object has a gateway program directly in front, so that the object only communicates with the gateway; acts as the reverse agent of the object; is responsible for enabling, monitoring, and finally terminating the connection between the subject and the object; is the gateway to ensure safe access; and is the policy enforcement point of dynamic access control capability.

Data will involve different stages in the whole life cycle, and each stage will face different security risks. Therefore, focus on the entire life cycle of data, from three levels of organization construction, personnel ability, and technical support, and build the overall framework of data security system around the principle of three synchronizations of security (synchronous planning, synchronous construction, and synchronous operation), as shown in Figure 3.

[figure omitted; refer to PDF]

According to the needs, the data in each security domain on the terminal can be partially or completely backed up to the remote server, supporting real-time backup and regular backup and providing version management function to ensure that the data can be traced back on the timeline. Support the encryption of backup data, provide the sharing function of data in the same security domain, and ensure that the shared data are stored and used according to the security domain policy, and all related data flow behaviors are monitored in real time and audited afterwards.

When using the public Internet to access the enterprise intranet, the data plane captures the network access, authenticates the users and devices, and then sends an access authorization request to the control plane once the authentication is complete. The control plane component verifies the request’s data, analyzes and evaluates the access subject’s trust level using a fine-grained business management and control strategy, determines the access authorization level, issues the authorization judgment result in the form of a control strategy, reconfigures the data plane, and grants the request of the minimum access right all at the same time.

The level of protection has shifted from network to application protection. Because ZT network believes the network is untrustworthy, it no longer strengthens network-level protection measures to address risks, instead focusing on application-level protection, including authentication, access control, and encryption for service applications. The goal is to eliminate unauthorized lateral movement access in the network, particularly within the internal network.

3.2. DD-Based ZT Key Algorithm

3.2.1. Behavior Trust Value Measurement Algorithm

Trust evaluation is the core practice of ZT architecture to build trust from scratch. Through the trust evaluation engine, the ability of identity-based trust evaluation can be realized.

Although the boundary of user behavior trust level is fuzzy and user behavior is very random, user behavior is approximately normal distribution, so this paper introduces the normal cloud theory into the measurement of user behavior trust. Normal cloud theory can realize the uncertain transformation from qualitative concept to quantitative representation.

In this paper, the cloud fuzzy evaluation theory is used to quantitatively map the collected multidimensional network monitoring data to specific trust metrics, which provides a reliable means for the realization of dynamic metrics in ZT access control [24]. Firstly, the related concepts of trust cloud and cloud drop in cloud theory are given below.

According to the requirement of security intensity, each metric has $z$ intervals based on the user role. The higher the metric, the higher its credibility, in which the minimum and maximum values of the $i$-th interval are $a{i}_{\min },a{i}_{\max }$, and the behavior data standard is quantified as the trust value $\epsilon$:$$\begin{array}{}\text{(1)}& \epsilon =a{i}_{\max }+\theta \times ai-a{i}_{\min },\end{array}$$where when $i\ge z/2$, $\theta$ is the percentage of the number of behavior data in the $i$-th interval whose user metric value is greater than or equal to the total metric data. In $i<z/2$, $\theta$ is the percentage of the number of behavior data whose user measurement value is less than the $i$-th interval to the total measurement data.

Using the actual normal trust cloud synthesizer, take the expectation, entropy, super entropy of the obtained $m$ metrics normal trust subclouds and the weight ${\gamma }_i{\displaystyle {\sum }_{i=1}^m{\gamma }_i=1}$ of each index as input, and get the expectation, entropy, and super entropy of the actual normal trust cloud as follows:$$\begin{array}{}\text{(2)}& \begin{array}{c}Ex={\displaystyle {\sum }_{i=1}^{m}E{x}_i\times {\gamma }_i}\\ En=\sqrt{{\displaystyle {\sum }_{i=1}^{m}E{n}_i^2\times {\gamma }_i}}\\ He={\displaystyle {\sum }_{i=1}^{m}H{e}_i\times {\gamma }_i}\end{array}.\end{array}$$

Compare the similarity between the actual normal trust cloud and the standard normal trust cloud, and take the trust level represented by the standard normal cloud with the highest similarity as the user’s trust level.

The behavior trust-based access decision agent can provide fine-grained access control based on the user’s role, the level of trust that users in that role have, and the confidentiality of resources. Managers of human resources departments in businesses, for example, can access all resources within their authority if they have a high level of trust, but they cannot access high-level resources if they have a low level of trust or access the network if they have a low level of trust.

3.2.2. Secure Event Aggregation Algorithm

The network-based model searches for activities with network attack characteristics by monitoring the data flow on the network in real time. The two models are complementary, and the network-based model can objectively reflect network activities and especially can monitor the blind spots of system audit [25]. The system-based model can monitor all kinds of activities in the system more accurately. The network-based model is limited by the switching network, while the system-based model is not affected by the switching network.

For $N$ sample points in the $d$-dimensional normalized space, divide them into $P$ initial classifications, and calculate $y_{i}i=1\sim N$ for each sample:$$\begin{array}{}\text{(3)}& \text{sum}{y}_i={\displaystyle \sum _{j=1}^d{y}_{ij}}.\end{array}$$

If $N$ samples are divided into $P$ classes, calculate for each $y_i$:$$\begin{array}{}\text{(4)}& 1+\frac{P-1\text{sum}{y}_i-M_I}{M_A-M_I}.\end{array}$$

If the nearest positive integer to the calculated value is $K$, then $y_i$ is classified into the $K$-th class.

Because a large number of alarms occur continuously with time, the attributes of alarms in this kind of alarms are basically the same, and they last for more than one day, even with time consistency, they happen continuously. This kind of alarm is called the trend class; that is, the alarm that occurs continuously over time.

There is also a part of the alarm interval that occurs in large numbers for a period of time, and it has a certain periodicity, which is called periodic term. In this case, if the alarm removal rule is generated, the real alarm may be removed, resulting in missing report. To avoid this problem, this section constructs a $F$ distribution model to test the authenticity of the period.

For the time series $xt:t\in N$, suppose there is a period $p$, grouping the series:$$\begin{array}{}\text{(5)}& xi,xp+i,x2p+i\cdots xn-1p+i\stackrel{\Delta }{=}{y}_{i1},y_{i2},\dots ,y_{\text{in}}1\le i\le p.\end{array}$$

According to statistical knowledge, $F$ obeys the $F$ distribution with the degree of freedom of $p-1,np-p$.

Given confidence $\alpha$, put forward hypothesis test:$$\begin{array}{c}\text{(6)}& H_0:F\ge F_{\alpha }p-1,np-p,H_0:F<F_{\alpha }p-1,np-p.\end{array}$$

$F$-test can confirm the periodicity of time series, so as to ensure that alarms without relevant properties will not be deleted, thus avoiding the occurrence of missing reports.

4. Results Analysis and Discussion

4.1. Similarity Analysis of Trust Cloud

The behavior-based access decision agent creates access policies based on the user’s trust level and deploys access decision middleware, which can design decision functions for user roles based on different security requirements and trust levels. Users’ historical behavior measurement data should be saved. When users first log in to the network, the behavior measurement agent evaluates their initial trust level based on the database’s historical behavior measurement data.

Network traffic behavior trust metrics, resource access behavior trust metrics, and security characteristics behavior trust metrics are the three parts of this paper’s user behavior trust metrics. The first two indicators are used to measure covert attacks and control access to resources based on the level of trust. The third index is used to assess users’ overt aggression and quickly deny users’ unauthorized access.

The similarity between the actual normal trust cloud and the standard normal trust cloud is calculated as shown in Figure 4, so the user belongs to the general trust level.

[figure omitted; refer to PDF]

In practical application, the actual behavior of legitimate users will be disturbed by random disturbance, which makes the calculated trust value approximately obey normal distribution.

In this paper, in the process of converting the user measurement data from quantitative to qualitative, the similarity between the actual trust cloud and the standard trust cloud is obtained by using the similarity calculation method, and the trust level with the highest similarity is selected as the user level, and hierarchical access control is implemented for users, so as to dynamically adjust their access rights.

Figure 5 shows that the algorithm in this paper has the least number of misclassified samples and stable results. The algorithm is relatively simple, repeatable, and real-time.

[figure omitted; refer to PDF]

Data degradation in special scenarios can realize the short-term outsourcing process of one-to-one authorization and the long-term outsourcing right acquisition process. Both of them need to be approved and authorized, and the outgoing path is limited to a special channel, so as to ensure that the whole process of monitoring and auditing, outgoing data, and outgoing process can meet the requirements of security policy.

Conduct a comprehensive audit of data access operations in the terminal security environment. It includes multidimensional audit of a series of important events such as file operation, network operation, program operation, data flow, data sharing, data transmission, location change of terminal equipment, and login time. Thanks to the deep integration with the whole system, the integrity and effectiveness of its audit data are greatly improved. At the same time, compared with the traditional bypass monitoring methods, its audit degree, function, and quality also show obvious advantages.

To sum up, the access control method based on the dynamic measurement of user behavior in this paper is more effective in preventing covert attacks and has higher control granularity.

4.2. Security Event Aggregation Analysis

Alarm data are the detection result of intrusion detection system to attack behavior, but it is mostly aimed at a single attack behavior, plus factors such as false alarm, false alarm, and repeated alarm, and there is no complete correspondence between alarm data and attack behavior. The goal of this paper is to reduce the burden of network security administrators in processing and analyzing alarm data, so that the processing results can better reflect the attack behavior and harm.

Most of the collected original alarm data of security incidents come from the data collection experimental platform. Figure 6 shows the statistics of the collected original security incident alarms.

[figure omitted; refer to PDF]

The ZT mode strategy in the cloud complements the network’s identity management and licensing efforts. It works with network behaviors and other tools to isolate and control workload interactions. The security team can build a coordinated trust policy based on the identity and privilege definitions evaluated and strengthened by the virtual machine management platform and software-defined infrastructure using tools like instance mirroring and container grouping, as well as tools available from major IaaS and PaaS vendors.

From beginning to end, the ZT architecture assumes that the network is full of external and internal threats and that trust cannot be determined solely by the network’s location. It switches from network-centric access control to identity-centric access control. The network boundary is collapsing, and it is no longer possible to distinguish between internal and external networks. This change is unavoidable. As a result, simply construct the internal network in accordance with the concept of Internet security, and the most common solution for business Internet security protection is based on identity and access control. As a result, ZT security considers identity and access control to be the foundation of trust reconstruction.

Figure 7 depicts the statistical chart of the number of alarms collected in the test platform within 10 days before and after being processed by the system.

[figure omitted; refer to PDF]

In order to realize ZT mode in the cloud, enterprises should combine network and identity licensing strategies, especially paying attention to the behavior analysis of supporting applications. No cloud provider can fully cover these functions, which will cause some enterprises to turn to third-party agent-based tools, and these tools include independent policy controllers, which can evaluate network, identity, application behavior, and settings when making access control decisions.

ZT architecture pays attention to the construction of service protection plane, which protects resources. All service access requests should be encrypted with full traffic and forced authorization, and relevant mechanisms of service security access should work at the application protocol layer as much as possible.

The removal rate and aggregation rate are used to reflect the efficiency of removal algorithm and aggregation algorithm respectively, as shown in Figure 8.

[figure omitted; refer to PDF]

Because of the network platform’s resource sharing and openness, it is very easy for network hackers to infiltrate users’ computers. Hackers, as opposed to network viruses, are senior network technicians with professional network knowledge and more experience in network operation and computer business than ordinary users. As a result, hackers can easily attack personal computers, steal information from users, prevent users from opening and using normal programs, tamper with users’ data, and even, in extreme cases, cause users’ computers or networks to crash. To determine whether the computer system has been illegally invaded, intrusion detection simply compares current activity to previously established files to see if it conforms to the activity rules. The difficulty lies in the creation of activity files, which must include not only complete statistics of normal activities but also intrusion activity calculations. In general, there are still some issues with intrusion detection technology at this stage that need to be addressed by related technicians in order to improve the use of intrusion detection technology in network security maintenance.

Figure 9 shows the change diagram of the alarm number from the original alarm to the alarm number after removal and classification.

[figure omitted; refer to PDF]

The information and event management system promotes the idea of applying data analysis to solve network security problems to the global level, shortens the response period of security events, and greatly improves the efficiency of security operation and maintenance. However, making good use of the security information and event management system requires analysts to have a high professional level.

At present, artificial intelligence technology has been widely used in autonomous driving, image recognition, machine translation, and other fields. By using artificial intelligence technology in the field of network security, the power of network security experts can be freed from the massive low-value repeated security event analysis and disposal work and can better focus on the analysis of those really important major threat events.

It can be clearly seen from Figure 10 that the removal rate of the removal module is 0, because this step is mainly to remove those alarms that meet the periodic terms.

[figure omitted; refer to PDF]

Through the experiments of the algorithm proposed in this paper on different platforms, one conclusion can be drawn: this algorithm has remarkable effect on false alarm removal in large-scale actual networks, and the whole algorithm is completely real-time and can effectively and timely provide accurate information to administrators.

Professional security operation and maintenance personnel are always a scarce resource. Many large-scale non-Internet enterprises generally have the problem of insufficient ability and manpower of security personnel. This makes it difficult for enterprises to find security risks and hidden attacks hidden in massive data in time in daily security operation and maintenance work. Received information about security threats from the outside world is also at a loss. How to make good use of these data, find hidden clues, find hidden assets that are not in the asset database, identify security threats and attack attempts that cannot be detected by traditional security devices, and then respond quickly to security incidents is the primary goal of DD security.

The adaptive access control capability provided by ZT is open and platform-based, and enterprises can gradually migrate their businesses to ZT, and all the businesses that move in will have this adaptive security capability, so ZT will become the endogenous capability of enterprise business processes and continue to empower enterprise network security.

5. Conclusion

ZT is a brand-new security technology concept. When data become a new factor of production, traditional security systems based on network boundaries are unable to meet data protection requirements. This paper proposes a data security system guided by ZT technology of DD based on an analysis of the concept, key technologies, and ZT technology theory of DD security. Given that most user behaviors follow a normal distribution, a cloud-based user behavior measurement algorithm is developed, which maps quantitative user behavior data to user trust levels, allowing for more accurate measurement of user behavior credibility and improved discrimination of user misoperation behaviors. The characteristics of alarm generation in a real network environment are examined in this paper, and it is discovered that a large number of alarms generated periodically in continuous time are false alarms, whereas real threats are sudden and unpredictable. As a result, most false alarms can be eliminated if the periodic term can be accurately removed.

The method in this paper can remove the majority of alarms in the experiment, but the base number of alarms after removal is still quite large, so the next step is to combine some more accurate methods, such as alarm aggregation and pattern recognition, in order to truly discover security events in real time. Although DD security is seen as a viable way to deal with future security threats, it still faces numerous challenges in its final implementation. This will necessitate the collaboration of security vendors and users.

Acknowledgments

This study was supported by the Shenzhen Fundamental Research Program under grant number 20210317191843003 and by Shaanxi Provincial Key R & D Program (2021ZDLGY05-01).