CN114423007A - Terminal access point determining method, terminal access point determining device, electronic equipment and storage medium - Google Patents
- Publication number
- CN114423007A (application CN202210083239.4A)
- Authority
- CN
- China
- Prior art keywords
- access
- historical
- user
- information
- access point
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N20/00—Machine learning
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W48/00—Access restriction; Network selection; Access point selection
- H04W48/16—Discovering, processing access restriction or access information
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W48/00—Access restriction; Network selection; Access point selection
- H04W48/20—Selecting an access point
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Evolutionary Computation (AREA)
- Physics & Mathematics (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Physics (AREA)
- Medical Informatics (AREA)
- Data Mining & Analysis (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Artificial Intelligence (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The application provides a method, a device, an electronic device and a storage medium for determining a terminal access point. The determining method comprises the following steps: receiving a service access requirement sent by a target user through a user terminal; determining at least one access point in a coverage range corresponding to the position information of the target user; predicting the access situation of each access point by using an access situation prediction model to obtain the prediction situation information corresponding to each access point; evaluating the trust level of the target user to obtain the trust level information of the target user; and determining a target access point from the at least one access point according to the trust level information of the target user and the prediction situation information of each access point, and sending the target access point to the user terminal so that the user terminal can access the micro-service application through the target access point. The determining method and the determining device can improve the service quality of the network and the experience quality of the user, as well as the security capability of the network and the security experience of the user.
Description
Technical Field
The present application relates to the field of wireless service support and network security, and in particular, to a method and an apparatus for determining a terminal access point, an electronic device, and a storage medium.
Background
With the development of network technology, authentication and access control technologies have been developed to meet user requirements and improve network performance. Access point selection, that is, choosing among a plurality of available wireless access points, is a core part of authentication and access control technology.
In the existing access authentication mode, the user terminal often selects the access point with the strongest signal strength for access, which exposes it to the security risk of a pseudo base station. Meanwhile, because services differ, the number of access terminals and the bandwidth occupation differ from one access point to another. Therefore, if the user terminal selects the access point with the strongest signal in the traditional way, the overall throughput and security of the network are necessarily reduced, and with them the service quality of the network and the experience quality of the user.
Disclosure of Invention
In view of this, an object of the present application is to provide a method, an apparatus, an electronic device and a storage medium for determining a terminal access point. By combining information such as user requirements, network situation and user behavior, they predict the access situation and evaluate the user trust level, and on that basis perform optimized selection of the access point, so that the determined access point matches both the user requirements and the user trust level. This improves the accuracy of access point determination, effectively improves the quality of service of the network and the quality of experience of the user, and improves the security capability of the network and the security experience of the user.
In a first aspect, an embodiment of the present application provides a method for determining a terminal access point, where the method for determining includes:
receiving a service access requirement sent by a target user through a user terminal; wherein the service access requirements comprise target service requirements, security requirements and service quality requirements;
determining at least one access point in a coverage range corresponding to the position information based on the position information of the target user;
predicting the access situation of each access point by using a pre-constructed access situation prediction model to obtain the prediction situation information corresponding to each access point;
evaluating the trust level of the target user according to the service access requirement and a pre-constructed user trust evaluation model to obtain the trust level information of the target user;
and determining a target access point from at least one access point according to the trust level information of the target user and the prediction situation information of each access point, and sending the target access point to the user terminal so that the user terminal accesses the micro-service application through the target access point.
Further, the access situation prediction model is constructed through the following steps:
for each historical user accessed to the network, performing parameter extraction on the network situation information of the historical user in each historical service access time window to obtain the network historical situation information associated with the historical user; the network historical situation information related to the historical user comprises user identity description parameters, network security description parameters, network performance description parameters and authentication scheme description parameters;
acquiring historical access information generated by the historical user under the historical access behavior;
and training the constructed time sequence analysis model by using the network historical situation information and the historical access information of each historical user to obtain the access situation prediction model.
Further, the predicting the access situation of each access point by using the access situation prediction model constructed in advance to obtain the prediction situation information corresponding to each access point includes:
constructing a user behavior portrait by using historical access information of each historical user;
determining predicted access behavior information of the target user under the service access requirement based on the user behavior representation, the service access requirement and time information of the target user for sending the service access requirement through the user terminal;
and determining the corresponding predicted situation information of each access point by utilizing the access situation prediction model based on the predicted access behavior information.
Further, the user trust evaluation model is constructed by:
for each historical user accessed to the network, performing parameter extraction on the network situation information of the historical user in each historical service access time window to obtain the network historical situation information associated with the historical user; the network historical situation information related to the historical user comprises user identity description parameters, network security description parameters, network performance description parameters and authentication scheme description parameters;
acquiring historical access requirements of the historical user and access information generated by the historical user under historical access behaviors;
associating the historical access requirement of each historical user with the historical access information of the historical user, and calculating the behavior deviation degree of each historical user under each historical access information;
constructing a first association analysis sub-model based on the historical access requirements, the historical access information and the behavior deviation degree; the first association analysis submodel is used for representing historical access information of each historical user under each historical access requirement and behavior deviation degree of each historical user under different historical access information;
correlating the historical access information of each historical user with the network historical situation information, and calculating the network situation influence degree of each historical user under each network historical situation information;
constructing a second association analysis sub-model based on the historical access information, the network historical situation information and the network situation influence degree; the second association analysis submodel is used for representing network historical situation information of each historical user under each historical access requirement and the network situation influence degree of each historical user under different network historical situation information;
and obtaining the user trust evaluation model based on the first association analysis submodel and the second association analysis submodel.
Further, the evaluating the trust level of the target user according to the service access requirement and a pre-established user trust evaluation model to obtain the trust level information of the target user includes:
according to each historical service access requirement of the target user, determining historical access information corresponding to each historical service access requirement of the target user and behavior deviation degree of the target user under each historical access information by using a first association analysis submodel in the user trust evaluation model;
according to each piece of historical access information of the target user, determining network historical situation information of the target user under each historical access requirement and network situation influence degree of the target user under each network historical situation information by using a second association analysis submodel in the user trust evaluation model;
and determining trust level information of the target user according to the behavior deviation degree of the target user under each historical access information and the network situation influence degree of the target user under each network historical situation information.
Further, the determining a target access point from at least one access point according to the trust level information of the target user and the prediction situation information of each access point includes:
judging whether the trust level information of the target user reaches a preset level threshold value;
if so, integrating the target service requirement, the security requirement and the service quality requirement of the target user, and taking the access point with the highest comprehensive rating among the plurality of access points as the target access point; the comprehensive rating combines the business service, security capability and service quality indicators of each access point;
if not, ranking the access points by their security level, and taking the access point with the highest security level among the plurality of access points as the target access point; wherein the security level indicates the level corresponding to the security measures configured on each access point.
Further, after the target access point is determined from at least one access point according to the trust level information of the target user and the predicted situation information of each access point, the determining method further includes:
judging whether the trust level information of the target user reaches a preset level threshold value;
if so, integrating the target service requirement, the security requirement and the service quality requirement of the target user, and taking the access scheme with the highest comprehensive rating among the plurality of access schemes as the target access scheme; the comprehensive rating combines the access authentication efficiency and the security protection capability of each access scheme;
if not, ranking the access schemes by their access verification severity, and taking the access scheme with the highest access verification severity among the plurality of access schemes as the target access scheme; the access verification severity represents the complexity of the verification algorithm of each access scheme and the attributes, number and completeness of the authentication factors that the target user is required to provide;
and sending the target access scheme to the user terminal so that the user terminal provides required authentication information according to the target access scheme.
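The two threshold decisions above (target access point, then target access scheme), as an added Python example that is not taken from the patent, with the traditional strongest-signal choice alongside for contrast. The patent gives no formulas, so the 1 to 5 security scale, the equal-weight rating, the 0 to 1 trust score and every sample access point and scheme are constructed assumptions.

```python
from dataclasses import dataclass

MAX_SECURITY_LEVEL = 5  # constructed 1..5 scale, not defined by the patent


@dataclass(frozen=True)
class Requirement:
    service: str            # target service requirement
    min_security: int       # security requirement on the 1..5 scale
    max_latency_ms: float   # QoS requirement: latency bound
    max_loss: float         # QoS requirement: packet-loss bound


@dataclass(frozen=True)
class AccessPoint:
    name: str
    rssi_dbm: int           # used only by the strongest-signal baseline
    services: frozenset     # services reachable through this access point
    security_level: int     # level of the configured security measures
    pred_latency_ms: float  # predicted situation information
    pred_loss: float
    pred_load: float        # predicted resource occupation, 0..1


@dataclass(frozen=True)
class AccessScheme:
    name: str
    auth_efficiency: float  # 0..1, access authentication efficiency
    protection: float       # 0..1, security protection capability
    severity: int           # access verification severity


def headroom(predicted, bound):
    """Fraction of a QoS bound left unused, clamped to 0..1."""
    return max(0.0, min(1.0, 1.0 - predicted / bound))


def ap_rating(ap, req):
    """Comprehensive rating over service, security capability and QoS."""
    service = 1.0 if req.service in ap.services else 0.0
    security = ap.security_level / MAX_SECURITY_LEVEL
    if ap.security_level < req.min_security:
        security = 0.0  # assumption: an unmet security requirement scores zero
    qos = (headroom(ap.pred_latency_ms, req.max_latency_ms)
           + headroom(ap.pred_loss, req.max_loss)
           + (1.0 - ap.pred_load)) / 3
    return (service + security + qos) / 3  # equal weights are an assumption


def select_access_point(trust, threshold, req, aps):
    if not aps:
        raise ValueError("no access point covers the user's position")
    if trust >= threshold:
        return max(aps, key=lambda ap: ap_rating(ap, req))
    # Below the threshold only the security level counts; load breaks ties.
    return max(aps, key=lambda ap: (ap.security_level, -ap.pred_load))


def select_scheme(trust, threshold, schemes):
    if not schemes:
        raise ValueError("no access scheme available")
    if trust >= threshold:
        return max(schemes, key=lambda s: (s.auth_efficiency + s.protection) / 2)
    return max(schemes, key=lambda s: s.severity)


def strongest_signal(aps):
    """The traditional choice the Background section criticises."""
    return max(aps, key=lambda ap: ap.rssi_dbm)


# Constructed sample data.
THRESHOLD = 0.6
REQ = Requirement("video", min_security=3, max_latency_ms=50.0, max_loss=0.02)
APS = [
    AccessPoint("open-hotspot", -40, frozenset({"video", "web"}), 1, 10.0, 0.001, 0.2),
    AccessPoint("campus-wifi", -60, frozenset({"video", "web"}), 3, 20.0, 0.005, 0.4),
    AccessPoint("macro-cell", -75, frozenset({"video", "voice"}), 5, 48.0, 0.018, 0.9),
]
SCHEMES = [
    AccessScheme("single-factor", 0.9, 0.5, 1),
    AccessScheme("two-factor", 0.7, 0.8, 2),
    AccessScheme("three-factor", 0.4, 0.95, 3),
]

if __name__ == "__main__":
    print("strongest signal:", strongest_signal(APS).name)
    for trust in (0.8, 0.3):
        ap = select_access_point(trust, THRESHOLD, REQ, APS)
        scheme = select_scheme(trust, THRESHOLD, SCHEMES)
        print(f"trust={trust}: {ap.name} via {scheme.name}")
```

With this data the strongest-signal baseline picks the weakly secured hotspot, a user above the threshold gets the best-balanced access point, and a user below it is steered to the most secured access point and the strictest scheme even though that access point is congested.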
In a second aspect, an embodiment of the present application further provides a device for determining a terminal access point, where the device for determining includes:
the service access requirement receiving module is used for receiving a service access requirement sent by a target user through a user terminal; wherein the service access requirements comprise target service requirements, security requirements and service quality requirements;
an access point determining module, configured to determine, based on the location information of the target user, at least one access point in a coverage area corresponding to the location information;
the predicted situation information determining module is used for predicting the access situation of each access point by using a pre-constructed access situation prediction model to obtain the predicted situation information corresponding to each access point;
the trust level information determining module is used for evaluating the trust level of the target user according to the service access requirement and a pre-established user trust evaluation model to obtain the trust level information of the target user;
and the target access point determining module is used for determining a target access point from at least one access point according to the trust level information of the target user and the prediction situation information of each access point, and sending the target access point to the user terminal so that the user terminal can access the micro-service application through the target access point.
In a third aspect, an embodiment of the present application further provides an electronic device, including: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating via the bus when the electronic device is running, the machine-readable instructions being executed by the processor to perform the steps of the method for determining a terminal access point as described above.
In a fourth aspect, the present application further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method for determining an access point of a terminal are performed as described above.
Compared with determining methods in the prior art, the method for determining a terminal access point provided by the application builds a user trust evaluation model and a network state prediction model and combines information such as user requirements, network situation and user behavior to predict the access situation and the user trust. It thereby optimizes the access point and the access scheme under complex access scenarios, complex user requirements and complex network situations, extends the traditional authentication framework to the service level, better meets the user's security and service quality requirements for access authentication, maximizes network security capability and throughput, and at the same time controls user access to guarantee network security. By combining the multidimensional factors of user requirements, user trust state and network state, integrating user habits and behavior characteristics, and optimizing the access point through a time sequence analysis model, the method can not only meet the user's service quality and experience quality requirements but also optimize network performance and network security capability, thereby improving the overall service level and security capability of the network.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained from the drawings without inventive effort.
Fig. 1 is a flowchart illustrating a method for determining an access point of a terminal according to an embodiment of the present disclosure;
Fig. 2 is a schematic structural diagram of a device for determining a terminal access point according to an embodiment of the present disclosure;
Fig. 3 is a schematic structural diagram of another apparatus for determining an access point of a terminal according to an embodiment of the present disclosure;
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. Every other embodiment that can be obtained by a person skilled in the art without making creative efforts based on the embodiments of the present application falls within the protection scope of the present application.
The 6G (6th generation wireless systems, sixth generation mobile communication technology) network will follow the trend toward cloudification and, building on the existing fifth generation mobile communication network, will realize intelligent connection and three-dimensional dense coverage. The fifth generation mobile communication network is designed mainly for three scenarios: enhanced mobile broadband, high-reliability low-latency communication, and massive machine communication, realizing interconnection between people, between things, and between people and things. In this context, authentication is the first layer of security guarantee of a mobile communication network. 5G (5th Generation Mobile Communication Technology, fifth generation mobile communication technology) proposes two authentication frameworks, 5G-AKA and EAP-AKA', which aim to provide a unified access authentication capability; to unify the distribution form of authentication parameters, the generation form of authentication parameters and key parameters, the access authentication scenarios, and the authentication framework; to ensure that a secure authentication mechanism and flow are provided for different types of terminals; and to lay a foundation for secure service access.
Authentication and access control is a concept that grew out of conventional access authentication. With the development of network technology, authentication and access control technologies have been developed to meet user requirements and improve network performance. Authentication access point selection and authentication scheme selection are the core parts of authentication and access control technology: authentication access point selection chooses among a plurality of available APs, and authentication scheme selection chooses a suitable access authentication protocol and algorithm for a user. Authentication and access control can be divided into two directions, the user side and the network side. The former is more concerned with user requirements and the latter with network states; existing research on access point selection leans toward the latter, while research on access scheme selection leans toward the former.
The demand for heterogeneous network convergence is long-standing. With the development of wireless communication technology, various heterogeneous and differentiated networks jointly provide ubiquitous, heterogeneous communication services for users. With the development of 5G/6G related technologies, improving network performance and service level through multi-dimensional fusion between heterogeneous networks, such as coverage fusion, service fusion, user fusion, architecture fusion, and system fusion, has become a focus of attention in the industry in recent years. Coverage fusion means that heterogeneous networks complement each other's coverage, expanding the overall coverage range of the network and making the network extensible. Service fusion means providing similar and dissimilar network services while supporting traditional services, thereby expanding service capability. User fusion means that services are provided under the same user identity (code number), the user identity is unique and charged uniformly, the user side accesses services as required, and the network side schedules network resources as required. Architecture fusion means adopting the same or similar architecture, transmission and switching technologies so as to save infrastructure construction cost. System fusion means that the heterogeneous networks form a unified whole that provides a consistent service transparent to the user, with cooperative resource scheduling, consistent service quality and seamless satellite-ground roaming.
Cloud native is a software architecture concept built on the cloud, together with a set of methodologies for practicing software development on the cloud. Microservice (or microservice architecture) is a cloud-native architecture approach in which a single application is composed of many loosely coupled and independently deployable smaller components or services. Under the trend toward 6G network cloudification, future network services, even authentication and access control, will be more service-oriented and service-based; that is, selectable authentication is provided to users in the form of micro-services, and access authentication and control are performed according to the service types the users expect to access.
According to the research summary, with the start of 6G research, the current 5G access authentication schemes 5G-AKA and EAP-AKA' are somewhat monolithic and rigid, have relatively poor extensibility, and are difficult to adapt to the access authentication requirements of future multi-type terminals. Meanwhile, the 6G network faces a cloudification trend: users access more service-oriented services, and different service slices have different service quality and security requirements. Heterogeneous networks are deeply converged and access points are densely deployed, so the load and security state of different access points affect both the access experience of users and the overall throughput of the network.
Based on this, the embodiment of the present application provides a method for determining a terminal access point, which solves the problems in the prior art that a user side faces a security risk of a pseudo base station, the overall performance and security of a network side are reduced, and the network service quality and the user experience quality are poor due to the fact that a user terminal selects an access point with the strongest signal for access according to a traditional manner.
Referring to fig. 1, fig. 1 is a flowchart illustrating a method for determining an access point of a terminal according to an embodiment of the present disclosure. As shown in fig. 1, a method for determining a terminal access point according to an embodiment of the present application includes:
S101, receiving a service access requirement sent by a target user through a user terminal.
It should be noted that the target user refers to a user who currently wants to access the network. The user terminal refers to a mobile terminal used by a user when accessing a network, such as a mobile phone, a computer, a satellite terminal, or an internet of things device, and is not specifically limited in this application. The service access requirements include target service requirements, security requirements, and service quality requirements. Specifically, the target service requirement refers to the service that the target user expects to access. The security requirement refers to a requirement for security in the network; for example, it may include a security requirement on the authentication scheme, a requirement on the security protection capability of the network, and the like, and is not particularly limited in this application. The service quality requirement refers to a QoS (Quality of Service) requirement, and mainly concerns the bandwidth requirement, delay requirement, packet loss rate requirement, and the like of a service, and is not specifically limited in this application. As an optional implementation manner, the service access requirement may also include user identity information; for example, the user identity information may include an identity ID stated by the user and user fingerprint information that is identified by the access network side and is not tampered with by the user, and the application is not particularly limited in this respect.
For the above step S101, in a specific implementation, in response to a click operation of a target user on a specific key through a user terminal, a service access requirement sent by the target user through the user terminal is received.
S102, based on the position information of the target user, at least one access point in a coverage range corresponding to the position information is determined.
The location information refers to location information where the target user is located when accessing the network. The coverage area refers to a coverage area of a signal corresponding to the position information. An access point refers to a device for a wireless local area network user terminal to access a network. Here, the access point may include WiFi, a base station, a satellite, etc., and the application is not limited thereto.
For the above step S102, in a specific implementation, at least one access point in a coverage area corresponding to the location information is determined according to the current location information of the target user. Because 6G network access points will achieve dense coverage, a single location of the target user will be covered by different access points, such as WiFi, base stations and satellites; all the access points within the coverage range corresponding to the location information are determined according to the location information of the target user.
S103, predicting the access situation of each access point by using a pre-constructed access situation prediction model to obtain the prediction situation information corresponding to each access point.
It should be noted that the access situation refers to the change in the access point and the network caused by user access when a user accesses the network through a certain access point; the access situation includes the situation of the network and the situation of the access point. As an example, the situation of the access point may be information such as how many users are accessing the access point, the resource occupation of the access point, and the average packet loss rate and time delay of access through the access point, and the situation of the network may include the average packet loss rate and time delay, which is not specifically limited in this application. The access situation prediction model is used for predicting the access situation information, aggregated over multiple users, that is generated in the target service access time window when the target user accesses a certain access point. Specifically, the predicted situation information may also include the situation of the network and the situation of the access point.
For the above step S103, in a specific implementation, after at least one access point is determined, the access situation of each access point is predicted by using a pre-established access situation prediction model, so as to obtain the predicted situation information corresponding to each access point.
As an alternative implementation, the access situation prediction model is constructed by the following steps:
A: for each historical user accessed to the network, performing parameter extraction on the network situation information of the historical user in each historical service access time window to obtain the network historical situation information associated with the historical user; the network historical situation information associated with the historical user comprises user identity description parameters, network security description parameters, network performance description parameters and authentication scheme description parameters.
It should be noted that the historical users refer to all users who accessed the network during the historical time. The historical service access time window refers to the time window in which a historical user accessed a service on the network, and can be regarded as a time range; for example, if the user accessed the network from 20:00 to 21:00, then 20:00 to 21:00 is a historical service access time window in the history information. The network situation information refers to the security situation and the performance situation of the network; the security situation may be the frequency of attacks, the security level of the network to be accessed, the threats suffered, and the like, and the performance situation may be the load, resource condition, time delay, packet loss rate, and the like of the network or the access point, which is not specifically limited in this application. The network historical situation information refers to the network situation information associated with a historical user accessing the network through the access point within a historical service access time window. The network historical situation information comprises user identity description parameters, network security description parameters, network performance description parameters and authentication scheme description parameters. The user identity description parameters describe the user identity and include identity information that is acquired by the access point and cannot be tampered with by the user; the network security description parameters describe the security state of the network in a specified time window; the network performance description parameters describe the performance of the network in a specified time window; the authentication scheme description parameters describe the computation overhead, bandwidth overhead, time delay overhead and similar performance characteristics of different authentication schemes.
The parameter definition of the network history situation information is shown in table 1.
TABLE 1 parameter definition of network historical situation information
For step A, in a specific implementation, for each historical user accessing the network, parameter extraction is performed on the network situation information of the historical user in each historical service access time window, so as to obtain each item of network historical situation information in Table 1.
B: acquiring access information generated by the historical user under the historical access behavior.
It should be noted that the historical access behavior refers to access behavior performed by a historical user after accessing the network through the access point. The access information refers to access information generated by a historical user when performing historical access behavior. Specifically, the access information may include service access start time, service access duration, service type of access, historical access point, historical access scheme, average occupied bandwidth, peak occupied bandwidth, and threat level of historical user. The service access starting time refers to the starting time of a historical user when accessing the target service; the service access duration refers to the duration of the historical user when accessing the target service; the accessed service type refers to the type of the target service accessed by the historical user; the historical access point refers to an access point used by a historical user for accessing the network; the historical access scheme refers to an access scheme used by a historical user for accessing the network; the average bandwidth occupied and the peak bandwidth occupied describe the bandwidth occupied by the historical user when accessing the network. The threat level refers to the threat level of a historical user to the network, and specifically, the threat level is calculated according to the sensitive security event record. The threat level calculation is shown in the following equation:
where i denotes a security event classification, count(event_i) denotes the number of occurrences of security event i, w_i denotes the threat weight corresponding to security event i, and threshold is a preset threat level threshold. Obviously, the network side cannot continue to allow a user to perform service access after the user has initiated explicit, high-risk behavior, so certain high-risk behaviors (such as uploading a Trojan horse backdoor) should be assigned the value threshold and the user's access blocked in time. Therefore, the final calculation result of the formula is: if the user initiates explicit, high-risk behavior, the threat level is threshold; if the threat level of the user is lower, the weighted calculation is used; if the user does not initiate explicit, high-risk behavior, but the combined threat level of the suspected attack events the user initiated exceeds the threshold, the threat level is also assigned as threshold.
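The three cases described above can be worked through in a short Python sketch. This is an added example, not part of the patent text; the equation itself does not appear on this page, so the weighted calculation is assumed here to be the sum of w_i × count(event_i), and the event names, weights, threshold value and blocking rule are constructed for illustration.

```python
from collections import Counter, defaultdict

# All values below are constructed for illustration; none come from the patent.
THRESHOLD = 10.0                                   # preset threat level threshold
WEIGHTS = {"port_scan": 1.5, "failed_auth": 0.5, "policy_violation": 2.0}
HIGH_RISK = {"trojan_backdoor_upload"}             # explicit, high-risk classifications

# Constructed sensitive security event records: (user_id, event classification).
RECORDS = [
    ("u1", "failed_auth"), ("u1", "port_scan"), ("u1", "failed_auth"),
    ("u2", "trojan_backdoor_upload"),
] + [("u3", "port_scan")] * 8


def threat_level(events, weights=WEIGHTS, high_risk=HIGH_RISK, threshold=THRESHOLD):
    """Return the threat level for one user's list of event classifications."""
    counts = Counter(events)
    # Case 1: any explicit, high-risk behavior pins the level at the threshold.
    if any(event in high_risk for event in counts):
        return threshold
    # An unweighted classification would silently score zero, so reject it.
    unknown = counts.keys() - weights.keys()
    if unknown:
        raise ValueError(f"no threat weight for: {sorted(unknown)}")
    # Case 2: weighted calculation (assumed form: sum of w_i * count(event_i)).
    score = sum(weights[event] * n for event, n in counts.items())
    # Case 3: many suspected events together may exceed the threshold; cap it.
    return min(score, threshold)


def threat_levels(records, **kwargs):
    """Group (user, event) records per user and score each user."""
    per_user = defaultdict(list)
    for user, event in records:
        per_user[user].append(event)
    return {user: threat_level(events, **kwargs) for user, events in per_user.items()}


def blocked_users(levels, threshold=THRESHOLD):
    """Assumption: a user whose level has reached the threshold is blocked."""
    return sorted(user for user, level in levels.items() if level >= threshold)


if __name__ == "__main__":
    levels = threat_levels(RECORDS)
    print(levels)
    print("blocked:", blocked_users(levels))
```

User u3 never triggers a high-risk classification but still reaches the threshold through repeated suspected events, which is the third case in the description.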
In the specific implementation of the step B, for each historical user accessing the network, various access information generated by the historical user under the historical access behavior is acquired.
C: training the constructed time sequence analysis model by using the network historical situation information and the historical access information of each historical user to obtain the access situation prediction model.
For step C, in a specific implementation, the constructed time sequence analysis model is trained by using the network historical situation information and the historical access information of each historical user to obtain the access situation prediction model. Specifically, how to train a time series analysis model by using known parameters is described in detail in the prior art, and is not described herein again.
After the access situation prediction model is built, the access situation of each access point can be predicted by using the built access situation prediction model. For step S103, the predicting the access situation of each access point by using the access situation prediction model that is constructed in advance to obtain the predicted situation information corresponding to each access point includes:
Step 1031, constructing a user behavior representation by using the historical access information of each historical user.
It should be noted that a user behavior portrait (user profile) is a tagging of user information: by collecting and analyzing data on a user's main information, such as social attributes, living habits and consumption behaviors, a complete business picture of the user is abstracted. The user behavior portrait provides a sufficient information basis for quickly identifying accurate user groups, user requirements and other broader feedback information. Specifically, the user behavior representation may include the access habits of the user, for example, which service the user is accustomed to accessing at what time, and even the bandwidth occupied by the user when accessing the service, all of which may be described by the user behavior representation; the application is not limited in this respect.
In the specific implementation, the step 1031 uses the historical access information of each historical user accessing the network to construct a user behavior representation. Specifically, how to use the known data of each user to construct the user behavior representation is described in detail in the prior art, and is not described herein again.
Step 1032, based on the user behavior representation, the service access requirement and the time information of the service access requirement sent by the target user through the user terminal, determining the predicted access behavior information of the target user under the service access requirement.
It should be noted that, the time information that the target user sends the service access requirement through the user terminal refers to the time when the target user requests to access the network on the user terminal, for example, the time information may be 15:30, and the application is not limited in particular. The predicted access behavior information refers to predicted access behaviors that may occur to the target user under the current service access requirement.
In a specific implementation of step 1032, the user behavior representation constructed in step 1031 and the time information of the service access requirement sent by the target user through the user terminal are used to determine the predicted access behavior information of the target user under the current service access requirement. Here, since the user behavior profile describes which services historical users habitually access, in which time periods and under which requirements, the constructed user behavior profile can be used directly to predict the access behavior information that the target user is likely to generate, based on the service access requirement and the time information of the service access requirement sent by the target user through the user terminal. For example, if the user behavior representation shows that when most historical users send service access demand A at 15:30 the generated access behavior information is B, then when the service access demand sent by the target user at 15:30 is also A, the predicted access behavior information of the target user under that service access demand can be predicted to be B.
Step 1033, determining the predicted situation information corresponding to each access point by using the access situation prediction model based on the predicted access behavior information.
In a specific implementation of step 1033, the constructed access situation prediction model is used to predict the predicted situation information corresponding to each access point. Here, since the access situation prediction model is constructed based on the network historical situation information and the historical access information of the historical users, after the predicted access behavior information of the target user is determined in step 1032, the predicted access behavior information is input into the constructed access situation prediction model to predict the network situation after the target user accesses each access point, that is, to determine the predicted situation information corresponding to each access point.
And S104, evaluating the trust level of the target user according to the service access requirement and a pre-established user trust evaluation model to obtain the trust level information of the target user.
It should be noted that the user trust evaluation model refers to a model for evaluating trust level information of a user. Trust level information refers to the degree to which a target user may be trusted by the network.
For the above step S104, in specific implementation, the trust level of the target user is evaluated according to the service access requirement sent by the target user through the user terminal and the pre-established user trust evaluation model, so as to obtain the trust level information of the target user.
As an alternative embodiment, the user trust evaluation model is constructed by:
a: for each historical user accessed to the network, extracting parameters of network situation information of the historical user in each historical service access time window to obtain network historical situation information associated with the historical user; the network historical situation information associated with the historical user comprises user identity description parameters, network security description parameters, network performance description parameters and authentication scheme description parameters.
Here, the description of step a may refer to the description of step A, and the same technical effect may be achieved, which is not described in detail herein.
b: acquiring historical access requirements of the historical user and access information generated by the historical user under the historical access behavior.
It should be noted that the historical access requirement refers to an access requirement sent by a user terminal of a historical user when the historical user accesses a network within a historical time, and the historical access requirement may also include a historical service requirement, a historical security requirement, and a historical quality of service requirement.
For step b, in a specific implementation, the historical access requirements of each historical user accessed into the network and the access information generated by the historical user under the historical access behavior are acquired. Here, for the description of obtaining the access information generated by the historical user under the historical access behavior, reference may be made to the description of the access information generated by the historical user under the historical access behavior in step B, and the same technical effect may be achieved, which is not described in detail herein.
c: associating the historical access requirement of each historical user with the historical access information of the historical user, and calculating the behavior deviation degree of each historical user under each historical access information.
It should be noted that the behavior deviation degree refers to a degree that the access requirement sent by the user is inconsistent with the generated access behavior.
For step c, in a specific implementation, for each historical user, the historical access requirement of the historical user is associated with the historical access information, and the behavior deviation degree of the historical user under each item of generated historical access information is calculated according to the historical access requirement and the historical access information of the historical user. Here, for some historical users the access requirements and the access information correspond: for example, the historical access requirement of a historical user A requests access to service a in a certain behavior pattern, and the historical access information of historical user A also indicates that the user accessed service a following the agreed behavior pattern; in this case the access requirement of historical user A is considered not to deviate from the access behavior, and the behavior deviation degree is low. However, it is also possible that the historical access requirement of a historical user B at a certain time is a request to access service a, but the historical access information of historical user B indicates that the user did not access service a and may have accessed other services, or performed operations during the access that do not conform to the agreed behavior pattern, such as port scanning; in this case the access requirement of historical user B is considered to deviate from the access behavior, and the behavior deviation degree is high.
As an alternative embodiment, the actual deviation degree of the historical access requirement of the historical user from the historical access behavior may be calculated by a preset deviation degree algorithm; the greater the deviation, the greater the inconsistency between the requirement and the behavior, and the lower the resulting trust.
d: constructing a first association analysis sub-model based on the historical access requirement, the historical access information and the behavior deviation degree.
It should be noted that the first association analysis submodel is an association analysis model of user requirements and user behaviors, where the first association analysis submodel is used to characterize historical access information of each historical user under each historical access requirement, and a degree of deviation of behavior of each historical user under different historical access information.
For the step d, in a specific implementation, the historical access requirement, the historical access information and the behavior deviation degree of each historical user are used to construct a first association analysis sub-model, that is, the historical access requirement, the historical access information and the behavior deviation degree of each historical user are associated through the identity ID of the historical user and stored in the first association analysis sub-model in a mapping relationship.
e: associating the historical access information of each historical user with the network historical situation information, and calculating the network situation influence degree of each historical user under each network historical situation information.
The network situation influence degree refers to the degree of influence of the user on the network and the access point when accessing the network through the access point.
For step e, in a specific implementation, for each historical user, the historical access information of the historical user is associated with the network historical situation information, and the network situation influence degree of the historical user under each item of generated network historical situation information is calculated according to the historical access information and the network historical situation information of the historical user. Here, for example, a historical user C initiates a DoS (Denial of Service) attack after accessing the network. A DoS attack intentionally attacks defects in a network protocol implementation, or directly exhausts the resources of the attacked object by brute force, so that the target computer or network cannot provide normal services or resource access and the target system's service stops responding or even crashes. When the historical user initiates the DoS attack, the resources and performance of the network are seriously degraded, and therefore the degree of influence of the historical user on the network is recorded. Alternatively, a historical user D maliciously occupies bandwidth resources to download certain files; although this behavior cannot be considered a network attack, it also influences the network situation. As an optional implementation manner, the influence degree of the historical user on the network situation may be calculated through a preset network situation influence degree algorithm.
f: constructing a second association analysis sub-model based on the historical access information, the network historical situation information and the network situation influence degree.
It should be noted that the second association analysis submodel is an association analysis model of the user and the network situation, where the second association analysis submodel is used to characterize the network historical situation information of each historical user under each historical access requirement, and the network situation influence degree of each historical user under different network historical situation information.
For step f, in a specific implementation, a second association analysis sub-model is constructed by using the historical access information, the network historical situation information and the network situation influence degree of each historical user; that is, the historical access information, the network historical situation information and the network situation influence degree of each historical user are associated through the identity ID of the historical user and stored in the second association analysis sub-model in a mapping relationship.
g: obtaining the user trust evaluation model based on the first association analysis submodel and the second association analysis submodel.
For step g, in a specific implementation, the first association analysis sub-model and the second association analysis sub-model are combined to obtain the user trust evaluation model.
After the user trust evaluation model is built, the trust level of the target user can be evaluated by using the built user trust evaluation model. For step S104, the evaluating the trust level of the target user according to the service access requirement and a pre-established user trust evaluation model to obtain the trust level information of the target user includes:
step 1041, according to each historical service access requirement of the target user, determining historical access information corresponding to each historical service access requirement of the target user and a behavior deviation degree of the target user under each historical access information by using a first association analysis submodel in the user trust evaluation model.
For the above step 1041, in a specific implementation, since the historical access requirement and the historical access information of each historical user in the first association analysis submodel in the user trust evaluation model are both associated, the historical access information corresponding to each historical service access requirement of the target user may be determined based on each historical service access requirement of the target user by using the first association analysis submodel, for example, the historical access requirement the same as the historical service access requirement of the target user may be found in the first association analysis submodel, the historical access information associated with the historical access requirement may be determined, and the historical access information is used as the historical access information of the target user under the historical service access requirement. And for each historical access information of the target user, determining a behavior deviation degree associated with the historical access information based on the historical access information, and taking the behavior deviation degree as the behavior deviation degree of the target user.
Step 1042, according to each historical access information of the target user, determining the network historical situation information of the target user under each historical access requirement and the network situation influence degree of the target user under each network historical situation information by using a second association analysis sub-model in the user trust evaluation model.
For step 1042, in a specific implementation, since the historical access information and the network historical situation information of each historical user in the second association analysis submodel in the user trust evaluation model are associated, the second association analysis submodel may be used to determine the network historical situation information corresponding to each historical access information of the target user based on each historical access information of the target user. For example, the historical access information that is the same as the historical access information of the target user may be found in the second association analysis submodel, the network historical situation information associated with that historical access information is determined, and that network historical situation information is used as the network historical situation information of the target user under the historical access information. Then, for the network historical situation information of the target user, the network situation influence degree associated with that network historical situation information is determined, and it is taken as the network situation influence degree of the target user.
Step 1043, determining trust level information of the target user according to the behavior deviation degree of the target user under each historical access information and the network situation influence degree of the target user under each network historical situation information.
For the above step 1043, in a specific implementation, after determining the behavior deviation degree of the target user under each historical access information and the network situation influence degree of the target user under each network historical situation information, determining the trust level information of the target user according to the behavior deviation degree and the network situation influence degree of the target user. Specifically, the trust level information of the target user may be determined by using a preset trust level algorithm. Here, the trust level information of the target user is evaluated according to all historical access requirements and all historical access behaviors of the target user, so that the accuracy of the trust level information evaluation can be improved.
S105, determining a target access point from at least one access point according to the trust level information of the target user and the prediction situation information of each access point, and sending the target access point to the user terminal so that the user terminal can access the micro-service application through the target access point.
It should be noted that the target access point refers to an access point used by the target user when accessing the network. The micro service application refers to a micro service for providing relevant services for target users in an internet platform.
For the step S105, in a specific implementation, according to the trust level information of the target user and the predicted situation information of each access point, a target access point is determined from at least one access point, and the target access point is sent to the user terminal, so that the user terminal can access the micro-service application through the selected target access point.
For step S105, the determining a target access point from at least one access point according to the trust level information of the target user and the predicted situation information of each access point includes:
step 1051, judging whether the trust level information of the target user reaches a preset level threshold value.
It should be noted that the preset level threshold refers to a level threshold preset in advance, or dynamically adjusted around the preset value, and is used for determining whether the target user can be trusted.
As for the above step 1051, in a specific implementation, it is determined whether the trust level information of the target user reaches a preset level threshold according to the trust level information of the target user, if so, step 1052 is executed, and if not, step 1053 is executed.
Step 1052, if yes, synthesizing the target service requirement, security requirement and service quality requirement of the target user, and taking the access point with the highest comprehensive rating in the multiple access points as the target access point.
It should be noted that the integrated rating represents an integrated rating corresponding to the service, security capability, and service quality index of each access point. Specifically, the comprehensive rating of the access point may be determined according to the predicted situation information of the access point, for example, if the packet loss rate and the time delay in the predicted situation information of the access point are low, the access requirement of the user on a specific service can be met, and the requirement of the user on the security protection capability can be met, the comprehensive rating of the access point is considered to be high.
For the above step 1052, in a specific implementation, if the trust level information of the target user reaches the preset level threshold, it is determined that the target user can be trusted by the network, and the access point with the highest comprehensive rating and most meeting the requirements of the target user among the multiple access points can be used as the target access point, so as to provide the target access point with the optimal comprehensive throughput, the lowest delay and the optimal security capability for the target user, and meet the requirements of the target user.
Step 1053, if not, ranking the access points by the security level of each access point, and taking the access point with the highest security level among the plurality of access points as the target access point.
It should be noted that the security level indicates a level corresponding to the configured security measures of each access point. Specifically, the security level of the access point may be determined according to the configured security measures of the access point, for example, if the ground base station may be configured with many security devices, the security level of the ground base station access point may be considered to be higher, and if the satellite access point is resource-limited and cannot deploy a large number of configured security devices, the security level of the satellite access point may be considered to be lower.
For step 1053, in a specific implementation, if the trust level information of the target user does not reach the preset level threshold, it is determined that the target user cannot be trusted by the network, and at this time, the security level of each access point is used to sequence each access point, and the access point with the highest security level among the plurality of access points is used as the target access point, so that the target user accesses the access point with more complete security measures, and the user identity is verified more strictly.
As an optional implementation manner, after the target access point is pushed to the target user, the target access scheme needs to be pushed to the target user, so that the target user provides information required by the target access scheme through the target access point, access authentication is implemented, and the micro-service application is accessed. According to the determination method provided by the application, after the target access point is determined from at least one access point according to the trust level information of the target user and the prediction situation information of each access point, the determination method further comprises the following steps:
(1) judging whether the trust level information of the target user reaches a preset level threshold value;
(2) if so, integrating the target service requirement, the security requirement and the service quality requirement of the target user, and taking the access scheme with the highest integrated rating in the multiple access schemes as the target access scheme.
Here, the access scheme may be considered as an access authentication algorithm, such as existing SIM (Subscriber Identity Module) card based authentication, or cross-layer authentication combining physical layer information, and the like, and is not limited in this application. These access authentication algorithms have different algorithm flows and require different information from the user, and thus may be considered as different access schemes, for example, if it is a telephone call service, the access scheme may be SIM card based authentication. If network management, network operation and other operations are involved, the user needs to be highly trusted and can be required to perform authentication combined with physical layer information. And the comprehensive rating represents the comprehensive rating corresponding to the access authentication efficiency and the safety protection capability of each access scheme. When the access authentication efficiency of the access scheme is higher and the security protection capability is higher, the comprehensive rating of the access scheme is considered to be higher.
For the step (2), in specific implementation, if the trust level information of the target user reaches the preset level threshold, the target user is considered to be trusted by the network, and the access scheme with the highest comprehensive rating in the multiple access schemes may be determined as the target access scheme, that is, the access scheme with the highest access authentication efficiency and the highest security protection capability.
(3) if not, ranking the access schemes by their access verification severity, and taking the access scheme with the highest access verification severity among the multiple access schemes as the target access scheme.
Here, the access verification severity indicates the complexity of the verification algorithm of each access scheme and the attribute, number and sophistication of the authentication factors the target user is required to provide.
For step (3), in specific implementation, if the trust level information of the target user does not reach the preset level threshold, the target user is considered not to be trusted by the network, and the access scheme with the highest access verification severity among the multiple access schemes may be used as the target access scheme.
(4) sending the target access scheme to the user terminal, so that the user terminal provides the required authentication information according to the target access scheme.
Here, the authentication information refers to information provided by the user terminal for authentication according to the target access scheme. For example, when the target access scheme is an access scheme with a low verification severity, the authentication information may be a password of the target user, and when the target access scheme is an access scheme with a high verification severity, the authentication information may be a biometric feature such as a fingerprint of the target user.
For step (4), in specific implementation, after the target access scheme is determined, it is sent to the user terminal, and the user terminal provides the authentication information required by the pushed target access scheme, so that the target user is authenticated.
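The selection in steps (1) to (4), as an added example that is not code from the patent. The patent gives no formulas, so the 0..1 scores, the weighted-average rating, the averaged severity score, the service filter, the constructed scheme catalogue and the treatment of an unknown trust level as untrusted are all assumptions made here.

```python
"""Added example: trust-gated selection of an access scheme, steps (1)-(4)."""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class AccessScheme:
    name: str
    auth_efficiency: float       # 0..1, access authentication efficiency
    protection: float            # 0..1, security protection capability
    algorithm_complexity: float  # 0..1, complexity of the verification algorithm
    factor_strength: float       # 0..1, attribute/sophistication of the factors
    required_info: tuple         # authentication information the terminal must supply
    services: frozenset          # target services the scheme can authenticate


@dataclass(frozen=True)
class ServiceAccessRequirement:
    target_service: str
    security_weight: float  # relative weight of the security requirement
    qos_weight: float       # relative weight of the service quality requirement


def comprehensive_rating(scheme: AccessScheme, req: ServiceAccessRequirement) -> float:
    """Assumed rating: protection and efficiency weighted by the user's requirements."""
    total = req.security_weight + req.qos_weight
    if total <= 0:
        raise ValueError("requirement weights must sum to a positive value")
    return (req.security_weight * scheme.protection
            + req.qos_weight * scheme.auth_efficiency) / total


def verification_severity(scheme: AccessScheme, max_factors: int) -> float:
    """Assumed severity: mean of algorithm complexity, factor count and factor strength."""
    factor_share = len(scheme.required_info) / max_factors
    return (scheme.algorithm_complexity + factor_share + scheme.factor_strength) / 3


def select_access_scheme(trust_level: Optional[float], threshold: float,
                         req: ServiceAccessRequirement,
                         schemes: Sequence[AccessScheme]) -> AccessScheme:
    # Only schemes able to authenticate for the requested service are considered.
    candidates = [s for s in schemes if req.target_service in s.services]
    if not candidates:
        raise LookupError(f"no access scheme supports {req.target_service!r}")
    max_factors = max(1, max(len(s.required_info) for s in candidates))

    def severity(s: AccessScheme) -> float:
        return verification_severity(s, max_factors)

    # Step (1): "reaches" the threshold means >=; a missing trust level fails closed.
    trusted = trust_level is not None and trust_level >= threshold
    if trusted:
        # Step (2): highest comprehensive rating; ties go to the stricter scheme.
        return max(candidates, key=lambda s: (comprehensive_rating(s, req), severity(s)))
    # Step (3): untrusted user gets the scheme with the highest verification severity.
    return max(candidates, key=severity)


def build_push_message(scheme: AccessScheme) -> dict:
    """Step (4): what is sent to the user terminal."""
    return {"access_scheme": scheme.name,
            "required_authentication_info": list(scheme.required_info)}


ALL = frozenset({"voice", "data", "network_management"})
# Constructed catalogue; every score below is illustrative, not from the patent.
SCHEMES = (
    AccessScheme("password", 0.8, 0.3, 0.2, 0.2, ("password",), frozenset({"data"})),
    AccessScheme("sim_card", 0.9, 0.6, 0.4, 0.5, ("sim_credentials",),
                 frozenset({"voice", "data"})),
    AccessScheme("cross_layer_phy", 0.5, 0.9, 0.9, 0.8,
                 ("sim_credentials", "physical_layer_features"), ALL),
    AccessScheme("biometric_mfa", 0.3, 0.85, 0.8, 1.0,
                 ("password", "fingerprint", "device_certificate"), ALL),
)

if __name__ == "__main__":
    voice = ServiceAccessRequirement("voice", security_weight=0.3, qos_weight=0.7)
    for trust in (0.8, 0.3, None):
        chosen = select_access_scheme(trust, 0.6, voice, SCHEMES)
        print(trust, build_push_message(chosen))
```

With this catalogue a trusted caller is offered SIM card based authentication, while the same request from a user below the threshold, or with no trust record at all, is pushed the multi-factor scheme.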
The method for determining the terminal access point provided by the embodiment of the application comprises the steps of determining at least one access point according to position information of a target user, and predicting the access situation of each access point by using a pre-constructed access situation prediction model to obtain the predicted situation information corresponding to each access point; and finally, determining a target access point from the at least one access point according to the trust level information of the target user and the predicted situation information of each access point, and sending the target access point to the user terminal so that the user terminal accesses the micro-service application through the target access point. Compared with the determination methods in the prior art, this method builds a user trust evaluation model and a network state prediction model and combines the user requirements, the network situation, the user behaviors and other information to predict the access situation and evaluate user trust. It thereby optimizes the choice of access point and access scheme under complex access scenarios, complex user requirements and complex network situations, extends the traditional authentication framework to the service level, better meets the user's security and service quality requirements for access authentication, and maximizes the network security capability and throughput while controlling user access to guarantee network security.
By combining the multidimensional factors of user requirements, user trust state and network state, integrating user habits and behavior characteristics, and optimizing the access point through a time sequence analysis model, the method not only meets the user's service quality and experience quality requirements, but also optimizes network performance and network security capability, thereby improving the overall service level and security capability of the network.
Referring to fig. 2 and fig. 3, fig. 2 is a schematic structural diagram of a device for determining a terminal access point according to an embodiment of the present disclosure, and fig. 3 is a schematic structural diagram of another device for determining a terminal access point according to an embodiment of the present disclosure. As shown in fig. 2, the determination device 200 includes:
a service access requirement receiving module 201, configured to receive a service access requirement sent by a target user through a user terminal; wherein the service access requirements comprise target service requirements, security requirements and service quality requirements;
an access point determining module 202, configured to determine, based on the location information of the target user, at least one access point in a coverage area corresponding to the location information;
the predicted situation information determining module 203 is configured to predict the access situation of each access point by using a pre-established access situation prediction model to obtain predicted situation information corresponding to each access point;
a trust level information determining module 204, configured to evaluate the trust level of the target user according to the service access requirement and a pre-established user trust evaluation model, so as to obtain trust level information of the target user;
and the target access point determining module 205 is configured to determine a target access point from at least one access point according to the trust level information of the target user and the predicted situation information of each access point, and send the target access point to the user terminal, so that the user terminal accesses the micro-service application through the target access point.
Further, as shown in fig. 3, the determining apparatus 200 includes an access situation prediction model constructing module 206, where the access situation prediction model constructing module 206 constructs the access situation prediction model by:
for each historical user accessed to the network, performing parameter extraction on the network situation information of the historical user in each historical service access time window to obtain the network historical situation information associated with the historical user; the network historical situation information related to the historical user comprises user identity description parameters, network security description parameters, network performance description parameters and authentication scheme description parameters;
acquiring historical access information generated by the historical user under the historical access behavior;
and training the constructed time sequence analysis model by using the network historical situation information and the historical access information of each historical user to obtain the access situation prediction model.
Further, when the predicted situation information determining module 203 is configured to predict the access situation of each access point by using a pre-constructed access situation prediction model to obtain the predicted situation information corresponding to each access point, the predicted situation information determining module 203 is further configured to:
constructing a user behavior portrait by using historical access information of each historical user;
determining predicted access behavior information of the target user under the service access requirement based on the user behavior portrait, the service access requirement and the time information at which the target user sends the service access requirement through the user terminal;
and determining the corresponding predicted situation information of each access point by utilizing the access situation prediction model based on the predicted access behavior information.
Further, as shown in fig. 3, the determining apparatus 200 includes a user trust evaluation model building module 207, and the user trust evaluation model building module 207 builds the user trust evaluation model by:
for each historical user accessed to the network, performing parameter extraction on the network situation information of the historical user in each historical service access time window to obtain the network historical situation information associated with the historical user; the network historical situation information related to the historical user comprises user identity description parameters, network security description parameters, network performance description parameters and authentication scheme description parameters;
acquiring historical access requirements of the historical user and access information generated by the historical user under historical access behaviors;
associating the historical access requirement of each historical user with the historical access information of the historical user, and calculating the behavior deviation degree of each historical user under each historical access information;
constructing a first association analysis sub-model based on the historical access requirements, the historical access information and the behavior deviation degree; the first association analysis submodel is used for representing historical access information of each historical user under each historical access requirement and behavior deviation degree of each historical user under different historical access information;
correlating the historical access information of each historical user with the network historical situation information, and calculating the network situation influence degree of each historical user under each network historical situation information;
constructing a second association analysis sub-model based on the historical access information, the network historical situation information and the network situation influence degree; the second association analysis submodel is used for representing network historical situation information of each historical user under each historical access requirement and the network situation influence degree of each historical user under different network historical situation information;
and obtaining the user trust evaluation model based on the first association analysis submodel and the second association analysis submodel.
Further, when the trust level information determining module 204 is configured to evaluate the trust level of the target user according to the service access requirement and a pre-established user trust evaluation model to obtain the trust level information of the target user, the trust level information determining module 204 is further configured to:
according to each historical service access requirement of the target user, determining historical access information corresponding to each historical service access requirement of the target user and behavior deviation degree of the target user under each historical access information by using a first association analysis submodel in the user trust evaluation model;
according to each piece of historical access information of the target user, determining network historical situation information of the target user under each historical access requirement and network situation influence degree of the target user under each network historical situation information by using a second association analysis submodel in the user trust evaluation model;
and determining trust level information of the target user according to the behavior deviation degree of the target user under each historical access information and the network situation influence degree of the target user under each network historical situation information.
Further, when the target access point determining module 205 is configured to determine a target access point from at least one access point according to the trust level information of the target user and the predicted situation information of each access point, the target access point determining module 205 is further configured to:
judging whether the trust level information of the target user reaches a preset level threshold value;
if so, combining the target service requirement, the security requirement and the service quality requirement of the target user, and taking the access point with the highest comprehensive rating among the plurality of access points as the target access point; the comprehensive rating represents the combined rating of the business service, the security capability and the service quality index of each access point;
if not, ranking the access points by their security level, and taking the access point with the highest security level among the plurality of access points as the target access point; wherein the security level indicates a level corresponding to the configured security measures of each access point.
Further, as shown in fig. 3, the determining apparatus 200 includes a target access scheme determining module 208, and the target access scheme determining module 208 is configured to:
judging whether the trust level information of the target user reaches a preset level threshold value;
if so, combining the target service requirement, the security requirement and the service quality requirement of the target user, and taking the access scheme with the highest comprehensive rating among the plurality of access schemes as the target access scheme; the comprehensive rating represents the combined rating of the access authentication efficiency and the security protection capability of each access scheme;
if not, ranking the access schemes by their access verification severity, and taking the access scheme with the highest access verification severity among the plurality of access schemes as the target access scheme; the access verification severity represents the complexity of the verification algorithm of each access scheme and the attribute, number and sophistication of the authentication factors the target user is required to provide;
and sending the target access scheme to the user terminal so that the user terminal provides required authentication information according to the target access scheme.
Referring to fig. 4, fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure. As shown in fig. 4, the electronic device 400 includes a processor 410, a memory 420, and a bus 430.
The memory 420 stores machine-readable instructions executable by the processor 410. When the electronic device 400 runs, the processor 410 communicates with the memory 420 through the bus 430, and when the machine-readable instructions are executed by the processor 410, the steps of the method for determining the terminal access point in the method embodiment shown in fig. 1 can be executed. This solves the prior-art problems caused by the user terminal conventionally selecting the access point with the strongest signal for access: the user side faces the security risk of a pseudo base station, the overall performance and security of the network side are reduced, and the network service quality and the user experience quality are poor.
An embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method for determining a terminal access point in the method embodiment shown in fig. 1 may be executed. This likewise solves the prior-art problems caused by the user terminal conventionally selecting the access point with the strongest signal for access: the user side faces the security risk of a pseudo base station, the overall performance and security of the network side are reduced, and the network service quality and the user experience quality are poor.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus once an item is defined in one figure, it need not be further defined and explained in subsequent figures, and moreover, the terms "first", "second", "third", etc. are used merely to distinguish one description from another and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present application, and are used for illustrating the technical solutions of the present application, but not limiting the same, and the scope of the present application is not limited thereto, and although the present application is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope disclosed in the present application; such modifications, changes or substitutions do not depart from the spirit and scope of the exemplary embodiments of the present application, and are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (10)
1. A method for determining an access point of a terminal is characterized by comprising the following steps:
receiving a service access requirement sent by a target user through a user terminal; wherein the service access requirements comprise target service requirements, security requirements and service quality requirements;
determining at least one access point in a coverage range corresponding to the position information based on the position information of the target user;
predicting the access situation of each access point by using a pre-constructed access situation prediction model to obtain the prediction situation information corresponding to each access point;
evaluating the trust level of the target user according to the service access requirement and a pre-constructed user trust evaluation model to obtain the trust level information of the target user;
and determining a target access point from at least one access point according to the trust level information of the target user and the prediction situation information of each access point, and sending the target access point to the user terminal so that the user terminal accesses the micro-service application through the target access point.
2. The method of claim 1, wherein the access situation prediction model is constructed by:
for each historical user accessed to the network, performing parameter extraction on the network situation information of the historical user in each historical service access time window to obtain the network historical situation information associated with the historical user; the network historical situation information related to the historical user comprises user identity description parameters, network security description parameters, network performance description parameters and authentication scheme description parameters;
acquiring historical access information generated by the historical user under the historical access behavior;
and training the constructed time sequence analysis model by using the network historical situation information and the historical access information of each historical user to obtain the access situation prediction model.
3. The method according to claim 2, wherein the predicting the access situation of each access point by using the access situation prediction model that is constructed in advance to obtain the predicted situation information corresponding to each access point comprises:
constructing a user behavior portrait by using historical access information of each historical user;
determining predicted access behavior information of the target user under the service access requirement based on the user behavior portrait, the service access requirement and the time information at which the target user sends the service access requirement through the user terminal;
and determining the corresponding predicted situation information of each access point by utilizing the access situation prediction model based on the predicted access behavior information.
4. The determination method according to claim 1, characterized in that the user trust evaluation model is constructed by:
for each historical user accessed to the network, performing parameter extraction on the network situation information of the historical user in each historical service access time window to obtain the network historical situation information associated with the historical user; the network historical situation information related to the historical user comprises user identity description parameters, network security description parameters, network performance description parameters and authentication scheme description parameters;
acquiring historical access requirements of the historical user and access information generated by the historical user under historical access behaviors;
associating the historical access requirement of each historical user with the historical access information of the historical user, and calculating the behavior deviation degree of each historical user under each historical access information;
constructing a first association analysis sub-model based on the historical access requirements, the historical access information and the behavior deviation degree; the first association analysis submodel is used for representing historical access information of each historical user under each historical access requirement and behavior deviation degree of each historical user under different historical access information;
correlating the historical access information of each historical user with the network historical situation information, and calculating the network situation influence degree of each historical user under each network historical situation information;
constructing a second association analysis sub-model based on the historical access information, the network historical situation information and the network situation influence degree; the second association analysis submodel is used for representing network historical situation information of each historical user under each historical access requirement and the network situation influence degree of each historical user under different network historical situation information;
and obtaining the user trust evaluation model based on the first association analysis submodel and the second association analysis submodel.
5. The method according to claim 4, wherein the evaluating the trust level of the target user according to the service access requirement and a pre-constructed user trust evaluation model to obtain the trust level information of the target user comprises:
according to each historical service access requirement of the target user, determining historical access information corresponding to each historical service access requirement of the target user and behavior deviation degree of the target user under each historical access information by using a first association analysis submodel in the user trust evaluation model;
according to each piece of historical access information of the target user, determining network historical situation information of the target user under each historical access requirement and network situation influence degree of the target user under each network historical situation information by using a second association analysis submodel in the user trust evaluation model;
and determining trust level information of the target user according to the behavior deviation degree of the target user under each historical access information and the network situation influence degree of the target user under each network historical situation information.
6. The method of claim 1, wherein the determining a target access point from at least one access point according to the trust level information of the target user and the predicted situation information of each access point comprises:
judging whether the trust level information of the target user reaches a preset level threshold value;
if so, combining the target service requirement, the security requirement and the service quality requirement of the target user, and taking the access point with the highest comprehensive rating among the plurality of access points as the target access point; the comprehensive rating represents the combined rating of the business service, the security capability and the service quality index of each access point;
if not, ranking the access points by their security level, and taking the access point with the highest security level among the plurality of access points as the target access point; wherein the security level indicates a level corresponding to the configured security measures of each access point.
7. The method of claim 1, wherein after determining the target access point from the at least one access point based on the trust level information of the target user and the predicted situation information of each access point, the method further comprises:
judging whether the trust level information of the target user reaches a preset level threshold value;
if so, combining the target service requirement, the security requirement and the service quality requirement of the target user, and taking the access scheme with the highest comprehensive rating among the plurality of access schemes as the target access scheme; the comprehensive rating represents the combined rating of the access authentication efficiency and the security protection capability of each access scheme;
if not, ranking the access schemes by their access verification severity, and taking the access scheme with the highest access verification severity among the plurality of access schemes as the target access scheme; the access verification severity represents the complexity of the verification algorithm of each access scheme and the attribute, number and sophistication of the authentication factors the target user is required to provide;
and sending the target access scheme to the user terminal so that the user terminal provides required authentication information according to the target access scheme.
8. An apparatus for determining an access point of a terminal, the apparatus comprising:
the service access requirement receiving module is used for receiving a service access requirement sent by a target user through a user terminal; wherein the service access requirements comprise target service requirements, security requirements and service quality requirements;
an access point determining module, configured to determine, based on the location information of the target user, at least one access point in a coverage area corresponding to the location information;
the predicted situation information determining module is used for predicting the access situation of each access point by using a pre-constructed access situation prediction model to obtain the predicted situation information corresponding to each access point;
the trust level information determining module is used for evaluating the trust level of the target user according to the service access requirement and a pre-established user trust evaluation model to obtain the trust level information of the target user;
and the target access point determining module is used for determining a target access point from at least one access point according to the trust level information of the target user and the prediction situation information of each access point, and sending the target access point to the user terminal so that the user terminal can access the micro-service application through the target access point.
9. An electronic device, comprising: processor, memory and bus, said memory storing machine-readable instructions executable by said processor, said processor and said memory communicating over said bus when the electronic device is running, said machine-readable instructions when executed by said processor performing the steps of the method of determining a terminal access point according to any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that it has stored thereon a computer program which, when being executed by a processor, carries out the steps of the method for determining an access point for a terminal according to any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210083239.4A CN114423007A (en) | 2022-01-25 | 2022-01-25 | Terminal access point determining method, terminal access point determining device, electronic equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210083239.4A CN114423007A (en) | 2022-01-25 | 2022-01-25 | Terminal access point determining method, terminal access point determining device, electronic equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114423007A (en) | 2022-04-29 |
Family
ID=81276600
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210083239.4A Pending CN114423007A (en) | 2022-01-25 | 2022-01-25 | Terminal access point determining method, terminal access point determining device, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114423007A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114928510A (en) * | 2022-06-17 | 2022-08-19 | 广东电网有限责任公司 | Power communication link establishment method, resource allocation method and system |
2022-01-25: CN application CN202210083239.4A (patent/CN114423007A/en), status: active, Pending
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114928510A (en) * | 2022-06-17 | 2022-08-19 | 广东电网有限责任公司 | Power communication link establishment method, resource allocation method and system |
CN114928510B (en) * | 2022-06-17 | 2023-10-31 | 广东电网有限责任公司 | Power communication link establishment method, resource configuration method and system |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Wu et al. | A cooperative computing strategy for blockchain-secured fog computing | |
CN110263936B (en) | Horizontal federal learning method, device, equipment and computer storage medium | |
CN113261244B (en) | Network node combining MEC host and UPF selection | |
CN106658652B (en) | Method and device for connecting WiFi hotspot | |
CN111614657B (en) | Mobile edge security service method and system based on mode selection | |
WO2017186092A1 (en) | Network slice selection method and apparatus | |
CN113574842B (en) | Method and system for optimizing processing of application requests | |
CN109274563B (en) | Equipment connection method and device | |
Xu et al. | Designing security-aware incentives for computation offloading via device-to-device communication | |
CN113114656B (en) | Infrastructure layout method based on edge cloud computing | |
CN111629052B (en) | Content caching method, node, equipment and storage medium based on MEC | |
CN108183843A (en) | Sharing method, server and the computer readable storage medium of intelligent scene pattern | |
CN109660593B (en) | Internet of things platform access management method, device and system | |
CN113573378B (en) | Electronic contest data processing method, device, equipment and storage medium | |
CN114423007A (en) | Terminal access point determining method, terminal access point determining device, electronic equipment and storage medium | |
Ali et al. | Trust‐aware task load balancing in multi‐access edge computing based on blockchain and a zero trust security capability framework | |
US11019140B1 (en) | Systems and methods for peer-to-peer data exchange via multi-access edge computing | |
CN112685163A (en) | Computing unloading method based on mobile edge computing and mobile edge computing server | |
CN116806038A (en) | Decentralizing computer data sharing method and device | |
CN109474626A (en) | A kind of method for network authorization and device based on SNS | |
CN112153679B (en) | Network switching method and device | |
CN104426874A (en) | Authentication method and authentication device applied to ubiquitous terminal network | |
CN115878991A (en) | Trust model training method and device | |
CN112527761A (en) | File processing method and device, electronic equipment and storage medium | |
CN113840285B (en) | Physical layer collaborative authentication method and system based on 5G and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||