Abstract
The cross-trust-domain environment in which heterogeneous identity alliances operate often has no fully trusted centralized root of trust, and different trust domains and entities also have their own specific security requirements. In view of these problems, we hold that trust measurement of cross-domain identities based on risk assessment is an effective way to achieve decentralized proof of user identities in heterogeneous cyberspace. Among the many risk assessment models, we choose the comparatively mature attack graph theory from existing research and apply it to the new field of cross-trust-domain management of heterogeneous identities. We propose an attribute attack graph evaluation model that evaluates cross-domain identities through risk measurement of their attributes. In addition, heterogeneous identity alliances also carry architectural risks, in particular the risk of their decentralized underlying structure. To address this problem, we identify the risks of the identity alliance infrastructure and combine the risk assessment with the design of a presentation system to verify the principle.
Introduction
With the rapid development of the mobile Internet, social network applications and their ecosystems are gradually emerging. They are committed to providing platform users with online communication services such as text, pictures, voice, and video. Relying on the accumulated online user data, social users’ own accounts are increasingly recognized by offline merchants, institutions, and alliances, resulting in many heterogeneous cross-trust-domain identity verification scenarios. However, while this cross-trust-domain negotiation of heterogeneous identities brings the convenience of multi-site login with the same account, it also introduces risks for user identity authentication in heterogeneous cyberspace. Problems such as user identity fraud and the difficulty of evaluating the identity trust level have become increasingly serious [1]. Given widespread security threats and abnormal behaviors, risk management of user identity security attributes is an effective way to ensure information security and to control heterogeneous identity trust negotiation. Therefore, how to assess the risk status of heterogeneous identities across trust domains has become our focus.
Information security risk assessment has always been one of the research hotspots in cyberspace security. Current risk assessment techniques rely heavily on prior knowledge and lack autonomy and controllability [2]. Network risk assessment technology for static data has the limitation of being non-real-time and unable to detect dynamic operational threats [3], and risk assessment using attack graphs suffers from the uncontrolled growth of network state combinations [4], which greatly increases the difficulty of analyzing the attack graph. The attack graph-based risk analysis method builds a network intrusion relationship graph from an intrusion rule base and a vulnerability threat base. Although the time and space overhead of generating attack graphs by graph theory is significantly smaller than that of the model checking method, the exponential expansion of the combination of attack states still cannot be solved effectively [5]. Another drawback of the commonly used method of automatically generating attack graphs with model checkers is that the time complexity grows without bound as the number of network nodes and threats increases, and it is difficult to handle the resulting large state space [6].
Contributions
In this paper, we propose a cross-domain identity risk assessment strategy based on attribute attack graphs and a systemic risk assessment system for heterogeneous identity alliances for the problem of heterogeneous identity proofs.
In the cross-domain identity authentication of heterogeneous networks, it is difficult for the traditional public key cryptosystem and the new network system to interoperate, so it is imperative to study decentralized methods of certifying heterogeneous identities. Based on the ubiquitous expression of identity attributes, we integrate the security hierarchy analysis of attributes into the attack graph and use the risk analysis method of the attack graph to evaluate cross-domain identities. Threats are quantified by constructing an attribute attack graph, which consists of attribute nodes, attack nodes, and the edges between them. The calculated attribute attack graph, vulnerability, and asset value are used to evaluate the probability of security events and the loss caused by security events, which helps to strengthen the security of identity attributes. We quantitatively calculate the attribute risk value of heterogeneous identities and provide an evaluation basis for identity attribute proofs. Once the risk of cross-trust-domain authentication increases, it interferes with the interactive negotiation of heterogeneous identities.
In addition to the cross-domain identity risk analysis proof, the security risk measurement of the heterogeneous identity alliance is also a contribution of this paper. According to the characteristics of the basic databases of heterogeneous identity alliances, we identify the factors related to the risks of the alliance architecture. The overall architecture of the decentralized heterogeneous identity alliance management system consists of three layers: the underlying blockchain layer, the virtual layer, and the P2P storage layer. We analyze and evaluate system risks at three levels: the first is the architectural risk assessment of the blockchain system, the second is the alliance members’ own risks and the danger they pose to other alliance members when cross-domain access is made, and the third is the risks of the alliance members’ own networks (social networks, telecommunications networks, etc.).
Based on the above-mentioned cross-domain identity risk assessment principles and the threats faced by heterogeneous identity alliances, we use a visual mapping algorithm to establish a risk imaging model of heterogeneous identity alliance architecture, presenting the results of the alliance architecture risk assessment and risk level. The risk assessment presentation system consists of heterogeneous identity alliance members and identity management centers. Heterogeneous identity alliance members send identity verification requests, risk assessment requests, and query requests. The identity management center returns different results according to different requests after receiving requests from federation members.
Paper organization
The remainder of this paper is organized as follows. In section 2, we summarize the related works of identity trust management. The details of identity evaluation and heterogeneous identity alliance risk identification are elaborated in sections 3 and 4, respectively. Section 5 is dedicated to analyzing the scheme by experiments. Finally, we conclude this paper in section 6.
Related works
Proof of identity
For the identification of identity attributes in a heterogeneous environment, the University of Melbourne uses a third-party liberalized blind signature scheme [7] to achieve anonymous processing of cross-domain identity interactions, and theoretically proves that the security attributes of user cross-domain negotiation will not be violated. At the ACM SIGSAC conference, the IMDEA Institute proposed a fully automatic identity encryption based on multilinearity [8], and used the calculation of the encryption structure to verify the correctness of the security evidence. Aiming at the problems of traditional trust negotiation rules, namely rigid descriptions, a low negotiation success rate and low efficiency, many scholars have in recent years proposed automatic trust negotiation schemes based on fuzzy logic [9], finite automata [10], a trust ticket database [11] or a trust evaluation module [12]. In general, the academic community currently lacks mature solutions for attribute certification and publishing in a cross-domain heterogeneous identity alliance environment. The current common method is attribute-based remote certification [13], in which the task of attribute certification is assigned to a trusted certificate issuer. This attribute certificate issuer issues the security attribute certificate based on integrity and acts as the decision maker of the access decision; the domain access decision is made according to the attribute integrity.
The user attribute certification of heterogeneous environment is still in the exploratory stage. The research focuses on the risk assessment of heterogeneous identity alliances. It is difficult to quantitatively describe uncertain factors such as randomness and ambiguity. Therefore, how to establish a quantifiable risk assessment index system is a big problem. To solve this problem, the solution of this article is to construct an attribute-based attack graph to perform quantitative risk analysis on cross-domain identities, combined with heterogeneous identity alliance risk level protection mechanisms, to provide coordinated guarantees for systems and users in heterogeneous environments.
For the risk evaluation of heterogeneous identity alliance architecture, some scholars have proposed the CIM model [14], a new scheme for the quantitative evaluation of combinations of risk factors in modern risk analysis methods. In terms of practical applications, there are currently many different risk assessment guides and tools, such as NIST’s FIPS65, DoJ’s SRAG, automated risk assessment tools, CRAMM, RA and other risk analysis tools [15]. Other studies have proposed a series of theories and methods such as the fuzzy autonomous trust model [16], the fuzzy trust assessment model based on local information [17], and the trust model based on cloud model theory and a risk assessment model [18], which provide a valuable foundation and experience for research on the risk assessment of heterogeneous identity alliance architecture and the credibility evaluation of heterogeneous identity alliance users.
Cyber security assessment
Security threat assessment is an important part of intelligence analysis. It predicts existing or potential hazards to information systems and their possible consequences based on threat information, helps users understand the current security situation, and develops targeted response measures to improve the handling of emergencies. Yu et al. [19] gave a security evaluation method based on the attack graph model that can analyze the success probability of an attack sequence and the risk of system loss. Jian-Jun W et al. [20] used plug-in technology combined with vulnerability threat information to establish an evaluation model for quantitative analysis of system security status. BASS [21] uses multi-sensor data fusion technology to process the raw data collected from distributed heterogeneous network equipment, so as to identify the source of the attack, the degree of threat, and the target system in order to evaluate the security situation of the network, but no practical application model is proposed. Li-Na Z et al. [22] proposed a hierarchical network security threat situation assessment model based on IDS alarm information and network performance indicators to achieve quantitative assessment of network security, but this model is not suitable for evaluating large-scale network systems. Hengzhi C et al. [23] use the ID3 decision tree algorithm and the Boltzmann machine neural network algorithm to classify data for threat assessment in the application scenario of military intelligence analysis.
According to the real-time nature of the assessment results, network security assessment can be divided into static security assessment and dynamic security assessment. Static security assessment [24–26] treats the evaluated object as stationary. Different evaluation methods analyze and evaluate the object from different angles and give the security degree of the entire object. The object of static security assessment has a certain stability and does not change in real time. Therefore, this method cannot dynamically deal with network security emergencies and is not sensitive to threat information discovered on the network in real time. Dynamic security assessment [27–31] regards the object to be evaluated as a dynamically changing process, establishes a corresponding real-time dynamic extraction and analysis model for the security-related features presented in that process, and assesses the object’s current security posture through continuous data analysis. Dynamic security assessment is a relatively new research topic, and it is also a hot topic in the field of current network security research.
Network security assessment is divided into qualitative assessment and quantitative assessment according to the form of the assessment results. Qualitative evaluation [32, 33] refers to the use of inductive analysis on the evaluation target to analyze and process its various factors and attributes. The qualitative evaluation method mainly judges the system security status based on non-quantitative data such as the researcher’s knowledge and experience. Generally, the original data is obtained through surveys, and then the data is encoded and sorted through an analytical framework deduced from theory to obtain an evaluation. In contrast, quantitative evaluations [34–36] use quantitative indicators to describe the security status of the system. Generally, they are calculated from the magnitude of the various factors that affect system security, but not all factors can be represented by numbers, the relationships between the factors are also difficult to compare, and the same factor takes different values in different dimensions.
In the area of LAN-oriented security assessment, [37] proposed a hierarchical quantitative evaluation model of the security threat situation of a network system. The model is divided into four levels from top to bottom: network system, host, service, and attack vulnerability, and adopts a “first the parts, then the whole” evaluation strategy. [38] proposed a network security assessment model based on the security state domain. The model divides the impact of an attack into changes in attack capability and environmental changes, establishes a mathematical model through the causal relationship between the two, and proposes the concept of a security state domain trend index; it uses Matlab to perform surface fitting of attack trends, and then divides the security state domain and evaluates network security. Literature [39] proposed a network security threat assessment method based on approximate weight calculation, and established a threat assessment model based on “threat impact on assets–security attributes–attacks”. This method uses a hierarchical computing model to assess the risk level of threats. Starting from a given interval judgment matrix, the interval judgment matrix is uniformly approximated by an ordinary numerical judgment matrix, and the approximate weights of the elements of each layer are obtained.
In terms of security assessment for large-scale networks, Literature [40] proposed an agent-based online monitoring and assessment framework for the weaknesses and attack impacts of large-scale networks. This framework assesses network security threats at the component level and the system level. The system components are divided into three types: client, router, and server. The security assessment of the client mainly examines changes in the data transmission rate, the security assessment of the router mainly examines buffer usage, and the security assessment of the server mainly examines changes in the length of the connection queue. The system-level threat is measured by the ratio of the number of components working under abnormal conditions to the total number of components. Literature [41] proposed a hierarchical-protection-oriented dynamic risk assessment model for large-scale networks. This model attempts to automatically identify and quantify the dynamic risk elements of large-scale networks. Among them, the identification and quantification of asset elements is achieved through the resource management systems and business support systems of large-scale networks. The identification and quantification of vulnerability elements is achieved through a security status indicator system maintained by expert systems. The identification and quantification of threat elements is achieved through a fault and malicious behavior signature database maintained by an expert system.
Identity evaluation based on attribute attack graph
Scheme
As Fig. 1 shows, the scheme of the heterogeneous identity risk assessment method based on the attribute attack graph proposed in this paper includes the following points:
(1) Mine the attributes of the heterogeneous identity holder and design the attribute attack graph, vulnerability and asset value;
(2) Calculate the probability of a security event from the attribute attack graph and the vulnerability, and calculate the security event loss from the vulnerability and the asset value;
(3) Calculate the heterogeneous identity risk by integrating the probability of security events and the loss of security events.
Fig. 1. Heterogeneous identity risk assessment flowchart.
The attributes of user identity are divided into seven types of evaluation indicators: registration information, virtual network account number, terminal information, communication relationship, group relationship, key website traces and orders, search history.
Aiming at the sensitive attribute data of heterogeneous identities, we establish a series of attack rules for illegally obtaining attributes. In response to the user’s own privacy disclosure behavior, we identified the vulnerability database.
We quantify threats by constructing attribute attack graphs. The attribute attack graph consists of attribute nodes, attack nodes, and edges between them. Attribute nodes are classified abstract descriptions of user attributes, and attack nodes are attacks generated in accordance with attack rules. The attribute node and the attack node are connected by a directed edge. The attribute node is the premise and result of the attack node. The directed edge from the attribute node to the attack node represents the premises relationship, and the directed edge from the attack node to the attribute node represents the result relationship.
We calculate the probability of node occurrence in a large-scale attack graph with loops, and derive a multi-step maximum risk adjacency matrix through a matrix multiplication operation. Then, we superimpose the maximum risk adjacency matrix from step 1 to n to generate the global maximum risk adjacency matrix, and finally calculate the risk probability of all nodes.
The value of the asset is quantified through three aspects of confidentiality, integrity, and availability, taking a value between 1 and 10. The larger the value, the greater the loss. The specific value is determined according to user concerns and privacy customization. We use the constructed vulnerability database to evaluate vulnerability, and assign values from the dimensions of attack complexity, authentication times, attack methods, confidentiality, integrity, and availability.
We use the calculated attribute attack map, vulnerability, and asset value to evaluate the possibility of security events and the loss of security events to help secure the security of identity attributes. We quantitatively calculate the attribute risk value of heterogeneous identities, provide an evaluation basis for identification of identity attributes, and intervene in the negotiation of heterogeneous identities once the risk of cross-trust domain authentication increases.
The top level of the risk assessment analytic model is a comprehensive risk index, which is determined by the probability of a security event and the loss of a security event. The values of security event probability and security event loss are determined by the relevant elements of user identity attributes. According to the above analytic hierarchy model, the risk assessment process for the identity of heterogeneous network users is as follows. The first step is to identify and assign values to the various elements of user identity attributes, including asset value identification and quantification, vulnerability identification and quantification, and threat identification and quantification; the vulnerability includes two aspects, “the degree of damage to the assets” and “the ease of being exploited”. The second step is to calculate the loss of security incidents from the quantified asset value and the “degree of damage to assets” of the vulnerability. The third step is to calculate the probability of security incidents from the quantified threat measurement and the “ease of exploitation” of the vulnerability. The fourth step is to calculate the risks that assets face in terms of confidentiality, integrity, and availability from the loss of security events and the likelihood of security events.
In application scenarios such as social networks, telecommunications networks, and e-government networks, the asset value of risk assessment can be regarded as the identity attribute information that is oriented towards user concerns. In order to facilitate the quantitative measurement of user identity, we divide the attributes of social users into seven types of evaluation indicators: registration information, virtual network account numbers, terminal information, communication relationships, group relationships, key website traces and orders, and search history. For each type of evaluation index, focus on mining related evaluation elements and the basic attributes of each element. For example, the evaluation elements of the registration information are basic information, mobile phone number information, bank information, vehicle information, spouse information, and household registration information. The basic information focuses on attributes such as name, gender, place of origin, and place of residence, while the mobile phone number information focuses on attributes such as operator and mobile phone number.
Aiming at the sensitive attribute data of social network users, we have established a series of attack rules for illegally obtaining attributes, such as illegally obtaining user ID numbers and trying to investigate user background information. In response to the user’s own privacy disclosure behavior, we identified the vulnerability database. The vulnerability database focuses on the user’s privacy protection, such as the leakage of a sensitive information that the user is concerned about.
Attribute attack graph
We quantify the threat by constructing an attribute attack graph. The attribute attack graph consists of attribute nodes, attack nodes, and the edges between them. Attribute nodes are classified abstract descriptions of user attributes. Attack nodes are attacks generated in accordance with attack rules. Attribute nodes and attack nodes are connected by directed edges. The attribute node is the premise and the result of the attack node: the directed edge from an attribute node to an attack node represents the premise relationship, and the directed edge from an attack node to an attribute node represents the result relationship. An attack node can only produce an attack if its premise is satisfied. The attack graph consisting of attribute nodes, attack nodes, and edges reflects the security status of the network, and gives the dependency relationship of each vulnerability in the network. This method analyzes the threats that the user identity may face according to the attribute attack graph, calculates the risk probability, and finds security measures to reduce or eliminate the threats. The attack graph generation module takes various security elements as input, and generates the nodes and edges of the attack graph by matching these security elements to attack patterns. For the attack graph to depict all possible targets of the attacker, we must first generate a global attack graph. The global attack graph depicts all attack paths available to the attacker from the perspective of the attacker’s maximum access to network security elements. The global attack graph can find all nodes that may be at risk in the network, but it may contain loops, and in large-scale networks it is too large to analyze and calculate. For this reason, based on the global attack graph, we also need to generate the target optimal attack subgraph.
The target optimal attack subgraph is an attack graph that clearly targets the target node and eliminates loops. The graph only contains the attack path to the target node, so the size of the attack graph is controlled.
In a large-scale attack graph with loops, starting from the target node and walking back to the initial node generates all attack paths from the initial node to the target node. Attacks that are not related to the target are discarded, forming a subgraph of the global attack graph. During the reverse generation of the subgraph, a tracking set is introduced to record all the attribute nodes that have already been generated along the current path. When the attribute node to be generated by an attack behavior is already in this tracking set, a loop would be generated, and the attack behavior is invalid. The rows and columns of the risk adjacency matrix are the attribute nodes in the attribute attack graph, and the elements of the matrix are the probability of an attack occurring between the two corresponding attribute nodes. The element a(i, j) of the single-step maximum risk adjacency matrix represents the maximum probability of a one-step attack from attribute node i to attribute node j. Where several attack nodes exist between the two attribute nodes of a row and column, each with its own independent risk probability, the maximum of these probabilities is used as the element value. The multi-step maximum risk adjacency matrix is derived through matrix multiplication, the maximum risk adjacency matrices from 1 to n steps are superimposed to generate the global maximum risk adjacency matrix, and the risk probability of all nodes is calculated from it.
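The backward generation of the target optimal attack subgraph with a tracking set, as an added example (not the paper's code). The attribute nodes, attack rules and the deliberate loop between A_phone and A_name are constructed for illustration; an attack node with several premises is expanded into one chain per premise.

```python
"""Target optimal attack subgraph of an attribute attack graph.

Walks backwards from the target attribute node to the initial attribute
nodes, keeps only attacks that lie on a path to the target, and uses a
tracking set of already-generated attribute nodes to reject loops.
Constructed example data; not from the paper.
"""
from collections import defaultdict

# Constructed attack rules: attack node -> (premise attribute nodes, result
# attribute node).  "atk_phone_from_name" closes a loop with
# "atk_name_from_phone", so the tracking set has something to prune.
ATTACK_RULES = {
    "atk_phone_from_account": (("A_account",), "A_phone"),
    "atk_name_from_phone": (("A_phone",), "A_name"),
    "atk_phone_from_name": (("A_name",), "A_phone"),      # loop back
    "atk_id_from_name": (("A_name",), "A_idnumber"),
    "atk_unrelated": (("A_account",), "A_search_history"),  # not on target path
}


def build_result_index(rules):
    """Map each attribute node to the attack nodes whose result it is."""
    by_result = defaultdict(list)
    for atk, (_, result) in rules.items():
        by_result[result].append(atk)
    return by_result


def target_optimal_subgraph(rules, initial, target):
    """Return (kept attack nodes, attack paths from initial to target).

    Each path is a list of attack nodes in forward (initial -> target) order.
    `tracking` holds the attribute nodes already generated on the current
    path; an attack whose premise is already in it would form a loop and is
    discarded.  Attacks with several premises are expanded per premise.
    """
    by_result = build_result_index(rules)
    paths, kept = [], set()

    def expand(attr, tracking, path):
        tracking = tracking | {attr}          # this attribute is now generated
        if attr in initial:                   # reached an attacker-held node
            paths.append(list(reversed(path)))
            kept.update(path)
            return
        for atk in by_result.get(attr, ()):
            premises, _ = rules[atk]
            if any(p in tracking for p in premises):
                continue                      # loop: premise already on path
            for p in premises:
                expand(p, tracking, path + [atk])

    expand(target, set(), [])
    return kept, paths


if __name__ == "__main__":
    kept, paths = target_optimal_subgraph(ATTACK_RULES, {"A_account"}, "A_idnumber")
    print("kept attacks:", sorted(kept))
    for p in paths:
        print(" -> ".join(p))
```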
The value of the asset is quantified through three aspects of confidentiality, integrity, and availability, taking a value between 1 and 10. The larger the value, the greater the loss. The specific value is determined according to user concerns and privacy customization. We use the constructed vulnerability database to evaluate vulnerability, and assign values from the dimensions of attack complexity, authentication times, attack methods, confidentiality, integrity, and availability.
We use the calculated attribute attack graph, vulnerability, and asset value to evaluate the probability of security events and the loss of security events. The loss of a security event is determined by the value of the asset and the degree of damage caused by the vulnerability, taking into account the security protection measures applied against the threat, which helps to strengthen the security of identity attributes. The social user attribute risk value is calculated by superimposing the security event probability and the security event loss, taking full account of users’ custom privacy requirements, and provides an evaluation basis for identity attribute proof; once the cross-trust-domain authentication risk increases, it interferes with the social user’s interactive negotiation.
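The single-step and multi-step maximum risk adjacency matrices, their superposition into the global matrix, and the resulting risk index per confidentiality, integrity and availability dimension, as an added example that is not the paper's code. The attack probabilities, asset values and damage degrees are constructed; the paper fixes the structure (probability and loss), while the concrete formulas used here (max-product for multi-step paths, risk = probability x asset value x damage degree) are this example's assumptions.

```python
"""Maximum risk adjacency matrices of an attribute attack graph and the
per-dimension risk index.  Constructed example; not the paper's code.
Assumptions: attack probabilities are independent, a multi-step path's
probability is the product along it, and risk = probability x loss where
loss = asset value (1-10) x damage degree (0-1) per CIA dimension.
"""
ATTRS = ["A_account", "A_phone", "A_name", "A_idnumber"]
IDX = {a: i for i, a in enumerate(ATTRS)}

# Constructed attack nodes: (premise attribute, result attribute, probability).
# Two attacks lead from A_phone to A_name; the matrix keeps the larger one.
ATTACKS = [
    ("A_account", "A_phone", 0.8),
    ("A_phone", "A_name", 0.5),
    ("A_phone", "A_name", 0.7),
    ("A_name", "A_phone", 0.3),       # loop back into A_phone
    ("A_name", "A_idnumber", 0.6),
]


def single_step_matrix(attacks, attrs=ATTRS):
    """a(i, j) = max probability over attack nodes leading from i to j."""
    n = len(attrs)
    m = [[0.0] * n for _ in range(n)]
    for pre, res, p in attacks:
        i, j = IDX[pre], IDX[res]
        m[i][j] = max(m[i][j], p)
    return m


def max_product(a, b):
    """Matrix 'multiplication' in the (max, *) semiring: the best (k+1)-step
    path probability is the max over intermediate nodes of the path product."""
    n = len(a)
    return [[max(a[i][k] * b[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]


def global_max_risk_matrix(single, steps):
    """Elementwise max of the 1..steps-step maximum risk matrices."""
    n = len(single)
    g = [row[:] for row in single]
    cur = single
    for _ in range(2, steps + 1):
        cur = max_product(cur, single)
        for i in range(n):
            for j in range(n):
                g[i][j] = max(g[i][j], cur[i][j])
    return g


def node_risk_probabilities(g, initial, attrs=ATTRS):
    """Risk probability of each attribute node: the best reachability
    probability from any initial (attacker-held) attribute; initial nodes
    are taken as 1.0.  (Assumed reading of 'risk probability of all nodes'.)"""
    out = {}
    for a in attrs:
        j = IDX[a]
        out[a] = 1.0 if a in initial else max(g[IDX[i]][j] for i in initial)
    return out


# Constructed asset values (1-10) and vulnerability damage degrees (0-1)
# per confidentiality / integrity / availability dimension.
ASSET = {"A_idnumber": {"C": 9, "I": 7, "A": 3}}
DAMAGE = {"A_idnumber": {"C": 1.0, "I": 0.5, "A": 0.2}}


def risk_index(attr, prob, asset=ASSET, damage=DAMAGE):
    """Risk per dimension = security event probability x security event loss."""
    return {d: round(prob[attr] * asset[attr][d] * damage[attr][d], 3)
            for d in ("C", "I", "A")}


if __name__ == "__main__":
    s = single_step_matrix(ATTACKS)
    g = global_max_risk_matrix(s, steps=3)
    prob = node_risk_probabilities(g, {"A_account"})
    print(prob)
    print(risk_index("A_idnumber", prob))
```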
Heterogeneous identity alliance risk identification
Infrastructure
According to the characteristics of the basic database of heterogeneous identity alliances, we identified the factors related to the risks of the alliance architecture. The basic database design of heterogeneous identity alliance is as follows:
1) Alliance user base database
Alliance users are registered on the blockchain, and the blockchain stores the basic block Block0 < AID, alliance name, URL>, which mainly provides index information.
2) Individual user base database
When the user separately registers to the system, he needs to provide identity verification (name and ID number, call the simulated population database interface through verification and check), and record the basic information block Block0 < UID, name, ID number > .
When the user registers with the alliance member AID1, the additional attribute information is filled in according to the identity template requirements of AID1, and all information is stored as information block Block1 < AID1, attribute 1, attribute 2,...>. Registering multiple AIDs has multiple blocks.
One UID can belong to multiple AIDs, and one AID can include multiple UIDs.
In addition to the basic information blocks stored by individual users, when registering with the alliance, attribute 1 and attribute 2 in Block1 can store the user’s behavior information, login status, and operation permissions in the alliance AID. A series of operations and online statuses performed by a user from logging in to the alliance system to exiting the alliance system through identity authentication will be recorded in the corresponding individual user Block1 attribute list. Among them, the attribute information of individual users in Block1 can be summarized according to the AHP analytic hierarchy method with different priority classification standards. The more important information has a larger inherent risk weight ratio, while conventional information has a smaller risk weight or no risk-inducing factors. Individual user Block0 generally does not contain risk information, and is generally the basic attributes such as the authentication information that individual users must use to log in to the alliance system. Risk items are easily generated when the information in the underlying database interacts with upper-level behaviors, but this is an essential element for recording risks. Table 1 is a preliminary design table of the attributes of the individual user Block 1.
Table 1. Personal membership template properties for alliance users
3) Organization / institution basic database
When an organization / institution is separately registered in the system, it needs to provide its legal person social credit code (the name of the organization / institution and the legal person’s social credit code), and the basic information block Block0 < AID, organization name, legal person’s social credit code > is recorded. When an organization / institution registers with AID1, it fills in additional attribute information in accordance with the identity template requirements of AID1, and all the information is stored as Block1 < AID1, attribute 1, attribute 2,...>. Registering multiple AIDs yields multiple blocks.
One UID can belong to multiple AIDs, and one AID can include multiple UIDs.
Attribute 1 and Attribute 2 in the organization / institution Block1 are similar to individual users, and can store the behavior information, login status, and operation authority of the organization / institution in the alliance AID. A series of operations and online status performed by the organization / institution from the login alliance system to the exit alliance system through identity authentication will be recorded to the corresponding organizational structure Block1. Among them, the identity and attribute information of the organization / institution can be classified according to the AHP analytic hierarchy process with different priorities. The more important information has a larger inherent risk weight ratio, while conventional information has a smaller risk weight or no risk-inducing factors. Organization / Institution Block0 generally does not contain risk information, and its attributes are shown in Table 2.
Alliance organization / institution identity template attributes
4. Equipment basic database
When a device registers separately in the system, it must provide a unique device identifier for verification (such as the network card MAC address or the mobile device IMEI), and the basic information block Block0 <EID, device name, unique identification code> is recorded.
When the device registers with alliance member AID1, the additional attribute information is filled in according to the identity template requirements of AID1, and all of that information is stored as information block Block1 <AID1, attribute 1, attribute 2, ...>. Registering with multiple AIDs produces multiple blocks.
The device Block1 attribute design refers to data on the network devices involved in the heterogeneous identity alliance architecture, such as switches, routers, and firewalls. A device carries certain risk factors because of its environment. Whether the network node sits in a central location affects the device’s workload, and when network traffic is too high the device’s working efficiency is directly affected. An outdated device version raises the risk factor. The device is also exposed to threat sources such as external interference: network instability, signal interference, magnetic interference, and external impacts directly affect its performance. These are the physical properties that the device database must consider. In addition, the device’s particular configuration parameters, network interfaces, and operating environment are also taken into account as risk factors. Individual users accessing the alliance communicate through different network devices, so there is a service response chain whose links carry risk factors of different security levels. To measure the risk factors of a device, the device basic database is queried. Its attribute design is shown in Table 3.
Alliance device attribute table
The heterogeneous identity alliance system does not replace current user identities such as those of social networks, telecommunications networks, or e-government networks. Instead, it adds an identity interface that provides compatible real-life services; the user registration information is the same as in reality and can be entered directly into the heterogeneous network database. Some users may choose to log in to network services in the old way, which has nothing to do with the alliance system. For users who choose to join the alliance system, the alliance follows the agreement described above.
At the level of alliance architecture, the alliance body is a decentralized heterogeneous identity alliance management system. The overall system architecture consists of three layers: the underlying blockchain layer, the virtual layer, and the P2P storage layer.
Blockchain layer: Alliance user entities and individual user entities register to the blockchain, and each block stores identity information.
Virtual layer: Provides the interface of the entire system to users and alliances.
Storage layer: stores the identity files of alliances, maps individual user clusters to each alliance, and evaluates the credibility of different identity attributes.
In heterogeneous identity alliance risk assessment, in addition to the risks that cross the identity management system, we should also consider the application risks of blockchain technology. Because blockchain is an immature new technology whose risks are difficult to control, we need to track risks dynamically so that new risks can be identified in time as the external environment changes, or so that the system architecture can be adjusted for risks already identified. Therefore, we analyze and evaluate system risk at three levels: first, the architectural risk assessment of the blockchain system; second, the alliance members’ own risks and the danger they pose to other alliance members during cross-domain access; and third, the risks caused by identity leakage of alliance members in other systems (social networks, telecommunications networks, etc.).
For members of the alliance, we refer to the national information security level protection standard GB/T 22239 “Information Security Technology: Basic Requirements for Information System Security Level Protection”. The possible risk factors of a member’s identity system that should be examined include the following:
In terms of network security, factors that need to be examined include structural security, access control, intrusion prevention, malicious code prevention, security auditing, and network equipment protection.
In terms of application security, factors that need to be examined include identity authentication, access control, resource control, software fault tolerance, communication confidentiality, and communication integrity.
In terms of host security, factors that need to be examined include identity authentication, access control, resource control, intrusion prevention, malicious code prevention, and security auditing.
Because users conduct cross-domain access between alliance members, the risk factors that such access poses to the alliance system must be considered. Alliance members need to establish a corresponding database for cross-domain access. The security items to be checked are the source alliance member and the destination alliance member, and each alliance member is further described by its identity level, security level, and business category. Because the attributes of each alliance member differ, the potential risk factors of cross-domain access are analyzed as follows.
Unauthorized access may occur through the access rights settings. Because each alliance member has different attributes (identity level, security level, business category, etc.), a member audits the users who access it and authenticates them in multiple ways. This approach reduces some security risks of cross-domain access but introduces others. Since the member being accessed has different attributes (identity level, security level, business category, etc.) from the member the user comes from, the cross-domain permission settings should also differ, which easily leads to incorrect permission settings; cross-domain access from alliance members with a low security level to alliance members with a high security level is especially prone to risk. Moreover, if a different access method is configured for every pair of alliance members, this consumes considerable time and resources in an alliance of any size.
Because cross-domain access from low-security alliance members to high-security alliance members is subject to fewer access restrictions, the identity authentication system of high-security alliance members will become the preferred target for hacking. Once the attack is successful, it will pose a great threat to other members of the alliance system.
Experiment analysis
Experimental scheme
We build a risk imaging model of the heterogeneous identity alliance architecture based on the threats, vulnerabilities, risk data, and association relationships between heterogeneous identity alliances, and use a visual mapping algorithm to present the risk assessment results and risk levels of the alliance architecture. According to the results of the risk assessment, risk avoidance measures are taken in advance following the risk emergency strategy.
The risk assessment presentation system consists of heterogeneous identity alliance members and identity management centers. Heterogeneous identity alliance members send identity verification requests, risk assessment requests, and query requests. The identity management center returns different results according to different requests after receiving requests from federation members.
Heterogeneous identity alliance members
Heterogeneous identity alliance members consist of each system in the heterogeneous network environment and each user of those systems. To log in to a system, a user sends a request to the identity management center, which returns a pass to the user after confirming the user’s identity information. The user can then use this pass to perform related operations in all systems of the heterogeneous identity alliance. Before logging in to a system, the user can obtain the risk evaluation results from the identity management center; the results can be displayed in the browser or retrieved through the query module of the identity management center. Users can take risk avoidance measures in advance according to the risk assessment results and the risk emergency strategy.
Each system in the heterogeneous identity alliance can send a request to the identity management center to judge the user’s access risk according to the communication certificate provided by the user, and perform corresponding risk evasion according to the result.
Identity management center
The identity management center consists of an identity verification module, a risk assessment module, and a query module, and performs the corresponding operations according to the requests it receives from heterogeneous identity alliance members.
The authentication module verifies the user’s identity. When a user makes a login request with their own ID and the corresponding password, the authentication center verifies the user’s identity and issues the user a heterogeneous identity alliance pass. The user can rely on this pass to perform the corresponding operations in the systems under the heterogeneous identity alliance. Passes issued by the identity management center are random numbers generated by the system and become invalid after use, to avoid the risk of reuse. Each generated pass is bound to the user ID in the database of the identity management center, so the identity management center can look up the user’s information from the pass. When a user logs in to a heterogeneous system with a pass, that system, after obtaining the user’s pass, sends a request to the identity management center to verify the correctness of the user’s identity. The identity management center verifies the user’s identity after receiving the request and returns the user ID to the heterogeneous system.
The risk evaluation module provides the function of risk evaluation for heterogeneous identity alliance members. The risk evaluation module performs risk assessment on users and systems according to the risk evaluation index information of users and systems. The risk assessment includes user-to-system risk and system-to-user risk. The results of these two types of assessments will be returned to the system and the user, respectively. The system and users who have obtained the results can take corresponding risk aversion measures according to the results of the risk assessment.
The query module is an interface that the identity management center opens to users and systems. Users and systems in the alliance can query the results of risk assessment. For example, users in the alliance can query the risk value of the system before accessing a system, or they can query their own risk value to the system.
Experimental interface
User authentication interface
The user initiates a login request to a system (member) in the alliance. If the request carries no token information, the user is redirected to the identity management center. The identity management center verifies the user’s login request information, returns the token to the user after successful verification, and also makes the token known to the alliance member system. The user repeats the request after receiving the token; a request to the member system that carries the token passes verification, and the user can then access the system resources.
System risk assessment interface
The heterogeneous identity alliance risk assessment system complies with the basic requirements of national information system security level protection (GB/T 22239). The technical requirements of the system are set out in terms of network security, host security, and application security. The management requirements of the system cover the security management system, the security management organization, personnel security management, system construction management, and system operation and maintenance management. The technical requirements and the management requirements are two inseparable parts of ensuring the security of the information system. The system security attributes are scored by experts, and a comprehensive scoring algorithm is then used to calculate the final risk value of each system.
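An added example (not the paper’s code) of the scoring pipeline the text outlines: AHP weights for the three GB/T 22239 technical aspects listed above are derived from an expert pairwise comparison matrix and checked for consistency, then expert risk scores for the individual items are aggregated into one risk value and level. The comparison matrix, the 0–10 scoring scale, the item scores and the level thresholds are constructed assumptions; the random index table is Saaty’s standard one.

```python
from typing import Dict, List, Tuple

# Saaty's random consistency index (RI) by matrix size n.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def ahp_weights(matrix: List[List[float]], iters: int = 200) -> Tuple[List[float], float, float]:
    """Principal eigenvector of a pairwise comparison matrix by power iteration.

    Returns (weights, lambda_max, consistency_ratio). A CR above 0.1 means the
    expert judgements are too inconsistent to trust the weights.
    """
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iters):
        v = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(v)
        w = [x / total for x in v]
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1) if n > 1 else 0.0
    cr = ci / RANDOM_INDEX[n] if RANDOM_INDEX.get(n, 0.0) > 0 else 0.0
    return w, lambda_max, cr


def composite_risk(weights: Dict[str, float], scores: Dict[str, Dict[str, float]]) -> float:
    """Weighted sum of per-aspect mean item scores (0 = no risk, 10 = maximal risk)."""
    risk = 0.0
    for aspect, weight in weights.items():
        items = scores[aspect]
        risk += weight * (sum(items.values()) / len(items))
    return risk


def risk_level(value: float) -> str:
    """Constructed thresholds mapping the 0–10 risk value to a level."""
    if value < 3.0:
        return "low"
    if value < 6.0:
        return "medium"
    return "high"


# Constructed expert comparison: application security judged twice as important as
# network security, network twice as important as host (rows/cols in ASPECTS order).
ASPECTS = ["network", "application", "host"]
COMPARISON = [
    [1.0, 0.5, 2.0],
    [2.0, 1.0, 4.0],
    [0.5, 0.25, 1.0],
]

# Constructed expert scores for the GB/T 22239 items named in the text.
EXPERT_SCORES = {
    "network": {"structural security": 2, "access control": 5, "intrusion prevention": 4,
                "malicious code prevention": 3, "security auditing": 6, "equipment protection": 4},
    "application": {"identity authentication": 3, "access control": 2, "resource control": 4,
                    "software fault tolerance": 3, "communication confidentiality": 2,
                    "communication integrity": 4},
    "host": {"identity authentication": 4, "access control": 5, "resource control": 6,
             "intrusion prevention": 8, "malicious code prevention": 7, "security auditing": 6},
}


def assess_system() -> Tuple[float, str, float]:
    """Run the whole pipeline on the constructed data: (risk value, level, CR)."""
    w, _, cr = ahp_weights(COMPARISON)
    weights = dict(zip(ASPECTS, w))
    value = composite_risk(weights, EXPERT_SCORES)
    return value, risk_level(value), cr
```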
Risk query interface
Heterogeneous identity alliance members can query each other, users can also query alliance members, and the corresponding comprehensive risk value is retrieved by querying the ID of the object. An alliance member carries a target alliance member ID to query that member’s risk value, an alliance member carries a target user ID to query that user’s risk value, and a user carries a target alliance member ID to query that member’s risk value.
Experimental data
The verification data serves as the final visualized implementation, and the data provided by the data interface of each module of the heterogeneous identity alliance risk assessment is passed as parameter values to the verification system. The system analyzes the threats and vulnerabilities of alliance trust management through mathematical modeling, sets weights, and calculates a quantified risk value for the system. After passing the identity verification module of the identity management center, a user can send a risk assessment request to the risk assessment module. Once the request has been answered successfully, the identity management center evaluates the final risk level according to standard risk evaluation indicators and feeds the risk view back to the presentation interface.
The system must ensure the authenticity and integrity of the data source when calling the interface data. Defective or tampered data will cause some data to be doubted during data verification, which will affect the final rating and cause inaccurate judgment results. The authenticity and integrity of the data can be protected by encrypting the data. The verification data must ensure that the data itself is credible, and the verification system can calculate the risk assessment value most effectively.
The systematic risk assessment needs to consider the threats and vulnerabilities of the alliance system. A threat is a potential source of events that can lead to negative results for alliance organizations. Threat sources are divided into human subjective factors and environmental factors. Human subjective factors are divided into malicious and non-malicious behaviors; malicious actions include unauthorized actions, posting sensitive information, and impersonating identities. A malicious threat source is obviously more potentially harmful than a non-malicious one. Environmental factors are divided into external interference and internal system defects. External interference is force majeure unrelated to the system itself, such as signal interference and network interruptions. Internal system defects are vulnerabilities of the prototype system, such as inherent insufficiencies in the system design; these should be fully considered at the start of the design.
The data verification mode is an interface provided by the identity management center for the graphical representation of risk assessment results. Users can log in to the heterogeneous identity alliance system through identity authentication to view their own risk ratings in the alliance system, and they can also view the risk ratings of current alliance members. Only two-way transparent risk assessment can reduce and avoid risks most effectively. The visual presentation is to display data such as the user’s or system’s real-time status attributes and risk values in a concise graphical identification method in the query window. The user’s risk assessment results need to list the user’s basic attributes, risk assessment time, risk level, and items with risk one by one, so that the user can see at a glance when inquiring. The administrator needs to present the operating status of each system and the risk value of the system when querying the risk assessment results. Finally, the user or administrator can observe the security operation status of the heterogeneous identity federation system by visualizing the results.
Experimental results
In the analysis of the attribute attack graph, we apply the algorithm in this paper to calculate the optimal atomic attack repair set and the optimal initial condition repair set of the target resource set, respectively, and compare them with the algorithms in [4] and [5], analyzing the trend of the CPU running time of each algorithm.
In order to analyze the time trend of each algorithm, this experimental simulation generates five attribute attack graphs of different scales, numbered A, B, C, D, and E, whose scale increases gradually, as shown in Table 4. There, AG is the number of each attack graph, M0 is the number of initial condition nodes, M is the total number of condition nodes, Mg is the number of target condition nodes of the target resource set, K is the number of atomic attack nodes, and L is the total number of attack graph edges.
Scale parameter of attribute attack graph
We perform experiments on attribute attack graphs of different scales and obtain the running time of each algorithm as shown in Fig. 2.

Performance trend of attribute attack graph algorithm.
The figure shows the experimental results of the optimal initial condition repair set algorithm, the optimal atomic attack repair set algorithm, the algorithm in [4], and the algorithm in [5] on the attribute attack graphs of different scales. L1 is the CPU time curve of the optimal initial condition repair set algorithm, L2 is the CPU time curve of the optimal atomic attack repair set algorithm, L3 is the CPU time curve of the algorithm in [4], and L4 is the CPU time curve of the algorithm in [5]; the ordinate axis uses a logarithmic scale with base 10.
It can be seen from the performance trend graph that the algorithms in this paper have high time efficiency and take less time; their CPU running time grows polynomially with the size of the attack graph. Given the effective attack path length, the CPU running time of the algorithm in [4] also grows polynomially with the size of the attack graph, but the CPU time spent in each group of experiments is much higher than for the algorithm in this paper. The performance of the algorithm in [5] is low: the CPU time spent in each group of experiments is longer, and it grows exponentially as the size of the attack graph increases.
The experimental results show that the algorithm in this paper has higher actual running efficiency, and its CPU running time is significantly lower than the running time of the algorithms in [4] and [5]; as the attack graph size increases, its running time grows polynomially.
Aiming at the problem that no common root of trust exists in the process of user interaction and negotiation in heterogeneous networks, and in order to ensure the security of mutual evaluation between users, a heterogeneous identity proof method based on risk assessment is proposed. This method constructs an attribute attack graph to assess the risk situation of heterogeneous network users. Its purpose is to provide an identification basis for cross-trust domain user interaction and negotiation, and to build a risk evaluation system for cross-trust domain user identity attributes in a decentralized heterogeneous environment, giving intelligent early warning of user identity and behavior from a technical point of view. First, this method proposes a risk assessment framework for heterogeneous network users based on attribute attack graphs, which includes modules for identity expression modeling, attribute attack graph generation, risk calculation, and security hardening. It does not need to rely on traditional electronic certificate authorities to authenticate users; rather, the precise measurement of identity attributes is used to judge user credibility and the security of cross negotiation, so it is compatible with the decentralized character of heterogeneous cyberspace. Secondly, this method formalizes the identification information of social users, such as registration information, virtual network account numbers, terminal information, communication relationships, group relationships, key website traces and orders, and search history, and combines it with the sensitive attribute data and privacy leakage behaviors of heterogeneous network users to form an attribute attack graph model.
Thirdly, because loops in the attribute attack graph add computational complexity to the security analysis, we propose a loop-clearing method that uses a reverse search algorithm to generate the optimal loop-free attribute attack subgraph, and on that subgraph generates the maximum risk adjacency matrix used to calculate the node risk probabilities, thereby eliminating as many redundant nodes as possible and simplifying the amount of calculation.
In addition to the cross-domain identity risk analysis proof, the security risk measurement of the heterogeneous identity alliance is also a contribution of this paper. According to the characteristics of the basic database of heterogeneous identity alliances, we identified the factors related to the risks of the alliance architecture. The overall architecture of the decentralized heterogeneous identity alliance management system consists of three layers: the underlying blockchain layer, the virtual layer, and the P2P storage layer. We analyze and evaluate system risk at three levels: first, the architectural risk assessment of the blockchain system; second, the alliance members’ own risks and the danger they pose to other alliance members during cross-domain access; and third, the risks caused by identity leakage of alliance members in other systems (social networks, telecommunications networks, etc.).
Based on the above cross-domain identity risk assessment principles and the threats faced by heterogeneous identity alliances, we use a visual mapping algorithm to establish a risk imaging model of the heterogeneous identity alliance architecture that presents the results and the risk level of the alliance architecture risk assessment. The risk assessment presentation system consists of heterogeneous identity alliance members and the identity management center. Heterogeneous identity alliance members send identity verification requests, risk assessment requests, and query requests, and the identity management center returns the corresponding results for each kind of request it receives from alliance members.
Acknowledgments
This work was supported by the National Key Research and Development Program of China under Grants 2017YFB0802300 and 2017YFC0803700.
