
A Review of Zero Trust Security Research in Industrial Internet of Things

Wang Hangyu, Lü Fei, Cheng Yuliang, Lü Shichao, Sun Degang, Sun Limin

Citation: Wang Hangyu, Lü Fei, Cheng Yuliang, Lü Shichao, Sun Degang, Sun Limin. A Review of Zero Trust Security Research in Industrial Internet of Things[J]. Journal of Computer Research and Development. DOI: 10.7544/issn1000-1239.202440840
Citation: Wang Hangyu, Lü Fei, Cheng Yuliang, Lü Shichao, Sun Degang, Sun Limin. A Review of Zero Trust Security Research in Industrial Internet of Things[J]. Journal of Computer Research and Development. CSTR: 32373.14.issn1000-1239.202440840

Funds: This work was supported by Beijing Natural Science Foundation (L234033).

    Author Bio:

    Wang Hangyu: born in 1997. PhD candidate. His main research interests include access control and zero-trust security in IIoT

    Lü Fei: born in 1987. PhD, engineer. His main research interests include the protection of the IIoT

    Cheng Yuliang: born in 2002. Master candidate. His main research interests include access control, zero trust, and information security

    Lü Shichao: born in 1985. PhD, senior engineer. His research interests include active defense, proactive monitoring, and security enhancement for ICS

    Sun Degang: born in 1970. PhD, professor, PhD supervisor. His main research interests include electromagnetic leakage protection, wireless communication technology and high security level information system protection technology

    Sun Limin: born in 1966. PhD, professor, PhD supervisor, senior member of CCF. His main research interests include ICS security and IoT security

    Corresponding author: Lü Fei (lvfei@iie.ac.cn)

  • CLC number: TP393.08

  • Abstract:

    The Industrial Internet of Things (IIoT) faces increasingly severe security threats, and traditional perimeter-based security models are no longer adequate for evolving and complex demands. Zero trust, an emerging security model centered on the core principle of “never trust, always verify,” has gradually gained attention. However, research on and application of zero trust in the IIoT domain are still at an early stage, and a more comprehensive and systematic exploration is needed. This paper provides a systematic review of the development and applications of zero trust in the industrial sector, focusing on its core technologies and practical scenarios while identifying current research trends and future directions. The paper introduces the basic concepts and principles of industrial zero trust, establishing a theoretical foundation for the subsequent discussion. It then systematically outlines the migration strategies and evaluation methods for industrial zero trust architectures and summarizes the key technologies, including authentication, software-defined perimeters, micro-segmentation, secure communication channels, and trust evaluation, which together form the core supporting framework of industrial zero trust. Furthermore, the paper examines the critical role of access control within the zero trust model and its value in fine-grained permission management. By examining typical IIoT application scenarios, it further explores the practical advantages of zero trust in complex environments. Finally, it identifies the existing challenges of industrial zero trust and discusses potential future development directions.

  • With humanity's growing energy demand and the depletion of non-renewable resources, fusion energy, owing to its cleanliness and safety, is attracting increasing attention as a solution to long-term energy needs. The International Thermonuclear Experimental Reactor (ITER), currently under construction, is an important milestone toward the peaceful use of fusion energy. Magnetic confinement fusion is one of the most important routes to thermonuclear fusion energy [1-2]. Achieving and sustaining the plasma fusion process in a reactor poses enormous scientific and technical challenges. Among these, research on plasma stability helps to understand, predict, control and mitigate the threat of plasma disruptions; it is an important guarantee for optimizing burning-plasma operating modes and improving plasma confinement and transport, and an important basis for designing and building advanced fusion devices.

    Numerical simulation is one of the key methods in plasma stability research: compared with theoretical study it can analyze complex physical processes, and compared with experiment it is more economical and flexible. In numerical plasma physics, gyrokinetic theory is frequently used to study kinetic instabilities and turbulent transport at the Larmor-radius spatial scale [3-5]. In gyrokinetic theory, gyro-averaging reduces the dimensionality of the equation describing the distribution function from six to five, which makes it particularly suitable for studying plasma instabilities and turbulent transport over longer time scales.

    The particle-in-cell (PIC) method, thanks to its good scalability, conservation of physical quantities and accurate description of wave-particle interaction, is widely applicable and promising among gyrokinetic simulation algorithms [6-8]. Building on these strengths, researchers have moved from solving physics problems at particular spatio-temporal scales toward nonlinear, multi-scale coupled simulations, which place unprecedented demands on program architecture, computational performance, algorithm optimization and parallel efficiency in high-performance magnetic-confinement fusion simulation. Many researchers have attempted to meet the ever-growing compute demand of gyrokinetic PIC codes with heterogeneous platforms, and have made many efforts in porting, optimization and numerical algorithms.

    The GTC code was among the first to benefit from heterogeneous parallel computing: it showed a 2-3x speedup with CUDA on Tianhe-1 [9], a 2-3x speedup with OpenACC on Titan and a 3-4x speedup on Summit [10], and a 2-5x speedup with Intel Xeon Phi accelerators on Tianhe-2 [11]. The ORB5 code, using OpenACC, achieved 4x and 5x speedups on Summit with Tesla P100 and Tesla V100 GPUs respectively [12].

    The studies above usually emphasize the contribution of electrons to the model; electron simulation can reach high acceleration thanks to regular memory access patterns. Fusion-product alpha particles, like kinetic ions, have a large gyroradius and must be gyro-averaged along the gyro-orbit, which brings a large volume of irregular grid-data accesses and places high demands on memory-access performance. The literature shows that, with only kinetic ions and adiabatic electrons, heterogeneous porting can have a negative effect on overall performance [13]. Since the confinement and transport of fusion-product alpha particles is key to the success of magnetic confinement fusion, this paper focuses on the heterogeneous porting and performance optimization of a gyrokinetic code represented by alpha particles.

    The porting, optimization, analysis and testing in this paper were carried out on the new-generation Tianhe supercomputer. It uses the heterogeneous MT-3000 processor [14], which contains 16 CPUs, 4 acceleration clusters, 96 control cores and 1 536 acceleration cores, with a theoretical computational intensity of up to 145 FLOPB. Each acceleration core works in very long instruction word (VLIW) mode, and every 16 acceleration cores together with 1 control core form one acceleration array under SIMD control. The MT-3000 has a mixed memory hierarchy: each cluster has GSM (6 MB), HBSM (48 MB) and DDR (32 GB) memory, and each acceleration array has AM (768 KB) and SM (64 KB) on-chip memory that feeds data to the acceleration cores. Its architecture is shown in Fig. 1.

    Figure 1. The architecture diagram of MT-3000

    Porting a program to the heterogeneous MT-3000 processor presents two challenges: on the one hand, how to use the complex memory hierarchy efficiently to deliver data to the acceleration arrays; on the other, how to fully exploit its high computational intensity. Meeting both requires breaking with the traditional CPU-oriented program design and giving more weight to computational performance during porting and optimization, so as to raise overall performance.

    VirtEx is a gyrokinetic simulation code built on the PIC algorithm and has been used successfully to analyze linear resistive tearing instabilities [15]. Following the PIC method, charged particles are described in the Lagrangian frame as sample points of the distribution function in continuous phase space, while field information is described in the Eulerian frame: the equilibrium field on a structured grid and the perturbed field on an unstructured grid [16]. VirtEx parallelizes spatially by dividing the simulation domain into subdomains along the toroidal direction, each managed by a group of processes. Each process in the group holds a copy of the field information of its subdomain, and the particles within the subdomain are partitioned among the processes by rank.

    The main structure of VirtEx is shown in Fig. 2. Its main loop uses a second-order Runge-Kutta scheme. In each iteration, the function Push updates the particle positions in phase space; it can be further divided into PG (push gather), the gyro-average of the field information at the particles, and PI (push interpolation), which updates the particle positions. The function Locate computes the interpolation weights between the particle positions and the perturbed-field grid, and the function Charge computes the moments of the distribution function on the unstructured perturbed grid. The remaining hotspots are mainly the update of the perturbed field on the unstructured grid and MPI communication of particles. The three functions Push, Locate and Charge are the hotspots of the code, together accounting for more than 85% of the main-loop time.

    Figure 2. Main structure of the VirtEx code and hotspot distribution

    The algorithms involved in the three hotspot functions are as follows:

    Algorithm 1. Gyro-average algorithm of function PushGather.

    Input: toroidal grid-point weights wzpart, radial grid-point weights wppart, poloidal grid-point weights wtpart, grid-point indices jtpart, perturbed electric field gradphi;
    Output: gyro-averaged perturbed field wpgc.

    for (mp = 0; mp < mpmax; mp++)               /* particle loop */
        for (igyro = 0; igyro < ngyro; igyro++)  /* gyro-average loop */
            read the grid-point weights and indices of the particle;
            read gradphi by index;
            compute the temporary variable e;
        end for
        accumulate wpgc for use by function PI;
    end for

    Algorithm 2. Particle position update algorithm of function PushInterpolation.

    Input: phase-space coordinates zpart, previous phase-space coordinates zpart0, gyro-averaged perturbed field wpgc;
    Output: phase-space coordinates zpart.

    for (mp = 0; mp < mpmax; mp++)               /* particle loop */
        read particle information zpart, wpgc;
        interpolate grid information, electric field, magnetic field, etc.;
        compute the force of the fields on the particle;
        push the particle, updating its velocity and position;
    end for

    Algorithm 3. Particle-to-field interpolation weight algorithm of function Locate.

    Input: phase-space coordinates zpart;
    Output: toroidal grid-point weights wzpart, radial grid-point weights wppart, poloidal grid-point weights wtpart, grid-point indices jtpart.

    for (mp = 0; mp < mpmax; mp++)               /* particle loop */
        for (igyro = 0; igyro < ngyro; igyro++)  /* gyro-average loop */
            read particle information zpart;
            read grid information;
            compute the particle's interpolation weights;
        end for
    end for

    Algorithm 4. Distribution-function moment algorithm of function Charge on the unstructured perturbed grid.

    Input: toroidal grid-point weights wzpart, radial grid-point weights wppart, poloidal grid-point weights wtpart, grid-point indices jtpart;
    Output: current density density.

    for (mp = 0; mp < mpmax; mp++)               /* particle loop */
        interpolate grid information, electric field, magnetic field;
        for (igyro = 0; igyro < ngyro; igyro++)  /* gyro-average loop */
            read the particle's interpolation weights;
            compute the particle's perturbation contribution to the surrounding grid points;
            reduce the particle information onto the grid into density;
        end for
    end for

    The outer loops of the four algorithms in the three hotspot functions all iterate over particles, and the particles are largely independent of one another, so the heterogeneous porting to the MT-3000 centres on rewriting the particle loops with the vector instruction set.

    At the same time, to better match the memory-access characteristics of the vector instruction set, the data structures were rewritten: particle data use a structure-of-arrays (SOA) layout and grid data use an array-of-structures (AOS) layout. Particles are numerous and independent, so SOA suits vector operations well; grid data are far fewer than particles but are accessed in large volume, so AOS makes full use of memory locality. This data-structure rewrite is an important foundation for the subsequent performance optimization.

    Based on the above analysis of the hotspot functions, the gyrokinetic PIC simulation involves a large volume of memory traffic between particle and grid data; in particular, accesses to the perturbed-field grid data involve irregular reads and atomic writes, both of which pose a hard challenge for memory-access performance. Table 1 gives the memory-access and computation statistics of the hotspot functions.

    Table 1. Initial computational intensity statistics of the VirtEx hotspot functions

    Function | Floating-point operations / FLO | Memory traffic / B | Computational intensity / FLOPB
    PG | 269mp | 232mp | 1.15
    PI | 462mp | 224mp | 1.98
    Locate | 238mp | 200mp | 1.17
    Charge | 158mp | 200mp | 0.75
    Note: mp denotes the number of particles; the coefficient before it is the per-particle count of floating-point operations or bytes accessed in the hotspot function.

    Therefore, how memory-bound modules with a computational intensity of only 1-2 FLOPB can, through performance-optimization strategies, exploit the computing power of a heterogeneous device designed for high computational intensity is the key research question and the focus of this paper. This section presents three optimization methods: on-the-fly computation of intermediate variables, a software cache design based on the on-chip SM memory, and merging of the hotspot functions.

    In traditional CPU-oriented program design, developers tend to look for shared data, precompute it and keep it in memory, relying on the multi-level cache hierarchy and fetching it by index, trading extra memory traffic for less computation. This approach, however, does not suit heterogeneous devices built for high computational intensity on wide vectors: the extra memory traffic limits the usable compute, and the index-based irregular access pattern is unsuited to vector computation. Taking the characteristics of the new architecture into account, this paper therefore adopts an optimization approach that is the opposite of the traditional one in order to improve computational performance.

    In VirtEx, intermediate variables such as the magnetic field, temperature, density and safety factor can be switched from precomputation to on-the-fly computation inside the hotspot functions, evaluated per particle as needed. This effectively reduces both regular and irregular memory accesses in the hotspot functions, reduces pipeline stalls, and avoids the vector-shuffle operations caused by indexed access.

    Analysis of the hotspot functions shows that the intermediate variables that can be optimized fall into two classes. The first, exemplified by mtheta, the number of poloidal grid points on each radial surface, can be computed on the fly inside the hotspot function:

    $\mathit{mtheta}_i = 2\,\mathrm{Floor}\!\left(\frac{\pi r_i}{\Delta l} + 0.5\right).$ (1)

    The second class of intermediate variables is hard to express analytically, for example the position index igrid of a particle in the unstructured perturbed-field grid, which has the form

    $\mathit{igrid}_i = 1 + \sum_{j=0}^{i-1} \mathit{mtheta}_j,$ (2)
    $\mathit{mtheta}_i = \frac{2\pi r}{\Delta l} + \delta_i = a i + b + \delta_i.$ (3)

    As Eq. (2) shows, igrid is computed as a cumulative sum of mtheta, and because of the discontinuity introduced by the Floor function, a formula for igrid cannot be obtained by simple transformation and integration.

    Since the number of poloidal grid points is far greater than 1 and the radial grid points are uniformly spaced in the r coordinate, when the residual $\delta_i \ll 1$, igrid can likewise be written as

    $\mathit{igrid}_i = a i^2 + b i + c + r_i,$ (4)

    where the residual r is far smaller than the quadratic part. To construct an analytic expression for igrid, a polynomial is used to fit the quadratic part, while the residual can be reduced below 0.5 by a periodic function f, as shown in Fig. 3. The analytic expression for igrid can then be written in the following form:

    $\mathit{igrid}_i = \mathrm{Round}\!\left[a i^2 + b i + c + f(i)\right].$ (5)

    Figure 3. Comparison of the real value and numerical fitting of the location index variable igrid

    Thanks to the analytic expression and on-the-fly computation of the equilibrium profile information, the random memory accesses in PushInterpolation and Locate are reduced. Only the hotspot function PushGather still contains random memory accesses, for the gyro-average of the perturbed field; the corresponding optimization is discussed in the next section.
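    The two routes to igrid described above, as an added example in C (this is not VirtEx code or code from the paper): the exact prefix sum of Eq. (2), which a CPU build would precompute and fetch by index, beside the on-the-fly closed form of Eqs. (4)-(5). This example assumes a uniform radial grid r_i = r0 + i·Δr and two constructed parameter sets, and it obtains the coefficients a, b, c of Eq. (4) by summing the continuous part of Eq. (3) in closed form rather than by the paper's polynomial fit; the paper's periodic correction f(i) is not reproduced, so the second case shows the residual that f(i) is there to absorb.

```c
/* Added example, not code from the paper: exact igrid (prefix sum) vs. closed-form quadratic.
   Assumptions: uniform radial grid r_i = r0 + i*dr with NR surfaces; parameter sets constructed. */
#include <stdio.h>

#define PI 3.14159265358979323846
#define NR 32   /* number of radial surfaces in the constructed grid */

/* floor/round for non-negative arguments, so the example needs no libm */
static long floor_pos(double x) { return (long)x; }
static long round_pos(double x) { return (long)(x + 0.5); }

/* Eq. (1): number of poloidal grid points on radial surface i (always even). */
long mtheta_of(double r_i, double dl) { return 2 * floor_pos(PI * r_i / dl + 0.5); }

/* Eq. (2): exact igrid_i = 1 + sum_{j<i} mtheta_j, the table a CPU build precomputes and indexes. */
void igrid_exact(double r0, double dr, double dl, long igrid[NR]) {
    long acc = 1;
    for (int i = 0; i < NR; i++) {
        igrid[i] = acc;
        acc += mtheta_of(r0 + i * dr, dl);
    }
}

/* Eq. (4) coefficients, here derived by summing the continuous part 2*pi*r_j/dl of Eq. (3):
   sum_{j<i} 2*pi*(r0 + j*dr)/dl = (pi*dr/dl) i^2 + ((2*pi*r0 - pi*dr)/dl) i, plus the offset 1.
   (The paper fits these numerically; the closed form is this example's assumption.) */
void igrid_quadratic(double r0, double dr, double dl, double *a, double *b, double *c) {
    *a = PI * dr / dl;
    *b = (2.0 * PI * r0 - PI * dr) / dl;
    *c = 1.0;
}

/* Eq. (5) without the periodic correction f(i): igrid_i evaluated on the fly for one particle. */
long igrid_fast(double r0, double dr, double dl, int i) {
    double a, b, c;
    igrid_quadratic(r0, dr, dl, &a, &b, &c);
    return round_pos(a * (double)i * i + b * i + c);
}

/* Compare both routes over all surfaces: returns how many surfaces Round[...] gets wrong and
   reports the largest residual |quadratic - exact| before rounding (the r_i of Eq. (4)). */
int count_mismatches(double r0, double dr, double dl, double *max_resid) {
    long exact[NR];
    double a, b, c;
    int bad = 0;
    igrid_exact(r0, dr, dl, exact);
    igrid_quadratic(r0, dr, dl, &a, &b, &c);
    *max_resid = 0.0;
    for (int i = 0; i < NR; i++) {
        double q = a * (double)i * i + b * i + c;
        double res = q - (double)exact[i];
        if (res < 0) res = -res;
        if (res > *max_resid) *max_resid = res;
        if (round_pos(q) != exact[i]) bad++;
    }
    return bad;
}

int main(void) {
    double m;
    /* Constructed case A: dl = pi/10 makes pi*r_i/dl an integer, so delta_i = 0 in Eq. (3)
       and the quadratic alone reproduces igrid exactly. */
    int bad_a = count_mismatches(1.0, 1.0, PI / 10.0, &m);
    printf("case A: %d mismatches, max residual %.3g\n", bad_a, m);
    /* Constructed case B: generic spacing; the Floor in Eq. (1) leaves delta_i != 0, and the
       residual accumulates across surfaces. This is the part the paper's f(i) pushes below 0.5. */
    int bad_b = count_mismatches(1.0, 0.1, 0.05, &m);
    printf("case B: %d mismatches, max residual %.3g\n", bad_b, m);
    return 0;
}
```

    In case A the per-particle evaluation in igrid_fast replaces an indexed table lookup with a few multiply-adds, which is exactly the trade the text argues for on the MT-3000; case B shows why the plain quadratic is not enough once the Floor residuals accumulate.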

    In CPU-based general-purpose architectures, the built-in cache mechanism lets developers program without attending to the cache, treating it as an automatic memory-access system. On the MT-3000, for performance reasons, data exchange between memory and SM/AM, and between SM/AM and the vector registers, must be controlled manually by the programmer. For random memory accesses, relying on the DMA interface requires both the index and the data to be transferred, which wastes memory bandwidth. To address this, this paper designs a software cache mechanism for the on-chip SM memory inside the acceleration array, to make full use of the memory hierarchy and memory locality.

    There are two irregular accesses in the VirtEx hotspot functions: one in function Push, an irregular read of the perturbed-field grid data, and the other in function Charge, an atomic write that updates the perturbed-field grid data.

    Function Charge deposits particle information onto the grid by accumulation (+=). Because the particles are spread over several processes within a subdomain and the number of grid points is far smaller than the number of particles, this involves atomic operations. Read/write locks are the main means of resolving data races on the MT-3000, so a multi-level synchronized software cache mechanism was designed on top of read/write locks: first, fine-grained (e.g. single-word) updates are performed in SM without any synchronization; second, a read/write lock guarantees that a cache block is free of data races while it is being evicted, at which point its contents are accumulated from SM into main memory.

    Function PushGather obtains the perturbed-field information along a particle's gyro-orbit mainly through a 4-point gyro-average algorithm. Since on-chip cache space is limited, the random-access nature of the gyro-average imposes a huge memory-access cost on main memory. A software cache mechanism was therefore designed on the on-chip SM memory: grid data are read into cache blocks according to the particle indices; if the indices of all particles within a vector width hit in the cache blocks, the grid-data vector is assembled and sent to the vector registers for vector computation; if an index misses, the cache block is refilled according to the required index. Balancing performance against locality, 64 cache blocks are used, identified by a hash.

    With the software cache in place, irregular accesses are effectively transformed and the pressure on memory bandwidth is relieved; what remains is the cache hit rate. The gyro-average needs the perturbed-field information at every point of the orbit, and because the particle velocity distribution is random, the particles become scattered in the poloidal direction after each position update, disrupting their distribution over the unstructured perturbed-field grid. The program's existing sort, which orders particles by their radial grid point, is insufficient for a high-intensity heterogeneous device whose acceleration arrays have limited on-chip storage, and leads to a lower cache hit rate.

    Fig. 4 shows the relationship between particle number and the corresponding unstructured grid index before and after the sorting optimization, where psi sorting is the original radial sort and igrid sorting is the improved algorithm, which sorts by the grid point containing each particle and so enhances spatial locality. The improved sort uses a bucket sort in which each bucket corresponds to a grid point; owing to the symmetry of particle motion, the capacity of each bucket always scales with the number of particles per grid point, so the complexity of this algorithm, like that of the original psi sort, is O(N).

    Figure 4. Comparison of particle grid-point numbers under different sorting algorithms

    Table 2 gives the cache hit rate for the perturbed-field variable gradphi under different sorting algorithms. With 64 cache blocks of 1 024 B each, the hit rate for gradphi without particle sorting is 77.99%, close to the 84.47% under psi sorting, whereas igrid sorting achieves a 99.15% hit rate. Thanks to this very high hit rate, the irregular access to gradphi can be treated approximately as regular access.

    Table 2. Cache hit rate for the perturbed-field variable gradphi under different sorting algorithms

    Sorting algorithm | Cache hit rate / %
    No sorting | 77.99
    psi sorting | 84.47
    igrid sorting | 99.15
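    The software cache and the particle sorting of the preceding paragraphs, as an added example in C (not the paper's or VirtEx's code): a direct-mapped software cache of 64 blocks of 1 024 B, tagged by block number, is driven by the PushGather index stream of one constructed particle population under three orderings: no sorting, the original psi (radial) sort, and the igrid bucket sort. The O(N) bucket sort is the counting sort the text describes. The 4-point stencil standing in for the gyro-average, the grid dimensions, the particle count, the use of block-number-modulo-slot-count as the hash and the LCG-generated particle cells are all assumptions of this example, so the hit rates it prints are illustrative, not the paper's figures.

```c
/* Added example, not code from the paper: software-cache hit rate under three particle orderings.
   All sizes and the particle population below are constructed. */
#include <stdio.h>
#include <stdlib.h>

#define NSURF 64                     /* radial surfaces (psi index)              */
#define MTH   3072                   /* poloidal points per surface (constant)   */
#define NCELL (NSURF * MTH)          /* cells of the unstructured grid           */
#define NPART 200000                 /* particles                                */
#define NGYRO 4                      /* points of the 4-point gyro average       */

/* Software cache geometry from the text: 64 blocks of 1 024 B, i.e. 128 doubles per block. */
#define BLOCK_BYTES 1024
#define CELLS_PER_BLOCK (BLOCK_BYTES / (int)sizeof(double))
#define NBLOCKS 64

typedef struct {
    int  tag[NBLOCKS];   /* block number resident in each slot, -1 if empty */
    long hits, misses;
} SoftCache;

static void cache_reset(SoftCache *c) {
    for (int s = 0; s < NBLOCKS; s++) c->tag[s] = -1;
    c->hits = c->misses = 0;
}

/* One gather of grid cell `cell`: a hit if the block holding it is resident in its slot,
   otherwise the slot is refilled from main memory (a miss). Slot hash: block mod NBLOCKS. */
static void cache_access(SoftCache *c, int cell) {
    int block = cell / CELLS_PER_BLOCK;
    int slot  = block % NBLOCKS;
    if (c->tag[slot] == block) c->hits++;
    else { c->tag[slot] = block; c->misses++; }
}

/* Constructed stand-in for the 4 gyro-orbit points: the particle's own cell, its poloidal
   neighbour, and the same angle on the adjacent inner and outer surfaces (clamped at the edges). */
static void gyro_points(int cell, int out[NGYRO]) {
    int s = cell / MTH, t = cell % MTH;
    int inner = s > 0 ? s - 1 : s, outer = s < NSURF - 1 ? s + 1 : s;
    out[0] = cell;
    out[1] = s * MTH + (t + 1) % MTH;
    out[2] = inner * MTH + t;
    out[3] = outer * MTH + t;
}

/* Cache hit rate of the PushGather index stream when particles are visited in the given order. */
double hit_rate(const int *cells, int n) {
    SoftCache c; int pts[NGYRO];
    cache_reset(&c);
    for (int p = 0; p < n; p++) {
        gyro_points(cells[p], pts);
        for (int g = 0; g < NGYRO; g++) cache_access(&c, pts[g]);
    }
    return (double)c.hits / (double)(c.hits + c.misses);
}

/* O(N) bucket (counting) sort by key: count per bucket, prefix-sum to bucket offsets, scatter.
   Each bucket is sized by its own particle count, as the text describes. */
void bucket_sort(const int *cells, int n, int (*key)(int), int nkeys, int *sorted) {
    int *offset = calloc((size_t)nkeys + 1, sizeof *offset);
    for (int p = 0; p < n; p++) offset[key(cells[p]) + 1]++;
    for (int k = 0; k < nkeys; k++) offset[k + 1] += offset[k];
    for (int p = 0; p < n; p++) sorted[offset[key(cells[p])]++] = cells[p];
    free(offset);
}

int key_psi(int cell)   { return cell / MTH; }   /* original sort: radial surface only     */
int key_igrid(int cell) { return cell; }         /* improved sort: the particle's grid cell */

/* Constructed particle population: cell ids from a fixed-seed LCG (no real dynamics). */
void make_particles(int *cells, int n) {
    unsigned x = 12345u;
    for (int p = 0; p < n; p++) { x = x * 1664525u + 1013904223u; cells[p] = (int)(x % NCELL); }
}

int main(void) {
    int *cells = malloc(NPART * sizeof *cells), *sorted = malloc(NPART * sizeof *sorted);
    make_particles(cells, NPART);
    printf("no sorting   : hit rate %.2f%%\n", 100.0 * hit_rate(cells, NPART));
    bucket_sort(cells, NPART, key_psi, NSURF, sorted);
    printf("psi sorting  : hit rate %.2f%%\n", 100.0 * hit_rate(sorted, NPART));
    bucket_sort(cells, NPART, key_igrid, NCELL, sorted);
    printf("igrid sorting: hit rate %.2f%%\n", 100.0 * hit_rate(sorted, NPART));
    free(cells); free(sorted);
    return 0;
}
```

    The three printed rates rise in the same order as Table 2: with psi sorting the own-cell and poloidal-neighbour gathers stay resident but the adjacent-surface gathers still contend for slots, while igrid sorting makes consecutive particles touch the same few blocks, so only block transitions miss. The direct-mapped slot choice is why the block count per surface matters: if the inner and outer neighbour blocks of one cell map to the same slot they evict each other on every particle, which is the kind of conflict a hashed tag is chosen to avoid.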

    Through porting the hotspot functions to the heterogeneous accelerator MT-3000 and applying the optimizations above, irregular memory accesses have been almost eliminated, relieving the pressure on memory bandwidth. After optimization, the floating-point operation counts, memory traffic and computational intensity of the hotspot functions PG, PI and Locate are listed in Table 3, where mp denotes the number of particles and, since every particle performs the same operations, appears as a coefficient in the statistics. The data show that the computational intensity of PG is only 1.39, because its gyro-average is dominated by memory access; PI, which takes the largest share of time, reaches only 12.4 given its particle-based computation; while Locate reaches 56.3 after the on-the-fly variable optimization. In summary, the function Push, which accounts for up to 40% of the time, still needs a higher compute-to-memory ratio.

    Table 3. Computational intensity statistics after hotspot-function merging and optimization

    Function | Floating-point operations / FLO | Memory traffic / B | Computational intensity / FLOPB
    PG | 277mp | 198.64mp | 1.39
    PI | 1 888mp | 152mp | 12.4
    Locate | 12 161mp | 216mp | 56.3
    PushOpt | 14 326mp | 134.64mp | 106.4
    Note: mp denotes the number of particles; the coefficient before it is the per-particle count of floating-point operations or bytes accessed in the hotspot function.

    PG, PI and Locate are the three related functions that compute particle motion in the PIC algorithm: Locate computes the interpolation coefficients, PG gathers the grid data, and PI pushes the particles, so algorithmically the three can be merged. Locate was moved into Push, and PG and PI were merged; the merged function takes only particle and grid information as input and produces particle information as output, eliminating the reads and writes of a large number of intermediate variables. The optimized function PushOpt reaches a computational intensity of 106.4 FLOPB, further narrowing the gap to the theoretical value.

    In this benchmark test, one MPI process controls one MT-3000 acceleration cluster; 480 MPI processes and 480 clusters on 120 nodes of the new-generation Tianhe system were used. The benchmark uses 1.23 × 10^6 grid points and simulates 2.5 × 10^9 particles.

    Table 4 compares the performance of the CPU version and the optimized version on the main loop and the hotspot functions; the three main hotspot functions account for 86.06% of the CPU version's time. The results show good acceleration on the MT-3000 processor: overall speed improved by 4.2x, with Push and Locate achieving 10.9x and 13.3x speedups respectively, and Charge, which contains atomic operations, a 16.2x improvement.

    Table 4. Performance of the benchmark case

    Hotspot function | CPU version: compute time / s | CPU version: share / % | Optimized version: compute time / s | Optimized version: share / % | Speedup
    Main loop | 845.63 | 100 | 201.46 | 100 | 4.2
    Push | 323.86 | 38.30 | 29.64 | 14.71 | 10.9
    Locate | 128.69 | 15.22 | 9.67 | 4.80 | 13.3
    Charge | 275.19 | 32.54 | 16.98 | 8.43 | 16.2

    This section presents the weak-scaling results of the optimized VirtEx program. The weak-scaling baseline is 120 nodes with 3.86 × 10^5 grid points and 3.7 × 10^9 particles; as the node count grows to 3 840, the number of simulated particles grows correspondingly to 1.18 × 10^11. The parallel efficiency, averaged over several runs, is shown in Fig. 5: on 3 840 nodes of the new-generation Tianhe system, with 5 898 240 accelerator cores, the parallel efficiency is 88.4%, demonstrating good weak scalability.

    Figure 5. Weak scalability test results from 120 to 3 840 nodes

    This paper ported and optimized the large-scale parallel magnetic-confinement-fusion gyrokinetic simulation code VirtEx for the heterogeneous accelerator MT-3000 of the new-generation Tianhe supercomputer, addressing the tension between a system built for high computational intensity and a memory-bound application. The optimization strategies were on-the-fly computation of intermediate variables, a customized software cache design, spatial-locality optimization and hotspot-function merging, and their soundness was verified by data analysis. In the benchmark test the optimized VirtEx showed good acceleration: Push was sped up 10.9x, Locate 13.3x and Charge 16.2x, for an overall program speedup of 4.2x. It also showed good scalability on 5 898 240 accelerator cores across 3 840 nodes, with a parallel efficiency of 88.4%.

    Author contributions: Li Qingfeng was responsible for program design, porting and testing, and wrote the paper; Li Yueyan designed and implemented the optimization algorithms; Luan Zhongzhi analyzed program bottlenecks and provided solutions; Zhang Wenlu provided guidance on program principles and algorithms; Gong Chunye provided optimization guidance for heterogeneous accelerator devices; Zheng Gang provided the system test environment and support; Kang Bo provided guidance on common technologies; Meng Xiangfei designed the research plan and oversaw its progress.

  • Figure 1. Logical framework diagram of industrial zero trust

    Figure 2. Industrial zero trust architecture diagram

    Figure 3. Four SDP framework models

    Table 1. Advantages and Disadvantages of Related Zero Trust Reviews

    Related review | Main contribution | Limitation
    Refs. [7,16] | Describe and summarize the basic architecture and technical components of zero trust | Do not cover the emerging technologies of recent years
    Refs. [17-18] | Summarize the development and application of zero trust in network environments | Do not explore zero trust research in the IoT field in depth
    Refs. [19-21] | Discuss the development roadmap and future directions of zero trust technology | Lack analysis of specific technical applications and real cases
    Ref. [22] | Outline ZTA around the concept of trust in information security | Lack research on specific zero trust scenarios and technical implementations
    Ref. [5] | Briefly outline the current development trends of zero trust in the industrial field | Do not study zero trust technologies and applications in depth
    Ref. [23] | Outline the challenges and application characteristics of zero trust in IIoT | Lack discussion of the details of zero trust technologies and their practical application

    Table 2. Comparison of Continuous Authentication Solutions

    Feature | Initial stage | Continuous authentication stage | Advantages | Disadvantages
    Fixed-interval authentication [49-50] | Static cryptographic authentication | Authenticate at fixed time intervals using lightweight operations such as XOR and hash | Simple management, high availability | Low security, high false-negative rate
    Anomalous-behaviour authentication [51-52] | Authentication protocols such as OAuth 2.0 | Continuous monitoring; protocol authentication is triggered when anomalous behaviour is detected | Timely, high accuracy | Poor traceability
    Dynamic real-time authentication [53-54] | Mutual authentication with device fingerprints | Real-time authentication using dynamic schemes such as key refresh or evaluation scores | Timely, strong traceability, high accuracy | High cost, poor compatibility

    Table 3. Application of AI Technologies in TE

    AI technique for trust evaluation | Mode of application
    Federated learning [77,81] | A zero trust central coordinator collects trust attributes from each organization's independent federated learning model and performs a unified trust evaluation
    Reinforcement learning [48,82] | Historical decision outcomes and subject behaviour serve as key inputs to the computation of trust parameters and the updating of the evaluation method
    Deep learning [64,83] | Combined with neural networks and similar techniques, trust parameters are adaptively updated on the basis of behaviour analysis and pattern recognition
    Supervised learning [78,84] | Models trained on labelled data learn the input-output relation, progressively improving the prediction accuracy of trust parameters and optimizing the trust evaluation mechanism
    Unsupervised learning [85-86] | Relies entirely on unlabelled data, updating trust parameters by analyzing the intrinsic structure and patterns in the data

    Table 4. Challenges and Issues of ZTA in Organizational Deployment Stage

    Issue / challenge | Description
    Application development [66,132] | The differences between zero trust and other security models require enterprises to develop new internal zero trust applications
    Obstacles from network technologies [8,69] | Some peer-to-peer communication technologies almost assume privileged lateral movement by default (e.g. Windows P2P technologies), which greatly hinders zero trust implementation in the network environment
    Transition cost [21,133] | Zero trust places high demands on data processing and storage, and some enterprises may be unable to afford the high cost of technology upgrades
    Team coordination [127,134] | Management issues within the organization matter a great deal; the broad coverage of zero trust requires good coordination across organizational units
    Conflicts with legacy facilities [8,127] | While building a ZTA there may be technical conflicts with legacy facilities of different protocols, models and levels of digitalization, and balancing old and new is very difficult
    Island problem [128] | Incremental ZTA deployment may give rise to "ZTA islands"
    Time overhead [28,75,118,125] | ZTA incurs substantial time overhead while protecting a system
  • [1]

    Cui Jie, Zhu Yihu, Hong Zhong, et al. Efficient blockchain-based mutual authentication and session key agreement for cross-domain IIoT[J]. IEEE Internet of Things Journal, 2024, 11(9): 16325−16338

    [2]

    May M C, Glatter D, Arnold D, et al. IIoT system canvas - from architecture patterns towards an IIoT development framework[J]. Journal of Manufacturing Systems, 2024, 72: 437−459

    [3]

    Hu Yujiao, Jia Qingmin, Yao Yuan, et al. Industrial internet of things intelligence empowering smart manufacturing: A literature review[J]. IEEE Internet of Things Journal, 2024, 11(11): 19143−19167

    [4]

    Hai Tao, Sarkar A, Aksoy M, et al. Complex-valued hyperchaos-assisted vector-valued artificial neural key coordination for improving security in the industrial internet of things[J/OL]. Engineering Applications of Artificial Intelligence, 2024[2024-09-30]. https://doi.org/10.1016/j.engappai.2023.107561

    [5]

    Li Shan, Iqbal M, Saxena N. Future industry internet of things with zero-trust security[J]. Information Systems Frontiers, 2024, 26: 1653−1666 doi: 10.1007/s10796-021-10199-5

    [6]

    Stafford V A. Zero trust architecture[EB/OL]. NIST Special Publication, 2020[2024-09-30]. https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.800-207.pdf

    [7]

    Buck C, Olenberger C, Schweizer A, et al. Never trust, always verify: A multivocal literature review on current knowledge and research gaps of zero-trust[J/OL]. Computers & Security, 2021[2024-09-30]. https://doi.org/10.1016/j.cose.2021.102436

    [8]

    Haber M J, Haber M J. Privileged Attack Vectors[M]. Berkeley, CA: Apress, 2020: 295−304

    [9]

    Enterprise D D. Department of defense global information grid architectural vision[EB/OL]. 2007[2024-09-30]. https://acqnotes.com/Attachments/DoD%20GIG%20Architectural%20Vision,%20June%2007.pdf

    [10]

    Kindervag J, Balaouras S. No more chewy centers: Introducing the zero trust model of information security[EB/OL]. 2010[2024-09-30]. https://media.paloaltonetworks.com/documents/Forrester-No-More-Chewy-Centers.pdf

    [11]

    Bilger B, Boehme A, Flores B, et al. Software defined perimeter working group SDP specification 1.0[EB/OL]. Cloud security alliance, (2014-04-30)[2024-09-30]. https://cloudsecurityalliance.org/download/artifacts/sdp-specification-v1-0

    [12]

    Ward R, Beyer B. Beyondcorp: A new approach to enterprise security[J]. The Magazine of USENIX & SAGE, 2014, 39(6): 6−11

    [13]

    Weinberg A I, Cohen K. Zero trust implementation in the emerging technologies era: Survey[J]. arXiv preprint, arXiv: 2401.09575, 2024

    [14]

    Cunningham C, Blankenship J, Balaouras S, et al. The zero trust eXtended (ZTX) ecosystem[EB/OL]. 2018[2024-09-30]. https://www.cisco.com/c/dam/m/en_sg/solutions/security/pdfs/forrester-ztx.pdf

    [15]

    MacDonald N, Orans L, Skorupa J. The future of network security is in the cloud[EB/OL]. (2019-8-30)[2024-09-30]. https://vertassets.blob.core.windows.net/download/4b40e73f/4b40e73f-a2f0-4e01-93ce-351e5512590a/gartner_wp___sase___the_future_of_network_security_is_in_the_cloud_08_30_19.pdf

    [16]

    Syed N F, Shah S W, Shaghaghi A, et al. Zero trust architecture (ZTA): A comprehensive survey[J]. IEEE Access, 2022, 10: 57143−57179

    [17]

    Dhiman P, Saini N, Gulzar Y, et al. A review and comparative analysis of relevant approaches of zero trust network model[J/OL]. Sensors, 2024[2024-09-30]. https://doi.org/10.3390/s24041328

    [18]

    Sarkar S, Choudhary G, Shandilya S K, et al. Security of zero trust networks in cloud computing: A comparative review[J/OL]. Sustainability, 2022[2024-09-30]. https://doi.org/10.3390/su141811213

    [19]

    Tsai M, Lee S, Shieh S W. Strategy for implementing of zero trust architecture[J]. IEEE Transactions on Reliability, 2024, 73(1): 93−100 doi: 10.1109/TR.2023.3345665

    [20]

    Bertino E, Brancik K. Services for zero trust architectures: A research roadmap[C]//Proc of the IEEE Int Conf on Web Services (ICWS). Piscataway, NJ: IEEE, 2021: 14−20

    [21]

    Fernandez E B, Brazhuk A. A critical analysis of zero trust architecture (ZTA)[J/OL]. Computer Standards & Interfaces, 2024[2024-09-30]. https://papers.ssrn.com/sol3/Delivery.cfm?abstractid=4210104

    [22]

    Kang Hongzhaoning, Liu Gang, Wang Quan, et al. Theory and application of zero trust security: A brief survey[J/OL]. Entropy, 2023[2024-09-30]. https://www.mdpi.com/1099-4300/25/12/1595/pdf

    [23]

    Federici F, Martintoni D, Senni V. A zero-trust architecture for remote access in industrial IoT infrastructures[J/OL]. Electronics, 2023[2024-09-30]. https://www.mdpi.com/2079-9292/12/3/566/pdf

    [24]

    Phiayura P, Teerakanok S. A comprehensive framework for migrating to zero trust architecture[J]. IEEE Access, 2023, 11: 19487−19511 doi: 10.1109/ACCESS.2023.3248622

    [25]

    Collier Z A, Sarkis J. The zero trust supply chain: Managing supply chain risk in the absence of trust[J]. International Journal of Production Research, 2021, 59(11): 3430−3445

    [26]

    Loftus M, Vezina A, Doten R, et al. The arrival of zero trust: What does it mean?[J]. Communications of the ACM, 2023, 66(2): 56−62

    [27]

    National Security Agency. Embracing a zero trust security model[EB/OL]. (2021-02-25)[2024-09-30]. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF

    [28]

    Wang Tao, Kang Li, Duan Jiang. Dynamic fine-grained access control scheme for vehicular ad hoc networks[J/OL]. Computer Networks, 2021[2024-09-30]. https://doi.org/10.1016/j.comnet.2021.107872

    [29]

    Yeoh W, Liu M, Shore M, et al. Zero trust cybersecurity: Critical success factors and A maturity assessment framework[J/OL]. Computers & Security, 2023[2024-09-30]. https://www.sciencedirect.com/science/article/pii/S016740482300322Xs

    [30]

    Xu Mingyang, Guo Junli, Yuan Haoyu, et al. Zero-trust security authentication based on SPA and endogenous security architecture[J/OL]. Electronics, 2023[2024-09-30]. https://www.mdpi.com/2079-9292/12/4/782/pdf

    [31]

    Bello Y, Hussein A R, Ulema M, et al. On sustained zero trust conceptualization security for mobile core networks in 5G and beyond[J]. IEEE Transactions on Network and Service Management, 2022, 19(2): 1876−1889 doi: 10.1109/TNSM.2022.3157248

    [32]

    Alagappan A, Venkatachary S K, Andrews L J B. Augmenting zero trust network architecture to enhance security in virtual power plants[J]. Energy Reports, 2022, 8(1): 1309−1320

    [33]

    Sultana M, Hossain A, Laila F, et al. Towards developing a secure medical image sharing system based on zero trust principles and blockchain technology[J]. BMC Medical Informatics and Decision Making, 2020, 20: 1−10 doi: 10.1186/s12911-019-1002-x

    [34]

    Zanasi C, Russo S. Flexible zero trust architecture for the cybersecurity of industrial IoT infrastructures[J/OL]. Ad Hoc Networks, 2024[2024-09-30]. https://doi.org/10.1016/j.adhoc.2024.103414

    [35]

    Chen Xu, Feng Wei, Ge Ning, et al. Zero trust architecture for 6G security[J]. IEEE Network, 2023, 38(4): 224−232

    [36]

    Zaid B, Sayeed A, Bala P, et al. Toward secure and resilient networks: A zero-trust security framework with quantum fingerprinting for devices accessing network[J/OL]. Mathematics, 2023[2024-09-30]. https://doi.org/10.3390/math11122653

    [37]

    Szymanski T H. The “cyber security via determinism” paradigm for a quantum safe zero trust deterministic internet of things (IoT)[J]. IEEE Access, 2022, 10: 45893−45930 doi: 10.1109/ACCESS.2022.3169137

    [38]

    Li Peirong, Ou Wei, Liang Haozhe, et al. A zero trust and blockchain-based defense model for smart electric vehicle chargers[J/OL]. Journal of Network and Computer Applications, 2023[2024-09-30]. https://doi.org/10.1016/j.jnca.2023.103599

    [39]

    Gai Keke, She Yufeng, Zhu Liehuang, et al. A blockchain-based access control scheme for zero trust cross-organizational data sharing[J]. ACM Transactions on Internet Technology, 2023, 23(3): 1−25

    [40]

    Daah C, Qureshi A, Awan I, et al. Enhancing zero trust models in the financial industry through blockchain integration: A proposed framework[J/OL]. Electronics, 2024[2024-09-30]. https://doi.org/10.3390/electronics13050865

    [41]

    Ali B, Gregory M A, Li Shuo, et al. Implementing zero trust security with dual fuzzy methodology for trust-aware authentication and task offloading in multi-access edge computing[J/OL]. Computer Networks, 2024[2024-09-30]. https://doi.org/10.1016/j.comnet.2024.110197

    [42]

    McIntosh T, Kayes A S M, Chen Y P P, et al. Dynamic user-centric access control for detection of ransomware attacks[J/OL]. Computers & Security, 2021[2024-09-30]. https://doi.org/10.1016/j.cose.2021.102461

    [43]

    Filip I D, Ionite C, González-Cebrián A, et al. SMARDY: Zero-trust FAIR marketplace for research data[C]//Proc of IEEE Int Conf on Big Data. Piscataway, NJ: IEEE, 2022: 1535−1541

    [44]

    Liu Haiqing, Ai Ming, Huang Rong, et al. Identity authentication for edge devices based on zero-trust architecture[J/OL]. Concurrency and Computation: Practice and Experience, 2022[2024-09-30]. https://doi.org/10.1002/cpe.7198

    [45]

    Rivera J J D, Khan T A, Akbar W, et al. Secure enrollment token delivery for zero trust networks using blockchain[C/OL]//Proc of the 23rd Asia-Pacific Network Operations and Management Symp (APNOMS). Piscataway, NJ: IEEE, 2022[2024-09-30]. https://doi.org/10.23919/APNOMS56106.2022.9919940

    [46]

    Fang He, Zhu Yongxu, Zhang Yan, et al. Decentralized edge collaboration for seamless handover authentication in zero-trust IoV[J]. IEEE Transactions on Wireless Communications, 2024, 23(8): 8760−8772 doi: 10.1109/TWC.2024.3354064

    [47]

    Ge Yunfei, Zhu Quanyuan. GAZETA: GAme-theoretic zEro-trust authentication for defense against lateral movement in 5G IoT networks[J]. IEEE Transactions on Information Forensics and Security, 2023, 19: 540−554

    [48]

    Cheng Ruizhi, Chen Songqing, Han Bo. Towards zero-trust security for the metaverse[J]. IEEE Communications Magazine, 2023, 62(2): 156−162

    [49]

    Anderson J, Huang Qiqing, Cheng Long, et al. A zero trust architecture for connected and autonomous vehicles[J]. IEEE Internet Computing, 2023, 27(5): 7−14 doi: 10.1109/MIC.2023.3304893

    [50]

    Meng Lei, Huang Daochao, An Jiahang, et al. A continuous authentication protocol without trust authority for zero trust architecture[J]. China Communications, 2022, 19(8): 198−213 doi: 10.23919/JCC.2022.08.015

    [51]

    Shen Quan. Endpoint security reinforcement via integrated zero-trust systems: A collaborative approach[J/OL]. Computers & Security, 2024[2024-09-30]. https://doi.org/10.1016/j.cose.2023.103537

    [52]

    Liu Yizhong, Xing Xinxin, Tong Ziheng, et al. Secure and scalable cross-domain data sharing in zero-trust cloud-edge-end environment based on sharding blockchain[J]. IEEE Transactions on Dependable and Secure Computing, 2023, 21(4): 2603−2618

    [53]

    Shah S W, Syed N F, Shaghaghi A, et al. LCDA: Lightweight continuous device-to-device authentication for a zero trust architecture (ZTA)[J/OL]. Computers & Security, 2021[2024-09-30]. https://doi.org/10.1016/j.cose.2021.102351

    [54]

    Chen Lu, Sun Yuwei, Sun Zhixin. A mobile internet multi-level two-way identity authentication scheme based on zero trust[C]//Proc of IEEE 23rd Int Conf on High Performance Computing & Communications; 7th Int Conf on Data Science & Systems; 19th Int Conf on Smart City; 7th Int Conf on Dependability in Sensor, Cloud & Big Data Systems & Application (HPCC/DSS/SmartCity/DependSys). Piscataway, NJ: IEEE, 2021: 1650−1656

    [55]

    Singh J, Refaey A, Shami A. Multilevel security framework for NFV based on software defined perimeter[J]. IEEE Network, 2020, 34(5): 114−119 doi: 10.1109/MNET.011.1900563

    [56]

    Chen Baozhan, Qiao Siyuan, Zhao Jie, et al. A security awareness and protection system for 5G smart healthcare based on zero-trust architecture[J]. IEEE Internet of Things Journal, 2020, 8(13): 10248−10263

    [57]

    Moubayed A, Refaey A, Shami A. Software-defined perimeter (sdp): State of the art secure solution for modern networks[J]. IEEE Network, 2019, 33(5): 226−233 doi: 10.1109/MNET.2019.1800324

    [58]

    Sedjelmaci H, Tourki K, Ansari N. Enabling 6G security: The synergy of zero trust architecture and artificial intelligence[J]. IEEE Network, 2023, 38(3): 171−177

    [59]

    Bradatsch L, Miroshkin O, Kargl F. ZTSFC: A service function chaining-enabled zero trust architecture[J]. IEEE Access, 2023, 11: 125307−125327 doi: 10.1109/ACCESS.2023.3330706

    [60]

    Huang Wenhua, Xie Xuemin, Wang Ziying, et al. ZT-Access: A combining zero trust access control with attribute-based encryption scheme against compromised devices in power IoT environments[J/OL]. Ad Hoc Networks, 2023[2024-09-30]. https://doi.org/10.1016/j.adhoc.2023.103161

    [61]

    Wang Liang, Ma Hailong, Li Ziyong, et al. A data plane security model of SR-BE/TE based on zero-trust architecture[J/OL]. Scientific Reports, 2022[2024-09-30]. https://www.nature.com/articles/s41598-022-24342-y

    [62]

    Zanasi C, Magnanini F, Russo S, et al. A zero trust approach for the cybersecurity of industrial control systems[C/OL]//Proc of the IEEE 21st Int Symp on Network Computing and Applications (NCA). Piscataway, NJ: IEEE, 2022[2024-09-30]. https://doi.org/10.1109/NCA57778.2022.10013559

    [63]

    Lei Wenxin, Pang Zhibo, Wen Hong, et al. Physical layer enhanced zero-trust security for wireless industrial internet of things[J]. IEEE Transactions on Industrial Informatics, 2023, 20(3): 4327−4336

    [64]

    Wu Anbin, Feng Zhiyong, Li Xiaohong, et al. ZTWeb: Cross site scripting detection based on zero trust[J/OL]. Computers & Security, 2023[2024-09-30]. https://doi.org/10.1016/j.cose.2023.103434

    [65]

    Konduru P, Nethravathi N P. Secure and energy-efficient routing protocol based on micro-segmentation and batch authentication[J/OL]. Computer Networks, 2024[2024-09-30]. https://doi.org/10.1016/j.comnet.2024.110293

    [66]

    Hong Sungmin, Xu Lei, Huang Jianwei, et al. SysFlow: Toward a programmable zero trust framework for system security[J]. IEEE Transactions on Information Forensics and Security, 2023, 18: 2794−2809 doi: 10.1109/TIFS.2023.3264152

    [67]

    Zhang Jingci, Zheng Jun, Zhang Zhang, et al. Hybrid isolation model for device application sandboxing deployment in zero trust architecture[J]. Int Journal of Intelligent Systems, 2022, 37(12): 11167−11187 doi: 10.1002/int.23037

    [68]

    Bradatsch L, Haeberle M, Steinert B, et al. Secure service function chaining in the context of zero trust security[C]//Proc of the IEEE 47th Conf on Local Computer Networks (LCN). Piscataway, NJ: IEEE, 2022: 123−131

    [69]

    Csikor L, Ramachandran S, Lakshminarayanan A. ZeroDNS: Towards better zero trust security using DNS[C]//Proc of the 38th Annual Computer Security Applications Conf. New York: ACM, 2022: 699−713

    [70]

    Ahmed A, Shoufan A. Formal verification of light-weight security protocol and data model for chip-to-chip zero trust[J]. IEEE Access, 2023, 11: 60335−60348 doi: 10.1109/ACCESS.2023.3285630

    [71]

    Tsai W C. Field-programmable gate array-based implementation of zero-trust stream data encryption for enabling 6G-narrowband internet of things massive device access[J/OL]. Sensors, 2024[2024-09-30]. https://doi.org/10.3390/s24030853

    [72]

    Wang Jin, Chen Jiahao, Xiong N, et al. S-BDS: An effective blockchain-based data storage scheme in zero-trust IoT[J]. ACM Transactions on Internet Technology, 2023, 23(3): 1−23

    [73]

    Ameer S, Gupta M, Bhatt S, et al. Bluesky: Towards convergence of zero trust principles and score-based authorization for IoT enabled smart systems[C]//Proc of the 27th ACM on Symp on Access Control Models and Technologies. New York: ACM, 2022: 235−244

    [74]

    Park U H, Hong J, Kim A, et al. Endpoint device risk-scoring algorithm proposal for zero trust[J/OL]. Electronics, 2023[2024-09-30]. https://doi.org/10.3390/electronics12081906

    [75]

    Wang Jiuru, Wang Zhiyuan, Song Jingcheng, et al. Attribute and user trust score-based zero trust access control model in IoV[J/OL]. Electronics, 2023[2024-09-30]. https://doi.org/10.3390/electronics12234825

    [76]

    Wang Zhiqiang, Yu Xinyue, Xue Peiyang, et al. Research on medical security system based on zero trust[J/OL]. Sensors, 2023[2024-09-30]. https://doi.org/10.3390/s23073774

    [77]

    Al S A M, Rizwan A, Sánchez-Chero M, et al. Blockchain-enabled federated learning for prevention of power terminals threats in IoT environment using edge zero-trust model[J]. The Journal of Supercomputing, 2024, 80(6): 7849−7875 doi: 10.1007/s11227-023-05763-6

    [78]

    Fu Peiyu, Wu Jun, Lin Xi, et al. ZTEI: Zero-trust and edge intelligence empowered continuous authentication for satellite networks[C]//Proc of IEEE Conf on Global Communications (GLOBECOM). Piscataway, NJ: IEEE, 2022: 2376−2381

    [79]

    Wang Peng, Xu Ning, Zhang Haibin, et al. Dynamic access control and trust management for blockchain-empowered IoT[J]. IEEE Internet of Things Journal, 2022, 9(15): 12997−13009

    [80]

    N’goran R, Tetchueng J L, Pandry G, et al. Trust assessment model based on a zero trust strategy in a community cloud environment[J]. Engineering, 2022, 14(11): 479−496 doi: 10.4236/eng.2022.1411036

    [81]

    Ramezanpour K, Jagannath J. Intelligent zero trust architecture for 5G/6G networks: Principles, challenges, and the role of machine learning in the context of O-RAN[J/OL]. Computer Networks, 2022[2024-09-30]. https://doi.org/10.1016/j.comnet.2022.109358

    [82]

    García-Teodoro P, Camacho J, Maciá-Fernández G, et al. A novel zero-trust network access control scheme based on the security profile of devices and users[J/OL]. Computer Networks, 2022[2024-09-30]. https://doi.org/10.1016/j.comnet.2022.109068

    [83]

    Nkoro E C, Njoku J N, Nwakanma C I, et al. Zero-trust marine cyberdefense for IoT-based communications: An explainable approach[J/OL]. Electronics, 2024[2024-09-30]. https://doi.org/10.3390/electronics13020276

    [84]

    Akbar W, Rivera J J D, Ahmed K T, et al. Software defined perimeter monitoring and blockchain-based verification of policy mapping[C/OL]//Proc of the 23rd Asia-Pacific Network Operations and Management Symp(APNOMS). Piscataway, NJ: IEEE, 2022[2024-09-30]. https://doi.org/10.23919/APNOMS56106.2022.9919959

    [85]

    Gudala L, Shaik M, Venkataramanan S. Leveraging machine learning for enhanced threat detection and response in zero trust security frameworks: An exploration of real-time anomaly identification and adaptive mitigation strategies[J]. Journal of Artificial Intelligence Research, 2021, 1(2): 19−45

    [86]

    He Yuanhang, Huang Daochao, Chen Lei, et al. A survey on zero trust architecture: Challenges and future trends[J/OL]. Wireless Communications and Mobile Computing, 2022[2024-09-30]. https://doi.org/10.1155/2022/6476274

    [87]

    Ouaddah A, Mousannif H, Abou Elkalam A, et al. Access control in the Internet of things: Big challenges and new opportunities[J/OL]. Computer Networks, 2017[2024-09-30]. https://doi.org/10.1016/j.comnet.2016.11.007

    [88]

    Sandhu R, Samarati P. Authentication, access control, and audit[J]. ACM Computing Surveys (CSUR), 1996, 28(1): 241−243

    [89]

    Lampson B W. Dynamic protection structures[C]//Proc of the Fall Joint Computer Conf. New York: ACM, 1969: 27−38

    [90]

    Hao Xiaohan, Ren Wei, Fei Yangyang, et al. A blockchain-based cross-domain and autonomous access control scheme for internet of things[J]. IEEE Transactions on Services Computing, 2023, 16(2): 773−786

    [91]

    Lindqvist H. Mandatory access control[D]. Umeå, Sweden: Department of Computing Science, Umeå University, 2006

    [92]

    Wang Baoyi, Zhang Shaomi. An organization and task based access control model for workflow system[C]//Proc of the Asia-Pacific Web Conf. Berlin: Springer, 2007: 485−490

    [93]

    Hu Donghui, Hu Chunya, Fan Yuqi, et al. oGBAC — A group based access control framework for information sharing in online social networks[J]. IEEE Transactions on Dependable and Secure Computing, 2021, 18(1): 100−116

    [94]

    Ray I, Kumar M. Towards a location-based mandatory access control model[J]. Computers & Security, 2006, 25(1): 36−44

    [95]

    Anutariya C, Chatvichienchai S, Iwaihara M, et al. A rule-based XML access control model[C]//Proc of the 2nd Int Workshop on Rules and Rule Markup Languages for the Semantic Web (RuleML). Berlin: Springer, 2003: 35−48

    [96]

    Andriotis P, Stringhini G, Sasse M A. Studying users’ adaptation to Android’s run-time fine-grained access control system[J]. Journal of Information Security and Applications, 2018, 40(1): 31−43

    [97]

    Bertino E. RBAC models — Concepts and trends[J]. Computers & Security, 2003, 22(6): 511−514

    [98]

    Bakar A A, Ismail R, Jais J. A review on extended role based access control (E-RBAC) model in pervasive computing environment[C]//Proc of the 1st Int Conf on Networked Digital Technologies. Piscataway, NJ: IEEE, 2009: 533−535

    [99]

    Pal S, Jadidi Z. Protocol-based and hybrid access control for the IoT: Approaches and research opportunities[J/OL]. Sensors, 2021[2024-09-30]. https://doi.org/10.3390/s21206832

    [100]

    Shin S H, Park M J, Kim IT W, et al. Architecture for enhancing communication security with RBAC IoT protocol-based microgrids[J/OL]. Sensors, 2024[2024-09-30]. https://doi.org/10.3390/s24186000

    [101]

    Zaidi T, Usman M, Aftab M U, et al. Fabrication of flexible role-based access control based on blockchain for Internet of things use cases[J]. IEEE Access, 2023, 11: 106315−106333

    [102]

    Xu Zhengnan, Dong Guofang, Yang Ruicheng. RBAC-based one-to-many authentication and key negotiation scheme in smart factory[J]. IEEE Access, 2024, 12: 189202−189218

    [103]

    Yuan E, Tong J. Attributed based access control (ABAC) for web services[C]// Proc of the IEEE Int Conf on Web Services (ICWS'05). Piscataway, NJ: IEEE, 2005: 569−578

    [104]

    Shang Siyuan, Wang Xiaohan, Liu Aodi. ABAC policy mining method based on hierarchical clustering and relationship extraction[J/OL]. Computers & Security, 2024[2024-09-30]. https://doi.org/10.1016/j.cose.2024.103717

    [105]

    Chen Zhonghua, Goyal S B, Rajawat A S. Smart contracts attribute-based access control model for security & privacy of IoT system using blockchain and edge computing[J]. The Journal of Supercomputing, 2024, 80(2): 1396−1425

    [106]

    Cremonezi B, Vieira A B, Nacif J, et al. Identity management for Internet of Things: Concepts, challenges and opportunities[J]. Computer Communications, 2024, 224: 72−94

    [107]

    Alshehri S, Bamasag O. Aac-IoT: Attribute access control scheme for IoT using lightweight cryptography and hyperledger fabric blockchain[J/OL]. Applied Sciences, 2022[2024-09-30]. https://doi.org/10.3390/app12168111

    [108]

    Pathak A, Al-Anbagi I, Hamilton H J. TABI: Trust-based ABAC mechanism for edge-IoT using blockchain technology[J]. IEEE Access, 2023, 11: 36379−36398

    [109]

    Ragothaman K, Wang Y, Rimal B, et al. Access control for IoT: A survey of existing research, dynamic policies and future directions[J/OL]. Sensors, 2023[2024-09-30]. https://doi.org/10.3390/s23041805

    [110]

    Patil P, Sangeetha M, Bhaskar V. Blockchain for IoT access control, security and privacy: A review[J]. Wireless Personal Communications, 2021, 117(3): 1815−1834

    [111]

    Salehi A, Han Runchao, Rudolph C, et al. DACP: Enforcing a dynamic access control policy in cross-domain environments[J/OL]. Computer Networks, 2023[2024-09-30]. https://doi.org/10.1016/j.comnet.2023.110049

    [112]

    Zhang Qingyang, Zhong Hong, Cui Jie, et al. AC4AV: A flexible and dynamic access control framework for connected and autonomous vehicles[J]. IEEE Internet of Things Journal, 2021, 8(3): 1946−1958

    [113]

    Singh A, Dhanaraj R K, Ali M A, et al. Transfer fuzzy learning enabled Streebog cryptographic substitution permutation based zero trust security in IIoT[J]. Alexandria Engineering Journal, 2023, 81: 449−459

    [114]

    Kobayashi N. Zero trust security framework for IoT actuators[C]//Proc of the 47th IEEE Annual Computers, Software, and Applications Conf (COMPSAC). Piscataway, NJ: IEEE, 2023: 1285−1292

    [115]

    Feng Jingyu, Yu Tingting, Wang Ziying, et al. An edge zero-trust model against compromised terminals threats in power IoT environments[J]. Journal of Computer Research and Development, 2022, 59(5): 1120−1132 (in Chinese) doi: 10.7544/issn1000-1239.20211129

    [116]

    Hao Min, Tan Beihai, Wang Siming, et al. Exploiting blockchain for dependable services in zero-trust vehicular networks[J/OL]. Frontiers of Computer Science, 2024[2024-09-30]. https://doi.org/10.1007/s11704-023-2495-0

    [117]

    Cui Qimei, Zhu Zengbao, Ni Wei, et al. Edge-intelligence-empowered, unified authentication and trust evaluation for heterogeneous beyond 5G systems[J]. IEEE Wireless Communications, 2021, 28(2): 78−85

    [118]

    Tian Minqiu, Li Zifu, Li Fenghua, et al. A terminal security authentication protocol for zero-trust satellite IoT[C]//Proc of the IEEE Int Conf on Trust, Security and Privacy in Computing and Communications (TrustCom). Piscataway, NJ: IEEE, 2022: 299−306

    [119]

    Pokhrel S R. Poster: Orbital ZTA! Secure satellite communication networks with zero trust architecture[C]//Proc of the ACM SIGCOMM Conf: Posters and Demos. New York: ACM, 2024: 33−35

    [120]

    Falco G, Gordon N G. A zero-trust satellite services marketplace enabling space infrastructure as a service[J]. IEEE Access, 2024, 12: 71066−71075 doi: 10.1109/ACCESS.2024.3403483

    [121]

    Kulkarni A, Hazari N A, Niamat M. A zero trust-based framework employed by blockchain technology and ring oscillator physical unclonable functions for security of field programmable gate array supply chain[J]. IEEE Access, 2024, 12: 89322−89338 doi: 10.1109/ACCESS.2024.3418572

    [122]

    Stern A, Wang H, Rahman F, et al. ACED-IT: Assuring confidential electronic design against insider threats in a zero-trust environment[J]. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2022, 41(10): 3202−3215

    [123]

    Buras B, Xanthopoulos C, Butler K, et al. Zero trust approach to IC manufacturing and testing[C]//Proc of the IEEE Int Test Conf (ITC). Piscataway, NJ: IEEE, 2022: 583−586

    [124]

    Belwafi K, Alshamsi H, Ahmed A, et al. Enhancing circuit authentication through secure isolation[C/OL]//Proc of the IEEE Int Symp on Circuits and Systems (ISCAS). Piscataway, NJ: IEEE, 2024[2024-09-30]. https://doi.org/10.1109/ISCAS58744.2024.10558551

    [125]

    Deric A, Holcomb D. Know time to die–integrity checking for zero trust chiplet-based systems using between-die delay PUFs[J/OL]. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2022[2024-09-30]. https://doi.org/10.46586/tches.v2022.i3.391-412

    [126]

    Michael J B, Dinolt G C, Cohen F B, et al. Can you trust zero trust?[J]. Computer, 2022, 55(8): 103−105

    [127]

    Loftus M, Vezina A, Doten R, et al. The arrival of zero trust: What does it mean?[J]. Communications of the ACM, 2023, 66(2): 56−62 doi: 10.1145/3573129

    [128]

    Bertino E. Zero trust architecture: Does it help?[J]. IEEE Security & Privacy, 2021, 19(5): 95−96

    [129]

    Swearingen M T, Michael J B, Weiss J, et al. Resilient without zero trust[J]. Computer, 2024, 57(1): 120−122

    [130]

    Sengupta B, Lakshminarayanan A. Distritrust: Distributed and low-latency access validation in zero-trust architecture[J/OL]. Journal of Information Security and Applications, 2021[2024-09-30]. https://doi.org/10.1016/j.jisa.2021.103023

    [131]

    Ferretti L, Magnanini F, Andreolini M, et al. Survivable zero trust for cloud computing environments[J/OL]. Computers & Security, 2021[2024-09-30]. https://doi.org/10.1016/j.cose.2021.102419

    [132]

    Dubin R. Content disarm and reconstruction of RTF files: A zero file trust methodology[J]. IEEE Transactions on Information Forensics and Security, 2023, 18: 1461−1472 doi: 10.1109/TIFS.2023.3241480

    [133]

    Adahman Z, Malik A W, Anwar Z. An analysis of zero-trust architecture and its cost-effectiveness for organizational security[J/OL]. Computers & Security, 2022[2024-02-20]. https://doi.org/10.1016/j.cose.2022.102911

    [134]

    Spencer M, Pizio D. The de-perimeterisation of information security: The jericho forum, zero trust, and narrativity[J/OL]. Social Studies of Science, 2023[2024-09-30]. https://doi.org/10.1177/03063127231221107

Figures (3) / Tables (4)
Publication history
  • Received: 2024-10-30
  • Revised: 2025-03-26
  • Accepted: 2025-04-02
  • Published online: 2025-04-02