To address the blurred cybersecurity boundary of traditional naval vessels and the weak self-protection capability of their terminals, this paper studies a zero-trust security architecture and a vulnerability detection method for naval IoT terminals. A zero-trust security architecture for naval IoT terminals is constructed. At the terminal layer, a Zero Trust Client (ZTC) collects the behaviour data and vulnerability data of the IoT terminals and submits them to the edge layer, where a trust storage engine stores them on a blockchain. The zero-trust engine hosts the Policy Engine (PE), Policy Administrator (PA) and Policy Enforcement Point (PEP) zero-trust components on three virtual machines. The vulnerability detection module retrieves the terminal vulnerability data and detects terminal vulnerabilities through feature extraction and similarity comparison. The trust assessment module processes the terminal behaviour data with an LSTM network to generate rule-based trust factors, quantifies these factors with a Beta distribution to obtain a baseline trust value, and combines that value with the vulnerability detection result and a time decay factor to determine a dynamic trust value. This enables compromised terminals to be identified and isolated and trusted terminals to be authenticated; the authentication result is submitted to the cloud layer, which provides resources and services matching the terminal's permissions. Experimental results show that the method detects terminal vulnerabilities accurately, with an F1 score of 0.90 at a decision parameter of 0.5, and that it isolates compromised terminals and authenticates trusted terminals.
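The dynamic trust assessment described in the abstract, as an added example that is not the paper's own code: the Beta-distribution baseline, the exponential time-decay factor and the multiplicative combination with the vulnerability detection result are assumed forms (the paper's exact formulas are not on this page), and the observation counts stand in for the LSTM's rule-based trust factors.

```python
from dataclasses import dataclass

@dataclass
class TrustState:
    # alpha counts observed normal behaviours, beta anomalous ones; Beta(1, 1)
    # is the uninformative prior for a terminal with no history yet.
    alpha: float = 1.0
    beta: float = 1.0
    last_update: float = 0.0  # time of the last update, in seconds

def decay(state: TrustState, now: float, half_life: float = 3600.0) -> TrustState:
    """Assumed time-decay factor: evidence halves every half_life seconds, so trust
    must be re-earned; the prior mass of 1 in each parameter is never decayed."""
    factor = 0.5 ** (max(0.0, now - state.last_update) / half_life)
    state.alpha = 1.0 + (state.alpha - 1.0) * factor
    state.beta = 1.0 + (state.beta - 1.0) * factor
    state.last_update = now
    return state

def observe(state: TrustState, now: float, normal: int, anomalous: int) -> TrustState:
    """Fold rule-based trust factors (counts of normal and anomalous behaviours
    derived from the terminal behaviour data) into the Beta parameters."""
    decay(state, now)
    state.alpha += normal
    state.beta += anomalous
    return state

def base_trust(state: TrustState) -> float:
    """Baseline trust value: the mean of Beta(alpha, beta)."""
    return state.alpha / (state.alpha + state.beta)

def dynamic_trust(state: TrustState, vuln_score: float, vuln_weight: float = 0.5) -> float:
    """Assumed combination: the vulnerability detection result (similarity in [0, 1]
    to a known vulnerability signature) scales the baseline down by up to vuln_weight."""
    return base_trust(state) * (1.0 - vuln_weight * vuln_score)

def decide(trust: float, threshold: float = 0.5) -> str:
    """Decision handed to the PEP: authenticate the terminal or isolate it."""
    return "authenticate" if trust >= threshold else "isolate"

def simulate() -> dict:
    """Constructed scenario: a well-behaved terminal, the same terminal after a
    vulnerability match, and one whose evidence decayed before an anomaly burst."""
    healthy = observe(TrustState(), now=0.0, normal=8, anomalous=0)
    stale = observe(TrustState(), now=0.0, normal=8, anomalous=0)
    observe(stale, now=3600.0, normal=0, anomalous=6)  # one half-life of silence first
    return {"healthy": decide(dynamic_trust(healthy, 0.0)),
            "vulnerable": decide(dynamic_trust(healthy, 1.0)),
            "stale_anomalous": decide(dynamic_trust(stale, 0.0))}
```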
2025, 47(23): 189-193. Received: 2025-6-30
DOI: 10.3404/j.issn.1672-7649.2025.23.030
Classification codes: U66; TP391
Author: 徐增勇 (Xu Zengyong), born 1982, male, associate professor; research interests: control theory and control engineering