Disclosure of Invention
The invention aims to provide an information security architecture for the electric power mobile Internet of Things and a method of using it, in order to solve one or more technical problems. The architecture can improve the operational security of the power grid and protect the electric power Internet of Things from security threats.
In order to achieve the above purpose, the invention adopts the following technical scheme:
the invention provides an information security architecture of electric power mobile internet of things, which comprises the following components:
the perception layer is based on a block chain design and is used for perceiving, collecting and identifying data;
the network layer is designed based on dynamic security association and is used for accessing and transmitting data;
the platform layer is designed based on data desensitization and big data processing and is used for mining, calculating and storing data;
and the application layer is designed based on an adversarial sample detection model and is used for data processing and data application.
A further improvement of the present invention is that the perception layer based on the blockchain design includes:
a sensor device for sensing and collecting data;
the system comprises a consensus node, a return mechanism and a control unit, wherein the consensus node is a network structure with a plurality of node branches, and the tail end of the consensus node is provided with the return mechanism; the consensus node is used for repeatedly carrying out security verification on data transmitted by the sensor equipment and carrying out consistency verification on the data according to a preset formula or an evaluation mechanism; the return mechanism is used for returning the data passing the security verification and the consistency verification;
the verification node is used for verifying information between the inside and the outside of the sensor equipment;
and the storage node is a node network capable of storing information and is used for connecting the sensor equipment and the data center.
A further improvement of the present invention is that the perception layer based on the blockchain design further comprises:
and the synchronous node is a display mechanism processed by the information security system and is used for displaying the security of the information.
A further improvement of the present invention is that the network layer based on the dynamic security association design adopts an authentication architecture based on shared dynamic security associations;
the authentication architecture based on shared dynamic security associations comprises distributed heterogeneous wireless networks, and each heterogeneous wireless network is provided with an authentication server for authenticating the mobile terminal.
The invention further improves that the step of authenticating the mobile terminal specifically comprises the following steps:
an authentication server in a network where a subscription service of a mobile terminal is located is a home authentication server of the mobile terminal; when the mobile terminal roams to an external network, an authentication server of the network where the mobile terminal is located is a local authentication server; in a heterogeneous wireless network, each access router shares the same static security association with authentication servers in the network, all local authentication servers being connected to each other by dynamic security association;
when the mobile terminal is positioned in the home network, establishing a static security association with a local authentication server; when the mobile terminal roams to the external network, a dynamic security association is established with the local authentication server.
A further improvement of the present invention is that the validity period $T_{SA}$ of the dynamic security association is expressed as:
$T_{SA} = T_{au} + T_S + T_{th}$,
wherein $T_{au}$ is the required authentication time, $T_S$ is the service time, and $T_{th}$ is the time threshold of the dynamic security association.
A further improvement of the invention is that, in the platform layer based on data desensitization and big data processing design,
a data desensitization method is adopted to realize the privacy protection of a platform layer;
converting the structured data storage into a semi-structured or unstructured data storage, and compressing all the existing data information; or converting the information into a preset structure through a big data calculation mode.
A further improvement of the present invention is that the data desensitization method is one or more of data aggregation, data sampling and deterministic encryption.
A further improvement of the invention is that, in the application layer designed based on the adversarial sample detection model,
the adversarial sample detection model is constructed by using an artificial intelligence algorithm, and the algorithm is a neural network training-based or threshold-based method;
in the adversarial sample detection model, adversarial samples are added to the training set; a defensive distillation method is used to reduce the magnitude of the network gradient; and the inputs are randomly adjusted.
The invention provides a use method of an information security architecture of an electric mobile internet of things, which comprises the following steps:
the perception layer captures data about flow states or environmental conditions, and verifies and identifies the transmitted data based on a blockchain technology so as to ensure the safety and consistency of the data;
the network layer acquires data from the sensing layer and realizes the transmission and switching of the data in different networks based on dynamic security association;
the platform layer acquires data from the network layer and realizes mining, calculation and storage of the data based on data desensitization and big data processing;
the application layer acquires data from the platform layer and performs unified safety detection on the data based on the adversarial sample detection model, and the data that passes the safety detection is used by various preset intelligent terminals.
Compared with the prior art, the invention has the following beneficial effects:
the existing information security architecture of the electric power Internet of Things cannot ensure overall security when processing complex data, so its information security evaluation parameters are low. In order to strengthen the information security of the electric power Internet of Things, the invention discloses an information security architecture of the electric power mobile Internet of Things, which is designed with a perception layer based on blockchain technology, a network layer based on dynamic security association technology, a platform layer based on big data technology and an application layer based on an adversarial sample detection model. As a result, the whole electric power Internet of Things architecture has the advantages of high security performance and high data processing efficiency, the information security of electric power Internet of Things terminals can be ensured, the electric power Internet of Things is protected from security threats, the operational security of the power grid is improved, and the economic benefit of the electric power enterprise is maintained.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The invention is described in further detail below with reference to the attached drawing figures:
Electric power Internet of Things terminals are of many types. According to service scenario, they can be divided into distribution transformer terminals, FTU/DTU, secondary integration terminals, metering meter terminals of the electricity utilization system and smart home terminals behind the user meter; according to asset ownership and the consequences of an attack, they can be mainly divided into power distribution terminals belonging to power grid assets and user smart home terminals belonging to user assets. The consequences of attacking and damaging these terminals differ markedly: attacking and damaging a power distribution terminal affects the power supply of directly associated users, and intrusion into the production control area through a power distribution terminal causes a large number of user power failures, whereas attacking and damaging a smart home terminal mainly involves disclosure of user privacy information.
An important characteristic of the electric power Internet of Things is its ubiquitous power communication network. A large number of public network protocols are deployed in this network, which improves the supervision level of the power network and also provides an applicable platform for most Internet attack techniques. The identity authentication risk faced by the electric power Internet of Things is analyzed in combination with its architecture. With the evolution toward open interconnection, the electric power Internet of Things has a massive number of network connections. Particularly in mobile, ubiquitous, hybrid and wide-area interconnection environments, a large number of internal and external network data acquisition, control and management devices, such as sensing devices, mobile terminals, video monitoring devices, smart electric meters, charging piles and office computers, are deployed in it. How to identify these devices, so that the service system can accurately locate massive numbers of power devices while preventing misidentification and malicious counterfeit access, is a problem that must be faced.
The blockchain mainly comprises three parts: point-to-point networking, the ledger structure and the consensus mechanism. The distributed general ledger is public across the whole network and is managed in a decentralized way. The nodes of all users of the network reach agreement through the consensus mechanism, the network is controlled jointly by all of its users, and a change can be made only if a majority of users agree to it. Each node locally stores a copy of the distributed general ledger, which records all legal and commonly agreed transactions in the point-to-point network, and any node can find the transaction information of a given user through its local ledger.
The electric power internet of things terminal is located at the bottommost layer of the cloud management side end system, is a key node for connecting the physical world and the digital world, adopts various types of sensing equipment to realize state sensing in various heterogeneous network environments, has complex safety conditions, and faces the challenge of access safety. With the development of the intelligent power grid, the power grid faces to the problem of processing mass data, and the blockchain and the big data have great potential value in the intelligent power grid. In the information security architecture of the electric power internet of things disclosed by the embodiment of the invention, the concepts of block chains, big data and artificial intelligence are fused, and the whole architecture is built in computer equipment in a stage division mode, so that the information acquisition effect of a data center can be enhanced, and the capability of the internet of things equipment for calculating and processing data is stably improved.
The architecture provided by the embodiment of the invention can be applied to business requirements in the fields of public security, police applications and police informatization, and a police Internet of Things system can be constructed based on the proposed architecture.
Referring to fig. 1, an information security architecture for electric mobile internet of things according to an embodiment of the present invention includes:
a perception layer, comprising: a data acquisition module, an edge calculation module and a sensing equipment module; the perception layer is used for sensing, collecting and identifying data and the like;
a network layer, comprising: wired transmission and wireless transmission; the network layer is used for accessing and transmitting data;
a platform layer, comprising: data mining, data storage and data calculation; the platform layer is used for carrying data between the layers above and below it, including data mining, data storage and the like;
an application layer, comprising: various intelligent terminals; the application layer is used for data processing and data application.
(1) In the embodiment of the invention, the perception layer design based on the block chain technology:
the information security design of the sensing layer is mainly used for preventing the sensor device from being attacked maliciously, and in general, an interconnected node device can be designed to connect the sensor device with the data center, as shown in fig. 2.
In the device shown in fig. 2, the consensus node is a network structure with a plurality of node branches, and the security of the data is ensured by repeatedly verifying the data transmitted in the sensor device. Meanwhile, the consensus node can also carry out consistency check on the data conducted through the transmission node according to a certain formula or evaluation mechanism, and a return mechanism is needed at the tail of the consensus node to return the data passing through the consensus node to an original sample. The main function of the verification node is to perform information verification between the inside and the outside of the sensor, so that an information processing device in the sensor can correctly process the relation between hardware and software and transmit data generated by combining the hardware and the software to the node.
When the access control policy is uploaded in plain text, it may leak some sensitive information about the data user. If the mapping function from the attribute to the access control matrix can be removed, the entire attribute will be hidden in the anonymous access control structure, and the mapping function will be reconstructed when the data user decrypts the data.
The storage node is a node network capable of temporarily storing information, and in general, the storage mode can temporarily connect a data center with a sensor device and set up a bridge for communication between the two. The last synchronous node is a display mechanism processed by the information security system, if the security of the information is displayed in the synchronous node, the information can be completely transmitted to the data center, otherwise, the information has a certain hidden danger and needs to be repeatedly verified or directly deleted.
(2) In the embodiment of the invention, the network layer design based on the dynamic security association technology:
the design of the network layer starts from the secure access of the terminal under the heterogeneous network, and the dynamic security association technology is introduced to improve the mobile authentication architecture.
In a traditional authentication architecture based on static security association, when a mobile terminal is switched, an external network proxy (FA, Foreign Agent) sends out consultation information, and the mobile terminal adds a network access identifier (NAI, Network Access Identifier), a challenge response and other information into a mobile IP request. The external network proxy starts an authentication protocol through an external network authentication center (FAC, Foreign Authentication Center) to generate a VAC mobile registration request message, which comprises the registration request message of the mobile terminal. The FAC analyzes the NAI, finds out the address of the main network authentication center (HAC, Home Authentication Center) of the mobile terminal, starts an AAA protocol and waits for approval of the HAC. The HAC verifies the certificate information of the mobile terminal and, if the verification is successful, the mobile terminal is assigned a home address. The problem of Security Association (SA) remains essentially between two different static networks.
In the embodiment of the invention, an authentication architecture based on shared dynamic rather than static security association is adopted. The architecture mainly comprises distributed heterogeneous wireless networks, wherein each network has an authentication server for authenticating the mobile terminal. The mobile terminal subscribes to a service in a network, and the authentication server in that network is the home authentication server (HAS, Home Authentication Server) of the mobile terminal; when the mobile terminal roams to a foreign network, the authentication server in the network where the mobile terminal is located is called a Local Authentication Server (LAS).
In a wireless network, each Access Router (AR) shares the same static security association with an authentication server in the network. When the mobile terminal is located in the home network, establishing static security association with the HAS; but when the mobile terminal roams to an external network, a dynamic security association is established with the LAS, and all the LAS are also connected to each other through the dynamic association.
Alternatively, mobile terminals in heterogeneous networks may exhibit different mobility states, which are generalized to high mobility and low mobility. Because a low Mobility Terminal (MTLM) may cover less area than a high mobility node (MTLM) for a certain period of time, it generates less inter-domain handover authentication than a high mobility terminal, and it generates more intra-domain handover authentication than a high mobility node. The high mobility node always accesses the new external network frequently, establishes a new security association for inter-domain handover authentication, and the low mobility terminal can dynamically reuse the established SA when in intra-domain authentication.
The validity period of the SA can be expressed as:
$T_{SA} = T_{au} + T_S + T_{th}$ (1)
wherein $T_{au}$ is the required authentication time, $T_S$ is the service time, and $T_{th}$ is the time threshold of the dynamic SA.
By setting a higher time threshold for low mobility terminals and a lower time threshold for high mobility nodes, $T_{SA}$ of a low mobility terminal is longer and $T_{SA}$ of a high mobility node is shorter.
Setting a variable time threshold for the validity period of the security association reduces authentication delay and improves bandwidth efficiency for low mobility nodes. For high mobility nodes, it reduces the average value and the privacy exposure possibility of the security association while a certain authentication delay and bandwidth efficiency are maintained. The security performance of the mobile terminal switching between different networks is thereby effectively improved.
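The effect of equation (1) on handover authentication can be seen in a small simulation of a local authentication server that keeps a table of dynamic SAs. This is an added example, not code from the patent; the threshold values, handover times, class and function names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed thresholds in seconds (hypothetical values). The text only states that
# low mobility terminals get a higher T_th and high mobility nodes a lower one.
T_TH = {"low": 600.0, "high": 60.0}

# Constructed handover times (seconds) for one terminal inside one domain.
HANDOVERS = [0.0, 120.0, 240.0, 360.0, 480.0]


def sa_validity(t_au, t_s, mobility):
    """Equation (1): T_SA = T_au + T_S + T_th, with T_th picked by mobility class."""
    return t_au + t_s + T_TH[mobility]


@dataclass
class DynamicSA:
    terminal: str
    mobility: str
    expires_at: float


class LocalAuthServer:
    """Hypothetical LAS that reuses a dynamic SA while it is still valid."""

    def __init__(self, t_au=0.5):
        self.t_au = t_au        # time needed for one full authentication
        self.sa_table = {}      # terminal id -> DynamicSA
        self.full_auths = 0
        self.reuses = 0

    def handle_handover(self, terminal, mobility, now, t_s):
        sa = self.sa_table.get(terminal)
        if sa is not None and now < sa.expires_at:
            # SA still within its validity period: no new authentication needed.
            self.reuses += 1
            return "reused"
        # Missing or expired SA: run a full authentication and install a new SA
        # whose lifetime follows equation (1).
        self.full_auths += 1
        expires = now + sa_validity(self.t_au, t_s, mobility)
        self.sa_table[terminal] = DynamicSA(terminal, mobility, expires)
        return "full"

    def purge_expired(self, now):
        """Drop expired SAs so stale key material does not linger in the table."""
        expired = [t for t, sa in self.sa_table.items() if now >= sa.expires_at]
        for t in expired:
            del self.sa_table[t]
        return len(expired)


def simulate(mobility, handover_times, t_s=30.0):
    """Return (full authentications, SA reuses) for one terminal."""
    las = LocalAuthServer()
    for t in handover_times:
        las.handle_handover("MT-1", mobility, t, t_s)
    return las.full_auths, las.reuses


if __name__ == "__main__":
    for mobility in ("low", "high"):
        full, reused = simulate(mobility, HANDOVERS)
        print(mobility, "T_SA =", sa_validity(0.5, 30.0, mobility),
              "full auths:", full, "reuses:", reused)
```

With the same handover pattern, the long-lived SA is reused four times, while the short-lived SA forces a fresh authentication at every handover and is therefore exposed for a much shorter window.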
(3) In the embodiment of the invention, the platform layer design based on the big data technology:
1) Privacy protection: the security of the platform layer mainly guarantees the security of information in the processes of calculation, storage and transmission, and the platform layer must adopt proper security strategies to ensure the privacy and the security of the information in the ubiquitous electric power internet of things, so that the security requirement of the privacy protection of the platform layer is met by adopting a data desensitization technology.
Data desensitization generally involves several methods:
data aggregation: data aggregation is a collection of statistical techniques (e.g., summation, counting, averaging, maximum and minimum) that, when applied to attributes in micro-data, produce results that can represent all records in the original dataset.
Illustratively, the data aggregation usage should be noted in the following aspects:
a) Data aggregation may reduce the usefulness of the data; because statistics are obtained, the characteristics of the independent data records cannot be reflected.
b) Data aggregation is very effective against re-identification attacks; the output of the data aggregation is a "statistic" that facilitates the overall reporting or analysis of the data without revealing any individual records.
Data sampling: data sampling is the analysis and evaluation of the original data set by selecting a representative subset of the data set, which is an important method to improve the effectiveness of data desensitization techniques.
Illustratively, the data sampling technique is selected and used with attention to the following aspects:
a) The methods for extracting the samples from the data set are quite different and need to be selected according to the characteristics of the data set and the expected use scene.
b) Data sampling is often used for preprocessing of data desensitization, and random sampling of the data set can increase the uncertainty in identifying the particular personal information data body, thereby improving the effectiveness of other data desensitization techniques for subsequent applications.
c) Data sampling can simplify the amount of computation on a data set, so when data desensitizing a data set of a large sample, sampling is performed first, and then data desensitization is performed by adopting a specific technology, and attention is paid to the fact that the sample should not lose important data.
Deterministic encryption: deterministic encryption is a non-random symmetric encryption; when applied in a data desensitization process, deterministic encryption replaces the identifier value in the micro data with the encryption result.
Illustratively, the selection and use of deterministic encryption techniques should be noted in several respects:
a) Deterministic encryption can ensure that data is truly available, i.e., encrypting two identical data values with the same key will produce two identical ciphertexts.
b) The deterministic encryption can ensure the usefulness of the data in the aspects of statistical processing and privacy anti-mining to a certain extent, and can also generate micro data for accurate matching search, data association and analysis. Analysis of deterministic encryption results is limited to checking whether the data values are equal.
c) The re-identification attack on deterministic encryption is mainly an attack carried out without the right to use the key; a correlation attack can be applied to ciphertexts that are deterministically encrypted with the same key, and the success or failure of the attack depends to a great extent on the choice of encryption algorithm parameters.
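The three desensitization methods above can be applied to constructed meter records in a few functions, together with a pre-release check for the same-key correlation risk noted in c). This is an added example, not part of the patent; HMAC-SHA256 stands in for deterministic encryption because it has the same equality-preserving behaviour using only the standard library (it is a keyed one-way token, not a reversible cipher), and the record layout, keys and function names are assumptions.

```python
import hashlib
import hmac
import random
from collections import Counter, defaultdict

# Constructed sample micro-data: (meter_id, district, kWh). Not real data.
RECORDS = [
    ("M-1001", "north", 12.0),
    ("M-1001", "north", 14.0),
    ("M-1002", "north", 9.0),
    ("M-2001", "south", 20.0),
    ("M-2001", "south", 22.0),
    ("M-2001", "south", 18.0),
    ("M-2002", "south", 7.0),
    ("M-3001", "east", 11.0),
]

KEY_A = b"constructed-key-for-release-A"   # hypothetical per-release keys
KEY_B = b"constructed-key-for-release-B"


def det_token(key, identifier):
    """Deterministic keyed replacement: same key and input give the same token."""
    digest = hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()
    return digest[:16]


def sample(records, fraction, seed):
    """Data sampling: keep a random subset before further desensitization."""
    rng = random.Random(seed)
    k = max(1, round(len(records) * fraction))
    return rng.sample(records, k)


def desensitize(records, key):
    """Replace the identifier column with its deterministic token."""
    return [(det_token(key, mid), district, kwh) for mid, district, kwh in records]


def aggregate(records):
    """Data aggregation: per-district count and mean, no individual records."""
    groups = defaultdict(list)
    for _, district, kwh in records:
        groups[district].append(kwh)
    return {d: {"count": len(v), "mean": sum(v) / len(v)} for d, v in groups.items()}


def frequency_profile(records):
    """How often each identifier (or token) occurs, most frequent first.

    Deterministic replacement preserves this profile, which is what makes
    exact-match analysis possible and also what a correlation attack relies on.
    """
    return sorted(Counter(r[0] for r in records).values(), reverse=True)


def shared_tokens(release_a, release_b):
    """Tokens present in both releases; any overlap lets the releases be joined."""
    return {r[0] for r in release_a} & {r[0] for r in release_b}


if __name__ == "__main__":
    rel_a = desensitize(RECORDS, KEY_A)
    print("aggregate:", aggregate(rel_a))
    print("profile preserved:", frequency_profile(RECORDS) == frequency_profile(rel_a))
    print("same key overlap:", len(shared_tokens(rel_a, desensitize(RECORDS, KEY_A))))
    print("different key overlap:", len(shared_tokens(rel_a, desensitize(RECORDS, KEY_B))))
```

Running the check before release shows the trade-off directly: tokens under one key stay joinable and keep the identifier frequency profile, while a separate key per release removes cross-release linkage at the cost of cross-release matching.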
2) Data storage
In the platform layer, to enhance information security, it is necessary to convert structured data storage into semi-structured or unstructured data storage in some special way, and to compress all existing data information or to convert such information into a more easily handled structure by the calculation mode of big data. Such data generally has the characteristics of high value, high density and high storage efficiency, and is more suitable for the Internet of things system with smaller memory quantity than the prior data. And the specific information of the electric mobile Internet of things is combined, so that the structural system of big data can be referred.
As shown in fig. 3, the whole system can be divided into four parts. The first part is the initialization stage of the database; in this stage, the system flow saves all the existing data information and stores it in the database to prevent the data from being lost. The second part is the data addition and storage part; in this stage, the computer can add a portion of data information to the electric power Internet of Things information security terminal, and this is also the core part of the whole data storage model. Here it is first necessary to calculate whether the data is larger than the database can store; if so, it is possible to enter the third part, and if there is insufficient memory, it is necessary to return to the database initialization stage. If the database is abnormal, the flow needs to return to the database initialization stage, and if the database is not abnormal, the data indexing step of the fourth stage can be performed. The data indexing mainly adds the data information in the electric power Internet of Things information security terminal, places it in a proper position, updates the catalog file of the database and gives the address of the newly added data. After all the above algorithms are implemented, the storage of network data is initially completed.
(4) In the embodiment of the invention, the design of an application layer based on an adversarial sample detection model:
in the application layer, the electric power Internet of Things faces mass data generated by various intelligent applications, and the importance of its security performance is self-evident. Therefore, in the design of the application layer, an adversarial sample detection model is constructed by using artificial intelligence algorithms such as machine learning and deep learning. There are many algorithms for detection models, which can be broadly divided into neural network training-based and threshold-based approaches. A training-based model is constructed by collecting normal samples and malicious samples, extracting their features, and obtaining the model through a certain training process. A threshold-based model is constructed by building a parameter model of the data and carrying out hypothesis testing according to the parameter model to determine the optimal threshold value. Finally, a plurality of models are selected according to the requirements of the application scenario; the specific flow is shown in fig. 4.
The evaluation and selection of the detection model can be considered from three directions: algorithm performance, detection capability, and complexity of the input data. The algorithm performance analysis covers the space-time complexity of the detection algorithm and the robustness of the algorithm. Defense techniques for improving the robustness of the model aim at a model that performs equally well under adversarial and normal inputs, making the model less sensitive to uncorrelated changes in its inputs, effectively regularizing the model to reduce the attack surface, and limiting the response to non-manifold disturbances. By way of example, the following 3 classes of defense methods against attacks can be introduced to enhance the robustness of the model: (1) data expansion: training again after adding adversarial samples to the training set, so that the robustness of the model is improved; (2) regularization method: the defensive distillation method is used for reducing the magnitude of the network gradient and improving the ability to discover adversarial samples with small-amplitude disturbances; (3) data randomization processing: a method of canceling disturbances by making random adjustments to the input.
The detection capability of the model can be analyzed from the false positive rate, the false negative rate and the universality of the algorithm. The complexity of the input data, namely the dimension, precision and scale of the data of the feature data required in the process of training the model, can affect the efficiency of the generation and use of the model.
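The threshold-based construction described above (a parameter model of normal data, a hypothesis test, then threshold selection judged by false positive and false negative rates) can be sketched as follows. This is an added example, not code from the patent; the Gaussian model, the single scalar feature, the candidate significance levels and all sample values are assumptions, and the samples are constructed with a seeded generator.

```python
import random
from statistics import NormalDist, mean, stdev


def make_samples(seed, n, mu, sigma):
    """Constructed feature values (for instance a reading in volts); not real data."""
    rng = random.Random(seed)
    return [rng.gauss(mu, sigma) for _ in range(n)]


def fit_parameter_model(normal_samples):
    """Parameter model of the data: a Gaussian fitted to normal samples only."""
    return NormalDist(mean(normal_samples), stdev(normal_samples))


def critical_z(alpha):
    """Two-sided critical value: reject 'sample is normal' when |z| exceeds it."""
    return NormalDist().inv_cdf(1.0 - alpha / 2.0)


def is_malicious(model, z_crit, x):
    """Hypothesis test for one sample against the fitted parameter model."""
    return abs(x - model.mean) / model.stdev > z_crit


def rates(model, z_crit, normal, malicious):
    """False positive rate on normal samples, false negative rate on malicious ones."""
    fp = sum(is_malicious(model, z_crit, x) for x in normal)
    fn = sum(not is_malicious(model, z_crit, x) for x in malicious)
    return fp / len(normal), fn / len(malicious)


def select_threshold(model, normal_val, malicious_val,
                     alphas=(0.10, 0.05, 0.01, 0.001)):
    """Pick the significance level whose threshold minimises FPR + FNR."""
    best = None
    for alpha in alphas:
        z = critical_z(alpha)
        fpr, fnr = rates(model, z, normal_val, malicious_val)
        candidate = {"alpha": alpha, "z_crit": z, "fpr": fpr, "fnr": fnr}
        if best is None or fpr + fnr < best["fpr"] + best["fnr"]:
            best = candidate
    return best


# Constructed data sets: training and validation normals share one distribution,
# malicious validation samples are shifted away from it.
TRAIN_NORMAL = make_samples(1, 400, 220.0, 2.0)
VAL_NORMAL = make_samples(2, 400, 220.0, 2.0)
VAL_MALICIOUS = make_samples(3, 400, 235.0, 2.0)


if __name__ == "__main__":
    model = fit_parameter_model(TRAIN_NORMAL)
    best = select_threshold(model, VAL_NORMAL, VAL_MALICIOUS)
    print("fitted model:", model)
    print("selected:", best)
    print("250.0 flagged:", is_malicious(model, best["z_crit"], 250.0))
```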
The application method of the electric power mobile internet of things information security architecture provided by the embodiment of the invention comprises the following steps:
step 1, the perception layer sensor captures data related to flow states or environmental conditions, and the data transmitted by the sensor device is repeatedly verified in the consensus node, which is a network structure with a plurality of node branches, to ensure the safety of the data;
step 2, the data received from the sensor appears in an analog form, is summarized and converted into a digital form, and realizes the transmission and switching of the data in different networks through a shared dynamic security association authentication architecture;
step 3, the data enters the platform layer from the network layer, and the processes of mining, calculating, storing and the like of the data are completed in the platform layer supported by the data desensitization technology;
step 4, the data enters the application layer, the adversarial sample detection model of the application layer carries out unified safety detection on the data and filters out malicious data, and the data is finally applied to the intelligent terminal.
In summary, the embodiment of the invention specifically discloses an information security architecture of the electric power mobile Internet of Things and a use method thereof. Specifically, in order to strengthen the information security of the electric power Internet of Things, the embodiment of the invention provides a complete overall information security architecture for the electric power Internet of Things; the sensor is prevented from being easily attacked by malicious attacks, and the information security of the perception layer is enhanced; the network layer is designed based on dynamic security association technology, and a variable time threshold is set for the validity period of the security association, so that authentication delay is reduced at a low mobility node, bandwidth efficiency is improved, the average value and privacy exposure possibility of the security association are reduced, and the security performance of the mobile terminal switching between different networks is effectively improved; the platform layer is designed based on privacy protection technology and big data technology, sensitive data in mass data is processed by using data desensitization technology, and the abnormal rate of the data storage process is reduced, so that the platform layer has high data security and high data storage efficiency; and the application layer is designed based on the construction of the adversarial sample detection model, which is built by carrying out feature extraction on data, so that the malicious sample recognition rate of the application layer terminal is improved and the information security of the electric power Internet of Things terminal is enhanced.
To summarize, the information security architecture of the electric power Internet of Things disclosed by the embodiment of the invention is designed layer by layer in detail, and technologies such as blockchain, big data, dynamic security association, privacy protection and an adversarial sample detection model are used to design and improve the perception layer, network layer, platform layer and application layer in detail, so that the whole electric power Internet of Things architecture has the advantages of high security performance and high data processing efficiency.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that the above embodiments only illustrate the technical solutions of the present invention and do not limit them. Although the present invention has been described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that modifications and equivalents may be made to the specific embodiments of the invention without departing from its spirit and scope, and all such modifications and equivalents are intended to be covered by the claims.