CN114205816B - Electric power mobile internet of things information security architecture and application method thereof - Google Patents


Info

Publication number
CN114205816B
CN114205816B
Authority
CN
China
Prior art keywords
data
network
layer
information
electric power
Legal status (as listed by Google Patents; not a legal conclusion)
Active
Application number
CN202111525756.4A
Other languages
Chinese (zh)
Other versions
CN114205816A (en)
Inventor
曹靖怡
朱亚运
姜琳
王海翔
缪思薇
张晓娟
蔺子清
Current Assignee (as listed by Google Patents; may be inaccurate)
China Electric Power Research Institute Co Ltd CEPRI
Original Assignee
China Electric Power Research Institute Co Ltd CEPRI
Application filed by China Electric Power Research Institute Co Ltd CEPRI
Priority to CN202111525756.4A
Publication of CN114205816A
Application granted
Publication of CN114205816B
Legal status: Active
Anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication
    • H04W12/069: Authentication using certificates or pre-shared keys
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245: Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6254: Protecting personal data, e.g. for financial or medical purposes by anonymising data, e.g. decorrelating personal data from the owner's identification
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/08: Learning methods
    • G16: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y: INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y10/00: Economic sectors
    • G16Y10/35: Utilities, e.g. electricity, gas or water
    • G16Y30/00: IoT infrastructure
    • G16Y30/10: Security thereof
    • G16Y40/00: IoT characterised by the purpose of the information processing
    • G16Y40/10: Detection; Monitoring
    • G16Y40/20: Analytics; Diagnosis
    • G16Y40/50: Safety; Security of things, users, data or systems
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04: INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S: SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00: Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20: Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention discloses an information security architecture for the electric power mobile internet of things and a method of using it. The architecture comprises: a perception layer, designed on a blockchain basis, for perceiving, collecting and identifying data; a network layer, designed on the basis of dynamic security association, for accessing and transmitting data; a platform layer, designed on the basis of data desensitization and big data processing, for mining, computing and storing data; and an application layer, designed on the basis of an adversarial sample detection model, for data processing and data application. The architecture can improve the operational security of the power grid and protect the electric power internet of things from security threats.

Description

Electric power mobile internet of things information security architecture and application method thereof
Technical Field
The invention belongs to the technical field of information security for the electric power internet of things, and in particular relates to an information security architecture for the electric power mobile internet of things and a method of using it.
Background
In recent years the demand for electric power has grown continuously, driving rapid development of the power industry. The electric power internet of things builds on modern smart grid technology and combines advanced information, communication and sensing technologies to achieve deep fusion of the smart grid's information flow, power flow and service flow, providing important technical support for the stable operation of the power industry. The wide deployment of the electric power internet of things enables real-time monitoring and sensing of smart grid operation and is an important guarantee of safe and stable grid operation; at the same time, its broad application scope greatly increases the complexity of the power system and raises the requirements on security.
The structural layers of electric power internet of things information security technology are a perception layer that senses the whole power network, a network layer that carries data across the various networks, a platform layer that stores the power network's data, and an application layer that visualizes it. Within this security architecture the security of internet of things data has a decisive influence on the application system: it directly determines the accuracy and security of the data transmitted by power equipment. The internet of things differs from the internet in its requirements: it has extremely strict requirements on the security of data and, compared with the internet, requires higher network stability, both for its data and for the reliability of its network connections.
With continued social and economic development, power network systems are used ever more widely. The electric power internet of things generates many kinds of data in operation, and the traditional security architecture cannot meet the requirements for secure transmission and storage of this mass of data. In particular: the perception layer of the traditional architecture has a higher probability of suffering malicious attacks, because different types of perception terminals are mostly deployed on the same perception node; the network layer, which mainly transmits, processes and uses information, easily develops security problems when a large number of mobile terminals switch between different networks; the platform layer mainly guards the security of information during computation, storage and transmission, but without a suitable security policy it can hardly guarantee the privacy and security of information in the electric power internet of things, and its data storage efficiency is low; and the application layer, which faces a large number of intelligent terminals, is as prone to malicious attacks as the perception layer.
Disclosure of Invention
The invention aims to provide an information security architecture for the electric power mobile internet of things and a method of using it, so as to solve one or more of the technical problems above. The architecture can improve the operational security of the power grid and protect the electric power internet of things from security threats.
To this end, the invention adopts the following technical scheme.
The invention provides an information security architecture for the electric power mobile internet of things, comprising:
a perception layer, designed on a blockchain basis, for perceiving, collecting and identifying data;
a network layer, designed on the basis of dynamic security association, for accessing and transmitting data;
a platform layer, designed on the basis of data desensitization and big data processing, for mining, computing and storing data;
and an application layer, designed on the basis of an adversarial sample detection model, for data processing and data application.
In a further improvement of the invention, the blockchain-based perception layer includes:
a sensor device for sensing and collecting data;
a consensus node, which is a network structure with a plurality of node branches and carries a return mechanism at its tail end; the consensus node performs security verification on the data transmitted by the sensor device several times and performs consistency verification on that data according to a preset formula or evaluation mechanism; the return mechanism returns the data that has passed both security verification and consistency verification;
a verification node for verifying information between the inside and the outside of the sensor device;
and a storage node, which is a node network able to store information and which connects the sensor device to the data center.
In a further improvement of the invention, the blockchain-based perception layer further comprises:
a synchronization node, which is the display mechanism of the information security system and is used to display whether information is secure.
In a further improvement of the invention, the network layer based on dynamic security association adopts a security association authentication architecture based on shared dynamic security associations;
this architecture comprises distributed heterogeneous wireless networks, each of which has an authentication server for authenticating mobile terminals.
In a further improvement of the invention, authenticating a mobile terminal specifically comprises the following steps:
the authentication server of the network in which the mobile terminal's subscribed service is located is the home authentication server of the mobile terminal; when the mobile terminal roams to a foreign network, the authentication server of the network it is currently in is the local authentication server; in a heterogeneous wireless network, each access router shares the same static security association with the authentication servers of its network, and all local authentication servers are connected to one another by dynamic security associations;
when the mobile terminal is in its home network it establishes a static security association with the local authentication server; when it roams to a foreign network it establishes a dynamic security association with the local authentication server.
In a further improvement of the invention, the validity period $T_{SA}$ of the dynamic security association is expressed as:
$$T_{SA} = T_{au} + T_S + T_{th}$$
where $T_{au}$ is the required authentication time, $T_S$ is the service time and $T_{th}$ is the time threshold of the dynamic security association.
In a further improvement of the invention, in the platform layer based on data desensitization and big data processing,
a data desensitization method is used to achieve privacy protection at the platform layer;
structured data storage is converted into semi-structured or unstructured data storage and all existing data is compressed; or the information is converted into a preset structure by means of big data computation.
A further improvement of the present invention is that the data desensitization method is one or more of data aggregation, data sampling and data sampling.
In a further improvement of the invention, in the application layer based on the adversarial sample detection model,
the adversarial sample detection model is built with an artificial intelligence algorithm, which is either a neural-network-training-based method or a threshold-based method;
in the adversarial sample detection model, adversarial samples are added to the training set, the magnitude of the network gradient is reduced by defensive distillation, and the inputs are randomly perturbed.
The invention also provides a method of using the information security architecture for the electric power mobile internet of things, comprising the following steps:
the perception layer captures data about flow states or environmental conditions and verifies and identifies the transmitted data using blockchain technology, so as to ensure the security and consistency of the data;
the network layer acquires data from the perception layer and transmits and switches it across different networks on the basis of dynamic security association;
the platform layer acquires data from the network layer and mines, computes and stores it on the basis of data desensitization and big data processing;
the application layer acquires data from the platform layer and performs unified security detection on it with the adversarial sample detection model; data that passes the security detection is used by the various preset intelligent terminals.
Compared with the prior art, the invention has the following beneficial effects:
the existing information security architecture of the electric power internet of things cannot guarantee overall security when processing complex data, so its information security evaluation parameters are low. To strengthen the information security of the electric power internet of things, the invention discloses an information security architecture for the electric power mobile internet of things with a perception layer based on blockchain technology, a network layer based on dynamic security association technology, a platform layer based on big data technology and an application layer based on an adversarial sample detection model, so that the architecture as a whole has high security performance and high data processing efficiency. It can ensure the information security of electric power internet of things terminals, protect the electric power internet of things from security threats, improve the operational security of the power grid and safeguard the economic interests of power enterprises.
Drawings
To illustrate the embodiments of the invention or the technical solutions in the prior art more clearly, the drawings used in their description are briefly introduced below; it will be apparent to those of ordinary skill in the art that these drawings show only some embodiments of the invention and that other drawings may be derived from them without inventive effort.
FIG. 1 is a schematic diagram of an information security architecture for the electric power mobile internet of things according to an embodiment of the invention;
FIG. 2 is a schematic diagram of the perception layer nodes in an embodiment of the invention;
FIG. 3 is a schematic diagram of the network information storage flow in an embodiment of the invention;
FIG. 4 is a schematic diagram of the construction flow of the adversarial sample detection model according to an embodiment of the invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The invention is described in further detail below with reference to the drawings.
Electric power internet of things terminals are of many kinds. By service scenario they can be divided into distribution transformer terminals, FTU/DTU, secondary integration terminals, metering terminals of the electricity consumption system and smart home terminals behind the user's meter; by asset ownership and attack impact they can be divided mainly into distribution terminals, which are grid assets, and user smart home terminals, which are user assets. The consequences of attacking and damaging these terminals differ markedly: an attack on a distribution terminal affects the power supply of its directly associated users, and an intrusion from a distribution terminal into the production control area can cause power failures for a large number of users, whereas an attack on a smart home terminal mainly leads to disclosure of user privacy information.
An important characteristic of the electric power internet of things is its ubiquitous power communication network. A large number of public network protocols are deployed in it; these raise the level of supervision over the power network, but they also provide a usable platform for most internet attack techniques. The identity authentication risks faced by the electric power internet of things are analyzed here in combination with its architecture. As the electric power internet of things evolves toward open interconnection it carries massive numbers of network connections, especially in mobile, ubiquitous, hybrid and wide-area interconnection environments, where a large number of internal and external data acquisition, control and management devices are deployed, such as sensing devices, mobile terminals, video monitoring devices, smart meters, charging piles and office computers. How to identify these devices so that the service system can accurately locate this mass of power equipment, preventing misidentification and malicious counterfeit access, is a problem that must be faced.
The blockchain consists mainly of three parts: peer-to-peer networking, the ledger structure and the consensus mechanism. The distributed general ledger is public across the whole network and is managed in a decentralized way: the nodes of all users reach agreement through the consensus mechanism, the network is controlled jointly by all its users, and a change can only be made when a majority of users agree to it. Each node stores a local copy of the distributed general ledger, which records all legal and commonly agreed transactions in the peer-to-peer network, and any node can look up the transaction information of a given user in its local ledger.
Electric power internet of things terminals sit at the lowest layer of the cloud-pipe-edge-device system and are the key nodes connecting the physical and digital worlds. They use many kinds of sensing equipment to achieve state sensing in heterogeneous network environments, their security conditions are complex, and they face the challenge of access security. As the smart grid develops, the grid faces the problem of processing mass data, and blockchain and big data have great potential value in the smart grid. The information security architecture disclosed in the embodiment of the invention fuses the concepts of blockchain, big data and artificial intelligence, and the whole architecture is built in computer equipment in stages, which strengthens the data center's information acquisition and steadily improves the ability of internet of things devices to compute and process data.
The architecture provided by the embodiment of the invention can also be applied to business requirements in the fields of public security, police applications and police informatization; a police internet of things system can be constructed on the basis of the proposed architecture.
Referring to FIG. 1, the information security architecture for the electric power mobile internet of things according to an embodiment of the invention comprises:
a perception layer, comprising a data acquisition module, an edge computing module and a sensing equipment module, and used for sensing, collecting and identifying data;
a network layer, comprising wired transmission and wireless transmission, and used for accessing and transmitting data;
a platform layer, comprising data mining, data storage and data computation, and used for carrying data up and down the stack, including data mining and data storage;
an application layer, comprising the various intelligent terminals, and used for data processing and data application.
(1) Perception layer design based on blockchain technology in the embodiment of the invention:
The information security design of the perception layer mainly serves to prevent the sensor devices from being attacked maliciously. In general, an interconnected node device can be designed to connect the sensor devices with the data center, as shown in FIG. 2.
In the device shown in FIG. 2, the consensus node is a network structure with a plurality of node branches, and it ensures data security by repeatedly verifying the data transmitted from the sensor device. The consensus node can also check the consistency of the data conducted through the transmission node according to a certain formula or evaluation mechanism, and a return mechanism is needed at the tail of the consensus node to return the data that has passed the consensus node to the original sample. The main function of the verification node is to verify information between the inside and the outside of the sensor, so that the information processing device in the sensor correctly handles the relation between hardware and software and transmits the data generated by their combination to the node.
If the access control policy is uploaded in plain text it may leak sensitive information about the data user. If the mapping function from attributes to the access control matrix can be removed, the whole attribute set is hidden in an anonymous access control structure, and the mapping function is reconstructed when the data user decrypts the data.
The storage node is a node network able to store information temporarily; in general this storage mode temporarily connects the data center with the sensor device and builds a bridge for communication between the two. The final synchronization node is the display mechanism of the information security system: if the information is shown to be secure at the synchronization node it can be fully transmitted to the data center; otherwise it carries a hidden danger and must be verified again or deleted outright.
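The ledger description above (each node keeps a local copy, changes need agreement, any copy can be checked) and the consensus node's repeated security and consistency verification can be made concrete with a small hash-chained ledger. The block below is an added example written for this page, not code from the patent: the verification rules (`well_formed`, a physical range in `plausible`, and a maximum jump from the last accepted value in `consistent_with_history`) are assumptions standing in for the patent's "preset formula or evaluation mechanism", and the sensor names and readings are constructed. `audit` shows the two checks a defender wants on stored copies: recomputing every link catches an edited payload, and comparing tip hashes across nodes catches a copy that was re-hashed to look internally consistent.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64


def block_hash(prev_hash: str, payload: dict) -> str:
    """Hash of a block = SHA-256 over its predecessor's hash and its payload,
    serialized canonically so every node computes the same digest."""
    body = json.dumps({"prev": prev_hash, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class LedgerNode:
    """One storage node holding its own copy of the hash-chained ledger."""

    def __init__(self, name: str):
        self.name = name
        genesis = {"genesis": True}
        self.chain = [{"prev": GENESIS_PREV, "payload": genesis,
                       "hash": block_hash(GENESIS_PREV, genesis)}]

    def append(self, payload: dict) -> None:
        payload = dict(payload)  # private copy, so node copies share no state
        prev = self.chain[-1]["hash"]
        self.chain.append({"prev": prev, "payload": payload,
                           "hash": block_hash(prev, payload)})

    def verify_chain(self) -> bool:
        """Recompute every link; an edited payload or broken link fails."""
        for i in range(1, len(self.chain)):
            blk, prev = self.chain[i], self.chain[i - 1]
            if blk["prev"] != prev["hash"]:
                return False
            if blk["hash"] != block_hash(blk["prev"], blk["payload"]):
                return False
        return True

    def last_value(self, sensor: str):
        for blk in reversed(self.chain):
            if blk["payload"].get("sensor") == sensor:
                return blk["payload"]["value"]
        return None


# Security verification (assumed rules): the reading must be well formed and
# inside the sensor's physical range.
def well_formed(reading: dict) -> bool:
    value = reading.get("value")
    return (isinstance(reading.get("sensor"), str)
            and isinstance(value, (int, float)) and not isinstance(value, bool))


def plausible(reading: dict, lo: float = -40.0, hi: float = 120.0) -> bool:
    return lo <= reading["value"] <= hi


# Consistency verification (assumed rule in place of the patent's "preset
# formula"): no jump larger than max_delta from the last accepted reading.
def consistent_with_history(reading: dict, node: LedgerNode,
                            max_delta: float = 20.0) -> bool:
    prev = node.last_value(reading["sensor"])
    return prev is None or abs(prev - reading["value"]) <= max_delta


def consensus_append(nodes: list, reading: dict) -> bool:
    """Consensus step: accept a reading only if every verification passes,
    then replicate it to every node's copy. Returns the verdict."""
    if not (well_formed(reading) and plausible(reading)
            and consistent_with_history(reading, nodes[0])):
        return False
    for node in nodes:
        node.append(reading)
    return True


def audit(nodes: list) -> list:
    """Names of nodes whose copy is suspect: its own chain no longer verifies,
    or its tip hash disagrees with the majority of the other copies."""
    tips = [n.chain[-1]["hash"] for n in nodes]
    majority_tip = max(set(tips), key=tips.count)
    return [n.name for n in nodes
            if not n.verify_chain() or n.chain[-1]["hash"] != majority_tip]


if __name__ == "__main__":
    nodes = [LedgerNode(f"node-{i}") for i in range(3)]
    # Constructed readings (degrees C from a transformer sensor); the second
    # one jumps 55 degrees and is rejected by the consistency check.
    for value in (25.0, 80.0, 30.0):
        print(value, consensus_append(nodes, {"sensor": "t1", "value": value}))
    print("audit:", audit(nodes))
```

The consistency check is deliberately run against a node's ledger rather than against the sensor's own claim, which is the point of the return mechanism: the history the reading is compared with is the history the network already agreed on.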
(2) Network layer design based on dynamic security association technology in the embodiment of the invention:
The design of the network layer starts from secure terminal access under heterogeneous networks and introduces dynamic security association technology to improve the mobile authentication architecture.
In the traditional authentication architecture based on static security association, when a mobile terminal hands over, the foreign agent (FA, Foreign Agent) sends out solicitation information; the mobile terminal adds its network access identifier (NAI, Network Access Identifier), a challenge response and other information to the mobile IP request; the foreign agent starts the authentication protocol through the foreign authentication center (FAC, Foreign Authentication Center), generating a VAC mobile registration request message that contains the mobile terminal's registration request; the FAC parses the NAI, finds the address of the mobile terminal's home authentication center (HAC, Home Authentication Center), starts the AAA protocol and waits for the HAC's approval. The HAC verifies the mobile terminal's certificate information and, if verification succeeds, assigns the mobile terminal a home address. The security association (SA) problem remains essentially one between two different static networks. The embodiment of the invention instead adopts an authentication architecture based on shared dynamic, rather than static, security associations. The architecture consists mainly of distributed heterogeneous wireless networks, each with an authentication server that authenticates mobile terminals. A mobile terminal subscribes to a service in one network, whose authentication server is the mobile terminal's home authentication server (HAS, Home Authentication Server); when the mobile terminal roams to a foreign network, the authentication server of the network it is in is called the local authentication server (LAS, Local Authentication Server).
In a wireless network each access router (AR) shares the same static security association with the authentication server of its network. When the mobile terminal is in its home network it establishes a static security association with the HAS; when it roams to a foreign network it establishes a dynamic security association with the LAS, and all LASs are likewise connected to one another through dynamic associations.
Mobile terminals in heterogeneous networks may also exhibit different mobility states, which are generalized as high mobility and low mobility. Because a low-mobility terminal (MTLM) covers less area in a given period than a high-mobility node, it generates fewer inter-domain handover authentications than a high-mobility terminal and more intra-domain handover authentications. A high-mobility node frequently accesses new foreign networks and establishes a new security association for each inter-domain handover authentication, whereas a low-mobility terminal can dynamically reuse an established SA during intra-domain authentication.
The validity period of the SA can be expressed as:
$$T_{SA} = T_{au} + T_{S} + T_{th} \quad (1)$$
where $T_{au}$ is the required authentication time, $T_{S}$ is the service time and $T_{th}$ is the time threshold of the dynamic SA.
By setting a higher time threshold for low-mobility terminals and a lower time threshold for high-mobility nodes, $T_{SA}$ of a low-mobility terminal is made longer and $T_{SA}$ of a high-mobility node shorter.
By setting a variable time threshold for the validity period of the security association, authentication delay is reduced and bandwidth efficiency improved for low-mobility nodes, while for high-mobility nodes the average value and the privacy exposure possibility of the security association are reduced while a certain authentication delay and bandwidth efficiency are maintained, which effectively improves the security of mobile terminals handing over between different networks.
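As an added illustration (not code from the patent), the following Python model applies equation (1) with a mobility-dependent time threshold and shows how a dynamic SA is reused for intra-domain handovers and renegotiated for inter-domain ones; the threshold values, handover traces and timing parameters are constructed assumptions.

```python
"""Dynamic security association (SA) lifetime model for the handover scheme
described above.  Added example, not code from the patent; the threshold
values, mobility classes, timing parameters and the SA cache are assumptions.

T_SA = T_au + T_S + T_th (equation (1)), where T_th depends on the terminal's
mobility class: a higher threshold for low-mobility terminals (longer T_SA,
more intra-domain reuse) and a lower one for high-mobility nodes (shorter
T_SA, a shorter exposure window for each SA).
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Mobility(Enum):
    LOW = "low"    # MTLM: few inter-domain handovers, many intra-domain ones
    HIGH = "high"  # frequently enters new foreign networks


# Assumed time thresholds T_th in seconds per mobility class.
T_TH: Dict[Mobility, float] = {Mobility.LOW: 600.0, Mobility.HIGH: 60.0}


def sa_validity(t_au: float, t_s: float, mobility: Mobility) -> float:
    """Validity period T_SA = T_au + T_S + T_th."""
    return t_au + t_s + T_TH[mobility]


@dataclass
class DynamicSA:
    domain: str        # foreign network (its LAS) the SA was negotiated with
    created_at: float
    validity: float

    def expired_at(self, now: float) -> bool:
        return now >= self.created_at + self.validity


@dataclass
class Terminal:
    mobility: Mobility
    sa: Optional[DynamicSA] = None
    stats: Dict[str, int] = field(
        default_factory=lambda: {"inter": 0, "intra": 0, "reuse": 0})

    def handover(self, domain: str, now: float, t_au: float, t_s: float) -> str:
        """Handle a handover to an access router in `domain` at time `now`.

        Returns the authentication path taken:
          'inter' - new foreign network: full inter-domain authentication and
                    a fresh dynamic SA with that network's LAS
          'reuse' - same domain and SA still within T_SA: reuse it, no new
                    authentication
          'intra' - same domain but SA expired: intra-domain re-authentication
        """
        if self.sa is None or self.sa.domain != domain:
            self.sa = DynamicSA(domain, now, sa_validity(t_au, t_s, self.mobility))
            self.stats["inter"] += 1
            return "inter"
        if not self.sa.expired_at(now):
            self.stats["reuse"] += 1
            return "reuse"
        self.sa = DynamicSA(domain, now, sa_validity(t_au, t_s, self.mobility))
        self.stats["intra"] += 1
        return "intra"


def simulate(mobility: Mobility, moves: List[Tuple[str, float]]) -> Dict[str, int]:
    """Replay a constructed sequence of (domain, seconds) handovers."""
    term = Terminal(mobility)
    for domain, now in moves:
        term.handover(domain, now, t_au=2.0, t_s=30.0)  # assumed T_au, T_S
    return term.stats


# Constructed handover traces: (network visited, seconds since start).
LOW_TRACE = [("netA", 0), ("netA", 100), ("netA", 300), ("netA", 500), ("netA", 700)]
HIGH_TRACE = [("netA", 0), ("netB", 50), ("netA", 100), ("netC", 120), ("netC", 200)]

if __name__ == "__main__":
    print("low-mobility :", simulate(Mobility.LOW, LOW_TRACE))    # inter 1, intra 1, reuse 3
    print("high-mobility:", simulate(Mobility.HIGH, HIGH_TRACE))  # inter 4, intra 0, reuse 1
```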
(3) In the embodiment of the invention, the platform layer is designed based on big data technology:
1) Privacy protection: the security of the platform layer mainly guarantees the security of information during calculation, storage and transmission. The platform layer must adopt suitable security strategies to ensure the privacy and security of information in the ubiquitous electric power internet of things, so the privacy-protection security requirement of the platform layer is met by adopting data desensitization technology.
Data desensitization generally involves the following methods:
Data aggregation: data aggregation is a collection of statistical techniques (for example summation, counting, averaging, maximum and minimum) which, when applied to attributes in micro-data, produce results that represent all records in the original dataset.
Illustratively, the following points should be noted when using data aggregation:
a) Data aggregation may reduce the usefulness of the data, because only statistics are obtained and the characteristics of individual data records can no longer be reflected.
b) Data aggregation is very effective against re-identification attacks: the output of data aggregation is a "statistic" that supports overall reporting or analysis of the data without revealing any individual record.
Data sampling: data sampling analyzes and evaluates the original dataset by selecting a representative subset of it, and is an important method for improving the effectiveness of data desensitization techniques.
Illustratively, the following points should be noted when selecting and using data sampling techniques:
a) The methods for extracting samples from a dataset differ considerably and need to be selected according to the characteristics of the dataset and the expected usage scenario.
b) Data sampling is often used as preprocessing for data desensitization; random sampling of the dataset increases the uncertainty in identifying a particular personal-information data subject, thereby improving the effectiveness of the other data desensitization techniques applied afterwards.
c) Data sampling can reduce the amount of computation on a dataset, so when desensitizing a dataset with a large number of samples, sampling is performed first and data desensitization is then carried out with a specific technique; care must be taken that the sample does not lose important data.
Deterministic encryption: deterministic encryption is non-randomized symmetric encryption; when applied in a data desensitization process, deterministic encryption replaces the identifier value in the micro-data with the encryption result.
Illustratively, the following points should be noted when selecting and using deterministic encryption techniques:
a) Deterministic encryption keeps the data genuinely usable: encrypting two identical values with the same key produces two identical ciphertexts.
b) Deterministic encryption can, to a certain extent, preserve the usefulness of the data for statistical processing and for resisting privacy mining, and can also produce micro-data suitable for exact-match search, data association and analysis. Analysis of deterministic encryption results is limited to checking whether data values are equal.
c) Re-identification attacks on deterministic encryption are mainly attacks carried out without the right to use the key; a correlation attack can be applied to ciphertexts deterministically encrypted with the same key, and whether such an attack succeeds depends to a great extent on the choice of encryption algorithm parameters.
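As an added example (not the patent's code), the three desensitization methods above applied in Python to a constructed micro-data table: a keyed deterministic pseudonym replaces the customer identifier (HMAC-SHA256 is assumed here as a stand-in for the deterministic symmetric cipher, since it has the same equality-preserving, non-randomized property), aggregation returns per-group statistics rather than records, and sampling selects a random subset; the records, key and field names are constructed.

```python
"""Desensitization of a micro-data table: deterministic pseudonymization of
the identifier column, aggregation, and sampling.  Added example, not the
patent's code.  Assumptions: the records, key and field names are constructed;
keyed HMAC-SHA256 stands in for the deterministic symmetric cipher because it
has the property the text relies on (same key + same value -> same output,
no randomness) and needs no third-party library.
"""
import hashlib
import hmac
import random
from statistics import mean
from typing import Dict, List

# Constructed micro-data: monthly meter readings keyed by customer identifier.
RECORDS = [
    {"cust_id": "C1001", "district": "north", "kwh": 310.5},
    {"cust_id": "C1002", "district": "north", "kwh": 275.0},
    {"cust_id": "C1003", "district": "south", "kwh": 420.2},
    {"cust_id": "C1001", "district": "north", "kwh": 298.7},  # same customer, next month
]
KEY = b"constructed-demo-key-do-not-reuse"  # assumed to be held by the platform layer only


def pseudonymize(value: str, key: bytes = KEY) -> str:
    """Deterministic replacement of an identifier: equal inputs under the same
    key give equal outputs, so exact-match joins still work on the result."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def desensitize(records: List[Dict]) -> List[Dict]:
    """Replace cust_id with its pseudonym; the other attributes are untouched."""
    return [{**r, "cust_id": pseudonymize(r["cust_id"])} for r in records]


def aggregate(records: List[Dict], by: str, field: str) -> Dict[str, Dict[str, float]]:
    """Per-group count/sum/mean/min/max: the output is a statistic, so no
    individual record is reproduced (point b) under data aggregation)."""
    groups: Dict[str, List[float]] = {}
    for r in records:
        groups.setdefault(r[by], []).append(r[field])
    return {
        g: {"count": len(v), "sum": sum(v), "mean": mean(v), "min": min(v), "max": max(v)}
        for g, v in groups.items()
    }


def sample(records: List[Dict], fraction: float, seed: int) -> List[Dict]:
    """Random subset taken before desensitization (point b) under sampling)."""
    k = max(1, round(len(records) * fraction))
    return random.Random(seed).sample(records, k)


def equal_ciphertext_count(records: List[Dict]) -> int:
    """Number of pseudonymized rows whose identifier recurs in another row.
    This is exactly what deterministic encryption still exposes: equality,
    the basis of the correlation attack noted in point c)."""
    seen: Dict[str, int] = {}
    for r in records:
        seen[r["cust_id"]] = seen.get(r["cust_id"], 0) + 1
    return sum(c for c in seen.values() if c > 1)


if __name__ == "__main__":
    masked = desensitize(RECORDS)
    print(masked[0]["cust_id"] == masked[3]["cust_id"])   # True: same customer
    print(equal_ciphertext_count(masked))                  # 2
    print(aggregate(RECORDS, "district", "kwh")["north"]["count"])  # 3
```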
2) Data storage
In the platform layer, to enhance information security, structured data storage needs to be converted into semi-structured or unstructured storage in some special way, and all existing data information is compressed, or converted into a more easily handled structure through the big-data computing mode. Such data generally has the characteristics of high value, high density and high storage efficiency, and is more suitable than the previous data for an internet of things system with less memory. Combined with the specific information of the electric power mobile internet of things, the big-data architecture can be used as a reference.
As shown in fig. 3, the whole system can be divided into four parts:
a) Database initialization: in this stage the system flow saves all existing data information and stores it in the database to prevent data loss.
b) Data addition and storage: in this stage the computer adds part of the data information to the electric power internet of things information security terminal; this is also the core part of the whole data storage model. It is first necessary to calculate whether the data exceed what the database can store: if there is enough capacity the flow may enter the third part, and if the memory is insufficient it must return to the database initialization stage.
c) Anomaly check: if the database is abnormal, the flow returns to the database initialization stage; if not, the data indexing step of the fourth stage can be performed.
d) Data indexing: the data information added to the electric power internet of things information security terminal is placed at a suitable position, the catalog file of the database is updated and the address of the newly added data is given.
After all the above steps are implemented, storage of the network data is initially completed.
(4) In the embodiment of the invention, the application layer is designed based on an adversarial (countermeasure) sample detection model:
In the application layer, the electric power internet of things faces massive data generated by various intelligent applications, and the importance of its security performance is self-evident. Therefore, in the application layer design, an adversarial sample detection model is constructed using artificial intelligence algorithms such as machine learning and deep learning. There are many algorithms for detection models, which can be broadly divided into neural-network-training-based and threshold-based approaches. A training-based model is constructed by collecting normal samples and malicious samples, extracting features from both, and obtaining the model through a training process. A threshold-based model is constructed by building a parametric model of the data and performing hypothesis testing on that parametric model to determine the optimal threshold. Finally, several models are selected according to the requirements of the application scenario; the specific flow is shown in fig. 4.
The evaluation and selection of the detection model can be considered from three directions: algorithm performance, detection capability and complexity of the input data. Algorithm performance analysis comprises the space-time complexity of the detection algorithm and its robustness. Defense techniques that improve model robustness aim at a model that performs equally well under adversarial and normal inputs, making the model less sensitive to irrelevant changes in the input, effectively regularizing the model to reduce the attack surface, and limiting its response to perturbations off the data manifold. By way of example, the following three classes of defense methods against adversarial attacks can be introduced to enhance model robustness: (1) data augmentation: retraining with adversarial samples added to the training set, which improves model robustness; (2) regularization: defensive distillation is used to reduce the magnitude of the network gradient and improve the ability to detect small-amplitude adversarial perturbations; (3) input randomization: perturbations are cancelled by making random adjustments to the input.
The detection capability of the model can be analyzed in terms of false positive rate, false negative rate and the generality of the algorithm. The complexity of the input data, namely the dimension, precision and scale of the feature data required when training the model, affects the efficiency of generating and using the model.
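As an added example (not the patent's code), the threshold-based branch described above worked through in Python: a Gaussian parameter model is fitted to normal samples, the threshold is set by a one-sided k-sigma test, and the resulting detector is scored by the false positive and false negative rates mentioned above; the feature values, the choice of feature and the value of k are constructed assumptions.

```python
"""Threshold-based detection model: fit a parametric (Gaussian) model of one
feature on normal samples, choose the decision threshold by a one-sided
k-sigma hypothesis test (H0 = "the sample is normal"), then score the
detector on held-out normal and malicious samples with the false positive
rate (FPR) and false negative rate (FNR).  Added example, not the patent's
code; the feature, its values and k are constructed assumptions.
"""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed one-dimensional feature (assume e.g. a per-message packet-length
# variance observed by an application-layer gateway).  Normal traffic clusters
# around 10; the malicious set sits mostly, but not entirely, above 16, so the
# detector has both a borderline normal and a borderline malicious sample.
NORMAL_TRAIN = [9.1, 10.4, 9.8, 10.9, 9.5, 10.2, 11.0, 9.7, 10.1, 10.3]
NORMAL_TEST = [9.9, 10.6, 9.4, 13.8, 10.0]
MALICIOUS_TEST = [17.2, 18.9, 16.5, 11.1, 19.3]


def fit_parameters(samples: List[float]) -> Tuple[float, float]:
    """Parameter model of the normal class: mean and population std-dev."""
    return mean(samples), pstdev(samples)


def choose_threshold(mu: float, sigma: float, k: float = 3.0) -> float:
    """Decision boundary mu + k*sigma; larger k accepts more as normal."""
    return mu + k * sigma


def is_malicious(x: float, threshold: float) -> bool:
    """Reject H0 (flag as adversarial/malicious) when the feature exceeds the threshold."""
    return x > threshold


def evaluate(threshold: float, normal: List[float], malicious: List[float]) -> Dict[str, float]:
    """FPR = normal samples flagged / all normal; FNR = malicious missed / all malicious."""
    fp = sum(is_malicious(x, threshold) for x in normal)
    fn = sum(not is_malicious(x, threshold) for x in malicious)
    return {"fpr": fp / len(normal), "fnr": fn / len(malicious)}


def build_and_evaluate(k: float = 3.0) -> Dict[str, float]:
    """Full flow: fit on normal data, pick the threshold, score on the test sets."""
    mu, sigma = fit_parameters(NORMAL_TRAIN)
    threshold = choose_threshold(mu, sigma, k)
    result = evaluate(threshold, NORMAL_TEST, MALICIOUS_TEST)
    result["threshold"] = threshold
    return result


if __name__ == "__main__":
    # Sweeping k shows the FPR/FNR trade-off used to pick the "optimal" threshold.
    for k in (2.0, 3.0, 5.0, 7.0):
        print(k, build_and_evaluate(k))
```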
The application method of the electric power mobile internet of things information security architecture provided by the embodiment of the invention comprises the following steps:
Step 1: the perception layer sensor captures data related to flow states or environmental conditions, and the data transmitted within the consensus-node sensor devices of a network structure with multiple node branches are verified repeatedly to ensure data security;
Step 2: the data received from the sensors are in analog form and are aggregated and converted into digital form; transmission and handover of the data across different networks are realized through the shared dynamic security association authentication architecture;
Step 3: the data enter the platform layer from the network layer, where mining, calculation, storage and other processing are completed with the support of data desensitization technology;
Step 4: the data enter the application layer, where the adversarial sample detection model performs unified security detection on the data and filters malicious data, and finally the data are applied to the intelligent terminal.
In summary, the embodiment of the invention discloses an information security architecture of an electric power mobile internet of things and a method of using it. Specifically, in order to strengthen the information security of the electric power internet of things, the embodiment of the invention provides a complete overall information security architecture for the electric power internet of things; the sensors are protected from being easily compromised by malicious attacks and the information security of the perception layer is enhanced; the network layer is designed based on dynamic security association technology, and a variable time threshold is set for the validity period of the security association, so that authentication delay is reduced at low-mobility nodes, bandwidth efficiency is improved, the average value and privacy exposure possibility of the security association are reduced, and the security of mobile terminal handover between different networks is effectively improved; the platform layer is designed based on privacy protection technology and big data technology, sensitive data within the mass data are processed using data desensitization technology, and the anomaly rate of the data storage process is reduced, so that the platform layer has high data security and high data storage efficiency; and the application layer is designed around the construction of an adversarial sample detection model, which is built by extracting features from the data, so that the malicious sample recognition rate of the application layer terminal is improved and the information security of the electric power internet of things terminal is enhanced.
In summary, the information security architecture of the electric power internet of things disclosed by the embodiment of the invention is designed layer by layer in detail, and technologies such as blockchain, big data, dynamic security association, privacy protection and the adversarial sample detection model are used to design and improve the perception layer, network layer, platform layer and application layer in detail, so that the whole electric power internet of things architecture has the advantages of high security performance and high data processing efficiency.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical aspects of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those of ordinary skill in the art that: modifications and equivalents may be made to the specific embodiments of the invention without departing from the spirit and scope of the invention, which is intended to be covered by the claims.

Claims (2)

1. An electric mobile internet of things information security system, comprising:
the perception layer is based on a block chain design and is used for perceiving, collecting and identifying data;
the network layer is designed based on dynamic security association and is used for accessing and transmitting data;
the platform layer is designed based on data desensitization and big data processing and is used for mining, calculating and storing data;
the application layer is designed based on the countermeasure sample detection model and is used for data processing and data application;
the perception layer based on the blockchain design comprises:
a sensor device for sensing and collecting data;
the network formed by the consensus nodes is a network structure with a plurality of node branches, and the tail of the consensus nodes is provided with a return mechanism; the consensus node is used for carrying out safety verification on data transmitted by the sensor equipment for a plurality of times and carrying out consistency verification on the data according to a preset formula or an evaluation mechanism; the return mechanism is used for returning the data passing the security verification and the consistency verification;
the verification node is used for verifying information between the inside and the outside of the sensor equipment;
the storage node is a node capable of storing information and is used for connecting the sensor equipment with a data center;
the perception layer based on the blockchain design further comprises:
the synchronous node is a display node processed by the information security system and is used for displaying the security of the information;
the network layer designed based on dynamic security association adopts a security association authentication system based on shared dynamic security association;
the security association authentication system based on shared dynamic security association comprises distributed heterogeneous wireless networks, wherein each heterogeneous wireless network is provided with an authentication server for authenticating the mobile terminal;
the step of authenticating the mobile terminal specifically comprises the following steps:
an authentication server in a network where a subscription service of a mobile terminal is located is a home authentication server of the mobile terminal; when the mobile terminal roams to an external network, an authentication server of the network where the mobile terminal is located is a local authentication server; in a heterogeneous wireless network, each access router shares the same static security association with authentication servers in the network, all local authentication servers being connected to each other by dynamic security association;
when the mobile terminal is positioned in the home network, establishing a static security association with a local authentication server; when the mobile terminal roams to the external network, establishing dynamic security association with a local authentication server;
the validity period $T_{SA}$ of the dynamic security association is expressed as:
$$T_{SA} = T_{au} + T_{S} + T_{th}$$
where $T_{au}$ is the required authentication time, $T_{S}$ is the service time and $T_{th}$ is the time threshold of the dynamic security association;
in the platform layer based on the data desensitization and big data processing design,
a data desensitization method is adopted to realize the privacy protection of a platform layer;
converting the structured data storage into a semi-structured or unstructured data storage, and compressing all the existing data information; or converting the information into a preset structure through a big data calculation mode;
the data desensitization method is one or more of data aggregation and data sampling;
in the application layer designed based on the adversarial (countermeasure) sample detection model,
the adversarial sample detection model is constructed using an artificial intelligence algorithm, which is a neural-network-training-based or a threshold-based method;
in the adversarial sample detection model, adversarial samples are added to the training set; the magnitude of the network gradient is reduced using a defensive distillation method; and the inputs are randomly adjusted.
2. A method of using the power mobile internet of things information security system of claim 1, comprising the steps of:
the perception layer captures data about flow states or environmental conditions, and verifies and identifies the transmitted data based on a blockchain technology so as to ensure the safety and consistency of the data;
the network layer acquires data from the sensing layer and realizes the transmission and switching of the data in different networks based on dynamic security association;
the platform layer acquires data from the network layer and realizes mining, calculation and storage of the data based on data desensitization and big data processing;
the application layer acquires data from the platform layer, performs unified safety detection on the data based on the countermeasure sample detection model, and the data through the safety detection are used for various preset intelligent terminals.
CN202111525756.4A 2021-12-14 2021-12-14 Electric power mobile internet of things information security architecture and application method thereof Active CN114205816B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111525756.4A CN114205816B (en) 2021-12-14 2021-12-14 Electric power mobile internet of things information security architecture and application method thereof

Publications (2)

Publication Number Publication Date
CN114205816A CN114205816A (en) 2022-03-18
CN114205816B true CN114205816B (en) 2023-08-08

Family

ID=80653484

Country Status (1)

Country Link
CN (1) CN114205816B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CB03 Change of inventor or designer information

Inventor after: Cao Jingyi; Zhu Yayun; Jiang Lin; Wang Haixiang; Miao Siwei; Zhang Xiaojuan; Lin Ziqing
Inventor before: Cao Jingyi; Zhu Yayun; Jiang Lin; Wang Haixiang; Miao Siwei; Zhang Xiaojuan; Lin Ziqing
