CN114222293A - Network data security protection method and device, storage medium and terminal equipment - Google Patents

Network data security protection method and device, storage medium and terminal equipment Download PDF

Info

Publication number
CN114222293A
Authority
CN
China
Prior art keywords
network
security
data
heterogeneous data
public key
Prior art date
Legal status
Withdrawn
Application number
CN202111574599.6A
Other languages
Chinese (zh)
Inventor
吴猛
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date
Filing date
Publication date
Application filed by China Telecom Corp Ltd
Priority to CN202111574599.6A
Publication of CN114222293A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure relates to the field of mobile communications technologies, and in particular, to a network data security protection method and apparatus, a storage medium, and a terminal device. The method comprises the following steps: acquiring multi-element heterogeneous data of a network slice of a target network; inputting the multivariate heterogeneous data into a trained network security prediction model to obtain corresponding security trust parameters; when the security trust parameter is lower than a preset threshold value, generating a public key by using an encryption algorithm, and verifying the validity of the public key; and when the validity of the public key is verified, encrypting the multivariate heterogeneous data by using the encryption algorithm to generate ciphertext data. According to the technical scheme, bidirectional authentication enhancement can be performed on the network data with the security risk, and then security protection can be performed on the network data.

Description

Network data security protection method and device, storage medium and terminal equipment
Technical Field
The present disclosure relates to the field of mobile communications technologies, and in particular, to a network data security protection method, a network data security protection device, a storage medium, and a terminal device.
Background
5G technology has been widely applied in a variety of application scenarios. Although 5G has greatly improved data protection compared with 3G and 4G, security holes still exist and have become a critical security problem threatening the security of 5G networks. During the application of the 5G network, network transmission is faster, but the security effect that people expect cannot be achieved. Currently, some security holes cannot be completely filled, so the probability of network attacks is greatly increased, and the protection of personal privacy is not facilitated.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The present disclosure is directed to a network data security protection method, a network data security protection device, a storage medium, and a terminal device, which are capable of performing security protection on network data, so as to overcome at least some of the defects caused by the limitations and drawbacks of the related art.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to a first aspect of the present disclosure, there is provided a network data security protection method, including:
acquiring multi-element heterogeneous data of a network slice of a target network;
inputting the multivariate heterogeneous data into a trained network security prediction model to obtain corresponding security trust parameters;
when the security trust parameter is lower than a preset threshold value, generating a public key by using an encryption algorithm, and verifying the validity of the public key;
and when the validity of the public key is verified, encrypting the multivariate heterogeneous data by using the encryption algorithm to generate ciphertext data.
In an exemplary embodiment of the present disclosure, the method further comprises:
the network security prediction model is constructed in advance, and parameters of the network security prediction model are determined; the network security prediction model is constructed based on a hidden Markov model.
In an exemplary embodiment of the present disclosure, the determining the network security prediction model parameters includes:
defining model variables of the network security prediction model; wherein the model variables include a hidden state Q of a server, a multivariate heterogeneous data sample W of a 5G network slice, a probability A that the 5G network is in a safe state at the initial moment, a safe state transition matrix S, and an observable state transition probability matrix Z;
initializing a model parameter λ; wherein λ = (A, S, Z);
the model parameter λ is calculated based on a maximum expectation algorithm.
In an exemplary embodiment of the present disclosure, the calculating the model parameter λ based on the maximum expectation algorithm includes:
and representing the probability A of the 5G network in the safety state at the initial moment based on the preset network safety state and the characteristics of the multi-element heterogeneous data.
In an exemplary embodiment of the present disclosure, the calculating the model parameter λ based on the maximum expectation algorithm includes:
and representing the observable state transition probability matrix Z by using the probability that the 5G network is in a safe state at each moment.
In an exemplary embodiment of the present disclosure, the calculating the model parameter λ based on the maximum expectation algorithm includes:
and representing the safety state transition matrix S based on the probability that the multivariate heterogeneous data of the 5G network slice is in a safety state at the moment t.
In an exemplary embodiment of the present disclosure, the acquiring the multivariate heterogeneous data of the 5G network slice includes:
and acquiring multi-element heterogeneous data corresponding to each network slice from the divided 5G network slices through an SDN controller.
According to a second aspect of the present disclosure, there is provided a network data security protection apparatus, including:
the multi-element heterogeneous data acquisition module is used for acquiring multi-element heterogeneous data of the network slice of the target network;
the safety trust parameter calculation module is used for inputting the multivariate heterogeneous data into a trained network safety prediction model to obtain corresponding safety trust parameters;
the public key verification module is used for generating a public key by using an encryption algorithm and verifying the validity of the public key when the security trust parameter is lower than a preset threshold value;
and the encryption processing module is used for encrypting the multivariate heterogeneous data by using the encryption algorithm to generate ciphertext data when verifying the validity of the public key.
According to a third aspect of the present disclosure, there is provided a storage medium having stored thereon a computer program which, when executed by a processor, implements the network data security protection method described above.
According to a fourth aspect of the present disclosure, there is provided a terminal device comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the above-described network data security protection method via execution of the executable instructions.
In the network data security protection method provided by the embodiment of the disclosure, multivariate heterogeneous data of network slices are collected, a trained network security prediction model is used for calculating the multivariate heterogeneous data to obtain corresponding security trust parameters, and when the security trust parameters of the multivariate heterogeneous data are judged to be lower than a preset threshold value, a public key after validity verification is used for encrypting the multivariate heterogeneous data to obtain corresponding ciphertext data. By calculating and judging the security trust parameters of the multi-element heterogeneous data, the public key can be utilized to carry out bidirectional authentication enhancement on the multi-element heterogeneous data, thereby realizing the security protection on the network data.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty.
Fig. 1 is a schematic diagram schematically illustrating a network data security protection method in an exemplary embodiment of the disclosure;
FIG. 2 schematically illustrates a system architecture diagram in an exemplary embodiment of the disclosure;
fig. 3 is a schematic diagram schematically illustrating a network data security protection method flow in an exemplary embodiment of the disclosure;
fig. 4 schematically illustrates a schematic diagram of a physical random access channel resource management apparatus in an exemplary embodiment of the disclosure;
fig. 5 schematically illustrates a composition diagram of a terminal device in an exemplary embodiment of the present disclosure;
fig. 6 schematically illustrates a schematic diagram of a storage medium in an exemplary embodiment of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
In the related art, a series of hidden network security dangers exist in the big data era. The emergence of the 5G network brings new network security problems, which place higher requirements on the security of future 5G networks; if these security problems are not solved well, the development of 5G networks will be seriously restricted, great difficulty will be brought to 5G service providers, and the user experience and security guarantees of the large population of network users will be affected. Some studies by foreign scholars show that, although the 5G system has greatly improved data protection compared with 3G and 4G, security holes still exist and have become a critical security problem threatening the security of the 5G network. Research shows that the 4G system's functions of receiving and sending short messages, receiving and making calls and the like are unchanged in the 5G system, and that the 5G system's functions and usage modes in the exchange and transmission of pictures and videos are likewise unchanged. However, the application of the 5G network makes the development of autonomous vehicles and the application of Internet of Things devices possible. During the application of the 5G network, the network is faster, but the security effect that users expect cannot be achieved. Currently, some security holes cannot be completely filled, so the probability of network attacks is greatly increased, and the protection of personal privacy is not facilitated.
In view of the above drawbacks and deficiencies in the prior art, the exemplary embodiment provides a network data security protection method, which can be applied to network slice data of a 5G network to encrypt data and implement security protection of the 5G network data. Referring to fig. 1, the network data security protection method may include the following steps:
s11, acquiring multi-element heterogeneous data of the network slice of the target network;
s12, inputting the multivariate heterogeneous data into a trained network security prediction model to obtain corresponding security trust parameters;
s13, when the security trust parameter is lower than the preset threshold value, generating a public key by using an encryption algorithm, and carrying out validity verification on the public key;
and S14, when the validity of the public key is verified, encrypting the multivariate heterogeneous data by using the encryption algorithm to generate ciphertext data.
In the network data security protection method provided by the present exemplary embodiment, multivariate heterogeneous data of a network slice is acquired, a trained network security prediction model is used to calculate the multivariate heterogeneous data to obtain a corresponding security trust parameter, and when the security trust parameter of the multivariate heterogeneous data is judged to be lower than a preset threshold value, a public key after validity verification is used to encrypt the multivariate heterogeneous data to obtain corresponding ciphertext data. By calculating and judging the security trust parameters of the multi-element heterogeneous data, the public key can be utilized to carry out bidirectional authentication enhancement on the multi-element heterogeneous data, thereby realizing the security protection on the network data.
Hereinafter, the steps of the network data security protection method in this exemplary embodiment will be described in more detail with reference to the drawings and the embodiments.
In this exemplary embodiment, referring to the application scenario shown in fig. 2, a network architecture applicable to the network data security protection method is provided, where the network architecture may include a terminal device 201, an access network 21, and a core network 22; the access network 21 includes a base station 202; the core network 22 includes a backbone network 221, a telecommunications closet 222, and so on; and data transmission between the access network and the core network is carried out through the bearer network. The terminal device 201 may be a user-side terminal, such as a smart terminal device like a mobile phone or a tablet computer.
In step S11, multivariate heterogeneous data of the network slice of the target network is collected.
In this exemplary embodiment, the target network described above may be a 5G network; for example, it may be a 5G network of a certain network range, such as a network range defined by selecting wireless access points or hardware devices. For 5G networks, a network slice is a virtualized logical private network that can be customized according to different service requirements. The Mobility Management Entity (MME) of Long Term Evolution (LTE) is decomposed in 5G into an Access and Mobility Management Function (AMF) entity, a Security Anchor Function (SEAF) entity, a Session Management Function (SMF) entity, and so on. The AMF entity is used for access control authorization, mobility and registration management; for example, the AMF entity may assign the network slice to the terminal device. The SMF entity may be logically divided into a plurality of logical SMFs, each of which belongs to one network slice. In practice, one network slice may include a plurality of logical SMFs, and one network slice may also include other logical network elements.
In particular, multivariate heterogeneous data of 5G Network slices can be collected by an SDN (Software Defined Network) controller. The network slice may be core network subnet slice data, access network subnet slice data, transport network subnet slice data, and so on. The multivariate heterogeneous data can be network performance information for embodying the network performance of each network element.
For an access network subnet slice, the multivariate heterogeneous data may include radio resource status data, such as one or more of free RBs, free sectors, the maximum number of supported cells, the maximum throughput (DL + UL), the maximum number of RRC-connected users, the maximum number of data radio bearers per gNodeB, the uplink-downlink ratio, spectral efficiency, the Xn traffic ratio, and the like. For a transport network slice, the multivariate heterogeneous data may include transmission resource status data, such as one or more of idle access layer bandwidth, idle aggregation layer bandwidth, idle core layer bandwidth, bearer network latency, single-hop average latency, device forwarding latency, time synchronization requirement (e.g., 350 ns), and the like. For a core network slice, the multivariate heterogeneous data may include core network resource status data, such as one or more of idle CPUs, idle memory, idle storage, and the like.
In step S12, the multivariate heterogeneous data is input into the trained network security prediction model to obtain corresponding security trust parameters.
In this example embodiment, the network security prediction model may be pre-constructed, and parameters of the network security prediction model may be determined; the network security prediction model is constructed based on a hidden Markov model.
Specifically, the network security prediction model K may be established based on a hidden Markov model as K = (Q, W, A, S, Z), with the model variables defined as follows: Q is the hidden state of the server, W is a multivariate heterogeneous data sample of a 5G network slice, A is the probability that the network is in a safe state at the initial moment, S is the safe state transition matrix, and Z is the observable state transition probability matrix. The server may be a server of the core network, for example a cloud server in the backbone network. Q, the hidden state of the server, satisfies the Markov property and is the state hidden in the Markov model. W, the multivariate heterogeneous data sample of a 5G network slice, is the external expression characteristic of the sample data; it is associated with the hidden state in the model and is the observable state obtained through direct observation. A, the probability that the network is in the secure state at the initial time, is the probability matrix of the hidden state at the initial time t = 1. S, the safety state transition matrix, describes the transition probabilities among the states in the model. Z, the observable state transition probability matrix, gives the probability that the observed state is in a designated state at time t conditioned on the hidden state.
In this example embodiment, when a network security prediction model is built based on a hidden markov model, multivariate heterogeneous data of different sub-network slices can be collected in advance as sample data. For example, a certain proportion of the multivariate heterogeneous data collected in step S11 is selected as sample data.
After the network security prediction model is built based on the hidden markov model, the determining parameters of the network security prediction model may include:
step S21, defining model variables of the network security prediction model; wherein the model variables include a hidden state Q of a server, a multivariate heterogeneous data sample W of a 5G network slice, a probability A that the 5G network is in a safe state at the initial moment, a safe state transition matrix S, and an observable state transition probability matrix Z;
step S22, initializing a model parameter λ; wherein λ = (A, S, Z);
step S23, calculating the model parameter λ based on the maximum expectation algorithm.
Specifically, first, the network security prediction model parameter λ = (A, S, Z) may be initialized. Because A conforms to a normal distribution, the initial value of A is set to 0.6826; each element in S and Z is set to 1.
Then, the network security prediction model parameter λ can be solved according to the EM algorithm. EM algorithms (Expectation-Maximization algorithms) are a class of optimization algorithms that perform Maximum Likelihood Estimation (MLE) by iteration, and are often used as a substitute for Newton-Raphson methods for parameter Estimation of probabilistic models containing latent variables (latent variables) or missing data (incomplete data). Specifically, the optimization formula of the EM algorithm is as follows:
[EM optimization formula: equation image BDA0003424842100000081 not reproduced]
therefore, the network security prediction model parameter λ is solved according to the above equation:
λ^(t+1) = argmax_λ Σ_Q p(Q | W, λ^(t)) log p(W, Q | λ)
where λ^(t+1) is the network security prediction model parameter at time t+1, λ^(t) is the network security prediction model parameter at time t, p denotes probability, p(W, Q | λ) is the joint distribution, and p(Q | W, λ^(t)) is the conditional distribution.
In some exemplary embodiments, the probability a that the 5G network is in the security state at the initial time may be represented based on a preset network security state, and the characteristics of the multivariate heterogeneous data. Specifically, the probability a that the network is in the security state at the initial time is:
[Expression for A: equation image BDA0003424842100000083 not reproduced]
where i is the type of security state, of which there are three (high, medium and low) with security state values set to 5, 3 and 1 respectively; n = 1, 2, …, i; and q is the external expression characteristic of the multivariate heterogeneous data sample combination of the 5G network slice, used to observe the data state.
Since A is subject to constraint conditions, the Lagrange multiplier method can be used to solve for A, as follows:
[Lagrangian: equation image BDA0003424842100000084 not reproduced]
[Stationarity condition: equation image BDA0003424842100000085 not reproduced]
[Stationarity condition: equation image BDA0003424842100000086 not reproduced]
p(W | λ^(t)) + η = 0
Therefore,
[Solution for A: equation image BDA0003424842100000091 not reproduced]
in some example embodiments, the security state transition matrix S may be represented based on a probability that the 5G network slice-based multivariate heterogeneous data is in a security state at time t. Specifically, the security state transition matrix S is:
S = [s_ij]_(n×n), s_ij = p(W, i = j | λ^(t))
where i and j are the row and column indices of the element s_ij of the security state transition matrix, and n is the number of rows and columns of the security state transition matrix S.
In some exemplary embodiments, the observable state transition probability matrix Z may be represented by the probability that the 5G network is in a secure state at each time. Specifically, the observable state transition probability matrix Z is:
Z = [z_ij]_(g×h), z_ij = p(a_t = i | a_(t+1) = j), (1 ≤ i ≤ g, 1 ≤ j ≤ h)
where i and j are the row and column indices of the element z_ij of the observable state transition probability matrix, g and h are the numbers of rows and columns of the observable state transition probability matrix Z, and a_t and a_(t+1) are the probabilities that the network is in the security state at time t and at time t+1, respectively.
By training the parameters λ = (A, S, Z), the Q that maximizes P(Q | W, λ) can be found.
In the exemplary embodiment, after the hidden markov model-based network security prediction model and the model parameters thereof are trained, multivariate heterogeneous data can be input into the network security prediction model, and a security trust value is output through the network security prediction model. Wherein the range of security trust values is (0, 1). The larger the security trust value is, the more secure and trusted is indicated; and if the security trust value is greater than or equal to 0.5, the data security is high.
In step S13, when the security trust parameter is lower than the preset threshold value, a public key is generated by using an encryption algorithm, and the validity of the public key is verified.
In the exemplary embodiment, after the security trust value of the multi-component heterogeneous data is obtained, the security trust value may be compared with a preset threshold value. For example, the threshold value may be configured to be 0.5. If the security trust value is less than 0.5, executing a signcryption algorithm to generate a public key; if the security trust value is greater than or equal to 0.5, no processing is required. For example, a client corresponding to one 5G slice a executes a signcryption algorithm to generate a public key, and then the public key is transmitted to a 5G server corresponding to another 5G slice B. The client may be, for example, a terminal device in a core network or an access network.
The signcryption algorithm may specifically include the following steps: it takes as input the public system parameters params, the plaintext message m, the sender identity SID together with the sender's private key, and the receiver identity RID together with the receiver's public key, and returns the ciphertext.
In step S14, when the validity of the public key is verified, the multivariate heterogeneous data is encrypted by the encryption algorithm to generate ciphertext data.
In this example embodiment, the server may perform validity verification on the public key. Specifically, the server may verify the validity of the public key according to the service request time. For example, if the service request time is less than or equal to 0.2 seconds, the public key is judged to be legal; and if the data is legal, the client is instructed to execute a signcryption algorithm to generate a ciphertext from the multivariate heterogeneous data of the 5G network slice so as to complete the safety protection of the data. Or if the service request time is more than 0.2 second, the public key is judged to be illegal, and the client is instructed to regenerate the public key.
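The following Python sketch is an added illustration, not code from the patent or from China Telecom, of how steps S12 to S14 chain together: an HMM forward recursion produces the security trust value, the 0.5 threshold decides whether a key is generated, and the 0.2-second service request time decides whether the key is judged legal or must be regenerated. The three-state model parameters, the observation alphabet and the sample sequences are constructed assumptions; EM training of λ and the signcryption primitive itself are not reproduced.

```python
"""Decision chain of steps S12-S14 for one 5G network slice (illustrative).

Hidden states are the patent's three security levels (high/medium/low,
security state values 5/3/1). Observations are discretised multivariate
heterogeneous data readings. The security trust value is taken as the
posterior probability of the "high" state after the last observation,
computed with the scaled HMM forward recursion. The model parameters
lambda = (A, S, Z), the observation alphabet and the sample sequences are
constructed values, not figures from the patent; EM training of lambda and
the signcryption primitive are outside this sketch.
"""

# Hidden security states and their security state values (patent: 5, 3, 1).
STATES = ("high", "medium", "low")
STATE_VALUE = {"high": 5, "medium": 3, "low": 1}

# Constructed observation alphabet for discretised resource-status data:
# 0 = normal load, 1 = elevated load, 2 = anomalous load.
OBS_SYMBOLS = (0, 1, 2)

# Constructed model parameters lambda = (A, S, Z).
A = [0.80, 0.15, 0.05]            # initial distribution over (high, medium, low)
S = [                             # S[i][j] = P(state j at t+1 | state i at t)
    [0.85, 0.10, 0.05],
    [0.20, 0.60, 0.20],
    [0.05, 0.25, 0.70],
]
Z = [                             # Z[i][k] = P(observation k | state i)
    [0.80, 0.15, 0.05],
    [0.30, 0.50, 0.20],
    [0.05, 0.25, 0.70],
]

THRESHOLD = 0.5            # patent: trust value below 0.5 triggers key generation
MAX_REQUEST_TIME_S = 0.2   # patent: public key is legal if request time <= 0.2 s


def _normalise(vec):
    total = sum(vec)
    if total <= 0.0:
        raise ValueError("observation sequence is impossible under the model")
    return [x / total for x in vec]


def forward_filter(obs, a=A, s=S, z=Z):
    """Scaled forward recursion; returns the posterior over hidden states
    after the last observation (sums to 1)."""
    if not obs:
        raise ValueError("observation sequence must be non-empty")
    if any(o not in OBS_SYMBOLS for o in obs):
        raise ValueError("unknown observation symbol")
    n = len(a)
    alpha = _normalise([a[i] * z[i][obs[0]] for i in range(n)])
    for o in obs[1:]:
        alpha = _normalise([
            sum(alpha[i] * s[i][j] for i in range(n)) * z[j][o]
            for j in range(n)
        ])
    return alpha


def security_trust_value(obs):
    """Security trust value in (0, 1): posterior probability of the 'high' state."""
    return forward_filter(obs)[STATES.index("high")]


def expected_security_state_value(obs):
    """Posterior-weighted security state value on the patent's 5/3/1 scale."""
    post = forward_filter(obs)
    return sum(p * STATE_VALUE[name] for p, name in zip(post, STATES))


def protection_decision(obs, request_time_s=None):
    """Apply S12-S14 and return (trust_value, action).

    action is 'no_action'      (trust >= threshold),
              'encrypt'        (trust < threshold and key judged legal), or
              'regenerate_key' (trust < threshold and key judged illegal).
    """
    trust = security_trust_value(obs)                      # S12
    if trust >= THRESHOLD:
        return trust, "no_action"
    # S13: the client generates a public key; the server judges its validity
    # by the service request time (hypothetical caller-supplied measurement).
    if request_time_s is None:
        raise ValueError("request time is needed once trust < threshold")
    if request_time_s <= MAX_REQUEST_TIME_S:
        return trust, "encrypt"                            # S14
    return trust, "regenerate_key"


if __name__ == "__main__":
    # Constructed sample sequences: a quiet slice and a slice under stress.
    for name, seq in (("quiet", [0, 0, 0]), ("stressed", [2, 2, 2])):
        trust, action = protection_decision(seq, request_time_s=0.1)
        value = expected_security_state_value(seq)
        print(f"{name}: trust={trust:.3f} state_value={value:.2f} -> {action}")
```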
In this exemplary embodiment, in order to verify and explain the technical effect of the technical scheme of the method, the embodiment selects a conventional technical scheme to perform a comparison test with the method, compares the test results by a scientific demonstration means, and verifies the actual effect of the method.
In order to verify that the method has better security prediction capability and protection performance compared with the conventional technical scheme, the conventional technical scheme and the method are adopted to perform malicious access on the virtual machine respectively in the embodiment.
The experimental environment is as follows: and configuring an 8GB memory, programming by using Matlab, and randomly generating a virtual network in the virtual machine by using a GT-ITM tool.
Malicious access to the virtual machine was added in the experiment: one round per 100 time units, with the host accessed 10 times per round. The first round contains 1 piece of malicious information, and each subsequent round adds 1 more piece, and so on. To verify the credibility and effectiveness of the method, it was also compared with the situation in which 2 pieces of malicious information are added per round, and the security state value was measured in real time; the results are shown in Table 1 below.
TABLE 1 (images BDA0003424842100000101 and BDA0003424842100000111 not reproduced)
Specifically, as can be seen from comparison of the network protection results shown in table 1, with the increase of malicious information, the method still maintains a higher security state value, and the actual security state results of the prediction results are consistent.
Referring to fig. 3, in the network data security protection method provided by the present disclosure, multivariate heterogeneous data of a 5G network slice is collected by an SDN controller; a network security prediction model is established based on the collected multivariate heterogeneous data of the 5G network slice, and the network security prediction model parameters are obtained through the EM (Expectation-Maximization) algorithm; the collected multivariate heterogeneous data of the 5G network slices is input into the network security prediction model, which outputs a security trust value; if the security trust value is less than 0.5, the client generates a public key by executing a signcryption algorithm and transmits the public key to the server; and the server verifies the validity of the public key according to the service request time, and if the public key is legal, the client is instructed to execute the signcryption algorithm to generate a ciphertext from the multivariate heterogeneous data of the 5G network slice, completing the safety protection of the data. The method performs a safety pre-judgment on 5G network slice data in the transmission process by establishing a network safety prediction model, and encrypts the slice data when its safety trust value is lower than a preset threshold value, thereby increasing the protection of data security; it can meet the security requirements of 5G network heterogeneity and diversity, and at the same time realizes a bidirectional authentication enhancement mechanism in combination with the signcryption algorithm.
The method disclosed by the invention can be applied to an application scene of data in a mode of transmitting the data faster based on a 5G uRLLC (unified modeling language) high-reliability low-delay scene and the like, and is applied to safety protection in a data transmission process after a 5G slicing technology.
It is to be noted that the above-mentioned figures are only schematic illustrations of the processes involved in the method according to an exemplary embodiment of the invention, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
Further, referring to fig. 4, in the present exemplary embodiment, a network data security protection apparatus 40 is further provided, comprising: a multivariate heterogeneous data acquisition module 401, a security trust parameter calculation module 402, a public key verification module 403 and an encryption processing module 404. Wherein:
the multivariate heterogeneous data collection module 401 can be used to collect multivariate heterogeneous data of a network slice of a target network.
The security trust parameter calculation module 402 may be configured to input the multivariate heterogeneous data into a trained network security prediction model to obtain a corresponding security trust parameter.
The public key verification module 403 may be configured to generate a public key by using an encryption algorithm when the security trust parameter is lower than a preset threshold, and perform validity verification on the public key.
The encryption processing module 404 may be configured to encrypt the multivariate heterogeneous data by using the encryption algorithm to generate ciphertext data when the validity of the public key is verified.
In this exemplary embodiment, the network data security protection device 40 further includes a model building module.
The model construction module can be used for constructing the network security prediction model in advance and determining parameters of the network security prediction model; the network security prediction model is constructed based on a hidden Markov model.
In this exemplary embodiment, the model building module may include a parameter training module.
The parameter training module can be used to define the model variables of the network security prediction model; wherein the model variables include: a hidden state Q of the server, a multivariate heterogeneous data sample W of the 5G network slice, a probability A that the 5G network is in a safe state at the initial moment, a security state transition matrix S and an observable state transition probability matrix Z; to initialize a model parameter λ, where λ = (A, S, Z); and to calculate the model parameter λ based on the expectation-maximization (EM) algorithm.
In this exemplary embodiment, the parameter training module may be configured to represent the probability A that the 5G network is in a safe state at the initial moment based on a preset network security state and the characteristics of the multivariate heterogeneous data.
In this exemplary embodiment, the parameter training module may be configured to represent the observable state transition probability matrix Z by using a probability that the 5G network is in a safe state at each time.
In this exemplary embodiment, the parameter training module may be configured to represent the security state transition matrix S based on a probability that the multivariate heterogeneous data of the 5G network slice is in the security state at time t.
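The trust-value step of the method and the model variables just listed, as an added example that is not the patent's own code: a two-state HMM using the page's symbols A, S and Z is filtered with the forward algorithm to obtain the probability that the slice is in the safe state at each moment, and the 0.5 threshold then gates the encryption path. How the trust value is derived from λ, the treatment of Z as the emission matrix, and every parameter value are constructed assumptions; the page does not specify them.

```python
"""Security trust value from a two-state hidden Markov model (HMM), in the
spirit of the network security prediction model described on this page.
Added example, not the patent's code: model structure and all numbers are
constructed assumptions (the page gives lambda = (A, S, Z) but no values).

Symbols follow the page: A = probability the network is in the safe state at
the initial moment, S = security state transition matrix, Z = "observable
state transition probability matrix" (treated here as the HMM emission
matrix P(observation | hidden state), an assumption).
"""
from typing import List, Sequence, Tuple

SAFE, UNSAFE = 0, 1                       # hidden states Q of the server
NORMAL, SUSPICIOUS, MALICIOUS = 0, 1, 2   # discretised observations W

# Constructed parameters lambda = (A, S, Z); on the page they come from EM.
A = [0.9, 0.1]                    # P(safe), P(unsafe) at t = 0
S = [[0.85, 0.15],                # P(q_t | q_{t-1}); rows: from SAFE / UNSAFE
     [0.30, 0.70]]
Z = [[0.80, 0.15, 0.05],          # P(w_t | q_t); rows: SAFE / UNSAFE
     [0.20, 0.40, 0.40]]

THRESHOLD = 0.5   # the page's preset threshold on the security trust value


def forward_trust(obs: Sequence[int], init=A, trans=S, emit=Z) -> List[float]:
    """Forward algorithm with per-step normalisation.

    Returns, for each t, P(q_t = SAFE | w_1..w_t): the filtered probability
    that the slice is in the safe state, used here as the security trust
    value at time t (assumed derivation, not specified on the page).
    """
    # alpha_0(q) = A[q] * Z[q][w_0]
    alpha = [init[q] * emit[q][obs[0]] for q in (SAFE, UNSAFE)]
    trust = []
    for t, w in enumerate(obs):
        if t > 0:
            # alpha_t(q) = sum_p alpha_{t-1}(p) * S[p][q] * Z[q][w_t]
            alpha = [sum(alpha[p] * trans[p][q] for p in (SAFE, UNSAFE)) * emit[q][w]
                     for q in (SAFE, UNSAFE)]
        total = sum(alpha)                 # normalise to avoid underflow
        alpha = [a / total for a in alpha]
        trust.append(alpha[SAFE])
    return trust


def protection_decisions(obs: Sequence[int]) -> List[Tuple[float, bool]]:
    """Pair each trust value with whether the encryption path (public key
    generation, validity check, signcrypted ciphertext) is triggered, i.e.
    whether the trust value fell below the preset threshold."""
    return [(v, v < THRESHOLD) for v in forward_trust(obs)]


if __name__ == "__main__":
    # Constructed slice telemetry: normal traffic, then a growing malicious share.
    sample = [NORMAL, NORMAL, SUSPICIOUS, MALICIOUS, MALICIOUS, NORMAL]
    for t, (v, enc) in enumerate(protection_decisions(sample)):
        print(f"t={t} trust={v:.3f} encrypt={enc}")
```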
In this exemplary embodiment, the multivariate heterogeneous data acquisition module 401 may be configured to acquire multivariate heterogeneous data corresponding to each network slice from the divided 5G network slices through the SDN controller.
The specific details of each module in the network data security protection device have been described in detail in the corresponding network data security protection method, and therefore are not described herein again.
It should be noted that although in the above detailed description several modules or units of the device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into embodiments by a plurality of modules or units.
In an exemplary embodiment of the present disclosure, there is also provided a computer system capable of implementing the above method.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or program product. Thus, various aspects of the invention may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects, which may all generally be referred to herein as a "circuit," "module" or "system."
The terminal device 500 according to this embodiment of the present invention is described below with reference to fig. 5. The terminal device 500 shown in fig. 5 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 5, terminal device 900 is embodied in a general purpose computing device. The components of terminal device 500 may include, but are not limited to: the at least one processing unit 610, the at least one memory unit 620, and a bus 630 that couples the various system components including the memory unit 620 and the processing unit 610.
Wherein the storage unit stores program code that is executable by the processing unit 610 to cause the processing unit 610 to perform steps according to various exemplary embodiments of the present invention as described in the above section "exemplary methods" of the present specification. For example, the processing unit 610 may perform the steps as shown in fig. 1.
The storage unit 620 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM) 6201 and/or a cache memory unit 6202, and may further include a read-only memory unit (ROM) 6203.
The memory unit 620 may also include a program/utility 6204 having a set (at least one) of program modules 6205, such program modules 6205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 630 may be one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The computer system 600 may also communicate with one or more external devices 50 (e.g., keyboard, pointing device, Bluetooth device, etc.), with one or more devices that enable a user to interact with the computer system 600, and/or with any devices (e.g., router, modem, etc.) that enable the computer system 600 to communicate with one or more other computing devices. Such communication may occur via an input/output (I/O) interface 650. The display unit 640 may also be connected through an input/output (I/O) interface 650. Moreover, computer system 600 may also communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network such as the Internet) via network adapter 660. As shown, network adapter 660 communicates with the other modules of computer system 600 via bus 630. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with computer system 600, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, there is also provided a computer-readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, aspects of the invention may also be implemented in the form of a program product comprising program code means for causing a terminal device to carry out the steps according to various exemplary embodiments of the invention described in the above section "exemplary methods" of the present description, when said program product is run on the terminal device.
Referring to fig. 6, a program product 60 for implementing the above method according to an embodiment of the present invention is described, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
Furthermore, the above-described figures are merely schematic illustrations of processes involved in methods according to exemplary embodiments of the invention, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is to be limited only by the terms of the appended claims.

Claims (10)

1. A network data security protection method is characterized by comprising the following steps:
acquiring multi-element heterogeneous data of a network slice of a target network;
inputting the multivariate heterogeneous data into a trained network security prediction model to obtain corresponding security trust parameters;
when the security trust parameter is lower than a preset threshold value, generating a public key by using an encryption algorithm, and verifying the validity of the public key;
and when the validity of the public key is verified, encrypting the multivariate heterogeneous data by using the encryption algorithm to generate ciphertext data.
2. The method of claim 1, wherein the method further comprises:
the network security prediction model is constructed in advance, and parameters of the network security prediction model are determined; the network security prediction model is constructed based on a hidden Markov model.
3. The method for securing network data according to claim 2, wherein the determining parameters of the network security prediction model comprises:
defining model variables of the network security prediction model; wherein the model variables include: a hidden state Q of the server, a multivariate heterogeneous data sample W of the 5G network slice, a probability A that the 5G network is in a safe state at the initial moment, a security state transition matrix S and an observable state transition probability matrix Z;
initializing a model parameter λ; wherein λ = (A, S, Z);
calculating the model parameter λ based on a maximum expectation algorithm.
4. The method according to claim 3, wherein the calculating a model parameter λ based on a maximum expectation algorithm comprises:
and representing the probability A of the 5G network in the safety state at the initial moment based on the preset network safety state and the characteristics of the multi-element heterogeneous data.
5. The method according to claim 3, wherein the calculating a model parameter λ based on a maximum expectation algorithm comprises:
and representing the observable state transition probability matrix Z by using the probability that the 5G network is in a safe state at each moment.
6. The method according to claim 3, wherein the calculating a model parameter λ based on a maximum expectation algorithm comprises:
and representing the safety state transition matrix S based on the probability that the multivariate heterogeneous data of the 5G network slice is in a safety state at the moment t.
7. The method for network data security protection according to claim 1, wherein the collecting the multivariate heterogeneous data of the 5G network slice comprises:
and acquiring multi-element heterogeneous data corresponding to each network slice from the divided 5G network slices through an SDN controller.
8. A network data security apparatus, the apparatus comprising:
the multi-element heterogeneous data acquisition module is used for acquiring multi-element heterogeneous data of the network slice of the target network;
the safety trust parameter calculation module is used for inputting the multivariate heterogeneous data into a trained network safety prediction model to obtain corresponding safety trust parameters;
the public key verification module is used for generating a public key by using an encryption algorithm and verifying the validity of the public key when the security trust parameter is lower than a preset threshold value;
and the encryption processing module is used for encrypting the multivariate heterogeneous data by using the encryption algorithm to generate ciphertext data when verifying the validity of the public key.
9. A storage medium having stored thereon a computer program which, when executed by a processor, implements a network data security method according to any one of claims 1 to 7.
10. A terminal device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the network data security protection method of any one of claims 1 to 7 via execution of the executable instructions.

Priority Applications (1)

Application Number: CN202111574599.6A (CN114222293A); Priority Date: 2021-12-21; Filing Date: 2021-12-21; Title: Network data security protection method and device, storage medium and terminal equipment

Publications (1)

Publication Number: CN114222293A; Publication Date: 2022-03-22

Family ID: 80704889

Country Status (1)

Country: CN (1); Link: CN114222293A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160012235A1 (en) * 2014-02-10 2016-01-14 Vivo Security Inc. Analysis and display of cybersecurity risks for enterprise data
CN105471668A (en) * 2014-09-10 2016-04-06 阿里巴巴集团控股有限公司 Environment information collection method and device for network access party
US20160218933A1 (en) * 2015-01-27 2016-07-28 Sri International Impact analyzer for a computer network
CN110380896A (en) * 2019-07-04 2019-10-25 湖北央中巨石信息技术有限公司 Network security situation awareness model and method based on attack graph
CN112616124A (en) * 2020-12-03 2021-04-06 广东电力通信科技有限公司 Electric power Internet of things safety management method and system based on 5G network slice
CN113282759A (en) * 2021-04-23 2021-08-20 国网辽宁省电力有限公司电力科学研究院 Network security knowledge graph generation method based on threat information
FR3111506A1 (en) * 2020-06-19 2021-12-17 Orange System and method for monitoring at least a slice of a communications network
CN114301795A (en) * 2021-11-15 2022-04-08 南京翌淼信息科技有限公司 Network data security identification method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20220322