CN115242454B - Real-time video data integrity protection method and system - Google Patents

Info

Publication number
CN115242454B
Authority
CN
China
Prior art keywords
video
data
hmac
mask
time
Legal status
Active
Application number
CN202210732846.9A
Other languages
Chinese (zh)
Other versions
CN115242454A (en
Inventor
李默嘉
姜永广
邓伟华
亢硕
谢卫
Current Assignee
CETC 30 Research Institute
Original Assignee
CETC 30 Research Institute
Application filed by CETC 30 Research Institute
Priority to CN202210732846.9A
Publication of CN115242454A
Application granted
Publication of CN115242454B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/10 Architectures or entities
    • H04L65/1016 IP multimedia subsystem [IMS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20 Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/23 Processing of content or additional data; Elementary server operations; Server middleware
    • H04N21/234 Processing of video elementary streams, e.g. splicing of video streams or manipulating encoded video stream scene graphs
    • H04N21/23418 Processing of video elementary streams, e.g. splicing of video streams or manipulating encoded video stream scene graphs involving operations for analysing video streams, e.g. detecting features or characteristics
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40 Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/43 Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
    • H04N21/44 Processing of video elementary streams, e.g. splicing a video clip retrieved from local storage with an incoming video stream or rendering scenes according to encoded video stream scene graphs
    • H04N21/44008 Processing of video elementary streams, e.g. splicing a video clip retrieved from local storage with an incoming video stream or rendering scenes according to encoded video stream scene graphs involving operations for analysing video streams, e.g. detecting features or characteristics in the video stream
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/60 Network structure or processes for video distribution between server and client or between remote clients; Control signalling between clients, server and network components; Transmission of management data between server and client, e.g. sending from server to client commands for recording incoming content stream; Communication details between server and client
    • H04N21/63 Control signaling related to video distribution between client, server and network components; Network processes for video distribution between server and clients or between remote clients, e.g. transmitting basic layer and enhancement layers over different transmission paths, setting up a peer-to-peer communication via Internet between remote STB's; Communication protocols; Addressing
    • H04N21/647 Control signaling between network components and server or clients; Network processes for video distribution between server and clients, e.g. controlling the quality of the video stream, by dropping packets, protecting content from unauthorised alteration within the network, monitoring of network load, bridging between two different networks, e.g. between IP and wireless
    • H04N21/64715 Protecting content from unauthorized alteration within the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)

Abstract

The invention relates to the technical field of data integrity protection, and discloses a real-time video data integrity protection method and system. The method comprises the following steps: S1, dynamic mask generation; S2, video frame data preprocessing; S3, HMAC parameter decision; S4, HMAC calculation. The invention solves the problem in the prior art that communication performance and security are difficult to balance effectively, and significantly improves the security of integrity protection for real-time video data.

Description

Real-time video data integrity protection method and system
Technical Field
The invention relates to the technical field of data integrity protection, in particular to a real-time video data integrity protection method and system.
Background
IMS-based video communication technology generally uses public IP communication networks such as the Internet as its bearer, sharing and transmitting real-time video data among multiple nodes over interconnected multipoint public IP networks. This enables real-time video services such as video telephony, video conferencing and video surveillance, and long-distance real-time multimedia communication among multiple points.
Because most real-time video communication services rely on the public Internet for data transmission, they face various attacks from malicious users during transmission. Video tampering is one of the most threatening attacks that can be used against real-time video communication services: by controlling an intermediate node on the video data transmission path, the attacker illegally tampers with the video data flowing through that node as intended, forges a video stream inconsistent with the source end (for example by frame-by-frame substitution) and sends it to the target end, thereby deceiving the receiving end with tampered video data.
In the prior art, real-time video tampering attacks are mostly countered with an HMAC-based video data integrity protection method: a verification field calculated with an HMAC algorithm is appended to the end of each video frame data packet sent by the source end. After receiving the packet, the receiving end first runs the same algorithm over the received video data and compares the result with the verification field appended to the packet; if they are the same, the video data was not tampered with in transit and can be safely received. In practical application, however, the prior art has two disadvantages. First, the HMAC-based integrity protection algorithm is built on a public HASH algorithm and may be broken; in addition, communication performance must be balanced in practical applications, so a HASH algorithm with a shorter output length is generally adopted, which raises the collision probability and further reduces security. Once the HASH-based HMAC algorithm is broken, the expected video data integrity protection cannot be achieved. Second, HMAC calculation places high demands on hardware resources: continuous high-strength HMAC calculation over real-time video streams improves transmission security but puts considerable performance and heat-dissipation pressure on embedded video terminals, and ultimately harms the smooth running of video communication services.
Disclosure of Invention
To overcome the defects of the prior art, the invention provides a real-time video data integrity protection method and system, which solve the problems of the prior art that security strength is low and an optimal balance between security and communication performance is difficult to achieve.
The invention solves these problems with the following technical scheme:
A real-time video data integrity protection method in which a preprocessing step of video data replacement based on a dynamic mask is added before frame-by-frame HMAC processing of video frame data.
As a preferred technical scheme, the method comprises the following steps:
S1, dynamic mask generation: after each frame of video frame data to be protected is input, a dynamic mask for preprocessing that frame is generated in a preset manner;
S2, video frame data preprocessing: the generated dynamic mask is bitwise ANDed with the original video frame data to be protected, giving the mask-preprocessed video frame data;
S3, HMAC parameter decision: the HMAC parameters used for the HMAC calculation on that frame are selected dynamically according to the current real-time running state of the system;
S4, HMAC calculation: the HMAC calculation for that frame is performed using the preprocessed video frame data and the dynamically selected HMAC parameters.
As a preferred technical scheme, in step S1, for the same frame of video data, the sending end and the receiving end preprocess the video data with the same mask, where the same mask is either agreed in advance or generated by the same algorithm and parameters. The method for agreeing the same mask in advance is as follows: the sending end and the receiving end agree on n sets of mask sequences in advance, each set containing m numbered mask data items, numbered 1 to m. Before video communication, the sending end and the receiving end remotely negotiate, through the video protocol, the number of the mask sequence used for the current session, and then use mask data item i of the corresponding mask sequence for the i-th frame of video data in the session. When the number of video frames exceeds the preset number of mask data items, the mask data are reused cyclically as required: frame m×k+i uses mask data item i of the corresponding mask sequence. Here n ≥ 2 and n is a positive integer, m ≥ 2 and m is a positive integer, k ≥ 1 and k is a positive integer, i is the mask data number, and 1 ≤ i ≤ m.
As a preferred technical scheme, in step S1, the method for generating the same mask at the sending end and the receiving end by the same algorithm and parameters is as follows: the required mask is generated bit by bit with a uniformly distributed random number function rand(), 1 bit at a time with value 0 or 1, and the sending end and the receiving end ensure that the generated masks are identical by supplying the same random number seeds. For the mask bit at a given position, the random number seed is the 16-bit unsigned integer that starts at that bit position in the corresponding original video frame data. When the last 15 bits of the mask are calculated, the original video frame data is extended cyclically so that a 16-bit random number seed can still be taken.
As a preferred technical scheme, in step S2, the data preprocessing rule is: from the 1st bit of the video frame data up to its maximum length, the video frame data is bitwise ANDed with the dynamic mask to obtain the preprocessed video frame data, which replaces the original video frame data in the subsequent HMAC calculation.
As a preferred technical scheme, in step S3, dynamically selecting HMAC parameters that change adaptively from frame to frame for the HMAC calculation on the preprocessed video frame data comprises the following steps:
S31, selecting the 5 HMAC algorithms MD5, SHA256, SHA512, SHA3-256 and SHA3-512 as 5 HMAC parameters of increasing strength;
S32, before the sending end performs HMAC processing on each frame of video data, scoring in real time the state of three dimensions associated with the current video frame: computing resource margin, video processing delay and security risk; the score interval of each dimension is [0,100];
S33, calculating the average score of the three dimensions, and selecting the MD5 algorithm when the average score is in [0,20], the SHA256 algorithm when it is in [21,40], the SHA512 algorithm when it is in [41,60], the SHA3-256 algorithm when it is in [61,80], and the SHA3-512 algorithm when it is in [81,100].
As a preferred technical scheme, in step S32, the computing resource margin dimension score is calculated as follows: evaluation is by comparison with the session's recent statistical running time, and different sessions use different evaluation parameters. Specifically: for the 5 HMAC algorithms MD5, SHA256, SHA512, SHA3-256 and SHA3-512, 5 reference running times $T_{base}=\{T_{base1},T_{base2},T_{base3},T_{base4},T_{base5}\}$ are measured in advance. At the beginning of each video session, the computing resource margin dimension score $S_1$ is initialized to 100, and the recent statistical running times of the 5 algorithms are initialized separately for this session as $T_n=\{T_1,T_2,T_3,T_4,T_5\}=T_{base}$, where n denotes the sequence numbers of the 5 HMAC algorithms. Each time the sending end completes the HMAC calculation for a video frame of this session, it records the calculation time $t$ and compares $t$ with the recent statistical running time $T_X$ of the algorithm: if $t>T_X$, the latest computing resource margin dimension score is $S_1=S_1-1$; if $t<T_X$, it is $S_1=S_1+1$; the value of $S_1$ is limited to [0,100]. Finally, $t$ is used to update the session's recent statistical running time, $T_X=0.99T_X+0.01t$, for the next calculation. Here X is the sequence number of the HMAC algorithm used this time, and 1 ≤ X ≤ 5.
As a preferred technical scheme, in step S32, the video processing delay dimension score is calculated as follows: when each frame of video data is generated, the sending end records the generation time of the video frame data; when the video frame data is sent from the network interface, its sending time is recorded. The difference between the sending time and the generation time is the current node's real-time video data processing delay, which is updated after each new video frame is sent. A higher delay indicates greater congestion at the node, so lighter HMAC parameters are needed. When calculating the video processing delay dimension score, scoring strategies with different delay sensitivities are used for video I frames, P frames and B frames, which carry different amounts of information. Specifically: a low delay sensitivity strategy is used for B frames, which carry less information: when the processing delay T = 0-100 ms, the video processing delay dimension score is $S_2=100-T$; when T > 100 ms, $S_2=0$. A medium delay sensitivity strategy is used for P frames, which carry a moderate amount of information: when T = 0-50 ms, $S_2=100-2T$; when T > 50 ms, $S_2=0$. A high delay sensitivity strategy is used for I frames, which carry more information: when T = 0-33 ms, $S_2=100-3T$; when T > 33 ms, $S_2=0$.
As a preferred technical scheme, in step S32, the security risk dimension score is calculated as follows: a rapid risk-score approximation based on unequal-weight index changes is used. Specifically: the risk attenuation index A is set to the smaller value 1.01, and the risk growth index B is set to the larger value 2. At the beginning of a session, the security risk dimension score $S_3$ is initialized to 100, representing a high-risk environment. Each time the sending end successfully sends a video frame, one risk attenuation is triggered, giving the new security risk dimension score $S_{3new}=S_3^{(1/A)}$. Each time the receiving end detects a tampered message, it notifies the sending end, triggering one risk growth, giving the new security risk dimension score $S_{3new}=S_3^{(B)}$. When selecting HMAC parameters for each video frame, the sending end uses the current latest security risk dimension score $S_3$.
A real-time video data integrity protection system, based on the above real-time video data integrity protection method, comprising a dynamic mask generation module, a video frame data preprocessing module, an HMAC parameter decision module and an HMAC calculation module connected in sequence;
wherein:
Dynamic mask generation module: after each frame of video frame data to be protected is input, generates in a preset manner a dynamic mask for preprocessing that frame;
Video frame data preprocessing module: bitwise ANDs the generated dynamic mask with the original video frame data to be protected, giving the mask-preprocessed video frame data;
HMAC parameter decision module: dynamically selects the HMAC parameters used for the HMAC calculation on that frame according to the current real-time running state of the system;
HMAC calculation module: performs the HMAC calculation for that frame using the preprocessed video frame data and the dynamically selected HMAC parameters.
Compared with the prior art, the invention has the following beneficial effects:
(1) The invention introduces a preprocessing step of video data replacement based on the dynamic mask into the HMAC calculation. Even if an attacker breaks the HMAC algorithm used for integrity protection and its parameters, without the dynamic mask the attacker cannot perform a correct integrity calculation on tampered video data, and the tampering cannot pass the integrity check at the receiving end, which effectively improves the security of video data integrity protection.
(2) For the same video session data, adaptive HMAC parameters replace constant HMAC parameters. On the one hand, protection parameters that change in real time make it harder for a potential attacker to learn the pattern, increasing the difficulty of breaking the integrity protection algorithm. On the other hand, HMAC parameter selection that takes the communication state into account achieves a dynamic balance between security and communication performance: when the computing resource margin is larger, the video processing delay is smaller and the security risk is larger, higher-strength HMAC parameters are used, providing higher security; when the computing resource margin is smaller, the video processing delay is larger and the security risk is lower, lower-strength HMAC parameters are used, providing stronger communication performance.
Drawings
Fig. 1 is a schematic structural diagram of a real-time video data integrity protection system according to the present invention.
Fig. 2 is a schematic diagram of a process flow of dynamic mask generation.
Fig. 3 is a schematic diagram of a process flow for video data replacement based on dynamic masks.
FIG. 4 is a process flow diagram of dynamic adaptation of HMAC parameters.
Fig. 5 is a schematic diagram of a computing flow for computing resource margin dimension scores.
Fig. 6 is a schematic diagram of a video processing delay dimension score calculation flow.
Fig. 7 is a schematic diagram of a security risk dimension score calculation flow.
Detailed Description
The present invention will be described in further detail with reference to examples and drawings, but embodiments of the present invention are not limited thereto.
Example 1
To overcome the above drawbacks of the prior art, the present invention provides an HMAC-based real-time video data integrity protection method that adds two optimization mechanisms, mask-based dynamic data replacement and adaptive adjustment of HMAC protection parameters, thereby effectively improving the security and processing performance of video data integrity protection.
The invention discloses a real-time video data integrity protection method. When HMAC is used to protect the integrity of real-time video data transmitted over a network, a preprocessing step is added: the data to be protected is masked with a private mask agreed between the sending and receiving ends, and the integrity protection calculation is performed on the masked video data. Integrity protection parameters of suitable strength are selected adaptively for different video frames in the same session according to the communication performance and security state of the current session. The positive effects of the invention are: video data processed with the private mask has greater uncertainty, so an attacker who does not hold the dynamic mask cannot perform a correct integrity calculation on tampered video data, and the tampering cannot pass the integrity check at the receiving end, which effectively improves the security of video data integrity protection; meanwhile, compared with constant HMAC parameters, adaptively changing HMAC parameters can raise or lower the computational strength used for integrity protection as required, achieving a dynamic balance between security and communication performance.
The key points of the main technical scheme of the invention are as follows:
Key point 1 of the technical scheme: adding a preprocessing step of video data replacement based on a dynamic mask. Before HMAC processing is performed on video frame data frame by frame, a preprocessing step of video data replacement based on a dynamic mask is added: the agreed mask is bitwise ANDed with the video frame data, HMAC is then calculated over the masked video frame data, and the result is used as the integrity protection field of the video frame data. The receiving end checks this field to determine whether the video data was illegally tampered with in transit;
Key point 2 of the technical scheme: dynamic adaptive variation of HMAC parameters. For the same video session stream, different HMAC algorithms form HMAC parameter combinations, and different combinations represent different HMAC operation strengths. When HMAC is calculated for different video frames in the same session, HMAC parameters of different operation strength are selected adaptively for them based on factors that change in real time, such as resource occupancy, video processing delay and security state. When the computing resource margin is larger, the video processing delay is smaller and the security risk is larger, higher-strength HMAC parameters are used, providing higher security; when the computing resource margin is smaller, the video processing delay is larger and the security risk is lower, lower-strength HMAC parameters are used, providing stronger communication performance.
(1) For key point 1, the preprocessing step of video data replacement based on the dynamic mask is characterized in that: the length of the dynamically generated mask is not less than the maximum length of the video frame data; from the 1st bit of the video frame data to its maximum length, the video frame data is bitwise ANDed with the mask; the ANDed data has the same length as the original video frame data and takes part in the subsequent HMAC calculation as the preprocessed video data.
(2) For key point 1, the preprocessing step of video data replacement based on the dynamic mask is characterized in that: for the same frame of video data, the sending end and the receiving end preprocess the video data with the same mask, which can be agreed in advance or generated by the same algorithm and parameters.
(3) For key point 1, the preprocessing step of video data replacement based on the dynamic mask is characterized in that: the mask used to preprocess video frame data changes dynamically from frame to frame, and the mask used for the current frame should differ from the mask used for the previous frame.
(4) For key point 1, the pre-agreed same mask of the sending end and the receiving end is characterized in that: the sending end and the receiving end agree on 10 sets of mask sequences in advance; each set contains 100 numbered mask data items, numbered 1 to 100, and each mask data item is not less than 8000 bytes long. Before video communication, the sending end and the receiving end remotely negotiate, through the video protocol, the number of the mask sequence used for the session. They then use mask data item 1 of the corresponding mask sequence for video frame 1 of the session and mask data item 2 for video frame 2; the mask data are reused cyclically, i.e. mask data item 1 is used for video frame 101, and so on. The number of mask sequences, the number of mask data items per sequence, and the mask data length can be set as required for the usage scenario.
(5) For key point 1, the same mask generated at the sending end and the receiving end by the same algorithm and parameters is characterized in that: the required mask is generated bit by bit with a uniformly distributed random number function rand(), 1 bit at a time with value 0 or 1, and the sending end and the receiving end ensure that the generated masks are identical by using the same random number seeds. For the mask bit at a given position, the random number seed is the 16-bit unsigned integer that starts at that bit position in the corresponding original video frame data. When the last 15 bits of the mask are calculated, the original video frame data is extended cyclically so that a 16-bit random number seed can still be taken. The random number algorithm and the seed generation method can be set as required for the usage scenario.
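An added example (not code from the patent) of the pre-agreed mask variant in items (1) to (4), which also covers steps S1, S2 and S4 of the summary: the frame's mask is picked cyclically, bitwise ANDed with the frame, and the HMAC over the result is appended. The HMAC session key, the SHAKE-256 derivation of the constructed mask material and all function names are assumptions; `covered_bits` is an added check that counts the frame bits that reach the HMAC, since bits under a 0 mask bit do not influence the tag.

```python
import hashlib
import hmac

# Assumed demo sizes; the embodiment uses 10 sets x 100 masks of >= 8000 bytes.
N_SETS, M_MASKS, MASK_LEN = 2, 4, 64


def build_mask_sets(provisioning_secret: bytes) -> list:
    """Constructed stand-in for the pre-agreed mask material (hypothetical
    derivation): both ends run it on the same secret and hold the same sets."""
    return [
        [hashlib.shake_256(provisioning_secret + bytes([s, i])).digest(MASK_LEN)
         for i in range(1, M_MASKS + 1)]
        for s in range(N_SETS)
    ]


def mask_for_frame(mask_set: list, frame_no: int) -> bytes:
    """Frame m*k+i uses mask i; frame_no and i are 1-based."""
    if frame_no < 1:
        raise ValueError("frame numbers start at 1")
    return mask_set[(frame_no - 1) % len(mask_set)]


def preprocess(frame: bytes, mask: bytes) -> bytes:
    """S2: bitwise AND of frame and mask; output has the frame's length."""
    if len(mask) < len(frame):
        raise ValueError("mask must be at least as long as the frame")
    return bytes(f & m for f, m in zip(frame, mask))


def protect(frame: bytes, frame_no: int, mask_set: list, key: bytes,
            digest: str = "sha256") -> bytes:
    """Sender side: append HMAC(key, frame AND mask) to the unmodified frame."""
    masked = preprocess(frame, mask_for_frame(mask_set, frame_no))
    return frame + hmac.new(key, masked, digest).digest()


def verify(packet: bytes, frame_no: int, mask_set: list, key: bytes,
           digest: str = "sha256") -> bool:
    """Receiver side: recompute the tag with the same mask and compare it
    in constant time."""
    tag_len = hashlib.new(digest).digest_size
    if len(packet) <= tag_len:
        return False
    frame, tag = packet[:-tag_len], packet[-tag_len:]
    masked = preprocess(frame, mask_for_frame(mask_set, frame_no))
    return hmac.compare_digest(tag, hmac.new(key, masked, digest).digest())


def covered_bits(frame_len: int, mask: bytes) -> int:
    """Number of frame bits that reach the HMAC, i.e. positions where the mask
    bit is 1. Frame bits under a 0 mask bit do not influence the tag."""
    return sum(bin(b).count("1") for b in mask[:frame_len])


if __name__ == "__main__":
    sets = build_mask_sets(b"constructed provisioning secret")
    key = b"constructed 32-byte session key!"      # assumption: shared HMAC key
    frame = bytes(range(1, 49))                    # constructed 48-byte "frame"
    negotiated_set = sets[1]                       # sequence number agreed per session
    packet = protect(frame, 7, negotiated_set, key)
    print("verifies with right frame number:", verify(packet, 7, negotiated_set, key))
    print("verifies with wrong frame number:", verify(packet, 8, negotiated_set, key))
    mask = mask_for_frame(negotiated_set, 7)
    print("frame bits covered by the tag:", covered_bits(len(frame), mask),
          "of", 8 * len(frame))
```
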
(6) For the 2 nd technical scheme, the dynamic adaptive variation characteristic of the HMAC parameter is as follows: selecting 5 HASH algorithms including MD5, SHA256, SHA512, SHA3-256 and SHA3-512 as HMAC parameters with increasing intensity, scoring the data of three dimensions including computing resource allowance, video processing delay and security risk associated with the current video frame in real time before HMAC processing is carried out on each frame of video data at a transmitting end, wherein each dimension is divided into [0,100], finally calculating average division of the three dimensions, selecting the MD5 algorithm when dividing into [0,20], selecting the SHA256 algorithm when dividing into [21, 40], selecting the SHA512 algorithm when dividing into [41,60], selecting the SHA3-256 algorithm when dividing into [61,80], and selecting the SHA3-512 algorithm when dividing into [81,100 ].
(7) For the key point of the 2 nd technical scheme, the calculating method for calculating the dimension score of the resource allowance is characterized in that: the method adopts a mode of comparing with the recent statistical running time of the session to evaluate, and different sessions adopt different evaluation parameters. Specifically, 5 reference calculation times T are measured in advance for 5 HASH algorithms including MD5, SHA256, SHA512, SHA3-256, and SHA3-512 base ={T base1 ,T base2 ,T base3 ,T base4 ,T base5 At the beginning of each video session, a computational resource margin dimension score S1 is initialized to 100, and the recent statistical run times T of 5 algorithms are initialized individually for that session n ={T 1 ,T 2 ,T 3 ,T 4 ,T 5 }=T base Where n represents the sequence numbers of the 5 HASH algorithms. Recording calculation time t after the sending end finishes HMAC calculation of video frame data once, comparing the calculation time t with the recent statistical running time of the algorithm, and if t>T X The latest calculation of the resource margin dimension score S 1 =S 1 -1, if t<T X The latest calculation of the resource margin dimension score S 1 =S 1 +1, wherein X is the sequence number of an integrity protection HASH algorithm adopted by the video data of the frame, S 1 Is limited to the value of [0,100]]Inside. Finally, T is used to update the recent statistical running time of the session, so that T is X =0.99T X +0.01t for the next calculation.
(8) In technical scheme 2, the video processing delay is measured as follows: when each frame of video data is generated, the transmitting end records its generation time, and when the frame is transmitted from the network interface, it records the transmission time. The difference between the transmission time and the generation time is the current node's real-time video processing delay, and it is updated after each new video frame is transmitted. A higher delay indicates greater congestion at the node, so lighter HMAC parameters are needed to improve system throughput.
(9) In technical scheme 2, the video processing delay dimension score uses scoring strategies with different delay sensitivities for video I frames, P frames and B frames, which carry different amounts of information. Specifically, a low delay-sensitivity strategy is used for B frames, which carry less information: when the processing delay T = 0-100 ms, the video processing delay dimension score $S_2 = 1-T$; when T > 100 ms, $S_2 = 0$. A medium delay-sensitivity strategy is used for P frames, which carry a moderate amount of information: when the processing delay T = 0-50 ms, $S_2 = 1-2T$; when T > 50 ms, $S_2 = 0$. A high delay-sensitivity strategy is used for I frames, which carry more information: when the processing delay T = 0-33 ms, $S_2 = 1-3T$; when T > 33 ms, $S_2 = 0$.
(10) In technical scheme 2, the security risk dimension score is calculated by rapid approximation of the risk score based on unequal-weight index change. Specifically, the risk attenuation index A is set to the smaller value 1.01 and the risk growth index B to the larger value 2. At the beginning of a session, the security risk dimension score $S_3$ is initialized to 100, representing a high-risk environment. Each time the transmitting end successfully transmits a frame of video data, one risk attenuation is triggered and the new security risk dimension score is $S_{3new} = S_3 (1/A)$. Each time the receiving end detects a tampered message, it notifies the transmitting end, one risk growth is triggered, and the new security risk dimension score is $S_{3new} = S_3 (B)$. For each frame of video data it transmits, the transmitting end uses the current latest security risk dimension score $S_3$ to calculate the HMAC parameter.
Example 2
As further optimization of embodiment 1, as shown in fig. 1 to 7, this embodiment further includes the following technical features on the basis of embodiment 1:
the real-time video data integrity protection system comprises a video frame data preprocessing module, a dynamic mask generation module, an HMAC parameter decision module and an HMAC calculation module, wherein the modules are interconnected through an internal functional interface, and integrity protection processing is carried out on video data frame by frame.
After the video frame data to be protected is input into the system, it is first sent to the video frame data preprocessing module, where some bits in the video frame are replaced based on a dynamic mask. Before that, the dynamic mask generation module generates the dynamic mask used to replace this frame's video data from the data carried in the video frame, using an algorithm common to the transmitting end and the receiving end, which keeps the behaviour of the two ends consistent. Then the HMAC parameter decision module makes a combined decision on the HMAC parameters from the statistics of the 3 dimensions of computing resources, processing delay and security risk, adaptively selects an appropriate integrity protection HASH algorithm, and passes it together with the video frame data to the HMAC calculation module. Finally, the HMAC calculation module completes the HMAC calculation for this frame of video data and sends the video data together with the calculated integrity protection check data to the subsequent processing module. At the transmitting end, the video frame data and the check data are encapsulated together into a video message and sent to the network; at the receiving end, the check data is compared with the check field carried in the video message to judge whether this frame of video has been tampered with.
The method's processing of video frame data consists mainly of 6 parts: dynamic mask generation, video frame data replacement, adaptive adjustment of the HMAC parameters, computing resource margin dimension score statistics, video processing delay dimension score statistics and security risk dimension score statistics.
As shown in fig. 2, the steps for generating a dynamic mask for each frame of video data are: 1. traverse the video frame bit by bit, starting from bit 1 of the video frame data, until the video data ends; 2. when the traversal reaches the last 15 bits of the video frame data, circularly extend the video frame, that is, append a section of data from the beginning of the video frame to its end, so that at least 16 consecutive bits can be read starting from the last bit of the original video frame data; 3. for each bit reached during the traversal, take that bit as the start and read 16 bits onward to obtain a 2-byte unsigned integer X; 4. use the integer X as a random seed to generate a 1-bit mask value; 5. when the traversal reaches the end of the original video data, the length of the output mask is exactly equal to the length of the video frame data to be protected, and the dynamic mask has been generated.
As shown in fig. 3, when the video frame data is replaced based on the dynamic mask, the dynamic mask, which has the same length as the video frame data, is aligned with the video frame data bit by bit, the original video frame data is preprocessed by a bitwise AND with the mask, and the preprocessed data is sent to the HMAC calculation module for HMAC calculation.
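The mask generation and bitwise-AND preprocessing steps above, followed by the HMAC at both ends, as an added example that is not code from the patent. It assumes MSB-first bit order, Python's `random.Random` as a stand-in for the unspecified `rand()`, a pre-shared HMAC key, and a fixed SHA256 digest; the key and frame are constructed sample values.

```python
import hmac
import itertools
import random
from functools import lru_cache

KEY = b"constructed-demo-key"   # constructed sample key (assumption: pre-shared)
FRAME = bytes(range(64))        # constructed sample "video frame"


@lru_cache(maxsize=1 << 16)
def mask_bit(seed16: int) -> int:
    """One mask bit from a 16-bit seed.

    random.Random is a stand-in for the rand() the page names (assumption).
    The bit depends only on the seed, so 65536 cached entries cover every case.
    """
    return random.Random(seed16).getrandbits(1)


def dynamic_mask(frame: bytes) -> bytes:
    """Mask of the same length as the frame, one bit per frame bit."""
    nbits = len(frame) * 8
    if nbits == 0:
        return b""
    # MSB-first bit list; cycling it implements the circular extension,
    # including frames shorter than 16 bits.
    bits = [(byte >> k) & 1 for byte in frame for k in range(7, -1, -1)]
    stream = itertools.cycle(bits)
    window = 0
    for _ in range(16):                       # 16-bit window starting at bit 1
        window = (window << 1) | next(stream)
    mask = bytearray(len(frame))
    for i in range(nbits):
        if mask_bit(window):                  # window is the unsigned seed X
            mask[i >> 3] |= 0x80 >> (i & 7)
        window = ((window << 1) | next(stream)) & 0xFFFF
    return bytes(mask)


def preprocess(frame: bytes) -> bytes:
    """Bitwise AND of the frame with its dynamic mask."""
    return bytes(f & m for f, m in zip(frame, dynamic_mask(frame)))


def protect(key: bytes, frame: bytes, digest: str = "sha256") -> bytes:
    """Transmitting end: HMAC over the preprocessed frame, not the raw frame."""
    return hmac.new(key, preprocess(frame), digest).digest()


def verify(key: bytes, frame: bytes, tag: bytes, digest: str = "sha256") -> bool:
    """Receiving end: regenerate the mask from the received frame and compare."""
    return hmac.compare_digest(protect(key, frame, digest), tag)


if __name__ == "__main__":
    tag = protect(KEY, FRAME)
    print("mask:", dynamic_mask(FRAME).hex())
    print("verify untouched frame:", verify(KEY, FRAME, tag))
```

The mask is derived only from the frame contents, so both ends can regenerate it without exchanging it; the secrecy in this construction comes from the HMAC key alone.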
As shown in fig. 4, the HMAC parameter adapts dynamically to the current statistics of the 3 dimensions of computing resources, processing delay and security risk, and automatically selects the HASH algorithm that best balances communication performance and security. The adaptive selection works by scoring the 3 dimensions of computing resource margin, video processing delay and security risk in real time, calculating the average score S of the 3 dimensions, and mapping S through the stepped score intervals to the currently optimal integrity protection HASH algorithm.
As shown in fig. 5, the steps for computing the computing resource margin dimension score are: 1. when new video frame data is received, judge whether it belongs to a new session and, if so, initialize the session's recent statistical running times $\{T_1, T_2, T_3, T_4, T_5\}$; 2. for each frame of video data, measure the actual time t taken by its HMAC calculation, compare it with the session's recent statistical running time $T_X$ for the same HASH algorithm, and update the computing resource margin dimension score $S_1$ according to the result; 3. using the actual time t of the HMAC calculation, update the session's recent statistical running time $T_X$ for the same HASH algorithm by the formula $T_X = 0.99T_X + 0.01t$.
As shown in fig. 6, the steps for computing the video processing delay dimension score are: 1. when new video frame data is received, first determine its frame type and handle it according to the three video frame types with different amounts of information: B frames, P frames and I frames; 2. record the processing delay T of the video frame data from generation to transmission, and update the video processing delay dimension score $S_2$ according to the preset formula.
As shown in fig. 7, the steps for computing the security risk dimension score are: 1. initialize the security risk dimension score $S_3$ to 100; 2. each time a frame of processed video data is successfully transmitted, trigger one risk attenuation, giving the new security risk dimension score $S_{3new} = S_3 (1/A)$, where A is the predefined risk attenuation index 1.01; 3. each time the receiving end detects a tampered message, it notifies the transmitting end and one risk growth is triggered, giving the new security risk dimension score $S_{3new} = S_3 (B)$, where B is the predefined risk growth index 2.
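The per-frame HMAC parameter decision and the $S_1$ update described above, as an added example that is not code from the patent. The scores $S_2$ and $S_3$ are passed in as inputs, the class and function names are hypothetical, and one assumption fills a gap in the text: the listed intervals do not cover fractional averages such as 20.5, so each upper bound is treated as an inclusive threshold.

```python
import hmac
import time

# The five HASH algorithms in the page's order of increasing strength,
# written with the names Python's hashlib/hmac accept.
ALGORITHMS = ("md5", "sha256", "sha512", "sha3_256", "sha3_512")


def select_algorithm(s1: float, s2: float, s3: float) -> int:
    """Map the average of the three dimension scores to an algorithm index."""
    avg = (s1 + s2 + s3) / 3
    # Assumption: upper bounds 20/40/60/80 are inclusive thresholds, so an
    # average between two listed intervals selects the stronger algorithm.
    for index, upper in enumerate((20, 40, 60, 80)):
        if avg <= upper:
            return index
    return 4


class ResourceMargin:
    """Per-session S1 score and recent statistical running times T_1..T_5."""

    def __init__(self, t_base):
        self.s1 = 100                    # initialized to 100 at session start
        self.t_recent = list(t_base)     # T_n = T_base for this session

    def update(self, x: int, t: float) -> int:
        """Apply one measured HMAC time t for algorithm index x."""
        if t > self.t_recent[x]:
            self.s1 = max(0, self.s1 - 1)
        elif t < self.t_recent[x]:
            self.s1 = min(100, self.s1 + 1)
        # T_X = 0.99 T_X + 0.01 t, used for the next comparison
        self.t_recent[x] = 0.99 * self.t_recent[x] + 0.01 * t
        return self.s1


def protect_frame(key, data, margin, s2, s3, clock=time.perf_counter):
    """Select the algorithm, compute the HMAC, then feed the timing back."""
    x = select_algorithm(margin.s1, s2, s3)
    start = clock()
    tag = hmac.new(key, data, ALGORITHMS[x]).digest()
    margin.update(x, clock() - start)
    return ALGORITHMS[x], tag


if __name__ == "__main__":
    # Constructed reference times (seconds); real values would be measured.
    margin = ResourceMargin([1e-6, 2e-6, 3e-6, 4e-6, 5e-6])
    for s3 in (100, 60, 20):
        name, tag = protect_frame(b"constructed-demo-key", b"frame", margin, 50, s3)
        print(name, len(tag), margin.s1)
```

Because the digest changes from frame to frame, the tag length changes with it (16, 32 or 64 bytes), while SHA256 and SHA3-256 both give 32 bytes.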
As described above, the present invention can be preferably implemented.
All of the features disclosed in all of the embodiments of this specification, or all of the steps in any method or process disclosed implicitly, except for the mutually exclusive features and/or steps, may be combined and/or expanded and substituted in any way.
The foregoing description of the preferred embodiment of the invention is not intended to limit the invention in any way, but rather to cover all modifications, equivalents, improvements and alternatives falling within the spirit and principles of the invention.

Claims (8)

1. A real-time video data integrity protection method is characterized in that a preprocessing step of video data replacement based on a dynamic mask is added before video frame data is subjected to frame-by-frame HMAC processing;
the method comprises the following steps:
S1, dynamic mask generation: after each frame of video frame data to be protected is input, a dynamic mask for preprocessing this frame of video data is generated in a preset manner;
S2, video frame data preprocessing: a bitwise AND is performed on the generated dynamic mask and the original video frame data to be protected, giving the mask-preprocessed video frame data;
S3, HMAC parameter decision: the HMAC parameters used for the HMAC calculation on this frame of video data are dynamically selected according to the current real-time running state of the system;
S4, HMAC calculation: the HMAC calculation is performed on this frame of video data using the preprocessed video frame data and the dynamically selected HMAC parameters;
in step S3, HMAC parameters that change adaptively from frame to frame are dynamically selected to perform the HMAC calculation on the preprocessed video frame data, comprising the following steps:
S31, selecting 5 HMAC algorithms including MD5, SHA256, SHA512, SHA3-256 and SHA3-512 as 5 HMAC parameters of increasing strength;
S32, before the transmitting end performs HMAC processing on each frame of video data, scoring in real time the states of three dimensions associated with the current video frame: computing resource margin, video processing delay and security risk, the score interval of each dimension being [0,100];
S33, calculating the average score of the three dimensions, selecting the MD5 algorithm when the score is in [0,20], the SHA256 algorithm when it is in [21,40], the SHA512 algorithm when it is in [41,60], the SHA3-256 algorithm when it is in [61,80], and the SHA3-512 algorithm when it is in [81,100].
2. The method according to claim 1, wherein in step S1, for the same frame of video data, the transmitting end and the receiving end of the video data use the same mask to preprocess the video data, and the same mask is either agreed in advance or generated by the same algorithm and parameters; the method for agreeing the same mask of the transmitting end and the receiving end in advance is: the transmitting end and the receiving end agree on n sets of mask sequences in advance, each set of mask sequence containing m numbered mask data items, numbered 1 to m; before video communication, the transmitting end and the receiving end remotely negotiate, through a video protocol, the number of the mask sequence used for the current session, and then the i-th frame of video data in the current session uses mask data number i in the corresponding mask sequence; when the number of video frames exceeds the preset number of mask data items, the mask data is reused cyclically as required, and frame m × k + i of the video data uses mask data number i in the corresponding mask sequence; wherein n ≥ 2 and n is a positive integer, m ≥ 2 and m is a positive integer, k ≥ 1 and k is a positive integer, i is the mask data number, and 1 ≤ i ≤ m.
3. The method for protecting the integrity of real-time video data according to claim 2, wherein in step S1, the method for generating the same mask of the transmitting end and the receiving end by the same algorithm and parameters is: the required mask bits are generated with a random number function rand() having a uniform distribution, 1 bit at a time with value 0 or 1, and the transmitting end and the receiving end ensure that the generated masks are the same by inputting the same random number seeds; wherein, for each bit of a given sequence number in the mask, the random number seed is the unsigned integer represented by the 16 bits starting at the bit with that sequence number in the corresponding original video frame data; when the last 15 bits of the mask are calculated, the original video frame data is circularly extended so that a 16-bit random number seed can still be taken.
4. The method for protecting the integrity of real-time video data according to claim 3, wherein in step S2, the rule of data preprocessing is: from the 1st bit of the video frame data to its maximum length, the video frame data and the dynamic mask are bitwise ANDed to obtain the preprocessed video frame data, and the preprocessed video frame data replaces the original video frame data in the subsequent HMAC calculation.
5. The method for protecting the integrity of real-time video data according to claim 4, wherein in step S32, the method for calculating the computing resource margin dimension score is: evaluating by comparison with the session's recent statistical running time, different sessions using different evaluation parameters; the specific method is: for the 5 HMAC algorithms MD5, SHA256, SHA512, SHA3-256 and SHA3-512, 5 reference calculation times $T_{base} = \{T_{base1}, T_{base2}, T_{base3}, T_{base4}, T_{base5}\}$ are measured in advance; at the beginning of each video session, the computing resource margin dimension score $S_1$ is initialized to 100, and the recent statistical running times of the 5 algorithms are initialized separately for this session as $T_n = \{T_1, T_2, T_3, T_4, T_5\} = T_{base}$, where n is the sequence number of the 5 HMAC algorithms; each time the transmitting end completes the HMAC calculation for a frame of video data of the session, it records the calculation time t and compares t with the recent statistical running time $T_X$ of that algorithm; if $t > T_X$, the score becomes $S_1 = S_1 - 1$; if $t < T_X$, the score becomes $S_1 = S_1 + 1$; $S_1$ is limited to [0,100]; finally, t is used to update the session's recent statistical running time, $T_X = 0.99T_X + 0.01t$, for the next calculation; wherein X is the sequence number of the HMAC algorithm used this time, and 1 ≤ X ≤ 5.
6. The method for protecting the integrity of real-time video data according to claim 4, wherein in step S32, the method for calculating the video processing delay dimension score is: when each frame of video data is generated, the transmitting end records the generation time of the video frame data, and when the video frame data is transmitted from a network interface, it records the transmission time; the difference between the transmission time and the generation time is the current node's real-time video processing delay, and the delay is updated after each new video frame is transmitted; a higher delay indicates greater congestion at the node, so lighter HMAC parameters are needed; when the specific video processing delay dimension score is calculated, scoring strategies with different delay sensitivities are used for video I frames, P frames and B frames, which carry different amounts of information, the specific method being: a low delay-sensitivity strategy is used for B frames, which carry less information: when the processing delay T = 0-100 ms, the video processing delay dimension score $S_2 = 1-T$, and when T > 100 ms, $S_2 = 0$; a medium delay-sensitivity strategy is used for P frames, which carry a moderate amount of information: when the processing delay T = 0-50 ms, $S_2 = 1-2T$, and when T > 50 ms, $S_2 = 0$; a high delay-sensitivity strategy is used for I frames, which carry more information: when the processing delay T = 0-33 ms, $S_2 = 1-3T$, and when T > 33 ms, $S_2 = 0$.
7. The method for protecting the integrity of real-time video data according to claim 4, wherein in step S32, the method for calculating the security risk dimension score is: rapid approximation of the risk score based on unequal-weight index change; the specific method is: the risk attenuation index A is set to the smaller value 1.01, and the risk growth index B is set to the larger value 2; at the beginning of a session, the security risk dimension score $S_3$ is initialized to 100, representing a high-risk environment; each time the transmitting end successfully transmits a frame of video data, one risk attenuation is triggered, and the new security risk dimension score is $S_{3new} = S_3 (1/A)$; each time the receiving end detects a tampered message, it notifies the transmitting end, one risk growth is triggered, and the new security risk dimension score is $S_{3new} = S_3 (B)$; when selecting HMAC parameters for each frame of video data, the transmitting end uses the current latest security risk dimension score $S_3$ to calculate the HMAC parameters.
8. A real-time video data integrity protection system based on the method of any one of claims 1 to 7, comprising a dynamic mask generation module, a video frame data preprocessing module, an HMAC parameter decision module, and an HMAC calculation module connected in sequence;
wherein:
dynamic mask generation module: used for generating, after each frame of video frame data to be protected is input, a dynamic mask for preprocessing this frame of video data in a preset manner;
video frame data preprocessing module: used for performing a bitwise AND on the generated dynamic mask and the original video frame data to be protected, giving the mask-preprocessed video frame data;
HMAC parameter decision module: used for dynamically selecting the HMAC parameters for the HMAC calculation on this frame of video data according to the current real-time running state of the system;
HMAC calculation module: used for performing the HMAC calculation on this frame of video data using the preprocessed video frame data and the dynamically selected HMAC parameters.
CN202210732846.9A 2022-06-27 2022-06-27 Real-time video data integrity protection method and system Active CN115242454B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210732846.9A CN115242454B (en) 2022-06-27 2022-06-27 Real-time video data integrity protection method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210732846.9A CN115242454B (en) 2022-06-27 2022-06-27 Real-time video data integrity protection method and system

Publications (2)

Publication Number Publication Date
CN115242454A CN115242454A (en) 2022-10-25
CN115242454B true CN115242454B (en) 2023-05-12

Family

ID=83668714

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210732846.9A Active CN115242454B (en) 2022-06-27 2022-06-27 Real-time video data integrity protection method and system

Country Status (1)

Country Link
CN (1) CN115242454B (en)


Also Published As

Publication number Publication date
CN115242454A (en) 2022-10-25


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant