CN106209850A - Big data information network adaptive security guard system based on trust computing - Google Patents

Big data information network adaptive security guard system based on trust computing

Info

Publication number
CN106209850A
Authority
CN
China
Prior art keywords
data
matrix
trust
module
security
Legal status
Granted
Application number
CN201610550122.7A
Other languages
Chinese (zh)
Other versions
CN106209850B (en)
Inventor
陈祖斌
谢铭
胡继军
翁小云
袁勇
邓戈锋
莫英红
谢菁
张鹏
唐玲丽
黄连月
郑俊明
陈勇铭
陈剑皓
宋骏豪
Current Assignee
Guangxi Power Grid Co Ltd
Original Assignee
何钟柱
Application filed by 何钟柱
Priority to CN201610550122.7A
Publication of CN106209850A
Application granted
Publication of CN106209850B
Status: Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

The invention discloses a big data information network adaptive security protection system based on trusted computing. The system builds a trusted system on the basis of data acquisition, data storage and recovery, attack response and the like, and, through a new combination of modules and a new algorithm, successfully applies big data analysis and trusted technology to adaptive security protection of a big data information network. Starting from trusted data acquisition and trusted data storage and recovery, the data of the attack-response unit is made trustworthy, the security of the information network is guaranteed, and control is trusted and secure. The system achieves notable results in improving data processing speed, raising data security and saving storage space; it achieves a trusted evaluation of information security protection, strengthens the management and control of storage and recovery security, and enhances the reliability and credibility of information security protection.

Description

Big data information network adaptive security guard system based on trust computing
Technical field
The present invention relates to the field of big data, and specifically to a big data information network adaptive security protection system based on trusted computing.
Background technology
In recent years, the rapid development of information technology and its collision with every trade and profession have brought unprecedented changes to people's lives and modes of production, and the development of information technology has therefore attracted attention in every field. Among the many emerging technologies, cloud computing and big data are two of the most-watched and most typical representatives, and the cloud big data platform that combines the two has become a focus of attention in science and technology and is penetrating more and more into everyday life; the security and privacy protection of such cloud big data platforms has become an important guarantee of their value.
Regarding the concept of trusted computing, the ISO/IEC 15408 standard gives the following definition: the behaviour of a trusted component, operation or process is predictable under any operating condition, and it can well resist damage caused by application software, viruses and a certain amount of physical interference. The basic idea of trusted computing is to introduce a security chip (trusted platform module) on the hardware platform to improve the security of the terminal system; that is, a root of trust is implanted on each terminal platform, and the computer builds a trust relationship from the BIOS to the operating system kernel layer and on to the application layer. On this basis, trust is extended to the network and a corresponding chain of trust is established, entering the era of computer immunity: when a terminal is attacked, it can achieve self-protection, self-management and self-recovery.
Trusted computing is computing and communication supported by a hardware security module; it is widely used in computing and communication system platforms to improve the overall security of the system. Trusted computing is oriented to behavioural security, which should include the confidentiality of behaviour, the integrity of behaviour and the authenticity of behaviour. Trusted computing involves five core concepts, namely the key, secure input/output, memory shielding and so on. Among these, the use of the key is the most important part of a trusted system, and the security of keys during data storage and recovery is the basic guarantee of the whole trusted security protection system.
Summary of the invention
In view of the above problems, the present invention provides a big data information network adaptive security protection system based on trusted computing.
The purpose of the present invention is achieved by the following technical solution:
A big data information network adaptive security protection system based on trusted computing, characterized in that it includes a data acquisition unit, a trusted data storage and recovery unit, an attack-response unit and an expert support library;
(1) The data acquisition unit authenticates the hardware nodes of the network over which information is carried, judges the credibility of the network hardware nodes and establishes a trust relationship for the gathered information. It gathers network security event information from everywhere on the network through a distributed acquisition system and, on the basis of the CDIF standard format, performs unified format conversion on the data collected from each device and system; the converted information format is defined as the unified event format for communication between the subsystems, which provides the basis for constructing a global trusted environment and builds the trusted data platform. The data acquisition unit is the starting point of the chain of trust and is provided with a data sending application; the trusted data storage and recovery unit, the expert database and the attack-response unit are provided with data receiving and sending applications. Data is transmitted by 3G, and after the 3G module is powered on the trusted data platform performs power-on detection of each of the above units and of the expert database;
(2) The trusted data storage and recovery unit includes a data preprocessing module, a data storage module, a data recovery module and a data evaluation module: (2-1) the data preprocessing module classifies the large-scale data collected by the data acquisition unit, performing the following two operations: the data is classified by K-means clustering and a directory is created for each class, named after its cluster centre; the above classification process is repeated to subdivide the data, forming sub-classes under each class and a multi-level directory of the data, so as to form measurable quantized data;
(2-2) The data storage module is a trusted data storage module containing cryptographic operations. It ensures the trusted state of the system and of the data by key technology, hardware access control technology and storage encryption technology, and through software digital signature technology enables the system to recognise applications that may have been modified by a third party to add spyware. It includes a data segmentation submodule, a data encryption submodule and a cloud storage submodule:
A. The data segmentation submodule splits the data to be stored, performing the following operations:
When data r is to be stored, it is first divided locally into n parts $r_1, r_2, \dots, r_n$ of length h; then, in the finite field $\mathbb{Z}_p$, each $r_i$ is divided into n sub-blocks $r_{i,1}, r_{i,2}, \dots, r_{i,n}$, where $p > 2^h$, the j-th sub-block being $r_{i,j} = r_i \cdot (r_{i,1} \cdot r_{i,2} \cdots r_{i,j-1})^{-1} \bmod p$, where mod denotes the remainder operator;
Taking $\{r_{i,1}, r_{i,2}, \dots, r_{i,n-1}\}$ as the initial block set and mapping it to the set $\{p_1, p_2, \dots, p_n\}$, a linear correlation is built, expressed as the following system of linear equations:
$a_{i1} r_{1,1} + a_{i2} r_{1,2} + \dots + a_{in} r_{1,n} = c_{i,1}$
$a_{i1} r_{2,1} + a_{i2} r_{2,2} + \dots + a_{in} r_{2,n} = c_{i,2}$
$\vdots$
$a_{i1} r_{n,1} + a_{i2} r_{n,2} + \dots + a_{in} r_{n,n} = c_{i,n}$
where the $a_{ij}$ are chosen arbitrarily from the finite field $\mathbb{Z}_p$; by analogy $c_{2,1}, c_{2,2}, \dots, c_{2,n}, \dots, c_{n,1}, c_{n,2}, \dots, c_{n,n}$ are obtained. Writing the coefficients $a_{ij}$, the sub-blocks $r_{i,j}$ and the results $c_{i,j}$ in matrix form as A, R and C, the above system of linear equations is expressed as $A \times R = C$;
The matrix R is mixed a second time according to the following formula to obtain a new matrix C': $A \times R \times A = C'$;
B. The data encryption submodule encrypts the data to be stored to improve its security, performing the following operations:
The key generation function is called; from the value of each $a_{ij}$ and the security parameter λ entered by the user it outputs an encryption/decryption key pair $\{K_E, K_D\}$; the encryption key $K_E$ is shared with the compute cloud server $H_i$, and the decryption key $K_D$ is stored locally by the user;
The compute cloud server feeds each $a_{ij}$ into a pseudo-random sequence generator to generate a tag $Tag_{ij}$ in one-to-one correspondence with $a_{ij}$, and at the same time calls the homomorphic encryption function with the encryption key and the data value $V_{ij}$ corresponding to each $a_{ij}$ to generate the ciphertext $Z_{ij}$; clearly the $Tag_{ij}$ and $Z_{ij}$ form $n \times n$ matrices, denoted Tag and Z respectively. C' is mixed once with the Tag matrix to obtain C'': $Tag \times C' = C''$; C'' is then mixed a second time with the Z matrix to obtain C''': $C'' \times Z = C'''$. B virtual vectors are generated at random, where $B \ge 2n$, and inserted at random positions in C''' to obtain an $N_1 \times N_2$ matrix Q, where $N_1$ and $N_2$ are both greater than n; the virtual vectors conceal the true value of n and further enhance the security of the data;
C. The cloud storage submodule uploads the encrypted data to the storage cloud server: the obtained A, C, C', C'', C''', Q, Tag and Z, together with the specific random path used when inserting the virtual vectors into C''' to obtain Q and the virtual vectors themselves, are uploaded to the storage cloud server;
(2-3) The data recovery module recovers and retrieves stored data on request from a user; users here include legitimate users and illegitimate users;
(2-4) The data evaluation module supervises and evaluates the data classification process in the preprocessing module, the data segmentation and encryption processes in the data storage module and the classification matching process in the data recovery module, and provides data support for subsequent improvement; the data acquisition unit and the trusted data storage and recovery unit together build the trusted data provision platform and construct the overall trusted environment;
(3) The attack-response unit responds to the security attacks it is subjected to using active response technology and passive response technology. Active response includes cancelling connections, circuit-breaking responses, SYN packet reset responses and shielding internal hosts found to be abused; passive response refers to automatic notification: when an intrusion is detected the system sends an alert notification to the administrator and, in cooperation with the firewalls, routers, switches and anti-virus software, forms an integrated security system in which response and early warning complement each other, building a trusted attack-response system within the overall trusted environment;
(4) The expert support library collects all information from the security protection process and at the same time provides administrators with the knowledge and tools they need. It includes the compute cloud server, the storage cloud server and a local database, and is a support platform based on cloud servers. The expert support library also provides a trusted software system, which gives the operating system and application software an interface for using the trusted data platform, provides the trusted data platform with integrity measurements of subsequent software, and performs behaviour auditing and analysis of the specific behaviour of the uncontrolled operating system; the subsequent software includes the core loading software and the uncontrolled operating system software.
Preferably, the data recovery module includes a classification matching submodule and a matching fault-tolerance submodule: a. the classification matching submodule performs the following operations:
When the user sends a request to recover data r, the matrix Q, the random path used in generating Q and the virtual vectors are retrieved from the storage server, and the virtual vectors are rejected by reversing the random path to obtain the matrix $C'''_1$;
$C'''_1$ is compared with the C''' retrieved from the storage server; if they do not match an error is reported, and if they match the next step is entered;
From $C'''_1$, using the pre-written inverse functions and the matrices Z and Tag retrieved from the storage server, $C''_1$ and $C'_1$ are obtained and compared with C'' and C' respectively; a mismatch at either step reports an error, and after a successful match the next step is entered;
The matrix A is retrieved; on the one hand, by the invertibility of A, the stored data r is obtained from $R = A^{-1} C' A^{-1}$; on the other hand, A is decrypted by the pre-written decryption function to obtain a decryption key $K_D'$, which is compared with the decryption key $K_D$ stored locally; if $K_D'$ matches the locally stored $K_D$, the cloud server sends the obtained stored data r to the user, and r is thereby recovered;
b. The matching fault-tolerance submodule:
If $K_D'$ and $K_D$ cannot be matched, an error is reported and the obtained data r is retained for a set time t; if within time t the user matches the key again, r is sent directly to the user, otherwise r is discarded.
The invention has the following beneficial effects:
(1) Big data and cloud computing are combined like the two sides of one coin, with cloud computing as the support for handling big data problems;
(2) Providing a data preprocessing module to classify large-scale data effectively improves computational efficiency and reduces time cost;
(3) The data is first split evenly and each sub-block is then split again; since the value of any element of C is related not only to the j-th element of R but also to the other elements of R, the correlation is strong, and the pseudo-random function and the homomorphic encryption scheme are organically combined in the matrix encryption. To obtain the complete information of data r, a thief would have to crack not only the key and the random function but also obtain the value of every element of the matrix before all of the information could be recovered. Secure data storage and recovery in this encryption mode effectively prevents malicious unauthorised crackers from acquiring useful information about the security protection system, greatly strengthening the credibility of the security protection system;
(4) Inserting the randomly generated virtual vectors at random positions in the matrix C''' effectively conceals the true value of n and further increases the difficulty of decoding; this is particularly important for a scheme that splits the data evenly, and further increases the credibility of the security protection system;
(5) Each step of the data recovery process is compared with the stored data, reducing the error tolerance, and the recovered key must match the decryption key stored locally before the data can really be obtained; this is in essence a dynamic multiple trust measure. After a data recovery fails, the recovered data is not discarded immediately but retained temporarily, which reduces the computational load on the system.
Description of the drawings
The invention will be further described with reference to the accompanying drawings, but the embodiments in the drawings do not constitute any limitation on the present invention; those of ordinary skill in the art can obtain other drawings from the following drawings without creative work.
Fig. 1 is a structural block diagram of the big data information network adaptive security protection system based on trusted computing;
Fig. 2 is a structural block diagram of the trusted data storage and recovery unit.
Reference numerals: data acquisition unit 1; trusted data storage and recovery unit 2; attack-response unit 3; expert support library 4; data preprocessing module 21; data storage module 22; data recovery module 23; data evaluation module 24; data segmentation submodule 221; data encryption submodule 222; cloud storage submodule 223; classification matching submodule 231; matching fault-tolerance submodule 232.
Detailed description of the invention
The invention will be further described with the following examples.
As shown in Fig. 1, the big data information network adaptive security protection system based on trusted computing includes a data acquisition unit 1, a trusted data storage and recovery unit 2, an attack-response unit 3 and an expert support library 4.
(1) The data acquisition unit 1 authenticates the hardware nodes of the network over which information is carried, judges the credibility of the network hardware nodes and establishes a trust relationship for the gathered information. It gathers network security event information from everywhere on the network through a distributed acquisition system and, on the basis of the CDIF standard format, performs unified format conversion on the data collected from each device and system; the converted information format is defined as the unified event format for communication between the subsystems, which provides the basis for constructing a global trusted environment and builds the trusted data platform. The data acquisition unit is the starting point of the chain of trust and is provided with a data sending application; the trusted data storage and recovery unit, the expert database and the attack-response unit are provided with data receiving and sending applications. Data is transmitted by 3G, and after the 3G module is powered on the trusted data platform performs power-on detection of the above units and of the expert database;
(2) As shown in Fig. 2, the trusted data storage and recovery unit 2 includes a data preprocessing module 21, a data storage module 22, a data recovery module 23 and a data evaluation module 24: (2-1) the data preprocessing module 21 classifies the large-scale data collected by the data acquisition unit 1, performing the following two operations: the data is classified by K-means clustering and a directory is created for each class, named after its cluster centre; the above classification process is repeated to subdivide the data, forming sub-classes under each class and a multi-level directory of the data;
(2-2) The data storage module 22 includes a data segmentation submodule 221, a data encryption submodule 222 and a cloud storage submodule 223:
A. The data segmentation submodule 221 splits the data to be stored, performing the following operations:
When data r is to be stored, it is first divided locally into n parts $r_1, r_2, \dots, r_n$ of length h; then, in the finite field $\mathbb{Z}_p$, each $r_i$ is divided into n sub-blocks $r_{i,1}, r_{i,2}, \dots, r_{i,n}$, where $p > 2^h$, the j-th sub-block being $r_{i,j} = r_i \cdot (r_{i,1} \cdot r_{i,2} \cdots r_{i,j-1})^{-1} \bmod p$, where mod denotes the remainder operator;
Taking $\{r_{i,1}, r_{i,2}, \dots, r_{i,n-1}\}$ as the initial block set and mapping it to the set $\{p_1, p_2, \dots, p_n\}$, a linear correlation is built, expressed as the following system of linear equations:
$a_{i1} r_{1,1} + a_{i2} r_{1,2} + \dots + a_{in} r_{1,n} = c_{i,1}$
$a_{i1} r_{2,1} + a_{i2} r_{2,2} + \dots + a_{in} r_{2,n} = c_{i,2}$
$\vdots$
$a_{i1} r_{n,1} + a_{i2} r_{n,2} + \dots + a_{in} r_{n,n} = c_{i,n}$
where the $a_{ij}$ are chosen arbitrarily from the finite field $\mathbb{Z}_p$; by analogy $c_{2,1}, c_{2,2}, \dots, c_{2,n}, \dots, c_{n,1}, c_{n,2}, \dots, c_{n,n}$ are obtained. Writing the coefficients $a_{ij}$, the sub-blocks $r_{i,j}$ and the results $c_{i,j}$ in matrix form as A, R and C, the above system of linear equations is expressed as $A \times R = C$;
The matrix R is mixed a second time according to the following formula to obtain a new matrix C': $A \times R \times A = C'$;
B. The data encryption submodule 222 encrypts the data to be stored to improve its security, performing the following operations:
The key generation function is called; from the value of each $a_{ij}$ and the security parameter λ entered by the user it outputs an encryption/decryption key pair $\{K_E, K_D\}$; the encryption key $K_E$ is shared with the compute cloud server $H_i$, and the decryption key $K_D$ is stored locally by the user;
The compute cloud server feeds each $a_{ij}$ into a pseudo-random sequence generator to generate a tag $Tag_{ij}$ in one-to-one correspondence with $a_{ij}$, and at the same time calls the homomorphic encryption function with the encryption key and the data value $V_{ij}$ corresponding to each $a_{ij}$ to generate the ciphertext $Z_{ij}$; clearly the $Tag_{ij}$ and $Z_{ij}$ form $n \times n$ matrices, denoted Tag and Z respectively. C' is mixed once with the Tag matrix to obtain C'': $Tag \times C' = C''$; C'' is then mixed a second time with the Z matrix to obtain C''': $C'' \times Z = C'''$. B virtual vectors are generated at random, where $B \ge 2n$, and inserted at random positions in C''' to obtain an $N_1 \times N_2$ matrix Q, where $N_1$ and $N_2$ are both greater than n; the virtual vectors conceal the true value of n and further enhance the security of the data;
C. The cloud storage submodule 223 uploads the encrypted data to the storage cloud server: the obtained A, C, C', C'', C''', Q, Tag and Z, together with the specific random path used when inserting the virtual vectors into C''' to obtain Q and the virtual vectors themselves, are uploaded to the storage cloud server;
(2-3) The data recovery module 23 recovers and retrieves stored data on request from a user; it includes a classification matching submodule 231 and a matching fault-tolerance submodule 232, and users here include legitimate users and illegitimate users:
A. The classification matching submodule 231 performs the following operations:
When the user sends a request to recover data r, the matrix Q, the random path used in generating Q and the virtual vectors are retrieved from the storage server, and the virtual vectors are rejected by reversing the random path to obtain the matrix $C'''_1$;
$C'''_1$ is compared with the C''' retrieved from the storage server; if they do not match an error is reported, and if they match the next step is entered;
From $C'''_1$, using the pre-written inverse functions and the matrices Z and Tag retrieved from the storage server, $C''_1$ and $C'_1$ are obtained and compared with C'' and C' respectively; a mismatch at either step reports an error, and after a successful match the next step is entered;
The matrix A is retrieved; on the one hand, by the invertibility of A, the stored data r is obtained from $R = A^{-1} C' A^{-1}$; on the other hand, A is decrypted by the pre-written decryption function to obtain a decryption key $K_D'$, which is compared with the decryption key $K_D$ stored locally; if $K_D'$ matches the locally stored $K_D$, the cloud server sends the obtained stored data r to the user, and r is thereby recovered;
B. The matching fault-tolerance submodule 232:
If $K_D'$ and $K_D$ cannot be matched, an error is reported and the obtained data r is retained for a set time t; if within time t the user matches the key again, r is sent directly to the user, otherwise r is discarded;
(2-4) The data evaluation module 24 supervises and evaluates the data classification process in the data preprocessing module 21, the data segmentation and encryption processes in the data storage module 22 and the classification matching process in the data recovery module 23, and provides data support for subsequent improvement; the data acquisition unit and the trusted data storage and recovery unit together build the trusted data provision platform and construct the overall trusted environment;
(3) The attack-response unit 3 responds to the security attacks it is subjected to using active response technology and passive response technology. Active response includes cancelling connections, circuit-breaking responses, SYN packet reset responses and shielding internal hosts found to be abused; passive response refers to automatic notification: when an intrusion is detected the system sends an alert notification to the administrator and, in cooperation with the firewalls, routers, switches and anti-virus software, forms an integrated security system in which response and early warning complement each other, building a trusted attack-response system within the overall trusted environment;
(4) The expert support library 4 collects all information from the security protection process and at the same time provides administrators with the knowledge and tools they need. It includes the compute cloud server, the storage cloud server and a local database, and is a support platform based on cloud servers. The expert support library also provides a trusted software system, which gives the operating system and application software an interface for using the trusted data platform, provides the trusted data platform with integrity measurements of subsequent software, and performs behaviour auditing and analysis of the specific behaviour of the uncontrolled operating system; the subsequent software includes the core loading software and the uncontrolled operating system software.
In the network adaptive security protection system of this embodiment: (1) big data and cloud computing are combined like the two sides of one coin, with cloud computing as the support for handling big data problems;
(2) Providing the data preprocessing module 21 to classify large-scale data effectively improves computational efficiency and reduces time cost;
(3) The data is first split evenly and each sub-block is then split again; since the value of any element of C is related not only to the j-th element of R but also to the other elements of R, the correlation is strong, and the pseudo-random function and the homomorphic encryption scheme are organically combined in the matrix encryption. To obtain the complete information of data r, a thief would have to crack not only the key and the random function but also obtain the value of every element of the matrix before all of the information could be recovered. Secure data storage and recovery in this encryption mode effectively prevents malicious unauthorised crackers from acquiring useful information about the security protection system, greatly strengthening the credibility of the security protection system;
(4) Inserting the randomly generated virtual vectors at random positions in the matrix C''' effectively conceals the true value of n and further increases the difficulty of decoding; this is particularly important for a scheme that splits the data evenly, and further increases the credibility of the security protection system;
(5) Each step of the data recovery process is compared with the stored data, reducing the error tolerance, and the recovered key must match the decryption key stored locally before the data can really be obtained; this is in essence a dynamic multiple trust measure. After a data recovery fails, the recovered data is not discarded immediately but retained temporarily, which reduces the computational load on the system.
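As an added example (not part of the patent or its embodiment), the following Python carries the segmentation, encryption and classification-matching steps of submodules 221, 222 and 231 through on constructed data, with the stepwise comparisons that benefit (5) describes. It assumes: R is taken directly as a constructed n × n matrix of field elements (the per-sub-block derivation is not reproduced); Tag and Z are stand-in random invertible matrices, since the pseudo-random tag and homomorphic ciphertext generation are not specified in detail; the key pair {K_E, K_D} and the fault-tolerance timer are omitted; and the layout of the "random path" is an assumed one.

```python
# Added example (not from the patent): matrix mixing over Z_p, virtual-vector
# padding and step-by-step checked recovery as described above.
import random

P = 2**61 - 1  # constructed prime modulus; the page only requires p > 2^h

def mat_mul(X, Y, p=P):
    """Product of X (n x m) and Y (m x k) over Z_p."""
    return [[sum(X[i][t] * Y[t][j] for t in range(len(Y))) % p
             for j in range(len(Y[0]))] for i in range(len(X))]

def mat_inv(M, p=P):
    """Gauss-Jordan inverse over Z_p; raises ValueError if M is singular."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col] % p), None)
        if piv is None:
            raise ValueError("singular matrix")
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, p)
        aug[col] = [x * inv % p for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [(x - aug[r][col] * y) % p for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def random_invertible(n, rng, p=P):
    while True:
        M = [[rng.randrange(p) for _ in range(n)] for _ in range(n)]
        try:
            return mat_inv(M, p) and M  # M is returned once its inverse exists
        except ValueError:
            continue

def pad_virtual(C3, B, rng, p=P):
    """Insert B virtual rows/columns into C''' at random positions to form Q. The
    'random path' is (axis, index, vector) entries undone in reverse (assumed layout)."""
    Q, path = [row[:] for row in C3], []
    for k in range(B):
        if k % 2 == 0:  # alternate rows and columns so both dimensions of Q exceed n
            idx = rng.randrange(len(Q) + 1)
            vec = [rng.randrange(p) for _ in Q[0]]
            Q.insert(idx, vec)
            path.append(("row", idx, vec))
        else:
            idx = rng.randrange(len(Q[0]) + 1)
            vec = [rng.randrange(p) for _ in Q]
            for row, v in zip(Q, vec):
                row.insert(idx, v)
            path.append(("col", idx, vec))
    return Q, path

def strip_virtual(Q, path):
    """Reverse the random path to reject the virtual vectors and recover C'''."""
    M = [row[:] for row in Q]
    for axis, idx, _vec in reversed(path):
        if axis == "row":
            del M[idx]
        else:
            for row in M:
                del row[idx]
    return M

def store(R, A, B, rng, p=P):
    """Segmentation + encryption submodules: C' = A R A, C'' = Tag C', C''' = C'' Z, then
    pad to Q. Tag and Z stand in for the PRG tag and homomorphic ciphertext matrices."""
    n = len(R)
    Tag, Z = random_invertible(n, rng, p), random_invertible(n, rng, p)
    C1 = mat_mul(mat_mul(A, R, p), A, p)
    C2 = mat_mul(Tag, C1, p)
    C3 = mat_mul(C2, Z, p)
    Q, path = pad_virtual(C3, B, rng, p)
    # The record below is what the page lists as uploaded to the storage cloud server.
    return {"A": A, "C1": C1, "C2": C2, "C3": C3, "Q": Q, "Tag": Tag, "Z": Z, "path": path}

def recover(stored, p=P):
    """Classification matching: undo each layer, compare it with the stored copy
    (C''' first, then C'', then C'), and abort at the first mismatch."""
    C3_1 = strip_virtual(stored["Q"], stored["path"])
    C2_1 = mat_mul(C3_1, mat_inv(stored["Z"], p), p)
    C1_1 = mat_mul(mat_inv(stored["Tag"], p), C2_1, p)
    for name, got in (("C3", C3_1), ("C2", C2_1), ("C1", C1_1)):
        if got != stored[name]:
            raise ValueError(name + " mismatch: stored record altered")
    A_inv = mat_inv(stored["A"], p)
    return mat_mul(mat_mul(A_inv, C1_1, p), A_inv, p)  # R = A^-1 C' A^-1

def demo(seed=7, n=3):
    rng = random.Random(seed)
    R = [[rng.randrange(P) for _ in range(n)] for _ in range(n)]  # constructed sub-blocks
    stored = store(R, random_invertible(n, rng), B=2 * n, rng=rng)
    tampered = dict(stored, C3=[row[:] for row in stored["C3"]])
    tampered["C3"][0][0] ^= 1  # one altered element in the stored C'''
    try:
        recover(tampered)
        detected = False
    except ValueError:
        detected = True
    return recover(stored) == R, detected, len(stored["Q"]), len(stored["Q"][0])
```

Since the description has A uploaded to the same storage server as C', the A × R × A step here is an invertible encoding that anyone holding the stored record can undo; the confidentiality the scheme claims rests on the key-dependent steps, which this example does not model.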
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit its scope of protection; although the present invention has been explained in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the present invention may be modified or equivalently replaced without departing from the substance and scope of the technical solution of the present invention.

Claims (2)

1. A big data information network adaptive security protection system based on trusted computing, characterized in that it includes a data acquisition unit, a trusted data storage and recovery unit, an attack-response unit and an expert support library;
(1) The data acquisition unit authenticates the hardware nodes of the network over which information is carried, judges the credibility of the network hardware nodes and establishes a trust relationship for the gathered information. It gathers network security event information from everywhere on the network through a distributed acquisition system and, on the basis of the CDIF standard format, performs unified format conversion on the data collected from each device and system; the converted information format is defined as the unified event format for communication between the subsystems, which provides the basis for constructing a global trusted environment and builds the trusted data platform. The data acquisition unit is the starting point of the chain of trust and is provided with a data sending application; the trusted data storage and recovery unit, the expert database and the attack-response unit are provided with data receiving and sending applications. Data is transmitted by 3G, and after the 3G module is powered on the trusted data platform performs power-on detection of the above units and of the expert database;
(2) The trusted data storage and recovery unit ensures that data cannot be obtained arbitrarily, and comprises a data preprocessing module, a data storage module, a data recovery module and a data evaluation module:
(2-1) The data preprocessing module classifies the large-scale data collected by the data acquisition unit and performs the following operations: the data are classified by K-means clustering; a directory named after the cluster centre is created for each class; the classification process is repeated to subdivide the data into subclasses under each class, forming a multi-level data directory and producing measurable, quantized data;
(2-2) The data storage module is a trusted data storage module containing cryptographic operations; it guarantees the trusted state of the system and its data by means of key technology, hardware access control technology and storage encryption technology, and by means of software digital signature technology it enables the system to recognise application programs that a third party may have modified to add spyware. It comprises a data segmentation submodule, a data encryption submodule and a cloud storage submodule:
A. The data segmentation submodule splits the data to be stored and performs the following operations:
When data $r$ is to be stored, it is first divided locally into $n$ parts $r_1, r_2, \ldots, r_n$, each of length $h$; then, in the finite field $\mathbb{Z}_p$ with $p > 2^h$, each $r_i$ is divided into $n$ sub-blocks $r_{i,1}, r_{i,2}, \ldots, r_{i,n}$, where the $j$-th sub-block is
$$r_{i,j} = r_i \cdot \left(r_{i,1} \cdot r_{i,2} \cdots r_{i,j-1}\right)^{-1} \bmod p,$$
and $\bmod$ denotes the modulo operator (so that the product $r_{i,1} \cdot r_{i,2} \cdots r_{i,j}$ equals $r_i$ modulo $p$);
The set $\{r_{i,1}, r_{i,2}, \ldots, r_{i,n-1}\}$ is taken as the initial block set and mapped to the set $\{p_1, p_2, \ldots, p_n\}$ to build a linear relation, expressed by the following system of linear equations:
$$a_{i1} r_{1,1} + a_{i2} r_{1,2} + \cdots + a_{in} r_{1,n} = c_{i,1}$$
$$a_{i1} r_{2,1} + a_{i2} r_{2,2} + \cdots + a_{in} r_{2,n} = c_{i,2}$$
$$\cdots$$
$$a_{i1} r_{n,1} + a_{i2} r_{n,2} + \cdots + a_{in} r_{n,n} = c_{i,n}$$
where the coefficients $a_{ij}$ are chosen arbitrarily from $\mathbb{Z}_p$, and $c_{2,1}, c_{2,2}, \ldots, c_{2,n}, \ldots, c_{n,1}, c_{n,2}, \ldots, c_{n,n}$ are obtained in the same way. Writing the dependency in matrix form, with $A$, $R$ and $C$ denoting the $n \times n$ matrices of the coefficients $a_{ij}$, the sub-blocks and the values $c_{i,j}$ respectively, the above system is expressed as $A \times R = C$;
Matrix $R$ is then mixed a second time as follows to obtain a new matrix $C'$: $A \times R \times A = C'$;
B. The data encryption submodule encrypts the data to be stored in order to improve data security and performs the following operations:
The key generation function is called; from the values $a_{ij}$ and a security parameter $\lambda$ entered by the user it outputs a key pair $\{K_E, K_D\}$; the encryption key $K_E$ is shared with the computing cloud server $H_i$, and the decryption key $K_D$ is kept locally by the user;
The computing cloud server feeds each $a_{ij}$ into a pseudo-random sequence generator to produce a tag $\mathrm{Tag}_{ij}$ in one-to-one correspondence with $a_{ij}$, and at the same time calls the homomorphic encryption function with the encryption key and the data value $V_{ij}$ corresponding to each $a_{ij}$ to produce the ciphertext $Z_{ij}$; $\mathrm{Tag}_{ij}$ and $Z_{ij}$ each form an $n \times n$ matrix, denoted $\mathrm{Tag}$ and $Z$ respectively. $C'$ is first mix-encrypted with the Tag matrix to obtain $C''$: $\mathrm{Tag} \times C' = C''$; then $C''$ is mix-encrypted a second time with the $Z$ matrix to obtain $C'''$: $C'' \times Z = C'''$. $B$ virtual vectors are generated at random, with $B \geq 2n$, and inserted into $C'''$ at random positions, giving an $N_1 \times N_2$ matrix $Q$ with $N_1 > n$ and $N_2 > n$; the virtual vectors conceal the true value of $n$ and further enhance the security of the data;
C. The cloud storage submodule uploads the encrypted data to the storage cloud server: the obtained $A$, $C$, $C'$, $C''$, $C'''$, $Q$, $\mathrm{Tag}$, $Z$, and the specific random walk (the insertion positions of the virtual vectors) used when $Q$ was obtained from $C'''$ are uploaded to the storage cloud server;
(2-3) The data recovery module recovers and retrieves the stored data according to a user's request; the users referred to here include both legitimate and illegitimate users;
(2-4) The data evaluation module supervises and evaluates the data classification process of the preprocessing module, the data segmentation and encryption processes of the data storage module, and the classification matching process of the data recovery module, and provides data to support subsequent improvement; the overall trusted environment is built jointly by the data acquisition unit, the trusted data storage and recovery unit and the data evaluation module;
(3) The attack response unit responds to the security attacks it is subjected to using active and passive response techniques. Active response includes terminating connections, circuit-breaking responses, SYN packet reset responses and blocking hosts on which internal abuse occurs; passive response means automatic notification: when an intrusion is detected, the system sends an alert to the administrator and, together with firewalls, routers, switches and anti-virus software, forms an integrated security system in which response and early warning complement each other, establishing a trusted attack response system on top of the constructed overall trusted environment;
(4) The expert support library collects all information produced by the security protection process and at the same time provides administrators with the knowledge and tools they need; it comprises the computing cloud server, the storage cloud server and a local database, and is a support platform based on cloud servers. The expert support library also provides a trusted software system, which gives the operating system and application software an interface for using the trusted data platform, provides the trusted data platform with integrity measurements of subsequently loaded software, and performs behaviour auditing and analysis of specific behaviours of the uncontrolled operating system; the subsequently loaded software includes the core loading software and the uncontrolled operating system software.
2. The big-data information network adaptive security protection system based on trusted computing according to claim 1, characterized in that the data recovery module comprises a classification matching submodule and a matching fault-tolerance submodule:
a. The classification matching submodule performs the following operations:
The user sends a request to recover data $r$; the matrix $Q$, the random walk used to generate $Q$ and the virtual vectors are recalled from the storage server, and the virtual vectors are removed in reverse according to the random walk to obtain the matrix $C'''_1$;
$C'''_1$ is compared with the $C'''$ recalled from the storage server; if they do not match, an error is reported; if they match, the next step is entered;
From $C'''_1$, using the pre-written inverse function together with the matrices $Z$ and $\mathrm{Tag}$ recalled from the storage server, $C''_1$ and $C'_1$ are obtained in turn and compared with $C''$ and $C'$ respectively; a mismatch at either step reports an error, and after a successful match the next step is entered;
Matrix $A$ is recalled; on the one hand, using the invertibility of $A$, the stored data $r$ is obtained from $R = A^{-1} C' A^{-1}$; on the other hand, $A$ is decrypted with the pre-prepared decryption function to obtain a decryption key $K_D'$, which is compared with the locally stored decryption key $K_D$; if $K_D'$ matches $K_D$, the cloud server sends the computed stored data $r$ to the user, and $r$ is thereby recovered;
b. The matching fault-tolerance submodule: if $K_D'$ and $K_D$ do not match, an error is reported and the obtained data $r$ is kept; if the user matches the key again within the set time $t$, $r$ is sent directly to the user; otherwise $r$ is discarded.
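The storage pipeline of claim 1 (A)-(C) and the step-by-step recovery of claim 2, including the hold-for-time-t behaviour of the matching fault-tolerance submodule and the withholding described in step (5) of the description, as an added worked example in Python. This is not code from the patent. Everything the claims leave unspecified is an assumption here and is marked ASSUMED in the code: the prime p = 257 with one-byte parts r_i (the claim only requires p > 2^h), a hash used as the pseudo-random generator for Tag and as a stand-in for the key generation function, a random invertible matrix standing in for the homomorphic ciphertexts Z_ij, Tag and Z kept invertible by retrying singular draws (the claim relies on an inverse function without saying how reversibility is guaranteed), and the virtual vectors placed as n+1 fake rows and n+1 fake columns with the real positions recorded as the "random walk". All function and class names are this example's own.

```python
"""Toy run of the matrix-mixing storage/recovery pipeline of claims 1-2 over Z_p (added example; ASSUMED marks gaps in the claims)."""
import hashlib, math, secrets, time

P = 257                        # ASSUMED prime; claim 1 needs p > 2^h, here h = 8 (one-byte parts r_i)
_rng = secrets.SystemRandom()

def mat_mul(X, Y, p=P):
    return [[sum(X[i][t] * Y[t][j] for t in range(len(Y))) % p for j in range(len(Y[0]))] for i in range(len(X))]

def mat_inv(M, p=P):
    """Gauss-Jordan inverse over Z_p; raises ValueError when M is singular."""
    n = len(M)
    aug = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c]), None)
        if piv is None:
            raise ValueError("singular matrix")
        aug[c], aug[piv] = aug[piv], aug[c]
        aug[c] = [v * pow(aug[c][c], -1, p) % p for v in aug[c]]
        for r in range(n):
            if r != c and aug[r][c]:
                aug[r] = [(a - aug[r][c] * b) % p for a, b in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def invertible_from(seed: bytes, n: int, p=P):
    """ASSUMED: hash-as-PRG from a seed to an invertible n x n matrix; the counter retries singular draws."""
    for ctr in range(256):
        d = hashlib.shake_256(seed + bytes([ctr])).digest(2 * n * n)
        M = [[int.from_bytes(d[2 * k:2 * k + 2], "big") % p for k in range(i * n, i * n + n)] for i in range(n)]
        try:
            mat_inv(M, p)
        except ValueError:
            continue
        return M
    raise RuntimeError("no invertible matrix found")

def split(data: bytes, p=P):
    """Claim 1 (A): r_i,1..r_i,n-1 random non-zero, r_i,n = r_i * (r_i,1 ... r_i,n-1)^-1 mod p."""
    n, R = len(data), []
    for r_i in data:
        row = [_rng.randrange(1, p) for _ in range(n - 1)]
        R.append(row + [r_i * pow(math.prod(row), -1, p) % p])
    return R

def join(R, p=P) -> bytes:
    return bytes(math.prod(row) % p for row in R)   # the product of a row's sub-blocks is r_i

def derive_kd(A, lam: bytes) -> bytes:
    return hashlib.sha256(b"K_D" + lam + repr(A).encode()).digest()   # ASSUMED stand-in for key generation

def pad_virtual(M, p=P):
    """Insert n+1 random rows and n+1 random columns (B = 2n+2 virtual vectors); 'walk' = real positions."""
    n, N = len(M), 2 * len(M) + 1
    rows, cols = sorted(_rng.sample(range(N), n)), sorted(_rng.sample(range(N), n))
    Q = [[_rng.randrange(p) for _ in range(N)] for _ in range(N)]
    for i, ri in enumerate(rows):
        for j, cj in enumerate(cols):
            Q[ri][cj] = M[i][j]
    return Q, (rows, cols)

def store(data: bytes, lam: bytes, p=P):
    """Claim 1 (A)-(C): returns everything uploaded to the storage cloud server and the user's local K_D."""
    R = split(data, p)
    A = invertible_from(secrets.token_bytes(16), len(data), p)     # a_ij from Z_p, kept invertible
    C = mat_mul(A, R, p)                                           # A x R = C
    C1 = mat_mul(C, A, p)                                          # A x R x A = C'
    Tag = invertible_from(b"tag" + repr(A).encode(), len(data), p) # Tag_ij one-to-one with a_ij
    Z = invertible_from(secrets.token_bytes(16), len(data), p)     # ASSUMED stand-in for ciphertexts Z_ij
    C2 = mat_mul(Tag, C1, p)                                       # Tag x C' = C''
    C3 = mat_mul(C2, Z, p)                                         # C'' x Z = C'''
    Q, walk = pad_virtual(C3, p)
    return dict(A=A, C=C, C1=C1, C2=C2, C3=C3, Q=Q, Tag=Tag, Z=Z, walk=walk), derive_kd(A, lam)

def recover(blob, lam: bytes, kd_local: bytes, p=P):
    """Claim 2 (a): peel each layer, comparing with the stored copy (ValueError on mismatch); (r, None) or (None, r)."""
    C3_1 = [[blob["Q"][ri][cj] for cj in blob["walk"][1]] for ri in blob["walk"][0]]  # strip virtual vectors
    if C3_1 != blob["C3"]:
        raise ValueError("C''' mismatch")
    C2_1 = mat_mul(C3_1, mat_inv(blob["Z"], p), p)                 # undo C'' x Z
    C1_1 = mat_mul(mat_inv(blob["Tag"], p), C2_1, p)               # undo Tag x C'
    if C2_1 != blob["C2"] or C1_1 != blob["C1"]:
        raise ValueError("C'' or C' mismatch")
    A_inv = mat_inv(blob["A"], p)
    r = join(mat_mul(mat_mul(A_inv, C1_1, p), A_inv, p), p)        # R = A^-1 C' A^-1
    return (r, None) if derive_kd(blob["A"], lam) == kd_local else (None, r)   # key gates release only

class MatchFaultTolerant:
    """Claim 2 (b): a withheld r is kept for t seconds; a matching retry within t releases it, later it is dropped."""
    def __init__(self, t_seconds: float, clock=time.monotonic):
        self.t, self.clock, self.held = t_seconds, clock, {}
    def hold(self, req_id: str, r: bytes):
        self.held[req_id] = (r, self.clock() + self.t)
    def retry(self, req_id: str, kd_prime: bytes, kd_local: bytes):
        r, deadline = self.held.get(req_id, (None, 0.0))
        if r is None or self.clock() > deadline:
            self.held.pop(req_id, None)                            # past t (or never held): r is discarded
            return None
        return self.held.pop(req_id)[0] if kd_prime == kd_local else None
```

Calling store() and then recover() with the local K_D returns the original bytes; with a wrong key it returns the data in the withheld slot instead, because the key comparison of claim 2 gates release, not computation, which is exactly what the fault-tolerance submodule then holds for time t. Changing any real cell of Q makes the first comparison fail before any inverse is applied, which is the per-step check the claim describes. The returned blob also makes visible what the algebra already implies: A and C are both uploaded and R = A^{-1} C, so whoever holds the storage server's copy can reconstruct the sub-blocks without K_D; in this construction the layered matrices act as consistency checks rather than as confidentiality against the storage server.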

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610550122.7A CN106209850B (en) 2016-07-13 2016-07-13 Big data information network self-adaptive safety protection system based on trusted computing

Publications (2)

Publication Number Publication Date
CN106209850A (en) 2016-12-07
CN106209850B (en) 2017-03-22

Family

ID=57477819

Country Status (1)

Country Link
CN (1) CN106209850B (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106911716A (en) * 2017-04-14 2017-06-30 中国民航大学 RSA-Hill mixed encryption method based on plaintext random division
CN106911716B (en) * 2017-04-14 2020-05-01 中国民航大学 RSA-Hill mixed encryption method based on plaintext random segmentation
CN107302546A (en) * 2017-08-16 2017-10-27 北京奇虎科技有限公司 Big data platform secure access system, method and electronic device
CN108200067A (en) * 2018-01-05 2018-06-22 国网山东省电力公司聊城供电公司 Big data information network adaptive security protection system based on trusted computing
CN109379373A (en) * 2018-11-23 2019-02-22 中国电子科技网络信息安全有限公司 Cloud security assessment system and method
CN110034855A (en) * 2019-04-10 2019-07-19 国网辽宁省电力有限公司 Information transmission check method and system
CN110034855B (en) * 2019-04-10 2021-12-14 国网辽宁省电力有限公司 Information transmission checking method and system
CN112272185A (en) * 2020-10-30 2021-01-26 江苏智云领创信息咨询有限公司 Method for sharing computer information and mobile terminal data
CN113301011A (en) * 2021-04-13 2021-08-24 麦荣章 Information security management system based on cloud service

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101064596A (en) * 2006-04-28 2007-10-31 富士通株式会社 Data protection system, method, and program
US20130111218A1 (en) * 2011-10-31 2013-05-02 Spectra Logic Corporation Encryption redundancy in a storage element array
CN105516340A (en) * 2015-12-30 2016-04-20 中国农业大学 Cloud storage data recoverability verification method and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C41 Transfer of patent application or patent right or utility model
CB03 Change of inventor or designer information

Inventor after: Chen Zubin, Tang Lingli, Huang Lianyue, Zheng Junming, Chen Yongming, Chen Jianhao, Song Junhao, He Zhongzhu, Xie Ming, Hu Jijun, Weng Xiaoyun, Yuan Yong, Deng Gefeng, Mo Yinghong, Xie Jing, Zhang Peng

Inventor before: Chen Zubin, Tang Lingli, Huang Lianyue, Zheng Junming, Chen Yongming, Chen Jianhao, Song Junhao, Xie Ming, Hu Jijun, Weng Xiaoyun, Yuan Yong, Deng Gefeng, Mo Yinghong, Xie Jing, Zhang Peng

COR Change of bibliographic data
TA01 Transfer of patent application right

Effective date of registration: 20170203

Address after: 530000 Xingning, Nanning District, democratic road, No. 6,

Applicant after: GUANGXI POWER GRID CO., LTD.

Address before: 530000 Xingning, Nanning District, democratic road, No. 6,

Applicant before: He Zhongzhu

C14 Grant of patent or utility model
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Big data information network self-adaptive safety protection system based on trusted computing

Effective date of registration: 20180420

Granted publication date: 20170322

Pledgee: China Construction Bank Corp Nanning democratic sub branch

Pledgor: GUANGXI POWER GRID CO., LTD.

Registration number: 2018990000304

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20170322

Termination date: 20200713