Big data information network adaptive security guard system based on trust computing
Technical field
The present invention relates to the field of big data, and in particular to a big data information network adaptive security guard system based on trust computing.
Background technology
In recent years, the rapid development of information technology and the sparks produced by its collision with every trade and profession have brought unprecedented changes to people's lives and modes of production, and the development of information technology has accordingly attracted great attention in every field and industry. Among the many emerging technologies, cloud computing and big data are the two most typical and most closely followed representatives; the cloud big data platform that combines the two has increasingly become a focus of attention in the scientific and technical sphere and penetrates ever further into real life, and protection of the security and privacy of this cloud big data platform has in turn become the guarantee of its value.
Regarding the concept of trust computing, the ISO/IEC 15408 standard gives the following definition: the behaviour of a trusted component, operation or process is predictable under any operating condition, and can well resist the damage caused by application software, viruses and certain physical interference. The basic idea of trust computing is to introduce a security chip (trusted platform module) on the hardware platform to improve the security of the terminal system, that is, a root of trust is implanted in each terminal platform, allowing the computer to build a trust relationship from the BIOS to the operating system kernel layer and then to the application layer; on this basis, the relationship is extended to the network and a corresponding chain of trust is established, thus entering the era of computer immunity. When a terminal is attacked, it is capable of self-protection, self-management and self-recovery.
Trust computing is the wide use, in computing and communication systems, of a trusted computing platform supported by a hardware security module, in order to improve the overall security of the system. Trust computing was born for behavioural security, and behavioural security should include features such as the confidentiality of behaviour, the integrity of behaviour and the authenticity of behaviour. Trust computing comprises five core concepts, namely keys, secure input/output, memory shielding, etc.; among these the key is the most important item of a trusted system, and the security of data storage and of the key during recovery is the basic guarantee of the whole trusted security guard system.
The content of the invention
In view of the above problems, the present invention provides a big data information network adaptive security guard system based on trust computing.
The object of the present invention is achieved by the following technical solutions:
A big data information network adaptive security guard system based on trust computing, characterised in that it includes a data acquisition unit, a trust data storage and recovery unit, an attack-response unit and an expert support library;
(1) the data acquisition unit authenticates the hardware nodes in the information network, judges the credibility of the network hardware nodes, establishes the trust relationship of the gathered information, gathers network security event information from all parts of the network through a distributed acquisition system, performs unified format conversion of the data collected from each device and system on the basis of the CDIF reference format, and defines the converted information format as the unified event format for communication between the subsystems, thereby providing the basis for the construction of a global trust environment and building a trust data platform; the data acquisition unit is the starting point of the chain of trust and is provided with a data sending application program; the trust data storage and recovery unit, the expert support library and the attack-response unit are provided with data receiving and sending application programs; data is transmitted by 3G, and after the 3G module is powered on the trust data platform performs power-on detection of each of the above units and the expert support library;
(2) the trust data storage and recovery unit includes a data preprocessing module, a data storage module, a data recovery module and a data evaluation module: (2-1) the data preprocessing module classifies the large-scale data collected by the data acquisition unit and specifically performs the following two operations: classifying the data by K-means clustering and setting up a catalogue for each class, named after the cluster centre; repeating the above classification process to subdivide the data, forming sub-classes under each class, forming a multi-level catalogue of the data and producing measurable, quantised data;
(2-2) the data storage module is a trust data storage module containing cryptographic operations; it ensures the trusted state of the system and the data through key technology, hardware access control technology and storage encryption technology, and through software digital signature technology enables the system to recognise application programs that have been modified by third parties and may have had spyware added; it includes a data segmentation submodule, a data encryption submodule and a cloud storage submodule:
A, the data segmentation submodule splits the data to be stored and specifically performs the following operations:
When data r needs to be stored, r is first divided locally into n parts $r_1, r_2, \ldots, r_n$, each of length h; then, in the finite field $Z_p$, each $r_i$ is divided into n sub-blocks $r_{i,1}, r_{i,2}, \ldots, r_{i,n}$, where $p > 2^h$, and the j-th sub-block satisfies $r_{i,j} = r_i \cdot (r_{i,1} \cdot r_{i,2} \cdots r_{i,j-1})^{-1} \bmod p$, where mod denotes the modulo operator;
$\{r_{i,1}, r_{i,2}, \ldots, r_{i,n-1}\}$ is set as the initial block set and mapped to the set $\{p_1, p_2, \ldots, p_n\}$ to build a linear correlation, represented by the following system of linear equations:
$a_{i1} r_{1,1} + a_{i2} r_{1,2} + \cdots + a_{in} r_{1,n} = c_{i,1}$
$a_{i1} r_{2,1} + a_{i2} r_{2,2} + \cdots + a_{in} r_{2,n} = c_{i,2}$
$\cdots$
$a_{i1} r_{n,1} + a_{i2} r_{n,2} + \cdots + a_{in} r_{n,n} = c_{i,n}$
where the $a_{ij}$ are chosen arbitrarily from the finite field $Z_p$; by analogy $c_{2,1}, c_{2,2}, \ldots, c_{2,n}, \ldots, c_{n,1}, c_{n,2}, \ldots, c_{n,n}$ are obtained, and the dependency relation is written in matrix form, so that the above system of linear equations is expressed as $A \times R = C$;
Matrix R is then mixed a second time according to the following formula to obtain a new matrix C': $A \times R \times A = C'$;
B, the data encryption submodule encrypts the data to be stored to improve its security and specifically performs the following operations:
The key generation function is called; according to the value of each $a_{ij}$ and the value of the security parameter λ input by the user, it outputs the key pair $\{K_E, K_D\}$; the encryption key $K_E$ is shared with the computing cloud server $H_i$, and the decryption key $K_D$ is stored locally at the user;
The computing cloud server inputs $a_{ij}$ into a pseudo-random sequence generator to generate a tag $Tag_{ij}$ in one-to-one correspondence with $a_{ij}$, and at the same time calls the homomorphic encryption function with the encryption key and the data value $V_{ij}$ corresponding to each $a_{ij}$ as input to generate the ciphertext $Z_{ij}$; it is readily seen that the $Tag_{ij}$ and the $Z_{ij}$ form n × n matrices, denoted Tag and Z respectively; a first mixed encryption of C' is performed with the Tag matrix according to the following formula to obtain C'': $Tag \times C' = C''$; then a second mixed encryption of C'' is performed with the Z matrix according to the following formula to obtain C''': $C'' \times Z = C'''$; B virtual vectors are generated at random, where B ≥ 2n, and are randomly arranged in C''' to obtain an $N_1 \times N_2$ matrix Q, where $N_1$ and $N_2$ are both greater than n; the virtual vectors serve to mask the real value of n and further enhance the security of the data;
C, the cloud storage submodule uploads the encrypted data to the storage cloud server: the obtained A, C, C', C'', C''', Q, Tag and Z, the specific random path used when obtaining matrix Q from C''', and the virtual vectors are uploaded to the storage cloud server;
(2-3) the data recovery module recovers and retrieves the stored data according to the user's request and includes a classification matching submodule and a matching fault-tolerant submodule; the users referred to here include legitimate users and illegitimate users:
A, the classification matching submodule specifically performs the following operations:
The user sends a request to recover data r; matrix Q, together with the random path and the virtual vectors used when generating matrix Q, is recalled from the storage server, and the virtual vectors are removed in reverse according to the random path to obtain matrix $C'''_1$;
$C'''_1$ is compared with the C''' recalled from the storage server; if they do not match an error is reported, and if they match the next step is entered;
From $C'''_1$, using the inverse function written in advance and the matrices Z and Tag recalled from the storage server, $C''_1$ and $C'_1$ are obtained in turn and compared with C'' and C' respectively; if any step does not match an error is reported, and after successful matching the next step is entered;
Matrix A is recalled; on the one hand, by the invertibility of matrix A, the stored data r is obtained from $R = A^{-1} C' A^{-1}$; on the other hand, A is decrypted by the decryption function prepared in advance to obtain the decryption key $K_D'$, and $K_D'$ is compared with the locally stored decryption key $K_D$; if $K_D'$ matches the locally stored decryption key $K_D$, the cloud server sends the obtained stored data r to the user, and data r is thus recovered;
B, the matching fault-tolerant submodule:
If $K_D'$ cannot be matched with $K_D$, an error is reported and the obtained data r is retained for a set time t; if within time t the user matches the key again, data r is sent directly to the user, otherwise data r is discarded;
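The segmentation (2-2)A, matrix encryption (2-2)B, cloud storage (2-2)C and classification matching recovery (2-3)A steps above, carried through end to end over $Z_p$ as an added example in Python; this is not the patent's own code. The page leaves several points open, and the example fills them with labelled assumptions: p is the Mersenne prime $2^{61}-1$ (any $p > 2^h$ would do), SHA-256 serves as the key generation function and as the pseudo-random sequence generator, a keyed hash stands in for the homomorphic ciphertexts $Z_{ij}$, the sub-block formula is applied to the n-th sub-block so that the product of each row of R is $r_i$, the $a_{ij}$ are redrawn until A, Tag and Z are invertible (recovery needs their inverses), B = 2n virtual rows and columns are used, and the storage cloud server is modelled as an in-memory record.

```python
import hashlib
import math
import secrets

P = 2**61 - 1   # constructed prime modulus p (the page only requires p > 2^h)
H_BYTES = 7     # each part r_i holds h = 56 bits, so p > 2^h
_rng = secrets.SystemRandom()


def matmul(X, Y, p=P):
    """Matrix product over Z_p."""
    return [[sum(X[i][t] * Y[t][j] for t in range(len(Y))) % p
             for j in range(len(Y[0]))] for i in range(len(X))]


def matinv(M, p=P):
    """Gauss-Jordan inverse over Z_p; raises ValueError if M is singular."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col] % p), None)
        if piv is None:
            raise ValueError("singular matrix")
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, p)
        aug[col] = [x * inv % p for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % p for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def keygen(A, lam):
    """Key pair {K_E, K_D} from the a_ij values and security parameter lambda (assumed KDF)."""
    d = hashlib.sha256(repr(A).encode() + lam.to_bytes(4, "big")).digest()
    return d[:16], d[16:]


def prf(key, *vals):
    """Keyed pseudo-random value in Z_p (SHA-256 stands in for the page's generator)."""
    return int.from_bytes(hashlib.sha256(key + repr(vals).encode()).digest(), "big") % P


def split(r, n):
    """(2-2)A: n parts r_i of h bits, each split into n sub-blocks whose product is r_i mod p."""
    r = r.ljust(n * H_BYTES, b"\0")
    R = []
    for i in range(n):
        ri = int.from_bytes(r[i * H_BYTES:(i + 1) * H_BYTES], "big")
        blocks = [_rng.randrange(1, P) for _ in range(n - 1)]       # r_{i,1..n-1} chosen at random
        blocks.append(ri * pow(math.prod(blocks), -1, P) % P)      # r_{i,n} = r_i * (prod)^{-1} mod p
        R.append(blocks)
    return R


def store(r, n, lam=128):
    """(2-2)B/C: A x R x A = C', Tag x C' = C'', C'' x Z = C''', hide C''' in Q; return the record
    held by the storage cloud server and the user's local K_D."""
    R = split(r, n)
    while True:   # a_ij are arbitrary in Z_p; retry until A, Tag and Z are all invertible
        A = [[_rng.randrange(P) for _ in range(n)] for _ in range(n)]
        KE, KD = keygen(A, lam)
        Tag = [[prf(b"tag", A[i][j]) for j in range(n)] for i in range(n)]   # Tag_ij <-> a_ij
        Z = [[prf(KE, i, j, A[i][j]) for j in range(n)] for i in range(n)]   # stand-in for Z_ij
        try:
            matinv(A), matinv(Tag), matinv(Z)
            break
        except ValueError:
            continue
    C = matmul(A, R)
    C1 = matmul(C, A)          # C'   = A x R x A
    C2 = matmul(Tag, C1)       # C''  = Tag x C'
    C3 = matmul(C2, Z)         # C''' = C'' x Z
    rows, cols = _rng.sample(range(2 * n), n), _rng.sample(range(2 * n), n)  # the random path
    Q = [[_rng.randrange(P) for _ in range(2 * n)] for _ in range(2 * n)]    # 2n virtual rows/cols
    for i, ri in enumerate(rows):
        for j, cj in enumerate(cols):
            Q[ri][cj] = C3[i][j]
    record = dict(A=A, C=C, C1=C1, C2=C2, C3=C3, Q=Q, Tag=Tag, Z=Z,
                  path=(rows, cols), lam=lam, length=len(r))
    return record, KD


def recover(record, KD_local):
    """(2-3)A: strip the virtual entries, check each layer against the stored copy, invert the
    mixing, and release r only when the re-derived K_D' matches the local K_D."""
    rows, cols = record["path"]
    C3_1 = [[record["Q"][ri][cj] for cj in cols] for ri in rows]
    if C3_1 != record["C3"]:
        raise ValueError("C''' mismatch: the stored matrix was altered")
    C2_1 = matmul(C3_1, matinv(record["Z"]))       # C'' = C''' x Z^{-1}
    if C2_1 != record["C2"]:
        raise ValueError("C'' mismatch")
    C1_1 = matmul(matinv(record["Tag"]), C2_1)     # C' = Tag^{-1} x C''
    if C1_1 != record["C1"]:
        raise ValueError("C' mismatch")
    Ainv = matinv(record["A"])
    R = matmul(matmul(Ainv, C1_1), Ainv)           # R = A^{-1} C' A^{-1}
    if keygen(record["A"], record["lam"])[1] != KD_local:
        return None   # (2-3)B would retain r for time t awaiting a second key match
    out = b"".join((math.prod(row) % P).to_bytes(H_BYTES, "big") for row in R)
    return out[:record["length"]]
```

Two behaviours of the scheme are visible when the functions are run: an alteration of any real entry of Q is caught at the first comparison because $C'''_1$ no longer equals the stored C''', and a caller whose local key is not the $K_D$ derived from A never receives r even though every matrix comparison succeeded. The hold-for-time-t behaviour of the fault-tolerant submodule (2-3)B is not modelled; the function simply returns None at that point.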
(2-4) the data evaluation module supervises and evaluates the data classification process in the preprocessing module, the data segmentation and encryption processes in the data storage module and the classification matching process in the data recovery module, providing data support for subsequent improvement; the data acquisition unit and the trust data storage and recovery unit jointly build the trust data platform and construct the overall trusted environment;
(3) the attack-response unit responds to the security attacks suffered by means of active response technology and passive response technology; the active response technology includes revoking connections, circuit-break response, SYN packet reset response and shielding of hosts that generate internal abuse; the passive response technology refers to automatic notification: when an intrusion is detected, the system sends an alert notification to the administrator and, together with firewalls, routers, switches and anti-virus software, constitutes an integrated security system in which response and early warning complement each other, building a trusted attack-response system within the overall trusted environment;
(4) the expert support library collects all information of the security protection process and at the same time provides the knowledge and tools needed by management personnel; it includes the computing cloud server, the storage cloud server and a local database, and is a support platform based on cloud servers; the expert support library also provides a trusted software system, which provides the operating system and application software with an interface for using the trust data platform, provides the trust data platform with integrity measurement of the subsequent software, and carries out behaviour auditing and analysis of the specific behaviour of the uncontrollable operating system; the subsequent software includes the core loading software and the uncontrollable operating system software.
Preferably, the data recovery module includes a classification matching submodule and a matching fault-tolerant submodule: A, the classification matching submodule specifically performs the following operations:
The user sends a request to recover data r; matrix Q, together with the random path and the virtual vectors used when generating matrix Q, is recalled from the storage server, and the virtual vectors are removed in reverse according to the random path to obtain matrix $C'''_1$;
$C'''_1$ is compared with the C''' recalled from the storage server; if they do not match an error is reported, and if they match the next step is entered;
From $C'''_1$, using the inverse function written in advance and the matrices Z and Tag recalled from the storage server, $C''_1$ and $C'_1$ are obtained in turn and compared with C'' and C' respectively; if any step does not match an error is reported, and after successful matching the next step is entered;
Matrix A is recalled; on the one hand, by the invertibility of matrix A, the stored data r is obtained from $R = A^{-1} C' A^{-1}$; on the other hand, A is decrypted by the decryption function prepared in advance to obtain the decryption key $K_D'$, and $K_D'$ is compared with the locally stored decryption key $K_D$; if $K_D'$ matches the locally stored decryption key $K_D$, the cloud server sends the obtained stored data r to the user, and data r is thus recovered;
B, the matching fault-tolerant submodule:
If $K_D'$ cannot be matched with $K_D$, an error is reported and the obtained data r is retained for a set time t; if within time t the user matches the key again, data r is sent directly to the user, otherwise data r is discarded.
Beneficial effects of the present invention are:
(1) in the device, big data and cloud computing are combined like the two sides of a coin, and big data problems are handled with cloud computing as the support;
(2) a data preprocessing module is arranged to classify the large-scale data, which can effectively improve computational efficiency and reduce time cost;
(3) the data is first divided into equal parts and then each sub-block is split further; since the value of any element of C is related not only to the j-th entry of R but also to the other entries of R, the correlation is strong, and the pseudo-random function and the homomorphic encryption scheme are organically combined in the matrix encryption, so that a thief who wants the complete information of data r must not only crack the key and the random function but also obtain the value of every element in the matrix before the full information can be recovered; the secure data storage and recovery of this encryption mode can effectively prevent malicious unauthorised intruders from acquiring effective information of the security guard system, greatly reinforcing the credibility of the security guard system;
(4) the randomly generated virtual vectors are randomly arranged in matrix C''', which can effectively mask the real value of n; this further increases the difficulty of decoding, which is particularly important for a scheme split in this way, and further increases the credibility of the security guard system;
(5) in the data recovery process, each step is compared with the stored data, reducing the fault tolerance, and the recovered key must match the locally stored decryption key before the data can really be obtained; this is in essence a kind of dynamic multiple trust measurement; after a data recovery failure, the recovered data is not discarded immediately but is retained temporarily, reducing the computational intensity of the system.
Description of the drawings
The invention will be further described with reference to the accompanying drawings, but the embodiments in the drawings do not constitute any limitation of the present invention; for one of ordinary skill in the art, other drawings can be obtained from the following drawings without creative effort.
Fig. 1 is a structural block diagram of the big data information network adaptive security guard system based on trust computing;
Fig. 2 is a structural block diagram of the trust data storage and recovery unit.
Reference numerals: data acquisition unit - 1; trust data storage and recovery unit - 2; attack-response unit - 3; expert support library - 4; data preprocessing module - 21; data storage module - 22; data recovery module - 23; data evaluation module - 24; data segmentation submodule - 221; data encryption submodule - 222; cloud storage submodule - 223; classification matching submodule - 231; matching fault-tolerant submodule - 232.
Specific embodiment
The invention will be further described with the following Examples.
As shown in Fig. 1, the big data information network adaptive security guard system based on trust computing includes a data acquisition unit 1, a trust data storage and recovery unit 2, an attack-response unit 3 and an expert support library 4.
(1) the data acquisition unit 1 authenticates the hardware nodes in the information network, judges the credibility of the network hardware nodes, establishes the trust relationship of the gathered information, gathers network security event information from all parts of the network through a distributed acquisition system, performs unified format conversion of the data collected from each device and system on the basis of the CDIF reference format, and defines the converted information format as the unified event format for communication between the subsystems, thereby providing the basis for the construction of a global trust environment and building a trust data platform; the data acquisition unit is the starting point of the chain of trust and is provided with a data sending application program; the trust data storage and recovery unit, the expert support library and the attack-response unit are provided with data receiving and sending application programs; data is transmitted by 3G, and after the 3G module is powered on the trust data platform performs power-on detection of each of the above units and the expert support library;
(2) as shown in Fig. 2, the trust data storage and recovery unit 2 includes a data preprocessing module 21, a data storage module 22, a data recovery module 23 and a data evaluation module 24: (2-1) the data preprocessing module 21 classifies the large-scale data collected by the data acquisition unit 1 and specifically performs the following two operations: classifying the data by K-means clustering and setting up a catalogue for each class, named after the cluster centre; repeating the above classification process to subdivide the data, forming sub-classes under each class and forming a multi-level catalogue of the data;
(2-2) the data storage module 22 includes a data segmentation submodule 221, a data encryption submodule 222 and a cloud storage submodule 223:
A, the data segmentation submodule 221 splits the data to be stored and specifically performs the following operations:
When data r needs to be stored, r is first divided locally into n parts $r_1, r_2, \ldots, r_n$, each of length h; then, in the finite field $Z_p$, each $r_i$ is divided into n sub-blocks $r_{i,1}, r_{i,2}, \ldots, r_{i,n}$, where $p > 2^h$, and the j-th sub-block satisfies $r_{i,j} = r_i \cdot (r_{i,1} \cdot r_{i,2} \cdots r_{i,j-1})^{-1} \bmod p$, where mod denotes the modulo operator;
$\{r_{i,1}, r_{i,2}, \ldots, r_{i,n-1}\}$ is set as the initial block set and mapped to the set $\{p_1, p_2, \ldots, p_n\}$ to build a linear correlation, represented by the following system of linear equations:
$a_{i1} r_{1,1} + a_{i2} r_{1,2} + \cdots + a_{in} r_{1,n} = c_{i,1}$
$a_{i1} r_{2,1} + a_{i2} r_{2,2} + \cdots + a_{in} r_{2,n} = c_{i,2}$
$\cdots$
$a_{i1} r_{n,1} + a_{i2} r_{n,2} + \cdots + a_{in} r_{n,n} = c_{i,n}$
where the $a_{ij}$ are chosen arbitrarily from the finite field $Z_p$; by analogy $c_{2,1}, c_{2,2}, \ldots, c_{2,n}, \ldots, c_{n,1}, c_{n,2}, \ldots, c_{n,n}$ are obtained, and the dependency relation is written in matrix form, so that the above system of linear equations is expressed as $A \times R = C$;
Matrix R is then mixed a second time according to the following formula to obtain a new matrix C': $A \times R \times A = C'$;
B, the data encryption submodule 222 encrypts the data to be stored to improve its security and specifically performs the following operations:
The key generation function is called; according to the value of each $a_{ij}$ and the value of the security parameter λ input by the user, it outputs the key pair $\{K_E, K_D\}$; the encryption key $K_E$ is shared with the computing cloud server $H_i$, and the decryption key $K_D$ is stored locally at the user;
The computing cloud server inputs $a_{ij}$ into a pseudo-random sequence generator to generate a tag $Tag_{ij}$ in one-to-one correspondence with $a_{ij}$, and at the same time calls the homomorphic encryption function with the encryption key and the data value $V_{ij}$ corresponding to each $a_{ij}$ as input to generate the ciphertext $Z_{ij}$; it is readily seen that the $Tag_{ij}$ and the $Z_{ij}$ form n × n matrices, denoted Tag and Z respectively; a first mixed encryption of C' is performed with the Tag matrix according to the following formula to obtain C'': $Tag \times C' = C''$; then a second mixed encryption of C'' is performed with the Z matrix according to the following formula to obtain C''': $C'' \times Z = C'''$; B virtual vectors are generated at random, where B ≥ 2n, and are randomly arranged in C''' to obtain an $N_1 \times N_2$ matrix Q, where $N_1$ and $N_2$ are both greater than n; the virtual vectors serve to mask the real value of n and further enhance the security of the data;
C, the cloud storage submodule 223 uploads the encrypted data to the storage cloud server: the obtained A, C, C', C'', C''', Q, Tag and Z, the specific random path used when obtaining matrix Q from C''', and the virtual vectors are uploaded to the storage cloud server;
(2-3) the data recovery module 23 recovers and retrieves the stored data according to the user's request and includes a classification matching submodule 231 and a matching fault-tolerant submodule 232; the users referred to here include legitimate users and illegitimate users:
A, the classification matching submodule 231 specifically performs the following operations:
The user sends a request to recover data r; matrix Q, together with the random path and the virtual vectors used when generating matrix Q, is recalled from the storage server, and the virtual vectors are removed in reverse according to the random path to obtain matrix $C'''_1$;
$C'''_1$ is compared with the C''' recalled from the storage server; if they do not match an error is reported, and if they match the next step is entered;
From $C'''_1$, using the inverse function written in advance and the matrices Z and Tag recalled from the storage server, $C''_1$ and $C'_1$ are obtained in turn and compared with C'' and C' respectively; if any step does not match an error is reported, and after successful matching the next step is entered;
Matrix A is recalled; on the one hand, by the invertibility of matrix A, the stored data r is obtained from $R = A^{-1} C' A^{-1}$; on the other hand, A is decrypted by the decryption function prepared in advance to obtain the decryption key $K_D'$, and $K_D'$ is compared with the locally stored decryption key $K_D$; if $K_D'$ matches the locally stored decryption key $K_D$, the cloud server sends the obtained stored data r to the user, and data r is thus recovered;
B, the matching fault-tolerant submodule 232:
If $K_D'$ cannot be matched with $K_D$, an error is reported and the obtained data r is retained for a set time t; if within time t the user matches the key again, data r is sent directly to the user, otherwise data r is discarded;
(2-4) the data evaluation module 24 supervises and evaluates the data classification process in the data preprocessing module 21, the data segmentation and encryption processes in the data storage module 22 and the classification matching process in the data recovery module 23, providing data support for subsequent improvement; the data acquisition unit and the trust data storage and recovery unit jointly build the trust data platform and construct the overall trusted environment;
(3) the attack-response unit 3 responds to the security attacks suffered by means of active response technology and passive response technology; the active response technology includes revoking connections, circuit-break response, SYN packet reset response and shielding of hosts that generate internal abuse; the passive response technology refers to automatic notification: when an intrusion is detected, the system sends an alert notification to the administrator and, together with firewalls, routers, switches and anti-virus software, constitutes an integrated security system in which response and early warning complement each other, building a trusted attack-response system within the overall trusted environment;
(4) the expert support library 4 collects all information of the security protection process and at the same time provides the knowledge and tools needed by management personnel; it includes the computing cloud server, the storage cloud server and a local database, and is a support platform based on cloud servers; the expert support library also provides a trusted software system, which provides the operating system and application software with an interface for using the trust data platform, provides the trust data platform with integrity measurement of the subsequent software, and carries out behaviour auditing and analysis of the specific behaviour of the uncontrollable operating system; the subsequent software includes the core loading software and the uncontrollable operating system software.
In the network adaptive security protection system of this embodiment: (1) in the device, big data and cloud computing are combined like the two sides of a coin, and big data problems are handled with cloud computing as the support;
(2) a data preprocessing module 21 is arranged to classify the large-scale data, which can effectively improve computational efficiency and reduce time cost;
(3) the data is first divided into equal parts and then each sub-block is split further; since the value of any element of C is related not only to the j-th entry of R but also to the other entries of R, the correlation is strong, and the pseudo-random function and the homomorphic encryption scheme are organically combined in the matrix encryption, so that a thief who wants the complete information of data r must not only crack the key and the random function but also obtain the value of every element in the matrix before the full information can be recovered; the secure data storage and recovery of this encryption mode can effectively prevent malicious unauthorised intruders from acquiring effective information of the security guard system, greatly reinforcing the credibility of the security guard system;
(4) the randomly generated virtual vectors are randomly arranged in matrix C''', which can effectively mask the real value of n; this further increases the difficulty of decoding, which is particularly important for a scheme split in this way, and further increases the credibility of the security guard system;
(5) in the data recovery process, each step is compared with the stored data, reducing the fault tolerance, and the recovered key must match the locally stored decryption key before the data can really be obtained; this is in essence a kind of dynamic multiple trust measurement; after a data recovery failure, the recovered data is not discarded immediately but is retained temporarily, reducing the computational intensity of the system.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present invention and do not limit its scope of protection; although the present invention has been explained in detail with reference to preferred embodiments, one of ordinary skill in the art should understand that the technical solution of the present invention can be modified or equivalently replaced without departing from the essence and scope of the technical solution of the present invention.