CN106209850B - Big data information network self-adaptive safety protection system based on trusted computing - Google Patents


Info

Publication number
CN106209850B
Authority
CN
China
Prior art keywords: data, matrix, storage, trust, user
Legal status: Expired - Fee Related
Application number
CN201610550122.7A
Other languages
Chinese (zh)
Other versions
CN106209850A (en)
Inventor
陈祖斌
谢铭
胡继军
翁小云
袁勇
邓戈锋
莫英红
谢菁
张鹏
唐玲丽
黄连月
郑俊明
陈勇铭
陈剑皓
宋骏豪
何钟柱
Current Assignee: Guangxi Power Grid Co Ltd
Original Assignee: Guangxi Power Grid Co Ltd
Application filed by Guangxi Power Grid Co Ltd
Priority to CN201610550122.7A
Publication of CN106209850A
Application granted
Publication of CN106209850B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

The invention discloses a big data information network self-adaptive safety protection system based on trusted computing. The protection system is a trusted system constructed on the basis of data collection, data storage and recovery, attack response and the like; big data analysis and trusted technology are applied to the system through a new combination of modules and new algorithms. Based on the collection, storage and recovery of trusted data, the data of the attack response unit is trusted, the network security of the information is ensured, control is trusted and safe, the data processing speed and data security are improved, storage space is saved, the trust level of information security protection is evaluated, the security of stored and recovered information is managed and controlled, and the reliability and trustworthiness of the information security protection are enhanced.

Description

Big data information network adaptive security protection system based on trusted computing
Technical field
The present invention relates to the field of big data, and in particular to a big data information network adaptive security protection system based on trusted computing.
Background technology
In recent years, the rapid development of information technology, and the sparks it has produced in collision with every trade and profession, have brought unprecedented change to people's lives and modes of production, and the development of information technology has consequently become a focus of attention in every field and industry. Among the many emerging technologies, cloud computing and big data are the two most closely watched and most representative, and the cloud big data platform that combines them has become a focus of attention in science and technology and increasingly penetrates everyday life; protecting the security and privacy of this cloud big data platform has in turn become the guarantee of its value.
The ISO/IEC 15408 standard gives the following definition of the concept of trusted computing: the behaviour of a trusted component, operation or process is predictable under any operating condition and can well resist damage caused by application software, viruses and certain physical interference. The basic idea of trusted computing is to introduce a security chip (trusted platform module) on the hardware platform to improve the security of the terminal system; that is, a root of trust is implanted on each terminal platform so that the computer builds trust relationships from the BIOS to the operating system kernel layer and then to the application layer. On this basis the chain of trust is extended over the network and a corresponding trust chain is established, thereby entering the era of computer immunity. When a terminal is attacked, it can achieve self-protection, self-management and self-recovery.
Trusted computing uses a trusted computing platform, widely supported in computing and communication systems and based on hardware security modules, to improve the overall security of the system. Trusted computing is aimed at behavioural security, which should include features such as the confidentiality of behaviour, the integrity of behaviour and the authenticity of behaviour. Trusted computing contains five core concepts, namely the key, secure input and output, memory shielding and so on, of which the key is the most important element of the trusted system; the security of the data storage and of the key during recovery is the basic guarantee of the whole trusted security protection system.
Content of the invention
In view of the above problems, the present invention provides a big data information network adaptive security protection system based on trusted computing.
The purpose of the present invention is achieved by the following technical solution:
A big data information network adaptive security protection system based on trusted computing, characterised in that it includes a data acquisition unit, a trusted data storage and recovery unit, an attack response unit and an expert support library;
(1) The data acquisition unit authenticates the hardware nodes of the network from which information is collected, judges the credibility of the network hardware nodes, establishes a trust relationship for the collected information, and collects network security event information from all parts of the network through a distributed acquisition system; on the basis of the CDIF reference format, the data coming from each device and system are converted into a unified format, and the converted information format is defined as the unified event format for communication between the subsystems, which provides the basis for building a global trusted environment and builds the trusted data platform. The data acquisition unit is the starting point of the chain of trust and is provided with a data sending application; the trusted data storage and recovery unit, the expert support library and the attack response unit are provided with data receiving and sending applications; data are transmitted over 3G, and after the 3G module is powered on, the trusted data platform performs a power-on check of each of the above units and of the expert support library;
(2) The trusted data storage and recovery unit includes a data preprocessing module, a data storage module, a data recovery module and a data evaluation module: (2-1) the data preprocessing module classifies the large-scale data collected by the data acquisition unit and specifically performs the following two operations: the data are classified by K-means clustering, and a directory named after each cluster centre is set up for each class; the above classification process is repeated to subdivide the data, forming sub-classes under each class and a multi-level directory of the data, so that measurable, quantified data are formed;
(2-2) The data storage module is a trusted data storage module containing cryptographic operations; it guarantees the trusted state of the system and of the data through key technology, hardware access control technology and storage encryption technology, and through software digital signature technology it enables the system to recognise application programs that have been modified by third parties and may have had spyware added. It includes a data segmentation submodule, a data encryption submodule and a cloud storage submodule:
A. The data segmentation submodule splits the data to be stored, and specifically performs the following operations:
When data $r$ needs to be stored, $r$ is first divided locally into $n$ parts $r_1, r_2, \ldots, r_n$ of length $h$; then in the finite field $Z_p$ each $r_i$ is divided into $n$ sub-blocks $r_{i,1}, r_{i,2}, \ldots, r_{i,n}$, where $p > 2^h$, and the $j$-th sub-block is $r_{i,j} = r_i \cdot (r_{i,1} \cdot r_{i,2} \cdots r_{i,j-1})^{-1} \bmod p$, where mod denotes the modulo operator;
The set $\{r_{i,1}, r_{i,2}, \ldots, r_{i,n-1}\}$ is taken as the initial block set and mapped to the set $\{p_1, p_2, \ldots, p_n\}$ to build a linear correlation, represented by the following system of linear equations:
$$a_{i1} r_{1,1} + a_{i2} r_{1,2} + \cdots + a_{in} r_{1,n} = c_{i,1}$$
$$a_{i1} r_{2,1} + a_{i2} r_{2,2} + \cdots + a_{in} r_{2,n} = c_{i,2}$$
$$\cdots$$
$$a_{i1} r_{n,1} + a_{i2} r_{n,2} + \cdots + a_{in} r_{n,n} = c_{i,n}$$
where the $a_{ij}$ are chosen arbitrarily from the finite field $Z_p$; by analogy $c_{2,1}, c_{2,2}, \ldots, c_{2,n}, \ldots, c_{n,1}, c_{n,2}, \ldots, c_{n,n}$ are obtained. The correlation is shown in matrix form: let …; then the above system of linear equations is expressed as $A \times R = C$;
Matrix $R$ is then mixed a second time according to the following formula to obtain a new matrix $C'$: $A \times R \times A = C'$;
B. The data encryption submodule encrypts the data to be stored to improve its security, and specifically performs the following operations:
A key generation function is called which, according to the value of each $a_{ij}$ and the value of a security parameter $\lambda$ input by the user, outputs a key pair $\{K_E, K_D\}$; the encryption key $K_E$ is shared with the computing cloud server $H_i$, and the decryption key $K_D$ is stored locally by the user;
The computing cloud server inputs each $a_{ij}$ into a pseudo-random sequence generator to generate a tag $\mathrm{Tag}_{ij}$ in one-to-one correspondence with $a_{ij}$; at the same time it calls a homomorphic encryption function with the encryption key and the data value $V_{ij}$ corresponding to each $a_{ij}$ as input, generating the ciphertext $Z_{ij}$. The $\mathrm{Tag}_{ij}$ and $c_{ij}$ evidently form $n \times n$ matrices, denoted $\mathrm{Tag}$ and $Z$ respectively. $C'$ is mixed (encrypted) once with the $\mathrm{Tag}$ matrix to obtain $C''$: $\mathrm{Tag} \times C' = C''$; then $C''$ is mixed a second time with the $Z$ matrix to obtain $C'''$: $C'' \times Z = C'''$. $B$ virtual vectors are generated at random, where $B \geq 2n$, and are randomly arranged in $C'''$ to obtain an $N_1 \times N_2$ matrix $Q$, where $N_1$ and $N_2$ are both greater than $n$; the virtual vectors serve to conceal the real value of $n$, further enhancing the security of the data;
C. The cloud storage submodule uploads the encrypted data to the storage cloud server: the obtained $A$, $C$, $C'$, $C''$, $C'''$, $Q$, $\mathrm{Tag}$ and $Z$, the specific random path used when obtaining matrix $Q$ from $C'''$, and the virtual vectors are uploaded to the storage cloud server;
(2-3) The data recovery module recovers and retrieves stored data according to a user's request; it includes a classification matching submodule and a matching fault-tolerance submodule, where the users referred to here include legitimate users and illegitimate users:
A. The classification matching submodule specifically performs the following operations:
The user sends a request to recover data $r$; the matrix $Q$, the random path used when generating $Q$ and the virtual vectors are retrieved from the storage server, and the virtual vectors are removed in reverse according to the random path to obtain the matrix $C'''_1$;
$C'''_1$ is compared with the $C'''$ retrieved from the storage server; if they do not match an error is reported, and if they match the next step is entered;
From $C'''_1$, using a pre-written inverse function and the matrices $Z$ and $\mathrm{Tag}$ retrieved from the storage server, $C''_1$ and $C'_1$ are obtained in turn and compared with $C''$ and $C'$ respectively; a mismatch at either step raises an error, and after a successful match the next step is entered;
Matrix $A$ is retrieved; on the one hand, by the invertibility of $A$, the stored data $r$ is obtained from $R = A^{-1} C' A^{-1}$; on the other hand, $A$ is decrypted with the pre-prepared decryption function to obtain the decryption key $K_D'$, which is compared with the locally stored decryption key $K_D$; if $K_D'$ matches the locally stored $K_D$, the cloud server sends the obtained stored data $r$ to the user, and $r$ is thereby recovered;
B. The matching fault-tolerance submodule:
If $K_D'$ cannot be matched with $K_D$, an error is reported and the obtained data $r$ is retained for a set time $t$; if within time $t$ the user matches the key again, the data $r$ is sent directly to the user, otherwise the data $r$ is discarded;
(2-4) The data evaluation module supervises and evaluates the data classification process in the preprocessing module, the data segmentation and encryption process in the data storage module and the classification matching process in the data recovery module, providing data support for subsequent improvement; the data acquisition unit and the trusted data storage and recovery unit together build the trusted data platform and construct the overall trusted environment;
(3) The attack response unit responds to the security attacks it is subjected to using active response technology and passive response technology. Active response includes revoking connections, circuit-breaking responses, SYN packet reset responses and shielding hosts that generate internal abuse; passive response refers to automatic notification: when an intrusion is detected, the system sends an alert notification to the administrator and, in cooperation with the firewall, routers, switches and anti-virus software, forms an integrated security system in which response and early warning complement each other, building a trusted attack response system within the overall trusted environment;
(4) The expert support library collects all information from the security protection process and at the same time provides the knowledge and tools needed by administrators; it includes the computing cloud server, the storage cloud server and a local database, and is a cloud-server-based support platform. The expert support library also provides a trusted software system, which gives operating systems and application software an interface to the trusted data platform, provides integrity measurement for the software subsequently loaded on the trusted data platform, and performs behaviour auditing and analysis of the specific behaviour of the uncontrolled operating system; the subsequently loaded software includes the core loading software and the uncontrolled operating system software.
Preferably, the data recovery module includes a classification matching submodule and a matching fault-tolerance submodule: A. the classification matching submodule specifically performs the following operations:
The user sends a request to recover data $r$; the matrix $Q$, the random path used when generating $Q$ and the virtual vectors are retrieved from the storage server, and the virtual vectors are removed in reverse according to the random path to obtain the matrix $C'''_1$;
$C'''_1$ is compared with the $C'''$ retrieved from the storage server; if they do not match an error is reported, and if they match the next step is entered;
From $C'''_1$, using a pre-written inverse function and the matrices $Z$ and $\mathrm{Tag}$ retrieved from the storage server, $C''_1$ and $C'_1$ are obtained in turn and compared with $C''$ and $C'$ respectively; a mismatch at either step raises an error, and after a successful match the next step is entered;
Matrix $A$ is retrieved; on the one hand, by the invertibility of $A$, the stored data $r$ is obtained from $R = A^{-1} C' A^{-1}$; on the other hand, $A$ is decrypted with the pre-prepared decryption function to obtain the decryption key $K_D'$, which is compared with the locally stored decryption key $K_D$; if $K_D'$ matches the locally stored $K_D$, the cloud server sends the obtained stored data $r$ to the user, and $r$ is thereby recovered;
B. The matching fault-tolerance submodule:
If $K_D'$ cannot be matched with $K_D$, an error is reported and the obtained data $r$ is retained for a set time $t$; if within time $t$ the user matches the key again, the data $r$ is sent directly to the user, otherwise the data $r$ is discarded.
The beneficial effects of the present invention are:
(1) In the device, big data and cloud computing are combined like the two sides of a coin, and the big data problem is handled with cloud computing as the support;
(2) The data preprocessing module is arranged to classify the large-scale data, which effectively improves computational efficiency and reduces time cost;
(3) The data are first split evenly and then each sub-block is split again; because the value of any element of $C$ is related not only to the $j$-th element of $R$ but also to the other elements of $R$, the correlation is strong, and the pseudo-random function and the homomorphic encryption scheme are organically combined in the matrix encryption. A thief who wants the complete information of the data $r$ must not only crack the key and the random function but also obtain the value of every element in the matrix before the full information can be recovered. Secure data storage and recovery in this encryption mode can effectively prevent malicious unauthorised intruders from obtaining useful information about the security protection system, greatly strengthening the credibility of the security protection system;
(4) The randomly generated virtual vectors are randomly arranged in the matrix $C'''$, which effectively conceals the real value of $n$; this further increases the difficulty of decoding, which is especially important for a scheme in which the data are split, and also further increases the credibility of the security protection system;
(5) In the data recovery process each step is compared with the stored data, which reduces the fault tolerance, and the recovered key must match the locally stored decryption key before the data can really be obtained; this is in essence a kind of dynamic multiple trust measurement. After a data recovery fails, the recovered data are not discarded immediately but are retained temporarily, which reduces the computational load of the system.
Description of the drawings
The invention is further described with reference to the accompanying drawings, but the embodiments in the drawings do not constitute any limitation on the present invention; a person of ordinary skill in the art can obtain other drawings from the following drawings without creative effort.
Fig. 1 is the structural block diagram of the big data information network adaptive security protection system based on trusted computing;
Fig. 2 is the structural block diagram of the trusted data storage and recovery unit.
Reference numerals: data acquisition unit 1; trusted data storage and recovery unit 2; attack response unit 3; expert support library 4; data preprocessing module 21; data storage module 22; data recovery module 23; data evaluation module 24; data segmentation submodule 221; data encryption submodule 222; cloud storage submodule 223; classification matching submodule 231; matching fault-tolerance submodule 232.
Specific embodiment
The invention is further described with the following examples.
As shown in Fig. 1, the big data information network adaptive security protection system based on trusted computing includes a data acquisition unit 1, a trusted data storage and recovery unit 2, an attack response unit 3 and an expert support library 4.
(1) The data acquisition unit 1 authenticates the hardware nodes of the network from which information is collected, judges the credibility of the network hardware nodes, establishes a trust relationship for the collected information, and collects network security event information from all parts of the network through a distributed acquisition system; on the basis of the CDIF reference format, the data coming from each device and system are converted into a unified format, and the converted information format is defined as the unified event format for communication between the subsystems, which provides the basis for building a global trusted environment and builds the trusted data platform. The data acquisition unit is the starting point of the chain of trust and is provided with a data sending application; the trusted data storage and recovery unit, the expert support library and the attack response unit are provided with data receiving and sending applications; data are transmitted over 3G, and after the 3G module is powered on, the trusted data platform performs a power-on check of each of the above units and of the expert support library;
(2) As shown in Fig. 2, the trusted data storage and recovery unit 2 includes a data preprocessing module 21, a data storage module 22, a data recovery module 23 and a data evaluation module 24: (2-1) the data preprocessing module 21 classifies the large-scale data collected by the data acquisition unit 1 and specifically performs the following two operations: the data are classified by K-means clustering, and a directory named after each cluster centre is set up for each class; the above classification process is repeated to subdivide the data, forming sub-classes under each class and a multi-level directory of the data;
(2-2) The data storage module 22 includes a data segmentation submodule 221, a data encryption submodule 222 and a cloud storage submodule 223:
A. The data segmentation submodule 221 splits the data to be stored, and specifically performs the following operations:
When data $r$ needs to be stored, $r$ is first divided locally into $n$ parts $r_1, r_2, \ldots, r_n$ of length $h$; then in the finite field $Z_p$ each $r_i$ is divided into $n$ sub-blocks $r_{i,1}, r_{i,2}, \ldots, r_{i,n}$, where $p > 2^h$, and the $j$-th sub-block is $r_{i,j} = r_i \cdot (r_{i,1} \cdot r_{i,2} \cdots r_{i,j-1})^{-1} \bmod p$, where mod denotes the modulo operator;
The set $\{r_{i,1}, r_{i,2}, \ldots, r_{i,n-1}\}$ is taken as the initial block set and mapped to the set $\{p_1, p_2, \ldots, p_n\}$ to build a linear correlation, represented by the following system of linear equations:
$$a_{i1} r_{1,1} + a_{i2} r_{1,2} + \cdots + a_{in} r_{1,n} = c_{i,1}$$
$$a_{i1} r_{2,1} + a_{i2} r_{2,2} + \cdots + a_{in} r_{2,n} = c_{i,2}$$
$$\cdots$$
$$a_{i1} r_{n,1} + a_{i2} r_{n,2} + \cdots + a_{in} r_{n,n} = c_{i,n}$$
where the $a_{ij}$ are chosen arbitrarily from the finite field $Z_p$; by analogy $c_{2,1}, c_{2,2}, \ldots, c_{2,n}, \ldots, c_{n,1}, c_{n,2}, \ldots, c_{n,n}$ are obtained. The correlation is shown in matrix form: let …; then the above system of linear equations is expressed as $A \times R = C$;
Matrix $R$ is then mixed a second time according to the following formula to obtain a new matrix $C'$: $A \times R \times A = C'$;
B. The data encryption submodule 222 encrypts the data to be stored to improve its security, and specifically performs the following operations:
A key generation function is called which, according to the value of each $a_{ij}$ and the value of a security parameter $\lambda$ input by the user, outputs a key pair $\{K_E, K_D\}$; the encryption key $K_E$ is shared with the computing cloud server $H_i$, and the decryption key $K_D$ is stored locally by the user;
The computing cloud server inputs each $a_{ij}$ into a pseudo-random sequence generator to generate a tag $\mathrm{Tag}_{ij}$ in one-to-one correspondence with $a_{ij}$; at the same time it calls a homomorphic encryption function with the encryption key and the data value $V_{ij}$ corresponding to each $a_{ij}$ as input, generating the ciphertext $Z_{ij}$. The $\mathrm{Tag}_{ij}$ and $c_{ij}$ evidently form $n \times n$ matrices, denoted $\mathrm{Tag}$ and $Z$ respectively. $C'$ is mixed (encrypted) once with the $\mathrm{Tag}$ matrix to obtain $C''$: $\mathrm{Tag} \times C' = C''$; then $C''$ is mixed a second time with the $Z$ matrix to obtain $C'''$: $C'' \times Z = C'''$. $B$ virtual vectors are generated at random, where $B \geq 2n$, and are randomly arranged in $C'''$ to obtain an $N_1 \times N_2$ matrix $Q$, where $N_1$ and $N_2$ are both greater than $n$; the virtual vectors serve to conceal the real value of $n$, further enhancing the security of the data;
C. The cloud storage submodule 223 uploads the encrypted data to the storage cloud server: the obtained $A$, $C$, $C'$, $C''$, $C'''$, $Q$, $\mathrm{Tag}$ and $Z$, the specific random path used when obtaining matrix $Q$ from $C'''$, and the virtual vectors are uploaded to the storage cloud server;
(2-3) The data recovery module 23 recovers and retrieves stored data according to a user's request; it includes a classification matching submodule 231 and a matching fault-tolerance submodule 232, where the users referred to here include legitimate users and illegitimate users:
A. The classification matching submodule 231 specifically performs the following operations:
The user sends a request to recover data $r$; the matrix $Q$, the random path used when generating $Q$ and the virtual vectors are retrieved from the storage server, and the virtual vectors are removed in reverse according to the random path to obtain the matrix $C'''_1$;
$C'''_1$ is compared with the $C'''$ retrieved from the storage server; if they do not match an error is reported, and if they match the next step is entered;
From $C'''_1$, using a pre-written inverse function and the matrices $Z$ and $\mathrm{Tag}$ retrieved from the storage server, $C''_1$ and $C'_1$ are obtained in turn and compared with $C''$ and $C'$ respectively; a mismatch at either step raises an error, and after a successful match the next step is entered;
Matrix $A$ is retrieved; on the one hand, by the invertibility of $A$, the stored data $r$ is obtained from $R = A^{-1} C' A^{-1}$; on the other hand, $A$ is decrypted with the pre-prepared decryption function to obtain the decryption key $K_D'$, which is compared with the locally stored decryption key $K_D$; if $K_D'$ matches the locally stored $K_D$, the cloud server sends the obtained stored data $r$ to the user, and $r$ is thereby recovered;
B. The matching fault-tolerance submodule 232:
If $K_D'$ cannot be matched with $K_D$, an error is reported and the obtained data $r$ is retained for a set time $t$; if within time $t$ the user matches the key again, the data $r$ is sent directly to the user, otherwise the data $r$ is discarded;
(2-4) The data evaluation module 24 supervises and evaluates the data classification process in the data preprocessing module 21, the data segmentation and encryption process in the data storage module 22 and the classification matching process in the data recovery module 23, providing data support for subsequent improvement; the data acquisition unit and the trusted data storage and recovery unit together build the trusted data platform and construct the overall trusted environment;
(3) The attack response unit 3 responds to the security attacks it is subjected to using active response technology and passive response technology. Active response includes revoking connections, circuit-breaking responses, SYN packet reset responses and shielding hosts that generate internal abuse; passive response refers to automatic notification: when an intrusion is detected, the system sends an alert notification to the administrator and, in cooperation with the firewall, routers, switches and anti-virus software, forms an integrated security system in which response and early warning complement each other, building a trusted attack response system within the overall trusted environment;
(4) The expert support library 4 collects all information from the security protection process and at the same time provides the knowledge and tools needed by administrators; it includes the computing cloud server, the storage cloud server and a local database, and is a cloud-server-based support platform. The expert support library also provides a trusted software system, which gives operating systems and application software an interface to the trusted data platform, provides integrity measurement for the software subsequently loaded on the trusted data platform, and performs behaviour auditing and analysis of the specific behaviour of the uncontrolled operating system; the subsequently loaded software includes the core loading software and the uncontrolled operating system software.
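The following Python example is added here and is not part of the patent; it makes the segmentation, mixing, dummy-vector and recovery steps of submodules 221 and 231 (and the same steps in the description above) concrete: sub-blocks over $Z_p$ whose row product is $r_i$, the mixing $C' = A \times R \times A$, insertion of $B = 2n$ dummy vectors along a recorded random path, the comparison check on the stripped matrix, and recovery via $R = A^{-1} C' A^{-1}$. It assumes $p = 257$ (so $h = 8$), reads the patent's sub-block formula as fixing the last sub-block so that the row product equals $r_i$, and leaves out the $\mathrm{Tag}$/$Z$ homomorphic layers and the key-pair check; all function names are hypothetical.

```python
import random
from math import prod
from typing import Dict, List

# Constructed demo parameters (not from the patent): each part r_i is h = 8 bits
# (one byte), so the field Z_p needs p > 2^h; 257 is the smallest such prime.
P = 257


def mat_mul(X: List[List[int]], Y: List[List[int]]) -> List[List[int]]:
    """Product of two n x n matrices over Z_p."""
    n = len(X)
    return [[sum(X[i][k] * Y[k][j] for k in range(n)) % P for j in range(n)]
            for i in range(n)]


def mat_inv(M: List[List[int]]):
    """Inverse of an n x n matrix over Z_p by Gauss-Jordan; None if singular."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, P)
        aug[col] = [v * inv % P for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % P for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def split_into_subblocks(r: bytes, rng: random.Random) -> List[List[int]]:
    """Data segmentation (2-2)A: r is n parts r_1..r_n of h bits (one byte each);
    each r_i becomes n sub-blocks in Z_p whose product is r_i. Sub-blocks 1..n-1
    are random units and the n-th is r_i * (r_{i,1} ... r_{i,n-1})^{-1} mod p,
    the patent's formula applied at j = n (assumed reading). Row i of R is r_i."""
    n = len(r)
    R = []
    for ri in r:
        sub = [rng.randrange(1, P) for _ in range(n - 1)]
        sub.append(ri * pow(prod(sub) % P, -1, P) % P)  # row product is now r_i
        R.append(sub)
    return R


def store(r: bytes, seed: int) -> Dict:
    """Client side of (2-2)A-C minus the Tag/Z homomorphic layers: choose an
    invertible A over Z_p, mix C' = A x R x A, hide the true n by inserting
    B = 2n dummy vectors along a recorded random path, and return the record
    that would be uploaded to the storage cloud server."""
    rng = random.Random(seed)
    n = len(r)
    R = split_into_subblocks(r, rng)
    while True:  # a_ij are arbitrary elements of Z_p, but A must be invertible
        A = [[rng.randrange(P) for _ in range(n)] for _ in range(n)]
        if mat_inv(A) is not None:
            break
    C1 = mat_mul(mat_mul(A, R), A)  # C' = A x R x A (secondary mixing)
    # Random path: n dummy rows, then n dummy columns, so Q is 2n x 2n (N1, N2 > n).
    row_pos = sorted(rng.sample(range(2 * n), n))
    Q = [row[:] for row in C1]
    for pos in row_pos:
        Q.insert(pos, [rng.randrange(P) for _ in range(n)])
    col_pos = sorted(rng.sample(range(2 * n), n))
    for pos in col_pos:
        for row in Q:
            row.insert(pos, rng.randrange(P))
    return {"A": A, "C1": C1, "Q": Q, "path": (row_pos, col_pos)}


def recover(rec: Dict) -> bytes:
    """Classification matching (2-3)A: strip the dummy vectors in reverse along the
    stored path, compare the result with the stored C' (a mismatch is an error,
    as in the patent), then R = A^-1 x C' x A^-1 and r_i = product of row i."""
    row_pos, col_pos = rec["path"]
    stripped = [[v for j, v in enumerate(row) if j not in col_pos]
                for i, row in enumerate(rec["Q"]) if i not in row_pos]
    if stripped != rec["C1"]:
        raise ValueError("C''' mismatch: stored matrix or path was altered")
    A_inv = mat_inv(rec["A"])
    R = mat_mul(mat_mul(A_inv, rec["C1"]), A_inv)
    return bytes(prod(row) % P for row in R)


def detects_tampering(rec: Dict) -> bool:
    """Alter one real (non-dummy) cell of Q and check that recovery refuses it."""
    row_pos, col_pos = rec["path"]
    bad = dict(rec, Q=[row[:] for row in rec["Q"]])
    i = next(k for k in range(len(bad["Q"])) if k not in row_pos)
    j = next(k for k in range(len(bad["Q"][0])) if k not in col_pos)
    bad["Q"][i][j] = (bad["Q"][i][j] + 1) % P
    try:
        recover(bad)
    except ValueError:
        return True
    return False
```

Calling `recover(store(b"trusted!", 1))` returns the original bytes, while `detects_tampering` shows the comparison step rejecting a single altered cell of $Q$.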
In the network adaptive security protection system of this embodiment: (1) in the device, big data and cloud computing are combined like the two sides of a coin, and the big data problem is handled with cloud computing as the support;
(2) The data preprocessing module 21 is arranged to classify the large-scale data, which effectively improves computational efficiency and reduces time cost;
(3) The data are first split evenly and then each sub-block is split again; because the value of any element of $C$ is related not only to the $j$-th element of $R$ but also to the other elements of $R$, the correlation is strong, and the pseudo-random function and the homomorphic encryption scheme are organically combined in the matrix encryption. A thief who wants the complete information of the data $r$ must not only crack the key and the random function but also obtain the value of every element in the matrix before the full information can be recovered. Secure data storage and recovery in this encryption mode can effectively prevent malicious unauthorised intruders from obtaining useful information about the security protection system, greatly strengthening the credibility of the security protection system;
(4) The randomly generated virtual vectors are randomly arranged in the matrix $C'''$, which effectively conceals the real value of $n$; this further increases the difficulty of decoding, which is especially important for a scheme in which the data are split, and also further increases the credibility of the security protection system;
(5) In the data recovery process each step is compared with the stored data, which reduces the fault tolerance, and the recovered key must match the locally stored decryption key before the data can really be obtained; this is in essence a kind of dynamic multiple trust measurement. After a data recovery fails, the recovered data are not discarded immediately but are retained temporarily, which reduces the computational load of the system.
Finally, it should be noted that the above examples only illustrate the technical solution of the present invention and do not limit its scope of protection; although the present invention has been explained in detail with reference to preferred embodiments, a person of ordinary skill in the art should understand that the technical solution of the present invention may be modified or replaced by equivalents without departing from the essence and scope of the technical solution of the present invention.

Claims (2)

1. A big data information network adaptive security protection system based on trusted computing, characterised in that it comprises a data acquisition unit, a trusted data storage and recovery unit, an attack response unit and an expert support library;
(1) the data acquisition unit authenticates the hardware nodes of the network from which information is collected, judges the credibility of each network hardware node, establishes a trust relationship for the collected information, and collects network security event information from all parts of the network through a distributed acquisition system; on the basis of the CDIF reference format, the data coming from each device and system is collected and converted into a unified format, and the converted information format is defined as the unified event format for communication between the subsystems, which provides the basis for building a global trusted environment and constructs the trusted data platform; the data acquisition unit is the starting point of the chain of trust and is provided with a data transmission application, while the trusted data storage and recovery unit, the expert support library and the attack response unit are provided with data receiving and sending applications; data is transmitted over 3G, and after the 3G module is powered on, the trusted data platform performs a power-on check of the above units and of the expert support library;
(2) the trusted data storage and recovery unit, used to ensure that data cannot be obtained arbitrarily, comprises a data preprocessing module, a data storage module, a data recovery module and a data evaluation module:
(2-1) the data preprocessing module classifies the large-scale data collected by the data acquisition unit and specifically performs the following operations: the data is classified by K-means clustering, a directory named after the cluster centre is created for each class, the classification process is repeated to subdivide the data into sub-classes under each class, and a multi-level data directory is formed, producing measurable quantised data;
(2-2) the data storage module is a trusted data storage module containing cryptographic operations; it guarantees the trusted state of the system and of the data through key technology, hardware access control technology and storage encryption technology, and through software digital signature technology it enables the system to recognise application programs that have been altered by a third party and may carry spyware; it comprises a data segmentation submodule, a data encryption submodule and a cloud storage submodule:
A. The data segmentation submodule splits the data to be stored and specifically performs the following operations:
When data $r$ needs to be stored, $r$ is first split locally into $n$ parts $r_1, r_2, \ldots, r_n$ of length $h$; then, in the finite field $Z_p$, each $r_i$ is divided into $n$ sub-blocks $r_{i,1}, r_{i,2}, \ldots, r_{i,n}$, where $p > 2^h$, and the $j$-th sub-block is $r_{i,j} = r_i \cdot (r_{i,1} \cdot r_{i,2} \cdots r_{i,j-1})^{-1} \bmod p$, where $\bmod$ denotes the modulo operator;
Take $\{r_{i,1}, r_{i,2}, \ldots, r_{i,n-1}\}$ as the initial block set and map it to the set $\{p_1, p_2, \ldots, p_n\}$ to build a linear correlation, expressed as the following system of linear equations:
$a_{i1} r_{1,1} + a_{i2} r_{1,2} + \cdots + a_{in} r_{1,n} = c_{i,1}$
$a_{i1} r_{2,1} + a_{i2} r_{2,2} + \cdots + a_{in} r_{2,n} = c_{i,2}$
$\cdots$
$a_{i1} r_{n,1} + a_{i2} r_{n,2} + \cdots + a_{in} r_{n,n} = c_{i,n}$
where the $a_{ij}$ are chosen arbitrarily from the finite field $Z_p$; by analogy $c_{2,1}, c_{2,2}, \ldots, c_{2,n}, \ldots, c_{n,1}, c_{n,2}, \ldots, c_{n,n}$ are obtained. Writing the dependency in matrix form, with $A = (a_{ij})$, $R = (r_{i,j})$ and $C = (c_{i,j})$ as $n \times n$ matrices, the system of linear equations above is expressed as $A \times R = C$;
The matrix $R$ is mixed a second time according to the following formula to obtain a new matrix $C'$: $A \times R \times A = C'$;
B. The data encryption submodule encrypts the data to be stored in order to improve data security and specifically performs the following operations:
The key generation function is called; from the values $a_{ij}$ and the security parameter $\lambda$ entered by the user it outputs the key pair $\{K_E, K_D\}$; the encryption key $K_E$ is shared with the computing cloud server $H_i$, and the decryption key $K_D$ is stored locally at the user;
The computing cloud server feeds each $a_{ij}$ into a pseudo-random sequence generator, producing a tag $Tag_{ij}$ in one-to-one correspondence with $a_{ij}$, and at the same time calls the homomorphic encryption function with the encryption key and the data value $V_{ij}$ corresponding to each $a_{ij}$ as input, producing the ciphertext $Z_{ij}$; clearly $Tag_{ij}$ and $Z_{ij}$ each form an $n \times n$ matrix, denoted $Tag$ and $Z$ respectively. A first mixing encryption of $C'$ with the $Tag$ matrix is carried out as $Tag \times C' = C''$; then a second mixing encryption of $C''$ with the $Z$ matrix is carried out as $C'' \times Z = C'''$; $B$ virtual vectors are generated at random, where $B \ge 2n$, and are randomly arranged in $C'''$ to obtain an $N_1 \times N_2$ matrix $Q$, where $N_1$ and $N_2$ are both greater than $n$; the virtual vectors conceal the true value of $n$ and further enhance the security of the data;
C. The cloud storage submodule uploads the encrypted data to the storage cloud server for storage: the obtained $A$, $C$, $C'$, $C''$, $C'''$, $Q$, $Tag$ and $Z$, the specific random walk used when obtaining the matrix $Q$ from $C'''$, and the virtual vectors are uploaded to the storage cloud server;
(2-3) the data recovery module recovers and retrieves the stored data according to the user's request and comprises a hierarchical matching submodule and a matching fault-tolerance submodule; the user referred to here includes legitimate users and illegitimate users:
A. The hierarchical matching submodule specifically performs the following operations:
The user sends a request to recover data $r$; the matrix $Q$, the random walk used when generating $Q$ and the virtual vectors are retrieved from the storage server, and the virtual vectors are removed in reverse order according to the random walk to obtain the matrix $C'''_1$;
$C'''_1$ is compared with the $C'''$ retrieved from the storage server; if they do not match an error is reported, and if they match the next step is entered;
From $C'''_1$, using the pre-written inverse functions together with the matrices $Z$ and $Tag$ retrieved from the storage server, $C''_1$ and $C'_1$ are obtained in turn and compared with $C''$ and $C'$ respectively; a mismatch at either step reports an error, and after both matches succeed the next step is entered;
The matrix $A$ is retrieved; on the one hand, using the invertibility of $A$, the stored data $r$ is obtained from $R = A^{-1} C' A^{-1}$; on the other hand, $A$ is decrypted with the pre-prepared decryption function to obtain the decryption key $K_D'$, which is compared with the locally stored decryption key $K_D$; if $K_D'$ matches the locally stored $K_D$, the cloud server sends the obtained stored data $r$ to the user, and $r$ is thereby recovered;
B. The matching fault-tolerance submodule:
If $K_D'$ and $K_D$ cannot be matched, an error is reported and the obtained data $r$ is retained for a set time $t$; if within time $t$ the user matches the key again, $r$ is sent to the user directly, otherwise $r$ is discarded;
(2-4) the data evaluation module supervises and evaluates the data classification process in the preprocessing module, the data segmentation and encryption process in the data storage module and the hierarchical matching process in the data recovery module, and provides data support for subsequent improvement; the data acquisition unit, the trusted data storage and recovery unit and the data evaluation module jointly build the overall trusted environment;
(3) the attack response unit responds to the security attacks it is subjected to using active response technology and passive response technology; the active response technology includes revoking the connection, circuit-breaking response, SYN packet reset response, and shielding the host on which internal abuse occurs; the passive response technology refers to automatic notification: when an intrusion is detected the system sends an alert notification to the administrator and, in cooperation with the firewall, routers, switches and anti-virus software, forms an integrated security system in which response and early warning complement each other, establishing a trusted attack response system within the overall trusted environment that has been built;
(4) the expert support library collects all information from the security protection process and provides management personnel with the knowledge and tools they need; it comprises the computing cloud server, the storage cloud server and a local database, and is a support platform based on cloud servers; the expert support library also provides a trusted software system, which offers the operating system and application software an interface to the trusted data platform, provides integrity measurement for the software loaded after the trusted data platform, and performs behaviour auditing and analysis of specific behaviours of the uncontrollable operating system; the subsequent software includes the core loading software and the uncontrollable operating system software.
2. The big data information network adaptive security protection system based on trusted computing according to claim 1, characterised in that the data recovery module comprises a hierarchical matching submodule and a matching fault-tolerance submodule: A. The hierarchical matching submodule specifically performs the following operations:
The user sends a request to recover data $r$; the matrix $Q$, the random walk used when generating $Q$ and the virtual vectors are retrieved from the storage server, and the virtual vectors are removed in reverse order according to the random walk to obtain the matrix $C'''_1$;
$C'''_1$ is compared with the $C'''$ retrieved from the storage server; if they do not match an error is reported, and if they match the next step is entered;
From $C'''_1$, using the pre-written inverse functions together with the matrices $Z$ and $Tag$ retrieved from the storage server, $C''_1$ and $C'_1$ are obtained in turn and compared with $C''$ and $C'$ respectively; a mismatch at either step reports an error, and after both matches succeed the next step is entered;
The matrix $A$ is retrieved; on the one hand, using the invertibility of $A$, the stored data $r$ is obtained from $R = A^{-1} C' A^{-1}$; on the other hand, $A$ is decrypted with the pre-prepared decryption function to obtain the decryption key $K_D'$, which is compared with the locally stored decryption key $K_D$; if $K_D'$ matches the locally stored $K_D$, the cloud server sends the computed stored data $r$ to the user, and $r$ is thereby recovered;
B. The matching fault-tolerance submodule:
If $K_D'$ and $K_D$ cannot be matched, an error is reported and the obtained data $r$ is retained for a set time $t$; if within time $t$ the user matches the key again, $r$ is sent to the user directly, otherwise $r$ is discarded.
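The split, mix and mask chain of claim 1 (2-2) and the step-by-step checked recovery with the key comparison and holding window of (2-3) and claim 2, carried through end to end as an added Python example; this is not the patent's own code. Everything not stated in the claims is my assumption: $h = 8$, $n = 4$ and $p = 257$ (so $r$ is up to 32 bits); the first $n-1$ sub-blocks of each part are random and the $n$-th is computed so that the product of a row recovers the part; $Tag$ and $Z$ are derived from keyed SHA-256 as a stand-in for the pseudo-random sequence generator and for the homomorphic encryption of $V_{ij}$, which the claims do not define; the "random walk" is recorded as the positions of $n$ dummy rows and $n$ dummy columns ($B = 2n$); $K_D$ is modelled as HMAC($K_E$, $A$) so that recomputing it from the retrieved $A$ plays the role of $K_D'$; the hold time $t$ is handled with an explicit clock value. One caveat that follows directly from submodule C as written: $A$, $Tag$ and $Z$ are stored next to $C'$, so the matrix chain behaves as a consistency check on the stored set, and confidentiality rests on $K_E$ and $K_D$.

```python
# Added example (not the patent's code): split -> mix -> mask chain of claim 1 (2-2)
# and the checked recovery of (2-3) / claim 2, over Z_p. Assumptions: h=8, n=4, p=257;
# Tag and Z from keyed SHA-256 (stand-in for the PRF and for the homomorphic encryption
# of the undefined V_ij); "random walk" = dummy row/column positions; K_D = HMAC(K_E, A).
import hmac
import secrets

P, H, N = 257, 8, 4            # prime p > 2**h, h bits per part, n parts and n sub-blocks
MASK = (1 << H) - 1
_rng = secrets.SystemRandom()

def inv(x):
    return pow(x, P - 2, P)    # inverse in Z_p (p prime)

def matmul(X, Y):
    n = len(X)
    return [[sum(X[i][k] * Y[k][j] for k in range(n)) % P for j in range(n)] for i in range(n)]

def matinv(M):
    """Gauss-Jordan inverse over Z_p; None if M is singular."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c]), None)
        if piv is None:
            return None
        aug[c], aug[piv] = aug[piv], aug[c]
        f = inv(aug[c][c])
        aug[c] = [v * f % P for v in aug[c]]
        for r in range(n):
            if r != c and aug[r][c]:
                g = aug[r][c]
                aug[r] = [(a - g * b) % P for a, b in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def keyed_matrix(key, A, label):
    """One keyed-hash value per a_ij; the counter is bumped until the matrix is invertible."""
    for ctr in range(256):
        M = [[int.from_bytes(hmac.new(key, b"%s|%d|%d|%d|%d" % (label, ctr, i, j, A[i][j]),
                                      "sha256").digest()[:4], "big") % P
              for j in range(N)] for i in range(N)]
        if matinv(M) is not None:
            return M
    raise RuntimeError("no invertible keyed matrix")

def derive_kd(k_e, A):
    return hmac.new(k_e, repr(A).encode(), "sha256").digest()   # assumed model of K_D / K_D'

def split(r):
    """n parts of h bits; each part into n sub-blocks whose product mod p is the part."""
    R = []
    for i in range(N):
        r_i = (r >> (H * (N - 1 - i))) & MASK
        blocks = [1 + _rng.randrange(P - 1) for _ in range(N - 1)]   # r_{i,1..n-1}, non-zero
        prod = 1
        for b in blocks:
            prod = prod * b % P
        R.append(blocks + [r_i * inv(prod) % P])                    # r_{i,n} = r_i * prod^-1 mod p
    return R

def store(r, lam=16):
    A = [[_rng.randrange(P) for _ in range(N)] for _ in range(N)]
    while matinv(A) is None:                                    # A must be invertible for recovery
        A = [[_rng.randrange(P) for _ in range(N)] for _ in range(N)]
    k_e = secrets.token_bytes(lam)                              # lambda = key length in bytes
    k_d = derive_kd(k_e, A)
    C = matmul(A, split(r))                                     # C = A R
    C1 = matmul(C, A)                                           # C' = A R A
    Tag, Z = keyed_matrix(k_e, A, b"tag"), keyed_matrix(k_e, A, b"z")
    C2 = matmul(Tag, C1)                                        # C'' = Tag C'
    C3 = matmul(C2, Z)                                          # C''' = C'' Z
    rows, cols = sorted(_rng.sample(range(2 * N), N)), sorted(_rng.sample(range(2 * N), N))
    real = iter(C3)
    Q = []                                                      # B = 2n dummy vectors -> 2n x 2n matrix
    for i in range(2 * N):
        src = iter([_rng.randrange(P) for _ in range(N)] if i in rows else next(real))
        Q.append([_rng.randrange(P) if j in cols else next(src) for j in range(2 * N)])
    cloud = dict(A=A, C=C, C1=C1, C2=C2, C3=C3, Q=Q, walk=(rows, cols), Tag=Tag, Z=Z)
    return cloud, k_e, k_d          # cloud -> storage server, K_E -> compute server, K_D stays local

def recover(cloud, k_e, k_d_local, now, hold=60):
    rows, cols = cloud["walk"]
    C3_1 = [[v for j, v in enumerate(row) if j not in cols]
            for i, row in enumerate(cloud["Q"]) if i not in rows]
    if C3_1 != cloud["C3"]:
        raise ValueError("C''' mismatch")
    C2_1 = matmul(C3_1, matinv(cloud["Z"]))                     # undo C'' Z
    if C2_1 != cloud["C2"]:
        raise ValueError("C'' mismatch")
    C1_1 = matmul(matinv(cloud["Tag"]), C2_1)                   # undo Tag C'
    if C1_1 != cloud["C1"]:
        raise ValueError("C' mismatch")
    Ainv = matinv(cloud["A"])
    R = matmul(matmul(Ainv, C1_1), Ainv)                        # R = A^-1 C' A^-1
    r = 0
    for blocks in R:
        r_i = 1
        for b in blocks:
            r_i = r_i * b % P
        r = (r << H) | r_i
    if derive_kd(k_e, cloud["A"]) != k_d_local:                 # K_D' != K_D: hold r for time t
        return {"status": "held", "data": r, "expires": now + hold}
    return {"status": "ok", "data": r}

def retry_held(held, cloud, k_e, k_d_local, now):
    """A second key match inside the window releases r; after the window it is discarded."""
    if now > held["expires"]:
        return {"status": "discarded"}
    if derive_kd(k_e, cloud["A"]) != k_d_local:
        return held
    return {"status": "ok", "data": held["data"]}
```

`store(r)` returns the set the claims upload to the storage server, the key shared with the computing server and the key kept locally; `recover` raises at the first mismatching stage, which is the "any step mismatches and reports an error" behaviour of the hierarchical matching submodule, and only the final key comparison falls through to the holding window instead of an error.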
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610550122.7A CN106209850B (en) 2016-07-13 2016-07-13 Big data information network self-adaptive safety protection system based on trusted computing

Publications (2)

Publication Number Publication Date
CN106209850A (en) 2016-12-07
CN106209850B true CN106209850B (en) 2017-03-22

Family ID=57477819

Country Status (1)

Country Link
CN (1) CN106209850B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106911716B (en) * 2017-04-14 2020-05-01 中国民航大学 RSA-Hill mixed encryption method based on plaintext random segmentation
CN107302546B (en) * 2017-08-16 2021-05-21 北京奇虎科技有限公司 Big data platform security access system and method and electronic equipment
CN108200067A (en) * 2018-01-05 2018-06-22 国网山东省电力公司聊城供电公司 Big data information network adaptive security guard system based on trust computing
CN109379373A (en) * 2018-11-23 2019-02-22 中国电子科技网络信息安全有限公司 A kind of cloud security assessment system and method
CN110034855B (en) * 2019-04-10 2021-12-14 国网辽宁省电力有限公司 Information transmission checking method and system
CN112272185A (en) * 2020-10-30 2021-01-26 江苏智云领创信息咨询有限公司 Method for sharing computer information and mobile terminal data
CN113301011A (en) * 2021-04-13 2021-08-24 麦荣章 Information security management system based on cloud service

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101064596A (en) * 2006-04-28 2007-10-31 富士通株式会社 Data protection system, method, and program
CN105516340A (en) * 2015-12-30 2016-04-20 中国农业大学 Cloud storage data recoverability verification method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8495387B2 (en) * 2011-10-31 2013-07-23 Spectra Logic Corporation Encryption redundancy in a storage element array

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C41 Transfer of patent application or patent right or utility model
CB03 Change of inventor or designer information
Inventor after: Chen Zubin, Tang Lingli, Huang Lianyue, Zheng Junming, Chen Yongming, Chen Jianhao, Song Junhao, He Zhongzhu, Xie Ming, Hu Jijun, Weng Xiaoyun, Yuan Yong, Deng Gefeng, Mo Yinghong, Xie Jing, Zhang Peng
Inventor before: Chen Zubin, Tang Lingli, Huang Lianyue, Zheng Junming, Chen Yongming, Chen Jianhao, Song Junhao, Xie Ming, Hu Jijun, Weng Xiaoyun, Yuan Yong, Deng Gefeng, Mo Yinghong, Xie Jing, Zhang Peng
COR Change of bibliographic data
TA01 Transfer of patent application right
Effective date of registration: 20170203
Address after: 530000 Xingning, Nanning District, democratic road, No. 6
Applicant after: GUANGXI POWER GRID CO., LTD.
Address before: 530000 Xingning, Nanning District, democratic road, No. 6
Applicant before: He Zhongzhu
C14 Grant of patent or utility model
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right
Denomination of invention: Big data information network self-adaptive safety protection system based on trusted computing
Effective date of registration: 20180420
Granted publication date: 20170322
Pledgee: China Construction Bank Corp Nanning democratic sub branch
Pledgor: GUANGXI POWER GRID CO., LTD.
Registration number: 2018990000304
CF01 Termination of patent right due to non-payment of annual fee
Granted publication date: 20170322
Termination date: 20200713