CN111586044A - Network data protection method aiming at privacy leakage and corresponding firewall - Google Patents

Info

Publication number: CN111586044A
Authority: CN (China)
Prior art keywords: data, privacy, attribute, user, equipment
Prior art date
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202010381329.2A
Other languages: Chinese (zh)
Other versions: CN111586044B (en)
Inventor: 段彬
Current Assignee: Wuhan Sipuleng Technology Co Ltd / Wuhan Sipuling Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Wuhan Sipuling Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Wuhan Sipuling Technology Co Ltd
Priority to CN202010381329.2A
Publication of CN111586044A
Application granted
Publication of CN111586044B
Legal status: Active

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/01 Protocols
                        • H04L67/10 Protocols in which an application is distributed across nodes in the network
                        • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a network data protection method aimed at privacy leakage and a corresponding firewall. Identified privacy data is inspected to determine whether the privacy-related device carrying the data supports that category of privacy data, thereby analyzing the user's transmission intent; if the privacy-related device does not support the category, a privacy leak is declared. A technical means of dynamic security layering of resources is introduced: privacy-related devices with a privacy leak are removed from their security layer, and the layering is adjusted dynamically in real time according to the state of the physical devices. A technical means of dynamically adjusting attribute domains is introduced to reduce the probability of attack, so that the service data of different users is better protected.

Description

Network data protection method aiming at privacy leakage and corresponding firewall
Technical Field
The present application relates to the field of network security technologies, and in particular to a network data protection method aimed at privacy leakage and a corresponding firewall.
Background
Existing network data transmission mechanisms easily cause leakage of user or service privacy data. A common privacy leak detection method is to detect whether private data is being transmitted at all. However, transmitting private data does not necessarily mean privacy is leaked, whereas a transmission not intended by the user may well leak privacy. It is therefore important that the transmission mechanism or system can accurately determine the user's transmission intent.
Meanwhile, the traditional network architecture is layered from the perspective of network transmission rather than network security, so network security is in urgent need of enhancement.
Therefore, a targeted network protection method and a corresponding firewall are urgently needed.
Disclosure of Invention
The invention aims to provide a network data protection method aimed at privacy leakage and a corresponding firewall, solving the problem that existing transmission mechanisms have difficulty accurately judging the user's transmission intent, introducing a technical means of dynamic security layering of resources, and better protecting the service data of different users.
In a first aspect, the present application provides a method for protecting network data against privacy leakage, the method comprising:
designating the specified network resources as a data extraction layer, a network transport layer, a service analysis layer and a master control node;
the data extraction layer: securely classifies the underlying physical devices according to the service attributes they carry into ordinary devices and privacy-related devices; ordinary devices are placed in an ordinary security layer and privacy-related devices in a privacy security layer; the ordinary security layer does not encrypt transmitted data, while the privacy security layer applies a first attribute-based encryption to transmitted data;
the data extraction layer further: periodically acquires the working state of every physical device, activating dormant devices and putting failed devices to sleep; a reactivated device is placed in the security layer matching its classification, and a device that goes dormant is removed from its security layer; a privacy-related device found to have leaked privacy is removed from its security layer;
the network transport layer: dynamically divides attribute domains according to user attributes and performs a privacy check on data transmitted across attribute domains, judging whether the transmitted data contains privacy keywords and, if so, identifying it as privacy data; privacy data is divided into a plurality of categories according to service, and transmitted data is associated with the corresponding category according to the privacy keywords it contains;
the network transport layer further: applies a second attribute-based encryption, based on user attributes, to the privacy data; formulates different access control policies based on service and user attributes, and issues those policies to the data extraction layer;
the attribute-based encryption setup is executed on a cloud server and comprises: initialization; establishing two multiplicative cyclic groups; setting the mapping between user attributes and the key generation algorithm according to those groups; randomly selecting two random numbers; assigning each user attribute a unique pseudo-random number and an attribute public key; and computing a master key and related parameters from the two random numbers, the pseudo-random numbers and the attribute public keys; then, taking the master key and a user attribute set as input, randomly selecting a time variable and a user parameter from the multiplicative cyclic group, where each user parameter is bound one-to-one to a user, and computing the user's attribute private key;
on data input, the user identity identifier carried by the data and the identifier of the attribute domain the user belongs to are sent to the cloud server, which looks up the corresponding attribute private key by those two identifiers and encrypts the data with it to obtain encrypted data; the attributes in the user attribute set are then mapped again, according to that set, onto attribute structures obtained from a plurality of switching matrices to generate a second encryption key, the encrypted data is re-encrypted with the second encryption key to obtain a re-encrypted ciphertext, and the ciphertext is sent to the master control node;
the service analysis layer: establishes a detection model that associates each privacy-related device with a supportable data set comprising a plurality of privacy data categories; inspects identified privacy data and judges whether the privacy-related device carrying the data supports that category of privacy data; if so, the detection result is legal, otherwise it is illegal and privacy has been leaked; it notifies the data extraction layer of privacy-related devices with a privacy leak;
the service analysis layer further: fuses the various service data packets by type to obtain clustered service data, and analyzes whether the source of the service data has been tampered with;
the master control node issues instructions to acquire the working state of physical devices, to put physical devices to sleep and to re-partition attribute domains; responds to service requests and returns their results; interacts with the cloud server; and stores the keys used in the encryption process;
the master control node also counts the physical devices governed by each attribute domain; if the count in some attribute domain exceeds a preset threshold, the devices in that domain with high service correlation to other attribute domains are re-divided into a new attribute domain; the preset threshold is obtained by computing a first variance value and a first average value of the per-domain device counts and deriving the threshold from the first variance value and the first average value.
With reference to the first aspect, in a first possible implementation of the first aspect, after re-dividing the physical devices in the attribute domain that have high service correlation with other attribute domains into a new attribute domain, the method further includes:
counting the physical devices governed by each attribute domain again, calculating a second variance value and a second average value of the device counts, and obtaining a new threshold from the second variance value and the second average value.
With reference to the first aspect, in a second possible implementation of the first aspect, the network transport layer further performs security audit of important network nodes, the network boundary and remote-access user behavior using access control and intrusion detection, checks the freshness of field device authentication data using a timestamp or counter combined with an integrity check, and detects whether the data has been tampered with.
With reference to the first aspect, in a third possible implementation of the first aspect, the master control node further includes risk assessment, attack correlation analysis and situation awareness, performs active defense, and cooperates with data mining and big data analysis on the cloud server to locate network vulnerabilities and discover potential threats and attacks.
In a second aspect, the present application provides a firewall for protecting network data against privacy leakage, the firewall comprising a data extraction layer, a network transport layer, a service analysis layer and a master control node, each defined as the designated network resources of the corresponding layer or node;
the data extraction layer: securely classifies the underlying physical devices according to the service attributes they carry into ordinary devices and privacy-related devices; ordinary devices are placed in an ordinary security layer and privacy-related devices in a privacy security layer; the ordinary security layer does not encrypt transmitted data, while the privacy security layer applies a first attribute-based encryption to transmitted data;
the data extraction layer further: periodically acquires the working state of every physical device, activating dormant devices and putting failed devices to sleep; a reactivated device is placed in the security layer matching its classification, and a device that goes dormant is removed from its security layer; a privacy-related device found to have leaked privacy is removed from its security layer;
the network transport layer: dynamically divides attribute domains according to user attributes and performs a privacy check on data transmitted across attribute domains, judging whether the transmitted data contains privacy keywords and, if so, identifying it as privacy data; privacy data is divided into a plurality of categories according to service, and transmitted data is associated with the corresponding category according to the privacy keywords it contains;
the network transport layer further: applies a second attribute-based encryption, based on user attributes, to the privacy data; formulates different access control policies based on service and user attributes, and issues those policies to the data extraction layer;
the attribute-based encryption setup is executed on a cloud server and comprises: initialization; establishing two multiplicative cyclic groups; setting the mapping between user attributes and the key generation algorithm according to those groups; randomly selecting two random numbers; assigning each user attribute a unique pseudo-random number and an attribute public key; and computing a master key and related parameters from the two random numbers, the pseudo-random numbers and the attribute public keys; then, taking the master key and a user attribute set as input, randomly selecting a time variable and a user parameter from the multiplicative cyclic group, where each user parameter is bound one-to-one to a user, and computing the user's attribute private key;
on data input, the user identity identifier carried by the data and the identifier of the attribute domain the user belongs to are sent to the cloud server, which looks up the corresponding attribute private key by those two identifiers and encrypts the data with it to obtain encrypted data; the attributes in the user attribute set are then mapped again, according to that set, onto attribute structures obtained from a plurality of switching matrices to generate a second encryption key, the encrypted data is re-encrypted with the second encryption key to obtain a re-encrypted ciphertext, and the ciphertext is sent to the master control node;
the service analysis layer: establishes a detection model that associates each privacy-related device with a supportable data set comprising a plurality of privacy data categories; inspects identified privacy data and judges whether the privacy-related device carrying the data supports that category of privacy data; if so, the detection result is legal, otherwise it is illegal and privacy has been leaked; it notifies the data extraction layer of privacy-related devices with a privacy leak;
the service analysis layer further: fuses the various service data packets by type to obtain clustered service data, and analyzes whether the source of the service data has been tampered with;
the master control node issues instructions to acquire the working state of physical devices, to put physical devices to sleep and to re-partition attribute domains; responds to service requests and returns their results; interacts with the cloud server; and stores the keys used in the encryption process;
the master control node also counts the physical devices governed by each attribute domain; if the count in some attribute domain exceeds a preset threshold, the devices in that domain with high service correlation to other attribute domains are re-divided into a new attribute domain; the preset threshold is obtained by computing a first variance value and a first average value of the per-domain device counts and deriving the threshold from the first variance value and the first average value.
With reference to the second aspect, in a first possible implementation of the second aspect, after re-dividing the physical devices in the attribute domain that have high service correlation with other attribute domains into a new attribute domain, the method further includes:
counting the physical devices governed by each attribute domain again, calculating a second variance value and a second average value of the device counts, and obtaining a new threshold from the second variance value and the second average value.
With reference to the second aspect, in a second possible implementation of the second aspect, the network transport layer further performs security audit of important network nodes, the network boundary and remote-access user behavior using access control and intrusion detection, checks the freshness of field device authentication data using a timestamp or counter combined with an integrity check, and detects whether the data has been tampered with.
With reference to the second aspect, in a third possible implementation of the second aspect, the master control node further includes risk assessment, attack correlation analysis and situation awareness, performs active defense, and cooperates with data mining and big data analysis on the cloud server to locate network vulnerabilities and discover potential threats and attacks.
The invention provides a network data protection method aimed at privacy leakage and a corresponding firewall. Identified privacy data is inspected to determine whether the privacy-related device carrying the data supports that category of privacy data, thereby analyzing the user's transmission intent; if the privacy-related device does not support the category, a privacy leak is declared. A technical means of dynamic security layering of resources is introduced: privacy-related devices with a privacy leak are removed from their security layer, and the layering is adjusted dynamically in real time according to the state of the physical devices. A technical means of dynamically adjusting attribute domains is introduced to reduce the probability of attack, so that the service data of different users is better protected.
Drawings
To illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly described below; those skilled in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a general flow diagram of a method of network data protection against privacy leakage according to the present invention;
Fig. 2 is an architecture diagram of a firewall for network data protection against privacy leakage according to the present invention.
Detailed Description
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings, so that the advantages and features of the invention can be more easily understood by those skilled in the art and its scope more clearly defined.
Fig. 1 is a general flowchart of a method for protecting network data against privacy leakage provided by the present application, the method including:
designating the specified network resources as a data extraction layer, a network transport layer, a service analysis layer and a master control node;
the data extraction layer: securely classifies the underlying physical devices according to the service attributes they carry into ordinary devices and privacy-related devices; ordinary devices are placed in an ordinary security layer and privacy-related devices in a privacy security layer; the ordinary security layer does not encrypt transmitted data, while the privacy security layer applies a first attribute-based encryption to transmitted data;
the data extraction layer further: periodically acquires the working state of every physical device, activating dormant devices and putting failed devices to sleep; a reactivated device is placed in the security layer matching its classification, and a device that goes dormant is removed from its security layer; a privacy-related device found to have leaked privacy is removed from its security layer;
the network transport layer: dynamically divides attribute domains according to user attributes and performs a privacy check on data transmitted across attribute domains, judging whether the transmitted data contains privacy keywords and, if so, identifying it as privacy data; privacy data is divided into a plurality of categories according to service, and transmitted data is associated with the corresponding category according to the privacy keywords it contains;
the network transport layer further: applies a second attribute-based encryption, based on user attributes, to the privacy data; formulates different access control policies based on service and user attributes, and issues those policies to the data extraction layer;
the attribute-based encryption setup is executed on a cloud server and comprises: initialization; establishing two multiplicative cyclic groups; setting the mapping between user attributes and the key generation algorithm according to those groups; randomly selecting two random numbers; assigning each user attribute a unique pseudo-random number and an attribute public key; and computing a master key and related parameters from the two random numbers, the pseudo-random numbers and the attribute public keys; then, taking the master key and a user attribute set as input, randomly selecting a time variable and a user parameter from the multiplicative cyclic group, where each user parameter is bound one-to-one to a user, and computing the user's attribute private key;
on data input, the user identity identifier carried by the data and the identifier of the attribute domain the user belongs to are sent to the cloud server, which looks up the corresponding attribute private key by those two identifiers and encrypts the data with it to obtain encrypted data; the attributes in the user attribute set are then mapped again, according to that set, onto attribute structures obtained from a plurality of switching matrices to generate a second encryption key, the encrypted data is re-encrypted with the second encryption key to obtain a re-encrypted ciphertext, and the ciphertext is sent to the master control node;
the service analysis layer: establishes a detection model that associates each privacy-related device with a supportable data set comprising a plurality of privacy data categories; inspects identified privacy data and judges whether the privacy-related device carrying the data supports that category of privacy data; if so, the detection result is legal, otherwise it is illegal and privacy has been leaked; it notifies the data extraction layer of privacy-related devices with a privacy leak;
the service analysis layer further: fuses the various service data packets by type to obtain clustered service data, and analyzes whether the source of the service data has been tampered with;
the master control node issues instructions to acquire the working state of physical devices, to put physical devices to sleep and to re-partition attribute domains; responds to service requests and returns their results; interacts with the cloud server; and stores the keys used in the encryption process;
the master control node also counts the physical devices governed by each attribute domain; if the count in some attribute domain exceeds a preset threshold, the devices in that domain with high service correlation to other attribute domains are re-divided into a new attribute domain; the preset threshold is obtained by computing a first variance value and a first average value of the per-domain device counts and deriving the threshold from the first variance value and the first average value.
In some preferred embodiments, after re-dividing the physical devices in the attribute domain that have high service correlation with other attribute domains into a new attribute domain, the method further includes:
counting the physical devices governed by each attribute domain again, calculating a second variance value and a second average value of the device counts, and obtaining a new threshold from the second variance value and the second average value.
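The flow above (keyword-based privacy identification in the transport layer, the service analysis layer's detection model that compares the carrying device's supportable data set with the data category, removal of a leaking device from the privacy security layer, and the master control node's threshold-driven re-division of an oversized attribute domain) as an added toy model; this is not the patent's code. The keyword table, device names, service tags and the threshold rule (mean plus one standard deviation of per-domain device counts, since the patent only says the threshold is derived from the variance and the average) are all constructed assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean, pvariance

# Constructed lookup: privacy keyword -> privacy data category (one per service).
PRIVACY_KEYWORDS = {
    "patient_id": "medical",
    "diagnosis": "medical",
    "card_number": "payment",
    "cvv": "payment",
    "gps_fix": "location",
}


@dataclass
class Device:
    """A physical device: its classification and its supportable data set."""
    name: str
    privacy_related: bool
    supported: frozenset = frozenset()  # privacy categories it may legitimately carry


@dataclass
class DataExtractionLayer:
    """Holds the two security layers; only the privacy layer encrypts transmissions."""
    common_layer: set = field(default_factory=set)
    privacy_layer: set = field(default_factory=set)

    def classify(self, dev: Device) -> None:
        target = self.privacy_layer if dev.privacy_related else self.common_layer
        target.add(dev.name)

    def on_leak(self, name: str) -> None:
        # Notification from the service analysis layer: drop the leaking
        # device from the privacy security layer.
        self.privacy_layer.discard(name)


def identify_privacy_category(fields):
    """Network transport layer: data is privacy data if it carries a privacy
    keyword; the keyword selects the category. Returns None if not private."""
    for name in fields:
        if name in PRIVACY_KEYWORDS:
            return PRIVACY_KEYWORDS[name]
    return None


def detection_model_is_legal(dev: Device, category: str) -> bool:
    """Service analysis layer detection model: legal only if the carrying
    device's supportable data set contains the category; otherwise a leak."""
    return category in dev.supported


def process_packet(extraction: DataExtractionLayer, devices: dict, packet: dict) -> str:
    """One packet through transport check, detection model and notification.
    Returns 'not_private', 'legal' or 'leak'."""
    category = identify_privacy_category(packet["fields"])
    if category is None:
        return "not_private"
    dev = devices[packet["device"]]
    if detection_model_is_legal(dev, category):
        return "legal"
    extraction.on_leak(dev.name)
    return "leak"


def threshold(counts) -> float:
    """Assumed rule: mean plus one standard deviation (square root of the
    population variance) of the per-domain device counts."""
    return mean(counts) + pvariance(counts) ** 0.5


def repartition(domains: dict, services: dict):
    """Master control node: split any attribute domain whose device count
    exceeds the threshold, moving the devices whose service also appears in
    other domains (our proxy for 'high service correlation') into a new domain.
    domains: {domain: set of device names}; services: {device name: service}.
    Returns (new_domains, first_threshold, second_threshold)."""
    first_t = threshold([len(m) for m in domains.values()])
    new = {name: set(members) for name, members in domains.items()}
    for name, members in domains.items():
        if len(members) <= first_t:
            continue
        foreign = {services[d] for k, v in domains.items() if k != name for d in v}
        moved = {d for d in members if services[d] in foreign}
        if moved:
            new[name] -= moved
            new[name + "_split"] = moved
    # Recount and derive the new threshold from the second variance and average.
    second_t = threshold([len(m) for m in new.values()])
    return new, first_t, second_t
```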
In some preferred embodiments, the data extraction layer, the network transport layer, the service analysis layer and the master node are deployed on different devices, and the devices cooperate with each other.
The deployment is on different devices, each layer can be a device, and the different devices transmit through a special secure transmission protocol. The special secure transport protocol may be a special header added on the basis of a general transport protocol, and the header carries a field for indicating an encryption algorithm or a key.
The described deployment is on different devices, it can be that data extraction layer, network transmission layer and service analysis layer are integrated on one device, and the main control node is deployed on a network intermediate device, and the different devices can be transferred by means of special safety transmission protocol.
The master control node may not be fixed to one network intermediate device, and may be dynamically adjusted to other network intermediate devices according to the current load condition and service type of the network intermediate device.
The data extraction layer, the network transmission layer, the service analysis layer and the master control node may not be a fixed deployment mode, and the deployment may be dynamically adjusted according to the situation. The situation described here may be network congestion, attack scope, etc.
Before the activation of the dormant physical device, the physical device is instructed to upload a self state code, if the state code is a non-fault code, the physical device is judged to be recovered to be normal, and the physical device is activated.
The physical device may further include a first encryption key solidified in the chip, which means that a first digital encryption is performed in a hardware encryption chip of the physical device, where the key is fixed and unchangeable.
In some preferred embodiments, the network transport layer further applies access control, intrusion detection and security auditing to important network nodes, network boundaries and remote-access user behavior, and checks the freshness of field-device authentication data and detects tampering of that data by using timestamps or counters together with integrity checks.
In some preferred embodiments, the clustering algorithm used for the data fusion may be a K-Means algorithm, a mean-shift clustering algorithm, a density-based clustering algorithm, or an agglomerative hierarchical clustering algorithm.
In some preferred embodiments, the master control node further performs risk assessment, attack association analysis and situation awareness, conducts active defense, and cooperates with data mining and big-data analysis on the cloud server to locate network vulnerabilities and discover potential threats and attacks.
Fig. 2 is an architecture diagram of the firewall for network data protection against privacy leakage provided by the present application. The firewall comprises a data extraction layer, a network transmission layer, a service analysis layer and a master control node, each defined as a correspondingly designated network resource;
the data extraction layer: classifies the underlying physical devices by security level according to the service attributes they carry, into common devices and privacy-related devices; places common devices in a common security tier and privacy-related devices in a privacy security tier, where the common security tier does not encrypt transmitted data and the privacy security tier applies first attribute encryption to transmitted data;
wherein the data extraction layer further: periodically acquires the working state of every physical device, activates dormant physical devices and puts failed physical devices to sleep; places reactivated physical devices into security tiers according to their classification and removes physical devices that enter dormancy from their security tiers; and removes privacy-related devices that have leaked privacy from their security tier;
the network transport layer: dynamically divides attribute domains according to user attributes, performs a privacy judgement on data transmitted across different attribute domains by checking whether the transmitted data contains privacy keywords and, if so, determines it to be privacy data; divides privacy data into a plurality of categories according to service, and associates transmitted data with the corresponding category according to the privacy keywords it contains;
wherein the network transport layer further: performs second attribute encryption, based on user attributes, on the privacy data; formulates different access control policies based on service and user attributes, and issues those policies to the data extraction layer;
the attribute encryption setup is executed on a cloud server and comprises: initialization, establishing two multiplicative cyclic groups, defining a mapping between user attributes and a key generation algorithm over those groups, randomly selecting two random numbers, assigning each user attribute a unique pseudo-random number and an attribute public key, and computing a master key and related parameters from the two random numbers, the pseudo-random numbers and the attribute public keys; and, on input of the master key and a user attribute set, randomly selecting a time variable and a user parameter from the multiplicative cyclic group, where the user parameter is associated one-to-one with each user, and computing the user's attribute private key;
on input of data, sending the user identity identifier carried by the data, together with the identifier of the attribute domain to which the user belongs, to the cloud server, where the cloud server looks up the corresponding attribute private key by user identity identifier and attribute domain identifier and encrypts the data with that attribute private key to obtain encrypted data; mapping the attributes of the user attribute set again onto attribute structures obtained from a plurality of switching matrices to generate a second encryption key, re-encrypting the encrypted data with the second encryption key to obtain a re-encrypted ciphertext, and sending the ciphertext to the master control node;
the service analysis layer: establishes a detection model that associates each privacy-related device with a supportable data set comprising a plurality of privacy data categories; tests identified privacy data by judging whether the privacy-related device that carries the data supports that category of privacy data, the detection result being legal if it does and otherwise illegal, meaning that privacy has been leaked; and notifies the data extraction layer of privacy-related devices that have leaked privacy;
wherein the service analysis layer further: performs data fusion on the various service data packets by type to obtain clustered service data, and analyses whether the source of the service data has been tampered with;
the master control node issues instructions to acquire the working state of physical devices, to put physical devices to sleep and to repartition attribute domains, responds to service requests and returns their results, interacts with the cloud server, and stores the keys used in the encryption process;
the master control node also counts the number of physical devices belonging to each attribute domain and, if the count for some attribute domain exceeds a preset threshold, re-divides the physical devices of that domain that have high service correlation with other attribute domains into a new attribute domain; the preset threshold is obtained by calculating a first variance value and a first average value of the per-domain device counts and deriving the threshold from the first variance value and the first average value.
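The following is an added example, not code from the patent, of the transport layer's privacy-keyword judgement and the service analysis layer's detection model described above. The privacy keywords, the privacy data categories, each device's "supportable data set" and the sample packets are constructed values that the patent does not specify.

```python
"""Privacy judgement (network transport layer) and detection model
(service analysis layer) for the firewall described above.

Added example, not the patent's code. The privacy keywords, the privacy
data categories, the per-device supportable data sets and the packets
are constructed sample values; the patent names none of them.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed category -> privacy keyword list (constructed sample).
PRIVACY_KEYWORDS: dict[str, tuple[str, ...]] = {
    "identity": ("id_number", "passport", "name"),
    "health": ("diagnosis", "blood_pressure", "heart_rate"),
    "location": ("gps", "latitude", "longitude"),
}

# Assumed "supportable data set" of each privacy-related device: the
# privacy categories that device is legitimately allowed to carry.
SUPPORTABLE: dict[str, set[str]] = {
    "wearable-01": {"health"},
    "badge-reader-02": {"identity"},
    "tracker-03": {"location"},
}


@dataclass(frozen=True)
class Packet:
    src_device: str     # privacy-related device that produced the data
    src_domain: str     # attribute domain of the sender
    dst_domain: str     # attribute domain of the receiver
    payload: str


@dataclass
class Verdict:
    cross_domain: bool
    categories: set[str] = field(default_factory=set)   # categories found
    leaking: set[str] = field(default_factory=set)      # unsupported ones

    @property
    def result(self) -> str:
        if not self.categories:
            return "not_privacy"
        return "illegal" if self.leaking else "legal"


def classify(payload: str) -> set[str]:
    """Network transport layer: which privacy categories' keywords occur
    in the payload (an empty set means the data is not privacy data)."""
    text = payload.lower()
    found: set[str] = set()
    for category, words in PRIVACY_KEYWORDS.items():
        if any(re.search(r"\b" + re.escape(w) + r"\b", text) for w in words):
            found.add(category)
    return found


def judge(pkt: Packet) -> Verdict:
    """Service analysis layer detection model: privacy data is legal only
    when the carrying device's supportable data set covers every category
    found; anything else is an illegal transfer, i.e. a privacy leak."""
    categories = classify(pkt.payload)
    supported = SUPPORTABLE.get(pkt.src_device, set())
    return Verdict(
        cross_domain=pkt.src_domain != pkt.dst_domain,
        categories=categories,
        leaking=categories - supported,
    )


def leaking_devices(packets: list[Packet]) -> set[str]:
    """Devices the service analysis layer reports to the data extraction
    layer, which then removes them from the privacy security tier."""
    return {p.src_device for p in packets if judge(p).result == "illegal"}


# Constructed sample traffic crossing from attribute domain A into domain B.
SAMPLE_PACKETS = [
    Packet("wearable-01", "A", "B", "heart_rate=72 gps=30.5,114.3"),
    Packet("badge-reader-02", "A", "B", "name=alice id_number=REDACTED"),
    Packet("tracker-03", "A", "B", "battery=90 firmware=1.2"),
]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        v = judge(p)
        print(f"{p.src_device}: {v.result} (found {sorted(v.categories)}, "
              f"leaking {sorted(v.leaking)})")
    print("devices to remove from the privacy tier:",
          leaking_devices(SAMPLE_PACKETS))
```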
In some preferred embodiments, after re-dividing the physical devices of the attribute domain that have high service correlation with other attribute domains into a new attribute domain, the method further includes:
counting again the number of physical devices belonging to each attribute domain, calculating a second variance value and a second average value of those device counts, and deriving a new threshold value from the second variance value and the second average value.
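The attribute-domain rebalancing performed by the master control node, as an added example rather than the patent's own code. The patent states only that the threshold is derived from the variance and average of the per-domain device counts; the concrete rule used here (mean plus one standard deviation), the choice of population variance and the per-device service-correlation scores are assumptions of this example.

```python
"""Attribute-domain rebalancing performed by the master control node.

Added example, not code from the patent. The patent only states that the
threshold is derived from the variance and average of the per-domain
device counts; the concrete rule used here (mean plus one standard
deviation), the population-variance choice and the per-device service
correlation scores are assumptions made for this example.
"""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class PhysicalDevice:
    device_id: str
    domain: str
    # Assumed: strength of this device's service correlation with *other*
    # attribute domains, in [0, 1]; the patent does not define the metric.
    service_correlation: dict[str, float] = field(default_factory=dict)


def count_per_domain(devices: list[PhysicalDevice]) -> dict[str, int]:
    """Number of physical devices under each attribute domain."""
    return dict(Counter(d.domain for d in devices))


def mean_and_variance(counts: dict[str, int]) -> tuple[float, float]:
    """Average and (population) variance of the per-domain device counts."""
    if not counts:
        return 0.0, 0.0
    values = list(counts.values())
    mean = sum(values) / len(values)
    variance = sum((v - mean) ** 2 for v in values) / len(values)
    return mean, variance


def threshold_from(mean: float, variance: float) -> float:
    """Assumed rule: a domain is overloaded when its device count exceeds
    the mean by more than one standard deviation."""
    return mean + math.sqrt(variance)


def rebalance(devices: list[PhysicalDevice], corr_cutoff: float = 0.5,
              new_domain_prefix: str = "new") -> tuple[float, float, list[str]]:
    """One rebalancing round, as described for the master control node:

    1. count devices per domain, derive the first threshold from the
       first mean and variance;
    2. for every domain above that threshold, move its devices that
       correlate strongly with some other domain into a new domain;
    3. recount and derive the new threshold from the second mean/variance.

    Returns (first_threshold, new_threshold, ids of moved devices).
    """
    counts = count_per_domain(devices)
    first_thr = threshold_from(*mean_and_variance(counts))

    moved: list[str] = []
    created = 0
    for domain in sorted(counts):
        if counts[domain] <= first_thr:
            continue
        candidates = [
            d for d in devices
            if d.domain == domain
            and any(other != domain and score >= corr_cutoff
                    for other, score in d.service_correlation.items())
        ]
        if not candidates:
            continue
        created += 1
        new_domain = f"{new_domain_prefix}{created}"
        for d in candidates:
            d.domain = new_domain
            moved.append(d.device_id)

    new_thr = threshold_from(*mean_and_variance(count_per_domain(devices)))
    return first_thr, new_thr, moved


def build_sample() -> list[PhysicalDevice]:
    """Constructed sample: domain A is overloaded and three of its devices
    serve workloads that correlate with domain B."""
    devices = [PhysicalDevice(f"a{i}", "A") for i in range(1, 7)]
    for d in devices[3:]:                       # a4, a5, a6
        d.service_correlation = {"B": 0.8}
    devices += [PhysicalDevice("b1", "B"), PhysicalDevice("b2", "B"),
                PhysicalDevice("c1", "C"), PhysicalDevice("c2", "C")]
    return devices


if __name__ == "__main__":
    devs = build_sample()
    before = count_per_domain(devs)
    first_thr, new_thr, moved = rebalance(devs)
    print(f"counts before: {before}, threshold {first_thr:.2f}")
    print(f"moved {moved} into a new domain")
    print(f"counts after:  {count_per_domain(devs)}, threshold {new_thr:.2f}")
```

With the sample, domain A holds 6 of 10 devices, the first threshold comes out at about 5.22, and after the three correlated devices move to a new domain the recomputed threshold drops to 3.0.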
In some preferred embodiments, the data extraction layer, the network transport layer, the service analysis layer and the master node are deployed on different devices, and the devices cooperate with each other.
In some preferred embodiments, the network transport layer further applies access control, intrusion detection and security auditing to important network nodes, network boundaries and remote-access user behavior, and checks the freshness of field-device authentication data and detects tampering of that data by using timestamps or counters together with integrity checks.
In some preferred embodiments, the clustering algorithm used for the data fusion may be a K-Means algorithm, a mean-shift clustering algorithm, a density-based clustering algorithm, or an agglomerative hierarchical clustering algorithm.
In some preferred embodiments, the master control node further performs risk assessment, attack association analysis and situation awareness, conducts active defense, and cooperates with data mining and big-data analysis on the cloud server to locate network vulnerabilities and discover potential threats and attacks.
In specific implementation, the present invention further provides a computer storage medium, where the computer storage medium may store a program, and the program may include some or all of the steps in the embodiments of the present invention when executed. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a Random Access Memory (RAM).
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The same and similar parts of the various embodiments in this specification may be referred to one another. In particular, since the firewall embodiments are substantially similar to the method embodiments, they are described briefly; for the relevant details, refer to the description of the method embodiments.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.

Claims (8)

1. A method of network data protection against privacy disclosure, the method comprising:
defining the designated network resources as a data extraction layer, a network transmission layer, a service analysis layer and a master control node;
the data extraction layer: classifies the underlying physical devices by security level according to the service attributes they carry, into common devices and privacy-related devices; places common devices in a common security tier and privacy-related devices in a privacy security tier, where the common security tier does not encrypt transmitted data and the privacy security tier applies first attribute encryption to transmitted data;
wherein the data extraction layer further: periodically acquires the working state of every physical device, activates dormant physical devices and puts failed physical devices to sleep; places reactivated physical devices into security tiers according to their classification and removes physical devices that enter dormancy from their security tiers; and removes privacy-related devices that have leaked privacy from their security tier;
the network transport layer: dynamically divides attribute domains according to user attributes, performs a privacy judgement on data transmitted across different attribute domains by checking whether the transmitted data contains privacy keywords and, if so, determines it to be privacy data; divides privacy data into a plurality of categories according to service, and associates transmitted data with the corresponding category according to the privacy keywords it contains;
wherein the network transport layer further: performs second attribute encryption, based on user attributes, on the privacy data; formulates different access control policies based on service and user attributes, and issues those policies to the data extraction layer;
the attribute encryption setup is executed on a cloud server and comprises: initialization, establishing two multiplicative cyclic groups, defining a mapping between user attributes and a key generation algorithm over those groups, randomly selecting two random numbers, assigning each user attribute a unique pseudo-random number and an attribute public key, and computing a master key and related parameters from the two random numbers, the pseudo-random numbers and the attribute public keys; and, on input of the master key and a user attribute set, randomly selecting a time variable and a user parameter from the multiplicative cyclic group, where the user parameter is associated one-to-one with each user, and computing the user's attribute private key;
on input of data, sending the user identity identifier carried by the data, together with the identifier of the attribute domain to which the user belongs, to the cloud server, where the cloud server looks up the corresponding attribute private key by user identity identifier and attribute domain identifier and encrypts the data with that attribute private key to obtain encrypted data; mapping the attributes of the user attribute set again onto attribute structures obtained from a plurality of switching matrices to generate a second encryption key, re-encrypting the encrypted data with the second encryption key to obtain a re-encrypted ciphertext, and sending the ciphertext to the master control node;
the service analysis layer: establishes a detection model that associates each privacy-related device with a supportable data set comprising a plurality of privacy data categories; tests identified privacy data by judging whether the privacy-related device that carries the data supports that category of privacy data, the detection result being legal if it does and otherwise illegal, meaning that privacy has been leaked; and notifies the data extraction layer of privacy-related devices that have leaked privacy;
wherein the service analysis layer further: performs data fusion on the various service data packets by type to obtain clustered service data, and analyses whether the source of the service data has been tampered with;
the master control node issues instructions to acquire the working state of physical devices, to put physical devices to sleep and to repartition attribute domains, responds to service requests and returns their results, interacts with the cloud server, and stores the keys used in the encryption process;
the master control node also counts the number of physical devices belonging to each attribute domain and, if the count for some attribute domain exceeds a preset threshold, re-divides the physical devices of that domain that have high service correlation with other attribute domains into a new attribute domain; the preset threshold is obtained by calculating a first variance value and a first average value of the per-domain device counts and deriving the threshold from the first variance value and the first average value.
2. The method of claim 1, wherein, after re-dividing the physical devices of the attribute domain that have high service correlation with other attribute domains into a new attribute domain, the method further includes:
counting again the number of physical devices belonging to each attribute domain, calculating a second variance value and a second average value of those device counts, and deriving a new threshold value from the second variance value and the second average value.
3. The method according to any one of claims 1-2, wherein the network transport layer further applies access control and intrusion detection, and uses timestamps or counters in combination with integrity checks to check the freshness of field-device authentication data and to detect whether that data has been tampered with.
4. The method according to any one of claims 1-3, wherein the master control node further performs risk assessment, attack association analysis and situation awareness, conducts active defense, and cooperates with data mining and big-data analysis on the cloud server to locate network vulnerabilities and discover potential threats and attacks.
5. A firewall for network data protection against privacy leakage, the firewall comprising a data extraction layer, a network transmission layer, a service analysis layer and a master control node, each defined as a correspondingly designated network resource;
the data extraction layer: classifies the underlying physical devices by security level according to the service attributes they carry, into common devices and privacy-related devices; places common devices in a common security tier and privacy-related devices in a privacy security tier, where the common security tier does not encrypt transmitted data and the privacy security tier applies first attribute encryption to transmitted data;
wherein the data extraction layer further: periodically acquires the working state of every physical device, activates dormant physical devices and puts failed physical devices to sleep; places reactivated physical devices into security tiers according to their classification and removes physical devices that enter dormancy from their security tiers; and removes privacy-related devices that have leaked privacy from their security tier;
the network transport layer: dynamically divides attribute domains according to user attributes, performs a privacy judgement on data transmitted across different attribute domains by checking whether the transmitted data contains privacy keywords and, if so, determines it to be privacy data; divides privacy data into a plurality of categories according to service, and associates transmitted data with the corresponding category according to the privacy keywords it contains;
wherein the network transport layer further: performs second attribute encryption, based on user attributes, on the privacy data; formulates different access control policies based on service and user attributes, and issues those policies to the data extraction layer;
the attribute encryption setup is executed on a cloud server and comprises: initialization, establishing two multiplicative cyclic groups, defining a mapping between user attributes and a key generation algorithm over those groups, randomly selecting two random numbers, assigning each user attribute a unique pseudo-random number and an attribute public key, and computing a master key and related parameters from the two random numbers, the pseudo-random numbers and the attribute public keys; and, on input of the master key and a user attribute set, randomly selecting a time variable and a user parameter from the multiplicative cyclic group, where the user parameter is associated one-to-one with each user, and computing the user's attribute private key;
on input of data, sending the user identity identifier carried by the data, together with the identifier of the attribute domain to which the user belongs, to the cloud server, where the cloud server looks up the corresponding attribute private key by user identity identifier and attribute domain identifier and encrypts the data with that attribute private key to obtain encrypted data; mapping the attributes of the user attribute set again onto attribute structures obtained from a plurality of switching matrices to generate a second encryption key, re-encrypting the encrypted data with the second encryption key to obtain a re-encrypted ciphertext, and sending the ciphertext to the master control node;
the service analysis layer: establishes a detection model that associates each privacy-related device with a supportable data set comprising a plurality of privacy data categories; tests identified privacy data by judging whether the privacy-related device that carries the data supports that category of privacy data, the detection result being legal if it does and otherwise illegal, meaning that privacy has been leaked; and notifies the data extraction layer of privacy-related devices that have leaked privacy;
wherein the service analysis layer further: performs data fusion on the various service data packets by type to obtain clustered service data, and analyses whether the source of the service data has been tampered with;
the master control node issues instructions to acquire the working state of physical devices, to put physical devices to sleep and to repartition attribute domains, responds to service requests and returns their results, interacts with the cloud server, and stores the keys used in the encryption process;
the master control node also counts the number of physical devices belonging to each attribute domain and, if the count for some attribute domain exceeds a preset threshold, re-divides the physical devices of that domain that have high service correlation with other attribute domains into a new attribute domain; the preset threshold is obtained by calculating a first variance value and a first average value of the per-domain device counts and deriving the threshold from the first variance value and the first average value.
6. The firewall according to claim 5, wherein, after re-dividing the physical devices of the attribute domain that have high service correlation with other attribute domains into a new attribute domain, the firewall further:
counts again the number of physical devices belonging to each attribute domain, calculates a second variance value and a second average value of those device counts, and derives a new threshold value from the second variance value and the second average value.
7. The firewall according to any one of claims 5-6, wherein the network transport layer further applies access control, intrusion detection and security auditing to important network nodes, network boundaries and remote-access user behavior, and uses timestamps or counters in combination with integrity checks to check the freshness of field-device authentication data and to detect whether that data has been tampered with.
8. The firewall according to any one of claims 5 to 7, wherein the master control node further performs risk assessment, attack association analysis and situation awareness, conducts active defense, and cooperates with data mining and big-data analysis on the cloud server to locate network vulnerabilities and discover potential threats and attacks.
CN202010381329.2A 2020-05-08 2020-05-08 Network data protection method aiming at privacy leakage and corresponding firewall Active CN111586044B (en)


Publications (2)

Publication Number Publication Date
CN111586044A true CN111586044A (en) 2020-08-25
CN111586044B CN111586044B (en) 2021-03-23

Family

ID=72126403


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant