CN112347515A - Data detection and safety isolation method for edge operating system - Google Patents


Info

Publication number
CN112347515A
Authority
CN
China
Legal status
Pending
Application number
CN202011304893.0A
Other languages
Chinese (zh)
Inventor
郑松
郑蓉
刘朝儒
李贝贝
吴鸿钰
王云霞
王亮亮
庄晓芳
Current Assignee
Fuzhou University
Original Assignee
Fuzhou University

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects

Abstract

The invention relates to a data detection and security isolation method for an edge operating system. Abnormal behavior analysis is performed on the uplink data or downlink data in the edge operating system; if the analyzed uplink or downlink data are found to be abnormal, the corresponding uplink or downlink data are placed under data security isolation within the edge operating system. The invention addresses the shortcomings of existing edge operating systems in data detection and analysis and in data security protection.

Description

Data detection and safety isolation method for edge operating system
Technical Field
The invention belongs to the technical field of industrial automation control safety, and particularly relates to a data detection and safety isolation method for an edge operating system.
Background
With the development of industrial automation, the 'edge layer' of the industrial internet architecture has gradually attracted attention, and more edge operating systems have appeared. These edge operating systems face massive volumes of data coming from sensors, data-producing machine tools and special-purpose intelligent production equipment, and also from PLCs (programmable logic controllers), DCSs (distributed control systems), IPCs (industrial personal computers), embedded systems and the like. Such data are heterogeneous and may introduce potential safety hazards. In addition, the edge operating system must manage heterogeneous computing resources below it for this massive data while processing large amounts of heterogeneous data and multiple application workloads above it, which demands stronger timeliness and security from the edge operating system.
At present, traditional edge operating systems mainly rely on boundary defences such as industrial firewalls and industrial gatekeepers to transmit data in encrypted form, which can only prevent data leakage or tampering. Without analysing and processing the data, the quality of real-time data cannot be guaranteed: if a device's data are abnormal, the problem cannot be fed back and resolved in time, and the uplink and downlink data do not sit in a safe and trustworthy environment. The edge operating system is therefore required to ensure the security of data transmission, storage and application while improving the efficiency of data processing.
In view of this, in order to improve data quality and security, the invention provides a data detection and security isolation method and system for an edge operating system that adds an abnormal behavior analysis function for the data on top of a data security isolation mechanism, so that the nature of abnormal data within the collected data can be determined and protective handling applied, thereby remedying the deficiency of current edge operating systems in data security.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide a data detection and security isolation method for an edge operating system, which is used for solving the problems of data detection analysis and data security protection of the existing edge operating system.
In order to achieve the purpose, the technical scheme of the invention is as follows: a data detection and safety isolation method facing an edge operating system analyzes abnormal behaviors of uplink data or downlink data in the edge operating system, and if the analyzed uplink data or downlink data are abnormal, performs data safety isolation on corresponding uplink data or downlink data in the edge operating system.
In an embodiment of the present invention, the abnormal behavior analysis is specifically implemented as follows:
step S11, data preprocessing: the accessed uplink or downlink data are matched and extracted through a rule file and then normalized; after normalization, the attributes on which subsequent analysis depends are enriched;
step S12, real-time anomaly detection: the real-time data stream produced by preprocessing is processed, the data content is checked against detection rules, and the characteristic data of abnormal behaviors are extracted;
step S13, determining the cause of the abnormal behavior: whether the detected data behavior deviates from the known abnormal behavior is compared using rule matching and an abnormal-degree threshold, so as to judge the cause of the abnormal behavior;
step S14, protection processing: according to a processing strategy, one of triggering an alarm, automatically filtering the data, cutting off the communication link, or clearing and repairing the abnormal data is selected, thereby achieving protective processing of the abnormal behavior.
In an embodiment of the present invention, the data security isolation is implemented as follows:
Based on Docker container isolation technology, the uplink data and downlink data in the edge operating system are stored on computing nodes located in different memory spaces according to an isolation strategy, and security isolation is performed by means of the system kernel to ensure that the uplink and downlink data cannot be accessed or called by mistake; specifically, resource isolation is performed through namespaces, resource limitation through cgroups, and authority limitation through capabilities.
Compared with the prior art, the invention has the following beneficial effects:
1. The data detection technology for abnormal behavior analysis provided by the invention preprocesses the accessed raw data to form the characteristics of the abnormal data, then attributes the abnormality to causes such as malicious attack, botnet or faulty equipment, thereby tracing the abnormal behavior, applying different protective handling for different causes, and improving the effect and quality of data processing.
2. The data security isolation technology provided by the invention defines security isolation rules, separates the address spaces of the different nodes holding uplink and downlink data, and isolates them through three aspects: resource isolation, resource limitation (priority allocation, resource statistics and task control) and authority limitation, so that data cannot be viewed across containers, containers cannot affect one another, and the security of the data is ensured.
Drawings
Fig. 1 is a schematic diagram of the data security isolation technique of the present invention.
Fig. 2 is a general flow chart of abnormal behavior analysis.
Detailed Description
The technical scheme of the invention is specifically explained below with reference to the accompanying drawings.
The invention provides a data detection and safety isolation method facing an edge operating system, which is used for analyzing abnormal behaviors of uplink data or downlink data in the edge operating system, and if the analyzed uplink data or downlink data are abnormal, carrying out data safety isolation on corresponding uplink data or downlink data in the edge operating system.
The following is a specific implementation of the present invention.
The basic principle of the data detection and security isolation method facing the edge operating system in the embodiment of the present invention is shown in fig. 1, and the following is specifically described:
(1) the invention adopts a data security isolation technology to perform abnormal behavior analysis and data security isolation processing on the uplink data and the downlink data in the edge operation system.
(2) The object served by the abnormal behavior analysis function is the valid data obtained after data collection or data preprocessing. The credibility of data changes is analysed by modelling the relationships among the data. For the abnormal portion of the data, characteristic data of abnormal behaviors (such as virus or attack behaviors and device communication fault behaviors) are extracted, the abnormal behaviors of the uplink and downlink data are analysed by methods such as rule matching or an abnormal-degree threshold, and once the credibility of a data change falls below a certain level the edge layer automatically applies protective processing, such as triggering an alarm, automatically filtering the data or cutting off a communication link according to the processing strategy, or clearing and repairing the abnormal portion of the data.
(3) The data security isolation function divides the uplink data and downlink data, which are analysed for the edge operating system's two different data bodies, into the memory spaces of different computing nodes based on Docker container isolation technology. The technique defines a set of security isolation policy rules that guide the partitioning of address spaces between the different nodes and restrict the read and write operations of the different data bodies in the different spaces.
In order to realize the functions, the invention is realized by the following technical means and measures:
One feature of the present invention is an abnormal behavior analysis technology that processes abnormal data in the uplink and downlink data streams, thereby improving data quality.
Abnormal behavior detection based on characteristics is performed by inspecting the real-time data stream and by mining and analysing historical data, which allows more hidden and complex attack behaviors to be identified. Information such as network information, device information, application information, vulnerability information, real-time network traffic and security events is collected and correlated; the collected historical data are mined and analysed; a baseline of normal data flow behavior is learned through intelligent analysis; abnormal attack behaviors and abnormal device states are identified by comparing the baseline with the real-time data flow behavior; and abnormal alarms and abnormal access paths are presented visually.
As shown in fig. 2, the general process of abnormal behavior analysis is as follows. Abnormal data are detected, and the collected information is analysed to obtain characteristic data of virus attacks and of device or communication faults. The cause of the abnormal behavior is judged by comparing, through rule matching or an abnormal-degree threshold, whether the detected data behavior deviates from the known abnormal behavior. Protective handling is then applied: once the credibility of the data change falls below a certain level, the edge layer automatically takes protective action, such as triggering an alarm, automatically filtering data or cutting off a communication link according to the processing strategy, or clearing and repairing the abnormal data.
1. Detection of anomalous data
(1) Data preprocessing: the accessed raw data are matched and extracted through the rule file, the data content is assembled in a uniform format to form a normalized event, and fields such as differing time formats, event grades and event names are standardized. After normalization, the attributes on which subsequent analysis depends are enriched, for example by backfilling physical location information and device information according to IP geolocation.
(2) Real-time anomaly detection: the real-time data stream is processed and the data content is checked against detection rules; for example, illegal port access is detected against the registered set of allowed open ports, illegal requests are detected against authority rules, and abnormal behaviors are detected according to request frequency and device rules.
2. Determining the cause of abnormal behavior
Historical data and security event data are learned with algorithms such as statistics and clustering; by learning the access patterns of an application, a model of normal service access can be formed, converted into rules and applied to real-time anomaly detection, so that subsequent data are analysed in real time. At the same time, abnormal data behaviors are found by comparing indicators of the data stream such as packet-count range, byte range, flow count, connection frequency and connection range; malicious attacks, botnets, faulty equipment and the like can be determined from the abnormal characteristics, and the abnormal behavior is thereby traced to its source.
3. Make a protection disposition
The method implements protective handling of abnormal behaviors, including triggering an alarm, automatically filtering data or cutting off a communication link, and presents the abnormal behaviors to users in visual form, including the display, query, statistics and handling management of alarm events, and the registration of information such as devices, vulnerabilities and malicious IPs.
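The four-stage pipeline described above (S11 preprocess, S12 detect, S13 determine cause, S14 protect), carried out over constructed uplink records as an added example that is not the patent's own code; the rule tables, field names, cause-mapping rules and sample records are all assumptions:

```python
"""Abnormal-behavior pipeline for edge uplink records (added example).

S11 preprocess (rule-file matching, normalization, enrichment); S12 detect
(port, authority and frequency rules plus a value baseline); S13 determine
the cause by rule matching under an abnormal-degree threshold; S14 pick the
protective action from a processing strategy. All tables are assumptions."""
from collections import defaultdict

ALLOWED_PORTS = {502, 4840}                      # registered open ports
WRITE_PERMS = {"plc-01": {"valve_1"}, "plc-02": {"pump_2"}}  # authority rules
MAX_MSGS_PER_WINDOW = 5                          # frequency rule, per device
VALUE_RANGE = {"temp": (-40.0, 150.0)}           # learned normal baseline
LOCATION = {"10.0.1.11": "hall-A", "10.0.1.12": "hall-B"}  # enrichment table
POLICY = {"malicious_attack": "cut_link", "botnet": "filter",
          "faulty_equipment": "repair", "unknown": "alarm"}

def preprocess(raw):
    """S11: drop records the rule file cannot match, normalize, enrich."""
    try:
        ev = {"device": raw["dev"].lower(), "src_ip": raw["ip"],
              "port": int(raw["port"]), "op": raw.get("op", "read"),
              "tag": raw.get("tag", ""), "value": float(raw.get("val", 0)),
              "ts": int(raw["ts"]), "findings": []}
    except (KeyError, ValueError):
        return None
    ev["location"] = LOCATION.get(ev["src_ip"], "unknown")
    return ev

def detect(events):
    """S12: apply detection rules to the normalized stream, tag findings."""
    seen = defaultdict(int)
    for ev in events:
        seen[ev["device"]] += 1
        if ev["port"] not in ALLOWED_PORTS:
            ev["findings"].append("illegal_port")
        if ev["op"] == "write" and ev["tag"] not in WRITE_PERMS.get(ev["device"], ()):
            ev["findings"].append("illegal_request")
        if seen[ev["device"]] > MAX_MSGS_PER_WINDOW:
            ev["findings"].append("high_frequency")
        lo, hi = VALUE_RANGE.get(ev["tag"], (float("-inf"), float("inf")))
        if not lo <= ev["value"] <= hi:
            ev["findings"].append("out_of_range")
    return [ev for ev in events if ev["findings"]]

def determine_cause(abnormal, threshold=2):
    """S13: per device, count findings (abnormal degree) and match cause rules."""
    findings = defaultdict(list)
    for ev in abnormal:
        findings[ev["device"]].extend(ev["findings"])
    causes = {}
    for dev, f in findings.items():
        if len(f) < threshold:                # below threshold: alarm only
            causes[dev] = "unknown"
        elif "illegal_port" in f and "illegal_request" in f:
            causes[dev] = "malicious_attack"  # assumed mapping rules
        elif "high_frequency" in f:
            causes[dev] = "botnet"
        elif "out_of_range" in f:
            causes[dev] = "faulty_equipment"
        else:
            causes[dev] = "unknown"
    return causes

def protect(causes):
    """S14: select the protective action for each device from the policy."""
    return {dev: POLICY[cause] for dev, cause in causes.items()}

def run(raw_records):
    events = [ev for ev in map(preprocess, raw_records) if ev]
    return protect(determine_cause(detect(events)))

# Constructed records: plc-01 behaves normally; plc-02 writes to a tag it
# may not touch over an unregistered port; sensor-07 floods; sensor-09
# reports impossible temperatures; the last record fails rule matching.
SAMPLE_RECORDS = (
    [{"dev": "PLC-01", "ip": "10.0.1.11", "port": 502, "op": "write",
      "tag": "valve_1", "val": 1, "ts": t} for t in range(3)]
    + [{"dev": "plc-02", "ip": "10.0.1.12", "port": 23, "op": "write",
        "tag": "valve_1", "val": 0, "ts": 3}]
    + [{"dev": "sensor-07", "ip": "10.0.1.20", "port": 502, "tag": "temp",
        "val": 25.0, "ts": t} for t in range(4, 11)]
    + [{"dev": "sensor-09", "ip": "10.0.1.21", "port": 4840, "tag": "temp",
        "val": 999.0, "ts": t} for t in (11, 12)]
    + [{"dev": "broken", "ip": "10.0.1.30"}]
)

if __name__ == "__main__":
    print(run(SAMPLE_RECORDS))
```

The frequency counter is per call, so a real deployment would evaluate it over a sliding time window rather than over the whole batch.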
The second technical feature of the invention is the data security technology provided, which is based on Docker container isolation technology: it stores the uplink data and downlink data of the edge operating system on computing nodes located in different memory spaces according to a given isolation strategy, and performs security isolation by means of the system kernel to ensure that the uplink and downlink data cannot be accessed or called by mistake. Specifically, isolation is performed by namespaces, resource limitation by cgroups, and authority limitation by capabilities. A set of security isolation rules guides the division of address spaces among the different containers and the restriction of read and write operations of uplink and downlink data on the different address spaces.
1. Resource isolation
The Docker container uses 6 kinds of namespace isolations provided in the Linux kernel, including a UTS namespace, an IPC namespace, a PID namespace, a Network namespace, a Mount namespace, and a User namespace:
(1) The UTS namespace isolates the hostname and domain name, so each container has its own hostname and domain name and can be treated as an independent network node.
(2) The IPC namespace isolates semaphores, message queues and shared memory, including System V IPC identifiers and the file system that implements POSIX message queues; processes in the same IPC namespace can see each other's IPC objects, while processes in different IPC namespaces cannot.
(3) The PID namespace isolates process ID numbers: processes in different PID namespaces may have the same PID, and each PID namespace keeps its own independent PID numbering.
(4) The Network namespace isolates network resources. This is not true network isolation; rather, the container's own network stack is isolated, and the container communicates with the outside as an independent network entity.
(5) The Mount namespace isolates mount points, so changes to the file system tree under one Mount namespace do not affect the others.
(6) The User namespace isolates security-related identifiers and attributes, including user IDs, group IDs, the root directory, keys and special permissions; it allows a process to hold different privilege levels inside and outside the container.
2. Resource restriction
cgroups group processes and manage the total resource consumption of each group; they share the available hardware resources among containers and bound each container's memory and CPU usage. cgroups provide the following four functions:
(1) Resource limitation: the total amount of resources a task group may use is capped, and a prompt is issued if an application exceeds its upper quota at runtime;
(2) Priority allocation: the priority of the task processes is controlled through the number of CPU time slices and the disk I/O bandwidth allocated to them;
(3) Resource statistics: the system's resource usage, such as CPU and memory consumption, is measured;
(4) Task control: tasks can be suspended and resumed.
3. Authority restriction
The technology supports splitting the privileges of the superuser into distinct units, called capabilities, that can be enabled and disabled individually. Capabilities can be granted to an ordinary process so that it can perform specific operations otherwise reserved for the root user. When the kernel checks whether a process may perform a privileged operation, it does not check whether the process is privileged (effective user ID 0) or unprivileged (effective user ID not 0), but whether the process holds the capability required for that operation. Disabling capabilities without good reason can cause an application to crash. Docker currently enables a restrictive default capability set, and also lets developers change that default from the command line, so that availability is preserved while Docker remains secure.
All running containers first share a base file system image; once a container needs to write to the file system, the write is redirected to a separate file system layer specific to that container. This mechanism prevents one container from seeing another container's data, and containers cannot affect one another by modifying file system contents.
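A policy gate for the container configuration described above, as an added example that is not the patent's code: it checks an uplink and a downlink container spec against the three pillars (namespace isolation, cgroup limits, capability restriction) and the rule that the two data bodies never share a data mount or a network, and emits the matching docker run arguments. The spec keys, limits, container names and host paths are assumptions; the docker flags used are the standard ones.

```python
"""Isolation policy gate for the uplink and downlink data containers.

Added example, not the patent's code. It checks a container spec against
the three pillars above (namespace isolation, cgroup limits, capability
restriction) plus the rule that the two data bodies never share a data
mount or a network, and emits the matching docker run arguments. Spec keys,
limits and the sample specs are assumptions; the flags are standard."""

# Assumed policy: the only capability a data container may add back.
ALLOWED_CAPS = {"NET_BIND_SERVICE"}

def check_spec(spec):
    """Return the policy violations for one container spec."""
    v = []
    # 1. Resource isolation: the container must not join host namespaces.
    if spec.get("privileged"):
        v.append("privileged mode disables namespace and capability isolation")
    for ns in ("ipc", "pid", "network", "uts"):
        if spec.get(ns, "private") == "host":
            v.append(f"{ns} namespace shared with the host")
    if spec.get("userns") == "host":
        v.append("user namespace disabled (--userns=host)")
    # 2. Resource limitation: every cgroup limit must be set explicitly.
    for key in ("memory", "cpus", "pids_limit"):
        if key not in spec:
            v.append(f"missing cgroup limit: {key}")
    # 3. Authority limitation: drop all capabilities, add back only the allowed set.
    if "ALL" not in spec.get("cap_drop", []):
        v.append("capabilities not dropped with --cap-drop=ALL")
    extra = set(spec.get("cap_add", [])) - ALLOWED_CAPS
    if extra:
        v.append("disallowed capabilities added: " + ", ".join(sorted(extra)))
    if not spec.get("no_new_privileges"):
        v.append("no-new-privileges not set")
    if not spec.get("read_only"):
        v.append("root filesystem is writable")
    return v

def host_paths(spec):
    return {vol.split(":")[0] for vol in spec.get("volumes", [])}

def check_pair(up, down):
    """Both specs must pass, and the two bodies must not reach each other's data."""
    v = check_spec(up) + check_spec(down)
    shared = host_paths(up) & host_paths(down)
    if shared:
        v.append("data mounts shared between bodies: " + ", ".join(sorted(shared)))
    if up.get("network") == down.get("network"):
        v.append("both bodies attached to the same network")
    return v

def to_docker_args(spec):
    """Translate a spec into docker run arguments (call check_spec first)."""
    args = ["docker", "run", "-d", "--name", spec["name"],
            f"--ipc={spec.get('ipc', 'private')}", f"--network={spec['network']}",
            f"--memory={spec['memory']}", f"--cpus={spec['cpus']}",
            f"--pids-limit={spec['pids_limit']}", "--security-opt=no-new-privileges"]
    args += [f"--cap-drop={c}" for c in spec["cap_drop"]]
    args += [f"--cap-add={c}" for c in spec.get("cap_add", [])]
    if spec.get("read_only"):
        args.append("--read-only")
    for vol in spec.get("volumes", []):
        args += ["-v", vol]
    return args + [spec["image"]]

# Constructed specs: one container per data body, each on its own network
# with its own host directory, so neither can read or call the other's data.
BASE = {"ipc": "private", "memory": "256m", "cpus": "0.5", "pids_limit": 64,
        "cap_drop": ["ALL"], "no_new_privileges": True, "read_only": True,
        "image": "edge-data-agent:latest"}
UPLINK = {**BASE, "name": "uplink", "network": "net-uplink",
          "volumes": ["/srv/edge/uplink:/data:rw"]}
DOWNLINK = {**BASE, "name": "downlink", "network": "net-downlink",
            "volumes": ["/srv/edge/downlink:/data:rw"]}
BAD = {"name": "bad", "image": "edge-data-agent:latest", "network": "host",
       "ipc": "host", "privileged": True, "cap_add": ["SYS_ADMIN"]}

if __name__ == "__main__":
    print(check_pair(UPLINK, DOWNLINK))   # empty list when compliant
    print(check_spec(BAD))
    print(" ".join(to_docker_args(UPLINK)))
```

User-namespace remapping is a daemon-level setting (userns-remap), so the gate can only reject a spec that explicitly opts out with --userns=host.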
The above are preferred embodiments of the present invention, and all changes made according to the technical scheme of the present invention that produce functional effects do not exceed the scope of the technical scheme of the present invention belong to the protection scope of the present invention.

Claims (3)

1. A data detection and safety isolation method facing an edge operating system is characterized in that abnormal behavior analysis is carried out on uplink data or downlink data in the edge operating system, and if the analyzed uplink data or downlink data are abnormal, data safety isolation is carried out on corresponding uplink data or downlink data in the edge operating system.
2. The method for data detection and security isolation oriented to the edge operating system according to claim 1, wherein the abnormal behavior analysis is implemented as follows:
step S11, data preprocessing: the accessed uplink or downlink data are matched and extracted through a rule file and then normalized; after normalization, the attributes on which subsequent analysis depends are enriched;
step S12, real-time anomaly detection: processing the real-time data stream after data preprocessing, detecting the data content according to a detection rule, and extracting the characteristic data of abnormal behaviors;
step S13, determining the cause of the abnormal behavior: comparing whether the detected data behavior and the abnormal behavior have deviation or not by a method comprising rule matching and setting an abnormal degree threshold value, so as to judge the reason causing the abnormal behavior;
step S14, protection processing: according to a processing strategy, one of triggering an alarm, automatically filtering the data, cutting off the communication link, or clearing and repairing the abnormal data is selected, thereby achieving protective processing of the abnormal behavior.
3. The method for data detection and security isolation for an edge operating system according to claim 1, wherein the data security isolation is implemented as follows:
Based on Docker container isolation technology, the uplink data and downlink data in the edge operating system are stored on computing nodes located in different memory spaces according to an isolation strategy, and security isolation is performed by means of the system kernel to ensure that the uplink and downlink data cannot be accessed or called by mistake; specifically, resource isolation is performed through namespaces, resource limitation through cgroups, and authority limitation through capabilities.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011304893.0A CN112347515A (en) 2020-11-20 2020-11-20 Data detection and safety isolation method for edge operating system

Publications (1)

Publication Number Publication Date
CN112347515A true CN112347515A (en) 2021-02-09

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105959144A (en) * 2016-06-02 2016-09-21 中国科学院信息工程研究所 Safety data acquisition and anomaly detection method and system facing industrial control network
CN107643940A (en) * 2017-09-26 2018-01-30 华为技术有限公司 Container creation method, relevant device and computer-readable storage medium
CN109474607A (en) * 2018-12-06 2019-03-15 连云港杰瑞深软科技有限公司 A kind of industrial control network safeguard protection monitoring system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination