CN112800428A - Method and device for judging safety state of terminal equipment - Google Patents

Publication number
CN112800428A
Authority
CN
China
Prior art keywords
data
training
model
safety state
target terminal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110053180.XA
Other languages
Chinese (zh)
Other versions
CN112800428B (en)
Inventor
于文海
祖立军
郭伟
乐旭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Unionpay Co Ltd
Original Assignee
China Unionpay Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Unionpay Co Ltd filed Critical China Unionpay Co Ltd
Priority to CN202110053180.XA priority Critical patent/CN112800428B/en
Publication of CN112800428A publication Critical patent/CN112800428A/en
Priority to PCT/CN2021/128867 priority patent/WO2022151815A1/en
Application granted granted Critical
Publication of CN112800428B publication Critical patent/CN112800428B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a method and a device for judging the safety state of terminal equipment. The method comprises the following steps: a target terminal device acquires to-be-judged state data of unknown threats; the target terminal device inputs the to-be-judged state data into a first safety state judgment model for unknown threats and obtains a first judgment result output by the first safety state judgment model. The first safety state judgment model is obtained through machine learning training carried out by a plurality of terminal devices and a server, based on the labeled unknown-threat data of the plurality of terminal devices.

Description

Method and device for judging safety state of terminal equipment
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a method and an apparatus for determining a security state of a terminal device.
Background
Terminal devices are involved in many application scenarios. For example, the share of mobile payment in China is gradually increasing, and more and more terminal devices take part in mobile payment. The state data of a terminal device reflects its current safety state, so the safety state of the terminal device can be judged by collecting its state data.
In current schemes, known threats to a terminal device can be checked with a corresponding safety judgment model to determine whether the device is safe; for example, for an attack that tampers with files, a file-change safety judgment model can be used to judge whether the terminal device is safe. However, detection of unknown threats, where the attack approach is uncertain, is limited. At present, unknown threat detection for terminal devices is implemented through big-data statistical judgment: the state data of the terminal devices is first collected and then transmitted to a server in a unified manner, so that once the server has collected a large amount of terminal state data it can form big-data statistics and then judge the safety state. However, once the server holds the state data of a large number of terminal devices, it is difficult to ensure that this data is not abused. It is therefore difficult to judge the safety state of a terminal device while ensuring the privacy of its state data.
Disclosure of Invention
The invention provides a method and a device for judging the security state of terminal equipment, which solve the problem of judging the security state of the terminal equipment under the condition of ensuring the privacy and the security of the state data of the terminal equipment in the prior art.
In a first aspect, the present invention provides a method for determining a security status of a terminal device, including:
the target terminal equipment acquires state data to be judged of unknown threats; the target terminal equipment is any one of a plurality of terminal equipment;
the target terminal equipment inputs the state data to be judged to a first safety state judgment model of unknown threat to obtain a first judgment result output by the first safety state judgment model;
the first safety state judgment model is obtained through machine learning training carried out by a plurality of terminal devices and a server based on labeled data of unknown threats of the plurality of terminal devices; in any round of machine learning training, any terminal device among the plurality of terminal devices sends its local training parameters for that round to the server, and the server fuses the local training parameters of the plurality of terminal devices for that round to obtain fused training parameters and sends the fused training parameters to the plurality of terminal devices, so that the plurality of terminal devices update based on the fused training parameters or use them as the model parameters of the first safety state judgment model.
In the above manner, the first safety state judgment model is obtained through machine learning training carried out by the plurality of terminal devices and the server based on labeled data of unknown threats of the plurality of terminal devices. In any round of machine learning training, a terminal device sends only its local training parameters for that round to the server, and the server fuses the local training parameters of the plurality of terminal devices for that round to obtain fused training parameters, on which the plurality of terminal devices then update. The state data of the terminal devices does not need to be transmitted in this process, so the privacy of the state data is not leaked. Because the fused training parameters of each round take the local training parameters of every terminal device into account, the accuracy of the first safety state judgment model is also ensured. Therefore, after the target terminal device obtains the to-be-judged state data of an unknown threat, it inputs that data into the first safety state judgment model for unknown threats and directly obtains the first judgment result output by the model. The to-be-judged state data does not need to be uploaded to the server, so the safety state of the terminal device is judged while the privacy of its state data is protected.
Optionally, the target terminal device obtains tagged data of the unknown threat of the target terminal device according to the following manner:
the target terminal equipment acquires the label-free data of the unknown threat of the target terminal equipment;
and the target terminal equipment acquires the tagged data based on the non-tagged data.
In the above manner, after the unlabeled data of the unknown threat of the target terminal device is obtained, the labeled data is obtained from it; that is, the unlabeled data is converted into labeled data, and the characteristics of the unlabeled unknown-threat data are retained.
Optionally, the obtaining, by the target terminal device, the tagged data based on the non-tagged data includes:
the target terminal device inputs the label-free data into at least one second safety state judgment model of known threats to obtain at least one second judgment result output by the at least one second safety state judgment model;
and the target terminal equipment determines the label value of the non-label data according to the at least one second judgment result, so that the non-label data is converted into the labeled data.
In the method, at least one second judgment result is obtained through the at least one second safety state judgment model, so that the characteristics of corresponding known threats can be found, and the tagged data can be obtained more accurately.
Optionally, the obtaining, by the target terminal device, the tagged data based on the non-tagged data includes:
the target terminal equipment obtains first cluster clustering data and second cluster clustering data of the label-free data according to a preset clustering algorithm based on the label-free data; the data volume of the first cluster clustering data is smaller than that of the second cluster clustering data;
the target terminal device sets the label value of the first cluster clustering data as a first label value and sets the label value of the second cluster clustering data as a second label value, so that the label-free data is converted into the labeled data; the first tag value characterizing data is unsafe data and the second tag value characterizing data is secure data.
In the above manner, the target terminal device obtains the first cluster data and the second cluster data of the non-tag data according to a preset clustering algorithm based on the non-tag data, so as to adaptively distinguish safe data and unsafe data according to the data amount of the cluster data, and mark a tag, thereby providing a method for automatically setting a tag.
Optionally, the target terminal device obtains the first security state judgment model according to the following method:
in any round of machine learning training, the target terminal device obtains a second local training parameter of a safety state training model based on the tagged data of the unknown threat and a first local training parameter of the safety state training model;
the target terminal equipment sends the second local training parameters to the server;
the target terminal equipment obtains a fusion training parameter from the server; the fusion training parameters are obtained by the server side based on local training parameters sent by the plurality of terminal devices;
if the safety state training model does not meet the preset convergence condition, the target terminal device takes the fusion training parameter as the new first local training parameter and returns to the step in which the target terminal device obtains a second local training parameter of the safety state training model based on the tagged data of the unknown threat and the first local training parameter of the safety state training model;
and if the safety state training model meets the preset convergence condition, the target terminal device takes the fusion training parameter as a model parameter of the safety state training model, and takes the safety state training model at the moment as the first safety state judgment model.
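The round structure in the steps above, as an added Python sketch that is not part of the patent text. The patent fixes neither the model nor the fusion rule; logistic regression, sample-weighted averaging, the two-feature state vector, the 1 = unsafe label encoding, the convergence test and all device data below are assumptions constructed for illustration.

```python
import math

FEATURES = 2        # same feature dimension on every device (assumed: CPU load, process spawn rate)
LR = 1.0            # assumed local learning rate
L2 = 0.01           # assumed weight decay, gives training a finite optimum
LOCAL_STEPS = 5     # assumed gradient steps per device per round
TOLERANCE = 1e-4    # assumed "preset convergence condition" on parameter change
MAX_ROUNDS = 500    # hard stop if the condition is never met


def score(params, x):
    """Probability that state vector x is unsafe; params = [w1, w2, bias]."""
    z = sum(w * v for w, v in zip(params, x)) + params[-1]
    return 1.0 / (1.0 + math.exp(-z))


def judge(params, x):
    """First judgment result: 1 = unsafe, 0 = safe (encoding assumed)."""
    return 1 if score(params, x) >= 0.5 else 0


class Device:
    def __init__(self, name, labeled):
        self.name = name
        self._labeled = labeled                # (features, label) pairs; never uploaded
        self.params = [0.0] * (FEATURES + 1)   # first local training parameter

    def local_round(self):
        """Train on local labeled data; return only what goes to the server."""
        p, n = list(self.params), len(self._labeled)
        for _ in range(LOCAL_STEPS):
            grad = [L2 * w for w in p[:FEATURES]] + [0.0]
            for x, y in self._labeled:
                err = score(p, x) - y
                for j, v in enumerate(x):
                    grad[j] += err * v / n
                grad[-1] += err / n
            p = [w - LR * g for w, g in zip(p, grad)]
        # second local training parameter plus a sample count for weighting
        return {"device": self.name, "samples": n, "params": p}

    def apply_fused(self, fused):
        self.params = list(fused)


def fuse(uploads):
    """Server side: sample-weighted mean of the uploaded parameters."""
    total = sum(u["samples"] for u in uploads)
    dim = len(uploads[0]["params"])
    return [sum(u["params"][j] * u["samples"] for u in uploads) / total
            for j in range(dim)]


def federated_train(devices):
    """Repeat rounds until the fused parameters stop moving or MAX_ROUNDS."""
    fused = [0.0] * (FEATURES + 1)
    rounds = 0
    while rounds < MAX_ROUNDS:
        rounds += 1
        uploads = [d.local_round() for d in devices]
        new = fuse(uploads)
        delta = max(abs(a - b) for a, b in zip(new, fused))
        fused = new
        for d in devices:
            d.apply_fused(fused)   # fused parameter becomes the next first local parameter
        if delta < TOLERANCE:
            break
    return fused, rounds


def make_devices():
    """Constructed sample data: three devices with slightly different baselines."""
    def build(name, shift, n_safe, n_unsafe):
        safe = [((0.15 + 0.01 * i + shift, 0.05 + 0.01 * i), 0) for i in range(n_safe)]
        unsafe = [((0.85 + 0.02 * i, 0.80 + 0.02 * i - shift), 1) for i in range(n_unsafe)]
        return Device(name, safe + unsafe)
    return [build("pos-1", 0.00, 12, 4), build("pos-2", 0.05, 9, 3), build("pos-3", 0.10, 15, 5)]


if __name__ == "__main__":
    devices = make_devices()
    params, rounds = federated_train(devices)
    print("rounds:", rounds, "params:", [round(p, 3) for p in params])
    print("judge high-load state:", judge(params, (0.95, 0.90)))
    print("judge idle state:", judge(params, (0.10, 0.05)))
```

The upload dictionary is the whole of what the server sees from a device in a round: a name, a sample count and three floats.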
Optionally, after obtaining the first determination result output by the first safety state determination model, the method further includes:
and the target terminal equipment sends the first judgment result to the server side.
Optionally, the tagged data of the unknown threats of the plurality of terminal devices all have the same data characteristic dimension.
In a second aspect, the present invention provides a device for determining a security status of a terminal device, including:
the acquisition module is used for acquiring state data to be judged of unknown threats of the target terminal equipment; the target terminal equipment is any one of a plurality of terminal equipment;
the processing module is used for inputting the state data to be judged to a first safety state judgment model of unknown threat and obtaining a first judgment result output by the first safety state judgment model;
the first safety state judgment model is obtained through machine learning training carried out by a plurality of terminal devices and a server based on labeled data of unknown threats of the plurality of terminal devices; in any round of machine learning training, any terminal device among the plurality of terminal devices sends its local training parameters for that round to the server, and the server fuses the local training parameters of the plurality of terminal devices for that round to obtain fused training parameters and sends the fused training parameters to the plurality of terminal devices, so that the plurality of terminal devices update based on the fused training parameters or use them as the model parameters of the first safety state judgment model.
Optionally, the obtaining module obtains tagged data of the unknown threat of the target terminal device according to the following manner:
acquiring label-free data of the unknown threat of the target terminal equipment;
and acquiring the tagged data based on the non-tagged data.
Optionally, the obtaining module is specifically configured to:
inputting the label-free data into at least one second safety state judgment model of a known threat to obtain at least one second judgment result output by the at least one second safety state judgment model;
and determining a label value of the non-label data according to the at least one second judgment result, so as to convert the non-label data into the labeled data.
Optionally, the obtaining module is specifically configured to: based on the label-free data, obtaining first cluster clustering data and second cluster clustering data of the label-free data according to a preset clustering algorithm; the data volume of the first cluster clustering data is smaller than that of the second cluster clustering data;
setting a label value of the first cluster data to a first label value, and setting a label value of the second cluster data to a second label value, thereby converting the non-label data into the labeled data; the first tag value characterizing data is unsafe data and the second tag value characterizing data is secure data.
Optionally, the obtaining module obtains the first safety state judgment model according to the following method:
in any round of machine learning training, obtaining a second local training parameter of a safety state training model based on the tagged data of the unknown threat and a first local training parameter of the safety state training model; sending the second local training parameter to the server; acquiring a fusion training parameter from the server; the fusion training parameters are obtained by the server side based on local training parameters sent by the plurality of terminal devices;
if the safety state training model does not meet the preset convergence condition, taking the fusion training parameter as the new first local training parameter, and returning to the step of obtaining a second local training parameter of the safety state training model based on the tagged data of the unknown threat and the first local training parameter of the safety state training model;
and if the safety state training model meets the preset convergence condition, taking the fusion training parameter as a model parameter of the safety state training model, and taking the safety state training model at the moment as the first safety state judgment model.
Optionally, the obtaining module is further configured to: and sending the first judgment result to the server.
Optionally, the tagged data of the unknown threats of the plurality of terminal devices all have the same data characteristic dimension.
The advantageous effects of the second aspect and the various optional apparatuses of the second aspect may refer to the advantageous effects of the first aspect and the various optional methods of the first aspect, and are not described herein again.
In a third aspect, the present invention provides a computer device comprising a program or instructions for performing the method of the first aspect and the alternatives of the first aspect when the program or instructions are executed.
In a fourth aspect, the present invention provides a storage medium comprising a program or instructions which, when executed, is adapted to perform the method of the first aspect and the alternatives of the first aspect.
These and other aspects of the invention are apparent from and will be elucidated with reference to the embodiments described hereinafter.
Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings in the following description show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a schematic flowchart illustrating steps of a method for determining a security status of a terminal device according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a terminal device in a method for determining a security state of a terminal device according to an embodiment of the present invention;
Fig. 3 is a schematic diagram illustrating obtaining of the first security state judgment model in the method for judging security state of a terminal device according to the embodiment of the present invention;
Fig. 4 is a schematic diagram of a cloud service architecture in a method for determining a security state of a terminal device according to an embodiment of the present invention;
Fig. 5 is a schematic flowchart of a specific process corresponding to a method for determining a security state of a terminal device according to an embodiment of the present invention;
Fig. 6 is a schematic diagram illustrating implementation of federated learning in a terminal device in a method for determining a security status of a terminal device according to an embodiment of the present invention;
Fig. 7 is a schematic diagram illustrating implementation of federated learning at a server in a method for determining a security status of a terminal device according to an embodiment of the present invention;
Fig. 8 is a schematic diagram of a timing sequence step corresponding to a method for determining a security state of a terminal device according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a security state determining apparatus of a terminal device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in fig. 1, an embodiment of the present invention provides a method for determining a security state of a terminal device.
Step 101: The target terminal device acquires the to-be-judged state data of the unknown threat.
The target terminal device is any one of a plurality of terminal devices.
Step 102: The target terminal device inputs the to-be-judged state data into a first safety state judgment model for unknown threats and obtains a first judgment result output by the first safety state judgment model.
In steps 101 to 102, the status data to be determined may be, for example, CPU status data, process status data, and the like.
The first safety state judgment model is obtained through machine learning training carried out by a plurality of terminal devices and a server based on labeled data of unknown threats of the plurality of terminal devices. In any round of machine learning training, any terminal device among the plurality of terminal devices sends its local training parameters for that round to the server, and the server fuses the local training parameters of the plurality of terminal devices for that round to obtain fused training parameters and sends the fused training parameters to the plurality of terminal devices, so that the plurality of terminal devices update based on the fused training parameters or use them as the model parameters of the first safety state judgment model.
It should be noted that the labeled unknown-threat data of the plurality of terminal devices all have the same data feature dimensions. In addition, the above machine learning method is not limited, and horizontal federated learning may be employed.
In the method of steps 101 to 102, to address the problem of using private data, the private data of the terminal device is not uploaded to the cloud when the first safety state judgment model is trained and is used only by the terminal device itself. The method of steps 101 to 102 therefore ensures, at the level of the technical architecture, that private data is not leaked or used maliciously.
In addition, while solving the problem of uploading private data, the machine learning method also provides a way to iterate the unknown-threat model of the terminal device. In general, unknown threats require data to be collected in more dimensions, and because their purpose is unknown they are difficult to capture. With the method of steps 101 to 102, data in more dimensions can be collected while the privacy problem is solved. The data is labeled using the results of the safety state judgment models for known threats, and model training can be done locally, so that the safety state judgment model on the terminal side is continuously trained and iterated.
It should be noted that, in conventional schemes, unknown threat detection requires a large amount of auxiliary data: because the threat is unknown, data in more dimensions is needed to assist discovery and detection. However, as privacy protection becomes increasingly important, uploading a large amount of private data to the cloud for use is becoming harder and harder to accept. In the method of steps 101 to 102, the machine learning method is therefore introduced to solve the problem of training a safety state judgment model on the terminal, and it is supplemented by data labeling based on the safety state judgment models for known threats, so that the judgment of the safety state of the terminal device can be more complete.
In an optional implementation manner, the target terminal device obtains tagged data of an unknown threat of the target terminal device according to the following manner:
Step (1): The target terminal device obtains the unlabeled data of the unknown threat of the target terminal device.
Step (2): The target terminal device obtains the labeled data based on the unlabeled data.
It should be noted that, in the step (2), the label may be added to the non-label data in different manners, so as to obtain the labeled data.
In an alternative embodiment, step (2) may specifically be:
the target terminal device inputs the label-free data into at least one second safety state judgment model of known threats to obtain at least one second judgment result output by the at least one second safety state judgment model;
and the target terminal equipment determines the label value of the non-label data according to the at least one second judgment result, so that the non-label data is converted into the labeled data.
For example, the at least one second security state determination model is 3 second security state determination models, used respectively as follows: the first of them detects threats in aspect A, the second detects threats in aspect B, and the third detects threats in aspect C.
The to-be-judged state data of an unknown threat may involve threats in aspects A, B, and C, so comprehensive detection can locate whether the corresponding threats are present in the unknown threat.
In another alternative embodiment, step (2) may specifically be:
the target terminal equipment obtains first cluster clustering data and second cluster clustering data of the label-free data according to a preset clustering algorithm based on the label-free data; and the target terminal equipment sets the label value of the first cluster clustering data as a first label value and sets the label value of the second cluster clustering data as a second label value, so that the label-free data is converted into the labeled data.
The data volume of the first cluster clustering data is smaller than that of the second cluster clustering data; the first tag value characterizing data is unsafe data and the second tag value characterizing data is secure data.
For example, the unlabeled data includes 100 pieces of data; after clustering, second cluster data containing 95 pieces and first cluster data containing 4 pieces are obtained, and 1 piece is an isolated point. Then, on the principle that the more numerous data is normal and the less numerous data is abnormal, the second cluster data is judged to be safe data and its label value is set to the second label value, and the first cluster data is judged to be unsafe data and its label value is set to the first label value.
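The 95 / 4 / 1 case above, worked through as an added Python example that is not part of the patent text. The patent only says "a preset clustering algorithm"; the density-based grouping, the radius and minimum cluster size, the two-feature points, the label strings, and the choice to leave isolated points unlabeled are all assumptions, and the data is constructed.

```python
import math
from collections import Counter

FIRST_LABEL = "unsafe"   # first label value (string encoding assumed)
SECOND_LABEL = "safe"    # second label value
EPS = 0.15               # assumed neighbourhood radius
MIN_CLUSTER = 3          # assumed: smaller groups count as isolated points


def cluster(points, eps=EPS, min_cluster=MIN_CLUSTER):
    """Group points connected through eps-neighbours.

    Returns one id per point; -1 marks an isolated point.
    """
    ids = [None] * len(points)
    next_id = 0
    for start in range(len(points)):
        if ids[start] is not None:
            continue
        ids[start] = -2                      # "visited" marker
        component, frontier = [start], [start]
        while frontier:
            i = frontier.pop()
            for j in range(len(points)):
                if ids[j] is None and math.dist(points[i], points[j]) <= eps:
                    ids[j] = -2
                    component.append(j)
                    frontier.append(j)
        if len(component) >= min_cluster:
            cid, next_id = next_id, next_id + 1
        else:
            cid = -1
        for i in component:
            ids[i] = cid
    return ids


def label_by_cluster_size(points):
    """Smaller cluster -> first label value, larger -> second label value.

    Refuses to label when the data does not split into exactly two clusters
    of different size, because the size rule has nothing to decide on then.
    Isolated points get None (the patent does not assign them a label).
    """
    ids = cluster(points)
    sizes = Counter(i for i in ids if i != -1)
    if len(sizes) != 2:
        raise ValueError(f"expected 2 clusters, found {len(sizes)}")
    (big, n_big), (small, n_small) = sizes.most_common(2)
    if n_big == n_small:
        raise ValueError("clusters are the same size; cannot pick the minority")
    mapping = {small: FIRST_LABEL, big: SECOND_LABEL}
    return [mapping.get(i) for i in ids]


def constructed_points():
    """Constructed sample: 95 baseline states, 4 anomalous states, 1 outlier."""
    baseline = [(0.10 + 0.01 * (i % 19), 0.05 + 0.02 * (i // 19)) for i in range(95)]
    anomalous = [(0.90 + 0.02 * i, 0.80) for i in range(4)]
    outlier = [(0.55, 0.95)]
    return baseline + anomalous + outlier


if __name__ == "__main__":
    labels = label_by_cluster_size(constructed_points())
    print(Counter(labels))
```

The size rule is only as good as its premise that most collected data is normal; on a device whose history is mostly abnormal it assigns the labels the wrong way round, which the cluster sizes alone cannot reveal.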
It should be noted that after step 102, the following steps may also be performed:
and the target terminal equipment sends the first judgment result to the server side.
It should be noted that, when the target terminal device is an intelligent payment device, the structure thereof is as shown in fig. 2.
Fig. 2 is a system framework diagram of the terminal device, and the core functions of the system of the terminal device are mainly divided into four parts, namely data acquisition, model judgment, model learning and data uploading. The method comprises the following specific steps:
Data acquisition: the data acquisition module is mainly responsible for collecting data from the terminal device, including known threat data and unknown threat data. Known threat data includes, for example, root detection, hook framework detection, emulator environment detection, and the like. Unknown threat data is data related to system operation; it cannot by itself definitively establish that the system is in a malicious state, but it changes when the system is attacked. Unknown threat data reflects the current security state of the terminal device more from the perspective of system state changes, for example CPU state data, memory state data, and process state data.
Model judgment: the model judgment module mainly uses the data collected by the data acquisition module to judge the safety state. It includes a known threat determination model (i.e., the second security determination model) and an unknown threat determination model (i.e., the first security determination model). Although the unknown threat determination model is trained through machine learning, it can also be cold-started: as shown in Fig. 2, the initial model is built from simulated data in a laboratory environment.
It should be noted that, taking federated learning as an example, the cold start mode is shown in Fig. 3.
Fig. 3 illustrates the process of training an initial model in a laboratory environment. First, training data, including normal behavior data and abnormal behavior data, needs to be simulated for an actual security scenario. The normal behavior data describes the states and data values under which the terminal device can be considered secure; the abnormal behavior data, in contrast, describes the data values under which the terminal device is not secure.
Further, an algorithm engineer creates an algorithm model based on the understanding of the data, inputs the simulation data into the algorithm model, adjusts the model according to the result, and finally obtains an initial unknown threat determination model according with the simulation data result. This model is used for cold start of the terminal device.
Model learning: another core module in the terminal device is a model learning module. This module is responsible for the federally learned terminal equipment portion. One link in which federal learning is important is model iteration, and model training of the terminal equipment in the iteration link provides model data for learning of the back end. However, if federal learning is used, the specific machine learning algorithm must be a supervised learning algorithm. Data and corresponding labels must be provided during model training.
In the solution of the embodiment of the present invention, a data module collects a large amount of data as data input of unknown threats, and the data can be divided into several dimensions, such as: environment safety data (WIFI address information, base station information, IP address information), hardware safety data (debugging port use condition, CPU use state, memory use state and the like), flow safety data (outlet flow data, inlet flow data) and software safety data (system process state, software service data and the like).
One labeling mode is to label through the output of the known threat module. The output of the known threat module is a score; this mode is relatively simple and intuitive, and the unknown threat data can be trained on directly.
The other labeling mode requires continuous discovery and operation of unknown threats and is relatively complex. First, unsupervised clustering is performed on the unknown threat data of the terminal device so that the problems reflected by the data can be distinguished; these problems are then scored, either automatically or manually, by security operations. Once the scoring is complete, the scores are provided to the terminal device for inference and labeling. The above process can be done in a laboratory environment since the terminal device privacy data is used.
Of the two labeling modes for unknown threats, one is effective in the short term and the other needs continuous optimization over long-term operation. They can be combined with each other according to actual conditions.
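The two labeling modes side by side, as an added example that is not part of the patent text. The smaller-cluster-is-unsafe rule follows the clustering embodiment described later in this document; the feature names, sample values, the 0.5 score cut-off, the deterministic 2-means start and the OR-combination are assumptions made for illustration.

```python
# Constructed sample rows: (cpu_use, mem_use, debug_port_open), scaled to [0, 1].
SAMPLE_ROWS = [
    (0.10, 0.30, 0.0), (0.15, 0.35, 0.0), (0.20, 0.40, 0.0), (0.25, 0.45, 0.0),
    (0.30, 0.50, 0.0), (0.12, 0.33, 0.0), (0.22, 0.41, 0.0), (0.18, 0.38, 0.0),
    (0.95, 0.90, 1.0), (0.90, 0.85, 1.0),
]
# Constructed known-threat scores for the same rows (higher = more suspicious).
SAMPLE_SCORES = [0.0, 0.1, 0.0, 0.0, 0.2, 0.0, 0.1, 0.0, 0.9, 0.3]

UNSAFE, SAFE = 1, 0


def label_from_known_threat(scores, unsafe_at=0.5):
    """Mode 1: turn the known-threat score into a label (cut-off is assumed)."""
    return [UNSAFE if s >= unsafe_at else SAFE for s in scores]


def _dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def two_means(rows, iters=20):
    """k-means with k=2; starts from row 0 and the row farthest from it."""
    c0 = rows[0]
    c1 = max(rows, key=lambda r: _dist2(r, c0))
    assign = []
    for _ in range(iters):
        new_assign = [0 if _dist2(r, c0) <= _dist2(r, c1) else 1 for r in rows]
        if new_assign == assign:
            break
        assign = new_assign
        for k in (0, 1):
            members = [r for r, a in zip(rows, assign) if a == k]
            if members:  # an empty cluster keeps its previous centroid
                mean = tuple(sum(col) / len(members) for col in zip(*members))
                if k == 0:
                    c0 = mean
                else:
                    c1 = mean
    return assign


def label_from_clusters(rows):
    """Mode 2: the smaller cluster is labeled unsafe, the larger one safe.

    Returns None when there is no minority cluster (too few rows, one empty
    cluster, or a tie), because the rule then has nothing to say.
    """
    if len(rows) < 2:
        return None
    assign = two_means(rows)
    n1 = sum(assign)
    n0 = len(assign) - n1
    if n0 == 0 or n1 == 0 or n0 == n1:
        return None
    minority = 1 if n1 < n0 else 0
    return [UNSAFE if a == minority else SAFE for a in assign]


def combined_labels(scores, rows):
    """Assumed combination: unsafe if either mode says unsafe."""
    known = label_from_known_threat(scores)
    clustered = label_from_clusters(rows)
    if clustered is None:
        return known
    return [max(k, c) for k, c in zip(known, clustered)]


if __name__ == "__main__":
    print("known-threat:", label_from_known_threat(SAMPLE_SCORES))
    print("clustering:  ", label_from_clusters(SAMPLE_ROWS))
    print("combined:    ", combined_labels(SAMPLE_SCORES, SAMPLE_ROWS))
```

The last sample row shows why the modes complement each other: its known-threat score is low, yet its state data falls in the minority cluster.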
Data uploading: the data uploading module is mainly used for uploading the unknown threat judgment model trained by the terminal device to the cloud. In addition, the terminal device holds some non-private or de-identified data that needs auxiliary judgment by the cloud. Put simply, the data uploading module is a communication module for exchanging data between the terminal device and the cloud.
In an optional implementation manner, the target terminal device obtains the first security state judgment model according to the following manner:
in any round of machine learning training, the following steps are performed:
Step (a): the target terminal device obtains a second local training parameter of the safety state training model based on the labeled data of the unknown threat and the first local training parameter of the safety state training model.
Step (b): the target terminal device sends the second local training parameter to the server.
Step (c): the target terminal device obtains the fusion training parameter from the server.
The fusion training parameter is obtained by the server based on the local training parameters sent by the plurality of terminal devices.
Step (d): if the safety state training model does not meet the preset convergence condition, the target terminal device takes the fusion training parameter as the first local training parameter again and returns to step (a).
Step (e): if the safety state training model meets the preset convergence condition, the target terminal device takes the fusion training parameter as the model parameter of the safety state training model, and takes the safety state training model at that moment as the first safety state judgment model.
The above process is a training and learning process inside the terminal device.
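Steps (a) to (e) carried through on constructed data, as an added example rather than code from the patent. The patent does not fix the model, the fusion rule or the convergence condition; logistic regression, sample-count-weighted averaging, the L2 term and "largest parameter change below tol" are assumptions, as are all function names and values.

```python
import math
import random


def make_device_data(seed, n_safe=7, n_unsafe=3):
    """Constructed labeled rows for one device: ((cpu, mem, debug_port), label)."""
    rng = random.Random(seed)
    rows = [((rng.uniform(0.1, 0.3), rng.uniform(0.3, 0.5), 0.0), 0)
            for _ in range(n_safe)]
    rows += [((rng.uniform(0.8, 1.0), rng.uniform(0.8, 1.0), 1.0), 1)
             for _ in range(n_unsafe)]
    return rows


def predict(params, x):
    """Probability that state vector x is unsafe; params[0] is the bias."""
    z = params[0] + sum(w * xi for w, xi in zip(params[1:], x))
    z = max(-60.0, min(60.0, z))  # keep exp() in range
    return 1.0 / (1.0 + math.exp(-z))


def local_train(first_params, data, lr=0.5, epochs=5, l2=0.01):
    """Step (a): first local parameters + labeled data -> second local parameters."""
    w = list(first_params)
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for x, y in data:
            err = predict(w, x) - y
            grad[0] += err
            for i, xi in enumerate(x, start=1):
                grad[i] += err * xi
        w = [wi - lr * (g / len(data) + l2 * wi) for wi, g in zip(w, grad)]
    return w


def fuse(updates):
    """Server side: average the uploaded parameters, weighted by sample count."""
    total = sum(n for _, n in updates)
    dim = len(updates[0][0])
    return [sum(p[i] * n for p, n in updates) / total for i in range(dim)]


def run_federated(devices, n_features, max_rounds=300, tol=0.01):
    """Repeat steps (a)-(d) until the assumed convergence condition of step (e).

    Only parameters leave a device; the labeled rows never do.
    Returns (model_params, rounds_used, converged).
    """
    first = [0.0] * (n_features + 1)
    for rnd in range(1, max_rounds + 1):
        # (a) local training and (b) upload of the second local parameters
        updates = [(local_train(first, data), len(data)) for data in devices]
        # (c) every device receives the fused parameters from the server
        fused = fuse(updates)
        change = max(abs(a - b) for a, b in zip(fused, first))
        # (d) the fused parameters become the next first local parameters
        first = fused
        if change < tol:
            # (e) converged: the fused parameters are the judgment model
            return fused, rnd, True
    return first, max_rounds, False


if __name__ == "__main__":
    devices = [make_device_data(seed) for seed in (1, 2, 3)]
    model, rounds, converged = run_federated(devices, n_features=3)
    print("rounds:", rounds, "converged:", converged)
    print("unsafe-looking state:", round(predict(model, (0.9, 0.9, 1.0)), 3))
    print("normal-looking state:", round(predict(model, (0.2, 0.4, 0.0)), 3))
```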
On the other hand, the cloud service has matching functional modules; taking federated learning as an example, its framework diagram is shown in fig. 4.
Fig. 4 is a framework diagram of the cloud service. It comprises several core functional modules: the cloud threat determination module, the federated learning module, the data storage module and the external interface module.
Cloud threat determination module: although a large amount of data is judged and trained on the terminal device, a small amount of data, such as public network IP data, cannot be fully judged by the terminal device itself. For some devices, such as intelligent automatic container collection, movement of the device itself is a very serious security problem, so the cloud is required to monitor whether the public network IP information of the terminal device changes. As described above, although a large amount of data is judged and trained on the terminal device through federated learning for privacy protection, a small amount of data still needs to be judged in the cloud. Therefore, for completeness of the scheme, a cloud threat determination module must be provided in the cloud; it is used for determining data other than the state data of the terminal device, such as the network data of the terminal device.
Federated learning module: the federated learning module of the terminal device takes the terminal device's data as input and outputs a judgment model for that data. The federated learning module of the cloud trains on the models uploaded by the terminal devices: its input is the models uploaded by the terminal devices, and its output is a new model trained on those input models. The federated learning module in the cloud controls the whole federated learning process. Training of the federated learning model on the terminal device cannot be carried out in real time: first, the amount of real-time training data is small, so a good result cannot be achieved; second, model training consumes considerable system resources. It is common to choose a late-night time and train centrally on the data accumulated during the day. The frequency of the federated learning procedure in steps 101 through 102 is once a day. Before each federated learning process starts, the terminal device negotiates with the cloud to determine whether it joins the current round of federated learning. The cloud can screen according to certain conditions and select enough terminal devices to participate in the federated learning process.
Data storage module: the data, models, logs and cloud judgment results of the terminal devices are stored uniformly, in structured form, in the database; to make the data easy for other modules to access, hot data can be backed up to redis. The data storage module provides the relevant data to the external interface module.
External interface module: this module mainly serves service users. For example, a service user queries the safety score of a terminal device and obtains the detailed information of each safety dimension. The module provides data externally in two ways: one is a page that directly displays the states of all terminal devices; the other is API calls, through which the safety score of a terminal device, and even the specific information of each safety dimension, is obtained by API query.
In addition, the cloud also has some conventional functions, such as terminal device log monitoring, terminal device crash processing and the like.
It should be noted that the cloud determination module, the conventional service module, the storage module and the external interface module of the cloud can be replaced or deleted, and the core function of the whole scheme is not affected. The most core function of the cloud is federated learning, so the cloud framework diagram in the most extreme case can only comprise a federated learning model.
More specifically, a specific process of the method for determining the security state of the terminal device according to the embodiment of the present invention may be as shown in fig. 5.
Step (5-1): in a laboratory environment, an algorithm engineer understands a model through simulated unknown threat data to construct a model algorithm, trains an initial unknown threat judgment model through simulated positive and negative samples, and uses the model for cold start of the unknown threat judgment model of the terminal equipment.
Step (5-2): the unknown threat determination initial model generated in the step (5-1) needs to be deployed to each terminal device before the terminal is actually used online, so that the unknown threat determination model can take effect when the security situation awareness function is used.
Step (5-3): this step enters the processing loop of terminal security situation awareness. While the terminal device is actually running, terminal data is collected at fixed time intervals for threat judgment. Part of the data is used for known threat determination; known threats are common attack means such as rooted phones and hook frameworks. The other part of the data is used for unknown threat determination, where the determination model for unknown threats is initially the model generated in the laboratory in the first step.
Step (5-4): when the appointed time is reached and the current terminal has been selected by the cloud as a participant in the current round of federated learning, the data collected during the day is processed: the training data set takes the known threat judgment result as the label and the full set of collected data as the data. The data is input into the terminal's learning framework to train a local unknown threat model, and the day's data is cleared after training is finished. If the current terminal is not selected by the cloud as a participant in the current round of federated learning, the data stored during the day must be cleared immediately.
Step (5-5): after each terminal participating in federated learning finishes training, it uploads its locally trained model to the cloud, and the cloud waits for the terminals' models to be uploaded. Terminal training may fail, or a terminal may be disconnected from the network and unable to upload. If the number of terminal models obtained by the cloud does not meet a threshold condition, the current round of federated learning fails. If the threshold condition is met, federated learning in the cloud starts, and the federated learning module of the cloud server trains on the models uploaded by the terminals.
Step (5-6): the federated learning module in the cloud is often trained in a separate hardware environment because machine learning may require CPU acceleration. The actual federated learning training module and the control logic are therefore often separated: the control logic inputs the unknown threat models uploaded by the terminals into the federated learning training module, and an optimized unknown threat judgment model is output after learning is completed.
Step (5-7): after the federal learning process of the cloud is finished, the cloud can issue the optimized unknown threat judgment model to all online terminal devices, and after the terminal devices acquire the updated unknown threat judgment model issued by the cloud, the terminal devices replace the original old model with the new model, so that the new model is deployed and used.
Step (5-8): after the new model is deployed, the federated learning module enters a periodic iteration process, and steps (5-3) to (5-7) are executed in a loop every day until the model is stable.
Further, an implementation diagram of federated learning at a terminal device is shown in fig. 6.
On the mobile phone side, the federated learning function is implemented as an SDK, which communicates with the detection module through an API (application program interface). Data generated by data acquisition and terminal threat judgment is stored in a data warehouse established on the terminal; the federated learning SDK reads data from the data warehouse through the API and controls the terminal's training process through a state and process control module. After training of the terminal model is complete, the model is uploaded to the cloud server through a communication module; before transmission, the model is encrypted by an encryption and decryption module to ensure the safety of the model data.
Further, an implementation diagram of federated learning at the server side is shown in fig. 7.
After the federated learning server receives the model data uploaded by the terminal through the cloud's communication module, the model data is decrypted by the encryption and decryption module. Before cloud aggregation, the model verification module verifies whether the terminal's model data is correct. Finally, the federated learning aggregation module performs aggregation training on the terminal devices' models to generate a new unknown threat judgment model.
Therefore, the process flow of the terminal device and the server side is shown in fig. 8 in combination with the above processes.
Step (8-1): judge whether the data in the data warehouse has been updated, and confirm whether the current terminal device meets the condition for starting federated learning.
Step (8-2): if the starting condition is met, the terminal device registers with the server and tells the server that it can currently perform federated learning.
Step (8-3): when the cloud judges that the number of terminal devices joining the current round of federated learning meets the threshold requirement, the cloud (server side) notifies the terminal devices to start the current round of federated learning.
Step (8-4): when the terminal device receives the cloud's instruction to start federated learning, the federated learning module of the terminal device reads the data in the data warehouse and trains on it within the terminal device. After training is finished, the terminal device uploads the unknown threat judgment model trained in the current round to the cloud.
Step (8-5): after starting the federated learning process, the cloud waits for the terminal devices to upload their models. When all terminal devices have uploaded their models, or on timeout, the cloud starts the model aggregation process if the number of models uploaded by the terminal devices meets the minimum requirement for model aggregation; otherwise, if the cloud times out and the number of models received from the terminal devices is not enough to start model aggregation, the current round of federated learning is considered to have failed.
Step (8-6): if aggregation of the cloud model completes successfully, the cloud sends the aggregated model to all terminal devices and notifies them to update and deploy the new unknown threat judgment model. The federated learning process then ends.
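The cloud-side round control of steps (8-3) to (8-6), together with the model verification that precedes aggregation in fig. 7, as an added example that is not the patent's own code. The patent only states that uploaded model data is checked for correctness; the concrete checks (dimension, numeric type, finite values, magnitude bound), the thresholds, the equal-weight averaging and every name below are assumptions, and uploads are taken as already decrypted.

```python
import math
from dataclasses import dataclass


@dataclass
class Upload:
    device_id: str
    params: list
    arrived_at: float  # seconds after the round was started


def verify_update(params, dim, max_abs=50.0):
    """Return None if the upload passes, otherwise the reason for rejecting it."""
    if not isinstance(params, list) or len(params) != dim:
        return "wrong dimension"
    for p in params:
        if isinstance(p, bool) or not isinstance(p, (int, float)):
            return "non-numeric value"
        if not math.isfinite(p):
            return "non-finite value"
        if abs(p) > max_abs:
            return "value out of range"
    return None


def run_round(registered, uploads, dim, min_devices=3, min_models=2, timeout=600.0):
    """One federated learning round as seen by the cloud.

    (8-3) the round starts only if enough devices registered;
    (8-5) uploads are collected until the timeout, and aggregation runs only
          if enough verified models arrived, otherwise the round fails;
    (8-6) the aggregated model is what would be pushed back to the devices.
    """
    registered = set(registered)
    if len(registered) < min_devices:
        return {"status": "not_started", "model": None, "used": [], "rejected": []}
    accepted, rejected, seen = {}, [], set()
    for up in sorted(uploads, key=lambda u: u.arrived_at):
        if up.arrived_at > timeout:
            reason = "arrived after timeout"
        elif up.device_id not in registered:
            reason = "not registered for this round"
        elif up.device_id in seen:
            reason = "duplicate upload"  # one upload per device per round
        else:
            seen.add(up.device_id)
            reason = verify_update(up.params, dim)
        if reason is None:
            accepted[up.device_id] = up.params
        else:
            rejected.append((up.device_id, reason))
    if len(accepted) < min_models:
        return {"status": "failed", "model": None,
                "used": sorted(accepted), "rejected": rejected}
    model = [sum(p[i] for p in accepted.values()) / len(accepted)
             for i in range(dim)]
    return {"status": "aggregated", "model": model,
            "used": sorted(accepted), "rejected": rejected}


# Constructed uploads for one round; device ids and values are illustrative.
REGISTERED = ["a", "b", "c", "d"]
SAMPLE_UPLOADS = [
    Upload("a", [0.25, 1.0, -0.5], 30.0),
    Upload("b", [0.75, 0.5, -0.25], 45.0),
    Upload("c", [0.1, float("nan"), 0.0], 50.0),  # corrupted model data
    Upload("x", [0.3, 0.9, -0.3], 55.0),          # never registered
    Upload("a", [9.0, 9.0, 9.0], 60.0),           # second upload from "a"
    Upload("d", [0.3, 0.9, -0.3], 700.0),         # after the timeout
]

if __name__ == "__main__":
    result = run_round(REGISTERED, SAMPLE_UPLOADS, dim=3)
    print(result["status"], result["model"], result["used"])
    for device_id, reason in result["rejected"]:
        print("rejected", device_id, "-", reason)
```

Logging the rejection reasons per device gives the cloud's conventional log monitoring something concrete to alert on when a device repeatedly uploads malformed models.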
As shown in fig. 9, the present invention provides a security state determination apparatus for a terminal device, including:
an obtaining module 901, configured to obtain state data to be determined of an unknown threat of a target terminal device; the target terminal equipment is any one of a plurality of terminal equipment;
a processing module 902, configured to input the state data to be determined to a first security state determination model of an unknown threat, and obtain a first determination result output by the first security state determination model;
the first safety state judgment model is obtained by performing machine learning training on a plurality of terminal devices and a server side based on labeled data of unknown threats of the plurality of terminal devices; in any round of machine learning training, any terminal device in the multiple terminal devices is used for sending local training parameters of that round of machine learning training to a server, the server is used for fusing the local training parameters of the multiple terminal devices in that round of machine learning training to obtain fused training parameters, and the fused training parameters are sent to the multiple terminal devices, so that the multiple terminal devices update based on the fused training parameters or use them as the model parameters of the first safety state judgment model.
Optionally, the obtaining module 901 obtains tagged data of the unknown threat of the target terminal device according to the following manner:
acquiring label-free data of the unknown threat of the target terminal equipment;
and acquiring the tagged data based on the non-tagged data.
Optionally, the obtaining module 901 is specifically configured to:
inputting the label-free data into at least one second safety state judgment model of a known threat to obtain at least one second judgment result output by the at least one second safety state judgment model;
and determining a label value of the non-label data according to the at least one second judgment result, so as to convert the non-label data into the labeled data.
Optionally, the obtaining module 901 is specifically configured to: based on the label-free data, obtaining first cluster clustering data and second cluster clustering data of the label-free data according to a preset clustering algorithm; the data volume of the first cluster clustering data is smaller than that of the second cluster clustering data;
setting a label value of the first cluster clustering data to a first label value, and setting a label value of the second cluster clustering data to a second label value, thereby converting the non-label data into the labeled data; the first label value indicates that the data is unsafe data, and the second label value indicates that the data is safe data.
Optionally, the obtaining module 901 obtains the first security state judgment model according to the following manner:
in any round of machine learning training, obtaining a second local training parameter of a safety state training model based on the tagged data of the unknown threat and a first local training parameter of the safety state training model; sending the second local training parameter to the server; acquiring a fusion training parameter from the server; the fusion training parameters are obtained by the server side based on local training parameters sent by the plurality of terminal devices;
if the safety state training model does not meet the preset convergence condition, the fusion training parameter is used as the first local training parameter again, and the process returns to the step of obtaining a second local training parameter of the safety state training model based on the tagged data of the unknown threat and the first local training parameter of the safety state training model;
and if the safety state training model meets the preset convergence condition, taking the fusion training parameter as a model parameter of the safety state training model, and taking the safety state training model at the moment as the first safety state judgment model.
Optionally, the obtaining module 901 is further configured to: and sending the first judgment result to the server.
Optionally, the tagged data of the unknown threats of the plurality of terminal devices all have the same data characteristic dimension.
Based on the same inventive concept, embodiments of the present invention further provide a computer device, which includes a program or an instruction, and when the program or the instruction is executed, the method for determining the security state of the terminal device and any optional method provided in the embodiments of the present invention are executed.
Based on the same inventive concept, embodiments of the present invention further provide a computer-readable storage medium, which includes a program or an instruction, and when the program or the instruction is executed, the method for determining the security state of the terminal device and any optional method provided in the embodiments of the present invention are executed.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (10)

1. A method for judging the safety state of terminal equipment is characterized by comprising the following steps:
the target terminal equipment acquires state data to be judged of unknown threats; the target terminal equipment is any one of a plurality of terminal equipment;
the target terminal equipment inputs the state data to be judged to a first safety state judgment model of unknown threat to obtain a first judgment result output by the first safety state judgment model;
the first safety state judgment model is obtained by performing machine learning training on a plurality of terminal devices and a server side based on labeled data of unknown threats of the plurality of terminal devices; in any round of machine learning training, any terminal device in the multiple terminal devices is used for sending local training parameters of that round of machine learning training to a server, the server is used for fusing the local training parameters of the multiple terminal devices in that round of machine learning training to obtain fused training parameters, and the fused training parameters are sent to the multiple terminal devices, so that the multiple terminal devices update based on the fused training parameters or use them as the model parameters of the first safety state judgment model.
2. The method of claim 1, wherein the target terminal device obtains tagged data of the unknown threat of the target terminal device in the following manner:
the target terminal equipment acquires the label-free data of the unknown threat of the target terminal equipment;
and the target terminal equipment acquires the tagged data based on the non-tagged data.
3. The method of claim 2, wherein the target terminal device obtaining the tagged data based on the non-tagged data comprises:
the target terminal device inputs the label-free data into at least one second safety state judgment model of known threats to obtain at least one second judgment result output by the at least one second safety state judgment model;
and the target terminal equipment determines the label value of the non-label data according to the at least one second judgment result, so that the non-label data is converted into the labeled data.
4. The method of claim 2, wherein the target terminal device obtaining the tagged data based on the non-tagged data comprises:
the target terminal equipment obtains first cluster clustering data and second cluster clustering data of the label-free data according to a preset clustering algorithm based on the label-free data; the data volume of the first cluster clustering data is smaller than that of the second cluster clustering data;
the target terminal device sets the label value of the first cluster clustering data as a first label value and sets the label value of the second cluster clustering data as a second label value, so that the label-free data is converted into the labeled data; the first label value indicates that the data is unsafe data, and the second label value indicates that the data is safe data.
5. The method of claim 1, wherein the target terminal device obtains the first security state decision model by:
in any round of machine learning training, the target terminal device obtains a second local training parameter of a safety state training model based on the tagged data of the unknown threat and a first local training parameter of the safety state training model;
the target terminal equipment sends the second local training parameters to the server;
the target terminal equipment obtains a fusion training parameter from the server; the fusion training parameters are obtained by the server side based on local training parameters sent by the plurality of terminal devices;
if the safety state training model does not meet the preset convergence condition, the target terminal device takes the fusion training parameter as the first local training parameter again, and returns to the step in which the target terminal device obtains a second local training parameter of the safety state training model based on the tagged data of the unknown threat and the first local training parameter of the safety state training model;
and if the safety state training model meets the preset convergence condition, the target terminal device takes the fusion training parameter as a model parameter of the safety state training model, and takes the safety state training model at the moment as the first safety state judgment model.
6. The method according to any one of claims 1 to 5, wherein after obtaining the first determination result output by the first safety state determination model, further comprising:
and the target terminal equipment sends the first judgment result to the server side.
7. The method of any of claims 1 to 5, wherein the tagged data of unknown threats for the plurality of terminal devices all have the same data characteristic dimension.
8. A security state judgment device of a terminal device, comprising:
the acquisition module is used for acquiring state data to be judged of unknown threats of the target terminal equipment; the target terminal equipment is any one of a plurality of terminal equipment;
the processing module is used for inputting the state data to be judged to a first safety state judgment model of unknown threat and obtaining a first judgment result output by the first safety state judgment model;
the first safety state judgment model is obtained by performing machine learning training on a plurality of terminal devices and a server side based on labeled data of unknown threats of the plurality of terminal devices; in any round of machine learning training, any terminal device in the multiple terminal devices is used for sending local training parameters of that round of machine learning training to a server, the server is used for fusing the local training parameters of the multiple terminal devices in that round of machine learning training to obtain fused training parameters, and the fused training parameters are sent to the multiple terminal devices, so that the multiple terminal devices update based on the fused training parameters or use them as the model parameters of the first safety state judgment model.
9. A computer device comprising a program or instructions that, when executed, perform the method of any of claims 1 to 7.
10. A computer-readable storage medium comprising a program or instructions which, when executed, perform the method of any of claims 1 to 7.
CN202110053180.XA 2021-01-15 2021-01-15 Method and device for judging safety state of terminal equipment Active CN112800428B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202110053180.XA CN112800428B (en) 2021-01-15 2021-01-15 Method and device for judging safety state of terminal equipment
PCT/CN2021/128867 WO2022151815A1 (en) 2021-01-15 2021-11-05 Method and apparatus for determining security state of terminal device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110053180.XA CN112800428B (en) 2021-01-15 2021-01-15 Method and device for judging safety state of terminal equipment

Publications (2)

Publication Number Publication Date
CN112800428A true CN112800428A (en) 2021-05-14
CN112800428B CN112800428B (en) 2023-08-01

Family

ID=75809522

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110053180.XA Active CN112800428B (en) 2021-01-15 2021-01-15 Method and device for judging safety state of terminal equipment

Country Status (2)

Country Link
CN (1) CN112800428B (en)
WO (1) WO2022151815A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114064359A (en) * 2021-11-12 2022-02-18 广州泳泳信息科技有限公司 Cross-platform multi-machine-room distributed database backup system
WO2022151815A1 (en) * 2021-01-15 2022-07-21 中国银联股份有限公司 Method and apparatus for determining security state of terminal device

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115329985B (en) * 2022-09-07 2023-10-27 北京邮电大学 Unmanned cluster intelligent model training method and device and electronic equipment
CN117811845B (en) * 2024-02-29 2024-05-24 浪潮电子信息产业股份有限公司 Threat detection and model training method, threat detection and model training device, threat detection system, electronic equipment and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111310938A (en) * 2020-02-10 2020-06-19 深圳前海微众银行股份有限公司 Semi-supervision-based horizontal federal learning optimization method, equipment and storage medium
WO2020229684A1 (en) * 2019-05-16 2020-11-19 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. Concepts for federated learning, client classification and training data similarity measurement
CN112070180A (en) * 2020-09-30 2020-12-11 南方电网科学研究院有限责任公司 Power grid equipment state judgment method and device based on information physical bilateral data
CN112203282A (en) * 2020-08-28 2021-01-08 中国科学院信息工程研究所 5G Internet of things intrusion detection method and system based on federal transfer learning
CN112217626A (en) * 2020-08-24 2021-01-12 中国人民解放军战略支援部队信息工程大学 Network threat cooperative defense system and method based on intelligence sharing

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10970402B2 (en) * 2018-10-19 2021-04-06 International Business Machines Corporation Distributed learning preserving model security
CN110113348A (en) * 2019-05-14 2019-08-09 四川长虹电器股份有限公司 A method of Internet of Things threat detection is carried out based on machine learning
CN112800428B (en) * 2021-01-15 2023-08-01 中国银联股份有限公司 Method and device for judging safety state of terminal equipment

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020229684A1 (en) * 2019-05-16 2020-11-19 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. Concepts for federated learning, client classification and training data similarity measurement
CN111310938A (en) * 2020-02-10 2020-06-19 深圳前海微众银行股份有限公司 Semi-supervision-based horizontal federal learning optimization method, equipment and storage medium
CN112217626A (en) * 2020-08-24 2021-01-12 中国人民解放军战略支援部队信息工程大学 Network threat cooperative defense system and method based on intelligence sharing
CN112203282A (en) * 2020-08-28 2021-01-08 中国科学院信息工程研究所 5G Internet of things intrusion detection method and system based on federal transfer learning
CN112070180A (en) * 2020-09-30 2020-12-11 南方电网科学研究院有限责任公司 Power grid equipment state judgment method and device based on information physical bilateral data

Non-Patent Citations (1)

Title
王蓉; 马春光; 武朋: "Intrusion detection method based on federated learning and convolutional neural networks", 信息网络安全, no. 04, pages 47-54 *

Cited By (2)

Publication number Priority date Publication date Assignee Title
WO2022151815A1 (en) * 2021-01-15 2022-07-21 中国银联股份有限公司 Method and apparatus for determining security state of terminal device
CN114064359A (en) * 2021-11-12 2022-02-18 广州泳泳信息科技有限公司 Cross-platform multi-machine-room distributed database backup system

Also Published As

Publication number Publication date
CN112800428B (en) 2023-08-01
WO2022151815A1 (en) 2022-07-21

Similar Documents

Publication Publication Date Title
CN112800428B (en) Method and device for judging safety state of terminal equipment
Mallapuram et al. Smart city: The state of the art, datasets, and evaluation platforms
CN109543992A (en) Intelligent polling method, device, intelligent terminal and server
CN104142661B (en) Trained using the data based on cloud for industrial automation system
CN108304942B (en) Intelligent processing method and system for secondary system abnormity of intelligent substation
CN116416706A (en) Data acquisition method and device
CN104541293A (en) Architecture for client-cloud behavior analyzer
CN115511501A (en) Data processing method, computer equipment and readable storage medium
CN109902373A (en) A kind of area under one's jurisdiction Fault Diagnosis for Substation, localization method and system
CN103441990A (en) Protocol state machine automatic inference method based on state fusion
CN110148066A (en) A kind of intellectual water meter management system and method
WO2014042753A1 (en) Generating and evaluating expert networks
CN112367678A (en) Micro base station monitoring method and device and storage medium
Dokhnyak et al. Intelligent Smart Home System Using Amazon Alexa Tools.
CN117172749A (en) Rail transit inspection maintenance worker management method, device, equipment and storage medium
Mateen et al. Software Quality Assurance in Internet of Things
CN116954565A (en) Smart city message platform publishing method
CN115496180A (en) Training method, generating method and device of network traffic characteristic sequence generating model
CN116595690A (en) Computer network performance evaluation model construction method, system, equipment and medium based on knowledge fusion graph neural network
WO2013034448A1 (en) Method and system for optimizing and streamlining troubleshooting
CN115480843A (en) Service processing method and device, electronic equipment and nonvolatile storage medium
Chren Towards multi-layered reliability analysis in smart grids
CN115080445B (en) Game test management method and system
CN107786528B (en) Application login method and device and communication system
CN110544182A (en) Power distribution communication network fusion control method and system based on machine learning technology

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant