CN112800428B - Method and device for judging safety state of terminal equipment - Google Patents

Publication number: CN112800428B
Authority: CN (China)
Prior art keywords: data; model; terminal equipment; training; target terminal
Legal status: Active
Application number: CN202110053180.XA
Other languages: Chinese (zh)
Other versions: CN112800428A (en)
Inventors: 于文海, 祖立军, 郭伟, 乐旭
Current Assignee: China Unionpay Co Ltd
Original Assignee: China Unionpay Co Ltd
Application filed by China Unionpay Co Ltd
Priority to CN202110053180.XA
Publication of CN112800428A
Priority to PCT/CN2021/128867 (WO2022151815A1)
Application granted
Publication of CN112800428B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention discloses a method and a device for judging the safety state of terminal equipment, wherein the method comprises the following steps: the target terminal equipment acquires state data to be judged of unknown threats; the target terminal equipment inputs the state data to be judged into a first safety state judgment model of unknown threat, and a first judgment result output by the first safety state judgment model is obtained; the first security state judgment model is obtained by machine learning training of a plurality of terminal devices and a server based on labeled data of unknown threats of the plurality of terminal devices.

Description

Method and device for judging safety state of terminal equipment
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a method and an apparatus for determining a security state of a terminal device.
Background
Terminal devices are involved in many application scenarios. For example, the proportion of Chinese mobile payments is gradually increasing, and more terminal devices participate in mobile payments. The state data of a terminal device can reflect its current security state, so the security state of the terminal device can be judged by collecting its state data.
In the current scheme, a known threat to the terminal device can be checked with a corresponding security judgment model; for example, for an attack that tampers with files, whether the terminal device is secure can be judged with a file-change security judgment model. However, detection of unknown threats, where the means of attack is uncertain, is more limited. At present, unknown threat detection for terminal devices is realized through big-data statistical judgment: the state data of the terminal devices is collected and uniformly transmitted to the server, which forms big-data statistics after collecting a large amount of state data and then judges the security state. However, once the server holds the state data of a large number of terminal devices, it is difficult to ensure that this data is not misused. Therefore, how to judge the security state of a terminal device while guaranteeing the privacy of its state data has become a difficult problem.
Disclosure of Invention
The invention provides a method and a device for judging the safety state of terminal equipment, which solve the problem of judging the safety state of the terminal equipment under the condition that the privacy safety of state data of the terminal equipment is ensured in the prior art.
In a first aspect, the present invention provides a method for determining a security state of a terminal device, including:
the target terminal equipment acquires state data to be judged of unknown threats; the target terminal equipment is any one of a plurality of terminal equipment;
the target terminal equipment inputs the state data to be judged into a first safety state judgment model of unknown threat, and a first judgment result output by the first safety state judgment model is obtained;
the first security state judgment model is obtained by the plurality of terminal devices and a server performing machine learning training based on labeled data of unknown threats of the plurality of terminal devices; in any round of machine learning training, any one of the plurality of terminal devices is configured to send its local training parameters for that round to the server, and the server is configured to fuse the local training parameters of the plurality of terminal devices in that round to obtain fused training parameters and send the fused training parameters to the plurality of terminal devices, so that the plurality of terminal devices update based on the fused training parameters or use them as model parameters of the first security state judgment model.
In the above manner, the first security state judgment model is obtained by the plurality of terminal devices and the server performing machine learning training based on labeled data of unknown threats of the plurality of terminal devices. In any round of machine learning training, each terminal device sends only its local training parameters for that round to the server, and the server fuses the local training parameters of the plurality of terminal devices in that round to obtain fused training parameters, on which the plurality of terminal devices base their update. The state data of the terminal devices does not need to be transferred in this process, so the privacy of the state data is not revealed. Because the fused training parameters of each round also take into account the local training parameters of every terminal device, the accuracy of the first security state judgment model is also ensured.
Optionally, the target terminal device obtains tagged data of unknown threats of the target terminal device in the following manner:
the target terminal equipment acquires unlabeled data of unknown threats of the target terminal equipment;
and the target terminal equipment acquires the tagged data based on the untagged data.
In this method, after the unlabeled data of the unknown threat of the target terminal device is obtained, the labeled data is obtained based on it: the unlabeled data is converted into labeled data, and the characteristics of the unlabeled data of the unknown threat are retained.
Optionally, the target terminal device obtains the tagged data based on the untagged data, including:
the target terminal equipment inputs the unlabeled data into at least one second safety state judgment model of known threat, and at least one second judgment result output by the at least one second safety state judgment model is obtained;
and the target terminal equipment determines the label value of the label-free data according to the at least one second judging result, so that the label-free data is converted into the labeled data.
In the method, at least one second judging result is obtained through the at least one second safety state judging model, so that the characteristics of the corresponding known threat can be found, and the labeled data can be obtained more accurately.
Optionally, the target terminal device obtains the tagged data based on the untagged data, including:
the target terminal equipment obtains first clustered data and second clustered data of the unlabeled data according to a preset clustering algorithm based on the unlabeled data; the data volume of the first clustered data is smaller than the data volume of the second clustered data;
the target terminal device sets a tag value of the first clustered data as a first tag value, and sets a tag value of the second clustered data as a second tag value, so that the unlabeled data is converted into the labeled data; the first tag value characterization data is unsafe data and the second tag value characterization data is safe data.
In the above manner, the target terminal device obtains the first clustered data and the second clustered data of the unlabeled data according to a preset clustering algorithm, adaptively distinguishes safe data from unsafe data according to the data volume of each cluster, and labels the safe data and the unsafe data accordingly, thereby providing a method for setting labels automatically.
Optionally, the target terminal device obtains the first security state judgment model in the following manner:
in any round of machine learning training, the target terminal equipment obtains second local training parameters of the security state training model based on the labeled data of the unknown threat and the first local training parameters of the security state training model;
the target terminal equipment sends the second local training parameters to the server;
the target terminal equipment obtains fused training parameters from the server; the fused training parameters are obtained by the server based on the local training parameters sent by the plurality of terminal devices;
if the security state training model does not meet the preset convergence condition, the target terminal equipment takes the fused training parameters as the new first local training parameters and returns to the step in which the target terminal equipment obtains second local training parameters of the security state training model based on the labeled data of the unknown threat and the first local training parameters of the security state training model;
and if the security state training model meets the preset convergence condition, the target terminal equipment takes the fused training parameters as model parameters of the security state training model, and takes the security state training model at that moment as the first security state judgment model.
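The training loop described above, as an added example that is not code from the patent: each device turns its first local parameters into second local parameters, the server fuses them, and rounds repeat until a convergence condition holds. Assumptions not stated on the page: the model is logistic regression, fusion is a sample-count-weighted average, convergence means the fused parameters move by less than `tol` in a round, and the device data is constructed.

```python
import math
import random


def predict(params, x):
    """Probability that state vector x is unsafe; params = weights + [bias]."""
    z = sum(w * v for w, v in zip(params, x)) + params[-1]
    return 1.0 / (1.0 + math.exp(-max(-60.0, min(60.0, z))))


def local_update(first_params, labeled, lr=1.0, epochs=5):
    """Terminal side: first local parameters -> second local parameters.

    Only the returned parameter list leaves the device, never `labeled`.
    """
    params = list(first_params)
    for _ in range(epochs):
        grad = [0.0] * len(params)
        for x, y in labeled:
            err = predict(params, x) - y
            for i, v in enumerate(x):
                grad[i] += err * v
            grad[-1] += err  # bias term
        params = [p - lr * g / len(labeled) for p, g in zip(params, grad)]
    return params


def fuse(updates):
    """Server side: fuse [(params, n_samples), ...] by weighted average (assumed rule)."""
    total = sum(n for _, n in updates)
    dim = len(updates[0][0])
    return [sum(p[i] * n for p, n in updates) / total for i in range(dim)]


def train_federated(devices, dim, max_rounds=200, tol=0.02):
    """Repeat rounds until the fused parameters move less than tol (assumed test)."""
    fused = [0.0] * (dim + 1)
    for rnd in range(1, max_rounds + 1):
        # Every device starts the round from the same fused parameters.
        updates = [(local_update(fused, data), len(data)) for data in devices]
        new_fused = fuse(updates)
        delta = max(abs(a - b) for a, b in zip(new_fused, fused))
        fused = new_fused
        if delta < tol:
            return fused, rnd, True
    return fused, max_rounds, False


def make_device_data(rng, n, unsafe_ratio):
    """Constructed sample data: features are (CPU load, process churn) in [0, 1]."""
    rows = []
    for _ in range(n):
        unsafe = rng.random() < unsafe_ratio
        centre = (0.85, 0.80) if unsafe else (0.25, 0.20)
        x = [min(1.0, max(0.0, rng.gauss(c, 0.08))) for c in centre]
        rows.append((x, 1 if unsafe else 0))
    return rows


def demo_devices(seed=7):
    """Three devices with the same feature dimension but different unsafe ratios."""
    rng = random.Random(seed)
    return [make_device_data(rng, 120, r) for r in (0.1, 0.2, 0.4)]


if __name__ == "__main__":
    params, rounds, converged = train_federated(demo_devices(), dim=2)
    print("rounds:", rounds, "converged:", converged)
    print("busy device  :", round(predict(params, [0.9, 0.85]), 3))
    print("normal device:", round(predict(params, [0.2, 0.2]), 3))
```

The server only ever sees parameter lists and sample counts, which is the privacy property the text relies on; the parameters themselves are still model-derived data and should travel over an authenticated channel.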
Optionally, after the obtaining the first determination result output by the first security state determination model, the method further includes:
and the target terminal equipment sends the first judgment result to the server.
Optionally, the tagged data of the unknown threats of the plurality of terminal devices all have the same data feature dimension.
In a second aspect, the present invention provides a security state determining apparatus for a terminal device, including:
the acquisition module is used for acquiring to-be-judged state data of unknown threats of the target terminal equipment; the target terminal equipment is any one of a plurality of terminal equipment;
the processing module is used for inputting the state data to be judged into a first safety state judgment model of unknown threat to obtain a first judgment result output by the first safety state judgment model;
the first security state judgment model is obtained by the plurality of terminal devices and a server performing machine learning training based on labeled data of unknown threats of the plurality of terminal devices; in any round of machine learning training, any one of the plurality of terminal devices is configured to send its local training parameters for that round to the server, and the server is configured to fuse the local training parameters of the plurality of terminal devices in that round to obtain fused training parameters and send the fused training parameters to the plurality of terminal devices, so that the plurality of terminal devices update based on the fused training parameters or use them as model parameters of the first security state judgment model.
Optionally, the obtaining module obtains tagged data of unknown threats of the target terminal device in the following manner:
acquiring unlabeled data of unknown threats of the target terminal equipment;
and acquiring the tagged data based on the untagged data.
Optionally, the acquiring module is specifically configured to:
inputting the unlabeled data into at least one second security state judgment model of known threat, and obtaining at least one second judgment result output by the at least one second security state judgment model;
and determining a tag value of the non-tag data according to the at least one second judging result, so as to convert the non-tag data into the tagged data.
Optionally, the acquiring module is specifically configured to: based on the unlabeled data, acquiring first clustered data and second clustered data of the unlabeled data according to a preset clustering algorithm; the data volume of the first clustered data is smaller than the data volume of the second clustered data;
setting a tag value of the first clustered data to a first tag value, and setting a tag value of the second clustered data to a second tag value, thereby converting the unlabeled data to the labeled data; the first tag value characterization data is unsafe data and the second tag value characterization data is safe data.
Optionally, the obtaining module obtains the first security state judgment model in the following manner:
in any round of machine learning training, obtaining second local training parameters of the security state training model based on the labeled data of the unknown threat and the first local training parameters of the security state training model; transmitting the second local training parameters to the server; obtaining fused training parameters from the server; the fused training parameters are obtained by the server based on the local training parameters sent by the plurality of terminal devices;
if the security state training model does not meet the preset convergence condition, taking the fused training parameters as the new first local training parameters, and returning to the step of obtaining second local training parameters of the security state training model based on the labeled data of the unknown threat and the first local training parameters of the security state training model;
and if the safety state training model meets the preset convergence condition, taking the fusion training parameters as model parameters of the safety state training model, and taking the safety state training model at the moment as the first safety state judging model.
Optionally, the acquiring module is further configured to: and sending the first judgment result to the server.
Optionally, the tagged data of the unknown threats of the plurality of terminal devices all have the same data feature dimension.
The advantages of the foregoing second aspect and the advantages of the foregoing optional apparatuses of the second aspect may refer to the advantages of the foregoing first aspect and the advantages of the foregoing optional methods of the first aspect, and will not be described herein.
In a third aspect, the present invention provides a computer device comprising a program or instructions which, when executed, is operable to perform the above-described first aspect and the respective alternative methods of the first aspect.
In a fourth aspect, the present invention provides a storage medium comprising a program or instructions which, when executed, is adapted to carry out the above-described first aspect and the respective alternative methods of the first aspect.
These and other aspects of the invention will be more readily apparent from the following description of the embodiments.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, it will be apparent that the drawings in the following description are only some embodiments of the present invention, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic step flow diagram of a method for determining a security state of a terminal device according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a terminal device architecture in a method for determining a security state of a terminal device according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of acquiring the first security state judgment model in the security state judgment method of the terminal device according to the embodiment of the present invention;
Fig. 4 is a schematic diagram of a cloud service architecture in a method for determining a security state of a terminal device according to an embodiment of the present invention;
Fig. 5 is a specific flow diagram corresponding to a method for determining a security state of a terminal device according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of implementing federated learning in a terminal device in a method for determining a security state of the terminal device according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of implementing federated learning at a server in a method for determining a security state of a terminal device according to an embodiment of the present invention;
Fig. 8 is a schematic diagram of a timing sequence step corresponding to a method for determining a security state of a terminal device according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a security state determining device of a terminal device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail below with reference to the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in fig. 1, an embodiment of the present invention provides a method for determining a security state of a terminal device.
Step 101: and the target terminal equipment acquires the state data to be judged of the unknown threat.
The target terminal device is any one of a plurality of terminal devices.
Step 102: and the target terminal equipment inputs the state data to be judged into a first safety state judgment model of unknown threat, and obtains a first judgment result output by the first safety state judgment model.
In steps 101 to 102, for example, the state data to be determined may be CPU state data, process state data, and the like.
The first security state judgment model is obtained by the plurality of terminal devices and a server performing machine learning training based on labeled data of unknown threats of the plurality of terminal devices; in any round of machine learning training, any one of the plurality of terminal devices is configured to send its local training parameters for that round to the server, and the server is configured to fuse the local training parameters of the plurality of terminal devices in that round to obtain fused training parameters and send the fused training parameters to the plurality of terminal devices, so that the plurality of terminal devices update based on the fused training parameters or use them as model parameters of the first security state judgment model.
It should be noted that the labeled data of the unknown threats of the plurality of terminal devices all have the same data feature dimension. In addition, the machine learning method is not limited; for example, horizontal federated learning may be employed.
Obviously, to solve the problem of how private data is used, the method of steps 101 to 102 ensures that the private data of the terminal device is not uploaded to the cloud and is used only on the terminal device during training of the first security state judgment model. The technical framework of steps 101 to 102 therefore ensures that private data is neither leaked nor maliciously used.
In addition, while solving the problem of uploading private data, the machine learning method also provides a way to iterate the terminal device's unknown threat model. Generally, unknown threats are difficult to capture, so data in more dimensions has to be collected. Under the method of steps 101 to 102, data in more dimensions can be collected with the privacy concern resolved. The data is labeled according to the results of the security state judgment models of known threats, so model training can be localized and the terminal-side security state judgment model can be continuously trained and iterated.
It should be noted that in the conventional scheme, detecting an unknown threat requires a large amount of auxiliary data: since the threat is unknown, data in more dimensions is required to assist discovery and detection. However, as privacy protection becomes increasingly important, uploading a large amount of private data to the cloud for use is more and more difficult to accept. In the method of steps 101 to 102, the problem of training a security state judgment model on the terminal is therefore solved by introducing the machine learning method, assisted by data labeling with the security state judgment models of known threats, so that the judgment of the security state of the terminal device is more complete.
In an alternative embodiment, the target terminal device obtains tagged data of unknown threats of the target terminal device in the following manner:
step (1): the target terminal device obtains unlabeled data of unknown threats of the target terminal device.
Step (2): and the target terminal equipment acquires the tagged data based on the untagged data.
It should be noted that, in step (2), the label may be added to the unlabeled data in different manners, so as to obtain the labeled data.
In an alternative embodiment, the step (2) may specifically be:
the target terminal equipment inputs the unlabeled data into at least one second safety state judgment model of known threat, and at least one second judgment result output by the at least one second safety state judgment model is obtained;
and the target terminal equipment determines the label value of the label-free data according to the at least one second judging result, so that the label-free data is converted into the labeled data.
For example, the at least one second security state judgment model is 3 second security state judgment models: one for detecting threats in aspect A, one for detecting threats in aspect B, and one for detecting threats in aspect C.
Then, for the state data to be judged of the unknown threat, threats in aspect A, aspect B and aspect C may all be present, so comprehensive detection can locate whether the unknown threat involves a threat in the corresponding aspect.
In another alternative embodiment, the step (2) may specifically be:
The target terminal equipment obtains first clustered data and second clustered data of the unlabeled data according to a preset clustering algorithm based on the unlabeled data; the target terminal device sets a tag value of the first clustered data to a first tag value and sets a tag value of the second clustered data to a second tag value, so that the unlabeled data is converted into the labeled data.
The data volume of the first clustered data is smaller than the data volume of the second clustered data; the first tag value characterization data is unsafe data and the second tag value characterization data is safe data.
For example, the unlabeled data includes 1,000,000 pieces of data; after clustering, second clustered data containing 950,000 pieces and first clustered data containing 40,000 pieces are obtained, and 10,000 pieces are isolated points. Then, based on the principle that the more numerous data is normal and the less numerous data is abnormal, the second clustered data is determined to be safe data and its tag value is set to the second tag value, and the first clustered data is determined to be unsafe data and its tag value is set to the first tag value.
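The cluster-size labeling rule above, as an added example that is not code from the patent. Assumptions: the "preset clustering algorithm" is taken to be DBSCAN because it yields isolated points; the numeric tag values, `eps`, `min_pts` and the leaving of isolated points unlabeled are choices made here; the sample points are constructed in the 95 : 4 : 1 proportion of the text.

```python
from collections import Counter

SAFE, UNSAFE = 0, 1   # second / first tag value (numeric values assumed)
NOISE = -1            # DBSCAN marker for isolated points


def dbscan(points, eps, min_pts):
    """Minimal DBSCAN: returns one cluster id per point, NOISE for isolated points."""
    n = len(points)

    def neighbours(i):
        return [j for j in range(n)
                if sum((a - b) ** 2 for a, b in zip(points[i], points[j])) <= eps * eps]

    ids = [None] * n
    cluster = 0
    for i in range(n):
        if ids[i] is not None:
            continue
        seeds = neighbours(i)
        if len(seeds) < min_pts:
            ids[i] = NOISE
            continue
        ids[i] = cluster
        queue = [j for j in seeds if j != i]
        while queue:
            j = queue.pop()
            if ids[j] == NOISE:
                ids[j] = cluster      # border point: joins the cluster, not expanded
            if ids[j] is not None:
                continue
            ids[j] = cluster
            nb = neighbours(j)
            if len(nb) >= min_pts:    # core point: keep expanding
                queue.extend(nb)
        cluster += 1
    return ids


def label_by_cluster_size(points, eps=0.05, min_pts=3):
    """Tag the larger cluster SAFE, the smaller UNSAFE, isolated points None."""
    ids = dbscan(points, eps, min_pts)
    sizes = Counter(c for c in ids if c != NOISE)
    if len(sizes) != 2:
        raise ValueError(f"expected exactly 2 clusters, got {len(sizes)}")
    (big, n_big), (small, n_small) = sizes.most_common(2)
    if n_big == n_small:
        raise ValueError("clusters are the same size; the rule cannot decide")
    tag = {big: SAFE, small: UNSAFE}
    return [(p, tag.get(c)) for p, c in zip(points, ids)]


def constructed_points():
    """Constructed sample: 95 normal, 4 abnormal, 1 isolated (CPU load, process churn)."""
    normal = [(0.20 + 0.01 * (i % 10), 0.20 + 0.01 * (i // 10)) for i in range(95)]
    abnormal = [(0.90, 0.90), (0.91, 0.90), (0.90, 0.91), (0.91, 0.91)]
    isolated = [(0.60, 0.10)]
    return normal + abnormal + isolated


if __name__ == "__main__":
    labeled = label_by_cluster_size(constructed_points())
    print(Counter(tag for _, tag in labeled))
```

The rule fails open when an attack affects most samples on a device, since the majority cluster is tagged safe by construction; the size check above only catches the tie case.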
It should be noted that, after step 102, the following steps may also be performed:
and the target terminal equipment sends the first judgment result to the server.
It should be noted that, when the target terminal device is an intelligent payment device, its structure is shown in fig. 2.
Fig. 2 is a system frame diagram of a terminal device, and on the system of the terminal device, core functions mainly include four parts of data acquisition, model judgment, model learning and data uploading. The method comprises the following steps:
Data acquisition: the data acquisition module is mainly responsible for acquiring data information of the terminal equipment, including known threat data and unknown threat data. Known threat data includes, for example, root detection, hook framework detection, emulator environment detection, and the like. Unknown threat data is data related to the running system; this data cannot by itself definitively establish that the system is in a malicious state, but it changes when the system is attacked. The unknown threat data reflects the security state of the current terminal device more from the perspective of system state changes. Examples are CPU state data, memory state data, process state data, etc.
Model judgment: the model judgment module mainly uses the data acquired by the data acquisition module to judge the security state. It includes a known threat judgment model (i.e., a second security state judgment model) and an unknown threat judgment model (i.e., the first security state judgment model). Because the unknown threat judgment model is trained by machine learning, it can also be cold-started: as shown in fig. 2, the initial model is built from simulated data in a laboratory environment.
In the case of federated learning, the cold start mode is shown in fig. 3.
FIG. 3 depicts the process of training an initial model in a laboratory environment. First, training data needs to be simulated for an actual security scenario, including normal behavior data and abnormal behavior data. The normal behavior data describes under which states and data values the terminal device can be considered secure; the abnormal behavior data, in contrast, describes under which terminal equipment data values the terminal is unsafe.
Further, the algorithm engineer creates an algorithm model based on an understanding of the data, inputs the simulated data into the algorithm model, adjusts the model according to the result, and finally obtains an initial unknown threat judgment model that conforms to the simulated data. This model is used for cold start of the terminal equipment.
Model learning: another core module in the terminal device is the model learning module. This module is responsible for the terminal equipment part of federated learning. One link of federated learning is the iteration of the model, and model training on the terminal equipment in this iteration link provides model data for learning at the back end. However, if federated learning is used, the specific machine learning algorithm must be a supervised learning algorithm: data and corresponding labels must be provided at model training.
In the scheme of the embodiment of the invention, the data module collects a large amount of data as data input of unknown threats, and the data can be divided into several dimensions, such as: environmental security data (WIFI address information, base station information, IP address information), hardware security data (debug port usage, CPU usage status, memory usage status, etc.), traffic security data (egress traffic data, ingress traffic data) and software security data (system process status, software traffic data, etc.).
One way of tagging is to tag the unknown threat data by the output of a known threat module, which is a score, and this way is relatively simple and intuitive and can directly train the unknown threat data.
Yet another way of tagging requires the continued discovery and operation of unknown threats, which is relatively complex. Firstly, unsupervised clustering is carried out on unknown threat data of terminal equipment, so that problems reflected by the data can be distinguished, and then the problems are classified or manually scored through safe operation. After grading and manual scoring are completed, the grading and manual scoring are provided for terminal equipment for reasoning and labeling. The above process can be done in a laboratory environment first because the data is private to the terminal device.
The two labeling modes of the unknown threats are characterized by short-term effect and continuous optimization in long-term operation. Can be used in combination with each other according to actual conditions.
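The two labeling modes described above, as an added Python example (not code from the patent). The feature names, the two known-threat scoring functions, the 0.5 threshold and the plain 2-means routine are assumptions, and all samples are constructed; the rule that the smaller cluster is the unsafe one is the rule the patent states for its clustering embodiment.

```python
"""Two ways to turn unlabeled terminal telemetry into training labels."""
from math import dist

UNSAFE, SAFE = 1, 0

# Constructed samples: (cpu_usage_pct, egress_kb_per_min, debug_port_open)
SAMPLES = [
    (12.0, 40.0, 0.0), (15.0, 55.0, 0.0), (10.0, 35.0, 0.0),
    (18.0, 60.0, 0.0), (14.0, 48.0, 0.0), (11.0, 42.0, 0.0),
    (91.0, 900.0, 1.0), (88.0, 950.0, 1.0),
]


# Hypothetical known-threat models: each returns a score in [0, 1].
def debug_port_score(sample):
    return 1.0 if sample[2] else 0.0


def egress_score(sample):
    return min(sample[1] / 1000.0, 1.0)


KNOWN_MODELS = [debug_port_score, egress_score]


def label_by_known_threat(samples, known_models, threshold=0.5):
    """Mode 1: the highest known-threat score decides the label (assumed rule)."""
    return [UNSAFE if max(m(s) for m in known_models) >= threshold else SAFE
            for s in samples]


def scale(samples):
    """Min-max scale each feature to [0, 1] so no unit dominates the distance."""
    cols = list(zip(*samples))
    lo = [min(c) for c in cols]
    span = [(max(c) - min(c)) or 1.0 for c in cols]
    return [tuple((v - l) / s for v, l, s in zip(row, lo, span))
            for row in samples]


def two_means(points, max_iter=20):
    """Plain 2-means, seeded deterministically with the two farthest points."""
    centroids = list(max(((p, q) for p in points for q in points),
                         key=lambda pair: dist(*pair)))
    assign = None
    for _ in range(max_iter):
        new = [0 if dist(p, centroids[0]) <= dist(p, centroids[1]) else 1
               for p in points]
        if new == assign:          # assignments stable: clustering is done
            break
        assign = new
        for k in (0, 1):
            members = [p for p, c in zip(points, assign) if c == k]
            if members:
                centroids[k] = tuple(sum(col) / len(members)
                                     for col in zip(*members))
    return assign


def label_by_cluster_size(samples):
    """Mode 2: the smaller of the two clusters is labeled unsafe."""
    assign = two_means(scale(samples))
    minority = 0 if assign.count(0) < assign.count(1) else 1
    return [UNSAFE if c == minority else SAFE for c in assign]


if __name__ == "__main__":
    print("known-threat labels:", label_by_known_threat(SAMPLES, KNOWN_MODELS))
    print("cluster-size labels:", label_by_cluster_size(SAMPLES))
```

If every sample falls into one cluster, nothing is labeled unsafe, so the clustering mode depends on abnormal behavior being both present and rare in the collected data.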
Uploading data: the data uploading module mainly uploads the unknown threat judgment model trained by the terminal device to the cloud. In addition, the terminal device also has some non-private or privacy-removed data that requires auxiliary judgment by the cloud. Put simply, the data uploading module is a communication module for exchanging data between the terminal device and the cloud.
In an alternative embodiment, the target terminal device obtains the first security state judgment model in the following manner:
In any round of machine learning training, the following steps are performed:
Step (a): The target terminal device obtains second local training parameters of the safety state training model based on the labeled data of the unknown threat and the first local training parameters of the safety state training model.
Step (b): The target terminal device sends the second local training parameters to the server.
Step (c): The target terminal device obtains the fusion training parameters from the server.
The fusion training parameters are obtained by the server based on the local training parameters sent by the plurality of terminal devices.
Step (d): If the safety state training model does not meet a preset convergence condition, the target terminal device takes the fusion training parameters as the new first local training parameters and returns to step (a).
Step (e): If the safety state training model meets the preset convergence condition, the target terminal device takes the fusion training parameters as the model parameters of the safety state training model, and takes the safety state training model at that moment as the first security state judgment model.
This is the training and learning process inside the terminal device.
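Steps (a) to (e) above, simulated in a single process as an added Python example (not code from the patent). The logistic-regression model, the sample-weighted averaging used as the fusion rule, the parameter-change convergence test and the terminal names are assumptions; the labeled samples are constructed.

```python
"""Steps (a)-(e) in one process: three terminals and one fusing server."""
import math


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def predict(params, x):
    """Probability that feature vector x is unsafe; params = [w_1..w_n, bias]."""
    return sigmoid(sum(w * v for w, v in zip(params, x)) + params[-1])


def local_train(first_params, labeled, lr=0.5, epochs=5):
    """Step (a): gradient descent on the terminal's own labeled data only."""
    params = list(first_params)
    for _ in range(epochs):
        grad = [0.0] * len(params)
        for x, y in labeled:
            err = predict(params, x) - y
            for i, v in enumerate(x):
                grad[i] += err * v
            grad[-1] += err
        params = [p - lr * g / len(labeled) for p, g in zip(params, grad)]
    return params                      # the second local training parameters


def fuse(uploads):
    """Server: sample-weighted mean of uploaded parameters (assumed rule)."""
    total = sum(n for _, n in uploads)
    dim = len(uploads[0][0])
    return [sum(p[i] * n for p, n in uploads) / total for i in range(dim)]


def federated_training(terminals, dim, tol=0.1, max_rounds=50):
    """Run rounds until the fused parameters stop moving (assumed condition).

    Returns (model_parameters, rounds_run, converged).
    """
    fused = [0.0] * (dim + 1)          # stand-in for the lab-trained cold-start model
    for round_no in range(1, max_rounds + 1):
        first = fused                  # step (d): fused becomes first local params
        # Steps (a) and (b): only parameters and a sample count leave a
        # terminal; the raw telemetry in `data` never does.
        uploads = [(local_train(first, data), len(data))
                   for data in terminals.values()]
        fused = fuse(uploads)          # step (c): terminals receive the fusion
        if max(abs(a - b) for a, b in zip(fused, first)) < tol:
            return fused, round_no, True       # step (e): model is final
    return fused, max_rounds, False


# Constructed labeled data per terminal: ((cpu_load, egress_rate), label),
# features already scaled to [0, 1]; label 1 = unsafe, 0 = safe.
TERMINALS = {
    "pos-01": [((0.10, 0.05), 0), ((0.15, 0.10), 0),
               ((0.90, 0.95), 1), ((0.85, 0.80), 1)],
    "pos-02": [((0.20, 0.10), 0), ((0.05, 0.15), 0),
               ((0.95, 0.85), 1), ((0.80, 0.90), 1)],
    "pos-03": [((0.12, 0.18), 0), ((0.08, 0.02), 0),
               ((0.88, 0.92), 1), ((0.92, 0.78), 1)],
}

if __name__ == "__main__":
    model, rounds, converged = federated_training(TERMINALS, dim=2)
    print("rounds:", rounds, "converged:", converged)
    print("P(unsafe | quiet device):", round(predict(model, (0.1, 0.1)), 3))
    print("P(unsafe | noisy device):", round(predict(model, (0.9, 0.9)), 3))
```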
On the other hand, the cloud service framework also has matching functional modules; taking federated learning as an example, it is shown in Fig. 4.
Fig. 4 is a framework diagram of the cloud service. It comprises several core functional modules: a cloud threat judgment module, a federated learning module, a data storage module and an external interface module.
Cloud threat judgment module: although a large amount of data is judged and trained on at the terminal device, a small portion of the data cannot be fully judged by the terminal devices themselves, such as public network IP data. For some devices, such as intelligent automated containers, movement of the device itself is a very serious security problem. Therefore, the cloud needs to monitor whether the public network IP information of the terminal device has changed. As described above, although in the present solution a large amount of data is judged and trained on in the terminal device through federated learning for privacy protection reasons, there is still a small amount of data that must be judged in the cloud. Therefore, for the completeness of the scheme, the cloud must have a cloud threat judgment module; that is, the cloud threat judgment module is configured to judge data other than the state data of the terminal device, such as network data of the terminal device.
Federated learning module: the main function of the federated learning module of the terminal device is to take the data of the terminal device as input and to output a judgment model for that data. The federated learning module in the cloud trains on the models uploaded by the terminal devices: its input is the models uploaded by the terminal devices and its output is the new model trained on these input models. The cloud federated learning module controls the whole federated learning process. Training of the federated learning model on the terminal device is not performed in real time, first because the amount of real-time training data is small and cannot give a good effect, and second because model training consumes considerable system resources. It is common to choose late night to train on the data set accumulated over one day. The frequency of the federated learning process in steps 101 to 102 is once a day. Before each federated learning process starts, the terminal device needs to negotiate with the cloud to confirm whether the current terminal device joins this round of federated learning. The cloud can screen according to certain conditions and select a sufficient number of terminal devices to participate in the federated learning process.
Data storage module: the data, models, logs and cloud judgment results of the terminal devices are stored in the database in a unified, structured form; for convenient use, a copy of the hot data can be kept in Redis so that other modules can access it easily. The data storage module provides the relevant data to the external interface module.
External interface module: the main function of this module is to provide services to the service consumer, for example when the service user queries the security score of a terminal device and obtains the detailed information of each security dimension. The module provides data externally in two modes: one is a page that directly displays the states of all terminal devices; the other is an API call, through which the security score of a terminal device, and even the specific information of each security dimension, is obtained by query.
In addition, the cloud has some conventional functions, such as log monitoring of terminal devices and crash handling for terminal devices.
It should be noted that the cloud judgment module, the conventional service module, the storage module and the external interface module of the cloud can be replaced or removed without affecting the core function of the whole scheme. The most central function of the cloud is federated learning, so in the most extreme case the cloud framework diagram may comprise only a federated learning model.
More specifically, a specific process of the method for determining the security state of the terminal device provided by the embodiment of the present invention may be as shown in Fig. 5.
Step (5-1): in a laboratory environment, an algorithm engineer constructs a model algorithm based on an understanding of simulated unknown threat data and trains an initial unknown threat judgment model with simulated positive and negative samples; this model is used for the cold start of the unknown threat judgment model on the terminal device.
Step (5-2): the initial unknown threat judgment model generated in step (5-1) must be deployed to each terminal device before the terminal actually goes online, so that the unknown threat judgment model can take effect when the security situation awareness function is used.
Step (5-3): this step enters the cyclic processing of terminal security situation awareness. When the terminal device is actually running, terminal data are collected at fixed time intervals for threat judgment. A portion of the data is used for known threat judgment; known threats are common attack means such as rooted mobile phones and hook frameworks. Another portion of the data is subjected to unknown threat judgment, where the unknown threat judgment model is initially the laboratory-generated model from the first step.
Step (5-4): when the appointed time is reached and the current terminal has been selected by the cloud as a participant in this round of federated learning, the data collected that day are processed: the training data set takes the known threat judgment results as labels and the collected data set as data. The data are input into the terminal's learning framework to train the local unknown threat model, and the day's data are cleared after training finishes. If the current terminal is not selected by the cloud as a participating terminal in the current round of federated learning, the data stored that day must be cleared immediately.
Step (5-5): after each terminal participating in federated learning completes training, it uploads its locally trained model to the cloud, and the cloud must wait for the terminals' model uploads. Some terminals may fail to train, or may be unable to upload because their network is disconnected. If the number of terminal models obtained by the cloud does not meet a threshold condition, this round of federated learning fails. If the threshold condition is met, federated learning in the cloud starts, and the federated learning module of the cloud server trains on the models uploaded by the terminals.
Step (5-6): the federated learning module in the cloud tends to train in a separate hardware environment, as machine learning may require acceleration of the CPU. The actual federated learning training module and the control logic are often separated: the control logic inputs the unknown threat models uploaded by the terminals into the federated learning training module, and an optimized unknown threat judgment model is output after learning is completed.
Step (5-7): after the federated learning process in the cloud is completed, the cloud sends the optimized unknown threat judgment model to all online terminal devices. After a terminal device obtains the updated unknown threat judgment model sent by the cloud, the new model replaces the old one, completing the deployment and use of the new model.
Step (5-8): after the new model is deployed, the federated learning module enters a periodic iteration process, and steps (5-3) to (5-7) are executed cyclically every day until the model stabilizes.
Further, a schematic diagram of the implementation of federated learning at the terminal device is shown in Fig. 6.
On the mobile phone side, federated learning is implemented in the form of an SDK that communicates with the detection module through an API. Data generated by data acquisition and terminal threat judgment can be stored in a data warehouse established on the terminal; the federated learning SDK takes data from the data warehouse through the API, and the state and flow control module controls the terminal's training flow. After training of the terminal model is completed, the model is uploaded to the cloud server through the communication module; before transmission, the model must be encrypted by the encryption and decryption module to ensure the security of the model data.
Further, a schematic diagram of the implementation of federated learning at the server side is shown in Fig. 7.
After the federated learning server receives the model data uploaded by a terminal through the cloud's communication module, the model data are decrypted by the encryption and decryption module; before cloud aggregation, the model verification module must verify whether the terminal's model data are correct. Finally, the federated learning aggregation module performs aggregation training on the models of the terminal devices to generate a new unknown threat judgment model.
In summary, the combined step flow of the terminal device and the server is shown in Fig. 8.
Step (8-1): judge whether the data in the data warehouse has been updated, and confirm whether the current terminal device meets the condition for starting federated learning.
Step (8-2): if the starting condition is met, the terminal device registers with the server, informing the server that the current terminal device can perform federated learning.
Step (8-3): when the cloud judges that the number of terminal devices that have joined this round of federated learning meets the threshold requirement, the cloud (server side) notifies the terminal devices to start this round of the federated learning process.
Step (8-4): when the terminal device receives the cloud's instruction to start the federated learning flow, the federated learning module of the terminal device reads the data in the data warehouse and trains on the terminal device. After training is completed, the terminal device uploads the unknown threat judgment model trained in this round to the cloud.
Step (8-5): after the federated learning process starts, the cloud waits for the terminal devices' model uploads. Once all terminal devices have uploaded their models or the wait has timed out, if the number of models uploaded by the terminal devices meets the minimum requirement for model aggregation, the cloud starts the model aggregation process; otherwise, if the cloud's wait times out and the number of models the cloud has received from the terminal devices is insufficient to start model aggregation, this round of federated learning is considered to have failed.
Step (8-6): if cloud model aggregation finishes successfully, the cloud sends the aggregated model to all terminal devices and notifies them to update and deploy the new unknown threat judgment model. The federated learning process ends.
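The server-side branch of steps (8-2) to (8-6), as an added Python example (not code from the patent). The patent does not say what the model verification module checks, so the dimension, finiteness, range and registration checks here are assumptions, as are the thresholds and device names; a timeout is modelled simply as a missing upload, and the uploads are constructed.

```python
"""Server-side control for one federated round, steps (8-2) to (8-6)."""
import math


def verify_upload(params, n_samples, expected_dim, max_abs=100.0):
    """Return None if the upload may be aggregated, else the rejection reason."""
    if len(params) != expected_dim:
        return "dimension mismatch"
    if not all(isinstance(v, (int, float)) and math.isfinite(v) for v in params):
        return "non-finite parameter"
    if max(abs(v) for v in params) > max_abs:
        return "parameter out of range"
    if not isinstance(n_samples, int) or n_samples <= 0:
        return "invalid sample count"
    return None


def run_round(registered, uploads, expected_dim, min_registered, min_models):
    """Decide the outcome of one round.

    registered: ids of terminals that registered for the round, step (8-2).
    uploads:    {device_id: (params, n_samples)} that arrived before the
                timeout; a terminal that timed out is simply absent.
    """
    if len(registered) < min_registered:                 # step (8-3) not met
        return {"status": "not_started", "rejected": {}, "fused": None}

    accepted, rejected = {}, {}
    for device_id, (params, n_samples) in uploads.items():
        if device_id not in registered:
            rejected[device_id] = "not registered for this round"
            continue
        reason = verify_upload(params, n_samples, expected_dim)
        if reason:
            rejected[device_id] = reason
        else:
            accepted[device_id] = (params, n_samples)

    if len(accepted) < min_models:                       # step (8-5), failure
        return {"status": "failed", "rejected": rejected, "fused": None}

    total = sum(n for _, n in accepted.values())
    fused = [sum(p[i] * n for p, n in accepted.values()) / total
             for i in range(expected_dim)]
    # Step (8-6): `fused` is what would be sent back to every terminal.
    return {"status": "aggregated", "rejected": rejected, "fused": fused}


# Constructed round: t4 registered but timed out, t3 sent a corrupted model,
# t9 uploaded without having registered.
REGISTERED = {"t1", "t2", "t3", "t4"}
UPLOADS = {
    "t1": ([1.0, 2.0, -1.0], 100),
    "t2": ([3.0, 0.0, -3.0], 300),
    "t3": ([float("nan"), 1.0, 0.0], 50),
    "t9": ([1.0, 1.0, 1.0], 10),
}

if __name__ == "__main__":
    print(run_round(REGISTERED, UPLOADS, 3, min_registered=3, min_models=2))
```

Counting only verified uploads toward the aggregation minimum means a round with too many rejected models fails instead of producing a model from a handful of terminals.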
As shown in fig. 9, the present invention provides a security state judging device of a terminal device, including:
an obtaining module 901, configured to obtain to-be-judged status data of an unknown threat of a target terminal device; the target terminal equipment is any one of a plurality of terminal equipment;
the processing module 902 is configured to input the state data to be determined to a first security state determination model of an unknown threat, and obtain a first determination result output by the first security state determination model;
the first security state judgment model is obtained by a server performing machine learning training based on labeled data of unknown threats of a plurality of terminal devices; in any round of machine learning training, any one of the plurality of terminal devices is configured to send its local training parameters of that round of machine learning training to the server, and the server is configured to fuse the local training parameters of the plurality of terminal devices in that round of machine learning training to obtain fused training parameters and to send the fused training parameters to the plurality of terminal devices, so that the plurality of terminal devices update the model parameters of the first security state judgment model based on the fused training parameters or use the fused training parameters as those model parameters.
Optionally, the obtaining module 901 obtains tagged data of an unknown threat of the target terminal device in the following manner:
acquiring unlabeled data of unknown threats of the target terminal equipment;
and acquiring the tagged data based on the untagged data.
Optionally, the acquiring module 901 is specifically configured to:
inputting the unlabeled data into at least one second security state judgment model of known threat, and obtaining at least one second judgment result output by the at least one second security state judgment model;
and determining a tag value of the non-tag data according to the at least one second judging result, so as to convert the non-tag data into the tagged data.
Optionally, the acquiring module 901 is specifically configured to: based on the unlabeled data, acquiring first clustered data and second clustered data of the unlabeled data according to a preset clustering algorithm; the data volume of the first clustered data is smaller than the data volume of the second clustered data;
setting a tag value of the first clustered data to a first tag value, and setting a tag value of the second clustered data to a second tag value, thereby converting the unlabeled data to the labeled data; the first tag value characterization data is unsafe data and the second tag value characterization data is safe data.
Optionally, the obtaining module 901 obtains the first security state judgment model in the following manner:
in any round of machine learning training, obtaining second local training parameters of the safety state training model based on the labeled data of the unknown threat and the first local training parameters of the safety state training model; transmitting the second local training parameters to the server; obtaining fusion training parameters from the server; the fusion training parameters are obtained by the server based on the local training parameters sent by the plurality of terminal devices;
if the safety state training model does not meet the preset convergence condition, taking the fusion training parameters as the new first local training parameters, and returning to the step of obtaining second local training parameters of the safety state training model based on the labeled data of the unknown threat and the first local training parameters of the safety state training model;
and if the safety state training model meets the preset convergence condition, taking the fusion training parameters as model parameters of the safety state training model, and taking the safety state training model at that moment as the first security state judgment model.
Optionally, the acquiring module 901 is further configured to: and sending the first judgment result to the server.
Optionally, the tagged data of the unknown threats of the plurality of terminal devices all have the same data feature dimension.
Based on the same inventive concept, the embodiment of the present invention also provides a computer device, including a program or an instruction, when the program or the instruction is executed, the security state determining method of the terminal device and any optional method provided in the embodiment of the present invention are executed.
Based on the same inventive concept, the embodiments of the present invention also provide a computer readable storage medium including a program or an instruction, when the program or the instruction is executed, the security state determining method of the terminal device and any optional method provided in the embodiments of the present invention are executed.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (9)

1. A security state judging method of a terminal device, comprising:
the target terminal equipment acquires state data to be judged of unknown threats; the target terminal equipment is any one of a plurality of terminal equipment;
the target terminal equipment inputs the state data to be judged into a first safety state judgment model of unknown threat in the target terminal equipment, and a first judgment result output by the first safety state judgment model is obtained;
the first security state judgment model is obtained by a server performing machine learning training based on labeled data of unknown threats of a plurality of terminal devices; in any round of machine learning training, any one of the plurality of terminal devices is used for sending local training parameters of that round of machine learning training to the server, and the server is used for fusing the local training parameters of the plurality of terminal devices in that round of machine learning training to obtain fused training parameters and sending the fused training parameters to the plurality of terminal devices, so that the plurality of terminal devices update the model parameters of the first safety state judgment model based on the fused training parameters or use the fused training parameters as those model parameters;
The target terminal device obtains tagged data of unknown threats of the target terminal device in the following manner:
the target terminal equipment acquires unlabeled data of unknown threats of the target terminal equipment;
and the target terminal equipment acquires the tagged data based on the untagged data.
2. The method of claim 1, wherein the target terminal device obtaining the tagged data based on the untagged data comprises:
the target terminal equipment inputs the unlabeled data into at least one second safety state judgment model of known threat, and at least one second judgment result output by the at least one second safety state judgment model is obtained;
and the target terminal equipment determines the label value of the label-free data according to the at least one second judging result, so that the label-free data is converted into the labeled data.
3. The method of claim 1, wherein the target terminal device obtaining the tagged data based on the untagged data comprises:
the target terminal equipment obtains first clustered data and second clustered data of the label-free data according to a preset clustering algorithm based on the label-free data; the data volume of the first clustered data is smaller than the data volume of the second clustered data;
The target terminal device sets a tag value of the first clustered data as a first tag value, and sets a tag value of the second clustered data as a second tag value, so that the unlabeled data is converted into the labeled data; the first tag value characterization data is unsafe data and the second tag value characterization data is safe data.
4. The method of claim 1, wherein the target terminal device obtains the first security state judgment model in the following manner:
in any round of machine learning training, the target terminal equipment obtains second local training parameters of the safety state training model based on the labeled data of the unknown threat and the first local training parameters of the safety state training model;
the target terminal equipment sends the second local training parameters to the server;
the target terminal equipment obtains fusion training parameters from the server; the fusion training parameters are obtained by the server based on the local training parameters sent by the plurality of terminal devices;
if the safety state training model does not meet the preset convergence condition, the target terminal equipment takes the fusion training parameters as the new first local training parameters, and returns to the step in which the target terminal equipment obtains second local training parameters of the safety state training model based on the tagged data of the unknown threat and the first local training parameters of the safety state training model;
And if the safety state training model meets the preset convergence condition, the target terminal equipment takes the fusion training parameters as model parameters of the safety state training model, and takes the safety state training model at the moment as the first safety state judging model.
5. The method according to any one of claims 1 to 4, further comprising, after the obtaining the first determination result output by the first security state determination model:
and the target terminal equipment sends the first judgment result to the server.
6. The method of any of claims 1 to 4, wherein the tagged data of unknown threats of the plurality of terminal devices all have the same data feature dimension.
7. A security state judgment apparatus of a terminal device, comprising:
the acquisition module is used for acquiring to-be-judged state data of unknown threats of the target terminal equipment; the target terminal equipment is any one of a plurality of terminal equipment;
the processing module is used for inputting the state data to be judged into a first safety state judgment model of unknown threat in the target terminal equipment to obtain a first judgment result output by the first safety state judgment model;
the first security state judgment model is obtained by a server performing machine learning training based on labeled data of unknown threats of a plurality of terminal devices; in any round of machine learning training, any one of the plurality of terminal devices is used for sending local training parameters of that round of machine learning training to the server, and the server is used for fusing the local training parameters of the plurality of terminal devices in that round of machine learning training to obtain fused training parameters and sending the fused training parameters to the plurality of terminal devices, so that the plurality of terminal devices update the model parameters of the first safety state judgment model based on the fused training parameters or use the fused training parameters as those model parameters;
the acquisition module acquires tagged data of unknown threats of the target terminal device in the following manner:
acquiring unlabeled data of unknown threats of the target terminal equipment;
and acquiring the tagged data based on the untagged data.
8. A computer device comprising a program or instructions which, when executed, performs the method of any of claims 1 to 6.
9. A computer readable storage medium comprising a program or instructions which, when executed, performs the method of any of claims 1 to 6.
CN202110053180.XA 2021-01-15 2021-01-15 Method and device for judging safety state of terminal equipment Active CN112800428B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202110053180.XA CN112800428B (en) 2021-01-15 2021-01-15 Method and device for judging safety state of terminal equipment
PCT/CN2021/128867 WO2022151815A1 (en) 2021-01-15 2021-11-05 Method and apparatus for determining security state of terminal device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110053180.XA CN112800428B (en) 2021-01-15 2021-01-15 Method and device for judging safety state of terminal equipment

Publications (2)

Publication Number Publication Date
CN112800428A CN112800428A (en) 2021-05-14
CN112800428B true CN112800428B (en) 2023-08-01

Family

ID=75809522

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110053180.XA Active CN112800428B (en) 2021-01-15 2021-01-15 Method and device for judging safety state of terminal equipment

Country Status (2)

Country Link
CN (1) CN112800428B (en)
WO (1) WO2022151815A1 (en)

Also Published As

Publication number Publication date
CN112800428A (en) 2021-05-14
WO2022151815A1 (en) 2022-07-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant