CN112995193A - Abnormal node identification method, safety query method and device - Google Patents


Info

Publication number
CN112995193A
Authority
CN
China
Prior art keywords
node
matrix
state
vector
current
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110283303.9A
Other languages
Chinese (zh)
Other versions
CN112995193B (en)
Inventor
陈文倩
张旭高
赵承刚
肖新光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Antiy Network Technology Co Ltd
Original Assignee
Beijing Antiy Network Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Antiy Network Technology Co Ltd filed Critical Beijing Antiy Network Technology Co Ltd
Priority to CN202110283303.9A priority Critical patent/CN112995193B/en
Priority to CN202210898832.4A priority patent/CN115242534B/en
Publication of CN112995193A publication Critical patent/CN112995193A/en
Application granted granted Critical
Publication of CN112995193B publication Critical patent/CN112995193B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16YINFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y30/00IoT infrastructure
    • G16Y30/10Security thereof
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/12Discovery or management of network topologies

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to an abnormal node identification method, a safety query method and a safety query device. The method and the device consider the influence of the abnormal node in the nodes with data interaction on other nodes, and enable the identification result to be more accurate when the abnormal state of the node is identified. In addition, after the abnormal state of each node is identified, a plurality of encrypted ciphertexts are generated according to the identification result, and the encrypted ciphertexts are transmitted through a plurality of channels in a one-to-one correspondence mode, so that the risk of privacy data leakage can be reduced.

Description

Abnormal node identification method, safety query method and device
Technical Field
The invention relates to the technical field of information security, in particular to an abnormal node identification method, a security query method and a security query device.
Background
The industrial internet of things is a collection of control sensors and controllers which integrate the functions of collecting, storing, processing and transmitting control information and data, and has an important role in improving the industrial production efficiency, reducing the production cost of enterprises and improving the reliability, continuity and stability of industrial manufacturing business as an information system. Therefore, whether an abnormal node exists in the industrial internet of things needs to be inquired and identified in time.
In the prior art, a main method for identifying abnormal nodes of an industrial internet of things comprises the following steps: a way of analyzing the weblog, a way of estimating based on bayesian parameters, a way of based on a rule module and a security sample database, etc. The recognition accuracy is low. Moreover, when the identification result is fed back to the inquiring person, the attacker is easy to intercept the identification result, and the private data is leaked.
In view of the above, it is desirable to provide an abnormal node identification method, a security query method and a device to solve the above disadvantages.
Disclosure of Invention
The invention aims to solve the technical problems of how to improve the accuracy of abnormal node identification and reduce the risk of private data leakage, and provides an abnormal node identification method, a safety query method and a safety query device aiming at the defects in the prior art.
In order to solve the above technical problem, the present invention provides an abnormal node identification method, including:
determining a network relationship among n nodes in the industrial control Internet of things, and generating a node spread influence matrix according to the network relationship; a network relationship between two nodes indicates that data interaction exists between them; the node spread influence matrix is an n × n matrix;
determining at least one evaluation attribute for evaluating the node state of each node in the industrial control Internet of things, and generating, according to the at least one evaluation attribute, a node current state matrix in an ideal state and a node current state matrix in an actual state; the node current state matrix is an n × m matrix; m is the number of evaluation attributes; n and m are positive integers;
multiplying the node spread influence matrix with the node current state matrix in the ideal state to obtain a node current state spread matrix in the ideal state;
multiplying the node spread influence matrix with the node current state matrix in the actual state to obtain a node current state spread matrix in the actual state;
and identifying the abnormal state of each node in the n nodes according to the node current state spread matrix in the ideal state and the node current state spread matrix in the actual state.
Preferably, the generating a node spread influence matrix according to the network relationship includes:
constructing a node relation matrix according to the network relationship; the node relation matrix is an n × n matrix; for the i-th node and the j-th node having a network relationship among the n nodes, when the i-th node is the data sender and the j-th node is the data receiver, the (j, i)-th element $a_{ji}$ of the node relation matrix is 1, otherwise $a_{ji}$ is 0; when i = j, $a_{ij} = a_{ji} = 1$; wherein i and j are both positive integers not greater than n;
calculating the influence value of each node according to the node relation matrix;
replacing the value of the (i, i)-th element $a_{ii}$ in the node relation matrix with the influence value of the i-th node to obtain the node spread influence matrix.
Preferably,
the generating of the node current state matrix in the ideal state includes:
determining a parameter range which is formed by two boundary values and corresponds to each evaluation index; wherein each of the evaluation attributes includes at least one evaluation index;
determining the larger boundary value of the two boundary values as an index data value corresponding to the evaluation index;
constructing an n x m-order node current state matrix according to the index data value corresponding to each evaluation index, and determining the constructed n x m-order node current state matrix as a node current state matrix in an ideal state;
and/or,
the generating of the node current state matrix in the actual state includes:
aiming at each evaluation index, collecting a current data value corresponding to the evaluation index; wherein each of the evaluation attributes includes at least one evaluation index;
determining the collected current data value as an index data value corresponding to the evaluation index;
and constructing an n x m-order node current state matrix according to the index data value corresponding to each evaluation index, and determining the constructed n x m-order node current state matrix as the node current state matrix in the actual state.
Preferably, the constructing a node current state matrix of order n × m includes:
for each of the n nodes, performing:
for each of the m evaluation attributes, performing:
determining at least one evaluation index included in the evaluation attribute;
determining the weight of each evaluation index in the evaluation attribute;
standardizing the index data value corresponding to each evaluation index to obtain the deviation index of each evaluation index;
calculating the current state evaluation index value corresponding to the evaluation attribute according to the weight of each evaluation index and the deviation index of each evaluation index;
obtaining m current situation evaluation index values corresponding to the node;
and determining m current situation evaluation index values corresponding to each node in the n nodes as elements in the node current situation matrix.
Preferably, identifying the abnormal state of each node in the n nodes according to the node current state spread matrix in the ideal state and the node current state spread matrix in the actual state includes:
for each node, performing:
acquiring a node current state evaluation vector in the ideal state corresponding to the node from the node current state spread matrix in the ideal state, and acquiring a node current state evaluation vector in the actual state corresponding to the node from the node current state spread matrix in the actual state;
calculating Euler-cosine similarity between the node current state evaluation vector in the ideal state and the node current state evaluation vector in the actual state;
and determining the abnormal state of the node according to the calculated Euler-cosine similarity and a set threshold.
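The identification steps above, worked through on a constructed four-node network. This is an added example, not code from the patent. Assumptions: formulas (1) to (3) for k_i are not reproduced in this text, so `influence_values` uses a hypothetical degree-share stand-in before applying formula (4); plain cosine similarity stands in for the "Euler-cosine similarity", which the text does not define; and a node is treated as abnormal when its similarity falls below the threshold.

```python
import math

LAMBDA = 0.85  # node influence coefficient value given in the description


def relation_matrix(n, edges):
    """Node relation matrix: a[j][i] = 1 when node i sends data to node j; diagonal = 1."""
    a = [[1 if r == c else 0 for c in range(n)] for r in range(n)]
    for sender, receiver in edges:
        a[receiver][sender] = 1
    return a


def influence_values(a, lam=LAMBDA):
    """f_i = k_i + a_ii (formula 4). The k_i used here is a HYPOTHETICAL stand-in:
    a lambda-weighted mix of the node's out-degree and in-degree shares."""
    n = len(a)
    in_deg = [sum(a[i][j] for j in range(n) if j != i) for i in range(n)]   # row i
    out_deg = [sum(a[j][i] for j in range(n) if j != i) for i in range(n)]  # column i
    total = sum(in_deg) or 1
    return [lam * out_deg[i] / total + (1 - lam) * in_deg[i] / total + a[i][i]
            for i in range(n)]


def spread_influence_matrix(a):
    """Replace each diagonal element a_ii with the influence value f_i."""
    f = influence_values(a)
    n = len(a)
    return [[f[r] if r == c else a[r][c] for c in range(n)] for r in range(n)]


def matmul(g, s):
    """(n x n) spread influence matrix times (n x m) current state matrix."""
    return [[sum(g[r][k] * s[k][c] for k in range(len(s))) for c in range(len(s[0]))]
            for r in range(len(g))]


def cosine(u, v):
    """Stand-in similarity (assumption). Note that it ignores vector magnitude."""
    nu = math.sqrt(sum(x * x for x in u))
    nv = math.sqrt(sum(x * x for x in v))
    if nu == 0 or nv == 0:
        return 0.0
    return sum(x * y for x, y in zip(u, v)) / (nu * nv)


def identify(edges, ideal, actual, threshold, similarity=cosine):
    """Return (per-node similarities, indices of nodes judged abnormal)."""
    g = spread_influence_matrix(relation_matrix(len(ideal), edges))
    ideal_spread, actual_spread = matmul(g, ideal), matmul(g, actual)
    sims = [similarity(i_row, a_row) for i_row, a_row in zip(ideal_spread, actual_spread)]
    return sims, [idx for idx, s in enumerate(sims) if s < threshold]


# Constructed sample: node 0 feeds nodes 1 and 2, which both feed node 3.
EDGES = [(0, 1), (0, 2), (1, 3), (2, 3)]
# Rows = nodes, columns = the four evaluation attributes (network, communication,
# energy, service). Ideal entries are 1.0; node 0's actual row is degraded.
IDEAL = [[1.0] * 4 for _ in range(4)]
ACTUAL = [
    [0.20, 0.90, 0.30, 0.95],
    [0.95, 0.90, 0.97, 0.92],
    [0.93, 0.96, 0.90, 0.94],
    [0.96, 0.91, 0.95, 0.93],
]

if __name__ == "__main__":
    sims, abnormal = identify(EDGES, IDEAL, ACTUAL, threshold=0.95)
    for node, s in enumerate(sims):
        print(f"node {node}: similarity {s:.4f}")
    print("abnormal nodes:", abnormal)
```

Nodes 1 and 2 score lower than node 3 although their own readings are healthy, because node 0's row enters their spread vectors directly; raising the threshold would flag them as well.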
The embodiment of the invention also provides a node state safety query method, which comprises the following steps:
when receiving a query request sent by a user, a data server sends an identification instruction to an identification server;
the identification server identifies the abnormal state of each node in the n nodes by using any one of the methods according to the identification instruction;
acquiring an original node number vector of each node, and performing vector replacement processing on the original node number vector corresponding to each node whose state is abnormal to obtain a current node number vector corresponding to the abnormal node; determining the original node number vector corresponding to each node whose state is normal as the current node number vector corresponding to the normal node;
generating a first number of sub-vectors according to the current node number vector of each node; the first number is the dimension number of the current node number vector; each subvector comprises n vector values;
performing, for each vector value in each subvector: generating a second number of encrypted ciphertexts for the vector value; the second number of encrypted ciphertexts are sent to the data server through a second number of channels in one-to-one correspondence;
the data server sends a third number of encrypted ciphertexts to the user so that the user can determine abnormal nodes according to the third number of encrypted ciphertexts; the third number is the product of the first number, the second number and n.
Preferably, the generating a first number of sub-vectors according to the current node number vector of each node includes:
the ith subvector is generated as follows: selecting a corresponding value in the ith dimension from each current node number vector, and writing the selected n corresponding values in the ith dimension into the ith sub-vector; i is a positive integer no greater than the first number;
and/or,
the generating a second number of encrypted ciphertexts for the vector value includes:
randomly dividing the vector values into a second number of values; wherein the vector value is equal to the sum of a second number of values into which the vector value is randomly divided;
and encrypting each value randomly divided to obtain a second number of encrypted ciphertexts.
The embodiment of the invention also provides a node state safety query method, which comprises the following steps:
sending a query request to a data server, and receiving a third number of encrypted ciphertexts fed back by the data server according to the query request;
determining a second number of encrypted ciphertexts for representing each vector value in each sub-vector from the third number of encrypted ciphertexts;
for each vector value in each subvector, performing: restoring the vector value according to the second number of encrypted ciphertexts corresponding to the vector value;
determining the current node number vector of each node according to the obtained first number of sub-vectors;
and determining abnormal nodes according to the current node number vector of each node.
Preferably, before the sending the query request to the data server, the method further includes: receiving a first serial number sent by an identification server in advance; the first serial number is obtained by encrypting an original node number vector of each node by using a secure hash algorithm;
after the sending of the query request to the data server, further comprising: receiving a second serial number sent by the data server; the second serial number is obtained by encrypting the current node number vector of each node by using the secure hash algorithm;
after the sending of the query request to the data server and before the determining of a second number of encrypted ciphertexts for characterizing each vector value in each sub-vector from the third number of encrypted ciphertexts, the method further includes: comparing whether the first serial number is the same as the second serial number, and if not, determining a second number of encrypted ciphertexts for representing each vector value in each sub-vector from the third number of encrypted ciphertexts;
and/or,
before the sending the query request to the data server, further comprising: receiving an original node number vector of each node sent by the identification server in advance;
the determining the abnormal node according to the current node number vector of each node includes:
for each node, performing:
comparing the current node number vector with the original node number vector of the node, and if the current node number vector is the same as the original node number vector, indicating that the node is a normal node; if not, the node is an abnormal node.
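The server-side and user-side query steps above, end to end, on constructed node number vectors. This is an added example, not code from the patent. Assumptions: the replacement vector is a random vector that differs from the original; SHA-256 stands in for the unnamed secure hash algorithm; the per-share cipher is not named in the text, so shares travel unencrypted here and a deployment would encrypt each one before sending; the `(dimension, node, share)` record layout is hypothetical.

```python
import hashlib
import secrets

SHARE_RANGE = 2 ** 32  # assumption: random shares are drawn from [-2^32, 2^32)


def replace_abnormal(original, abnormal):
    """Vector replacement: abnormal nodes get a random vector that differs from the original."""
    current = []
    for idx, vec in enumerate(original):
        new = list(vec)
        if idx in abnormal:
            while new == list(vec):
                new = [secrets.randbelow(1000) for _ in vec]
        current.append(new)
    return current


def sub_vectors(current):
    """The i-th sub-vector holds the i-th dimension of every node's vector (n values)."""
    return [list(col) for col in zip(*current)]


def split_value(value, parts):
    """Randomly divide a value into `parts` values whose sum equals the value.
    How well a subset of shares hides the value depends on SHARE_RANGE being
    much larger than the values themselves."""
    shares = [secrets.randbelow(2 * SHARE_RANGE) - SHARE_RANGE for _ in range(parts - 1)]
    shares.append(value - sum(shares))
    return shares


def serial_number(vectors):
    """Hash over all node number vectors (SHA-256 is an assumption)."""
    data = ";".join(",".join(str(x) for x in v) for v in vectors).encode()
    return hashlib.sha256(data).hexdigest()


def server_send(current, parts):
    """Identification server: channels[c] carries one share of every vector value."""
    channels = [[] for _ in range(parts)]
    for dim, sub in enumerate(sub_vectors(current)):
        for node, value in enumerate(sub):
            for c, share in enumerate(split_value(value, parts)):
                channels[c].append((dim, node, share))
    return channels


def user_recover(channels, dims, n):
    """User: sum the shares of each vector value, then rebuild the per-node vectors."""
    subs = [[0] * n for _ in range(dims)]
    for channel in channels:
        for dim, node, share in channel:
            subs[dim][node] += share
    return [list(col) for col in zip(*subs)]


def find_abnormal(original, recovered):
    """A node is abnormal when its current vector differs from its original vector."""
    return [i for i, (o, r) in enumerate(zip(original, recovered)) if list(o) != list(r)]


def query(original, abnormal, parts):
    """Full round trip; returns the abnormal node indices as seen by the user."""
    first_serial = serial_number(original)           # sent to the user in advance
    current = replace_abnormal(original, abnormal)   # identification server
    channels = server_send(current, parts)
    if serial_number(current) == first_serial:       # nothing was replaced
        return []
    recovered = user_recover(channels, len(original[0]), len(original))
    return find_abnormal(original, recovered)


if __name__ == "__main__":
    # Constructed sample: four nodes, three-dimensional node number vectors.
    ORIGINAL = [[3, 1, 4], [1, 5, 9], [2, 6, 5], [3, 5, 8]]
    print("abnormal nodes seen by the user:", query(ORIGINAL, {2}, parts=3))
```

With 3 dimensions, 3 channels and 4 nodes the user receives 3 × 3 × 4 = 36 shares, matching the "third number" defined above.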
The embodiment of the present invention further provides an abnormal node identification apparatus, including:
a node spread influence matrix generating unit, configured to determine the network relationship among n nodes in the industrial control Internet of things and generate a node spread influence matrix according to the network relationship; a network relationship between two nodes indicates that data interaction exists between them; the node spread influence matrix is an n × n matrix;
a node current state matrix generating unit, configured to determine at least one evaluation attribute for evaluating the node state of each node in the industrial control Internet of things, and to generate, according to the at least one evaluation attribute, a node current state matrix in an ideal state and a node current state matrix in an actual state; the node current state matrix is an n × m matrix; m is the number of evaluation attributes; n and m are positive integers;
a node current state spread matrix generating unit, configured to multiply the node spread influence matrix with the node current state matrix in the ideal state to obtain a node current state spread matrix in the ideal state, and to multiply the node spread influence matrix with the node current state matrix in the actual state to obtain a node current state spread matrix in the actual state;
and a node state determining unit, configured to identify the abnormal state of each node in the n nodes according to the node current state spread matrix in the ideal state and the node current state spread matrix in the actual state.
The embodiment of the invention also provides a node state safety query system, which comprises:
the data server is used for receiving the query request sent by the user and sending an identification instruction to the identification server;
the identification server is used for executing the following operations:
according to the identification instruction, identifying the abnormal state of each node in the n nodes by using any one of the methods;
acquiring an original node number vector of each node, and performing vector replacement processing on the original node number vector corresponding to each node whose state is abnormal to obtain a current node number vector corresponding to the abnormal node; determining the original node number vector corresponding to each node whose state is normal as the current node number vector corresponding to the normal node;
generating a first number of sub-vectors according to the current node number vector of each node; the first number is the dimension number of the current node number vector; each subvector comprises n vector values;
performing, for each vector value in each subvector: generating a second number of encrypted ciphertexts for the vector value; the second number of encrypted ciphertexts are sent to the data server through a second number of channels in one-to-one correspondence;
the data server is further configured to send a third number of encrypted ciphertexts to the user, so that the user determines an abnormal node according to the third number of encrypted ciphertexts; the third number is the product of the first number, the second number and n.
The embodiment of the present invention further provides a node state security query apparatus, including:
the interactive unit is used for sending a query request to a data server and receiving a third number of encrypted ciphertexts fed back by the data server according to the query request;
a determining unit, configured to determine, from the third number of encrypted ciphertexts, a second number of encrypted ciphertexts used for representing each vector value in each sub-vector;
a recovery unit configured to perform, for each vector value in each sub-vector: restoring the vector value according to the second number of encrypted ciphertexts corresponding to the vector value;
the determining unit is further configured to determine a current node number vector of each node according to the obtained first number of sub-vectors; and determining abnormal nodes according to the current node number vector of each node.
According to the abnormal node identification method, the safety query method and the safety query device provided by the embodiment of the invention, data interaction exists among the nodes in the industrial Internet of things, so if one node is abnormal, it exerts a spread influence on the nodes that exchange data with it. This spread influence is taken into account when the node current state spread matrix in the ideal state and the node current state spread matrix in the actual state are calculated, so the identification result obtained from these two matrices is more accurate. Furthermore, after the abnormal state of each node is identified, the node number vector of each abnormal node is subjected to replacement processing while the node number vector of each normal node is left unprocessed; sub-vectors are generated from the current node number vectors of the nodes, a second number of encrypted ciphertexts are generated for each vector value in the sub-vectors, and the ciphertexts are sent to the data server through a second number of channels in one-to-one correspondence.
Drawings
Fig. 1 is a flowchart of an abnormal node identification method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a network relationship according to an embodiment of the present invention;
Fig. 3 is a flowchart of a node state security query method according to a second embodiment of the present invention;
Fig. 4 is a flowchart of a node state security query method according to a third embodiment of the present invention;
Fig. 5 is an architecture diagram of an apparatus in which an abnormal node identifying device according to a fourth embodiment of the present invention is located;
Fig. 6 is a structural diagram of an abnormal node identification apparatus according to a fourth embodiment of the present invention;
Fig. 7 is a structural diagram of a node state security query system according to a fifth embodiment of the present invention;
Fig. 8 is an architecture diagram of an apparatus in which a node state security device according to a sixth embodiment of the present invention is located;
Fig. 9 is a structural diagram of a node state security apparatus according to a sixth embodiment of the present invention;
Fig. 10 is a structural diagram of another node state security apparatus according to a sixth embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
Example one
As shown in fig. 1, an abnormal node identification method provided in an embodiment of the present invention includes the following steps:
Step 101: determining a network relationship among n nodes in the industrial control Internet of things, and generating a node spread influence matrix according to the network relationship; a network relationship between two nodes indicates that data interaction exists between them; the node spread influence matrix is an n × n matrix.
The industrial control Internet of things comprises n nodes. The nodes are physically independent of one another, but data interaction exists among them. If a node is abnormal, it can affect the other nodes that exchange data with it; therefore, the network relationship among the n nodes in the industrial control Internet of things needs to be determined.
In an embodiment of the present invention, in order to make the network relationship between the n nodes clearer, the network relationship may be expressed by drawing a network relationship diagram. Fig. 2 is a schematic diagram of the network relationship between the n nodes in the industrial control Internet of things. The network relationship diagram can be generated in the following way:
Step A1: acquiring an industrial control Internet of things node set; wherein the set includes n nodes.
Step A2: establishing a network relation between nodes; if data interaction occurs between two nodes, the two nodes are considered to have a network relationship, the relationship is represented by a directed edge, and the directed edge is directed to a data receiver by a data sender.
The impact of an anomaly can be passed to other nodes through network relationships. Different nodes produce different degrees of abnormal influence: the larger a node's in-degree, the more data the node receives and the more sensitive it is to the abnormal state of other nodes; the larger a node's out-degree, the more data the node sends out and the greater its abnormal influence.
In an embodiment of the present invention, the node spread influence matrix may be generated at least by the following method:
Step B1: constructing a node relation matrix according to the network relationship; the node relation matrix is an n × n matrix; for the i-th node and the j-th node having a network relationship among the n nodes, when the i-th node is the data sender and the j-th node is the data receiver, the (j, i)-th element $a_{ji}$ of the node relation matrix is 1, otherwise $a_{ji}$ is 0; when i = j, $a_{ij} = a_{ji} = 1$; wherein i and j are both positive integers not greater than n.
The node relation matrix M is constructed as follows:
Figure BDA0002979412000000101
Step B2: calculating the influence value of each node according to the node relation matrix.
In the present embodiment, the influence value $f_i$ of each node can be calculated at least by the following formulas:
Figure BDA0002979412000000102
Figure BDA0002979412000000103
Figure BDA0002979412000000104
$f_i = k_i + a_{ii}$ (4)
Wherein,
Figure BDA0002979412000000111
is the in-degree of node i;
Figure BDA0002979412000000112
is the out-degree of node i; λ is the node influence coefficient. The node influence coefficient may be λ = 0.85.
Step B3: replacing the value of the (i, i)-th element $a_{ii}$ in the node relation matrix with the influence value of the i-th node to obtain the node spread influence matrix.
The node spread influence matrix G is as follows:
Figure BDA0002979412000000113
Step 102: determining at least one evaluation attribute for evaluating the node state of each node in the industrial control Internet of things, and generating, according to the at least one evaluation attribute, a node current state matrix in an ideal state and a node current state matrix in an actual state; the node current state matrix is an n × m matrix; m is the number of evaluation attributes; n and m are positive integers.
The state of each node in the industrial control internet of things can be evaluated by at least one evaluation attribute. When different nodes correspond to different types, evaluation attributes corresponding to the different nodes may also be different, and therefore, the evaluation attribute corresponding to each node needs to be determined.
In an embodiment of the present invention, 4 evaluation attributes are exemplified for each node. The 4 evaluation attributes are:
(1) Network status: the network-layer running state of the node in the industrial control Internet of things.
(2) Communication status: the communication stability of the node in the industrial control Internet of things.
(3) Energy status: the energy consumption state of the node in the industrial control Internet of things.
(4) Service status: the availability state of the node in the industrial control Internet of things.
In order to improve the objectivity of the evaluation, each evaluation attribute may further include several evaluation indexes, as shown in table 1.
Table 1:
Figure BDA0002979412000000114
Figure BDA0002979412000000121
The evaluation attributes are used for evaluating the node state, and the node state evaluated by the evaluation attributes can be represented by a node current state matrix, so the node current state matrix can be constructed from the evaluation attributes.
In an embodiment of the present invention, the node current state matrix may be constructed in at least the following way:
Step C1: for each of the n nodes, performing:
Step C11: for each of the m evaluation attributes, performing:
Step C111: determining at least one evaluation index included in the evaluation attribute.
See Table 1 for the evaluation indexes included in each evaluation attribute.
Step C112, determining the weight of each evaluation index in the evaluation attribute.
The influence degrees of different evaluation indexes on the node states are different, and the importance degree of the evaluation indexes can be reflected in a mode of distributing weights to the evaluation indexes. The weight of the evaluation index can be directly assigned according to an empirical value, and can also be determined by an analytic hierarchy process. When the weight of the evaluation index is determined by adopting an analytic hierarchy process, the method specifically comprises the following steps: the relative importance degree of each evaluation index is determined by adopting a scale of 1-9, and then the weight of the evaluation index is calculated.
Taking the evaluation attribute network status ($w_1$) as an example, the process of calculating the weight vector of the evaluation indexes is described below; weights are assigned to the evaluation indexes of the other evaluation attributes in the same way. First, an evaluation index judgment matrix as shown in Table 2 below is established according to experience or by inviting experts; the judgment matrix represents the relative importance of each evaluation index:
Table 2:
Figure BDA0002979412000000131
Then, the eigenvalue corresponding to the evaluation attribute is calculated by the analytic hierarchy process according to Table 2. Finally, the evaluation index weights are calculated from the eigenvalue corresponding to the evaluation attribute. The evaluation index weights shown in Table 3 were obtained by this method.
Table 3: evaluation index weights
Figure BDA0002979412000000132
Step C113: normalizing the index data value corresponding to each evaluation index to obtain the deviation index of each evaluation index.
Each evaluation index has different physical meanings and quantization units, in order to quantize the state of each evaluation index, a deviation index is introduced to carry out standardization processing on index data of the evaluation index, the index data are quantized to an interval [0,1], and when the deviation index obtained after the standardization processing is 0, the evaluation index deviates from an ideal state to the greatest extent, and the current state of the evaluation index is worst; when the deviation index obtained after the normalization process is 1, it indicates that the evaluation index is in an ideal state.
In an embodiment of the present invention, in order to perform the normalization process on the index data value, it is necessary to determine a parameter range formed by two boundary values corresponding to each evaluation index, please refer to table 4, which is a parameter range corresponding to each evaluation index established based on a priori experience.
Table 4:
Figure BDA0002979412000000133
Figure BDA0002979412000000141
where $I_a$ and $I_b$ are the two boundary values, and the index attribute indicates which standardization formula is applied to the index data value of the evaluation index: a positive index attribute means the formula for positive indexes is used, and a negative index attribute means the formula for negative indexes is used. The standardization formulas for positive and negative indexes are as follows:
1) Positive index
Figure BDA0002979412000000142
2) Negative index
Figure BDA0002979412000000143
where $I_i$ is the deviation index of the evaluation index and $x_i$ is the index data value of the evaluation index.
Step C114, calculating the current evaluation index value corresponding to the evaluation attribute according to the weight of each evaluation index and the deviation index of each evaluation index.
The coupling degree method can well represent the strength relation of the mutual influence among all the evaluation indexes, and the data are fused by combining the method and the linear weighting method, so that the mutual influence relation among different evaluation indexes can be reflected, the current evaluation index can be quantified, and the calculation formula is as follows:
Figure BDA0002979412000000144
$X = h \times t,\quad t = w_1 I_1 + \dots + w_j I_j \quad (8)$
where X is the current state evaluation index value; h is the coupling degree value of the current state evaluation index; k is the number of evaluation indexes; $I_j$ is the deviation index of the j-th evaluation index, j = 1, 2, …, k; and $w_j$ is the weight of the j-th evaluation index, j = 1, 2, …, k.
Step C12, obtaining the m current state evaluation index values corresponding to the node.
After steps C111 to C114 have been performed for each evaluation attribute, the m current state evaluation index values corresponding to the node are obtained, and a node current state evaluation vector $S = (X_1, X_2, X_3, X_4)$ can be established from them.
Step C2, determining the m current state evaluation index values corresponding to each of the n nodes as the elements of the node current state matrix.
Executing the above steps C11-C12 for each node, m current situation evaluation index values may be obtained for each node, and the following node current situation matrix is established by using the m current situation evaluation index values corresponding to each node:
Figure BDA0002979412000000151
The method described above is a preferred way of constructing the node current state matrix. Other methods may also be used; for example, the average of the index data values corresponding to the evaluation indexes is determined as the current state evaluation index value of the evaluation attribute, that value is normalized, and the normalized current state evaluation index value is used as an element of the node current state matrix.
To determine whether the node state is normal or abnormal, the actual state of the node must be compared with the ideal state. Therefore both a node current state matrix in the ideal state and a node current state matrix in the actual state must be generated.
Specifically, the node current state matrix in the ideal state may be generated as follows: determining the parameter range, formed by two boundary values, that corresponds to each evaluation index, wherein each of the evaluation attributes comprises at least one evaluation index; determining the larger of the two boundary values as the index data value corresponding to the evaluation index; and constructing an n × m node current state matrix from the index data value corresponding to each evaluation index, and determining the constructed n × m node current state matrix as the node current state matrix in the ideal state.
The parameter range formed by the two boundary values of each evaluation index can be determined from Table 4. The larger of the two boundary values $I_a$ and $I_b$ is determined as the index data value corresponding to the evaluation index, that is, the larger of $I_a$ and $I_b$ is taken as the value of $x_i$ and substituted into formula (5) or formula (6); steps C1 to C2 are then executed to obtain an n × m node current state matrix, which is the node current state matrix in the ideal state.
Specifically, the node current state matrix in the actual state may be generated as follows: for each evaluation index, collecting the current data value corresponding to the evaluation index, wherein each of the evaluation attributes comprises at least one evaluation index; determining the collected current data value as the index data value corresponding to the evaluation index; and constructing an n × m node current state matrix from the index data value corresponding to each evaluation index, and determining the constructed n × m node current state matrix as the node current state matrix in the actual state.
When the state of the nodes needs to be identified, the current data value corresponding to each evaluation index is collected, taken as the value of $x_i$ and substituted into formula (5) or formula (6); steps C1 to C2 are then executed to obtain an n × m node current state matrix, which is the node current state matrix in the actual state.
Step 103: multiplying the node spread influence matrix by the node current state matrix in the ideal state to obtain the node current state spread matrix in the ideal state.
Step 104: multiplying the node spread influence matrix by the node current state matrix in the actual state to obtain the node current state spread matrix in the actual state.
Data interaction relations exist among the n nodes in the industrial control Internet of things. If only the node current state matrix were used to identify abnormal nodes, the influence of an abnormal node on the nodes that have a network relationship with it would be ignored. Therefore the node current state spread matrix is constructed by combining the node current state matrix with the node spread influence matrix, and it is used as the input of the Euler-cosine similarity method to identify abnormal nodes in the industrial control Internet of things.
The node current state spread matrix in the ideal state is calculated by the following formula (9):
$R = G \cdot S_a \quad (9)$
The node current state spread matrix in the actual state is calculated by the following formula (10):
$R' = G \cdot S'_a \quad (10)$
where R represents the node current state spread matrix in the ideal state, G represents the node spread influence matrix, $S_a$ represents the node current state matrix in the ideal state, R' represents the node current state spread matrix in the actual state, and $S'_a$ represents the node current state matrix in the actual state.
It is understood that the execution order of step 103 and step 104 may not be limited.
Step 105: identifying the abnormal state of each of the n nodes according to the node current state spread matrix in the ideal state and the node current state spread matrix in the actual state.
When the nodes in the industrial control Internet of things are in a normal state, a stable linear correlation is maintained among the evaluation index values of the nodes at different moments. Conversely, if a node is abnormal, some of its evaluation attributes change significantly, the linear relationship among the evaluation index values of the nodes at different moments changes, and the current state of the nodes that have a network relationship with it also changes; the influence of this change can be expressed through the node spread influence matrix. Therefore, in this specification, the Euler-cosine similarity method is used to calculate the degree of deviation between the corresponding vectors of the node current state spread matrix in the ideal state and the node current state spread matrix in the actual state, and so to evaluate the degree of abnormality of the nodes in the industrial control Internet of things. The smaller the correlation coefficient between a node's current state evaluation vectors in the two matrices, the more the state of that node deviates from the ideal state and the higher its degree of abnormality.
Specifically, in the embodiment of the present invention, step 105 may be executed in one of the following manners:
Step D1, for each node, performing:
Step D11, obtaining the node current state evaluation vector in the ideal state corresponding to the node from the node current state spread matrix in the ideal state, and obtaining the node current state evaluation vector in the actual state corresponding to the node from the node current state spread matrix in the actual state.
Since the node current state matrix is an n × m matrix and the node spread influence matrix is an n × n matrix, the node current state spread matrix is an n × m matrix, and each of its rows is the node current state evaluation vector of one node: the first row is the node current state evaluation vector of the first node, the second row is that of the second node, and so on.
Taking the first node as an example, the first row of the node current state spread matrix in the ideal state is determined as the node current state evaluation vector in the ideal state corresponding to the node, and the first row of the node current state spread matrix in the actual state is determined as the node current state evaluation vector in the actual state corresponding to the node.
Step D12, calculating the Euler-cosine similarity between the node current state evaluation vector in the ideal state and the node current state evaluation vector in the actual state.
The Euler-cosine similarity can be calculated by the following formula:
Figure BDA0002979412000000181
where $C_{PQ}$ is the similarity given by formula (11), and P and Q are respectively the node current state evaluation vector in the ideal state and the node current state evaluation vector in the actual state, both m-dimensional vectors. The closer $C_{PQ}$ is to 1, the greater the correlation of the two vectors; the closer $C_{PQ}$ is to 0, the less correlated the two vectors are.
In order to further reduce the deviation of the two vectors in the quantization calculation, in an embodiment of the present invention, the euler-cosine similarity may be corrected by using the euclidean distance ratio, and preferably, the euler-cosine similarity is calculated by using the following formula:
Figure BDA0002979412000000182
where $C'_{PQ}$ is the Euler-cosine similarity, and $|P_k|$ and $|Q_k|$ are the modulus lengths of vector P and vector Q respectively, k = 1, 2, ….
Step D13, determining the abnormal state of the node according to the calculated Euler-cosine similarity and a set threshold.
After the Euler-cosine similarity of each node has been calculated, the abnormal value τ of each node can be calculated using the following formula:
$\tau = 1 - C'_{PQ} \quad (13)$
In this embodiment the preset threshold is set to 0.2. If 0.2 < τ ≤ 1, the node is an abnormal node; if 0 ≤ τ ≤ 0.2, the node is a normal node.
The abnormal state of each node can be determined by the steps D11-D13.
In the embodiment of the invention, data interaction exists among the nodes in the industrial Internet of things, so an abnormal node has a spread influence on the nodes that exchange data with it. This spread influence is taken into account when the node current state spread matrix in the ideal state and the node current state spread matrix in the actual state are calculated, so the identification result obtained from these two matrices is more accurate.
Example two
When a user queries the state of each node in the industrial Internet of things, sending the identification result directly to the user may leak private data. Therefore, the embodiment of the invention provides a node state security query method to reduce the risk of private data leakage.
Referring to fig. 3, a node status security query method according to an embodiment of the present invention includes:
Step 301: when receiving the query request sent by the user, the data server sends an identification instruction to the identification server.
In order to improve data security and reduce the risk of private data leakage, when an inquiry request sent by a user is received, the authority of the user needs to be verified, and only after the user passes the verification, the step of sending an identification instruction to an identification server is executed.
In the embodiment of the invention, the method for verifying the authority of the user can be realized by adopting a digital certificate.
Specifically, it is assumed that a Public Key Infrastructure (PKI) exists. Two large prime numbers p and q are randomly selected, and a public key and a private key (pk, sk) of the user are generated in the data server using the Paillier encryption algorithm. A signature key pair (pk*, sk*) of the user, to be used for verification, is generated using a signature authentication algorithm. The user completes identity registration on the data server through a Certificate Authority (CA), and if the user is determined to be a trusted user, the CA issues a digital certificate containing (pk, pk*) to the user.
It should be noted that, for security reasons, the public key generated by the Paillier encryption algorithm needs to exceed 1024 bits.
Wherein, the query request includes: a query message, a signature of the query message by the user, and a digital certificate of the user.
The data server can determine that the user is a trusted user according to the digital certificate. Then, the signature in the inquiry request is verified by using a private key in the signature key pair, and if the signature is correct, the step of sending an identification instruction to the identification server is executed.
In an embodiment of the present invention, to prevent replay attacks, the query request further needs to include a query timestamp. When the data server verifies that the query timestamp is the same as the current time point, it determines that the query request was not intercepted and resent by an attacker and is not a replay, and then executes the signature verification process, which further improves the security of private data.
Step 302: the identification server identifies the abnormal state of each node in the n nodes by using any method in the first embodiment according to the identification instruction.
Step 303: acquiring the original node number vector of each node, and performing vector replacement processing on the original node number vector of each node whose state is abnormal to obtain the current node number vector of that abnormal node; and determining the original node number vector of each node whose state is normal as the current node number vector of that normal node.
Each node corresponds to an original node number vector:
The original node number vector of the first node is: $d_1 = (d_{11}, d_{12}, \dots, d_{1k})$;
The original node number vector of the second node is: $d_2 = (d_{21}, d_{22}, \dots, d_{2k})$;
……
The original node number vector of the n-th node is: $d_n = (d_{n1}, d_{n2}, \dots, d_{nk})$.
Assuming that the first node is an abnormal node and the other nodes are normal nodes, the original node number vector of the first node may be subjected to replacement processing, so that the current node number vector obtained after the replacement processing is different from the original node number vector, and the current node number vector of the normal node is the same as the original node number vector, which is convenient for a user to determine a node different from the original node number vector as an abnormal node by comparing the current node number vector of each node with the original node number vector.
The replacement processing may transform the vector values in the original node number vector; for example, the current node number vector of the first node becomes $d_1 = (c_{11}, c_{12}, \dots, c_{1k})$. It should be noted that, when transforming vector values, one or more of the vector values may be transformed.
Step 304: generating a first number of sub-vectors according to the current node number vector of each node; the first number is the dimension number of the current node number vector; each subvector includes n vector values.
In one embodiment of the present invention, the i-th subvector may be generated as follows: selecting the value in the i-th dimension from each current node number vector, and writing the n selected values into the i-th subvector; i is a positive integer not greater than the first number. For the vectors of step 303, the first number is k.
For example, the k subvectors generated are respectively:
1st subvector: $D'_1 = (d_{11}, d_{21}, \dots, d_{n1})$
2nd subvector: $D'_2 = (d_{12}, d_{22}, \dots, d_{n2})$
……
k-th subvector: $D'_k = (d_{1k}, d_{2k}, \dots, d_{nk})$
Step 305: performing, for each vector value in each subvector: generating a second number of encrypted ciphertexts for the vector value; and sending the second number of encrypted ciphertexts to the data server through the second number of channels, one ciphertext per channel.
In one embodiment of the present invention, when generating the second number of encrypted ciphertexts for the vector value, the following method may be used: randomly dividing the vector values into a second number of values; wherein the vector value is equal to the sum of a second number of values into which the vector value is randomly divided; and encrypting each value randomly divided to obtain a second number of encrypted ciphertexts.
The generation of the encrypted ciphertexts for the first vector value of the 1st subvector in step 304 is described below, taking a number of nodes n equal to 2 and a number of channels equal to 3 as an example.
The 1st subvector is $D'_1 = (d_{11}, d_{21})$.
The vector value $d_{11}$ is randomly divided into 3 integers, $d_{11} = \lambda_{11} + \mu_{11} + \nu_{11}$, and the 3 encrypted ciphertexts $C_{\lambda_{11}}$, $C_{\mu_{11}}$, $C_{\nu_{11}}$ are calculated by the following formulas:
$C_{\lambda_{11}} = g^{\lambda_{11}} r_1^{N} \pmod{N^2} \quad (14)$
$C_{\mu_{11}} = g^{\mu_{11}} r_2^{N} \pmod{N^2} \quad (15)$
$C_{\nu_{11}} = g^{\nu_{11}} r_3^{N} \pmod{N^2} \quad (16)$
where g and N are the public keys, and $r_1$, $r_2$, $r_3$ are all random numbers less than N.
In this embodiment, the public keys g and N may be generated as follows: two mutually independent large prime numbers p and q are chosen such that the greatest common divisor of pq and (p-1)(q-1) is 1, where N = pq and λ is the least common multiple of (p-1) and (q-1). An integer $g \in Z_N$ is randomly selected such that the greatest common divisor of $L(g^{\lambda} \bmod N^2)$ and N is 1, where $L(x) = (x-1)/N$. λ is the private key. The private key needs to be sent to the user in advance for storage, so that the user can decrypt the encrypted ciphertexts with the private key after receiving them.
To ensure the security of the encrypted ciphertexts, the three encrypted ciphertexts are sent to the data server through three channels, one ciphertext per channel.
Step 306: the data server sends the third number of encrypted ciphertexts to the user so that the user can determine abnormal nodes according to the third number of encrypted ciphertexts; the third number is a product of the first number, the second number and n.
In an embodiment of the present invention, to improve the calculation efficiency when the user side determines abnormal nodes after decrypting the encrypted ciphertexts, a secure hash algorithm may be used to encrypt the original node number vector of each node in advance to obtain a first sequence number A, which is sent to the user. After the current node number vector of each node is obtained in step 303, the current node number vector of each node is encrypted with the same secure hash algorithm to obtain a second sequence number B, which is also sent to the user, so that the user can compare A and B. If they are the same, the states of the n nodes in the industrial control Internet of things are normal and the encrypted ciphertexts do not need to be decrypted; if they are different, an abnormal node exists among the n nodes in the industrial control Internet of things and the encrypted ciphertexts need to be decrypted.
According to the embodiment of the invention, the external attacker can not know the abnormal state of the node under the condition of not knowing the private key, and for the internal attacker, for example, a server on a channel, the current node number vector of the node can not be restored unless the servers on all the channels collude. The privacy of the data is effectively guaranteed, and the security of the private data is improved.
Example three
Referring to fig. 4, a node status security query method provided in an embodiment of the present invention is located at a user side, and the method may include:
Step 401: sending a query request to a data server, and receiving a third number of encrypted ciphertexts fed back by the data server according to the query request.
Step 402: a second number of encrypted ciphertexts characterizing each vector value in each subvector is determined from the third number of encrypted ciphertexts.
Step 403: for each vector value in each subvector, performing: and recovering the vector value according to the second number of encrypted ciphertexts corresponding to the vector value.
The decryption process will be described by taking 3 encrypted ciphertexts as an example.
For example, the 3 encrypted ciphertexts $C_{\lambda_{11}}$, $C_{\mu_{11}}$, $C_{\nu_{11}}$ are multiplied to obtain: $c = C_{\lambda_{11}} \cdot C_{\mu_{11}} \cdot C_{\nu_{11}}$.
Then, the plaintext message is recovered: $d_{11} = [L(c^{\lambda} \bmod N^2) / L(g^{\lambda} \bmod N^2)] \bmod N^2$. For the meaning of each parameter, please refer to the description of step 305 in the second embodiment, which is not repeated here.
Step 404: and determining the current node number vector of each node according to the obtained first number of sub-vectors.
Step 405: and determining abnormal nodes according to the current node number vector of each node.
In an embodiment of the present invention, since the decryption process is complex and takes a long time, in order to reduce the complexity, the method further includes, before step 401: receiving a first sequence number A sent by the identification server in advance; the first sequence number A is obtained by encrypting the original node number vector of each node using a secure hash algorithm.
After the query request is sent to the data server in step 401, the method further includes: receiving a second sequence number B sent by the data server; the second sequence number B is obtained by encrypting the current node number vector of each node using the same secure hash algorithm.
After step 401 and before step 402, the method further includes: comparing whether the first sequence number A and the second sequence number B are the same, and if not, executing step 402.
When the first sequence number A and the second sequence number B are the same, the states of the n nodes in the industrial control Internet of things are normal, so the encrypted ciphertexts do not need to be decrypted.
When the first sequence number A differs from the second sequence number B, an abnormal node exists among the n nodes in the industrial control Internet of things, so the encrypted ciphertexts need to be decrypted.
By comparing the first sequence number with the second sequence number, inefficient repeated calculation can be avoided, and query efficiency is improved.
In an embodiment of the present invention, the current node number vector of each node is obtained in step 404. In order to determine abnormal nodes, the method may further include, before step 401: receiving in advance the original node number vector of each node sent by the identification server.
Step 405 may then include: for each node, comparing the current node number vector with the original node number vector of the node; if they are the same, the node is a normal node; if not, the node is an abnormal node.
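The split, encrypt and recover round trip of step 305 in Example two and steps 402 to 405 above, as an added Python example (not code from the patent). Assumptions: demonstration-size primes instead of the more than 1024-bit key the text requires, g = N + 1 as one valid choice of g, SHA-256 as the secure hash, the final reduction taken mod N as in standard Paillier decryption, and constructed node number vectors.

```python
import hashlib
import math
import secrets

# Demonstration primes only (2^61-1 and 2^89-1); the text requires a Paillier
# public key longer than 1024 bits.
P, Q = 2**61 - 1, 2**89 - 1


def L(x, n):
    """L(x) = (x - 1) / N."""
    return (x - 1) // n


def keygen(p=P, q=Q):
    """Return the public key (g, N) and the private key lambda."""
    n = p * q
    if math.gcd(n, (p - 1) * (q - 1)) != 1:
        raise ValueError("gcd(pq, (p-1)(q-1)) must be 1")
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    g = n + 1  # assumption: a fixed valid g instead of a random one
    if math.gcd(L(pow(g, lam, n * n), n), n) != 1:
        raise ValueError("gcd(L(g^lambda mod N^2), N) must be 1")
    return (g, n), lam


def encrypt(pub, m):
    """C = g^m * r^N mod N^2 with a fresh random r < N, as in formulas (14)-(16)."""
    g, n = pub
    r = 0
    while r == 0 or math.gcd(r, n) != 1:
        r = secrets.randbelow(n)
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)


def decrypt(pub, lam, c):
    """m = L(c^lambda mod N^2) / L(g^lambda mod N^2), reduced mod N."""
    g, n = pub
    inv = pow(L(pow(g, lam, n * n), n), -1, n)
    return L(pow(c, lam, n * n), n) * inv % n


def split(value, parts):
    """Randomly divide a non-negative integer into `parts` integers summing to it."""
    shares, rest = [], value
    for _ in range(parts - 1):
        share = secrets.randbelow(rest + 1)
        shares.append(share)
        rest -= share
    return shares + [rest]


def server_encode(pub, current, channels=3):
    """Steps 304-305: build k sub-vectors, split each value, encrypt every share.

    Returns one k x n grid of ciphertexts per channel.
    """
    n_nodes, k = len(current), len(current[0])
    subvectors = [[vec[i] for vec in current] for i in range(k)]
    grids = [[[0] * n_nodes for _ in range(k)] for _ in range(channels)]
    for i, sub in enumerate(subvectors):
        for j, value in enumerate(sub):
            for ch, share in enumerate(split(value, channels)):
                grids[ch][i][j] = encrypt(pub, share)
    return grids


def user_decode(pub, lam, grids):
    """Steps 402-404: multiply the ciphertexts of one value, decrypt, rebuild vectors."""
    n = pub[1]
    k, n_nodes = len(grids[0]), len(grids[0][0])
    vectors = [[0] * k for _ in range(n_nodes)]
    for i in range(k):
        for j in range(n_nodes):
            c = 1
            for grid in grids:
                c = c * grid[i][j] % (n * n)
            vectors[j][i] = decrypt(pub, lam, c)
    return vectors


def digest(vectors):
    """Sequence number A or B: SHA-256 over the node number vectors (assumed hash)."""
    return hashlib.sha256(repr(vectors).encode()).hexdigest()


def abnormal_nodes(original, current, channels=3):
    """Run the query end to end and return the indexes of abnormal nodes."""
    pub, lam = keygen()
    if digest(original) == digest(current):
        return []  # A == B: every node is normal, no decryption needed
    recovered = user_decode(pub, lam, server_encode(pub, current, channels))
    return [j for j, (o, r) in enumerate(zip(original, recovered)) if o != r]


# Constructed sample: two nodes, k = 3; node 0 is abnormal, so its vector was replaced.
ORIGINAL = [[3, 1, 4], [1, 5, 9]]
CURRENT = [[2, 7, 4], [1, 5, 9]]

if __name__ == "__main__":
    print(abnormal_nodes(ORIGINAL, CURRENT))
```

Each channel's grid on its own decrypts only to random shares; the vector values appear only after the ciphertexts from all channels are multiplied together.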
Example four
As shown in fig. 5 and 6, an embodiment of the present invention provides an abnormal node identification apparatus. The device embodiments may be implemented by software, or by hardware, or by a combination of hardware and software. From a hardware level, as shown in fig. 5, a hardware structure diagram of a device in which an abnormal node identification apparatus provided in the embodiment of the present invention is located is shown, where in addition to the processor, the memory, the network interface, and the nonvolatile memory shown in fig. 5, the device in which the apparatus is located in the embodiment may also include other hardware, such as a forwarding chip responsible for processing a packet, in general. Taking a software implementation as an example, as shown in fig. 6, as a logical apparatus, the apparatus is formed by reading, by a CPU of a device in which the apparatus is located, corresponding computer program instructions in a non-volatile memory into a memory for execution. The abnormal node identification device provided by the embodiment comprises:
a node spread influence matrix generating unit 601, configured to determine a network relationship among n nodes in the industrial control Internet of things, and generate a node spread influence matrix according to the network relationship; when two nodes have a network relationship, data interaction exists between the two nodes; the node spread influence matrix is an n × n matrix;
a node current state matrix generating unit 602, configured to determine at least one evaluation attribute used for evaluating the node state of each node in the industrial control Internet of things, generate a node current state matrix in an ideal state according to the at least one evaluation attribute, and generate a node current state matrix in an actual state; the node current state matrix is an n × m matrix; m represents the number of evaluation attributes; n and m are positive integers;
a node current state spread matrix generating unit 603, configured to multiply the node spread influence matrix by the node current state matrix in the ideal state to obtain a node current state spread matrix in the ideal state, and to multiply the node spread influence matrix by the node current state matrix in the actual state to obtain a node current state spread matrix in the actual state;
a node state determining unit 604, configured to identify the abnormal state of each of the n nodes according to the node current state spread matrix in the ideal state and the node current state spread matrix in the actual state.
In an embodiment of the present invention, the node spread influence matrix generating unit 601 is specifically configured to perform the following operations:
constructing a node relation matrix according to the network relationship; the node relation matrix is an n × n matrix; for the i-th node and the j-th node having a network relationship among the n nodes, when the i-th node is the data sender and the j-th node is the data receiver, the (j, i)-th element $a_{ji}$ in the node relation matrix is 1, otherwise the element $a_{ji}$ is 0; when i = j, $a_{ij} = a_{ji} = 1$; where i and j are both positive integers not greater than n;
calculating the influence value of each node according to the node relation matrix;
replacing the value of the (i, i)-th element $a_{ii}$ in the node relation matrix with the influence value of the i-th node to obtain the node spread influence matrix.
In an embodiment of the present invention, the node current state matrix generating unit 602, when generating the node current state matrix in the ideal state, is specifically configured to perform the following operations:
determining a parameter range which is formed by two boundary values and corresponds to each evaluation index; wherein each of the evaluation attributes comprises at least one evaluation index;
determining the larger boundary value of the two boundary values as an index data value corresponding to the evaluation index;
constructing an n x m-order node current state matrix according to the index data value corresponding to each evaluation index, and determining the constructed n x m-order node current state matrix as a node current state matrix in an ideal state;
In an embodiment of the present invention, the node current state matrix generating unit 602, when generating the node current state matrix in the actual state, is specifically configured to perform the following operations:
aiming at each evaluation index, collecting a current data value corresponding to the evaluation index; wherein each of the evaluation attributes comprises at least one evaluation index;
determining the collected current data value as an index data value corresponding to the evaluation index;
and constructing an n x m-order node current state matrix according to the index data value corresponding to each evaluation index, and determining the constructed n x m-order node current state matrix as the node current state matrix in the actual state.
In an embodiment of the present invention, the node current state matrix generating unit 602, when constructing an n × m node current state matrix, is specifically configured to perform the following operations:
for each of the n nodes, performing:
for each of the m evaluation attributes, performing:
determining at least one evaluation index included in the evaluation attribute;
determining the weight of each evaluation index in the evaluation attribute;
standardizing the index data value corresponding to each evaluation index to obtain the deviation index of each evaluation index;
calculating the current state evaluation index value corresponding to the evaluation attribute according to the weight of each evaluation index and the deviation index of each evaluation index;
obtaining m current situation evaluation index values corresponding to the node;
and determining m current situation evaluation index values corresponding to each node in the n nodes as elements in the node current situation matrix.
In an embodiment of the present invention, the node status determining unit 604 is specifically configured to perform the following operations:
for each node, performing:
acquiring a node current state evaluation vector in an ideal state corresponding to the node from the node current state spread matrix in the ideal state, and acquiring a node current state evaluation vector in an actual state corresponding to the node from the node current state spread matrix in the actual state;
calculating the Euler-cosine similarity between the node current state evaluation vector in the ideal state and the node current state evaluation vector in the actual state;
and determining the abnormal state of the node according to the calculated Euler-cosine similarity and a set threshold.
EXAMPLE five
Referring to fig. 7, an embodiment of the present invention further provides a node status security query system, including:
a data server 701, configured to receive an inquiry request sent by a user, and send an identification instruction to an identification server 702;
the identification server 702 is configured to perform the following operations:
according to the identification instruction, identifying the abnormal state of each node in the n nodes by using any method in the first embodiment;
acquiring an original node number vector of each node, and performing vector replacement processing on the original node number vector corresponding to each node whose state is abnormal to obtain a current node number vector corresponding to the abnormal node; determining the original node number vector corresponding to each node whose state is normal as the current node number vector corresponding to the normal node;
generating a first number of sub-vectors according to the current node number vector of each node; the first number is the dimension number of the current node number vector; each subvector comprises n vector values;
performing, for each vector value in each subvector: generating a second number of encrypted ciphertexts for the vector value; the second number of encrypted ciphertexts are sent to the data server through a second number of channels in one-to-one correspondence;
the data server 701 is further configured to send a third number of encrypted ciphertexts to the user, so that the user determines an abnormal node according to the third number of encrypted ciphertexts; the third number is a product of the first number, the second number and n.
In an embodiment of the present invention, when the identification server 702 generates the first number of sub-vectors according to the current node number vector of each node, the identification server is specifically configured to perform the following operations: the ith subvector is generated as follows: selecting a corresponding value in the ith dimension from each current node number vector, and writing the selected n corresponding values in the ith dimension into the ith sub-vector; i is a positive integer not greater than the first number.
In an embodiment of the present invention, when the identification server 702 generates the second number of encrypted ciphertexts for the vector value, it is specifically configured to perform the following operations: randomly dividing the vector value into a second number of values; wherein the vector value is equal to the sum of the second number of values into which the vector value is randomly divided; and encrypting each randomly divided value to obtain a second number of encrypted ciphertexts.
EXAMPLE six
As shown in fig. 8 and 9, an embodiment of the present invention provides a node state security query apparatus. The apparatus embodiments may be implemented by software, by hardware, or by a combination of hardware and software. At the hardware level, fig. 8 is a hardware structure diagram of the device in which the node state security query apparatus according to an embodiment of the present invention is located; in addition to the processor, the memory, the network interface, and the nonvolatile memory shown in fig. 8, the device in which the apparatus is located may also include other hardware, such as a forwarding chip responsible for processing packets. Taking a software implementation as an example, as shown in fig. 9, the apparatus, as a logical apparatus, is formed by the CPU of the device in which it is located reading the corresponding computer program instructions from the non-volatile memory into memory and running them. The node state security query apparatus provided by this embodiment includes:
an interaction unit 901, configured to send a query request to a data server, and receive a third number of encrypted ciphertexts fed back by the data server according to the query request;
a determining unit 902, configured to determine, from the third number of encrypted ciphertexts, a second number of encrypted ciphertexts for characterizing each vector value in each sub-vector;
a restoring unit 903 configured to perform, for each vector value in each sub-vector: restoring the vector value according to the second number of encrypted ciphertexts corresponding to the vector value;
the determining unit 902 is further configured to determine, according to the obtained first number of sub-vectors, a current node number vector of each node; and determining abnormal nodes according to the current node number vector of each node.
In an embodiment of the present invention, the interaction unit 901 may further be configured to: receiving a first serial number sent by an identification server in advance; the first serial number is obtained by encrypting an original node number vector of each node by using a secure hash algorithm;
the interaction unit 901 may further be configured to: receiving a second serial number sent by the data server; the second serial number is obtained by encrypting the current node number vector of each node by using the secure hash algorithm;
Referring to fig. 10, in an embodiment of the present invention, the node state security query apparatus may further include: a comparing unit 904, configured to compare whether the first serial number is the same as the second serial number, and if not, trigger the determining unit to perform a corresponding operation.
In an embodiment of the present invention, the interaction unit 901 may further be configured to: receive in advance the original node number vector of each node sent by the identification server;
the determining unit 902 is specifically configured to, when determining an abnormal node according to the current node number vector of each node, perform the following operations: for each node, performing: comparing the current node number vector with the original node number vector of the node, and if the current node number vector is the same as the original node number vector, indicating that the node is a normal node; if not, the node is an abnormal node.
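The query flow of embodiments five and six, end to end, as an added example that is not code from the patent: vector replacement, sub-vector generation, random splitting over the channels, recombination by the user, and the serial number pre-check. Assumptions: shares are taken modulo a public prime, the replacement vector is random, SHA-256 stands in for the unnamed secure hash algorithm, and the per-channel encryption of each share is left out because the page names no scheme; all function names are hypothetical.

```python
import hashlib
import secrets

# Assumption: shares are reduced modulo a public prime so that any k-1 shares
# look uniformly random; the page only requires that the shares sum to the value.
MODULUS = 2**61 - 1

# Constructed sample: n = 4 nodes, node number vectors of dimension 3.
SAMPLE_ORIGINAL = [(101, 7, 42), (102, 9, 17), (103, 4, 88), (104, 1, 63)]


def replace_abnormal(original, abnormal_ids):
    """Identification server: give every abnormal node a fresh random vector."""
    current = []
    for node_id, vec in enumerate(original):
        vec = tuple(vec)
        if node_id in abnormal_ids:
            new_vec = vec
            while new_vec == vec:  # the replacement must differ from the original
                new_vec = tuple(secrets.randbelow(MODULUS) for _ in vec)
            vec = new_vec
        current.append(vec)
    return current


def make_subvectors(current):
    """The i-th sub-vector holds the i-th coordinate of all n node vectors."""
    return [list(column) for column in zip(*current)]


def split_value(value, k):
    """Split one vector value into k random shares that sum to it (mod MODULUS)."""
    shares = [secrets.randbelow(MODULUS) for _ in range(k - 1)]
    shares.append((value - sum(shares)) % MODULUS)
    return shares


def server_encode(current, k):
    """Build k channel payloads; channels[c][i][j] is share c of sub-vector i, node j."""
    subvectors = make_subvectors(current)
    channels = [[[0] * len(sv) for sv in subvectors] for _ in range(k)]
    for i, sv in enumerate(subvectors):
        for j, value in enumerate(sv):
            for c, share in enumerate(split_value(value, k)):
                channels[c][i][j] = share
    return channels


def serial_number(vectors):
    """Digest over all node number vectors (SHA-256 is an assumed choice)."""
    digest = hashlib.sha256()
    for vec in vectors:
        digest.update(b"|".join(str(v).encode() for v in vec) + b"\n")
    return digest.hexdigest()


def user_recover(channels):
    """User side: add the k shares of each value, then regroup values per node."""
    dims, n = len(channels[0]), len(channels[0][0])
    subvectors = [
        [sum(ch[i][j] for ch in channels) % MODULUS for j in range(n)]
        for i in range(dims)
    ]
    return [tuple(column) for column in zip(*subvectors)]


def find_abnormal(original, recovered):
    """A node is abnormal when its current vector differs from its original one."""
    return [j for j, (o, r) in enumerate(zip(original, recovered)) if tuple(o) != r]


def run_query(original, abnormal_ids, k=3):
    """Return (abnormal node ids seen by the user, number of shares transmitted)."""
    current = replace_abnormal(original, set(abnormal_ids))
    first_serial = serial_number(original)   # received by the user in advance
    second_serial = serial_number(current)   # relayed by the data server
    channels = server_encode(current, k)
    total = sum(len(sv) for ch in channels for sv in ch)  # first * second * n
    if first_serial == second_serial:
        return [], total                     # nothing changed, skip recovery
    return find_abnormal(original, user_recover(channels)), total


if __name__ == "__main__":
    print(run_query(SAMPLE_ORIGINAL, {1, 3}, k=3))
```

Each channel on its own carries only uniformly random residues, so the node number vectors become readable only to a party that holds the shares from all k channels.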
It is to be understood that the illustrated configuration of the embodiment of the present invention does not constitute a specific limitation to an abnormal object detection apparatus. In other embodiments of the invention, an anomalous target detection device may include more or fewer components than shown, or some of the components may be combined, some of the components may be separated, or a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Because the content of information interaction, execution process, and the like among the modules in the device is based on the same concept as the method embodiment of the present invention, specific content can be referred to the description in the method embodiment of the present invention, and is not described herein again.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a" does not exclude the presence of other similar elements in a process, method, article, or apparatus that comprises the element.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (12)

1. An abnormal node identification method is characterized by comprising the following steps:
determining a network relation among n nodes in the industrial control Internet of things, and generating a node spread influence matrix according to the network relation; a network relation between two nodes indicates that data interaction exists between the two nodes; the node spread influence matrix is an n × n matrix;
determining at least one evaluation attribute for evaluating the node state of each node in the industrial control Internet of things, and generating a node current state matrix in an ideal state and a node current state matrix in an actual state according to the at least one evaluation attribute for evaluating the node state of each node in the industrial control Internet of things; the node current state matrix is an n × m matrix; m is used for representing the number of the evaluation attributes; n and m are positive integers;
multiplying the node spread influence matrix with the node current state matrix in the ideal state to obtain a node current state spread matrix in the ideal state;
multiplying the node spread influence matrix with the node current state matrix in the actual state to obtain a node current state spread matrix in the actual state;
and identifying the abnormal state of each node in the n nodes according to the node current state spread matrix in the ideal state and the node current state spread matrix in the actual state.
2. The method of claim 1, wherein generating a node spread influence matrix from the network relation comprises:
constructing a node relation matrix according to the network relation; the node relation matrix is an n × n matrix; for the i-th node and the j-th node having a network relation among the n nodes, when the i-th node is a data sender and the j-th node is a data receiver, the (j, i)-th element $a_{ji}$ in the node relation matrix is 1, otherwise the element $a_{ji}$ is 0; when $i = j$, $a_{ij} = a_{ji} = 1$; wherein i and j are both positive integers not greater than n;
calculating the influence value of each node according to the node relation matrix;
replacing the value of the (i, i)-th element $a_{ii}$ in the node relation matrix with the influence value of the i-th node to obtain the node spread influence matrix.
3. The method of claim 1,
the generating of the node current state matrix in the ideal state includes:
determining a parameter range which is formed by two boundary values and corresponds to each evaluation index; wherein each of the evaluation attributes includes at least one evaluation index;
determining the larger boundary value of the two boundary values as an index data value corresponding to the evaluation index;
constructing an n x m-order node current state matrix according to the index data value corresponding to each evaluation index, and determining the constructed n x m-order node current state matrix as a node current state matrix in an ideal state;
and/or,
the generating of the node current state matrix in the actual state includes:
for each evaluation index, collecting a current data value corresponding to the evaluation index; wherein each of the evaluation attributes includes at least one evaluation index;
determining the collected current data value as an index data value corresponding to the evaluation index;
and constructing an n x m-order node current state matrix according to the index data value corresponding to each evaluation index, and determining the constructed n x m-order node current state matrix as the node current state matrix in the actual state.
4. The method of claim 3, wherein constructing the node current state matrix of order n × m comprises:
for each of the n nodes, performing:
for each of the m evaluation attributes, performing:
determining at least one evaluation index included in the evaluation attribute;
determining the weight of each evaluation index in the evaluation attribute;
standardizing the index data value corresponding to each evaluation index to obtain the deviation index of each evaluation index;
calculating the current state evaluation index value corresponding to the evaluation attribute according to the weight of each evaluation index and the deviation index of each evaluation index;
obtaining m current state evaluation index values corresponding to the node;
and determining the m current state evaluation index values corresponding to each node in the n nodes as elements in the node current state matrix.
5. The method according to any one of claims 1-4, wherein identifying the abnormal state of each of the n nodes according to the node current state spread matrix in the ideal state and the node current state spread matrix in the actual state comprises:
for each node, performing:
acquiring a node current state evaluation vector in an ideal state corresponding to the node from the node current state spread matrix in the ideal state, and acquiring a node current state evaluation vector in an actual state corresponding to the node from the node current state spread matrix in the actual state;
calculating Euler-cosine similarity between the node current state evaluation vector in the ideal state and the node current state evaluation vector in the actual state;
and determining the abnormal state of the node according to the calculated Euler-cosine similarity and a set threshold.
6. A node state security query method is characterized by comprising the following steps:
when receiving a query request sent by a user, a data server sends an identification instruction to an identification server;
the identification server identifies the abnormal state of each node in the n nodes by using the method of any one of claims 1 to 5 according to the identification instruction;
acquiring an original node number vector of each node, and performing vector replacement processing on the original node number vector corresponding to each node whose state is abnormal to obtain a current node number vector corresponding to the abnormal node; determining the original node number vector corresponding to each node whose state is normal as the current node number vector corresponding to the normal node;
generating a first number of sub-vectors according to the current node number vector of each node; the first number is the dimension number of the current node number vector; each subvector comprises n vector values;
performing, for each vector value in each subvector: generating a second number of encrypted ciphertexts for the vector value; the second number of encrypted ciphertexts are sent to the data server through a second number of channels in one-to-one correspondence;
the data server sends a third number of encrypted ciphertexts to the user so that the user can determine abnormal nodes according to the third number of encrypted ciphertexts; the third number is the product of the first number, the second number and n.
7. The method of claim 6,
the generating a first number of sub-vectors according to the current node number vector of each node includes:
the ith subvector is generated as follows: selecting a corresponding value in the ith dimension from each current node number vector, and writing the selected n corresponding values in the ith dimension into the ith sub-vector; i is a positive integer no greater than the first number;
and/or,
the generating a second number of encrypted ciphertexts for the vector value includes:
randomly dividing the vector value into a second number of values; wherein the vector value is equal to the sum of the second number of values into which the vector value is randomly divided;
and encrypting each randomly divided value to obtain a second number of encrypted ciphertexts.
8. A node state security query method is characterized by comprising the following steps:
sending a query request to a data server, and receiving a third number of encrypted ciphertexts fed back by the data server according to the query request;
determining a second number of encrypted ciphertexts for representing each vector value in each sub-vector from the third number of encrypted ciphertexts;
for each vector value in each subvector, performing: restoring the vector value according to the second number of encrypted ciphertexts corresponding to the vector value;
determining the current node number vector of each node according to the obtained first number of sub-vectors;
and determining abnormal nodes according to the current node number vector of each node.
9. The method of claim 8,
before the sending the query request to the data server, further comprising: receiving a first serial number sent by an identification server in advance; the first serial number is obtained by encrypting an original node number vector of each node by using a secure hash algorithm;
after the sending of the query request to the data server, further comprising: receiving a second serial number sent by the data server; the second serial number is obtained by encrypting the current node number vector of each node by using the secure hash algorithm;
after the sending of the query request to the data server and before the determining, from the third number of encrypted ciphertexts, of a second number of encrypted ciphertexts for characterizing each vector value in each sub-vector, the method further includes: comparing whether the first serial number is the same as the second serial number, and if not, performing the determining, from the third number of encrypted ciphertexts, of a second number of encrypted ciphertexts for characterizing each vector value in each sub-vector;
and/or,
before the sending the query request to the data server, further comprising: receiving in advance the original node number vector of each node sent by the identification server;
the determining the abnormal node according to the current node number vector of each node includes:
for each node, performing:
comparing the current node number vector with the original node number vector of the node, and if the current node number vector is the same as the original node number vector, indicating that the node is a normal node; if not, the node is an abnormal node.
10. An abnormal node identifying apparatus, comprising:
the node spread influence matrix generating unit is used for determining the network relation among n nodes in the industrial control Internet of things and generating a node spread influence matrix according to the network relation; a network relation between two nodes indicates that data interaction exists between the two nodes; the node spread influence matrix is an n × n matrix;
the node current state matrix generating unit is used for determining at least one evaluation attribute for evaluating the node state of each node in the industrial control Internet of things, and generating a node current state matrix in an ideal state and a node current state matrix in an actual state according to the at least one evaluation attribute for evaluating the node state of each node in the industrial control Internet of things; the node current state matrix is an n × m matrix; m is used for representing the number of the evaluation attributes; n and m are positive integers;
a node current state spread matrix generating unit, configured to multiply the node spread influence matrix with the node current state matrix in the ideal state to obtain a node current state spread matrix in the ideal state; and to multiply the node spread influence matrix with the node current state matrix in the actual state to obtain a node current state spread matrix in the actual state;
and the node state determining unit is used for identifying the abnormal state of each node in the n nodes according to the node current state spread matrix in the ideal state and the node current state spread matrix in the actual state.
11. A node status security query system, comprising:
the data server is used for receiving the query request sent by the user and sending an identification instruction to the identification server;
the identification server is used for executing the following operations:
identifying an abnormal state of each of the n nodes using the method of any one of claims 1-5 according to the identification instruction;
acquiring an original node number vector of each node, and performing vector replacement processing on the original node number vector corresponding to each node whose state is abnormal to obtain a current node number vector corresponding to the abnormal node; determining the original node number vector corresponding to each node whose state is normal as the current node number vector corresponding to the normal node;
generating a first number of sub-vectors according to the current node number vector of each node; the first number is the dimension number of the current node number vector; each subvector comprises n vector values;
performing, for each vector value in each subvector: generating a second number of encrypted ciphertexts for the vector value; the second number of encrypted ciphertexts are sent to the data server through a second number of channels in one-to-one correspondence;
the data server is further configured to send a third number of encrypted ciphertexts to the user, so that the user determines an abnormal node according to the third number of encrypted ciphertexts; the third number is the product of the first number, the second number and n.
12. A node status security query apparatus, comprising:
the interactive unit is used for sending a query request to a data server and receiving a third number of encrypted ciphertexts fed back by the data server according to the query request;
a determining unit, configured to determine, from the third number of encrypted ciphertexts, a second number of encrypted ciphertexts used for representing each vector value in each sub-vector;
a recovery unit configured to perform, for each vector value in each sub-vector: restoring the vector value according to the second number of encrypted ciphertexts corresponding to the vector value;
the determining unit is further configured to determine a current node number vector of each node according to the obtained first number of sub-vectors; and determining abnormal nodes according to the current node number vector of each node.
CN202110283303.9A 2021-03-17 2021-03-17 Abnormal node identification method, safety query method and device Active CN112995193B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202110283303.9A CN112995193B (en) 2021-03-17 2021-03-17 Abnormal node identification method, safety query method and device
CN202210898832.4A CN115242534B (en) 2021-03-17 2021-03-17 Node state security query method, system and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110283303.9A CN112995193B (en) 2021-03-17 2021-03-17 Abnormal node identification method, safety query method and device

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202210898832.4A Division CN115242534B (en) 2021-03-17 2021-03-17 Node state security query method, system and device

Publications (2)

Publication Number Publication Date
CN112995193A true CN112995193A (en) 2021-06-18
CN112995193B CN112995193B (en) 2022-10-28

Family

ID=76333024

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202210898832.4A Active CN115242534B (en) 2021-03-17 2021-03-17 Node state security query method, system and device
CN202110283303.9A Active CN112995193B (en) 2021-03-17 2021-03-17 Abnormal node identification method, safety query method and device

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202210898832.4A Active CN115242534B (en) 2021-03-17 2021-03-17 Node state security query method, system and device

Country Status (1)

Country Link
CN (2) CN115242534B (en)

Also Published As

Publication number Publication date
CN112995193B (en) 2022-10-28
CN115242534A (en) 2022-10-25
CN115242534B (en) 2024-01-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant