CN113271598B - Edge safety protection architecture for electric power 5G network - Google Patents


Info

Publication number: CN113271598B
Application number: CN202110542142.0A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN113271598A
Prior art keywords: mec, application, security, edge, node
Legal status: Active
Inventors: 张小建, 费稼轩, 黄秀丽, 王向群, 顾智敏
Current assignee: State Grid Corp of China SGCC; Global Energy Interconnection Research Institute; Electric Power Research Institute of State Grid Jiangsu Electric Power Co Ltd
Original assignee: State Grid Corp of China SGCC; Global Energy Interconnection Research Institute; Electric Power Research Institute of State Grid Jiangsu Electric Power Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/44 Program or device authentication
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/06 Authentication
    • H04W12/08 Access security
    • H04W12/10 Integrity

Abstract

The invention discloses an edge safety protection architecture for a power 5G network, which comprises user equipment, an MEC system and an MEC service provider. The MEC system comprises an MEC node, an MEC controller and an MEC basic platform, and constructs an MEC edge node security environment through an edge computing ontology security reinforcement technology. During data interaction between the user equipment and the MEC system, the MEC controller matches a preset edge computing privacy protection policy for the user equipment and provides the corresponding security protection function, while the MEC node and the MEC controller work cooperatively to enhance privacy protection. The MEC service provider provides authentication and security protection of the security relationships for the user equipment and the MEC system through the edge computing south-north network interaction security technology. This edge safety protection improves edge computing security and provides a guarantee for the stable operation of power equipment.

Description

Edge safety protection architecture for electric power 5G network
Technical Field
The invention relates to the technical field of network security, in particular to an edge security protection architecture for a power 5G network.
Background
The fifth generation mobile communication technology (5G) is taken as a core general technology of a new technological revolution and is tightly combined with industries such as big data, artificial intelligence, Internet of things and the like. The 5G application provides powerful support for energy Internet development. The characteristics of low time delay and high reliability of 5G enable wireless regulation and control of production control systems such as power monitoring systems and the like to be possible. Through the 5G network slicing technology, customized 'business private network' service can be created for users in the power industry, and the differentiated requirements of power grid business can be better met. The massive access capacity, the high bandwidth characteristic and the edge computing capacity of the 5G provide powerful support for the acquisition, transmission and on-site processing of the power Internet of things and video data.
In a power 5G network, edge computing security plays a very important role, since it concerns the stable operation of thousands of power devices. The edge computing security problems existing in current power 5G mainly include: the risk that privacy information of power access equipment is leaked; 5G edge computing nodes being sunk and deployed in a relatively unsafe physical environment; and the problems of mutual authentication and authority distribution among entities caused by service sinking. Therefore, how to overcome the edge computing security problems existing in power 5G is of great significance for the application of 5G in the power grid.
Disclosure of Invention
In view of this, an embodiment of the present invention provides an edge security protection architecture for a power 5G network, so as to solve an edge computation security problem existing in the existing power 5G network.
In order to achieve the purpose, the invention provides the following technical scheme:
the embodiment of the invention provides an edge safety protection architecture for a power 5G network, which comprises: user equipment, an MEC system and an MEC service provider. The MEC system includes an MEC node, an MEC controller and an MEC basic platform, and the MEC service provider provides an application and an authentication server, wherein:
the MEC system constructs an MEC edge node security environment through an edge computing ontology security reinforcement technology;
during data interaction between the user equipment and the MEC system, the MEC controller matches a preset edge computing privacy protection policy for the user equipment and provides the corresponding security protection function, while the MEC node and the MEC controller work cooperatively to enhance privacy protection;
the MEC service provider provides authentication and security protection of the security relationships for the user equipment and the MEC system through the edge computing south-north network interaction security technology.
Optionally, enhancing the privacy protection of the MEC through the cooperative work of the MEC node and the MEC controller includes:
monitoring the behavior of the application through the MEC node;
supervising the communication between the application and third parties through the MEC controller.
Optionally, the edge computing south-north network interaction security technology includes establishing a trust model among the MEC system, the application and the user equipment; the trust model forms a closed loop of trust by authenticating the security relationships among the MEC system, the application and the user equipment.
Optionally, authenticating the security relationships among the MEC system, the application and the user equipment includes mutual authentication between the MEC system and the application, mutual authentication between the MEC system and the user, mutual authentication between the user and the application, mutual authentication between the MEC controller and the MEC node, and authentication of the MEC system by the 5G network, where:
the MEC system and the application are mutually authenticated through the MEC controller and the authentication server;
the MEC system and the user are mutually authenticated by the MEC controller and the user equipment when the user equipment applies through the MEC controller to use an application, or when the MEC controller coordinates the allocation of an application to the user;
the user and the application are mutually authenticated by connecting the user equipment to the authentication server through the MEC controller;
and the MEC controller and the MEC node are mutually authenticated: the MEC controller authenticates the validity of the MEC node on behalf of the MEC system, and re-authenticates any MEC node whose state has changed.
Optionally, the edge computing ontology security reinforcement technology includes hardware facility protection and information security protection, where:
the hardware facility protection comprises constructing a security environment during the MEC node's start-up, measuring applications in real time while the MEC node runs, and measuring the currently active processes;
the information security protection comprises a physical gatekeeper architecture and a logical gatekeeper architecture, through which different MEC nodes are protected.
Optionally, constructing the security environment during the MEC node's start-up, measuring applications in real time while the MEC node runs, and measuring the currently active processes include:
loading a measurement module and a monitoring module that measure and monitor, in real time, the integrity state of the environment above the operating system, so as to construct a secure environment;
measuring application programs in real time while the Internet of Things terminal system runs;
and acquiring the active process measurement information of the current system in real time.
Optionally, the physical gatekeeper architecture includes: a cryptographic processing module arranged to isolate security data from non-security data.
Optionally, the logical gatekeeper architecture includes: system software that calls a security module to protect information and the execution environment.
Optionally, the edge computing privacy protection policy includes:
network interface restrictions, specifying the communication protocols, ports, addresses and traffic that an application may use;
interface call restrictions, defining the interfaces and services that the application may use;
data reading limits, defining the user data that the application may read;
virtual image restrictions, prohibiting an application from using an illegal virtual image.
Optionally, the safety protection function includes:
an input control function, which prevents the application from illegally reading user privacy information and controls the application's use of mobile edge services;
a network control function, which forbids the application from establishing any illegal network connection, blocks illegal third-party access to the application, controls dangerous protocols so that the application cannot upload data maliciously, and limits the application's uplink bandwidth and upload frequency;
an interface control function, which forbids application programming interfaces with potential security hazards;
a life cycle management function, by which the MEC node manages privacy information over its whole life cycle and stores it encrypted;
a configuration immutability function, which keeps the configuration of the application's virtual environment stable;
and a state assertion function, by which the MEC node records application behavior in a log in real time and reports it back to the user.
The technical scheme of the invention has the following advantages:
the embodiment of the invention provides an edge safety protection architecture for a power 5G network, which comprises: user equipment, an MEC system and an MEC service provider, where the MEC system comprises an MEC node, an MEC controller and an MEC basic platform, and the MEC service provider provides an application and an authentication server. The MEC system constructs an MEC edge node security environment through the edge computing ontology security reinforcement technology, which addresses the problem that 5G edge computing nodes are sunk and deployed in a relatively unsafe physical environment. During data interaction between the user equipment and the MEC system, the MEC controller matches a preset edge computing privacy protection policy for the user equipment and provides the corresponding security protection function, while the MEC node and the MEC controller work cooperatively to enhance privacy protection, so the risk of leaking the privacy information of power access equipment is reduced. The MEC service provider provides authentication and security protection of the security relationships for the user equipment and the MEC system through the edge computing north-south network interaction security technology, which solves the problems of mutual authentication and authority distribution among entities caused by service sinking. Edge computing security is improved through multi-directional edge security protection, which provides a powerful guarantee for the stable operation of power equipment.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic structural diagram of an edge security protection architecture for a power 5G network according to an embodiment of the present invention;
fig. 2 is a schematic view of an application scenario of an edge computing privacy protection policy of an edge security protection architecture for a power 5G network according to an embodiment of the present invention;
fig. 3 is a schematic view of an application scenario of an edge computing south-north network interaction security technology of an edge security protection architecture for a power 5G network according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In this embodiment, an edge security protection architecture for a power 5G network is provided, as shown in fig. 1, including: user equipment 3, an MEC system 2 and an MEC service provider 1. The MEC system 2 includes an MEC node, an MEC controller and an MEC basic platform, and the MEC service provider 1 provides an application and an authentication server, wherein:
The MEC system 2 constructs an MEC edge node security environment through the edge computing ontology security reinforcement technology. Specifically, when the MEC node starts, the security environment of the MEC edge node is constructed; while the MEC node runs, the security of the MEC edge node is controlled, maintained and proved, and the node's information security is protected at run time.
During data interaction between the user equipment 3 and the MEC system 2, the MEC controller matches a preset edge computing privacy protection policy for the user equipment 3 and provides the corresponding security protection function, while the MEC node and the MEC controller work cooperatively to enhance privacy protection. Specifically, the privacy information generated by the interaction between the edge computing application and the user, such as the user's identity and location, is protected. The edge computing security function therefore focuses on privacy protection, and guarantees that the privacy information of the various power access devices is not leaked arbitrarily through the system.
The MEC service provider 1 provides authentication and security protection of the security relationships for the user equipment 3 and the MEC system 2 through the edge computing south-north network interaction security technology. Specifically, during resource configuration the MEC node and the user equipment 3 are authenticated, which may be performed by the mobile edge coordinator, and services are selectively opened to MEC nodes and user equipment 3 according to their different permissions. The MEC node further authenticates the applications running on it and opens the corresponding services to each application.
Specifically, in an embodiment, enhancing the privacy protection of the MEC through the cooperative work of the MEC node and the MEC controller, as described above, includes, as shown in fig. 2:
monitoring the behavior of the application through the MEC node, and supervising the communication between the application and third parties through the MEC controller. Specifically, when the user equipment 3 requests an application in its interaction with the MEC system 2, the MEC controller automatically matches a preset privacy protection policy and issues it to the MEC node; the MEC node monitors the application's behavior according to the privacy policy, and the MEC controller supervises the communication between the application and third parties according to the policy and shields the privacy information from the upstream service provider. This process effectively protects the privacy information of the user equipment and improves security.
Specifically, in an embodiment, the edge computing north-south network interaction security technology includes, as shown in fig. 3, establishing a trust model among the MEC system 2, the application and the user equipment 3, where the trust model forms a closed loop of trust by authenticating the security relationships among the MEC system 2, the application and the user equipment 3.
Specifically, in an embodiment, authenticating the security relationships among the MEC system 2, the application and the user equipment 3 includes mutual authentication between the MEC system 2 and the application, mutual authentication between the MEC system 2 and the user, mutual authentication between the user and the application, mutual authentication between the MEC controller and the MEC node, and authentication of the MEC system 2 by the 5G network, where:
The MEC system 2 and the application are mutually authenticated through the MEC controller and the authentication server. Specifically, when the MEC controller receives a request from the MEC service provider 1, or the MEC service provider 1 receives from the MEC controller a request of the user equipment 3 to use the application, the MEC system 2 and the application are mutually authenticated between the MEC controller and the authentication server of the MEC service provider 1.
The mutual authentication between the MEC system 2 and the user takes place when the user equipment 3 applies through the MEC controller to use an application, or when the MEC controller coordinates the allocation of an application to the user; the MEC system 2 and the user are then mutually authenticated through the MEC controller and the user equipment 3.
The mutual authentication between the user and the application is performed by connecting the user equipment 3 to the authentication server through the MEC controller. Specifically, after the mutual authentication between the MEC system 2 and the application and between the MEC system 2 and the user equipment 3 is completed, the user equipment 3 connects to the authentication server of the MEC service provider 1 using the MEC controller as a proxy, and the user equipment 3 and the application are mutually authenticated.
The MEC controller and the MEC node are mutually authenticated: the MEC controller authenticates the validity of the MEC node on behalf of the MEC system 2, and re-authenticates any MEC node whose state has changed.
The 5G network authenticates the MEC system 2. Specifically, while the MEC system 2 is in its initialization stage, the 5G network authenticates the MEC controller, so that the MEC system 2 is safe and reliable.
Specifically, in an embodiment, the edge computing ontology security reinforcement technology includes hardware facility protection and information security protection, where:
the hardware facility protection comprises constructing a security environment during the MEC node's start-up, measuring applications in real time while the MEC node runs, and measuring the currently active processes.
The information security protection comprises a physical gatekeeper architecture and a logical gatekeeper architecture, through which different MEC nodes are protected.
Specifically, the MEC edge node information security protection implements two different security architectures, hardware facility protection and information security protection, according to the different ways in which cryptographic technology is combined with the user equipment 3; the two architectures have distinct characteristics and are each suited to different power edge nodes.
Specifically, in an embodiment, constructing the security environment during the MEC node's start-up, measuring applications in real time while the MEC node runs, and measuring the currently active processes include:
Measuring and monitoring the integrity state of the environment above the operating system in real time by loading a measurement module and a monitoring module, and thereby constructing a secure environment. Specifically, after the operating system kernel has loaded successfully, the user equipment 3 loads the measurement module and the monitoring module from the kernel code; they are responsible for measuring and monitoring the integrity state of the environment above the operating system in real time, completing the secure environment boot. The secure environment boot process ensures the integrity of the components and modules loaded after system start-up, ultimately ensures the security of the execution environment of the application programs above the operating system, and prevents unknown component modules, or tampered illegal component modules and software, from being loaded and executed during start-up.
Measuring application programs in real time while the Internet of Things terminal system runs. Specifically, whenever an application is loaded and executed by the system, the measurement module at the operating system kernel layer immediately captures the application process through an operating system hook function, obtains the file name of the process, measures the code loaded by the program with the SM3 algorithm (the Chinese national cryptographic hash standard) to obtain a hash value that identifies the process, and feeds this information back to the interface of the user equipment 3 for monitoring and examination by an operator. Because it is based on the operating system kernel, this real-time measurement reliably captures every application process run by the operating system and uniquely identifies each one, so the operator of the user equipment 3 can follow in real time which application programs the system is running, which provides a data basis for subsequent application monitoring and process control.
Acquiring the active process measurement information of the current system in real time. Specifically, the measurement information of the processes currently running can be obtained in real time: from the moment a process is loaded and executed by the operating system until it terminates, the user equipment 3 shows its measurement value, file name and other related information in a dedicated active process list for the operator to monitor. This function lets an operator quickly learn the running state of the current system, discover unknown or illegal running processes as early as possible, and take corresponding measures against them.
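As an added illustration (not code from the patent), the following Python models the application measurement and active process list described above in user space: each loaded program image is hashed with SM3 (implemented here from the published SM3 specification, GB/T 32905-2016, so the example runs offline), the measurement is recorded in an active process list, and each entry is compared against a reference allowlist so that unknown or tampered programs stand out. The process names, the allowlist and the image bytes are constructed for the example; a real deployment would hook program loading in the kernel as the text describes.

```python
# Added example, not the patent's code: SM3 implemented from GB/T 32905-2016,
# then a user-space model of the measurement hook and the active process list.

_IV = [0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
       0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E]
_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    n %= 32
    return ((x << n) | (x >> (32 - n))) & _MASK


def _p0(x: int) -> int:
    return x ^ _rotl(x, 9) ^ _rotl(x, 17)


def _p1(x: int) -> int:
    return x ^ _rotl(x, 15) ^ _rotl(x, 23)


def sm3(data: bytes) -> str:
    """256-bit SM3 digest of data, as a lowercase hex string."""
    bit_len = len(data) * 8
    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit big-endian bit length.
    data = bytes(data) + b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64) + bit_len.to_bytes(8, "big")
    v = _IV[:]
    for off in range(0, len(data), 64):
        w = [int.from_bytes(data[off + 4 * i:off + 4 * i + 4], "big") for i in range(16)]
        for j in range(16, 68):   # message expansion
            w.append(_p1(w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15))
                     ^ _rotl(w[j - 13], 7) ^ w[j - 6])
        a, b, c, d, e, f, g, h = v
        for j in range(64):       # compression rounds
            t = 0x79CC4519 if j < 16 else 0x7A879D8A
            ss1 = _rotl((_rotl(a, 12) + e + _rotl(t, j)) & _MASK, 7)
            ss2 = ss1 ^ _rotl(a, 12)
            ff = (a ^ b ^ c) if j < 16 else ((a & b) | (a & c) | (b & c))
            gg = (e ^ f ^ g) if j < 16 else ((e & f) | (~e & g))
            tt1 = (ff + d + ss2 + (w[j] ^ w[j + 4])) & _MASK
            tt2 = (gg + h + ss1 + w[j]) & _MASK
            a, b, c, d = tt1, a, _rotl(b, 9), c
            e, f, g, h = _p0(tt2), e, _rotl(f, 19), g
        v = [x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h))]
    return "".join(f"{x:08x}" for x in v)


class ActiveProcessList:
    """Active process list kept by the measurement module: one record per
    running process, carrying the SM3 of the code that was loaded for it."""

    def __init__(self, reference: dict):
        self.reference = reference  # file name -> expected SM3 (constructed allowlist)
        self.active = {}            # pid -> measurement record

    def on_exec(self, pid: int, file_name: str, code: bytes) -> dict:
        """Hook point for 'program loaded and executed': measure and record."""
        digest = sm3(code)
        expected = self.reference.get(file_name)
        if expected is None:
            status = "unknown"        # not in the allowlist at all
        elif expected == digest:
            status = "trusted"
        else:
            status = "tampered"       # known name, unexpected code
        record = {"pid": pid, "file": file_name, "sm3": digest, "status": status}
        self.active[pid] = record
        return record

    def on_exit(self, pid: int) -> None:
        """Hook point for process termination: drop it from the list."""
        self.active.pop(pid, None)

    def suspicious(self) -> list:
        """Records an operator should examine: unknown or tampered processes."""
        return [r for r in self.active.values() if r["status"] != "trusted"]


if __name__ == "__main__":
    good = b"\x7fELF constructed metering agent image"
    apl = ActiveProcessList({"meter_agent": sm3(good)})
    apl.on_exec(100, "meter_agent", good)
    apl.on_exec(101, "meter_agent", good + b"\x90")
    for rec in apl.suspicious():
        print(rec["pid"], rec["file"], rec["status"], rec["sm3"])
```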
Specifically, in an embodiment, the physical gatekeeper architecture includes: a cryptographic processing module arranged to isolate security data from non-security data. Specifically, a cryptographic processing module is connected in series, physically, on the information channel inside the terminal, forming physical gatekeeper-style cryptographic security processing and realizing a security architecture that isolates the 'red area', where the security data resides, from the 'black area', where the non-security data resides. The architecture has three characteristics: first, it ensures that no insecure data from the 'black area' enters the 'red area'; second, all known and unknown network attacks from the 'black area' against the 'red area' can be blocked, including zero-day vulnerability attacks; third, the security of the architecture is easy to prove.
Specifically, in an embodiment, the logical gatekeeper architecture includes: system software that calls a security module to protect information and the execution environment. Specifically, on the information processing path inside the terminal, protection of information and of the execution environment is realized by having the system software call a security module. Functions ranging from secure start-up of the execution environment, operating system hardening and dynamic measurement at run time, to transmission encryption, storage encryption, application security and input/output control of information, are combined and called according to the security functions actually required, achieving a logical gatekeeper-style protection effect.
Specifically, in an embodiment, the edge-computing privacy protection policy includes:
Network interface restrictions, specifying the communication protocols, ports, addresses and traffic that an application can use.
Interface call restrictions, limiting the interfaces and services that can be used by the application.
Data reading restrictions, specifying the user data that can be read by the application.
Virtual image restrictions, prohibiting an application from using an illegal virtual image.
Specifically, after the application has been subjected to the behavior restrictions of the network interface restriction, the interface call restriction and the data reading restriction, the MEC node, when configuring the corresponding virtual environment, uses the virtual image restriction to prohibit the application from using an illegal virtual image. In consideration of the low-latency characteristic of the MEC, the MEC service provider 1 constructs the application in advance according to the possible privacy protection policies and provides it to the MEC system 2 as a policy base. After receiving the information of the user equipment 3, the MEC controller matches the adapted privacy protection policy from the policy base.
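As an added illustration (not code from the patent), the following Python sketch models the policy base, the controller's matching step and the node's check of an application action against the four restriction types; the policy names, address ranges, interface names and image digests are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class PrivacyPolicy:
    """One entry of the policy base the MEC service provider builds in advance."""
    protocols: frozenset   # network interface restriction: allowed protocols
    ports: frozenset       #   ... allowed destination ports
    networks: tuple        #   ... allowed destination address ranges (CIDR)
    max_bytes: int         #   ... traffic cap per connection
    interfaces: frozenset  # interface call restriction: usable MEC services/APIs
    readable: frozenset    # data reading restriction: user data the app may read
    images: frozenset      # virtual image restriction: permitted image digests


# Constructed policy base keyed by the service class the user equipment declares
# (names, ranges and digests are illustrative assumptions, not patent values).
POLICY_BASE = {
    "metering": PrivacyPolicy(
        protocols=frozenset({"mqtts"}), ports=frozenset({8883}),
        networks=(ip_network("10.20.0.0/16"),), max_bytes=64 * 1024,
        interfaces=frozenset({"mec.location", "mec.radio_info"}),
        readable=frozenset({"meter_readings"}),
        images=frozenset({"sha256:PLACEHOLDER_METERING_IMAGE"})),
    "default": PrivacyPolicy(   # strict entry used when nothing else matches
        protocols=frozenset({"https"}), ports=frozenset({443}),
        networks=(ip_network("10.0.0.0/8"),), max_bytes=4 * 1024,
        interfaces=frozenset(), readable=frozenset(), images=frozenset()),
}


def match_policy(ue_info: dict) -> PrivacyPolicy:
    """MEC controller step: select the adapted policy for the UE's declared service."""
    return POLICY_BASE.get(ue_info.get("service"), POLICY_BASE["default"])


def check_action(policy: PrivacyPolicy, action: dict) -> tuple:
    """MEC node step: decide whether one application action stays inside the policy."""
    kind = action["kind"]
    if kind == "connect":   # network interface restriction
        if action["proto"] not in policy.protocols or action["port"] not in policy.ports:
            return False, "protocol/port not allowed"
        if not any(ip_address(action["addr"]) in net for net in policy.networks):
            return False, "address not allowed"
        if action["bytes"] > policy.max_bytes:
            return False, "traffic cap exceeded"
        return True, "ok"
    if kind == "call":      # interface call restriction
        return action["iface"] in policy.interfaces, "interface call"
    if kind == "read":      # data reading restriction
        return action["data"] in policy.readable, "data read"
    if kind == "launch":    # virtual image restriction: an unlisted image is illegal
        return action["image"] in policy.images, "virtual image"
    return False, "unknown action kind"
```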
Specifically, in an embodiment, the safety protection function includes:
The input control function, used to prevent the application from illegally reading the private information of the user and to control the application's use of the mobile edge service.
The network control function, used to forbid the application from establishing any illegal network connection, to block illegal access by a third party to the application, to control dangerous protocols so that the application cannot upload data maliciously, and to limit the uplink bandwidth and upload frequency of the application.
The interface control function, used to forbid application programming interfaces with potential safety hazards. Specifically, it guards against the application using such interfaces to operate other applications, establish a VPN channel to send data to a third party, or modify the security log of the MEC.
The life cycle management function, used by the MEC node to carry out full life cycle management of the private information and to store it encrypted. Specifically, an anonymization technique is applied in the release stage of the private information, and access control and random perturbation techniques are applied in its use stage.
The configuration immutable function, used to keep the configuration of the application virtual environment stable. In particular, a request from a third party or from the application to modify the configuration is denied.
The state assertion function, used by the MEC node to record the application behavior in a log in real time and feed it back to the user. Specifically, the MEC node records the application behavior in a log in real time and provides the user equipment 3 with an interface for querying the log, or periodically pushes the security status of the application to the user equipment 3.
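The following added example (not the patent's code) sketches how an MEC node could apply the network control, configuration immutable and state assertion functions to one application; the peer list, the limits and the list of dangerous protocols are constructed assumptions.

```python
from collections import deque

# Constructed list: the patent names no specific "dangerous protocols".
DANGEROUS_PROTOCOLS = {"ftp", "telnet", "tftp"}


class MecNodeGuard:
    """Constructed MEC-node monitor (not the patent's code) for one application.
    It combines the network control, configuration immutable and state assertion
    functions; limits and peers are assumptions passed in by the caller."""

    def __init__(self, allowed_peers, max_uploads, window_s, max_bytes, config):
        self.allowed_peers = set(allowed_peers)  # legal connections for the app
        self.max_uploads = max_uploads           # upload frequency limit per window
        self.max_bytes = max_bytes               # uplink bandwidth limit per window
        self.window_s = window_s
        self.uploads = deque()                   # (time, bytes) of recent uploads
        self.config = dict(config)               # virtual environment configuration
        self.log = []                            # behaviour log (state assertion)

    def _record(self, event, verdict, **details):
        self.log.append({"event": event, "verdict": verdict, **details})
        return verdict == "allow"

    def network_control(self, peer, proto, nbytes, now):
        """Network control: refuse illegal connections and dangerous protocols,
        then enforce the upload frequency and uplink bandwidth limits."""
        if peer not in self.allowed_peers:
            return self._record("connect", "deny", peer=peer, reason="illegal connection")
        if proto in DANGEROUS_PROTOCOLS:
            return self._record("connect", "deny", peer=peer, reason="dangerous protocol")
        while self.uploads and now - self.uploads[0][0] >= self.window_s:
            self.uploads.popleft()               # forget uploads outside the window
        if len(self.uploads) >= self.max_uploads:
            return self._record("upload", "deny", peer=peer, reason="upload frequency")
        if sum(b for _, b in self.uploads) + nbytes > self.max_bytes:
            return self._record("upload", "deny", peer=peer, reason="uplink bandwidth")
        self.uploads.append((now, nbytes))
        return self._record("upload", "allow", peer=peer, bytes=nbytes)

    def modify_config(self, requester, key, value):
        """Configuration immutable: a third party's or the app's own change request is refused."""
        return self._record("config", "deny", requester=requester, key=key, value=value)

    def query_log(self, verdict=None):
        """State assertion: the query interface offered to the user equipment."""
        return [e for e in self.log if verdict is None or e["verdict"] == verdict]

    def security_status(self):
        """State assertion: the summary pushed periodically to the user equipment."""
        return {"events": len(self.log), "denied": len(self.query_log("deny")), "config": dict(self.config)}
```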
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (9)

1. An edge security protection architecture for a power 5G network, comprising: user equipment; an MEC system comprising an MEC node, an MEC controller and an MEC base platform; and an MEC service provider providing an application and an authentication server, wherein,
the MEC system constructs an MEC edge node security environment through an edge computing body security reinforcement technology;
the edge computing body security reinforcement technology comprises hardware facility protection and information security protection, wherein,
the hardware facility protection comprises the construction of a security environment in the starting process of the MEC node, the real-time measurement of an application in the running process of the MEC node, and the measurement of the current active processes;
the information security protection comprises a physical gatekeeper-type architecture and a logic gatekeeper-type architecture, and different MEC nodes are protected through the physical gatekeeper-type architecture and the logic gatekeeper-type architecture;
in the data interaction process between the user equipment and the MEC system, the MEC controller is used for matching a preset edge computing privacy protection policy for the user equipment and providing a corresponding security protection function, and meanwhile the MEC node and the MEC controller work cooperatively to enhance privacy protection;
the MEC service provider provides authentication and security protection of the security relationships for the user equipment and the MEC system through the edge computing north-south network interaction security technology.
2. The power 5G network oriented edge security protection architecture of claim 1, wherein the MEC node and the MEC controller working cooperatively to enhance privacy protection comprises:
monitoring the application behavior through the MEC node;
supervising, by the MEC controller, the communication of the application with third parties.
3. The power 5G network oriented edge security protection architecture of claim 1, wherein the edge computing north-south network interaction security technology comprises establishing a trust model among the MEC system, the application and the user equipment, and the trust model establishes a trust closed loop by authenticating the security relationships among the MEC system, the application and the user equipment.
4. The power 5G network oriented edge security protection architecture of claim 3, wherein authenticating the security relationships among the MEC system, the application and the user equipment comprises mutual authentication between the MEC system and the application, mutual authentication between the MEC system and the user, mutual authentication between the user and the application, mutual authentication between the MEC controller and the MEC node, and authentication of the MEC system by the 5G network, wherein
the MEC system and the application are mutually authenticated through the MEC controller and the authentication server;
the mutual authentication between the MEC system and the user is realized by the MEC controller and the user equipment when the user equipment applies, through the MEC controller, to use an application, or when the MEC controller coordinates the allocation of an application to the user;
the mutual authentication between the user and the application is that the user equipment connects to the authentication server through the MEC controller to carry out mutual authentication between the user and the application;
and the mutual authentication between the MEC controller and the MEC node is that the MEC controller, on behalf of the MEC system, authenticates the validity of the MEC node, and the MEC controller re-authenticates an MEC node whose state has changed.
5. The edge security protection architecture for a power 5G network according to claim 1, wherein the construction of a security environment in the starting process of the MEC node, the real-time measurement of an application in the running process of the MEC node and the measurement of the current active processes comprise:
measuring and monitoring the integrity state of the upper-layer environment of the operating system in real time by loading a measurement module and a monitoring module, and constructing a security environment;
measuring an application program in real time during the running of the Internet of Things terminal system;
and acquiring the measurement information of the currently active processes of the system in real time.
6. The power 5G network oriented edge security architecture of claim 1, wherein the physical gatekeeper-type architecture comprises: a cryptographic processing module arranged to isolate security data from non-security data.
7. The power 5G network oriented edge security architecture of claim 1, wherein the logic gatekeeper-type architecture comprises: calling a security module through system software to protect information and the execution environment.
8. The power 5G network oriented edge security protection architecture of claim 1, wherein the edge computing privacy protection policy comprises:
network interface restrictions specifying the communication protocols, ports, addresses and traffic that an application can use;
interface call restrictions defining the interfaces and services that can be used by the application;
data reading restrictions specifying the user data that can be read by the application;
virtual image restrictions prohibiting the application from using an illegal virtual image.
9. The edge security architecture for a power 5G network according to claim 1, wherein the security protection function comprises:
an input control function, used to prevent the application from illegally reading the user's private information and to control the application's use of the mobile edge service;
a network control function, used to forbid the application from establishing any illegal network connection, to block illegal access by a third party to the application, to control dangerous protocols so that the application cannot upload data maliciously, and to limit the uplink bandwidth and upload frequency of the application;
an interface control function, used to forbid application programming interfaces with potential safety hazards;
a life cycle management function, used by the MEC node to carry out full life cycle management of the private information, the private information being stored encrypted;
a configuration immutable function, used to keep the configuration of the application virtual environment stable;
and a state assertion function, used by the MEC node to record the application behavior in a log in real time and feed it back to the user.
CN202110542142.0A 2021-05-18 2021-05-18 Edge safety protection architecture for electric power 5G network Active CN113271598B (en)

Publications (2)

Publication Number Publication Date
CN113271598A CN113271598A (en) 2021-08-17
CN113271598B true CN113271598B (en) 2022-09-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant