CN114615002B - Controlled identification method and system for key infrastructure of operator - Google Patents


Info

Publication number: CN114615002B
Application number: CN202011415992.6A
Authority: CN (China)
Prior art keywords: consensus, node, consensus node, traffic, nodes
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN114615002A (en)
Inventors: 杜雪涛, 赵蓓, 郁莲, 常玲, 张晨, 洪东, 刘科, 马力鹏, 张弛, 薛姗, 吴日切夫, 于雷, 刘胜兰, 于少中
Current assignee: Peking University; China Mobile Communications Group Co Ltd; China Mobile Group Design Institute Co Ltd
Original assignee: Peking University; China Mobile Communications Group Co Ltd; China Mobile Group Design Institute Co Ltd

Application filed by Peking University, China Mobile Communications Group Co Ltd and China Mobile Group Design Institute Co Ltd
Priority to CN202011415992.6A
Publication of CN114615002A
Application granted
Publication of CN114615002B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425: Traffic logging, e.g. anomaly detection
    • G: Physics
    • G06: Computing; calculating or counting
    • G06Q: Information and communication technology [ICT] specially adapted for administrative, commercial, financial, managerial or supervisory purposes; systems or methods specially adapted for administrative, commercial, financial, managerial or supervisory purposes, not otherwise provided for
    • G06Q 10/00: Administration; management
    • G06Q 10/06: Resources, workflows, human or project management; enterprise or organisation planning; enterprise or organisation modelling
    • G06Q 10/063: Operations research, analysis or management
    • G06Q 10/0639: Performance analysis of employees; performance analysis of enterprise or organisation operations
    • G06Q 10/06393: Score-carding, benchmarking or key performance indicator [KPI] analysis
    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/30: Decision processes by autonomous network management units using voting and bidding

Abstract

Embodiments of the invention provide a method and system for identifying controlled critical infrastructure of an operator. The method comprises: for each public traffic message received by a consensus node cluster, each consensus node in the cluster selects an abnormal traffic detection method, obtains its own detection result and broadcasts it to the other consensus nodes in the cluster; the cluster then identifies, based on a consensus mechanism and the detection results of the individual consensus nodes, whether the data collection node that sent the public traffic message is controlled. By generating and broadcasting detection results from randomly selected anomaly detection methods, and reaching consensus across the whole consensus node cluster with the Practical Byzantine Fault Tolerance (PBFT) algorithm on whether the data collection node is controlled, the method and system improve identification efficiency and accuracy, and ensure high effectiveness and reliability of identification as well as scalability of the system.

Description

Method and system for identifying controlled critical infrastructure of an operator

Technical field

The present invention relates to the field of communication technology, and in particular to a method and system for identifying controlled critical infrastructure of an operator.

Background art

The security of an operator's critical infrastructure is very important; if that infrastructure is controlled by an attacker, the consequences can be serious. Current methods for identifying controlled critical infrastructure are mainly feature-based methods and statistics-based methods.

Using feature-based and/or statistics-based methods, a system for identifying controlled critical infrastructure can be built. The identification methods used by the individual nodes of existing systems of this kind include methods based on statistical analysis and comparison, methods based on machine learning, and methods based on blockchain technology.

Moreover, in a traditional single-node system, when the system is attacked or fails to record, the failure of that node means the failure of the whole system. In a cluster system, although many nodes may record and back up the data, even with multiple replicas, these nodes trust one another; when some nodes are taken over by an attacker, or traitor nodes appear under attack, the cluster cannot tell the traitor nodes apart, and the system fails.

In summary, the accuracy, effectiveness and reliability of the identification results of existing methods for identifying controlled critical infrastructure of an operator are low.

Summary of the invention

Embodiments of the present invention provide a method and system for identifying controlled critical infrastructure of an operator, to overcome the low accuracy of identification results in the prior art and to achieve identification with high accuracy, high effectiveness and high reliability.

An embodiment of the present invention provides a method for identifying controlled critical infrastructure of an operator, comprising:

for each public traffic message received by a consensus node cluster, each consensus node in the consensus node cluster selects an abnormal traffic detection method, obtains the detection result of that consensus node and broadcasts it to the other consensus nodes in the cluster;

the consensus node cluster identifies, based on a consensus mechanism and the detection results of the individual consensus nodes, whether the data collection node that sent the public traffic message is controlled;

wherein the consensus node cluster comprises (3f+1) distinct consensus nodes, f being a positive integer, and the public traffic message carries multiple traffic characteristics of the target area network.

According to one embodiment of the method for identifying controlled critical infrastructure of an operator, after obtaining the voting result of the consensus node and broadcasting it to the other consensus nodes in the cluster, the method further comprises:

obtaining a score for the voting result of each consensus node;

if it is determined that the score of the voting result of any consensus node satisfies a preset condition, identifying that consensus node as controlled.

According to one embodiment of the method, before the step in which, for each public traffic message received by a consensus node cluster, each consensus node in the cluster selects an abnormal traffic detection method, obtains its detection result and broadcasts it to the other consensus nodes in the cluster, the method further comprises:

randomly selecting, according to a preset election algorithm, several consensus node clusters from a consensus node pool;

wherein any consensus node in any one consensus node cluster is not a member of any other consensus node cluster.

According to one embodiment of the method, the step in which the consensus node cluster identifies, based on the consensus mechanism and the detection results of the individual consensus nodes, whether the data collection node that sent the public traffic message is controlled specifically comprises:

the consensus node receives the detection results broadcast by the other consensus nodes, votes on the basis of its own detection result and the detection results broadcast by the other consensus nodes, obtains its voting result and broadcasts it to the other consensus nodes in the cluster;

the consensus node receives the voting results broadcast by the other consensus nodes and identifies, on the basis of its own voting result and the voting results broadcast by the other consensus nodes, whether the data collection node that sent the public traffic message is controlled.

According to one embodiment of the method, after identifying a consensus node as controlled because the score of its voting result satisfies the preset condition, the method further comprises:

treating that consensus node as a failed node and removing it from the consensus node pool.

According to one embodiment of the method, after the consensus node receives the voting results broadcast by the other consensus nodes and identifies, on the basis of its own voting result and those voting results, whether the data collection node that sent the public traffic message is controlled, the method further comprises:

if the block-building node determines that the number of voting results it has received from consensus nodes is not less than (2f+1), generating a block to be put on the chain from the result of identifying whether the data collection node that sent the public traffic message is controlled, and adding that block to a block queue;

after the on-chain node cluster reaches consensus on each block to be put on the chain in the block queue and succeeds, adding each such block to the blockchain;

wherein the block-building node is one consensus node selected from each consensus node cluster according to a preset selection algorithm, and the on-chain node cluster comprises (3f+1) distinct consensus nodes selected from those consensus nodes in the consensus node pool that have not been selected into any consensus node cluster.

According to one embodiment of the method, the step in which each consensus node in the consensus node cluster selects an abnormal traffic detection method specifically comprises:

selecting an abnormal traffic detection method according to the height of the blockchain, the number of that consensus node and the number of available abnormal traffic detection methods.

According to one embodiment of the method, between the step of randomly selecting multiple consensus node clusters from the consensus node pool according to the preset election algorithm and the step in which, for each public traffic message received by a consensus node cluster, each consensus node selects an abnormal traffic detection method, obtains its detection result and broadcasts it to the other consensus nodes in the cluster, the method further comprises:

any consensus node in the consensus node cluster receives, based on a filtering mechanism, traffic messages sent by data collection nodes within a preset range, and broadcasts them to the other consensus nodes in the cluster;

if all consensus nodes in the consensus node cluster have received the traffic message, the traffic message is determined to be a public traffic message.

Embodiments of the present invention also provide a system for identifying controlled critical infrastructure of an operator, comprising:

a plurality of consensus nodes and a plurality of data collection nodes;

the data collection node is configured to obtain multiple traffic characteristics of a target area network from the traffic information of that network, and to send to a consensus node a traffic message carrying those traffic characteristics;

the consensus node is configured to identify, based on a consensus mechanism and the traffic message, whether the data collection node is controlled and whether other consensus nodes are controlled.

According to one embodiment, the system comprises at least two layers of data collection nodes;

each data collection node in the first layer is configured to obtain multiple traffic characteristics of the corresponding first area network from the traffic information of that network;

the second layer comprises at least one data collection node; each data collection node in the second layer is configured to obtain, according to a preset rotation algorithm, multiple traffic characteristics of each second area network in turn from the traffic information of that second area network;

wherein the second area is a sub-area of the first area.

The method and system for identifying controlled critical infrastructure of an operator provided by the embodiments of the present invention generate and broadcast detection results using randomly selected anomaly detection methods, reach consensus across the whole consensus node cluster with the Practical Byzantine Fault Tolerance algorithm, and identify whether the data collection node is controlled; this improves identification efficiency and accuracy, and ensures high effectiveness and reliability of identification as well as scalability of the system.

Brief description of the drawings

To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Evidently, the drawings described below show some embodiments of the present invention; those of ordinary skill in the art can derive other drawings from them without creative effort.

Figure 1 is a schematic flow chart of a method for identifying controlled critical infrastructure of an operator provided by an embodiment of the present invention;

Figure 2 is a schematic structural diagram of a system for identifying controlled critical infrastructure of an operator provided by an embodiment of the present invention.

Detailed description of embodiments

To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Evidently, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present invention.

In the description of the embodiments, it should be noted that orientation or positional terms such as "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner" and "outer" refer to the orientations or positional relationships shown in the drawings. They are used only to simplify the description of the embodiments and do not indicate or imply that the system or component referred to must have a specific orientation or be constructed and operated in a specific orientation, and so they are not to be understood as limiting the embodiments. Furthermore, the terms "first", "second" and "third" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance.

In the description of the embodiments, it should also be noted that, unless otherwise expressly specified and limited, the terms "mounted", "coupled" and "connected" are to be understood broadly: a connection may be fixed, detachable or integral; mechanical or electrical; direct, or indirect through an intermediate medium; or an internal communication between two components. Those of ordinary skill in the art can understand the specific meaning of these terms in the embodiments according to the specific situation.

To overcome the above problems of the prior art, embodiments of the present invention provide a method and system for identifying controlled critical infrastructure of an operator. The inventive concept is to deploy two kinds of nodes on top of the operator's network structure: data collection nodes and consensus nodes. These two kinds of nodes decouple the collection of network-wide traffic information from its detection, which improves the flexibility and scalability of the system. The data collection nodes are deployed in the network according to a specific deployment strategy, collect characteristic information of the network traffic, and send traffic messages to the consensus nodes. On receiving the traffic characteristic information sent by a collection node, a consensus node randomly selects an anomaly detection method and produces a detection result; the detection result is then broadcast, and consensus is reached across the whole blockchain network with the PBFT (Practical Byzantine Fault Tolerance) algorithm on whether the data collection node is controlled. This improves identification efficiency and accuracy, and ensures the effectiveness and reliability of identification as well as the scalability of the system.

Figure 1 is a schematic flow chart of a method for identifying controlled critical infrastructure of an operator provided by an embodiment of the present invention. The method of the embodiment is described below with reference to Figure 1. As shown in Figure 1, the method comprises: Step S101: for each public traffic message received by a consensus node cluster, each consensus node in the cluster selects an abnormal traffic detection method, obtains its detection result and broadcasts it to the other consensus nodes in the cluster.

Here the consensus node cluster comprises (3f+1) distinct consensus nodes, f being a positive integer, and the public traffic message carries multiple traffic characteristics of the target area network.

It should be noted that the method for identifying controlled critical infrastructure of an operator provided by the embodiment is applicable to a system for identifying controlled critical infrastructure of an operator.

This system is made up of critical infrastructure. The critical infrastructure comprises at least two kinds of node: a plurality of consensus nodes and a plurality of data collection nodes.

A data collection node obtains multiple traffic characteristics of a target area network from that network's traffic information, and sends to the consensus nodes a traffic message carrying those characteristics.

A network connection is defined as a sequence of TCP packets from start to end within a certain period of time, during which data is transferred from a source IP address to a destination IP address under a predefined protocol (such as TCP or UDP). Each network connection is labelled normal or attack, and the attack types are subdivided into 4 major categories covering 39 attack types in total. Each connection record is described by 41 features plus the final label, 42 items in all. The 41 traffic features fall into 4 categories:

1) basic features of the TCP connection (9 in total)

2) content features of the TCP connection (13 in total)

3) time-based network traffic statistics (9 in total)

4) host-based network traffic statistics (10 in total)

The 4 attack categories are:

DOS (denial-of-service) attacks, such as ping-of-death, syn flood and smurf. Typical forms: generating large volumes of useless traffic to congest the network path to the attacked host so that it cannot communicate normally with the outside; exploiting flaws in how the attacked host's service or transport protocol handles repeated connections by issuing repeated service requests at high frequency so that the host cannot process other, legitimate requests in time; and exploiting implementation defects in the service program or transport protocol by repeatedly sending malformed data that causes the system to wrongly allocate large amounts of resources, leaving the host hung or crashed.

R2L (unauthorized access from a remote machine to a local machine): unauthorized access from a remote host, such as password guessing; an attacker without an account on the target host gains local access to the machine and, for example, extracts or modifies data.

U2R (unauthorized access to local superuser privileges by a local unprivileged user): unauthorized access to local superuser privileges, such as buffer overflow attacks.

PROBING (surveillance and probing): probe attacks, port monitoring or scanning, such as port-scan and ping-sweep; that is, scanning a computer network or DNS server to discover valid IP addresses, active ports, host operating system types and security weaknesses.

After a traffic collection node has collected the characteristic data of the traffic, it encapsulates the data into a message, attaches its own signature, and sends the message to the consensus nodes.

Each traffic message can contain the following fields:

srcaddr: source IP address, e.g. 119.75.216.20.

dstaddr: destination IP address, e.g. 182.254.18.159.

srcport: TCP/UDP source port, e.g. 60221.

dstport: TCP/UDP destination port, e.g. 80 or 443.

prot: protocol number, e.g. 6 = TCP, 17 = UDP.

First: start time of the flow.

Last: time at which the last packet of the flow was received.

size: total number of bytes transferred by the flow.

PacketCount: number of packets in the flow.

A consensus node identifies, based on the consensus mechanism and the traffic messages, whether a data collection node is controlled and whether other consensus nodes are controlled.

Specifically, for data collection nodes: once a data collection node has been taken over by an attacker, the system can identify the anomaly through consensus-based detection among the different consensus nodes of the blockchain.

The consensus nodes in each consensus node cluster broadcast the traffic characteristic information <m, d> they have received from the data collection nodes and vote to reach consensus on a public set of messages <m1, m2, m3, m4, ...>, where m is a message and d is its digest.

The messages in the public set of messages are the public traffic messages.

每个共识节点独立的对公共集合中的每条流量信息,每条流量信息对应一个vector,用来记录结果。Each consensus node independently processes each piece of traffic information in the public collection, and each piece of traffic information corresponds to a vector to record the results.

共识节点将多种异常流量检测方法集成打包,并可供该共识节点随时调用。异常流量检测方法可以随时升级迭代。每个共识节点在验证异常流量时,会从系统预先设定好的多种异常流量检测方法中随机选择一种方法进行独立验证。The consensus node integrates and packages multiple abnormal traffic detection methods and can be called by the consensus node at any time. Abnormal traffic detection methods can be upgraded and iterated at any time. When verifying abnormal traffic, each consensus node will randomly select a method from a variety of abnormal traffic detection methods preset by the system for independent verification.

异常流量检测方法可以包括:Abnormal traffic detection methods can include:

固定阈值方法:事先由管理员确定一个单位时间内的流量阈值,由管理员手动输入给系统,系统调用API,将参数传给程序。Fixed threshold method: The administrator determines the traffic threshold within a unit time in advance, and the administrator manually inputs it into the system. The system calls the API and passes the parameters to the program.

特征检测:建立所有异常网络行为的特征库,将当前的流量信息特征与特征库进行匹配,根据匹配结果判定当前网络数据是否正常。Feature detection: Establish a feature library of all abnormal network behaviors, match the current traffic information features with the feature library, and determine whether the current network data is normal based on the matching results.

统计分析:针对已有历史数据记录通过分析得出一个判断的基准,在针对新的网络流量数据进行判断。如利用ARIMA模型预测流量方法检测异常流量。Statistical analysis: Analyze existing historical data records to obtain a benchmark for judgment, and then make judgments based on new network traffic data. For example, the ARIMA model is used to predict traffic to detect abnormal traffic.

聚类分析:使用分类方法将网络流量分类,在利用决策树的方法检测异常流量。Cluster analysis: Use classification methods to classify network traffic, and use decision tree methods to detect abnormal traffic.

关联分析:利用模糊关联规则对流量特征信息进行关联匹配,通过构建流量特征之间关联关系来检测异常流量。Correlation analysis: Use fuzzy association rules to correlate and match traffic feature information, and detect abnormal traffic by building correlations between traffic features.

根据选择的方法进行检测分析,投票结果标注为0和1(0代表正常,1代表异常),并记录在一个vector中。将节点编号i,消息编号k、消息哈希h,、结果r(r为0或1)、自己的签名sig合并成一条消息广播出去。Detection analysis is performed according to the selected method, and the voting results are marked as 0 and 1 (0 represents normal, 1 represents abnormal) and recorded in a vector. Combine the node number i, message number k, message hash h, result r (r is 0 or 1), and own signature sig into one message and broadcast it.

步骤S102、共识节点集群基于共识机制和各共识节点的检测结果,识别发送公共流量消息的数据采集节点是否被控。Step S102: The consensus node cluster identifies whether the data collection node that sends the public traffic message is controlled based on the consensus mechanism and the detection results of each consensus node.

具体地,每个共识节点接收到的其他共识节点广播过来的投票结果后,验证sig,sig为真,则将该结果放在vector相应的标号(节点的编号i)上。Specifically, after each consensus node receives the voting results broadcast by other consensus nodes, it verifies sig. If sig is true, the result is placed on the corresponding label of the vector (node number i).

共识节点对每条消息的vector进行投票结果统计,如果1的数目大于2f+1,则该条流量特征信息异常,提取出信息中的ip、端口和时间等信息进行追踪,定位到具体流量采集节点区域。The consensus node counts the voting results for the vector of each message. If the number of 1 is greater than 2f+1, the traffic characteristic information is abnormal. The IP, port, time and other information in the information are extracted for tracking, and the specific traffic collection is located. node area.
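The signed vote <i,k,h,r,sig>, the per-message vector and the 2f+1 tally of step S102, as an added Python example that is not part of the patent. Per-node HMAC keys stand in for the RSA signatures the text mentions, and a cluster of 3f+1 = 4 nodes with f = 1 is assumed; the abnormal threshold follows the paragraph above (count of 1s greater than 2f+1).

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional

F = 1                                   # tolerated faulty nodes; cluster has 3f+1 = 4 nodes
# Constructed per-node signing keys. HMAC-SHA256 stands in for the RSA
# signatures of the text (assumption); only unforgeability matters here.
NODE_KEYS = {i: f"node-{i}-secret".encode() for i in range(3 * F + 1)}


@dataclass(frozen=True)
class Vote:
    i: int      # node number
    k: int      # message number
    h: str      # message hash
    r: int      # 0 = normal, 1 = abnormal
    sig: str


def message_hash(m: dict) -> str:
    """Digest d of a traffic message m (canonical JSON, SHA-256)."""
    return hashlib.sha256(json.dumps(m, sort_keys=True).encode()).hexdigest()


def _payload(i: int, k: int, h: str, r: int) -> bytes:
    return f"{i}|{k}|{h}|{r}".encode()


def sign_vote(i: int, k: int, h: str, r: int) -> Vote:
    sig = hmac.new(NODE_KEYS[i], _payload(i, k, h, r), hashlib.sha256).hexdigest()
    return Vote(i, k, h, r, sig)


def verify_vote(v: Vote) -> bool:
    key = NODE_KEYS.get(v.i)
    if key is None or v.r not in (0, 1):
        return False
    expect = hmac.new(key, _payload(v.i, v.k, v.h, v.r), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expect, v.sig)


class VoteVector:
    """One vector per public traffic message: slot i holds node i's result."""

    def __init__(self, k: int, h: str, n_nodes: int):
        self.k, self.h = k, h
        self.slots: List[Optional[int]] = [None] * n_nodes

    def record(self, v: Vote) -> bool:
        # A vote binds (k, h): a valid signature replayed from another message
        # is rejected, as is a forged signature or a second vote from node i.
        if v.k != self.k or v.h != self.h or not verify_vote(v):
            return False
        if self.slots[v.i] is not None:
            return False
        self.slots[v.i] = v.r
        return True

    def is_abnormal(self, f: int) -> bool:
        """Rule from the text: abnormal when the number of 1s exceeds 2f+1."""
        return sum(1 for r in self.slots if r == 1) > 2 * f + 1


def trace_fields(m: dict) -> dict:
    """Fields pulled from an abnormal message to locate the collection node area."""
    keys = ("srcaddr", "dstaddr", "srcport", "dstport", "First", "Last")
    return {key: m[key] for key in keys if key in m}
```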

It should be noted that multiple consensus node clusters process traffic characteristics in parallel, which guarantees system performance. Each cluster enables an iptables filtering mechanism so that it only receives traffic sent by specific collection nodes, avoiding duplicate reception; the traffic characteristics processed by different clusters therefore do not overlap. After a cluster packages a block, it places it directly into the queue, and other clusters reach consensus on putting the block on the chain. There is no interference between clusters and no need to wait for synchronization, which improves the performance of the whole system.

In this embodiment of the invention, detection results are produced by randomly selected anomaly detection methods and broadcast, and consensus is reached across the whole consensus node cluster using a practical Byzantine agreement algorithm to identify whether the data collection node is controlled. This improves identification efficiency and accuracy, and guarantees high effectiveness and reliability of identification as well as system scalability.

Based on the above embodiments, after obtaining the voting result of a consensus node and broadcasting it to the other consensus nodes in the cluster, the method further includes: obtaining a score for the voting result of each consensus node.

Specifically, for consensus nodes, fraudulent behaviour can be identified through the Byzantine agreement combined with a reputation mechanism. A consensus node with fraudulent behaviour is a controlled consensus node.

To ensure system security, a node credit system is added: a reputation mechanism, combined with the improved Byzantine protocol, identifies cheating consensus nodes. The voting results are themselves voted on to determine whether there are traitor nodes. The reputation system scores the votes and then identifies "traitor" nodes.

After each vote, the voting result of every consensus node is scored. If a consensus node's voting result is inconsistent with the consensus result, its score for that vote is lower; if it is consistent with the consensus result, its score for that vote is higher.

If it is determined that the score of the voting results of any consensus node satisfies a preset condition, that consensus node is identified as controlled.

Specifically, the score of each consensus node is recorded; by analysing the score records, the credit standing of the consensus node can be identified.

The preset condition may be that the score stays very low.

If the credit of a consensus node stays very low, it can be regarded as a "traitor" node that may have been attacked by a virus or controlled by a hacker and has behaved fraudulently; that consensus node is controlled.

In this embodiment, the voting results of each consensus node are scored continuously and controlled consensus nodes are identified from multiple scoring results, which improves identification efficiency and accuracy and guarantees high effectiveness and reliability of identification as well as system scalability.

Based on the above embodiments, before each consensus node in a consensus node cluster selects an abnormal traffic detection method for the public traffic messages received by that cluster, obtains its detection result and broadcasts it to the other consensus nodes in the cluster, the method further includes: randomly selecting several groups of consensus node clusters from the consensus node pool according to a preset election algorithm.

Any consensus node in any one consensus node cluster is not in any other consensus node cluster.

Specifically, the node pool consists of all consensus nodes, numbering M=a(3f+1), excluding the "traitor nodes" eliminated by the node reputation mechanism; once a fraudulent consensus node has had its fault cleared, it rejoins the pre-selected node pool. Here a is a positive integer.

A PRNG algorithm can be used to generate a random number R; the selected node number is K=R%n (n being the total number of nodes remaining in the node pool). This is repeated 3f+1 times to select one group of consensus nodes.

Repeating the above steps selects multiple consensus node clusters. The number of consensus node clusters selected is (a-1).
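The election of (a-1) disjoint clusters of 3f+1 nodes from a pool of M=a(3f+1) by K=R%n, as an added Python example that is not part of the patent. The PRNG is Python's seeded `random.Random` (an assumption), traitor nodes are removed from the pool before drawing, and the 3f+1 nodes left over after (a-1) draws are returned for the on-chain cluster described later in the text.

```python
import random
from typing import Iterable, List, Tuple


def elect_clusters(pool: Iterable[int], f: int, excluded: Iterable[int] = (),
                   seed: int = None) -> Tuple[List[List[int]], List[int]]:
    """Draw (a-1) disjoint consensus clusters of 3f+1 nodes from the pool.

    pool: ids of all consensus nodes; traitor ids in `excluded` are dropped first.
    Returns (clusters, leftover); `leftover` is the final 3f+1 nodes, kept for
    the on-chain node cluster. Raises ValueError if the pool is not a*(3f+1).
    """
    group = 3 * f + 1
    banned = set(excluded)
    remaining = [n for n in pool if n not in banned]
    if len(remaining) % group != 0 or len(remaining) < 2 * group:
        raise ValueError("pool size must be a*(3f+1) with a >= 2")
    a = len(remaining) // group
    prng = random.Random(seed)            # seeded PRNG is an assumption
    clusters: List[List[int]] = []
    for _ in range(a - 1):
        chosen: List[int] = []
        for _ in range(group):            # repeat 3f+1 times per cluster
            R = prng.getrandbits(32)      # random number R
            K = R % len(remaining)        # K = R % n, n = nodes still unselected
            # pop() removes the node from the pool, so clusters never overlap
            chosen.append(remaining.pop(K))
        clusters.append(chosen)
    return clusters, remaining


def clusters_are_disjoint(clusters: List[List[int]]) -> bool:
    """Check the rule that no node sits in two clusters."""
    seen: set = set()
    for c in clusters:
        if seen & set(c):
            return False
        seen |= set(c)
    return True
```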

Each consensus node cluster receives traffic messages from a different traffic collection domain for verification. Different consensus node clusters configure iptables to accept only the traffic messages sent by a specific range of data collection nodes and filter out the messages sent by the remaining data collection nodes, so that different consensus node groups do not receive duplicate messages.

In this embodiment, by electing different consensus node groups, multiple groups process traffic data in parallel; within one consensus node cluster, while the block-building node performs verification, the consensus nodes can in parallel verify the content of every traffic characteristic message in the public traffic characteristic message set S.

By electing different consensus node groups that process traffic data in parallel, this embodiment improves the performance and identification efficiency of the whole system.

Based on the above embodiments, the specific steps by which the consensus node cluster identifies, based on the consensus mechanism and the detection results of each consensus node, whether the data collection node that sent the public traffic message is controlled include: the consensus node receives the detection results broadcast by the other consensus nodes, votes on the basis of its own detection result and the broadcast detection results, obtains its voting result and broadcasts it to the other consensus nodes in the cluster.

Specifically, the practical Byzantine protocol (PBFT) uses cryptographic techniques (the RSA signature algorithm, message authentication codes and digests) to ensure that message transmission cannot be tampered with or disrupted.

A node in the group is selected as the block-building node by a random algorithm. From then on, as long as the block-building node does not change, the period is called a view; one view represents one round of consensus. Views are consecutively numbered integers, which guarantees the ordering of consensus within each consensus node group. The state of each consensus node contains the overall state of the service; the message log on a consensus node contains the messages the node has accepted, and an integer represents the consensus node's current view number.

The processing of each group made up of consensus node clusters consists of the following four steps: determining the common set of traffic characteristic messages, determining the block-building node, voting, and forwarding votes.

The steps for determining the public traffic characteristic message set are as follows:

Over a period of time, the data collection nodes collect traffic data information across the whole network. After collecting most of the traffic data for that period, they begin broadcasting the traffic information to all consensus nodes in the network. Each consensus node cluster that receives traffic data from a data collection node first stores the received traffic information.

According to the current network state and the number of traffic data records received by a consensus node cluster, a temporary dynamic scan count N is set randomly for that cluster; the cluster then scans the traffic data it received, picks out N traffic messages, and broadcasts these N messages to all other consensus nodes. The other consensus node clusters repeat the same operation.

A period of time after the consensus node clusters have broadcast their traffic messages, which gives each cluster sufficient time to receive the traffic messages sent by the other clusters, each cluster compares the N traffic data messages it has just broadcast with the traffic messages broadcast by other consensus nodes that it received during that period, and determines all traffic data held in common. These common traffic data messages make up the public traffic characteristic message set S.

After a node receives the results broadcast by other nodes, it verifies sig; if sig is valid, the result is placed at the corresponding index of the vector (the node number i).

The block-building node broadcasts its own abnormal traffic verification result and the MD5 of the abnormal traffic verification method it used to the other consensus nodes to initiate consensus. After the other consensus nodes receive the block-building node's vote and verify its signature, they record it in the vector.

The block-building node is the consensus node that receives the traffic messages from the data collection nodes.

After receiving the information broadcast by the block-building node, a consensus node verifies it, votes, attaches its own signature, and then broadcasts its own voting result.

The specific process is:

The block-building node assigns a sequence number n to its own verification result for the abnormal traffic of a period, then broadcasts its verification result message to all other consensus nodes in the group with its own signature appended. The message vector has the format <<PREPARE,view,n,digest,signature,methods>,message>, where view is the view number, n is the traffic processing sequence number, digest is the digest of the traffic characteristic message, signature is the signature field, which contains the block-building node's signature and reserves space for the signatures of the subsequent consensus nodes, methods is the method field, which contains the MD5 code of the detection method the block-building node used to verify the traffic and reserves space for the MD5 codes of the verification methods used by the subsequent consensus nodes, and message is the traffic data characteristics and abnormal verification result message.

When the other consensus nodes in the group receive the block-building node's verification result message, they check the message's validity; only when the following conditions are met does each consensus node verify the block-building node's processing result for the abnormal traffic, compare it with its own processing result, and finally vote. The validity check conditions are:

a) the message signature matches the block-building node's, and digest matches the digest of message;

b) the current view number is view;

c) the consensus node has never accepted, in view view, a message with sequence number n but a different digest;

d) the sequence number n of the message must lie between the lower and upper watermarks h and H (the watermark exists to prevent a faulty node from exhausting the sequence number space by using a very large sequence number).

After verification passes, the consensus node adds its voting result to message, adds its own signature in the signature field, adds the MD5 code of the detection method it used in the methods field, and writes the voting result, the MD5 code of the verification method and the message information into its own message log.
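The validity checks a) to d) on a PREPARE message, as an added Python example that is not part of the patent. An HMAC over (view, n, digest, methods) stands in for the block-building node's RSA signature, the consensus node's message log is a dict keyed by (view, n), and the watermarks h and H are constructed values.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def digest_of(message: dict) -> str:
    """digest field: SHA-256 over the canonical JSON of message."""
    return hashlib.sha256(json.dumps(message, sort_keys=True).encode()).hexdigest()


@dataclass(frozen=True)
class Prepare:
    view: int          # view number
    n: int             # traffic processing sequence number
    digest: str        # digest of message
    signature: str     # block-building node's signature (HMAC stand-in)
    methods: str       # MD5 of the detection method the builder used
    message: dict      # traffic data characteristics and verification result


def sign_prepare(key: bytes, view: int, n: int, digest: str, methods: str) -> str:
    """HMAC-SHA256 stands in for the RSA signature (assumption)."""
    data = f"{view}|{n}|{digest}|{methods}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


@dataclass
class ConsensusNode:
    view: int                     # current view number
    h: int                        # low watermark
    H: int                        # high watermark
    builder_key: bytes            # verification key of the block-building node
    # message log: (view, n) -> digest of the message accepted there
    log: Dict[Tuple[int, int], str] = field(default_factory=dict)

    def check_prepare(self, p: Prepare) -> Optional[str]:
        """Return None when all of a)-d) hold, else the failed condition."""
        # a) signature from the block-building node, and digest matches message
        expect = sign_prepare(self.builder_key, p.view, p.n, p.digest, p.methods)
        if not hmac.compare_digest(expect, p.signature):
            return "a: bad signature"
        if p.digest != digest_of(p.message):
            return "a: digest mismatch"
        # b) the current view number is view
        if p.view != self.view:
            return "b: wrong view"
        # c) never accepted (view, n) with a different digest
        prev = self.log.get((p.view, p.n))
        if prev is not None and prev != p.digest:
            return "c: conflicting sequence number"
        # d) n within the watermarks, so a faulty node cannot burn the space
        if not (self.h <= p.n <= self.H):
            return "d: outside watermarks"
        return None

    def accept(self, p: Prepare) -> bool:
        """Write a valid PREPARE to the message log; reject anything else."""
        err = self.check_prepare(p)
        if err is None:
            self.log[(p.view, p.n)] = p.digest
        return err is None
```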

The consensus node receives the voting results broadcast by the other consensus nodes and identifies, based on its own voting result and the broadcast voting results, whether the data collection node that sent the public traffic message is controlled.

Specifically, while a consensus node votes on and broadcasts the traffic characteristic message sent by the block-building node, it also receives the voting results broadcast by other consensus nodes, and it forwards the voting results it receives from other consensus nodes. Each traffic characteristic message corresponds to a vector that stores the voting results of all consensus nodes for that message.

After a consensus node receives a voting result message from another consensus node, it likewise checks its validity on three conditions: whether the message signature is correct, whether the view number matches, and whether the message sequence number satisfies the watermark limits. If verification passes, it writes this prepare message into its message log, adds its own signature to the received voting result message in the signature field, and broadcasts it to the other consensus nodes.

Each consensus node counts the votes it receives; once it has received the same result from at least 2f+1 different consensus nodes, that result becomes the final result R.

Based on the above embodiments, if it is determined that the score of any consensus node's voting results satisfies the preset condition, then after that consensus node is identified as controlled, the method further includes: treating that consensus node as a failed node and deleting it from the consensus node pool.

Specifically, once a consensus node's fraudulent behaviour is discovered, it is immediately excluded from the voting nodes, treated as a failed node, and deleted from the consensus node pool.

By treating the controlled consensus node as a failed node and deleting it from the consensus node pool, this embodiment improves identification accuracy.

Based on the above embodiments, after the consensus node receives the voting results broadcast by other consensus nodes and identifies, based on its own and the broadcast voting results, whether the data collection node that sent the public traffic message is controlled, the method further includes: if the block-building node determines that the number of voting results received from the consensus nodes is not less than (2f+1), it generates a block to be put on the chain from the result of identifying whether the data collection node that sent the public traffic message is controlled, and appends the block to the block queue.

The block-building node is one consensus node selected from each consensus node cluster according to a preset selection algorithm.

Specifically, the blockchain is a data structure in which blocks containing traffic characteristic message information are linked in order from back to front. A block is divided into two parts, the block header and the block body. Each block header contains the hash of its parent block; the sequence of hashes linking each block to its parent creates a chain that can be traced all the way back to the first block. A block is the data structure that aggregates the traffic characteristic message information in the blockchain; here that information is mainly the traffic data and its verification results.

The block body mainly stores data information: the data traffic information, the consensus nodes' judgement on whether the traffic information is abnormal, and the MD5 codes of the detection methods the consensus nodes used to verify the abnormal traffic.

The primary identifier of a block is its cryptographic hash, a digital fingerprint obtained by hashing the block header twice with the SHA256 algorithm. The resulting value is called the block hash; it uniquely and unambiguously identifies a block, and any node can obtain it independently simply by hashing the block header. The second way to identify a block is by its position in the blockchain, the "block height"; the first block has height 0. A block can therefore be identified in two ways: by its block hash or by its block height.
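The block layout described above (header with parent hash, double-SHA256 block hash, height starting at 0, body holding the traffic data, the per-node judgements and the MD5 of the detection method), as an added Python example that is not part of the patent. The header field set, the canonical JSON encoding, the body hash that binds body to header and the all-zero PreHash of the first block are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List


def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256d(data: bytes) -> str:
    """Block hash: the block header hashed twice with SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def body_hash_of(body: dict) -> str:
    return hashlib.sha256(canonical(body)).hexdigest()


GENESIS_PRE_HASH = "0" * 64       # assumption: the first block has no parent


@dataclass(frozen=True)
class Block:
    height: int       # position in the chain; the first block has height 0
    pre_hash: str     # header hash of the parent block (PreHash)
    body_hash: str    # binds the body to the header (assumption)
    body: dict        # traffic info, node judgements, MD5 of detection method

    def header_bytes(self) -> bytes:
        return canonical({"height": self.height, "pre_hash": self.pre_hash,
                          "body_hash": self.body_hash})

    def block_hash(self) -> str:
        return sha256d(self.header_bytes())


def make_body(flow: dict, results: dict, method_source: bytes) -> dict:
    """results: consensus node id -> 0/1 judgement; the detection method is
    identified by the MD5 of its code, as the text describes."""
    return {"flow": flow, "results": results,
            "method_md5": hashlib.md5(method_source).hexdigest()}


def append_block(chain: List[Block], body: dict) -> Block:
    pre_hash = chain[-1].block_hash() if chain else GENESIS_PRE_HASH
    blk = Block(height=len(chain), pre_hash=pre_hash,
                body_hash=body_hash_of(body), body=body)
    chain.append(blk)
    return blk


def verify_chain(chain: List[Block]) -> bool:
    """Recompute every link back to the first block: consecutive heights,
    body bound to header, and each PreHash equal to the parent's block hash."""
    expected_pre = GENESIS_PRE_HASH
    for height, blk in enumerate(chain):
        if blk.height != height or blk.pre_hash != expected_pre:
            return False
        if blk.body_hash != body_hash_of(blk.body):
            return False
        expected_pre = blk.block_hash()
    return True
```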

When a consensus node invokes an abnormal traffic detection method for verification, it can obtain the MD5 code of that method. The MD5 code is broadcast together with the abnormal traffic verification result and the node signature; it serves as the identifier of the detection method and is stored in the blockchain together with the traffic information and the verification result, so that it can be traced and queried.

Once every consensus node in the cluster has reached consensus on the verification results for the traffic messages, the block-building node packages the traffic messages and results into a block.

The steps for determining the block-building node are as follows:

To determine the block-building node, a pre-selection index T is defined and combined with the node reputation system to build the block-building node selection mechanism. Let P (0<P<1) be a node's reputation score after each round of consensus, and e the number of times the node has been selected as block-building node. The following exponential relationship is established:

T = P^e

Each time a block-building node is selected, the pre-selection indices T of all consensus nodes in the group are sorted, and the node with the highest pre-selection index is chosen as the block-building node.

When a node's reputation score is unchanged and consistently high, e increases each time it becomes the block-building node, so its pre-selection index T decreases. This guarantees that the same reputable node is not selected every time, giving every reputable node a chance to be selected as block-building node.

If a node's reputation score is low, P is low, its pre-selection index T is guaranteed to be low, and its probability of being selected as block-building node is low.

A node whose reputation score is poor across multiple rounds of consensus may be cheating. The node reputation mechanism identifies the fraud; the node cannot participate in voting and cannot join the node pool from which the consensus node groups are selected. Only after the fault on that consensus node has been cleared does it rejoin the pre-selected node pool.
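The per-round scoring of votes against the consensus result, the "score stays very low" traitor rule and the T = P^e block-building node selection, as an added Python example that is not part of the patent. The initial reputation of 0.5, the exponential moving average update that keeps 0 < P < 1, the three-consecutive-zero-score traitor condition and the tie-break rule are assumptions.

```python
from typing import Dict, Iterable, List


class ReputationLedger:
    """Scores each consensus node's vote against the consensus result and picks
    the block-building node by the pre-selection index T = P^e."""

    def __init__(self, node_ids: Iterable[int], alpha: float = 0.2, low_rounds: int = 3):
        ids = list(node_ids)
        self.alpha = alpha              # EMA weight of the newest round (assumption)
        self.low_rounds = low_rounds    # rounds of zero score that mean "stays very low"
        self.P: Dict[int, float] = {i: 0.5 for i in ids}       # reputation, 0 < P < 1
        self.e: Dict[int, int] = {i: 0 for i in ids}           # times chosen as builder
        self.scores: Dict[int, List[float]] = {i: [] for i in ids}

    def score_round(self, votes: Dict[int, int], consensus_result: int) -> None:
        """votes: node id -> its result r (0 normal / 1 abnormal) this round.
        A vote matching the consensus result scores 1, a mismatch scores 0."""
        for i, r in votes.items():
            s = 1.0 if r == consensus_result else 0.0
            self.scores[i].append(s)
            p = (1 - self.alpha) * self.P[i] + self.alpha * s
            self.P[i] = min(max(p, 1e-9), 1 - 1e-9)            # keep 0 < P < 1

    def traitors(self) -> List[int]:
        """Nodes whose score has stayed very low: zero for low_rounds rounds."""
        return sorted(i for i, hist in self.scores.items()
                      if len(hist) >= self.low_rounds
                      and all(s == 0.0 for s in hist[-self.low_rounds:]))

    def preselection_index(self, i: int) -> float:
        return self.P[i] ** self.e[i]

    def pick_builder(self) -> int:
        """Highest T wins; traitor nodes are out of the pool. While e = 0 every
        node has T = 1, so ties go to the higher P, then the lower id (assumption)."""
        banned = set(self.traitors())
        eligible = [i for i in self.P if i not in banned]
        if not eligible:
            raise RuntimeError("no eligible consensus node")
        best = max(eligible, key=lambda i: (self.preselection_index(i), self.P[i], -i))
        self.e[best] += 1            # each selection lowers this node's future T
        return best
```

Run over three rounds in which node 3 always disagrees, node 3 is flagged and the builder role rotates 0, 1, 2, 0 among the nodes of equal reputation instead of sticking to one node.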

确定了建块节点之后,节点对流量特征消息信息进行验证,并把验证结果和采用的异常流量检测方法的MD5码一同广播给所有共识节点。After the block-building node is determined, the node verifies the traffic characteristic message information, and broadcasts the verification result and the MD5 code of the abnormal traffic detection method to all consensus nodes.

共识节点集群里的共识节点对该区块进行共识。共识成功后,将该区块作为待上链的区块,放入区块队列中。The consensus nodes in the consensus node cluster consensus on the block. After the consensus is successful, the block will be put into the block queue as a block to be uploaded to the chain.

每个共识节点将R附上签名广播给其他节点自己的commit消息<<COMMIT,view,n,digest(message),signature,methods>message>,建块节点集齐至少2f+1个被共识节点验证过的commit消息,说明本次共识提案顺利通过。Each consensus node attaches a signature to R and broadcasts its own commit message <<COMMIT, view, n, digest(message), signature, methods> message> to other nodes. The block building nodes gather at least 2f+1 consensus nodes. The verified commit message indicates that this consensus proposal was successfully passed.

建块建块节点根据这个结果,建立区块,并将这个区块放入预区块队列中,等待空闲共识节点对每个区块父区块哈希进行共识,建立最终的区块。The block-building node creates a block based on this result, puts the block into the pre-block queue, and waits for the idle consensus node to agree on the parent block hash of each block to establish the final block.

上链节点集群对区块队列中的每一待上链的区块进行共识并成功之后,将每一待上链的区块添加至区块链中。After the chain node cluster reaches consensus on each block to be uploaded in the block queue and succeeds, each block to be uploaded is added to the blockchain.

其中,上链节点集群,包括从共识节点池未被选入任一共识节点集群的各共识节点中选取的(3f+1)个不重复的共识节点。Among them, the on-chain node cluster includes (3f+1) unique consensus nodes selected from the consensus nodes that have not been selected into any consensus node cluster in the consensus node pool.

具体地,从共识节点池的剩余空闲节点中选取的上链节点集群,从队列中取出区块,然后将当前区块链的顶端区块头hash作为该块的PreHash,然后进行共识,并附上签名。共识成功之后,该区块成为区块链新的顶端区块。Specifically, the uplink node cluster is selected from the remaining idle nodes in the consensus node pool, removes the block from the queue, and then uses the top block header hash of the current blockchain as the PreHash of the block, and then performs consensus and attaches sign. After the consensus is successful, the block becomes the new top block of the blockchain.

经过共识确认后的检测结果会被记录到区块链上,可随时进行追溯查询。基于改进的拜占庭共识协议对异常流量进行查证、处理,建立区块链网络记录异常信息,可随时进行追溯查询。The test results confirmed by consensus will be recorded on the blockchain and can be traced back at any time. Based on the improved Byzantine consensus protocol, abnormal traffic is verified and processed, and a blockchain network is established to record abnormal information, which can be traced back at any time.

本发明实施例采用拜占庭区块链系统来记录存储异常信息,区块链结构保证了数据难篡改性和安全性。流量特征信息以及检测结果、检测方法摘要都存储在区块链上,具有极难篡改性,区块链是一种分布式数据库,即使某一个节点丢失了数据,也可以从其他节点恢复。整个共识系统采用拜占庭容错机制,攻击者必须要同时攻击f个以上的节点才能对整个系统造成攻击,难度很高。The embodiment of the present invention uses a Byzantine blockchain system to record and store abnormal information, and the blockchain structure ensures that the data is difficult to tamper with and is safe. Traffic characteristic information, detection results, and detection method summaries are all stored on the blockchain, which is extremely difficult to tamper with. The blockchain is a distributed database. Even if a node loses data, it can be restored from other nodes. The entire consensus system adopts a Byzantine fault-tolerant mechanism. An attacker must attack more than f nodes at the same time to attack the entire system, which is very difficult.

基于上述各实施例的内容,共识节点集群中的每一共识节点选择一种异常流量检测方法的具体步骤包括:根据区块链的高度、每一共识节点的编号和异常流量检测方法的个数,选择一种异常流量检测方法。Based on the contents of the above embodiments, the specific steps for each consensus node in the consensus node cluster to select an abnormal traffic detection method include: based on the height of the blockchain, the number of each consensus node and the number of abnormal traffic detection methods. , select an abnormal traffic detection method.

具体地,共识节点的数据检测模块拥有N种独立的检测方法,编号为1-N。其中,N为正整数。每种方法通过类的方式封装起来,对外只提供一个简单的函数接口。Specifically, the data detection module of the consensus node has N independent detection methods, numbered 1-N. Among them, N is a positive integer. Each method is encapsulated in a class and only provides a simple function interface to the outside world.

共识节点对流量数据进行检测时,为了尽可能让本轮参与投票的共识节点更加平均的使用各种检测方法,检测流量数据信息前首先共识节点通过如下选择方法确定本轮使用的异常流量检测方法:When the consensus node detects the traffic data, in order to make the consensus nodes participating in the voting in this round use various detection methods as evenly as possible, before detecting the traffic data information, the consensus node first determines the abnormal traffic detection method used in this round through the following selection method. :

1) Obtain the current blockchain height H and the node number K.

2) Compute M = (H + K) % N + 1; M is the number of the abnormal traffic detection method selected by this node.

By selecting the abnormal traffic detection method from the blockchain height, the number of each consensus node and the number of detection methods, the embodiment can improve identification efficiency and accuracy.
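The following is an added example, not code from the patent, of the rotation rule M = (H + K) % N + 1 together with the detect, vote and score steps that claim 1 describes (a consensus value needs at least 2f+1 matching votes; a node whose vote disagrees with the consensus vote scores low). Everything the page does not specify is an assumption: the four detector heuristics and their thresholds, the Flow tuple layout, the rule that an honest node votes the majority of the 3f+1 detection results it holds, the +1/-1 scoring and the threshold of -3 for flagging a node, and the constructed flow records.

```python
"""Detector rotation, vote and scoring for one 3f+1 consensus node cluster.

Added example, not code from the patent. Assumptions (not on the page): the
four detector heuristics and thresholds, the Flow tuple layout, majority
voting over the 3f+1 detection results, +1/-1 scoring and the -3 flag level.
"""
from collections import Counter, namedtuple

# Constructed flow records (not captured data): one web client, one packet
# flood, and one source sweeping ports 21-30 of the same destination.
Flow = namedtuple("Flow", "srcaddr dstaddr dstport packet_count size duration")
FLOWS = [
    Flow("119.75.216.20", "182.254.18.159", 80, 120, 96000, 12.0),
    Flow("119.75.216.20", "182.254.18.159", 443, 40, 52000, 6.0),
    Flow("10.20.0.7", "182.254.18.159", 22, 4000, 240000, 2.0),  # 2000 pps, 60 B/pkt
] + [Flow("10.20.0.8", "182.254.18.159", p, 1, 60, 0.1) for p in range(21, 31)]


# Each detection method is a class exposing a single detect(flows) -> bool interface.
class PacketRateDetector:
    """Method 1: any flow above max_pps packets per second (flood)."""
    def __init__(self, max_pps=500.0):
        self.max_pps = max_pps

    def detect(self, flows):
        return any(f.packet_count / max(f.duration, 1e-3) > self.max_pps for f in flows)


class PortScanDetector:
    """Method 2: one source touching more than max_ports distinct destination ports."""
    def __init__(self, max_ports=8):
        self.max_ports = max_ports

    def detect(self, flows):
        ports = {}
        for f in flows:
            ports.setdefault(f.srcaddr, set()).add(f.dstport)
        return any(len(p) > self.max_ports for p in ports.values())


class SmallPacketFloodDetector:
    """Method 3: a large flow whose average packet size is below max_avg_bytes."""
    def __init__(self, min_packets=1000, max_avg_bytes=64):
        self.min_packets, self.max_avg_bytes = min_packets, max_avg_bytes

    def detect(self, flows):
        return any(f.packet_count > self.min_packets
                   and f.size / f.packet_count < self.max_avg_bytes for f in flows)


class FanOutDetector:
    """Method 4: one source opening more than max_flows flows."""
    def __init__(self, max_flows=20):
        self.max_flows = max_flows

    def detect(self, flows):
        return max(Counter(f.srcaddr for f in flows).values()) > self.max_flows


DETECTORS = {1: PacketRateDetector(), 2: PortScanDetector(),
             3: SmallPacketFloodDetector(), 4: FanOutDetector()}


def select_method(height, node_id, n_methods=len(DETECTORS)):
    """The page's rule: M = (H + K) % N + 1."""
    return (height + node_id) % n_methods + 1


def run_round(height, flows, f=1, controlled=()):
    """One round on one public traffic message; returns (results, votes, consensus)."""
    node_ids = range(1, 3 * f + 2)  # nodes 1 .. 3f+1
    # Phase 1: every node runs the detector its number selects and broadcasts the result.
    results = {k: DETECTORS[select_method(height, k)].detect(flows) for k in node_ids}
    # Phase 2: an honest node votes the majority of the 3f+1 results it holds;
    # a controlled node (assumption) broadcasts the opposite vote.
    majority = 2 * sum(results.values()) > len(results)
    votes = {k: (not majority) if k in controlled else majority for k in node_ids}
    # Phase 3: a value carried by at least 2f+1 votes is the consensus; otherwise no block.
    value, count = Counter(votes.values()).most_common(1)[0]
    consensus = value if count >= 2 * f + 1 else None
    return results, votes, consensus


def score_round(votes, consensus, scores, flag_at=-3):
    """Score each node against the consensus vote; return the nodes now flagged as controlled."""
    for k, v in votes.items():
        scores[k] = scores.get(k, 0) + (1 if v == consensus else -1)
    return sorted(k for k, s in scores.items() if s <= flag_at)


def simulate(start_height=10, rounds=3, f=1, controlled=(4,)):
    """Run several heights: detectors keep rotating while the scores accumulate."""
    scores, flagged = {}, []
    for h in range(start_height, start_height + rounds):
        _, votes, consensus = run_round(h, FLOWS, f, controlled)
        flagged = score_round(votes, consensus, scores)
    return scores, flagged


if __name__ == "__main__":
    print(simulate())
```

With 3f+1 = N = 4 every method is exercised in every round, and the assignment shifts by one position each time H grows. Two points worth keeping in mind when deploying this rule: because H and K are public, anyone who knows the chain height and the node numbering knows which detector each node will run in a round; and when the cluster is smaller than N only a rotating subset of the methods is used per round, while a cluster larger than N has nodes sharing a method.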

Based on the embodiments above, between randomly selecting several consensus node clusters from the consensus node pool according to the preset election algorithm and the step in which, for the public traffic message received by each cluster, every consensus node selects an abnormal traffic detection method, obtains its detection result and broadcasts it to the other consensus nodes in the cluster, the method further includes: any consensus node in the cluster, based on a filtering mechanism, receiving the traffic messages sent by data collection nodes within a preset range and broadcasting them to the other consensus nodes in the cluster.

Specifically, a data collection node receives the traffic information packets collected by the traffic collection tool and checks the packet size, the version number and whether the number of bytes received is enough to hold the header, so as to make sure the packet comes from a valid traffic source. After accepting a valid packet, the data collection node processes the received traffic information stream and packs the required data into a traffic characteristic message, which it sends to all consensus nodes at regular intervals. Unlike ordinary data collection, the data collection nodes of this system sign the traffic characteristic messages, so that a receiver can check the origin and integrity of the data.

If all consensus nodes in the cluster receive a traffic message, that traffic message is determined to be a public traffic message.

Specifically, for any traffic message, if every consensus node in the consensus node cluster has received it, it is a public traffic message.

Because the embodiment identifies whether the data collection node that sent a traffic message is controlled only once all consensus nodes have received that message, it can improve identification efficiency and accuracy and ensure highly effective and reliable identification.

The following describes the operator critical infrastructure controlled-identification system provided by the embodiment. It corresponds to the operator critical infrastructure controlled-identification method described above, and the two may be read with reference to each other.

Figure 2 is a schematic structural diagram of an operator critical infrastructure controlled-identification system provided by an embodiment. Based on the embodiments above and as shown in Figure 2, the system includes multiple consensus nodes 202 and multiple data collection nodes 201.

Specifically, the system is made up of the critical infrastructure itself, which comprises at least two kinds of node: multiple consensus nodes 202 and multiple data collection nodes 201.

The data collection node 201 obtains multiple traffic characteristics of the target area network from that network's traffic information, and sends the consensus nodes traffic messages carrying those characteristics.

Specifically, a network connection is defined as a sequence of TCP packets from start to finish within some period of time, during which data passes from a source IP address to a destination IP address under a predefined protocol (such as TCP or UDP). Each network connection is labelled normal or attack, and the attack label is subdivided into 4 major categories with a total of 39 attack types. Each connection record is described by 41 features plus the final label, 42 items in all. The 41 traffic features fall into 4 groups:

1) Basic features of the TCP connection (9 features)

2) Content features of the TCP connection (13 features)

3) Time-based traffic statistics (9 features)

4) Host-based traffic statistics (10 features)

The 4 attack categories are:

DOS (denial of service), for example ping-of-death, SYN flood and smurf. Typical forms: generating a large volume of useless traffic that congests the network path to the victim host so that it can no longer communicate normally with the outside; exploiting defects in how the victim's service or transport protocol handles repeated connections by sending aggressive repeated service requests at high frequency, so that the victim cannot serve other legitimate requests in time; or exploiting implementation defects in the victim's service program or transport protocol by repeatedly sending malformed data that makes the system wrongly allocate large amounts of system resources, leaving the host hung or crashed.

R2L (unauthorized access from a remote machine to a local machine), for example password guessing: an attacker with no account on the target host gains local access to the machine and then exfiltrates or modifies data.

U2R (unauthorized access to local superuser privileges by a local unprivileged user), for example buffer overflow attacks.

PROBING (surveillance and probing), port monitoring or scanning, for example port-scan and ping-sweep: scanning a computer network or DNS server to discover valid IP addresses, open ports, host operating system types and security weaknesses.

After the traffic collection node 201 has collected the characteristic data of the traffic, it encapsulates the data in a message, attaches its own signature and sends the message to the consensus nodes.

Each traffic message may contain the following fields:

srcaddr: source IP address, e.g. 119.75.216.20.

dstaddr: destination IP address, e.g. 182.254.18.159.

srcport: TCP/UDP source port, e.g. 60221.

dstport: TCP/UDP destination port, e.g. 80 or 443.

prot: protocol number, e.g. 6 = TCP, 17 = UDP.

First: start time of the flow.

Last: time at which the last packet of the flow was received.

size: total number of bytes carried by the flow.

PacketCount: number of packets in the flow.
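The following added example (not the patent's code) covers both the data collection node described earlier, which checks packet size, version and header, signs the traffic characteristic message and sends it to every consensus node, and the message fields listed just above; it also shows a consensus node rejecting a tampered or forged message and the cluster deciding which messages are "public" (received by every node). The page does not specify the encoding or the signature scheme, so JSON and HMAC-SHA256 with a per-collector key stand in for them here (a real deployment would use an asymmetric signature so that a consensus node cannot forge collector messages); the version number 1, the 64-byte minimum, the collector ids, keys and flow records are all constructed.

```python
"""Build, sign, verify and classify traffic characteristic messages.

Added example, not code from the patent. Assumptions not on the page: JSON
encoding, version 1, HMAC-SHA256 with a per-collector key standing in for the
unspecified signature scheme, a 64-byte minimum, and the constructed keys,
collector ids and flow records.
"""
import hashlib
import hmac
import ipaddress
import json

VERSION = 1
HEADER_FIELDS = ("srcaddr", "dstaddr", "srcport", "dstport", "prot",
                 "First", "Last", "size", "PacketCount")
MIN_HEADER_BYTES = 64  # assumption: anything shorter cannot hold the header

# Constructed per-collector keys; the consensus nodes hold the same table.
COLLECTOR_KEYS = {"collector-sx-01": b"k1-constructed", "collector-sx-02": b"k2-constructed"}


def _canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_message(collector_id, key, flow):
    """Data collection node: wrap one flow record, attach the signature, return bytes."""
    body = {"version": VERSION, "collector": collector_id, "flow": flow}
    sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return _canonical({**body, "sig": sig})


def accept(raw, keys=COLLECTOR_KEYS):
    """Consensus node: size, version and header checks, then the signature. None if rejected."""
    if len(raw) < MIN_HEADER_BYTES:
        return None
    try:
        msg = json.loads(raw)
        flow, sig = msg["flow"], msg["sig"]
        if msg["version"] != VERSION or any(k not in flow for k in HEADER_FIELDS):
            return None
        for k in ("srcaddr", "dstaddr"):
            ipaddress.ip_address(flow[k])          # raises ValueError on a bad address
        if not (0 <= flow["srcport"] <= 65535 and 0 <= flow["dstport"] <= 65535):
            return None
        if flow["prot"] not in (6, 17) or flow["Last"] < flow["First"]:
            return None
        if flow["size"] < 0 or flow["PacketCount"] < 1:
            return None
        key = keys[msg["collector"]]               # unknown collector -> KeyError
    except (KeyError, ValueError, TypeError):
        return None
    body = {k: v for k, v in msg.items() if k != "sig"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return msg if hmac.compare_digest(expected, sig) else None


def message_id(raw):
    return hashlib.sha256(raw).hexdigest()


def public_messages(received):
    """received: {consensus node id: set of message ids}. Public = seen by every node."""
    sets = list(received.values())
    return set.intersection(*sets) if sets else set()


# Constructed sample flows (not captured traffic), using the page's field names.
FLOW_A = {"srcaddr": "119.75.216.20", "dstaddr": "182.254.18.159", "srcport": 60221,
          "dstport": 443, "prot": 6, "First": 1606953600.0, "Last": 1606953605.2,
          "size": 18432, "PacketCount": 21}
FLOW_B = {**FLOW_A, "dstport": 80, "srcport": 60222, "PacketCount": 9, "size": 5120}

MSG_A = make_message("collector-sx-01", COLLECTOR_KEYS["collector-sx-01"], FLOW_A)
MSG_B = make_message("collector-sx-02", COLLECTOR_KEYS["collector-sx-02"], FLOW_B)
# A relay changed the size field after signing.
TAMPERED = MSG_A.replace(b'"size":18432', b'"size":1')
# A message signed under an unknown collector id.
FORGED = make_message("collector-xx-99", b"attacker-key", FLOW_A)


def demo():
    """Four-node cluster; node 4 never received MSG_B, so only MSG_A is public."""
    both = {message_id(MSG_A), message_id(MSG_B)}
    received = {1: set(both), 2: set(both), 3: set(both), 4: {message_id(MSG_A)}}
    return public_messages(received)


if __name__ == "__main__":
    print(accept(MSG_A) is not None, accept(TAMPERED), accept(FORGED), demo())
```

The "public" test is a set intersection over what every node reports having received, which is why the page has each node rebroadcast the messages it accepts within the cluster: a message dropped on the way to even one node is not voted on in that round.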

The consensus node 202 identifies, based on the consensus mechanism and the traffic messages, whether a data collection node is controlled and whether other consensus nodes are controlled.

Specifically, for the public traffic message received by each consensus node cluster, every consensus node 202 in the cluster selects an abnormal traffic detection method, obtains its detection result and broadcasts it to the other consensus nodes 202 in the cluster.

The consensus node cluster then identifies, based on the consensus mechanism and the detection results of the individual consensus nodes, whether the data collection node that sent the public traffic message is controlled.

The operator critical infrastructure controlled-identification system provided by this embodiment executes the method provided by the embodiments above; the specific way in which each of its modules implements its function is described in the method embodiments and is not repeated here.

The system is used for the methods of the foregoing embodiments, so the descriptions and definitions given in those method embodiments apply to the understanding of each execution module in this embodiment.

By having each consensus node produce a detection result with the anomaly detection method selected for that round and broadcast it, and by reaching consensus across the whole cluster with a practical Byzantine fault-tolerant (PBFT) algorithm on whether the data collection node is controlled, the embodiment can improve identification efficiency and accuracy, ensure effective and reliable identification, and keep the system scalable.

Based on the embodiments above, the operator critical infrastructure controlled-identification system includes at least two layers of data collection nodes.

Specifically, following the operator's network structure, at least two layers of data collection nodes can be deployed, corresponding to the networks of different regions.

Each data collection node in the first layer obtains multiple traffic characteristics of its corresponding first area network from that network's traffic information.

Specifically, the first area is usually a province, and the first area network is the provincial network.

In each provincial network of the operator, the switching routers of the provincial nodes in the tandem (aggregation) layer connect to all the metropolitan area networks in the province. A fixed number of data collection nodes are deployed at the provincial nodes; because the operator's network topology has very few provincial nodes, the cost of deploying a data collection node on every provincial node router is relatively small.

The second layer includes at least one data collection node. Each data collection node in the second layer obtains multiple traffic characteristics of each second area network from that network's traffic information in turn, according to a preset rotation algorithm.

The second area is a sub-area of the first area.

Specifically, the second area is usually a metropolitan area, and the second area network is the metropolitan area network (MAN).

Below each provincial network of an operator there are more than ten metropolitan area networks, and deploying a data collection node in every MAN is unrealistic and expensive. Against this background the following strategy is used: a single data collection node is connected to the route traffic monitoring devices that observe the traffic each MAN exchanges with the outside, and by time-slice rotation it chooses to accept the outbound traffic information of one particular MAN at a time, thereby obtaining the traffic that this MAN sends to the other MANs in the province.

The time-slice rotation algorithm works as follows. First, the data collection node chooses a fairly small time slice t and, during each slice, monitors and records the amount of network traffic. After one full rotation, the MANs are ranked by the volume of outbound data each MAN router transmitted in the previous round, and the slices of the next round are ordered by that priority: a MAN router that carried more traffic in the previous round has higher priority and is examined first by the data collection node. An auxiliary strategy adds a time-slice coefficient L, which starts from a fixed initial value. If a MAN router keeps a high priority for many consecutive rounds, its coefficient is increased by a set amount, so that the data collection node spends more time on the router that transmits the most and captures more traffic data while that MAN is at its peak. Conversely, if a MAN router keeps a low priority for many consecutive rounds, its coefficient is reduced appropriately, but never below the initial value. The time T for which each MAN router is monitored by the data collection node is:

T = t × L

The time-slice rotation strategy only guarantees that most of the traffic transmitted within the province is collected by the data collection nodes; it cannot guarantee that all traffic information is captured. A reasonable random deployment strategy is therefore added: some data collection nodes are brought into use by random rotation, and combined with the time-slice rotation this ensures that the great majority of the traffic in the network is collected by the data collection nodes.
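The following is an added example, not the patent's code, of the time-slice rotation described above: the MANs are re-ranked each round by the volume seen in the previous round, a MAN that stays in the upper half of the ranking for several consecutive rounds gets a larger coefficient L, one that stays in the lower half shrinks back towards the initial value, and each MAN is monitored for T = t × L. The page gives no numbers, so t = 5 s, an initial coefficient of 1, a step of 1, a cap of 4, "many consecutive rounds" taken as 3, "high priority" taken as the upper half of the ranking, and the per-MAN volumes are all assumptions; the random deployment nodes mentioned in the last paragraph are not modelled.

```python
"""Time-slice rotation for a second-layer data collection node over several MANs.

Added example, not code from the patent. Assumptions not on the page: t = 5 s,
L0 = 1, step 1, cap 4, streak length 3, 'high priority' = upper half of the
ranking, and the constructed volumes in VOLUMES.
"""


class SliceScheduler:
    def __init__(self, mans, t=5.0, l0=1, step=1, l_max=4, streak=3):
        self.t, self.l0, self.step, self.l_max, self.streak = t, l0, step, l_max, streak
        self.coef = {m: l0 for m in mans}    # time-slice coefficient L per MAN
        self.high = {m: 0 for m in mans}     # consecutive rounds in the upper half
        self.low = {m: 0 for m in mans}      # consecutive rounds in the lower half
        self.order = list(mans)              # first round: deployment order

    def schedule(self):
        """Slices for the coming round in priority order: (MAN, T) with T = t * L."""
        return [(m, self.t * self.coef[m]) for m in self.order]

    def round_length(self):
        """Wall-clock length of one full rotation."""
        return sum(T for _, T in self.schedule())

    def observe(self, volumes):
        """Feed the bytes seen per MAN in the round just finished; re-rank and tune L."""
        ranked = sorted(volumes, key=volumes.get, reverse=True)
        half = len(ranked) // 2
        for i, m in enumerate(ranked):
            if i < half:
                self.high[m] += 1
                self.low[m] = 0
            else:
                self.low[m] += 1
                self.high[m] = 0
            if self.high[m] >= self.streak:      # sustained peak: give it more time
                self.coef[m] = min(self.l_max, self.coef[m] + self.step)
                self.high[m] = 0
            if self.low[m] >= self.streak:       # sustained quiet: shrink, never below L0
                self.coef[m] = max(self.l0, self.coef[m] - self.step)
                self.low[m] = 0
        self.order = ranked


# Constructed outbound volumes (bytes per MAN per round), alternating between two
# patterns: "A" is always the hottest MAN, "D" always the quietest, B and C swap.
VOLUMES = [
    {"A": 900_000, "B": 400_000, "C": 300_000, "D": 50_000},
    {"A": 950_000, "B": 350_000, "C": 420_000, "D": 60_000},
]


def simulate(rounds=6, t=5.0):
    """Run the scheduler over the constructed volumes and return its final state."""
    s = SliceScheduler(["A", "B", "C", "D"], t=t)
    for r in range(rounds):
        s.observe(VOLUMES[r % len(VOLUMES)])
    return s


if __name__ == "__main__":
    s = simulate()
    print(s.schedule(), s.round_length())
```

After three rounds "A" has earned L = 2 and is scheduled first for 10 s; after six rounds L = 3. "B" and "C" never hold the upper half for three rounds in a row, so their coefficients stay at the initial value, and "D" cannot fall below it. Note that the total rotation length grows with every increment, so the quiet MANs are sampled less often in wall-clock terms; that is the trade-off the page accepts in exchange for more data at the peak.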

By deploying two layers of data collection nodes, the embodiment collects more comprehensive traffic data with fewer data collection nodes, and so identifies controlled operator critical infrastructure more accurately and more completely.

The system embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over several network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.

From the description of the embodiments above, those skilled in the art will clearly understand that each embodiment can be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware. On this understanding, the above technical solution in essence, or the part of it that contributes to the prior art, may be embodied as a software product stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the method described in the various embodiments or in parts of them.

Finally, it should be noted that the above embodiments are only used to illustrate the technical solution of the present invention and not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, without the essence of the corresponding technical solutions departing from the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (6)

1. A method for identifying controlled critical infrastructure of an operator, characterized in that it comprises:
randomly selecting several groups of consensus node clusters from a consensus node pool according to a preset election algorithm;
wherein any consensus node in any group of consensus node clusters is not in any other consensus node cluster; each group of consensus node clusters receives traffic messages from a different traffic collection domain, and each consensus node cluster, by configuring iptables, accepts the traffic messages sent by the data collection nodes in its corresponding range and filters out the messages sent by the remaining data collection nodes;
for the public traffic message that each consensus node cluster receives from the data collection nodes, each consensus node in the consensus node cluster selecting an abnormal traffic detection method, obtaining the detection result of the consensus node and broadcasting it to the other consensus nodes in the consensus node cluster;
the consensus node cluster identifying, based on the consensus mechanism and the detection results of the individual consensus nodes on the public traffic message, whether the data collection node that sent the public traffic message is controlled;
wherein the consensus node cluster comprises 3f+1 distinct consensus nodes, f being a positive integer, and the public traffic message carries multiple traffic characteristics of the target area network;
the step in which the consensus node cluster identifies, based on the consensus mechanism and the detection results of the individual consensus nodes, whether the data collection node that sent the public traffic message is controlled specifically comprising:
the consensus node receiving the detection results broadcast by the other consensus nodes, voting on the basis of its own detection result and the detection results broadcast by the other consensus nodes, obtaining the voting result of the consensus node and broadcasting it to the other consensus nodes in the consensus node cluster;
the consensus node receiving the voting results broadcast by the other consensus nodes and identifying, from its own voting result and the voting results broadcast by the other consensus nodes, whether the data collection node that sent the public traffic message is controlled;
if the block-building node determines that the number of voting results it has received from consensus nodes is not less than 2f+1, generating a block to be chained from the result of identifying whether the data collection node that sent the public traffic message is controlled, and placing the block to be chained in the block queue;
after the chaining node cluster has successfully reached consensus on each block to be chained in the block queue, adding each such block to the blockchain;
wherein the block-building node is one consensus node selected from each consensus node cluster according to a preset selection algorithm, and the chaining node cluster comprises 3f+1 distinct consensus nodes selected from the consensus nodes in the consensus node pool that were not selected into any consensus node cluster;
after obtaining the voting result of the consensus node and broadcasting it to the other consensus nodes in the consensus node cluster, the method further comprising:
obtaining a score for the voting result of each consensus node;
if the score of the voting result of any consensus node is determined to satisfy a preset condition, identifying that consensus node as controlled;
wherein the score of the voting result of a consensus node is low if the voting result disagrees with the consensus voting result and high if it agrees with the consensus voting result.

2. The method for identifying controlled critical infrastructure of an operator according to claim 1, characterized in that, after identifying that consensus node as controlled, the method further comprises:
treating that consensus node as a failed node and removing it from the consensus node pool.

3. The method for identifying controlled critical infrastructure of an operator according to claim 1, characterized in that the step in which each consensus node in the consensus node cluster selects an abnormal traffic detection method specifically comprises:
selecting an abnormal traffic detection method according to the height of the blockchain, the number of each consensus node and the number of abnormal traffic detection methods.

4. The method for identifying controlled critical infrastructure of an operator according to claim 1, characterized in that, between randomly selecting several groups of consensus node clusters from the consensus node pool according to the preset election algorithm and, for the public traffic message received by each consensus node cluster, each consensus node in the cluster selecting an abnormal traffic detection method, obtaining its detection result and broadcasting it to the other consensus nodes in the cluster, the method further comprises:
any consensus node in the consensus node cluster, based on a filtering mechanism, receiving the traffic messages sent by the data collection nodes within a preset range and broadcasting them to the other consensus nodes in the consensus node cluster;
if all consensus nodes in the consensus node cluster receive the traffic message, determining the traffic message to be a public traffic message.

5. A system for identifying controlled critical infrastructure of an operator, characterized in that it comprises multiple consensus nodes and multiple data collection nodes;
the data collection node obtaining multiple traffic characteristics of the target area network from the traffic information of the target area network, and sending the consensus nodes traffic messages carrying the multiple traffic characteristics of the target area network;
the consensus node identifying, based on the consensus mechanism and the traffic messages, whether a data collection node is controlled and whether other consensus nodes are controlled;
the system being able to implement the method for identifying controlled critical infrastructure of an operator according to any one of claims 1 to 4.

6. The system for identifying controlled critical infrastructure of an operator according to claim 5, characterized in that it comprises at least two layers of data collection nodes;
each data collection node in the first layer obtaining multiple traffic characteristics of its corresponding first area network from the traffic information of that first area network;
the second layer comprising at least one data collection node, each data collection node in the second layer obtaining, according to a preset rotation algorithm, multiple traffic characteristics of each second area network from the traffic information of that second area network in turn;
wherein the second area is a sub-area of the first area.
Application number: CN202011415992.6A
Priority date: 2020-12-03
Filing date: 2020-12-03
Title: Controlled identification method and system for key infrastructure of operator
Status: Active
Granted publication: CN114615002B (en)

Publications (2)

CN114615002A (en), published 2022-06-10
CN114615002B (en), published 2024-02-27

Family

ID=81857108


Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108616534A (en) * 2018-04-28 2018-10-02 中国科学院信息工程研究所 A kind of method and system for protecting internet of things equipment ddos attack based on block chain
CN110289966A (en) * 2019-06-19 2019-09-27 西南交通大学 Consensus method of anti-adaptive attack alliance chain based on Byzantine fault tolerance
CN110363223A (en) * 2019-06-20 2019-10-22 华南理工大学 Industrial flow data processing method, detection method, system, device and medium
CN110569675A (en) * 2019-09-18 2019-12-13 上海海事大学 A multi-agent transaction information protection method based on blockchain technology
CN110677485A (en) * 2019-09-30 2020-01-10 大连理工大学 Dynamic layered Byzantine fault-tolerant consensus method based on credit
TW202017337A (en) * 2018-10-29 2020-05-01 財團法人電信技術中心 Method and system for backbone network flow anomaly detection
CN111262851A (en) * 2020-01-14 2020-06-09 中移(杭州)信息技术有限公司 DDOS attack detection method, device, electronic device and storage medium
CN111343208A (en) * 2020-05-21 2020-06-26 腾讯科技(深圳)有限公司 Block chain-based data detection method and device and computer-readable storage medium
CN111988321A (en) * 2020-08-24 2020-11-24 桂林电子科技大学 Consortium-chain anomaly detection system based on machine learning and detection method thereof

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7680757B2 (en) * 2004-11-10 2010-03-16 Technion Research & Development Foundation Ltd. Association rule mining in peer-to peer systems
US8504504B2 (en) * 2008-09-26 2013-08-06 Oracle America, Inc. System and method for distributed denial of service identification and prevention

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
Research on security early warning based on big-data analysis of network traffic in the 4G era;陈霖;梁坤;;Journal of Hunan Post and Telecommunication College (04);full text *
Blockchain Trust Model for Malicious Node Detection in Wireless Sensor Networks;Wei She;《IEEE Access》;全文 *
Reputation-Based Byzantine Fault-Tolerance for Consortium Blockchain;Kai Lei;《2018 IEEE 24th International Conference on Parallel and Distributed Systems (ICPADS)》;全文 *
Anomalous network traffic classification based on improved extremely randomized trees;韦海宇;王勇;柯文龙;俸皓;;Computer Engineering (11);full text *
DDoS detection, analysis and reporting system based on comprehensive scoring;李星;刘骥琛;张千里;;Journal of Southeast University (Natural Science Edition) (S1);full text *

Also Published As

Publication number Publication date
CN114615002A (en) 2022-06-10

Similar Documents

Publication Publication Date Title
CN116488939B (en) Computer information security monitoring method, system and storage medium
US11411721B2 (en) Systems and methods for selecting and utilizing a committee of validator nodes in a distributed system
CN110784461B (en) A secure 6LoWPAN communication method and system based on blockchain
CN111343208B (en) Block chain-based data detection method and device and computer-readable storage medium
WO2019178966A1 (en) Network attack defense method and apparatus, and computer device and storage medium
JP6026789B2 (en) Node device for preventing overflow of pending table in name-based network system, and device and method for preventing overflow
JP5581141B2 (en) Management server, communication cutoff device, information processing system, method, and program
KR20000054538A (en) System and method for intrusion detection in a network and its computer-readable record medium
CN111200605B (en) A malicious identification defense method and system based on Handle system
CN111371735A (en) Botnet detection method, system and storage medium
WO2009135396A1 (en) Network attack processing method, processing device and network analyzing and monitoring center
CN108270722B (en) Attack behavior detection method and device
CN1252555C (en) Cooperative intrusion detection system based on distributed data mining
CN110266650B (en) Identification method of Conpot industrial control honeypot
CN1684431A (en) Method and device for shielding a server against denial of service
CN1411209A (en) Method of detecting and monitoring malicious user host machine attack
CN111541670A (en) Novel dynamic honeypot system
CN113382011A (en) Method for preventing replay attack by API interface
CN112019330B (en) Intranet security audit data storage method and system based on alliance chain
CN116614251A (en) Data security monitoring system
CN114615002B (en) Controlled identification method and system for key infrastructure of operator
JP2010250607A (en) System, method and program for analysis of unauthorized access
WO2019240054A1 (en) Communication device, packet processing method, and program
CN117040943B (en) Cloud network endogenous security defense method and device based on IPv6 address driving
JP2003258795A (en) Computer aggregate operating method, implementation system therefor, and processing program therefor

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant