CN114615002B - Controlled identification method and system for key infrastructure of operator - Google Patents
- Publication number: CN114615002B (application CN202011415992.6A)
- Authority: CN (China)
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1425 — Traffic logging, e.g. anomaly detection (under H04L63/00 Network architectures or network communication protocols for network security; H04L63/14 for detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
- G06Q10/06393 — Score-carding, benchmarking or key performance indicator [KPI] analysis (under G06Q10/00 Administration; Management; G06Q10/06 Resources, workflows, human or project management; G06Q10/063 Operations research, analysis or management; G06Q10/0639 Performance analysis of enterprise or organisation operations)
- H04L41/30 — Decision processes by autonomous network management units using voting and bidding (under H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks)
Abstract
The embodiment of the invention provides a method and a system for identifying controlled key infrastructure of an operator. The method comprises the following steps: for the public traffic message received by each consensus node cluster, each consensus node in the cluster selects an abnormal traffic detection method, obtains its own detection result and broadcasts that result to the other consensus nodes in the cluster; the consensus node cluster then identifies, based on the consensus mechanism and the detection result of each consensus node, whether the data acquisition node that sent the public traffic message is controlled. In the method and system provided by the embodiment of the invention, each detection result is generated by a randomly selected anomaly detection method and broadcast, consensus is reached across the whole consensus node cluster based on the practical Byzantine fault tolerance (PBFT) algorithm, and whether the data acquisition node is controlled is thereby identified. This improves identification efficiency and accuracy and ensures high effectiveness and high reliability of identification as well as scalability of the system.
Description
Technical Field
The invention relates to the technical field of communication, in particular to a controlled identification method and system for key infrastructure of an operator.
Background
If an operator's critical infrastructure is controlled by an attacker, the security consequences are serious. Currently, methods for identifying whether critical infrastructure is controlled mainly include feature-based methods and statistics-based methods.
A critical infrastructure controlled identification system may be built using feature-based methods and/or statistics-based methods. The identification methods adopted by the individual nodes of existing critical infrastructure controlled identification systems include: methods based on statistical analysis and comparison, methods based on machine learning, and methods based on blockchain techniques.
Moreover, in a traditional single-node system, when the system is attacked or fails to record, the failure of that node means the failure of the whole system. In a clustered system, although many nodes may record and back up data, even with multiple backups, the nodes trust each other; when some nodes are hacked or attacked and become traitor nodes, the clustered system cannot distinguish the traitor nodes, which results in the failure of the system.
In conclusion, the accuracy, effectiveness and reliability of the identification results of conventional methods for identifying controlled operator key infrastructure are low.
Disclosure of Invention
The embodiment of the invention provides a controlled identification method and system for key infrastructure of an operator, which are used for solving the defect of lower accuracy of an identification result in the prior art and realizing identification with high accuracy, high effectiveness and high reliability.
The embodiment of the invention provides a controlled identification method for key infrastructure of an operator, which comprises the following steps:
for public traffic information received by each consensus node cluster, each consensus node in the consensus node cluster selects an abnormal traffic detection method, and a detection result of the consensus node is obtained and broadcasted to other consensus nodes in the consensus node cluster;
the consensus node cluster identifies whether a data acquisition node sending the public traffic message is controlled or not based on a consensus mechanism and detection results of all the consensus nodes;
wherein the consensus node cluster comprises (3f+1) non-repeated consensus nodes, and f is a positive integer; the public traffic message carries a plurality of traffic characteristics of the target area network.
According to an embodiment of the present invention, the method for identifying the controlled infrastructure of the operator, after obtaining the voting result of the consensus node and broadcasting the voting result to other consensus nodes in the consensus node cluster, further includes:
Obtaining scores of voting results of the consensus nodes;
and if the score of the voting result of any one of the consensus nodes is judged to meet the preset condition, identifying that any one of the consensus nodes is controlled.
According to an embodiment of the present invention, before the step in which, for the public traffic message received by each consensus node cluster, each consensus node in the cluster selects an abnormal traffic detection method, obtains its detection result and broadcasts it to the other consensus nodes in the cluster, the method for identifying controlled operator critical infrastructure further includes:
according to a preset election algorithm, randomly selecting a plurality of groups of consensus node clusters from the consensus node pool;
wherein any consensus node in any group of consensus node clusters is not in other consensus node clusters.
According to an embodiment of the invention, the method for identifying the controlled key infrastructure of the operator, based on a consensus mechanism and detection results of all the consensus nodes, comprises the following specific steps of:
the consensus node receives the detection results broadcast by the other consensus nodes, votes according to the detection results of the consensus nodes and the detection results broadcast by the other consensus nodes, acquires the voting results of the consensus nodes and broadcasts the voting results to the other consensus nodes in the consensus node cluster;
And the consensus node receives the voting results broadcast by the other consensus nodes, and identifies whether the data acquisition node sending the public traffic message is controlled or not according to the voting results of the consensus node and the voting results broadcast by the other consensus nodes.
According to an embodiment of the present invention, in the method for identifying controlled operator key infrastructure, if the score of the voting result of any one of the consensus nodes is determined to satisfy the preset condition, identifying that consensus node as controlled further includes:
and taking any one of the consensus nodes as a failure node, and deleting the any one of the consensus nodes from the consensus node pool.
According to an embodiment of the present invention, in the method for identifying controlled operator key infrastructure, after the consensus node receives the voting results broadcast by the other consensus nodes and identifies, according to its own voting result and the voting results broadcast by the other consensus nodes, whether the data collection node that sent the public traffic message is controlled, the method further includes:
if the block building node determines that the number of voting results received from the consensus nodes is not less than 2f+1, generating a block to be uplinked according to the result of identifying whether the data acquisition node that sent the public traffic message is controlled, and placing the block to be uplinked in a block queue;
after the uplink node cluster successfully reaches consensus on each block to be uplinked in the block queue, adding that block to the blockchain;
wherein the block building node is a consensus node selected from each consensus node cluster according to a preset selection algorithm, and the uplink node cluster comprises 3f+1 distinct consensus nodes selected from those consensus nodes in the consensus node pool that were not selected into any consensus node cluster.
According to an embodiment of the invention, the method for identifying the controlled infrastructure of the operator comprises the following specific steps that each consensus node in the consensus node cluster selects an abnormal traffic detection method:
selecting an abnormal traffic detection method according to the height of the blockchain, the number (index) of each consensus node and the number of available abnormal traffic detection methods.
According to an embodiment of the present invention, after randomly selecting a plurality of groups of consensus node clusters from the consensus node pool according to a preset election algorithm, and before, for the public traffic message received by each consensus node cluster, each consensus node in the cluster selects an abnormal traffic detection method, obtains its detection result and broadcasts it to the other consensus nodes in the cluster, the method further includes:
Any consensus node in the consensus node cluster receives a flow message sent by a data acquisition node in a preset range based on a filtering mechanism and broadcasts the flow message to other consensus nodes in the consensus node cluster;
and if all the consensus nodes in the consensus node cluster receive the traffic message, determining the traffic message as a public traffic message.
The embodiment of the invention also provides a controlled identification system for key infrastructure of an operator, comprising:
a plurality of consensus nodes and a plurality of data acquisition nodes;
the data acquisition node is used for acquiring various flow characteristics of the target area network according to the flow information of the target area network and sending flow information carrying the various flow characteristics of the target area network to the consensus node;
the consensus node is used for identifying whether the data acquisition node is controlled or not and whether other consensus nodes are controlled or not based on a consensus mechanism and the flow message.
An operator key infrastructure controlled identification system according to one embodiment of the present invention comprises at least two layers of said data collection nodes;
each data acquisition node in the first layer is used for acquiring various flow characteristics of the first area network according to the flow information of the corresponding first area network;
The second layer comprises at least one data acquisition node; each data acquisition node in the second layer is used for acquiring various flow characteristics of each second area network according to a preset rotation algorithm and flow information of each second area network respectively;
wherein the second region is a sub-region of the first region.
In the method and system for identifying controlled key infrastructure of an operator provided by the embodiment of the invention, each detection result is generated by a randomly selected anomaly detection method and broadcast, consensus is reached across the whole consensus node cluster based on the practical Byzantine fault tolerance (PBFT) algorithm, and whether the data acquisition node is controlled is thereby identified. This improves identification efficiency and accuracy and ensures high effectiveness and high reliability of identification as well as scalability of the system.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of a controlled identification method of an operator key infrastructure according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of an operator key infrastructure controlled identification system according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the description of the embodiments of the present invention, it should be noted that the terms "center," "upper," "lower," "left," "right," "vertical," "horizontal," "inner," "outer," and the like indicate or are based on the orientation or positional relationship shown in the drawings, merely to facilitate description of the embodiments of the present invention and to simplify the description, and do not indicate or imply that the system or element referred to must have a specific orientation, be configured and operated in a specific orientation, and thus should not be construed as limiting the embodiments of the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In describing embodiments of the present invention, it should be noted that, unless explicitly stated and limited otherwise, the terms "mounted," "connected," and "connected" should be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communication between two elements. The specific meaning of the above terms in embodiments of the present invention will be understood in detail by those of ordinary skill in the art.
In order to overcome the problems in the prior art, the embodiment of the invention provides a method and a system for identifying controlled key infrastructure of an operator. Two kinds of nodes, data acquisition nodes and consensus nodes, are deployed on the operator's network structure; these two node kinds decouple the acquisition and detection functions for the whole network's traffic information, which improves the flexibility and scalability of the system. The data acquisition nodes are deployed in the network according to a specific deployment strategy, acquire characteristic information about network traffic data and send traffic messages to the consensus nodes. After receiving the traffic characteristic information sent by an acquisition node, a consensus node randomly selects an anomaly detection method to generate a detection result, broadcasts that result, reaches consensus in the whole blockchain network based on the PBFT (practical Byzantine fault tolerance) algorithm, and identifies whether the data acquisition node is controlled. Identification efficiency and accuracy are improved, and the effectiveness and reliability of identification and the scalability of the system are ensured.
Fig. 1 is a flow chart of a controlled identification method for an operator key infrastructure according to an embodiment of the present invention. The following describes a method for operator critical infrastructure controlled identification according to an embodiment of the present invention in connection with fig. 1. As shown in fig. 1, the method includes: step S101, selecting an abnormal traffic detection method for each consensus node in the consensus node cluster according to the public traffic message received by each consensus node cluster, obtaining a detection result of the consensus node and broadcasting the detection result to other consensus nodes in the consensus node cluster.
The common node cluster comprises (3f+1) non-repeated common nodes, and f is a positive integer; the public traffic message carries a plurality of traffic characteristics of the target area network.
It should be noted that, the method for identifying the controlled infrastructure of the operator provided by the embodiment of the invention is suitable for the system for identifying the controlled infrastructure of the operator.
The operator critical infrastructure controlled identification system consists of key infrastructure nodes of at least two types: a plurality of consensus nodes and a plurality of data acquisition nodes.
The data acquisition node is used for acquiring various flow characteristics of the target area network according to the flow information of the target area network, and sending flow information carrying the various flow characteristics of the target area network to the consensus node.
A network connection is defined as a sequence of TCP packets from beginning to end over a certain time period, during which data is transferred under a predefined protocol (e.g. TCP, UDP) from a source IP address to a destination IP address. Each network connection is labelled as normal (normal) or abnormal (attack), and the abnormal type is subdivided into 4 major classes covering 39 attack types. Each connection record is described by 41 features plus a final label (label), for a total of 42 entries. The first 41 traffic characteristics fall into 4 broad categories:
1) Basic characteristics of the TCP connection (9 in total)
2) Content characteristics of the TCP connection (13 in total)
3) Time-based network traffic statistics (9 in total)
4) Host-based network traffic statistics (10 in total)
The 4 abnormal types are:
DoS (denial of service): denial of service attacks such as ping-of-death, synflood, smurf, etc. Specifically, large volumes of useless data are produced so that the network to the attacked host becomes congested and the host cannot communicate normally with the outside; or a defect in how the attacked host provides a service or handles repeated connections on a transport protocol is exploited by sending repeated service requests at high frequency, so that the host cannot process other normal requests in time; or malformed data is sent repeatedly to exploit defects in the service program or transport protocol of the attacked host, so that system resources are allocated in large amounts and the host hangs or even crashes.
R2L (unauthorized access from a remote machine to a local machine): unauthorized access from a remote host, e.g. password guessing; an attacker without an account on the target host obtains local access rights to the machine and then, for example, exfiltrates or modifies data on it.
U2R (unauthorized access to local superuser privileges by a local unprivileged user): unauthorized local superuser privileged access, e.g. buffer overflow attacks.
PROBING (surveillance and probing): probe attacks, port monitoring or scanning, e.g. port-scan, ping-sweep, etc. This refers to attacks that scan a computer network or a DNS server to obtain valid IP addresses, active port numbers, host operating system types and security vulnerabilities.
After the traffic collection node collects the characteristic data of the traffic, the characteristic data is packaged into a message, the message's signature is attached, and the message is sent to the consensus node.
Each piece of traffic information may contain the following fields:
- srcaddr: source IP address, e.g. 119.75.216.20.
- dstaddr: destination IP address, e.g. 182.254.18.159.
- srcport: TCP/UDP source port, e.g. 60221.
- dstport: TCP/UDP destination port, e.g. 80, 443.
- prot: protocol type, e.g. 6 = TCP, 17 = UDP.
- First: start time of the flow.
- Last: time at which the last packet of the flow was received.
- size: total size in bytes of the data carried by the flow.
- PacketCount: number of datagrams in the flow.
And the consensus node is used for identifying whether the data acquisition node is controlled or not and whether other consensus nodes are controlled or not based on the consensus mechanism and the traffic message.
Specifically, for the data acquisition node, after the data acquisition node is controlled by an attack, the system can identify the abnormality through the consensus detection among different consensus nodes in the blockchain.
The consensus nodes in each consensus node cluster broadcast the traffic characteristic information < m, d > they received from the data acquisition nodes and vote to reach a common set of screened messages < m1, m2, m3, m4 >, where m is the message and d is its digest.
The messages in the common set of messages are common traffic messages.
Each consensus node independently records each piece of flow information in the public set, and each piece of flow information corresponds to a vector and is used for recording a result.
The consensus node integrates and packages various abnormal flow detection methods and can be called by the consensus node at any time. The abnormal flow detection method can be upgraded and iterated at any time. When each consensus node verifies abnormal traffic, one method is randomly selected from a plurality of abnormal traffic detection methods preset by the system to perform independent verification.
The abnormal traffic detection methods may include:
Fixed threshold method: the administrator determines a traffic threshold per unit time in advance and enters it manually into the system, which calls an API to pass the parameter to the program.
Feature detection: feature libraries of all abnormal network behaviours are established, the current traffic characteristics are matched against the feature libraries, and whether the current network data is normal is judged from the matching result.
Statistical analysis: a judgement criterion is derived by analysing existing historical data records, and new network traffic data is judged against it, for example by predicting traffic with an ARIMA model.
Cluster analysis: the network traffic is classified with a classification method, and abnormal traffic is detected with a decision tree method.
Correlation analysis: the traffic characteristic information is matched with fuzzy association rules, and abnormal traffic is detected by building association relations among the traffic characteristics.
The detection analysis was performed according to the method chosen, and the voting results were marked as 0 and 1 (0 representing normal and 1 representing abnormal) and recorded in a vector. And combining the node number i, the message number k, the message hash h, the result r (r is 0 or 1) and the signature sig of the node into one message to be broadcast.
Step S102, the consensus node cluster identifies whether the data acquisition node sending the public traffic message is controlled or not based on the consensus mechanism and the detection result of each consensus node.
Specifically, after each consensus node receives the voting result broadcast by another consensus node, if the signature sig is verified as valid, the result is placed in the slot of the vector corresponding to that node (the node number i).
Each consensus node then counts the voting results in the vector of each message; if the number of 1s is more than 2f+1, the traffic characteristic information is abnormal, and information such as the IP address, port and time contained in the message is extracted for tracking and located to a specific traffic acquisition node area.
It should be noted that the parallel processing of traffic characteristics by the plurality of consensus node clusters ensures the performance of the system. Each cluster has an IPtable filtering mechanism enabled and receives only data sent by specific acquisition nodes, which avoids duplicate reception, so the traffic characteristics processed by the clusters do not overlap. After each cluster packages its blocks, the blocks are placed directly in a queue, and other clusters reach consensus on uplinking the blocks. The clusters do not interfere with each other and need no synchronous waiting, which improves the performance of the whole system.
The embodiment of the invention generates the detection result with a randomly selected anomaly detection method and broadcasts it, reaches consensus in the whole consensus node cluster based on the practical Byzantine fault tolerance algorithm, and identifies whether the data acquisition node is controlled, thereby improving identification efficiency and accuracy and ensuring high effectiveness and reliability of identification and scalability of the system.
Based on the content of the foregoing embodiments, after the voting result of the consensus node is obtained and broadcasted to other consensus nodes in the consensus node cluster, the method further includes: and obtaining scores of voting results of the consensus nodes.
Specifically, for the consensus nodes, false behaviour of a consensus node can be identified through the Byzantine protocol together with the reputation mechanism. A consensus node with false behaviour is a controlled consensus node.
In order to ensure system security, a node reputation system is added: a reputation mechanism, working together with an improved Byzantine protocol, identifies cheating consensus nodes. The voting results are themselves voted on to judge whether traitor nodes exist; the reputation system scores the votes and then identifies the "traitor" nodes.
After each vote is finished, the voting result of each consensus node is scored. If the voting result of a consensus node is inconsistent with the consensus result, that node's score for the vote is lower; if it is consistent with the consensus result, that node's score for the vote is higher.
If the score of the voting result of any consensus node is judged to meet the preset condition, any consensus node is identified to be controlled.
Specifically, the score of each consensus node is recorded, and the credit of the consensus node can be identified by analyzing the score record.
The preset conditions may be that the score is always very low.
If a certain consensus node, which is controlled, has been very low in credit, it can be considered a "traitor" node, possibly under the control of a virus attack or hacker, with a false behaviour.
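The vote tally with the 2f+1 threshold and the per-vote scoring of consensus nodes described above, as an added illustration that is not the patent's own code. It assumes one vote vector per traffic message (index = consensus node number, 1 = abnormal, 0 = normal, None = no vote received), a score that rises by one when a node agrees with the consensus result and falls by one otherwise, and a "consistently very low" preset condition expressed as a score at or below LOW_SCORE over WINDOW consecutive votes; f, the thresholds and the sample votes are constructed.

```python
"""Tallying votes with the 2f+1 threshold and scoring consensus nodes."""
from collections import Counter, defaultdict

F = 2                       # tolerated faulty nodes; cluster size is 3f+1 = 7
CLUSTER_SIZE = 3 * F + 1
QUORUM = 2 * F + 1          # a result stands once 2f+1 nodes agree on it
LOW_SCORE = -3              # assumed preset condition: score <= LOW_SCORE ...
WINDOW = 3                  # ... for WINDOW consecutive votes


def consensus_result(vote_vector):
    """Return the vote value backed by at least 2f+1 nodes, or None."""
    counts = Counter(v for v in vote_vector if v is not None)
    for value, n in counts.items():
        if n >= QUORUM:
            return value
    return None


class ReputationLedger:
    """Score record of every consensus node in the pool."""

    def __init__(self, node_ids):
        self.pool = set(node_ids)               # nodes still allowed to vote
        self.scores = {i: 0 for i in node_ids}
        self.history = defaultdict(list)        # node -> score after each vote

    def score_vote(self, vote_vector):
        """Score every voting node against the consensus result of one vector."""
        result = consensus_result(vote_vector)
        if result is None:
            return None                         # no quorum, nothing to score
        for node, vote in enumerate(vote_vector):
            if node not in self.pool or vote is None:
                continue
            self.scores[node] += 1 if vote == result else -1
            self.history[node].append(self.scores[node])
        return result

    def traitors(self):
        """Nodes whose score stayed at or below LOW_SCORE for WINDOW votes."""
        found = []
        for node in sorted(self.pool):
            recent = self.history[node][-WINDOW:]
            if len(recent) == WINDOW and all(s <= LOW_SCORE for s in recent):
                found.append(node)
        return found

    def evict_traitors(self):
        """Treat identified nodes as failure nodes and drop them from the pool."""
        bad = self.traitors()
        self.pool -= set(bad)
        return bad


def constructed_votes(rounds):
    """Constructed sample: node 6 always votes against the majority, node 5 is
    wrong every other round, the rest vote 1 in even rounds and 0 in odd ones."""
    vectors = []
    for r in range(rounds):
        honest = 1 if r % 2 == 0 else 0
        vec = [honest] * CLUSTER_SIZE
        vec[6] = 1 - honest
        if r % 2 == 1:
            vec[5] = 1 - honest
        vectors.append(vec)
    return vectors


def simulate(rounds=5):
    """Run the constructed votes, score them and evict identified traitors."""
    ledger = ReputationLedger(range(CLUSTER_SIZE))
    results = [ledger.score_vote(vec) for vec in constructed_votes(rounds)]
    evicted = ledger.evict_traitors()
    return results, evicted, ledger


if __name__ == "__main__":
    res, bad, ledger = simulate()
    print("consensus results:", res)
    print("evicted as traitors:", bad, "scores:", ledger.scores)
```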
The embodiment of the invention continuously scores the voting results of the consensus nodes and identifies controlled consensus nodes according to multiple scoring results, thereby improving identification efficiency and accuracy and ensuring high effectiveness and reliability of the identification and the scalability of the system.
Based on the foregoing embodiments, before each consensus node in a consensus node cluster selects an abnormal traffic detection method for the common traffic message received by that cluster, obtains its detection result and broadcasts it to the other consensus nodes in the cluster, the method further includes: randomly selecting a plurality of groups of consensus node clusters from the consensus node pool according to a preset election algorithm.
Any consensus node in any group of consensus node clusters is not in any other consensus node cluster.
Specifically, the node pool is composed of all consensus nodes, the number of which is m = a(3f+1), where a is a positive integer. "Traitor nodes" excluded by the node reputation mechanism are not counted; a falsified consensus node is added back to the preselected node pool after its fault has been cleared.
A PRNG algorithm may be used to generate a random number R, and the selected node number is k = R % n, where n is the total number of nodes remaining in the current node pool. This is repeated 3f+1 times, and one group of consensus nodes is selected.
The steps are repeated to select a plurality of groups of consensus node clusters. The number of groups of consensus node clusters selected is (a-1).
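The cluster election above, drawing k = R % n from the shrinking pool until a-1 disjoint clusters of 3f+1 nodes are formed and the last 3f+1 idle nodes are left as the uplink node cluster, as an added example that is not the patent's own code. It assumes the pool already excludes traitor nodes and holds exactly a(3f+1) node numbers, and it uses Python's random.Random with a caller-supplied seed as the PRNG; the 12-node pool is constructed.

```python
"""Drawing disjoint consensus node clusters and the uplink cluster from the pool."""
import random


def select_clusters(pool, f, seed):
    """Return (clusters, uplink): a-1 groups of 3f+1 nodes plus the 3f+1 left over."""
    size = 3 * f + 1
    remaining = list(pool)                  # nodes not yet selected
    if len(remaining) < 2 * size or len(remaining) % size != 0:
        raise ValueError("pool must hold a(3f+1) nodes with a >= 2")
    a = len(remaining) // size
    prng = random.Random(seed)              # assumed PRNG
    clusters = []
    for _ in range(a - 1):
        group = []
        for _ in range(size):
            R = prng.getrandbits(32)        # random number R
            k = R % len(remaining)          # k = R % n, n = nodes still unselected
            group.append(remaining.pop(k))  # a selected node leaves the pool
        clusters.append(sorted(group))
    uplink = sorted(remaining)              # idle nodes: the uplink node cluster
    return clusters, uplink


def groups_are_disjoint(groups):
    """True when no node number appears in two groups."""
    seen = set()
    for g in groups:
        if seen.intersection(g):
            return False
        seen.update(g)
    return True


if __name__ == "__main__":
    # Constructed pool: f = 1 and a = 3, so 12 nodes give two clusters of 4
    # plus an uplink cluster of 4.
    clusters, uplink = select_clusters(range(12), f=1, seed=2020)
    print("clusters:", clusters)
    print("uplink cluster:", uplink, "disjoint:", groups_are_disjoint(clusters + [uplink]))
```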
Each group of consensus node clusters receives traffic messages from a different traffic acquisition domain and verifies them. By configuring iptables, each consensus node cluster accepts only the traffic messages sent by the data acquisition nodes within its specific range and filters out the messages sent by the remaining data acquisition nodes, which prevents different consensus node clusters from receiving repeated messages.
In the embodiment of the invention, traffic data is processed in parallel by selecting different consensus node groups; and while the block building node of the consensus node cluster is being verified, the content of each traffic characteristic message in the common traffic characteristic message set S is verified in parallel.
According to the embodiment of the invention, different consensus node groups are selected and the plurality of consensus node groups process the traffic data in parallel, so the performance and recognition efficiency of the whole system can be improved.
Based on the content of the above embodiments, the specific steps of identifying, based on the consensus mechanism and the detection result of each consensus node, whether the data acquisition node sending the common traffic message is controlled include: the consensus node receives the detection results broadcast by the other consensus nodes, votes according to its own detection result and the detection results broadcast by the other consensus nodes, obtains its voting result and broadcasts it to the other consensus nodes in the consensus node cluster.
In particular, the Practical Byzantine Fault Tolerance protocol (PBFT) employs cryptographic techniques (the RSA signature algorithm, message authentication codes and digests) to ensure that the message transfer process cannot be tampered with or broken.
A node in the group is selected as the block node by a random algorithm. The period during which the block node is not switched is hereinafter referred to as a view (View); one view represents one round of the consensus process. Views are consecutively numbered integers, which guarantees the sequential nature of consensus within each consensus node group. The state of each consensus node contains the overall state of the service, a message log holding the messages accepted by the node, and an integer representing the node's current view number.
The processing carried out by each consensus node cluster comprises the following four steps: determining the common traffic feature message set, determining the block node, voting, and forwarding the votes.
The step of determining the common traffic feature message set is as follows:
Within a period of time, the data acquisition nodes collect traffic data information across the whole network; after most of the traffic data information of that period has been acquired, each data acquisition node broadcasts the traffic information to all consensus nodes in the network. Each consensus node cluster receiving traffic data information sent by a data acquisition node first stores the received traffic information.
According to the current network state information and the number of traffic data messages received by a given consensus node cluster, a temporary dynamic scanning amount N is randomly set for that cluster; the traffic data received by the cluster is then scanned, N traffic messages are taken from it and broadcast to all other consensus nodes, and the other consensus node clusters repeat the same operation.
After the consensus node clusters have broadcast traffic messages for a period of time, that is, after each cluster has had sufficient time to receive the traffic messages sent by the other consensus node clusters, each cluster compares the N traffic data messages it just broadcast with the traffic messages broadcast by the other consensus nodes and received during that period, determines all the traffic data they have in common, and those traffic data messages form the common traffic feature message set S.
After receiving the results broadcast by the other nodes, each node verifies the signature sig; if sig is valid, the result is placed at the corresponding position (the node number i) of the vector.
The block building node broadcasts its abnormal traffic verification result and the MD5 of the abnormal traffic verification method it adopted to the other consensus nodes and initiates consensus; the other consensus nodes record the vote of the block building node in the vector after receiving it and verifying the signature.
The block node is a consensus node that receives the traffic message from the data acquisition node.
After receiving the information broadcast by the block building node, the consensus node verifies it, votes, and attaches its own signature. It then broadcasts its own voting result.
The specific process is as follows:
The block node assigns a sequence number n to the abnormal traffic verification result of a period of time, then broadcasts its own verification result message to all other consensus nodes in the group and signs it. The message vector format is <<PREPARE, view, n, digest, signature, methods>, message>, where view is the view number; n is the traffic processing sequence number; digest is the digest of the traffic characteristic message; signature is the signature field, which contains the signature of the block node and reserves space for the signatures of the consensus nodes that follow; methods is the method field, which contains the MD5 code of the detection method the block node used to verify the traffic and reserves space for the MD5 codes of the verification methods used by the following consensus nodes; and message is the traffic data characteristics and the abnormal verification result message.
When the other consensus nodes in the group receive the verification result information of the block building node, they check its validity. Only after the following conditions are met does each consensus node verify the block building node's processing result for the abnormal traffic, compare it with its own processing result, and finally vote. The validity check conditions are:
a) The message signature is that of the block building node, and the digest is consistent with the digest of the message.
b) The current view number is view.
c) The consensus node has never accepted a message with sequence number n but a different digest in view.
d) The sequence number n of the message must lie between the lower and upper watermark limits h and H (the watermark exists to prevent a failed node from exhausting the sequence number space by using a very large sequence number).
After verification, the consensus node adds its voting result to the message, adds its own signature in the signature field, adds the MD5 code of the detection method it used for verification in the methods field, and writes the voting result, the MD5 code of the verification method and the message information into its own message log.
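The validity checks a) to d) and the follow-up vote on a PREPARE message, as an added example that is not the patent's own code. It assumes the block node's RSA signature is stood in for by HMAC-SHA256 under a per-node secret, the digest is SHA-256 of the message body, the message log is keyed by (view, n), and h and H are the low and high watermarks; the message contents, secrets and method MD5 strings are constructed.

```python
"""Validity checks a consensus node applies to a block node's PREPARE message."""
import hashlib
import hmac


def digest(message: bytes) -> str:
    return hashlib.sha256(message).hexdigest()


def sign(secret: bytes, payload: str) -> str:
    # Stand-in for an RSA signature over the fields that identify the proposal.
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def prepare_payload(view, n, d):
    return f"PREPARE|{view}|{n}|{d}"


def make_prepare(view, n, message, method_md5, block_secret):
    """Build <<PREPARE, view, n, digest, signature, methods>, message>."""
    d = digest(message)
    return {"type": "PREPARE", "view": view, "n": n, "digest": d,
            "signature": [sign(block_secret, prepare_payload(view, n, d))],
            "methods": [method_md5],     # block node's method MD5 comes first
            "votes": [],                 # voting results appended by followers
            "message": message}


class ConsensusNode:
    def __init__(self, node_id, secret, view, low, high, block_secret):
        self.node_id, self.secret, self.view = node_id, secret, view
        self.h, self.H = low, high               # watermarks: h <= n <= H
        self.block_secret = block_secret         # key verifying the block node
        self.log = {}                            # (view, n) -> accepted digest

    def check_prepare(self, msg):
        """Return (ok, reason) for conditions a) to d)."""
        expected = sign(self.block_secret,
                        prepare_payload(msg["view"], msg["n"], msg["digest"]))
        if not hmac.compare_digest(expected, msg["signature"][0]):
            return False, "a) signature is not the block node's"
        if digest(msg["message"]) != msg["digest"]:
            return False, "a) digest does not match message"
        if msg["view"] != self.view:
            return False, "b) view number mismatch"
        prior = self.log.get((msg["view"], msg["n"]))
        if prior is not None and prior != msg["digest"]:
            return False, "c) different digest already accepted for n in view"
        if not self.h <= msg["n"] <= self.H:
            return False, "d) sequence number outside watermarks"
        return True, "ok"

    def vote(self, msg, verdict, method_md5):
        """Verify, then append own vote, signature and method MD5 and log it."""
        ok, reason = self.check_prepare(msg)
        if not ok:
            return False, reason
        self.log[(msg["view"], msg["n"])] = msg["digest"]
        msg["votes"].append((self.node_id, verdict))
        msg["signature"].append(
            sign(self.secret, f"{self.node_id}|{msg['digest']}|{verdict}"))
        msg["methods"].append(method_md5)
        return True, reason


def demo():
    """Constructed exchange: one valid PREPARE, then five invalid variants."""
    block_secret, node_secret = b"block-node-secret", b"node-3-secret"
    node = ConsensusNode(3, node_secret, view=7, low=100, high=200,
                         block_secret=block_secret)
    msg = make_prepare(7, 150, b"srcaddr=10.0.0.5 dstport=443 flags=S count=5000",
                       "md5-of-method-2", block_secret)
    outcomes = [node.vote(msg, 1, "md5-of-method-5")[1]]
    # c) same n in the same view but a different traffic message
    conflict = make_prepare(7, 150, b"srcaddr=10.0.0.9 dstport=80", "m", block_secret)
    outcomes.append(node.check_prepare(conflict)[1])
    # d) sequence number beyond the high watermark
    outcomes.append(node.check_prepare(make_prepare(7, 999, b"x", "m", block_secret))[1])
    # b) stale view
    outcomes.append(node.check_prepare(make_prepare(6, 151, b"x", "m", block_secret))[1])
    # a) message body altered in transit, so the digest no longer matches
    tampered = make_prepare(7, 151, b"original", "m", block_secret)
    tampered["message"] = b"altered"
    outcomes.append(node.check_prepare(tampered)[1])
    # a) signed under a key that is not the block node's
    forged = make_prepare(7, 152, b"y", "m", b"some-other-secret")
    outcomes.append(node.check_prepare(forged)[1])
    return outcomes, msg


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```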
The consensus node receives the voting results broadcast by the other consensus nodes and identifies whether the data acquisition node sending the common traffic message is controlled according to its own voting result and the voting results broadcast by the other consensus nodes.
Specifically, the consensus node votes on the traffic characteristic message sent by the block node and broadcasts its vote, and it also receives the voting results broadcast by the other consensus nodes, which it forwards. Each traffic characteristic message corresponds to a vector that stores the voting results of all consensus nodes for that message.
After receiving a voting result message sent by another consensus node, the consensus node checks three validity conditions: whether the signature of the message is correct, whether the view number is consistent, and whether the message sequence number is within the watermark limits. If the check passes, the PREPARE message is written into the message log; the node then adds its own signature to the signature field of the received voting result message and broadcasts it to the other consensus nodes.
Each consensus node counts the votes it has received; once the same result has been received from at least 2f+1 different consensus nodes, that result is taken as the final result R.
Based on the foregoing content of each embodiment, if the score of the voting result of any consensus node is judged to satisfy the preset condition, after identifying that consensus node as controlled, the method further includes: treating that consensus node as a failure node and deleting it from the consensus node pool.
Specifically, once falsification behavior of a consensus node is found, the node is immediately excluded from the voting nodes as a failure node and deleted from the consensus node pool.
According to the embodiment of the invention, the controlled consensus node is treated as a failure node and deleted from the consensus node pool, so the identification accuracy can be improved.
Based on the foregoing embodiments, after the consensus node receives the voting results broadcast by the other consensus nodes and identifies whether the data acquisition node sending the common traffic message is controlled according to its own voting result and the voting results broadcast by the other consensus nodes, the method further includes: if the block building node judges that the number of voting results received from the consensus nodes is not less than (2f+1), generating a block to be added to the chain according to the result of identifying whether the data acquisition node sending the common traffic message is controlled, and placing the block in a block queue.
The block building node is one consensus node selected from each consensus node cluster according to a preset selection algorithm.
Specifically, a blockchain is a data structure in which blocks containing traffic characteristic message information are linked sequentially from back to front. A block is divided into a block header and a block body. Each block header contains the hash value of its parent block. This sequence of hash values linking each block to its parent creates a chain that can be traced back to the first block. A block is the data structure that aggregates traffic characteristic message information in the blockchain, where the traffic characteristic message information is mainly traffic data and its verification result.
The block body mainly stores data information: the traffic data information, the judgment of each consensus node on whether the traffic information is abnormal, and the MD5 code of the detection method the consensus node adopted for abnormal traffic verification.
The primary identifier of a block is its cryptographic hash value, a digital fingerprint obtained by hashing the block header twice with the SHA256 algorithm. The resulting hash value is called the block hash value; it uniquely and unambiguously identifies a block, and any node can obtain it independently by simply hashing the block header. The second way to identify a block is by its position in the blockchain, the "block height". The first block has a block height of 0. Thus a block can be identified in two ways: by its block hash value or by its block height.
When a consensus node calls an abnormal traffic detection method for verification it can obtain the MD5 code of that method. The MD5 code is broadcast together with the abnormal traffic verification result and the node signature, serves as the identifier of the detection method, and is stored in the blockchain together with the traffic information and the abnormal traffic verification result for traceability queries.
After each consensus node in the consensus node cluster agrees with the check result for the traffic message, the block building node packages the traffic message and the result into a block.
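The block layout just described (header with parent hash, body with traffic record, verdicts and method MD5 codes, block hash as SHA256 applied twice to the header, lookup by hash or by height) together with a chain verifier, as an added example that is not the patent's own code. It assumes headers and bodies are serialized as sorted-key JSON, that the method MD5 is computed over the packaged method source, and that the genesis parent hash is 64 zero digits; the traffic records are constructed.

```python
"""Block structure, double-SHA256 block hash, parent linkage and verification."""
import hashlib
import json

GENESIS_PARENT = "0" * 64


def double_sha256(data: bytes) -> str:
    """The 'secondary hash': SHA-256 of the SHA-256 of the header bytes."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def method_id(method_source: str) -> str:
    """MD5 over the packaged detection method, used as its identifier (assumed)."""
    return hashlib.md5(method_source.encode()).hexdigest()


def serialize(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_block(height, parent_hash, body):
    header = {"height": height, "parent_hash": parent_hash,
              "body_hash": hashlib.sha256(serialize(body)).hexdigest()}
    return {"header": header, "body": body, "hash": double_sha256(serialize(header))}


def append_block(chain, body):
    """Use the hash of the current top block as the parent hash of the new one."""
    parent = chain[-1]["hash"] if chain else GENESIS_PARENT
    chain.append(make_block(len(chain), parent, body))
    return chain[-1]


def verify_chain(chain):
    """Recompute every hash and check each block points at its parent."""
    for i, blk in enumerate(chain):
        hdr = blk["header"]
        parent = chain[i - 1]["hash"] if i else GENESIS_PARENT
        if hdr["height"] != i or hdr["parent_hash"] != parent:
            return False
        if hdr["body_hash"] != hashlib.sha256(serialize(blk["body"])).hexdigest():
            return False
        if double_sha256(serialize(hdr)) != blk["hash"]:
            return False
    return True


def find_block(chain, *, height=None, block_hash=None):
    """Locate a block by either of its two identifiers."""
    if height is not None:
        return chain[height] if 0 <= height < len(chain) else None
    return next((b for b in chain if b["hash"] == block_hash), None)


def constructed_body(n):
    """Constructed body: a traffic record, each node's verdict and method MD5."""
    m1, m2 = method_id("class Method1: ..."), method_id("class Method2: ...")
    return {"traffic": {"srcaddr": "10.0.0.5", "dstaddr": "10.0.1.9",
                        "srcport": 40000 + n, "dstport": 443, "prot": 6,
                        "size": 1500 * n, "PacketCount": n},
            "verdicts": [{"node": 0, "abnormal": 1, "method": m1},
                         {"node": 1, "abnormal": 1, "method": m2},
                         {"node": 2, "abnormal": 1, "method": m1}]}


def build_constructed_chain(length=3):
    chain = []
    for n in range(length):
        append_block(chain, constructed_body(n))
    return chain


if __name__ == "__main__":
    chain = build_constructed_chain()
    print("valid:", verify_chain(chain), "top hash:", chain[-1]["hash"])
```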
The determination of the block node is as follows:
To determine the block node, a preselected index T is set, and T is combined with the node reputation system to establish a block node selection mechanism. Let P (0 < P < 1) be the reputation score of a node after each round of consensus and e be the number of times this node has been selected as the block node. The exponential relationship is:
T = P^e
When each block node is selected, the preselected indexes T of the consensus nodes in the group are sorted, and the node with the highest preselected index is selected as the block node.
When a node's reputation score is unchanged and consistently relatively high, e increases each time it becomes the block building node and its preselected index T decreases. Therefore the block building node selected each time is not always the same node with good credit, and every node with good credit has the opportunity to be selected as the block building node.
If the reputation score of a node is low, P is low, its preselected index T is guaranteed to be low, and the probability of it being selected as the block node is low.
Nodes with poor reputation across multiple rounds of consensus may be cheating. A node identified as false by the node reputation mechanism cannot participate in voting and cannot join the node pool from which consensus node groups are selected. After the consensus node's fault is cleared, it re-enters the preselected node pool.
After the block node is determined, it verifies the traffic characteristic message information and broadcasts the verification result together with the MD5 code of the abnormal traffic detection method it adopted to all consensus nodes.
The block is agreed upon by the consensus nodes in the consensus node cluster. After consensus succeeds, the block is placed in the block queue as a block to be added to the chain.
Each consensus node attaches its signature to R and broadcasts its own COMMIT message, <<COMMIT, view, n, digest(message), signature, methods>, message>, to the other nodes. When the block building node has aggregated at least 2f+1 COMMIT messages that it has verified, the consensus proposal has passed.
The block building node builds a block according to the result, puts it into a pre-block queue, and waits for idle consensus nodes to carry out consensus on the parent block hash of each block and build the final block.
After the uplink node cluster reaches consensus on each block to be uplinked in the block queue, each such block is added to the blockchain.
The uplink node cluster comprises (3f+1) distinct consensus nodes selected from the consensus nodes in the consensus node pool that were not selected into any consensus node cluster.
Specifically, the uplink node cluster selected from the remaining idle nodes in the consensus node pool takes a block out of the queue, uses the hash of the current top block header of the blockchain as the previous-block hash of that block, carries out consensus and attaches signatures. After consensus succeeds, the block becomes the new top block of the blockchain.
The detection result confirmed by consensus is recorded on the blockchain and can be traced and queried at any time. Abnormal traffic is verified and processed based on an improved Byzantine consensus protocol, a blockchain network record of abnormal information is established, and traceability queries can be performed at any time.
The embodiment of the invention adopts a Byzantine blockchain system to record and store abnormal information, and the blockchain structure ensures tamper resistance and data safety. The traffic characteristic information, the detection result and the detection method digest are stored on the blockchain, which is extremely difficult to tamper with; and because the blockchain is a distributed database, data can be recovered from other nodes even if one node loses it. The whole consensus system adopts a Byzantine fault-tolerant mechanism, and an attacker can only compromise the whole system by attacking more than f nodes at the same time, which is difficult.
Based on the foregoing content of each embodiment, the specific step of each consensus node in the consensus node cluster selecting an abnormal traffic detection method includes: selecting the abnormal traffic detection method according to the height of the blockchain, the number of the consensus node and the number of abnormal traffic detection methods.
Specifically, the data detection module of the consensus node has N independent detection methods, numbered 1 to N, where N is a positive integer. Each method is packaged as a class and exposes only a simple function interface.
When a consensus node detects traffic data, in order that the consensus nodes participating in this round of voting use the various detection methods as evenly as possible, the consensus node determines the abnormal traffic detection method for this round by the following selection method before detecting the traffic data information:
1) Obtain the current blockchain height H and the node number K.
2) Calculate M = (H + K) % N + 1, where M is the number of the abnormal traffic detection method selected by the node.
According to the embodiment of the invention, the abnormal traffic detection method is selected according to the height of the blockchain, the number of each consensus node and the number of abnormal traffic detection methods, so recognition efficiency and accuracy can be improved.
Based on the foregoing embodiments, randomly selecting a plurality of groups of consensus node clusters from the consensus node pool according to a preset election algorithm, and each consensus node in a consensus node cluster selecting an abnormal traffic detection method for the common traffic message received by that cluster, obtaining its detection result and broadcasting it to the other consensus nodes in the cluster, further includes: any consensus node in the consensus node cluster receiving, based on a filtering mechanism, the traffic information sent by the data acquisition nodes in a preset range and broadcasting it to the other consensus nodes in the cluster.
Specifically, the data collection node receives the traffic information data packets collected by the traffic information collection tool and ensures that a packet comes from a valid traffic source by checking whether its size, version number and number of bytes received are sufficient to accommodate the header information. After receiving a valid data packet, the data acquisition node processes the received traffic information flow and packages the needed data into a traffic characteristic message, which it sends to all consensus nodes at intervals. Unlike general data acquisition, the data acquisition node of this system signs the traffic characteristic message, which improves data validity.
If all consensus nodes in the consensus node cluster receive a traffic message, the traffic message is determined to be a common traffic message.
Specifically, for any traffic message, if all consensus nodes in the consensus node cluster receive it, it is a common traffic message.
According to the embodiment of the invention, whether the data acquisition node sending a traffic message is controlled is identified according to the traffic messages received by all consensus nodes, so identification efficiency and accuracy can be improved and high effectiveness and high reliability of the identification can be ensured.
The controlled identification system for operator key infrastructure provided by the embodiment of the invention is described below; the system described below and the controlled identification method for operator key infrastructure described above may be referred to correspondingly.
Fig. 2 is a schematic structural diagram of an operator key infrastructure controlled identification system according to an embodiment of the present invention. Based on the foregoing embodiments, the system includes a plurality of consensus nodes 202 and a plurality of data acquisition nodes 201, as shown in FIG. 2.
In particular, the operator critical infrastructure controlled identification system is made up of critical infrastructure of at least two types: a plurality of consensus nodes 202 and a plurality of data acquisition nodes 201.
The data collection node 201 is configured to obtain multiple traffic characteristics of the target area network from the traffic information of the target area network and send a traffic message carrying those traffic characteristics to the consensus nodes.
Specifically, a network connection is defined as the sequence of TCP packets from beginning to end over a period of time during which data is transferred under a predefined protocol (e.g., TCP, UDP) from a source IP address to a destination IP address. Each network connection is marked as normal (normal) or abnormal (attack), and the abnormal type is subdivided into 4 major classes covering 39 attack types. Each connection record is described by 41 features plus a final label (label), for a total of 42 entries. The 41 traffic characteristics fall into 4 broad categories:
1) Basic characteristics of the TCP connection (9 in total)
2) Content characteristics of the TCP connection (13 in total)
3) Time-based network traffic statistics (9 in total)
4) Host-based network traffic statistics (10 in total)
The 4 abnormal types are:
DoS (denial of service): denial of service attacks such as ping-of-death, synflood, smurf, etc. Specifically, large amounts of useless traffic are generated, causing network congestion at the attacked host so that it cannot communicate normally with the outside; or a defect in how the attacked host provides a service or handles repeated connections on a transport protocol is exploited by sending aggressive repeated service requests at high frequency, so that the host cannot process other normal requests in time; or defects in the service program or transport protocol of the attacked host are exploited by repeatedly sending malformed attack data, so that system resources are consumed in large amounts and the host hangs or even crashes.
R2L (unauthorized access from a remote machine to a local machine): unauthorized access from a remote host, e.g., guessing passwords; an attacker without an account on the target host obtains local access rights to the machine and then steals data from it, modifies its data, and so on.
U2R (unauthorized access to local superuser privileges by a local unprivileged user): unauthorized local superuser privileged access, e.g., buffer overflow attacks.
PROBING (surveillance and probing): probe attacks, port monitoring or scanning, e.g. port-scan, ping-sweep, etc. This refers to attacks that scan a computer network or DNS server to obtain valid IP addresses, active port numbers, host operating system types and security vulnerabilities.
When the traffic collection node 201 collects the characteristic data of the traffic, it encapsulates the characteristic data into a message, attaches its own signature, and sends the message to the consensus nodes.
Each piece of traffic information may contain the following fields:
srcaddr: source IP address, e.g., 119.75.216.20.
dstaddr: destination IP address, e.g., 182.254.18.159.
srcport: TCP/UDP source port, e.g., 60221.
dstport: TCP/UDP destination port, e.g., 80, 443.
prot: protocol type, e.g., 6 = TCP, 17 = UDP.
First: start time of the information flow.
Last: time at which the last packet of the information flow was received.
size: total size of the information carried by the flow, in bytes.
PacketCount: number of datagrams in the information flow.
The consensus node 202 is configured to identify, based on the consensus mechanism and the traffic message, whether the data collection node is controlled and whether other consensus nodes are controlled.
Specifically, for the common traffic message received by each consensus node cluster, each consensus node 202 in the cluster selects an abnormal traffic detection method, obtains its detection result, and broadcasts it to the other consensus nodes 202 in the cluster.
The consensus node cluster identifies whether the data acquisition node sending the common traffic message is controlled based on the consensus mechanism and the detection result of each consensus node.
The operator key infrastructure controlled identification system provided by the embodiment of the present invention is used to execute the operator key infrastructure controlled identification method; the specific methods and flows by which each module included in the system implements its corresponding functions are detailed in the embodiments of the method and are not repeated here.
The operator critical infrastructure controlled identification system is used for the operator critical infrastructure controlled identification method of the foregoing embodiments. Therefore, the descriptions and definitions in the method of the foregoing embodiments may be used to understand the execution modules in the embodiments of the present invention.
The embodiment of the invention generates detection results by randomly selecting anomaly detection methods and broadcasts them, carries out consensus in the whole consensus node cluster based on a Practical Byzantine Fault Tolerance (PBFT) algorithm, and identifies whether the data acquisition node is controlled, thereby improving identification efficiency and accuracy and ensuring high effectiveness and high reliability of the identification and the scalability of the system.
Based on the foregoing embodiments, the operator critical infrastructure controlled identification system includes at least two layer data collection nodes.
Specifically, based on the network structure of the operator, at least two layers of data acquisition nodes can be deployed, corresponding to networks of different areas.
Each data acquisition node in the first layer is configured to acquire multiple traffic characteristics of the first area network according to traffic information of the corresponding first area network.
Specifically, the first area is generally a provincial domain, and the first area network is a provincial domain network (abbreviated as "provincial domain network").
In each intra-provincial network of the operator, the switching route of the provincial node on the tandem layer is connected with the metropolitan area network in other all provincial networks. The fixed number of data acquisition nodes are deployed on the provincial node, and the number of the provincial nodes in the network topology structure of the operator is very limited, so that the economic cost of deploying the data acquisition nodes on each provincial node route is relatively small.
The second layer comprises at least one data acquisition node; each data acquisition node in the second layer is used for acquiring multiple flow characteristics of the second area network according to the flow information of each second area network according to a preset rotation algorithm.
Wherein the second region is a sub-region of the first region.
Specifically, the second area is typically a metropolitan area, and the second area network is a metropolitan area network (simply referred to as "metropolitan area network").
More than ten metropolitan area networks exist under each provincial network of the operator, and deploying data acquisition nodes on every metropolitan area network is impractical and costly. Against this background, the following strategy is adopted: a data acquisition node is set up and connected to a routing traffic monitoring device that observes the traffic each metropolitan area network exchanges externally; the node then works in a time slice rotation mode, selectively receiving the traffic transmitted externally by one specific metropolitan area network at a time, so that the traffic sent by that metropolitan area network to the other metropolitan area networks in the province can be obtained.
The time slice rotation algorithm works as follows. First, the data acquisition node selects a small time slice t and monitors and records the network traffic volume during that period. After one round of time slice rotation, the metropolitan area networks are assigned different priorities according to the volume of data each transmitted externally in the previous round, and the time slice rotation order is arranged accordingly: a metropolitan area network with more data in the previous round receives a higher priority, and the data acquisition node preferentially examines the traffic it transmits externally. An auxiliary strategy is provided as well: a time slice coefficient L is set, with a specific initial value. If a given metropolitan area network route has held a high priority for several consecutive rounds, the time slice coefficient of that route is increased by a certain amount, so that the data acquisition node spends more time on the route carrying more externally transmitted data and collects more traffic information during a peak phase of that particular metropolitan area network's traffic. Similarly, if a given metropolitan area network route has held a low priority for several consecutive rounds, its time slice coefficient is reduced appropriately, with the initial time slice coefficient as the lower bound. The time T during which each metropolitan area network route is monitored by the data acquisition node is:
T=t×L
In this case, a reasonable random deployment strategy is also designed: a plurality of data acquisition nodes that take turns at random are deployed and combined with the time slice rotation strategy, so that most of the traffic in the network can essentially be collected by the data acquisition nodes.
According to the embodiment of the invention, deploying two layers of data acquisition nodes allows more comprehensive traffic data to be acquired with fewer data acquisition nodes, so that controlled key infrastructure of the operator can be identified continuously, accurately and comprehensively.
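The rotation strategy above, written out as a small scheduler. This is an added illustration, not code from the patent: the base slice t, the initial coefficient, the step by which L changes, the streak length that triggers a change, how many routes count as "high priority" per round, and the metro network names and volumes are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed parameters (the patent gives no concrete values).
T_SLICE = 1.0   # base time slice t, in seconds
L_INIT = 1.0    # initial time slice coefficient L (also the lower bound)
L_STEP = 0.5    # amount L is raised or lowered by
STREAK = 3      # consecutive rounds at high/low priority before L changes
TOP_K = 2       # how many routes count as "high priority" each round


@dataclass
class MetroRoute:
    """One metropolitan area network route seen by the acquisition node."""
    name: str
    coeff: float = L_INIT
    high_streak: int = 0
    low_streak: int = 0
    last_volume: int = 0

    def monitor_time(self) -> float:
        """Monitoring time per round: T = t x L."""
        return T_SLICE * self.coeff


class RotationScheduler:
    """Orders metro routes for the next round by last round's traffic volume."""

    def __init__(self, names: List[str]) -> None:
        self.routes: Dict[str, MetroRoute] = {n: MetroRoute(n) for n in names}
        self.order: List[str] = list(names)  # first round: deployment order

    def run_round(self, volumes: Dict[str, int]) -> List[str]:
        """Record the volume observed on each route, then compute the next order."""
        for name, vol in volumes.items():
            self.routes[name].last_volume = vol
        ranked = sorted(self.routes.values(),
                        key=lambda r: r.last_volume, reverse=True)
        high = {r.name for r in ranked[:TOP_K]}
        for r in self.routes.values():
            if r.name in high:
                r.high_streak, r.low_streak = r.high_streak + 1, 0
            else:
                r.low_streak, r.high_streak = r.low_streak + 1, 0
            # Sustained peak: give the route more time; sustained lull: take
            # time back, but never drop below the initial coefficient.
            if r.high_streak >= STREAK:
                r.coeff += L_STEP
                r.high_streak = 0  # assumed: counter restarts after an adjustment
            elif r.low_streak >= STREAK:
                r.coeff = max(L_INIT, r.coeff - L_STEP)
                r.low_streak = 0
        self.order = [r.name for r in ranked]
        return self.order

    def schedule(self) -> List[Tuple[str, float]]:
        """Next round's monitoring plan: (route, seconds) in priority order."""
        return [(n, self.routes[n].monitor_time()) for n in self.order]


if __name__ == "__main__":
    # Constructed volumes: A and B stay busy for three rounds, then C spikes.
    sched = RotationScheduler(["A", "B", "C", "D"])
    for _ in range(3):
        sched.run_round({"A": 100, "B": 80, "C": 10, "D": 5})
    print(sched.schedule())   # A and B now get 1.5 s each, C and D 1.0 s
    sched.run_round({"A": 100, "B": 80, "C": 200, "D": 5})
    print(sched.schedule())   # C moves to the front of the rotation
```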
The system embodiments described above are merely illustrative: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (6)
1. A method for controlled identification of an operator critical infrastructure, comprising:
according to a preset election algorithm, randomly selecting a plurality of groups of consensus node clusters from the consensus node pool;
wherein any consensus node in any group of consensus node clusters is not in any other consensus node cluster; each group of consensus node clusters receives traffic messages from a different traffic acquisition domain, and each consensus node cluster, by setting iptables rules, accepts only the traffic messages sent by the data acquisition nodes in its corresponding range and filters out the messages sent by the other data acquisition nodes;
for each consensus node cluster, receiving a public traffic message from a data acquisition node, selecting an abnormal traffic detection method by each consensus node in the consensus node cluster, acquiring a detection result of the consensus node and broadcasting the detection result to other consensus nodes in the consensus node cluster;
the consensus node cluster identifies whether a data acquisition node sending the public traffic message is controlled or not based on a consensus mechanism and a detection result of each consensus node on the public traffic message;
wherein the consensus node cluster comprises 3f+1 non-repeated consensus nodes, and f is a positive integer; the public traffic message carries multiple traffic characteristics of the target area network;
The specific steps of identifying whether the data acquisition node sending the public traffic message is controlled or not based on the consensus mechanism and the detection result of each consensus node comprise the following steps:
the consensus node receives the detection results broadcast by the other consensus nodes, votes according to the detection results of the consensus nodes and the detection results broadcast by the other consensus nodes, acquires the voting results of the consensus nodes and broadcasts the voting results to the other consensus nodes in the consensus node cluster;
the consensus node receives voting results broadcast by other consensus nodes, and identifies whether a data acquisition node sending the public traffic message is controlled or not according to the voting results of the consensus node and the voting results broadcast by the other consensus nodes;
if the block-building node determines that the number of received voting results broadcast by the consensus nodes is not less than 2f+1, generating a block to be uplinked according to the result of identifying whether the data acquisition node sending the public traffic message is controlled, and placing the block to be uplinked into a block queue;
after the uplink node cluster successfully reaches consensus on each block to be uplinked in the block queue, adding the block to be uplinked to the block chain;
the block-building node is a consensus node selected from each consensus node cluster according to a preset selection algorithm; the uplink node cluster comprises 3f+1 non-repeated consensus nodes selected from all consensus nodes in the consensus node pool that were not selected into any consensus node cluster;
after the voting result of the consensus node is obtained and broadcast to other consensus nodes in the consensus node cluster, the method further comprises the following steps:
obtaining scores of voting results of the consensus nodes;
if the score of the voting result of any one of the consensus nodes is judged to meet the preset condition, identifying that any one of the consensus nodes is controlled;
and the scoring of the voting results of the consensus nodes is low if the voting results of the consensus nodes are inconsistent with the consensus voting results, and the scoring of the voting results of the consensus nodes is high if the voting results of the consensus nodes are consistent with the consensus voting results.
2. The method for controlled identification of an operator critical infrastructure according to claim 1, wherein, if the score of the voting result of any one of the consensus nodes is determined to satisfy the preset condition, identifying that said consensus node is controlled further comprises:
And taking any one of the consensus nodes as a failure node, and deleting the any one of the consensus nodes from the consensus node pool.
3. The method for identifying controlled operators' critical infrastructure as claimed in claim 1, wherein each consensus node in the consensus node cluster selects an abnormal traffic detection method comprising the specific steps of:
and selecting an abnormal flow detection method according to the height of the blockchain, the number of each consensus node and the number of the abnormal flow detection methods.
4. The method for controlled identification of an operator critical infrastructure according to claim 1, wherein, between randomly selecting the plurality of groups of consensus node clusters from the consensus node pool according to the preset election algorithm and each consensus node in the consensus node cluster selecting an abnormal traffic detection method, acquiring a detection result of the consensus node and broadcasting the detection result to the other consensus nodes in the consensus node cluster, the method further comprises:
any consensus node in the consensus node cluster receives a flow message sent by a data acquisition node in a preset range based on a filtering mechanism and broadcasts the flow message to other consensus nodes in the consensus node cluster;
And if all the consensus nodes in the consensus node cluster receive the traffic message, determining the traffic message as a public traffic message.
5. An operator critical infrastructure controlled identification system, comprising: a plurality of consensus nodes and a plurality of data acquisition nodes;
the data acquisition node is used for acquiring various flow characteristics of the target area network according to the flow information of the target area network and sending flow information carrying the various flow characteristics of the target area network to the consensus node;
the consensus node is used for identifying whether the data acquisition node is controlled or not and whether other consensus nodes are controlled or not based on a consensus mechanism and the flow message;
the operator critical infrastructure controlled identification system is capable of implementing the operator critical infrastructure controlled identification method of any of claims 1 to 4.
6. The operator critical infrastructure controlled identification system of claim 5, comprising at least two layers of the data acquisition nodes;
each data acquisition node in the first layer is used for acquiring multiple traffic characteristics of the corresponding first area network according to the traffic information of that first area network;
the second layer comprises at least one data acquisition node; each data acquisition node in the second layer is used for acquiring multiple traffic characteristics of each second area network according to a preset rotation algorithm and the traffic information of that second area network;
wherein the second region is a sub-region of the first region.
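The detection, voting, 2f+1 block-building threshold and vote scoring of claim 1, together with the height/node-number/method-count selection of claim 3, as an added simulation of one consensus node cluster. This is illustrative code, not the patent's own implementation: the three detectors and their thresholds, the modulo selection rule, the "majority of detection results" voting rule, the +1/-1 scoring and the score threshold are all assumptions.

```python
from collections import Counter
from typing import Callable, Dict, List, Optional, Set

# Constructed anomaly detectors over the traffic features carried in a public
# traffic message. The feature names and thresholds are assumptions.
def by_packet_rate(msg: Dict[str, float]) -> bool:
    return msg["pps"] > 50_000

def by_syn_ratio(msg: Dict[str, float]) -> bool:
    return msg["syn_ratio"] > 0.6

def by_dst_entropy(msg: Dict[str, float]) -> bool:
    return msg["dst_entropy"] < 1.0

METHODS: List[Callable[[Dict[str, float]], bool]] = [
    by_packet_rate, by_syn_ratio, by_dst_entropy]


def pick_method(height: int, node_id: int, n_methods: int) -> int:
    """Claim 3: derive the method index from chain height, node number and the
    number of methods. A simple modulo is assumed; the claim fixes no formula."""
    return (height + node_id) % n_methods


class Cluster:
    """One consensus node cluster of 3f+1 nodes, numbered 0..3f."""

    def __init__(self, f: int) -> None:
        self.f = f
        self.n = 3 * f + 1
        self.scores: Dict[int, int] = {i: 0 for i in range(self.n)}

    def detect(self, height: int, msg: Dict[str, float]) -> Dict[int, bool]:
        """Each node runs its selected method and 'broadcasts' the result."""
        return {i: METHODS[pick_method(height, i, len(METHODS))](msg)
                for i in range(self.n)}

    def vote(self, detections: Dict[int, bool],
             faulty: Optional[Set[int]] = None) -> Dict[int, bool]:
        """Each node votes from its own and the received detection results.
        Assumed rule: vote 'controlled' iff a majority of results is abnormal.
        Nodes in `faulty` model controlled consensus nodes voting the opposite."""
        majority = Counter(detections.values()).most_common(1)[0][0]
        return {i: (not majority if faulty and i in faulty else majority)
                for i in range(self.n)}

    def decide(self, votes: Dict[int, bool]) -> Optional[bool]:
        """Block-building node: a verdict needs at least 2f+1 matching votes;
        returns None (no block) otherwise. Scores each node against the verdict."""
        verdict, count = Counter(votes.values()).most_common(1)[0]
        if count < 2 * self.f + 1:
            return None
        for i, v in votes.items():
            self.scores[i] += 1 if v == verdict else -1
        return verdict

    def controlled_nodes(self, threshold: int = 0) -> List[int]:
        """Consensus nodes whose score has fallen to the (assumed) threshold."""
        return [i for i, s in self.scores.items() if s <= threshold]


if __name__ == "__main__":
    cluster = Cluster(f=1)                      # 4 nodes, tolerates 1 faulty
    msg = {"pps": 80_000, "syn_ratio": 0.9, "dst_entropy": 3.0}  # constructed
    det = cluster.detect(height=10, msg=msg)    # {0: True, 1: False, 2: True, 3: True}
    print(cluster.decide(cluster.vote(det)))            # True: collector flagged
    print(cluster.decide(cluster.vote(det, {3})))       # True: 3 of 4 agree
    print(cluster.controlled_nodes())                   # [3]: dissenting node
    print(cluster.decide(cluster.vote(det, {2, 3})))    # None: 2 votes < 2f+1
```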
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011415992.6A CN114615002B (en) | 2020-12-03 | 2020-12-03 | Controlled identification method and system for key infrastructure of operator |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114615002A CN114615002A (en) | 2022-06-10 |
CN114615002B true CN114615002B (en) | 2024-02-27 |
Family
ID=81857108
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114615002B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108616534A (en) * | 2018-04-28 | 2018-10-02 | 中国科学院信息工程研究所 | A kind of method and system for protecting internet of things equipment ddos attack based on block chain |
CN110289966A (en) * | 2019-06-19 | 2019-09-27 | 西南交通大学 | Anti-adaptive attack alliance's chain common recognition method based on Byzantine failure tolerance |
CN110363223A (en) * | 2019-06-20 | 2019-10-22 | 华南理工大学 | Industrial flow data processing method, detection method, system, device and medium |
CN110569675A (en) * | 2019-09-18 | 2019-12-13 | 上海海事大学 | Multi-Agent transaction information protection method based on block chain technology |
CN110677485A (en) * | 2019-09-30 | 2020-01-10 | 大连理工大学 | Dynamic layered Byzantine fault-tolerant consensus method based on credit |
TW202017337A (en) * | 2018-10-29 | 2020-05-01 | 財團法人電信技術中心 | Method and system for backbone network flow anomaly detection |
CN111262851A (en) * | 2020-01-14 | 2020-06-09 | 中移(杭州)信息技术有限公司 | DDOS attack detection method and device, electronic equipment and storage medium |
CN111343208A (en) * | 2020-05-21 | 2020-06-26 | 腾讯科技(深圳)有限公司 | Block chain-based data detection method and device and computer-readable storage medium |
CN111988321A (en) * | 2020-08-24 | 2020-11-24 | 桂林电子科技大学 | Alliance chain abnormity detection system based on machine learning and detection method thereof |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7680757B2 (en) * | 2004-11-10 | 2010-03-16 | Technion Research & Development Foundation Ltd. | Association rule mining in peer-to peer systems |
US8504504B2 (en) * | 2008-09-26 | 2013-08-06 | Oracle America, Inc. | System and method for distributed denial of service identification and prevention |
Non-Patent Citations (5)
Title |
---|
Research on security early warning based on big-data analysis of network traffic in the 4G era; 陈霖; 梁坤; Journal of Hunan Post and Telecommunication College (04); full text * |
Blockchain Trust Model for Malicious Node Detection in Wireless Sensor Networks; Wei She; IEEE Access; full text * |
Reputation-Based Byzantine Fault-Tolerance for Consortium Blockchain; Kai Lei; 2018 IEEE 24th International Conference on Parallel and Distributed Systems (ICPADS); full text * |
Abnormal network traffic classification based on improved extremely randomized trees; 韦海宇; 王勇; 柯文龙; 俸皓; Computer Engineering (11); full text * |
A DDoS detection, analysis and reporting system based on comprehensive scoring; 李星; 刘骥琛; 张千里; Journal of Southeast University (Natural Science Edition) (S1); full text * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |