CN115955334A - Network attack traffic processing method and system based on edge computing

Publication number
CN115955334A
Authority
CN
China
Legal status
Granted
Application number
CN202211544532.2A
Other languages
Chinese (zh)
Other versions
CN115955334B (en)
Inventor
彭昱栋
林莉
Current Assignee
Shenzhen Mingliyang Technology Co ltd
Original Assignee
Shenzhen Mingliyang Technology Co ltd
Classifications

    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a network attack traffic processing method and system based on edge computing, which establish data traffic models for a plurality of terminals, judge from those models whether real-time traffic data is abnormal, and, when abnormal traffic data exists, have a security node process it, so that traffic anomalies are handled promptly and efficiently and losses caused by attacks are avoided.

Description

Network attack traffic processing method and system based on edge computing
Technical Field
The invention relates to the technical field of networks, in particular to a network attack traffic processing method and system based on edge computing.
Background
Edge computing refers to an open platform that integrates core network, computing, storage and application capabilities on the side close to the object or data source and provides services at the nearest end. Applications are initiated on the edge side, which produces faster network service responses and meets the industry's basic requirements for real-time business, application intelligence, security and privacy protection. However, edge terminals and edge servers have simple hardware structures, scarce computing resources, designs that lack security considerations, and no effective protection measures, all of which greatly increase the possibility of malicious intrusion. Once an edge terminal or edge server is compromised by an attacker, it can be used to attack upward toward the cloud or downward toward the terminal devices, so that the network attack expands from a single point to the whole surface; there is a risk that the whole system is invaded by way of an edge node that has been tampered with or attacked. Therefore, a network attack traffic processing scheme based on edge computing is needed to ensure the network security of edge nodes.
Disclosure of Invention
In view of the above problems, the invention provides a network attack traffic processing method and system based on edge computing, which establish data traffic models for a plurality of terminals, judge from those models whether real-time traffic data is abnormal, and, when abnormal traffic data exists, have a security node process it, so that traffic anomalies are handled promptly and efficiently and losses caused by attacks are avoided.
In view of this, an aspect of the present invention provides a network attack traffic processing method based on edge computing, including:
the method is applied to a network attack traffic processing system that comprises: a first gateway device; an edge terminal, an edge cloud node and an edge security node that are connected to the first gateway device; a second gateway device that is connected to the edge cloud node and to the edge security node; and a cloud security node and a cloud server that are connected to the second gateway device; the method comprises:
the cloud server provides registration service and configures unique identifiers in a unified format for the edge terminal, the first gateway device, the edge cloud node, the edge security node, the second gateway device and the cloud security node respectively;
the first gateway equipment stores the flow data received and sent by the first gateway equipment, and classifies the flow data according to the unique identifier carried by the flow data to obtain historical flow data;
the edge security node acquires first historical traffic data from the historical traffic data of the first gateway device, and respectively establishes an edge terminal traffic model of the edge terminal, an edge cloud node traffic model of the edge cloud node and a first gateway device traffic model of the first gateway device according to the first historical traffic data;
the cloud security node acquires second historical traffic data corresponding to the first historical traffic data on the second gateway device, and establishes a second gateway device traffic model of the second gateway device according to the second historical traffic data;
the edge security node acquires first real-time flow data of the first gateway equipment, judges whether the first real-time flow data is abnormal according to the flow model of the first gateway equipment, and transfers the corresponding first data to the edge security node if the first real-time flow data is abnormal;
and the cloud security node acquires second real-time flow data of the second gateway equipment, judges whether the second real-time flow data is abnormal according to the flow model of the second gateway equipment, and transfers the corresponding second data to the cloud security node if the second real-time flow data is abnormal.
Optionally, after the operation of transferring the corresponding second data to the cloud security node, the method further includes:
the edge security node extracts first edge terminal data sent by the edge terminal and first edge cloud node data sent by the edge cloud node according to the unique identifier carried by the first data;
the edge security node analyzes the data abnormal situation of the edge terminal according to the first edge terminal data and the edge terminal flow model, and determines the abnormal first edge terminal from the edge terminal;
the edge security node analyzes first data exception information of the edge cloud node according to the first edge cloud node data and the edge cloud node traffic model, and sends the first data exception information to the cloud security node;
the cloud security node extracts second edge cloud node data which belongs to the edge cloud node and is sent by the edge cloud node according to the unique identifier carried by the second data;
the cloud security node analyzes second data abnormal information of the edge cloud nodes according to the second edge cloud node data and the edge cloud node traffic model, and determines a first edge cloud node with abnormality from the edge cloud nodes according to the first data abnormal information and the second data abnormal information;
separating data generated by the first edge terminal and/or the first edge cloud node from the first data to serve as first abnormal data, and using the remaining data in the first data as first normal data;
transmitting the first normal data back to the first gateway equipment, and transmitting the first normal data by the first gateway equipment according to a preset rule;
separating the data generated by the first edge cloud node from the second data to be used as second abnormal data, and using the rest data in the second data as second normal data;
and transmitting the second normal data back to the second gateway equipment, and transmitting the second normal data by the second gateway equipment according to a preset rule.
Optionally, the method further comprises:
the edge security node analyzes the first abnormal data to determine a first data abnormal type;
the cloud security node analyzes the second abnormal data to determine a second data abnormal type;
determining the attack type suffered by the first edge terminal and/or the first edge cloud node according to the first data exception type and/or the second data exception type;
executing a maintenance scheme for the first edge terminal and/or the first edge cloud node according to the attack type;
wherein the first data exception type or the second data exception type includes being forged, being destroyed, or being partially tampered with.
Optionally, the step of executing a maintenance scheme for the first edge terminal and/or the first edge cloud node according to the attack type specifically includes:
stopping the work of the first edge terminal and/or the first edge cloud node, and disconnecting the first edge terminal and/or the first edge cloud node from the first gateway device and/or the second gateway device;
performing system scanning corresponding to the attack type on the first edge terminal and/or the first edge cloud node to determine a repair point, and repairing the repair point;
starting a backup edge terminal and/or a backup edge cloud node having the same attribute as the first edge terminal and/or the first edge node to replace the corresponding first edge terminal and/or the first edge node;
establishing communication connection between the standby edge terminal and the first gateway equipment;
and respectively establishing communication connection between the standby edge cloud node and the first gateway equipment and the second gateway equipment.
Optionally, the method further comprises:
determining a second edge terminal which normally works in the edge terminals, and determining a second edge cloud node which normally works in the edge cloud nodes;
the edge security node constructs a first secure communication channel between the second edge terminal and the second edge cloud node;
and the cloud security node constructs a second secure communication channel between the second edge cloud node and the cloud server.
Another aspect of the present invention provides a network attack traffic processing system based on edge computing, including: a first gateway device; an edge terminal, an edge cloud node and an edge security node that are connected to the first gateway device; a second gateway device that is connected to the edge cloud node and to the edge security node; and a cloud security node and a cloud server that are connected to the second gateway device; wherein,
the cloud server is configured to provide a registration service and configure unique identifiers in a unified format for the edge terminal, the first gateway device, the edge cloud node, the edge security node, the second gateway device, and the cloud security node, respectively;
the first gateway device is used for storing the traffic data received and sent by the first gateway device, and classifying the traffic data according to the unique identifier carried by the traffic data to obtain historical traffic data;
the edge security node is configured to obtain first historical traffic data from the historical traffic data of the first gateway device, and respectively establish an edge terminal traffic model of the edge terminal, an edge cloud node traffic model of the edge cloud node, and a first gateway device traffic model of the first gateway device according to the first historical traffic data;
the cloud security node is configured to obtain second historical traffic data corresponding to the first historical traffic data on the second gateway device, and establish a second gateway device traffic model of the second gateway device according to the second historical traffic data;
the edge security node is used for acquiring first real-time flow data of the first gateway equipment, judging whether the first real-time flow data is abnormal according to the flow model of the first gateway equipment, and if so, transferring the corresponding first data to the edge security node;
and the cloud security node is used for acquiring second real-time flow data of the second gateway equipment, judging whether the second real-time flow data is abnormal according to the flow model of the second gateway equipment, and if so, transferring the corresponding second data to the cloud security node.
Optionally, after the cloud security node performs the operation of transferring the corresponding second data to the cloud security node,
the edge security node is further configured to:
extracting first edge terminal data sent by the edge terminal and first edge cloud node data sent by the edge cloud node according to the unique identifier carried by the first data;
analyzing the abnormal data condition of the edge terminal according to the first edge terminal data and the edge terminal flow model, and determining the abnormal first edge terminal from the edge terminals;
analyzing first data abnormal information of the edge cloud nodes according to the first edge cloud node data and the edge cloud node traffic model, and sending the first data abnormal information to the cloud security node;
the cloud security node is further configured to:
extracting second edge cloud node data which belongs to the edge cloud node and is sent according to the unique identifier carried by the second data;
analyzing second data abnormal information of the edge cloud nodes according to the second edge cloud node data and the edge cloud node traffic model, and determining a first edge cloud node with abnormality from the edge cloud nodes according to the first data abnormal information and the second data abnormal information;
the edge security node is further configured to:
separating data generated by the first edge terminal and/or the first edge cloud node from the first data to serve as first abnormal data, and using the remaining data in the first data as first normal data;
transmitting the first normal data back to the first gateway equipment, and transmitting the first normal data by the first gateway equipment according to a preset rule;
the cloud security node is further configured to:
separating the data generated by the first edge cloud node from the second data to be used as second abnormal data, and using the rest data in the second data as second normal data;
and transmitting the second normal data back to the second gateway equipment, and transmitting the second normal data by the second gateway equipment according to a preset rule.
Optionally, the edge security node is further configured to analyze the first abnormal data to determine a first data abnormal type;
the cloud security node is further used for analyzing the second abnormal data to determine the second data abnormal type;
the edge security node and/or the cloud security node are further configured to:
determining the attack type suffered by the first edge terminal and/or the first edge cloud node according to the first data exception type and/or the second data exception type;
executing a maintenance scheme for the first edge terminal and/or the first edge cloud node according to the attack type;
wherein the first data exception type or the second data exception type includes being forged, being destroyed, or being partially tampered with.
Optionally, the step of executing a maintenance scheme for the first edge terminal and/or the first edge cloud node according to the attack type is performed, and the edge security node and/or the cloud security node is specifically configured to:
stopping the work of the first edge terminal and/or the first edge cloud node, and disconnecting the first edge terminal and/or the first edge cloud node from the first gateway device and/or the second gateway device;
performing system scanning corresponding to the attack type on the first edge terminal and/or the first edge cloud node to determine a repair point, and repairing the repair point;
starting a backup edge terminal and/or a backup edge cloud node having the same attribute as the first edge terminal and/or the first edge node to replace the corresponding first edge terminal and/or the first edge node;
establishing communication connection between the standby edge terminal and the first gateway equipment;
and respectively establishing communication connection between the standby edge cloud node and the first gateway equipment and the second gateway equipment.
Optionally, the edge security node and/or the cloud security node are further configured to determine a second edge terminal that normally operates in the edge terminal, and determine a second edge cloud node that normally operates in the edge cloud node;
the edge security node is further configured to construct a first secure communication channel between the second edge terminal and the second edge cloud node;
the cloud security node is further configured to construct a second secure communication channel between the second edge cloud node and the cloud server.
By adopting the technical scheme of the invention, data traffic models are established for a plurality of terminals and used to judge whether real-time traffic data is abnormal, and when abnormal traffic data exists it is processed by the security node, so that traffic anomalies are handled promptly and efficiently and losses caused by attacks are avoided.
Drawings
Fig. 1 is a flowchart of a network attack traffic processing method based on edge computing according to an embodiment of the present invention;
Fig. 2 is a schematic block diagram of a network attack traffic processing system based on edge computing according to an embodiment of the present invention.
Detailed Description
In order that the above objects, features and advantages of the present invention can be more clearly understood, a more particular description of the invention will be rendered by reference to the appended drawings. It should be noted that the embodiments and features of the embodiments of the present application may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, however, the present invention may be practiced otherwise than as specifically described herein, and thus the scope of the present invention is not limited by the specific embodiments disclosed below.
The terms "first," "second," and the like in the description and claims of the present application and in the above-described drawings are used for distinguishing between different objects and not for describing a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein may be combined with other embodiments.
A network attack traffic processing method and system based on edge computing according to some embodiments of the present invention are described below with reference to Figs. 1 to 2.
As shown in Fig. 1, an embodiment of the present invention provides a network attack traffic processing method based on edge computing, applied to a network attack traffic processing system that comprises: a first gateway device; an edge terminal, an edge cloud node and an edge security node that are connected to the first gateway device; a second gateway device that is connected to the edge cloud node and to the edge security node; and a cloud security node and a cloud server that are connected to the second gateway device; the method comprises:
the cloud server provides registration service and configures unique identifiers in a unified format for the edge terminal, the first gateway device, the edge cloud node, the edge security node, the second gateway device and the cloud security node respectively;
the first gateway equipment stores the flow data received and sent by the first gateway equipment, and classifies the flow data according to the unique identifier carried by the flow data to obtain historical flow data;
the edge security node acquires first historical traffic data from the historical traffic data of the first gateway device, and respectively establishes an edge terminal traffic model of the edge terminal, an edge cloud node traffic model of the edge cloud node and a first gateway device traffic model of the first gateway device according to the first historical traffic data;
the cloud security node acquires second historical traffic data corresponding to the first historical traffic data on the second gateway device, and establishes a second gateway device traffic model of the second gateway device according to the second historical traffic data;
the edge security node acquires first real-time flow data of the first gateway equipment, judges whether the first real-time flow data is abnormal according to the flow model of the first gateway equipment, and transfers the corresponding first data to the edge security node if the first real-time flow data is abnormal;
and the cloud security node acquires second real-time flow data of the second gateway equipment, judges whether an abnormality exists according to the flow model of the second gateway equipment, and if so, transfers the corresponding second data to the cloud security node.
It can be understood that, in the embodiment of the present invention, the cloud server provides a registration service and configures unique identifiers in a unified format for the edge terminal, the first gateway device, the edge cloud node, the edge security node, the second gateway device, and the cloud security node, respectively.
The terminal of the internet of things can be an intelligent home terminal, an intelligent street lamp, an intelligent health terminal, an intelligent teaching terminal, an intelligent camera terminal, an intelligent machine tool, an intelligent automobile, a robot and the like. The first gateway device may be an internet of things gateway device.
The first gateway device stores the traffic data that it receives and sends, and classifies the traffic data according to the unique identifier carried by the traffic data to obtain historical traffic data. The edge security node obtains first historical traffic data from the historical traffic data of the first gateway device (for example, according to actual requirements or preset rules) and, according to the first historical traffic data and in combination with a first neural network, establishes an edge terminal traffic model of the edge terminal, an edge cloud node traffic model of the edge cloud node, and a first gateway device traffic model of the first gateway device. The cloud security node acquires, on the second gateway device, second historical traffic data corresponding to the first historical traffic data (for example, data whose arrival time is the same, or differs by a preset time difference consistent with the transmission speed), and establishes a second gateway device traffic model of the second gateway device according to the second historical traffic data in combination with a second neural network. The edge security node collects first real-time traffic data of the first gateway device and judges whether an abnormality exists according to the first gateway device traffic model; if so, it transfers the corresponding first data (for example, the data generated on the first gateway device from a preset duration T before the time T1 at which the abnormality occurred up to the current time) to the edge security node, and suspends the data transmission task of the first gateway device.
The cloud security node acquires second real-time traffic data of the second gateway device and judges whether an abnormality exists according to the second gateway device traffic model; if so, it transfers the corresponding second data (for example, the data generated on the second gateway device from a preset duration T3 before the time T2 at which the abnormality occurred up to the current time) to the cloud security node, and suspends the data transmission task of the second gateway device.
It should be noted that the process of training and constructing the traffic model (the edge terminal traffic model, the edge cloud node traffic model, the first gateway device traffic model, and the second gateway device traffic model) by using the neural network specifically includes:
setting a neural network comprising an input layer, a first initial layer, a simulation output layer, an activation function, a second initial layer, a verification coefficient layer and an output layer;
inputting historical traffic data of a subject as first input data into the input layer of the first neural network;
the input layer transmits the first input data to the first initial layer which establishes connection with the input layer through matrix operation;
after receiving the first output data, the first initial layer activates it through the activation function to obtain second output data, and sends the activated second output data to the simulation output layer;
the simulation output layer obtains a simulated output value from the second output data through matrix calculation, and inputs the simulated output value into the second initial layer;
the second initial layer obtains a verification output result from the simulated output value through matrix calculation;
establishing a data connection between the first input data of the input layer and the second initial layer;
the second initial layer obtains third output data through matrix calculation, and the third output data and the verification output result are sent to the verification coefficient layer for verification to obtain a normalization coefficient;
sending the normalization coefficient and the simulated output value to the output layer, where the output layer normalizes the simulated output value to obtain a mimicry result;
and collecting positive feedback data and negative feedback data, and learning and correcting the mimicry result according to the positive feedback data and the negative feedback data to generate a flow model.
By adopting the technical scheme of the embodiment, data traffic models are established for a plurality of terminals and used to judge whether real-time traffic data is abnormal, and when abnormal traffic data exists it is processed by the security node, so that abnormal traffic data is handled promptly and efficiently and losses caused by attacks are avoided.
In some possible embodiments of the present invention, after the transferring the corresponding second data to the cloud security node, the method further includes:
the edge security node extracts first edge terminal data sent by the edge terminal and first edge cloud node data sent by the edge cloud node according to the unique identifier carried by the first data;
the edge security node analyzes the data abnormal situation of the edge terminal according to the first edge terminal data and the edge terminal flow model, and determines the abnormal first edge terminal from the edge terminal;
the edge security node analyzes first data exception information of the edge cloud node according to the first edge cloud node data and the edge cloud node traffic model, and sends the first data exception information to the cloud security node;
the cloud security node extracts second edge cloud node data which belongs to the edge cloud node and is sent by the edge cloud node according to the unique identifier carried by the second data;
the cloud security node analyzes second data abnormal information of the edge cloud nodes according to the second edge cloud node data and the edge cloud node traffic model, and determines a first edge cloud node with abnormality from the edge cloud nodes according to the first data abnormal information and the second data abnormal information;
separating data generated by the first edge terminal and/or the first edge cloud node from the first data to serve as first abnormal data, and using the remaining data in the first data as first normal data;
transmitting the first normal data back to the first gateway equipment, and transmitting the first normal data by the first gateway equipment according to a preset rule;
separating the data generated by the first edge cloud node from the second data to be used as second abnormal data, and using the residual data in the second data as second normal data;
and transmitting the second normal data back to the second gateway equipment, and transmitting the second normal data by the second gateway equipment according to a preset rule.
It can be understood that, in order to efficiently handle traffic anomaly and provide a normal data transmission service in time, in the embodiment of the present invention, the edge security node extracts, according to the unique identifier carried by the first data, first edge terminal data (total data sent by all edge terminals) that belong to the edge terminals and first edge cloud node data (total data sent by all edge cloud nodes) that belong to the edge cloud nodes, analyzes a data anomaly situation of the edge terminals according to the first edge terminal data and the edge terminal traffic model, determines a first edge terminal with an anomaly from the edge terminals, analyzes second data anomaly information of the edge cloud nodes according to the second edge cloud node data and the edge cloud node traffic model, and determines a first edge cloud node with an anomaly from the edge cloud nodes according to the first data anomaly information and the second data anomaly information. Then, separating data generated by the first edge terminal and/or the first edge cloud node from the first data to serve as first abnormal data, and using the remaining data in the first data as first normal data; transmitting the first normal data back to the first gateway equipment, and transmitting the first normal data by the first gateway equipment according to a first preset rule; separating the data generated by the first edge cloud node from the second data to be used as second abnormal data, and using the residual data in the second data as second normal data; and transmitting the second normal data back to the second gateway equipment, and transmitting the second normal data by the second gateway equipment according to a second preset rule.
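The two-stage handling described above (detection at the gateway level, diversion of a time window, then separation by unique identifier), as an added example that is not part of the patent: a mean and standard-deviation baseline stands in for the neural traffic models. The identifier strings, the 10-second interval, the 20-second lookback and the choice to treat an identifier with no model as abnormal are all assumptions, and the traffic is constructed sample data.

```python
"""Added illustration, not from the patent: detect, divert, then split by identifier."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Record:
    ts: int    # second at which the first gateway device stored the record
    uid: str   # unique identifier configured at registration (format assumed)
    size: int  # bytes carried


class Baseline:
    """Assumed stand-in for a traffic model: mean and std-dev of bytes per interval."""
    def __init__(self, samples, k=3.0, floor=1.0):
        self.mu = mean(samples)
        self.sigma = max(pstdev(samples), floor)  # floor avoids a zero-width band
        self.k = k

    def is_abnormal(self, value):
        return abs(value - self.mu) > self.k * self.sigma


def per_interval(records, interval):
    """Classify by identifier: bytes per (uid, interval) and per interval overall."""
    by_uid = defaultdict(lambda: defaultdict(int))
    total = defaultdict(int)
    for r in records:
        idx = r.ts // interval
        by_uid[r.uid][idx] += r.size
        total[idx] += r.size
    return by_uid, total


def build_models(history, interval):
    """Gateway model plus one model per identifier, from the same historical data."""
    by_uid, total = per_interval(history, interval)
    slots = sorted(total)
    gateway = Baseline([total[i] for i in slots])
    entities = {uid: Baseline([series.get(i, 0) for i in slots])
                for uid, series in by_uid.items()}
    return gateway, entities


def divert(live, gateway_model, interval, lookback):
    """Return (T1, first data): everything from T1 - lookback onward, or (None, [])."""
    _, total = per_interval(live, interval)
    for idx in sorted(total):
        if gateway_model.is_abnormal(total[idx]):
            t1 = idx * interval
            return t1, [r for r in live if r.ts >= t1 - lookback]
    return None, []


def split(first_data, entity_models, interval):
    """Separate data of abnormal identifiers from data that can go back to the gateway."""
    by_uid, _ = per_interval(first_data, interval)
    abnormal_uids = set()
    for uid, series in by_uid.items():
        model = entity_models.get(uid)
        # Assumption: an identifier with no model was never registered, so flag it.
        if model is None or any(model.is_abnormal(v) for v in series.values()):
            abnormal_uids.add(uid)
    abnormal = [r for r in first_data if r.uid in abnormal_uids]
    normal = [r for r in first_data if r.uid not in abnormal_uids]
    return abnormal_uids, abnormal, normal


def steady(i):
    """Constructed per-interval sizes for two edge terminals and one edge cloud node."""
    return {"ET-01": 100 + (i % 3) * 5, "ET-02": 200 + (i % 2) * 10, "ECN-01": 500 + (i % 5) * 4}


def sample_traffic(interval=10):
    """Constructed data: 30 quiet intervals, then 6 live ones where ET-02 bursts."""
    history = [Record(i * interval, u, s) for i in range(30) for u, s in steady(i).items()]
    live = []
    for i in range(30, 36):
        sizes = steady(i)
        if i >= 33:
            sizes["ET-02"] = 2000           # burst from one terminal
        live += [Record(i * interval, u, s) for u, s in sizes.items()]
    live.append(Record(340, "ET-99", 50))   # identifier that has no model
    return history, live


def run_pipeline(interval=10, lookback=20):
    history, live = sample_traffic(interval)
    gateway, entities = build_models(history, interval)
    t1, first_data = divert(live, gateway, interval, lookback)
    abnormal_uids, abnormal, normal = split(first_data, entities, interval)
    return t1, first_data, abnormal_uids, abnormal, normal


if __name__ == "__main__":
    t1, first_data, uids, abnormal, normal = run_pipeline()
    print(t1, len(first_data), sorted(uids), len(abnormal), len(normal))
```

All records of a flagged identifier inside the diverted window are held back, including the ones it sent before the burst, which matches the text's "data generated by the first edge terminal"; only the remaining identifiers' records are returned to the gateway for forwarding.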
In some possible embodiments of the invention, the method further comprises:
the edge security node analyzes the first abnormal data to determine a first data abnormal type;
the cloud security node analyzes the second abnormal data to determine a second data abnormal type;
determining the attack type suffered by the first edge terminal and/or the first edge cloud node according to the first data exception type and/or the second data exception type;
executing a maintenance scheme for the first edge terminal and/or the first edge cloud node according to the attack type;
wherein the first data exception type or the second data exception type includes being forged, being destroyed, or being partially tampered with.
It is understood that, in order to quickly recover the normal data transmission service, in the present embodiment the edge security node analyzes the first abnormal data to determine the first data abnormal type (including but not limited to being forged, destroyed, or partially tampered with); the cloud security node analyzes the second abnormal data to determine the second data abnormal type (including but not limited to being forged, destroyed, or partially tampered with); the attack type suffered by the first edge terminal and/or the first edge cloud node is determined according to the first data exception type and/or the second data exception type; and a maintenance scheme is executed for the first edge terminal and/or the first edge cloud node according to the attack type.
In some possible embodiments of the present invention, the step of executing the maintenance scheme for the first edge terminal and/or the first edge cloud node according to the attack type specifically includes:
stopping the work of the first edge terminal and/or the first edge cloud node, and disconnecting the first edge terminal and/or the first edge cloud node from the first gateway device and/or the second gateway device;
performing system scanning corresponding to the attack type on the first edge terminal and/or the first edge cloud node to determine a repair point, and repairing the repair point;
starting a standby edge terminal and/or a standby edge cloud node having the same attribute as the first edge terminal and/or the first edge node to replace the corresponding first edge terminal and/or the first edge node;
establishing communication connection between the standby edge terminal and the first gateway equipment;
and respectively establishing communication connection between the standby edge cloud node and the first gateway equipment and communication connection between the standby edge cloud node and the second gateway equipment.
It can be understood that, in order to process an abnormality quickly and recover normal data transmission service in time, in this embodiment the work task of the abnormal edge terminal or edge cloud node is stopped and the device is disconnected from the corresponding gateway device; a system scan corresponding to the attack type (such as a vulnerability scan, a trojan scan, a virus scan, a port scan, and the like) is performed on the first edge terminal and/or the first edge cloud node to determine a repair point, and the repair point is repaired; a standby edge terminal and/or a standby edge cloud node having the same attribute as the first edge terminal and/or the first edge node is started to replace the corresponding first edge terminal and/or the first edge node; a communication connection is established between the standby edge terminal and the first gateway device; and communication connections are established between the standby edge cloud node and the first gateway device and between the standby edge cloud node and the second gateway device, respectively.
In some possible embodiments of the invention, the method further comprises:
determining a second normally working edge terminal in the edge terminals and determining a second normally working edge cloud node in the edge cloud nodes;
the edge security node constructs a first secure communication channel between the second edge terminal and the second edge cloud node;
and the cloud security node constructs a second secure communication channel between the second edge cloud node and the cloud server.
It can be understood that, in order not to affect the execution of the work tasks of the edge terminals and the edge cloud nodes where no traffic abnormality occurs, in this embodiment, a second edge terminal that normally works is determined in the edge terminals, and a second edge cloud node that normally works is determined in the edge cloud nodes; the edge security node constructs a first secure communication channel between the second edge terminal and the second edge cloud node, for example, the edge security node selects a standby first secure communication gateway device, determines a first communication protocol with a higher security level, allocates a communication address, and the like; the cloud security node constructs a second secure communication channel between the second edge cloud node and the cloud server, for example, the cloud security node selects a standby second secure communication gateway device, determines a second communication protocol with a higher security level, allocates a communication address, and the like.
Referring to fig. 2, another embodiment of the present invention provides a network attack traffic processing system based on edge computing, comprising: a first gateway device; an edge terminal, an edge cloud node and an edge security node connected with the first gateway device; a second gateway device connected with the edge cloud node and the edge security node respectively; and a cloud security node and a cloud server connected with the second gateway device; wherein:
the cloud server is configured to provide a registration service and configure unique identifiers in a unified format for the edge terminal, the first gateway device, the edge cloud node, the edge security node, the second gateway device, and the cloud security node, respectively;
the first gateway device is used for storing the traffic data received and sent by the first gateway device, and classifying the traffic data according to the unique identifier carried by the traffic data to obtain historical traffic data;
the edge security node is configured to obtain first historical traffic data from the historical traffic data of the first gateway device, and respectively establish an edge terminal traffic model of the edge terminal, an edge cloud node traffic model of the edge cloud node, and a first gateway device traffic model of the first gateway device according to the first historical traffic data;
the cloud security node is configured to acquire second historical traffic data corresponding to the first historical traffic data on the second gateway device, and establish a second gateway device traffic model of the second gateway device according to the second historical traffic data;
the edge security node is used for acquiring first real-time traffic data of the first gateway device, judging whether the first real-time traffic data is abnormal according to the traffic model of the first gateway device, and if so, transferring the corresponding first data to the edge security node;
and the cloud security node is used for acquiring second real-time flow data of the second gateway equipment, judging whether the second real-time flow data is abnormal according to the flow model of the second gateway equipment, and if so, transferring the corresponding second data to the cloud security node.
It can be understood that, in the embodiment of the present invention, the cloud server provides a registration service and configures unique identifiers in a unified format for the edge terminal, the first gateway device, the edge cloud node, the edge security node, the second gateway device, and the cloud security node, respectively.
The terminal of the internet of things can be an intelligent home terminal, an intelligent street lamp, an intelligent health terminal, an intelligent teaching terminal, an intelligent camera terminal, an intelligent machine tool, an intelligent automobile, a robot and the like. The first gateway device may be an internet of things gateway device.
The first gateway device stores the traffic data it receives and sends, and classifies the traffic data according to the unique identifier carried by the traffic data to obtain historical traffic data. The edge security node obtains first historical traffic data from the historical traffic data of the first gateway device (for example, according to actual requirements or preset rules), and, according to the first historical traffic data and in combination with a first neural network, establishes an edge terminal traffic model of the edge terminal, an edge cloud node traffic model of the edge cloud node, and a first gateway device traffic model of the first gateway device. The cloud security node acquires, on the second gateway device, second historical traffic data corresponding to the first historical traffic data (for example, the arrival times are consistent, or differ by a preset time difference that accords with the transmission speed rule), and establishes a second gateway device traffic model of the second gateway device according to the second historical traffic data in combination with a second neural network. The edge security node collects first real-time traffic data of the first gateway device and judges whether an abnormality exists according to the first gateway device traffic model; if so, it transfers the corresponding first data (for example, the data generated on the first gateway device from a preset duration before the time T1 at which the abnormality occurred up to the current time) to the edge security node, and suspends the data transmission task of the first gateway device.
The cloud security node acquires second real-time traffic data of the second gateway device and judges whether an abnormality exists according to the second gateway device traffic model; if so, it transfers the corresponding second data (for example, the data generated on the second gateway device from a preset duration before the abnormal time T2 up to the current time T3) to the cloud security node, and suspends the data transmission task of the second gateway device.
It should be noted that the process of training and constructing the traffic model (the edge terminal traffic model, the edge cloud node traffic model, the first gateway device traffic model, and the second gateway device traffic model) by using the neural network specifically includes:
setting a neural network comprising an input layer, a first initial layer, a simulation output layer, an activation function, a second initial layer, a verification coefficient layer and an output layer;
inputting historical traffic data of a subject as first input data into the input layer of the first neural network;
the input layer transmits the first input data to the first initial layer which establishes connection with the input layer through matrix operation;
after receiving the first output data, the first initial layer activates it through the activation function to obtain second output data, and sends the activated second output data to the simulation output layer;
the simulation output layer calculates the second output data through a matrix to obtain a simulation output value, and inputs the simulation output value into the second initial layer;
the second initial layer calculates the simulation output value through a matrix to obtain a verification output result;
performing data connection on the first input data of the input layer and the second initial layer;
the second initial layer obtains third output data through matrix calculation, and the third output data and the verification output result are sent to the verification coefficient layer for verification to obtain a normalization coefficient;
sending the normalization coefficient and the simulation output value to the output layer, and normalizing the simulation output value by the output layer to obtain a mimicry result;
and collecting positive feedback data and negative feedback data, and learning and correcting the mimicry result according to the positive feedback data and the negative feedback data to generate a flow model.
By adopting the technical scheme of the embodiment, whether the real-time flow data is abnormal or not is judged by establishing the data flow models of the terminals, and the abnormal flow data is processed by the safety node when the abnormal flow data exists, so that the abnormal flow data can be processed timely and efficiently, and the loss caused by attack is avoided.
In some possible embodiments of the invention, after the cloud security node performs the operation of transferring the corresponding second data to the cloud security node,
the edge security node is further configured to:
extracting first edge terminal data sent by the edge terminal and first edge cloud node data sent by the edge cloud node according to the unique identifier carried by the first data;
analyzing the abnormal data condition of the edge terminal according to the first edge terminal data and the edge terminal flow model, and determining the abnormal first edge terminal from the edge terminals;
analyzing first data abnormal information of the edge cloud nodes according to the first edge cloud node data and the edge cloud node traffic model, and sending the first data abnormal information to the cloud security node;
the cloud security node is further configured to:
extracting second edge cloud node data which belongs to the edge cloud node and is sent according to the unique identifier carried by the second data;
analyzing second data abnormal information of the edge cloud nodes according to the second edge cloud node data and the edge cloud node traffic model, and determining a first edge cloud node with abnormality from the edge cloud nodes according to the first data abnormal information and the second data abnormal information;
the edge security node is further configured to:
separating data generated by the first edge terminal and/or the first edge cloud node from the first data to serve as first abnormal data, and using the remaining data in the first data as first normal data;
transmitting the first normal data back to the first gateway equipment, and transmitting the first normal data by the first gateway equipment according to a preset rule;
the cloud security node is further configured to:
separating the data generated by the first edge cloud node from the second data to be used as second abnormal data, and using the residual data in the second data as second normal data;
and transmitting the second normal data back to the second gateway equipment, and transmitting the second normal data by the second gateway equipment according to a preset rule.
It can be understood that, in order to handle traffic anomalies efficiently and provide normal data transmission service in time, in an embodiment of the present invention the edge security node extracts, according to the unique identifier carried by the first data, the first edge terminal data belonging to the edge terminals (the total data sent by all edge terminals) and the first edge cloud node data belonging to the edge cloud nodes (the total data sent by all edge cloud nodes). It analyzes the data anomaly situation of the edge terminals according to the first edge terminal data and the edge terminal traffic model, and determines the abnormal first edge terminal from the edge terminals. Second data anomaly information of the edge cloud nodes is analyzed according to the second edge cloud node data and the edge cloud node traffic model, and the abnormal first edge cloud node is determined from the edge cloud nodes according to the first data anomaly information and the second data anomaly information. Then the data generated by the first edge terminal and/or the first edge cloud node is separated from the first data as first abnormal data, and the remaining data in the first data is used as first normal data; the first normal data is transmitted back to the first gateway device, which transmits it according to a first preset rule. The data generated by the first edge cloud node is separated from the second data as second abnormal data, and the remaining data in the second data is used as second normal data; the second normal data is transmitted back to the second gateway device, which transmits it according to a second preset rule.
In some possible embodiments of the present invention, the edge security node is further configured to analyze the first abnormal data to determine a first data abnormal type;
the cloud security node is further used for analyzing the second abnormal data to determine the second data abnormal type;
the edge security node and/or the cloud security node are further configured to:
determining the attack type suffered by the first edge terminal and/or the first edge cloud node according to the first data exception type and/or the second data exception type;
executing a maintenance scheme for the first edge terminal and/or the first edge cloud node according to the attack type;
wherein the first data exception type or the second data exception type includes being forged, being destroyed, or being partially tampered with.
It is understood that, in order to recover the normal data transmission service quickly, in this embodiment the edge security node analyzes the first abnormal data to determine the first data abnormal type (including but not limited to being forged, destroyed, or partially tampered with); the cloud security node analyzes the second abnormal data to determine the second data abnormal type (including but not limited to being forged, destroyed, or partially tampered with); the attack type suffered by the first edge terminal and/or the first edge cloud node is determined according to the first data exception type and/or the second data exception type; and a maintenance scheme is executed for the first edge terminal and/or the first edge cloud node according to the attack type.
In some possible embodiments of the present invention, the step of executing a maintenance scheme for the first edge terminal and/or the first edge cloud node according to the attack type is performed by the edge security node and/or the cloud security node, where the edge security node and/or the cloud security node is specifically configured to:
stopping the work of the first edge terminal and/or the first edge cloud node, and disconnecting the first edge terminal and/or the first edge cloud node from the first gateway device and/or the second gateway device;
performing system scanning corresponding to the attack type on the first edge terminal and/or the first edge cloud node to determine a repair point, and repairing the repair point;
starting a standby edge terminal and/or a standby edge cloud node having the same attribute as the first edge terminal and/or the first edge node to replace the corresponding first edge terminal and/or the first edge node;
establishing communication connection between the standby edge terminal and the first gateway equipment;
and respectively establishing communication connection between the standby edge cloud node and the first gateway equipment and communication connection between the standby edge cloud node and the second gateway equipment.
It can be understood that, in order to process an abnormality quickly and recover normal data transmission service in time, in this embodiment the work task of the abnormal edge terminal or edge cloud node is stopped and the device is disconnected from the corresponding gateway device; a system scan corresponding to the attack type (such as a vulnerability scan, a trojan scan, a virus scan, a port scan, and the like) is performed on the first edge terminal and/or the first edge cloud node to determine a repair point, and the repair point is repaired; a standby edge terminal and/or a standby edge cloud node having the same attribute as the first edge terminal and/or the first edge node is started to replace the corresponding first edge terminal and/or the first edge node; a communication connection is established between the standby edge terminal and the first gateway device; and communication connections are established between the standby edge cloud node and the first gateway device and the second gateway device, respectively.
In some possible embodiments of the present invention, the edge security node and/or the cloud security node is further configured to determine a second edge terminal that normally operates in the edge terminal, and determine a second edge cloud node that normally operates in the edge cloud node;
the edge security node is further configured to construct a first secure communication channel between the second edge terminal and the second edge cloud node;
the cloud security node is further configured to construct a second secure communication channel between the second edge cloud node and the cloud server.
It can be understood that, in order not to affect the execution of the work tasks of the edge terminals and the edge cloud nodes where no traffic abnormality occurs, in this embodiment, a second edge terminal that normally works is determined in the edge terminals, and a second edge cloud node that normally works is determined in the edge cloud nodes; the edge security node constructs a first secure communication channel between the second edge terminal and the second edge cloud node, for example, the edge security node selects a standby first secure communication gateway device, determines a first communication protocol with a higher security level, allocates a communication address, and the like; the cloud security node constructs a second secure communication channel between the second edge cloud node and the cloud server, for example, the cloud security node selects a standby second secure communication gateway device, determines a second communication protocol with a higher security level, allocates a communication address, and the like.
It should be understood that the block diagram of the network attack traffic processing system based on edge computing shown in fig. 2 is only schematic, and the number of the shown modules does not limit the protection scope of the present invention.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus may be implemented in other manners. For example, the above-described embodiments of the apparatus are merely illustrative, and for example, the above-described division of the units is only one type of division of logical functions, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of some interfaces, devices or units, and may be an electric or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit may be stored in a computer readable memory if it is implemented in the form of a software functional unit and sold or used as a stand-alone product. Based on such understanding, the technical solutions of the present application, which are essential or part of the technical solutions contributing to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product, which is stored in a memory and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the above methods of the embodiments of the present application. And the aforementioned memory comprises: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
Those skilled in the art will appreciate that all or part of the steps of the methods of the above embodiments may be implemented by a program, which is stored in a computer-readable memory, the memory including: flash memory disks, Read-Only Memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
The foregoing detailed description of the embodiments of the present application has been presented to illustrate the principles and implementations of the present application, and the above description of the embodiments is only provided to help understand the method and the core concept of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.
Although the present invention is disclosed above, the present invention is not limited thereto. Various changes and modifications can be easily made by those skilled in the art without departing from the spirit and scope of the present invention, and it is within the scope of the present invention to include different functions, combination of implementation steps, software and hardware implementations.

Claims (10)

1. A network attack traffic processing method based on edge computing, applied to a network attack traffic processing system, the network attack traffic processing system comprising: a first gateway device; an edge terminal, an edge cloud node and an edge security node which are connected with the first gateway device; a second gateway device which is respectively connected with the edge cloud node and the edge security node; and a cloud security node and a cloud server which are connected with the second gateway device; characterized in that the method comprises:
the cloud server provides registration service and configures unique identifiers in a unified format for the edge terminal, the first gateway device, the edge cloud node, the edge security node, the second gateway device and the cloud security node respectively;
the first gateway equipment stores the traffic data received and sent by the first gateway equipment, and classifies the traffic data according to the unique identifier carried by the traffic data to obtain historical traffic data;
the edge security node acquires first historical traffic data from the historical traffic data of the first gateway device, and respectively establishes an edge terminal traffic model of the edge terminal, an edge cloud node traffic model of the edge cloud node and a first gateway device traffic model of the first gateway device according to the first historical traffic data;
the cloud security node acquires second historical traffic data corresponding to the first historical traffic data on the second gateway device, and establishes a second gateway device traffic model of the second gateway device according to the second historical traffic data;
the edge security node acquires first real-time flow data of the first gateway equipment, judges whether the first real-time flow data is abnormal according to the flow model of the first gateway equipment, and transfers the corresponding first data to the edge security node if the first real-time flow data is abnormal;
and the cloud security node acquires second real-time flow data of the second gateway equipment, judges whether an abnormality exists according to the flow model of the second gateway equipment, and if so, transfers the corresponding second data to the cloud security node.
2. The network attack traffic processing method based on edge computing according to claim 1, wherein after the operation of transferring the corresponding second data to the cloud security node, the method further comprises:
the edge security node extracts first edge terminal data sent by the edge terminal and first edge cloud node data sent by the edge cloud node according to the unique identifier carried by the first data;
the edge security node analyzes the abnormal data condition of the edge terminal according to the first edge terminal data and the edge terminal flow model, and determines the abnormal first edge terminal from the edge terminal;
the edge security node analyzes first data exception information of the edge cloud node according to the first edge cloud node data and the edge cloud node flow model, and sends the first data exception information to the cloud security node;
the cloud security node extracts second edge cloud node data which belongs to the edge cloud node and is sent by the edge cloud node according to the unique identifier carried by the second data;
the cloud security node analyzes second data abnormal information of the edge cloud nodes according to the second edge cloud node data and the edge cloud node traffic model, and determines a first edge cloud node with abnormality from the edge cloud nodes according to the first data abnormal information and the second data abnormal information;
separating data generated by the first edge terminal and/or the first edge cloud node from the first data to be used as first abnormal data, and using the rest data in the first data as first normal data;
transmitting the first normal data back to the first gateway equipment, and transmitting the first normal data by the first gateway equipment according to a preset rule;
separating the data generated by the first edge cloud node from the second data to be used as second abnormal data, and using the rest data in the second data as second normal data;
and transmitting the second normal data back to the second gateway equipment, and transmitting the second normal data by the second gateway equipment according to a preset rule.
3. The method for processing network attack traffic based on edge computing according to claim 2, wherein the method further comprises:
the edge security node analyzes the first abnormal data to determine a first data abnormal type;
the cloud security node analyzes the second abnormal data to determine a second data abnormal type;
determining the attack type suffered by the first edge terminal and/or the first edge cloud node according to the first data abnormal type and/or the second data abnormal type;
executing a maintenance scheme for the first edge terminal and/or the first edge cloud node according to the attack type;
wherein the first data abnormal type or the second data abnormal type includes being forged, being destroyed, and being partially tampered with.
4. The network attack traffic processing method based on edge computing according to claim 3, wherein the step of executing a maintenance scheme for the first edge terminal and/or the first edge cloud node according to the attack type specifically includes:
stopping the work of the first edge terminal and/or the first edge cloud node, and disconnecting the first edge terminal and/or the first edge cloud node from the first gateway device and/or the second gateway device;
performing system scanning corresponding to the attack type on the first edge terminal and/or the first edge cloud node to determine a repair point, and repairing the repair point;
starting a standby edge terminal and/or a standby edge cloud node having the same attribute as the first edge terminal and/or the first edge node to replace the corresponding first edge terminal and/or the first edge node;
establishing communication connection between the standby edge terminal and the first gateway equipment;
and respectively establishing communication connection between the standby edge cloud node and the first gateway equipment and the second gateway equipment.
5. The method for processing network attack traffic based on edge computing according to claims 1-4, characterized in that the method further comprises:
determining a second edge terminal that is working normally among the edge terminals, and determining a second edge cloud node that is working normally among the edge cloud nodes;
the edge security node constructs a first secure communication channel between the second edge terminal and the second edge cloud node;
and the cloud security node constructs a second secure communication channel between the second edge cloud node and the cloud server.
6. A network attack traffic processing system based on edge computing, comprising: a first gateway device; an edge terminal, an edge cloud node and an edge security node which are connected with the first gateway device; a second gateway device which is respectively connected with the edge cloud node and the edge security node; and a cloud security node and a cloud server which are connected with the second gateway device; wherein,
the cloud server is configured to provide a registration service and configure unique identifiers in a unified format for the edge terminal, the first gateway device, the edge cloud node, the edge security node, the second gateway device, and the cloud security node, respectively;
the first gateway device is used for storing the traffic data received and sent by the first gateway device, and classifying the traffic data according to the unique identifier carried by the traffic data to obtain historical traffic data;
the edge security node is configured to obtain first historical traffic data from the historical traffic data of the first gateway device, and respectively establish an edge terminal traffic model of the edge terminal, an edge cloud node traffic model of the edge cloud node, and a first gateway device traffic model of the first gateway device according to the first historical traffic data;
the cloud security node is configured to acquire second historical traffic data corresponding to the first historical traffic data on the second gateway device, and establish a second gateway device traffic model of the second gateway device according to the second historical traffic data;
the edge security node is configured to acquire first real-time traffic data of the first gateway device, judge whether the first real-time traffic data is abnormal according to the first gateway device traffic model, and if so, transfer the corresponding first data to the edge security node;
and the cloud security node is configured to acquire second real-time traffic data of the second gateway device, judge whether the second real-time traffic data is abnormal according to the second gateway device traffic model, and if so, transfer the corresponding second data to the cloud security node.
7. The edge computing-based network attack traffic processing system of claim 6, wherein after the cloud security node performs the operation of transferring the corresponding second data to the cloud security node,
the edge security node is further configured to:
extracting, according to the unique identifier carried by the first data, first edge terminal data sent by the edge terminal and first edge cloud node data sent by the edge cloud node;
analyzing the abnormal data condition of the edge terminal according to the first edge terminal data and the edge terminal traffic model, and determining an abnormal first edge terminal from among the edge terminals;
analyzing first data abnormal information of the edge cloud nodes according to the first edge cloud node data and the edge cloud node traffic model, and sending the first data abnormal information to the cloud security node;
the cloud security node is further configured to:
extracting, according to the unique identifier carried by the second data, second edge cloud node data sent by the edge cloud node;
analyzing second data abnormal information of the edge cloud nodes according to the second edge cloud node data and the edge cloud node traffic model, and determining a first edge cloud node with abnormality from the edge cloud nodes according to the first data abnormal information and the second data abnormal information;
the edge security node is further configured to:
separating data generated by the first edge terminal and/or the first edge cloud node from the first data to be used as first abnormal data, and using the remaining data in the first data as first normal data;
transmitting the first normal data back to the first gateway equipment, and transmitting the first normal data by the first gateway equipment according to a preset rule;
the cloud security node is further configured to:
separating the data generated by the first edge cloud node from the second data to be used as second abnormal data, and using the remaining data in the second data as second normal data;
and transmitting the second normal data back to the second gateway equipment, and transmitting the second normal data by the second gateway equipment according to a preset rule.
8. The edge computing-based network attack traffic processing system of claim 7,
the edge security node is further configured to analyze the first abnormal data to determine a first data abnormal type;
the cloud security node is further configured to analyze the second abnormal data to determine a second data abnormal type;
the edge security node and/or the cloud security node are further configured to:
determining the attack type suffered by the first edge terminal and/or the first edge cloud node according to the first data abnormal type and/or the second data abnormal type;
executing a maintenance scheme for the first edge terminal and/or the first edge cloud node according to the attack type;
wherein the first data abnormal type or the second data abnormal type includes being forged, being destroyed, and being partially tampered with.
9. The network attack traffic processing system according to claim 8, wherein the step of performing a maintenance scheme on the first edge terminal and/or the first edge cloud node according to the attack type is performed by the edge security node and/or the cloud security node, and the edge security node and/or the cloud security node is specifically configured to:
stopping the work of the first edge terminal and/or the first edge cloud node, and disconnecting the first edge terminal and/or the first edge cloud node from the first gateway device and/or the second gateway device;
performing system scanning corresponding to the attack type on the first edge terminal and/or the first edge cloud node to determine a repair point, and repairing the repair point;
starting a standby edge terminal and/or a standby edge cloud node having the same attribute as the first edge terminal and/or the first edge node to replace the corresponding first edge terminal and/or the first edge node;
establishing communication connection between the standby edge terminal and the first gateway equipment;
and respectively establishing communication connection between the standby edge cloud node and the first gateway equipment and communication connection between the standby edge cloud node and the second gateway equipment.
10. The edge computing-based network attack traffic processing system according to claims 6-9,
the edge security node and/or the cloud security node is further configured to determine a second edge terminal that is working normally among the edge terminals and a second edge cloud node that is working normally among the edge cloud nodes;
the edge security node is further configured to construct a first secure communication channel between the second edge terminal and the second edge cloud node;
the cloud security node is further configured to construct a second secure communication channel between the second edge cloud node and the cloud server.
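The two-stage analysis of claims 2 and 7 (extract by unique identifier, compare with the traffic models, combine the edge-side and cloud-side findings, then separate abnormal from normal data) can be sketched as follows. This is an added example, not code from the patent: the mean/standard-deviation model, the `T-`/`N-` identifier prefixes, the threshold `k` and the rule that an edge cloud node is confirmed only when both security nodes flag it are assumptions, since the claims do not define them.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: (unique_identifier, bytes_per_second).
# The "T-"/"N-" prefixes for terminals and edge cloud nodes are assumptions.
HISTORY = [("T-01", 100), ("T-01", 110), ("T-01", 90),
           ("T-02", 50), ("T-02", 55), ("T-02", 45),
           ("N-01", 1000), ("N-01", 1100), ("N-01", 900),
           ("N-02", 500), ("N-02", 520), ("N-02", 480)]
FIRST_DATA = [("T-01", 105), ("T-02", 900), ("N-01", 5000), ("N-02", 700)]
SECOND_DATA = [("N-01", 4800), ("N-02", 510)]

def build_models(history):
    """One traffic model per identifier: (mean, standard deviation)."""
    by_id = defaultdict(list)
    for uid, rate in history:
        by_id[uid].append(rate)
    return {uid: (mean(v), pstdev(v)) for uid, v in by_id.items()}

def flag(records, models, prefix, k=3.0):
    """Identifiers of one device class whose records deviate from their model."""
    flagged = set()
    for uid, rate in records:
        if not uid.startswith(prefix):
            continue
        model = models.get(uid)
        # No history for this identifier: treated as abnormal (assumption).
        if model is None or abs(rate - model[0]) > k * max(model[1], 1.0):
            flagged.add(uid)
    return flagged

def split(records, abnormal_ids):
    """Separate abnormal records from the normal ones returned to the gateway."""
    abnormal = [r for r in records if r[0] in abnormal_ids]
    normal = [r for r in records if r[0] not in abnormal_ids]
    return abnormal, normal

def process(first_data, second_data, models):
    # Edge security node: terminals are judged locally; cloud-node findings are
    # only "first abnormal information" forwarded to the cloud security node.
    bad_terminals = flag(first_data, models, "T-")
    first_info = flag(first_data, models, "N-")
    # Cloud security node: confirm a node only if both gateways saw it deviate
    # (assumed combination rule; the claims do not define one).
    second_info = flag(second_data, models, "N-")
    bad_nodes = first_info & second_info
    first_abn, first_norm = split(first_data, bad_terminals | bad_nodes)
    second_abn, second_norm = split(second_data, bad_nodes)
    return {"bad_terminals": bad_terminals, "bad_nodes": bad_nodes,
            "first_abnormal": first_abn, "first_normal": first_norm,
            "second_abnormal": second_abn, "second_normal": second_norm}

if __name__ == "__main__":
    print(process(FIRST_DATA, SECOND_DATA, build_models(HISTORY)))
```

In the constructed data, `N-02` deviates at the first gateway but not at the second, so under the assumed rule its traffic is returned as normal data rather than isolated.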
CN202211544532.2A 2022-12-02 2022-12-02 Network attack flow processing method and system based on edge calculation Active CN115955334B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211544532.2A CN115955334B (en) 2022-12-02 2022-12-02 Network attack flow processing method and system based on edge calculation

Publications (2)

Publication Number Publication Date
CN115955334A true CN115955334A (en) 2023-04-11
CN115955334B CN115955334B (en) 2023-11-10

Family

ID=87288426

Country Status (1)

Country Link
CN (1) CN115955334B (en)

Also Published As

Publication number Publication date
CN115955334B (en) 2023-11-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant