CN115955334B - Network attack flow processing method and system based on edge calculation - Google Patents

Publication number: CN115955334B
Application number: CN202211544532.2A
Other versions: CN115955334A
Authority: China (CN)
Other languages: Chinese (zh)
Inventors: 彭昱栋, 林莉
Original and current assignee: Shenzhen Mingliyang Technology Co ltd
Legal status: Active
Prior art keywords: edge, data, node, cloud, terminal
Classification: Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention provides a network attack traffic processing method and system based on edge computing. Traffic models of a plurality of terminals are established and used to judge whether real-time traffic data is abnormal; when an abnormality exists, a security node processes the abnormal traffic data, so that traffic anomalies are handled promptly and efficiently and losses caused by attacks are avoided.

Description

Network attack flow processing method and system based on edge calculation
Technical Field
The invention relates to the technical field of networks, in particular to a network attack flow processing method and system based on edge calculation.
Background
Edge computing uses an open platform that integrates core networking, computing, storage and application capabilities on the side close to the object or data source, and provides services nearby. Applications are initiated at the edge, which produces a faster network service response and meets the industry's basic requirements for real-time service, application intelligence, security and privacy protection. However, edge terminals and edge servers have simple hardware, lack computing resources, are designed without sufficient attention to security and lack effective protective measures, so the likelihood of malicious intrusion is greatly increased. Once an edge terminal or edge server is attacked by hackers, the attack can be launched upward to the cloud or downward to the terminal devices, so that the network attack spreads from a single point to a wide area, and there is a risk of data being tampered with by hackers or of the whole system being intruded by way of the edge node. Therefore, a network attack traffic handling scheme based on edge computation is needed to guarantee the network security of the edge nodes.
Disclosure of Invention
In view of the above problems, the invention provides a network attack traffic processing method and system based on edge computing: traffic models of a plurality of terminals are established and used to judge whether real-time traffic data is abnormal, and when an abnormality exists, a security node processes the abnormal traffic data, so that traffic anomalies are handled promptly and efficiently and losses caused by attacks are avoided.
In view of this, an aspect of the present invention proposes a network attack traffic processing method based on edge computation, including:
the network attack traffic processing system comprises: a first gateway device; an edge terminal, an edge cloud node and an edge security node, which are connected with the first gateway device; a second gateway device; a cloud security node; and a cloud server, wherein the second gateway device is connected with the edge cloud node and the edge security node respectively; the method is characterized by comprising the following steps:
the cloud server provides a registration service and a unique identifier configured in a unified format for the edge terminal, the first gateway device, the edge cloud node, the edge security node, the second gateway device and the cloud security node respectively;
the first gateway device stores the traffic data it receives and sends, and classifies the traffic data according to the unique identifier carried by the traffic data to obtain historical traffic data;
the edge security node acquires first historical flow data from the historical flow data of the first gateway device, and respectively establishes an edge terminal flow model of the edge terminal, an edge cloud node flow model of the edge cloud node and a first gateway device flow model of the first gateway device according to the first historical flow data;
the cloud security node acquires second historical flow data corresponding to the first historical flow data on the second gateway device, and establishes a second gateway device flow model of the second gateway device according to the second historical flow data;
the edge security node acquires first real-time traffic data of the first gateway equipment, judges whether abnormality exists according to the traffic model of the first gateway equipment, and if yes, transfers the corresponding first data to the edge security node;
and the cloud security node acquires second real-time flow data of the second gateway equipment, judges whether abnormality exists according to the second gateway equipment flow model, and transfers the corresponding second data to the cloud security node if the abnormality exists.
Optionally, after the operation of transferring the corresponding second data to the cloud security node, the method further includes:
the edge security node extracts first edge terminal data which are sent by the edge terminal and first edge cloud node data which are sent by the edge cloud node according to the unique identifier carried by the first data;
the edge security node analyzes the data anomaly condition of the edge terminal according to the first edge terminal data and the edge terminal traffic model, and determines a first edge terminal with an anomaly from the edge terminals;
the edge security node analyzes first data anomaly information of the edge cloud node according to the first edge cloud node data and the edge cloud node traffic model, and sends the first data anomaly information to the cloud security node;
the cloud security node extracts second edge cloud node data which belongs to the edge cloud node transmission according to the unique identifier carried by the second data;
the cloud security node analyzes second data anomaly information of the edge cloud nodes according to the second edge cloud node data and the edge cloud node traffic model, and determines a first edge cloud node with anomaly from the edge cloud nodes according to the first data anomaly information and the second data anomaly information;
separating data generated by the first edge terminal and/or the first edge cloud node from the first data to serve as first abnormal data, and taking the remaining data in the first data as first normal data;
transmitting the first normal data back to the first gateway device, and the first gateway device transmits the first normal data according to a preset rule;
separating data generated by the first edge cloud node from the second data to serve as second abnormal data, and taking the remaining data in the second data as second normal data;
and transmitting the second normal data back to the second gateway device, and the second gateway device transmits the second normal data according to a preset rule.
Optionally, the method further comprises:
the edge security node analyzes the first abnormal data to determine a first data abnormal type;
the cloud security node analyzes the second abnormal data to determine a second data abnormal type;
determining the attack type suffered by the first edge terminal and/or the first edge cloud node according to the first data anomaly type and/or the second data anomaly type;
executing a maintenance scheme for the first edge terminal and/or the first edge cloud node according to the attack type;
wherein the first data anomaly type or the second data anomaly type includes forged, destroyed, and partially tampered.
Optionally, the step of executing a maintenance scheme for the first edge terminal and/or the first edge cloud node according to the attack type specifically includes:
stopping the work of the first edge terminal and/or the first edge cloud node, and disconnecting the first edge terminal and/or the first edge cloud node from the first gateway device and/or the second gateway device;
performing system scanning corresponding to the attack type on the first edge terminal and/or the first edge cloud node to determine a repair point, and repairing the repair point;
starting a standby edge terminal and/or a standby edge cloud node with the same attribute as the first edge terminal and/or the first edge node to replace the corresponding first edge terminal and/or the first edge node;
establishing communication connection between the standby edge terminal and the first gateway equipment;
and respectively establishing communication connection between the standby edge cloud node and the first gateway equipment and the second gateway equipment.
Optionally, the method further comprises:
determining a second edge terminal which works normally in the edge terminals and determining a second edge cloud node which works normally in the edge cloud nodes;
the edge security node constructs a first security communication channel between the second edge terminal and the second edge cloud node;
and the cloud security node constructs a second security communication channel between the second edge cloud node and the cloud server.
Another aspect of the present invention provides a network attack traffic processing system based on edge computation, including: a first gateway device; an edge terminal, an edge cloud node and an edge security node, which are connected with the first gateway device; a second gateway device; a cloud security node; and a cloud server, wherein the second gateway device is connected with the edge cloud node and the edge security node respectively; wherein,
the cloud server is configured to provide a registration service and a unique identifier configured in a unified format for the edge terminal, the first gateway device, the edge cloud node, the edge security node, the second gateway device and the cloud security node, respectively;
the first gateway device is used for storing the flow data received and sent by the first gateway device and classifying the flow data according to the unique identifier carried by the flow data to obtain historical flow data;
the edge security node is configured to obtain first historical traffic data from the historical traffic data of the first gateway device, and respectively establish an edge terminal traffic model of the edge terminal, an edge cloud node traffic model of the edge cloud node, and a first gateway device traffic model of the first gateway device according to the first historical traffic data;
the cloud security node is configured to obtain second historical traffic data corresponding to the first historical traffic data on the second gateway device, and establish a second gateway device traffic model of the second gateway device according to the second historical traffic data;
the edge security node is used for collecting first real-time flow data of the first gateway equipment, judging whether an abnormality exists according to the first gateway equipment flow model, and if yes, transferring the corresponding first data to the edge security node;
and the cloud security node is used for acquiring second real-time flow data of the second gateway equipment, judging whether an abnormality exists according to the second gateway equipment flow model, and if yes, transferring the corresponding second data to the cloud security node.
Optionally, after the cloud security node performs the operation of transferring the corresponding second data to the cloud security node,
the edge security node is further configured to:
extracting first edge terminal data which belongs to the edge terminal transmission and first edge cloud node data which belongs to the edge cloud node transmission according to the unique identifier carried by the first data;
analyzing the data abnormality of the edge terminals according to the first edge terminal data and the edge terminal flow model, and determining the first edge terminal with abnormality from the edge terminals;
analyzing first data anomaly information of the edge cloud node according to the first edge cloud node data and the edge cloud node traffic model, and sending the first data anomaly information to the cloud security node;
the cloud security node is further configured to:
extracting second edge cloud node data which belongs to the edge cloud node transmission according to the unique identifier carried by the second data;
analyzing second data anomaly information of the edge cloud nodes according to the second edge cloud node data and the edge cloud node traffic model, and determining a first edge cloud node with anomaly from the edge cloud nodes according to the first data anomaly information and the second data anomaly information;
the edge security node is further configured to:
separating data generated by the first edge terminal and/or the first edge cloud node from the first data to serve as first abnormal data, and taking the remaining data in the first data as first normal data;
transmitting the first normal data back to the first gateway device, and the first gateway device transmits the first normal data according to a preset rule;
the cloud security node is further configured to:
separating data generated by the first edge cloud node from the second data to serve as second abnormal data, and taking the remaining data in the second data as second normal data;
and transmitting the second normal data back to the second gateway device, and the second gateway device transmits the second normal data according to a preset rule.
Optionally, the edge security node is further configured to analyze the first abnormal data to determine a first data abnormal type;
the cloud security node is further configured to analyze the second abnormal data to determine a second data abnormal type;
the edge security node and/or the cloud security node are further configured to:
determining the attack type suffered by the first edge terminal and/or the first edge cloud node according to the first data anomaly type and/or the second data anomaly type;
executing a maintenance scheme for the first edge terminal and/or the first edge cloud node according to the attack type;
wherein the first data anomaly type or the second data anomaly type includes forged, destroyed, and partially tampered.
Optionally, in the step of executing a maintenance scheme for the first edge terminal and/or the first edge cloud node according to the attack type, the edge security node and/or the cloud security node are specifically configured to:
stopping the work of the first edge terminal and/or the first edge cloud node, and disconnecting the first edge terminal and/or the first edge cloud node from the first gateway device and/or the second gateway device;
performing system scanning corresponding to the attack type on the first edge terminal and/or the first edge cloud node to determine a repair point, and repairing the repair point;
starting a standby edge terminal and/or a standby edge cloud node with the same attribute as the first edge terminal and/or the first edge node to replace the corresponding first edge terminal and/or the first edge node;
establishing communication connection between the standby edge terminal and the first gateway equipment;
and respectively establishing communication connection between the standby edge cloud node and the first gateway equipment and the second gateway equipment.
Optionally, the edge security node and/or the cloud security node are further configured to determine a second edge terminal that works normally in the edge terminals, and determine a second edge cloud node that works normally in the edge cloud nodes;
the edge security node is further configured to construct a first secure communication channel between the second edge terminal and the second edge cloud node;
the cloud security node is further configured to construct a second secure communication channel between the second edge cloud node and the cloud server.
By adopting the technical scheme of the invention, the data flow models of the terminals are established to judge whether the real-time flow data has abnormality, and when the abnormality exists, the safety node processes the abnormal flow data, so that the flow abnormality can be processed timely and efficiently, and the loss caused by attack is avoided.
Drawings
FIG. 1 is a flow chart of a method for processing network attack traffic based on edge computation according to one embodiment of the present invention;
fig. 2 is a schematic block diagram of a network attack traffic processing system based on edge computation according to an embodiment of the present invention.
Detailed Description
In order that the above-recited objects, features and advantages of the present application will be more clearly understood, a more particular description of the application will be rendered by reference to the appended drawings and appended detailed description. It should be noted that, without conflict, the embodiments of the present application and features in the embodiments may be combined with each other.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present application, however, the present application may be practiced otherwise than as described herein, and therefore the scope of the present application is not limited to the specific embodiments disclosed below.
The terms first, second and the like in the description and in the claims and in the above-described figures are used for distinguishing between different objects and not necessarily for describing a sequential or chronological order. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed steps or elements but may include other steps or elements not listed or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
The following describes a network attack traffic processing method and system based on edge computation according to some embodiments of the present application with reference to fig. 1 to 2.
As shown in fig. 1, an embodiment of the present application provides a network attack traffic processing method based on edge computation. The network attack traffic processing system comprises: a first gateway device; an edge terminal, an edge cloud node and an edge security node, which are connected with the first gateway device; a second gateway device; a cloud security node; and a cloud server, wherein the second gateway device is connected with the edge cloud node and the edge security node respectively. The method comprises the following steps:
the cloud server provides a registration service and a unique identifier configured in a unified format for the edge terminal, the first gateway device, the edge cloud node, the edge security node, the second gateway device and the cloud security node respectively;
the first gateway device stores the received and transmitted flow data, and classifies the flow data according to the unique identifier carried by the flow data to obtain historical flow data;
the edge security node acquires first historical flow data from the historical flow data of the first gateway device, and respectively establishes an edge terminal flow model of the edge terminal, an edge cloud node flow model of the edge cloud node and a first gateway device flow model of the first gateway device according to the first historical flow data;
the cloud security node acquires second historical flow data corresponding to the first historical flow data on the second gateway device, and establishes a second gateway device flow model of the second gateway device according to the second historical flow data;
the edge security node acquires first real-time traffic data of the first gateway equipment, judges whether abnormality exists according to the traffic model of the first gateway equipment, and if yes, transfers the corresponding first data to the edge security node;
and the cloud security node acquires second real-time traffic data of the second gateway device, judges whether an abnormality exists according to the second gateway device traffic model, and transfers the corresponding second data to the cloud security node if the abnormality exists.
It may be appreciated that, in the embodiment of the present invention, the cloud server provides a registration service and a unique identifier configured in a unified format for the edge terminal, the first gateway device, the edge cloud node, the edge security node, the second gateway device, and the cloud security node, respectively.
The internet of things terminal can be an intelligent home terminal, an intelligent street lamp, an intelligent health terminal, an intelligent teaching terminal, an intelligent camera terminal, an intelligent machine tool, an intelligent automobile, a robot and the like. The first gateway device may be an internet of things gateway device.
The first gateway device stores the traffic data it receives and sends, and classifies the traffic data according to the unique identifier carried by the traffic data to obtain historical traffic data. The edge security node obtains first historical traffic data from the historical traffic data of the first gateway device (for example, according to actual requirements or preset rules) and, according to the first historical traffic data and in combination with a first neural network, respectively establishes an edge terminal traffic model of the edge terminal, an edge cloud node traffic model of the edge cloud node and a first gateway device traffic model of the first gateway device. The cloud security node obtains, on the second gateway device, second historical traffic data corresponding to the first historical traffic data (for example, consistent in arrival time, or offset by a preset time difference that conforms to the transmission speed rule), and establishes a second gateway device traffic model of the second gateway device according to the second historical traffic data and in combination with a second neural network. The edge security node collects first real-time traffic data of the first gateway device and judges whether an abnormality exists according to the first gateway device traffic model; if so, it transfers the corresponding first data (for example, the data currently generated on the first gateway device from the moment T1 at which the abnormality occurs until a preset duration after T1) to the edge security node, and pauses the data transmission task of the first gateway device.
The cloud security node collects second real-time traffic data of the second gateway device and judges whether an abnormality exists according to the second gateway device traffic model; if so, it transfers the corresponding second data (for example, the data currently generated on the second gateway device from the moment T2 at which the abnormality occurs until the moment T3, a preset duration later) to the cloud security node, and pauses the data transmission task of the second gateway device.
It should be noted that, the process of training to construct the traffic model (the edge terminal traffic model, the edge cloud node traffic model, the first gateway device traffic model and the second gateway device traffic model) by using the neural network specifically includes:
setting a neural network comprising an input layer, a first initial layer, an analog output layer, an activation function, a second initial layer, a verification coefficient layer and an output layer;
inputting historical traffic data of a subject as first input data into the input layer of the first neural network;
the input layer transmits the first input data to the first initial layer which is connected with the input layer through matrix operation;
the first initial layer receives first output data, activates the first output data through the activation function to obtain second output data, and sends the activated second output data to the analog output layer;
the analog output layer calculates the second output data through a matrix to obtain an analog output value, and inputs the analog output value into the second initial layer;
the second initial layer calculates the analog output value through a matrix to obtain a verification output result;
the first input data of the input layer is in data connection with the second initial layer;
the second initial layer calculates to obtain third output data through a matrix, and sends the third output data and the verification output result to the verification coefficient layer for verification to obtain a normalization coefficient;
the normalization coefficient and the analog output value are sent to the output layer, and the output layer normalizes the analog output value to obtain a mimicry result;
and collecting positive feedback data and reverse feedback data, and carrying out learning correction on the mimicry result according to the positive feedback data and the reverse feedback data to generate a flow model.
By adopting the technical scheme of the embodiment, the data flow models of the terminals are established to judge whether the real-time flow data has abnormality, and when the abnormality exists, the safety node processes the abnormal flow data, so that the flow abnormality can be processed timely and efficiently, and the loss caused by attack is avoided.
In some possible embodiments of the present invention, after the operation of transferring the corresponding second data to the cloud security node, the method further includes:
the edge security node extracts first edge terminal data which are sent by the edge terminal and first edge cloud node data which are sent by the edge cloud node according to the unique identifier carried by the first data;
the edge security node analyzes the data anomaly condition of the edge terminal according to the first edge terminal data and the edge terminal traffic model, and determines a first edge terminal with an anomaly from the edge terminals;
the edge security node analyzes first data anomaly information of the edge cloud node according to the first edge cloud node data and the edge cloud node traffic model, and sends the first data anomaly information to the cloud security node;
the cloud security node extracts second edge cloud node data which belongs to the edge cloud node transmission according to the unique identifier carried by the second data;
the cloud security node analyzes second data anomaly information of the edge cloud nodes according to the second edge cloud node data and the edge cloud node traffic model, and determines a first edge cloud node with anomaly from the edge cloud nodes according to the first data anomaly information and the second data anomaly information;
separating data generated by the first edge terminal and/or the first edge cloud node from the first data to serve as first abnormal data, and taking the remaining data in the first data as first normal data;
transmitting the first normal data back to the first gateway device, and the first gateway device transmits the first normal data according to a preset rule;
separating data generated by the first edge cloud node from the second data to serve as second abnormal data, and taking the remaining data in the second data as second normal data;
and transmitting the second normal data back to the second gateway device, and the second gateway device transmits the second normal data according to a preset rule.
It may be understood that, in order to process a traffic anomaly efficiently and restore normal data transmission service in time, in this embodiment of the present invention the edge security node extracts, according to the unique identifier carried by the first data, first edge terminal data belonging to the edge terminal (the total data sent by all edge terminals) and first edge cloud node data belonging to the edge cloud node (the total data sent by all edge cloud nodes). It analyzes the data anomaly condition of the edge terminal according to the first edge terminal data and the edge terminal traffic model, and determines a first edge terminal with an anomaly from the edge terminals. Second data anomaly information of the edge cloud node is analyzed according to the second edge cloud node data and the edge cloud node traffic model, and a first edge cloud node with an anomaly is determined from the edge cloud nodes according to the first data anomaly information and the second data anomaly information. Then, data generated by the first edge terminal and/or the first edge cloud node is separated from the first data to serve as first abnormal data, and the remaining data in the first data is taken as first normal data; the first normal data is transmitted back to the first gateway device, and the first gateway device transmits it according to a first preset rule. Data generated by the first edge cloud node is separated from the second data to serve as second abnormal data, and the remaining data in the second data is taken as second normal data; the second normal data is transmitted back to the second gateway device, and the second gateway device transmits it according to a second preset rule.
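The edge-side flow described above, as an added Python example that is not part of the patent: traffic is classified by unique identifier, a gateway-level check decides whether a window is diverted, and per-identifier models separate abnormal data from normal data. A median/MAD baseline stands in for the neural-network traffic model, and the record layout, identifiers, threshold and function names are assumptions.

```python
from collections import defaultdict
from statistics import median

GATEWAY = "__gateway__"  # hypothetical key for the gateway-wide traffic model


def classify_by_uid(records):
    """Gateway step: bucket traffic by the unique identifier it carries.

    Returns {uid: {interval: total_bytes}}.
    """
    buckets = defaultdict(lambda: defaultdict(int))
    for uid, interval, nbytes in records:
        buckets[uid][interval] += nbytes
    return buckets


def fit_baseline(samples):
    """Median/MAD baseline (assumption: replaces the neural traffic model)."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples) or 1.0  # avoid division by zero
    return med, mad


def is_abnormal(value, baseline, threshold=6.0):
    """Robust z-score test; the threshold is an illustrative choice."""
    med, mad = baseline
    return abs(value - med) / (1.4826 * mad) > threshold


def build_models(history):
    """Security-node step: one model per identifier plus one for the gateway."""
    models = {uid: fit_baseline(list(series.values()))
              for uid, series in classify_by_uid(history).items()}
    totals = defaultdict(int)
    for _uid, interval, nbytes in history:
        totals[interval] += nbytes
    models[GATEWAY] = fit_baseline(list(totals.values()))
    return models


def process_window(window, models):
    """Check one interval of real-time gateway traffic.

    Returns (normal_records, abnormal_records, flagged_uids). If the gateway
    total looks normal, nothing is diverted. Otherwise each sender is checked
    against its own model; senders with no model (unregistered identifier)
    are treated as abnormal, which is an assumption of this sketch.
    """
    total = sum(nbytes for _uid, _interval, nbytes in window)
    if not is_abnormal(total, models[GATEWAY]):
        return list(window), [], set()
    per_uid = defaultdict(int)
    for uid, _interval, nbytes in window:
        per_uid[uid] += nbytes
    flagged = {uid for uid, nbytes in per_uid.items()
               if uid not in models or is_abnormal(nbytes, models[uid])}
    normal = [r for r in window if r[0] not in flagged]      # returned to gateway
    abnormal = [r for r in window if r[0] in flagged]        # kept for analysis
    return normal, abnormal, flagged


# Constructed sample data: (uid, interval_index, bytes). "ET-" marks an edge
# terminal and "EC-" an edge cloud node; both prefixes are made up here.
HISTORY = [rec for i in range(20) for rec in (
    ("ET-01", i, 1000 + 10 * (i % 5)),
    ("ET-02", i, 2000 + 20 * (i % 3)),
    ("EC-01", i, 5000 + 50 * (i % 4)),
)]
WINDOW = [("ET-01", 20, 1020), ("ET-02", 20, 125000),
          ("EC-01", 20, 5100), ("ET-02", 20, 125000)]
QUIET = [("ET-01", 21, 1010), ("ET-02", 21, 2020), ("EC-01", 21, 5050)]

if __name__ == "__main__":
    models = build_models(HISTORY)
    normal, abnormal, flagged = process_window(WINDOW, models)
    print("flagged senders:", sorted(flagged))
    print("returned to gateway:", normal)
    print("held as abnormal data:", abnormal)
```

Because the per-identifier check only runs after the gateway-level model trips, a sender whose deviation is too small to move the gateway total is never examined in this design.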
In some possible embodiments of the invention, the method further comprises:
the edge security node analyzes the first abnormal data to determine a first data anomaly type;
the cloud security node analyzes the second abnormal data to determine a second data anomaly type;
determining the attack type suffered by the first edge terminal and/or the first edge cloud node according to the first data anomaly type and/or the second data anomaly type;
executing a maintenance scheme for the first edge terminal and/or the first edge cloud node according to the attack type;
wherein the first data anomaly type or the second data anomaly type includes forged, destroyed, or partially tampered with.
It will be appreciated that in order to quickly resume normal data transmission services, in this embodiment, the first anomaly data is analyzed by the edge security node to determine a first data anomaly type (including but not limited to being forged, corrupted, partially tampered with); the cloud security node analyzes the second anomaly data to determine a second data anomaly type (including, but not limited to, being forged, corrupted, partially tampered with); determining the attack type suffered by the first edge terminal and/or the first edge cloud node according to the first data anomaly type and/or the second data anomaly type; and executing maintenance schemes for the first edge terminal and/or the first edge cloud node according to the attack type.
In some possible embodiments of the present invention, the step of executing the maintenance scheme for the first edge terminal and/or the first edge cloud node according to the attack type specifically includes:
stopping the work of the first edge terminal and/or the first edge cloud node, and disconnecting the first edge terminal and/or the first edge cloud node from the first gateway device and/or the second gateway device;
performing system scanning corresponding to the attack type on the first edge terminal and/or the first edge cloud node to determine a repair point, and repairing the repair point;
starting a standby edge terminal and/or a standby edge cloud node with the same attribute as the first edge terminal and/or the first edge node to replace the corresponding first edge terminal and/or the first edge node;
establishing communication connection between the standby edge terminal and the first gateway equipment;
and respectively establishing communication connection between the standby edge cloud node and the first gateway equipment and the second gateway equipment.
It can be understood that, in order to quickly process an abnormality and restore a normal data transmission service in time, in this embodiment, the work task of the abnormal edge terminal or edge cloud node is stopped and the device is disconnected from the corresponding gateway device; a system scan corresponding to the attack type (such as a vulnerability scan, a Trojan scan, a virus scan, a port scan, etc.) is performed on the first edge terminal and/or the first edge cloud node to determine a repair point, and the repair point is repaired; a standby edge terminal and/or a standby edge cloud node with the same attribute as the first edge terminal and/or the first edge node is started to replace the corresponding first edge terminal and/or the first edge node; a communication connection is established between the standby edge terminal and the first gateway device; and communication connections are established between the standby edge cloud node and the first gateway device and the second gateway device respectively.
In some possible embodiments of the invention, the method further comprises:
determining a second edge terminal which works normally in the edge terminals and determining a second edge cloud node which works normally in the edge cloud nodes;
the edge security node constructs a first secure communication channel between the second edge terminal and the second edge cloud node;
and the cloud security node constructs a second secure communication channel between the second edge cloud node and the cloud server.
It can be understood that, so as not to affect the working tasks of the edge terminals and edge cloud nodes on which no traffic abnormality has occurred, in this embodiment a second edge terminal that works normally is determined among the edge terminals, and a second edge cloud node that works normally is determined among the edge cloud nodes; the edge security node constructs a first secure communication channel between the second edge terminal and the second edge cloud node, for example by selecting a standby first secure communication gateway device, determining a first communication protocol with a higher security level, allocating a communication address and the like; and the cloud security node constructs a second secure communication channel between the second edge cloud node and the cloud server, for example by selecting a standby second secure communication gateway device, determining a second communication protocol with a higher security level, allocating a communication address and the like.
Referring to fig. 2, another embodiment of the present invention provides a network attack traffic processing system based on edge computing, including: a first gateway device; an edge terminal, an edge cloud node and an edge security node, each connected to the first gateway device; a second gateway device; a cloud security node; and a cloud server, wherein the second gateway device is connected to the edge cloud node and the edge security node respectively; wherein,
the cloud server is configured to provide a registration service and a unique identifier configured in a unified format for the edge terminal, the first gateway device, the edge cloud node, the edge security node, the second gateway device and the cloud security node, respectively;
the first gateway device is used for storing the flow data received and sent by the first gateway device and classifying the flow data according to the unique identifier carried by the flow data to obtain historical flow data;
the edge security node is configured to obtain first historical traffic data from the historical traffic data of the first gateway device, and respectively establish an edge terminal traffic model of the edge terminal, an edge cloud node traffic model of the edge cloud node, and a first gateway device traffic model of the first gateway device according to the first historical traffic data;
The cloud security node is configured to obtain second historical traffic data corresponding to the first historical traffic data on the second gateway device, and establish a second gateway device traffic model of the second gateway device according to the second historical traffic data;
the edge security node is used for collecting first real-time flow data of the first gateway equipment, judging whether an abnormality exists according to the first gateway equipment flow model, and if yes, transferring the corresponding first data to the edge security node;
and the cloud security node is used for acquiring second real-time flow data of the second gateway equipment, judging whether an abnormality exists according to the second gateway equipment flow model, and if yes, transferring the corresponding second data to the cloud security node.
It may be appreciated that in the embodiment of the present invention, the cloud server provides a registration service and configures unique identifiers in a unified format for the edge terminal, the first gateway device, the edge cloud node, the edge security node, the second gateway device, and the cloud security node, respectively.
The internet of things terminal can be an intelligent home terminal, an intelligent street lamp, an intelligent health terminal, an intelligent teaching terminal, an intelligent camera terminal, an intelligent machine tool, an intelligent automobile, a robot and the like. The first gateway device may be an internet of things gateway device.
The first gateway device stores the traffic data it receives and transmits, and classifies the traffic data according to the unique identifier carried by the traffic data to obtain historical traffic data; the edge security node obtains first historical traffic data from the historical traffic data of the first gateway device (for example, according to actual requirements or preset rules), and, according to the first historical traffic data and in combination with a first neural network, respectively establishes an edge terminal traffic model of the edge terminal, an edge cloud node traffic model of the edge cloud node and a first gateway device traffic model of the first gateway device. The cloud security node obtains, on the second gateway device, second historical traffic data corresponding to the first historical traffic data (for example, data whose arrival times coincide, or differ by a preset time difference consistent with the transmission speed), and establishes a second gateway device traffic model of the second gateway device according to the second historical traffic data and in combination with a second neural network; the edge security node collects first real-time traffic data of the first gateway device and judges whether an abnormality exists according to the first gateway device traffic model; if so, it transfers the corresponding first data (for example, the data generated on the first gateway device from the moment T1 at which the abnormality occurs until a preset duration after T1) to the edge security node, and pauses the data transmission task of the first gateway device.
The cloud security node collects second real-time traffic data of the second gateway device and judges whether an abnormality exists according to the second gateway device traffic model; if so, it transfers the corresponding second data (for example, the data generated on the second gateway device from the moment T2 at which the abnormality occurs until the moment T3 a preset duration later) to the cloud security node, and pauses the data transmission task of the second gateway device.
It should be noted that, the process of training to construct the traffic model (the edge terminal traffic model, the edge cloud node traffic model, the first gateway device traffic model and the second gateway device traffic model) by using the neural network specifically includes:
setting a neural network comprising an input layer, a first initial layer, an analog output layer, an activation function, a second initial layer, a verification coefficient layer and an output layer;
inputting historical traffic data of a subject as first input data into the input layer of the first neural network;
the input layer transmits the first input data to the first initial layer which is connected with the input layer through matrix operation;
the first initial layer receives first output data, activates the first output data through the activation function to obtain second output data, and sends the activated second output data to the analog output layer;
the analog output layer calculates the second output data through a matrix to obtain an analog output value, and inputs the analog output value into the second initial layer;
the second initial layer calculates the analog output value through a matrix to obtain a verification output result;
The first input data of the input layer is in data connection with the second initial layer;
the second initial layer calculates to obtain third output data through a matrix, and sends the third output data and the verification output result to the verification coefficient layer for verification to obtain a normalization coefficient;
the normalization coefficient and the analog output value are sent to the output layer, and the output layer normalizes the analog output value to obtain a mimicry result;
and collecting positive feedback data and reverse feedback data, and carrying out learning correction on the mimicry result according to the positive feedback data and the reverse feedback data to generate a flow model.
By adopting the technical scheme of the embodiment, the data flow models of the terminals are established to judge whether the real-time flow data has abnormality, and when the abnormality exists, the safety node processes the abnormal flow data, so that the flow abnormality can be processed timely and efficiently, and the loss caused by attack is avoided.
In some possible embodiments of the present invention, after the cloud security node performs the operation of transferring the corresponding second data to the cloud security node,
The edge security node is further configured to:
extracting first edge terminal data which belongs to the edge terminal transmission and first edge cloud node data which belongs to the edge cloud node transmission according to the unique identifier carried by the first data;
analyzing the data abnormality of the edge terminals according to the first edge terminal data and the edge terminal flow model, and determining the first edge terminal with abnormality from the edge terminals;
analyzing first data anomaly information of the edge cloud node according to the first edge cloud node data and the edge cloud node traffic model, and sending the first data anomaly information to the cloud security node;
the cloud security node is further configured to:
extracting second edge cloud node data which belongs to the edge cloud node transmission according to the unique identifier carried by the second data;
analyzing second data anomaly information of the edge cloud nodes according to the second edge cloud node data and the edge cloud node traffic model, and determining a first edge cloud node with anomaly from the edge cloud nodes according to the first data anomaly information and the second data anomaly information;
The edge security node is further configured to:
separating data generated by the first edge terminal and/or the first edge cloud node from the first data to serve as first abnormal data, and taking the remaining data in the first data as first normal data;
transmitting the first normal data back to the first gateway device, and transmitting the first normal data by the first gateway device according to a preset rule;
the cloud security node is further configured to:
separating data generated by the first edge cloud node from the second data to serve as second abnormal data, and taking the remaining data in the second data as second normal data;
and transmitting the second normal data back to the second gateway device, and transmitting the second normal data by the second gateway device according to a preset rule.
It may be understood that, in order to efficiently process a traffic anomaly and provide a normal data transmission service in time, in this embodiment of the present invention, the edge security node extracts, according to the unique identifier carried by the first data, first edge terminal data (total data sent by all edge terminals) belonging to the edge terminal and first edge cloud node data (total data sent by all edge cloud nodes) belonging to the edge cloud node, analyzes a data anomaly condition of the edge terminal according to the first edge terminal data and the edge terminal traffic model, determines a first edge terminal with an anomaly from the edge terminals, analyzes second data anomaly information of the edge cloud node according to the second edge cloud node data and the edge cloud node traffic model, and determines a first edge cloud node with an anomaly from the edge cloud nodes according to the first data anomaly information and the second data anomaly information. Then, data generated by the first edge terminal and/or the first edge cloud node is separated from the first data to serve as first abnormal data, and the remaining data in the first data is taken as first normal data; the first normal data is transmitted back to the first gateway device, and the first gateway device transmits the first normal data according to a first preset rule; data generated by the first edge cloud node is separated from the second data to serve as second abnormal data, and the remaining data in the second data is taken as second normal data; and the second normal data is transmitted back to the second gateway device, and the second gateway device transmits the second normal data according to a second preset rule.
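The diversion and separation steps described above (transfer of the first and second data to the security nodes, then the split by unique identifier into abnormal and normal data), sketched as an added Python example that is not part of the patent. A mean/standard-deviation baseline stands in for the patent's neural-network traffic models; the `ET-`/`ECN-` identifier prefixes, the record fields, the z-score limit and the rule that a node flagged on either side counts as abnormal are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed identifier convention: "ET-" = edge terminal, "ECN-" = edge cloud node.
TERMINAL, CLOUD_NODE = "ET-", "ECN-"


def build_models(history):
    """Per-identifier baseline (mean, std) from historical (uid, bytes) samples."""
    by_id = defaultdict(list)
    for uid, size in history:
        by_id[uid].append(size)
    return {uid: (mean(v), pstdev(v) or 1.0) for uid, v in by_id.items()}


def anomaly_info(records, models, prefix, z_limit=3.0):
    """Score every sender with the given prefix; return {uid: z-score} for outliers.

    A sender with no baseline is reported with an infinite score instead of
    being silently passed back to the gateway as normal traffic.
    """
    by_id = defaultdict(list)
    for rec in records:
        if rec["uid"].startswith(prefix):
            by_id[rec["uid"]].append(rec["bytes"])
    info = {}
    for uid, sizes in by_id.items():
        if uid not in models:
            info[uid] = float("inf")
            continue
        mu, sigma = models[uid]
        z = abs(mean(sizes) - mu) / sigma
        if z > z_limit:
            info[uid] = round(z, 1)
    return info


def separate(records, abnormal_ids):
    """Split diverted records into (abnormal, normal) by sender identifier."""
    abnormal = [r for r in records if r["uid"] in abnormal_ids]
    normal = [r for r in records if r["uid"] not in abnormal_ids]
    return abnormal, normal


def handle_diversion(first_data, second_data, terminal_models, node_models):
    # Edge security node: terminals are judged locally ...
    first_terminals = set(anomaly_info(first_data, terminal_models, TERMINAL))
    # ... while its view of the cloud nodes is forwarded as first anomaly information.
    first_info = anomaly_info(first_data, node_models, CLOUD_NODE)
    # Cloud security node: its own view, taken from the second gateway's data.
    second_info = anomaly_info(second_data, node_models, CLOUD_NODE)
    # Assumption: a node flagged in either view is treated as abnormal.
    first_nodes = set(first_info) | set(second_info)

    first_abn, first_norm = separate(first_data, first_terminals | first_nodes)
    second_abn, second_norm = separate(second_data, first_nodes)
    return {
        "first_edge_terminals": first_terminals,
        "first_edge_cloud_nodes": first_nodes,
        "first_abnormal": first_abn, "first_normal": first_norm,
        "second_abnormal": second_abn, "second_normal": second_norm,
    }


# Constructed sample data (not from the patent).
BASES = {"ET-001": 500, "ET-002": 800, "ECN-001": 4000, "ECN-002": 6000}
HISTORY = [(uid, base + d) for uid, base in BASES.items() for d in (-20, 0, 20, -10, 10)]
MODELS = build_models(HISTORY)
TERMINAL_MODELS = {k: v for k, v in MODELS.items() if k.startswith(TERMINAL)}
NODE_MODELS = {k: v for k, v in MODELS.items() if k.startswith(CLOUD_NODE)}

FIRST_DATA = [                            # diverted from the first gateway
    {"uid": "ET-001", "bytes": 505},
    {"uid": "ET-002", "bytes": 9500},     # burst from one terminal
    {"uid": "ET-002", "bytes": 9100},
    {"uid": "ECN-001", "bytes": 4010},
    {"uid": "ECN-002", "bytes": 6005},    # looks normal at the first gateway
    {"uid": "ET-999", "bytes": 300},      # identifier with no baseline
]
SECOND_DATA = [                           # diverted from the second gateway
    {"uid": "ECN-001", "bytes": 3990},
    {"uid": "ECN-002", "bytes": 60000},   # abnormal only towards the cloud
]

RESULT = handle_diversion(FIRST_DATA, SECOND_DATA, TERMINAL_MODELS, NODE_MODELS)

if __name__ == "__main__":
    for key, value in RESULT.items():
        print(key, value)
```

In the sample, `ECN-002` looks normal at the first gateway and is flagged only from the second gateway's data, yet its record is still removed from the first normal data, which is why the two security nodes have to exchange anomaly information before either gateway resumes forwarding.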
In some possible embodiments of the present invention, the edge security node is further configured to analyze the first anomaly data to determine a first data anomaly type;
the cloud security node is further configured to analyze the second abnormal data to determine a second data anomaly type;
the edge security node and/or the cloud security node are further configured to:
determining the attack type suffered by the first edge terminal and/or the first edge cloud node according to the first data anomaly type and/or the second data anomaly type;
executing a maintenance scheme for the first edge terminal and/or the first edge cloud node according to the attack type;
wherein the first data anomaly type or the second data anomaly type includes forged, destroyed, or partially tampered with.
It will be appreciated that in order to quickly resume normal data transmission services, in this embodiment, the first anomaly data is analyzed by the edge security node to determine a first data anomaly type (including but not limited to being forged, corrupted, partially tampered with); the cloud security node analyzes the second anomaly data to determine a second data anomaly type (including, but not limited to, being forged, corrupted, partially tampered with); determining the attack type suffered by the first edge terminal and/or the first edge cloud node according to the first data anomaly type and/or the second data anomaly type; and executing maintenance schemes for the first edge terminal and/or the first edge cloud node according to the attack type.
In some possible embodiments of the present invention, the step of performing a maintenance scheme for the first edge terminal and/or the first edge cloud node according to the attack type, where the edge security node and/or the cloud security node are specifically configured to:
stopping the work of the first edge terminal and/or the first edge cloud node, and disconnecting the first edge terminal and/or the first edge cloud node from the first gateway device and/or the second gateway device;
performing system scanning corresponding to the attack type on the first edge terminal and/or the first edge cloud node to determine a repair point, and repairing the repair point;
starting a standby edge terminal and/or a standby edge cloud node with the same attribute as the first edge terminal and/or the first edge node to replace the corresponding first edge terminal and/or the first edge node;
establishing communication connection between the standby edge terminal and the first gateway equipment;
and respectively establishing communication connection between the standby edge cloud node and the first gateway equipment and the second gateway equipment.
It can be understood that, in order to quickly process an abnormality and restore a normal data transmission service in time, in this embodiment, the work task of the abnormal edge terminal or edge cloud node is stopped and the device is disconnected from the corresponding gateway device; a system scan corresponding to the attack type (such as a vulnerability scan, a Trojan scan, a virus scan, a port scan, etc.) is performed on the first edge terminal and/or the first edge cloud node to determine a repair point, and the repair point is repaired; a standby edge terminal and/or a standby edge cloud node with the same attribute as the first edge terminal and/or the first edge node is started to replace the corresponding first edge terminal and/or the first edge node; a communication connection is established between the standby edge terminal and the first gateway device; and communication connections are established between the standby edge cloud node and the first gateway device and the second gateway device respectively.
In some possible embodiments of the present invention, the edge security node and/or the cloud security node are further configured to determine a second edge terminal that works normally in the edge terminals, and determine a second edge cloud node that works normally in the edge cloud nodes;
the edge security node is further configured to construct a first secure communication channel between the second edge terminal and the second edge cloud node;
the cloud security node is further configured to construct a second secure communication channel between the second edge cloud node and the cloud server.
It can be understood that, so as not to affect the working tasks of the edge terminals and edge cloud nodes on which no traffic abnormality has occurred, in this embodiment a second edge terminal that works normally is determined among the edge terminals, and a second edge cloud node that works normally is determined among the edge cloud nodes; the edge security node constructs a first secure communication channel between the second edge terminal and the second edge cloud node, for example by selecting a standby first secure communication gateway device, determining a first communication protocol with a higher security level, allocating a communication address and the like; and the cloud security node constructs a second secure communication channel between the second edge cloud node and the cloud server, for example by selecting a standby second secure communication gateway device, determining a second communication protocol with a higher security level, allocating a communication address and the like.
It should be noted that the block diagram of the network attack traffic processing system based on edge computing shown in fig. 2 is only schematic, and the number of the illustrated modules does not limit the protection scope of the present application.
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present application is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required for the present application.
In the foregoing embodiments, each embodiment is described with its own emphasis; for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative: the division of units is merely a division by logical function, and other divisions are possible in an actual implementation; for instance, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via some interfaces, devices or units, and may be electrical or in other forms.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units described above, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable memory. Based on this understanding, the technical solution of the present application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a memory, comprising several instructions for causing a computer device (which may be a personal computer, a server or a network device, etc.) to perform all or part of the steps of the methods of the various embodiments of the present application. The aforementioned memory includes: a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other various media capable of storing program code.
Those of ordinary skill in the art will appreciate that all or a portion of the steps in the various methods of the above embodiments may be implemented by a program that instructs associated hardware, and the program may be stored in a computer readable memory, which may include: a flash disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
The embodiments of the application have been described in detail above; specific examples are used herein to explain the principles and implementations of the application, and the above description of the embodiments is provided solely to facilitate understanding of the method and core concepts of the application. Meanwhile, those skilled in the art may, following the ideas of the present application, make changes to the specific implementations and the scope of application; in view of the above, the content of this description should not be construed as limiting the present application.
Although the present application is disclosed above, the present application is not limited thereto. Variations and modifications, including combinations of the different functions and implementation steps, as well as embodiments of the software and hardware, may be readily apparent to those skilled in the art without departing from the spirit and scope of the application.

Claims (8)

1. A network attack traffic processing method based on edge computing, applied to a network attack traffic processing system, the network attack traffic processing system comprising: a first gateway device; an edge terminal, an edge cloud node and an edge security node, each connected to the first gateway device; a second gateway device; a cloud security node; and a cloud server, wherein the second gateway device is connected to the edge cloud node and the edge security node respectively; characterized in that the method comprises the following steps:
the cloud server provides a registration service and configures a unique identifier in a unified format for the edge terminal, the first gateway device, the edge cloud node, the edge security node, the second gateway device and the cloud security node respectively;
the first gateway device stores the received and transmitted flow data, and classifies the flow data according to the unique identifier carried by the flow data to obtain historical flow data;
the edge security node acquires first historical flow data from the historical flow data of the first gateway device, and respectively establishes an edge terminal flow model of the edge terminal, an edge cloud node flow model of the edge cloud node and a first gateway device flow model of the first gateway device according to the first historical flow data;
The cloud security node acquires second historical flow data corresponding to the first historical flow data on the second gateway device, and establishes a second gateway device flow model of the second gateway device according to the second historical flow data;
the edge security node acquires first real-time traffic data of the first gateway equipment, judges whether abnormality exists according to the traffic model of the first gateway equipment, and if yes, transfers the corresponding first data to the edge security node;
the cloud security node acquires second real-time flow data of the second gateway equipment, judges whether abnormality exists according to the second gateway equipment flow model, and transfers the corresponding second data to the cloud security node if the abnormality exists;
after the operation of transferring the corresponding second data to the cloud security node, the method further includes:
the edge security node extracts first edge terminal data which are sent by the edge terminal and first edge cloud node data which are sent by the edge cloud node according to the unique identifier carried by the first data;
the edge safety node analyzes the data abnormal condition of the edge terminal according to the first edge terminal data and the edge terminal flow model, and determines a first edge terminal with abnormality from the edge terminals;
the edge security node analyzes first data anomaly information of the edge cloud node according to the first edge cloud node data and the edge cloud node traffic model, and sends the first data anomaly information to the cloud security node;
the cloud security node extracts second edge cloud node data which belongs to the edge cloud node transmission according to the unique identifier carried by the second data;
the cloud security node analyzes second data anomaly information of the edge cloud nodes according to the second edge cloud node data and the edge cloud node traffic model, and determines a first edge cloud node with anomaly from the edge cloud nodes according to the first data anomaly information and the second data anomaly information;
separating data generated by the first edge terminal and/or the first edge cloud node from the first data to serve as first abnormal data, and taking the remaining data in the first data as first normal data;
transmitting the first normal data back to the first gateway device, and transmitting the first normal data by the first gateway device according to a preset rule;
separating data generated by the first edge cloud node from the second data to serve as second abnormal data, and taking the remaining data in the second data as second normal data;
and transmitting the second normal data back to the second gateway device, and transmitting the second normal data by the second gateway device according to a preset rule.
2. The edge computing-based network attack traffic processing method according to claim 1, wherein the method further comprises:
the edge security node analyzes the first abnormal data to determine a first data anomaly type;
the cloud security node analyzes the second abnormal data to determine a second data anomaly type;
determining the attack type suffered by the first edge terminal and/or the first edge cloud node according to the first data anomaly type and/or the second data anomaly type;
executing a maintenance scheme for the first edge terminal and/or the first edge cloud node according to the attack type;
wherein the first data anomaly type or the second data anomaly type includes forged, destroyed, and partially tampered.
3. The edge computing-based network attack traffic processing method according to claim 2, wherein the step of executing the maintenance scheme for the first edge terminal and/or the first edge cloud node according to the attack type specifically comprises:
stopping the work of the first edge terminal and/or the first edge cloud node, and disconnecting the first edge terminal and/or the first edge cloud node from the first gateway device and/or the second gateway device;
performing system scanning corresponding to the attack type on the first edge terminal and/or the first edge cloud node to determine a repair point, and repairing the repair point;
starting a standby edge terminal and/or a standby edge cloud node with the same attribute as the first edge terminal and/or the first edge node to replace the corresponding first edge terminal and/or the first edge node;
establishing a communication connection between the standby edge terminal and the first gateway device;
and establishing communication connections between the standby edge cloud node and each of the first gateway device and the second gateway device.
4. The edge computing-based network attack traffic processing method according to claim 3, wherein the method further comprises:
determining a second edge terminal which works normally in the edge terminals and determining a second edge cloud node which works normally in the edge cloud nodes;
the edge security node constructs a first secure communication channel between the second edge terminal and the second edge cloud node;
and the cloud security node constructs a second secure communication channel between the second edge cloud node and the cloud server.
5. A network attack traffic processing system based on edge computing, comprising: a first gateway device; an edge terminal, an edge cloud node and an edge security node, each connected to the first gateway device; a second gateway device; a cloud security node; and a cloud server, wherein the second gateway device is connected to the edge cloud node and the edge security node respectively; wherein,
the cloud server is configured to provide a registration service and a unique identifier configured in a unified format for the edge terminal, the first gateway device, the edge cloud node, the edge security node, the second gateway device and the cloud security node, respectively;
the first gateway device is configured to store the traffic data it receives and sends, and to classify the traffic data according to the unique identifier carried by the traffic data to obtain historical traffic data;
the edge security node is configured to obtain first historical traffic data from the historical traffic data of the first gateway device, and respectively establish an edge terminal traffic model of the edge terminal, an edge cloud node traffic model of the edge cloud node, and a first gateway device traffic model of the first gateway device according to the first historical traffic data;
the cloud security node is configured to obtain second historical traffic data corresponding to the first historical traffic data on the second gateway device, and establish a second gateway device traffic model of the second gateway device according to the second historical traffic data;
the edge security node is configured to collect first real-time traffic data of the first gateway device, judge whether an anomaly exists according to the first gateway device traffic model, and if so, transfer the corresponding first data to the edge security node;
the cloud security node is configured to acquire second real-time traffic data of the second gateway device, judge whether an anomaly exists according to the second gateway device traffic model, and if so, transfer the corresponding second data to the cloud security node;
after the cloud security node performs the operation of transferring the corresponding second data to the cloud security node,
the edge security node is further configured to:
extracting first edge terminal data which belongs to the edge terminal transmission and first edge cloud node data which belongs to the edge cloud node transmission according to the unique identifier carried by the first data;
analyzing the data anomaly of the edge terminals according to the first edge terminal data and the edge terminal traffic model, and determining the first edge terminal with an anomaly from the edge terminals;
analyzing first data anomaly information of the edge cloud node according to the first edge cloud node data and the edge cloud node traffic model, and sending the first data anomaly information to the cloud security node;
the cloud security node is further configured to:
extracting second edge cloud node data which belongs to the edge cloud node transmission according to the unique identifier carried by the second data;
analyzing second data anomaly information of the edge cloud nodes according to the second edge cloud node data and the edge cloud node traffic model, and determining a first edge cloud node with anomaly from the edge cloud nodes according to the first data anomaly information and the second data anomaly information;
the edge security node is further configured to:
separating data generated by the first edge terminal and/or the first edge cloud node from the first data to serve as first abnormal data, and taking the remaining data in the first data as first normal data;
transmitting the first normal data back to the first gateway device, the first gateway device then transmitting the first normal data according to a preset rule;
the cloud security node is further configured to:
separating data generated by the first edge cloud node from the second data to serve as second abnormal data, and taking the remaining data in the second data as second normal data;
and transmitting the second normal data back to the second gateway device, the second gateway device then transmitting the second normal data according to a preset rule.
6. The edge computing-based network attack traffic processing system according to claim 5, wherein,
the edge security node is further configured to analyze the first abnormal data to determine a first data abnormal type;
the cloud security node is further configured to analyze the second abnormal data to determine a second data abnormal type;
the edge security node and/or the cloud security node are further configured to:
determining the attack type suffered by the first edge terminal and/or the first edge cloud node according to the first data anomaly type and/or the second data anomaly type;
executing a maintenance scheme for the first edge terminal and/or the first edge cloud node according to the attack type;
wherein the first data anomaly type or the second data anomaly type includes forged, destroyed, and partially tampered.
7. The edge computing-based network attack traffic processing system according to claim 6, wherein, to execute the maintenance scheme for the first edge terminal and/or the first edge cloud node according to the attack type, the edge security node and/or the cloud security node specifically performs:
stopping the work of the first edge terminal and/or the first edge cloud node, and disconnecting the first edge terminal and/or the first edge cloud node from the first gateway device and/or the second gateway device;
performing system scanning corresponding to the attack type on the first edge terminal and/or the first edge cloud node to determine a repair point, and repairing the repair point;
starting a standby edge terminal and/or a standby edge cloud node with the same attribute as the first edge terminal and/or the first edge node to replace the corresponding first edge terminal and/or the first edge node;
establishing a communication connection between the standby edge terminal and the first gateway device;
and establishing communication connections between the standby edge cloud node and each of the first gateway device and the second gateway device.
8. The edge computing-based network attack traffic processing system according to claim 7, wherein,
the edge security node and/or the cloud security node is further configured to determine a second edge terminal which works normally among the edge terminals and a second edge cloud node which works normally among the edge cloud nodes;
the edge security node is further configured to construct a first secure communication channel between the second edge terminal and the second edge cloud node;
the cloud security node is further configured to construct a second secure communication channel between the second edge cloud node and the cloud server.
CN202211544532.2A 2022-12-02 2022-12-02 Network attack flow processing method and system based on edge calculation Active CN115955334B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211544532.2A CN115955334B (en) 2022-12-02 2022-12-02 Network attack flow processing method and system based on edge calculation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211544532.2A CN115955334B (en) 2022-12-02 2022-12-02 Network attack flow processing method and system based on edge calculation

Publications (2)

Publication Number Publication Date
CN115955334A CN115955334A (en) 2023-04-11
CN115955334B true CN115955334B (en) 2023-11-10

Family

ID=87288426

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211544532.2A Active CN115955334B (en) 2022-12-02 2022-12-02 Network attack flow processing method and system based on edge calculation

Country Status (1)

Country Link
CN (1) CN115955334B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111683097A (en) * 2020-06-10 2020-09-18 广州市品高软件股份有限公司 Cloud network flow monitoring system based on two-stage architecture
WO2021008028A1 (en) * 2019-07-18 2021-01-21 平安科技(深圳)有限公司 Network attack source tracing and protection method, electronic device and computer storage medium
CN112769796A (en) * 2020-12-30 2021-05-07 华北电力大学 Cloud network side collaborative defense method and system based on end side edge computing
CN113037687A (en) * 2019-12-24 2021-06-25 中移物联网有限公司 Flow identification method and electronic equipment
CN113422720A (en) * 2021-06-22 2021-09-21 河北卓智电子技术有限公司 Anomaly detection method based on edge computing gateway
CN114448830A (en) * 2022-03-07 2022-05-06 中国农业银行股份有限公司 Equipment detection system and method

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9917811B2 (en) * 2015-10-09 2018-03-13 International Business Machines Corporation Security threat identification, isolation, and repairing in a network
WO2019032728A1 (en) * 2017-08-08 2019-02-14 Sentinel Labs, Inc. Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking
JP6973227B2 (en) * 2018-03-23 2021-11-24 日本電信電話株式会社 Abnormal traffic analyzer, abnormal traffic analysis method and abnormal traffic analysis program
JP7025098B2 (en) * 2018-03-23 2022-02-24 日本電信電話株式会社 Abnormal traffic analyzer, abnormal traffic analysis method and abnormal traffic analysis program
US11399038B2 (en) * 2018-11-06 2022-07-26 Schlumberger Technology Corporation Cybersecurity with edge computing

Also Published As

Publication number Publication date
CN115955334A (en) 2023-04-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant