CN116405187B - Distributed node intrusion situation sensing method based on block chain - Google Patents

Distributed node intrusion situation sensing method based on block chain

Info

Publication number
CN116405187B
Authority
CN
China
Prior art keywords
node
data
intrusion
nodes
key
Legal status
Active
Application number
CN202310437731.1A
Other languages
Chinese (zh)
Other versions
CN116405187A (en)
Inventor
郑丽娟
叶绍兴
李鸿博
杨含玉
吕亚奇
杨云龙
赵美茹
崔瑞伟
Current Assignee
Shijiazhuang Tiedao University
Original Assignee
Shijiazhuang Tiedao University
Application CN202310437731.1A filed by Shijiazhuang Tiedao University
Published as application CN116405187A; granted and published as CN116405187B

Classifications

    (Sections: H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; G Physics; G06 Computing, calculating or counting; G06N Computing arrangements based on specific computational models)
    • H04L 9/50: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols using hash chains, e.g. blockchains or hash trees
    • G06N 3/0442: Neural networks; recurrent networks (e.g. Hopfield networks) characterised by memory or gating, e.g. long short-term memory [LSTM] or gated recurrent units [GRU]
    • G06N 3/08: Neural networks; learning methods
    • H04L 41/16: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
    • H04L 63/1408: Network architectures or network communication protocols for network security; detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/20: Network architectures or network communication protocols for network security; managing network security, network security policies in general
    • H04L 67/10: Network arrangements or protocols for supporting network services or applications; protocols in which an application is distributed across nodes in the network

Abstract

The invention discloses a blockchain-based distributed node intrusion situation awareness method and relates to the technical field of blockchains. The method comprises the following steps: decentralized identity authentication; sharing and collaborative processing of intrusion data; intrusion situation awareness. The decentralized identity authentication comprises seven steps: authentication initialization, distributed key generation, public key combination, identity registration and verification, authentication request initiated by a smart contract, distributed signing of the request by the nodes, and sending of the signature response by the node. The method can improve the security and credibility of a distributed network.

Description

Distributed node intrusion situation sensing method based on block chain
Technical Field
The invention relates to the technical field of blockchains, in particular to a distributed node intrusion situation awareness method based on blockchains.
Background
With the wide application of emerging technologies such as big data, the Internet of Things and artificial intelligence, more and more devices are connected to the Internet. The network attack surface keeps expanding, the variety and number of network security threats grow rapidly, and traditional single-point protection can no longer meet the requirements of complex and changing network environments. Blockchain technology is built on a distributed network and has the characteristics of decentralization, tamper resistance and transparency, offering a new approach to security protection. However, a distributed network structure brings its own problems of trust establishment, data security, data sharing and coordination.
Furthermore, as network attacks become increasingly complex and covert, conventional intrusion detection techniques no longer meet requirements. In particular, when facing complex network attacks and malicious behaviour, information barriers between different devices leave the network security protection systems uncoordinated.
Disclosure of Invention
The technical problem to be solved by the invention is how to provide a distributed node intrusion situation awareness method capable of improving the security and credibility of a distributed network.
To solve this problem, the invention adopts the following technical scheme. A blockchain-based distributed node intrusion situation awareness method comprises the following steps:
decentralized identity authentication;
sharing and collaborative processing of intrusion data;
intrusion situation awareness.
In a further technical scheme, the decentralized identity authentication comprises the following steps:
the whole authentication process comprises seven steps: authentication initialization, distributed key generation, public key combination, identity registration and verification, authentication request initiated by a smart contract, distributed signing of the request by the nodes, and sending of the signature response by the node.
In a further technical scheme, the intrusion data sharing and collaborative processing comprises the following:
the smart contract provides a standardized and automated way of managing intrusion detection data.
In a further technical scheme, the intrusion situation awareness comprises the following steps:
data preprocessing and feature extraction, data analysis and evaluation, and situation awareness prediction;
in the data preprocessing and feature extraction stage, dimensionality reduction and feature extraction are performed on the data by principal component analysis (PCA);
in the data analysis and evaluation stage, a network security situation score is calculated by a weighted comprehensive evaluation method and mapped to risk levels;
in the situation awareness prediction stage, the network security situation data are modelled and predicted with an LSTM neural network model.
In a further technical scheme, the LSTM-based intrusion situation awareness comprises the following steps:
1) Preprocessing the network security situation data: after the network security situation data are collected, abnormal and bad data are handled, and the raw data are normalized to the (0, 1) range, because an LSTM prediction model trained by gradient descent converges better on inputs of that scale;
2) Dataset processing: before prediction, the network security situation dataset is converted into the shape required by the model input using a time window strategy, and all situation values are divided into a training set and a test set in the ratio 4:1;
3) Model construction and training: an LSTM model is constructed, the training set and its labels are fed into the network, and the LSTM parameters are optimized by stochastic gradient descent to obtain the optimal network security situation prediction model;
4) Situation prediction: the test set is processed as in steps 1) and 2) and input into the optimal model trained in step 3); the prediction output by the model is used to evaluate the security state of the current network.
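As an added example (not the patent's own code), the following Python carries out the data-preparation side of steps 1) and 2) and the score-to-risk mapping of the evaluation stage: missing-value handling, min-max scaling to (0, 1) fitted on the training split only, the chronological 4:1 split, the time-window reshaping, and a weighted comprehensive score mapped to a level. The sample series, the weights and the five risk thresholds are constructed for illustration (the patent gives none of them), and PCA and the LSTM model itself are assumed to be supplied by numpy/scikit-learn and Keras, so they are not part of the block.

```python
# Added example (not the patent's code): the data-preparation side of the LSTM
# situation-prediction procedure (steps 1 and 2) and the weighted score -> risk level
# mapping of the evaluation stage, in plain Python so it runs without numpy/Keras.
# PCA and the LSTM itself are left to those libraries. Risk thresholds and the sample
# series are constructed for illustration; the patent does not give them.

SAMPLE_SCORES = [20, 25, None, 30, 38, 45, 52, 60, 58, 66, 72, 80, 76,
                 70, 64, 58, 50, 44, 40, 36, 42, 48, 55, 61, 90]  # constructed

# Constructed thresholds on the (0, 1) score: upper bound -> level name.
RISK_LEVELS = [(0.2, "low"), (0.4, "guarded"), (0.6, "elevated"),
               (0.8, "high"), (1.0, "critical")]

def clean(series):
    """Step 1, 'abnormal and bad data': forward-fill missing values (None/NaN) so the
    time axis keeps its spacing; a leading gap has nothing to fill and is dropped."""
    out = []
    for v in series:
        if v is None or v != v:
            if not out:
                continue
            v = out[-1]
        out.append(v)
    return out

def minmax_fit(train):
    """Scaling parameters come from the TRAINING split only; fitting on the whole
    series would leak the test range into the model."""
    lo, hi = min(train), max(train)
    if hi == lo:
        raise ValueError("constant series cannot be scaled to (0, 1)")
    return lo, hi

def minmax_transform(values, lo, hi):
    """Step 1 normalisation; test values outside the training range are clipped."""
    return [min(1.0, max(0.0, (v - lo) / (hi - lo))) for v in values]

def chronological_split(series, train_ratio=0.8):
    """Step 2, the 4:1 split: cut in time order, never shuffle a time series."""
    cut = int(len(series) * train_ratio)
    return series[:cut], series[cut:]

def make_windows(series, window):
    """Step 2, time-window strategy: sample t is the previous `window` values,
    label t is the value itself."""
    xs = [series[t - window:t] for t in range(window, len(series))]
    ys = series[window:]
    return xs, ys

def prepare(series, window=5, train_ratio=0.8):
    """clean -> split -> scale with training statistics -> windows. The test windows
    are seeded with the last `window` training values so every test point gets a
    sample instead of losing the first `window` of them."""
    series = clean(series)
    train, test = chronological_split(series, train_ratio)
    lo, hi = minmax_fit(train)
    train_s = minmax_transform(train, lo, hi)
    test_s = minmax_transform(test, lo, hi)
    x_train, y_train = make_windows(train_s, window)
    x_test, y_test = make_windows(train_s[-window:] + test_s, window)
    return {"x_train": x_train, "y_train": y_train,
            "x_test": x_test, "y_test": y_test, "scale": (lo, hi)}

def weighted_score(features, weights):
    """Evaluation stage: weighted comprehensive score of scaled features, weights
    normalised to sum to 1 so the result stays in (0, 1)."""
    total = float(sum(weights))
    return sum(f * w for f, w in zip(features, weights)) / total

def risk_level(score):
    """Map a score in [0, 1] to the risk level whose upper bound it first falls under."""
    for upper, name in RISK_LEVELS:
        if score <= upper:
            return name
    return RISK_LEVELS[-1][1]
```

The two pitfalls the block guards against are fitting the scaler on the whole series and shuffling before splitting; both let information from the test period leak into training and make the prediction score look better than it is.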
The beneficial effects of the above technical scheme are as follows. For the problems of identity authentication, data transmission, storage and integrity in distributed intrusion detection, the application provides an identity authentication scheme based on elliptic curves, distributed key generation and threshold cryptography, so as to establish a reliable decentralized identity authentication and data security mechanism and guarantee the trust relationship among participating nodes. At the same time, data security techniques such as key agreement and digital signatures are adopted to protect keys, intrusion data and other material in transit.
For the problem that traditional intrusion detection systems struggle to cope with complex network attacks, the application provides a collaborative intrusion detection scheme based on blockchain. The distributed nature of the blockchain is used for data sharing and coordination, improving the ability of multiple participating nodes to coordinate when handling a security threat. IPFS is adopted to distribute data and computing resources over multiple nodes in the network, so that data are stored across the network, single points of failure and attack risk are reduced, and the security and reliability of the intrusion detection network are improved. Because the blockchain is transparent, the data flow records can be jointly verified and audited by all nodes, which helps to identify malicious nodes and network security threats. Smart contracts automatically execute preset logic, node qualification screening and transaction control, and a reward and punishment mechanism is introduced to improve the cooperation and efficiency of the blockchain network.
To solve the trust and data security problems of intrusion data in situation awareness, the method forms a comprehensive picture of the security condition of the whole network by performing situation analysis on the intrusion data produced by the blockchain data sharing and collaboration part. First, features of the intrusion data are extracted by principal component analysis, weights are assigned to the features, and the network security situation score is calculated to determine the network risk level. Then a network security situation prediction model is built with a long short-term memory (LSTM) neural network to predict the future situation score, giving the predicted network security risk level at the next time step.
Drawings
The invention will be described in further detail with reference to the drawings and the detailed description.
FIG. 1 is a block chain based distributed node intrusion situation awareness model diagram in an embodiment of the invention;
FIG. 2 is a flow chart of intrusion detection data sharing and co-processing in accordance with an embodiment of the present invention;
FIG. 3 is a flow chart of intelligent contract control node input and data storage in an embodiment of the present invention;
FIG. 4 is a diagram of a situation awareness architecture in an embodiment of the present invention;
FIG. 5 is a comparison graph of protocol computation overhead in an embodiment of the invention;
FIG. 6 is a graph of authentication response time versus node number in an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways other than those described herein, and persons skilled in the art will readily appreciate that the present invention is not limited to the specific embodiments disclosed below.
The application discloses a blockchain-based distributed node intrusion situation awareness method, which uses blockchain technology to construct a decentralized distributed intrusion detection system to improve the security and credibility of the network, and builds an intelligent network security protection system through a blockchain-based distributed intrusion situation awareness model to improve the accuracy and effectiveness of network security protection.
A distributed blockchain network layer is created with Hyperledger and is used for the registration, updating, maintenance and monitoring of the nodes. These nodes may be network security devices or ordinary hosts and are managed by a decentralized identity authentication mechanism. Intrusion data and other files are kept in decentralized storage (IPFS), with only the file indexes recorded on the blocks. The consensus mechanism handles data transmission among nodes and ensures that the data stored on all nodes are the same, and reward transactions are designed to incentivize honest nodes and control malicious ones. The smart contract automatically executes preset logic, node qualification review and transaction control. Situation analysis is performed on the intrusion data produced by the blockchain data sharing and collaboration part, using principal component analysis, weight assignment and a long short-term memory neural network. The entire protocol model is shown in fig. 1. The scheme comprises four parts: decentralized identity authentication, data security, intrusion detection data sharing and collaboration, and situation awareness.
The decentralized identity authentication method comprises seven steps: authentication initialization, distributed key generation, public key combination, identity registration and verification, authentication request initiated by a smart contract, distributed signing of the request by the nodes, and sending of the signature response by the node. The method is based on elliptic curves, distributed key generation and threshold cryptography. The data security method provides an overall scheme covering data transmission security, data storage security, data integrity and key updates between nodes. For data transmission and storage, hybrid encryption and the IPFS distributed file system are used, and digital signatures ensure the integrity of the data. The asymmetric key pairs of the nodes are also updated periodically to strengthen the security of the system.
The intrusion data sharing and collaboration method provides a distributed intrusion detection method based on blockchain and IPFS, with four stages: initialization, storage consensus, sharing and collaboration, and recording the attacker on the chain. A decentralized consensus algorithm ensures cooperation and data consistency among nodes and improves the reliability and security of the intrusion detection system. Smart contracts provide a standardized and automated way to manage intrusion detection data.
The situation awareness method describes the architecture and implementation steps of network security situation awareness: data preprocessing and feature extraction, data analysis and evaluation, and situation awareness prediction. In the data preprocessing and feature extraction stage, principal component analysis is used for dimensionality reduction and feature extraction. In the data analysis and evaluation stage, a weighted comprehensive evaluation method calculates the network security situation score and maps it to risk levels. In the situation awareness prediction stage, an LSTM neural network model is used to model and predict the network security situation data.
Decentralised identity authentication
Decentralized identity authentication protects the privacy and security of a node. The core idea is to release identity from a central authority, so that a node fully controls its own identity information while authentication and verification are carried out in a decentralized way.
First, keys are generated following the idea of distributed key generation (DKG). In conventional key generation, a single node generates the key and distributes its shares to the other nodes; if that node is compromised, the entire key is exposed. Distributed key generation instead produces the key through the cooperation of several participants, so that the generation process is spread over many nodes and the compromise of some of them does not reveal the whole key.
The whole authentication process comprises seven steps: authentication initialization, distributed key generation, public key combination, identity registration and verification, authentication request initiated by a smart contract, distributed signing of the request by the nodes, and sending of the signature response by the node. The decentralized identity authentication algorithm is as follows:
(1) Authentication initialization
Let n participating nodes jointly create an elliptic curve key pair. The threshold is denoted t (t ≤ n): at least t nodes must cooperate to complete key generation and signing. Keys are generated on the secp256k1 elliptic curve, whose parameters are listed in Table 1:
table 1 authentication initialization parameter table
The base point G is a fixed, publicly known point on the curve that generates the group used for signing; the identity element of point addition is the point at infinity O. The order n of G is the smallest positive integer such that adding G to itself n times gives O (n·G = O); the scalar arithmetic of the signatures below is performed modulo this n, which should not be confused with the number of participating nodes.
(2) Generation of distributed keys
Security of the key generation process is improved by combining the idea of Shamir's Secret Sharing (SSS): a secret is split into several shares such that no single share reveals it. The private key is divided into n shares, each holding only partial information, and at least t shares are needed to recover the complete key; fewer than t reveal nothing about it.
Each participating node generates a private key share and a public key share as follows. Node i (i ∈ {1, …, n}, where i is the node's index) draws a random number from a cryptographically secure random number generator as its private key share SecKey_i. Each node then creates a secret sharing of SecKey_i with a polynomial of degree t−1: it randomly selects coefficients a_1, a_2, …, a_{t−1} and forms f_i(x) = SecKey_i + a_1·x + a_2·x² + … + a_{t−1}·x^{t−1}, so that f_i(0) = SecKey_i, and sends the evaluation f_i(j) to each other node j. It computes its public key share PubKey_i = SecKey_i·G, where G is the base point of the curve, and finally broadcasts PubKey_i to the other participating nodes.
(3) Public key combination
Each node collects the public key shares of the other participating nodes and computes the combined public key by Lagrange interpolation: for each public key share PubKey_i it computes the interpolation coefficient λ_i = Π_{1 ≤ j ≤ t, j ≠ i} x_j / (x_j − x_i), where x_i is the index of node i, and then PubKey = Σ_{i=1}^{t} λ_i·PubKey_i.
The core idea of Lagrange interpolation is to construct, through the Lagrange basis polynomials, the polynomial P(x) of degree at most t−1 that takes the known value at each data point, so that P(x) reproduces the original function at those points. Evaluating it at x = 0 recovers the shared secret from t shares, or, applied to the public key shares as above, the corresponding public key, without any node revealing its own share.
(4) Identity registration
Identity registration is the process of creating and recording a new decentralized identifier (DID) in the distributed ledger. After a node generates its DID document, it registers it on the blockchain so that others can find and verify the identity information there. The document includes the DID, the public key, the verification methods and the service endpoints.
(5) Intelligent contract initiated authentication request
The application designs a smart contract as the service provider. The smart contract verifies the identity of a node by executing its code, which realizes decentralized identity authentication. Using smart contracts as service providers has the advantage that authentication and authorization are performed automatically, avoiding the single point of failure and security risks of a central authentication service provider.
When a node accesses the blockchain network to issue a task, the smart contract initiates an authentication request to the node. The request includes a fresh random number (nonce), which the node must sign so that a previously captured signature response cannot be replayed.
(6) Node distributed signature verification request
The nodes sign the request with their private key shares SecKey_i, using an elliptic curve Schnorr multisignature. A Schnorr multisignature is a scheme based on elliptic curve cryptography in which several signers jointly produce one signature on the same message (here the request), improving the security and credibility of the transaction. Signature algorithm steps:
Each participant selects a fresh random number k_i (a nonce that must never be reused) and computes R_i = k_i·G; each participant broadcasts R_i to the other participants and adds the received values to obtain R = Σ R_i. The participants then compute the challenge e = SHA-256(R ‖ PubKey ‖ message) mod n, where PubKey is the aggregate public key of the signers; the message (including the contract's nonce) must enter the challenge, otherwise the signature would not depend on what is being signed. Each participant computes its partial signature s_i = k_i + e·SecKey_i mod n. Once the s_i of at least t nodes have been collected, s = Σ s_i mod n is computed and (R, s) is the final signature, valid against the aggregate public key Σ PubKey_i of the signers via s·G = R + e·PubKey. If the public key was combined with the interpolation coefficients λ_i of step (3), the same coefficients must be applied to the R_i and s_i so that the verification equation holds.
(7) Node sends signature response
The node sends the final signature response to the smart contract. On receiving it, the smart contract verifies the signature with the corresponding public key. If verification succeeds, the smart contract confirms the node's identity and provides the requested service or resource; otherwise it rejects the node's request.
The decentralized identity authentication algorithm is distributed and decentralized and improves the security of the key generation process. Elliptic curve cryptography and threshold cryptography are used to realize multiple signatures on the same transaction, improving its security and credibility. Using smart contracts as service providers avoids the single point of failure and security risks of a central identity verification service provider. Overall, the application provides a secure, efficient and decentralized distributed identity authentication method.
Data security
Through the distributed key generation step, each node obtains an asymmetric key pair (a public key and a private key). The node stores its public key on the blockchain so that other nodes can use it for authentication and encrypted communication.
(1) Data transmission security
Communication between nodes uses hybrid encryption to protect the data: a public key algorithm (here, elliptic curve key agreement) establishes a shared session key, and a symmetric algorithm (AES) encrypts the data with it.
The method comprises the following specific steps:
a. key agreement
When node A and node B need to communicate securely, A generates a random number r_A and computes the temporary public key temp_PubKey_A = r_A·G, which it sends to node B. Node B generates a random number r_B, computes temp_PubKey_B = r_B·G and sends it to node A. Node A computes the key agreement result K_A = r_A·temp_PubKey_B and node B computes K_B = r_B·temp_PubKey_A. Since K_A = K_B = r_A·r_B·G, the shared point is used to derive the AES session key k. The temporary public keys should be signed with the nodes' registered long-term keys (see Data integrity below) so that a man-in-the-middle cannot substitute its own.
b. Data encryption
Let the original data be M. Node A encrypts M with the AES session key k to obtain the ciphertext C: C = AES_Encrypt(M, k).
c. Data transmission
The node a transmits the encrypted data C to the node B.
d. Data decryption
To recover the original data M, node B decrypts C with the AES session key k: M = AES_Decrypt(C, k). An authenticated mode such as AES-GCM should be used so that tampering with C is detected at decryption.
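As an added example (not code from the patent), the following Python implements, with plain-integer secp256k1 arithmetic and no external libraries, the Schnorr multisignature of step (6) bound to the smart contract's nonce and the ephemeral key agreement of step a. above. The curve constants are the standard secp256k1 parameters; the signer shares, the 16-byte nonce and the three-signer setup are constructed for the demonstration, the challenge layout SHA-256(R ‖ PubKey ‖ message) and the SHA-256 derivation of the AES key from the shared x-coordinate are this example's choices, and AES encryption itself (which needs a library such as cryptography) is not included. The demo also checks that a signature over one nonce does not verify over another, which is the property the message-bound challenge provides.

```python
# Added example (not from the patent): message-bound Schnorr multisignature over
# secp256k1 for the contract's nonce challenge (steps 5-7) and the ephemeral ECDH
# key agreement of the data-transmission step. Pure Python, stdlib only.
import hashlib
import secrets

# secp256k1: field prime P, generator G, group order N (the patent's curve "n").
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity: the group identity (the patent's "unit element")

def ec_add(p1, p2):
    """Affine point addition; P + (-P) = INF."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add k*pt (not constant time; demo only)."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def ec_sum(points):
    acc = INF
    for pt in points:
        acc = ec_add(acc, pt)
    return acc

def point_bytes(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def rand_scalar():
    return secrets.randbelow(N - 1) + 1  # uniform in [1, N-1]

def challenge(R, pubkey, message):
    """e = SHA-256(R || PubKey || message) mod N. Binding R, the key and the message
    is what makes the signature depend on the message; a challenge derived from R
    alone would verify for any message."""
    data = point_bytes(R) + point_bytes(pubkey) + message
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def multisign(seckey_shares, message):
    """Holder i contributes R_i = k_i*G and s_i = k_i + e*SecKey_i; the sum (R, s)
    verifies against the aggregate key sum(SecKey_i)*G. Nonces are fresh per call."""
    pubkey = ec_sum(ec_mul(x, G) for x in seckey_shares)
    while True:
        nonces = [rand_scalar() for _ in seckey_shares]
        R = ec_sum(ec_mul(k, G) for k in nonces)
        if R is not INF:
            break
    e = challenge(R, pubkey, message)
    s = sum(k + e * x for k, x in zip(nonces, seckey_shares)) % N
    return R, s

def verify(pubkey, message, signature):
    """The contract's step-7 check: s*G == R + e*PubKey."""
    R, s = signature
    if R is INF or not 1 <= s < N:
        return False
    e = challenge(R, pubkey, message)
    return ec_mul(s, G) == ec_add(R, ec_mul(e, pubkey))

def ecdh_session_key(r_own, temp_pubkey_peer):
    """Key agreement step a: r_A*temp_PubKey_B == r_B*temp_PubKey_A; the shared
    x-coordinate is hashed into a 256-bit key for the AES step (AES itself omitted)."""
    shared = ec_mul(r_own, temp_pubkey_peer)
    return hashlib.sha256(shared[0].to_bytes(32, "big")).digest()

def demo():
    """Constructed inputs: three signer shares and a 16-byte nonce from the contract."""
    shares = [rand_scalar() for _ in range(3)]
    pubkey = ec_sum(ec_mul(x, G) for x in shares)
    nonce = secrets.token_bytes(16)
    sig = multisign(shares, nonce)
    ok = verify(pubkey, nonce, sig)
    replayed = verify(pubkey, secrets.token_bytes(16), sig)  # same sig, new nonce
    r_a, r_b = rand_scalar(), rand_scalar()
    k_a = ecdh_session_key(r_a, ec_mul(r_b, G))
    k_b = ecdh_session_key(r_b, ec_mul(r_a, G))
    return ok, replayed, k_a == k_b  # (True, False, True)
```

Summing public key shares without a key-aggregation coefficient, as the scheme above does, is exposed to rogue-key attacks by a participant who chooses its share as a function of the others'; in deployment the shares should be accompanied by a proof of possession or combined with per-key coefficients as in MuSig, and the ephemeral ECDH values should be signed with the nodes' registered keys.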
(2) Data storage security
The encrypted file storage is performed using the IPFS distributed file system. The method comprises the following specific steps:
when the node A needs to store data, the node B is selected as a data storage node. The file M is encrypted using the key agreement step mentioned above: c=aes_encrypt (M, k); node a uploads the encrypted data C to the IPFS network. The IPFS generates a unique hash value H for the data as an index; node a then stores the file index H on the blockchain for retrieval by other node nodes.
When node D wants to access data stored in the IPFS, node D performs a key negotiation with node B to obtain AES session key k. Node D obtains encrypted data C from IPFS using file index H. The node D uses the AES session key k to decrypt the encrypted data C to obtain the original data M.
(3) Data integrity
Digital signatures ensure the integrity and origin of data in transit. Signing uses ECDSA (Elliptic Curve Digital Signature Algorithm), which offers a high security level with a relatively short key. Suppose node A needs to sign an intrusion event report (the message).
Signature stage
Node A first needs an elliptic curve key pair (dA as the private key and QA as the public key), where QA = dA·G and G is the generator of the curve. When a report needs to be signed, node A performs the following steps:
i. choose a random number k (1 ≤ k ≤ n−1, where n is the order of the curve); k must be unpredictable and never reused, since two signatures with the same k reveal dA; ii. compute the point P = k·G on the curve and the residue of its x coordinate, r = P.x mod n; if r = 0, choose a new k and repeat steps i and ii; iii. compute the modular inverse k_inv = k^{−1} mod n; iv. compute the hash of the report, h = Hash(message); v. compute s = (h + dA·r)·k_inv mod n; if s = 0, choose a new k and repeat steps i to v.
After step v, the signature of node A is (r, s).
Verification:
Suppose node B receives the intrusion event report sent by node A together with its signature (r, s). Node B verifies it as follows:
i. check that r and s are in range: 1 ≤ r, s ≤ n−1; ii. compute the hash of the report, h = Hash(message); iii. compute the modular inverse s_inv = s^{−1} mod n; iv. compute u1 = h·s_inv mod n and u2 = r·s_inv mod n; v. compute the point P = u1·G + u2·QA on the curve; if P is the point at infinity the signature is invalid; vi. check whether r ≡ P.x (mod n). If so, the signature is valid; otherwise it is invalid.
(4) Key updating between nodes
To limit the exposure of long-lived keys and strengthen the security of the whole system, the asymmetric key pairs of the nodes are updated periodically. During an update the new public key is written to the blockchain, replacing the old one, and every node monitors the public key updates of the other nodes on the blockchain to ensure that the latest public key is used for encrypted communication. The specific steps are as follows:
Each node sets a key update period T according to its own security policy and requirements; T may be a fixed interval or adjusted dynamically by some rule. When the usage time of a node's key reaches T, the key update procedure is triggered: the node broadcasts a key update request to the other nodes, re-executes the identity authentication (distributed key generation) step to obtain a new public key for key agreement and data encryption, and broadcasts the new public key.
Intrusion detection data sharing and collaboration
The intrusion detection tasks are distributed over several nodes; each node runs a local detection algorithm and submits its results to the blockchain network for verification and recording. This realizes decentralized storage and sharing of the intrusion detection results, and a decentralized consensus algorithm ensures collaboration among the nodes and consistency of the data.
Each node in the collaborative distributed architecture has its own intrusion detection algorithms and policies, which can be adjusted and upgraded as needed. When a node detects suspicious activity, it may upload the result to a central node or to neighbouring nodes for further analysis and processing. The central node collects and integrates the information uploaded by all nodes and decides, according to rules or models, whether intrusion activity exists.
Storage uses the IPFS file system. In conventional intrusion detection systems data are usually stored in a centralized database; IPFS instead splits a file into blocks, each identified by its hash, and stores the blocks on the various nodes of the IPFS network. Each file published to the IPFS network also has a unique content hash that is used to locate and retrieve it. When a node wants to access a file, the IPFS network automatically looks up the file from the nearest nodes and downloads its blocks. Using IPFS avoids the problems of centralized storage, keeps the intrusion data traceable and reliable (a block whose content does not match its hash is rejected), and improves processing efficiency and response speed.
The intrusion detection data sharing and collaboration of the distributed nodes are divided into four phases: an initialization phase, a storage consensus phase, a sharing collaboration phase, and an attacker's chaining phase. The overall flow is as shown in fig. 2:
(1) Initialization phase
When a node (e.g., node 1) detects an alarm such as an intrusion attempt, it initiates an intrusion detection event. As required by the smart contract, the identity of node 1 is authenticated first, and it is checked whether node 1 has enough resources to perform the block generation operation. If node 1 fails identity authentication, the node initiates a certificate application in the blockchain network. If the node's resources are insufficient, the transaction is aborted and an alarm reporting the abnormal state of node 1 is broadcast to the other nodes to draw the administrator's attention to the node state. Only after node 1 passes all of these checks is it successfully initialized.
(2) Store consensus phase
At this stage, node 1 provides the original alert data according to the input parameters of the smart contract. In return, node 1 receives the reward offered by the smart contract. Node 1 adds a digital signature to the data. The smart contract packages the digitally signed data, stores it in the IPFS system and returns a unique hash value as the file index. At the same time, the smart contract generates an intrusion data summary, including the suspicious source IP and the intrusion time, for subsequent quick retrieval. The transaction-initiating node then records the file index of the original alert intrusion data together with the intrusion data summary into block 1 and broadcasts it to the other nodes. The remaining nodes are rewarded when they reach consensus on the block. During consensus, the remaining nodes verify the identity of node 1 according to the authentication mechanism in section 3.2.1 and accept block 1 if verification passes. Once more than 50% of the nodes accept block 1, consensus is complete. The smart contract specifies the content and format in which each node records data to a block, as shown in fig. 3.
(3) Shared collaboration phase
After receiving the broadcast block 1, a neighboring node of node 1 (e.g. node 2) retrieves the attacker's intrusion data from its own database according to the information in the block header. The smart contract then appends the attacker data provided by the updating node 2 to the original file, located by its file index, using the IPFS file update algorithm. If node 2 has no intrusion data related to the attacker, it instead appends a descriptive record containing its own device information and 'no attacker found'. Node 2 digitally signs the new data. IPFS stores the new data, hashes it together with the original alert data, and returns a new unique hash value as the file index (e.g., file index 2). Node 2 writes the hash of block 1, the intrusion data summary of block 1 and file index 2 into block 2 and broadcasts it to the other nodes, which reach consensus on block 2. When a node encounters a longer chain during consensus, it updates its local chain, so that a block that has already reached consensus is not accepted again. If some nodes do not respond to the broadcast for a long time, the remaining nodes stop waiting for their responses, to prevent communication or processing from blocking. This process repeats until all nodes have provided a lookup result for the attacker data.
(4) Attacker's chaining stage
At this stage, the smart contract monitors the block (e.g., block n) generated by the last node to update the attacker data and reads file index n from that block. The smart contract then downloads the file, which contains the attacker information provided by all the nodes, from the IPFS file system. The smart contract sorts the attack data in timestamp order, reconstructs the attack chain and generates an intrusion data set for the attacker. The smart contract stores the data set in the IPFS file system, obtains a new file index (e.g., file index n+1), and deletes file n to free up storage space. Next, the smart contract issues file index n+1 to block 1: block 1 records the attacker intrusion data summary together with the file index and is registered and published on the blockchain. In this way all nodes can access and query the attacker's intrusion data, enabling monitoring and tracking of the attacker's behavior.
Through the four phases, the blockchain network successfully realizes the processing of intrusion detection events and the sharing of attacker data. The method effectively utilizes the advantages of the blockchain and IPFS technology, and improves the network security and the data reliability.
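The four phases above, run end to end on constructed data, as an added example that is not part of the patent. The IPFS network is modelled by a content-addressed dictionary keyed by SHA-256 (so a file index is self-verifying, which is the integrity check the data-integration stage relies on), the digital signatures and the smart contract are reduced to plain function calls, and the consensus vote is the page's "more than 50% of nodes accept" rule. Node names, the alert and the per-node lookup results are constructed; the block layout (previous hash, block-1 summary, file index, producer) follows fig. 3 as described in the text.

```python
# Added example: in-memory model of the storage-consensus, sharing-collaboration
# and attacker-chaining phases.  Not the patent's code; IPFS, signatures and the
# smart contract are stand-ins so the block links and the ordered attack chain
# can be inspected offline.
import hashlib
import json


class ContentStore:
    """Stand-in for IPFS: the file index is the SHA-256 of the bytes stored."""

    def __init__(self):
        self._blobs = {}

    def put(self, data: bytes) -> str:
        index = hashlib.sha256(data).hexdigest()
        self._blobs[index] = data
        return index

    def is_intact(self, index: str) -> bool:
        # a content address is self-verifying: recompute before trusting it
        return hashlib.sha256(self._blobs[index]).hexdigest() == index

    def get(self, index: str) -> bytes:
        if not self.is_intact(index):
            raise ValueError("stored content does not match its index")
        return self._blobs[index]

    def delete(self, index: str) -> None:
        self._blobs.pop(index, None)


def block_hash(block: dict) -> str:
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()


def reach_consensus(block: dict, tip: str, nodes: list) -> bool:
    """Each node accepts a block that extends its chain tip and names a known
    producer; the block is final once more than 50% of the nodes accept it."""
    accepts = [block["prev"] == tip and block["producer"] in nodes for _ in nodes]
    return sum(accepts) * 2 > len(nodes)


def share_intrusion_event(store, nodes, alert, lookups):
    """Run phases 2-4 for one alert raised by nodes[0].  Returns the list of
    accepted blocks and the timestamp-ordered attack chain."""
    chain, tip = [], "0" * 64
    summary = {"src_ip": alert["src_ip"], "time": alert["time"]}

    def publish(records, producer):
        nonlocal tip
        index = store.put(json.dumps(records).encode())
        block = {"prev": tip, "summary": summary, "file_index": index, "producer": producer}
        if not reach_consensus(block, tip, nodes):
            raise RuntimeError("block rejected by the network")
        chain.append(block)
        tip = block_hash(block)
        return index

    # storage consensus: raw alert stored, its index + summary recorded in block 1
    records = [dict(alert, node=nodes[0])]
    publish(records, nodes[0])

    # sharing collaboration: every other node appends what it knows about src_ip,
    # or a 'no attacker found' record carrying its device name
    for node in nodes[1:]:
        found = [dict(r, node=node) for r in lookups.get(node, [])
                 if r["src_ip"] == alert["src_ip"]]
        records = records + (found or [{"node": node, "note": "no attacker found"}])
        publish(records, node)

    # attacker chaining: order dated evidence, publish the data set, drop file n
    last_index = chain[-1]["file_index"]
    evidence = [r for r in json.loads(store.get(last_index)) if "time" in r]
    attack_chain = sorted(evidence, key=lambda r: r["time"])
    publish(attack_chain, nodes[0])
    store.delete(last_index)
    return chain, attack_chain


# Constructed sample: node1 raises an SSH brute-force alert; node2 and node4
# hold earlier/later sightings of the same source, node3 holds none.
NODES = ["node1", "node2", "node3", "node4"]
ALERT = {"src_ip": "203.0.113.7", "time": 1700000300, "event": "ssh brute force"}
LOOKUPS = {
    "node2": [{"src_ip": "203.0.113.7", "time": 1700000120, "event": "port scan"}],
    "node4": [{"src_ip": "203.0.113.7", "time": 1700000410, "event": "smb lateral movement"},
              {"src_ip": "198.51.100.9", "time": 1700000415, "event": "unrelated"}],
}


def demo():
    return share_intrusion_event(ContentStore(), NODES, ALERT, LOOKUPS)
```

`demo()` yields five accepted blocks (block 1, one per collaborating node, and the final data-set block) and a three-record attack chain ordered port scan, brute force, lateral movement; node3's 'no attacker found' record has no timestamp and is dropped when the chain is assembled.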
Situational awareness assessment
By analyzing and mining the intrusion data set and other network state information collected in the foregoing, the malicious behavior evaluation and early warning mechanism is realized. In this process, the information within the data source will be analyzed, including but not limited to network traffic, host logs, and security event data, among others. These data are preprocessed and feature extracted, and then analyzed and understood to strongly support subsequent evaluations and warnings. The situation awareness architecture is shown in fig. 4.
Stage 1 data preprocessing and feature extraction
(1) Data integration
The data index is obtained from the blockchain, the blockchain is traversed, blocks containing attacker information are found, and file index information is extracted from the blocks. Data is obtained from the IPFS file system according to the file index. The latest threat information, network service status, etc. are collected from external data sources, and real-time situation data of the network and the devices are collected. The real-time data is integrated with intrusion data obtained from the IPFS file system to form a complete data set. And checking the integrity and consistency of the data by using the hash value of the block chain, and ensuring that the data is not tampered in the transmission process. When new intrusion data is generated, the data set is updated in real time, so that the timeliness of the data is ensured.
(2) Data preprocessing
Abnormal values and noise are removed through data cleaning, and the effective data are retained, so that data quality and accuracy are improved and a reliable basis is provided for subsequent data analysis and mining. Table 2 below lists part of the data processing items.
Table 2 partial data processing item list
Data integration is performed from several aspects: consistency of the data format, which facilitates integration and analysis; accuracy and completeness of the data sources, so that analysis is not distorted; handling of duplicate data and balancing of data volume, to avoid analysis bias; and standardization of the data, to ensure consistency and comparability.
Principal component analysis (PCA) is used for data reduction and feature extraction. Network security intrusion events often carry many related attributes. For example, in a phishing-mail attack, the timing of the malicious mails and the lateral attack range of the compromised host are the most important attributes, so the communication IPs and trusted mails produced by the remaining normal communication behavior of the compromised host are removed.
PCA extracts the most important features (principal components) from high-dimensional data and converts them into new feature representations in low-dimensional space. The original data is converted into the data representation under the new coordinate system through linear transformation, so that the data under the new coordinate system has the maximum variance, and different dimensions are independent from each other, thereby achieving the purpose of dimension reduction. Table 3 below is some of the definitions involved in the PCA algorithm:
Table 3 PCA algorithm correlation definition
The process of PCA includes the following steps: the original data X is centered to obtain the centered data matrix X_c; the covariance matrix C of X_c is calculated; eigenvalue decomposition of C gives the eigenvalues λ_1, λ_2, ..., λ_n and the eigenvectors v_1, v_2, ..., v_n; the eigenvectors are sorted by their eigenvalues from large to small and the first k are selected to form the matrix W, where k is the target number of features after dimension reduction; the data matrix X_c is multiplied by W to obtain the dimension-reduced data matrix Y = X_c W; the dimension-reduced data matrix Y is returned.
Assume that, through data integration, preprocessing and feature extraction, an intrusion data set is obtained that contains the following features: the attack type code, converted into numerical data using one-hot encoding; the attack source IP address, converted to an integer; the IP address of the target device, converted to an integer; the attack duration, numerical data in seconds; and the attack traffic, numerical data in bytes. Table 4 shows some of the numerical features of part of the original intrusion data set.
Firstly, calculating covariance matrix of the feature data, and then carrying out feature value decomposition to obtain feature vectors and corresponding feature values. After selecting the feature vectors corresponding to the first two maximum feature values as the projection matrix, multiplying the original data by the matrix to obtain the main component data after dimension reduction, as shown in table 5.
TABLE 4 partial characterization of original intrusion dataset A
TABLE 5 original intrusion dataset A feature dimension reduction
As shown in the table above, the original three features have been reduced in dimension to two principal components. These two principal components can account for most of the variance in the raw data while reducing the dimensionality of the features. The principal component analysis can help to find potential modes in data and remove redundant and inconsequential characteristics in the intrusion data set processing process in network security situation awareness, so that the data processing efficiency is improved, and potential security threats are better identified and predicted.
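The PCA steps above carried out in pure Python on a constructed intrusion feature table, as an added example that is not part of the patent. The features are z-scored first (the standardization named in the preprocessing stage) so that byte counts do not swamp durations, and the top-k eigenvectors of the resulting covariance matrix are obtained by power iteration with deflation, which is sufficient for a handful of features; a production pipeline would call a library eigendecomposition. The example deliberately uses only magnitude-valued features (duration, bytes, distinct destination ports): an IP address converted to an integer, as Table 4 does, has no metric meaning, and PCA would treat the numeric distance between two addresses as if it were one.

```python
# Added example: PCA (center/standardize -> covariance -> top-k eigenvectors ->
# projection) in pure Python.  Not the patent's code; sample rows are constructed.
import math

# Constructed sample: one row per alert -> (duration_s, bytes, distinct_dst_ports)
SAMPLE = [
    (2, 1500, 3), (5, 4200, 40), (1, 800, 1), (12, 9800, 6),
    (7, 6100, 55), (3, 2200, 2), (20, 17000, 9), (9, 7400, 30),
]


def standardize(X):
    """Center each column and scale it to unit sample variance."""
    m, d = len(X), len(X[0])
    mean = [sum(r[j] for r in X) / m for j in range(d)]
    std = [math.sqrt(sum((r[j] - mean[j]) ** 2 for r in X) / (m - 1)) or 1.0
           for j in range(d)]
    return [[(r[j] - mean[j]) / std[j] for j in range(d)] for r in X]


def covariance(Xc):
    m, d = len(Xc), len(Xc[0])
    return [[sum(r[a] * r[b] for r in Xc) / (m - 1) for b in range(d)] for a in range(d)]


def matvec(C, v):
    return [sum(C[i][j] * v[j] for j in range(len(v))) for i in range(len(C))]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def top_eigenpairs(C, k, iters=1000):
    """Largest k eigenpairs of a symmetric PSD matrix by power iteration with
    deflation: once (lam, v) is found, C becomes C - lam * v v^T so that the
    next iteration converges to the next-largest component."""
    C = [row[:] for row in C]
    d = len(C)
    pairs = []
    for _ in range(k):
        v = [1.0 / (i + 1) for i in range(d)]            # generic start vector
        n = math.sqrt(dot(v, v))
        v = [x / n for x in v]
        for _ in range(iters):
            w = matvec(C, v)
            n = math.sqrt(dot(w, w))
            if n < 1e-12:
                break                                      # remaining variance ~ 0
            v = [x / n for x in w]
        lam = dot(v, matvec(C, v))                         # Rayleigh quotient
        pairs.append((lam, v))
        for i in range(d):
            for j in range(d):
                C[i][j] -= lam * v[i] * v[j]
    return pairs


def pca(X, k):
    """Return (Y, W, eigenvalues): scores Y = Xc W and the d x k loading matrix W."""
    Xc = standardize(X)
    pairs = top_eigenpairs(covariance(Xc), k)
    d = len(Xc[0])
    W = [[pairs[c][1][r] for c in range(k)] for r in range(d)]
    Y = [[dot(row, [W[r][c] for r in range(d)]) for c in range(k)] for row in Xc]
    return Y, W, [lam for lam, _ in pairs]


def explained_variance_ratio(eigenvalues, n_features):
    """For z-scored data the total variance (trace of C) equals n_features."""
    return sum(eigenvalues) / n_features
```

With `pca(SAMPLE, 2)` the eight 3-feature rows become 2-component scores; because bytes track duration almost linearly, the two retained components carry well over 90% of the total variance, which is the page's criterion for dropping the third dimension.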
Stage 2 data analysis and evaluation
And evaluating the network security situation according to the data. And calculating a total security situation score by adopting a weighted comprehensive evaluation method and distributing weights for different indexes. The method comprises the following specific steps:
(1) Determining the evaluation index
An index for evaluating the security situation of the network must be determined. The principal components obtained in the previous stage are used as the indexes.
(2) Assigning weights
A weight is assigned to each evaluation index. The weight reflects the relative importance of the index in the overall security situation, and the weight distribution can be adjusted according to actual conditions and domain knowledge. For example, principal component 1 has the higher correlation and is an important index of network security. The weights may be assigned as follows: principal component 1, 0.7; principal component 2, 0.3.
(3) Calculating each score and evaluating network security situation results
For each evaluation index, a score needs to be calculated. The score may be calculated based on actual data, criteria, or experience. For each index, the score is multiplied by its corresponding weight, and then all the products are added to calculate a total score. And evaluating the network security situation according to the total score. The scores are mapped to an evaluation interval level, and the risk levels are determined, such as safety (low risk), basic safety (medium and low risk), risk (medium risk), high risk (medium and high risk), and extreme risk (high risk).
(4) Dynamic adjustment
Network security posture is a dynamically changing process. Therefore, new intrusion data can be continuously collected, and the network security situation assessment weight and the result can be updated in real time. This will help discover new security threats in time, developing effective countermeasures.
Situational awareness prediction
An LSTM is employed to model the data of historical network security events, and the model is used to predict the security situation of future network traffic. Based on the LSTM, the principle and steps of intrusion situation awareness are as follows:
(1) Preprocessing network security situation data. After collecting network security posture data, it is necessary to process abnormal and bad data. To solve for network security posture values more conveniently, we need to normalize the raw data to the (0, 1) range. The LSTM neural network prediction model using the gradient descent algorithm has a higher sensitivity to data between (0, 1).
(2) Data set processing. Before prediction, the network security situation data set is converted, using a time-window strategy, into the shape required by the model input. To avoid overfitting, all network security situation value data are divided into a training set and a test set in the ratio 4:1.
(3) Model building and training. An LSTM model is constructed, the training set data and the corresponding labels are input into the network for training, and the LSTM parameters are optimized with stochastic gradient descent to obtain the optimal network security situation prediction model.
(4) Situation prediction. After the test set data have been processed (steps 1 and 2), they are input into the optimal network security situation prediction model trained in step 3, and the prediction result output by the model can be used to evaluate the security state of the current network.
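Steps (1) and (2) as data-preparation code, added here as an example that is not part of the patent; the LSTM itself (any framework) is outside the block. The min-max scaler is fitted on the training portion only and the 4:1 split is chronological rather than shuffled, which the steps do not state but a time-series model requires: fitting the scaler on all data, or shuffling before the split, leaks the test period into training and makes the evaluation optimistic. The score series is constructed.

```python
# Added example: normalize a situation-score series to (0, 1), cut it 4:1 in time
# order, and turn it into (window -> next value) training samples for an LSTM.
# Not the patent's code; SCORES is a constructed series.
SCORES = [0.12, 0.15, 0.11, 0.30, 0.45, 0.42, 0.60, 0.72, 0.68, 0.80,
          0.77, 0.55, 0.40, 0.35, 0.50, 0.66, 0.70, 0.85, 0.90, 0.88]


def split_chronological(series, train_parts=4, test_parts=1):
    """4:1 split without shuffling: earlier points train, later points test."""
    cut = len(series) * train_parts // (train_parts + test_parts)
    return series[:cut], series[cut:]


def fit_min_max(train):
    """Scaler parameters come from the training portion only (no leakage)."""
    lo, hi = min(train), max(train)
    return lo, (hi - lo) or 1.0


def scale(series, lo, span):
    return [(x - lo) / span for x in series]


def make_windows(series, window):
    """Sliding window: X[i] = series[i:i+window], label y[i] = series[i+window]."""
    X = [series[i:i + window] for i in range(len(series) - window)]
    y = [series[i + window] for i in range(len(series) - window)]
    return X, y


def prepare(series, window=4, train_parts=4, test_parts=1):
    train, test = split_chronological(series, train_parts, test_parts)
    lo, span = fit_min_max(train)
    X_tr, y_tr = make_windows(scale(train, lo, span), window)
    # prefix the test part with the last `window` training points so that the
    # first test label still has a full history behind it
    X_te, y_te = make_windows(scale(train[-window:] + test, lo, span), window)
    return (X_tr, y_tr), (X_te, y_te), (lo, span)
```

For the constructed series the last test-period scores are higher than anything seen in training, so their scaled values exceed 1.0; that is expected with a training-only scaler and is the condition under which the model is extrapolating, which is worth flagging rather than hiding by rescaling over the whole series.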
Resistance to attack analysis:
(1) Malicious node impersonates legal node to attack
Such attacks are prevented using distributed key generation and authentication based on asymmetric key pairs. Each node has a pair of asymmetric keys (public and private) and stores the public key on the blockchain. Only legitimate nodes can pass authentication. Since the private key is held by the node itself only, a malicious attacker cannot forge the identity of a legitimate node.
(2) Man-in-the-middle attack
A hybrid encryption method (combining a public key encryption algorithm and a symmetric encryption algorithm) is used to ensure the security of data transmission. Through the key agreement procedure, two nodes may generate a shared session key k. Since k is shared only between these two nodes, a malicious attacker cannot obtain the key and thus cannot decrypt the data in the transmission.
(3) Data tamper attack
Digital signature techniques (e.g., ECDSA) are used to ensure the integrity of the data during transmission. Before transmitting the data, the node digitally signs the message and then transmits the signature along with the ciphertext to the receiving node. The receiving node uses the public key of the sending node to verify the validity of the signature; only when the signature is valid is the data accepted as not having been tampered with in transit. This prevents malicious attackers from modifying the data in transit.
(4) Data theft attack
The encrypted file storage is performed using the IPFS distributed file system. The node encrypts the data before storing the data in the IPFS network. Thus even if an attacker can access data on the IPFS network, the attacker cannot obtain the original information because the data is encrypted.
(5) Key leakage attack
Nodes are required to update asymmetric key pairs periodically to prevent the key from being attacked for a long period of time. When the key usage time of a node reaches the update period T, it will trigger the key update procedure. The newly generated public key will be written to the blockchain, replacing the old public key. Thus, even if an attacker can crack the old key, it cannot pose a threat to the new key.
Blockchain transaction and consensus security analysis:
(1) Preventing malicious attacks
In the node initialization phase, each node has its own resource limit value resLimit, preventing denial of service attacks (DDoS). If the transaction node does not have sufficient computing resources to handle the computing tasks in the transaction, it may be the target of denial of service attacks by the attacker. By checking the computational resources of the node, it can be ensured that the node is able to withstand a certain load pressure, thus preventing denial of service attacks.
Each time a node initiates a task, it is security-reviewed by the smart contract. The smart contract also periodically checks the reward balance of each node; if the balance falls below the threshold, the node is treated as potentially malicious and may be excluded from the transaction.
(2) Collaborative attack
A collaborative attack means that attackers jointly control enough nodes, through collusion or cooperation, to take control of the whole blockchain network. An attacker typically increases its weight in the blockchain network by continually acquiring enough rewards.
The rewarding transaction incentive mechanism can ensure that the benefits of the honest nodes are higher than those of malicious behaviors. This will encourage the nodes to follow the protocol, reducing the motivation for malicious nodes to launch a cooperative attack. Meanwhile, the digital signature technology is used, which is equivalent to that a plurality of nodes sign and encrypt the data together, so that the difficulty of tampering the data and launching cooperative attack by malicious nodes is increased.
Efficiency analysis
To compare the present application with the other solutions on a common basis, it is contrasted with them from the perspective of collaborative authentication. The decentralized identity authentication is extended by the privacy protection process of key negotiation, encryption, transmission and decryption, and a digital signature algorithm is executed when the nodes communicate jointly; the whole is called the intrusion detection identity authentication process, and its response time is then calculated.
The intrusion detection identity authentication process consists mainly of point multiplication and point addition operations. The analysis yields 3 point multiplications (calculation of the public key share, the AES MixColumns step, R_i and digital signature key generation), 2 point additions (calculation of R, AES AddRoundKey and the combination of the public key, digital signature key generation), 1 hash operation and 1 exponentiation (construction of the polynomial).
The operational and time overhead of the present application, of document [60] (Hsieh W B, Leu J S. An anonymous mobile user authentication protocol using self-certified public keys based on multi-server architectures [J]. The Journal of Supercomputing, 2014, 70: 133-148.) and of document [61] (Yuan C, Zhang W, Wang X. EIMAKP: Heterogeneous cross-domain authenticated key agreement protocols in the EIM system [J]. Arabian Journal for Science and Engineering, 2017, 42: 3275-3287.) are summarized in Table 6, Table 7 and FIG. 5, according to the same statistical and computational principles:
table 6 various arithmetic operations, symbols
Table 7 protocol operation
It can be seen that the computational overhead of the present application is significantly lower than that of the solutions of document [60] and document [61], mainly because the present application eliminates one map-to-point operation.
Code was written to simulate the intrusion detection identity authentication process based on RSA key negotiation and compare it with the process based on ECC key negotiation. The simulation experiment was implemented in Python, with data encryption and decryption based on the Python cryptography library. The relationship between the authentication response time and the number of nodes is shown in FIG. 6; the number of nodes was varied up to 100.
It can be seen from the figure that the response time of distributed authentication increases as the number of nodes increases. This is because, as the number of nodes grows, the overhead of the system increases: the memory occupied grows and the amount of processor computation grows, so the authentication response time increases. In practice, however, the number of participants and the threshold are limited, and a low response time can be achieved on a typical user computer.

Claims (7)

1. A distributed node intrusion situation awareness method based on a blockchain is characterized by comprising the following steps:
decentralized identity authentication;
sharing and cooperatively processing intrusion data;
sensing an intrusion situation;
the decentralized identity authentication method includes the following steps:
seven steps of authentication initialization, generation of a distributed key, public key combination, identity registration and verification, intelligent contract initiation of an identity verification request, node distributed signature verification request and node signature response sending;
the data security is realized by the following method:
1) Data transmission security
The data is encrypted by combining an AES symmetric encryption algorithm, and the specific steps are as follows:
a. key agreement
When node A communicates securely with node B, node A generates a random number r_A and calculates a temporary public key PubKey_A = r_A * G; node A sends the temporary public key PubKey_A to node B; node B generates a random number r_B, calculates a temporary public key PubKey_B = r_B * G, and sends it to node A; node A calculates the key agreement result K_A = r_A * PubKey_B; node B calculates the key agreement result K_B = r_B * PubKey_A; K_A and K_B are identical and serve as the AES session key k;
b. data encryption
The original data is M; the node A encrypts the original data M by using an AES session key k to obtain encrypted data C; the encryption process is expressed as: c=aes_encrypt (M, k);
c. data transmission
The node A sends the encrypted data C to the node B;
d. data decryption
To recover the original data M, the node B decrypts the encrypted data C using the AES session key k; the decryption process is expressed as: m=aes_decrypt (C, k)
2) Data storage security
The encrypted file storage is carried out by using an IPFS distributed file system, and the specific steps are as follows:
when the node A stores data, the node B is selected as a data storage node; the original data is encrypted using a data encryption step: c=aes_encrypt (M, k); the node A uploads the encrypted data C to an IPFS network; IPFS will generate a unique hash value H for data C as an index; node a then stores the file index H on the blockchain for retrieval by other nodes;
When the node D needs to access the data stored in the IPFS, the node D performs key negotiation with the node B to obtain an AES session key k; node D obtains encrypted data C from IPFS using file index H; the node D uses the AES session key k to carry out data decryption on the encrypted data C to obtain original data M;
3) Data integrity
Signature stage:
firstly, node A generates an elliptic curve key pair with private key dA and public key QA = dA * G, where G is a generator of the elliptic curve; when signing a report, node A performs the following steps:
i. select a random number k, 1 <= k <= n-1, where n is the order of the elliptic curve; ii. calculate the point P = k * G on the elliptic curve and the modulo-n remainder of its x coordinate, r = P.x mod n; if r is 0, reselect k and repeat steps i and ii; iii. calculate the modulo-n multiplicative inverse of k: k_inv = k^(-1) mod n; iv. calculate the hash value of the report: h = hash(message); v. calculate s = (h + dA * r) * k_inv mod n; if s is 0, reselect k and repeat steps i through v;
after the step v is finished, obtaining the signature of the node A as (r, s);
verification:
the node B receives the intrusion event report sent by the node A and the signature (r, s) thereof, and the node B performs the following steps for verification:
i. ensure that the ranges of r and s are valid: 1 <= r, s <= n-1; ii. calculate the hash value of the report: h = hash(message); iii. calculate the modulo-n multiplicative inverse of s: s_inv = s^(-1) mod n; iv. calculate the two values u1 = h * s_inv mod n and u2 = r * s_inv mod n; v. calculate the point P = u1 * G + u2 * QA on the elliptic curve; vi. verify whether the condition r = P.x mod n is satisfied; if so, the signature is valid; otherwise, the signature is invalid;
4) Key updating between nodes
During the update process, the new public key will be written to the blockchain, replacing the old public key; each node needs to monitor the public key update of other nodes on the blockchain, and the specific steps are as follows:
each node calculates a key update period T according to its own security policy and requirements; the period T is a fixed time interval or is adjusted dynamically according to a rule; when the usage time of a node's key reaches the update period T, the key update flow is triggered; the node triggering the key update broadcasts a key update request to the other nodes; and the decentralized identity authentication method is re-executed to obtain a new public key for use in the key negotiation and data encryption processes, and the new public key is broadcast.
2. The blockchain-based distributed node intrusion situation awareness method of claim 1, wherein:
1) Authentication initialization
The n participating nodes jointly create an elliptic curve key pair; using t to represent a threshold value, t < = n, at least requiring that t nodes cooperate together to complete key generation and signature, and combining a secp256k1 elliptic curve algorithm to generate a key;
2) Generation of distributed keys
Each participating node will generate a public key share and a private key share by:
generating a random number using a pseudo-random number generator as the private key share SecKey_i, i ∈ [1, n-1], where i represents the index of each participating node; each participating node uses a polynomial of degree t-1 to create a secret sharing:
randomly selecting coefficients a_1, a_2, ..., a_(t-1) and calculating the polynomial f_i(x) = SecKey_i + a_1 * x + a_2 * x^2 + ... + a_(t-1) * x^(t-1); calculating the public key share PubKey_i = SecKey_i * G, where G is a generator of the elliptic curve; finally, each participating node broadcasts its public key share to the other participating nodes;
3) Public key combination
Each participating node collects the public key shares of all other participating nodes and calculates a combined public key using Lagrange interpolation: for each public key share PubKey_i, the interpolation coefficient λ_i = Π_(1 <= j <= t, j ≠ i) x_j / (x_j - x_i) is calculated; the combined public key PubKey = Σ λ_i * PubKey_i is calculated;
4) Identity registration
Creating a new identity identifier DID and recording the new identity identifier DID in a distributed account book; after each participating node generates an identity identifier document, registering the identity identifier document on the blockchain so that other participating nodes can search and verify the information of the identity identifier on the blockchain;
5) Intelligent contract initiated authentication request
The intelligent contract is a service provider, and the intelligent contract verifies the identity of the user by executing an intelligent contract code so as to realize the decentralised identity authentication;
when each participating node accesses the blockchain network to issue a task, the intelligent contract initiates an identity verification request to the node, wherein the request comprises a random number nonce;
6) Node distributed signature verification request
Each participating node uses a private key share SecKey i Signing the request; the signature process uses an elliptic curve Schnorr multiple signature algorithm;
signature algorithm step:
calculating the message hash value using SHA-256, h = SHA-256(message); each participating node selects a random number k_i and calculates R_i = k_i * G; each participating node broadcasts R_i to the other participating nodes, and the received R_i are added to give R = Σ R_i; calculating r = x(R) mod n; each participating node calculates s_i = k_i + r * SecKey_i; collecting the s_i of at least t other participating nodes and calculating s = Σ s_i mod n; (r, s) is the final signature;
7) Node sends signature response
Each participating node sends a final signed response to the smart contract; after receiving the final signature response sent by each participating node, the intelligent contract uses the corresponding public key to verify the validity of the signature; if the signature verification is successful, the intelligent contract confirms the identity of the participating node and provides corresponding service or resource for the participating node; otherwise the intelligent contract refuses the request of the participating node.
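The three elliptic-curve procedures of claims 1 and 2 (the key agreement of 1)a, the ECDSA signing and verification of 3), and the Schnorr multi-signature of step 6)) carried out on secp256k1 in pure Python, as an added example that is not part of the patent. Private keys and nonces are fixed example constants; a real node must draw every private key and every nonce k from a cryptographically secure generator (Python's `secrets` module, not an ordinary pseudo-random generator), because a reused or predictable k in ECDSA reveals the private key. Two observations a practitioner should keep in mind when reading the claim text: the s_i = k_i + r * SecKey_i of step 6) does not involve the hash h = SHA-256(message) that the same step computes, so the signature as written does not bind the message (a standard Schnorr challenge is H(R || PubKey || message)); and the verification equation that follows from that s_i is s * G = R + r * (Σ PubKey_i), the plain sum of the public key shares, which is what the example checks. Deriving the AES session key bytes from the shared point's x coordinate with SHA-256 is the example's own choice; the claim uses K directly.

```python
# Added example (not the patent's code): secp256k1 group arithmetic plus the
# ECDH key agreement, ECDSA sign/verify and additive Schnorr multi-signature
# of the claims.  All keys and nonces below are fixed for the example; use
# secrets.randbelow(N - 1) + 1 for real keys and for every nonce.
import hashlib

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(A, B):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the identity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # A == -B
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P        # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, Q=G):
    """Double-and-add k*Q with k reduced modulo the group order."""
    R, k = None, k % N
    while k:
        if k & 1:
            R = point_add(R, Q)
        Q = point_add(Q, Q)
        k >>= 1
    return R


def msg_hash(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


# --- claim 1, 1)a: K_A = r_A * PubKey_B == r_B * PubKey_A = K_B
def ecdh_session_key(r_own, pub_peer):
    K = scalar_mult(r_own, pub_peer)
    return hashlib.sha256(K[0].to_bytes(32, "big")).digest()   # 32-byte AES key


# --- claim 1, 3): ECDSA over the report
def ecdsa_sign(dA, message, k):
    if not 1 <= k <= N - 1:
        raise ValueError("nonce out of range")
    r = scalar_mult(k)[0] % N
    if r == 0:
        raise ValueError("r == 0: reselect k")
    s = (msg_hash(message) + dA * r) * pow(k, -1, N) % N
    if s == 0:
        raise ValueError("s == 0: reselect k")
    return r, s


def ecdsa_verify(QA, message, sig):
    r, s = sig
    if not (1 <= r <= N - 1 and 1 <= s <= N - 1):           # step i range check
        return False
    s_inv = pow(s, -1, N)
    u1, u2 = msg_hash(message) * s_inv % N, r * s_inv % N
    Pt = point_add(scalar_mult(u1), scalar_mult(u2, QA))     # u1*G + u2*QA
    return Pt is not None and Pt[0] % N == r                 # r == P.x mod n


# --- claim 2, step 6): additive Schnorr multi-signature as the claim states it
def schnorr_multisign(seckeys, nonces):
    """R = sum(k_i*G), r = x(R) mod n, s = sum(k_i + r*SecKey_i) mod n.
    The claim also computes h = SHA-256(message) but its s_i does not use h."""
    R = None
    for k in nonces:
        R = point_add(R, scalar_mult(k))
    r = R[0] % N
    s = sum(k + r * d for k, d in zip(nonces, seckeys)) % N
    return R, r, s


def schnorr_multiverify(pubkeys, R, r, s):
    """s*G must equal R + r*(sum of the public key shares)."""
    agg = None
    for Qi in pubkeys:
        agg = point_add(agg, Qi)
    return r == R[0] % N and scalar_mult(s) == point_add(R, scalar_mult(r, agg))
```

`ecdsa_verify` rejects a signature over a modified report, a zero s, and an s outside [1, n-1] before doing any curve arithmetic; `schnorr_multiverify` fails if any share's public key is missing from the sum or s is altered, which is the property that lets the contract check the combined response against the registered shares.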
3. The blockchain-based distributed node intrusion situation awareness method of claim 1, wherein the intrusion data sharing and co-processing method comprises
The intelligent contract provides a standardized and automatic way for managing intrusion detection data.
4. The method for sensing intrusion situations of distributed nodes based on blockchains as in claim 3, wherein the method for sharing and co-processing intrusion data specifically comprises the following steps:
an initialization stage:
when node 1 detects an intrusion-attempt alert, node 1 initiates an intrusion detection event; as required by the intelligent contract, node 1 is first authenticated and it is checked whether node 1 has enough resources to perform the block generation operation; if the identity authentication of node 1 fails, the node applies for a certificate in the blockchain network; if the node's resources are insufficient, the transaction is aborted and an alarm reporting the abnormal state of node 1 is broadcast to the other nodes so that the administrator attends to the node's state; only after node 1 has passed all checks is it initialized successfully;
Storing the consensus phase:
at this stage, node 1 provides the original alarm intrusion data according to the input parameters of the intelligent contract; in return, node 1 receives the reward offered by the intelligent contract; node 1 adds a digital signature to the original alarm intrusion data; the intelligent contract packages the digitally signed original alarm intrusion data, stores it in the IPFS system and returns a unique hash value as the file index; meanwhile, the intelligent contract also generates an intrusion data summary, including the suspicious source IP and the intrusion time, to facilitate quick retrieval later; the transaction-initiating node then records the file index of the original alarm intrusion data together with the intrusion data summary into block 1 and broadcasts it to the other nodes; the other nodes receive a reward when they reach consensus on the block; during consensus, the other nodes verify the identity of node 1 according to the identity authentication mechanism and accept block 1 if verification passes; once more than 50% of the nodes have accepted block 1, consensus is complete;
sharing collaboration phase:
after receiving the broadcast block 1, node 2, a neighbour of node 1, searches its own database for intrusion data on the attacker according to the information in the block header; the intelligent contract then uses the IPFS file update algorithm to append the attacker intrusion data provided by node 2 to the original file according to the file index; if node 2 has no intrusion data related to the attacker, it appends instead a descriptive record containing its own device information and 'no attacker detected'; meanwhile, node 2 digitally signs the new data; IPFS stores the new data, hashes it together with the original alarm intrusion data, and returns a new unique hash value as file index 2; node 2 writes the hash value of block 1, the intrusion data summary of block 1 and file index 2 into block 2 and broadcasts it to the other nodes; the other nodes reach consensus on block 2; during consensus, if a node encounters a longer chain it updates its local chain and no longer accepts the block currently under consensus; if some nodes do not respond to the broadcast for a long time, the other nodes do not wait for their response, so that communication and processing are not blocked; this process repeats until all nodes have provided a search result for the attacker intrusion data;
Attacker uplink stage:
at this stage, the smart contract monitors block n, generated by the last node to update the attacker intrusion data, and reads file index n from this block; the smart contract then downloads the file from the IPFS file system, which contains the attacker information provided by all nodes; the intelligent contract sorts the attack data in timestamp order, assembles an attack chain and generates the attacker's intrusion data set; the smart contract then stores the data set in the IPFS file system and obtains a new file index n+1; the intelligent contract deletes file n according to file index n to release the storage space; next, the intelligent contract issues file index n+1 to block 1; block 1 records the attacker intrusion data summary together with file index n+1 onto the block and registers it for release onto the blockchain.
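The storage consensus, sharing collaboration and attacker uplink stages of claim 4 in miniature, as an added example rather than the patent's code: a content-addressed dict stands in for IPFS, each node's finding is appended under a new file index, each block carries the previous block's hash, the summary and the current index, and the uplink step orders the attacker records by timestamp and frees file n. Node identities, timestamps and the documentation-range address 198.51.100.7 are constructed sample data; the digital signatures the claim places on each record are left out.

```python
import hashlib
import json

class ContentStore:
    """Constructed stand-in for the IPFS file system: content-addressed bytes."""
    def __init__(self):
        self.files = {}

    def add(self, data):
        idx = hashlib.sha256(data).hexdigest()  # the "unique hash value" used as file index
        self.files[idx] = data
        return idx

    def append(self, idx, extra):
        # IPFS file update of the claim: old content + new record hashed to a new index
        return self.add(self.files[idx] + extra)

def record(node, ts, detail):
    return (json.dumps({"node": node, "ts": ts, "detail": detail}) + "\n").encode()

def make_block(prev_hash, summary, file_index):
    block = {"prev": prev_hash, "summary": summary, "index": file_index}
    block["hash"] = hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()
    return block

def share(store, alert, summary, findings):
    """Storage consensus + sharing collaboration; findings are (node, ts, detail or None)."""
    idx = store.add(record(*alert))
    chain = [make_block("0" * 64, summary, idx)]          # block 1: file index 1 + summary
    for node, ts, detail in findings:
        if detail is None:                                 # descriptive record per the claim
            detail = "no attacker detected"
        idx = store.append(idx, record(node, ts, detail))  # file index 2, 3, ...
        chain.append(make_block(chain[-1]["hash"], summary, idx))
    return chain

def attacker_uplink(store, chain):
    """Read file index n, order attacker records by timestamp, store the set, free file n."""
    last_idx = chain[-1]["index"]
    rows = [json.loads(line) for line in store.files[last_idx].decode().splitlines()]
    attack_chain = sorted((r for r in rows if r["detail"] != "no attacker detected"),
                          key=lambda r: r["ts"])
    new_idx = store.add(json.dumps(attack_chain).encode())
    del store.files[last_idx]                              # release the storage space
    return attack_chain, new_idx

def verify_chain(chain):
    """Integrity check of claim 6 step 1-1: every block hash links to its predecessor."""
    prev = "0" * 64
    for b in chain:
        body = {k: v for k, v in b.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if b["prev"] != prev or b["hash"] != digest:
            return False
        prev = b["hash"]
    return True
```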
5. The blockchain-based distributed node intrusion situation awareness method of claim 1, wherein the intrusion situation awareness comprises the steps of:
data preprocessing and feature extraction, data analysis and evaluation and situation awareness prediction;
in the data preprocessing and feature extraction stage, performing dimension reduction and feature extraction on the data by adopting a principal component analysis method;
In the data analysis and evaluation stage, calculating a network security situation score by using a weighted comprehensive evaluation method, and mapping the score to different risk levels;
in the situation awareness prediction stage, modeling and predicting network security situation data by adopting an LSTM neural network model.
6. The method for intrusion situation awareness of a blockchain-based distributed node of claim 5, wherein the intrusion situation awareness specifically comprises the steps of:
stage 1, data preprocessing and feature extraction, comprises the following steps:
1-1) data integration
Acquiring file indexes from the blockchain: traversing the blockchain, finding the blocks containing attacker information, and extracting the file index information from those blocks; acquiring intrusion data from the IPFS file system according to the file index; collecting the latest threat information and network service state from external data sources, and collecting real-time condition data of the network and the equipment; integrating the real-time data with the intrusion data acquired from the IPFS file system to form a complete data set; checking the integrity and consistency of the intrusion data using the hash values of the blockchain, and updating the data set in real time whenever new intrusion data is generated;
1-2) data preprocessing
Abnormal values and noise are removed through data cleaning, and effective data information is reserved;
stage 2, data analysis and evaluation, comprises the following steps:
the network security situation is evaluated according to the data, a weighted comprehensive evaluation method is adopted, and a total security situation score is calculated by distributing weights for different indexes, and the method specifically comprises the following steps:
2-1) determining an evaluation index
Determining an index for evaluating the network security situation, and taking a principal component obtained by a principal component analysis method in the previous stage as the index;
2-2) weight assignment
Assigning a weight to each evaluation index; the weight reflects the relative importance of the index in the overall security situation;
2-3) calculating each score and evaluating network security posture results
Calculating a score for each evaluation index; for each evaluation index, multiplying the score of each evaluation index by the corresponding weight of each evaluation index, and then adding all products to calculate a total score; evaluating the network security situation according to the total score; mapping the total score to an evaluation interval level, and determining a risk level thereof;
2-4) dynamic adjustment
The network security situation is a dynamically changing process; new intrusion data is continuously collected, and network security situation assessment weights and results are updated in real time.
7. The blockchain-based distributed node intrusion situation awareness method of claim 1, wherein the method for intrusion situation awareness based on the LSTM is as follows:
1) Preprocessing network security situation data: after collecting network security situation data, processing abnormal data; normalizing the raw data to a (0, 1) range;
2) Data set processing: before prediction, converting the network security situation data set into a shape required by model input by using a time window strategy; dividing all network security situation data sets into a training set and a testing set according to the ratio of 4:1;
3) Model building and training: constructing an LSTM model, training data of a training set and a corresponding label input model, and optimizing LSTM neural network parameters by adopting a random gradient descent algorithm to obtain an optimal network security situation prediction model;
4) Situation prediction: and (3) after the data of the test set are processed in the step (1) and the step (2), inputting the data into the optimal network security situation prediction model trained in the step (3), and using a prediction result output by the model for evaluating the security state of the current network.
CN202310437731.1A 2023-04-21 2023-04-21 Distributed node intrusion situation sensing method based on block chain Active CN116405187B (en)
Publications (2)

Publication Number Publication Date
CN116405187A CN116405187A (en) 2023-07-07
CN116405187B true CN116405187B (en) 2024-04-09