+

CN114205816A - Information security architecture of power mobile Internet of things and use method thereof - Google Patents

Information security architecture of power mobile Internet of things and use method thereof Download PDF

Info

Publication number
CN114205816A
CN114205816A CN202111525756.4A CN202111525756A CN114205816A CN 114205816 A CN114205816 A CN 114205816A CN 202111525756 A CN202111525756 A CN 202111525756A CN 114205816 A CN114205816 A CN 114205816A
Authority
CN
China
Prior art keywords
data
network
layer
things
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111525756.4A
Other languages
Chinese (zh)
Other versions
CN114205816B (en
Inventor
曹靖怡
朱亚运
姜琳
王海翔
缪思薇
张晓娟
蔺子清
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Electric Power Research Institute Co Ltd CEPRI
Original Assignee
China Electric Power Research Institute Co Ltd CEPRI
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Electric Power Research Institute Co Ltd CEPRI filed Critical China Electric Power Research Institute Co Ltd CEPRI
Priority to CN202111525756.4A priority Critical patent/CN114205816B/en
Publication of CN114205816A publication Critical patent/CN114205816A/en
Application granted granted Critical
Publication of CN114205816B publication Critical patent/CN114205816B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6254Protecting personal data, e.g. for financial or medical purposes by anonymising data, e.g. decorrelating personal data from the owner's identification
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods
    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16YINFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y10/00Economic sectors
    • G16Y10/35Utilities, e.g. electricity, gas or water
    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16YINFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y30/00IoT infrastructure
    • G16Y30/10Security thereof
    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16YINFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y40/00IoT characterised by the purpose of the information processing
    • G16Y40/10Detection; Monitoring
    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16YINFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y40/00IoT characterised by the purpose of the information processing
    • G16Y40/20Analytics; Diagnosis
    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16YINFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y40/00IoT characterised by the purpose of the information processing
    • G16Y40/50Safety; Security of things, users, data or systems
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Biomedical Technology (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Medical Informatics (AREA)
  • Computer Hardware Design (AREA)
  • Artificial Intelligence (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Molecular Biology (AREA)
  • Mathematical Physics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Development Economics (AREA)
  • Economics (AREA)
  • General Business, Economics & Management (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses an electric mobile Internet of things information security architecture and a using method thereof, wherein the electric mobile Internet of things information security architecture comprises the following components: the sensing layer is designed based on a block chain and is used for sensing, collecting and identifying data; the network layer is designed based on dynamic security association and is used for data access and transmission; the platform layer is designed based on data desensitization and big data processing and is used for mining, calculating and storing data; and the application layer is designed based on the confrontation sample detection model and is used for data processing and data application. The information security architecture of the electric mobile Internet of things can improve the operation security of a power grid and avoid the safety threat of the electric mobile Internet of things.

Description

Information security architecture of power mobile Internet of things and use method thereof
Technical Field
The invention belongs to the technical field of information security of power Internet of things, and particularly relates to an information security architecture of a power mobile Internet of things and a using method thereof.
Background
In recent years, the demand of social electric power energy is increasing, and the rapid development of the electric power industry is promoted; the electric power internet of things is supported by a modern smart grid technology, and the deep fusion of smart grid information flow, electric power flow and service flow is realized by combining the modern advanced information, communication and perception technologies, so that important technical support is provided for the stable operation of the electric power industry. The wide application of the power internet of things promotes the real-time monitoring and sensing of the operation of the smart power grid, and provides important guarantee for the safety and stability of the operation of the power grid; in addition, the application coverage range of the power internet of things is wide, the complexity of a power system is improved to a great extent, and higher requirements are put forward on safety.
The structural layer of the electric power internet of things information security technology is mainly divided into a sensing layer for comprehensively sensing the electric power of the whole power grid, a network layer for transmitting data to various networks, a platform layer for storing various data of the power grid and an application layer for visualizing various data. In the electric power internet of things security architecture, the security performance of internet of things data has a very important influence in an application system, and the security of the data directly influences the accuracy and the security of data transmission of electric power equipment. The internet of things and the internet have different performances, and the internet of things has extremely strict requirements on the safety of data information. The internet of things is required to have higher network stability performance and reliability on network connection in terms of data information than the internet.
With the continuous development of socio-economy, power network systems have been increasingly used. In the application process of the power internet of things, a great deal of various types of data information can be generated, and the traditional safety architecture cannot meet the requirements of safe transmission and storage of mass data; specifically, the sensing layer of the traditional security architecture has a high probability of being attacked maliciously because sensing terminals of different types are mostly deployed on the same sensing node; the network layer of the traditional security architecture is mainly used for transmitting, processing and utilizing information, and the problem of security performance is easy to occur when a large number of mobile terminals are switched among different networks; the platform layer of the traditional safety architecture mainly guarantees the safety of information in the processes of calculation, storage and transmission, while the platform layer which does not adopt a proper safety strategy is difficult to ensure the privacy and the safety of the information in the power internet of things, and in addition, the efficiency of data storage is low; the application layer of the traditional security architecture is easy to be attacked maliciously by a large number of intelligent terminals as well as the perception layer.
Disclosure of Invention
The invention aims to provide an information security architecture of an electric mobile internet of things and a using method thereof, so as to solve one or more technical problems. The information security architecture of the electric mobile Internet of things can improve the operation security of a power grid and avoid the safety threat of the electric mobile Internet of things.
In order to achieve the purpose, the invention adopts the following technical scheme:
the invention provides an information security architecture of an electric mobile Internet of things, which comprises the following components:
the sensing layer is designed based on a block chain and is used for sensing, collecting and identifying data;
the network layer is designed based on dynamic security association and is used for data access and transmission;
the platform layer is designed based on data desensitization and big data processing and is used for mining, calculating and storing data;
and the application layer is designed based on the confrontation sample detection model and is used for data processing and data application.
In a further improvement of the present invention, the sensing layer based on the block chain design comprises:
the sensor equipment is used for sensing and acquiring data;
the system comprises a consensus node, a feedback mechanism and a feedback mechanism, wherein the consensus node is a network structure with a plurality of node branches; the consensus node is used for carrying out multiple times of security verification on data transmitted by the sensor equipment and carrying out consistency verification on the data according to a preset formula or an evaluation mechanism; the return mechanism is used for returning data which passes security verification and consistency check;
the verification node is used for verifying information between the inside and the outside of the sensor equipment;
and the storage node is a node network capable of storing information and is used for connecting the sensor equipment with the data center.
In a further improvement of the present invention, the sensing layer based on the blockchain design further comprises:
a synchronization node, which is a display mechanism processed by the information security system, for displaying the security of the information.
The invention is further improved in that the network layer based on the dynamic security association design adopts a security association authentication architecture based on the sharing dynamics;
the security association authentication architecture based on the sharing dynamic state comprises distributed heterogeneous wireless networks, and each heterogeneous wireless network is provided with an authentication server for authenticating the mobile terminal.
A further improvement of the present invention is that the step of authenticating the mobile terminal specifically comprises:
the authentication server in the network where the subscription service of the mobile terminal is located is the home authentication server of the mobile terminal; when the mobile terminal roams to an external network, an authentication server of a network where the mobile terminal is located is a local authentication server; in a heterogeneous wireless network, each access router shares the same static security association with an authentication server in the network, and all local authentication servers are connected with each other through dynamic security associations;
when the mobile terminal is positioned in a home network, establishing static security association with a local authentication server; when the mobile terminal roams to an external network, the mobile terminal establishes dynamic security association with the local authentication server.
A further development of the invention is that the validity period T of the dynamic security associationSAExpressed as:
TSA=Tau+TS+Tth
in the formula, TauFor required authentication time, TSFor service time, TthIs a time threshold for dynamic security associations.
In a further improvement of the present invention, in the platform layer designed based on data desensitization and big data processing,
a data desensitization method is adopted to realize platform layer privacy protection;
converting the structured data storage into semi-structured or unstructured data storage, and compressing all existing data information; alternatively, the information is converted into a preset structure through a big data calculation mode.
A further refinement of the invention is that the data desensitization method is one or more of data aggregation, data sampling and data sampling.
In the application layer designed based on the confrontation sample detection model,
the confrontation-based sample detection model is constructed by using an artificial intelligence algorithm, and the algorithm is a method based on neural network training or threshold value;
in the countermeasure sample-based detection model, countermeasure samples are added into a training set; decreasing the magnitude of the network gradient using a defensive distillation method; the input is randomly adjusted.
The invention provides a use method of an information security architecture of an electric mobile Internet of things, which comprises the following steps:
the sensing layer captures data related to flow state or environmental condition, and verifies and identifies the transmitted data based on a block chain technology to ensure the safety and consistency of the data;
the network layer acquires data from the sensing layer and realizes the transmission and switching of the data in different networks based on dynamic security association;
the platform layer acquires data from the network layer, and mining, calculating and storing of the data are realized based on data desensitization and big data processing;
the application layer obtains data from the platform layer, unified safety detection is carried out on the data based on the countermeasure sample detection model, and the data passing through the safety detection are used for various preset intelligent terminals.
Compared with the prior art, the invention has the following beneficial effects:
the existing information security architecture of the power internet of things cannot process complex data and simultaneously ensure the overall security, so that the information security evaluation parameters are low; in order to enhance the information security of the electric power Internet of things, the invention discloses an electric power mobile Internet of things information security architecture, which is provided with a sensing layer based on a block chain technology, a network layer based on a dynamic security association technology, a platform layer based on a big data technology and an application layer based on a countermeasure sample detection model, so that the whole electric power Internet of things architecture has the advantages of high security performance and high data processing efficiency, the information security of an electric power Internet of things terminal can be ensured, the electric power Internet of things is prevented from being threatened by security, the operation security of a power grid is improved, and the economic benefit of an electric power enterprise is maintained.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art are briefly introduced below; it is obvious that the drawings in the following description are some embodiments of the invention, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.
Fig. 1 is a schematic diagram of an information security architecture of an electric mobile internet of things according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a sensing layer node according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a network information storage flow according to an embodiment of the present invention;
FIG. 4 is a schematic flow chart of the construction of the confrontation sample detection model according to the embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The invention is described in further detail below with reference to the accompanying drawings:
the electric power internet of things terminals are various in types and can be divided into a distribution transformer terminal, an FTU/DTU, a primary and secondary fusion terminal of a power distribution system, a meter metering terminal of an electric power system and a post-user-metering intelligent home terminal according to service scenes; according to asset attribution and attack damage consequences, the method can be mainly divided into a power distribution and utilization terminal belonging to power grid assets and a user intelligent home terminal belonging to user assets. The consequences of the attack damage of the internet of things terminal are obviously different, wherein the attack damage to the power distribution and utilization terminal affects the power supply of a direct-associated user on the light side and invades a production control area on the heavy side to cause power failure of a large number of users, and the attack damage to the intelligent home terminal mainly relates to the leakage of user privacy information.
An important characteristic of the power internet of things is the ubiquitous power communication network, a large number of public network protocols are deployed in the power communication network, the power grid supervision level is improved, and meanwhile, an applicable platform is provided for most internet attack means. And the identity authentication risk faced by the power Internet of things is analyzed by combining the power Internet of things architecture. Along with the evolution of the open interconnection of the power internet of things, the power internet of things has massive network connection, especially under the environment of mobile, ubiquitous, hybrid and wide area interconnection, a large amount of internal and external network data acquisition, control and management equipment such as a sensing device, a mobile terminal, video monitoring, an intelligent electric meter, a charging pile and an office computer are deployed in the power internet of things, so that the identity recognition is realized, the accurate positioning of a service system on massive power equipment is realized, and the problem that the false identity recognition and the malicious counterfeit access must be faced is solved.
The block chain mainly comprises a point-to-point networking part, an account book structure and a consensus mechanism. The distributed general ledger is disclosed in the whole network, a decentralized mode is adopted for management, user nodes in the whole network are agreed through a consensus mechanism, the network is controlled by all users together, and only when most users agree to make a certain change, the change can be effective. Each node locally stores a copy of the distributed general ledger, records all legal and commonly recognized transactions in the point-to-point network, and any node can find the transaction information of a certain user through the local ledger.
The electric power internet of things terminal is located at the bottommost layer of a cloud pipe side end system, is a key node for connecting a physical world and a digital world, realizes state perception in various heterogeneous network environments by adopting various types of sensing equipment, is complex in safety condition, and faces the challenge of access safety. With the development of the smart power grid, the power grid faces the problem of processing mass data, and the block chain and the mass data have great potential value in the smart power grid. In the electric power internet of things information security architecture disclosed by the embodiment of the invention, the concepts of a block chain, big data and artificial intelligence are fused, and the whole architecture is built in a computer device in a stage division manner, so that the information acquisition effect of a data center can be enhanced, and the data calculation and processing capability of the internet of things device is stably improved.
The architecture provided by the embodiment of the invention can be applied to the business requirements in the fields of public security, police service application and police service informatization, and a police Internet of things system can be constructed based on the proposed system architecture.
Referring to fig. 1, an information security architecture of an electric mobile internet of things according to an embodiment of the present invention includes:
a sensing layer comprising: the device comprises a data acquisition module, an edge calculation module and a sensing equipment module; the sensing layer is used for sensing, collecting, identifying and the like of data;
a network layer, comprising: wired transmission and wireless transmission; the network layer is used for data access, transmission and the like;
a platform layer comprising: data mining, data storage and data calculation; the platform layer is used for starting and stopping the data, and comprises data mining, data storage and the like;
an application layer comprising: various intelligent terminals; the application layer is used for data processing and data application.
(1) In the embodiment of the invention, the sensing layer design based on the block chain technology comprises the following steps:
the information security design of the sensing layer is mainly used for preventing the sensor device from being attacked maliciously, and in general, a node device connected with each other may be designed to connect the sensor device with the data center, as shown in fig. 2.
In the device shown in fig. 2, the consensus node is a network structure with a plurality of node branches, and the data security is ensured by repeatedly verifying the data transmitted in the sensor device. Meanwhile, the consensus node can also perform consistency check on the data conducted through the transmission node according to a certain formula or an evaluation mechanism, and a return mechanism is needed at the tail of the consensus node to return the data passing through the consensus node to the original sample. The main function of the verification node is to verify information between the inside and the outside of the sensor, so that an information processing device in the sensor can correctly process the relationship between hardware and software, and data generated by combining the hardware and the software is transmitted to the node.
When the access control policy is uploaded in clear text, it may reveal some sensitive information about the data user. If the mapping function from the attributes to the access control matrix can be removed, the entire attribute will be hidden in the anonymous access control structure, and the mapping function is reconstructed when the data user decrypts the data.
The storage node is a node network capable of temporarily storing information, and in general, the storage mode can temporarily connect the data center and the sensor equipment and establish a communication bridge between the data center and the sensor equipment. The last synchronization node is a display mechanism processed by the information security system, if the security of the information is displayed in the synchronization node, the information can be completely transmitted to the data center, otherwise, the hidden danger of the information is indicated, and the information needs to be verified repeatedly or deleted directly.
(2) In the embodiment of the invention, the network layer design based on the dynamic security association technology comprises the following steps:
the design starting point of the network layer is the safe access of the terminal under the heterogeneous network, and a dynamic safety association technology is introduced to improve a mobile authentication architecture.
When a mobile terminal is switched in a traditional Authentication architecture based on static security association, an external Network Agent FA (FA, Foreign Agent) sends out consultation information, the mobile terminal adds a Network Access Identifier (NAI, Network Access Identifier) and a challenge response and other messages into a mobile IP request, the external Network Agent starts an Authentication and authorization protocol through an external Network Authentication Center (FAC) to generate a VAC mobile registration request message, wherein the VAC mobile registration request message contains a registration request message of the mobile terminal, the FAC analyzes the NAI, finds a Home Authentication Center (HAC) address of the mobile terminal, starts an AAA protocol and waits for the approval of the HAC. The HAC verifies the certificate information of the mobile terminal and if the verification is successful, the mobile terminal is assigned a home address. Essentially, the problem of Security Association (SA) still exists between two different static networks. In the embodiment of the invention, an authentication architecture based on sharing dynamic security association rather than static security association is adopted. The architecture mainly comprises a distributed heterogeneous wireless network, wherein each network is provided with an authentication server so as to authenticate the mobile terminal. A mobile terminal subscribes to a service in a network, where an Authentication Server is a Home Authentication Server (HAS) of the mobile terminal, and when the mobile terminal roams to an external network, the Authentication Server of the network where the mobile terminal is located is called a Local Authentication Server (LAS).
In a wireless network, each Access Router (AR) shares the same static security association with an authentication server in the network. When the mobile terminal is positioned in a home network, establishing static security association with the HAS; but when the mobile terminal roams to an external network, a dynamic security association is established with the LAS and all LAS are also connected to each other through the dynamic association.
Alternatively, the mobile terminals in the heterogeneous network may show different mobility states, which are summarized as high mobility and low mobility. Since a low Mobility Terminal (MTLM) may cover a smaller area than a high mobility node (MTLM) for a certain period of time, it may generate less inter-domain handover authentication than a high mobility terminal, and generate more intra-domain handover authentication than a high mobility node. The high mobility node always frequently accesses a new external network, establishes a new security association for inter-domain handover authentication, and the low mobility terminal can dynamically reuse the established SA during intra-domain authentication.
The validity period of the SA may be expressed as:
TSA=Tau+TS+Tth (1)
in the formula, TauFor required authentication time, TSFor service time, TthIs the time threshold for dynamic SA.
The T of the low-mobility terminal is enabled to be higher by setting a higher time threshold value for the low-mobility terminal and setting a lower time threshold value for the high-mobility nodeSAT of longer, high mobility nodeSAShorter.
The variable time threshold is set for the validity period of the security association, so that the authentication delay is reduced at the low-mobility node, and the bandwidth efficiency is improved, and for the high-mobility node, the average value and the privacy exposure possibility of the security association are reduced under the condition of maintaining certain authentication delay and bandwidth efficiency, and the security performance of the mobile terminal in switching among different networks is effectively improved.
(3) In the embodiment of the invention, a platform layer design based on a big data technology comprises the following steps:
1) privacy protection: the safety of the platform layer mainly guarantees the safety of information in the processes of calculation, storage and transmission, and the platform layer must adopt a proper safety strategy to guarantee the privacy and the safety of the information in the ubiquitous power internet of things, so that the safety requirement of platform layer privacy protection is met by adopting a data desensitization technology.
Data desensitization generally involves several methods:
and (3) data aggregation: data aggregation, which is a collection of statistical techniques (e.g., sum, count, average, maximum and minimum), when applied to attributes in micro data, produces results that are representative of all records in the original data set.
Illustratively, the use of data aggregation should note several aspects:
a) data aggregation may reduce the usefulness of the data; since statistical values are obtained, the characteristics of the individual data records cannot be reflected.
b) Data aggregation is very effective against heavy identification attacks; the output of the data aggregation is a "statistical value" that facilitates overall reporting or analysis of the data without revealing any individual records.
Data sampling: data sampling is an important method for improving the effectiveness of data desensitization techniques by selecting a representative subset of the data set to analyze and evaluate the original data set.
Illustratively, the selection and use of data sampling techniques should be addressed in several ways:
a) there are many methods for extracting samples from a data set, and the methods are very different and need to be selected according to the characteristics of the data set and the expected use scenario.
b) Data sampling is often used for pre-processing of data desensitization, and random sampling of a data set can increase the uncertainty in identifying a particular personal information data subject, thereby improving the effectiveness of other data desensitization techniques for subsequent applications.
c) Data sampling can simplify the amount of computation on a data set, so when performing data desensitization on a data set of large samples, sampling is performed first, and then data desensitization is performed by using a specific technology, and it is necessary to pay attention to that the samples should not lose important data.
Deterministic encryption: deterministic encryption is a non-random symmetric encryption; deterministic encryption replaces the identifier value in the micro data with the encryption result when applied during data desensitization.
Illustratively, the selection and use of deterministic encryption techniques should be addressed to the following:
a) deterministic encryption can ensure that data is truly usable, i.e., two identical data encrypted with the same key will produce two identical ciphertexts.
b) Deterministic encryption can guarantee the usefulness of data in the aspects of statistical processing, privacy and anti-mining to some extent, and can also generate micro-data for precise matching search, data association and analysis. The analysis of the deterministic encryption result is limited to checking whether the data values are equal.
c) The re-identification attack on the deterministic encryption mainly lies in the attack without the key use right; the correlation attack may be applied to ciphertext that is deterministically encrypted using the same key, and the success of the attack depends largely on the choice of encryption algorithm parameters.
2) Data storage
In the platform layer, in order to strengthen information security, a structured data storage needs to be converted into a semi-structured or unstructured data storage in some special ways, and all existing data information is compressed and processed, or the information is converted into a structure which is easier to process through a large data calculation mode. The data generally has the characteristics of high value, high density and high storage efficiency, and is more suitable for an internet of things system with smaller memory amount compared with the conventional data. In combination with specific information of the power mobile internet of things, the structure system of big data can be referred to.
As shown in fig. 3, the whole system can be roughly divided into four parts, which are respectively the initialization stage of the database, and in this stage, the system flow stores all the existing data information in the database, so as to prevent the data loss. The second part is an adding and storing part of data, and in the stage, a computer can add a part of data information to the power internet of things information security terminal, which is also a core part of the whole data storage model. Here, it is necessary to first calculate whether the data is larger than the capacity of the database, if the data can be stored, the third part may be entered, and if the memory is insufficient, the stage of initializing the database needs to be returned. If the database is abnormal, the database initialization stage needs to be returned, and if the database is not abnormal, the data indexing step of the fourth stage can be entered. The data indexing is mainly to really add data information into the information security terminal of the power internet of things, place the data information at a due position, update a directory file of a database and give an address of newly added data. After all the above algorithms are implemented, the storage of the network data can be primarily completed.
(4) In the embodiment of the invention, the application layer design based on the confrontation sample detection model comprises the following steps:
in an application layer, the power internet of things faces massive data generated by various intelligent applications, and the importance of the safety performance of the power internet of things is self-evident. Therefore, in the design of the application layer, a confrontation sample detection model is constructed by using artificial intelligent algorithms such as machine learning and deep learning. Algorithms for detecting models are numerous and can be broadly classified into neural network training-based and threshold-based methods. The process of constructing the model based on training is that a normal sample and a malicious sample are collected firstly, and after feature extraction, the model is obtained through a certain training process. And constructing a model based on the threshold value by calculating a parameter model of the data, and performing hypothesis test according to the parameter model to determine the optimal threshold value. Finally, a plurality of constructed models are selected according to the requirements of the application scenario, and the specific flow is shown in fig. 4.
The evaluation and selection of the detection model can be considered from three directions: algorithm performance, detection capability, and complexity of the input data. The algorithm performance analysis comprises the space-time complexity of the detection algorithm and the robustness of the algorithm. The defense technology for improving the robustness of the model is established on the model which has good performance under antagonism and normal input, so that the model is less sensitive to irrelevant changes of input, the model is effectively regularized to reduce attack surfaces, and the response to non-manifold disturbance is limited. Illustratively, the following 3 types of defense methods against attacks can be introduced to enhance the robustness of the model: (1) data expansion: the countermeasure sample is added into the training set for retraining, so that the robustness of the model is improved; (2) the regularization method comprises the following steps: the size of the network gradient is reduced by using a defensive distillation method, and the discovery capability of a small-amplitude disturbance countermeasure sample is improved; (3) data randomization: a method for eliminating the disturbance by randomly adjusting the input.
The detection capability of the model can be analyzed from the false alarm rate, the false negative rate and the universality of the algorithm. The complexity of input data, i.e., the dimension, accuracy and data size of the feature data required in the process of training the model, affects the efficiency of generation and use of the model.
The use method of the information security architecture of the electric mobile Internet of things comprises the following steps:
step 1, capturing data related to a process state or an environmental condition by a sensor of a sensing layer, and repeatedly verifying the data transmitted in a sensor device of a consensus node of a network structure with a plurality of node branches to ensure the safety of the data;
step 2, data received from the sensors appear in an analog form, are collected and converted into a digital form, and transmission and switching of the data in different networks are realized through a shared dynamic security association authentication architecture;
and 3, the data enters the platform layer from the network layer, and the processes of data mining, calculation, storage and the like are completed on the platform layer supported by the data desensitization technology.
And 4, enabling the data to enter an application layer, carrying out uniform safety detection on the data by an antagonistic sample detection model of the application layer, filtering malicious data, and finally applying the malicious data to the intelligent terminal.
In summary, the embodiment of the invention specifically discloses an information security architecture of an electric mobile internet of things and a use method thereof. Specifically, in order to enhance the information security of the power internet of things, the embodiment of the invention provides a whole set of information security overall architecture of the power internet of things; the sensing layer is designed based on the block chain technology, and a consensus node, a verification node, a storage node and a synchronization node are added between the sensor and the data center, so that the sensor is prevented from being attacked easily and the information security of the sensing layer is enhanced; a network layer is designed based on a dynamic security association technology, and a variable time threshold is set for the validity period of security association, so that the authentication delay is reduced at a low-mobility node, the bandwidth efficiency is improved, the average value and the privacy exposure possibility of the security association are reduced, and the security performance of switching of a mobile terminal between different networks is effectively improved; a platform layer is designed based on a privacy protection technology and a big data technology, sensitive data in mass data are processed by using a data desensitization technology, and the abnormal rate of the data storage process is reduced, so that the data storage system has high data security and high data storage efficiency; an application layer is designed based on a constructed countermeasure sample detection model, and the countermeasure sample detection model is constructed by carrying out feature extraction on data, so that the malicious sample recognition rate of the application layer terminal is improved, and the information safety of the power internet of things terminal is enhanced. In summary, the electric power internet of things information security architecture disclosed by the embodiment of the invention is designed in a detailed layered manner, and the sensing layer, the network layer, the platform layer and the application layer are designed and improved in detail by using technologies such as a block chain, big data, dynamic security association, privacy protection and an antagonistic sample detection model, so that the whole electric power internet of things architecture has the advantages of high security performance and high data processing efficiency.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.

Claims (10)

1. An electric mobile internet of things information security architecture, comprising:
the sensing layer is designed based on a block chain and is used for sensing, collecting and identifying data;
the network layer is designed based on dynamic security association and is used for data access and transmission;
the platform layer is designed based on data desensitization and big data processing and is used for mining, calculating and storing data;
and the application layer is designed based on the confrontation sample detection model and is used for data processing and data application.
2. The information security architecture of claim 1, wherein the sensing layer based on the blockchain design comprises:
the sensor equipment is used for sensing and acquiring data;
the system comprises a consensus node, a feedback mechanism and a feedback mechanism, wherein the consensus node is a network structure with a plurality of node branches; the consensus node is used for carrying out multiple times of security verification on data transmitted by the sensor equipment and carrying out consistency verification on the data according to a preset formula or an evaluation mechanism; the return mechanism is used for returning data which passes security verification and consistency check;
the verification node is used for verifying information between the inside and the outside of the sensor equipment;
and the storage node is a node network capable of storing information and is used for connecting the sensor equipment with the data center.
3. The information security architecture of claim 2, wherein the perception layer based on the blockchain design further comprises:
a synchronization node, which is a display mechanism processed by the information security system, for displaying the security of the information.
4. The architecture of claim 1, wherein the network layer based on dynamic security association design employs a security association authentication architecture based on shared dynamics;
the security association authentication architecture based on the sharing dynamic state comprises distributed heterogeneous wireless networks, and each heterogeneous wireless network is provided with an authentication server for authenticating the mobile terminal.
5. The information security architecture of claim 4, wherein the step of authenticating the mobile terminal specifically comprises:
the authentication server in the network where the subscription service of the mobile terminal is located is the home authentication server of the mobile terminal; when the mobile terminal roams to an external network, an authentication server of a network where the mobile terminal is located is a local authentication server; in a heterogeneous wireless network, each access router shares the same static security association with an authentication server in the network, and all local authentication servers are connected with each other through dynamic security associations;
when the mobile terminal is positioned in a home network, establishing static security association with a local authentication server; when the mobile terminal roams to an external network, the mobile terminal establishes dynamic security association with the local authentication server.
6. The power mobile internet of things information security architecture of claim 5, wherein the validity period T of the dynamic security association isSAExpressed as:
TSA=Tau+TS+Tth
in the formula, TauFor required authentication time, TSFor service time, TthIs a time threshold for dynamic security associations.
7. The information security architecture of the power mobile Internet of things (EMN) according to claim 1, wherein in the platform layer designed based on data desensitization and big data processing,
a data desensitization method is adopted to realize platform layer privacy protection;
converting the structured data storage into semi-structured or unstructured data storage, and compressing all existing data information; alternatively, the information is converted into a preset structure through a big data calculation mode.
8. The information security architecture of claim 7, wherein the data desensitization method is one or more of data aggregation, data sampling, and data sampling.
9. The power mobile Internet of things information security architecture of claim 1, wherein in the application layer designed based on the countermeasure sample detection model,
the confrontation-based sample detection model is constructed by using an artificial intelligence algorithm, and the algorithm is a method based on neural network training or threshold value;
in the countermeasure sample-based detection model, countermeasure samples are added into a training set; decreasing the magnitude of the network gradient using a defensive distillation method; the input is randomly adjusted.
10. A use method of the information security architecture of the electric mobile internet of things as claimed in claim 1, characterized by comprising the following steps:
the sensing layer captures data related to flow state or environmental condition, and verifies and identifies the transmitted data based on a block chain technology to ensure the safety and consistency of the data;
the network layer acquires data from the sensing layer and realizes the transmission and switching of the data in different networks based on dynamic security association;
the platform layer acquires data from the network layer, and mining, calculating and storing of the data are realized based on data desensitization and big data processing;
the application layer obtains data from the platform layer, unified safety detection is carried out on the data based on the countermeasure sample detection model, and the data passing through the safety detection are used for various preset intelligent terminals.
CN202111525756.4A 2021-12-14 2021-12-14 A power mobile Internet of things information security architecture and its application method Active CN114205816B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111525756.4A CN114205816B (en) 2021-12-14 2021-12-14 A power mobile Internet of things information security architecture and its application method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111525756.4A CN114205816B (en) 2021-12-14 2021-12-14 A power mobile Internet of things information security architecture and its application method

Publications (2)

Publication Number Publication Date
CN114205816A true CN114205816A (en) 2022-03-18
CN114205816B CN114205816B (en) 2023-08-08

Family

ID=80653484

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111525756.4A Active CN114205816B (en) 2021-12-14 2021-12-14 A power mobile Internet of things information security architecture and its application method

Country Status (1)

Country Link
CN (1) CN114205816B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115002161A (en) * 2022-06-09 2022-09-02 北银金融科技有限责任公司 Thing networking finance integrated management system based on block chain
CN115238282A (en) * 2022-06-17 2022-10-25 中国人民解放军战略支援部队信息工程大学 Distributed network architecture and method for ABAC attribute mining based on edge computing under the architecture
CN115361273A (en) * 2022-08-23 2022-11-18 国网江苏省电力有限公司 Blockchain-based power operation and maintenance safety supervision and emergency management and control system and method

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105871882A (en) * 2016-05-10 2016-08-17 国家电网公司 Network Security Risk Analysis Method Based on Network Node Vulnerability and Attack Information
US20190379699A1 (en) * 2018-06-07 2019-12-12 Unifyvault LLC Systems and methods for blockchain security data intelligence
CN111404914A (en) * 2020-03-11 2020-07-10 南京邮电大学 Ubiquitous power Internet of things terminal safety protection method under specific attack scene
CN113132318A (en) * 2019-12-31 2021-07-16 中国电力科学研究院有限公司 Active defense method and system for information safety of power distribution automation system master station
CN113392429A (en) * 2021-05-26 2021-09-14 江苏省电力试验研究院有限公司 Block chain-based power distribution Internet of things data safety protection method and device
CN113542339A (en) * 2020-12-23 2021-10-22 南方电网数字电网研究院有限公司 Electric power Internet of things safety protection design method

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105871882A (en) * 2016-05-10 2016-08-17 国家电网公司 Network Security Risk Analysis Method Based on Network Node Vulnerability and Attack Information
US20190379699A1 (en) * 2018-06-07 2019-12-12 Unifyvault LLC Systems and methods for blockchain security data intelligence
CN113132318A (en) * 2019-12-31 2021-07-16 中国电力科学研究院有限公司 Active defense method and system for information safety of power distribution automation system master station
CN111404914A (en) * 2020-03-11 2020-07-10 南京邮电大学 Ubiquitous power Internet of things terminal safety protection method under specific attack scene
CN113542339A (en) * 2020-12-23 2021-10-22 南方电网数字电网研究院有限公司 Electric power Internet of things safety protection design method
CN113392429A (en) * 2021-05-26 2021-09-14 江苏省电力试验研究院有限公司 Block chain-based power distribution Internet of things data safety protection method and device

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115002161A (en) * 2022-06-09 2022-09-02 北银金融科技有限责任公司 Thing networking finance integrated management system based on block chain
CN115238282A (en) * 2022-06-17 2022-10-25 中国人民解放军战略支援部队信息工程大学 Distributed network architecture and method for ABAC attribute mining based on edge computing under the architecture
CN115361273A (en) * 2022-08-23 2022-11-18 国网江苏省电力有限公司 Blockchain-based power operation and maintenance safety supervision and emergency management and control system and method
CN115361273B (en) * 2022-08-23 2024-07-19 国网江苏省电力有限公司 Power operation and maintenance safety supervision and emergency management and control system and method based on block chain

Also Published As

Publication number Publication date
CN114205816B (en) 2023-08-08

Similar Documents

Publication Publication Date Title
Kumar et al. A Distributed framework for detecting DDoS attacks in smart contract‐based Blockchain‐IoT Systems by leveraging Fog computing
Gowda et al. Technologies for comprehensive information security in the IoT
Yi et al. Web phishing detection using a deep learning framework
CN110008720B (en) Method and device for traceability of Internet of things dynamic data based on alliance chain
Kumar et al. DBTP2SF: a deep blockchain‐based trustworthy privacy‐preserving secured framework in industrial internet of things systems
US20200412767A1 (en) Hybrid system for the protection and secure data transportation of convergent operational technology and informational technology networks
CN116405187B (en) Distributed node intrusion situation sensing method based on block chain
Li et al. Trust model to enhance security and interoperability of cloud environment
Rizvi et al. Application of artificial intelligence to network forensics: Survey, challenges and future directions
CN114205816B (en) A power mobile Internet of things information security architecture and its application method
Yang et al. VoteTrust: Leveraging friend invitation graph to defend against social network sybils
Alghayadh et al. A hybrid intrusion detection system for smart home security
Sun et al. Network security technology of intelligent information terminal based on mobile internet of things
US11875188B2 (en) Data processing system using directed acyclic graph and method of use thereof
Fang et al. Zero‐Trust‐Based Protection Scheme for Users in Internet of Vehicles
Lin et al. Dynamic network security situation prediction based on bayesian attack graph and big data
Xiong et al. A distributed security SDN cluster architecture for smart grid based on blockchain technology
CN115001790B (en) Device fingerprint-based secondary authentication method and device and electronic device
Ding et al. Divide, conquer, and coalesce: Meta parallel graph neural network for iot intrusion detection at scale
Moghariya et al. Blockchain-enabled IoT (B-IoT): overview, security, scalability & challenges
Huang A Data‐Driven WSN Security Threat Analysis Model Based on Cognitive Computing
Chen et al. A blockchain-based security model for iot systems
CN119357933A (en) An industrial big data platform system for smart supervision
Chen et al. Dynamic threshold strategy optimization for security protection in Internet of Things: An adversarial deep learning‐based game‐theoretical approach
Bouzeraib et al. A blockchain data balance using a generative adversarial network approach: Application to smart house IDS

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CB03 Change of inventor or designer information
CB03 Change of inventor or designer information

Inventor after: Cao Jingyi

Inventor after: Zhu Yayun

Inventor after: Jiang Lin

Inventor after: Wang Haixiang

Inventor after: Miao Siwei

Inventor after: Zhang Xiaojuan

Inventor after: Lin Ziqing

Inventor before: Cao Jingyi

Inventor before: Zhu Yayun

Inventor before: Jiang Lin

Inventor before: Wang Haixiang

Inventor before: Miao Siwei

Inventor before: Zhang Xiaojuan

Inventor before: Lin Ziqing

点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载