CN115442155A - Data encryption method and system for SD-WAN - Google Patents

Info

Publication number: CN115442155A
Application number: CN202211326681.1A
Authority: CN (China)
Legal status: Granted (status as listed by Google Patents)
Other versions: CN115442155B (en)
Other languages: Chinese (zh)
Prior art keywords: data, accessed, data point, dimensional, initial
Inventors: 姚乔翰, 潘洛沙, 毛圣林, 叶惠超, 刘超, 欧旭轩
Original and current assignee: Shenzhen Guanglian Century Information Technology Co ltd
Priority application: CN202211326681.1A; publications CN115442155A and CN115442155B (granted)

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Abstract

The invention relates to a data encryption method and system for an SD-WAN (software-defined wide area network), belonging to the technical field of digital information transmission, and comprising the following steps: collecting a plurality of pieces of accessed traffic data in a preset time period; calculating the sensitivity of each piece of accessed traffic data; converting each piece of accessed traffic data into a three-dimensional data point in a three-dimensional coordinate system and randomly selecting one three-dimensional data point as the initial data point; calculating the local offset of the initial data point within the initial neighborhood value; dividing the three-dimensional data points into a plurality of layers according to the local offset, and applying a data offset to each three-dimensional data point in each layer to obtain the encrypted data. The invention ensures that the encrypted data does not present periodic data characteristics within a range, and adjusts and changes data with similar sensitivity characteristics within a certain range, thereby greatly increasing the concealment of the data.

Description

Data encryption method and system for SD-WAN
Technical Field
The invention belongs to the technical field of digital information transmission, and particularly relates to a data encryption method and system for an SD-WAN.
Background
Compared with the traditional WAN architecture, the SD-WAN architecture avoids the need to backhaul all traffic data from a branch office to the headquarters data center, and thus avoids the loss of user productivity caused by the traditional architecture. However, in the SD-WAN architecture the accessed traffic data contains a great deal of private information, and encrypting the data during network transmission is the basis for ensuring safe interaction between the two communicating parties; to ensure the safety of the transmitted network traffic data, the data must therefore be encrypted before it is transmitted. In the data encryption methods of the prior art, data is generally encrypted in segments in time-sequence order before transmission, that is, the data is encrypted according to the data sizes within a certain adjacent range to ensure its concealment; such an encryption method, however, presents periodic data characteristics within a certain range, is easy to crack by brute force, and has poor concealment.
Disclosure of Invention
The invention provides a data encryption method and system for an SD-WAN (software-defined wide area network), which ensure that the encrypted data does not present periodic data characteristics within a range and that data with similar sensitivity characteristics within a certain range is adjusted and changed, so that the concealment of the data is greatly improved.
The data encryption method for the SD-WAN adopts the following technical scheme:
S1, collecting a plurality of pieces of accessed traffic data in a preset time period; the traffic data of each access comprises the read data volume, the read time and the number of accesses in the preset time period by the user IP corresponding to that access;
S2, calculating the sensitivity of each piece of accessed traffic data from the traffic data accessed in the preset time period and the historical data of the user IP corresponding to that piece of accessed traffic data;
S3, converting each piece of accessed traffic data into a three-dimensional data point in a three-dimensional coordinate system, and randomly selecting one three-dimensional data point as the initial data point;
S4, setting an initial neighborhood value and, taking the initial data point as the center, acquiring all target data points within the initial neighborhood value in the three-dimensional coordinate system, where the target data points comprise the initial data point and all data points within its initial neighborhood;
S5, calculating the local sensitivity density of each target data point within the initial neighborhood value from the sensitivity of that target data point and of the other data points within the initial neighborhood value; and calculating the local offset of the initial data point within the initial neighborhood value from the local sensitivity densities of all target data points within the initial neighborhood value;
S6, when the local offset of the initial data point within the initial neighborhood value is larger than a preset offset threshold, increasing the initial neighborhood value by a preset step length to obtain an increased neighborhood value, and repeating steps S4 to S5 to obtain the local offset of the initial data point within the increased neighborhood value; iterating in this way until the local offset of the initial data point is less than or equal to the preset local offset threshold, then stopping the iteration; and taking the neighborhood value at which the iteration stopped as the final distance neighborhood;
S7, taking all three-dimensional data points within the final distance neighborhood of the initial data point as the first layer;
S8, reselecting a three-dimensional data point outside the first layer as a new initial data point, and repeating steps S4 to S7 until all three-dimensional data points have been layered;
S9, applying a data offset to each three-dimensional data point in each layer to obtain the encrypted data of each three-dimensional data point in each layer.
Further, the step of calculating the sensitivity of each piece of accessed traffic data from the traffic data accessed in the preset time period and the historical data of the user IP corresponding to that piece includes:
acquiring a first difference between the read data volume of each piece of accessed traffic data and the historical average read data volume of all accessed traffic data of the corresponding user IP;
acquiring a second difference between the read time of each piece of accessed traffic data and the historical average read time of all accessed traffic data of the corresponding user IP;
acquiring a first ratio of the number of accesses in the preset time period by the user IP corresponding to each piece of accessed traffic data to the total number of pieces of accessed traffic data collected in the preset time period;
and calculating the sensitivity of each piece of accessed traffic data from the first difference, the second difference and the first ratio.
Further, the sensitivity of each piece of accessed traffic data is calculated by the following formula (shown on the original page as an image; symbols are given here by their image placeholders):
[Figure DEST_PATH_IMAGE001]
wherein [IMAGE002] denotes the sensitivity of the [IMAGE003]-th piece of accessed traffic data; [IMAGE004] denotes the read data volume of the [IMAGE003]-th piece of accessed traffic data; [IMAGE005] denotes the read time of the [IMAGE003]-th piece of accessed traffic data; [IMAGE006] denotes the number of accesses in the preset time period by the user IP corresponding to the [IMAGE003]-th piece of accessed traffic data; [IMAGE007] denotes the historical average read data volume of all accessed traffic data of the user IP corresponding to the [IMAGE003]-th piece; [IMAGE008] denotes the historical average read time of all accessed traffic data of the user IP corresponding to the [IMAGE003]-th piece; [IMAGE009] denotes the total number of pieces of accessed traffic data collected in the preset time period; and [IMAGE010] denotes the hyperbolic tangent function, used to normalize the feature values.
Further, the step of converting each piece of accessed traffic data into a three-dimensional data point in a three-dimensional coordinate system comprises:
taking the read data volume of each piece of accessed traffic data, its read time and the number of accesses in the preset time period by the corresponding user IP as the three coordinates of a point in the three-dimensional coordinate system, thereby converting each piece of accessed traffic data into a three-dimensional data point.
Further, the local sensitivity density of each target data point within the initial neighborhood value is calculated by the following formula (shown on the original page as an image; symbols are given here by their image placeholders):
[Figure DEST_PATH_IMAGE011]
wherein [IMAGE012] denotes the local sensitivity density of the [IMAGE003]-th target data point within the initial neighborhood value; [IMAGE013] denotes that the initial neighborhood value is [IMAGE014]; [IMAGE015] denotes the number of three-dimensional data points within the initial [IMAGE016]-distance neighborhood of the [IMAGE003]-th target data point; [IMAGE017] denotes the sensitivity of the [IMAGE018]-th target data point within the initial [IMAGE016]-distance neighborhood of the [IMAGE003]-th target data point; and [IMAGE019] denotes the sum of the sensitivities of all target data points within the initial [IMAGE016]-distance neighborhood of the [IMAGE003]-th target data point.
Further, the local offset of the initial data point within the initial neighborhood value is calculated by the following formula (shown on the original page as an image; symbols are given here by their image placeholders):
[Figure DEST_PATH_IMAGE020]
wherein [IMAGE021] denotes the local offset of the initial data point within the initial neighborhood value; [IMAGE003] denotes that the [IMAGE003]-th target data point is taken as the initial data point; [IMAGE012] denotes the local sensitivity density of the [IMAGE003]-th target data point within the initial neighborhood value; [IMAGE014] denotes that the initial neighborhood value is [IMAGE014]; [IMAGE015] denotes the number of three-dimensional data points within the initial [IMAGE016]-distance neighborhood of the [IMAGE003]-th target data point; [IMAGE022] denotes the local sensitivity density of the [IMAGE018]-th target data point within its initial [IMAGE016]-distance neighborhood; and [IMAGE023] denotes the sum of the local sensitivity densities of all target data points within the initial [IMAGE014]-distance neighborhood of the [IMAGE003]-th target data point.
Further, the step of applying a data offset to each three-dimensional data point in each layer to obtain the encrypted data of each three-dimensional data point in each layer includes:
calculating the average read data volume of all three-dimensional data points in each layer;
calculating the average read time of all three-dimensional data points in each layer;
taking the absolute value of the third difference, between the read data volume of each three-dimensional data point in a layer and the average read data volume of that layer, as the read data volume offset of that point;
taking the absolute value of the fourth difference, between the read time of each three-dimensional data point in a layer and the average read time of that layer, as the read time offset of that point;
offsetting each three-dimensional data point in each layer by its read data volume offset and read time offset to obtain its offset read data volume and offset read time;
and taking the offset read data volume, the offset read time and the number of accesses in the preset time period by the user IP corresponding to the point as the encrypted data of each three-dimensional data point in each layer.
A data encryption system for an SD-WAN, comprising:
a processor for performing the above data encryption method for the SD-WAN.
The invention has the following beneficial effects:
the invention provides a data encryption method and system for an SD-WAN (software-defined wide area network), which introduce the idea of a hierarchical structure to encrypt all accessed traffic data hierarchically: a three-dimensional coordinate system is established, each piece of accessed traffic data is taken as a three-dimensional data point, a local outlier factor algorithm is adopted with neighborhoods of different sizes so that data points within a certain range form one layer, all three-dimensional data points are divided into a plurality of layers according to the local sensitivity density of the data and the data characteristics of the points, and a data offset is then applied to each three-dimensional data point in each layer to obtain its encrypted data. The method comprehensively considers the sensitivity characteristic of each piece of data and expresses it through the three-dimensional coordinate system, so that the encrypted data has no periodic data characteristics within a range; three-dimensional data points with similar sensitivity characteristics within a certain range are placed in the same layer, and the points of each layer are encrypted layer by layer, thereby greatly increasing the concealment of the data.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. The drawings described below are obviously only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the general steps of an embodiment of the data encryption method for SD-WAN of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
An embodiment of the data encryption method for SD-WAN of the present invention, as shown in Fig. 1, includes:
S1, collecting a plurality of pieces of accessed traffic data in a preset time period; the traffic data of each access comprises the read data volume, the read time and the number of accesses in the preset time period by the user IP corresponding to that access.
Compared with the traditional WAN architecture, the SD-WAN architecture avoids the need to backhaul all traffic data from a branch office to the headquarters data center, and thus avoids the loss of user productivity caused by the traditional architecture. However, in the SD-WAN architecture the accessed traffic data contains a great deal of private information, and encrypting the data during network transmission is the basis for ensuring safe interaction between the two communicating parties; to ensure the safety of the transmitted network traffic data, the data must therefore be encrypted before it is transmitted. When the data transmitted by the SD-WAN is encrypted, a plurality of pieces of accessed traffic data in a preset time period are collected first; the traffic data of each access comprises the read data volume, the read time and the number of accesses in the preset time period by the user IP corresponding to that access. The preset time period is set according to experience and can be set to 20 min.
S2, calculating the sensitivity of each piece of accessed traffic data from the traffic data accessed in the preset time period and the historical data of the user IP corresponding to that piece of accessed traffic data.
The step of calculating the sensitivity of each piece of accessed traffic data from the traffic data accessed in the preset time period and the historical data of the user IP corresponding to that piece comprises the following steps: acquiring a first difference between the read data volume of each piece of accessed traffic data and the historical average read data volume of all accessed traffic data of the corresponding user IP; acquiring a second difference between the read time of each piece of accessed traffic data and the historical average read time of all accessed traffic data of the corresponding user IP; acquiring a first ratio of the number of accesses in the preset time period by the user IP corresponding to each piece of accessed traffic data to the total number of pieces of accessed traffic data collected in the preset time period; and calculating the sensitivity of each piece of accessed traffic data from the first difference, the second difference and the first ratio.
Because the accessed traffic data differ in sensitivity (for example, a user frequently accessing the database, a data access time that is too long or too short, a large amount of data downloaded from the database, and an access frequency of one user IP in the preset time period that is too high are all sensitive operations, and the corresponding accessed traffic data has a higher sensitivity), the sensitivity of each piece of accessed traffic data is calculated first.
The sensitivity of each piece of accessed traffic data is calculated by the following formula (shown on the original page as an image; symbols are given here by their image placeholders):
[Figure DEST_PATH_IMAGE001]
wherein [IMAGE002] denotes the sensitivity of the [IMAGE003]-th piece of accessed traffic data; [IMAGE004] denotes the read data volume of the [IMAGE003]-th piece of accessed traffic data; [IMAGE005] denotes the read time of the [IMAGE003]-th piece of accessed traffic data; [IMAGE024] denotes the number of accesses in the preset time period by the user IP corresponding to the [IMAGE003]-th piece of accessed traffic data; [IMAGE007] denotes the historical average read data volume of all accessed traffic data of the user IP corresponding to the [IMAGE003]-th piece; [IMAGE025] denotes the historical average read time of all accessed traffic data of the user IP corresponding to the [IMAGE003]-th piece; [IMAGE027] denotes the total number of pieces of accessed traffic data collected in the preset time period; and [IMAGE010] denotes the hyperbolic tangent function, used to normalize the feature values. The sensitivity of accessed traffic data is mainly reflected in the read data volume, the read time and the number of accesses. The larger or smaller the read data volume of a piece of accessed traffic data, and the larger its difference from the average read data volume, the more abnormal and sensitive that piece is; the longer or shorter its read time, and the larger its difference from the average read time, the more abnormal and sensitive it is; and the higher the access frequency of the piece, the more abnormal and sensitive it is. The sensitivity of each piece of accessed traffic data is thus obtained.
S3, converting each piece of accessed traffic data into a three-dimensional data point in a three-dimensional coordinate system, and randomly selecting one three-dimensional data point as the initial data point.
The step of converting each piece of accessed traffic data into a three-dimensional data point in a three-dimensional coordinate system comprises: taking the read data volume of each piece of accessed traffic data, its read time and the number of accesses in the preset time period by the corresponding user IP as the coordinates on the X axis, Y axis and Z axis of the three-dimensional coordinate system, thereby converting each piece of accessed traffic data into a three-dimensional data point.
S4, setting an initial neighborhood value and, taking the initial data point as the center, acquiring all target data points within the initial neighborhood value in the three-dimensional coordinate system, where the target data points comprise the initial data point and all data points within its initial neighborhood.
A three-dimensional data point is randomly selected as the initial data point, the initial neighborhood value [IMAGE016] is set to 2, and all three-dimensional data points within the [IMAGE016]-distance neighborhood centered on the initial data point in the three-dimensional coordinate system are taken as target data points; the target data points comprise the initial data point and all data points within its initial neighborhood.
S5, calculating the local sensitivity density of each target data point within the initial neighborhood value from the sensitivity of that target data point and of the other data points within the initial neighborhood value; and calculating the local offset of the initial data point within the initial neighborhood value from the local sensitivity densities of all target data points within the initial neighborhood value.
The local sensitivity density of each target data point within the initial neighborhood value is calculated from the sensitivity of that target data point and of the other data points in the initial neighborhood: the sensitivities of all three-dimensional data points within the [IMAGE016]-distance neighborhood are substituted into the calculation. Using the local outlier factor algorithm of the prior art, the initial neighborhood [IMAGE016] of that algorithm is set, and the local sensitivity density of each target data point within the initial neighborhood value is calculated by the following formula (shown on the original page as an image; symbols are given here by their image placeholders):
[Figure DEST_PATH_IMAGE011]
wherein [IMAGE012] denotes the local sensitivity density of the [IMAGE003]-th target data point within the initial neighborhood value; [IMAGE014] denotes that the initial neighborhood value is [IMAGE014]; [IMAGE015] denotes the number of three-dimensional data points within the initial [IMAGE016]-distance neighborhood of the [IMAGE003]-th target data point; [IMAGE028] denotes the sensitivity of the [IMAGE029]-th target data point within the initial [IMAGE016]-distance neighborhood of the [IMAGE003]-th target data point; and [IMAGE019] denotes the sum of the sensitivities of all target data points within the initial [IMAGE014]-distance neighborhood of the [IMAGE003]-th target data point.
The local offset of the initial data point within the initial neighborhood value is calculated by the following formula (shown on the original page as an image; symbols are given here by their image placeholders):
[Figure DEST_PATH_IMAGE020]
wherein [IMAGE021] denotes the local offset of the initial data point within the initial neighborhood value; [IMAGE003] denotes that the [IMAGE030]-th target data point is taken as the initial data point; [IMAGE012] denotes the local sensitivity density of the [IMAGE003]-th target data point within the initial neighborhood value; [IMAGE014] denotes that the initial neighborhood value is [IMAGE014]; [IMAGE015] denotes the number of three-dimensional data points within the initial [IMAGE016]-distance neighborhood of the [IMAGE003]-th target data point; [IMAGE022] denotes the local sensitivity density of the [IMAGE018]-th target data point within its initial [IMAGE014]-distance neighborhood; and [IMAGE023] denotes the sum of the local sensitivity densities of all target data points within the initial [IMAGE014]-distance neighborhood of the [IMAGE003]-th target data point.
Here the local sensitivity density of the current three-dimensional data point is compared with the average local sensitivity density within its [IMAGE016]-distance neighborhood to represent the offset of that point: the larger the difference between the local sensitivity density of a three-dimensional data point and the average local sensitivity density within its initial [IMAGE016]-distance neighborhood, the more discrete the current point is within that neighborhood, and the larger its offset.
S6, when the local offset of the initial data point in the initial neighborhood value is larger than a preset offset threshold, increasing the initial neighborhood value according to a preset step length to obtain an increased neighborhood value, and repeating the steps S4-S5 to obtain the local offset of the initial data point in the increased neighborhood value; sequentially iterating until the local offset of the initial data point is less than or equal to a preset local offset threshold value, and stopping iterating; and taking the neighborhood value when the iteration is stopped as a final distance neighborhood.
An offset threshold is set (its value depends on the specific implementation; this embodiment uses an empirical reference value). If the local offset of the current three-dimensional data point is larger than the set threshold, the current point behaves as an abnormal three-dimensional data point within its neighborhood. The initial neighborhood value is therefore increased with a step length of 1, and the calculation of steps S4-S5 is repeated iteratively until the local offset satisfies the set offset threshold.
S7, taking all three-dimensional data points within the final distance neighborhood of the initial data point as a first layer.
Once the offset threshold condition is met, all three-dimensional data points within the final distance neighborhood of the initial data point are taken as the first layer.
S8, reselecting a three-dimensional data point outside the first layer as a new initial data point, and repeating steps S4-S7 until all three-dimensional data points have been layered.
The scheme introduces the idea of a layered structure and encrypts all accessed traffic data layer by layer: a three-dimensional data point located outside the first layer is reselected as a new initial data point, and steps S4-S7 are repeated until every three-dimensional data point has been assigned to a layer.
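The following Python example, added here and not taken from the patent, carries steps S1-S8 through on a constructed window of six access records. Because the formula images are not reproduced on this page, three forms are assumptions and are labelled as such in the code: the weighting inside the tanh of claim 3, the local sensitivity density as the mean sensitivity of the target points (the variables claim 5 lists), and a Euclidean distance over the raw coordinates. The local offset follows the description of step S5 exactly, and the start point is chosen deterministically instead of randomly so that the result is reproducible.

```python
"""Steps S1-S8 (sensitivity, 3-D points, adaptive neighborhood layering).

Added example, not the patent's code. The formula images are not reproduced on
the page, so the following are assumptions: the weighting inside tanh (claim 3
names the two deviations, the access ratio and tanh, not how they combine);
local sensitivity density = mean sensitivity of the target points (the
variables listed in claim 5); Euclidean distance over the raw coordinates.
The local offset follows step S5: |density(start) - mean density of targets|.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    """One piece of accessed traffic data."""
    ip: str
    read_bytes: float    # read data volume
    read_seconds: float  # read time


def sensitivities(records):
    """Claim 2: first difference, second difference and first ratio per record, through tanh.
    The IP's history is approximated by its records in the window (assumption)."""
    by_ip = {}
    for r in records:
        by_ip.setdefault(r.ip, []).append(r)
    out = []
    for r in records:
        hist = by_ip[r.ip]
        mean_b = sum(h.read_bytes for h in hist) / len(hist)
        mean_t = sum(h.read_seconds for h in hist) / len(hist)
        d1 = abs(r.read_bytes - mean_b) / (mean_b or 1.0)    # first difference (scaled, assumed)
        d2 = abs(r.read_seconds - mean_t) / (mean_t or 1.0)  # second difference (scaled, assumed)
        ratio = len(hist) / len(records)                      # first ratio
        out.append(math.tanh(d1 + d2 + ratio))                # tanh normalization
    return out


def to_points(records):
    """Claim 4: coordinates (read volume, read time, access count of the record's IP)."""
    count = {}
    for r in records:
        count[r.ip] = count.get(r.ip, 0) + 1
    return [(r.read_bytes, r.read_seconds, float(count[r.ip])) for r in records]


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def targets(points, alive, centre, radius):
    """Target data points: the centre and every not-yet-layered point within radius."""
    return [j for j in alive if _dist(points[centre], points[j]) <= radius]


def local_density(points, sens, alive, i, radius):
    nb = targets(points, alive, i, radius)
    return sum(sens[j] for j in nb) / len(nb)


def local_offset(points, sens, alive, start, radius):
    nb = targets(points, alive, start, radius)
    dens = [local_density(points, sens, alive, j, radius) for j in nb]
    return abs(local_density(points, sens, alive, start, radius) - sum(dens) / len(dens))


def layer_points(points, sens, r0, step, threshold):
    """Steps S3-S8. The start point is the lowest un-layered index rather than a random
    pick, so runs are reproducible. Returns (layers as index lists, final radius per layer)."""
    alive = list(range(len(points)))
    layers, radii = [], []
    while alive:
        start, r = alive[0], r0
        while True:
            nb = targets(points, alive, start, r)
            # S6: grow r until the start point is no longer an outlier in its neighborhood,
            # or until the neighborhood already holds every remaining point.
            if len(nb) == len(alive) or local_offset(points, sens, alive, start, r) <= threshold:
                break
            r += step
        layers.append(nb)                              # S7: the neighborhood becomes a layer
        radii.append(r)
        alive = [j for j in alive if j not in nb]      # S8: continue with the rest
    return layers, radii


# Constructed sample window: ordinary reads from two IPs and one large read from a third.
SAMPLE = [
    Access("10.0.0.1", 1000.0, 2.0), Access("10.0.0.1", 1100.0, 2.1), Access("10.0.0.1", 900.0, 1.9),
    Access("10.0.0.2", 50000.0, 30.0),
    Access("10.0.0.3", 1050.0, 2.0), Access("10.0.0.3", 950.0, 2.2),
]


def demo(r0=60.0, step=60.0, threshold=0.02):
    sens = sensitivities(SAMPLE)
    return sens, layer_points(to_points(SAMPLE), sens, r0, step, threshold)


if __name__ == "__main__":
    sens, (layers, radii) = demo()
    print("sensitivities:", [round(s, 3) for s in sens])
    print("layers:", layers, "final radii:", radii)
```

With r0 = step = 60 and threshold = 0.02 on the sample window, the first start point's neighborhood is grown once (final radius 120) and takes in the five ordinary reads, while the large read from the third IP ends up in a layer of its own. Two properties of the procedure as the patent describes it matter when choosing parameters: a neighborhood that contains only the start point has a local offset of 0 and stops growing immediately, so the initial radius and step must be set against the scale of the coordinates (read volume in bytes dominates a raw Euclidean distance unless the axes are normalized); and the same holds once the neighborhood covers every remaining point, which is why the loop also stops there.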
S9, performing data migration on each three-dimensional data point in each layer to obtain the encrypted data of each three-dimensional data point in each layer.
The step of performing data migration on each three-dimensional data point in each layer comprises: calculating the average read data volume of all three-dimensional data points in each layer; calculating the average read time of all three-dimensional data points in each layer; taking the absolute value of the third difference, between the read data volume of each three-dimensional data point in the layer and the average read data volume of that layer, as the read data volume offset of that point; taking the absolute value of the fourth difference, between the read time of each three-dimensional data point in the layer and the average read time of that layer, as the read time offset of that point; shifting each three-dimensional data point in the layer according to its read data volume offset and read time offset to obtain its read data volume after shifting and its read time after shifting; and taking the read data volume after shifting, the read time after shifting and the number of accesses, within the preset time period, by the user IP corresponding to the point as the encrypted data of that three-dimensional data point.
The read data volume offset and the read time offset of each three-dimensional data point in any layer are calculated by the following formulas (shown as images in the original): the read data volume offset of the i-th piece of accessed traffic data in the current layer, i.e. of the i-th three-dimensional data point in that layer, is the absolute value of the difference between the read data volume of the i-th piece of accessed traffic data in the current layer and the average read data volume of all accessed traffic data in the current layer; the read time offset of the i-th piece of accessed traffic data in the current layer is the absolute value of the difference between the read time of the i-th piece of accessed traffic data in the current layer and the average read time of all accessed traffic data in the current layer.
The shifted data of the i-th piece of accessed traffic data in the current layer is then obtained from its read data volume offset and read time offset (the shift formula and the definitions of its terms are shown as images in the original).
The read data volume after shifting, the read time after shifting and the number of accesses, within the preset time period, by the corresponding user IP of each three-dimensional data point in each layer are taken as the encrypted data of that point. The corresponding key consists of the read data volume offset and the read time offset of each three-dimensional data point in each layer. After receiving the encrypted data, the receiving end decrypts it using, for each three-dimensional data point in each layer, its read data volume offset together with the layer's average read data volume, and its read time offset together with the layer's average read time.
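The example below, added here and not the patent's code, implements step S9 and the receiver-side inversion described above on a constructed layering of six points. The offsets follow claim 7 (absolute deviation from the layer mean) and the access count is carried through untouched, as the text states. The shift itself is an assumption, because the formula image is not reproduced on the page: each value is pushed away from its layer mean by its own offset, which is invertible given the offset (the key) and the layer mean, the two inputs the description names for decryption.

```python
"""Step S9 'data migration' of one layering and its inverse.

Added example, not the patent's code. Claim 7 fixes the offsets as
|value - layer mean| for read volume and read time; the description names the
offsets as the key and the layer means as decryption inputs. The shift formula
is an image not reproduced on the page, so the shift used here (push each value
away from its layer mean by its own offset) is an assumption.
"""
import math


def migrate_layer(points):
    """points: [(read_bytes, read_seconds, access_count)] of one layer.
    Returns (shifted points, per-point key (volume offset, time offset), layer means)."""
    n = len(points)
    mean_b = sum(p[0] for p in points) / n            # average read data volume of the layer
    mean_t = sum(p[1] for p in points) / n            # average read time of the layer
    shifted, key = [], []
    for b, t, c in points:
        ob, ot = abs(b - mean_b), abs(t - mean_t)     # third / fourth absolute differences
        b2 = b + ob if b >= mean_b else b - ob        # assumed shift: away from the layer mean
        t2 = t + ot if t >= mean_t else t - ot
        shifted.append((b2, t2, c))                   # access count passes through unchanged
        key.append((ob, ot))
    return shifted, key, (mean_b, mean_t)


def restore_layer(shifted, key, means):
    """Receiver side: undo the shift from the offsets (the key) and the layer means."""
    mean_b, mean_t = means
    out = []
    for (b2, t2, c), (ob, ot) in zip(shifted, key):
        b = b2 - ob if b2 >= mean_b else b2 + ob
        t = t2 - ot if t2 >= mean_t else t2 + ot
        out.append((b, t, c))
    return out


def migrate(layers):
    """Apply S9 to every layer; the key grows with the data (two offsets per point)."""
    result = [migrate_layer(layer) for layer in layers]
    return [r[0] for r in result], [r[1] for r in result], [r[2] for r in result]


def restore(shifted, keys, means):
    return [restore_layer(s, k, m) for s, k, m in zip(shifted, keys, means)]


def same_points(a, b, tol=1e-9):
    """Float-tolerant comparison of two point lists (exact on the access count)."""
    return len(a) == len(b) and all(
        math.isclose(x[0], y[0], abs_tol=tol) and math.isclose(x[1], y[1], abs_tol=tol) and x[2] == y[2]
        for x, y in zip(a, b))


# Constructed layering of six points: five ordinary reads and one isolated large read.
LAYERS = [
    [(1000.0, 2.0, 3.0), (1100.0, 2.1, 3.0), (900.0, 1.9, 3.0), (1050.0, 2.0, 2.0), (950.0, 2.2, 2.0)],
    [(50000.0, 30.0, 1.0)],
]


def demo():
    shifted, keys, means = migrate(LAYERS)
    return shifted, keys, means, restore(shifted, keys, means)


if __name__ == "__main__":
    shifted, keys, means, restored = demo()
    for layer, enc, key in zip(LAYERS, shifted, keys):
        for p, e, k in zip(layer, enc, key):
            print(p, "->", e, "key", k)
    print("round trip ok:", all(same_points(a, b) for a, b in zip(LAYERS, restored)))
```

The round trip makes the key material concrete: two offsets per data point, i.e. as much material as the two protected fields, plus the per-layer means and the layer membership, which the receiver also needs before it can apply them. Two consequences follow from the offset definition in claim 7 regardless of the assumed shift: a point whose read volume or read time equals its layer mean has offset 0 and is transmitted unchanged, so a singleton layer is not shifted at all; and the access-count coordinate is carried in the clear. Under the assumed shift the mean of the shifted values in a layer equals the original layer mean, so in this instantiation the mean is recoverable from the shifted data itself.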
The present embodiment further provides a data encryption system for SD-WAN, including:
a processor for performing the data encryption method for the SD-WAN as described above.
In summary, the invention provides a data encryption method and system for SD-WAN in which data points with similar sensitivity characteristics within a certain range are grouped into layers and shifted together, so that the encrypted data no longer exhibits the range-periodic characteristics of the original data, increasing its concealment.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and should not be taken as limiting the scope of the present invention, which is intended to cover any modifications, equivalents, improvements, etc. within the spirit and scope of the present invention.

Claims (8)

1. A data encryption method for SD-WAN, the method comprising:
S1, collecting a plurality of pieces of accessed traffic data within a preset time period, each piece of accessed traffic data comprising a read data volume, a read time and the number of accesses, within the preset time period, by the user IP corresponding to that piece of accessed traffic data;
S2, calculating the sensitivity of each piece of accessed traffic data according to the accessed traffic data within the preset time period and the historical data of the user IP corresponding to that accessed traffic data;
S3, converting each piece of accessed traffic data into a three-dimensional data point in a three-dimensional coordinate system, and randomly selecting one three-dimensional data point as an initial data point;
S4, setting an initial neighborhood value and acquiring, in the three-dimensional coordinate system, all target data points within the initial neighborhood value centered on the initial data point, the target data points comprising the initial data point and all data points within the initial neighborhood of the initial data point;
S5, calculating the local sensitivity density characteristic of each target data point within the initial neighborhood value from the sensitivities of that target data point and of the other data points within the initial neighborhood value; and calculating the local offset of the initial data point within the initial neighborhood value from the local sensitivity density characteristics of all target data points within the initial neighborhood value;
S6, when the local offset of the initial data point within the initial neighborhood value is larger than a preset offset threshold, increasing the initial neighborhood value by a preset step length to obtain an increased neighborhood value, and repeating steps S4-S5 to obtain the local offset of the initial data point within the increased neighborhood value; iterating in this way until the local offset of the initial data point is less than or equal to the preset offset threshold, then stopping; and taking the neighborhood value at which the iteration stopped as the final distance neighborhood;
S7, taking all three-dimensional data points within the final distance neighborhood of the initial data point as a first layer;
S8, reselecting a three-dimensional data point outside the first layer as a new initial data point, and repeating steps S4-S7 until all three-dimensional data points have been layered;
S9, performing data migration on each three-dimensional data point in each layer to obtain the encrypted data of each three-dimensional data point in each layer.
2. The data encryption method for SD-WAN according to claim 1, wherein the step of calculating the sensitivity of each piece of accessed traffic data according to the accessed traffic data within the preset time period and the historical data of the user IP corresponding to that piece of accessed traffic data comprises:
acquiring a first difference between the read data volume of each piece of accessed traffic data and the average read data volume of all accessed traffic data in the history of the corresponding user IP;
acquiring a second difference between the read time of each piece of accessed traffic data and the average read time of all accessed traffic data in the history of the corresponding user IP;
acquiring a first ratio of the number of accesses, within the preset time period, by the user IP corresponding to each piece of accessed traffic data to the total number of pieces of accessed traffic data acquired within the preset time period; and
calculating the sensitivity of each piece of accessed traffic data from the first difference, the second difference and the first ratio.
3. The data encryption method for SD-WAN according to claim 2, wherein the sensitivity of each piece of accessed traffic data is calculated by the following formula (shown as an image in the original), whose symbols denote, in order: the sensitivity of the i-th piece of accessed traffic data; the read data volume of the i-th piece of accessed traffic data; the read time of the i-th piece of accessed traffic data; the number of accesses, within the preset time period, by the user IP corresponding to the i-th piece of accessed traffic data; the average read data volume of all accessed traffic data in the history of the user IP corresponding to the i-th piece of accessed traffic data; the average read time of all accessed traffic data in the history of that user IP; the total number of pieces of accessed traffic data acquired within the preset time period; and a hyperbolic tangent function used to normalize the feature values.
4. The data encryption method for SD-WAN according to claim 1, wherein the step of converting each piece of accessed traffic data into a three-dimensional data point in a three-dimensional coordinate system comprises:
taking the read data volume of each piece of accessed traffic data, the read time of each piece of accessed traffic data and the number of accesses, within the preset time period, by the user IP corresponding to each piece of accessed traffic data as its three coordinates in the three-dimensional coordinate system, thereby converting each piece of accessed traffic data into a three-dimensional data point in the three-dimensional coordinate system.
5. The data encryption method for SD-WAN according to claim 1, wherein the local sensitivity density characteristic of each target data point within the initial neighborhood value is calculated by the following formula (shown as an image in the original), whose symbols denote, in order: the local sensitivity density characteristic of the i-th target data point within the initial neighborhood value; the initial neighborhood value; the number of three-dimensional data points within the initial distance neighborhood of the i-th target data point; the sensitivity of the j-th target data point within the initial distance neighborhood of the i-th target data point; and the summation of the sensitivities of all target data points within the initial distance neighborhood of the i-th target data point.
6. The data encryption method for SD-WAN according to claim 1, wherein the local offset of the initial data point within the initial neighborhood value is calculated by the following formula (shown as an image in the original), whose symbols denote, in order: the local offset of the initial data point within the initial neighborhood value; the index i of the target data point taken as the initial data point; the local sensitivity density characteristic of the i-th target data point within the initial neighborhood value; the initial neighborhood value; the number of three-dimensional data points within the initial distance neighborhood of the i-th target data point; the local sensitivity density characteristic of the j-th target data point within the initial distance neighborhood; and the summation of the local sensitivity density characteristics of all target data points within the initial distance neighborhood of the i-th target data point.
7. The data encryption method for SD-WAN according to claim 1, wherein the step of performing data migration on each three-dimensional data point in each layer to obtain the encrypted data of each three-dimensional data point in each layer comprises:
calculating the average read data volume of all three-dimensional data points in each layer;
calculating the average read time of all three-dimensional data points in each layer;
taking the absolute value of a third difference, between the read data volume of each three-dimensional data point in each layer and the average read data volume of that layer, as the read data volume offset of that three-dimensional data point;
taking the absolute value of a fourth difference, between the read time of each three-dimensional data point in each layer and the average read time of that layer, as the read time offset of that three-dimensional data point;
shifting each three-dimensional data point in each layer according to its read data volume offset and read time offset to obtain the read data volume after shifting and the read time after shifting of each three-dimensional data point in each layer; and
taking the read data volume after shifting, the read time after shifting and the number of accesses, within the preset time period, by the user IP corresponding to each three-dimensional data point in each layer as the encrypted data of that three-dimensional data point.
8. A data encryption system for SD-WAN, comprising:
a processor configured to perform the data encryption method for SD-WAN of any one of claims 1 to 7.
CN202211326681.1A 2022-10-27 2022-10-27 Data encryption method and system for SD-WAN Active CN115442155B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211326681.1A CN115442155B (en) 2022-10-27 2022-10-27 Data encryption method and system for SD-WAN

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211326681.1A CN115442155B (en) 2022-10-27 2022-10-27 Data encryption method and system for SD-WAN

Publications (2)

Publication Number Publication Date
CN115442155A true CN115442155A (en) 2022-12-06
CN115442155B CN115442155B (en) 2023-01-31

Family

ID=84252656

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211326681.1A Active CN115442155B (en) 2022-10-27 2022-10-27 Data encryption method and system for SD-WAN

Country Status (1)

Country Link
CN (1) CN115442155B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103942838A (en) * 2014-05-13 2014-07-23 福州大学 Point cloud data based single tree three-dimensional modeling and morphological parameter extracting method
US20190342315A1 (en) * 2018-05-04 2019-11-07 Citrix Systems, Inc. Systems and methods for traffic inspection via an embedded browser
CN111343070A (en) * 2020-03-03 2020-06-26 深圳市吉祥腾达科技有限公司 Communication control method for sdwan network
CN115048682A (en) * 2022-08-15 2022-09-13 河北省农林科学院农业信息与经济研究所 Safe storage method of land circulation information

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
付培国 et al.: "Local distance outlier detection method based on density-biased sampling", 《软件学报》 (Journal of Software) *

Also Published As

Publication number Publication date
CN115442155B (en) 2023-01-31

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant