
CN119766556B - A distributed data security protection system based on Internet of Things nodes - Google Patents

A distributed data security protection system based on Internet of Things nodes

Info

Publication number
CN119766556B
Authority
CN
China
Prior art keywords
data
unit
node
security
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202411963373.9A
Other languages
Chinese (zh)
Other versions
CN119766556A (en)
Inventor
刘建朝
张霞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Zhike Changlian Data Technology Co ltd
Original Assignee
Shandong Zhike Changlian Data Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shandong Zhike Changlian Data Technology Co ltd
Priority to CN202411963373.9A
Publication of CN119766556A
Application granted
Publication of CN119766556B
Legal status: Active (current)
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of network data security, in particular to a distributed data security protection system based on Internet of Things nodes. The system comprises a security negotiation module, a dynamic encryption module, an identity authentication module, a data integrity detection module and an intrusion detection module. The security negotiation module dynamically selects an encryption algorithm, an authentication mechanism and a data transmission strategy; the dynamic encryption module encrypts the transmitted data; the identity authentication module performs identity verification between nodes; the data integrity detection module performs integrity verification on the transmitted data; and the intrusion detection module analyzes and identifies potential security threats in real time. By dynamically selecting the encryption algorithm, authentication mechanism and data transmission strategy, and combining this with real-time intrusion detection and threat identification, the security of data transmission among Internet of Things nodes and the overall protection capability of the system are improved.

Description

Distributed data safety protection system based on Internet of things node
Technical Field
The invention relates to the technical field of network data security, in particular to a distributed data security protection system based on an Internet of things node.
Background
With the rapid development of Internet of Things (IoT) technology, the number of IoT nodes and the scale of their communication keep growing, creating huge data exchange demands. However, the highly distributed and heterogeneous nature of the IoT environment, together with the unstable security of the devices, makes it difficult for traditional network security protection technology to meet the security demands of data transmission and communication. IoT nodes transmit data over wireless networks, and the transmission process faces security threats such as data theft, malicious attack and illegal access; in complex distributed environments in particular, the problems of node identity authentication, data encryption and data integrity assurance are more prominent. In addition, IoT nodes generally have limited computing and storage capacity, so guaranteeing the confidentiality, integrity and availability of the data and the network while maintaining efficient performance is a key problem to be solved in the field of IoT security.
Although some security protection systems based on IoT nodes exist in the prior art, they have the following problems. On the one hand, traditional encryption algorithms and authentication mechanisms are usually based on fixed rules and configurations and cannot easily adapt to the dynamically changing network environment and the diverse demands of IoT nodes. On the other hand, existing systems usually adopt a centralized or fixed security strategy and cannot flexibly adjust security measures, so that certain nodes cannot be protected promptly and effectively under specific conditions. In addition, intrusion detection and abnormal traffic identification suffer from problems such as slow response and inaccurate threat identification.
Disclosure of Invention
In view of the above, the invention provides a distributed data security protection system based on Internet of Things nodes.
The distributed data security protection system based on the Internet of things node comprises a security negotiation module, a dynamic encryption module, an identity authentication module, a data integrity detection module and an intrusion detection module, wherein:
the security negotiation module is configured on each node of the Internet of things, and is used for dynamically selecting an encryption algorithm, an authentication mechanism and a data transmission strategy according to the real-time security state and the network environment of the nodes when communication connection is established between the nodes, and generating corresponding security configuration parameters;
The dynamic encryption module is connected with the security negotiation module and used for receiving the security configuration parameters and carrying out encryption processing on the transmitted data according to the node characteristic information and the current network state;
the identity authentication module is used for carrying out identity authentication among the nodes, verifying the legitimacy of the nodes and determining the access authority of the nodes, and ensuring that only authorized nodes can participate in data exchange;
The data integrity detection module is used for carrying out integrity check on the data in transmission and verifying whether the data is tampered or not by generating hash values and signature information of the data;
and the intrusion detection module is used for monitoring the communication flow of the nodes of the Internet of things, analyzing and identifying potential security threats in real time so as to prevent the intrusion behavior from affecting the system.
Optionally, the security negotiation module includes a security state monitoring unit, a network environment monitoring unit, a policy selection unit, and a configuration parameter generation unit, where:
The security state monitoring unit is used for monitoring the security state of each node of the Internet of things in real time, including the authentication state of the node and the system load condition;
the network environment monitoring unit is used for monitoring current network environment parameters including network bandwidth, delay and node connection quality;
the strategy selection unit dynamically selects an encryption algorithm, an authentication mechanism and a data transmission strategy based on the data provided by the security state monitoring unit and the network environment analysis unit so as to meet the security requirements among different nodes;
and the configuration parameter generating unit is used for generating corresponding security configuration parameters according to the selection result of the strategy selection unit and transmitting the security configuration parameters to the dynamic encryption module and the identity authentication module.
Optionally, the policy selection unit includes:
selecting an AES symmetric encryption algorithm with low computational complexity if the network bandwidth is less than 10Mbps and the node load is greater than 80%, and selecting an RSA asymmetric encryption algorithm with high encryption strength if the network bandwidth is greater than 100Mbps and the node load is less than 50%;
selecting an authentication mechanism based on public key infrastructure if the authentication state of the node is normal and the system load is less than 50%, and selecting an authentication mechanism based on a shared key if the node load is greater than 80%;
And selecting a data transmission strategy, namely selecting a lossless transmission strategy and using a TCP protocol to transmit data if the network delay is less than 50ms and the bandwidth is greater than 100Mbps, and selecting a transmission strategy with strong fault tolerance and using a UDP protocol and a retransmission mechanism if the network delay is greater than 200ms or the bandwidth is less than 10 Mbps.
Optionally, the dynamic encryption module comprises an encryption algorithm selection unit, a key management unit and a data encryption processing unit, wherein:
The encryption algorithm selection unit is used for selecting an encryption algorithm according to the node characteristic information and the current network state, wherein the encryption algorithm comprises a symmetric encryption algorithm AES and an asymmetric encryption algorithm RSA;
the key management unit is used for generating a corresponding encryption key according to the selected encryption algorithm;
And the data encryption processing unit is used for encrypting the data to be transmitted by using the encryption algorithm selected by the encryption algorithm selection unit and the key generated by the key management unit, so as to ensure confidentiality and integrity of the data in the transmission process.
Optionally, the identity authentication module comprises an identity authentication unit, a right management unit, an access control unit and a log recording unit, wherein:
The identity verification unit is used for receiving the identity information from the communication node, verifying the validity of the communication node by comparing the identity information with a prestored legal identity database, and ensuring that only the legal node can pass identity verification;
The authority management unit is used for consulting the authority database according to the verification result of the identity verification unit, determining the access authority level of the communication node and generating a corresponding authority control strategy;
the access control unit is used for dynamically adjusting the access authority of the communication node according to the authority control strategy generated by the authority management unit, so that the node can only access the authorized resources and functions;
and the log recording unit is used for recording all operation logs of authentication and authority management, including authentication requests, authentication results and authority allocation conditions of the nodes.
Optionally, the rights management unit includes:
the authority inquiry, namely searching authority data matched with the node identity in an authority database according to the identity verification result, and acquiring a preset authority level and an access resource range of the node;
The authority control strategy generation, namely generating a full access authority control strategy that allows the node to access all system resources if the node identity is legal and the authority level is administrator, generating a limited access authority control strategy that only allows the node to access the specified system resources if the node identity is legal and the authority level is user, and refusing access if identity verification of the node fails or the node has no authority level.
Optionally, the data integrity detection module includes a hash value generation unit, a signature generation unit, a data receiving unit, a hash value verification unit, a signature verification unit, and a tamper detection unit, wherein:
The hash value generation unit is used for receiving the data to be transmitted and generating a hash value of the data by using a hash algorithm of SHA-256;
the signature generation unit is used for carrying out signature processing on the data by using the generated hash value and a prestored private key before data transmission to generate a digital signature of the data;
the data receiving unit is used for receiving the data transmitted by the node of the Internet of things and the digital signature attached to the data, and the received data comprises the original data and the signature information generated by the signature generating unit;
the hash value verification unit is used for recalculating the hash value of the received data and comparing the hash value with the received hash value, and if the comparison result is consistent, the data is not tampered, and if the comparison result is inconsistent, the data is tampered;
the signature verification unit is used for verifying the signature by combining the received data and the digital signature attached to the received data with the stored public key to judge whether the data is tampered;
And the tamper detection unit is used for generating alarm information and triggering safety response when detecting that the data is tampered according to the results of the hash value verification unit and the signature verification unit, and preventing the data from being continuously transmitted or notifying a system administrator.
Optionally, the signature verification unit includes:
calculating a hash value of the received data by using the SHA-256 hash algorithm, wherein the formula is H(P) = SHA-256(P), and H(P) is the hash value of the data P;
decrypting the extracted digital signature by using the public key to obtain the hash value used in signing, wherein the expression is H_sign = Decrypt(signature, public key);
comparing whether the calculated hash value H(P) is consistent with the decrypted hash value H_sign, wherein the formula is as follows:
And judging tampering, namely confirming that the data is not tampered if the verification result is valid, allowing the data to continue to be transmitted and processed, and triggering corresponding safety response if the verification result is invalid and judging that the data is tampered.
Optionally, the intrusion detection module comprises a flow monitoring unit, a feature extraction unit, a threat identification unit and an alarm generation unit, wherein:
the flow monitoring unit is used for continuously monitoring communication flow among the nodes of the Internet of things and collecting metadata and content information of the data packet, wherein the metadata and the content information comprise a source address, a destination address, a port number, a protocol type, the size of the data packet and a transmission rate;
the feature extraction unit is used for extracting features from the monitored communication traffic and transmitting the extracted features to the threat identification unit;
The threat identification unit is used for classifying and analyzing the extracted feature vectors by utilizing a decision tree algorithm and identifying potential security threats;
And the alarm generation unit is used for generating and recording safety alarm information and sending alarm notification to a system administrator when the threat identification unit detects the safety threat.
Optionally, the threat identification unit includes:
receiving the feature vector, namely receiving the feature vector from the feature extraction unit and carrying out normalization processing;
Inputting the received feature vector into a pre-trained decision tree model, making a layer-by-layer decision according to each attribute value in the feature vector, and determining whether the data packet has security threat;
The decision tree model sequentially compares the characteristic values with the node segmentation values from the root node according to a predefined decision rule based on the attribute values of the characteristic vectors, and traverses downwards along the corresponding branch paths until the leaf nodes are reached, so that whether the data packet is a potential safety threat is judged in a classified mode;
and determining the threat type, namely determining the specific threat type of the data packet according to the classification label of the leaf node after the leaf node is reached.
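The threat identification steps above (receive the feature vector, normalise it, walk a pre-trained decision tree from the root by comparing each attribute with the node's segmentation value, and read the threat type off the leaf label) are shown below as an added example; it is not code from the patent or its assignee. The feature names, value ranges, tree thresholds and threat labels are constructed for illustration, not learned from traffic, and the decision path is returned alongside the label so the alarm generation unit can record why a packet was flagged.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# Constructed feature set and value ranges used for min-max normalisation.
FEATURE_RANGES = {
    "packet_rate": (0.0, 10000.0),   # packets per second
    "packet_size": (0.0, 1500.0),    # bytes
    "rate_trend": (-1.0, 1.0),       # change trend of the packet rate
}


@dataclass(frozen=True)
class Leaf:
    label: str  # classification label: "benign" or a threat type


@dataclass(frozen=True)
class Split:
    feature: str
    threshold: float       # node segmentation value
    below: "Node"          # branch taken when value <= threshold
    above: "Node"          # branch taken when value > threshold


Node = Union[Leaf, Split]

# Constructed "pre-trained" tree: thresholds and labels are illustrative, not learned.
TREE: Node = Split(
    "packet_rate", 0.8,
    below=Split("rate_trend", 0.7, below=Leaf("benign"), above=Leaf("rate-spike")),
    above=Split("packet_size", 0.1, below=Leaf("traffic-flood"), above=Leaf("anomalous-bulk-transfer")),
)


def normalize(raw: Dict[str, float]) -> Dict[str, float]:
    """Receive the feature vector and normalise each attribute into [0, 1]."""
    out = {}
    for name, (lo, hi) in FEATURE_RANGES.items():
        if name not in raw:
            raise ValueError(f"missing feature: {name}")
        v = (raw[name] - lo) / (hi - lo)
        out[name] = min(1.0, max(0.0, v))   # clamp out-of-range values
    return out


def classify(node: Node, vec: Dict[str, float]) -> Tuple[str, List[str]]:
    """Walk from the root, comparing each attribute with the node's split value, down to a leaf."""
    path = []
    while isinstance(node, Split):
        value = vec[node.feature]
        go_above = value > node.threshold
        path.append(f"{node.feature}={value:.2f} {'>' if go_above else '<='} {node.threshold}")
        node = node.above if go_above else node.below
    return node.label, path


def identify_threat(raw: Dict[str, float]) -> Tuple[str, List[str]]:
    """Threat identification unit: normalise, traverse the tree, return threat type and decision path."""
    return classify(TREE, normalize(raw))


if __name__ == "__main__":
    # Constructed feature vectors from the feature extraction unit.
    for sample in (
        {"packet_rate": 9500, "packet_size": 60, "rate_trend": 0.9},
        {"packet_rate": 100, "packet_size": 800, "rate_trend": 0.0},
    ):
        label, path = identify_threat(sample)
        print(label, "via", " -> ".join(path))
```

Clamping out-of-range values keeps a malformed or adversarial feature vector from walking off the normalised scale, and a missing attribute raises rather than silently defaulting, which is the behaviour a detector should have when its input contract is violated.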
The invention has the beneficial effects that:
The dynamic adaptability effectively solves the problems of fixed encryption configuration and inflexible authentication mechanism in the traditional internet of things security system, and can automatically select the most suitable security configuration according to the real-time security state of the node and the network environment to ensure the confidentiality and integrity of data in the transmission process.
The system continuously monitors the communication traffic of the Internet of Things nodes, analyzes the characteristics of data packets in real time and identifies potential security threats. Combined with a decision tree algorithm, it can accurately classify various attack behaviors, generate the corresponding security alarm information and effectively prevent malicious attacks or unauthorized access.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the description below are only of the invention and that other drawings can be obtained from them without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a distributed data security system according to an embodiment of the present invention;
fig. 2 is a schematic diagram of an intrusion detection module according to an embodiment of the invention.
Detailed Description
The invention will now be described in detail with reference to the drawings and to specific embodiments. While the invention has been described herein in detail in order to make the embodiments more detailed, the following embodiments are preferred and can be embodied in other forms as well known to those skilled in the art, and the accompanying drawings are only for the purpose of describing the embodiments more specifically and are not intended to limit the invention to the specific forms disclosed herein.
It should be noted that references in the specification to "one embodiment," "an example embodiment," "some embodiments," etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the relevant art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
Generally, the terminology may be understood, at least in part, from the use of context. For example, the term "one or more" as used herein may be used to describe any feature, structure, or characteristic in a singular sense, or may be used to describe a combination of features, structures, or characteristics in a plural sense, depending at least in part on the context. In addition, the term "based on" may be understood as not necessarily intended to convey an exclusive set of factors, but may instead, depending at least in part on the context, allow for other factors that are not necessarily explicitly described.
Referring to FIGS. 1-2, the distributed data security protection system based on the Internet of Things node comprises a security negotiation module, a dynamic encryption module, an identity authentication module, a data integrity detection module and an intrusion detection module, wherein:
the security negotiation module is configured on each node of the Internet of things, and is used for dynamically selecting an encryption algorithm, an authentication mechanism and a data transmission strategy according to the real-time security state and the network environment of the nodes when communication connection is established between the nodes, and generating corresponding security configuration parameters;
The dynamic encryption module is connected with the security negotiation module and is used for receiving the security configuration parameters and carrying out encryption processing on the transmitted data according to the node characteristic information and the current network state, wherein the encryption processing comprises the selection of a proper encryption algorithm and a proper key length;
the identity authentication module is used for carrying out identity authentication among the nodes, verifying the legitimacy of the nodes and determining the access authority of the nodes, and ensuring that only authorized nodes can participate in data exchange;
The data integrity detection module is used for carrying out integrity check on the data in transmission and verifying whether the data is tampered or not by generating hash values and signature information of the data;
and the intrusion detection module is used for monitoring the communication flow of the nodes of the Internet of things, analyzing and identifying potential security threats in real time so as to prevent the intrusion behavior from affecting the system.
The security negotiation module comprises a security state monitoring unit, a network environment monitoring unit, a strategy selection unit and a configuration parameter generation unit, wherein:
The security state monitoring unit is used for monitoring the security state of each node of the Internet of things in real time, including the authentication state of the node and the system load condition;
the network environment monitoring unit is used for monitoring current network environment parameters including network bandwidth, delay and node connection quality;
the strategy selection unit dynamically selects an encryption algorithm, an authentication mechanism and a data transmission strategy based on the data provided by the security state monitoring unit and the network environment analysis unit so as to meet the security requirements among different nodes;
The configuration parameter generation unit is used for generating corresponding security configuration parameters according to the selection result of the strategy selection unit and transmitting them to the dynamic encryption module and the identity authentication module to guide the subsequent data encryption processing and identity authentication process. Through this design, the security negotiation module can dynamically select a suitable encryption algorithm, authentication mechanism and data transmission strategy according to the real-time security state and network environment of the Internet of Things node, and generate the corresponding security configuration parameters.
The policy selection unit includes:
selecting an AES symmetric encryption algorithm with low computational complexity if the network bandwidth is less than 10Mbps and the node load is greater than 80%, and selecting an RSA asymmetric encryption algorithm with high encryption strength if the network bandwidth is greater than 100Mbps and the node load is less than 50%;
Selecting an authentication mechanism based on Public Key Infrastructure (PKI) if the authentication state of the node is normal and the system load is less than 50%, and selecting an authentication mechanism based on a shared key, such as HMAC (Hash-based message authentication code), if the node load is more than 80%;
The data transmission strategy selection comprises: selecting a lossless transmission strategy and using the TCP protocol for data transmission if the network delay is less than 50 ms and the bandwidth is greater than 100 Mbps; and selecting a transmission strategy with strong fault tolerance, combining the UDP protocol with a retransmission mechanism to ensure data reliability, if the network delay is greater than 200 ms or the bandwidth is less than 10 Mbps. Through this design, the strategy selection unit selects a suitable encryption algorithm, authentication mechanism and data transmission strategy according to the network state, node load and security requirements monitored in real time; this dynamic adjustment mechanism ensures that the system can operate efficiently under different network conditions and loads while providing strong data protection.
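The rules of the policy selection unit, as stated in both the claims and the detailed description above, cover two bands each for bandwidth (below 10 Mbps, above 100 Mbps), load (below 50%, above 80%) and delay (below 50 ms, above 200 ms) and say nothing about the bands in between. The following is an added example, not code from the patent or its assignee, that encodes the stated rules exactly and makes the unspecified bands explicit: each selector reports whether it fell through to a default, and those defaults (AES, PKI, TCP) are assumptions of this example. The `auth_state` field name and the "normal" value are also assumptions.

```python
from dataclasses import dataclass

# Thresholds as stated in the patent text (units: Mbps, percent, ms).
LOW_BW_MBPS, HIGH_BW_MBPS = 10.0, 100.0
LOW_LOAD_PCT, HIGH_LOAD_PCT = 50.0, 80.0
LOW_DELAY_MS, HIGH_DELAY_MS = 50.0, 200.0


@dataclass(frozen=True)
class NodeState:
    """Inputs from the security state monitoring and network environment monitoring units."""
    bandwidth_mbps: float
    load_pct: float
    delay_ms: float
    auth_state: str  # "normal" or "abnormal" (field name and values are assumptions)


@dataclass(frozen=True)
class SecurityConfig:
    """Security configuration parameters handed to the encryption and authentication modules."""
    cipher: str       # "AES" or "RSA"
    auth: str         # "PKI" or "HMAC"
    transport: str    # "TCP" or "UDP+retransmit"
    gaps: tuple       # selections that fell outside the rules the text states


def select_cipher(s: NodeState):
    # Stated rules: AES for low bandwidth and high load, RSA for high bandwidth and low load.
    if s.bandwidth_mbps < LOW_BW_MBPS and s.load_pct > HIGH_LOAD_PCT:
        return "AES", False
    if s.bandwidth_mbps > HIGH_BW_MBPS and s.load_pct < LOW_LOAD_PCT:
        return "RSA", False
    # No rule is stated for the middle band; defaulting to the cheaper
    # symmetric cipher is an assumption of this example and is reported as a gap.
    return "AES", True


def select_auth(s: NodeState):
    # Stated rules: PKI when authentication state is normal and load is low, HMAC when load is high.
    if s.auth_state == "normal" and s.load_pct < LOW_LOAD_PCT:
        return "PKI", False
    if s.load_pct > HIGH_LOAD_PCT:
        return "HMAC", False
    return "PKI", True  # assumption for the unspecified band


def select_transport(s: NodeState):
    # Stated rules: lossless TCP on fast links, UDP plus retransmission on slow or lossy ones.
    if s.delay_ms < LOW_DELAY_MS and s.bandwidth_mbps > HIGH_BW_MBPS:
        return "TCP", False
    if s.delay_ms > HIGH_DELAY_MS or s.bandwidth_mbps < LOW_BW_MBPS:
        return "UDP+retransmit", False
    return "TCP", True  # assumption for the unspecified band


def negotiate(s: NodeState) -> SecurityConfig:
    """Configuration parameter generation unit: combine the three selections into one config."""
    cipher, g1 = select_cipher(s)
    auth, g2 = select_auth(s)
    transport, g3 = select_transport(s)
    gaps = tuple(name for name, g in (("cipher", g1), ("auth", g2), ("transport", g3)) if g)
    return SecurityConfig(cipher, auth, transport, gaps)


if __name__ == "__main__":
    # Constructed node states: a constrained node, a capable node, and one in the unspecified band.
    for st in (
        NodeState(bandwidth_mbps=5, load_pct=90, delay_ms=300, auth_state="normal"),
        NodeState(bandwidth_mbps=150, load_pct=30, delay_ms=20, auth_state="normal"),
        NodeState(bandwidth_mbps=50, load_pct=65, delay_ms=100, auth_state="normal"),
    ):
        print(st, "->", negotiate(st))
```

Surfacing the `gaps` tuple rather than silently defaulting matters for a negotiation component: a reviewer can see which nodes are running on a fallback that the specification never vetted, and monitoring can alert when a large share of sessions land there.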
The dynamic encryption module comprises an encryption algorithm selection unit, a key management unit and a data encryption processing unit, wherein:
The encryption algorithm selection unit is used for selecting an encryption algorithm according to the node characteristic information and the current network state, wherein the encryption algorithm comprises the symmetric encryption algorithm AES (Advanced Encryption Standard) and the asymmetric encryption algorithm RSA (Rivest-Shamir-Adleman);
The key management unit is used for generating a corresponding encryption key according to the selected encryption algorithm and is responsible for distributing, storing and periodically updating the key so as to ensure the security and effectiveness of the key;
The dynamic encryption module can intelligently select the most suitable encryption algorithm and effectively manage the encryption key according to the characteristic information and the real-time network state of the node of the Internet of things, thereby realizing efficient and safe data encryption processing.
The identity authentication module comprises an identity authentication unit, a right management unit, an access control unit and a log recording unit, wherein:
The identity verification unit is used for receiving the identity information from the communication node, verifying the validity of the communication node by comparing the identity information with a prestored legal identity database, and ensuring that only the legal node can pass identity verification;
The authority management unit is used for consulting the authority database according to the verification result of the identity verification unit, determining the access authority level of the communication node and generating a corresponding authority control strategy;
the access control unit is used for dynamically adjusting the access authority of the communication node according to the authority control strategy generated by the authority management unit, so that the node can only access the authorized resources and functions;
And the log recording unit is used for recording all operation logs of identity verification and authority management, including the identity verification request, the verification result and the authority distribution condition of the node, so as to facilitate subsequent audit and tracing.
The rights management unit includes:
the authority inquiry, namely searching authority data matched with the node identity in an authority database according to the identity verification result, and acquiring a preset authority level and an access resource range of the node;
The authority control strategy generation comprises: generating a full access authority control strategy that allows the node to access all system resources if the node identity is legal and the authority level is administrator; generating a limited access authority control strategy that only allows the node to access the specified system resources if the node identity is legal and the authority level is user; and refusing access if identity verification of the node fails or the node has no authority level. Through this design, the authority management unit generates a flexible and dynamic authority control strategy according to the identity verification result of the node, the data in the authority database and real-time network conditions. This strategy generation mechanism ensures that nodes obtain appropriate access authority according to actual requirements in different scenarios, and effectively controls node access to system resources.
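The identity verification, authority query, policy generation, access control and logging steps described in the identity authentication module (both in the claims and in the detailed description above) are shown end to end below as an added example; it is not code from the patent or its assignee. The identity database, authority database, node ids and secrets are constructed; the database is keyed by a SHA-256 of an enrolled secret only so the example runs offline, whereas a real deployment would enrol certificates or salted credentials.

```python
import hashlib
import hmac
from datetime import datetime, timezone


def _h(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed prestored legal identity database: node id -> hash of the enrolled secret.
IDENTITY_DB = {
    "node-A": _h("secret-A"),
    "node-B": _h("secret-B"),
    "node-C": _h("secret-C"),
}

# Constructed authority database: node id -> (authority level, permitted resource scope).
PERMISSION_DB = {
    "node-A": ("administrator", ["*"]),
    "node-B": ("user", ["sensor/read", "telemetry/push"]),
    "node-C": ("none", []),
}

AUDIT_LOG = []  # log recording unit: every authentication request, result and permission assignment


def _log(event: str, node_id: str, **fields):
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "event": event, "node": node_id, **fields})


def verify_identity(node_id: str, presented_secret: str) -> bool:
    """Identity verification unit: compare presented identity against the legal identity database."""
    expected = IDENTITY_DB.get(node_id)
    # Constant-time comparison so a failed lookup and a wrong secret are indistinguishable in timing.
    ok = expected is not None and hmac.compare_digest(expected, _h(presented_secret))
    _log("auth_request", node_id, result="pass" if ok else "fail")
    return ok


def generate_policy(node_id: str, presented_secret: str) -> dict:
    """Authority management unit: query the authority level and produce the access control policy."""
    if not verify_identity(node_id, presented_secret):
        policy = {"decision": "deny", "resources": []}
    else:
        level, scope = PERMISSION_DB.get(node_id, ("none", []))
        if level == "administrator":
            policy = {"decision": "allow_all", "resources": ["*"]}
        elif level == "user":
            policy = {"decision": "allow_limited", "resources": list(scope)}
        else:  # legal identity but no authority level
            policy = {"decision": "deny", "resources": []}
    _log("policy_assigned", node_id, **policy)
    return policy


def is_access_allowed(policy: dict, resource: str) -> bool:
    """Access control unit: enforce the generated policy for one resource request."""
    if policy["decision"] == "allow_all":
        return True
    if policy["decision"] == "allow_limited":
        return resource in policy["resources"]
    return False


if __name__ == "__main__":
    for node, secret in (("node-A", "secret-A"), ("node-B", "secret-B"), ("node-B", "guess"), ("node-C", "secret-C")):
        pol = generate_policy(node, secret)
        print(node, pol, "sensor/read:", is_access_allowed(pol, "sensor/read"))
    for entry in AUDIT_LOG:
        print(entry)
```

Deny is the result for every path that is not explicitly administrator or user, including an unknown node, a wrong secret and a legal node with no authority level, so a new branch in the permission data cannot accidentally widen access. The audit log records both the request and the assigned policy, which is what the log recording unit needs for later tracing.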
The data integrity detection module comprises a hash value generation unit, a signature generation unit, a data receiving unit, a hash value verification unit, a signature verification unit and a tamper detection unit, wherein:
The hash value generation unit is used for receiving the data to be transmitted and generating a hash value of the data by using a hash algorithm of SHA-256, wherein the hash value is a unique representation of the data, any tiny data change can cause the change of the hash value, and the integrity of the data is ensured;
the signature generation unit is used for carrying out signature processing on the data by using the generated hash value and a prestored private key before data transmission to generate a digital signature of the data, wherein the signature can be used for verifying the integrity of the data and ensuring that the data is not tampered;
the data receiving unit is used for receiving the data transmitted by the node of the Internet of things and the digital signature attached to the data, and the received data comprises the original data and the signature information generated by the signature generating unit;
the hash value verification unit is used for recalculating the hash value of the received data and comparing the hash value with the received hash value, and if the comparison result is consistent, the data is not tampered, and if the comparison result is inconsistent, the data is tampered;
the signature verification unit is used for verifying the signature by combining the received data and the digital signature attached to the received data with the stored public key to judge whether the data is tampered;
The tamper detection unit is used for generating alarm information and triggering a security response when it detects, from the results of the hash value verification unit and the signature verification unit, that the data has been tampered with; the response comprises preventing the data from being transmitted further or notifying a system administrator. Through this design, the data integrity detection module strictly verifies the integrity of transmitted data by means of hash values and digital signatures, ensuring that data is not tampered with during transmission. The hash value generation unit and the signature generation unit provide an effective data verification mechanism that ensures the validity and integrity of the data, so that tampering can be discovered in time and the corresponding security response triggered, effectively ensuring the security and reliability of data in the Internet of Things system.
The signature verification unit includes:
Calculating the hash value of the received data using the SHA-256 hash algorithm, with the formula H(P) = SHA-256(P), where H(P) is the hash value of the data P;
Decrypting the extracted digital signature with the public key to obtain the hash value used at signing time, expressed as H_signing = decryption(signature, public key);
Comparing whether the calculated hash value H(P) is consistent with the decrypted hash value H_signing, with the formula as follows:
Tamper judgment: if the verification result is valid, the data is confirmed as not tampered with and is allowed to continue to be transmitted and processed; if the verification result is invalid, the data is judged to have been tampered with and the corresponding security response is triggered. Through this design, the strategy selection unit carries out strict signature verification by combining the received data and the attached digital signature with the stored public key, so that whether the data has been tampered with in transit is accurately judged; this mechanism ensures the integrity and source credibility of the data and prevents malicious tampering from affecting the system.
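The signing, hash recovery and comparison steps above, as an added example that is not part of the patent: Go's standard library does the SHA-256 hashing and RSA signing; the PKCS#1 v1.5 scheme, the 2048-bit key and the sample payload are this example's assumptions, and RecoverSignedHash shows the page's H_signing = decryption(signature, public key) step on real key material.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// SignedPacket is what the data receiving unit gets: payload plus attached signature.
type SignedPacket struct {
	Payload   []byte
	Signature []byte
}

// GenerateNodeKey stands in for the node's pre-stored private key (assumed 2048-bit RSA).
func GenerateNodeKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign covers the hash value generation and signature generation units:
// H(P) = SHA-256(P), then H(P) is signed with the private key (PKCS#1 v1.5, assumed here).
func Sign(priv *rsa.PrivateKey, payload []byte) (SignedPacket, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedPacket{}, err
	}
	return SignedPacket{Payload: payload, Signature: sig}, nil
}

// RecoverSignedHash applies H_signing = decryption(signature, public key) literally:
// the RSA public operation s^e mod n yields the PKCS#1 v1.5 encoded block, whose
// trailing 32 bytes are the SHA-256 digest the signer used (shown for illustration only).
func RecoverSignedHash(pub *rsa.PublicKey, sig []byte) ([]byte, error) {
	if len(sig) != pub.Size() {
		return nil, errors.New("signature length does not match key size")
	}
	s := new(big.Int).SetBytes(sig)
	em := new(big.Int).Exp(s, big.NewInt(int64(pub.E)), pub.N).Bytes()
	if len(em) < sha256.Size {
		return nil, errors.New("recovered block too short")
	}
	return em[len(em)-sha256.Size:], nil
}

// Verify covers the hash value verification and signature verification units:
// recompute H(P), recover H_signing, compare, then run the library's full check,
// which also validates the padding and DigestInfo prefix the bare comparison ignores.
func Verify(pub *rsa.PublicKey, pkt SignedPacket) (bool, error) {
	digest := sha256.Sum256(pkt.Payload)
	signed, err := RecoverSignedHash(pub, pkt.Signature)
	if err != nil {
		return false, err
	}
	if !bytes.Equal(digest[:], signed) {
		return false, nil // H(P) != H_signing: payload or signature altered in transit
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], pkt.Signature); err != nil {
		return false, nil
	}
	return true, nil
}

// TamperCheck is the tamper detection unit: an invalid result blocks forwarding and raises an alarm.
func TamperCheck(pub *rsa.PublicKey, pkt SignedPacket) (forward bool, alarm string) {
	ok, err := Verify(pub, pkt)
	switch {
	case err != nil:
		return false, "ALERT: malformed signature: " + err.Error()
	case !ok:
		return false, "ALERT: integrity check failed, transmission blocked"
	}
	return true, ""
}

func main() {
	priv, _ := GenerateNodeKey()
	// Constructed sample reading; any byte changed after signing must be caught.
	pkt, _ := Sign(priv, []byte(`{"node":"sensor-17","temp":21.5}`))
	fmt.Println(TamperCheck(&priv.PublicKey, pkt))
	pkt.Payload[len(pkt.Payload)-2] = '9' // 21.5 -> 21.9 in transit
	fmt.Println(TamperCheck(&priv.PublicKey, pkt))
}
```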
The intrusion detection module comprises a flow monitoring unit, a feature extraction unit, a threat identification unit and an alarm generation unit, wherein:
the flow monitoring unit is used for continuously monitoring communication flow among the nodes of the Internet of things and collecting metadata and content information of the data packet, wherein the metadata and the content information comprise a source address, a destination address, a port number, a protocol type, the size of the data packet and a transmission rate;
The feature extraction unit is used to extract features from the monitored communication traffic, such as the transmission rate and size of the data packets, the packet frequency and the trend of change in the packet frequency, and to pass the extracted features to the threat identification unit;
The threat identification unit is used for classifying and analyzing the extracted feature vectors by utilizing a decision tree algorithm and identifying potential security threats;
The alarm generation unit is used to generate and record security alarm information and to send an alarm notification to the system administrator when the threat identification unit detects a security threat. Through this design, the intrusion detection module comprehensively monitors and analyzes the communication traffic between the Internet of Things nodes and accurately identifies potential security threats using the decision tree algorithm; once a threat is detected, the alarm generation unit promptly generates and records the alarm information and notifies the system administrator to take corresponding measures, so that intrusion behaviour is effectively prevented and handled and the overall security protection capability of the system is improved.
The threat identification unit includes:
Receiving the feature vector: receiving the feature vector from the feature extraction unit and normalizing it;
Decision tree model application: inputting the received feature vector into a pre-trained decision tree model, making a layer-by-layer decision according to each attribute value in the feature vector, and determining whether the data packet carries a security threat;
Classification decision step: based on the attribute values of the feature vector and according to the predefined decision rules, the decision tree model starts from the root node, compares the feature values with the node split values in turn, and traverses downwards along the corresponding branch path until a leaf node is reached, thereby classifying whether the data packet is a potential security threat;
The predefined decision rules include:
Rule 1: if the source address of the data packet is an IP address in the blacklist and the transmission rate exceeds 1000 packets/second, classify the data packet as a "denial of service attack (DoS)";
Rule 2: if the protocol type of the data packet is an abnormal (non-standard) protocol and the port number is a high-risk port (e.g., 8080), classify the data packet as "malware propagation";
Rule 3: if the size of the data packet is smaller than 50 bytes and the transmission rate suddenly increases, classify the data packet as an "information leakage attempt";
Rule 4: if the source address and destination address of the data packet change frequently and the system load is higher than 80%, classify the data packet as a "man-in-the-middle attack";
Rule 5: if both the source address and the destination address of the data packet are internal network addresses but the protocol type is an external suspicious protocol, classify the data packet as an "internal threat";
Rule 6: if the transmission rate of the data packet exceeds twice the normal level and the size of the data packet fluctuates continuously, classify the data packet as an "abnormal traffic mode";
Rule 7: if the source address of the data packet comes from an unauthorized geographic area and the protocol type is a high-risk protocol, classify the data packet as a "geographic location anomaly attack";
Rule 8: if the source address of the data packet is a known malicious IP and the protocol type is a standard protocol, classify the data packet as "known malicious activity";
Rule 9: if the size of the data packet keeps increasing while the transmission rate remains stable, classify the data packet as a "data packet expansion attack";
Rule 10: if the source address and destination address of the data packet match a particular attack pattern (e.g., a scan attack), classify the data packet as a "scan attack";
Determining the threat type: after the leaf node is reached, determine the specific threat type of the data packet according to the classification label of the leaf node.
The decision tree model application step comprises the following steps:
Step 1: according to each attribute value in the feature vector, apply the predefined decision rules (rule 1 to rule 10) one by one and judge whether the data packet meets the characteristic conditions of a specific threat type;
Step 2: once the data packet meets the conditions of a rule, classify the data packet into the corresponding threat type and stop matching further rules;
Step 3: if the data packet meets the conditions of several rules, select the most serious threat type for classification according to a preset priority order. Through this design, the threat identification unit can achieve efficient and accurate monitoring and identification of security threats in the Internet of Things environment, thereby markedly improving the security protection level of the data as a whole and ensuring reliable operation of the Internet of Things system.
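Rules 1 to 10 and the three application steps above, as an added example that is not the patent's own code: the Features fields, the severity ordering of the rules (the page leaves the priority order unspecified) and the high-risk port list beyond 8080 are this example's assumptions, and the constructed feature vectors in main are not captured traffic.

```go
package main

import "fmt"

// Features is the normalized feature vector from the feature extraction unit.
// The concrete fields are this example's assumption; the boolean flags stand for
// the trend features the rules name (rate spike, address churn, size fluctuation).
type Features struct {
	SrcBlacklisted     bool    // rule 1 / rule 8: source on the blacklist (known malicious IP)
	PacketsPerSecond   float64 // rule 1 / rule 6: observed transmission rate
	NormalRate         float64 // rule 6: baseline rate for this link (assumed known)
	NonStandardProto   bool    // rule 2 / rule 8: abnormal (non-standard) protocol
	DstPort            int     // rule 2: port number
	PacketSize         int     // rule 3: packet size in bytes
	RateSpike          bool    // rule 3: transmission rate suddenly increases
	AddrChurn          bool    // rule 4: source and destination change frequently
	SystemLoad         float64 // rule 4: system load in percent
	SrcInternal        bool    // rule 5: source is an internal network address
	DstInternal        bool    // rule 5: destination is an internal network address
	ExternalSuspicious bool    // rule 5: external suspicious protocol
	SizeFluctuating    bool    // rule 6: packet size fluctuates continuously
	UnauthorizedRegion bool    // rule 7: source geolocated to an unauthorized area
	HighRiskProto      bool    // rule 7: high-risk protocol
	SizeGrowing        bool    // rule 9: packet size keeps increasing
	RateStable         bool    // rule 9: transmission rate stays stable
	ScanPattern        bool    // rule 10: address pair matches a scan pattern
}

// Rule is one branch of the tree: a predicate on the feature vector and the leaf label.
type Rule struct {
	Name  string
	Label string
	Match func(f Features) bool
}

// HighRiskPorts is an assumed list; the page names 8080 as its example.
var HighRiskPorts = map[int]bool{8080: true}

// Rules holds rule 1 to rule 10 in an assumed severity order, so that taking
// the first match (step 2) also yields the most serious type when several
// rules fire at once (step 3).
var Rules = []Rule{
	{"rule 1", "denial of service attack (DoS)", func(f Features) bool { return f.SrcBlacklisted && f.PacketsPerSecond > 1000 }},
	{"rule 4", "man-in-the-middle attack", func(f Features) bool { return f.AddrChurn && f.SystemLoad > 80 }},
	{"rule 2", "malware propagation", func(f Features) bool { return f.NonStandardProto && HighRiskPorts[f.DstPort] }},
	{"rule 8", "known malicious activity", func(f Features) bool { return f.SrcBlacklisted && !f.NonStandardProto }},
	{"rule 5", "internal threat", func(f Features) bool { return f.SrcInternal && f.DstInternal && f.ExternalSuspicious }},
	{"rule 7", "geographic location anomaly attack", func(f Features) bool { return f.UnauthorizedRegion && f.HighRiskProto }},
	{"rule 3", "information leakage attempt", func(f Features) bool { return f.PacketSize < 50 && f.RateSpike }},
	{"rule 9", "data packet expansion attack", func(f Features) bool { return f.SizeGrowing && f.RateStable }},
	{"rule 10", "scan attack", func(f Features) bool { return f.ScanPattern }},
	{"rule 6", "abnormal traffic mode", func(f Features) bool { return f.NormalRate > 0 && f.PacketsPerSecond > 2*f.NormalRate && f.SizeFluctuating }},
}

// Classify walks the tree from the root: the first rule whose predicate holds is
// the leaf reached, and its label is the threat type. No match means benign.
func Classify(f Features) (rule, label string) {
	for _, r := range Rules {
		if r.Match(f) {
			return r.Name, r.Label
		}
	}
	return "", "benign"
}

// Alarm is the alarm generation unit's record for one classified packet
// (empty string when nothing needs to be raised).
func Alarm(src string, f Features) string {
	rule, label := Classify(f)
	if rule == "" {
		return ""
	}
	return fmt.Sprintf("ALERT src=%s type=%q matched=%s", src, label, rule)
}

func main() {
	// Constructed feature vectors, not captured traffic.
	flood := Features{SrcBlacklisted: true, PacketsPerSecond: 4200, NormalRate: 300}
	quiet := Features{PacketsPerSecond: 20, NormalRate: 25, PacketSize: 512, DstPort: 443}
	fmt.Println(Alarm("198.51.100.7", flood)) // rule 1 wins over rule 8, which also matches
	fmt.Printf("%q\n", Alarm("10.0.0.5", quiet))
}
```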
The invention is intended to cover any alternatives, modifications, equivalents, and variations that fall within the spirit and scope of the invention. In the foregoing description of preferred embodiments of the invention, specific details are set forth in order to provide a thorough understanding of the invention; those skilled in the art will fully understand the invention even without such details. In other instances, well-known methods, procedures, flows, components, circuits, and the like have not been described in detail so as not to unnecessarily obscure aspects of the present invention.
The foregoing is merely a preferred embodiment of the present invention and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present invention, which are intended to be comprehended within the scope of the present invention.

Claims (7)

1. A distributed data security protection system based on Internet of Things nodes, characterized by including a security negotiation module, a dynamic encryption module, an identity authentication module, a data integrity detection module, and an intrusion detection module; wherein:
Security negotiation module: configured on each IoT node and used, when a communication connection is established between nodes, to dynamically select encryption algorithms, authentication mechanisms, and data transmission strategies based on the node's real-time security status and network environment, and to generate the corresponding security configuration parameters;
The security negotiation module includes a security status monitoring unit, a network environment monitoring unit, a policy selection unit, and a configuration parameter generation unit; wherein:
Security status monitoring unit: used to monitor the security status of each IoT node in real time, including the node's authentication status and system load;
Network environment monitoring unit: used to monitor the current network environment parameters, including network bandwidth, latency, and node connection quality;
Policy selection unit: based on the data provided by the security status monitoring unit and the network environment analysis unit, dynamically selects encryption algorithms, authentication mechanisms, and data transmission strategies to meet the security requirements between different nodes;
Configuration parameter generation unit: used to generate the corresponding security configuration parameters according to the selection result of the policy selection unit, and to pass the security configuration parameters to the dynamic encryption module and the identity authentication module;
The policy selection unit includes:
Encryption algorithm selection: if the network bandwidth is less than 10 Mbps and the node load is greater than 80%, the AES symmetric encryption algorithm, which has low computational complexity, is preferred; if the network bandwidth is greater than 100 Mbps and the node load is less than 50%, the RSA asymmetric encryption algorithm, which has high encryption strength, is preferred;
Authentication mechanism selection: if the node authentication status is normal and the system load is less than 50%, the authentication mechanism based on a public key infrastructure is selected; if the node load is greater than 80%, the authentication mechanism based on a shared key is selected;
Data transmission strategy selection: if the network delay is less than 50 ms and the bandwidth is greater than 100 Mbps, a lossless transmission strategy is selected and the TCP protocol is used for data transmission; if the network delay is greater than 200 ms or the bandwidth is less than 10 Mbps, a fault-tolerant transmission strategy is selected and the UDP protocol is used in combination with a retransmission mechanism;
Dynamic encryption module: connected to the security negotiation module, used to receive the security configuration parameters and to encrypt the transmitted data based on node feature information and the current network status;
Identity authentication module: used to authenticate nodes, verify the legitimacy of nodes and determine node access rights, ensuring that only authorized nodes can participate in data exchange;
Data integrity detection module: used to perform an integrity check on data in transmission, verifying whether the data has been tampered with by generating the hash value and signature information of the data;
The data integrity detection module includes a hash value generation unit, a signature generation unit, a data receiving unit, a hash value verification unit, a signature verification unit, and a tamper detection unit; wherein:
Hash value generation unit: used to receive the data to be transmitted and to generate the hash value of the data using the SHA-256 hash algorithm;
Signature generation unit: used, before data transmission, to sign the data using the generated hash value and the pre-stored private key, generating a digital signature of the data;
Data receiving unit: used to receive the data transmitted from IoT nodes and the accompanying digital signature; the received data includes the original data and the signature information generated by the signature generation unit;
Hash value verification unit: used to recalculate the hash value of the received data and compare it with the received hash value; if the comparison result is consistent, the data has not been tampered with; if the comparison result is inconsistent, the data has been tampered with;
Signature verification unit: uses the received data and its accompanying digital signature, combined with the stored public key, to verify the signature and determine whether the data has been tampered with;
Tamper detection unit: based on the results of the hash value verification unit and the signature verification unit, used to generate an alarm message and trigger a security response when it detects that the data has been tampered with, including blocking further transmission of the data or notifying the system administrator;
Intrusion detection module: used to monitor the communication traffic of IoT nodes, analyzing and identifying potential security threats in real time to prevent intrusion behaviour from affecting the system.
2. The distributed data security protection system based on Internet of Things nodes according to claim 1, characterized in that the dynamic encryption module includes an encryption algorithm selection unit, a key management unit, and a data encryption processing unit; wherein:
Encryption algorithm selection unit: selects the encryption algorithm based on node feature information and the current network status, including the symmetric encryption algorithm AES and the asymmetric encryption algorithm RSA;
Key management unit: used to generate the corresponding encryption key according to the selected encryption algorithm;
Data encryption processing unit: uses the encryption algorithm selected by the encryption algorithm selection unit and the key generated by the key management unit to encrypt the data to be transmitted, ensuring the confidentiality and integrity of the data during transmission.
3. The distributed data security protection system based on Internet of Things nodes according to claim 1, characterized in that the identity authentication module includes an identity verification unit, an authority management unit, an access control unit, and a log recording unit; wherein:
Identity verification unit: used to receive identity information from communication nodes and to verify the legitimacy of communication nodes by comparing it with a pre-stored legal identity database, ensuring that only legitimate nodes can pass authentication;
Authority management unit: used to consult the authority database based on the verification result of the identity verification unit, determine the access authority level of the communication node, and generate the corresponding authority control policy;
Access control unit: used to dynamically adjust the access rights of communication nodes according to the authority control policy generated by the authority management unit, ensuring that nodes can only access the resources and functions they are authorized for;
Log recording unit: used to record all identity verification and authority management operation logs, including node authentication requests, verification results, and authority allocation.
4. The distributed data security protection system based on Internet of Things nodes according to claim 3, characterized in that the authority management unit comprises:
Authority query: based on the identity verification result, the authority database is searched for authority data matching the node identity, and the node's preset authority level and accessible resource scope are obtained;
Authority control policy generation: if the node identity is legitimate and the authority level is administrator, a full access authority control policy is generated, allowing the node to access all system resources; if the node identity is legitimate and the authority level is user, a limited access authority control policy is generated, allowing the node to access only the specified system resources; if node identity verification fails or the authority level is no authority, access is denied.
5. The distributed data security protection system based on Internet of Things nodes according to claim 1, characterized in that the signature verification unit comprises:
Calculating the hash value of the received data using the SHA-256 hash algorithm, with the formula H(P) = SHA-256(P), where H(P) is the hash value of the data P;
Decrypting the extracted digital signature using the public key to obtain the hash value used at signing time, expressed as H_signature = decryption(signature, public key);
Comparing whether the calculated hash value H(P) and the decrypted hash value H_signature are consistent, with the formula:
Tampering judgment: if the verification result is valid, the data is confirmed as not tampered with and is allowed to continue to be transmitted and processed; if the verification result is invalid, the data is judged to have been tampered with and the corresponding security response is triggered.
6. The distributed data security protection system based on Internet of Things nodes according to claim 1, characterized in that the intrusion detection module includes a traffic monitoring unit, a feature extraction unit, a threat identification unit, and an alarm generation unit; wherein:
Traffic monitoring unit: used to continuously monitor the communication traffic between IoT nodes and to collect metadata and content information of the data packets, including source address, destination address, port number, protocol type, packet size, and transmission rate;
Feature extraction unit: used to extract features from the monitored communication traffic and to pass the extracted features to the threat identification unit;
Threat identification unit: uses a decision tree algorithm to classify and analyze the extracted feature vectors and identify potential security threats;
Alarm generation unit: when the threat identification unit detects a security threat, generates and records security alarm information and sends an alarm notification to the system administrator.
7. The distributed data security protection system based on Internet of Things nodes according to claim 6, characterized in that the threat identification unit comprises:
Receiving the feature vector: receiving the feature vector from the feature extraction unit and normalizing it;
Decision tree model application: the received feature vector is input into a pre-trained decision tree model, and layer-by-layer decisions are made based on the attribute values in the feature vector to determine whether the data packet poses a security threat;
Classification decision step: based on the attribute values of the feature vector and following the predefined decision rules, the decision tree model starts from the root node, compares the feature values with the node split values in sequence, and traverses down the corresponding branch path until it reaches a leaf node, thereby classifying whether the data packet is a potential security threat;
Threat type determination step: after reaching the leaf node, the specific threat type of the data packet is determined from the classification label of the leaf node.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411963373.9A CN119766556B (en) 2024-12-30 2024-12-30 A distributed data security protection system based on Internet of Things nodes

Publications (2)

Publication Number Publication Date
CN119766556A CN119766556A (en) 2025-04-04
CN119766556B true CN119766556B (en) 2025-09-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant