CN116405089A - A path verification method and device for satellite Internet - Google Patents
- Publication number: CN116405089A (CN202310219167.6A)
- Authority: CN (China)
- Prior art keywords: delay, ground station, path, station, satellite
- Legal status (an assumption, not a legal conclusion): Granted
Description
Technical field
The invention relates to the technical field of satellite communication, and in particular to a path verification method and device for the satellite Internet.
Background
In recent years, low-orbit mega-constellations have provided user terminals accessing the satellite Internet with globally covered, low-latency network services, improving the user experience. However, a large number of inter-satellite links are deployed in such constellations, which, compared with satellite communication systems operating in bent-pipe mode, makes them genuinely networked; this means that low-orbit mega-constellations face an unprecedented threat of network attack. Route hijacking is one of the most common network attacks on the Internet today: by various means, the attacker modifies the original forwarding path of data packets so that they fall into a routing black hole or pass through unsafe areas such as eavesdropping nodes, compromising the security of user data. Low-orbit mega-constellations face the same problem, and, compared with tightly secured ground nodes such as data centers, the global exposure of satellite nodes places them in view of a huge number of potential attackers. In addition, because satellite nodes remain in uncontrolled areas for long periods and lack ground measurement and control support facilities, it is difficult to sense and defend against an attack in its early stage. Detecting route hijacking is therefore particularly necessary.
Path verification is one of the main means of detecting route hijacking. Its purpose is to enable a node or terminal to verify whether the upstream forwarding path is consistent with the expected forwarding path, so as to detect attacks of this kind that involve path tampering. Most existing path verification methods use a hop-by-hop verification mechanism: under the implicit assumption that the network topology is stable, an expected forwarding path is designated for the source, and shared keys are generated between the nodes on that path; each node performs a cryptographic operation on the data packet to generate an encrypted mark and embeds it in the packet header, where it travels with the data; the next node checks the encrypted mark to prove that the packet did pass through the previous node. Verifying hop by hop in this way establishes the consistency of the actual forwarding path with the expected forwarding path.
In the satellite Internet, however, satellite-ground links switch frequently, on the scale of minutes, so the network topology is always changing rapidly, routing has to reconverge on each new topology, and there is no longer a stable end-to-end forwarding path. When the topology changes, the expected forwarding path that was designated for the source under the implicit assumption of a stable topology no longer reflects the current situation, and path verification loses its stable criterion. Whenever a satellite-ground link switches, the shared keys between nodes have to be regenerated and the hop-by-hop verification of the actual forwarding path against the expected forwarding path has to be repeated; these operations involve multiple signaling exchanges and encryption and decryption computations, resulting in a large signaling overhead and computational overhead. In addition, awareness of a topology change lags behind the change itself. In that case the change of the expected forwarding path is not reflected in the encrypted mark in time, which causes path nodes to misjudge data packets and drop them. How to provide a low-overhead, high-performance path verification scheme for the satellite Internet scenario has therefore become an urgent problem.
Summary of the invention
The invention provides a path verification method and device for the satellite Internet. Risk paths are detected from the outliers obtained by cluster analysis of the implicit mapping relationship between the delay and the geographic distance between ground stations, in place of the encrypted-mark matching check used by the hop-by-hop verification mechanism. Paths whose implicit delay-to-distance mapping relationship is found to be abnormal by clustering and physical-feature analysis are treated as paths on which route hijacking has occurred, which avoids the large signaling overhead and computational overhead that existing path verification techniques incur when paths change frequently under the dynamic topology of the satellite Internet.
In a first aspect, the invention provides a path verification method for the satellite Internet, the method comprising:
generating an inter-station distance matrix from the geographic location information of the ground stations;
aggregating the inter-station delay table of every ground station to obtain a global delay matrix;
differentiating the corresponding elements of the global delay matrix and the inter-station distance matrix to obtain a global delay gradient matrix;
performing statistical outlier analysis on the global delay gradient matrix, and taking the data transmission path of each ground station pair that has an outlier as a potential risk path;
when the potential risk path satisfies a first condition, determining that the potential risk path is a risk path;
wherein the inter-station delay table of each ground station stores the data transmission delay from each target ground station to that ground station, the target ground stations being the ground stations other than that ground station;
and the first condition is that the difference between the measured value and the theoretical estimated value of the data transmission delay is greater than the shortest data transmission delay of one round trip over a satellite-ground link.
According to the path verification method for the satellite Internet provided by the invention, the process of generating the inter-station delay table of the ground station comprises:
having the ground station locally create 4 inter-station delay sub-tables whose fields are the source ground station number and the data transmission delay; wherein the 4 inter-station delay sub-tables correspond to 4 access-satellite orbit directions, namely: uplink satellite northbound and downlink satellite southbound; uplink satellite northbound and downlink satellite northbound; uplink satellite southbound and downlink satellite northbound; and uplink satellite southbound and downlink satellite southbound;
within one measurement period, having each target ground station send delay measurement packets to the ground station at intervals of a preset duration; wherein a delay measurement packet is an IP data packet whose header has been extended with the source ground station number, the number of the source ground station's access satellite, and the sending timestamp;
having the ground station infer, from the delay measurement packets sent by each target ground station, the data transmission delay and the access-satellite orbit direction from that target ground station to the ground station;
using the number of each target ground station as the index, inserting the data transmission delay from that target ground station to the ground station into the inter-station delay sub-table corresponding to its access-satellite orbit direction, to obtain 4 populated inter-station delay sub-tables;
combining the 4 populated inter-station delay sub-tables to obtain the inter-station delay table of the ground station.
According to the path verification method for the satellite Internet provided by the invention, inferring the data transmission delay from the target ground station to the ground station from the measurement packets sent by the target ground station comprises:
entering into a first list the duration between the sending timestamp and the receiving time of each measurement packet sent by the target ground station;
filtering the durations in the first list and then taking the minimum, to obtain the data transmission delay from the target ground station to the ground station.
According to the path verification method for the satellite Internet provided by the invention, inferring the access-satellite orbit direction from the target ground station to the ground station from the measurement packets sent by the target ground station comprises:
inferring the access-satellite orbit direction from the target ground station to the ground station from the source ground station access satellite number in any measurement packet sent by the target ground station and the pre-stored two-line element sets of all satellites in the constellation.
According to the path verification method for the satellite Internet provided by the invention, performing statistical outlier analysis on the global delay gradient matrix comprises:
analyzing the global delay gradient matrix with a preset outlier detection algorithm, to select from the global delay gradient matrix the outliers that are greater than the safety threshold of the preset outlier detection algorithm;
the preset outlier detection algorithm includes, but is not limited to, the IQR test and the Grubbs test.
According to the path verification method for the satellite Internet provided by the invention, the shortest data transmission delay of one round trip over a satellite-ground link is determined from the orbital altitude of the satellite, and the measured value of the data transmission delay of the potential risk path is the value of the element of the global delay matrix that corresponds to the ground station pair of the potential risk path;
the process of determining the theoretical estimated value of the data transmission delay of the potential risk path comprises:
determining the adjacent paths of the potential risk path;
extracting from the global delay matrix the elements corresponding to the ground station pairs of the adjacent paths, to form a reference delay matrix;
for the ground station pairs within the scope of the reference delay matrix, determining the mapping relationship between data transmission delay and geographic distance by regression analysis;
determining the theoretical estimated value of the data transmission delay of the potential risk path from the mapping relationship and the inter-station distance of the ground station pair of the potential risk path.
According to the path verification method for the satellite Internet provided by the invention, determining the adjacent paths of the potential risk path comprises:
taking the paths that satisfy a second condition as the adjacent paths of the potential risk path;
wherein the second condition is:
the distance between the path's source and the source of the potential risk path is less than a first threshold, and
the distance between the path's destination and the destination of the potential risk path is less than a second threshold.
In a second aspect, the invention provides a path verification device for the satellite Internet, the device comprising:
an inter-station distance matrix generation module, configured to generate an inter-station distance matrix from the geographic location information of the ground stations;
a global delay matrix generation module, configured to aggregate the inter-station delay table of every ground station to obtain a global delay matrix;
a global delay gradient matrix generation module, configured to differentiate the corresponding elements of the global delay matrix and the inter-station distance matrix to obtain a global delay gradient matrix;
a potential risk path identification module, configured to perform statistical outlier analysis on the global delay gradient matrix and to take the data transmission path of each ground station pair that has an outlier as a potential risk path;
a risk path identification module, configured to determine that the potential risk path is a risk path when the potential risk path satisfies the first condition;
wherein the inter-station delay table of each ground station stores the data transmission delay from each target ground station to that ground station, the target ground stations being the ground stations other than that ground station;
and the first condition is that the difference between the measured value and the theoretical estimated value of the data transmission delay is greater than the shortest data transmission delay of one round trip over a satellite-ground link.
In a third aspect, the invention provides an electronic device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the program, it implements the path verification method for the satellite Internet described in the first aspect.
In a fourth aspect, the invention provides a non-transitory computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it implements the path verification method for the satellite Internet described in the first aspect.
The path verification method and device for the satellite Internet provided by the invention build an inter-station distance matrix from the geographic location information of the ground stations and a global delay matrix from the measured data transmission delays between ground stations, and differentiate the corresponding elements of the global delay matrix and the inter-station distance matrix to obtain a global delay gradient matrix. The global delay gradient matrix reflects the implicit mapping relationship between the data transmission delay and the geographic distance between ground stations; outlier detection on this matrix, from a global perspective, gives a preliminary screening of risk paths. A gradient anomaly may come not only from a detour caused by a path hijacking attack but also from local network congestion. To avoid misjudgment, and considering that for a path hijacking attack in the satellite Internet one additional downlink and uplink operation is an undeniable feature of the attack, a risk criterion is designed from the physical features of the attack: "if the difference between the measured value and the theoretical estimated value of the data transmission delay of a potential risk path is greater than the shortest data transmission delay of one round trip over a satellite-ground link, the potential risk path is a risk path". The potential risk paths are then verified against this criterion from a local perspective. The invention replaces the encrypted-mark matching check used by the hop-by-hop verification mechanism, avoids the large signaling overhead and computational overhead caused by frequent path changes under the dynamic topology of the satellite Internet, and improves the performance of path verification in the satellite Internet scenario.
Description of the drawings
To explain the technical solutions of the invention or of the prior art more clearly, the drawings used in the description of the embodiments or of the prior art are briefly introduced below. The drawings described below are some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram, from the prior art, of a path change caused by route hijacking;
Fig. 2 is a schematic diagram, from the prior art, of a satellite-ground handover causing the expected forwarding path to be updated;
Fig. 3 is a schematic flowchart of the path verification method for the satellite Internet provided by the invention;
Fig. 4 is a schematic diagram of the IP packet header extension provided by the invention;
Fig. 5 is a schematic diagram of the in-band delay measurement provided by the invention;
Fig. 6 is a schematic diagram of the preliminary screening using the global gradient matrix provided by the invention;
Fig. 7 is a schematic diagram of extracting adjacent paths by geographic location provided by the invention;
Fig. 8 is a schematic diagram of extracting adjacent paths to build the reference delay matrix provided by the invention;
Fig. 9 is an example diagram of the whole process provided by the invention;
Fig. 10 is a schematic structural diagram of the path verification device for the satellite Internet provided by the invention;
Fig. 11 is a schematic structural diagram of an electronic device implementing the path verification method for the satellite Internet provided by the invention.
Reference signs:
110: processor; 120: communication interface; 130: memory; 1140: communication bus.
Detailed description
To make the purpose, technical solutions and advantages of the invention clearer, the technical solutions of the invention are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained from them by a person of ordinary skill in the art without creative effort fall within the scope of protection of the invention.
The path verification method and device for the satellite Internet of the invention are described below with reference to Figs. 1 to 11.
The invention applies to satellite Internet scenarios in which ground stations switch their access satellites, and involves user-side equipment, ground stations and the satellite Internet. A user terminal accesses the satellite Internet through a nearby ground station, and the satellite nodes are connected by inter-satellite links. Fig. 1 is a schematic diagram of a path change caused by route hijacking in the satellite Internet scenario. As shown in Fig. 1, the expected path for data transmission in the satellite Internet is R1→R2→R3→R10→R5→R6→R7. The attacker hijacks routing at R10, which produces a downlink path from R10 to a ground station near the attacker and an uplink path from that ground station back to R10, so the data flow becomes R1→R2→R3→R10→attacker→R10→R5→R6→R7. The attacker can copy the data flow without anyone knowing, which seriously compromises the security of user data. Detecting route hijacking attacks is therefore crucial for satellite Internet applications.
Path verification is one of the main means of detecting route hijacking, and most existing path verification methods use a hop-by-hop verification mechanism. Fig. 2 is a schematic diagram of a satellite-ground handover causing the expected forwarding path to be updated. As shown in Fig. 2, when a satellite-ground handover occurs at the source, the path planning server switches the expected path for data transmission in the satellite Internet from R1→R2→R3→R4→R5→R6→R7 to R8→R9→R10→R5→R6→R7. The shared keys established for the expected path R1→R2→R3→R4→R5→R6→R7, and the encrypted marks generated from those keys and embedded in the packet header, no longer apply. New shared keys have to be established for the expected path R8→R9→R10→R5→R6→R7, and the path nodes' encrypted marks have to be recomputed with the new keys and inserted into the packet header. This series of operations involves multiple signaling exchanges and encryption and decryption computations, resulting in a large signaling overhead and computational overhead.
There are also path verification methods that rely on an expected forwarding path but differ from the hop-by-hop verification mechanism described in the Background, for example methods that verify a random selection of the satellite nodes on the expected path rather than all of them. These methods face the same technical defects. The invention makes improvements that address these defects.
In a first aspect, the invention provides a path verification method for the satellite Internet. As shown in Fig. 3, the method comprises:
S11. Generate an inter-station distance matrix from the geographic location information of the ground stations;
S12. Aggregate the inter-station delay table of every ground station to obtain a global delay matrix; wherein the inter-station delay table of each ground station stores the data transmission delay from each target ground station to that ground station, the target ground stations being the ground stations other than that ground station;
S13. Differentiate the corresponding elements of the global delay matrix and the inter-station distance matrix to obtain a global delay gradient matrix;
S14. Perform statistical outlier analysis on the global delay gradient matrix, and take the data transmission path of each ground station pair that has an outlier as a potential risk path;
S15. When the potential risk path satisfies the first condition, determine that the potential risk path is a risk path; wherein the first condition is that the difference between the measured value and the theoretical estimated value of the data transmission delay is greater than the shortest data transmission delay of one round trip over a satellite-ground link.
The path verification method for the satellite Internet provided by the invention builds an inter-station distance matrix from the geographic location information of the ground stations and a global delay matrix from the measured data transmission delays between ground stations, and differentiates the corresponding elements of the global delay matrix and the inter-station distance matrix to obtain a global delay gradient matrix. The global delay gradient matrix reflects the implicit mapping relationship between the data transmission delay and the geographic distance between ground stations; outlier detection on this matrix, from a global perspective, gives a preliminary screening of risk paths. A gradient anomaly may come not only from a detour caused by a path hijacking attack but also from local network congestion. To avoid misjudgment, and considering that for a path hijacking attack in the satellite Internet one additional downlink and uplink operation is an undeniable feature of the attack, a risk criterion is designed from the physical features of the attack: "if the difference between the measured value and the theoretical estimated value of the data transmission delay of a potential risk path is greater than the shortest data transmission delay of one round trip over a satellite-ground link, the potential risk path is a risk path". The potential risk paths are then verified against this criterion from a local perspective. The invention replaces the encrypted-mark matching check used by the hop-by-hop verification mechanism, avoids the large signaling overhead and computational overhead caused by frequent path changes under the dynamic topology of the satellite Internet, and improves the performance of path verification in the satellite Internet scenario.
Specifically, the present invention is executed by a processing center, a device with computing capability that may be one of the ground stations or a dedicated computing center. The processing center maintains the geographic location information of all ground stations of the constellation and the constellation feature information (satellite orbital altitude). For S11, the inter-station distances can therefore be calculated from the geographic location information of the ground stations to construct the inter-station distance matrix;
Further, the element in row i and column j of the inter-station distance matrix is the inter-station distance between the i-th ground station and the j-th ground station of the constellation.
Specifically, in S12, the inter-station delay table of each ground station stores the data transmission delay from any ground station in the constellation to that ground station. The processing center requests the inter-station delay table from every ground station and constructs the global delay matrix, using the data transmission delay from the source ground station to the destination ground station as the element content. That is, the element in row i and column j of the global delay matrix is the data transmission delay from the i-th ground station to the j-th ground station of the constellation.
The present invention extends the packet header in-band to form delay measurement packets, and accurately determines the data transmission delay between ground stations from the interval between the sending and the receiving of a delay measurement packet.
That is, the inter-station delay table of each ground station is generated as follows:
The ground station locally creates 4 inter-station delay sub-tables whose fields are the source ground station number and the data transmission delay; the 4 sub-tables correspond to the 4 combinations of access-satellite orbit direction involved when the source ground station goes up to its satellite and the destination ground station comes down from its satellite, namely: northbound on ascent and southbound on descent, northbound on ascent and northbound on descent, southbound on ascent and northbound on descent, and southbound on ascent and southbound on descent;
Within one measurement period, each target ground station is controlled to send delay measurement packets to the ground station at a preset interval; a delay measurement packet is an IP data packet whose header has embedded in it the source ground station number (SourceGS ID), the number of the source ground station's access satellite (Up SatID) and the send timestamp (Send Time);
With this step, each ground station can send n consecutive delay measurement packets to every other ground station within one measurement period, which avoids the inaccurate measurement of the data transmission delay between ground stations that results from sending only a single delay measurement packet.
Fig. 4 is a schematic diagram of the IP packet header extension. The present invention uses a one-way measurement based on the send timestamp, which avoids dependence on transport-layer protocols and the uncertainty of end-host processing.
The ground station estimates, from the delay measurement packets sent by each target ground station, the data transmission delay and the access-satellite orbit direction from that target ground station to the ground station;
It should be noted that the ground station receives delay measurement packets from multiple target ground stations within the measurement period. Before this step, on receiving each delay measurement packet the ground station records the receive time and parses the header; it then classifies the packets by the source ground station number in the header to obtain the delay measurement packets sent by each target ground station.
In this step, estimating the data transmission delay from the target ground station to the ground station from the measurement packets sent by the target ground station specifically includes:
Entering into a first list the duration between the send timestamp and the receive time of each measurement packet sent by the target ground station;
Filtering the durations in the first list and then taking the minimum, to obtain the data transmission delay from the target ground station to the ground station.
Here, the purpose of filtering the durations in the first list is to remove measurement glitches.
Estimating the access-satellite orbit direction from the target ground station to the ground station from the measurement packets sent by the target ground station includes:
Estimating the access-satellite orbit direction from the target ground station to the ground station from the source ground station's access satellite number in any one measurement packet sent by the target ground station and from the pre-stored two-line element information of all satellites in the constellation. Each ground station maintains the TLE (two-line element set) information of all satellites in the constellation;
It should be noted that the first line of the TLE information includes: line number (1), satellite number, classification, launch year and international launch number, TLE epoch (the year in which the TLE data was issued and the day of that year), first time derivative of the mean motion, second time derivative of the mean motion, BSTAR drag term, ephemeris type, element set number and checksum; the second line of the TLE information includes: line number (2), satellite number, angle between the orbital plane and the equatorial plane, right ascension of the ascending node, orbital eccentricity, argument of perigee, mean anomaly, mean motion (revolutions around the Earth per day), revolution number in orbit and checksum.
The position of a satellite at any time can be calculated from its TLE (two-line element set) information. Therefore the direction of travel of the access satellite can be estimated from the source ground station's access satellite number in any one measurement packet sent by the target ground station and from the pre-stored two-line element information of all satellites in the constellation. This is equivalent to determining the access-satellite orbit direction from the target ground station to the ground station, which locates the corresponding inter-station delay sub-table.
Using the number of each target ground station as the index, the data transmission delay from each target ground station to the ground station is inserted into the inter-station delay sub-table that corresponds to the access-satellite orbit direction from that target ground station to the ground station, giving 4 populated inter-station delay sub-tables;
The 4 populated inter-station delay sub-tables are combined to obtain the inter-station delay table of the ground station.
It should be noted that the present invention assumes that two ground stations always transmit their data flows over the path with the shortest delay between them, so the data transmission delay between two ground stations corresponds to that shortest-delay path.
Fig. 5 is a schematic diagram of the in-band delay measurement corresponding to the generation process of the inter-station delay table described above.
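The table-building steps above, as an added example that is not code from the patent: a receiving ground station turns one measurement period of delay measurement packets into its four sub-tables. The header field widths, the median-absolute-deviation filter and the `SAT_HEADING` lookup that stands in for TLE propagation are assumptions of this example; the packets are constructed.

```python
import statistics
import struct
from collections import defaultdict

# Assumed wire layout of the header extension. The page names the fields
# (SourceGS ID, Up SatID, Send Time) but not their widths.
HDR = struct.Struct("!HHQ")   # station id, satellite id, send time in microseconds

# Constructed stand-in for the heading ("N" or "S") a station would derive by
# propagating its stored TLE for the satellite to the measurement time.
SAT_HEADING = {101: "N", 102: "S", 201: "N"}

# (heading of the source's uplink satellite, heading of the local downlink satellite)
SUBTABLES = [("N", "S"), ("N", "N"), ("S", "N"), ("S", "S")]


def parse_header(raw):
    """Return (source_gs, up_sat, send_time_us) from a delay measurement header."""
    if len(raw) < HDR.size:
        raise ValueError("truncated delay measurement header")
    return HDR.unpack_from(raw)


def filtered_min(durations_us, k=3.0, floor_us=1):
    """Remove glitches, then take the minimum, in the order the page gives.

    The filter itself is an assumption: samples further than k * MAD from the
    median are dropped, as are non-positive durations (clock error).
    """
    med = statistics.median(durations_us)
    mad = statistics.median(abs(d - med) for d in durations_us)
    band = k * max(mad, floor_us)
    keep = [d for d in durations_us if d > 0 and abs(d - med) <= band]
    if not keep:
        raise ValueError("no usable delay samples")
    return min(keep)


def build_delay_table(received, down_sat):
    """received: (raw_header, receive_time_us) pairs from one measurement period;
    down_sat: the satellite this station is currently attached to."""
    durations = defaultdict(list)
    up_sat_of = {}
    for raw, recv_us in received:
        src, up_sat, send_us = parse_header(raw)
        durations[src].append(recv_us - send_us)     # the "first list", per source
        up_sat_of.setdefault(src, up_sat)            # any one packet suffices
    table = {key: {} for key in SUBTABLES}
    for src, samples in durations.items():
        key = (SAT_HEADING[up_sat_of[src]], SAT_HEADING[down_sat])
        table[key][src] = filtered_min(samples)      # indexed by source station
    return table


def sample_packets():
    """Constructed period: station 7 via satellite 101, station 9 via 102.
    The 12000 us sample is a glitch that a bare min() would have picked."""
    t0 = 1_700_000_000_000_000
    out = []
    for src, sat, samples in [(7, 101, [41200, 41350, 41180, 41900, 12000, 41260]),
                              (9, 102, [63010, 63000, 63400])]:
        for i, d in enumerate(samples):
            send = t0 + i * 100_000
            out.append((HDR.pack(src, sat, send), send + d))
    return out


if __name__ == "__main__":
    for key, rows in build_delay_table(sample_packets(), down_sat=201).items():
        print(key, rows)
```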
Specifically, in S13, the element values of the global delay gradient matrix reflect how the data transmission delay between two ground stations varies with distance.
That is, the element in row i and column j of the global delay gradient matrix reflects the mapping between the data transmission delay from the i-th ground station to the j-th ground station of the constellation and the distance from the i-th ground station to the j-th ground station.
In a dynamic network the expected forwarding path (the expected sequence of path nodes) varies with time and is no longer suitable as the reference for path verification. The present invention uses the mapping between data transmission delay and geographic distance as the new quantity to compare against; by decoupling verification from the specific access satellites, it removes the need to recompute the verification reference after each satellite-ground handover and avoids the large overhead of that recomputation.
Specifically, in S14, performing statistical outlier analysis on the global delay gradient matrix includes:
Analyzing the global delay gradient matrix with a preset outlier detection algorithm, to select from the global delay gradient matrix the outliers that exceed the safety threshold of the preset outlier detection algorithm;
The preset outlier detection algorithm includes but is not limited to the IQR test and the Grubbs test.
The present invention uses the implicit mapping between the data transmission delay and the geographic distance of a ground station pair (that is, source ground station and destination ground station) as the quantity compared in satellite Internet path verification, and carries out a two-stage path verification from global to local, which improves the performance of path verification in satellite Internet scenarios. S14 is the operation step of the global verification stage (the preliminary screening stage).
Fig. 6 is a schematic diagram of preliminary screening with the global gradient matrix. As shown in Fig. 6, on the assumption that an attacker cannot compromise most nodes of the satellite Internet, most elements of the global delay gradient matrix should follow a similar mapping between delay and distance. Statistical outlier analysis is therefore performed on the global delay gradient matrix to screen, from a global perspective, for ground station pairs (GS-GS) with an abnormal gradient, and the data transmission path of each such ground station pair (GS-GS) is taken as a potential risk path;
It should be noted that the safety threshold of the outlier detection algorithm is usually set empirically.
Specifically, S15 is the local verification stage. The gradient anomaly of a ground station pair may be caused by the detour of a path hijacking attack, but it may also come from local network congestion. For a path hijacking attack in the satellite Internet, one additional descent from and ascent to a satellite is an undeniable attack feature. A risk path therefore satisfies an undeniable physical constraint: the difference between the measured value and the theoretical estimated value of its data transmission delay is greater than the RTT of the satellite-ground link (the shortest data transmission delay of one round trip over the satellite-ground link). From this constraint the present invention constructs the criterion for verifying whether a potential risk path is a risk path: if the difference between the measured value and the theoretical estimated value of the data transmission delay of the potential risk path is greater than the shortest data transmission delay of one round trip over the satellite-ground link, the potential risk path is determined to be a risk path. This completes the risk verification of the potential risk path from a local perspective.
Here, the shortest data transmission delay of one round trip over the satellite-ground link is determined from the orbital altitude of the satellites; the present invention assumes that the satellites of a constellation are deployed in the same shell and have the same orbital altitude.
The measured value of the data transmission delay of the potential risk path is the element of the aforementioned global delay matrix that corresponds to the ground station pair of the potential risk path;
The theoretical estimated value of the data transmission delay of the potential risk path is determined as follows:
Determining the adjacent paths of the potential risk path;
That is, the adjacent paths of the potential risk path are selected according to a set reference distance and the geographic locations of the source ground station and the destination ground station of the potential risk path. Fig. 7 is a schematic diagram of extracting adjacent paths by geographic location. As shown in Fig. 7, determining the adjacent paths of the potential risk path specifically includes:
Taking the paths that satisfy a second condition as the adjacent paths of the potential risk path;
wherein the second condition is:
the distance between the source end and the source end of the potential risk path is less than a first threshold, and
the distance between the destination end and the destination end of the potential risk path is less than a second threshold.
It should be noted that the first threshold and the second threshold are determined empirically. The potential risk path and its adjacent paths are very likely to be in a similar congestion environment.
Extracting from the global delay matrix the elements that correspond to the ground station pairs of the adjacent paths, to form a reference delay matrix;
Fig. 8 is a schematic diagram of extracting adjacent paths to construct the reference delay matrix. The clustering characteristics of the reference delay matrix reflect the congestion near the potential risk path.
For the ground station pairs within the scope of the reference delay matrix, determining the mapping between data transmission delay and geographic distance by regression analysis;
Taking the ground station pairs of the adjacent paths of the potential risk path as reference, regression analysis models the mapping between data transmission delay and geographic distance in the area around the potential risk path.
Determining the theoretical estimated value of the data transmission delay of the potential risk path from the mapping and from the inter-station distance of the ground station pair of the potential risk path.
The mapping is used to estimate the theoretical value for the potential risk path, so that the verification criterion above excludes the effect of network congestion near the potential risk path on the potential risk path.
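The two stages S11 to S15 end to end, as an added example that is not code from the patent. The station coordinates, the delays, the 550 km altitude and the 700 km neighbour thresholds are constructed; taking the gradient as the element-wise ratio delay/distance, the IQR fence factor 1.5 and 2h/c for the shortest round trip over the satellite-ground link are assumptions of this example.

```python
import math
import random
import statistics

C_KM_PER_MS = 299.792458            # speed of light
ORBIT_KM = 550.0                    # constructed: one shell, one altitude
# Assumption: shortest round trip over one satellite-ground link is 2 * h / c.
MIN_LINK_RTT_MS = 2 * ORBIT_KM / C_KM_PER_MS

STATIONS = {                        # constructed (lat, lon), three regional clusters
    "A1": (40, -100), "A2": (42, -97),
    "B1": (50, 8), "B2": (48, 11), "B3": (52, 5),
    "C1": (36, 138), "C2": (35, 135),
}


def haversine_km(p, q):
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def distance_matrix(stations):                          # S11
    return {(a, b): haversine_km(stations[a], stations[b])
            for a in stations for b in stations if a != b}


def sample_delays(dist):                                # stands in for S12
    """Constructed delays in ms, long-haul pairs only: linear in distance with
    small noise, +15 ms congestion on every A->C path, +30 ms detour on A1->B1."""
    rng = random.Random(1)
    delay = {}
    for (a, b), d in sorted(dist.items()):
        if a[0] == b[0]:
            continue                                    # same cluster: not sampled
        t = 0.005 * d + 8 + rng.uniform(-0.2, 0.2)
        if a[0] == "A" and b[0] == "C":
            t += 15
        if (a, b) == ("A1", "B1"):
            t += 30
        delay[(a, b)] = t
    return delay


def gradient_matrix(delay, dist):                       # S13
    # Assumption: gradient = delay / distance for each station pair.
    return {p: delay[p] / dist[p] for p in delay}


def iqr_suspects(grad, k=1.5):                          # S14, IQR test
    q1, _, q3 = statistics.quantiles(grad.values(), n=4)
    limit = q3 + k * (q3 - q1)
    return sorted(p for p, g in grad.items() if g > limit)


def neighbours(path, delay, dist, src_thr_km, dst_thr_km):
    """Paths meeting the second condition: source and destination both close
    to those of `path`. The path itself is left out of its own reference set."""
    def near(x, y, thr):
        return x == y or dist[(x, y)] < thr
    src, dst = path
    return [q for q in delay if q != path
            and near(q[0], src, src_thr_km) and near(q[1], dst, dst_thr_km)]


def fit_line(xs, ys):
    """Least-squares line; falls back to the mean when all distances coincide."""
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        return 0.0, my
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return slope, my - slope * mx


def excess_delay(path, delay, dist, src_thr_km=700, dst_thr_km=700):   # S15
    """Measured delay minus the estimate regressed from the adjacent paths."""
    ref = neighbours(path, delay, dist, src_thr_km, dst_thr_km)
    if len(ref) < 2:
        return None                                     # no local reference
    slope, icpt = fit_line([dist[q] for q in ref], [delay[q] for q in ref])
    return delay[path] - (slope * dist[path] + icpt)


def verify(delay, dist):
    suspects = iqr_suspects(gradient_matrix(delay, dist))
    risky = [p for p in suspects
             if (e := excess_delay(p, delay, dist)) is not None
             and e > MIN_LINK_RTT_MS]
    return suspects, risky


if __name__ == "__main__":
    d = distance_matrix(STATIONS)
    print(verify(sample_delays(d), d))
```

All four congested A->C paths are flagged by the global stage, but their neighbours carry the same congestion, so only the detoured A1->B1 path exceeds the link round-trip bound in the local stage.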
In summary, the present invention implements path verification through coordinated in-band measurement and out-of-band processing, as in the full-process example of Fig. 9 (the shortened form of "ground station" used in the figure denotes the same thing). In-band measurement mainly means extending the packet header at the ground stations to form delay measurement packets and exchanging these packets between ground stations to determine the data transmission delay between them; out-of-band processing mainly means the two-stage path verification from global to local. The method requires no modification of satellite node hardware or routing protocols, which improves the deployability of path verification in the real-world setting where the nodes of a mega-constellation are launched incrementally.
In addition, the present invention adds to the information that existing ground stations store and maintain: a delay table must be added to store the delay information between ground stations.
In a second aspect, the path verification device for satellite Internet provided by the present invention is described. The device described below and the path verification method for satellite Internet described above may be read with reference to each other. Fig. 10 illustrates a schematic structural diagram of a path verification device for satellite Internet. As shown in Fig. 10, the device includes:
an inter-station distance matrix generation module 21, configured to generate an inter-station distance matrix from the geographic location information of the ground stations;
a global delay matrix generation module 22, configured to aggregate the inter-station delay table of each ground station to obtain a global delay matrix;
a global delay gradient matrix generation module 23, configured to differentiate the corresponding elements of the global delay matrix and the inter-station distance matrix to obtain a global delay gradient matrix;
a potential risk path identification module 24, configured to perform statistical outlier analysis on the global delay gradient matrix and to take the data transmission path of each ground station pair with an outlier as a potential risk path;
a risk path identification module 25, configured to determine that the potential risk path is a risk path when the potential risk path satisfies a first condition;
wherein the inter-station delay table of each ground station stores the data transmission delay from each target ground station to that ground station; the target ground stations are the ground stations other than that ground station;
the first condition is that the difference between the measured value and the theoretical estimated value of the data transmission delay is greater than the shortest data transmission delay of one round trip over the satellite-ground link.
The path verification device for satellite Internet provided by the present invention constructs an inter-station distance matrix from the geographic location information of the ground stations and a global delay matrix from the measured data transmission delays between ground stations. Differentiating the corresponding elements of the global delay matrix and the inter-station distance matrix yields a global delay gradient matrix, which reflects the implicit mapping between the data transmission delay and the geographic distance between ground stations; outlier detection on this matrix screens for risk paths from a global perspective. A gradient anomaly may be caused by the detour of a path hijacking attack, but it may also come from local network congestion. To avoid misjudgment, and considering that for a path hijacking attack in the satellite Internet one additional descent from and ascent to a satellite is an undeniable attack feature, a risk criterion is designed from the physical characteristics of the attack: "if the difference between the measured value and the theoretical estimated value of the data transmission delay of a potential risk path is greater than the shortest data transmission delay of one round trip over the satellite-ground link, the potential risk path is a risk path". Potential risk paths are then verified against this criterion from a local perspective. The present invention replaces the encrypted tag matching check used by hop-by-hop verification mechanisms, avoids the large signaling and computation overhead caused by frequent path changes under the dynamic topology of the satellite Internet, and improves the performance of path verification in satellite Internet scenarios.
On the basis of the above embodiments, as an optional embodiment, the device further includes: a generation module for generating the inter-station delay table of the ground station;
The generation module specifically includes:
an inter-station delay sub-table construction unit, configured to have the ground station locally create 4 inter-station delay sub-tables whose fields are the source ground station number and the data transmission delay; wherein the 4 inter-station delay sub-tables correspond to 4 access-satellite orbit directions, namely: northbound on ascent and southbound on descent, northbound on ascent and northbound on descent, southbound on ascent and northbound on descent, and southbound on ascent and southbound on descent;
a delay measurement packet sending unit, configured to control, within one measurement period, each target ground station to send delay measurement packets to the ground station at a preset interval; wherein a delay measurement packet is obtained by embedding the source ground station number, the number of the source ground station's access satellite and the send timestamp in the header of an IP data packet;
a data transmission delay and access-satellite orbit direction determination unit, configured to have the ground station estimate, from the delay measurement packets sent by each target ground station, the data transmission delay and the access-satellite orbit direction from that target ground station to the ground station;
a data filling unit, configured to insert, using the number of each target ground station as the index, the data transmission delay from each target ground station to the ground station into the inter-station delay sub-table that corresponds to the access-satellite orbit direction from that target ground station to the ground station, giving 4 populated inter-station delay sub-tables;
a combining unit, configured to combine the 4 populated inter-station delay sub-tables to obtain the inter-station delay table of the ground station.
On the basis of the above embodiments, as an optional embodiment, the data transmission delay and access-satellite orbit direction determination unit includes: a data transmission delay determination submodule and an access-satellite orbit direction determination submodule;
The data transmission delay determination submodule is configured to:
enter into a first list the duration between the send timestamp and the receive time of each measurement packet sent by the target ground station;
filter the durations in the first list and then take the minimum, to obtain the data transmission delay from the target ground station to the ground station.
On the basis of the above embodiments, as an optional embodiment, the access-satellite orbit direction determination submodule is configured to:
estimate the access-satellite orbit direction from the target ground station to the ground station from the source ground station's access satellite number in any one measurement packet sent by the target ground station and from the pre-stored two-line element information of all satellites in the constellation.
On the basis of the above embodiments, as an optional embodiment, the potential risk path identification module is specifically configured to:
analyze the global delay gradient matrix with a preset outlier detection algorithm, to select from the global delay gradient matrix the outliers that exceed the safety threshold of the preset outlier detection algorithm;
The preset outlier detection algorithm includes but is not limited to the IQR test and the Grubbs test.
On the basis of the above embodiments, as an optional embodiment, the shortest data transmission delay of one round trip over the satellite-ground link is determined from the orbital altitude of the satellites;
The measured value of the data transmission delay of the potential risk path is the element of the global delay matrix that corresponds to the ground station pair of the potential risk path;
The risk path verification module includes a determination unit configured to determine the theoretical estimated value of the data transmission delay of the potential risk path;
The determination unit includes:
a first determination subunit, configured to determine the adjacent paths of the potential risk path;
a reference delay matrix construction subunit, configured to extract from the global delay matrix the elements that correspond to the ground station pairs of the adjacent paths, to form a reference delay matrix;
a regression analysis subunit, configured to determine, for the ground station pairs within the scope of the reference delay matrix, the mapping between data transmission delay and geographic distance by regression analysis;
a theoretical estimated value calculation subunit, configured to determine the theoretical estimated value of the data transmission delay of the potential risk path from the mapping and from the inter-station distance of the ground station pair of the potential risk path.
On the basis of the above embodiments, as an optional embodiment, the first determination subunit is specifically configured to:
take the paths that satisfy a second condition as the adjacent paths of the potential risk path;
wherein the second condition is:
the distance between the source end and the source end of the potential risk path is less than a first threshold, and
the distance between the destination end and the destination end of the potential risk path is less than a second threshold.
第三方面,图11示例了一种电子设备的实体结构示意图,如图11所示,该电子设备可以包括:处理器(processor)1110、通信接口(Communications Interface)1120、存储器(memory)1130和通信总线1140,其中,处理器1110,通信接口1120,存储器1130通过通信总线1140完成相互间的通信。处理器1110可以调用存储器1130中的逻辑指令,以执行用于卫星互联网的路径验证方法,该方法包括:根据地面站之间的地理位置信息生成站间距离矩阵;汇总每一个地面站的站间时延表,得到全局时延矩阵;将所述全局时延矩阵和所述站间距离矩阵的对应元素做微分,得到全局时延梯度矩阵;对所述全局时延梯度矩阵进行统计学异常值分析,并将具有异常值的地面站对的数据传输路径作为潜在风险路径;在所述潜在风险路径满足第一条件时,认定所述潜在风险路径为风险路径;其中,每一个所述地面站的站间时延表中存储每一个目标地面站到所述地面站的数据传输时延;所述目标地面站为除所述地面站之外的地面站;所述第一条件为数据传输时延的实测值与理论估计值的差值大于往返一次星地链路的最短数据传输时延。In the third aspect, FIG. 11 illustrates a schematic diagram of the physical structure of an electronic device. As shown in FIG. A
此外,上述的存储器1130中的逻辑指令可以通过软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本发明的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本发明各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、磁碟或者光盘等各种可以存储程序代码的介质。In addition, the above-mentioned logic instructions in the
In a fourth aspect, the present invention further provides a computer program product comprising a computer program that can be stored on a non-transitory computer-readable storage medium. When the computer program is executed by a processor, the computer can execute the path verification method for satellite Internet provided by the methods above, the method comprising: generating an inter-station distance matrix from the geographic location information of the ground stations; aggregating the inter-station delay table of each ground station to obtain a global delay matrix; differentiating the corresponding elements of the global delay matrix and the inter-station distance matrix to obtain a global delay gradient matrix; performing statistical outlier analysis on the global delay gradient matrix, and taking the data transmission paths of the ground station pairs with outliers as potential risk paths; and, when a potential risk path satisfies a first condition, determining that the potential risk path is a risk path; wherein the inter-station delay table of each ground station stores the data transmission delay from each target ground station to that ground station; the target ground stations are the ground stations other than that ground station; and the first condition is that the difference between the measured value and the theoretical estimate of the data transmission delay is greater than the shortest data transmission delay of one round trip over the satellite-ground link.
In a fifth aspect, the present invention further provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, performs the path verification method for satellite Internet provided by the methods above, the method comprising: generating an inter-station distance matrix from the geographic location information of the ground stations; aggregating the inter-station delay table of each ground station to obtain a global delay matrix; differentiating the corresponding elements of the global delay matrix and the inter-station distance matrix to obtain a global delay gradient matrix; performing statistical outlier analysis on the global delay gradient matrix, and taking the data transmission paths of the ground station pairs with outliers as potential risk paths; and, when a potential risk path satisfies a first condition, determining that the potential risk path is a risk path; wherein the inter-station delay table of each ground station stores the data transmission delay from each target ground station to that ground station; the target ground stations are the ground stations other than that ground station; and the first condition is that the difference between the measured value and the theoretical estimate of the data transmission delay is greater than the shortest data transmission delay of one round trip over the satellite-ground link.
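The two-stage check recited in the aspects above (delay-gradient outlier screening, then the regression-based first condition over adjacent paths), as an added Python example that is not code from the patent. The station coordinates, the delays, the 550 km orbit altitude, the 1500 km adjacency thresholds, the 3-sigma outlier rule and the reading of the "gradient" as delay divided by distance are all assumptions made for this illustration.

```python
import math
import statistics

C_KM_PER_MS = 299.792458                       # speed of light
SAT_ALT_KM = 550.0                             # assumed orbit altitude, not from the patent
MIN_UPDOWN_MS = 2 * SAT_ALT_KM / C_KM_PER_MS   # shortest round trip over one satellite-ground link
# Constructed ground stations (lat, lon in degrees): a western and an eastern group.
STATIONS = {"W0": (40, -105), "W1": (45, -100), "W2": (35, -98),
            "E0": (48, 8), "E1": (52, 14), "E2": (44, 12)}
NAMES = list(STATIONS)

def dist_km(a, b):
    """Great-circle (haversine) distance between two stations."""
    (la1, lo1), (la2, lo2) = (map(math.radians, STATIONS[s]) for s in (a, b))
    h = (math.sin((la2 - la1) / 2) ** 2
         + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

PAIRS = [(s, d) for s in NAMES for d in NAMES if s != d]
DIST = {p: dist_km(*p) for p in PAIRS}         # inter-station distance matrix

def build_delays(extra_ms, detoured=("W0", "E0")):
    """Constructed global delay matrix: 200 km/ms, +-1% jitter, one path delayed by extra_ms."""
    delay = {(s, d): DIST[s, d] / 200 * (1 + 0.005 * ((2 * NAMES.index(s) + NAMES.index(d)) % 5 - 2))
             for s, d in PAIRS}
    delay[detoured] += extra_ms
    return delay

def potential_risk_paths(delay, z=3.0):
    """Outlier analysis on the delay gradient (ms per km); the 3-sigma rule is an assumption."""
    grad = {p: delay[p] / DIST[p] for p in PAIRS}
    values = list(grad.values())
    limit = statistics.mean(values) + z * statistics.pstdev(values)
    return [p for p in PAIRS if grad[p] > limit]

def theoretical_delay(path, delay, th1=1500.0, th2=1500.0):
    """Least-squares delay-vs-distance fit over adjacent paths, evaluated at this path's distance."""
    near = lambda a, b, th: a == b or DIST[a, b] < th
    ref = [p for p in PAIRS if p != path and near(p[0], path[0], th1) and near(p[1], path[1], th2)]
    if len(ref) < 2:
        raise ValueError("not enough adjacent paths for a regression")
    xs, ys = [DIST[p] for p in ref], [delay[p] for p in ref]
    mx, my = statistics.mean(xs), statistics.mean(ys)
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    return my + slope * (DIST[path] - mx)

def verify_paths(delay):
    """Return (potential, confirmed): confirmed paths satisfy the first condition."""
    potential = potential_risk_paths(delay)
    confirmed = [p for p in potential
                 if delay[p] - theoretical_delay(p, delay) > MIN_UPDOWN_MS]
    return potential, confirmed
```

With the constructed data, `verify_paths(build_delays(25.0))` screens and confirms the W0 to E0 path, while `build_delays(2.0)` produces a statistical outlier that the first condition then clears because the excess delay is below one satellite-ground round trip.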
The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
From the description of the implementations above, those skilled in the art can clearly understand that each implementation can be realized by software plus the necessary general-purpose hardware platform, or by hardware. Based on this understanding, the above technical solution in essence, or the part that contributes to the prior art, may be embodied as a software product. The computer software product may be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute the methods described in the embodiments or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features can be replaced with equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310219167.6A CN116405089B (en) | 2023-03-06 | A path verification method and apparatus for satellite internet |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310219167.6A CN116405089B (en) | 2023-03-06 | A path verification method and apparatus for satellite internet |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116405089A (en) | 2023-07-07 |
| CN116405089B (en) | 2026-02-17 |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117640463A (en) * | 2024-01-25 | 2024-03-01 | 云天智能信息(深圳)有限公司 | Satellite broadband short message communication and vital sign health monitoring method and system |
| CN120567284A (en) * | 2025-07-31 | 2025-08-29 | 中国星网网络创新研究院有限公司 | Satellite network routing method and device |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117640463A (en) * | 2024-01-25 | 2024-03-01 | 云天智能信息(深圳)有限公司 | Satellite broadband short message communication and vital sign health monitoring method and system |
| CN117640463B (en) * | 2024-01-25 | 2024-04-19 | 云天智能信息(深圳)有限公司 | Satellite broadband short message communication and vital sign health monitoring method and system |
| CN120567284A (en) * | 2025-07-31 | 2025-08-29 | 中国星网网络创新研究院有限公司 | Satellite network routing method and device |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US12375340B2 (en) | | Data driven systems and methods to isolate network faults |
| Peterson et al. | | A position paper on data sovereignty: The importance of geolocating data in the cloud |
| CN112491636B (en) | | Data processing method and device and computer storage medium |
| US11831763B2 (en) | | Methods, systems, and computer readable media for utilizing predetermined encryption keys in a test simulation environment |
| Benson et al. | | Do you know where your cloud files are? |
| CN106685903B (en) | | SDN-based data transmission method, SDN controller and SDN system |
| Eriksson et al. | | Riskroute: A framework for mitigating network outage threats |
| JP2018515974A (en) | | System and method for providing virtual interfaces and advanced smart routing in a global virtual network (GVN) |
| CN112543473B (en) | | Test method, device and equipment based on network element simulation and computer storage medium |
| Donovan et al. | | Building the network of the future: Getting smarter, faster, and more flexible with a software centric approach |
| CN112805963A (en) | | Detecting and blocking network attacks |
| US20170031926A1 (en) | | Development of a Motility Scoring Methodology to Facilitate Urbanomic Mobility |
| US9800567B2 (en) | | Authentication of network nodes |
| Vickramasingam et al. | | A Link Planning and DDoS Attack Detection in SDN Based Integrated Space-Terrestrial Networks. |
| US20170170956A1 (en) | | Methods, systems, and computer readable media for reducing the size of a cryptographic key in a test simulation environment |
| EP3861445B1 (en) | | Method and apparatus for secure and verifiable composite service execution and fault management on blockchain |
| CN116405089A (en) | | A path verification method and device for satellite Internet |
| US7822872B2 (en) | | Multi-location distributed workplace network |
| US9158871B2 (en) | | Graph modeling systems and methods |
| Ramana et al. | | Multipath transmission control protocol for live virtual machine migration in the cloud environment |
| CN116405089B (en) | | A path verification method and apparatus for satellite internet |
| CN104980352A (en) | | Routing method and device for multiline computer room |
| CN101252475A (en) | | Message mirroring method and device |
| Jia et al. | | VoteGeo: An IoT-based voting approach to verify the geographic location of cloud hosts |
| WO2023136755A1 (en) | | Method and apparatus for tailored data monitoring of microservice executions in mobile edge clouds |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |