
CN119172167A - A security prevention and control method based on edge computing device, cloud platform and edge computing device - Google Patents


Info

Publication number: CN119172167A
Authority: CN (China)
Prior art keywords: edge computing, data, computing device, interaction, cloud platform
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202411597961.5A
Other languages: Chinese (zh)
Inventors: 刘龙豹, 苏敬
Current assignee: Beijing Zhongruiheng Science & Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Zhongruiheng Science & Technology Co ltd
Events: application filed by Beijing Zhongruiheng Science & Technology Co ltd; priority to CN202411597961.5A; publication of CN119172167A; current legal status pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the technical field of edge computing and discloses a security prevention and control method based on an edge computing device, a cloud platform and an edge computing device. The method comprises: identifying the type of the requested interaction instruction when the cloud platform and the edge computing device perform data interaction; applying different security authentication strategies to the edge computing device according to the type of the requested interaction instruction; and performing data interaction only when the edge computing device passes the security authentication. Because the edge computing device is authenticated at different levels, and data interaction can take place only after authentication has passed, the security of the data collected by the edge computing device and the security of the data source docked by the engine device are greatly improved, and resources can be saved effectively.

Description

Security prevention and control method based on edge computing equipment, cloud platform and edge computing equipment
Technical Field
The invention relates to the technical field of edge computing, in particular to a security prevention and control method based on an edge computing device, a cloud platform and an edge computing device.
Background
With the development of edge technology and the intelligent digital transformation of the whole Internet of Things industry, security has received more and more attention from all parties. The security authentication of existing edge computing engines is managed only through role authorization: as long as the cloud system or the management interface of the edge computing engine can be logged into, the device can be fully controlled, and the data uploaded from the collection side to the platform is essentially not cleaned, so PLC (programmable logic controller) devices can be attacked by tampering.
In this case, an outsider can easily obtain and analyse the data structure by packet capture, disguise and similar means, then simulate identities and data, and attack the edge computing device and the devices that collect and analyse data on the edge side.
Disclosure of Invention
In view of the above technical problems, the invention provides a security prevention and control method based on an edge computing device, a cloud platform and an edge computing device. The platform side performs different levels of authentication on the edge computing device according to the type of data interaction with it, and data interaction can be performed only when authentication passes, so that the security of the data collected by the edge computing device and the security of the data source docked by the engine device are greatly improved, and resources can be saved effectively.
To achieve this technical purpose, the invention adopts the following technical scheme:
A first aspect of the invention provides a security prevention and control method based on an edge computing device, used on a cloud platform and comprising the following steps:
S1, identifying the type of the requested interaction instruction when the cloud platform performs data interaction with the edge computing device;
S2, applying different security authentication strategies to the edge computing device according to the type of the requested interaction instruction, where the security authentication strategies specifically comprise:
S21, when the requested interaction instruction is an upload-data instruction or a down-control operation instruction, verifying the identity of the edge computing device through a predefined identity verification mechanism;
S22, when the edge computing device passes identity verification, decrypting the ciphertext uploaded by the edge computing device to obtain the interaction data and the serial number information of the edge computing device;
S23, judging whether the serial number information matches the serial number of the edge computing device;
S24, receiving the interaction data when the serial number information matches the serial number of the edge computing device, and otherwise not receiving it;
S3, performing data interaction when the edge computing device passes the security authentication.
In step S22, decrypting the ciphertext uploaded by the edge computing device to obtain the interaction data and the serial number information of the edge computing device comprises:
S221, decrypting the ciphertext with the RSA private key to obtain a Base64-encoded string;
S222, decoding the Base64-encoded string to obtain obfuscated binary data;
S223, de-obfuscating the obfuscated binary data to obtain the interaction data and the serial number information of the edge computing device.
Further, in step S3, before data interaction is performed on the condition that the edge computing device has passed security authentication, whether the edge computing device has access rights is verified by querying the access control list of the sensitive data, on the condition that the edge computing device has passed identity verification.
Further, the identity verification includes authentication by an account/password mechanism, a dynamic token, or a digital certificate.
In dynamic token authentication, HMAC-SHA-1 denotes HMAC using SHA-1 as the hash function, and Truncate is a function that intercepts the HMAC output string and selects fields of it to form a new key.
Further, the method further comprises:
when an abnormal alarm from the edge computing device is received, abnormal operation control is applied to the edge computing device and its data is recovered through a preset emergency strategy.
A second aspect of the invention provides a security prevention and control method based on an edge computing device, comprising:
S4, when the edge computing device performs data interaction with the cloud platform, sending the requested interaction data to the cloud platform, encrypting the interaction data with an obfuscating encryption algorithm, and waiting for the cloud platform to perform security authentication on the interaction data;
S5, performing data interaction when the security authentication passes.
In step S4, uploading the interaction data to the cloud platform and encrypting it with the obfuscating encryption algorithm comprises:
S41, encrypting the interaction data with the RSA public key;
S42, determining the serial number information of the edge computing device and combining it with the encrypted data into a binary string;
S43, Base64-encoding the combined binary string;
S44, obfuscating the encoded string and transmitting it to the cloud platform.
Further, in step S4, the specific algorithm used to encrypt the interaction data with the obfuscating encryption algorithm is:
n = p × q;
m^e mod n = c;
c^d mod n = m;
where p and q are set values and are prime numbers, n represents the modulus, e represents the public key exponent, which must satisfy a bound and be coprime to a value (the terms of both conditions are not legible in the source), m represents the interaction data, c represents the ciphertext, and d represents the private key exponent.
Further, before data interaction is performed in S5 on the condition that the security authentication passes, the method further comprises verifying whether the edge computing device has access rights by querying the access control list of the sensitive data, on the condition that the edge computing device has passed security authentication.
Further, the edge computing device is connected to an edge-side terminal device, and the method further comprises:
S6, monitoring the working data of the edge-side terminal device and judging whether the working data lies within a preset behaviour threshold interval;
S7, when the judgment result is negative, sending an abnormal alarm to the cloud platform and performing data restoration according to the emergency strategy provided by the cloud platform.
A third aspect of the invention provides a cloud platform comprising a memory and a controller, the memory storing computer instructions and the controller calling and executing the computer instructions stored in the memory to implement any of the security prevention and control methods provided in the first aspect.
A fourth aspect of the invention provides an edge computing device comprising a memory for storing computer instructions and a controller for calling and executing the computer instructions stored in the memory to implement any of the security prevention and control methods provided in the second aspect.
According to the method provided by the invention, the platform side performs different levels of authentication on the edge computing device according to the type of data interaction between the platform side and the edge computing device, and data interaction can be performed only when authentication passes, so that the security of the data collected by the edge computing device and the security of the data source docked by the engine device are greatly improved, and resources can be saved effectively.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure, illustrate and explain the present disclosure, and together with the description serve to explain the present disclosure. In the drawings:
FIG. 1 is a first schematic flow chart of a security prevention and control method according to some embodiments of the present application;
FIG. 2 is a second flow chart of a security prevention and control method according to some embodiments of the present application;
FIG. 3 is a third flow chart of a security prevention and control method according to some embodiments of the present application;
FIG. 4 is a fourth flow chart of a security prevention and control method according to some embodiments of the present application;
FIG. 5 is a schematic diagram illustrating an encryption demonstration of a security prevention and control method according to some embodiments of the present application;
FIG. 6 is a data recovery and alarm schematic diagram of a security prevention and control method according to some embodiments of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application.
Thus, the following detailed description of the embodiments of the application, as presented in the figures, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
It should be noted that like reference numerals and letters refer to like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
It should be noted that in this document, relational terms such as "first" and "second" are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between them. Moreover, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises that element.
An embodiment of a first aspect of the invention provides a security prevention and control method based on an edge computing device, used on a cloud platform. With reference to FIG. 1, the method includes S1 to S3:
S1, identifying the type of the requested interaction instruction when the cloud platform performs data interaction with the edge computing device;
S2, applying different security authentication strategies to the edge computing device according to the type of the requested interaction instruction;
S3, performing data interaction when the edge computing device passes the security authentication.
The security prevention and control method based on the edge computing device ensures the security and reliability of data transmission when the cloud platform and the edge computing device perform data interaction. It comprises identifying the type of the requested interaction instruction, applying a differentiated security authentication strategy, and performing data interaction securely after authentication has passed. The cloud platform first receives an interaction request from the edge computing engine device, analyses the instruction content in the request, and identifies the specific interaction instruction type. These types may include data upload, command execution, configuration update, status query, and so on. Requests are classified by instruction type so that different security authentication policies can be enforced afterwards.
In one embodiment of the invention, with reference to FIG. 2, S2 includes S21 to S24:
S21, when the requested interaction instruction is an upload-data instruction or a down-control operation instruction, verifying the identity of the edge computing device through a predefined identity verification mechanism.
Different security authentication strategies are formulated for different types of interaction instructions. For example, data upload instructions may require stricter encryption and authentication, while status query instructions may require only basic authentication. The identity of the edge computing engine device is verified by a predefined identity verification mechanism (e.g., username/password, token, digital certificate).
S22, when the edge computing device passes identity verification, decrypting the ciphertext uploaded by the edge computing device to obtain the original data and the serial number information of the edge computing device. The original data may be sensitive data (e.g., monitoring data) or data that is to be downloaded.
S23, judging whether the serial number information matches the serial number of the edge computing device.
S24, when the serial number information matches the serial number of the edge computing device, receiving the original data, and otherwise not receiving it.
Each edge computing device has a unique SN (serial number) that can serve as the identity of the device. By reading and verifying the device's SN, the legitimacy and uniqueness of the device can be ensured. In the encryption process, the device's unique SN is read and used as part of the encryption (for example, the first 7 digits of the serial number are used as the serial number information; when the decrypted serial number information equals the first 7 digits of the serial number it is considered a match, and when the serial number information is the whole serial number, it is considered a match when it equals the serial number), so that only the device with the correct SN can decrypt and receive data. Such a mechanism can prevent unauthorized devices from accessing or tampering with the data.
In one embodiment of the invention, with reference to FIG. 3, S22 includes S221 to S223:
S221, decrypting the ciphertext with the RSA private key to obtain a Base64-encoded string, Base64 being a method of representing arbitrary binary data with 64 characters.
S222, decoding the Base64-encoded string to obtain the obfuscated binary data; in this step, Base64 decoding converts the Base64-encoded string obtained after RSA decryption back into the original binary data.
S223, de-obfuscating the obfuscated binary data to obtain the original data and the serial number information of the edge computing device. This step removes the obfuscation added during transmission or storage so as to recover the original sensitive data. The procedure ensures the security and integrity of sensitive data during transmission and storage, while the de-obfuscation step also prevents unauthorized access and understanding.
In one embodiment of the invention, in step S3, before data interaction is performed on the condition that the edge computing device has passed security authentication, the method further comprises checking whether the edge computing device has access rights by querying the access control list of the sensitive data, on the condition that the edge computing device has passed identity authentication.
Verifying whether a device has the right to execute instructions of this type can be done by querying the device's rights list or role assignments. Different access rights are allocated according to user roles, so that only authorized users can access sensitive data. At the same time, an access control list is set for each resource, defining which users or roles may access it. The minimum set of permissions is mapped to specific tables, columns and operations in the database; each user or application can only access and operate on the tables, columns and operations corresponding to its minimum permission set, and user permissions are reviewed and updated periodically to ensure that they match actual requirements.
In this embodiment, the protection between the edge computing device and the cloud platform is ensured through double verification, which greatly improves the stability of the whole system. It will be appreciated that the access rights of the edge computing device can be controlled based on the result of verifying whether it has access rights.
In one embodiment, the identity verification includes authentication by an account/password mechanism, a dynamic token, or a digital certificate.
In one embodiment of the invention, the dynamic token in dynamic token authentication is generated by the formula OTP(K, C) = Truncate(HMAC-SHA-1(K, C)),
where K represents the serial number of the edge computing device, C represents the down-control data, and OTP represents the one-time password.
HMAC-SHA-1 means HMAC using SHA-1 as the hash function, and Truncate is a function that intercepts the HMAC output string and selects fields of it to form a new key.
Specifically, K in the formula represents a key; currently the unique SN (ID value) of the edge computing device is used, for example 3641963C68739803cfc1625b, and the platform can obtain this value through an interface. C represents the down-control data (for example 34), which relates to a data point collected by industrial equipment (for example, a hotlist), that is, the sensitive data that needs to be protected. Taking the SN and the down-control data as parameters, the sensitive data is hashed with HMAC-SHA-1 (from these two values, BA125444A962EDA3DB7FE247ED372A853EFBB08F is obtained), and the hashed value is obfuscated by the Truncate function (for example, to BA521449A462ADE3DF7BE742ED372A853EFBBF); this completes the token for the down-control data. After the device side receives the token, it first reverses the Truncate step to recover the HMAC value (BA125444A962EDA3DB7FE247ED372A853EFBB08F), then obtains the down-control data and completes the down-control of the device.
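The token computation and the device-side check described above, as an added example that is not the patent's code: it assumes that K is the SN used as an ASCII key, that C is the down-control value packed as an 8-byte counter, and that Truncate is the RFC 4226 (HOTP) dynamic truncation to six digits, none of which the text specifies.

```python
"""Dynamic token for a down-control command: OTP(K, C) = Truncate(HMAC-SHA-1(K, C)).

Added example, not code from the patent. Assumptions the text does not fix:
  - K is the device SN used as an ASCII key;
  - C is the down-control value packed as an 8-byte big-endian counter;
  - Truncate is the RFC 4226 (HOTP) dynamic truncation to a 6-digit code.
"""
import hashlib
import hmac
import struct

SAMPLE_SN = "3641963C68739803cfc1625b"   # the SN value quoted on the page
SAMPLE_DOWN_CONTROL = 34               # the down-control value quoted on the page


def hmac_sha1(key: bytes, counter: int) -> bytes:
    """HMAC-SHA-1 over the 8-byte counter, keyed with K."""
    return hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()


def truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation: the low nibble of the last byte selects an
    offset, 31 bits are read from there and reduced to `digits` decimal digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otp(serial_number: str, down_control_value: int) -> str:
    """Platform side: the token attached to the down-control command."""
    return truncate(hmac_sha1(serial_number.encode(), down_control_value))


def verify_down_control(device_sn: str, value: int, token: str) -> bool:
    """Device side: recompute the token from the device's own SN and the received
    value and compare in constant time; the command is executed only on a match.
    An HMAC authenticates the command only while K stays secret, so a serial
    number that is readable through an interface gives no protection on its own;
    in practice a dedicated shared secret would have to play the role of K."""
    return hmac.compare_digest(otp(device_sn, value), token)


if __name__ == "__main__":
    token = otp(SAMPLE_SN, SAMPLE_DOWN_CONTROL)
    print("token for down-control", SAMPLE_DOWN_CONTROL, "->", token)
    print("genuine command accepted:", verify_down_control(SAMPLE_SN, SAMPLE_DOWN_CONTROL, token))
    print("altered value rejected:  ", not verify_down_control(SAMPLE_SN, SAMPLE_DOWN_CONTROL + 1, token))
```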
An embodiment of a second aspect of the invention provides a security prevention and control method based on an edge computing device, for use together with the method of the embodiment of the first aspect. With reference to FIG. 4, the method includes S4 to S5:
S4, when the edge computing device performs data interaction with the cloud platform, sending the requested interaction data to the cloud platform, encrypting the interaction data with an obfuscating encryption algorithm, and waiting for the cloud platform to perform security authentication on the interaction data;
S5, performing data interaction when the security authentication has passed.
In one embodiment of the invention, sending the requested interaction instruction to the cloud platform in step S4 comprises encrypting the interaction data with an obfuscating encryption algorithm when it is transmitted to the cloud platform; with reference to FIG. 5, encrypting the interaction data with the obfuscating encryption algorithm comprises steps S41 to S44:
S41, encrypting the interaction data with the RSA public key;
S42, determining the serial number information of the edge computing device and combining it with the encrypted data into a binary string;
S43, Base64-encoding the combined binary string;
S44, obfuscating the encoded string and transmitting it to the cloud platform.
In one embodiment, in step S4, the specific algorithm used to encrypt the interaction data with the obfuscating encryption algorithm is:
n = p × q
m^e mod n = c
c^d mod n = m
where p and q are set values and are prime numbers, n represents the modulus, e represents the public key exponent, which must satisfy a bound and be coprime to a value (the terms of both conditions are not legible in the source), m represents the interaction instruction, c represents the ciphertext, d represents the private key exponent, and ^ denotes a power.
In particular, the algorithm of this formula is used to transmit the monitoring data of industrial equipment collected by the edge computing device, and p and q are replaced periodically. For example, if p=7 and q=11, then n=77, whose binary representation 1001101 has 7 bits in total, so the first 7 digits of the edge computing device's SN (3641963) are taken as the Base64 string reference. Through the Euler function (the expression is not legible in the source), e=7 is obtained. According to m^e mod n = c, with m representing the data to be encrypted (for example 2), 2^3 = 8 is obtained; 8 is combined with 3641963 (the first 7 digits of the SN) into 36419638, which is Base64-encoded (MzY0MTk2Mzg=), obfuscated (MzM0YTkzMg=) and then transmitted to the platform side. After receiving it, the platform side first restores the string (MzY0MTk2Mzg=), then Base64-decodes it to obtain 36419638, compares the SN digits according to the agreed p and q values and obtains the transmitted data 8, and from the formula (8 = m^e mod n) recovers the data collected by the industrial equipment as m=2, which is then displayed.
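The device-side packaging S41 to S44 and the platform-side checks in the order of the worked example (restore, Base64-decode, compare the SN digits, RSA-decrypt), as an added example that is not the patent's code: it uses the page's p=7, q=11, e=7, SN and data value 2, computes d and the ciphertext from those parameters, and stands in a simple adjacent-character swap for the obfuscation step the page does not specify.

```python
"""Packaging (S41-S44) and unpacking of the RSA + SN + Base64 + obfuscation scheme.

Added example, not the patent's code. Assumptions:
  - the obfuscation step is not specified on the page; a reversible swap of
    adjacent characters stands in for it;
  - p=7, q=11, e=7, the SN and the data value 2 are the page's sample values;
    d and the ciphertext are computed from them here.
"""
import base64
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RsaParams:
    p: int
    q: int
    e: int

    @property
    def n(self) -> int:
        return self.p * self.q

    @property
    def d(self) -> int:
        # Private exponent: e * d = 1 mod phi(n), with phi(n) = (p-1)(q-1).
        return pow(self.e, -1, (self.p - 1) * (self.q - 1))

    def prefix_len(self) -> int:
        # The bit length of n decides how many SN digits are carried (77 -> 7).
        return self.n.bit_length()


def obfuscate(s: str) -> str:
    """Stand-in for the unspecified 'sequential confusion': swap adjacent chars."""
    out = list(s)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return "".join(out)


deobfuscate = obfuscate  # the swap is its own inverse


def device_pack(params: RsaParams, sn: str, m: int) -> str:
    """Edge device: S41 RSA-encrypt, S42 prepend SN digits, S43 Base64, S44 obfuscate."""
    if not 0 <= m < params.n:
        raise ValueError("plaintext must be smaller than the modulus")
    c = pow(m, params.e, params.n)                          # S41
    combined = sn[:params.prefix_len()] + str(c)            # S42
    encoded = base64.b64encode(combined.encode()).decode()  # S43
    return obfuscate(encoded)                               # S44


def platform_unpack(params: RsaParams, expected_sn: str, wire: str) -> Optional[int]:
    """Cloud platform: restore, decode, check the SN digits (S23/S24), decrypt.
    Returns the recovered data, or None when the message is rejected."""
    encoded = deobfuscate(wire)
    try:
        combined = base64.b64decode(encoded, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    k = params.prefix_len()
    sn_info, cipher_text = combined[:k], combined[k:]
    if not cipher_text.isdigit() or sn_info != expected_sn[:k]:
        return None                                         # S24: do not receive
    return pow(int(cipher_text), params.d, params.n)        # S221: RSA decrypt


if __name__ == "__main__":
    params = RsaParams(p=7, q=11, e=7)
    sn = "3641963C68739803cfc1625b"
    wire = device_pack(params, sn, 2)
    print("on the wire:", wire)
    print("platform recovers:", platform_unpack(params, sn, wire))
    print("other device's SN rejected:", platform_unpack(params, "9999999C68739803cfc1625b", wire))
```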
In one embodiment, before data interaction is performed in S5 on the condition that the security authentication has passed, the method further comprises verifying whether the edge computing device has access rights by querying the access control list of the sensitive data, on the condition that the edge computing device has passed security authentication.
In this embodiment, the protection between the edge computing device and the cloud platform is ensured through double verification, which greatly improves the stability of the whole system. It will be appreciated that the access rights of the edge computing device can be controlled based on the result of verifying whether it has access rights.
In one embodiment of the invention, the edge computing device is connected to an edge-side device (such as an electricity metering device or a temperature collection device), and the method further includes S6 to S7:
S6, monitoring the working data of the edge-side terminal device and judging whether the working data lies within a preset behaviour threshold interval;
S7, if the judgment result is negative, sending an abnormal alarm to the cloud platform and performing data restoration according to the emergency strategy provided by the cloud platform.
Another embodiment of the present invention provides a cloud platform including a memory for storing computer instructions, and a controller for invoking and executing the computer instructions stored in the memory to implement the method of the above embodiments.
Another embodiment of the present invention provides an edge computing device comprising a memory for storing computer instructions and a controller for invoking and executing the computer instructions stored in the memory to implement the method of the above embodiments.
Edge computing devices are important carriers of data processing and analysis, and their security is directly related to the security and reliability of the data. Because an edge computing device sits at the edge of the network, it is more vulnerable to attack and sabotage, and because its processing and storage capabilities are limited, more efficient and reliable security precautions are needed to ensure the security and reliability of data. Traditional cloud systems focus mainly on secure backup and recovery on the platform side; the edge computing device generally only goes through an identity verification process, or not even that, so many attacks aimed at the device are very simple and fatal: by simple disguise the device can be made to perform various operations and settings, or even be stopped. In addition, the hardware and software environments of the devices differ, which makes unified security prevention and control more difficult.
The method provided by this embodiment mainly addresses access authorization management of the edge computing engine, encryption management of sensitive data, multiple authentication of down-control operations, and data backup and automatic repair, and reports abnormal operations and data changes to the platform and the operation and maintenance manager in time through an alarm strategy, so as to allow necessary human intervention, ensure the integrity and availability of the edge computing device and the whole system, and reduce the impact of abnormal events on the business as a whole. The security prevention and control method, system and engine device based on the edge computing device provided by this embodiment offer prevention and control measures for data security all the way from the cloud to the edge side. In general, the invention can achieve the following technical effects:
1. Encryption management of sensitive data
Sensitive data is encrypted with a strong encryption algorithm with obfuscation (the WEIENCP algorithm), so that the data is protected both in transit and at rest.
The strong encryption algorithm with obfuscation first applies order obfuscation to the sensitive data, then converts the result into a base64 string, and transmits the string after applying the following operations (^ denotes modular exponentiation):
n = p × q;
m^e mod n = c;
c^d mod n = m;
where n is the modulus, e the public-key exponent, d the private-key exponent, m the plaintext and c the ciphertext. After receiving the sensitive data, the platform side decrypts it with the private key (m = c^d mod n), then performs base64 decoding, and finally recovers the true original sensitive data through the de-obfuscation processing (C1 (-1)) (-r) x C2-s.
In addition, the keys are rotated periodically and the destruction of old keys is ensured.
2. Multi-factor authentication of down-control operations. To prevent irreversible data disasters caused by misoperation, hackers or other unlawful actors, special down-control points require multi-factor authentication combining a user name and password, a dynamic token and obfuscation encryption, which raises the cost of authentication for an attacker and protects the engine device. The dynamic token is generated as OTP(K, C) = Truncate(HMAC-SHA-1(K, C)), where K is the key string, C is a number that changes for every token (a random number here; in the HOTP construction of RFC 4226, which this formula follows, it is a counter), and OTP is the one-time password. HMAC-SHA-1 denotes HMAC using SHA-1 as the hash function. Truncate is the function that cuts the HMAC output down to the fields that form the new password. The obfuscation encryption used here is the same WEIENCP algorithm and obfuscation algorithm as for sensitive data, with a different public key.
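The dynamic-token factor above, as an added example rather than code from the patent: the formula OTP(K, C) = Truncate(HMAC-SHA-1(K, C)) is implemented as RFC 4226 HOTP (8-byte big-endian counter, dynamic truncation to 31 bits, six decimal digits), and a platform-side verifier combines it with the user name/password factor and burns every accepted counter so a captured token cannot be replayed. The user records, salt and password are constructed for the example; the obfuscation-encryption factor is the same WEIENCP pipeline as for sensitive data and is not repeated here.

```python
"""Dynamic token for the down-control multi-factor check:
OTP(K, C) = Truncate(HMAC-SHA-1(K, C)), implemented as RFC 4226 HOTP,
combined with a user name/password check and replay protection."""
import hashlib
import hmac


def hotp(key, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduction to `digits` decimal digits."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def password_hash(password, salt):
    """Slow salted hash for the user name/password factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DownControlVerifier:
    """Platform-side check for a special down-control point: user name and
    password first, then the dynamic token. The stored counter is advanced
    past any accepted token so it cannot be replayed; `window` tolerates a
    device whose counter has run a few steps ahead of the platform's."""

    def __init__(self, window=3):
        self.users = {}   # user -> [salt, password hash, token key, next counter]
        self.window = window

    def enrol(self, user, password, token_key, salt):
        self.users[user] = [salt, password_hash(password, salt), token_key, 0]

    def verify(self, user, password, token):
        rec = self.users.get(user)
        if rec is None:
            return False, "unknown user"
        salt, pw_hash, key, counter = rec
        if not hmac.compare_digest(pw_hash, password_hash(password, salt)):
            return False, "bad password"
        for c in range(counter, counter + self.window):
            if hmac.compare_digest(hotp(key, c).encode(), str(token).encode()):
                rec[3] = c + 1          # burn this counter and every earlier one
                return True, "authenticated"
        return False, "bad or replayed token"


if __name__ == "__main__":
    key = b"12345678901234567890"      # RFC 4226 test key; constructed user below
    v = DownControlVerifier()
    v.enrol("ops", "correct horse", key, b"constructed-salt")
    print(v.verify("ops", "correct horse", hotp(key, 0)))   # (True, 'authenticated')
    print(v.verify("ops", "correct horse", hotp(key, 0)))   # replay is refused
```

With the RFC 4226 test key the first three tokens are 755224, 287082 and 359152, which is a quick way to confirm an implementation on either side of the link before it is wired into a down-control point.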
3. Access authorization management
Role-based access control: different access rights are allocated according to the user's role, so that only authorized users can access sensitive data. In addition, an access control list is set for each resource, defining which users or roles may access it. The minimum permission set is mapped to specific tables, columns and operations in the database, and each user or application can only access and operate on the tables, columns and operations in its minimum permission set. User permissions are reviewed and updated periodically so that they match actual requirements.
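The authorization model in item 3 as an added example, not code from the patent: roles carry a minimum permission set of (table, columns, operations), every resource has an access control list of roles, a request passes only if the ACL admits one of the user's roles and that role's grant covers every column asked for, and a review function replays an access log to flag grants that were never exercised. The roles, tables, users and log lines are constructed for the example.

```python
"""Access authorization for the edge computing engine: role-based grants
mapped to a minimum set of (table, columns, operations), an access control
list per resource, and a periodic review that flags grants never exercised."""
from collections import defaultdict

# Constructed policy for this example; the patent names no concrete roles or tables.
ROLE_GRANTS = {
    "collector": [("telemetry", {"device_id", "ts", "value"}, {"INSERT"})],
    "analyst": [("telemetry", {"device_id", "ts", "value"}, {"SELECT"})],
    "operator": [("telemetry", {"device_id", "ts", "value"}, {"SELECT"}),
                 ("control_points", {"point_id", "setpoint"}, {"SELECT", "UPDATE"})],
}
RESOURCE_ACL = {   # which roles may touch each resource at all
    "telemetry": {"collector", "analyst", "operator"},
    "control_points": {"operator"},
    "credentials": {"admin"},
}
USER_ROLES = {"edge-01": {"collector"}, "alice": {"analyst"}, "bob": {"operator"}}


def authorize(user, table, columns, op):
    """ACL check first, then the minimum permission set: granted only if some
    role of the user holds `op` on `table` covering every column requested."""
    roles = USER_ROLES.get(user, set())
    if not roles & RESOURCE_ACL.get(table, set()):
        return False, "acl: %s has no role listed for %s" % (user, table)
    wanted = set(columns)
    for role in sorted(roles):
        for t, cols, ops in ROLE_GRANTS.get(role, []):
            if t == table and op in ops and wanted <= cols:
                return True, role
    return False, "least privilege: %s %s(%s) outside minimum permission set" % (
        op, table, ",".join(sorted(wanted)))


def review_unused_grants(access_log):
    """Periodic review: (role, table, op) grants that no logged, authorized
    access exercised are candidates for removal at the next permission review."""
    exercised = defaultdict(set)
    for user, table, columns, op in access_log:
        ok, role = authorize(user, table, columns, op)
        if ok:
            exercised[role].add((table, op))
    return sorted((role, t, op)
                  for role, grants in ROLE_GRANTS.items()
                  for t, _cols, ops in grants
                  for op in ops if (t, op) not in exercised[role])


if __name__ == "__main__":
    # Constructed access log: (user, table, columns, operation)
    log = [("edge-01", "telemetry", ["device_id", "ts", "value"], "INSERT"),
           ("alice", "telemetry", ["ts", "value"], "SELECT"),
           ("bob", "control_points", ["point_id", "setpoint"], "SELECT")]
    print(authorize("bob", "control_points", ["setpoint", "note"], "UPDATE"))
    print(review_unused_grants(log))
```

The column check is deliberately a subset test rather than a per-column loop: a request that names one column outside the grant is refused as a whole, which is what "only the table, column and operation in the minimum permission set" requires.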
4. Data backup and automatic repair. Important data is backed up regularly so that it can be recovered after a fault or disaster, and restored from the backup when it is lost or damaged, so that the service continues. A backup strategy is chosen according to business requirements and data importance, for example a full backup once a week and an incremental backup once a day. A recovery test is run on the backup data every month to confirm its availability and integrity. A detailed data recovery procedure is formulated, defining the recovery steps and the responsible person, and recovery proceeds only after double password authentication, so that the data can be recovered safely and in time.
The algorithm provided by this embodiment performs strong encryption management with obfuscation of sensitive data, access authorization management of the edge computing device, multi-factor authentication of down-control operations, data backup and automatic restoration, and timely reporting of abnormal operations and data changes through an alarm strategy; it controls series devices in a diversified but uniform way and prevents tampering with and attacks on data by outside parties. Authentication and authorization of edge computing devices is the fundamental measure for device security: device authentication confirms the identity and legitimacy of the device, authorization controls its access rights and scope of operation, and WEIENCP encryption and decryption with obfuscation is the main means of protecting data security. In the edge computing device, the WEIENCP encryption and decryption algorithm is likewise used to protect the confidentiality and integrity of data.
The intrusion detection and defence adopted by the invention helps to discover and stop malicious attacks in time. In the edge computing device, attacks are detected and defended against by detection based on the device SN characteristics, anomaly detection and behaviour detection. SN-based detection: authentication and WEIENCP obfuscated encryption and decryption are bound to the unique SN serial number of the device; at encryption time the device's unique SN is read and used in the encryption, and in every data interaction the peer verifies that the SN used with the key matches the device's SN; if it does not, no receiving and no down-control processing takes place, which blocks attacks by disguised devices. Anomaly detection refers to abnormal operating states of the edge acquisition device: a standard behaviour threshold is set for sensitive data, and if the data acquired by the device is outside the threshold range the alarm system reports it and the platform side decides whether human intervention or a device repair operation is needed. Behaviour detection covers down-control actions: the validity of the down-control operation is confirmed, information such as the time of the action and the operator is recorded, and backup information of the related devices is kept so that recovery after an error is possible and confusion is avoided. A device security management system is also set up covering device purchase, use, maintenance and scrapping, and staff training and education are strengthened to improve security awareness and operational skill.

Claims (10)

1. A security prevention and control method based on an edge computing device, used in a cloud platform, characterized in that the method comprises:
S1. When the cloud platform performs data interaction with the edge computing device, identifying the type of the requested interaction instruction;
S2. Applying different security authentication strategies to the edge computing device according to the type of the requested interaction instruction, specifically comprising:
S21. When the requested interaction instruction is an upload-data instruction or a down-control operation instruction, verifying the identity of the edge computing device through a predefined identity verification mechanism;
S22. When the edge computing device passes identity verification, decrypting the ciphertext uploaded by the edge computing device to obtain the interaction data and the serial number information of the edge computing device;
S23. Judging whether the serial number information matches the serial number of the edge computing device;
S24. When the serial number information matches the serial number of the edge computing device, receiving the interaction data; otherwise, not receiving the interaction data;
S3. When the edge computing device passes security authentication, performing data interaction;
wherein, in step S22, decrypting the ciphertext uploaded by the edge computing device to obtain the identity verification and the serial number information of the edge computing device comprises:
S221. Decrypting the ciphertext with the RSA private key to obtain a Base64-encoded string;
S222. Decoding the Base64-encoded string to obtain obfuscated binary data;
S223. De-obfuscating the obfuscated binary data to obtain the interaction data and the serial number information of the edge computing device.
2. The method according to claim 1, characterized in that in step S3, before performing data interaction when the edge computing device passes security authentication, the method further comprises: when the edge computing device passes identity verification, verifying whether the edge computing device has access permission by querying the access control list of the sensitive data.
3. The method according to claim 2, characterized in that the identity verification comprises verifying an account/password mechanism, a dynamic token or a digital certificate.
4. The method according to any one of claims 1 to 3, characterized in that the method further comprises: upon receiving an abnormal alarm from the edge computing device, performing abnormality handling on the edge computing device so that the edge computing device performs data recovery through a preset emergency strategy.
5. A security prevention and control method based on an edge computing device, characterized in that the method comprises:
S4. When the edge computing device performs data interaction with the cloud platform, sending the requested interaction data to the cloud platform, encrypting the interaction data with an obfuscation encryption algorithm, and waiting for the cloud platform to perform security authentication on the encrypted interaction data;
S5. When security authentication passes, performing data interaction;
wherein, in step S4, uploading the interaction data to the cloud platform and encrypting the interaction data with the obfuscation encryption algorithm comprises:
S41. Encrypting the interaction data with the RSA public key;
S42. Determining the serial number information of the edge computing device and combining the serial number information with the encrypted data into a binary string;
S43. Base64-encoding the combined binary string;
S44. Obfuscating the encoded string and transmitting it to the cloud platform.
6. The method according to claim 5, characterized in that in step S4 the specific algorithm for encrypting the interaction data with the obfuscation encryption algorithm is:
n = p × q;
m^e mod n = c;
c^d mod n = m;
where p and q are set values and both are prime, n is the modulus, e is the public-key exponent, which must satisfy … and be coprime with …, m is the interaction data, c is the ciphertext, and d is the private-key exponent.
7. The method according to claim 6, characterized in that in S5, before performing data interaction when security authentication passes, the method further comprises: when the edge computing device passes security authentication, verifying whether the edge computing device has access permission by querying the access control list of the sensitive data.
8. The method according to any one of claims 5 to 7, characterized in that the edge computing device is connected to an edge-side terminal device, and the method further comprises:
S6. Monitoring the working data of the edge-side terminal device and judging whether the working data lies within a preset behaviour threshold interval;
S7. When the judgment result is negative, sending an abnormal alarm to the cloud platform and performing data repair according to the emergency strategy provided by the cloud platform.
9. A cloud platform, characterized by comprising: a memory for storing computer instructions; and a controller for invoking and executing the computer instructions stored in the memory to implement the method according to any one of claims 1 to 4.
10. An edge computing device, characterized by comprising: a memory for storing computer instructions; and a controller for invoking and executing the computer instructions stored in the memory to implement the method according to any one of claims 5 to 7.
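The upload exchange of the description's item 1 and of claims 1, 5 and 6, as an added example rather than code from the patent. The device order-obfuscates (interaction data || serial number), base64-encodes the result and RSA-encrypts it with the textbook formulas n = p × q, c = m^e mod n; the platform computes m = c^d mod n, base64-decodes, de-obfuscates, and applies S23/S24: the data is received only if the embedded serial number matches the one registered for that device. The step order follows the description and claim 1 (claim 5 lists the RSA and obfuscation steps in the opposite order); the "order obfuscation" is assumed to be a keyed byte permutation, since the patent does not define it, the 16-byte serial-number field, the obfuscation seed and the sample payloads are constructed, and RSA is used raw, without padding, exactly as the page writes it.

```python
"""Edge-to-cloud upload as in the description and claim 1 of this patent:
the device order-obfuscates (interaction data || serial number), base64-
encodes and RSA-encrypts; the platform RSA-decrypts, base64-decodes,
de-obfuscates, and accepts the data only if the embedded serial number
matches the serial number registered for that device."""
import base64
import binascii
import random

SN_LEN = 16   # assumed fixed-width serial number field (not given in the patent)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test, sufficient for a demonstration keypair."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    rng = random.SystemRandom()
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=1024, e=65537):
    """Textbook RSA as written in the patent: n = p*q, c = m^e mod n, m = c^d mod n."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:     # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _perm(seed, length):
    """Keyed byte permutation standing in for the patent's undefined 'order obfuscation'."""
    idx = list(range(length))
    random.Random(seed).shuffle(idx)
    return idx


def obfuscate(data, seed):
    return bytes(data[i] for i in _perm(seed, len(data)))


def deobfuscate(data, seed):
    out = bytearray(len(data))
    for pos, src in enumerate(_perm(seed, len(data))):
        out[src] = data[pos]
    return bytes(out)


def device_encrypt(data, sn, pub, obf_seed):
    """Device side: obfuscate(data || SN) -> base64 -> c = m^e mod n."""
    if len(sn) != SN_LEN:
        raise ValueError("serial number must be %d bytes" % SN_LEN)
    n, e = pub
    m = int.from_bytes(base64.b64encode(obfuscate(data + sn, obf_seed)), "big")
    if m >= n:
        raise ValueError("payload too long for this modulus (no padding, no chunking)")
    return pow(m, e, n)


def platform_receive(c, priv, obf_seed, registered_sn):
    """Platform side (S22-S24): m = c^d mod n -> base64-decode -> de-obfuscate -> SN check."""
    n, d = priv
    m = pow(c, d, n)
    blob = m.to_bytes((m.bit_length() + 7) // 8, "big")
    try:
        plain = deobfuscate(base64.b64decode(blob, validate=True), obf_seed)
    except (ValueError, binascii.Error):
        return None, "reject: malformed ciphertext"
    if len(plain) < SN_LEN:
        return None, "reject: payload too short"
    data, sn = plain[:-SN_LEN], plain[-SN_LEN:]
    if sn != registered_sn:
        return None, "reject: serial number mismatch"    # S24: do not receive
    return data, "accept"


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    seed, sn = b"per-device-obfuscation-seed", b"SN-EDGE-00000001"   # constructed
    c = device_encrypt(b'{"temp": 21.5, "rh": 40}', sn, pub, seed)
    print(platform_receive(c, priv, seed, sn))                          # accepted
    forged = device_encrypt(b'{"setpoint": 0}', b"SN-EVIL-00000001", pub, seed)
    print(platform_receive(forged, priv, seed, sn))                     # SN mismatch
```

Two points a practitioner should take from running it. First, base64 and the permutation add no cryptographic strength; only the RSA layer does, and raw RSA as written on the page is deterministic and unpadded, so a deployment should apply standard padding (OAEP) and rotate keys as the description already requires. Second, the serial-number check proves only that the sender knew the public key and obfuscation seed used by that device; it is a device-binding check, not a signature, so those two values must stay per-device and private for the disguised-device defence to hold.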

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411597961.5A CN119172167A (en) 2024-11-11 2024-11-11 A security prevention and control method based on edge computing device, cloud platform and edge computing device

Publications (1)

Publication Number Publication Date
CN119172167A true CN119172167A (en) 2024-12-20

Family

ID=93884189

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411597961.5A Pending CN119172167A (en) 2024-11-11 2024-11-11 A security prevention and control method based on edge computing device, cloud platform and edge computing device

Country Status (1)

Country Link
CN (1) CN119172167A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111597521A (en) * 2020-05-20 2020-08-28 贵州电网有限责任公司 Transformer substation mobile terminal data security processing method and system
CN112636977A (en) * 2020-12-23 2021-04-09 四川虹微技术有限公司 Internet of things equipment management method, registration method, device and system and electronic equipment
WO2021245599A1 (en) * 2020-06-03 2021-12-09 IOT.nxt BV System and method for authenticating a device on a network
CN114755985A (en) * 2022-03-21 2022-07-15 山东氢探新能源科技有限公司 Comprehensive energy management system and method
US20230086581A1 (en) * 2021-09-20 2023-03-23 Blotout, Inc. Edge Data and Replication Compliance System
CN118487836A (en) * 2024-05-31 2024-08-13 浙江小遛信息科技有限公司 Data processing method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
徐楚轲等: "一种面向分布式发电微电网的边缘计算架构与应用", 新能源进展, 15 October 2020 (2020-10-15), pages 383 - 389 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN120416258A (en) * 2025-07-01 2025-08-01 国网浙江省电力有限公司宁波供电公司 Distributed new energy data scheduling and processing method based on cloud-edge-end collaboration
CN120416258B (en) * 2025-07-01 2025-09-12 国网浙江省电力有限公司宁波供电公司 Distributed new energy data scheduling processing method based on cloud edge end cooperation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination