CN106209865A - A kind of big data platform system based on minimum spanning tree - Google Patents
- Publication number: CN106209865A
- Application number: CN201610559924.4A
- Authority: CN (China)
- Prior art keywords: network node, node, monitored object, network, layer
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
          - H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
        - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
          - H04L63/105—Multiple levels of security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
          - H04L63/1433—Vulnerability analysis
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A big data platform system based on a minimum spanning tree, comprising: a sensing layer for detecting the monitoring data of monitored objects, where the monitored objects include objects outside the Internet that are monitored and the node links of the Internet itself, and the monitoring data include temperature, voltage, images, text information, the weights of nodes and links, security logs and vulnerability information; an application layer, which is the interface between the big data platform system and its users, adopts a distributed multi-user setup and provides human-computer interaction, through which users request the server to store or retrieve data and personnel with administrative rights can modify data via the user layer; a supervisory layer, which analyses the monitoring data of the same monitored object over a period of time, obtains the operating trend of that object within the period and detects anomalies of the monitored object in time; and a security protection system for protecting network nodes and links.
Description
Technical field
The present invention relates to the field of information platforms, and specifically to a big data platform system based on a minimum spanning tree.
Background technology
Cloud computing has attracted a growing number of users, in particular enterprise users. With cloud computing an enterprise user no longer needs to build and maintain its own data center; it only needs to request and release, according to its own business load, the resources offered by the cloud service provider. This frees enterprise users from the considerable cost of building and maintaining infrastructure, so that they can concentrate on their core business. Cloud computing has these strong advantages, but because of its particular features, such as virtualization technology, data hosting and outsourced services, it has also met unprecedented security challenges.
Summary of the invention
In view of the above problems, the present invention provides a big data platform system based on a minimum spanning tree.
The purpose of the present invention is achieved by the following technical solution:
A big data platform system based on a minimum spanning tree, comprising a sensing layer for detecting the monitoring data of monitored objects, where the monitored objects include objects outside the Internet that are monitored and the node links of the Internet itself, and the monitoring data include temperature, voltage, images, text information, the weights of nodes and links, security logs and vulnerability information;
an application layer, which is the interface between the big data platform system and its users, adopts a distributed multi-user setup and provides human-computer interaction; through the application layer users request the server to store or retrieve data, and personnel with administrative rights can modify data through the user layer;
a supervisory layer, which analyses the monitoring data of the same monitored object over a period of time, obtains the operating trend of that object within the period and detects anomalies of the monitored object in time;
a security protection system, which includes a cloud network node security classification subsystem, a security protection configuration subsystem, a network security monitoring subsystem and a cloud service subsystem.
The beneficial effect of this big data platform is that it provides a large-scale data platform system in which the sensing layer detects monitored objects both inside and outside the Internet at the same time, and the supervisory layer analyses the monitoring data of the same monitored object over a period of time, obtains the operating trend of that object within the period and detects its anomalies in time.
Accompanying drawing explanation
The invention is further described with reference to the accompanying drawings, but the embodiments in the drawings do not limit the present invention in any way; a person of ordinary skill in the art can also obtain other drawings from the following drawings without creative effort.
Fig. 1 is a structural block diagram of a big data platform system based on a minimum spanning tree;
Fig. 2 is a structural block diagram of the security protection system.
Reference numerals: sensing layer 1; application layer 2; supervisory layer 3; security protection system 4; device management layer 5; cloud network node security classification subsystem 10; security protection configuration subsystem 20; network security monitoring subsystem 30; cloud service subsystem 40; incidence matrix generation module 11; minimum spanning tree module 12; grading module 13; replacement module 14.
Detailed description of the invention
The invention will be further described with the following Examples.
Application scenario 1:
A big data platform system based on a minimum spanning tree, as shown in Fig. 1, comprises a sensing layer 1 for detecting the monitoring data of monitored objects, where the monitored objects include objects outside the Internet that are monitored and the node links of the Internet itself, and the monitoring data include temperature, voltage, images, text information, the weights of nodes and links, security logs and vulnerability information;
an application layer 2, which is the interface between the big data platform system and its users, adopts a distributed multi-user setup and provides human-computer interaction; through the application layer users request the server to store or retrieve data, and personnel with administrative rights can modify data through the user layer;
a supervisory layer 3, which analyses the monitoring data of the same monitored object over a period of time, obtains the operating trend of that object within the period and detects anomalies of the monitored object in time;
a security protection system 4, which includes a cloud network node security classification subsystem 10, a security protection configuration subsystem 20, a network security monitoring subsystem 30 and a cloud service subsystem 40.
The present invention provides a big data platform system in which the sensing layer detects monitored objects both inside and outside the Internet at the same time, and the supervisory layer analyses the monitoring data of the same monitored object over a period of time, obtains the operating trend of that object within the period and detects its anomalies in time.
Preferably, a device management layer 5 is additionally provided between the sensing layer 1 and the supervisory layer 3. The device management layer 5 maps sensing-layer device IDs, according to a certain rule, to device management identifiers (M-IDs) of the device management layer 5, which are used to represent, identify and manage the sensing-layer devices in the device management layer 5 and the supervisory layer; on this basis it realizes the conversion, transmission and exchange of information between the sensing layer 1 and the supervisory layer 3, so that the values and status information of the sensing-layer devices are represented and identified uniformly at the supervisory layer 2.
Preferably, the device management M-ID consists of three parts: a type, a local port number and the sensing-layer device ID.
Preferably, as shown in Fig. 2, the network node security classification subsystem 10 computes an importance value for each network node and divides the network nodes into 4 different security grades; the security protection configuration subsystem 20 provides, according to the classification results of the cloud network node security classification subsystem 10, different security encryption services for the links between network nodes and for nodes of different security grades; the network security monitoring subsystem 30 monitors the state of the network nodes; and the cloud service subsystem 40 provides cloud support for the whole security protection cloud system.
(1) The cloud network node security classification subsystem 10 includes an incidence matrix generation module 11, a minimum spanning tree module 12, a grading module 13 and a replacement module 14:
The importance values of the cloud network node security classification subsystem 10 are obtained mainly on the following principle: the status of a node in the network is assessed by removing the node under test; specifically, the fewer spanning trees the new graph obtained after removing the node has, the greater the importance value of that node.
a. Incidence matrix generation module 11:
Let G denote an undirected graph with m network nodes V and n links E, where $V=\{V_1, V_2, \dots, V_m\}$ and $E=\{E_1, E_2, \dots, E_n\}$. The connection relationship between the nodes and links of the network structure is represented by an $m \times n$ incidence matrix R: a row of R corresponds to one network node in the network, a column of R represents the association of the network nodes with the corresponding edge, and each element of R is 0 or 1, where 0 means the link is not associated with the network node and 1 means the link is associated with the network node; for example, if the element in row m and column n of R is 1, the m-th network node is associated with the n-th link;
b. Minimum spanning tree module 12:
Let (i, j) denote the link connecting network node $V_i$ and network node $V_j$ in the undirected graph G, and let $\omega(V_i, V_j)$ denote the weight of that link. If T is a subset of E that is acyclic and minimizes $\omega(T)$, T is called the minimum spanning tree of G. The total number of spanning trees in G is $\tau(G)=\det(RR^{T})$, where $\det(\cdot)$ denotes the determinant;
c. Grading module 13:
The importance value $r_i$ of node $V_i$ is obtained by the following formula:
where $\tau(G)$ is the total number of spanning trees obtained by the minimum spanning tree module; k is the number of nonzero elements in the i-th row of the incidence matrix R; Z is the new matrix obtained by removing from R the i-th row and the columns in which the i-th row is nonzero; and $\det(Z_i)$ denotes the determinant of Z. The larger the value of $r_i$, the higher the importance of the node; when $r_i$ takes the value 1, $V_i$ is the most important network node in the network, and once this node is destroyed the connectivity of the graph is greatly damaged, causing network services to be interrupted. The importance values of all network nodes are computed by the above method, and classification thresholds T1, T2 and T3 with T1 > T2 > T3 are set: if $r_i$ > T1 the network node is marked as an important node; if T1 > $r_i$ > T2 it is marked as a secondary important node; if T2 > $r_i$ > T3 it is marked as an intermediate node; and if $r_i$ < T3 it is marked as an edge node. The security grades of important nodes, secondary important nodes, intermediate nodes and edge nodes are denoted grade 1, grade 2, grade 3 and grade 4 respectively; T3 = 0.25, and the number of edge nodes does not exceed 30% of the total number of network nodes;
d. Replacement module 14:
When the number of network nodes or the positions of nodes change, the importance value of each network node is automatically recomputed and the security classification and marking are redone;
(2) Security protection configuration subsystem 20: between network nodes of the same security grade, information is exchanged using the network-layer Secure Internet Protocol IPSec, which provides channel-level information security protection; IPSec applies cryptographic techniques at the network layer and provides security services for point-to-point data transmission, including security authentication, data encryption, access control and integrity verification. Between network nodes of different security grades, information is exchanged using an application-layer protocol running on top of the network-layer protocol; application-layer security is based on a PKI system and guarantees, by cryptographic techniques, the security of the transfer, sharing and use of information files, specifically encrypting in the following manner:
a. For a network node A of security grade n1 and a network node B of security grade n2, when A is to transmit information MES to B, A first sends a request to B; B returns |n1-n2| random numbers RD1 and retains RD1;
b. A digitally signs each RD1 with a pre-assigned secret key and generates the corresponding |n1-n2| random numbers RD2; RD1 and RD2 form a matrix of order |n1-n2| × |n1-n2|, with which the information MES is encrypted using matrix encryption technology, and the encrypted result is sent to B. Since n1 and n2 range over 1 to 4, it is easy to see that for network nodes of different security grades this matrix is at most a 3 × 3 matrix and at least a 1 × 1 matrix, while for network nodes of the same security grade n1-n2 = 0 and no matrix encryption is performed. The more security grades a transmission crosses, the larger |n1-n2|, the higher the order of the encryption matrix and the better the encryption security; at the same grade or when few grades are crossed, the computation of the encryption algorithm decreases accordingly, giving strong adaptivity.
c. B calls the decryption function to decrypt the encrypted information, obtaining RD1' and the information MES, and compares RD1 with RD1'; if they match, MES is accepted and retained, and if they are inconsistent MES is returned to A or discarded;
(3) Network security monitoring subsystem 30, for monitoring the number of network nodes and the positions of network nodes, includes a sensing module and a transport module:
The sensing module is realized by deploying a large number of wireless sensors around the network nodes; since the network nodes do not know their own positions, the wireless sensors receive the wireless signals of the network nodes and, combined with the positional relationship between themselves and the other sensors, locate the positions of the network nodes;
(4) Cloud service subsystem 40, including a cloud storage module and a cloud computing module:
The cloud storage module includes a public cloud storage submodule and a private cloud storage submodule; the public cloud storage submodule mainly stores the network node grading data, and its stored content can be freely accessed by the outside world; the private cloud storage submodule mainly stores secret keys and decryption functions and can be accessed only by personnel who have passed identity authentication;
The cloud computing module is realized by deploying SOA servers and includes a public cloud computing submodule and a private cloud computing submodule; the public cloud computing submodule provides computing support for the cloud network node security classification subsystem and the network security monitoring subsystem, the private cloud computing submodule provides computing support for the security protection configuration subsystem, and all types of users obtain cloud data through terminal programs.
In this embodiment, the network node security classification subsystem 10 uses node importance calculation based on the minimum spanning tree, which computes the importance of network nodes relatively accurately and with a small amount of computation, and on this basis classifies the nodes in the network by security grade, with T3 = 0.25 and the number of edge nodes not exceeding 30% of the total number of network nodes; the security protection configuration subsystem 20 uses different encryption strategies for information transmission between network nodes of different security grades: the more grades a transmission crosses (the larger |n1-n2|), the higher the order of the encryption matrix and the better the encryption security, while at the same grade or when few grades are crossed the computation of the encryption algorithm decreases accordingly, giving strong adaptivity; providing the cloud service module saves storage space, increases computing speed and saves time cost.
Preferably, in the network security monitoring subsystem, the specific positioning operation for a network node is as follows:
Draw a circle with the network node as center and r as radius; let the number of wireless sensors falling inside the circle be n, and let the signal strength of the network node received by the i-th wireless sensor be $q_i$, i = 1, 2, ..., n;
The position (x, y) of the network node is then given as follows:
The transport module transmits the monitoring results of the sensing module to the cloud service subsystem 40.
In this embodiment, providing the network security monitoring subsystem makes it possible to collect network node data in time, with accurate positioning.
Application scenario 2:
A big data platform system based on a minimum spanning tree, as shown in Fig. 1, comprises a sensing layer 1 for detecting the monitoring data of monitored objects, where the monitored objects include objects outside the Internet that are monitored and the node links of the Internet itself, and the monitoring data include temperature, voltage, images, text information, the weights of nodes and links, security logs and vulnerability information;
an application layer 2, which is the interface between the big data platform system and its users, adopts a distributed multi-user setup and provides human-computer interaction; through the application layer users request the server to store or retrieve data, and personnel with administrative rights can modify data through the user layer;
a supervisory layer 3, which analyses the monitoring data of the same monitored object over a period of time, obtains the operating trend of that object within the period and detects anomalies of the monitored object in time;
a security protection system 4, which includes a cloud network node security classification subsystem 10, a security protection configuration subsystem 20, a network security monitoring subsystem 30 and a cloud service subsystem 40.
The present invention provides a big data platform system in which the sensing layer detects monitored objects both inside and outside the Internet at the same time, and the supervisory layer analyses the monitoring data of the same monitored object over a period of time, obtains the operating trend of that object within the period and detects its anomalies in time.
Preferably, a device management layer 5 is additionally provided between the sensing layer 1 and the supervisory layer 3. The device management layer 5 maps sensing-layer device IDs, according to a certain rule, to device management identifiers (M-IDs) of the device management layer 5, which are used to represent, identify and manage the sensing-layer devices in the device management layer 5 and the supervisory layer; on this basis it realizes the conversion, transmission and exchange of information between the sensing layer 1 and the supervisory layer 3, so that the values and status information of the sensing-layer devices are represented and identified uniformly at the supervisory layer 2.
Preferably, the device management M-ID consists of three parts: a type, a local port number and the sensing-layer device ID.
Preferably, as shown in Fig. 2, the network node security classification subsystem 10 computes an importance value for each network node and divides the network nodes into 4 different security grades; the security protection configuration subsystem 20 provides, according to the classification results of the cloud network node security classification subsystem 10, different security encryption services for the links between network nodes and for nodes of different security grades; the network security monitoring subsystem 30 monitors the state of the network nodes; and the cloud service subsystem 40 provides cloud support for the whole security protection cloud system.
(1) The cloud network node security classification subsystem 10 includes an incidence matrix generation module 11, a minimum spanning tree module 12, a grading module 13 and a replacement module 14:
The importance values of the cloud network node security classification subsystem 10 are obtained mainly on the following principle: the status of a node in the network is assessed by removing the node under test; specifically, the fewer spanning trees the new graph obtained after removing the node has, the greater the importance value of that node.
a. Incidence matrix generation module 11:
Let G denote an undirected graph with m network nodes V and n links E, where $V=\{V_1, V_2, \dots, V_m\}$ and $E=\{E_1, E_2, \dots, E_n\}$. The connection relationship between the nodes and links of the network structure is represented by an $m \times n$ incidence matrix R: a row of R corresponds to one network node in the network, a column of R represents the association of the network nodes with the corresponding edge, and each element of R is 0 or 1, where 0 means the link is not associated with the network node and 1 means the link is associated with the network node; for example, if the element in row m and column n of R is 1, the m-th network node is associated with the n-th link;
b. Minimum spanning tree module 12:
Let (i, j) denote the link connecting network node $V_i$ and network node $V_j$ in the undirected graph G, and let $\omega(V_i, V_j)$ denote the weight of that link. If T is a subset of E that is acyclic and minimizes $\omega(T)$, T is called the minimum spanning tree of G. The total number of spanning trees in G is $\tau(G)=\det(RR^{T})$, where $\det(\cdot)$ denotes the determinant;
c. Grading module 13:
The importance value $r_i$ of node $V_i$ is obtained by the following formula:
where $\tau(G)$ is the total number of spanning trees obtained by the minimum spanning tree module; k is the number of nonzero elements in the i-th row of the incidence matrix R; Z is the new matrix obtained by removing from R the i-th row and the columns in which the i-th row is nonzero; and $\det(Z_i)$ denotes the determinant of Z. The larger the value of $r_i$, the higher the importance of the node; when $r_i$ takes the value 1, $V_i$ is the most important network node in the network, and once this node is destroyed the connectivity of the graph is greatly damaged, causing network services to be interrupted. The importance values of all network nodes are computed by the above method, and classification thresholds T1, T2 and T3 with T1 > T2 > T3 are set: if $r_i$ > T1 the network node is marked as an important node; if T1 > $r_i$ > T2 it is marked as a secondary important node; if T2 > $r_i$ > T3 it is marked as an intermediate node; and if $r_i$ < T3 it is marked as an edge node. The security grades of important nodes, secondary important nodes, intermediate nodes and edge nodes are denoted grade 1, grade 2, grade 3 and grade 4 respectively; T3 = 0.28, and the number of edge nodes does not exceed 27% of the total number of network nodes;
d. Replacement module 14:
When the number of network nodes or the positions of nodes change, the importance value of each network node is automatically recomputed and the security classification and marking are redone;
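The following is an added worked example, not code from the patent, covering section (1) of application scenarios 1 and 2 (modules 11 to 14). It evaluates τ(G) = det(R Rᵀ) with R taken as the oriented incidence matrix with one row deleted, which is the form in which that determinant equals the spanning-tree count by Kirchhoff's matrix-tree theorem; the page's formula for r_i did not survive extraction, so the example assumes r_i = 1 − τ(G − V_i)/τ(G) as one instantiation of the stated principle (fewer spanning trees after removal gives a larger r_i, and r_i = 1 when removal disconnects the graph). T1 and T2, the tie rule at a threshold, the way the edge-node cap is enforced, and the sample topology are all assumptions; T3 = 0.25 with the 30% cap (scenario 1) are the defaults and scenario 2's 0.28 and 27% can be passed in.

```python
# Added example (not the patent's own code): node importance from spanning-tree
# counting on an incidence matrix, and the four-grade classification of section (1).
# Assumptions (not on the page): tau(G) is evaluated as det(R R^T) with R the oriented
# incidence matrix with one row deleted (Kirchhoff's matrix-tree theorem); the page's
# formula for r_i did not survive extraction, so r_i = 1 - tau(G - V_i) / tau(G) is used
# as one instantiation of the stated principle; T1 and T2 are assumed values; a value
# equal to a threshold goes to the larger grade number; the edge-node cap is enforced
# by promoting the strongest edge nodes to grade 3.
from fractions import Fraction

def incidence_matrix(m, links):
    """Module 11: m x n matrix R with R[i][j] = 1 iff node i is an endpoint of link j."""
    R = [[0] * len(links) for _ in range(m)]
    for j, (a, b) in enumerate(links):
        R[a][j] = R[b][j] = 1
    return R

def determinant(M):
    """Exact determinant by Gaussian elimination over rationals (empty matrix -> 1)."""
    A = [[Fraction(x) for x in row] for row in M]
    n, det = len(A), Fraction(1)
    for c in range(n):
        pivot = next((r for r in range(c, n) if A[r][c] != 0), None)
        if pivot is None:
            return Fraction(0)
        if pivot != c:
            A[c], A[pivot] = A[pivot], A[c]
            det = -det
        det *= A[c][c]
        for r in range(c + 1, n):
            f = A[r][c] / A[c][c]
            for k in range(c, n):
                A[r][k] -= f * A[c][k]
    return det

def spanning_tree_count(R):
    """Module 12: tau(G) = det(R R^T), R oriented (+1/-1 per column) with one row deleted."""
    m = len(R)
    if m <= 1:
        return 1                                   # a lone node has one trivial spanning tree
    n = len(R[0])
    oriented = [[0] * n for _ in range(m)]
    for j in range(n):
        ends = [i for i in range(m) if R[i][j]]
        if len(ends) != 2:
            raise ValueError("column %d is not a link between two nodes" % j)
        oriented[ends[0]][j], oriented[ends[1]][j] = 1, -1
    red = oriented[:-1]                            # delete the last node's row
    L = [[sum(red[a][j] * red[b][j] for j in range(n)) for b in range(m - 1)] for a in range(m - 1)]
    return int(determinant(L))

def remove_node(R, i):
    """Z of module 13: drop row i and every column in which row i is nonzero."""
    keep = [j for j, v in enumerate(R[i]) if v == 0]
    return [[row[j] for j in keep] for r, row in enumerate(R) if r != i]

def importance_values(R):
    """Module 13 (assumed form): r_i = 1 - tau(G - V_i) / tau(G), as exact rationals."""
    tau = spanning_tree_count(R)
    if tau == 0:
        raise ValueError("graph is already disconnected: tau(G) = 0")
    return {i: 1 - Fraction(spanning_tree_count(remove_node(R, i)), tau) for i in range(len(R))}

def classify(r, T1, T2, T3=Fraction(1, 4), edge_cap=Fraction(3, 10)):
    """Grades 1..4 from T1 > T2 > T3, then the page's cap on the share of edge nodes."""
    if not T1 > T2 > T3:
        raise ValueError("thresholds must satisfy T1 > T2 > T3")
    grade = {i: 1 if v > T1 else 2 if v > T2 else 3 if v > T3 else 4 for i, v in r.items()}
    edge = sorted((i for i in grade if grade[i] == 4), key=lambda i: (-r[i], i))
    allowed = int(edge_cap * len(r))               # "not over 30%": floor of the share
    for i in edge[:max(0, len(edge) - allowed)]:
        grade[i] = 3                               # assumed enforcement of the cap
    return grade

def reclassify(m, links, T1, T2, **kw):
    """Module 14: rebuild R, r_i and the grades from scratch when nodes or links change."""
    r = importance_values(incidence_matrix(m, links))
    return r, classify(r, T1, T2, **kw)

# Constructed sample topology (not from the page): triangle 0-1-2, leaves 3 and 4 on
# node 2, leaf 5 on node 0. Nodes 0 and 2 are cut vertices, so their r_i must be 1.
SAMPLE_LINKS = [(0, 1), (1, 2), (0, 2), (2, 3), (2, 4), (0, 5)]
T1, T2 = Fraction(9, 10), Fraction(1, 2)           # assumed thresholds; T3 = 0.25 is the page's

if __name__ == "__main__":
    r, grades = reclassify(6, SAMPLE_LINKS, T1, T2)
    for i in sorted(r):
        print("node %d: r_i = %s, grade %d" % (i, r[i], grades[i]))
```

On the sample graph τ(G) = 3 (two of the three triangle edges, pendant edges forced); removing node 0 or node 2 disconnects the graph, so both get r_i = 1 and grade 1, node 1 gets 2/3, and the three leaves get 0. Three leaves out of six nodes exceed the 30% cap, so two of them are promoted to grade 3 and only one remains an edge node. Exact rationals are used so that threshold comparisons never depend on floating-point rounding.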
(2) Security protection configuration subsystem 20: between network nodes of the same security grade, information is exchanged using the network-layer Secure Internet Protocol IPSec, which provides channel-level information security protection; IPSec applies cryptographic techniques at the network layer and provides security services for point-to-point data transmission, including security authentication, data encryption, access control and integrity verification. Between network nodes of different security grades, information is exchanged using an application-layer protocol running on top of the network-layer protocol; application-layer security is based on a PKI system and guarantees, by cryptographic techniques, the security of the transfer, sharing and use of information files, specifically encrypting in the following manner:
a. For a network node A of security grade n1 and a network node B of security grade n2, when A is to transmit information MES to B, A first sends a request to B; B returns |n1-n2| random numbers RD1 and retains RD1;
b. A digitally signs each RD1 with a pre-assigned secret key and generates the corresponding |n1-n2| random numbers RD2; RD1 and RD2 form a matrix of order |n1-n2| × |n1-n2|, with which the information MES is encrypted using matrix encryption technology, and the encrypted result is sent to B. Since n1 and n2 range over 1 to 4, it is easy to see that for network nodes of different security grades this matrix is at most a 3 × 3 matrix and at least a 1 × 1 matrix, while for network nodes of the same security grade n1-n2 = 0 and no matrix encryption is performed. The more security grades a transmission crosses, the larger |n1-n2|, the higher the order of the encryption matrix and the better the encryption security; at the same grade or when few grades are crossed, the computation of the encryption algorithm decreases accordingly, giving strong adaptivity.
c. B calls the decryption function to decrypt the encrypted information, obtaining RD1' and the information MES, and compares RD1 with RD1'; if they match, MES is accepted and retained, and if they are inconsistent MES is returned to A or discarded;
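The following is an added example, not the patent's code, simulating steps a to c of the security protection configuration subsystem as described in application scenarios 1 and 2, with both sides of the exchange. The page does not specify the "matrix encryption technology" or the signature scheme, so the example assumes a secret key shared by A and B, an HMAC-SHA256 stand-in for the signature over each RD1, and a |n1−n2| × |n1−n2| matrix whose entries are derived from the signed RD1 values and RD2; that matrix serves only as key material for a SHA-256-derived XOR keystream, which is an illustrative stand-in and not a real cipher. It also assumes that RD2 travels in the clear with the ciphertext so that B can rebuild the matrix, and that RD1 is carried inside the encrypted payload so that B recovers RD1′ by decryption; the key value and messages are constructed.

```python
# Added example (not the patent's own code): simulation of steps a to c between a node A
# of grade n1 and a node B of grade n2. Assumptions (not on the page): the pre-assigned
# secret key is shared by A and B and the signature is an HMAC-SHA256 stand-in; the
# |n1-n2| x |n1-n2| matrix of signed-RD1/RD2 values is used only as key material for a
# SHA-256-derived XOR keystream (illustrative stand-in, not a real cipher); RD2 is sent in
# the clear alongside the ciphertext; RD1 rides inside the encrypted payload as RD1'.
import hashlib, hmac, secrets, struct

class Node:
    def __init__(self, name, level, shared_key):
        if not 1 <= level <= 4:
            raise ValueError("security grades are 1..4")
        self.name, self.level, self.key = name, level, shared_key
        self.pending = {}                 # RD1 lists this node issued, keyed by requesting peer

def matrix_order(n1, n2):
    """|n1 - n2|: 0 at the same grade (IPsec path), at most 3 between grades 1 and 4."""
    return abs(n1 - n2)

def issue_challenge(b, a):
    """Step a: on A's request, B returns |n1-n2| random numbers RD1 and retains them."""
    rd1 = [secrets.randbits(32) for _ in range(matrix_order(a.level, b.level))]
    b.pending[a.name] = list(rd1)
    return rd1

def sign_value(key, v):
    """Stand-in for the digital signature with the pre-assigned key (HMAC-SHA256)."""
    return hmac.new(key, struct.pack(">I", v), hashlib.sha256).digest()

def build_matrix(key, rd1, rd2):
    """Assumed layout: entry (i, j) is derived from the signed RD1_i and from RD2_j."""
    return [[hashlib.sha256(sign_value(key, rd1[i]) + struct.pack(">I", rd2[j])).digest()[:4]
             for j in range(len(rd2))] for i in range(len(rd1))]

def keystream(matrix, length):
    """Stand-in 'matrix encryption': XOR keystream expanded from the matrix bytes."""
    seed, out, ctr = b"".join(c for row in matrix for c in row), b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + struct.pack(">I", ctr)).digest()
        ctr += 1
    return out[:length]

def xor(data, ks):
    return bytes(x ^ y for x, y in zip(data, ks))

def encode_payload(rd1, mes):
    return b"".join(struct.pack(">I", v) for v in rd1) + mes

def decode_payload(p, k):
    if len(p) < 4 * k:
        return None, None
    return [struct.unpack(">I", p[4 * i:4 * i + 4])[0] for i in range(k)], p[4 * k:]

def send(a, b, mes, rd1):
    """Step b: A signs each RD1, draws |n1-n2| values RD2, forms the matrix, encrypts MES."""
    k = matrix_order(a.level, b.level)
    if k == 0:                            # same grade: no matrix encryption, IPsec channel instead
        return {"transport": "ipsec", "body": mes}
    if len(rd1) != k:
        raise ValueError("expected %d RD1 values" % k)
    rd2 = [secrets.randbits(32) for _ in range(k)]
    ks = keystream(build_matrix(a.key, rd1, rd2), 4 * k + len(mes))
    return {"transport": "app-layer", "order": k, "rd2": rd2, "body": xor(encode_payload(rd1, mes), ks)}

def receive(b, a_name, msg):
    """Step c: B decrypts, recovers RD1' and MES, and accepts MES only if RD1' matches RD1."""
    if msg["transport"] == "ipsec":
        return True, msg["body"]
    rd1 = b.pending.pop(a_name, None)    # each challenge is consumed once
    if rd1 is None or len(rd1) != msg["order"] or len(msg["rd2"]) != msg["order"]:
        return False, None
    ks = keystream(build_matrix(b.key, rd1, msg["rd2"]), len(msg["body"]))
    rd1_prime, mes = decode_payload(xor(msg["body"], ks), msg["order"])
    if rd1_prime != rd1:
        return False, None                # inconsistent: MES is returned to A or discarded
    return True, mes

SHARED_KEY = b"pre-assigned-key-demo"    # constructed demo value, not from the page

if __name__ == "__main__":
    a, b = Node("A", 1, SHARED_KEY), Node("B", 4, SHARED_KEY)
    rd1 = issue_challenge(b, a)
    msg = send(a, b, b"MES: node status report", rd1)
    print("matrix order", msg["order"], "->", receive(b, "A", msg))
```

Two behaviours worth noticing: a grade-1 to grade-4 exchange produces order 3 while two grade-1 nodes take the IPsec path with no matrix step, matching the page's |n1−n2| rule; and because B consumes its retained RD1 on first use and compares it with the recovered RD1′, a replayed message or one built on the wrong RD1 values is rejected rather than accepted.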
(3) Network security monitoring subsystem 30, for monitoring the number of network nodes and the positions of network nodes, includes a sensing module and a transport module:
The sensing module is realized by deploying a large number of wireless sensors around the network nodes; since the network nodes do not know their own positions, the wireless sensors receive the wireless signals of the network nodes and, combined with the positional relationship between themselves and the other sensors, locate the positions of the network nodes;
(4) Cloud service subsystem 40, including a cloud storage module and a cloud computing module:
The cloud storage module includes a public cloud storage submodule and a private cloud storage submodule; the public cloud storage submodule mainly stores the network node grading data, and its stored content can be freely accessed by the outside world; the private cloud storage submodule mainly stores secret keys and decryption functions and can be accessed only by personnel who have passed identity authentication;
The cloud computing module is realized by deploying SOA servers and includes a public cloud computing submodule and a private cloud computing submodule; the public cloud computing submodule provides computing support for the cloud network node security classification subsystem and the network security monitoring subsystem, the private cloud computing submodule provides computing support for the security protection configuration subsystem, and all types of users obtain cloud data through terminal programs.
In this embodiment, the network node security classification subsystem 10 uses node importance calculation based on the minimum spanning tree, which computes the importance of network nodes relatively accurately and with a small amount of computation, and on this basis classifies the nodes in the network by security grade, with T3 = 0.28 and the number of edge nodes not exceeding 27% of the total number of network nodes; the security protection configuration subsystem 20 uses different encryption strategies for information transmission between network nodes of different security grades: the more grades a transmission crosses (the larger |n1-n2|), the higher the order of the encryption matrix and the better the encryption security, while at the same grade or when few grades are crossed the computation of the encryption algorithm decreases accordingly, giving strong adaptivity; providing the cloud service module saves storage space, increases computing speed and saves time cost;
Preferably, in described network security monitoring subsystem, the concrete positioning action of network node is as follows:
With network node as the center of circle, r is that radius draws circle, and the wireless senser quantity in circle that falls is n, biography that i-th is wireless
Sensor receives the signal intensity of this network node and corresponds to qi, i=1,2 ..., n;
The position of network node (x, y) as follows:
Described transport module is for being transferred to cloud service subsystem 40 by the monitoring result of sensing module.
Network security monitoring subsystem is set in this embodiment, it is possible to gather network node data, accurate positioning in time.
Application scenario 3:
A big data platform system based on a minimum spanning tree, as shown in Figure 1, comprises a sensing layer 1 for detecting the monitoring data of monitored objects, where the monitored objects include monitored objects outside the Internet and the nodes and links of the Internet itself, and the monitoring data include temperature, voltage, images, text information, the weights of nodes and links, security logs and vulnerability information;
an application layer 2, which is the interface between the big data platform system and the users, adopts a distributed multi-user arrangement and provides the human-computer interaction function; users request the server to store or retrieve data through the application layer, and personnel with administrative authority can modify data through the user layer;
a monitoring layer 3, which analyzes the monitoring data of the same monitored object over a period of time, obtains the operating trend of that monitored object in that period, and discovers abnormalities of the monitored object in time;
a security protection system 4, which comprises a cloud network node security classification subsystem 10, a security protection configuration subsystem 20, a network security monitoring subsystem 30 and a cloud service subsystem 40.
The present invention designs a big data platform system which detects monitored objects both inside and outside the Internet through the sensing layer, analyzes the monitoring data of the same monitored object over a period of time through the monitoring layer, obtains the operating trend of the monitored object in that period, and discovers abnormalities of the monitored object in time.
Preferably, a device management layer 5 is further provided between the sensing layer 1 and the monitoring layer 3. The device management layer 5 maps the sensing-layer device ID to a device management identifier M-ID of the device management layer 5 according to a set rule, which is used to represent, identify and manage the sensing-layer devices in the device management layer 5 and the monitoring layer; on this basis it realizes the conversion, transfer and exchange of information between the sensing layer 1 and the monitoring layer 3, so that the values and status information of the sensing-layer devices are uniformly represented and identified in the monitoring layer 2.
Preferably, the device management M-ID consists of three parts: a type, a local port number and the sensing-layer device ID.
Preferably, as shown in Figure 2, the network node security classification subsystem 10 divides the network nodes into 4 different security levels by calculating the importance value of each network node; the security protection configuration subsystem 20 provides different security encryption services for the links between network nodes and for the nodes of different security levels according to the classification results of the cloud network node security classification subsystem 10; the network security monitoring subsystem 30 is used to monitor the state of the network nodes; and the cloud service subsystem 40 provides cloud support for the whole security protection cloud system.
(1) The cloud network node security classification subsystem 10 comprises an incidence matrix generation module 11, a minimum spanning tree module 12, a grading module 13 and an update module 14:
The importance value used by the cloud network node security classification subsystem 10 is obtained mainly on the basis of the following theory: the status of a node in the network is assessed by removing the node to be measured; specifically, the fewer spanning trees there are in the new graph obtained after the node to be measured is removed, the larger the importance value of that node.
a. Incidence matrix generation module 11:
Let G denote an undirected graph with m network nodes V and n links E, where V = {V1, V2, ..., Vm} and E = {E1, E2, ..., En}. The connection relationship between the nodes and links of the network structure is represented by an m × n incidence matrix R: each row of R corresponds to one network node in the network, and each column of R represents the association attribute of the network nodes with the corresponding edge. Each element of R takes the value 0 or 1, where 0 means the link is not associated with the network node and 1 means the link is associated with the network node. For example, if the element in the m-th row and n-th column of R is 1, the m-th network node is associated with the n-th link.
b. Minimum spanning tree module 12:
Let (i, j) denote the link connecting network node Vi and network node Vj in the undirected graph G, and let ω(Vi, Vj) denote the weight of that link. If there is a subset T of E which is an acyclic graph and minimizes ω(T), then T is called the minimum spanning tree of G. The total number of spanning trees in G is τ(G) = det(R Rᵀ), where det(·) denotes the determinant.
c. Grading module 13:
The importance value ri of node Vi is obtained by the following formula:
where τ(G) is the total number of spanning trees obtained by the minimum spanning tree module; K is the number of nonzero elements in the i-th row of the incidence matrix R; Z is the new matrix obtained after removing from R the i-th row and the columns in which the i-th row has nonzero elements; and det(Zi) denotes the determinant of Z. The larger the value of ri, the higher the importance of the node; when ri takes the value 1, Vi is the most important network node in this network, and once this network node is destroyed the connectivity of the graph is greatly damaged, causing network services to be interrupted. The importance value of every network node is calculated separately by the above method, and classification thresholds T1, T2, T3 are set with T1 > T2 > T3: if ri > T1, the network node is marked as an important node; if T1 > ri > T2, as a secondary important node; if T2 > ri > T3, as an intermediate node; and if ri is less than T3, as a fringe node. The security levels of important nodes, secondary important nodes, intermediate nodes and fringe nodes are designated as level 1, level 2, level 3 and level 4 respectively. T3 = 0.30, and the number of fringe nodes does not exceed 32% of all network nodes.
d. Update module 14:
When the number of network nodes or the node positions change, the importance value of each network node is automatically recalculated, and the security classification and marking are carried out again.
(2) Security protection configuration subsystem 20: between network nodes of the same security level, information is exchanged using the network-layer Internet security protocol IPSec, which provides channel-level information security protection; the IPSec protocol applies cryptographic techniques at the network layer and provides security services for point-to-point data transfer, including security authentication, data encryption, access control and integrity verification. Between network nodes of different security levels, information is exchanged using an application-layer protocol running on top of the network-layer protocol; application-layer security is based on a PKI system and uses cryptographic techniques to guarantee the security of information file transfer, sharing and use. Specifically, the following encryption scheme is used:
a. For a network node A of security level n1 and a network node B of security level n2, when A wants to transfer information MES to B, A first sends a request to B; B returns |n1 − n2| random numbers RD1 and retains RD1.
b. A digitally signs each RD1 with a pre-assigned key and generates the corresponding |n1 − n2| random numbers RD2; RD1 and RD2 are composed into a matrix of order |n1 − n2| × |n1 − n2|, the information MES is encrypted using matrix encryption, and the encrypted result is sent to B. Since n1 and n2 take values in the range 1-4, it is easy to see that for network nodes of different security levels this matrix is at most a 3 × 3 matrix and at least a 1 × 1 matrix, while for network nodes of the same security level n1 − n2 = 0 and no matrix encryption is performed. The more levels the transfer crosses, the larger |n1 − n2|, the higher the order of the encryption matrix and the stronger the encryption; when the levels are the same or the level difference is small, the amount of computation of the encryption algorithm decreases accordingly, so the scheme is strongly adaptive.
c. B calls the decryption function to decrypt the encrypted information, obtains RD1' and the information MES, and compares RD1 with RD1'; if they match, MES is accepted and retained; if they are inconsistent, MES is returned to A or discarded.
(3) Network security monitoring subsystem 30, used to monitor the number of network nodes and the network node positions, comprising a sensing module and a transport module:
The sensing module is realized by deploying a large number of wireless sensors around the network nodes. Since a network node does not know its own position, the wireless sensors receive the wireless signal of the network node and, combining the positional relationship between themselves and the other sensors, determine the position of the network node.
(4) Cloud service subsystem 40, comprising a cloud storage module and a cloud computing module:
The cloud storage module comprises a public cloud storage submodule and a private cloud storage submodule. The public cloud storage submodule mainly stores the network node classification data, and its stored content can be freely accessed by the outside world; the private cloud storage submodule mainly stores the keys and the decryption function, and can be accessed only by personnel who have passed identity authentication.
The cloud computing module is realized by deploying an SOA server and comprises a public cloud computing submodule and a private cloud computing submodule. The public cloud computing submodule provides computing support for the cloud network node security classification subsystem and the network security monitoring subsystem; the private cloud computing submodule provides computing support for the security protection configuration subsystem. All types of users obtain the cloud data through terminal programs.
In this embodiment: the network node security classification subsystem 10 uses node importance calculation based on the minimum spanning tree, which calculates the importance of the network nodes relatively accurately and with a small amount of computation, and on this basis classifies the nodes in the network by security level; with T3 = 0.30, the number of fringe nodes does not exceed 32% of all network nodes. The security protection configuration subsystem 20 uses different encryption policies for information transfer between network nodes of different security levels: the more levels the transfer crosses (the larger |n1 − n2|), the higher the order of the encryption matrix and the stronger the encryption; when the levels are the same or the level difference is small, the amount of computation of the encryption algorithm decreases accordingly, so the scheme is strongly adaptive. Providing the cloud service module saves storage space, increases computing speed and saves time.
Preferably, in the network security monitoring subsystem, the specific positioning operation for a network node is as follows:
Draw a circle with the network node as the center and r as the radius; the number of wireless sensors falling within the circle is n, and the signal strength of this network node received by the i-th wireless sensor is q_i, i = 1, 2, ..., n.
The position (x, y) of the network node is then given by the following formula:
The transport module is used to transfer the monitoring results of the sensing module to the cloud service subsystem 40.
Providing the network security monitoring subsystem in this embodiment makes it possible to gather network node data in time and to position the nodes accurately.
Application scenario 4:
A big data platform system based on a minimum spanning tree, as shown in Figure 1, comprises a sensing layer 1 for detecting the monitoring data of monitored objects, where the monitored objects include monitored objects outside the Internet and the nodes and links of the Internet itself, and the monitoring data include temperature, voltage, images, text information, the weights of nodes and links, security logs and vulnerability information;
an application layer 2, which is the interface between the big data platform system and the users, adopts a distributed multi-user arrangement and provides the human-computer interaction function; users request the server to store or retrieve data through the application layer, and personnel with administrative authority can modify data through the user layer;
a monitoring layer 3, which analyzes the monitoring data of the same monitored object over a period of time, obtains the operating trend of that monitored object in that period, and discovers abnormalities of the monitored object in time;
a security protection system 4, which comprises a cloud network node security classification subsystem 10, a security protection configuration subsystem 20, a network security monitoring subsystem 30 and a cloud service subsystem 40.
The present invention designs a big data platform system which detects monitored objects both inside and outside the Internet through the sensing layer, analyzes the monitoring data of the same monitored object over a period of time through the monitoring layer, obtains the operating trend of the monitored object in that period, and discovers abnormalities of the monitored object in time.
Preferably, a device management layer 5 is further provided between the sensing layer 1 and the monitoring layer 3. The device management layer 5 maps the sensing-layer device ID to a device management identifier M-ID of the device management layer 5 according to a set rule, which is used to represent, identify and manage the sensing-layer devices in the device management layer 5 and the monitoring layer; on this basis it realizes the conversion, transfer and exchange of information between the sensing layer 1 and the monitoring layer 3, so that the values and status information of the sensing-layer devices are uniformly represented and identified in the monitoring layer 2.
Preferably, the device management M-ID consists of three parts: a type, a local port number and the sensing-layer device ID.
Preferably, as shown in Figure 2, the network node security classification subsystem 10 divides the network nodes into 4 different security levels by calculating the importance value of each network node; the security protection configuration subsystem 20 provides different security encryption services for the links between network nodes and for the nodes of different security levels according to the classification results of the cloud network node security classification subsystem 10; the network security monitoring subsystem 30 is used to monitor the state of the network nodes; and the cloud service subsystem 40 provides cloud support for the whole security protection cloud system.
(1) The cloud network node security classification subsystem 10 comprises an incidence matrix generation module 11, a minimum spanning tree module 12, a grading module 13 and an update module 14:
The importance value used by the cloud network node security classification subsystem 10 is obtained mainly on the basis of the following theory: the status of a node in the network is assessed by removing the node to be measured; specifically, the fewer spanning trees there are in the new graph obtained after the node to be measured is removed, the larger the importance value of that node.
a. Incidence matrix generation module 11:
Let G denote an undirected graph with m network nodes V and n links E, where V = {V1, V2, ..., Vm} and E = {E1, E2, ..., En}. The connection relationship between the nodes and links of the network structure is represented by an m × n incidence matrix R: each row of R corresponds to one network node in the network, and each column of R represents the association attribute of the network nodes with the corresponding edge. Each element of R takes the value 0 or 1, where 0 means the link is not associated with the network node and 1 means the link is associated with the network node. For example, if the element in the m-th row and n-th column of R is 1, the m-th network node is associated with the n-th link.
b. Minimum spanning tree module 12:
Let (i, j) denote the link connecting network node Vi and network node Vj in the undirected graph G, and let ω(Vi, Vj) denote the weight of that link. If there is a subset T of E which is an acyclic graph and minimizes ω(T), then T is called the minimum spanning tree of G. The total number of spanning trees in G is τ(G) = det(R Rᵀ), where det(·) denotes the determinant.
c. Grading module 13:
The importance value ri of node Vi is obtained by the following formula:
where τ(G) is the total number of spanning trees obtained by the minimum spanning tree module; K is the number of nonzero elements in the i-th row of the incidence matrix R; Z is the new matrix obtained after removing from R the i-th row and the columns in which the i-th row has nonzero elements; and det(Zi) denotes the determinant of Z. The larger the value of ri, the higher the importance of the node; when ri takes the value 1, Vi is the most important network node in this network, and once this network node is destroyed the connectivity of the graph is greatly damaged, causing network services to be interrupted. The importance value of every network node is calculated separately by the above method, and classification thresholds T1, T2, T3 are set with T1 > T2 > T3: if ri > T1, the network node is marked as an important node; if T1 > ri > T2, as a secondary important node; if T2 > ri > T3, as an intermediate node; and if ri is less than T3, as a fringe node. The security levels of important nodes, secondary important nodes, intermediate nodes and fringe nodes are designated as level 1, level 2, level 3 and level 4 respectively. T3 = 0.33, and the number of fringe nodes does not exceed 35% of all network nodes.
d. Update module 14:
When the number of network nodes or the node positions change, the importance value of each network node is automatically recalculated, and the security classification and marking are carried out again.
(2) Security protection configuration subsystem 20: between network nodes of the same security level, information is exchanged using the network-layer Internet security protocol IPSec, which provides channel-level information security protection; the IPSec protocol applies cryptographic techniques at the network layer and provides security services for point-to-point data transfer, including security authentication, data encryption, access control and integrity verification. Between network nodes of different security levels, information is exchanged using an application-layer protocol running on top of the network-layer protocol; application-layer security is based on a PKI system and uses cryptographic techniques to guarantee the security of information file transfer, sharing and use. Specifically, the following encryption scheme is used:
a. For a network node A of security level n1 and a network node B of security level n2, when A wants to transfer information MES to B, A first sends a request to B; B returns |n1 − n2| random numbers RD1 and retains RD1.
b. A digitally signs each RD1 with a pre-assigned key and generates the corresponding |n1 − n2| random numbers RD2; RD1 and RD2 are composed into a matrix of order |n1 − n2| × |n1 − n2|, the information MES is encrypted using matrix encryption, and the encrypted result is sent to B. Since n1 and n2 take values in the range 1-4, it is easy to see that for network nodes of different security levels this matrix is at most a 3 × 3 matrix and at least a 1 × 1 matrix, while for network nodes of the same security level n1 − n2 = 0 and no matrix encryption is performed. The more levels the transfer crosses, the larger |n1 − n2|, the higher the order of the encryption matrix and the stronger the encryption; when the levels are the same or the level difference is small, the amount of computation of the encryption algorithm decreases accordingly, so the scheme is strongly adaptive.
c. B calls the decryption function to decrypt the encrypted information, obtains RD1' and the information MES, and compares RD1 with RD1'; if they match, MES is accepted and retained; if they are inconsistent, MES is returned to A or discarded.
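Steps a to c above (the same steps appear in application scenario 3) describe a challenge-response exchange whose size scales with the level difference. The following block is an added example written for this page, not code from the patent: it models step a (B issues |n1 − n2| random numbers RD1 and retains them), the signing part of step b (A returns each RD1 signed with a pre-assigned key) and step c (B matches the returned RD1' against the retained RD1 and rejects mismatches, responses with a bad signature, and reused RD1). Assumptions: the "digital signature with a pre-assigned key" is modelled as HMAC-SHA256 over a key shared by A and B, since the page does not name the signature scheme; the matrix encryption of MES is not modelled, because the page does not specify it, so `mes` stands for whatever payload the encrypted result would carry; the class and function names, the 16-byte challenge size and the sample key are mine.

```python
"""Challenge-response part of the cross-level transfer (added example, not the patent's code)."""
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

LEVELS = range(1, 5)   # security levels 1..4 as defined on the page


def matrix_order(n1: int, n2: int) -> int:
    """|n1 - n2|: order of the encryption matrix (page); 0 means same level, i.e. the
    IPSec path with no challenge and no matrix encryption."""
    if n1 not in LEVELS or n2 not in LEVELS:
        raise ValueError("security levels must lie in 1..4")
    return abs(n1 - n2)


def sign(key: bytes, data: bytes) -> bytes:
    """Stand-in for 'digitally signed with a pre-assigned key' (assumption: HMAC-SHA256
    over a key shared by A and B; the page does not name the signature scheme)."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Receiver:
    """Node B: issues RD1 (step a) and matches the returned RD1' against it (step c)."""

    def __init__(self, level: int, key: bytes) -> None:
        self.level = level
        self.key = key
        self._rd1: Optional[List[bytes]] = None   # retained RD1 for the outstanding request

    def issue_challenge(self, sender_level: int) -> List[bytes]:
        order = matrix_order(sender_level, self.level)
        self._rd1 = [secrets.token_bytes(16) for _ in range(order)]   # 16-byte size is assumed
        return list(self._rd1)

    def receive(self, rd1_prime: List[bytes], tags: List[bytes], mes: bytes) -> Optional[bytes]:
        """Return MES if every RD1' equals the retained RD1 and carries a valid signature;
        None (reject) on a mismatch, an unsolicited response, or a reused RD1."""
        expected = self._rd1
        self._rd1 = None            # one-shot: a replayed response finds nothing to match
        if expected is None or len(rd1_prime) != len(expected) or len(tags) != len(expected):
            return None
        ok = True
        for rd1, rdp, tag in zip(expected, rd1_prime, tags):
            ok &= hmac.compare_digest(rd1, rdp)                 # step c: RD1 == RD1'
            ok &= hmac.compare_digest(tag, sign(self.key, rdp))  # step b signature check
        return mes if ok else None


class Sender:
    """Node A: signs each RD1 with the pre-assigned key (step b) and sends MES.
    The matrix encryption of MES is not modelled (the page does not specify it)."""

    def __init__(self, level: int, key: bytes) -> None:
        self.level = level
        self.key = key

    def respond(self, rd1: List[bytes], mes: bytes) -> Tuple[List[bytes], List[bytes], bytes]:
        return list(rd1), [sign(self.key, r) for r in rd1], mes


def transfer(a: Sender, b: Receiver, mes: bytes) -> Optional[bytes]:
    """Steps a-c end to end; returns the accepted MES, or None if B rejects it."""
    rd1 = b.issue_challenge(a.level)
    return b.receive(*a.respond(rd1, mes))


if __name__ == "__main__":
    key = secrets.token_bytes(32)              # constructed pre-assigned key
    a, b = Sender(1, key), Receiver(4, key)    # |1 - 4| = 3: three challenges, 3 x 3 matrix
    print("accepted:", transfer(a, b, b"MES"))
    print("wrong key accepted:", transfer(Sender(1, b"other-key"), b, b"MES"))
```

The receiver clears its retained RD1 before checking the response, so a second copy of the same response (or a response to a request it never issued) is rejected regardless of the signature; this is the property the page's "B retains RD1 ... compares RD1 with RD1'" step relies on.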
(3) Network security monitoring subsystem 30, used to monitor the number of network nodes and the network node positions, comprising a sensing module and a transport module:
The sensing module is realized by deploying a large number of wireless sensors around the network nodes. Since a network node does not know its own position, the wireless sensors receive the wireless signal of the network node and, combining the positional relationship between themselves and the other sensors, determine the position of the network node.
(4) Cloud service subsystem 40, comprising a cloud storage module and a cloud computing module:
The cloud storage module comprises a public cloud storage submodule and a private cloud storage submodule. The public cloud storage submodule mainly stores the network node classification data, and its stored content can be freely accessed by the outside world; the private cloud storage submodule mainly stores the keys and the decryption function, and can be accessed only by personnel who have passed identity authentication.
The cloud computing module is realized by deploying an SOA server and comprises a public cloud computing submodule and a private cloud computing submodule. The public cloud computing submodule provides computing support for the cloud network node security classification subsystem and the network security monitoring subsystem; the private cloud computing submodule provides computing support for the security protection configuration subsystem. All types of users obtain the cloud data through terminal programs.
In this embodiment: the network node security classification subsystem 10 uses node importance calculation based on the minimum spanning tree, which calculates the importance of the network nodes relatively accurately and with a small amount of computation, and on this basis classifies the nodes in the network by security level; with T3 = 0.33, the number of fringe nodes does not exceed 35% of all network nodes. The security protection configuration subsystem 20 uses different encryption policies for information transfer between network nodes of different security levels: the more levels the transfer crosses (the larger |n1 − n2|), the higher the order of the encryption matrix and the stronger the encryption; when the levels are the same or the level difference is small, the amount of computation of the encryption algorithm decreases accordingly, so the scheme is strongly adaptive. Providing the cloud service module saves storage space, increases computing speed and saves time.
Preferably, in the network security monitoring subsystem, the specific positioning operation for a network node is as follows:
Draw a circle with the network node as the center and r as the radius; the number of wireless sensors falling within the circle is n, and the signal strength of this network node received by the i-th wireless sensor is q_i, i = 1, 2, ..., n.
The position (x, y) of the network node is then given by the following formula:
The transport module is used to transfer the monitoring results of the sensing module to the cloud service subsystem 40.
Providing the network security monitoring subsystem in this embodiment makes it possible to gather network node data in time and to position the nodes accurately.
Application scenario 5:
A big data platform system based on a minimum spanning tree, as shown in Figure 1, comprises a sensing layer 1 for detecting the monitoring data of monitored objects, where the monitored objects include monitored objects outside the Internet and the nodes and links of the Internet itself, and the monitoring data include temperature, voltage, images, text information, the weights of nodes and links, security logs and vulnerability information;
an application layer 2, which is the interface between the big data platform system and the users, adopts a distributed multi-user arrangement and provides the human-computer interaction function; users request the server to store or retrieve data through the application layer, and personnel with administrative authority can modify data through the user layer;
a monitoring layer 3, which analyzes the monitoring data of the same monitored object over a period of time, obtains the operating trend of that monitored object in that period, and discovers abnormalities of the monitored object in time;
a security protection system 4, which comprises a cloud network node security classification subsystem 10, a security protection configuration subsystem 20, a network security monitoring subsystem 30 and a cloud service subsystem 40.
The present invention designs a big data platform system which detects monitored objects both inside and outside the Internet through the sensing layer, analyzes the monitoring data of the same monitored object over a period of time through the monitoring layer, obtains the operating trend of the monitored object in that period, and discovers abnormalities of the monitored object in time.
Preferably, a device management layer 5 is further provided between the sensing layer 1 and the monitoring layer 3. The device management layer 5 maps the sensing-layer device ID to a device management identifier M-ID of the device management layer 5 according to a set rule, which is used to represent, identify and manage the sensing-layer devices in the device management layer 5 and the monitoring layer; on this basis it realizes the conversion, transfer and exchange of information between the sensing layer 1 and the monitoring layer 3, so that the values and status information of the sensing-layer devices are uniformly represented and identified in the monitoring layer 2.
Preferably, the device management M-ID consists of three parts: a type, a local port number and the sensing-layer device ID.
Preferably, as shown in Figure 2, the network node security classification subsystem 10 divides the network nodes into 4 different security levels by calculating the importance value of each network node; the security protection configuration subsystem 20 provides different security encryption services for the links between network nodes and for the nodes of different security levels according to the classification results of the cloud network node security classification subsystem 10; the network security monitoring subsystem 30 is used to monitor the state of the network nodes; and the cloud service subsystem 40 provides cloud support for the whole security protection cloud system.
(1) cloud network node safety classification subsystem 10 include incidence matrix generation module 11, minimum spanning tree module 12,
Diversity module 13 and replacement module 14:
The importance values of cloud network node safety classification subsystem 10 obtains and is based primarily upon following theory: to be measured by removing
Node assesses this node status in the network, specifically, if after node to be measured is removed, raw in the new figure obtained
The number of Cheng Shu is the fewest, then the importance values of this node is the biggest.
A, incidence matrix generation module 11:
A non-directed graph with m network node V and n bar link E, wherein V={V is represented with G1, V2... Vm, E=
{E1, E2... En, the annexation of network structure interior joint and link, the one of matrix R is represented with the incidence matrix R of a m × n
A network node in row map network, the string of R represents the value of network node and the relating attribute of corresponding sides, each in R
The value of element is 0 or 1, wherein 0 represents link and does not associates with network node, and 1 represents link associates with network node;Such as,
If the element of m row the n-th row is 1 in R, then represent m-th network node and nth bar link association;
B. minimum spanning tree module 12:
With (i j) represents connection network node V in non-directed graph GiWith network node VjLink, ω (Vi, Vj) represent this chain
The weight on road, if there is subset that T is E and for without circulation figure so that ω (T) minimum, is just referred to as the minimum spanning tree of G, then by T
Minimum spanning tree sum τ (G)=det (RR in GT), wherein det (.) represents determinant generating function,;
C. diversity module 13:
Node V is obtained by following formulaiImportance values ri:Wherein τ (G) is for be generated by minimum
The minimum spanning tree sum that tree computing module obtains;K is the quantity of the i-th row nonzero element in incidence matrix R, and Z is remove R
The new matrix obtained after the nonzero element column of i row and the i-th row, det (Zi) represent the determinant of Z;riValue the biggest,
I.e. node demonstrates the highest importance, works as riValue when take 1, then it represents that ViIt is most important network node in this network,
Once this network node is destroyed the connectedness of figure and will be destroyed dramatically, thus causes network service to interrupt;By with
Upper method calculates the importance values of all-network node respectively, concurrently sets classification thresholds T1, T2, T3, and T1 > T2 > T3, as
Really ri> T1, then be labeled as important node by this network node, if T1 is > ri> T2, then be labeled as time weight by this network node
Want node, if T2 is > ri> T3, then be labeled as intermediate node by this network node, if riLess than T3, then by this network node
It is labeled as fringe node, and the safe class of important node, secondary important node, intermediate node and fringe node is designated as respectively
Grade 1, grade 2, grade 3 and class 4;T3=0.35, fringe node number is not over the 37% of overall network nodes;
D. replacement module 14:
When the number or the location of network nodes changes, the importance value of each network node is automatically recomputed and the security classification and labelling are redone;
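Added example (not the patent's code): a Python sketch of modules B and C that computes τ(G) = det(RR^T) from the incidence matrix, uses the patent's matrix Z (R with row i and the columns where row i is nonzero removed) to test whether losing node Vi disconnects the graph, which is what the text says ri = 1 means, and applies the grade 1 to grade 4 thresholds with the 37% fringe-node cap. The sample graph, the importance values and the thresholds T1 and T2 are constructed, and since the page does not reproduce the ri formula it is not implemented here; note also that det(RR^T) (with one row of R dropped, otherwise the determinant is zero) counts all spanning trees of G by the matrix-tree theorem, not only minimum-weight ones.

```python
from fractions import Fraction

# Constructed sample graph (not from the patent): two triangles sharing node 2,
# so node 2 is the only node whose loss disconnects the graph. Links are (Vi, Vj, w).
EDGES = [(0, 1, 1), (1, 2, 2), (0, 2, 3), (2, 3, 1), (3, 4, 2), (2, 4, 3)]

def incidence_matrix(n_nodes, edges):
    """Oriented incidence matrix R (nodes x links); orientation is arbitrary."""
    r = [[0] * len(edges) for _ in range(n_nodes)]
    for col, (i, j, _w) in enumerate(edges):
        r[i][col], r[j][col] = 1, -1
    return r

def det(m):
    """Exact determinant by Gaussian elimination over the rationals."""
    a = [[Fraction(x) for x in row] for row in m]
    n, d = len(a), Fraction(1)
    for c in range(n):
        p = next((k for k in range(c, n) if a[k][c] != 0), None)
        if p is None:
            return Fraction(0)
        if p != c:
            a[c], a[p], d = a[p], a[c], -d
        d *= a[c][c]
        for k in range(c + 1, n):
            f = a[k][c] / a[c][c]
            a[k] = [x - f * y for x, y in zip(a[k], a[c])]
    return d

def spanning_tree_count(n_nodes, edges):
    """tau(G) = det(R R^T), matrix-tree theorem; one row of R is dropped, else det is 0."""
    r = incidence_matrix(n_nodes, edges)[1:]
    return int(det([[sum(x * y for x, y in zip(a, b)) for b in r] for a in r]))

def disconnects_on_loss(n_nodes, edges, i):
    """Builds the patent's Z (G without Vi and its links, nodes relabelled) and
    reports whether G - Vi has no spanning tree, i.e. losing Vi breaks connectivity."""
    lab = lambda v: v - (v > i)
    rest = [(lab(a), lab(b), w) for a, b, w in edges if i not in (a, b)]
    return spanning_tree_count(n_nodes - 1, rest) == 0

def security_grades(importance, t1=0.8, t2=0.6, t3=0.35, max_fringe=0.37):
    """Grade 1-4 per node from thresholds T1 > T2 > T3. T3 = 0.35 and the 37%
    fringe cap are the patent's values; T1 and T2 are constructed. Raises when
    the fringe share exceeds the cap, the signal that T3 must be lowered."""
    assert t1 > t2 > t3
    grades = [1 if r > t1 else 2 if r > t2 else 3 if r > t3 else 4 for r in importance]
    fringe = grades.count(4) / len(grades)
    if fringe > max_fringe:
        raise ValueError(f"fringe nodes are {fringe:.0%} of the network, above 37%")
    return grades
```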
(2) security protection configuration subsystem 20: between network nodes of the same security grade, information is exchanged using the network-layer secure protocol IPSec, which provides channel-level information security protection; the IPSec protocol applies cryptographic techniques at the network layer and provides security services for point-to-point data transmission, including security authentication, data encryption, access control and integrity verification. Between network nodes of different security grades, information is exchanged using an application-layer protocol running on top of the network-layer protocol; application-layer security is based on a PKI system and uses cryptographic techniques to guarantee the security of information file transfer, sharing and use. Specifically, the following encryption scheme is used:
a. For a network node A with security grade n1 and a network node B with security grade n2, when A wants to transmit information MES to B, A first sends a request to B; B returns |n1-n2| random numbers RD1 and retains a copy of RD1;
b. A digitally signs each RD1 with a pre-assigned secret key and generates |n1-n2| corresponding random numbers RD2; RD1 and RD2 are composed into a matrix of order |n1-n2| × |n1-n2|, the information MES is encrypted using matrix encryption, and the encrypted result is sent to B. Since n1 and n2 range over 1-4, it is easy to see that for network nodes of different security grades this matrix is at most a 3 × 3 matrix and at least a 1 × 1 matrix, while for network nodes of the same security grade n1-n2 = 0 and no matrix encryption is performed. The more grades the transmission crosses, i.e. the larger |n1-n2|, the higher the order of the encryption matrix and the stronger the encryption; for transmission at the same grade or across few grades, the computational cost of the encryption algorithm decreases accordingly, so the scheme is strongly adaptive.
c. B calls the decryption function to decrypt the encrypted information, obtaining RD1' and the information MES; RD1 is compared with RD1', and if they match, MES is accepted and retained; if they are inconsistent, MES is returned to A or discarded;
(3) network security monitoring subsystem 30, used to monitor the number of network nodes and their locations; it includes a sensing module and a transport module:
The sensing module is implemented by deploying a large number of wireless sensors around the network nodes. Since a network node does not know its own position, the wireless sensors receive the node's wireless signal and, combined with the positional relationship between themselves and the other sensors, locate the network node;
(4) cloud service subsystem 40, including a cloud storage module and a cloud computing module:
The cloud storage module includes a public cloud storage submodule and a private cloud storage submodule. The public cloud storage submodule mainly stores the network node classification data, and its stored content can be accessed freely from outside; the private cloud storage submodule mainly stores the secret keys and the decryption function, and can be accessed only by personnel who have passed identity authentication;
The cloud computing module is implemented by deploying SOA servers and includes a public cloud computing submodule and a private cloud computing submodule. The public cloud computing submodule provides computing support for the cloud network node security classification subsystem and the network security monitoring subsystem; the private cloud computing submodule provides computing support for the security protection configuration subsystem; all types of users obtain cloud data through terminal programs.
In this embodiment: the network system node security classification subsystem 10 uses node importance calculation based on minimum spanning trees, which computes the importance of network nodes relatively accurately and with a small amount of computation, and classifies the nodes in the network by security grade on this basis; T3 = 0.35, and the number of fringe nodes does not exceed 37% of all network nodes. The security protection configuration subsystem 20 applies different encryption policies to information transmitted between network nodes of different security grades: the more grades the transmission crosses (the larger |n1-n2|), the higher the order of the encryption matrix and the stronger the encryption, while for transmission at the same grade or across few grades the computational cost of the encryption algorithm decreases accordingly, so the scheme is strongly adaptive. Providing the cloud service module saves storage space, improves computing speed and saves time.
Preferably, in the network security monitoring subsystem, the specific positioning operation for a network node is as follows:
A circle of radius r is drawn with the network node as its centre; the number of wireless sensors falling inside the circle is n, and the signal strength of this network node received by the i-th wireless sensor is qi, i = 1, 2, ..., n;
The position (x, y) of the network node is then given by the following formula:
The transport module transfers the monitoring results of the sensing module to the cloud service subsystem 40.
Providing the network security monitoring subsystem in this embodiment makes it possible to collect network node data in time and to position nodes accurately.
Finally, it should be noted that the above embodiment is only intended to illustrate the technical solution of the present invention and not to limit its scope of protection. Although the present invention has been described in detail with reference to a preferred embodiment, those of ordinary skill in the art should understand that the technical solution of the present invention may be modified or replaced by equivalents without departing from the substance and scope of the technical solution of the present invention.
Claims (3)
1. A big data platform system based on a minimum spanning tree, characterized in that it includes: a sensing layer, for detecting the monitoring data of monitored objects, where the monitored objects include objects outside the Internet and the node links of the Internet itself, and the monitoring data include temperature, voltage, images, text information, the weights of nodes and links, security logs and vulnerability information;
an application layer, which is the interface between the big data platform system and the user, adopts a distributed multi-user setup and provides human-computer interaction functions; the user requests the server to store or retrieve data through the application layer, and personnel with administrative authority can modify data through the user layer;
a supervisory layer, which analyses the monitoring data of the same monitored object over a period of time, obtains the operating trend of the monitored object during that period, and finds anomalies in the monitored object in time;
a security protection system, for protecting network nodes and links, which includes a cloud network node security classification subsystem, a security protection configuration subsystem, a network security monitoring subsystem and a cloud service subsystem.
2. The big data platform system based on a minimum spanning tree according to claim 1, characterized in that a device management layer is additionally provided between the sensing layer and the supervisory layer; the device management layer maps sensing layer device IDs, according to a certain rule, to device management M-IDs of the device management layer, which are used to represent, identify and manage sensing layer devices in the device management layer and the supervisory layer, and on this basis realises the conversion, transmission and exchange of information between the sensing layer and the supervisory layer, so that the values and status information of sensing layer devices are represented and identified uniformly in the supervisory layer.
3. The big data platform system according to claim 2, characterized in that the device management M-ID consists of three parts: a type, a local port number and the sensing layer device ID.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610559924.4A CN106209865A (en) | 2016-07-13 | 2016-07-13 | A kind of big data platform system based on minimum spanning tree |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106209865A true CN106209865A (en) | 2016-12-07 |
Family
ID=57474812
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610559924.4A Pending CN106209865A (en) | 2016-07-13 | 2016-07-13 | A kind of big data platform system based on minimum spanning tree |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106209865A (en) |
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102932846A (en) * | 2012-10-22 | 2013-02-13 | 南京大学 | Data management system for distributed heterogeneous sensing network and data management method for data management system |
Non-Patent Citations (1)
Title |
---|
彭凯: ""面向云内部网络结构的安全防护机制研究"", 《中国博士学位论文全文数据库-信息科技辑》 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111818048A (en) * | 2020-07-08 | 2020-10-23 | 珠海市鸿瑞信息技术股份有限公司 | Safety protection authentication system and method based on distribution network automation |
CN111818048B (en) * | 2020-07-08 | 2022-05-27 | 珠海市鸿瑞信息技术股份有限公司 | Safety protection authentication system and method based on distribution network automation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | C06 | Publication | |
 | PB01 | Publication | |
 | C10 | Entry into substantive examination | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | Application publication date: 20161207 |