CN106209865A - A kind of big data platform system based on minimum spanning tree - Google Patents

A kind of big data platform system based on minimum spanning tree Download PDF

Info

Publication number
CN106209865A
CN106209865A CN201610559924.4A CN201610559924A CN106209865A CN 106209865 A CN106209865 A CN 106209865A CN 201610559924 A CN201610559924 A CN 201610559924A CN 106209865 A CN106209865 A CN 106209865A
Authority
CN
China
Prior art keywords
network node
node
monitored object
network
layer
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610559924.4A
Other languages
Chinese (zh)
Inventor
不公告发明人
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to CN201610559924.4A priority Critical patent/CN106209865A/en
Publication of CN106209865A publication Critical patent/CN106209865A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105Multiple levels of security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A kind of big data platform system based on minimum spanning tree, including sensing layer, for monitored object being monitored the detection of data, described monitored object includes the outside monitored object in the Internet and the node link of the Internet itself, and described supervision packet includes the weight of temperature, voltage, image, Word message, node and link, security log, vulnerability information;Application layer, it is the interface of big data platform system and user, uses distributed multiple user setup, be used for providing human-computer exchange function, user is stored or recovery data to server request by application layer, has the personnel of administration authority can revise data by client layer;Monitoring data in same monitored object a period of time are analyzed by supervisory layers, obtain this monitored object operation trend within the time period, find the exception of monitored object in time;Security protection system, for providing protection for network node and link.

Description

A kind of big data platform system based on minimum spanning tree
Technical field
The present invention relates to information platform field, be specifically related to a kind of big data platform system based on minimum spanning tree.
Background technology
Cloud computing has attracted the favor of more and more user, particularly enterprise customer, and by cloud computing, enterprise customer is not required to Set up and safeguard the data center of oneself, and only need to quickly apply for according to himself business load demand and discharge cloud service carrying The various resources provided for business, successfully solve each big business user from the significant cost of infrastructure construction with maintenance consumes Release so that it is the development of self core business can be focused more on.Cloud computing has such powerful advantages, but owing to it is special The Some features such as some Intel Virtualization Technologies, Data Hosting and outsourcing service, have also welcome unprecedented security challenge.
Summary of the invention
For the problems referred to above, the present invention provides a kind of big data platform system based on minimum spanning tree.
The purpose of the present invention realizes by the following technical solutions:
A kind of big data platform system based on minimum spanning tree, including sensing layer, for the monitoring to monitored object The detection of data, described monitored object includes the outside monitored object in the Internet and the node link of the Internet itself, described monitoring Data include the weight of temperature, voltage, image, Word message, node and link, security log, vulnerability information;
Application layer, is the interface of big data platform system and user, uses distributed multiple user setup, is used for providing Human-computer exchange function, user is stored or recovery data to server request by application layer, has the personnel of administration authority to lead to Cross client layer amendment data,
Monitoring data in same monitored object a period of time are analyzed by supervisory layers, obtain this monitored object at this Operation trend in time period, finds the exception of monitored object in time;
Security protection system, it includes that cloud network node safety classification subsystem, security protection configuration subsystem, network are pacified Full monitoring subsystem and cloud service subsystem.
Having the beneficial effect that of this big data platform devises the biggest a kind of data platform system, by sensing layer pair Monitoring inside and outside the Internet object simultaneously detects, by supervisory layers to the monitoring data in same monitored object a period of time It is analyzed, obtains this monitored object operation trend within the time period, find the exception of monitored object in time.
Accompanying drawing explanation
The invention will be further described to utilize accompanying drawing, but the embodiment in accompanying drawing does not constitute any limit to the present invention System, for those of ordinary skill in the art, on the premise of not paying creative work, it is also possible to obtain according to the following drawings Other accompanying drawing.
Fig. 1 is the structured flowchart of a kind of big data platform system based on minimum spanning tree;
Fig. 2 is the structured flowchart of security protection system.
Reference: sensing layer-1;Application layer-2;Supervisory layers-3;Security protection system-4;Equipment control layer-5;Cloud net Network node security classification subsystem-10;Security protection configuration subsystem-20;Network security monitoring subsystem-30;Cloud service System-40;Incidence matrix generation module-11;Minimum spanning tree module-12;Diversity module-13;Substitute module-14.
Detailed description of the invention
The invention will be further described with the following Examples.
Application scenarios 1:
A kind of based on minimum spanning tree big data platform system as shown in Figure 1, including sensing layer 1, for being supervised The detection of the monitoring data of control object, described monitored object includes the outside monitored object in the Internet and the node chain of the Internet itself Road, described supervision packet includes the weight of temperature, voltage, image, Word message, node and link, security log, leak letter Breath;
Application layer 2, is the interface of big data platform system and user, uses distributed multiple user setup, is used for carrying For human-computer exchange function, user is stored or recovery data to server request by application layer, has personnel's energy of administration authority Data are revised by client layer;
Monitoring data in same monitored object a period of time are analyzed by supervisory layers 3, obtain this monitored object at this Operation trend in time period, finds the exception of monitored object in time;
Security protection system 4, it include cloud network node safety classification subsystem 10, security protection configuration subsystem 20, Network security monitoring subsystem 30 and cloud service subsystem 40.
The present invention devises the biggest a kind of data platform system, by sensing layer to the monitoring inside and outside the Internet simultaneously Object detects, and is analyzed the monitoring data in same monitored object a period of time by supervisory layers, obtains this monitoring Object operation trend within the time period, finds the exception of monitored object in time.
Preferably, being additionally provided with equipment control layer 5 between sensing layer 1 and supervisory layers 3, described equipment control layer 5 is by perception Layer device id is mapped as the equipment control M-ID of described equipment control layer 5 according to certain rule, is used for identifying sensing layer equipment In described equipment control layer 5 and the expression of supervisory layers, identify and manage, and in this, as basis, it is achieved information is in described perception Layer 1 and supervisory layers 3 information conversion, transmit and exchange, it is achieved described sensing layer equipment numerical value and status information are at described prison The unified expression of control layer 2 and identification.
Preferably, described equipment control M-ID is made up of type, local port number and three parts of sensing layer device id.
Preferably, as in figure 2 it is shown, described network node security classification system 10 is by calculating the importance values of network node Network node is divided into 4 different safe classes, described security protection configuration subsystem 20 divide safely according to cloud network node The classification results of level subsystem 10, provides different safety for the link between network node and the node of different safety class Cryptographic services;Described network security monitoring subsystem 30 is used for monitoring network node state, and described cloud service subsystem 40 is whole Individual security protection cloud system provides cloud to support.
(1) cloud network node safety classification subsystem 10 include incidence matrix generation module 11, minimum spanning tree module 12, Diversity module 13 and replacement module 14:
The importance values of cloud network node safety classification subsystem 10 obtains and is based primarily upon following theory: to be measured by removing Node assesses this node status in the network, specifically, if after node to be measured is removed, raw in the new figure obtained The number of Cheng Shu is the fewest, then the importance values of this node is the biggest.
A, incidence matrix generation module 11:
A non-directed graph with m network node V and n bar link E, wherein V={V is represented with G1, V2... Vm, E= {E1, E2... En, the annexation of network structure interior joint and link, the one of matrix R is represented with the incidence matrix R of a m × n A network node in row map network, the string of R represents the value of network node and the relating attribute of corresponding sides, each in R The value of element is 0 or 1, wherein 0 represents link and does not associates with network node, and 1 represents link associates with network node;Such as, If the element of m row the n-th row is 1 in R, then represent m-th network node and nth bar link association;
B. minimum spanning tree module 12:
With (i j) represents connection network node V in non-directed graph GiWith network node VjLink, ω (Vi, Vj) represent this chain The weight on road, if there is subset that T is E and for without circulation figure so that ω (T) minimum, is just referred to as the minimum spanning tree of G, then by T Minimum spanning tree sum τ (G)=det (RR in GT), wherein det (.) represents determinant generating function,;
C. diversity module 13:
Node V is obtained by following formulaiImportance values ri:Wherein τ (G) is for be generated by minimum The minimum spanning tree sum that tree computing module obtains;K is the quantity of the i-th row nonzero element in incidence matrix R, and Z is remove R The new matrix obtained after the nonzero element column of i row and the i-th row, det (Zi) represent the determinant of Z;riValue the biggest, I.e. node demonstrates the highest importance, works as riValue when take 1, then it represents that ViIt is most important network node in this network, Once this network node is destroyed the connectedness of figure and will be destroyed dramatically, thus causes network service to interrupt;By with Upper method calculates the importance values of all-network node respectively, concurrently sets classification thresholds T1, T2, T3, and T1 > T2 > T3, as Really ri> T1, then be labeled as important node by this network node, if T1 is > ri> T2, then be labeled as time weight by this network node Want node, if T2 is > ri> T3, then be labeled as intermediate node by this network node, if riLess than T3, then by this network node It is labeled as fringe node, and the safe class of important node, secondary important node, intermediate node and fringe node is designated as respectively Grade 1, grade 2, grade 3 and class 4;T3=0.25, fringe node number is not over the 30% of overall network nodes;
D. replacement module 14:
When network node quantity or node location change, automatically recalculate the important of each network node Property value, and re-start safety classification and labelling;
(2) security protection configuration subsystem 20: between the network node that safe class is identical, uses based on Internet It is mutual that Secure Internet Protocol IPSec carries out information, it is provided that the protecting information safety of channel level, and ipsec protocol should by cryptographic technique For Internet, it is provided that what point-to-point data were transmitted includes the peace that safety certification, data encryption, access control, integrity differentiate Full service;Use between the network node of different safety class and be operated in the application layer protocol on network layer protocol and carry out information Alternately, the safety of application layer, based on PKI system, guarantees information file transfer, the safety shared and use by cryptographic technique, Following cipher mode is used to be encrypted specifically:
A. for network node A that safe class is n1 and network node B that safe class is n2, when A to transmit letter to B During breath MES, first being sent request by A to B, B returns Shu random number R D1 of Shu n1-n2, and B retains RD1;
Each RD1 is digitally signed by b.A by pre-assigned secret key, and produces random number corresponding to Shu n1-n2 Shu RD2;By the matrix on one Shu n1-n2 Shu × Shu n1-n2 Shu rank of RD1 and RD2 composition, utilize matrix encryption technology that information MES is carried out Encryption, is sent to B by encrypted result;Owing to the span of n1 and n2 is 1-4, easily know the net for different safety class For network node, this matrix is 3 × 3 rank matrixes to the maximum, minimum 1 × 1 matrix, and for the identical network node of safe class For, n1-n2=0, do not carry out the operation of matrix encryption;When safe class bypass the immediate leadership transmission progression the highest, Shu n1-n2 Shu get over Greatly, then the exponent number of scrambled matrix is the biggest, and cryptographic security is the best, and at the same level or when bypassing the immediate leadership little, AES Amount of calculation reduces accordingly, has stronger adaptivity.
C.B calls decryption function and is decrypted the information after encryption, obtains RD1 ' and information MES, is entered by RD1 and RD1 ' Row comparison match, if the match is successful, receives and retains MES, if inconsistent, MES return A or is abandoned;
(3) network security monitoring subsystem 30, is used for monitoring number of network node and network node location, and it includes perception mould Block and transport module:
Described sensing module realizes by disposing a large amount of wireless senser around network node, due to network node not Knowing self-position, described wireless senser is by accepting network node wireless signal, in conjunction with self and other sensing stations Relation, positions network node location;
(4) cloud service subsystem 40, including cloud storage module and cloud computing module:
Described cloud storage module includes publicly-owned cloud storage submodule and private cloud storage submodule, described publicly-owned storage cloud Module mainly stores network node ranked data, and its storage content external world can carry out free access, described private cloud storage submodule Block mainly stores secret key and decryption function, only can be conducted interviews by the personnel of authentication;
Described cloud computing module realizes by disposing SOA server, including publicly-owned cloud computing submodule and privately owned cloud computing Submodule, described publicly-owned cloud computing submodule provides for cloud network node safety classification subsystem and network security monitoring subsystem Calculating and support, described privately owned cloud computing submodule provides to calculate for security protection configuration subsystem and supports, and all types of user is by eventually End program obtains high in the clouds data.
In this embodiment: network system node security classification system 10 uses the node based on minimum spanning tree important Property calculate, can relatively accurately, amount of calculation calculates the importance of network node smaller, and enters the node in network on this basis Row safety classification, T3=0.25, fringe node number is not over the 30% of overall network nodes;Security protection configuration subsystem 20 Information between the network node of different safety class is transmitted and uses different encryption policy, and when safe class is bypassed the immediate leadership biography Pass the highest (when Shu n1-n2 Shu is the biggest), then the exponent number of scrambled matrix is the biggest, and cryptographic security is the best, and at the same level or more When level is little, the amount of calculation of AES reduces accordingly, has stronger adaptivity;Cloud service module is set, it is possible to saves and deposits Storage space, improves and calculates speed, saves time cost.
Preferably, in described network security monitoring subsystem, the concrete positioning action of network node is as follows:
With network node as the center of circle, r is that radius draws circle, and the wireless senser quantity in circle that falls is n, biography that i-th is wireless Sensor receives the signal intensity of this network node and corresponds to qi, i=1,2 ..., n;
The position of network node (x, y) as follows:
x = Σ i = 1 n q i x i Σ i = 1 n q i
y = Σ i = 1 n q i y i Σ i = 1 n q i
Described transport module is for being transferred to cloud service subsystem 40 by the monitoring result of sensing module.
In this embodiment, network security monitoring subsystem is set, it is possible to gather network node data, location standard in time Really.
Application scenarios 2:
A kind of based on minimum spanning tree big data platform system as shown in Figure 1, including sensing layer 1, for being supervised The detection of the monitoring data of control object, described monitored object includes the outside monitored object in the Internet and the node chain of the Internet itself Road, described supervision packet includes the weight of temperature, voltage, image, Word message, node and link, security log, leak letter Breath;
Application layer 2, is the interface of big data platform system and user, uses distributed multiple user setup, is used for carrying For human-computer exchange function, user is stored or recovery data to server request by application layer, has personnel's energy of administration authority Data are revised by client layer;
Monitoring data in same monitored object a period of time are analyzed by supervisory layers 3, obtain this monitored object at this Operation trend in time period, finds the exception of monitored object in time;
Security protection system 4, it include cloud network node safety classification subsystem 10, security protection configuration subsystem 20, Network security monitoring subsystem 30 and cloud service subsystem 40.
The present invention devises the biggest a kind of data platform system, by sensing layer to the monitoring inside and outside the Internet simultaneously Object detects, and is analyzed the monitoring data in same monitored object a period of time by supervisory layers, obtains this monitoring Object operation trend within the time period, finds the exception of monitored object in time.
Preferably, being additionally provided with equipment control layer 5 between sensing layer 1 and supervisory layers 3, described equipment control layer 5 is by perception Layer device id is mapped as the equipment control M-ID of described equipment control layer 5 according to certain rule, is used for identifying sensing layer equipment In described equipment control layer 5 and the expression of supervisory layers, identify and manage, and in this, as basis, it is achieved information is in described perception Layer 1 and supervisory layers 3 information conversion, transmit and exchange, it is achieved described sensing layer equipment numerical value and status information are at described prison The unified expression of control layer 2 and identification.
Preferably, described equipment control M-ID is made up of type, local port number and three parts of sensing layer device id.
Preferably, as in figure 2 it is shown, described network node security classification system 10 is by calculating the importance values of network node Network node is divided into 4 different safe classes, described security protection configuration subsystem 20 divide safely according to cloud network node The classification results of level subsystem 10, provides different safety for the link between network node and the node of different safety class Cryptographic services;Described network security monitoring subsystem 30 is used for monitoring network node state, and described cloud service subsystem 40 is whole Individual security protection cloud system provides cloud to support.
(1) cloud network node safety classification subsystem 10 include incidence matrix generation module 11, minimum spanning tree module 12, Diversity module 13 and replacement module 14:
The importance values of cloud network node safety classification subsystem 10 obtains and is based primarily upon following theory: to be measured by removing Node assesses this node status in the network, specifically, if after node to be measured is removed, raw in the new figure obtained The number of Cheng Shu is the fewest, then the importance values of this node is the biggest.
A, incidence matrix generation module 11:
A non-directed graph with m network node V and n bar link E, wherein V={V is represented with G1, V2... Vm, E= {E1, E2... En, the annexation of network structure interior joint and link, the one of matrix R is represented with the incidence matrix R of a m × n A network node in row map network, the string of R represents the value of network node and the relating attribute of corresponding sides, each in R The value of element is 0 or 1, wherein 0 represents link and does not associates with network node, and 1 represents link associates with network node;Such as, If the element of m row the n-th row is 1 in R, then represent m-th network node and nth bar link association;
B. minimum spanning tree module 12:
With (i j) represents connection network node V in non-directed graph GiWith network node VjLink, ω (Vi, Vj) represent this chain The weight on road, if there is subset that T is E and for without circulation figure so that ω (T) minimum, is just referred to as the minimum spanning tree of G, then by T Minimum spanning tree sum τ (G)=det (RR in GT), wherein det (.) represents determinant generating function,;
C. diversity module 13:
Node V is obtained by following formulaiImportance values ri:Wherein τ (G) is for be generated by minimum The minimum spanning tree sum that tree computing module obtains;K is the quantity of the i-th row nonzero element in incidence matrix R, and Z is remove R The new matrix obtained after the nonzero element column of i row and the i-th row, det (Zi) represent the determinant of Z;riValue the biggest, I.e. node demonstrates the highest importance, works as riValue when take 1, then it represents that ViIt is most important network node in this network, Once this network node is destroyed the connectedness of figure and will be destroyed dramatically, thus causes network service to interrupt;By with Upper method calculates the importance values of all-network node respectively, concurrently sets classification thresholds T1, T2, T3, and T1 > T2 > T3, as Really ri> T1, then be labeled as important node by this network node, if T1 is > ri> T2, then be labeled as time weight by this network node Want node, if T2 is > ri> T3, then be labeled as intermediate node by this network node, if riLess than T3, then by this network node It is labeled as fringe node, and the safe class of important node, secondary important node, intermediate node and fringe node is designated as respectively Grade 1, grade 2, grade 3 and class 4;T3=0.28, fringe node number is not over the 27% of overall network nodes;
D. replacement module 14:
When network node quantity or node location change, automatically recalculate the important of each network node Property value, and re-start safety classification and labelling;
(2) security protection configuration subsystem 20: between the network node that safe class is identical, uses based on Internet It is mutual that Secure Internet Protocol IPSec carries out information, it is provided that the protecting information safety of channel level, and ipsec protocol should by cryptographic technique For Internet, it is provided that what point-to-point data were transmitted includes the peace that safety certification, data encryption, access control, integrity differentiate Full service;Use between the network node of different safety class and be operated in the application layer protocol on network layer protocol and carry out information Alternately, the safety of application layer, based on PKI system, guarantees information file transfer, the safety shared and use by cryptographic technique, Following cipher mode is used to be encrypted specifically:
A. for network node A that safe class is n1 and network node B that safe class is n2, when A to transmit letter to B During breath MES, first being sent request by A to B, B returns Shu random number R D1 of Shu n1-n2, and B retains RD1;
Each RD1 is digitally signed by b.A by pre-assigned secret key, and produces random number corresponding to Shu n1-n2 Shu RD2;By the matrix on one Shu n1-n2 Shu × Shu n1-n2 Shu rank of RD1 and RD2 composition, utilize matrix encryption technology that information MES is carried out Encryption, is sent to B by encrypted result;Owing to the span of n1 and n2 is 1-4, easily know the net for different safety class For network node, this matrix is 3 × 3 rank matrixes to the maximum, minimum 1 × 1 matrix, and for the identical network node of safe class For, n1-n2=0, do not carry out the operation of matrix encryption;When safe class bypass the immediate leadership transmission progression the highest, Shu n1-n2 Shu get over Greatly, then the exponent number of scrambled matrix is the biggest, and cryptographic security is the best, and at the same level or when bypassing the immediate leadership little, AES Amount of calculation reduces accordingly, has stronger adaptivity.
C.B calls decryption function and is decrypted the information after encryption, obtains RD1 ' and information MES, is entered by RD1 and RD1 ' Row comparison match, if the match is successful, receives and retains MES, if inconsistent, MES return A or is abandoned;
(3) network security monitoring subsystem 30, is used for monitoring number of network node and network node location, and it includes perception mould Block and transport module:
Described sensing module realizes by disposing a large amount of wireless senser around network node, due to network node not Knowing self-position, described wireless senser is by accepting network node wireless signal, in conjunction with self and other sensing stations Relation, positions network node location;
(4) cloud service subsystem 40, including cloud storage module and cloud computing module:
Described cloud storage module includes publicly-owned cloud storage submodule and private cloud storage submodule, described publicly-owned storage cloud Module mainly stores network node ranked data, and its storage content external world can carry out free access, described private cloud storage submodule Block mainly stores secret key and decryption function, only can be conducted interviews by the personnel of authentication;
Described cloud computing module realizes by disposing SOA server, including publicly-owned cloud computing submodule and privately owned cloud computing Submodule, described publicly-owned cloud computing submodule provides for cloud network node safety classification subsystem and network security monitoring subsystem Calculating and support, described privately owned cloud computing submodule provides to calculate for security protection configuration subsystem and supports, and all types of user is by eventually End program obtains high in the clouds data.
In this embodiment: network system node security classification system 10 uses the node based on minimum spanning tree important Property calculate, can relatively accurately, amount of calculation calculates the importance of network node smaller, and enters the node in network on this basis Row safety classification, T3=0.28, fringe node number is not over the 27% of overall network nodes;Security protection configuration subsystem 20 Information between the network node of different safety class is transmitted and uses different encryption policy, and when safe class is bypassed the immediate leadership biography Pass the highest (when Shu n1-n2 Shu is the biggest), then the exponent number of scrambled matrix is the biggest, and cryptographic security is the best, and at the same level or more When level is little, the amount of calculation of AES reduces accordingly, has stronger adaptivity;Cloud service module is set, it is possible to saves and deposits Storage space, improves and calculates speed, saves time cost;
Preferably, in described network security monitoring subsystem, the concrete positioning action of network node is as follows:
With network node as the center of circle, r is that radius draws circle, and the wireless senser quantity in circle that falls is n, biography that i-th is wireless Sensor receives the signal intensity of this network node and corresponds to qi, i=1,2 ..., n;
The position of network node (x, y) as follows:
x = Σ i = 1 n q i x i Σ i = 1 n q i
y = Σ i = 1 n q i y i Σ i = 1 n q i
Described transport module is for being transferred to cloud service subsystem 40 by the monitoring result of sensing module.
Network security monitoring subsystem is set in this embodiment, it is possible to gather network node data, accurate positioning in time.
Application scenarios 3:
A kind of based on minimum spanning tree big data platform system as shown in Figure 1, including sensing layer 1, for being supervised The detection of the monitoring data of control object, described monitored object includes the outside monitored object in the Internet and the node chain of the Internet itself Road, described supervision packet includes the weight of temperature, voltage, image, Word message, node and link, security log, leak letter Breath;
Application layer 2, is the interface of big data platform system and user, uses distributed multiple user setup, is used for carrying For human-computer exchange function, user is stored or recovery data to server request by application layer, has personnel's energy of administration authority Data are revised by client layer;
Monitoring data in same monitored object a period of time are analyzed by supervisory layers 3, obtain this monitored object at this Operation trend in time period, finds the exception of monitored object in time;
Security protection system 4, it include cloud network node safety classification subsystem 10, security protection configuration subsystem 20, Network security monitoring subsystem 30 and cloud service subsystem 40.
The present invention devises the biggest a kind of data platform system, by sensing layer to the monitoring inside and outside the Internet simultaneously Object detects, and is analyzed the monitoring data in same monitored object a period of time by supervisory layers, obtains this monitoring Object operation trend within the time period, finds the exception of monitored object in time.
Preferably, being additionally provided with equipment control layer 5 between sensing layer 1 and supervisory layers 3, described equipment control layer 5 is by perception Layer device id is mapped as the equipment control M-ID of described equipment control layer 5 according to certain rule, is used for identifying sensing layer equipment In described equipment control layer 5 and the expression of supervisory layers, identify and manage, and in this, as basis, it is achieved information is in described perception Layer 1 and supervisory layers 3 information conversion, transmit and exchange, it is achieved described sensing layer equipment numerical value and status information are at described prison The unified expression of control layer 2 and identification.
Preferably, described equipment control M-ID is made up of type, local port number and three parts of sensing layer device id.
Preferably, as in figure 2 it is shown, described network node security classification system 10 is by calculating the importance values of network node Network node is divided into 4 different safe classes, described security protection configuration subsystem 20 divide safely according to cloud network node The classification results of level subsystem 10, provides different safety for the link between network node and the node of different safety class Cryptographic services;Described network security monitoring subsystem 30 is used for monitoring network node state, and described cloud service subsystem 40 is whole Individual security protection cloud system provides cloud to support.
(1) cloud network node safety classification subsystem 10 include incidence matrix generation module 11, minimum spanning tree module 12, Diversity module 13 and replacement module 14:
The importance values of cloud network node safety classification subsystem 10 obtains and is based primarily upon following theory: to be measured by removing Node assesses this node status in the network, specifically, if after node to be measured is removed, raw in the new figure obtained The number of Cheng Shu is the fewest, then the importance values of this node is the biggest.
A, incidence matrix generation module 11:
A non-directed graph with m network node V and n bar link E, wherein V={V is represented with G1, V2... Vm, E= {E1, E2... En, the annexation of network structure interior joint and link, the one of matrix R is represented with the incidence matrix R of a m × n A network node in row map network, the string of R represents the value of network node and the relating attribute of corresponding sides, each in R The value of element is 0 or 1, wherein 0 represents link and does not associates with network node, and 1 represents link associates with network node;Such as, If the element of m row the n-th row is 1 in R, then represent m-th network node and nth bar link association;
B. minimum spanning tree module 12:
With (i j) represents connection network node V in non-directed graph GiWith network node VjLink, ω (Vi, Vj) represent this chain The weight on road, if there is subset that T is E and for without circulation figure so that ω (T) minimum, is just referred to as the minimum spanning tree of G, then by T Minimum spanning tree sum τ (G)=det (RR in GT), wherein det (.) represents determinant generating function,;
C. diversity module 13:
Node V is obtained by following formulaiImportance values ri:Wherein τ (G) is for be generated by minimum The minimum spanning tree sum that tree computing module obtains;K is the quantity of the i-th row nonzero element in incidence matrix R, and Z is remove R The new matrix obtained after the nonzero element column of i row and the i-th row, det (Zi) represent the determinant of Z;riValue the biggest, I.e. node demonstrates the highest importance, works as riValue when take 1, then it represents that ViIt is most important network node in this network, Once this network node is destroyed the connectedness of figure and will be destroyed dramatically, thus causes network service to interrupt;By with Upper method calculates the importance values of all-network node respectively, concurrently sets classification thresholds T1, T2, T3, and T1 > T2 > T3, as Really ri> T1, then be labeled as important node by this network node, if T1 is > ri> T2, then be labeled as time weight by this network node Want node, if T2 is > ri> T3, then be labeled as intermediate node by this network node, if riLess than T3, then by this network node It is labeled as fringe node, and the safe class of important node, secondary important node, intermediate node and fringe node is designated as respectively Grade 1, grade 2, grade 3 and class 4;T3=0.30, fringe node number is not over the 32% of overall network nodes;
D. replacement module 14:
When network node quantity or node location change, automatically recalculate the important of each network node Property value, and re-start safety classification and labelling;
(2) security protection configuration subsystem 20: between the network node that safe class is identical, uses based on Internet It is mutual that Secure Internet Protocol IPSec carries out information, it is provided that the protecting information safety of channel level, and ipsec protocol should by cryptographic technique For Internet, it is provided that what point-to-point data were transmitted includes the peace that safety certification, data encryption, access control, integrity differentiate Full service;Use between the network node of different safety class and be operated in the application layer protocol on network layer protocol and carry out information Alternately, the safety of application layer, based on PKI system, guarantees information file transfer, the safety shared and use by cryptographic technique, Following cipher mode is used to be encrypted specifically:
A. for network node A that safe class is n1 and network node B that safe class is n2, when A to transmit letter to B During breath MES, first being sent request by A to B, B returns Shu random number R D1 of Shu n1-n2, and B retains RD1;
Each RD1 is digitally signed by b.A by pre-assigned secret key, and produces random number corresponding to Shu n1-n2 Shu RD2;By the matrix on one Shu n1-n2 Shu × Shu n1-n2 Shu rank of RD1 and RD2 composition, utilize matrix encryption technology that information MES is carried out Encryption, is sent to B by encrypted result;Owing to the span of n1 and n2 is 1-4, easily know the net for different safety class For network node, this matrix is 3 × 3 rank matrixes to the maximum, minimum 1 × 1 matrix, and for the identical network node of safe class For, n1-n2=0, do not carry out the operation of matrix encryption;When safe class bypass the immediate leadership transmission progression the highest, Shu n1-n2 Shu get over Greatly, then the exponent number of scrambled matrix is the biggest, and cryptographic security is the best, and at the same level or when bypassing the immediate leadership little, AES Amount of calculation reduces accordingly, has stronger adaptivity.
C.B calls decryption function and is decrypted the information after encryption, obtains RD1 ' and information MES, is entered by RD1 and RD1 ' Row comparison match, if the match is successful, receives and retains MES, if inconsistent, MES return A or is abandoned;
(3) network security monitoring subsystem 30, is used for monitoring number of network node and network node location, and it includes perception mould Block and transport module:
Described sensing module realizes by disposing a large amount of wireless senser around network node, due to network node not Knowing self-position, described wireless senser is by accepting network node wireless signal, in conjunction with self and other sensing stations Relation, positions network node location;
(4) cloud service subsystem 40, including cloud storage module and cloud computing module:
Described cloud storage module includes publicly-owned cloud storage submodule and private cloud storage submodule, described publicly-owned storage cloud Module mainly stores network node ranked data, and its storage content external world can carry out free access, described private cloud storage submodule Block mainly stores secret key and decryption function, only can be conducted interviews by the personnel of authentication;
Described cloud computing module realizes by disposing SOA server, including publicly-owned cloud computing submodule and privately owned cloud computing Submodule, described publicly-owned cloud computing submodule provides for cloud network node safety classification subsystem and network security monitoring subsystem Calculating and support, described privately owned cloud computing submodule provides to calculate for security protection configuration subsystem and supports, and all types of user is by eventually End program obtains high in the clouds data.
In this embodiment: network system node security classification system 10 uses the node based on minimum spanning tree important Property calculate, can relatively accurately, amount of calculation calculates the importance of network node smaller, and enters the node in network on this basis Row safety classification, T3=0.30, fringe node number is not over the 32% of overall network nodes;Security protection configuration subsystem 20 Information between the network node of different safety class is transmitted and uses different encryption policy, and when safe class is bypassed the immediate leadership biography Pass the highest (when Shu n1-n2 Shu is the biggest), then the exponent number of scrambled matrix is the biggest, and cryptographic security is the best, and at the same level or more When level is little, the amount of calculation of AES reduces accordingly, has stronger adaptivity;Cloud service module is set, it is possible to saves and deposits Storage space, improves and calculates speed, saves time cost;
Preferably, in described network security monitoring subsystem, the concrete positioning action of network node is as follows:
With network node as the center of circle, r is that radius draws circle, and the wireless senser quantity in circle that falls is n, biography that i-th is wireless Sensor receives the signal intensity of this network node and corresponds to qi, i=1,2 ..., n;
The position of network node (x, y) as follows:
x = Σ i = 1 n q i x i Σ i = 1 n q i
y = Σ i = 1 n q i y i Σ i = 1 n q i
Described transport module is for being transferred to cloud service subsystem 40 by the monitoring result of sensing module.
Network security monitoring subsystem is set in this embodiment, it is possible to gather network node data, accurate positioning in time.
Application scenarios 4:
A kind of based on minimum spanning tree big data platform system as shown in Figure 1, including sensing layer 1, for being supervised The detection of the monitoring data of control object, described monitored object includes the outside monitored object in the Internet and the node chain of the Internet itself Road, described supervision packet includes the weight of temperature, voltage, image, Word message, node and link, security log, leak letter Breath;
Application layer 2, is the interface of big data platform system and user, uses distributed multiple user setup, is used for carrying For human-computer exchange function, user is stored or recovery data to server request by application layer, has personnel's energy of administration authority Data are revised by client layer;
Monitoring data in same monitored object a period of time are analyzed by supervisory layers 3, obtain this monitored object at this Operation trend in time period, finds the exception of monitored object in time;
Security protection system 4, it include cloud network node safety classification subsystem 10, security protection configuration subsystem 20, Network security monitoring subsystem 30 and cloud service subsystem 40.
The present invention devises the biggest a kind of data platform system, by sensing layer to the monitoring inside and outside the Internet simultaneously Object detects, and is analyzed the monitoring data in same monitored object a period of time by supervisory layers, obtains this monitoring Object operation trend within the time period, finds the exception of monitored object in time.
Preferably, being additionally provided with equipment control layer 5 between sensing layer 1 and supervisory layers 3, described equipment control layer 5 is by perception Layer device id is mapped as the equipment control M-ID of described equipment control layer 5 according to certain rule, is used for identifying sensing layer equipment In described equipment control layer 5 and the expression of supervisory layers, identify and manage, and in this, as basis, it is achieved information is in described perception Layer 1 and supervisory layers 3 information conversion, transmit and exchange, it is achieved described sensing layer equipment numerical value and status information are at described prison The unified expression of control layer 2 and identification.
Preferably, described equipment control M-ID is made up of type, local port number and three parts of sensing layer device id.
Preferably, as in figure 2 it is shown, described network node security classification system 10 is by calculating the importance values of network node Network node is divided into 4 different safe classes, described security protection configuration subsystem 20 divide safely according to cloud network node The classification results of level subsystem 10, provides different safety for the link between network node and the node of different safety class Cryptographic services;Described network security monitoring subsystem 30 is used for monitoring network node state, and described cloud service subsystem 40 is whole Individual security protection cloud system provides cloud to support.
(1) cloud network node safety classification subsystem 10 include incidence matrix generation module 11, minimum spanning tree module 12, Diversity module 13 and replacement module 14:
The importance values of cloud network node safety classification subsystem 10 obtains and is based primarily upon following theory: to be measured by removing Node assesses this node status in the network, specifically, if after node to be measured is removed, raw in the new figure obtained The number of Cheng Shu is the fewest, then the importance values of this node is the biggest.
A, incidence matrix generation module 11:
A non-directed graph with m network node V and n bar link E, wherein V={V is represented with G1, V2... Vm, E= {E1, E2... En, the annexation of network structure interior joint and link, the one of matrix R is represented with the incidence matrix R of a m × n A network node in row map network, the string of R represents the value of network node and the relating attribute of corresponding sides, each in R The value of element is 0 or 1, wherein 0 represents link and does not associates with network node, and 1 represents link associates with network node;Such as, If the element of m row the n-th row is 1 in R, then represent m-th network node and nth bar link association;
B. minimum spanning tree module 12:
With (i j) represents and connects network node V and network node V in non-directed graph GjLink, ω (Vi, Vj) represent this chain The weight on road, if there is subset that T is E and for without circulation figure so that ω (T) minimum, is just referred to as the minimum spanning tree of G, then by T Minimum spanning tree sum τ (G)=det (RR in GT), wherein det (.) represents determinant generating function,;
C. diversity module 13:
Node V is obtained by following formulaiImportance values ri:Wherein τ (G) is for be generated by minimum The minimum spanning tree sum that tree computing module obtains;K is the quantity of the i-th row nonzero element in incidence matrix R, and Z is remove R The new matrix obtained after the nonzero element column of i row and the i-th row, det (Zi) represent the determinant of Z;riValue the biggest, I.e. node demonstrates the highest importance, works as riValue when take 1, then it represents that ViIt is most important network node in this network, Once this network node is destroyed the connectedness of figure and will be destroyed dramatically, thus causes network service to interrupt;By with Upper method calculates the importance values of all-network node respectively, concurrently sets classification thresholds T1, T2, T3, and T1 > T2 > T3, as Really ri> T1, then be labeled as important node by this network node, if T1 is > ri> T2, then be labeled as time weight by this network node Want node, if T2 is > ri> T3, then be labeled as intermediate node by this network node, if riLess than T3, then by this network node It is labeled as fringe node, and the safe class of important node, secondary important node, intermediate node and fringe node is designated as respectively Grade 1, grade 2, grade 3 and class 4;T3=0.33, fringe node number is not over the 35% of overall network nodes;
D. replacement module 14:
When network node quantity or node location change, automatically recalculate the important of each network node Property value, and re-start safety classification and labelling;
(2) security protection configuration subsystem 20: between the network node that safe class is identical, uses based on Internet It is mutual that Secure Internet Protocol IPSec carries out information, it is provided that the protecting information safety of channel level, and ipsec protocol should by cryptographic technique For Internet, it is provided that what point-to-point data were transmitted includes the peace that safety certification, data encryption, access control, integrity differentiate Full service;Use between the network node of different safety class and be operated in the application layer protocol on network layer protocol and carry out information Alternately, the safety of application layer, based on PKI system, guarantees information file transfer, the safety shared and use by cryptographic technique, Following cipher mode is used to be encrypted specifically:
A. for network node A that safe class is n1 and network node B that safe class is n2, when A to transmit letter to B During breath MES, first being sent request by A to B, B returns Shu random number R D1 of Shu n1-n2, and B retains RD1;
Each RD1 is digitally signed by b.A by pre-assigned secret key, and produces random number corresponding to Shu n1-n2 Shu RD2;By the matrix on one Shu n1-n2 Shu × Shu n1-n2 Shu rank of RD1 and RD2 composition, utilize matrix encryption technology that information MES is carried out Encryption, is sent to B by encrypted result;Owing to the span of n1 and n2 is 1-4, easily know the net for different safety class For network node, this matrix is 3 × 3 rank matrixes to the maximum, minimum 1 × 1 matrix, and for the identical network node of safe class For, n1-n2=0, do not carry out the operation of matrix encryption;When safe class bypass the immediate leadership transmission progression the highest, Shu n1-n2 Shu get over Greatly, then the exponent number of scrambled matrix is the biggest, and cryptographic security is the best, and at the same level or when bypassing the immediate leadership little, AES Amount of calculation reduces accordingly, has stronger adaptivity.
C.B calls decryption function and is decrypted the information after encryption, obtains RD1 ' and information MES, is entered by RD1 and RD1 ' Row comparison match, if the match is successful, receives and retains MES, if inconsistent, MES return A or is abandoned;
(3) network security monitoring subsystem 30, is used for monitoring number of network node and network node location, and it includes perception mould Block and transport module:
Described sensing module realizes by disposing a large amount of wireless senser around network node, due to network node not Knowing self-position, described wireless senser is by accepting network node wireless signal, in conjunction with self and other sensing stations Relation, positions network node location;
(4) cloud service subsystem 40, including cloud storage module and cloud computing module:
Described cloud storage module includes publicly-owned cloud storage submodule and private cloud storage submodule, described publicly-owned storage cloud Module mainly stores network node ranked data, and its storage content external world can carry out free access, described private cloud storage submodule Block mainly stores secret key and decryption function, only can be conducted interviews by the personnel of authentication;
Described cloud computing module realizes by disposing SOA server, including publicly-owned cloud computing submodule and privately owned cloud computing Submodule, described publicly-owned cloud computing submodule provides for cloud network node safety classification subsystem and network security monitoring subsystem Calculating and support, described privately owned cloud computing submodule provides to calculate for security protection configuration subsystem and supports, and all types of user is by eventually End program obtains high in the clouds data.
In this embodiment: network system node security classification system 10 uses the node based on minimum spanning tree important Property calculate, can relatively accurately, amount of calculation calculates the importance of network node smaller, and enters the node in network on this basis Row safety classification, T3=0.33, fringe node number is not over the 35% of overall network nodes;Security protection configuration subsystem 20 Information between the network node of different safety class is transmitted and uses different encryption policy, and when safe class is bypassed the immediate leadership biography Pass the highest (when Shu n1-n2 Shu is the biggest), then the exponent number of scrambled matrix is the biggest, and cryptographic security is the best, and at the same level or more When level is little, the amount of calculation of AES reduces accordingly, has stronger adaptivity;Cloud service module is set, it is possible to saves and deposits Storage space, improves and calculates speed, saves time cost.
Preferably, in described network security monitoring subsystem, the concrete positioning action of network node is as follows:
With network node as the center of circle, r is that radius draws circle, and the wireless senser quantity in circle that falls is n, biography that i-th is wireless Sensor receives the signal intensity of this network node and corresponds to qi, i=1,2 ..., n;
The position of network node (x, y) as follows:
x = Σ i = 1 n q i x i Σ i = 1 n q i
y = Σ i = 1 n q i y i Σ i = 1 n q i
Described transport module is for being transferred to cloud service subsystem 40 by the monitoring result of sensing module.
Network security monitoring subsystem is set in this embodiment, it is possible to gather network node data, accurate positioning in time.
Application scenarios 5:
A kind of based on minimum spanning tree big data platform system as shown in Figure 1, including sensing layer 1, for being supervised The detection of the monitoring data of control object, described monitored object includes the outside monitored object in the Internet and the node chain of the Internet itself Road, described supervision packet includes the weight of temperature, voltage, image, Word message, node and link, security log, leak letter Breath;
Application layer 2, is the interface of big data platform system and user, uses distributed multiple user setup, is used for carrying For human-computer exchange function, user is stored or recovery data to server request by application layer, has personnel's energy of administration authority Data are revised by client layer;
Monitoring data in same monitored object a period of time are analyzed by supervisory layers 3, obtain this monitored object at this Operation trend in time period, finds the exception of monitored object in time;
Security protection system 4, it include cloud network node safety classification subsystem 10, security protection configuration subsystem 20, Network security monitoring subsystem 30 and cloud service subsystem 40.
The present invention devises the biggest a kind of data platform system, by sensing layer to the monitoring inside and outside the Internet simultaneously Object detects, and is analyzed the monitoring data in same monitored object a period of time by supervisory layers, obtains this monitoring Object operation trend within the time period, finds the exception of monitored object in time.
Preferably, being additionally provided with equipment control layer 5 between sensing layer 1 and supervisory layers 3, described equipment control layer 5 is by perception Layer device id is mapped as the equipment control M-ID of described equipment control layer 5 according to certain rule, is used for identifying sensing layer equipment In described equipment control layer 5 and the expression of supervisory layers, identify and manage, and in this, as basis, it is achieved information is in described perception Layer 1 and supervisory layers 3 information conversion, transmit and exchange, it is achieved described sensing layer equipment numerical value and status information are at described prison The unified expression of control layer 2 and identification.
Preferably, described equipment control M-ID is made up of type, local port number and three parts of sensing layer device id.
Preferably, as in figure 2 it is shown, described network node security classification system 10 is by calculating the importance values of network node Network node is divided into 4 different safe classes, described security protection configuration subsystem 20 divide safely according to cloud network node The classification results of level subsystem 10, provides different safety for the link between network node and the node of different safety class Cryptographic services;Described network security monitoring subsystem 30 is used for monitoring network node state, and described cloud service subsystem 40 is whole Individual security protection cloud system provides cloud to support.
(1) cloud network node safety classification subsystem 10 include incidence matrix generation module 11, minimum spanning tree module 12, Diversity module 13 and replacement module 14:
The importance values of cloud network node safety classification subsystem 10 obtains and is based primarily upon following theory: to be measured by removing Node assesses this node status in the network, specifically, if after node to be measured is removed, raw in the new figure obtained The number of Cheng Shu is the fewest, then the importance values of this node is the biggest.
A, incidence matrix generation module 11:
A non-directed graph with m network node V and n bar link E, wherein V={V is represented with G1, V2... Vm, E= {E1, E2... En, the annexation of network structure interior joint and link, the one of matrix R is represented with the incidence matrix R of a m × n A network node in row map network, the string of R represents the value of network node and the relating attribute of corresponding sides, each in R The value of element is 0 or 1, wherein 0 represents link and does not associates with network node, and 1 represents link associates with network node;Such as, If the element of m row the n-th row is 1 in R, then represent m-th network node and nth bar link association;
B. minimum spanning tree module 12:
With (i j) represents connection network node V in non-directed graph GiWith network node VjLink, ω (Vi, Vj) represent this chain The weight on road, if there is subset that T is E and for without circulation figure so that ω (T) minimum, is just referred to as the minimum spanning tree of G, then by T Minimum spanning tree sum τ (G)=det (RR in GT), wherein det (.) represents determinant generating function,;
C. diversity module 13:
Node V is obtained by following formulaiImportance values ri:Wherein τ (G) is for be generated by minimum The minimum spanning tree sum that tree computing module obtains;K is the quantity of the i-th row nonzero element in incidence matrix R, and Z is remove R The new matrix obtained after the nonzero element column of i row and the i-th row, det (Zi) represent the determinant of Z;riValue the biggest, I.e. node demonstrates the highest importance, works as riValue when take 1, then it represents that ViIt is most important network node in this network, Once this network node is destroyed the connectedness of figure and will be destroyed dramatically, thus causes network service to interrupt;By with Upper method calculates the importance values of all-network node respectively, concurrently sets classification thresholds T1, T2, T3, and T1 > T2 > T3, as Really ri> T1, then be labeled as important node by this network node, if T1 is > ri> T2, then be labeled as time weight by this network node Want node, if T2 is > ri> T3, then be labeled as intermediate node by this network node, if riLess than T3, then by this network node It is labeled as fringe node, and the safe class of important node, secondary important node, intermediate node and fringe node is designated as respectively Grade 1, grade 2, grade 3 and class 4;T3=0.35, fringe node number is not over the 37% of overall network nodes;
D. replacement module 14:
When network node quantity or node location change, automatically recalculate the important of each network node Property value, and re-start safety classification and labelling;
(2) security protection configuration subsystem 20: between the network node that safe class is identical, uses based on Internet It is mutual that Secure Internet Protocol IPSec carries out information, it is provided that the protecting information safety of channel level, and ipsec protocol should by cryptographic technique For Internet, it is provided that what point-to-point data were transmitted includes the peace that safety certification, data encryption, access control, integrity differentiate Full service;Use between the network node of different safety class and be operated in the application layer protocol on network layer protocol and carry out information Alternately, the safety of application layer, based on PKI system, guarantees information file transfer, the safety shared and use by cryptographic technique, Following cipher mode is used to be encrypted specifically:
A. for network node A that safe class is n1 and network node B that safe class is n2, when A to transmit letter to B During breath MES, first being sent request by A to B, B returns Shu random number R D1 of Shu n1-n2, and B retains RD1;
Each RD1 is digitally signed by b.A by pre-assigned secret key, and produces random number corresponding to Shu n1-n2 Shu RD2;By the matrix on one Shu n1-n2 Shu × Shu n1-n2 Shu rank of RD1 and RD2 composition, utilize matrix encryption technology that information MES is carried out Encryption, is sent to B by encrypted result;Owing to the span of n1 and n2 is 1-4, easily know the net for different safety class For network node, this matrix is 3 × 3 rank matrixes to the maximum, minimum 1 × 1 matrix, and for the identical network node of safe class For, n1-n2=0, do not carry out the operation of matrix encryption;When safe class bypass the immediate leadership transmission progression the highest, Shu n1-n2 Shu get over Greatly, then the exponent number of scrambled matrix is the biggest, and cryptographic security is the best, and at the same level or when bypassing the immediate leadership little, AES Amount of calculation reduces accordingly, has stronger adaptivity.
C.B calls decryption function and is decrypted the information after encryption, obtains RD1 ' and information MES, is entered by RD1 and RD1 ' Row comparison match, if the match is successful, receives and retains MES, if inconsistent, MES return A or is abandoned;
(3) network security monitoring subsystem 30, is used for monitoring number of network node and network node location, and it includes perception mould Block and transport module:
Described sensing module realizes by disposing a large amount of wireless senser around network node, due to network node not Knowing self-position, described wireless senser is by accepting network node wireless signal, in conjunction with self and other sensing stations Relation, positions network node location;
(4) cloud service subsystem 40, including cloud storage module and cloud computing module:
Described cloud storage module includes publicly-owned cloud storage submodule and private cloud storage submodule, described publicly-owned storage cloud Module mainly stores network node ranked data, and its storage content external world can carry out free access, described private cloud storage submodule Block mainly stores secret key and decryption function, only can be conducted interviews by the personnel of authentication;
Described cloud computing module realizes by disposing SOA server, including publicly-owned cloud computing submodule and privately owned cloud computing Submodule, described publicly-owned cloud computing submodule provides for cloud network node safety classification subsystem and network security monitoring subsystem Calculating and support, described privately owned cloud computing submodule provides to calculate for security protection configuration subsystem and supports, and all types of user is by eventually End program obtains high in the clouds data.
In this embodiment: network system node security classification system 10 uses the node based on minimum spanning tree important Property calculate, can relatively accurately, amount of calculation calculates the importance of network node smaller, and enters the node in network on this basis Row safety classification, T3=0.35, fringe node number is not over the 37% of overall network nodes;Security protection configuration subsystem 20 Information between the network node of different safety class is transmitted and uses different encryption policy, and when safe class is bypassed the immediate leadership biography Pass the highest (when Shu n1-n2 Shu is the biggest), then the exponent number of scrambled matrix is the biggest, and cryptographic security is the best, and at the same level or more When level is little, the amount of calculation of AES reduces accordingly, has stronger adaptivity;Cloud service module is set, it is possible to saves and deposits Storage space, improves and calculates speed, saves time cost.
Preferably, in described network security monitoring subsystem, the concrete positioning action of network node is as follows:
With network node as the center of circle, r is that radius draws circle, and the wireless senser quantity in circle that falls is n, biography that i-th is wireless Sensor receives the signal intensity of this network node and corresponds to qi, i=1,2 ..., n;
The position of network node (x, y) as follows:
x = Σ i = 1 n q i x i Σ i = 1 n q i
y = Σ i = 1 n q i y i Σ i = 1 n q i
Described transport module is for being transferred to cloud service subsystem 40 by the monitoring result of sensing module.
Network security monitoring subsystem is set in this embodiment, it is possible to gather network node data, accurate positioning in time.
Last it should be noted that, above example is only in order to illustrate technical scheme, rather than the present invention is protected Protecting the restriction of scope, although having made to explain to the present invention with reference to preferred embodiment, those of ordinary skill in the art should Work as understanding, technical scheme can be modified or equivalent, without deviating from the reality of technical solution of the present invention Matter and scope.

Claims (3)

1. a big data platform system based on minimum spanning tree, is characterized in that, including sensing layer, for monitored object The detection of monitoring data, described monitored object includes the outside monitored object in the Internet and the node link of the Internet itself, institute State supervision packet and include the weight of temperature, voltage, image, Word message, node and link, security log, vulnerability information;
Application layer, is the interface of big data platform system and user, uses distributed multiple user setup, is used for providing man-machine Function of exchange, user is stored or recovery data to server request by application layer, has the personnel of administration authority can pass through to use Family layer amendment data;
Monitoring data in same monitored object a period of time are analyzed by supervisory layers, obtain this monitored object at this moment between Operation trend in Duan, finds the exception of monitored object in time;
Security protection system, for providing protection for network node and link, it include cloud network node safety classification subsystem, Security protection configuration subsystem, network security monitoring subsystem and cloud service subsystem.
Described a kind of big data platform system based on minimum spanning tree the most according to claim 1, is characterized in that, perception Being additionally provided with equipment control layer between layer and supervisory layers, sensing layer device id is reflected by described equipment control layer according to certain rule Penetrate the equipment control M-ID for described equipment control layer, for identifying that sensing layer equipment is in described equipment control layer and supervisory layers Represent, identify and manage, and in this, as basis, it is achieved information is in described sensing layer and the conversion of the information of supervisory layers, transmission And exchange, it is achieved described sensing layer equipment numerical value and status information are in the unified expression of described supervisory layers and identification.
The big data platform system of one the most according to claim 2, is characterized in that, described equipment control M-ID by type, Local port number and sensing layer device id three part composition.
CN201610559924.4A 2016-07-13 2016-07-13 A kind of big data platform system based on minimum spanning tree Pending CN106209865A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610559924.4A CN106209865A (en) 2016-07-13 2016-07-13 A kind of big data platform system based on minimum spanning tree

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610559924.4A CN106209865A (en) 2016-07-13 2016-07-13 A kind of big data platform system based on minimum spanning tree

Publications (1)

Publication Number Publication Date
CN106209865A true CN106209865A (en) 2016-12-07

Family

ID=57474812

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610559924.4A Pending CN106209865A (en) 2016-07-13 2016-07-13 A kind of big data platform system based on minimum spanning tree

Country Status (1)

Country Link
CN (1) CN106209865A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111818048A (en) * 2020-07-08 2020-10-23 珠海市鸿瑞信息技术股份有限公司 Safety protection authentication system and method based on distribution network automation

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102932846A (en) * 2012-10-22 2013-02-13 南京大学 Data management system for distributed heterogeneous sensing network and data management method for data management system

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102932846A (en) * 2012-10-22 2013-02-13 南京大学 Data management system for distributed heterogeneous sensing network and data management method for data management system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
彭凯: ""面向云内部网络结构的安全防护机制研究"", 《中国博士学位论文全文数据库-信息科技辑》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111818048A (en) * 2020-07-08 2020-10-23 珠海市鸿瑞信息技术股份有限公司 Safety protection authentication system and method based on distribution network automation
CN111818048B (en) * 2020-07-08 2022-05-27 珠海市鸿瑞信息技术股份有限公司 Safety protection authentication system and method based on distribution network automation

Similar Documents

Publication Publication Date Title
CN105933361B (en) Big data security protection cloud system based on trusted calculation
Chen et al. Collaborative trust blockchain based unbiased control transfer mechanism for industrial automation
CN103391185B (en) A kind of cloud security storage of track traffic Monitoring Data and processing method and system
CN107360146B (en) Privacy protection space crowdsourcing task allocation system and method for receiving guarantee
CN106209850B (en) Big data information network self-adaptive safety protection system based on trusted computing
CN103414585A (en) Method and device for building safety baselines of service system
CN106203164B (en) Information security big data resource management system based on trust computing and cloud computing
CN106131489A (en) Multi-source data power plant inspection management system
Itodo et al. Digital forensics and incident response (DFIR) challenges in IoT platforms
Rahman et al. Cloud based E-learning, security threats and security measures
CN105959418A (en) Security-based vehicle assistance system
CN106209865A (en) A kind of big data platform system based on minimum spanning tree
CN106114453A (en) A kind of distributed high safety vehicle burglary-resisting system
Liang et al. Collaborative intrusion detection as a service in cloud computing environment
Muhammad et al. An analysis of security challenges and their perspective solutions for cloud computing and IoT
Malyuk et al. Information security theory for the future internet
CN107465688B (en) Method for identifying network application permission of state monitoring and evaluating system
CN106230856A (en) A kind of System of Industrial Device Controls based on Internet of Things
CN106209869A (en) A kind of intelligent power equipment data handling system based on classification safety
CN106130820A (en) A kind of big data platform system
de Aguiar Monteiro et al. A Survey on Microservice Security–Trends in Architecture Privacy and Standardization on Cloud Computing Environments
Kassimi et al. A new approach based mobile agent system for ensuring secure big data transmission and storage
Xihua et al. Blockchain mechanism for resolving privacy issues in a smart city
Ramane et al. Monitoring Health of IIOT Devices using Blockchain
Sun et al. Smart City Privacy Protection in Big Data Environment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20161207

RJ01 Rejection of invention patent application after publication