CN116192459A - Edge node network security threat monitoring method based on edge-to-edge cooperation - Google Patents

Info

Publication number: CN116192459A
Application number: CN202211716555.7A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: information, edge, node, monitoring, core node
Inventors: 虞雁群, 吴艳, 刘彦伸, 郭银锋, 朱涛涛
Current assignee: Zhejiang Yu'an Information Technology Co ltd
Original assignee: Zhejiang Yu'an Information Technology Co ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 ... for detecting or protecting against malicious traffic
                • H04L63/1408 ... by monitoring network traffic
                • H04L63/1433 Vulnerability analysis
        • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L41/06 Management of faults, events, alarms or notifications
                • H04L41/0631 ... using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
            • H04L41/14 Network analysis or design
                • H04L41/142 ... using statistical or mathematical methods
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
        • G06N20/00 Machine learning


Abstract

The invention relates to an edge node network security threat monitoring method based on edge-to-edge cooperation, and belongs to the technical field of network security. Each edge core node and the edge core node with the highest response speed in its neighborhood form a pair of cooperative core nodes, and each edge monitoring unit is interconnected with the monitoring unit of its cooperative node. The edge monitoring unit acquires the network security threat alarm information of its own node and of the cooperative core node and reports it to the cloud monitoring center, so that network security threat monitoring and reporting are realized through edge-to-edge cooperation. The cloud monitoring center is provided with an emergency threat research and judgment center, which predicts the emergency degree of each piece of information by a machine learning method and finally feeds the result back to the user ordered by emergency degree. The method can rapidly judge whether information is redundant and efficiently predict its emergency degree, achieving rapid research and judgment of, and security warning about, the different security threat information of edge nodes.

Description

Edge node network security threat monitoring method based on edge-to-edge cooperation
Technical Field
The invention relates to an edge node network security threat monitoring method based on edge-to-edge cooperation, and belongs to the technical field of network security.
Background
Edge computing extends cloud computing capability from the center outward to the edge, commonly referred to as the "last kilometer" to the user. Edge computing allows a large amount of real-time interactive computation to be completed at the edge nodes, which greatly improves processing efficiency and reduces the workload of the cloud. Internet of Things applications such as smart cities, smart homes and the Internet of Vehicles can no longer do without edge computing. However, a large number of devices accessing the network from different locations greatly increases the probability of network attack; while edge computing brings new development opportunities, it faces a variety of security issues such as physical attacks, port attacks, malicious traffic attacks and APT attacks.
The terminal Internet of Things devices connected on the southbound side of edge nodes are generally mobile and operate in real time, so edge security is an important guarantee of edge computing. If the security threat information monitored by an edge node cannot be researched, judged and handled in time, for example when the node network is subjected to a DDoS attack and can no longer work normally, then in a scenario such as autonomous driving serious public safety consequences such as vehicle damage and loss of life are likely to occur.
Disclosure of Invention
Based on these problems, the invention provides an edge node network security threat monitoring method based on edge-to-edge coordination.
The invention adopts the following technical methods:
the edge node network security threat monitoring method based on edge-to-edge cooperation comprises an edge core layer and a cloud core layer; the edge core layer and the cloud core layer communicate with each other;
the edge core layer comprises edge core nodes; each edge core node connects northbound to the cloud platform and southbound to the terminal Internet of Things devices, whose data it collects; the edge core node is provided with a monitoring unit and a large number of edge devices; the monitoring unit acquires the network security threat information of the edge core node and comprises a hardware security monitoring module, an abnormal behavior monitoring module, a node vulnerability monitoring module and a data security monitoring module; each edge core node and its adjacent edge core nodes are cooperative core nodes; the monitoring unit of each edge core node is in signal connection with the monitoring unit of its cooperative core node;
the cloud core layer comprises a cloud platform; the cloud platform is provided with a cloud monitoring center; the cloud monitoring center is provided with a threat library and an emergency threat research and judgment center; the threat library comprises a minute library, an hour library, a day library and a week library; the monitoring unit connects northbound to the cloud monitoring center;
the edge monitoring unit acquires the network security threat alarm information of the edge core node and of the cooperative core node and reports it to the cloud monitoring center, so that network security threat monitoring and reporting through edge-to-edge cooperation are realized.
Preferably, the cooperative core node is determined as follows: a neighborhood threshold T is set for each edge core node, at least two edge core nodes within the neighborhood are selected, each edge core node sends a number of response data packets to each of these edge core nodes, and the edge core node with the highest average response speed is determined to be the cooperative core node. Each edge core node is paired in turn in this manner, and every node except the head node and the tail node therefore has two cooperative core nodes.
The edge node network security threat monitoring method based on edge-to-edge cooperation comprises the following steps:
s1: starting from the first edge core node, match it with the edge core node that responds fastest, namely its cooperative core node; then match that cooperative core node with the edge core node that responds fastest to it, and so on until the last core node has been successfully matched with a cooperative core node;
s2: the monitoring unit of the edge core node performs communication authentication with the monitoring unit of the cooperative core node and sends a request to acquire the network security threat information of the cooperative core node; after receiving the request, the monitoring unit of the cooperative core node periodically sends the network security threat information of its own node to the requester; if communication between the two parties is interrupted, go to step S3, otherwise go to step S6;
s3: enter re-authentication handshake mode; if the authentication handshake fails three times, go to step S4, otherwise go to step S5;
s4: report the fault information of the cooperative node to the cloud monitoring center;
s5: if the authentication succeeds, the two parties continue to acquire each other's security threat information;
s6: all edge core nodes report the monitored and collected security threat information to the cloud monitoring center;
s7: the cloud monitoring center compares the reported information with recently received data and judges whether the reported information is redundant;
s8: according to the comparison result of step S7, if the information is a redundant report, delete it and add 1 to the alarm frequency of the retained information; otherwise go to step S9;
s9: the cloud monitoring center uses a machine learning method to rapidly predict the emergency degree category of the piece of monitoring information; the machine learning algorithm is a Bayesian network classifier; the emergency degree of the monitoring information is divided into three categories (urgent, urgent and conventional);
s10: synchronize the monitoring information with its determined emergency degree to the emergency threat research and judgment center, send monitoring result warning information to the user, and display the information in order of emergency degree (urgent, urgent and conventional);
s11: after one round of network security monitoring of the edge core node is finished, enter the next monitoring period.
The cooperative core node determining method in step S1 is as follows: a neighborhood threshold T is set for each edge core node, at least two edge core nodes within the neighborhood are selected, each edge core node sends a number of response data packets to each of these edge core nodes, and the edge core node with the highest average response speed is determined to be the cooperative core node. Each edge core node is paired in turn in this manner, and every node except the head node and the tail node therefore has two cooperative core nodes.
In step S2, the fields of each piece of monitored and collected network security threat information comprise a node unique identification code, the monitoring unit alarm time, the alarm frequency, a sender unique identification code and the specific content of the threat information;
the node unique identification code identifies the edge core node reporting the information and can be customized;
the monitoring unit alarm time is the time at which the monitoring unit discovered the security threat information and generated the alarm;
the alarm frequency, i.e. the number of times the monitoring unit has alarmed on this information, is initialized to 1, and when the cloud monitoring center detects that the information is redundant, the frequency is accumulated in this field;
the sender unique identification code identifies the sender of the reported information and can be customized;
the specific content of the threat information represents the specific network security threat information that was monitored;
the machine learning method for rapidly predicting the emergency degree category of the security threat information further comprises the following steps:
l1: the monitoring unit of the edge core node monitors the edge core node in real time, records the monitored security threat information and sends it to the cloud monitoring center;
l2: the cloud monitoring center collects and aggregates the monitoring information of each edge core node to generate a training set and a test set;
l3: the training data set of the cloud monitoring center is preprocessed, then labeled and classified according to emergency degree;
l4: the training data set of the cloud monitoring center is learned by the machine learning algorithm (a Bayesian network) and the accuracy of the model is tested with the test set.
Preferably, in step S6, the cloud monitoring center determines the redundancy of the reported information as follows:
p1: the threat library is divided by time. The minute library data set is defined as $M=\{M_1, M_2, \dots, M_m\}$, where $m$ is the current number of entries in the minute library and $M_s$ ($1 \le s \le m$) is one entry; the minute library is updated once per minute. The hour library data set is $H=\{H_1, H_2, \dots, H_h\}$, where $h$ is the current number of entries in the hour library and $H_s$ ($1 \le s \le h$) is one entry; the hour library is updated once per hour. The day library data set is $D=\{D_1, D_2, \dots, D_d\}$, where $d$ is the current number of entries in the day library and $D_s$ ($1 \le s \le d$) is one entry; the day library is updated once a day. The week library data set is $W=\{W_1, W_2, \dots, W_w\}$, where $w$ is the current number of entries in the week library and $W_s$ ($1 \le s \le w$) is one entry; the week library is updated once a week;
p2: in the minute library of the threat library, match the information against the existing entries; if matching fails, go to step P3, otherwise go to step S8;
p3: in the hour library of the threat library, match the information against the existing entries; if matching fails, go to step P4, otherwise go to step S8;
p4: in the day library of the threat library, match the information against the existing entries; if matching fails, go to step P5, otherwise go to step S8;
p5: in the week library of the threat library, match the information against the existing entries; if matching fails, go to step S9, otherwise go to step S8.
Further, the matching method is as follows:
m1: compare the current information with every entry in the current threat library, checking whether the specific content of the threat information, the node unique identification code and the year and month of the monitoring unit alarm time are consistent; if so, go to step M2, otherwise go to step S9;
m2: compare whether the sender is consistent; if not, go to step M3, otherwise go to step S8;
m3: discard the piece of information.
Compared with existing methods, the invention has the following advantages:
1. Each edge core node searches its neighborhood for the edge core node with the highest response speed and takes it as its cooperative core node; every edge core node except the head node and the tail node has two neighbors, so the topology links all edge core nodes into a line. This guarantees cooperative monitoring while avoiding the additional security problems that excessive communication connections between nodes would cause.
2. To determine more quickly whether reported information is redundant, a threat library is set up in the cloud monitoring center, and each piece of monitoring information is matched in the minute library, hour library, day library and week library in turn. In general, if the information is redundant, the probability of a successful match in the minute library is high, and because the minute library contains the fewest entries, the time complexity of the search is greatly reduced.
3. To judge the emergency degree of security threat information quickly and show urgent threat information to the user in real time, an emergency threat research and judgment center is set up in the cloud monitoring center; the emergency degree of each piece of monitoring information is predicted by a machine learning method and urgent information is shown to the user first, so that the user can handle urgent security events first.
Drawings
FIG. 1 is a topology diagram of a network security threat monitoring system of the invention;
FIG. 2 is a block diagram of a cyber-security threat monitoring system of the invention;
FIG. 3 is a flow chart of the steps of the network security threat monitoring method of the invention;
FIG. 4 is a flow chart of a machine learning method for rapidly studying and judging information emergency degree according to the present invention.
Detailed Description
For a better understanding of the technical solution of the present invention, the embodiments of the invention are described in detail below with reference to the accompanying drawings. It should be clear that, beyond the described embodiments, all other embodiments that a person of ordinary skill in the art would obtain without inventive effort fall within the scope of protection of the present invention.
As shown in FIG. 1, the edge core layer includes an edge core node B; the edge core node connects northbound to the cloud platform A and southbound to the terminal Internet of Things devices C, whose data it collects;
as shown in FIG. 2, an edge monitoring unit B1 acquires the network security threat information of the edge core node and includes a hardware security monitoring module B1a, an abnormal behavior monitoring module B1b, a node vulnerability monitoring module B1c and a data security monitoring module B1d; each edge computing node and its adjacent edge computing nodes are cooperative core nodes; the monitoring unit of each edge core node is in signal connection with the monitoring unit of its cooperative core node;
the cloud core layer comprises a cloud platform A; the cloud platform is provided with a cloud monitoring center A1; the cloud monitoring center is provided with a threat library A1a and an emergency threat research and judgment center A1b; the threat library includes a minute library A1a1, an hour library A1a2, a day library A1a3 and a week library A1a4; the emergency threat research and judgment center is provided with a threat information database A1b1; the edge monitoring unit B1 connects northbound to the cloud monitoring center A1;
the edge monitoring unit acquires the network security threat alarm information of the edge core node and of the cooperative core node and reports it to the cloud monitoring center, so that network security threat monitoring and reporting through edge-to-edge cooperation are realized.
The edge node network security threat monitoring method based on edge-to-edge cooperation, as shown in fig. 3, comprises the following steps:
s1: each edge core node and the edge core node that responds to it fastest are cooperative core nodes; the cloud platform communicates with all edge core nodes, and the cloud monitoring center communicates with the monitoring units;
s2: the monitoring unit of the edge core node performs communication authentication with the monitoring unit of the cooperative core node and sends a request to acquire the network security threat information of the cooperative core node; after receiving the request, the monitoring unit of the cooperative core node periodically sends the network security threat information of its own node to the requester; if communication between the two parties is interrupted, go to step S3, otherwise go to step S6;
s3: enter re-authentication handshake mode; if the authentication handshake fails three times, go to step S4, otherwise go to step S5;
s4: report the fault information of the cooperative node to the cloud monitoring center;
s5: if the authentication succeeds, the two parties continue to acquire each other's security threat information;
s6: the edge core node reports the monitored and collected security threat information to the cloud monitoring center;
s7: the cloud monitoring center compares the reported information with recently received data and judges whether the reported information is redundant;
s8: according to the comparison result of step S7, if the piece of information is a redundant report, delete it and add 1 to the characteristic quantity of the retained information; otherwise go to step S9;
s9: the cloud monitoring center uses a machine learning method to rapidly predict the emergency degree category of the piece of monitoring information; the machine learning algorithm is a Bayesian network classifier; the emergency degree of the monitoring information is divided into three categories (urgent, urgent and conventional);
s10: synchronize the monitoring information with its determined emergency degree to the emergency threat research and judgment center, send monitoring result warning information to the user, and display the information in order of emergency degree (urgent, urgent and conventional);
s11: after one round of network security monitoring of the edge core node is finished, enter the next monitoring period.
The cooperative core node determining method in step S1 is as follows: a neighborhood threshold T is set for each edge core node, at least two adjacent edge core nodes are selected within the neighborhood, each edge core node sends 3 response data packets to each of these edge core nodes, and the edge core node with the highest average response speed is determined to be the cooperative core node. Each edge core node is paired in turn in this manner, and every node except the head node and the tail node therefore has two cooperative core nodes.
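As an added illustration that is not the patent's own code, the following Python builds the cooperative-node chain of step S1 from the 3 probe packets each node sends to its neighbors within the threshold T. The node names and round-trip times are constructed, and skipping a fastest neighbor that is already in the chain (rather than pairing it twice) is an assumption the text leaves open.

```python
"""Cooperative core node pairing (step S1): each node pairs with the neighbor that
answers its 3 probe packets fastest on average, chaining head to tail.
Added example; node names and round-trip times below are constructed."""
from statistics import mean
from typing import Dict, List, Optional, Set

# Constructed probe results: node -> {neighbor within threshold T: [ms per probe]}.
# Each node lists at least two neighbors, as the method requires.
PROBES: Dict[str, Dict[str, List[float]]] = {
    "MEC-A": {"MEC-B": [12.0, 11.0, 13.0], "MEC-C": [30.0, 28.0, 32.0]},
    "MEC-B": {"MEC-A": [12.0, 12.0, 12.0], "MEC-C": [8.0, 9.0, 10.0],
              "MEC-D": [40.0, 41.0, 39.0]},
    "MEC-C": {"MEC-B": [9.0, 9.0, 9.0], "MEC-D": [15.0, 14.0, 16.0]},
    "MEC-D": {"MEC-C": [15.0, 15.0, 15.0], "MEC-B": [40.0, 40.0, 40.0]},
}
PROBES_PER_NODE = 3  # the page's "3 response data packets"


def validate_probes(probes: Dict[str, Dict[str, List[float]]]) -> None:
    """Reject inputs the method does not allow: fewer than two neighbors in the
    neighborhood, or a neighbor measured with the wrong number of probes."""
    for node, neighbors in probes.items():
        if len(neighbors) < 2:
            raise ValueError(f"{node}: at least two neighbors within T are required")
        for peer, samples in neighbors.items():
            if len(samples) != PROBES_PER_NODE:
                raise ValueError(f"{node}->{peer}: expected {PROBES_PER_NODE} samples")


def fastest_unpaired_neighbor(probes: Dict[str, Dict[str, List[float]]],
                              node: str, paired: Set[str]) -> Optional[str]:
    """Neighbor with the lowest mean round-trip time that is not yet in the chain.
    Assumption: an already-paired neighbor is skipped rather than paired twice."""
    candidates = {peer: mean(samples) for peer, samples in probes[node].items()
                  if peer not in paired}
    if not candidates:
        return None
    return min(candidates, key=candidates.get)


def build_cooperative_chain(probes: Dict[str, Dict[str, List[float]]],
                            head: str) -> List[str]:
    """Step S1: start at the head node, repeatedly attach the fastest unpaired
    neighbor, and stop when the current node has no unpaired neighbor (the tail)."""
    validate_probes(probes)
    chain = [head]
    paired = {head}
    current = head
    while True:
        nxt = fastest_unpaired_neighbor(probes, current, paired)
        if nxt is None:
            return chain
        chain.append(nxt)
        paired.add(nxt)
        current = nxt


def cooperative_partners(chain: List[str]) -> Dict[str, List[str]]:
    """Map each node to its cooperative core nodes: one for head and tail, two for
    every node in between, which is the line topology the page describes."""
    partners: Dict[str, List[str]] = {}
    for i, node in enumerate(chain):
        before = chain[i - 1] if i > 0 else None
        after = chain[i + 1] if i + 1 < len(chain) else None
        partners[node] = [p for p in (before, after) if p is not None]
    return partners


def unreached_nodes(probes: Dict[str, Dict[str, List[float]]],
                    chain: List[str]) -> List[str]:
    """Nodes that never joined the chain and would have no cooperative partner."""
    return sorted(set(probes) - set(chain))


if __name__ == "__main__":
    chain = build_cooperative_chain(PROBES, "MEC-A")
    print("chain:", " -> ".join(chain))
    print("partners:", cooperative_partners(chain))
    print("unreached:", unreached_nodes(PROBES, chain))
```
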
In step S2, the fields of each piece of monitored and collected network security threat information comprise a node unique identification code, the monitoring unit alarm time, the alarm frequency, a sender unique identification code and the specific content of the threat information;
the node unique identification code identifies the edge core node reporting the information and can be customized, for example MEC-A;
the monitoring unit alarm time is the time at which the monitoring unit discovered the security threat information and generated the alarm, for example 20221021;
the alarm frequency is the number of times the monitoring unit has counted the same alarm information, initially 1; when the monitoring information is found to be redundant, the frequency accumulated in this field is incremented, for example to 2;
the sender unique identification code identifies the sender of the reported information and can be customized, for example MEC-B;
the specific content of the threat information represents the specific network security threat information discovered by monitoring, for example virus-1;
the machine learning method for rapidly predicting the emergency degree category of the security threat information, as shown in FIG. 4, comprises the following steps:
l1: the monitoring unit of the edge core node monitors the edge core node in real time, records the monitored security threat information and sends it to the cloud monitoring center;
l2: the cloud monitoring center collects and aggregates the monitoring information of each edge core node to generate a training set and a test set;
l3: the training data set of the cloud monitoring center is preprocessed, then labeled and classified according to emergency degree;
l4: the training data set of the cloud monitoring center is learned by the machine learning algorithm (a Bayesian network) and the model is tested with the test set.
Preferably, in step S6, the cloud monitoring center determines the redundancy of the reported information as follows:
p1: the threat library is divided by time. The minute library data set is defined as $M=\{M_1, M_2, \dots, M_m\}$, where $m$ is the current number of entries in the minute library and $M_s$ ($1 \le s \le m$) is one entry; the minute library is updated once per minute. The hour library data set is $H=\{H_1, H_2, \dots, H_h\}$, where $h$ is the current number of entries in the hour library and $H_s$ ($1 \le s \le h$) is one entry; the hour library is updated once per hour. The day library data set is $D=\{D_1, D_2, \dots, D_d\}$, where $d$ is the current number of entries in the day library and $D_s$ ($1 \le s \le d$) is one entry; the day library is updated once a day. The week library data set is $W=\{W_1, W_2, \dots, W_w\}$, where $w$ is the current number of entries in the week library and $W_s$ ($1 \le s \le w$) is one entry; the week library is updated once a week;
p2: in the minute library of the threat library, match the information against the existing entries; if matching fails, go to step P3, otherwise go to step S8;
p3: in the hour library of the threat library, match the information against the existing entries; if matching fails, go to step P4, otherwise go to step S8;
p4: in the day library of the threat library, match the information against the existing entries; if matching fails, go to step P5, otherwise go to step S8;
p5: in the week library of the threat library, match the information against the existing entries; if matching fails, go to step S9, otherwise go to step S8.
Further, the matching method is as follows:
m1: compare the current information with every entry in the current threat library, checking whether the specific content of the threat information, the node unique identification code and the year and month of the monitoring unit alarm time are consistent; if so, go to step M2, otherwise go to step S9;
m2: compare whether the sender is consistent; if not, go to step M3, otherwise go to step S8;
m3: discard the piece of information.
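As an added example that is not the patent's own code, the following Python implements the tiered redundancy check of steps P1 to P5 with the matching rules M1 to M3 over the five fields listed for step S2 (MEC-A, MEC-B, 20221021 and virus-1 are the page's sample values; MEC-C, port-scan and the tier roll-over policy are constructed). It reads M2/M3 as follows, which is an assumption: a match through a different sender is the same event seen via the cooperative node and is dropped, while a match from the same sender keeps the stored entry and raises its alarm frequency.

```python
"""Tiered threat-library redundancy check (steps P1-P5 with matching M1-M3).
Added example; the records and the tier-promotion policy are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TIERS = ("minute", "hour", "day", "week")  # searched smallest and newest first


@dataclass
class ThreatReport:
    """One reported alarm, carrying the five fields listed for step S2."""
    node_id: str          # edge core node the alarm concerns, e.g. MEC-A
    alarm_time: str       # YYYYMMDD, e.g. 20221021
    sender_id: str        # node that reported it: itself or its cooperative node
    content: str          # specific threat information, e.g. virus-1
    alarm_count: int = 1  # alarm frequency, initialized to 1

    def year_month(self) -> str:
        return self.alarm_time[:6]  # M1 compares only the year and month


@dataclass
class ThreatLibrary:
    tiers: Dict[str, List[ThreatReport]] = field(
        default_factory=lambda: {t: [] for t in TIERS})

    def _match_in_tier(self, tier: str, report: ThreatReport) -> Optional[str]:
        """M1-M3 over one tier. None: no entry matches. 'discard': the same event
        arrived through a different sender (M3). 'count': the same sender reported
        it again (S8): the stored entry is kept and its alarm_count incremented."""
        for stored in self.tiers[tier]:
            same_event = (stored.content == report.content
                          and stored.node_id == report.node_id
                          and stored.year_month() == report.year_month())
            if not same_event:
                continue
            if stored.sender_id != report.sender_id:
                return "discard"
            stored.alarm_count += 1
            return "count"
        return None

    def submit(self, report: ThreatReport) -> str:
        """P2-P5: search the minute, hour, day and week libraries in turn; the
        first match decides. 'new' means no tier matched: the report is stored in
        the minute library and continues to step S9 (urgency prediction)."""
        for tier in TIERS:
            outcome = self._match_in_tier(tier, report)
            if outcome is not None:
                return outcome
        self.tiers["minute"].append(report)
        return "new"

    def tick(self, tier: str) -> None:
        """Assumed periodic update of one tier: its entries age into the next
        slower tier (minute -> hour -> day -> week); week entries expire."""
        idx = TIERS.index(tier)
        if idx + 1 < len(TIERS):
            self.tiers[TIERS[idx + 1]].extend(self.tiers[tier])
        self.tiers[tier].clear()

    def sizes(self) -> Dict[str, int]:
        return {t: len(v) for t, v in self.tiers.items()}


def demo():
    """Constructed sequence exercising each outcome; returns what the test checks."""
    lib = ThreatLibrary()
    first = ThreatReport("MEC-A", "20221021", "MEC-A", "virus-1")
    reports = [
        first,
        ThreatReport("MEC-A", "20221021", "MEC-B", "virus-1"),    # same event via MEC-B
        ThreatReport("MEC-A", "20221022", "MEC-A", "virus-1"),    # same month, re-reported
        ThreatReport("MEC-C", "20221021", "MEC-C", "port-scan"),  # unrelated, new
    ]
    outcomes = [lib.submit(r) for r in reports]
    lib.tick("minute")  # minute library rolls over; its entries now sit in the hour library
    outcomes.append(lib.submit(ThreatReport("MEC-A", "20221023", "MEC-A", "virus-1")))
    return outcomes, first.alarm_count, lib.sizes()


if __name__ == "__main__":
    print(demo())
```
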

Claims (7)

1. An edge node network security threat monitoring method based on edge-to-edge cooperation, characterized in that:
an edge core layer and a cloud core layer communicate with each other;
the edge core layer comprises edge core nodes; each edge core node connects northbound to the cloud platform and southbound to the terminal Internet of Things devices, whose data it collects; the edge core node is provided with a monitoring unit and a large number of edge devices; the monitoring unit acquires the network security threat information of the edge core node and comprises a hardware security monitoring module, an abnormal behavior monitoring module, a node vulnerability monitoring module and a data security monitoring module; each edge core node and its adjacent edge core nodes are cooperative core nodes; the monitoring unit of each edge core node is in signal connection with the monitoring unit of its cooperative core node;
the cloud core layer comprises a cloud platform; the cloud platform is provided with a cloud monitoring center; the cloud monitoring center is provided with a threat library and an emergency threat research and judgment center; the threat library comprises a minute library, an hour library, a day library and a week library;
the edge monitoring unit acquires the network security threat alarm information of the edge core node and of the cooperative core node and reports it to the cloud monitoring center, so that network security threat monitoring and reporting through edge-to-edge cooperation are realized.
2. An edge node network security threat monitoring method based on edge-to-edge cooperation, characterized by comprising the following steps:
s1: starting from the first edge core node, match it with the edge core node that responds fastest, namely its cooperative core node; then match that cooperative core node with the edge core node that responds fastest to it, and so on until the last core node has been successfully matched with a cooperative core node;
s2: the monitoring unit of the edge core node performs communication authentication with the monitoring unit of the cooperative core node and sends a request to acquire the network security threat information of the cooperative core node; after receiving the request, the monitoring unit of the cooperative core node periodically sends the network security threat information of its own node to the requester; if communication between the two parties is interrupted, go to step S3, otherwise go to step S6;
s3: enter re-authentication handshake mode; if the authentication handshake fails three times, go to step S4, otherwise go to step S5;
s4: report the fault information of the cooperative node to the cloud monitoring center;
s5: if the authentication succeeds, the two parties continue to acquire each other's security threat information;
s6: all edge core nodes report the monitored and collected security threat information to the cloud monitoring center;
s7: the cloud monitoring center compares the reported information with recently received data and judges whether the reported information is redundant;
s8: according to the comparison result of step S7, if the information is a redundant report, delete it and add 1 to the alarm frequency of the retained information; otherwise go to step S9;
s9: the cloud monitoring center uses a machine learning method to rapidly predict the emergency degree category of the piece of monitoring information; the machine learning algorithm is a Bayesian network classifier; the emergency degree of the monitoring information is divided into three categories (urgent, urgent and conventional);
s10: synchronize the monitoring information with its determined emergency degree to the emergency threat research and judgment center, send monitoring result warning information to the user, and display the information in order of emergency degree (urgent, urgent and conventional);
s11: after one round of network security monitoring of the edge core node is finished, enter the next monitoring period.
3. The edge node network security threat monitoring method based on edge-to-edge cooperation according to claim 2, wherein the cooperative core node in step S1 is determined as follows: a neighborhood threshold T is set for each edge core node; at least two edge core nodes within the neighborhood are selected; the edge core node sends a plurality of response data packets to each of them, and the edge core node with the highest average response speed is determined as its cooperative core node; each edge core node is paired in turn in this way, so that every node other than the head node and the tail node has two cooperative core nodes.
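As an added example (not code from the patent), the pairing rule of claim 3 can be run on a constructed table of probe round-trip times. The node names, the distance metric used with the threshold T, the sample RTTs and the rule that a node already in the chain is not chosen again are all assumptions made for the example; the patent only says nodes are paired "in turn".

```python
"""Cooperative core node pairing by fastest average response (claim 3).

Added example; not code from the patent. Assumptions not stated on the
page: probe round-trip times come from a constructed table instead of real
response data packets, the neighbourhood threshold T is applied to a static
distance metric, and a node that is already in the chain is skipped when
the next partner is chosen.
"""
from statistics import mean

T = 10  # neighbourhood threshold (assumed unit-less distance)

NODES = ["A", "B", "C", "D", "E"]

# Constructed distance metric between edge core nodes; E is outside A's neighbourhood.
DISTANCE = {
    frozenset("AB"): 3, frozenset("AC"): 5, frozenset("AD"): 8, frozenset("AE"): 30,
    frozenset("BC"): 2, frozenset("BD"): 6, frozenset("BE"): 9,
    frozenset("CD"): 4, frozenset("CE"): 7,
    frozenset("DE"): 3,
}

# Constructed round-trip times (ms) of several probe packets per pair,
# standing in for the "plurality of response data packets" of claim 3.
RTT_SAMPLES = {
    frozenset("AB"): [12, 14, 13], frozenset("AC"): [9, 11, 10],
    frozenset("AD"): [20, 22, 21], frozenset("AE"): [40, 41, 42],
    frozenset("BC"): [5, 6, 7],    frozenset("BD"): [15, 16, 17],
    frozenset("BE"): [30, 31, 32], frozenset("CD"): [8, 9, 10],
    frozenset("CE"): [11, 12, 13], frozenset("DE"): [4, 5, 6],
}


def neighbours(node, nodes=NODES, distance=DISTANCE, threshold=T):
    """Edge core nodes whose distance to `node` is within the neighbourhood threshold T."""
    return [n for n in nodes if n != node and distance[frozenset((node, n))] <= threshold]


def average_response(a, b, samples=RTT_SAMPLES):
    """Average response time over all probe packets exchanged between a and b."""
    return mean(samples[frozenset((a, b))])


def fastest_partner(node, candidates, samples=RTT_SAMPLES):
    """Candidate with the highest average response speed, i.e. the lowest average RTT."""
    return min(candidates, key=lambda c: average_response(node, c, samples))


def build_chain(first="A", nodes=NODES, distance=DISTANCE, samples=RTT_SAMPLES, threshold=T):
    """S1 / claim 3: from `first`, each newly matched node picks the fastest
    not-yet-paired node in its neighbourhood until no unpaired neighbour remains.
    Claim 3 asks for at least two candidates; near the end of the chain fewer
    may be left, and this example then takes whatever remains (assumption)."""
    chain = [first]
    while True:
        current = chain[-1]
        candidates = [n for n in neighbours(current, nodes, distance, threshold) if n not in chain]
        if not candidates:
            return chain
        chain.append(fastest_partner(current, candidates, samples))


def cooperative_partners(chain):
    """Head and tail nodes get one cooperative core node; every other node gets two."""
    partners = {}
    for i, node in enumerate(chain):
        partners[node] = [chain[j] for j in (i - 1, i + 1) if 0 <= j < len(chain)]
    return partners


if __name__ == "__main__":
    chain = build_chain()
    print("chain:", " -> ".join(chain))
    for node, peers in cooperative_partners(chain).items():
        print(f"{node}: cooperative core nodes {peers}")
```

With the constructed data the chain comes out as A, C, B, D, E: C is A's fastest neighbour even though B is closer by the distance metric, because the claim selects on measured response speed, not on distance. Note that the head node and the tail node end up with a single cooperative core node, so a failure of that one partner leaves them without any edge-to-edge monitoring until the next pairing.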
4. The edge node network security threat monitoring method based on edge-to-edge cooperation according to claim 2, wherein in step S2 the fields of each piece of monitored and collected network security threat information comprise a node unique identification code, a monitoring unit alarm time, an alarm frequency, a sender unique identification code and the threat information specific content;
the node unique identification code identifies the edge core node that reports the information and can be customized;
the monitoring unit alarm time is the time at which the monitoring unit discovered the security threat information and generated the alarm information;
the alarm frequency is the number of times the monitoring unit has alarmed on this information; it is initialized to 1, and when the cloud monitoring center detects redundant information the count is accumulated in this field;
the sender unique identification code identifies the sender of the reported information and can be customized;
the threat information specific content represents the specific network security threat information that was monitored.
5. The edge node network security threat monitoring method based on edge-to-edge cooperation according to claim 2, wherein the machine learning method for rapidly predicting the urgency of security threat information comprises the following steps:
L1: the monitoring unit of the edge core node monitors the edge core node in real time, records the monitored security threat information and sends it to the cloud monitoring center;
L2: the cloud monitoring center collects and aggregates the monitoring information of each edge core node to generate a training set and a test set;
L3: the training data set of the cloud monitoring center is preprocessed, labeled and classified according to urgency;
L4: the training data set of the cloud monitoring center is learned by the Bayesian network, and the accuracy of the model is tested with the test set.
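Steps L2 to L4 and the prediction of step S9, as an added example that is not code from the patent. The patent names a "Bayesian network classifier" without giving its structure; the example uses the simplest member of that family, naive Bayes over categorical features with Laplace smoothing. The feature set (threat type, alarm-frequency bucket, asset class), the three urgency labels and every training and test record are constructed for the example.

```python
"""Urgency classification of monitoring information with a naive Bayes
classifier (claim 5, steps L2..L4, and step S9).

Added example; not code from the patent. Naive Bayes with Laplace smoothing
stands in for the unspecified "Bayesian network classifier"; features,
labels and all records are constructed.
"""
import math
from collections import Counter

FEATURES = ("threat_type", "alarm_frequency", "asset_class")
URGENCY_ORDER = ("most_urgent", "urgent", "routine")   # display order of step S10

# Constructed training set, (features, urgency label), as produced by L2/L3.
TRAINING_SET = [
    (("ransomware", "high", "server"), "most_urgent"),
    (("ransomware", "medium", "server"), "most_urgent"),
    (("rce", "high", "server"), "most_urgent"),
    (("rce", "high", "gateway"), "most_urgent"),
    (("bruteforce", "high", "gateway"), "urgent"),
    (("bruteforce", "medium", "gateway"), "urgent"),
    (("portscan", "high", "server"), "urgent"),
    (("malware", "medium", "workstation"), "urgent"),
    (("portscan", "low", "workstation"), "routine"),
    (("policy", "low", "workstation"), "routine"),
    (("portscan", "low", "gateway"), "routine"),
    (("policy", "medium", "workstation"), "routine"),
]

# Constructed test set for L4; the last record is one this small model gets
# wrong, so the accuracy check is not trivially 1.0.
TEST_SET = [
    (("ransomware", "high", "gateway"), "most_urgent"),
    (("portscan", "low", "workstation"), "routine"),
    (("bruteforce", "high", "gateway"), "urgent"),
    (("malware", "high", "server"), "urgent"),
]


def train(records):
    """L4: estimate class priors and per-class feature value counts."""
    labels = Counter(label for _, label in records)
    counts = {label: [Counter() for _ in FEATURES] for label in labels}
    vocab = [set() for _ in FEATURES]
    for feats, label in records:
        for i, value in enumerate(feats):
            counts[label][i][value] += 1
            vocab[i].add(value)
    return {"labels": labels, "counts": counts, "vocab": vocab, "n": len(records)}


def log_posterior(model, feats, label):
    """log P(label) + sum_i log P(feature_i | label), Laplace-smoothed so a
    feature value unseen for a class never zeroes that class out."""
    n_label = model["labels"][label]
    lp = math.log(n_label / model["n"])
    for i, value in enumerate(feats):
        lp += math.log((model["counts"][label][i][value] + 1) / (n_label + len(model["vocab"][i])))
    return lp


def predict(model, feats):
    """S9: the urgency class with the highest posterior."""
    return max(model["labels"], key=lambda label: log_posterior(model, feats, label))


def accuracy(model, test_set):
    """L4: fraction of test records whose predicted urgency matches the label."""
    return sum(predict(model, feats) == label for feats, label in test_set) / len(test_set)


MODEL = train(TRAINING_SET)

if __name__ == "__main__":
    print("test accuracy:", accuracy(MODEL, TEST_SET))
    # S10 ordering: most urgent first
    for feats, _ in sorted(TEST_SET, key=lambda r: URGENCY_ORDER.index(predict(MODEL, r[0]))):
        print(predict(MODEL, feats), feats)
```

On the constructed data the test accuracy is 0.75: the record ("malware", "high", "server") is predicted most_urgent because "high" and "server" dominate the most_urgent class in the tiny training set. That is the point of the L4 accuracy check; a classifier that decides what an operator sees first (step S10) needs a held-out test set, and the misclassified cases deserve review before the model is used for live alarms.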
6. The edge node network security threat monitoring method based on edge-to-edge cooperation according to claim 2, wherein in step S7 the cloud monitoring center determines the redundancy of the reported information as follows:
P1: the threat library is partitioned by time. Define the minute library data set $M=\{M_1, M_2, \dots, M_m\}$, where $m$ is the number of pieces of information currently in the minute library and $M_s$, $1 \le s \le m$, is one piece; the minute library is updated once per minute. Define the hour library data set $H=\{H_1, H_2, \dots, H_h\}$, where $h$ is the number of pieces currently in the hour library and $H_s$, $1 \le s \le h$, is one piece; the hour library is updated once per hour. Define the day library data set $D=\{D_1, D_2, \dots, D_d\}$, where $d$ is the number of pieces currently in the day library and $D_s$, $1 \le s \le d$, is one piece; the day library is updated once per day. Define the week library data set $W=\{W_1, W_2, \dots, W_w\}$, where $w$ is the number of pieces currently in the week library and $W_s$, $1 \le s \le w$, is one piece; the week library is updated once per week;
P2: in the minute library of the threat library, match this piece of information against the existing information; if matching fails go to step P3, otherwise go to step S8;
P3: in the hour library of the threat library, match this piece of information against the existing information; if matching fails go to step P4, otherwise go to step S8;
P4: in the day library of the threat library, match this piece of information against the existing information; if matching fails go to step P5, otherwise go to step S8;
P5: in the week library of the threat library, match this piece of information against the existing information; if matching fails go to step S9, otherwise go to step S8.
7. The redundancy determination of reported information by the cloud monitoring center according to claim 6, wherein the information matching method comprises the following steps:
M1: compare the current information with all information in the current threat library and check whether the threat information specific content, the node unique identification code, and the year and month of the monitoring unit alarm time are consistent; if so go to step M2, otherwise go to step S9;
M2: compare whether the sender is consistent; if not go to step M3, otherwise go to step S8;
M3: discard this piece of information.
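The record of claim 4, the tiered search of claim 6 and the matching rules M1 to M3 of claim 7, as one added example that is not code from the patent. Two things the page does not state are assumed here: a record that reaches step S9 is inserted into the minute library, and the per-minute/hour/day/week "update" is modelled as a roll-up that moves every record of one tier into the next. The node identifiers, timestamps and threat contents are constructed.

```python
"""Tiered threat-library redundancy check (claims 4, 6 and 7).

Added example; not code from the patent. Assumptions not stated on the
page: new records (S9) go into the minute library, and a roll-up moving
records from one tier to the next stands in for the periodic update.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class ThreatRecord:
    """One piece of network security threat information (claim 4 fields)."""
    node_id: str          # node unique identification code (customizable)
    alarm_time: datetime  # monitoring unit alarm time
    sender_id: str        # sender unique identification code (customizable)
    content: str          # threat information specific content
    alarm_frequency: int = 1


def matches(existing, incoming):
    """M1: content, node id and the year and month of the alarm time agree."""
    return (
        existing.content == incoming.content
        and existing.node_id == incoming.node_id
        and (existing.alarm_time.year, existing.alarm_time.month)
        == (incoming.alarm_time.year, incoming.alarm_time.month)
    )


class ThreatLibrary:
    """Minute, hour, day and week libraries, searched in that order (P2..P5)."""
    TIERS = ("minute", "hour", "day", "week")

    def __init__(self):
        self.tiers = {tier: [] for tier in self.TIERS}

    def roll_up(self, tier):
        """Move every record of `tier` into the next tier (assumed update step)."""
        index = self.TIERS.index(tier)
        if index + 1 < len(self.TIERS):
            self.tiers[self.TIERS[index + 1]].extend(self.tiers[tier])
        self.tiers[tier] = []

    def process(self, incoming):
        """S7/S8/S9 for one reported record. Returns the step it ended in:
        'redundant' (S8: counter incremented, incoming dropped),
        'discarded' (M3: same alert, different sender) or 'new' (S9)."""
        for tier in self.TIERS:
            for existing in self.tiers[tier]:
                if not matches(existing, incoming):                # M1
                    continue
                if existing.sender_id == incoming.sender_id:       # M2
                    existing.alarm_frequency += 1                  # S8
                    return "redundant"
                return "discarded"                                 # M3
        self.tiers["minute"].append(incoming)                      # S9
        return "new"


def run_demo():
    """Feed constructed reports through the library; returns (outcomes, library)."""
    lib = ThreatLibrary()
    brute = "SSH brute force from 10.0.0.5"
    reports = [
        ThreatRecord("edge-01", datetime(2023, 1, 3, 10, 0), "edge-01", brute),
        ThreatRecord("edge-01", datetime(2023, 1, 3, 10, 0, 30), "edge-01", brute),  # re-report
        ThreatRecord("edge-01", datetime(2023, 1, 3, 10, 1), "edge-02", brute),      # relayed by partner
        ThreatRecord("edge-02", datetime(2023, 1, 3, 10, 1), "edge-02", "Port scan from 10.0.0.9"),
    ]
    outcomes = [lib.process(r) for r in reports]
    lib.roll_up("minute")  # minute library flushed into the hour library
    outcomes.append(lib.process(
        ThreatRecord("edge-01", datetime(2023, 1, 3, 10, 5), "edge-01", brute)))  # hit in hour tier
    return outcomes, lib


if __name__ == "__main__":
    outcomes, lib = run_demo()
    print(outcomes)
    for tier, records in lib.tiers.items():
        for r in records:
            print(tier, r.node_id, r.sender_id, r.alarm_frequency, r.content)
```

The five reports end in new, redundant, discarded, new, redundant; the brute-force record finishes with an alarm frequency of 3 and is found in the hour library after the roll-up. One caveat a practitioner should draw from M2: both identifiers are declared customizable in claim 4 and are compared as plain strings, so if a report carrying the genuine node id but a different sender id reaches the library first, the genuine node's own later report is discarded in M3 without raising the counter. The communication authentication of step S2 is therefore what has to keep such reports out of the library.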
Application CN202211716555.7A, filed 2022-12-29 (priority date 2022-12-29), published 2023-05-30 as CN116192459A (pending); family ID 86431977; country: CN.

Cited By (* cited by examiner, † cited by third party)

Publication number | Priority date | Publication date | Assignee | Title
CN117201275A * | 2023-09-19 | 2023-12-08 | 深圳建安润星安全技术有限公司 | Internet threat information monitoring system and method based on big data
CN117319095A * | 2023-11-29 | 2023-12-29 | 杭州海康威视数字技术股份有限公司 | Fuzzy logic-based threat light-weight collaborative detection method and device for Internet of things
CN117319095B * | 2023-11-29 | 2024-02-13 | 杭州海康威视数字技术股份有限公司 | Fuzzy logic-based threat light-weight collaborative detection method and device for Internet of things


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination