Disclosure of Invention
To solve the technical problems described above, the invention provides an industrial Internet device authentication method based on multi-modal information fusion. It adopts a recursive pyramid structure and combines multi-modal information fusion with a layered structure to give a secure and efficient device authentication solution, which helps protect devices and data in the industrial Internet from unauthorized access and potential security threats.
In order to achieve the above purpose, the invention is realized by the following technical scheme:
The invention relates to an industrial Internet device authentication method based on multi-modal information fusion, which comprises the following steps:
Step 1, constructing the authentication structure: a pyramid authentication structure is built in the authentication system, in which each side of the bottom layer carries 2^k pieces of first information, each side of the second layer carries 2^(k-1) pieces of second information, and so on, until the n-th (top) layer carries 2^0 = 1 piece of n-th information;
Step 2, industrial Internet device authentication: the industrial Internet device sends an authentication request to the authentication system; the authentication system retrieves the device's information and fuses it layer by layer in the pyramid authentication structure of Step 1 to generate an authentication token;
Step 3, authentication token verification: the authentication system checks the validity of the authentication token presented by the industrial Internet device, then traces the token's generation path back in reverse and performs an integrity check on the token;
Step 4, outputting the authentication result: if the authentication token passes verification at every layer of the authentication structure and the integrity check succeeds, device authentication succeeds; if any verification step fails, device authentication fails and the system refuses the device's access request.
The invention is further refined in that: the pyramid authentication structure is a regular polygonal pyramid with m sides; each side of the structure runs the device authentication flow independently; an information barrier is placed between the sides of the same layer so that each side forms an independent authentication channel, and a firewall isolates the information of the sides of the same layer from one another.
The invention is further refined in that: in Step 1, the first information, the second information and the n-th information are different types of data; as the layer number of the pyramid authentication structure increases, the information carried becomes progressively more complex and diverse, and it comprises, in order: device ID, serial number, manufacturer information, operating system version, maintenance records, software update log, security patch application records, real-time running status of the device, network activity records, abnormal behavior detection results, and user access log.
The invention is further refined in that: the industrial Internet device authentication of Step 2 specifically comprises the following steps:
Step 2.1, device requests authentication: the industrial Internet device sends its device ID to the authentication system as the initial authentication information;
Step 2.2, information retrieval: the authentication system retrieves the corresponding information for the bottom layer of the authentication structure according to the device ID;
Step 2.3, information fusion: the information of adjacent layers is fused by a hash function to form new information, layer by layer, until the top layer of the authentication structure is reached; the information fused layer by layer yields a unique authentication token.
The invention is further refined in that: the information retrieval of Step 2.2 is specifically: after the initial authentication, the authentication system communicates with the docking device over a TLS-encrypted channel, performs a comprehensive scan and information retrieval of the docking device, and extracts the required basic information streams directly from the docking device's information base; these basic information streams are used to construct the pyramid authentication structure and fill in the information of each layer.
The invention is further refined in that: before the information fusion of Step 2.3, each extracted basic information stream is first preprocessed so that information of different types and volumes is converted into a string in JSON format; the preprocessing comprises data cleaning, data conversion, data aggregation and summarization, and data formatting.
The invention is further refined in that: in Step 3, the authentication system's validity check of the token presented by the industrial Internet device is specifically: the authentication system holds a database in which the expected, pre-registered authentication token hash values are stored; using the device ID obtained from the docking device, it looks up the corresponding record and the stored hash value, compares the stored hash value with the token hash value obtained from the docking device, and if the two match, determines that the authentication token is valid.
The invention is further refined in that: in Step 3, tracing the generation path of the authentication token in reverse and checking its integrity specifically comprises the following steps:
Step 3.1, disassembling the authentication token: starting from the token at the top layer, the hash function of Step 2 is applied again to the authentication flow and the stored information of the industrial Internet device, and the token is disassembled layer by layer down to the bottom layer (a SHA-256 digest cannot be inverted, so the disassembly recomputes each layer's fused value from the stored inputs rather than decoding the token);
Step 3.2, comparing the original information: the information of each layer obtained by the disassembly of Step 3.1 is compared with the original information stored in the authentication system;
Step 3.3, verifying data consistency: it is confirmed that the information of all layers is consistent throughout the disassembly and comparison, with no differences found;
Step 3.4, information source verification: the information of every layer obtained by disassembly is matched against the information retrieved and extracted by the authentication system from the docking device, establishing the integrity and provenance of all information used to construct the authentication structure.
The invention is further refined in that: the authentication token is a 32-byte (256-bit) value expressed as a 64-character hexadecimal string.
The invention is further refined in that: the authentication system also provides an authentication token cleaning method, which specifically comprises:
Token update: an authentication token registered in the database may become invalid because of user logout, device update or token expiry, and the authentication system must update the token's state in the database promptly;
Token revocation: the authentication system marks the authentication token as invalid in the database and recognizes and denies subsequent authentication requests from the docking device.
The beneficial effects of the invention are as follows:
(1) The invention adopts a recursive pyramid structure in which the information of each layer is fused with the information of the layer below and every fusion step applies a hash, so that the authentication token at the top depends on the information of all layers; the basic information required for device authentication is rich and closely tied to the device's operation. Compared with the prior art, combining multi-modal information fusion with a layered structure provides a secure and efficient device authentication solution and protects devices and data in the industrial Internet from unauthorized access and potential security threats.
(2) The invention provides a pyramid authentication structure in which each side of the bottom layer carries 2^k pieces of first information, each side of the second layer carries 2^(k-1) pieces of second information, and so on, until the n-th layer carries 2^0 = 1 piece of n-th information; the number of items per side halves with each layer, forming the pyramid. This design concentrates processing and verification at the top layer while providing enough nodes at the bottom layer to store and process detailed device information.
(3) The authentication system obtains the basic information directly from the docking device, computes on it and converts it into the format the authentication system requires, rather than accepting a token the device could have tampered with. Communication between the authentication system and the docking device runs over a TLS-encrypted channel, which protects the data in transit, and because the information is extracted directly from the docking device's information base and passes through no third party, the risk of tampering in transmission or processing is reduced. Tampering on the device itself is caught by the comparison of Step 3 against the original records held by the authentication system.
(4) The invention provides a pyramid authentication structure in which, during device authentication, the authentication token is generated by fusing information layer by layer, each fusion of adjacent-layer information being processed with a hash function; under this layer-by-layer fusion the token generated at the top layer depends on the information of all layers yet exists only as a compact, fixed-size hash digest, which protects the information and makes the authentication process efficient.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways than those described herein, and therefore the scope of the present invention is not limited to the specific embodiments disclosed below.
The invention provides an industrial Internet device authentication method based on multi-modal information fusion that adopts a recursive pyramid structure: the information of each layer is fused with the information of the layer below and every fusion step applies a hash, so that the authentication token depends on the information of all layers; the basic information required for device authentication is rich and closely tied to the device's operation. Compared with the prior art, combining multi-modal information fusion with a layered structure provides a secure and efficient device authentication solution and protects devices and data in the industrial Internet from unauthorized access and potential security threats.
As shown in Fig. 1, the industrial Internet device authentication method based on multi-modal information fusion of the invention comprises the following steps:
Step 1, constructing the authentication structure: a pyramid authentication structure is built in the authentication system, in which each side of the bottom layer carries 2^k pieces of first information, each side of the second layer carries 2^(k-1) pieces of second information, and so on, until the n-th (top) layer carries 2^0 = 1 piece of n-th information. As the layer number increases, the number of items per side halves, forming a pyramid-shaped authentication structure; this design concentrates processing and verification of information at the top layer while providing enough nodes at the bottom layer to store and process detailed device information.
As shown in Fig. 2, the pyramid authentication structure is a pyramid over a regular polygon with m sides. The number of sides m can be adjusted to actual requirements, which gives the authentication structure high flexibility and extensibility: an appropriate m can be chosen to meet different security and performance requirements. The regular polygonal pyramid authentication structure is used in two forms:
Form 1: each side of the regular polygonal pyramid independently retrieves and acquires information and fuses it layer by layer, so that several docking devices can be authenticated at the same time without interfering with one another. This parallel processing markedly raises device authentication throughput and reduces the load on the authentication system. It suits Internet of Things devices that handle simple information with little data to process, such as quality sensors and temperature sensors; the number of sides of the pyramid is even, and the access and authentication of several IoT devices are handled simultaneously. For example, in an intelligent fabric production plant, a quality sensor and a temperature sensor are each connected to monitor the quality and temperature of the fabric; the pyramid authentication structure has 6 sides (m = 6), and every three sides perform three-layer authentication of one quality sensor or one temperature sensor.
Form 2: several sides independently retrieve and acquire information and fuse it layer by layer for the same docking device, each generating an authentication token, and the tokens are finally compared at the top layer for consistency to confirm that information retrieval, acquisition and layer-by-layer fusion ran correctly. It suits IoT devices with high security requirements and complex data that process large volumes of data, performing multi-party authentication of the same device; the number of sides may be even or odd. For example, in an intelligent plant, a monitoring device using image recognition is connected to detect defects on the surface of the produced fabric; the pyramid authentication structure has 5 sides (m = 5), and the five sides authenticate the monitoring device simultaneously.
The first information, the second information, …, the n-th information each represent a different type of data; as the layer number of the pyramid authentication structure increases, the information carried becomes progressively more complex and diverse, and ordered by complexity it comprises: device ID, serial number, manufacturer information, operating system version, maintenance records, software update log, security patch application records, real-time running status of the device, network activity records, abnormal behavior detection results, and user access log.
The device ID, serial number, manufacturer information and operating system version are the basic information of the docking device and uniquely identify it in the authentication system.
The device's usage history, maintenance records, software update logs and security patch application records serve as the usage and security status information of the docking device and are used to evaluate its trustworthiness and compliance.
The real-time running status, network activity records, abnormal behavior detection results and user access log of the device help monitor the docking device's behavior in real time and ensure that it conforms to its expected mode of operation.
The device ID is composed of several parts: a fixed prefix, a serial number, a model code and a hardware hash. Fixed prefix: "DEV-" is a fixed prefix marking the value as a device ID. Serial number: the unique serial number of the device, assigned by the manufacturer at production time. Model code: defined by the manufacturer, reflecting the device's type, specification and function. Hardware hash: a hash value generated from the device's hardware configuration, computed with the SHA-256 algorithm over hardware component information of the docking device such as CPU model, memory size and hard disk serial number.
The invention selects several kinds of complex device operation information as the authentication information for access to the industrial Internet, so that the authentication information is closely tied to the device; this greatly raises the difficulty of constructing a counterfeit device and improves the security of industrial Internet authentication.
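The following Python code is an added illustration of the device ID format described above; it is not code from the patent. It assembles an ID as DEV-<serial number>-<model code>-<hardware hash>, parses it back, and checks that the hardware the authentication system observes on the device still produces the embedded hash. The field names of the hardware inventory, the restriction of serial number and model code to upper-case alphanumerics (so that the hyphen-separated ID parses unambiguously) and the sample values are assumptions made for the example.

```python
import hashlib
import hmac
import re

# Constructed hardware inventory for one device (field names are an assumption).
SAMPLE_HARDWARE = {
    "cpu_model": "ARM Cortex-A53",
    "memory_bytes": 2 * 1024 ** 3,
    "disk_serial": "WD-WX41A12345678",
}

# DEV-<serial>-<model code>-<64 hex chars>; serial and model code are restricted to
# upper-case alphanumerics (assumption) so the hyphen-separated ID parses unambiguously.
DEVICE_ID_RE = re.compile(
    r"^DEV-(?P<serial>[A-Z0-9]+)-(?P<model>[A-Z0-9]+)-(?P<hwhash>[0-9a-f]{64})$"
)


def hardware_hash(hardware: dict) -> str:
    """SHA-256 over a canonical 'key=value' listing of the hardware components.

    Keys are sorted so the digest does not depend on dictionary order.
    """
    canonical = "\n".join(f"{key}={hardware[key]}" for key in sorted(hardware))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_device_id(serial: str, model_code: str, hardware: dict) -> str:
    """Assemble the device ID from its four parts."""
    for part in (serial, model_code):
        if not re.fullmatch(r"[A-Z0-9]+", part):
            raise ValueError(f"{part!r} must be upper-case alphanumeric")
    return f"DEV-{serial}-{model_code}-{hardware_hash(hardware)}"


def parse_device_id(device_id: str) -> dict:
    """Split a device ID into serial, model and hwhash; ValueError if malformed."""
    match = DEVICE_ID_RE.match(device_id)
    if match is None:
        raise ValueError(f"malformed device ID: {device_id!r}")
    return match.groupdict()


def hardware_matches(device_id: str, observed_hardware: dict) -> bool:
    """True when the hardware observed on the device still yields the embedded hash.

    A swapped disk or a different memory size changes the hash, so the device must
    be re-enrolled rather than accepted under its old ID.
    """
    embedded = parse_device_id(device_id)["hwhash"]
    return hmac.compare_digest(embedded, hardware_hash(observed_hardware))


if __name__ == "__main__":
    device_id = build_device_id("SN0001", "TMP100", SAMPLE_HARDWARE)
    print(device_id)
    print("hardware matches:", hardware_matches(device_id, SAMPLE_HARDWARE))
    swapped = dict(SAMPLE_HARDWARE, disk_serial="WD-WX41A99999999")
    print("after disk swap:", hardware_matches(device_id, swapped))
```

Because the hardware hash is derived from component identifiers, replacing the disk or memory changes the ID; the authentication system must then treat the device as updated and re-enrol it (the token update case below) rather than accept the old ID.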
Step 2, industrial Internet device authentication: the industrial Internet device sends an authentication request to the authentication system, and the authentication system retrieves the information and fuses it layer by layer in the pyramid authentication structure of Step 1 to generate an authentication token.
The industrial Internet device authentication specifically comprises the following steps:
The device requests authentication: the industrial Internet device sends its device ID to the authentication system as the initial authentication information;
Information retrieval: the authentication system retrieves the corresponding information for the bottom layer of the authentication structure according to the device ID. Specifically, after the initial authentication, the authentication system communicates with the docking device over a TLS-encrypted channel, performs a comprehensive scan and information retrieval of the docking device, and extracts the required basic information streams directly from the docking device's information base; these streams are used to construct the pyramid authentication structure and fill in the information of each layer.
The authentication system obtains the basic information directly from the docking device, computes on it and converts it into the format the authentication system requires, rather than accepting a token the device could have tampered with. Communication between the authentication system and the docking device runs over a TLS-encrypted channel, which protects the data in transit. Because the information is extracted directly from the docking device's information base and passes through no third party, the risk of tampering in transmission or processing is reduced; tampering on the device itself is caught by the comparison of Step 3 against the original records held by the authentication system.
Information fusion: the information of adjacent layers is fused by a hash function to form new information, layer by layer, until the top layer of the authentication structure is reached; the information fused layer by layer yields a unique authentication token.
Before information fusion, each piece of extracted information is first preprocessed, which includes:
1. Data cleaning:
Removing redundant data: duplicate or insignificant information is deleted to reduce the data volume and raise processing efficiency; the Pandas library is preferably used to identify and delete duplicate records, and a recursive feature elimination algorithm is applied to identify and keep the most important features while removing irrelevant or redundant ones.
Handling missing values: missing data may be filled, interpolated or deleted; statistical fill values such as mean, median and mode are used to fill missing values; for time-series data, missing values are filled by linear interpolation; records with many missing values are deleted.
Correcting errors: errors in the data such as spelling errors, format errors or logical errors are identified and corrected; for spelling errors, the natural language processing library spaCy is used to identify and correct misspellings in text data; data formats such as date/time and currency formats are checked and unified by custom scripts; logically implausible data is identified by data validation rules.
Through these steps the data is cleaned, the quality and accuracy of the information extracted from the docking device are assured, and the speed and accuracy of device authentication improve.
2. Data conversion:
Standardization: data in different formats is converted into a unified format, for example unifying dates as YYYY-MM-DD.
Normalization: numerical data is scaled into a small specified interval such as [0, 1] or [-1, 1].
Encoding: non-numeric data such as text or categorical data is converted into numeric form, preferably by label encoding.
3. Data aggregation and summarization:
Data summarization: a digest algorithm is used to hash the large-volume fields, namely the maintenance records, software update logs, security patch application records and user access logs, into a digest value of fixed size. The embodiment names SHA-1 for this step; because SHA-1 collisions are practical, SHA-256, which the fusion step already uses, should be used for this digest as well, so that a forged log cannot be made to collide with a recorded one.
Data aggregation: the real-time running status, network activity records and abnormal behavior detection results of the device are aggregated periodically: the total network traffic and the number of abnormal-behavior occurrences within a given time window are counted, and the counted values are used as input data.
4. Data formatting:
The processed data is formatted into a string form suitable for hashing. This may involve combining several fields into one string, or serializing the data into JSON format. The serialization must be canonical (fixed key order, fixed separators, fixed character encoding); otherwise the same information can yield different strings and therefore different hashes.
By preprocessing each piece of extracted information separately, the invention converts information of different types and volumes into simple strings of uniform format, reduces data volume and complexity, facilitates the subsequent hash operation, and improves the efficiency and reliability of the authentication system.
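As an added worked example, not part of the patent, the following Python code carries a constructed raw device record through the four preprocessing stages above: date formats are unified to YYYY-MM-DD, duplicate and incomplete maintenance records are removed, the bulky maintenance list is reduced to a fixed-size SHA-256 digest, network activity and abnormal events are aggregated for one day, and the result is serialized as canonical JSON. The field names, date formats and sample values are assumptions; the Pandas and spaCy steps named on the page are replaced by plain standard-library logic so that the example runs offline.

```python
import hashlib
import json
from datetime import datetime

# Constructed raw information for one device, deliberately in mixed formats
# (field names, formats and values are assumptions, not data from the page).
RAW_DEVICE_INFO = {
    "device_id": "DEV-SN0001-TMP100 ",
    "serial_number": " sn0001 ",
    "manufacturer": "Acme   Sensors",
    "os_version": "3.2.1",
    "maintenance_records": [
        {"date": "2024/01/15", "action": "Calibration"},
        {"date": "15.02.2024", "action": "firmware check"},
        {"date": "2024-01-15", "action": "calibration"},   # duplicate, different spelling
        {"date": None, "action": "filter replaced"},        # missing date
    ],
    "network_activity": [
        {"ts": "2024-03-01T10:00:00", "bytes": 1200},
        {"ts": "2024-03-01T10:05:00", "bytes": 800},
        {"ts": "2024-03-02T09:00:00", "bytes": 300},
    ],
    "abnormal_events": [
        {"ts": "2024-03-01T10:01:00", "kind": "port_scan"},
        {"ts": "2024-03-01T10:02:00", "kind": "port_scan"},
        {"ts": "2024-03-02T09:30:00", "kind": "auth_failure"},
    ],
}

DATE_FORMATS = ("%Y-%m-%d", "%Y/%m/%d", "%d.%m.%Y")


def normalize_date(value):
    """Standardization: unify a date string to YYYY-MM-DD; None if missing or unparseable."""
    if not value:
        return None
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).strftime("%Y-%m-%d")
        except ValueError:
            continue
    return None


def clean_records(records):
    """Data cleaning: normalize dates, drop records whose date is missing, and
    remove duplicates (same date and action, case-insensitive), keeping order."""
    seen, cleaned = set(), []
    for rec in records:
        date = normalize_date(rec.get("date"))
        if date is None:
            continue
        key = (date, " ".join(rec.get("action", "").split()).lower())
        if key in seen:
            continue
        seen.add(key)
        cleaned.append({"date": key[0], "action": key[1]})
    return cleaned


def canonical_json(obj) -> str:
    """Canonical serialization: sorted keys, fixed separators, non-ASCII kept as is."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def summarize(obj) -> str:
    """Data summarization: fixed-size SHA-256 digest of a bulky field (SHA-256 rather
    than the SHA-1 the embodiment names, because SHA-1 collisions are practical)."""
    return hashlib.sha256(canonical_json(obj).encode("utf-8")).hexdigest()


def aggregate_activity(activity, abnormal, day: str) -> dict:
    """Data aggregation: total traffic and abnormal-event count for one calendar day."""
    total = sum(e["bytes"] for e in activity if e["ts"].startswith(day))
    count = sum(1 for e in abnormal if e["ts"].startswith(day))
    return {"day": day, "bytes_total": total, "abnormal_count": count}


def preprocess_dict(raw: dict, day: str) -> dict:
    """Run all four stages and return the cleaned, converted, aggregated record."""
    return {
        "device_id": raw["device_id"].strip(),
        "serial_number": raw["serial_number"].strip().upper(),
        "manufacturer": " ".join(raw["manufacturer"].split()),
        "os_version": raw["os_version"].strip(),
        "maintenance_digest": summarize(clean_records(raw["maintenance_records"])),
        "activity": aggregate_activity(raw["network_activity"], raw["abnormal_events"], day),
    }


def preprocess(raw: dict, day: str) -> str:
    """Data formatting: the canonical JSON string handed to the hash fusion step."""
    return canonical_json(preprocess_dict(raw, day))


if __name__ == "__main__":
    print(preprocess(RAW_DEVICE_INFO, "2024-03-01"))
```

Running preprocess twice on the same raw record yields byte-identical output, which is the property the fusion step depends on; changing the aggregation window changes the string and hence the token, so the window must be fixed by the enrolment record, not chosen per request.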
In this embodiment, the information fusion step uses the SHA-256 hash algorithm to fuse the information of adjacent layers:
\[ \text{HashValue} = H(\text{JSONString}.\text{encode}(\text{'utf-8'})) \]
which is implemented as follows (one layer's information is shown as a constructed example record):
import hashlib
import json

# Constructed sample of one layer's information (illustrative, not a real device record)
device_info = {"device_id": "DEV-SN0001", "serial_number": "SN0001", "manufacturer": "Acme Sensors"}
# Serialize the device information into a JSON string; sort_keys=True makes the output canonical
serialized_data = json.dumps(device_info, sort_keys=True)
# Convert the JSON string to a byte sequence
byte_sequence = serialized_data.encode('utf-8')
# Hash the byte sequence with the SHA-256 hash function
hasher = hashlib.sha256()
hasher.update(byte_sequence)
hash_value = hasher.hexdigest()
# Output the hash value (64 hexadecimal characters)
print("SHA-256 Hash:", hash_value)
This yields the new fused information; fusion then continues layer by layer until the authentication token is obtained, which is a 32-byte value expressed as a 64-character hexadecimal string.
The invention provides a pyramid authentication structure in which, during device authentication, the authentication token is generated by fusing information layer by layer, each fusion of adjacent-layer information being processed with a hash function; under this layer-by-layer fusion the token generated at the top layer depends on the information of all layers yet exists only as a compact, fixed-size hash digest, which protects the information and makes the authentication process efficient.
In the industrial Internet, the information carried on each layer of the authentication structure ensures that the docking device is identified not only at the physical level but also at the operational and behavioral level, and that it meets security and compliance requirements throughout fusion and verification. In this way unauthorized devices are effectively prevented from accessing the network, while network resources are used safely and efficiently.
Step 3, authentication token verification: the authentication system checks the validity of the token presented by the industrial Internet device, then traces the token's generation path back in reverse and performs an integrity check on the token. In detail:
The validity check is specifically: the authentication system holds a database in which the expected, pre-registered authentication token hash values are stored; using the device ID obtained from the docking device, it looks up the corresponding record and the stored hash value, compares the stored hash value with the token hash value obtained from the docking device, and if the two match, determines that the authentication token is valid.
The integrity check of the authentication token comprises the following steps:
Step 3.1, disassembling the authentication token: starting from the token at the top layer, the hash function of Step 2 is applied again to the authentication flow and the stored information of the industrial Internet device, and the token is disassembled layer by layer down to the bottom layer (a SHA-256 digest cannot be inverted, so the disassembly recomputes each layer's fused value from the stored inputs rather than decoding the token);
Step 3.2, comparing the original information: the information of each layer obtained by the disassembly of Step 3.1 is compared with the original information stored in the authentication system;
Step 3.3, verifying data consistency: it is confirmed that the information of all layers is consistent throughout the disassembly and comparison, with no differences found;
Step 3.4, information source verification: the information of every layer obtained by disassembly is matched against the information retrieved and extracted by the authentication system from the docking device, establishing the integrity and provenance of all information used to construct the authentication structure.
Step 4, outputting the authentication result: if the authentication token passes verification at every layer of the authentication structure and the integrity check succeeds, device authentication succeeds; if any verification step fails, device authentication fails and the system refuses the device's access request.
By tracing the generation path of a valid authentication token in reverse and performing the integrity check, the invention can assess the correctness of the fusion rule at every level and ensure that the information fusion process has not been tampered with, thereby guaranteeing the security and reliability of the authentication token.
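As an added example illustrating Steps 2 to 4 together (the layer-by-layer fusion of Step 2.3, the validity check and the reverse trace of Step 3), and not code from the patent, the following Python code fuses one side of a pyramid with k = 2 (4, 2 and 1 items per layer), derives the token, and then performs the integrity check by recomputing the pyramid from the enrolled records and comparing every node. The rule for a node, SHA-256(left child || right child || SHA-256(own item)), the three-layer grouping of the information types and the sample records are assumptions; the page fixes only that SHA-256 is applied at each fusion. Because a digest cannot be inverted, the "reverse trace" is implemented as a top-down comparison of the recomputed generation path, which also localizes the altered item; this hash-tree structure is what the tamper-resistance policy below calls a Merkle tree.

```python
import copy
import hashlib
import hmac
import json


def h(data: str) -> str:
    """SHA-256 hex digest of a UTF-8 string (the fusion hash named on the page)."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def canonical(obj) -> str:
    """Canonical JSON so identical information always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def fuse_side(layers):
    """Fuse one side of the pyramid bottom-up; return the node list of every layer.

    layers[0] holds 2**k items, layers[j] holds 2**(k-j) items, the last layer one.
    Node i of layer j >= 1 is SHA-256(left || right || SHA-256(own item)) where left
    and right are nodes 2i and 2i+1 of layer j-1 (this concatenation rule is an
    assumption).  The single node of the top layer is the authentication token.
    """
    n = len(layers[0])
    if n == 0 or n & (n - 1):
        raise ValueError("bottom layer must hold 2**k items")
    nodes = [[h(canonical(item)) for item in layers[0]]]
    for j in range(1, len(layers)):
        below = nodes[-1]
        if 2 * len(layers[j]) != len(below):
            raise ValueError(f"layer {j} must hold {len(below) // 2} items")
        nodes.append([h(below[2 * i] + below[2 * i + 1] + h(canonical(item)))
                      for i, item in enumerate(layers[j])])
    if len(nodes[-1]) != 1:
        raise ValueError("the pyramid must narrow to a single top node")
    return nodes


def token_of(nodes) -> str:
    """The 64-character hexadecimal token is the top node (32 bytes of SHA-256)."""
    return nodes[-1][0]


def token_is_valid(presented: str, expected: str) -> bool:
    """Validity check: constant-time comparison with the stored expected token."""
    return hmac.compare_digest(presented, expected)


def trace_back(live_nodes, stored_nodes):
    """Integrity check by recomputation.

    SHA-256 cannot be inverted, so the 'reverse trace' walks both generation paths
    from the top layer down and lists every (layer, index) whose node differs.
    The last entry (lowest layer) localizes the altered item.
    """
    if [len(level) for level in live_nodes] != [len(level) for level in stored_nodes]:
        raise ValueError("pyramids have different shapes")
    diffs = []
    for j in range(len(live_nodes) - 1, -1, -1):
        for i, (a, b) in enumerate(zip(live_nodes[j], stored_nodes[j])):
            if not hmac.compare_digest(a, b):
                diffs.append((j, i))
    return diffs


def authenticate(live_layers, enrolled_layers, expected_token):
    """Steps 2 to 4 for one side: fuse the live data, check validity, trace integrity."""
    live_nodes = fuse_side(live_layers)
    enrolled_nodes = fuse_side(enrolled_layers)
    valid = token_is_valid(token_of(live_nodes), expected_token)
    diffs = trace_back(live_nodes, enrolled_nodes)
    return {"success": valid and not diffs, "valid": valid,
            "token": token_of(live_nodes), "differences": diffs}


# Constructed enrolment record for one device, k = 2 (4, 2 and 1 items per layer);
# the grouping of information types per layer is an assumption.
ENROLLED = [
    [{"device_id": "DEV-SN0001-TMP100"}, {"serial": "SN0001"},
     {"manufacturer": "Acme Sensors"}, {"os_version": "3.2.1"}],
    [{"maintenance": ["2024-01-15 calibration"]}, {"patches": ["patch-2024-02 applied"]}],
    [{"status": "running", "abnormal_events": 0}],
]
EXPECTED_TOKEN = token_of(fuse_side(ENROLLED))


def tampered_copy():
    """Same device, but the maintenance record (layer 1, item 0) has been altered."""
    layers = copy.deepcopy(ENROLLED)
    layers[1][0] = {"maintenance": ["2024-01-15 calibration", "2024-03-01 forged entry"]}
    return layers


if __name__ == "__main__":
    print("token:", EXPECTED_TOKEN)
    print("honest device:", authenticate(ENROLLED, ENROLLED, EXPECTED_TOKEN)["success"])
    print("tampered device:", authenticate(tampered_copy(), ENROLLED, EXPECTED_TOKEN))
```

For the tampered copy the differences come back as [(2, 0), (1, 0)]: the top node and the layer-1 node over the maintenance record differ, while the bottom layer and the patch-record node are untouched, so the trace points at the altered item rather than merely reporting a token mismatch. For Form 2 of the structure, the same fuse_side is run on several sides for the same device and the resulting tokens are compared with token_is_valid.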
The authentication system also provides an authentication token cleaning method, which specifically comprises:
Token update: an authentication token registered in the database may become invalid because of user logout, device update or token expiry, and the authentication system must update the token's state in the database promptly;
Token revocation: when a security problem arises on the docking device, the authentication system, for safety, marks the token as invalid in the database and recognizes and denies subsequent authentication requests from the docking device.
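The token cleaning method above can be illustrated by the following Python code, an added example that is not part of the patent: a minimal in-memory stand-in for the token database that registers a token hash per device ID, marks it expired when its lifetime passes, replaces it on device update, revokes it on a security event or logout, and performs the validity check by constant-time comparison. The lifetime, the state names and the injectable clock are assumptions; the page names neither a database nor an expiry period.

```python
import hmac
import time

STATUS_ACTIVE, STATUS_EXPIRED, STATUS_REVOKED = "active", "expired", "revoked"


class TokenStore:
    """In-memory stand-in for the token database (the page names no database).

    One record per device ID holds the expected token hash, its state, issue and
    expiry times and, when revoked, the reason.  The clock is injectable so that
    expiry can be exercised without waiting.
    """

    def __init__(self, ttl_seconds: int, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self.records = {}

    def register(self, device_id: str, token_hash: str):
        now = self.clock()
        self.records[device_id] = {"hash": token_hash, "status": STATUS_ACTIVE,
                                   "issued": now, "expires": now + self.ttl, "reason": None}

    def update(self, device_id: str, token_hash: str):
        """Token update: re-enrol after a device update or expiry; replaces the record."""
        self.register(device_id, token_hash)

    def revoke(self, device_id: str, reason: str):
        """Token revocation on a security event: later requests from the device are denied."""
        record = self.records.get(device_id)
        if record is not None:
            record["status"] = STATUS_REVOKED
            record["reason"] = reason

    def logout(self, device_id: str):
        """User logout also invalidates the token; the device must re-enrol (assumption)."""
        self.revoke(device_id, "user logout")

    def check(self, device_id: str, presented_hash: str):
        """Validity check: look the record up by device ID, refresh its state, compare.

        Returns (valid, reason); the reason is what the audit log records.
        """
        record = self.records.get(device_id)
        if record is None:
            return False, "unknown device"
        if record["status"] == STATUS_ACTIVE and self.clock() >= record["expires"]:
            record["status"] = STATUS_EXPIRED      # timely state update on expiry
        if record["status"] != STATUS_ACTIVE:
            return False, record["status"]
        if not hmac.compare_digest(record["hash"], presented_hash):
            return False, "hash mismatch"
        return True, "valid"


if __name__ == "__main__":
    store = TokenStore(ttl_seconds=3600)
    store.register("DEV-SN0001-TMP100", "a" * 64)
    print(store.check("DEV-SN0001-TMP100", "a" * 64))
    store.revoke("DEV-SN0001-TMP100", "abnormal behaviour detected")
    print(store.check("DEV-SN0001-TMP100", "a" * 64))
```

update() deliberately replaces the whole record, so re-enrolling a revoked or expired device must first run the Step 2 fusion again to obtain the new token hash; the store never reactivates an old hash.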
In this embodiment, the authentication system is further provided with security policies:
Tamper-resistance policy: before the information of each layer is fused, the authentication system extracts the information that layer requires from the pyramid authentication structure and checks it for consistency, using a Merkle tree (hash tree), against the original information held by the docking device, verifying that both content and timestamp agree; this prevents the information from being tampered with during fusion and so ensures the security and reliability of device authentication.
Access control policy, comprising:
Authentication policy: the docking device must be authenticated through the pyramid authentication structure to gain access to the industrial Internet; the authentication process comprises device ID verification, information retrieval, information fusion, and generation and verification of the authentication token.
Access control rules: access rights are allocated according to the docking device's role (sensor, controller, management terminal, and so on) and function, following the principle of least privilege, that is, only the minimum rights needed to complete the task are granted.
Dynamic access control: access rights can be adjusted dynamically according to the device's behavior, network state and security events; each docking device is given a working time window and an allowed network IP range, access outside these limits is restricted and refused, and access to the industrial Internet from outside them requires the joint approval of several higher-privilege devices.
Auditing and monitoring: all authentication attempts and access activities, including successful and failed authentications, are recorded, and the audit logs are reviewed periodically to detect abnormal behavior and potential security threats.
By implementing the access control policy, the invention ensures that only authorized systems and devices can access and modify information in the pyramid structure, protects the security of the pyramid authentication structure, and at the same time provides flexible access control adapted to changing business requirements and security threats.
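The following Python code is an added example of the access control policy above, not code from the patent. It evaluates one access request against a role-to-permission map (least privilege), a per-device working time window and allowed source network, requires joint approval from higher-privilege devices for out-of-range access, and writes every decision to an audit log that a periodic review can scan for repeated denials. The permission sets, the network ranges, the choice of management terminals as the approving devices, the requirement of two approvals and the sample devices are all assumptions.

```python
import ipaddress
from datetime import datetime, time

# Role -> permitted actions, following least privilege (constructed; the page names
# the roles but not the permissions).
ROLE_PERMISSIONS = {
    "sensor": {"publish_reading"},
    "controller": {"publish_reading", "read_setpoint", "write_setpoint"},
    "management_terminal": {"read_setpoint", "write_setpoint", "read_audit_log", "approve_access"},
}

ALL_DAY = (time(0, 0), time(23, 59, 59))

# Per-device role, working time window and allowed source network (constructed).
DEVICE_POLICY = {
    "DEV-SN0001-TMP100": {"role": "sensor", "hours": (time(6, 0), time(22, 0)),
                          "network": ipaddress.ip_network("10.20.0.0/24")},
    "DEV-SN0002-CTL200": {"role": "controller", "hours": ALL_DAY,
                          "network": ipaddress.ip_network("10.20.1.0/24")},
    "DEV-SN0100-MGT300": {"role": "management_terminal", "hours": ALL_DAY,
                          "network": ipaddress.ip_network("10.20.9.0/24")},
    "DEV-SN0101-MGT300": {"role": "management_terminal", "hours": ALL_DAY,
                          "network": ipaddress.ip_network("10.20.9.0/24")},
}

# Out-of-range access needs this many distinct approving devices (assumption).
REQUIRED_APPROVALS = 2

AUDIT_LOG = []


def _audit(device_id, action, source_ip, when, allowed, reason):
    """Record every decision, allowed or not, for periodic review."""
    AUDIT_LOG.append({"device": device_id, "action": action, "ip": source_ip,
                      "time": when, "allowed": allowed, "reason": reason})
    return allowed, reason


def decide(device_id, action, source_ip, when_iso, approvals=()):
    """Evaluate one access request; return (allowed, reason) and append an audit entry.

    when_iso is an ISO-8601 timestamp; approvals lists device IDs that co-signed
    an out-of-range request.
    """
    policy = DEVICE_POLICY.get(device_id)
    if policy is None:
        return _audit(device_id, action, source_ip, when_iso, False, "unknown device")
    if action not in ROLE_PERMISSIONS[policy["role"]]:
        return _audit(device_id, action, source_ip, when_iso, False,
                      f"role {policy['role']} is not granted {action}")
    start, end = policy["hours"]
    in_hours = start <= datetime.fromisoformat(when_iso).time() <= end
    in_network = ipaddress.ip_address(source_ip) in policy["network"]
    if in_hours and in_network:
        return _audit(device_id, action, source_ip, when_iso, True, "within time window and network")
    # Out of range: allowed only with joint approval by enough devices holding approve_access.
    approvers = {a for a in approvals
                 if "approve_access" in ROLE_PERMISSIONS.get(DEVICE_POLICY.get(a, {}).get("role"), set())}
    if len(approvers) >= REQUIRED_APPROVALS:
        return _audit(device_id, action, source_ip, when_iso, True,
                      "out of range, jointly approved by " + ", ".join(sorted(approvers)))
    return _audit(device_id, action, source_ip, when_iso, False,
                  "outside time window or network and insufficient approvals")


def denied_counts(log=None):
    """Periodic review: number of denied requests per device, to spot abnormal behaviour."""
    counts = {}
    for entry in (AUDIT_LOG if log is None else log):
        if not entry["allowed"]:
            counts[entry["device"]] = counts.get(entry["device"], 0) + 1
    return counts


if __name__ == "__main__":
    print(decide("DEV-SN0001-TMP100", "publish_reading", "10.20.0.15", "2024-03-01T10:00:00"))
    print(decide("DEV-SN0001-TMP100", "publish_reading", "192.168.1.5", "2024-03-01T23:30:00"))
    print(denied_counts())
```

Approvals from devices whose role lacks approve_access are ignored, so a controller co-signing an out-of-range request does not count toward the threshold; denied decisions remain in the audit log either way, which is what the periodic review reads.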
To verify the invention, a simulation experiment was run: a pyramid authentication structure with six levels was built on a server, and four layers of information verification were configured: layer one (device ID), layer two (serial number, manufacturer information, operating system version), layer three (maintenance record, software update log) and layer four (security patch application record). The experiment used 100 simulated devices in total, each with a unique device ID, serial number and manufacturer information, with corresponding maintenance records and software update logs generated by simulation. Among the 100 simulated devices, 10 problem devices were deliberately included, with faults such as a wrong serial number or a tampered maintenance record, to simulate unauthorized access and information tampering.
These simulated devices send authentication requests to the authentication system at random points in time, possibly repeatedly. The authentication system retrieves the relevant information by device ID and generates an authentication token by information fusion, then verifies the token and records the result of each authentication attempt in detail, including success, failure and response time.
The results of the simulation experiment are as follows:
In the security test, a total of 26 unauthorized access requests, involving 7 problem devices, were received and all were successfully refused by the authentication system. In addition, all 11 information-tampering attempts, involving 3 problem devices, were detected by the authentication system, confirming the effectiveness of the tamper-resistance policy.
In the performance test, with 1 to 3 simulated devices requesting authentication at the same time, the average response time of the authentication system was 0.5 seconds. In a high-load scenario with 6 devices requesting authentication simultaneously, the average response time rose to 1.2 seconds, still within acceptable limits.
In terms of authentication success rate, the 90 authorized simulated devices made 474 simulated authentication attempts, of which 99.5% succeeded.
In summary, the industrial Internet device authentication method based on multi-modal information fusion provided by the invention shows good security and efficiency in the simulation experiment: the system resists unauthorized access and information-tampering attacks and maintains a high level of performance under high load.
The foregoing description is only illustrative of the invention and is not to be construed as limiting the invention. Various modifications and variations of the present invention will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the scope of the present invention.