
WO2025036112A1 - Data security protection selection method and apparatus, and storage medium - Google Patents


Info

Publication number: WO2025036112A1
Authority: WO (WIPO, PCT)
Prior art keywords: target, security, data, information, network
Legal status: Pending
Application number: PCT/CN2024/107475
Other languages: French (fr), Chinese (zh)
Inventor: 王珂
Current assignee: China Mobile Communications Group Co Ltd; Research Institute of China Mobile Communication Co Ltd
Original assignee: China Mobile Communications Group Co Ltd; Research Institute of China Mobile Communication Co Ltd
Application filed by China Mobile Communications Group Co Ltd and Research Institute of China Mobile Communication Co Ltd
Publication of WO2025036112A1

Classifications

CPC section H (Electricity), class H04 (Electric communication technique), subclass H04W (Wireless communication networks):

    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/06 Authentication
    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H04W12/30 Security of mobile devices; Security of mobile applications
    • H04W12/37 Managing security policies for mobile devices or for controlling mobile applications

Definitions

  • The present disclosure relates to the field of mobile communication technology, and in particular to a data security protection selection method, device and storage medium.
  • Digital twins are real-time mirror images of physical entities in the digital world, and are becoming a new focus of global information technology development and industrial digital transformation. In the future network, digital twin technology will be widely used in smart manufacturing, smart cities, scientific research and other fields, making the entire society move towards a "digital twin" world that combines virtuality and reality.
  • Digital Twin Network is a network system with physical network entities and virtual twins, and the two can be interactively mapped in real time.
  • Various network management functions and applications can use the network virtual twin built by digital twin technology to efficiently analyze, diagnose, simulate and control the physical network based on data and models.
  • The network virtual twin can help the physical network achieve low-cost trial and error, intelligent decision-making, high-efficiency innovation and predictive maintenance.
  • Using the digital twin network as a key enabling platform for future mobile communication networks can help mobile communication networks achieve the goal of distributed autonomy.
  • The digital twin network can help users clearly perceive the network status, efficiently mine valuable network information, and, through capability exposure and twin copying, explore innovative network applications with a more friendly immersive interactive interface.
  • The deconstruction of the digital twin network is shown in Figure 1.
  • Data is the cornerstone of building digital twins.
  • The functional realization of the digital twin network is closely related to data processing, including data collection, data transmission, data storage, data preprocessing and data use.
  • Data collection realizes the efficient collection of multi-source heterogeneous data of the physical network.
  • Data transmission refers to the near real-time transmission of the collected data through the data transmission network.
  • Data storage and preprocessing classify and store heterogeneous data, and use various methods to clean up "dirty" data, compress storage space, and improve data quality.
  • Open use of data refers to the use of data by application models through a unified format and interface.
  • The data collection methods currently under study partially support the establishment of secure transmission channels, but do not provide security protection for data from the data source to the model level, and lack the ability to select and dynamically adjust security mechanisms. This cannot meet the precise protection requirements of the diverse models and data sources in the digital twin network or the dynamic changes of the network, and may not meet the real-time requirements of the digital twin network.
  • At least one embodiment of the present disclosure provides a data security protection selection method, device and storage medium, which provide a data security protection mechanism for the data of the digital twin network that is adapted to the upper-layer applications and the underlying network to meet the security and real-time requirements of the digital twin network.
  • An embodiment of the present disclosure provides a data security protection selection method in a digital twin network, which is applied to a security policy management function, and the method includes:
  • obtaining information of a target application or a target model and information of the target data required by the target application or the target model, and determining first security information and/or second security information, wherein the first security information is security information of the target application or the target model, and the second security information is security information of the target data required by the target application or the target model;
  • determining a digital twin network (DTN) data security requirement based on the first security information and/or the second security information, wherein the DTN data security requirement includes at least one of a confidentiality requirement, a privacy requirement, a trust requirement, and a real-time requirement;
  • determining, based on the data that each pre-maintained data source can provide, the candidate data sources that can provide the target data, and determining, based on the data security protection mechanisms supported by the candidate data sources and the pre-maintained correspondence between each data security protection mechanism and data security performance, the target data source that can meet the DTN data security requirement and the target security protection mechanism that needs to be configured for the target data source;
  • configuring the target security protection mechanism for the target data source and related security entities.
  • Determining the first security information and/or the second security information includes:
  • analyzing information of a target application or a target model to determine security information of the target application or the target model and obtain the first security information; and/or analyzing information of target data required by the target application or the target model to determine security information of the target data and obtain the second security information.
  • The above method further includes:
  • in the case where the target security protection mechanism needs to be updated, re-determining and configuring a target security protection mechanism that can meet the DTN data security requirements.
  • The acquiring of the network status includes at least one of the following:
  • The determining whether it is necessary to update the target data source and/or update the target security protection mechanism includes at least one of the following:
  • An embodiment of the present disclosure provides a data security protection selection method in a digital twin network, which is applied to a data source node and a corresponding security entity, and the method includes:
  • receiving configuration information sent by the security policy management function, the configuration information including a target security protection mechanism;
  • configuring the data source node and related security entities according to the target security protection mechanism.
  • An embodiment of the present disclosure provides a data security protection selection device in a digital twin network, which is applied to a security policy management function and includes a transceiver and a processor, wherein:
  • the transceiver is used to obtain information of a target application or a target model and information of target data required by the target application or the target model, and determine first security information and/or second security information, wherein the first security information is security information of the target application or the target model, and the second security information is security information of the target data required by the target application or the target model;
  • the processor is used to determine the digital twin network (DTN) data security requirements based on the first security information and/or the second security information, where the DTN data security requirements include at least one of confidentiality requirements, privacy requirements, trust requirements and real-time requirements; to determine the candidate data sources that can provide the target data based on the data that each pre-maintained data source can provide; to determine, based on the data security protection mechanisms supported by the candidate data sources and the pre-maintained correspondence between each data security protection mechanism and data security performance, the target data source that can meet the DTN data security requirements and the target security protection mechanism that needs to be configured for the target data source; and to configure the target security protection mechanism for the target data source and related security entities.
  • The transceiver is further used for:
  • analyzing information of a target application or a target model to determine security information of the target application or the target model and obtain the first security information; and/or analyzing information of target data required by the target application or the target model to determine security information of the target data and obtain the second security information.
  • The processor is further configured to:
  • The transceiver is further used to obtain a network status and determine whether it is necessary to update a target data source and/or update a target security protection mechanism.
  • The processor is further configured to:
  • re-determine and reconfigure a target security protection mechanism that can meet the DTN data security requirements.
  • The transceiver is further configured to obtain the network status in at least one of the following ways:
  • The processor is further configured to determine whether it is necessary to update the target data source and/or update the target security protection mechanism in at least one of the following ways:
  • An embodiment of the present disclosure provides a data security protection selection device in a digital twin network, which is applied to security policy management functions and includes a processor, a memory, and a program stored on the memory and executable on the processor, wherein the program, when executed by the processor, implements the steps of the method described in the first aspect.
  • An embodiment of the present disclosure provides a data security protection selection device in a digital twin network, which is applied to a data source node and a corresponding security entity and includes a transceiver and a processor, wherein:
  • the transceiver is used to receive configuration information sent by the security policy management function, wherein the configuration information includes a target security protection mechanism;
  • the processor is used to configure the data source node and related security entities according to the target security protection mechanism.
  • An embodiment of the present disclosure provides a data security protection selection device in a digital twin network, which is applied to data source nodes and corresponding security entities and includes a processor, a memory, and a program stored on the memory and executable on the processor, wherein the program, when executed by the processor, implements the steps of the method described in the second aspect.
  • An embodiment of the present disclosure provides a computer-readable storage medium on which a program is stored.
  • When the program is executed by a processor, the steps of the method described above are implemented.
  • The data security protection selection method, device and storage medium provided in the embodiments of the present disclosure provide a data security protection mechanism for the data of the digital twin network that is adapted to the upper-layer applications and the underlying network, and can meet the precise protection requirements of the diverse models and data sources in the digital twin network and the dynamic changes of the network. They can meet the real-time and security requirements of digital twin networks and reduce human intervention.
  • FIG. 1 is an example diagram of a digital twin network deconstruction in the related art.
  • FIG. 2 is a flow chart of a data security protection selection method according to an embodiment of the present disclosure.
  • FIG. 3 is another flow chart of a data security protection selection method according to an embodiment of the present disclosure.
  • FIG. 4 is an exemplary flow chart of a data security protection selection method according to an embodiment of the present disclosure.
  • FIG. 5 is a schematic diagram of a structure of a data security protection selection device according to an embodiment of the present disclosure.
  • FIG. 6 is another schematic diagram of the structure of the data security protection selection device according to an embodiment of the present disclosure.
  • FIG. 7 is another schematic diagram of the structure of the data security protection selection device according to an embodiment of the present disclosure.
  • FIG. 8 is another schematic diagram of the structure of the data security protection selection device according to an embodiment of the present disclosure.
  • FIG. 9 is another schematic diagram of the structure of the data security protection selection device according to an embodiment of the present disclosure.
  • FIG. 10 is another schematic diagram of the structure of the data security protection selection device according to an embodiment of the present disclosure.
  • Common data collection methods include:
  • The network device data includes:
  • Geometric data: the physical form data of the device, including device size, number of ports, device image, device deployment location, etc.
  • Status data: the device's operating status data, including port up/down status, central processing unit (CPU) utilization, memory utilization, etc.
  • Event data: data triggered by events such as device configuration changes, abnormal conditions, and failures, such as alarms and logs.
  • Topological data: data indicating the connection relationship between network elements, including device identification, number of links, port name, etc.
  • The network performance data refers to performance data such as network delay, jitter, packet loss, bandwidth, etc., including performance data of different network types such as wireless networks, transmission networks, and data center networks. Telemetry is a network monitoring technology.
  • Network traffic data refers to the traffic data running in the network, including traffic five-tuples, packet length, priority, payload, etc.
  • sFlow is a network monitoring technology.
  • NetFlow is a network monitoring function.
  • IPFIX refers to IP Flow Information Export.
  • NetStream is a statistical technology based on network flow information.
  • eBPF refers to the extended Berkeley Packet Filter.
  • NWDAF: network data analysis function.
  • DTN will generate and store a large amount of device information, user information, interaction information, and management information.
  • The leakage of these data or unauthorized access by applications may cause privacy leakage of users or networks. If data is tampered with or destroyed during transmission or storage, or the collected data is unreliable, it will be difficult to meet the application and analysis requirements of data in DTN.
  • The multi-level collaboration of heterogeneous networks and the need for cross-domain twin generation of DTN data sharing increase the complexity of ensuring the above data security requirements. Therefore, the digital twin network system needs to provide corresponding security mechanisms to ensure the confidentiality, integrity, reliability, and traceability of data.
  • Network twins pursue a comprehensive and accurate representation of the network, which involves the collection of various types of data from various network devices and external libraries such as threat intelligence.
  • Each data source may have different security requirements for its own data.
  • For example, the User Data Management (UDM) in the security domain and the Network Slice Management Function (NSMF) in the management security domain have different restrictions on the access scope of their respective traffic data.
  • Each type of data has its own privacy requirements. For example, the privacy requirements of user data and device status data are different.
  • The computing, storage and bandwidth resource capabilities of various devices differ, and so does the data volume. Therefore, there may be different choices for the device and transmission resource consumption of the security mechanism as well as for its software and hardware support.
  • The digital twin network supports multi-scale, multi-physical-quantity, and multi-level application models.
  • There are many types of application models, and they may have different security restrictions and security requirements.
  • For example, a network element may require that data is available but invisible to cross-operator or cross-domain application models, while it is visible to models in the local domain.
  • Application models with high interaction with the network, such as autonomous operation and maintenance, have high trust and high real-time requirements;
  • those with low interaction, such as artificial intelligence (AI) model training and optimization, do not have high requirements for data trustworthiness.
  • AI: artificial intelligence.
  • Security mechanisms have different security and non-security effects, such as security level, efficiency, cost, information loss, software and hardware support, availability and visibility, etc. That is, the different security and non-security requirements above require the selection of appropriate security mechanisms. See Table 1.
  • The twin network supports model updates, expansions, and autonomous construction.
  • The content of twin data collection may also change dynamically based on network bandwidth conditions, failures, security attacks, etc., to strike a balance between real-time accuracy and overhead. For example, in order to reduce resource overhead, only high-value data needs to be identified in some scenarios and network states; a small amount of data may be uploaded in normal states and more data may be uploaded in problem states for analysis. Accordingly, the security mechanism may need to be adjusted dynamically. Therefore, a framework that supports the selection of security protection mechanisms and can be adjusted dynamically is needed.
  • Although the data collection method of the related technology supports the establishment of a secure transmission channel, it does not provide security protection for data from the data source to the model level, and does not have the ability to select and dynamically adjust security mechanisms. It cannot meet the precise protection requirements of the diverse models and data sources in the digital twin network or the dynamic changes of the network, and may not meet the real-time requirements of the digital twin network.
  • The present disclosure provides a data security protection selection method.
  • It provides, for the data of the digital twin network, a data security protection mechanism that adapts to the upper-layer applications and the underlying network, so as to meet the security and real-time requirements of the digital twin network.
  • Figure 2 is a flow chart of the data security protection selection method provided by the embodiment of the present disclosure as applied to the security policy management function.
  • The security policy management function can specifically be the security management function in the network twin management of the twin network layer shown in Figure 1, or it can be the security management function in the existing network. As shown in Figure 2, the method includes:
  • The information of the target application or target model and the information of the target data required by the target application or target model are obtained.
  • The information of the target application or target model may generally include the description, type, user, etc. of the target application or target model, such as "model optimization application", "security deduction application", "slice security operation and maintenance", "core network slice resource configuration", "wireless network optimization", etc.
  • The information of the target data indicates its type, collection time, collection period, etc.
  • Examples of target data are "the five-tuple of the data packets flowing through the User Plane Function (UPF) network element at all times (five fields: source IP, source port, destination IP, destination port and layer 4 protocol)", periodic collection of network element logs, information of network element processes at all times, etc.
  • UPF: User Plane Function.
  • Step 201: obtain information about the target application or target model and information about the target data it needs, and determine first security information and/or second security information, where the first security information is the security information of the target application or target model, and the second security information is the security information of the target data required by the target application or target model.
  • The security information of the target application or target model indicates the security limitations of the target application or target model (for example, the model can only use the data of network elements in the same security domain, the model cannot use user privacy data, etc.) or its security requirements.
  • The security requirements may be one or more of confidentiality requirements, privacy requirements, trust requirements, and real-time requirements. For example, application models with high interaction with the network (such as autonomous operation and maintenance) have high trust and high real-time requirements, and application models with low interaction (such as AI model training and optimization) do not have high requirements for data trustworthiness.
  • The security information of the target data indicates the security limitations of the target data (for example, the data can only be read by models or applications in the same security domain/core security domain/management security domain, etc.) or its security requirements.
  • The security requirements may be one or more of confidentiality requirements, privacy requirements, trust requirements, and real-time requirements. For example, the privacy requirements for user data and device status data are different.
  • The target application or target model information refers to the description information of the target application or target model, which may specifically include but is not limited to at least one of the following: (1) the purpose of the target application or target model, such as "AI model training and optimization"; (2) the characteristics of the target application or target model, such as "high interactivity with the network"; (3) the field of the target application or target model, such as "core network" or "wireless network"; (4) the requirements of the target application or target model, such as "high reliability and high real-time", and so on.
  • The target data information refers to the descriptive information of the target data, including but not limited to at least one of the following: (1) information indicating the data content of the target data, such as "user credentials", "login and logout time", "Internet Protocol (IP) address", "port number", "domain name requested by the user", "host version number", "number of processes", "vulnerability", "network risk/real-time/bandwidth occupancy index", etc.; (2) the name of the object containing the data, so that the data can be parsed and obtained from the object, for example "Virtual Private Network (VPN)/proxy/Network Address Translation (NAT)/system/service log", "intrusion detection system (IDS) alarm information", "netflow log and captured data packets", "nmap information", "threat intelligence", etc.
  • VPN: Virtual Private Network.
  • NAT: Network Address Translation.
  • IDS: intrusion detection system.
  • After the security policy management function receives the target data information and the information of the model or application, it analyzes them and determines the security information of the target application or target model or of the target data accordingly. For example, based on a pre-trained AI model or preset conditions, the information of the model or application is analyzed to determine the security information of the model or application, thereby obtaining the first security information, and/or the information of the target data is analyzed to determine its security information, thereby obtaining the second security information.
  • The security policy management function can also directly receive the security information of the target data required by the target application or target model and/or the security information of the target application or target model, obtaining the first security information from the security information of the target application or target model, and/or the second security information from the security information of the target data.
  • Step 202: determine the digital twin network (DTN) data security requirements based on the first security information and/or the second security information, where the DTN data security requirements include at least one of confidentiality requirements, privacy requirements, trust requirements, and real-time requirements.
  • Confidentiality requirements refer to information not being disclosed to unauthorized users, entities, or processes.
  • Privacy protection refers to the protection of information that could be obtained by observing network behavior.
  • Credibility refers to the trustworthy characteristics of evidence, or the degree to which it can be trusted.
  • Real-time requirements refer to the allowed time from data generation to acquisition.
  • The security policy management function determines the DTN data security requirements based on the first security information and/or the second security information, thereby converting the security requirements from the model (or application) side and the data side, which may be unstructured, into structured security requirements for DTN data protection.
  • The DTN data security requirements may include at least one of confidentiality requirements, privacy protection requirements, trust requirements, and real-time requirements. For example, given the requirement from the model (high-trust data) and the requirement from the data (user data cannot be directly read), the security requirements for DTN data protection are: high trust of user data, privacy protection, and repository invisibility.
  • Step 203: based on the data that each pre-maintained data source can provide, determine the candidate data sources that can provide the target data; then, based on the data security protection mechanisms supported by the candidate data sources and the pre-maintained correspondence between each data security protection mechanism and data security performance, determine the target data source that can meet the DTN data security requirements and the target security protection mechanism that needs to be configured for the target data source.
  • The data that each data source can provide and the data security protection mechanisms that each data source supports can be pre-established and maintained.
  • The correspondence between the various data security protection mechanisms and data security performance can also be pre-established and maintained.
  • A plurality of different levels of data security performance are pre-defined, and for each level of data security performance a corresponding data security protection mechanism is determined, which can specifically include one or more of a confidentiality security protection mechanism, a privacy security protection mechanism, a trusted security protection mechanism, and a real-time security protection mechanism.
  • Data security performance refers to the security effect that a data security protection mechanism can produce or the security performance that it can achieve; its specific indicators are listed in Table 2.
  • DTN data security requirements refer to the security requirements of the data involved.
  • The security policy management function can determine the candidate data sources that can provide the target data based on the data that each pre-maintained data source can provide, then screen out from the candidates the target data source that meets the DTN data security requirements, based on the data security protection mechanisms supported by the candidate data sources and the pre-maintained correspondence between each data security protection mechanism and data security performance, and determine the target security protection mechanism that needs to be configured for the target data source, for example a security protection mechanism that meets at least one of the confidentiality, privacy, trust and real-time requirements.
  • Step 204: configure the target security protection mechanism for the target data source and related security entities.
  • The security policy management function can configure the target security protection mechanism for the target data source and related security entities, for example by sending a configuration message that instructs the target data source and related security entities to use the target security protection mechanism to protect the data.
  • The related security entity is a security entity associated with the target data source and used to implement security protection of the data source.
  • the embodiment of the present disclosure provides a data security protection mechanism for the data of the digital twin network that is adapted to the upper-layer applications and the underlying network, thereby meeting the security and real-time requirements of the digital twin network.
  • the embodiments of the present disclosure can timely update the data source and its security protection mechanism according to the above changes to ensure that the security and real-time requirements of the digital twin network are met.
  • the security policy management function can obtain the network status.
  • the security policy management function can obtain the network status by subscribing to network indicators that indicate the network status and changes in the network status; and, receiving the network indicators, thereby obtaining the network status.
  • the security policy management function can obtain the network indicators by monitoring the network.
  • the security policy management function can determine whether it is necessary to update the target data source and/or update the target security protection mechanism. For example, the security policy management function can analyze whether the network indicators affect the data security performance that can be achieved by the target security protection mechanism of the target data source. If so, it is determined that the target data source needs to be updated and/or the target security protection mechanism needs to be updated; for another example, the security policy management function can analyze whether it is necessary to update the digital twin network DTN data security requirements based on the network indicators. If so, it is determined that the target data source needs to be updated and/or the target security protection mechanism needs to be updated.
  • when the target data source needs to be updated, the security policy management function re-determines and configures a target data source and a target security protection mechanism that can meet the DTN data security requirements: it determines a new target data source and a new target security protection mechanism that meet the DTN data security requirements, and configures the new target security protection mechanism for the new target data source and related security entities;
  • when the target security protection mechanism needs to be updated, the security policy management function re-determines and configures a new target security protection mechanism that can meet the DTN data security requirements, for example by re-determining a new target security protection mechanism that meets the DTN data security requirements and configuring it for the target data source and related security entities.
  • the data security protection selection method in the digital twin network when applied to the data source node and the corresponding security entity, includes:
  • Step 301 Receive configuration information sent by the security policy management function, where the configuration information includes a target security protection mechanism.
  • Step 302 configure the data source node and related security entities according to the target security protection mechanism.
  • the security policy management function configures the target security protection mechanism for the data source nodes and corresponding security entities to meet the security and real-time requirements of the digital twin network.
  • the embodiment of the present disclosure also provides a data security protection selection method in a digital twin network, which is applied to a network indicator monitoring function.
  • the method includes:
  • Step a receiving a subscription request sent by the security policy management function, wherein the subscription request is used to subscribe to network indicators indicating the network status and changes in the network status;
  • Step b sending the network indicators to the security policy management function according to the subscription request.
  • FIG4 further provides an example flow of the data security protection selection method of the embodiment of the present disclosure interacting between multiple entities.
  • the relevant functional entity functions are logical entities, which can be co-located with other network element functions or deployed independently. Among them:
  • Security policy management entity: responsible for receiving data security requirements or performing data security requirements analysis based on models and data; responsible for obtaining data sources; responsible for generating the initial list of DTN data security mechanisms, or changes to it, based on security requirements, network indicators, differences between security protection mechanisms, and the data sources' support for security mechanisms.
  • Network indicator monitoring function: responsible for collecting and analyzing network indicators; responsible for notifying network indicators and their changes based on subscriptions.
  • Data source refers to the entity that provides or collects data, which can be a network element or NWDAF in the network, or a network/network element management entity, or a unified data warehouse or external database of the digital twin network (such as a threat intelligence library or other digital twin networks).
  • Related security entities refer to the supporting entities required by the security mechanism supported by the data source, such as a key distribution entity or a certificate issuing entity.
  • the process of this example mainly includes:
  • the security policy management function obtains the security information of data and applications or models, and based on this, makes static judgments on DTN data requirements, including confidentiality, privacy, trustworthiness, real-time, etc., to obtain security information on the data;
  • a DTN data security mechanism list which includes the screened target data sources and their corresponding target security protection mechanisms. If the candidate data source security mechanism does not meet the security requirements, select other data sources or notify the model to replace the data.
  • the security entity refers to the functions necessary to implement the security mechanism, such as the Certificate Authority (CA) entity of the certificate mechanism (issuing certificates), or the key management entity (distributing keys).
  • the security policy management function collects network status, analyzes changes in network indicators or obtains changes in network indicators through network indicator monitoring, determines whether it is necessary to update the target data source and/or update the target security protection mechanism, determines the data source to be updated, determines the security mechanism to be updated, and configures the DTN data security mechanism for the data source and related security entities. Because the original data source may be unavailable due to changes in network status (bandwidth conditions, failures, security attacks, etc.), or due to changes in bandwidth, the security mechanism of the data source does not meet the real-time requirements or other reasons, it may be necessary to replace the data source or update the security mechanism.
  • the embodiments of the present disclosure provide a method and framework that supports the selection of a security protection mechanism and can be dynamically adjusted, providing a data security protection mechanism for the data of the digital twin network that is adapted to the upper-layer applications and the underlying network, which can meet the precise protection requirements of the diverse models and data sources in the digital twin network and the dynamic changes of the network. With data as the granularity, it can meet the real-time and security requirements of the digital twin network and reduce human intervention.
  • an embodiment of the present disclosure further provides a data security protection selection device in a digital twin network, which is applied to a security policy management function, and the device includes:
  • a first obtaining module 501 is used to obtain information of a target application or a target model and information of target data required by the target application or the target model, and determine first security information and/or second security information, wherein the first security information is security information of the target application or the target model, and the second security information is security information of the target data required by the target application or the target model;
  • a first determination module 502 is used to determine a digital twin network DTN data security requirement according to the first security information and/or the second security information, wherein the DTN data security requirement includes at least one of a confidentiality requirement, a privacy requirement, a trust requirement, and a real-time requirement;
  • the second determination module 503 is used to determine, based on the data that can be provided by each pre-maintained data source, a candidate data source that can provide the target data, and determine, based on the data security protection mechanism supported by the candidate data source and the correspondence between each pre-maintained data security protection mechanism and data security performance, a target data source that can meet the DTN data security requirements and a target security protection mechanism that needs to be configured for the target data source;
  • the first configuration module 504 is used to configure the target security protection mechanism for the target data source and related security entities.
  • the embodiments of the present disclosure provide a data security protection mechanism for the data of the digital twin network that is adapted to the upper-layer applications and the underlying network, thereby meeting the security and real-time requirements of the digital twin network.
  • the first obtaining module is further used to:
  • Analyze information of a target application or a target model, determine security information of the target application or the target model, and obtain the first security information; and/or analyze information of target data required by the target application or the target model, determine security information of the target data, and obtain the second security information;
  • the above device further includes:
  • the maintenance module is used to pre-establish and maintain the data that each data source can provide and the data security protection mechanism supported by each data source; pre-establish and maintain the correspondence between various data security protection mechanisms and data security performance.
  • the above device further includes:
  • a third determination module is used to obtain the network status and determine whether it is necessary to update the target data source and/or update the target security protection mechanism;
  • the target security protection mechanism that can meet the DTN data security requirements is re-determined and reconfigured.
  • the third determining module includes:
  • the second acquisition module is used to obtain the network status by at least one of the following methods:
  • the third determining module includes:
  • the fourth determining unit is used to determine whether it is necessary to update the target data source and/or update the target security protection mechanism by at least one of the following methods:
  • the device in this embodiment is a device corresponding to the method applied to the security policy management function, and the implementation methods in the above embodiments are applicable to the embodiments of the device and can achieve the same technical effect.
  • the above device provided in the embodiment of the present disclosure can implement all the method steps implemented in the above method embodiment and can achieve the same technical effect; the parts and beneficial effects of this embodiment that are the same as those of the method embodiment will not be described in detail here.
  • the embodiment of the present disclosure further provides a data security protection selection device 600 in a digital twin network, including: a transceiver 601 and a processor 602;
  • the transceiver 601 is used to obtain information of a target application or a target model and information of target data required by the target application or the target model, and determine first security information and/or second security information, wherein the first security information is security information of the target application or the target model, and the second security information is security information of the target data required by the target application or the target model;
  • the processor 602 is used to: determine the digital twin network DTN data security requirements based on the first security information and/or the second security information, where the DTN data security requirements include at least one of confidentiality requirements, privacy requirements, trust requirements and real-time requirements; determine the candidate data source that can provide the target data based on the data that can be provided by each pre-maintained data source, and determine the target data source that can meet the DTN data security requirements and the target security protection mechanism that needs to be configured for the target data source based on the data security protection mechanism supported by the candidate data source and the correspondence between each pre-maintained data security protection mechanism and data security performance; and configure the target security protection mechanism for the target data source and related security entities.
  • the transceiver is further used to: analyze information of a target application or a target model, determine security information of the target application or the target model, and obtain the first security information; and/or analyze information of target data required by the target application or the target model, determine security information of the target data, and obtain the second security information;
  • the processor is further configured to:
  • the processor is further configured to:
  • the target security protection mechanism that can meet the DTN data security requirements is re-determined and reconfigured.
  • the processor is further configured to:
  • the processor is further configured to determine, by at least one of the following methods, whether it is necessary to update the target data source and/or update the target security protection mechanism:
  • the device in this embodiment is a device corresponding to the method applied to the security policy management function side, and the implementation methods in the above embodiments are all applicable to the embodiments of the device, and can achieve the same technical effect.
  • the above device provided by the embodiment of the present disclosure can implement all the method steps implemented by the above method embodiment, and can achieve the same technical effect, and the parts and beneficial effects that are the same as those in the method embodiment in this embodiment will not be specifically described here.
  • the embodiment of the present disclosure further provides a data security protection selection device in a digital twin network, which is applied to a data source node and a corresponding security entity, including:
  • a first receiving module 701 is used to receive configuration information sent by the security policy management function, wherein the configuration information includes a target security protection mechanism;
  • the first configuration module 702 is used to configure the data source node and related security entities according to the target security protection mechanism.
  • the device in this embodiment is a device corresponding to the method applied to the data source node and the corresponding security entity side, and the implementation methods in the above embodiments are all applicable to the embodiments of the device, and can also achieve the same technical effects.
  • the above device provided by the embodiment of the present disclosure can implement all the method steps implemented by the above method embodiment, and can achieve the same technical effects.
  • the parts and beneficial effects that are the same as those in the method embodiment in this embodiment will not be specifically described here.
  • the embodiment of the present disclosure further provides a data security protection selection device 800 in a digital twin network, which is applied to a data source node and a corresponding security entity, including: a transceiver 801 and a processor 802;
  • the transceiver 801 is used to receive configuration information sent by the security policy management function, wherein the configuration information includes a target security protection mechanism;
  • the processor 802 is used to configure the data source node and related security entities according to the target security protection mechanism.
  • the device in this embodiment is a device corresponding to the method applied to the data source node and the corresponding security entity side, and the implementation methods in the above embodiments are all applicable to the embodiments of the device, and can also achieve the same technical effects.
  • the above device provided by the embodiment of the present disclosure can implement all the method steps implemented by the above method embodiment, and can achieve the same technical effects.
  • the parts and beneficial effects that are the same as those in the method embodiment in this embodiment will not be specifically described here.
  • the embodiment of the present disclosure further provides a data security protection selection device 900 in a digital twin network, which is applied to a security policy management function, and includes a processor 901, a memory 902, and a computer program stored in the memory 902 and executable on the processor 901.
  • the terminal executes the above-mentioned computer program, implementing the various processes of the data security protection selection method embodiment of the present disclosure, and can achieve the same technical effect. To avoid repetition, they will not be described here.
  • the embodiment of the present disclosure also provides a data security protection selection device 1000 in a digital twin network, which is applied to data source nodes and corresponding security entities, including a processor 1001, a memory 1002, and a computer program stored in the memory 1002 and executable on the processor 1001.
  • the various processes of the data security protection selection method embodiment performed by the network device are implemented, and the same technical effect can be achieved. To avoid repetition, it will not be repeated here.
  • the disclosed embodiment also provides a computer-readable storage medium, on which a computer program is stored.
  • the computer-readable storage medium is, for example, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
  • the technical solution of the present disclosure can be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, a magnetic disk, or an optical disk), and includes a number of instructions for enabling a terminal (which can be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to execute the methods described in each embodiment of the present disclosure.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiments of the present disclosure relate to the technical field of mobile communication. Provided are a data security protection selection method and apparatus, and a storage medium. The method comprises: obtaining information of a target application or a target model and information of target data required by the target application or the target model, and determining first security information and/or second security information; determining DTN data security requirements on the basis of the first security information and/or the second security information; determining a candidate data source capable of providing the target data, and on the basis of a data security protection mechanism supported by the candidate data source and a correspondence between each data security protection mechanism and a data security performance, determining a target data source capable of meeting the DTN data security requirements and a target security protection mechanism with which the target data source needs to be configured; and configuring the target security protection mechanism for the target data source and a relevant security entity.

Description

Data security protection selection method, device and storage medium

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to Chinese patent application 202311029613.3 filed in China on August 16, 2023, the entire contents of which are incorporated herein by reference.

Technical Field

The present disclosure relates to the field of mobile communication technology, and in particular to a data security protection selection method, device and storage medium.

Background Art

Digital twins are real-time mirrors of physical entities in the digital world and are becoming a new focus of global information technology development and industrial digital transformation. In future networks, digital twin technology will be widely applied in smart manufacturing, smart cities, scientific research and other fields, moving society as a whole towards a "digital twin" world that combines the virtual and the real.

A Digital Twin Network (DTN) is a network system consisting of physical network entities and their virtual twins, between which real-time interactive mapping takes place. In this system, network management functions and applications can use the network virtual twin built with digital twin technology to efficiently analyze, diagnose, simulate and control the physical network based on data and models. The network virtual twin helps the physical network achieve low-cost trial and error, intelligent decision-making, high-efficiency innovation and predictive maintenance. Using the digital twin network as a key enabling platform for future mobile communication networks can help those networks reach the goal of distributed autonomy. At the same time, through capability exposure and twin copying, the digital twin network can help users clearly perceive the network status, efficiently mine valuable network information, and explore innovative network applications through a friendlier immersive interactive interface, all on demand.

The decomposition of the digital twin network is shown in Figure 1. Data is the cornerstone of building a digital twin, and the functional realization of the digital twin network is closely tied to data processing, namely data collection, data transmission, data storage, data preprocessing and data use. Data collection achieves efficient collection of the multi-source heterogeneous data of the physical network; data transmission refers to the near-real-time transmission of the collected data over the data transmission network; data storage and preprocessing classify and store the heterogeneous data, clean "dirty" data by various methods, compress storage space and improve data quality. Open use of data means that application models retrieve and use data through a unified format and interface.

Some of the data collection methods currently under study support the establishment of secure transmission channels on their own, but they provide no security protection for data from the data source through to the model level, and have no ability to select and dynamically adjust security mechanisms. They cannot meet the precise protection requirements of the diverse models and data sources in the digital twin network or follow the dynamic changes of the network, and may fail to meet the real-time requirements of the digital twin network.

Summary of the Invention

At least one embodiment of the present disclosure provides a data security protection selection method, device and storage medium, which provide the data of a digital twin network with a data security protection mechanism adapted to the upper-layer applications and the underlying network, so as to meet the security and real-time requirements of the digital twin network.

In order to solve the above technical problems, the present disclosure is implemented as follows:

In a first aspect, an embodiment of the present disclosure provides a data security protection selection method in a digital twin network, which is applied to a security policy management function, and the method includes:

Obtain information of a target application or a target model and information of target data required by the target application or the target model, and determine first security information and/or second security information, wherein the first security information is security information of the target application or the target model, and the second security information is security information of the target data required by the target application or the target model;

Determine, according to the first security information and/or the second security information, a digital twin network DTN data security requirement, wherein the DTN data security requirement includes at least one of a confidentiality requirement, a privacy requirement, a trust requirement, and a real-time requirement;

Determine a candidate data source that can provide the target data based on the data that can be provided by each pre-maintained data source, and determine a target data source that can meet the DTN data security requirements and a target security protection mechanism that needs to be configured for the target data source based on the data security protection mechanism supported by the candidate data source and the correspondence between each pre-maintained data security protection mechanism and data security performance;

Configure the target security protection mechanism for the target data source and related security entities.

Optionally, determining the first security information and/or the second security information includes:

Analyze information of a target application or a target model, determine security information of the target application or the target model, and obtain the first security information; and/or analyze information of target data required by the target application or the target model, determine security information of the target data, and obtain the second security information;

or,

Receive security information of the target data required by the target application or target model and/or security information of the target application or target model, sent by the target application or target model; obtain the first security information based on the security information of the target application or target model, and/or obtain the second security information based on the security information of the target data.

Optionally, the above method further includes:

Establishing and maintaining in advance the data that each data source can provide and the data security protection mechanisms supported by each data source;

Establishing and maintaining in advance the correspondence between the various data security protection mechanisms and data security performance.

Optionally, the above method further includes:

Obtaining the network status and determining whether it is necessary to update the target data source and/or update the target security protection mechanism;

In the case where the target data source needs to be updated, re-determining and configuring a target data source and a target security protection mechanism that can meet the DTN data security requirements;

In the case where the target security protection mechanism needs to be updated, re-determining and configuring a target security protection mechanism that can meet the DTN data security requirements.

Optionally, obtaining the network status includes at least one of the following:

Subscribing to network indicators indicating the network status and changes in the network status; and receiving the network indicators;

Monitoring the network and obtaining the network indicators.

Optionally, determining whether it is necessary to update the target data source and/or update the target security protection mechanism includes at least one of the following:

Analyzing whether the network indicators affect the data security performance achievable by the target security protection mechanism of the target data source, and if so, determining that the target data source and/or the target security protection mechanism needs to be updated;

Analyzing whether the digital twin network DTN data security requirements need to be updated based on the network indicators, and if so, determining that the target data source and/or the target security protection mechanism needs to be updated.
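The first-aspect procedure above (derive the DTN data security requirement from the first and second security information, screen candidate data sources against the pre-maintained mechanism-to-performance correspondence, configure the target, then re-determine when network indicators change) as an added worked example. This is illustration code, not code from the patent or its applicant. The mechanism names, the ordinal performance levels, the latency figures, the data source registry and the network indicator messages are all constructed assumptions; the real-time requirement is modelled as a latency budget that the source's delivery latency plus the mechanism's overhead must fit within. The same logic also covers the dynamic update path described in the earlier bullets (a source becoming unavailable, or a bandwidth change making its mechanism miss the real-time requirement), including the case where no data source qualifies and the model has to be notified to replace the data.

```python
from dataclasses import dataclass
from typing import NamedTuple, Optional

# Pre-maintained correspondence between each data security protection mechanism and
# the data security performance it achieves (constructed sample values). Levels 0-3 are
# ordinal strengths; latency_ms is the overhead checked against the real-time budget.
MECHANISM_PERFORMANCE = {
    "tls":            {"confidentiality": 2, "privacy": 1, "trust": 2, "latency_ms": 5},
    "tls_mtls_cert":  {"confidentiality": 3, "privacy": 1, "trust": 3, "latency_ms": 12},
    "anonymized_tls": {"confidentiality": 2, "privacy": 3, "trust": 2, "latency_ms": 20},
}

@dataclass
class DataSource:
    """Pre-maintained entry for one data source (network element, NWDAF, external DB)."""
    name: str
    data: set                # data items this source can provide
    mechanisms: list         # data security protection mechanisms it supports
    base_latency_ms: float   # current delivery latency, refreshed from network indicators
    available: bool = True

@dataclass(frozen=True)
class DtnRequirement:
    """DTN data security requirement: minimum levels plus a real-time budget."""
    confidentiality: int = 0
    privacy: int = 0
    trust: int = 0
    realtime_ms: float = float("inf")

class Selection(NamedTuple):
    source: str
    mechanism: str
    latency_ms: float

def derive_requirement(first_info: dict, second_info: dict) -> DtnRequirement:
    """Merge the application/model security information (first) with the data
    security information (second); the stricter value of each attribute wins."""
    inf = float("inf")
    return DtnRequirement(
        confidentiality=max(first_info.get("confidentiality", 0), second_info.get("confidentiality", 0)),
        privacy=max(first_info.get("privacy", 0), second_info.get("privacy", 0)),
        trust=max(first_info.get("trust", 0), second_info.get("trust", 0)),
        realtime_ms=min(first_info.get("realtime_ms", inf), second_info.get("realtime_ms", inf)),
    )

def meets(source: DataSource, mechanism: str, req: DtnRequirement) -> Optional[float]:
    """Return the end-to-end latency if (source, mechanism) satisfies req, else None."""
    perf = MECHANISM_PERFORMANCE[mechanism]
    total = source.base_latency_ms + perf["latency_ms"]
    ok = (source.available and perf["confidentiality"] >= req.confidentiality
          and perf["privacy"] >= req.privacy and perf["trust"] >= req.trust
          and total <= req.realtime_ms)
    return total if ok else None

def select(sources, target_data: str, req: DtnRequirement) -> Optional[Selection]:
    """Screen the candidates that can provide target_data, then pick the
    (source, mechanism) pair meeting req with the lowest latency; None if none does."""
    best = None
    for s in (s for s in sources if target_data in s.data):
        for m in s.mechanisms:
            total = meets(s, m, req)
            if total is not None and (best is None or total < best.latency_ms):
                best = Selection(s.name, m, total)
    return best

def reevaluate(sources, target_data, req, current: Selection, indicators: dict):
    """Apply network indicators (latency, availability per source), then decide whether
    the configured target still meets req, must be replaced, or nothing qualifies."""
    by_name = {s.name: s for s in sources}
    for name, ind in indicators.items():
        by_name[name].base_latency_ms = ind.get("latency_ms", by_name[name].base_latency_ms)
        by_name[name].available = ind.get("available", by_name[name].available)
    if meets(by_name[current.source], current.mechanism, req) is not None:
        return ("keep", current)
    new = select(sources, target_data, req)
    return ("update", new) if new else ("notify_model", None)

def sample_sources():
    """Constructed registry of data sources, their data and supported mechanisms."""
    return [
        DataSource("NF_A", {"cell_load", "ue_count"}, ["tls", "tls_mtls_cert"], 10.0),
        DataSource("NWDAF_B", {"cell_load"}, ["tls_mtls_cert", "anonymized_tls"], 30.0),
        DataSource("EXT_TI", {"threat_feed"}, ["tls"], 80.0),
    ]

def run_example():
    """Static selection followed by two network-indicator driven re-evaluations."""
    sources = sample_sources()
    req = derive_requirement({"confidentiality": 3, "trust": 2},
                             {"confidentiality": 2, "trust": 3, "realtime_ms": 50})
    initial = select(sources, "cell_load", req)
    # NF_A's delivery path degrades: its mechanism no longer fits the real-time budget.
    degraded = reevaluate(sources, "cell_load", req, initial, {"NF_A": {"latency_ms": 45.0}})
    # NF_A fails and NWDAF_B slows down too: no candidate qualifies any more.
    outage = reevaluate(sources, "cell_load", req, degraded[1],
                        {"NF_A": {"available": False}, "NWDAF_B": {"latency_ms": 60.0}})
    return {"requirement": req, "initial": initial,
            "after_degradation": degraded, "after_outage": outage}
```

Calling `run_example()` walks the three stages: the initial selection picks NF_A with mutual-TLS certificates because plain TLS does not reach the required confidentiality and trust levels; the first indicator update moves the target to NWDAF_B because NF_A's increased latency no longer fits the real-time budget; the second leaves no qualifying source, which is the point at which the security policy management function notifies the model to replace the data rather than silently weakening the mechanism.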

In a second aspect, an embodiment of the present disclosure provides a data security protection selection method in a digital twin network, which is applied to a data source node and a corresponding security entity, and the method includes:

Receiving configuration information sent by the security policy management function, the configuration information including a target security protection mechanism;

Configuring the data source node and related security entities according to the target security protection mechanism.

In a third aspect, an embodiment of the present disclosure provides a data security protection selection apparatus in a digital twin network, applied to a security policy management function and including a transceiver and a processor, wherein:

the transceiver is configured to obtain information about a target application or target model and information about the target data it requires, and to determine first security information and/or second security information, the first security information being the security information of the target application or target model and the second security information being the security information of the target data required by the target application or target model;

the processor is configured to determine digital twin network (DTN) data security requirements according to the first security information and/or the second security information, the DTN data security requirements including at least one of a confidentiality requirement, a privacy requirement, a trust requirement and a real-time requirement; to determine, according to pre-maintained records of the data each data source can provide, the candidate data sources able to provide the target data, and to determine, according to the data security protection mechanisms supported by the candidate data sources and a pre-maintained correspondence between each data security protection mechanism and its data security performance, a target data source that can satisfy the DTN data security requirements and the target security protection mechanism to be configured for that target data source; and to configure the target security protection mechanism for the target data source and the related security entity.

Optionally, the transceiver is further configured to:

analyze the information about the target application or target model to determine its security information, thereby obtaining the first security information, and/or analyze the information about the target data required by the target application or target model to determine the security information of the target data, thereby obtaining the second security information;

or,

receive, from the target application or target model, the security information of the target data it requires and/or the security information of the target application or target model itself; obtain the first security information from the security information of the target application or target model, and/or obtain the second security information from the security information of the target data.

Optionally, the processor is further configured to:

establish and maintain in advance records of the data each data source can provide and the data security protection mechanisms each data source supports;

establish and maintain in advance the correspondence between the various data security protection mechanisms and their data security performance.

Optionally, the transceiver is further configured to obtain the network status and determine whether the target data source and/or the target security protection mechanism needs to be updated;

the processor is further configured to:

where the target data source needs to be updated, re-determine and configure a target data source and a target security protection mechanism that can satisfy the DTN data security requirements;

where the target security protection mechanism needs to be updated, re-determine and configure a target security protection mechanism that can satisfy the DTN data security requirements.

Optionally, the transceiver is further configured to obtain the network status in at least one of the following ways:

subscribing to network indicators that indicate the network status and changes in the network status, and receiving the network indicators;

monitoring the network to obtain the network indicators.

Optionally, the processor is further configured to determine whether the target data source and/or the target security protection mechanism needs to be updated in at least one of the following ways:

analyzing whether a network indicator affects the data security performance achievable by the target security protection mechanism of the target data source, and if so, determining that the target data source and/or the target security protection mechanism needs to be updated;

analyzing whether the digital twin network (DTN) data security requirements need to be updated according to the network indicators, and if so, determining that the target data source and/or the target security protection mechanism needs to be updated.

In a fourth aspect, an embodiment of the present disclosure provides a data security protection selection apparatus in a digital twin network, applied to a security policy management function and including a processor, a memory, and a program stored in the memory and executable on the processor, the program, when executed by the processor, implementing the steps of the method of the first aspect.

In a fifth aspect, an embodiment of the present disclosure provides a data security protection selection apparatus in a digital twin network, applied to a data source node and a corresponding security entity and including a transceiver and a processor, wherein:

the transceiver is configured to receive configuration information sent by the security policy management function, the configuration information including a target security protection mechanism;

the processor is configured to configure the data source node and the related security entity according to the target security protection mechanism.

In a sixth aspect, an embodiment of the present disclosure provides a data security protection selection apparatus in a digital twin network, applied to a data source node and a corresponding security entity and including a processor, a memory, and a program stored in the memory and executable on the processor, the program, when executed by the processor, implementing the steps of the method of the second aspect.

In a seventh aspect, an embodiment of the present disclosure provides a computer-readable storage medium storing a program which, when executed by a processor, implements the steps of the method described above.

Compared with the prior art, the data security protection selection method, apparatus and storage medium provided by embodiments of the present disclosure give the data of a digital twin network a data security protection mechanism adapted to both the upper-layer applications and the underlying network. They can satisfy the precise protection needs of the diverse models and data sources in a digital twin network and follow the dynamic changes of the network; working at the granularity of individual data, they can meet the real-time and security requirements of the digital twin network and reduce manual intervention.

BRIEF DESCRIPTION OF THE DRAWINGS

Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the present disclosure. Throughout the drawings, the same reference symbols denote the same components. In the drawings:

FIG. 1 is an example diagram of the decomposition of a digital twin network in the related art;

FIG. 2 is a flow chart of a data security protection selection method according to an embodiment of the present disclosure;

FIG. 3 is another flow chart of a data security protection selection method according to an embodiment of the present disclosure;

FIG. 4 is an example flow chart of a data security protection selection method according to an embodiment of the present disclosure;

FIG. 5 is a schematic structural diagram of a data security protection selection apparatus according to an embodiment of the present disclosure;

FIG. 6 is another schematic structural diagram of a data security protection selection apparatus according to an embodiment of the present disclosure;

FIG. 7 is another schematic structural diagram of a data security protection selection apparatus according to an embodiment of the present disclosure;

FIG. 8 is another schematic structural diagram of a data security protection selection apparatus according to an embodiment of the present disclosure;

FIG. 9 is another schematic structural diagram of a data security protection selection apparatus according to an embodiment of the present disclosure;

FIG. 10 is another schematic structural diagram of a data security protection selection apparatus according to an embodiment of the present disclosure.

DETAILED DESCRIPTION

Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present disclosure will be understood more thoroughly and its scope fully conveyed to those skilled in the art.

The terms "first", "second" and so on in the specification and claims of the present disclosure are used to distinguish similar objects and do not necessarily describe a particular order or sequence. It should be understood that data so labelled are interchangeable where appropriate, so that the embodiments of the present disclosure described here can, for example, be practised in orders other than those illustrated or described. In addition, the terms "including" and "having" and any variants of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that includes a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device. "And/or" in the specification and claims denotes at least one of the connected objects.

The following description provides examples and does not limit the scope, applicability or configuration set out in the claims. Changes may be made to the function and arrangement of the elements discussed without departing from the spirit and scope of the present disclosure. Various examples may omit, substitute or add procedures or components as appropriate. For example, the described methods may be performed in an order different from that described, and steps may be added, omitted or combined. Features described with reference to some examples may also be combined in other examples.

In the related art, common data collection methods include:

1. Collecting network device data (via the Simple Network Management Protocol (SNMP) or the Network Configuration Protocol (NETCONF)); the network device data includes:

(1) geometric data, such as the physical form of a device, including device size, number of ports, device image, deployment location, etc.;

(2) status data, such as the operating status of a device, including port up/down status, central processing unit (CPU) utilization, memory utilization, etc.;

(3) event data, i.e. data triggered by events such as configuration changes, abnormal states and faults, for example alarms and logs;

(4) topology data, i.e. data describing the connections between network elements, including device identifiers, number of links, port names, etc.

2. Collecting network performance data (telemetry). Network performance data means performance data such as network delay, jitter, packet loss and bandwidth, covering different network types such as wireless networks, transport networks and data center networks. Telemetry is a network monitoring technique.

3. Collecting network traffic data (sFlow, NetFlow, IPFIX, NetStream, eBPF, external probes). Network traffic data means the data of the traffic running in the network, including the flow five-tuple, packet length, priority, payload, etc. sFlow is a network monitoring technique, NetFlow is a network monitoring function, IPFIX stands for IP Flow Information Export, NetStream is a statistics technique based on network flow information, and eBPF stands for Extended Berkeley Packet Filter.

4. Obtaining data from the network management system or the Network Data Analytics Function (NWDAF), for example over a RESTful service interface;

5. Obtaining data from a unified database or external databases (over a RESTful service interface, the File Transfer Protocol (FTP) or Kafka).

A DTN generates and stores large volumes of device information, user information, interaction information, management information and the like. Leakage of this data, or unauthorized access to it by applications, may expose the privacy of users or of the network; data that is tampered with or destroyed in transit or in storage, or collected data that cannot be trusted, makes it hard to satisfy the application and analysis requirements placed on DTN data; and the multi-level cooperation of heterogeneous networks and cross-domain twinning create a need to share DTN data, which adds complexity to safeguarding the above data security requirements. A digital twin network system therefore needs to provide corresponding security mechanisms to guarantee the confidentiality, integrity, trustworthiness and traceability of its data.

The real-time, replication and scalability characteristics of digital twins place further demands on the data security mechanisms.

First, because a digital twin has to track state changes of the real network, highly dynamic application scenarios place high demands on the timeliness and accuracy of data collection and synchronization, while other scenarios have no strict real-time requirement; the tolerable time overhead and information loss of the data security mechanism used therefore differ between scenarios.

Second, network twinning seeks a complete and precise representation of the network, which involves collecting all kinds of data from every network device as well as from external repositories such as threat intelligence. Each data source may have its own security requirements for its data: for example, the User Data Management (UDM) function in the core security domain and the Network Slice Management Function (NSMF) in the management security domain impose different limits on who may access their respective traffic data. Each type of data also has its own privacy requirements; user data and device status data, for instance, differ in this respect. Moreover, devices differ in their compute, storage and bandwidth resources and in data volume, so the device and transport resource consumption of a security mechanism, and its software and hardware support, may be chosen differently.

Third, a digital twin network supports multi-scale, multi-physical-quantity and multi-level application models. The many kinds of application model may have different security restrictions and security requirements: for example, a network element's data may have to be usable but not visible to cross-operator or cross-domain application models while being visible to models in its own domain; likewise, application models that interact closely with the network (such as autonomous operation and maintenance) require highly trustworthy data, whereas models with little interaction (such as artificial intelligence (AI) model training and optimization) do not.

Finally, security mechanisms differ in their security and non-security effects, such as level of protection, efficiency, overhead, information loss, software and hardware support, and usability versus visibility; that is, the different security and non-security needs above require an appropriate security mechanism to be chosen. See Table 1.

Table 1

Another consideration is that the network changes dynamically. The twin network supports updating, extending and autonomously building models, and the content collected as twin data may also change dynamically with network bandwidth, faults, security attacks and the like, so as to balance timeliness and accuracy against overhead. For example, to reduce resource consumption, in some scenarios and network states only high-value data need be identified; or a small amount of data is uploaded in the normal state and more in a problem state for analysis. The security mechanism may accordingly need dynamic adjustment, so a framework is needed that supports selecting a security protection mechanism and adjusting it dynamically.

Although some of the data collection methods in the related art support establishing a secure transport channel, they offer no security protection for the data from the data source through to the model level, and have no ability to select security mechanisms or adjust them dynamically. They cannot meet the precise protection needs of the diverse models and data sources in a digital twin network or cope with its dynamic changes, and may fail to meet the digital twin network's real-time requirements.

为解决以上问题中的至少一种,本公开实施例提供了一种数据安全保护选择方法,为 数字孪生网络的数据提供适配上层应用和底层网络的数据安全保护机制,以满足数字孪生网络的安全和实时性需求。图2为本公开实施例提供的数据安全保护选择方法应用于安全策略管理功能的流程图。所述安全策略管理功能具体可以是图1所示的孪生网络层的网络孪生体管理中的安全管理功能,也可以是现网中安全管理功能。如图2所示,该方法包括:To solve at least one of the above problems, the present disclosure provides a data security protection selection method. The data of the digital twin network provides a data security protection mechanism that adapts to the upper-layer applications and the underlying network to meet the security and real-time requirements of the digital twin network. Figure 2 is a flow chart of the data security protection selection method provided by the embodiment of the present disclosure applied to the security policy management function. The security policy management function can specifically be the security management function in the network twin management of the twin network layer shown in Figure 1, or it can be the security management function in the existing network. As shown in Figure 2, the method includes:

获得目标应用或目标模型的信息及其所需要的目标数据的信息,这里,所述目标应用或目标模型的信息通常可以包括:目标应用或目标模型的描述、类型、用户等,比如,“模型优化应用”、“安全推演应用”、“切片安全运维”、“核心网切片资源配置”、“无线网络优化”等。所述目标数据的信息指示目标数据的类型、采集时间、采集周期等,比如,“全时段流经网元用户面功能(User Plane Function,UPF)的数据包的五元组(源IP(source IP),源端口(source port),目标IP(destination IP),目标端口(destination port),4层通信协议(the layer 4 protocol)等5个字段)”,周期采集网元日志,全时段网元进程的信息等。The information of the target application or target model and the target data information required by the target application or target model are obtained. Here, the information of the target application or target model may generally include: description, type, user, etc. of the target application or target model, such as "model optimization application", "security deduction application", "slice security operation and maintenance", "core network slice resource configuration", "wireless network optimization", etc. The information of the target data indicates the type, collection time, collection period, etc. of the target data, such as "the five-tuple of the data packets flowing through the user plane function (User Plane Function, UPF) of the network element at all times (source IP, source port, destination IP, destination port, 5 fields such as layer 4 protocol)", periodic collection of network element logs, information of network element processes at all times, etc.

步骤201,获得目标应用或目标模型的信息及其所需要的目标数据的信息,确定第一安全信息和/或第二安全信息,所述第一安全信息是目标应用或目标模型的安全信息,所述第二安全信息是目标应用或目标模型所需要的目标数据的安全信息。Step 201, obtain information about the target application or target model and information about the target data it needs, and determine first security information and/or second security information, where the first security information is the security information of the target application or target model, and the second security information is the security information of the target data required by the target application or target model.

这里,所述目标应用或目标模型的安全信息指示所述目标应用或目标模型的安全限制(例如,该模型只能使用同一安全域的网元的数据,该模型不能使用用户隐私数据,等等)或安全要求,安全要求可以是保密性要求、隐私要求、可信要求和实时性要求等要求中的一种或多种,例如,与网络高互动的应用模型(如自治运维)有高可信高实时要求,低互动的(如AI模型训练及优化)应用模型对数据可信程度要求不高。所述目标数据的安全信息指示所述目标数据的安全限制(例如,该数据只能供同一安全域/核心安全域/管理安全域的模型或应用读取等)或安全要求,安全要求可以是保密性要求、隐私要求、可信要求和实时性要求等要求中的一种或多种,例如,用户数据和设备状态数据的隐私要求不同。Here, the security information of the target application or target model indicates the security limitations of the target application or target model (for example, the model can only use the data of network elements in the same security domain, the model cannot use user privacy data, etc.) or security requirements. The security requirements may be one or more of the requirements such as confidentiality requirements, privacy requirements, trust requirements, and real-time requirements. For example, application models with high interaction with the network (such as autonomous operation and maintenance) have high trust and high real-time requirements, and application models with low interaction (such as AI model training and optimization) do not have high requirements for data trustworthiness. The security information of the target data indicates the security limitations of the target data (for example, the data can only be read by models or applications in the same security domain/core security domain/management security domain, etc.) or security requirements. The security requirements may be one or more of the requirements such as confidentiality requirements, privacy requirements, trust requirements, and real-time requirements. For example, the privacy requirements for user data and device status data are different.

所述目标应用或目标模型的信息是指对目标应用或目标模型的描述信息,具体可以包括但不限于以下至少一种:(1)目标应用或目标模型的用途,例如“AI模型训练及优化”;(2)目标应用或目标模型的特征,例如“与网络互动性高”;(3)目标应用或目标模型的领域,例如“核心网”或“无线网”;(4)目标应用或目标模型的需求,例如“高可信高实时”等。The target application or target model information refers to the description information of the target application or target model, which may specifically include but is not limited to at least one of the following: (1) the purpose of the target application or target model, such as "AI model training and optimization"; (2) the characteristics of the target application or target model, such as "high interactivity with the network"; (3) the field of the target application or target model, such as "core network" or "wireless network"; (4) the requirements of the target application or target model, such as "high reliability and high real-time" and so on.

所述目标数据的信息是指对目标数据的描述信息,包括但不限于以下至少一种:(1)目标数据的数据内容的指示信息,如“用户凭证”、“登入与登出时间”、“网际互连协议(Internet Protocol,IP)地址”、“端口号”、“用户请求访问的域名”、“主机版本号”、“进程数目”、“漏洞”“网络风险/实时性/带宽占有率指标”等;(2)包含数据的对象的名字,这样可以从该对象中解析获取数据,例如,“虚拟专网(Virtual Private Network,VPN)/代理(proxy)/网络地址转换(Network Address Translation,NAT)/系统/服务日志”、“入侵检测系统(intrusion detection system,IDS)告警信息”、“netflow日志及捕获的数据包”、 “nmap信息”、“威胁情报”等。The target data information refers to the descriptive information of the target data, including but not limited to at least one of the following: (1) information indicating the data content of the target data, such as "user credentials", "login and logout time", "Internet Protocol (IP) address", "port number", "domain name requested by the user", "host version number", "number of processes", "vulnerability", "network risk/real-time/bandwidth occupancy index", etc.; (2) the name of the object containing the data, so that the data can be parsed and obtained from the object, for example, "Virtual Private Network (VPN)/proxy/Network Address Translation (NAT)/system/service log", "intrusion detection system (IDS) alarm information", "netflow log and captured data packets", "nmap information", "threat intelligence", etc.

安全策略管理功能接收到所述目标数据和所述模型或应用的信息后,据此分析并确定所述目标应用或目标模型或目标数据的安全信息,例如,根据预先训练得到的AI模型或预设条件,对所述模型或应用及目标数据的信息进行分析,确定所述模型或应用的安全信息,从而得到所述第一安全信息,和/或,分析所述目标数据的安全信息,得到所述第二安全信息。After the security policy management function receives the target data and the information of the model or application, it analyzes and determines the security information of the target application or target model or target data accordingly. For example, based on a pre-trained AI model or preset conditions, the information of the model or application and the target data is analyzed to determine the security information of the model or application, thereby obtaining the first security information, and/or the security information of the target data is analyzed to obtain the second security information.

作为另一种实现方式,安全策略管理功能还可以直接接收所述目标应用或目标模型所需要的目标数据的安全信息和/或所述目标应用或目标模型的安全信息;根据所述目标应用或目标模型的安全信息,得到所述第一安全信息,和/或,根据所述目标数据的安全信息,得到所述第二安全信息。As another implementation method, the security policy management function can also directly receive the security information of the target data required by the target application or target model and/or the security information of the target application or target model; obtain the first security information based on the security information of the target application or target model, and/or obtain the second security information based on the security information of the target data.

步骤202,根据所述第一安全信息和/或第二安全信息,确定数字孪生网络DTN数据安全要求,所述DTN数据安全要求包括机密性要求、隐私性要求、可信要求和实时性要求中的至少一种。Step 202: Determine the digital twin network DTN data security requirements based on the first security information and/or the second security information, where the DTN data security requirements include at least one of confidentiality requirements, privacy requirements, trust requirements, and real-time requirements.

这里,保密性要求是指信息不被泄露给非授权的用户、实体或过程;隐私保护是指对通过观察网络行为获得的信息的保护;可信性是指证据值得相信的特性或可被相信的程度;实时性要求是指数据从产生到获取的时间长度要求。这些特性可以有不同的级别,具体如表2所示。Here, confidentiality requirements refer to information not being disclosed to unauthorized users, entities, or processes; privacy protection refers to the protection of information obtained by observing network behavior; credibility refers to the trustworthy characteristics of evidence or the degree to which it can be trusted; and real-time requirements refer to the time length requirement from data generation to acquisition. These characteristics can have different levels, as shown in Table 2.

表2
Table 2

安全策略管理功能根据所述第一安全信息和/或第二安全信息,确定DTN数据安全要求,从而将分别来自模型(或应用)侧及数据侧的安全要求,也是非结构化的所述第一安全信息和/或第二安全信息,转换为结构化的对DTN数据保护的安全要求。所述DTN数据安全要求可以包括保密性要求、隐私保护要求、可信要求和实时性要求中的至少一种。例如,根据来自模型的要求-高可信数据,及来自数据的要求-用户数据不可被直接读取,得出DTN数据保护的安全要求为:用户数据高可信、隐私保护以及repository不可见。The security policy management function determines the DTN data security requirements based on the first security information and/or the second security information, thereby converting the security requirements from the model (or application) side and the data side, which are also unstructured, into structured security requirements for DTN data protection. The DTN data security requirements may include at least one of confidentiality requirements, privacy protection requirements, trust requirements, and real-time requirements. For example, based on the requirements from the model - high-trust data, and the requirements from the data - user data cannot be directly read, the security requirements for DTN data protection are: high trust of user data, privacy protection, and repository invisibility.

Step 203: from the pre-maintained record of the data each data source can provide, determine the candidate data sources able to provide the target data; then, from the data security protection mechanisms supported by the candidate data sources and the pre-maintained correspondence between data security protection mechanisms and data security performance, determine a target data source that can meet the DTN data security requirements and the target security protection mechanism to be configured on it.

Here, in the embodiments of the present disclosure, the data each data source can provide and the data security protection mechanisms each data source supports may be established and maintained in advance. The correspondence between the various data security protection mechanisms and data security performance may also be established and maintained in advance. For example, several levels of data security performance are defined beforehand and, for each level, the corresponding data security protection mechanism is determined, which may include one or more of a confidentiality protection mechanism, a privacy protection mechanism, a trust protection mechanism and a real-time protection mechanism.

In the embodiments of the present disclosure, data security performance means the security effect a data security protection mechanism can produce, or the level of security it can reach; its specific indicators may likewise be taken from Table 2. The DTN data security requirements, by contrast, are the security needs of the data concerned.

Thus, in step 203, the security policy management function determines, from the pre-maintained record of the data each data source can provide, the candidate data sources able to provide the target data; then, using the data security protection mechanisms supported by the candidate data sources together with the pre-maintained correspondence between data security protection mechanisms and data security performance, it selects from the candidates a target data source that meets the DTN data security requirements and determines the target security protection mechanism to be configured on it, for example a protection mechanism for at least one of the confidentiality, privacy, trust and real-time requirements.

Step 204: configure the target security protection mechanism on the target data source and the related security entities.

Here, the security policy management function may configure the target security protection mechanism on the target data source and the related security entities, for example by sending a configuration message that instructs them to protect the data with the target security protection mechanism. A related security entity is a security entity associated with the target data source that is needed to implement the protection of the data source.

Through the above steps, the embodiments of the present disclosure provide the data of the digital twin network with a data security protection mechanism adapted both to the upper-layer applications and to the underlying network, thereby meeting the security and real-time requirements of the digital twin network.

Since the network state and the model requirements may change, the embodiments of the present disclosure can update the data source and its security protection mechanism promptly in response to such changes, so that the security and real-time requirements of the digital twin network continue to be met.

Specifically, in the embodiments of the present disclosure, the security policy management function obtains the network state. For example, it may subscribe to network indicators that indicate the network state and changes in it, and receive those indicators, thereby obtaining the network state; as another example, it may obtain the network indicators by monitoring the network itself.

After obtaining the network state, the security policy management function determines whether the target data source and/or the target security protection mechanism need to be updated. For example, it may analyse whether the network indicators affect the data security performance that the target security protection mechanism of the target data source can achieve and, if so, determine that the target data source and/or the target security protection mechanism need updating; as another example, it may analyse whether the DTN data security requirements need to be updated in light of the network indicators and, if so, determine that the target data source and/or the target security protection mechanism need updating.

Thus, when it is determined that the target data source needs updating, the security policy management function re-determines and configures a target data source and a target security protection mechanism that can meet the DTN data security requirements; for example, it determines a new target data source and a new target security protection mechanism that meet the DTN data security requirements and configures the new target security protection mechanism on the new target data source and the related security entities.

When the target security protection mechanism needs updating, the security policy management function re-determines and configures a new target security protection mechanism that can meet the DTN data security requirements; for example, it determines a new target security protection mechanism that meets the DTN data security requirements and configures it on the target data source and the related security entities.

Referring to FIG. 3, the data security protection selection method in a digital twin network provided by the embodiments of the present disclosure, when applied to a data source node and the corresponding security entities, includes:

Step 301: receive configuration information sent by the security policy management function, the configuration information including a target security protection mechanism.

Step 302: configure the data source node and the related security entities according to the target security protection mechanism.

Through the above steps, the security policy management function configures the target security protection mechanism on the data source node and the corresponding security entities so as to meet the security and real-time requirements of the digital twin network.

The embodiments of the present disclosure further provide a data security protection selection method in a digital twin network, applied to a network indicator monitoring function, which includes:

Step a: receive a subscription request sent by the network indicator monitoring function, the subscription request being used to subscribe to network indicators that indicate the network state and changes in it;

Step b: send the network indicators to the network indicator monitoring function according to the subscription request.

FIG. 4 further gives an example flow in which the data security protection selection method of the embodiments of the present disclosure is carried out by several interacting entities. In this example the functional entities involved are logical entities; each may be co-located with other network element functions or deployed independently. Among them:

(1) Security policy management entity: receives data security requirements, or analyses them from the models and the data; obtains the data sources; and generates the initial list of DTN data security mechanisms, or the changes to it, from the security requirements, the network indicators, the differences between security protection mechanisms, and the support of each data source for those mechanisms.

(2) Network indicator monitoring function: collects and analyses network indicators, and notifies subscribers of the indicators and their changes.

(3) Data sources and related security entities: a data source is an entity that provides data or from which data is collected; it may be a network element or NWDAF in the network, a network or network element management entity, the unified data repository of the digital twin network, or an external database (such as a threat intelligence library or another digital twin network). Related security entities are the supporting entities required by the security mechanisms a data source supports, such as a key distribution entity or a certificate issuing entity.

The flow of this example mainly includes:

1) Model data registration: an application or model coming online reports the data it needs to the security policy management function; the data of each data source is registered, with network elements and external data sources (such as threat intelligence libraries) reporting the data that they or other network elements can collect and the security mechanisms they support; and the security policy management function establishes and maintains the correspondence between data security protection mechanisms and data security performance.

2) The security policy management function obtains the security information of the data and of the application or model and, on that basis, makes a static determination of the DTN data requirements, covering confidentiality, privacy, trust, real-time behaviour and so on, thereby obtaining the security information for the data;

3) The candidate data sources are determined from the data the registered network elements can collect; from the candidates' support for security mechanisms and the correspondence between data security protection mechanisms and data security performance, a DTN data security mechanism list is generated, containing the selected target data sources and their corresponding target security protection mechanisms. If the security mechanisms of a candidate data source do not meet the security requirements, another data source is selected or the model is notified to replace the data.

4) The DTN data security mechanism is configured on the target data source and the related security entities; this may require adding protocol bits that indicate the confidentiality, privacy, trust and real-time mechanisms, or may be done through existing service interfaces. The security entities are the functions needed to implement the security mechanism, for example the Certificate Authority (CA) entity of a certificate mechanism (which issues certificates) or a key management entity (which distributes keys).

5) The security policy management function collects the network state and analyses changes in the network indicators, or obtains those changes through network indicator monitoring; it determines whether the target data source and/or the target security protection mechanism need updating, identifies the data source and the security mechanism to be updated, and configures the DTN data security mechanism on the data source and the related security entities. The original data source may become unavailable because of a change in network state (bandwidth conditions, faults, security attacks and so on), or a change in bandwidth may leave the data source's security mechanism unable to meet the real-time requirement, among other reasons, so the data source may have to be replaced or the security mechanism updated.
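The selection and update logic of steps 202 to 204 and of steps 2) to 5) of the FIG. 4 flow, as an added Python example that is not part of the patent: the tag vocabulary, mechanism names, Table 2 style levels, latencies and data sources are all constructed assumptions, and a "no candidate qualifies" result stands for the case where another source or replacement data must be requested.

```python
"""Toy model of the security policy management function's decision logic (added
example, not the patent's code); names, levels, latencies and sources are constructed."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Tuple

LEVEL_DIMS = ("confidentiality", "privacy", "trust")

@dataclass(frozen=True)
class Mechanism:
    # Data security performance of one protection mechanism: level 0-3 per dimension
    # plus the delay it adds between data generation and acquisition (real-time).
    name: str
    confidentiality: int = 0
    privacy: int = 0
    trust: int = 0
    latency_ms: int = 0
    related_entity: Optional[str] = None  # e.g. CA or key distribution entity

@dataclass
class DataSource:
    # Registered source: data provided, mechanisms supported, current delay (network indicator).
    name: str
    provides: FrozenSet[str]
    supports: FrozenSet[str]
    base_latency_ms: int

@dataclass(frozen=True)
class Requirement:
    # Structured DTN data security requirement (output of step 202).
    confidentiality: int = 0
    privacy: int = 0
    trust: int = 0
    max_latency_ms: Optional[int] = None

# Constructed vocabulary: a tag in the unstructured model-side (first) or data-side
# (second) security information -> minimum level per dimension.
TAG_LEVELS: Dict[str, Dict[str, int]] = {
    "high_trust_data": {"trust": 3},
    "not_directly_readable": {"privacy": 3, "confidentiality": 2},
}

def derive_requirement(first_info: List[str], second_info: List[str],
                       max_latency_ms: Optional[int] = None) -> Requirement:
    """Step 202: merge both sides' tags, keeping the strictest level per dimension."""
    levels = {dim: 0 for dim in LEVEL_DIMS}
    for tag in list(first_info) + list(second_info):
        for dim, lvl in TAG_LEVELS.get(tag, {}).items():
            levels[dim] = max(levels[dim], lvl)
    return Requirement(max_latency_ms=max_latency_ms, **levels)

def meets(req: Requirement, src: DataSource, mechs: Tuple[Mechanism, ...]) -> bool:
    """Combined performance of a mechanism set: best level per dimension, summed delay."""
    for dim in LEVEL_DIMS:
        if max((getattr(m, dim) for m in mechs), default=0) < getattr(req, dim):
            return False
    delay = src.base_latency_ms + sum(m.latency_ms for m in mechs)
    return req.max_latency_ms is None or delay <= req.max_latency_ms

def select(target_data: List[str], req: Requirement, sources: List[DataSource],
           catalogue: Dict[str, Mechanism]):
    """Step 203: among sources providing all target data, pick the one meeting req with the
    fewest (then fastest) mechanisms; None means no candidate qualifies."""
    best = None
    for src in (s for s in sources if set(target_data) <= s.provides):
        supported = [catalogue[n] for n in sorted(src.supports)]
        combo = next((c for k in range(len(supported) + 1)
                      for c in combinations(supported, k) if meets(req, src, c)), None)
        if combo is None:
            continue
        cost = (len(combo), src.base_latency_ms + sum(m.latency_ms for m in combo))
        if best is None or cost < best[0]:
            best = (cost, src, combo)
    return None if best is None else (best[1], best[2])

def build_config(src: DataSource, mechs: Tuple[Mechanism, ...]) -> List[Dict[str, str]]:
    """Step 204: one message for the data source, one per related security entity."""
    msgs = [{"to": src.name, "mechanisms": ",".join(m.name for m in mechs)}]
    for m in mechs:
        if m.related_entity:
            msgs.append({"to": m.related_entity, "mechanism": m.name, "for": src.name})
    return msgs

def reevaluate(current, target_data, req, sources, catalogue):
    """Figure 4 step 5: keep the current choice while it still meets req, else re-select."""
    src, mechs = current
    if meets(req, src, mechs):
        return current, False
    return select(target_data, req, sources, catalogue), True

# Constructed mechanism/performance catalogue and data source registry.
CATALOGUE = {m.name: m for m in (
    Mechanism("tls_transport", confidentiality=2, latency_ms=5),
    Mechanism("anonymization", privacy=3, latency_ms=15),
    Mechanism("signed_records", trust=3, latency_ms=10, related_entity="certificate_authority"),
)}
FULL = frozenset({"tls_transport", "anonymization", "signed_records"})
SOURCES = [
    DataSource("nwdaf_1", frozenset({"user_session_stats"}), FULL, 30),
    DataSource("nwdaf_2", frozenset({"user_session_stats"}), FULL, 50),
    DataSource("repo_1", frozenset({"user_session_stats", "alarm_log"}), frozenset({"tls_transport"}), 10),
]
```

Raising `nwdaf_1`'s delay (a bandwidth drop reported by monitoring) past the real-time bound makes `reevaluate` switch to `nwdaf_2` with the same mechanism set, which is the update path of step 5).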

As can be seen from the above, the embodiments of the present disclosure provide a method and framework that support selecting a security protection mechanism and adjusting it dynamically, giving the data of the digital twin network a data security protection mechanism adapted both to the upper-layer applications and to the underlying network. It can satisfy the precise protection needs of the diverse models and data sources in the digital twin network as well as the dynamic changes of the network; working at the granularity of individual data, it meets the real-time and security requirements of the digital twin network and reduces manual intervention.

The various methods of the embodiments of the present disclosure have been described above. Apparatus for implementing those methods is provided below.

Referring to FIG. 5, the embodiments of the present disclosure further provide a data security protection selection apparatus in a digital twin network, applied to a security policy management function, the apparatus including:

a first obtaining module 501, configured to obtain information about a target application or target model and about the target data it needs, and to determine first security information and/or second security information, the first security information being the security information of the target application or target model and the second security information being the security information of the target data that the target application or target model needs;

a first determination module 502, configured to determine the digital twin network (DTN) data security requirements from the first security information and/or the second security information, the DTN data security requirements including at least one of a confidentiality requirement, a privacy requirement, a trust requirement and a real-time requirement;

a second determination module 503, configured to determine, from the pre-maintained record of the data each data source can provide, the candidate data sources able to provide the target data, and to determine, from the data security protection mechanisms supported by the candidate data sources and the pre-maintained correspondence between data security protection mechanisms and data security performance, a target data source that can meet the DTN data security requirements and the target security protection mechanism to be configured on it;

a first configuration module 504, configured to configure the target security protection mechanism on the target data source and the related security entities.

Through the above modules, the embodiments of the present disclosure provide the data of the digital twin network with a data security protection mechanism adapted both to the upper-layer applications and to the underlying network, thereby meeting the security and real-time requirements of the digital twin network.

Optionally, the first obtaining module is further configured to:

analyse the information about the target application or target model, determine the security information of the target application or target model, and obtain the first security information; and/or analyse the information about the target data that the target application or target model needs, determine the security information of the target data, and obtain the second security information;

or,

receive, from the target application or target model, the security information of the target data it needs and/or the security information of the target application or target model itself; obtain the first security information from the security information of the target application or target model, and/or obtain the second security information from the security information of the target data.

Optionally, the apparatus further includes:

a maintenance module, configured to establish and maintain in advance the data each data source can provide and the data security protection mechanisms each data source supports, and to establish and maintain in advance the correspondence between the various data security protection mechanisms and data security performance.

Optionally, the apparatus further includes:

a third determination module, configured to obtain the network state and determine whether the target data source and/or the target security protection mechanism need updating;

when the target data source needs updating, to re-determine and configure a target data source and a target security protection mechanism that can meet the DTN data security requirements;

when the target security protection mechanism needs updating, to re-determine and configure a target security protection mechanism that can meet the DTN data security requirements.

Optionally, the third determination module includes:

a second obtaining module, configured to obtain the network state in at least one of the following ways:

subscribing to network indicators that indicate the network state and changes in it, and receiving those network indicators;

monitoring the network to obtain the network indicators.

Optionally, the third determination module includes:

a fourth determination unit, configured to determine whether the target data source and/or the target security protection mechanism need updating in at least one of the following ways:

analysing whether the network indicators affect the data security performance that the target security protection mechanism of the target data source can achieve and, if so, determining that the target data source and/or the target security protection mechanism need updating;

analysing whether the DTN data security requirements need to be updated in light of the network indicators and, if so, determining that the target data source and/or the target security protection mechanism need updating.

It should be noted that the apparatus of this embodiment corresponds to the method described above as applied to the security policy management function; the implementations of the embodiments above apply equally to this apparatus embodiment and achieve the same technical effect. The apparatus provided by the embodiments of the present disclosure can carry out every step of the method embodiments above and achieve the same technical effect, so the parts of this embodiment that coincide with the method embodiments, and their beneficial effects, are not described again here.

Referring to FIG. 6, the embodiments of the present disclosure further provide a data security protection selection apparatus 600 in a digital twin network, including a transceiver 601 and a processor 602;

the transceiver 601 being configured to obtain information about a target application or target model and about the target data it needs, and to determine first security information and/or second security information, the first security information being the security information of the target application or target model and the second security information being the security information of the target data that the target application or target model needs;

the processor 602 being configured to: determine the digital twin network (DTN) data security requirements from the first security information and/or the second security information, the DTN data security requirements including at least one of a confidentiality requirement, a privacy requirement, a trust requirement and a real-time requirement; determine, from the pre-maintained record of the data each data source can provide, the candidate data sources able to provide the target data, and determine, from the data security protection mechanisms supported by the candidate data sources and the pre-maintained correspondence between data security protection mechanisms and data security performance, a target data source that can meet the DTN data security requirements and the target security protection mechanism to be configured on it; and configure the target security protection mechanism on the target data source and the related security entities.

Optionally, the transceiver is further configured to: analyse the information about the target application or target model, determine the security information of the target application or target model, and obtain the first security information; and/or analyse the information about the target data that the target application or target model needs, determine the security information of the target data, and obtain the second security information;

or,

receive, from the target application or target model, the security information of the target data it needs and/or the security information of the target application or target model itself; obtain the first security information from the security information of the target application or target model, and/or obtain the second security information from the security information of the target data.

Optionally, the processor is further configured to:

establish and maintain in advance the data each data source can provide and the data security protection mechanisms each data source supports;

establish and maintain in advance the correspondence between the various data security protection mechanisms and data security performance.

Optionally, the processor is further configured to:

obtain the network state and determine whether the target data source and/or the target security protection mechanism need updating;

when the target data source needs updating, re-determine and configure a target data source and a target security protection mechanism that can meet the DTN data security requirements;

when the target security protection mechanism needs updating, re-determine and configure a target security protection mechanism that can meet the DTN data security requirements.

Optionally, the processor is further configured to:

subscribe to network indicators that indicate the network state and changes in it, and receive those network indicators;

monitor the network to obtain the network indicators.

Optionally, the processor is further configured to determine whether the target data source and/or the target security protection mechanism need updating in at least one of the following ways:

analysing whether the network indicators affect the data security performance that the target security protection mechanism of the target data source can achieve and, if so, determining that the target data source and/or the target security protection mechanism need updating;

analysing whether the DTN data security requirements need to be updated in light of the network indicators and, if so, determining that the target data source and/or the target security protection mechanism need updating.

It should be noted that the apparatus of this embodiment corresponds to the method described above as applied on the security policy management function side; the implementations of the embodiments above apply equally to this apparatus embodiment and achieve the same technical effect. The apparatus provided by the embodiments of the present disclosure can carry out every step of the method embodiments above and achieve the same technical effect, so the parts of this embodiment that coincide with the method embodiments, and their beneficial effects, are not described again here.

请参考图7,本公开实施例还提供一种数字孪生网络中的数据安全保护选择装置,应用于数据源节点及相应安全实体,包括:Referring to FIG. 7 , the embodiment of the present disclosure further provides a data security protection selection device in a digital twin network, which is applied to a data source node and a corresponding security entity, including:

第一接收模块701,用于接收所述安全策略管理功能发送的配置信息,所述配置信息包括目标安全保护机制;A first receiving module 701 is used to receive configuration information sent by the security policy management function, wherein the configuration information includes a target security protection mechanism;

第一配置模块702,用于根据所述目标安全保护机制,配置所述数据源节点及相关安全实体。The first configuration module 702 is used to configure the data source node and related security entities according to the target security protection mechanism.

需要说明的是,该实施例中的设备是与上述应用于数据源节点及相应安全实体侧的方法对应的设备,上述各实施例中的实现方式均适用于该设备的实施例中,也能达到相同的技术效果。本公开实施例提供的上述设备,能够实现上述方法实施例所实现的所有方法步骤,且能够达到相同的技术效果,在此不再对本实施例中与方法实施例相同的部分及有益效果进行具体赘述。It should be noted that the device in this embodiment is a device corresponding to the method applied to the data source node and the corresponding security entity side, and the implementation methods in the above embodiments are all applicable to the embodiments of the device, and can also achieve the same technical effects. The above device provided by the embodiment of the present disclosure can implement all the method steps implemented by the above method embodiment, and can achieve the same technical effects. The parts and beneficial effects that are the same as those in the method embodiment in this embodiment will not be specifically described here.

请参考图8,本公开实施例还提供一种数字孪生网络中的数据安全保护选择装置800,应用于数据源节点及相应安全实体,包括:收发机801和处理器802;Please refer to FIG8 , the embodiment of the present disclosure further provides a data security protection selection device 800 in a digital twin network, which is applied to a data source node and a corresponding security entity, including: a transceiver 801 and a processor 802;

所述收发机801,用于接收所述安全策略管理功能发送的配置信息,所述配置信息包括目标安全保护机制;The transceiver 801 is used to receive configuration information sent by the security policy management function, wherein the configuration information includes a target security protection mechanism;

所述处理器802,用于根据所述目标安全保护机制,配置所述数据源节点及相关安全实体。The processor 802 is used to configure the data source node and related security entities according to the target security protection mechanism.

It should be noted that the device in this embodiment corresponds to the method described above as applied to the data source node and the corresponding security entity side; the implementations in the above embodiments all apply to the embodiment of this device and achieve the same technical effects. The device provided by this embodiment of the present disclosure can carry out all of the method steps of the method embodiment above and achieve the same technical effects; the parts and beneficial effects that are the same as those of the method embodiment are not described again here.

Referring to FIG. 9, an embodiment of the present disclosure further provides a data security protection selection device 900 in a digital twin network, applied to a security policy management function, which includes a processor 901, a memory 902, and a computer program stored in the memory 902 and executable on the processor 901. When executed by the processor 901, the computer program implements each process of the embodiment of the data security protection selection method executed by the terminal described above and achieves the same technical effect; to avoid repetition, this is not described again here.

Referring to FIG. 10, an embodiment of the present disclosure further provides a data security protection selection device 1000 in a digital twin network, applied to a data source node and a corresponding security entity, which includes a processor 1001, a memory 1002, and a computer program stored in the memory 1002 and executable on the processor 1001. When executed by the processor 1001, the computer program implements each process of the embodiment of the data security protection selection method executed by the network device described above and achieves the same technical effect; to avoid repetition, this is not described again here.

An embodiment of the present disclosure further provides a computer-readable storage medium on which a computer program is stored. When executed by a processor, the computer program implements each process of the embodiment of the data security protection selection method described above and achieves the same technical effect; to avoid repetition, this is not described again here. The computer-readable storage medium is, for example, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.

It should be noted that, herein, the terms "comprise", "include" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that comprises a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises the element.

From the description of the above implementations, those skilled in the art will clearly understand that the methods of the above embodiments can be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present disclosure, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and comprising a number of instructions for causing a terminal (which may be a mobile phone, a computer, a server, an air conditioner, a network device, or the like) to execute the methods described in the embodiments of the present disclosure.

The embodiments of the present disclosure have been described above with reference to the accompanying drawings, but the present disclosure is not limited to the specific implementations described above, which are merely illustrative and not restrictive. Guided by the present disclosure, those of ordinary skill in the art can devise many further forms without departing from the spirit of the present disclosure and the scope protected by the claims, and all of these fall within the protection of the present disclosure.

Claims (17)

1. A data security protection selection method in a digital twin network, applied to a security policy management function, the method comprising:
   obtaining information of a target application or target model and information of the target data it requires, and determining first security information and/or second security information, wherein the first security information is the security information of the target application or target model and the second security information is the security information of the target data required by the target application or target model;
   determining, according to the first security information and/or the second security information, a digital twin network (DTN) data security requirement, the DTN data security requirement including at least one of a confidentiality requirement, a privacy requirement, a trust requirement and a real-time requirement;
   determining, according to the pre-maintained data that each data source can provide, candidate data sources capable of providing the target data, and determining, according to the data security protection mechanisms supported by the candidate data sources and the pre-maintained correspondence between each data security protection mechanism and data security performance, a target data source capable of meeting the DTN data security requirement and the target security protection mechanism to be configured for the target data source;
   configuring the target security protection mechanism for the target data source and the related security entities.

2. The method of claim 1, wherein determining the first security information and/or the second security information comprises:
   analysing the information of the target application or target model to determine the security information of the target application or target model, thereby obtaining the first security information, and/or analysing the information of the target data required by the target application or target model to determine the security information of the target data, thereby obtaining the second security information;
   or,
   receiving the security information of the target data required by the target application or target model and/or the security information of the target application or target model; obtaining the first security information according to the security information of the target application or target model, and/or obtaining the second security information according to the security information of the target data.

3. The method of claim 1, further comprising:
   establishing and maintaining in advance the data that each data source can provide and the data security protection mechanisms supported by each data source;
   establishing and maintaining in advance the correspondence between the various data security protection mechanisms and data security performance.

4. The method of claim 1, further comprising:
   obtaining a network state and determining whether the target data source and/or the target security protection mechanism needs to be updated;
   when the target data source needs to be updated, re-determining and configuring a target data source and a target security protection mechanism capable of meeting the DTN data security requirement;
   when the target security protection mechanism needs to be updated, re-determining and configuring a target security protection mechanism capable of meeting the DTN data security requirement.

5. The method of claim 4, wherein obtaining the network state comprises at least one of:
   subscribing to network indicators that indicate the network state and changes in the network state, and receiving the network indicators;
   monitoring the network to obtain the network indicators.

6. The method of claim 4, wherein determining whether the target data source and/or the target security protection mechanism needs to be updated comprises at least one of:
   analysing whether a network indicator affects the data security performance achievable by the target security protection mechanism of the target data source and, if so, determining that the target data source and/or the target security protection mechanism needs to be updated;
   analysing whether the digital twin network (DTN) data security requirement needs to be updated according to the network indicator and, if so, determining that the target data source and/or the target security protection mechanism needs to be updated.

7. A data security protection selection method in a digital twin network, applied to a data source node and a corresponding security entity, the method comprising:
   receiving configuration information sent by the security policy management function, the configuration information including a target security protection mechanism;
   configuring the data source node and the related security entities according to the target security protection mechanism.

8. A data security protection selection device in a digital twin network, applied to a security policy management function, comprising a transceiver and a processor, wherein:
   the transceiver is configured to obtain information of a target application or target model and information of the target data it requires, and to determine first security information and/or second security information, wherein the first security information is the security information of the target application or target model and the second security information is the security information of the target data required by the target application or target model;
   the processor is configured to determine, according to the first security information and/or the second security information, a digital twin network (DTN) data security requirement, the DTN data security requirement including at least one of a confidentiality requirement, a privacy requirement, a trust requirement and a real-time requirement; to determine, according to the pre-maintained data that each data source can provide, candidate data sources capable of providing the target data, and to determine, according to the data security protection mechanisms supported by the candidate data sources and the pre-maintained correspondence between each data security protection mechanism and data security performance, a target data source capable of meeting the DTN data security requirement and the target security protection mechanism to be configured for the target data source; and to configure the target security protection mechanism for the target data source and the related security entities.

9. The device of claim 8, wherein the transceiver is further configured to:
   analyse the information of the target application or target model to determine the security information of the target application or target model, thereby obtaining the first security information, and/or analyse the information of the target data required by the target application or target model to determine the security information of the target data, thereby obtaining the second security information;
   or,
   receive the security information of the target data required by the target application or target model and/or the security information of the target application or target model; obtain the first security information according to the security information of the target application or target model, and/or obtain the second security information according to the security information of the target data.

10. The device of claim 8, wherein the processor is further configured to:
   establish and maintain in advance the data that each data source can provide and the data security protection mechanisms supported by each data source;
   establish and maintain in advance the correspondence between the various data security protection mechanisms and data security performance.

11. The device of claim 8, wherein:
   the transceiver is further configured to obtain a network state and determine whether the target data source and/or the target security protection mechanism needs to be updated;
   the processor is further configured to: when the target data source needs to be updated, re-determine and configure a target data source and a target security protection mechanism capable of meeting the DTN data security requirement; and when the target security protection mechanism needs to be updated, re-determine and configure a target security protection mechanism capable of meeting the DTN data security requirement.

12. The device of claim 11, wherein the transceiver is further configured to obtain the network state in at least one of the following ways:
   subscribing to network indicators that indicate the network state and changes in the network state, and receiving the network indicators;
   monitoring the network to obtain the network indicators.

13. The device of claim 11, wherein the processor is further configured to determine, in at least one of the following ways, whether the target data source and/or the target security protection mechanism needs to be updated:
   analysing whether a network indicator affects the data security performance achievable by the target security protection mechanism of the target data source and, if so, determining that the target data source and/or the target security protection mechanism needs to be updated;
   analysing whether the digital twin network (DTN) data security requirement needs to be updated according to the network indicator and, if so, determining that the target data source and/or the target security protection mechanism needs to be updated.

14. A data security protection selection device in a digital twin network, applied to a security policy management function, comprising a processor, a memory, and a program stored in the memory and executable on the processor, wherein the program, when executed by the processor, implements the steps of the method of any one of claims 1 to 6.

15. A data security protection selection device in a digital twin network, applied to a data source node and a corresponding security entity, comprising a transceiver and a processor, wherein:
   the transceiver is configured to receive configuration information sent by the security policy management function, the configuration information including a target security protection mechanism;
   the processor is configured to configure the data source node and the related security entities according to the target security protection mechanism.

16. A data security protection selection device in a digital twin network, applied to a data source node and a corresponding security entity, comprising a processor, a memory, and a program stored in the memory and executable on the processor, wherein the program, when executed by the processor, implements the steps of the method of claim 7.

17. A computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the steps of the method of any one of claims 1 to 7.
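The following is an added worked example, not code from the patent or its applicant, showing one way the selection procedure of claims 1 and 4 to 6 could be realised at the security policy management function: a pre-maintained registry of what each data source can provide and which protection mechanisms it supports, a mechanism-to-performance mapping over the four requirement dimensions (confidentiality, privacy, trust, real-time), a selection step that keeps only (source, mechanism) pairs meeting the merged requirement, and a re-evaluation step driven by a network indicator. All source names, mechanism names, numeric performance scores, the latency threshold and the "untrusted segment" indicator are constructed for this example; the patent states only the abstract procedure and does not define any of these values.

```python
"""Added illustration of the selection procedure in claims 1 and 4 to 6 of the
patent. Not the patent's own code: every name, score and threshold below is a
constructed assumption used only to make the procedure executable."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# The four DTN data security requirement dimensions named in claim 1.
DIMENSIONS = ("confidentiality", "privacy", "trust", "realtime")
Perf = Dict[str, int]


@dataclass(frozen=True)
class Requirement:
    """Minimum score per dimension; 0 means no requirement in that dimension."""
    confidentiality: int = 0
    privacy: int = 0
    trust: int = 0
    realtime: int = 0

    def satisfied_by(self, perf: Perf) -> bool:
        return all(getattr(self, d) <= perf.get(d, 0) for d in DIMENSIONS)


# Pre-maintained registry (claim 3): the data each source can provide and the
# protection mechanisms it supports. Constructed sample values.
SOURCES = {
    "core-probe-A": {"data": {"flow-records", "kpi"}, "mechanisms": {"plain", "tls", "tls+anon"}},
    "edge-probe-B": {"data": {"flow-records"}, "mechanisms": {"plain", "tls"}},
    "ran-probe-C": {"data": {"kpi", "radio-measurements"}, "mechanisms": {"plain", "tls+attest"}},
}

# Pre-maintained mechanism -> data security performance mapping (claim 3).
# Higher is better; the realtime score drops as a mechanism adds overhead.
MECHANISM_PERF: Dict[str, Perf] = {
    "plain":      {"confidentiality": 0, "privacy": 0, "trust": 0, "realtime": 3},
    "tls":        {"confidentiality": 2, "privacy": 0, "trust": 1, "realtime": 2},
    "tls+anon":   {"confidentiality": 2, "privacy": 2, "trust": 1, "realtime": 1},
    "tls+attest": {"confidentiality": 2, "privacy": 0, "trust": 3, "realtime": 1},
}

LATENCY_LIMIT_MS = 50  # constructed threshold used by the network-indicator check


def derive_requirement(first_info: Perf, second_info: Perf) -> Requirement:
    """Claim 1, step 2: merge the application/model security information (first)
    with the target-data security information (second), keeping the stricter
    value in each dimension."""
    return Requirement(**{d: max(first_info.get(d, 0), second_info.get(d, 0)) for d in DIMENSIONS})


def effective_perf(source: str, mech: str, indicator: Optional[dict]) -> Perf:
    """Claims 5 and 6: a constructed per-source latency indicator lowers the
    realtime performance a mechanism can actually deliver over that source's link."""
    perf = dict(MECHANISM_PERF[mech])
    latency = (indicator or {}).get("latency_ms", {}).get(source, 0)
    if latency > LATENCY_LIMIT_MS:
        perf["realtime"] = max(0, perf["realtime"] - 1)
    return perf


def select_source_and_mechanism(target_data: str, req: Requirement,
                                indicator: Optional[dict] = None) -> Optional[Tuple[str, str]]:
    """Claim 1, step 3: candidates are the sources able to provide target_data;
    return the (source, mechanism) pair meeting req, preferring the highest
    realtime score so no unrequested protection overhead is paid. None if no
    candidate can meet the requirement."""
    best = None
    for name, src in SOURCES.items():
        if target_data not in src["data"]:
            continue
        for mech in sorted(src["mechanisms"]):
            perf = effective_perf(name, mech, indicator)
            if req.satisfied_by(perf) and (best is None or perf["realtime"] > best[2]):
                best = (name, mech, perf["realtime"])
    return None if best is None else (best[0], best[1])


def update_requirement(req: Requirement, indicator: dict) -> Requirement:
    """Claim 6, second branch: a constructed indicator flagging an untrusted
    transport segment raises the trust requirement to at least 1."""
    if indicator.get("untrusted_segment") and req.trust < 1:
        return Requirement(req.confidentiality, req.privacy, 1, req.realtime)
    return req


def reselect_if_needed(target_data: str, req: Requirement, current: Tuple[str, str],
                       indicator: dict) -> Tuple[Optional[Tuple[str, str]], bool]:
    """Claims 4 to 6: on a new network indicator, check whether the current choice
    still meets the (possibly updated) requirement; re-select only if it does not.
    Returns (choice, changed)."""
    new_req = update_requirement(req, indicator)
    src, mech = current
    if new_req.satisfied_by(effective_perf(src, mech, indicator)):
        return current, False
    return select_source_and_mechanism(target_data, new_req, indicator), True
```

A practical point the toy makes visible: re-selection can return `None` when the indicator pushes the requirement beyond anything the registry can satisfy (for example, a real-time requirement that only an unprotected mechanism can meet combined with a raised trust requirement). The policy function should treat that outcome as a decision to escalate rather than silently keep the previous, now non-compliant, configuration.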
PCT/CN2024/107475 2023-08-16 2024-07-25 Data security protection selection method and apparatus, and storage medium Pending WO2025036112A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202311029613.3A CN118828473A (en) 2023-08-16 2023-08-16 Data security protection selection method, device and storage medium
CN202311029613.3 2023-08-16

Publications (1)

Publication Number Publication Date
WO2025036112A1 true WO2025036112A1 (en) 2025-02-20


Also Published As

Publication number Publication date
CN118828473A (en) 2024-10-22


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 24853524

Country of ref document: EP

Kind code of ref document: A1