CN-121984783-A - Data security management method and system based on unified data base

Abstract

The application relates to the technical field of data security of the Internet of things, provides a data security management method and system based on a unified data base, and solves the problems of poor abnormality detection accuracy and poor security response instantaneity of time sequence data of heterogeneous equipment. The method comprises the steps of collecting time sequence data of multiple pieces of Internet of things equipment through a unified data base, representing the data into low-dimensional feature vectors by utilizing a variation automatic encoder, decoupling and separating, mapping and encoding components into a digital sequence according to a preset rule, splicing the digital sequence into data to be analyzed, judging the data by using a generation countermeasure network to screen out normal data fragments, inputting the normal fragments into the time sequence convolution network, processing and outputting state prediction data through an expansion causal convolution layer of the normal fragments, calculating deviation between the prediction data and actual data, and generating and executing a safety management instruction to realize safety management when the deviation continuously exceeds a preset safety threshold. The application improves the abnormality detection accuracy and the safety response instantaneity of the time sequence data of the heterogeneous equipment.

Inventors

• DOU BAOXIN
• YANG LIU
• PEI NING
• Liao Chenguang

Assignees

• 中铁电气化局集团有限公司

Dates

Publication Date

20260505

Application Date

20260324

Claims (10)

1. 1. The data security management method based on the unified data base is characterized by comprising the following steps of: acquiring time sequence measurement data from a plurality of internet of things devices through a unified data base; Performing characterization learning on the time sequence measurement data through a variation automatic encoder to obtain a low-dimensional feature vector, and separating the low-dimensional feature vector into a first feature component and a second feature component; Based on a preset coding rule, mapping the first characteristic component and the second characteristic component into a first digital coding sequence and a second digital coding sequence respectively, and splicing the first digital coding sequence and the second digital coding sequence to generate a third digital coding sequence; the third digital coding sequence is used as data to be analyzed, and the data to be analyzed is judged by utilizing a generated countermeasure network so as to screen out normal data fragments; Inputting the normal data segment into a time sequence convolution network, processing the normal data segment through a plurality of expansion cause and effect convolution layers of the time sequence convolution network, and outputting state prediction data; calculating a deviation value between the state prediction data and the actual measurement data, generating a safety management instruction when the deviation value is larger than a preset safety threshold value, and carrying out safety management on the data of the corresponding Internet of things equipment based on the safety management instruction.
2. 2. The method for data security management based on a unified data base according to claim 1, wherein the discriminating the data to be analyzed by using the generation countermeasure network to screen out normal data segments comprises: acquiring normal behavior pattern data, inputting the normal behavior pattern data to a generator for generating an countermeasure network, and learning potential distribution of the normal behavior pattern data through a multi-layer perceptron of the generator to output a simulation data sequence for simulating normal behavior; inputting the data to be analyzed and the simulated normal sequence as input data to a discriminator for generating an countermeasure network, wherein the discriminator adopts a one-dimensional convolutional neural network to extract local features, and introduces a gating circulation unit network to capture dynamic dependency based on the local features; the discriminator outputs discrimination result data based on the dynamic dependency relationship; And intercepting the original data corresponding to the sections with the discrimination scores continuously larger than a preset score threshold value in the discrimination result data from the data to be analyzed, and taking the intercepted original data as normal data fragments.
3. 3. The unified data base based data security management method according to claim 2 wherein the arbiter extracts local features using a one-dimensional convolutional neural network and introduces a gated loop unit network capturing dynamic dependency based on the local features, comprising: performing convolution operation on the input data by utilizing a plurality of convolution cores of the one-dimensional convolution neural network to obtain local features under a plurality of time scales; Combining the local features under all time scales to obtain a comprehensive feature sequence; And inputting the comprehensive characteristic sequence into a gating circulation unit network, and processing the comprehensive characteristic sequence by the gating circulation unit network according to a time sequence to obtain a dynamic dependency relationship of data in a time dimension.
4. 4. The unified data base based data security management method according to claim 1 wherein the inputting the normal data fragments into a time series convolution network, processing the normal data fragments through a plurality of dilation-causal convolution layers of the time series convolution network, outputting state prediction data, comprises: Inputting the normal data segment into a first expansion causal convolution layer of the time sequence convolution network, and performing one-dimensional convolution calculation on the normal data segment by the first expansion causal convolution layer to obtain first intermediate data; the first expansion causal convolution layer also sequentially executes nonlinear transformation operation and standardization operation on the first intermediate data to obtain first output data; inputting the first output data to a second causal expansion layer of the time series convolution network, wherein the processing procedure of the second causal expansion layer is the same as the processing procedure of the first causal expansion layer; repeatedly performing convolution calculation, nonlinear transformation operation and standardization operation layer by layer according to the preset network depth of the time sequence convolution network until network output data of the last expansion causal convolution layer is obtained; the network output data is input to a linear transformation layer of the time-sequential convolution network, which converts the network output data into at least one predicted value at a future time, the predicted values at all future times constituting state prediction data.
5. 5. The method for data security management based on a unified data base according to claim 1, wherein the performing, by a variation automatic encoder, characterization learning on the time-series measurement data to obtain a low-dimensional feature vector, and separating the low-dimensional feature vector into a first feature component and a second feature component, includes: Inputting the time sequence measurement data to an encoder of a variation automatic encoder, calculating statistical distribution parameters of the time sequence measurement data through the encoder, and generating a low-dimensional feature vector based on the statistical distribution parameters; And inputting the low-dimensional feature vector to a decoder of a variation automatic encoder, and mapping the low-dimensional feature vector to two orthogonal subspaces through a separation unit in the decoder and combining a preset orthogonal constraint rule to obtain a first feature component and a second feature component.
6. 6. The unified data base based data security management method according to claim 1 wherein the calculating the deviation value between the state prediction data and the actual measurement data, when the deviation value is greater than a preset security threshold, generating a security management instruction comprises: Acquiring actual measurement data corresponding to the state prediction data time; calculating the difference value between each predicted point in the state predicted data and the corresponding point in the actual measured data to obtain corresponding deviation values, wherein the number of the deviation values is the same as that of the predicted points; comparing each deviation value with the safety threshold, and when the first deviation value is larger than the safety threshold, determining a monitoring period of preset duration by taking the time corresponding to the deviation value as the starting time; And counting the number of the deviation values continuously exceeding the safety threshold in the monitoring period, and judging that the abnormality occurs and generating a safety management instruction when the number reaches a preset number threshold.
7. 7. The method for data security management based on a unified data base according to claim 1, further comprising, after performing security management on data of a corresponding internet of things device based on the security management instruction: Acquiring equipment identification information and abnormal associated data of the Internet of things equipment which performs security management operation; Inputting the equipment identification information and the abnormality related data into a pre-trained traceability analysis model, mapping the equipment identification information into a target node through a directed graph neural network in the traceability analysis model, and encoding the abnormality related data into initial abnormality characteristics of the target node; the directed graph neural network performs multiple rounds of feature propagation calculation according to the initial abnormal features and in combination with the historical interaction relation graph, and in each round of calculation, each node updates own feature vector according to the features of the neighbor nodes; after multiple rounds of feature propagation calculation, the directed graph neural network outputs final feature characterization of all nodes, and determines at least one suspicious equipment identifier according to the similarity between the final feature characterization of each node and the feature vector of the target node so as to form a tracing result; and generating a safety action instruction by using the strategy learning network according to the tracing result, generating a device control strategy according to the safety action instruction, and issuing the device control strategy to the unified data base for execution.
8. 8. A data security management system based on a unified data base, comprising: the acquisition module is used for acquiring time sequence measurement data from a plurality of internet of things devices through the unified data base; The learning module is used for carrying out characterization learning on the time sequence measurement data through a variation automatic encoder to obtain a low-dimensional feature vector, and separating the low-dimensional feature vector into a first feature component and a second feature component; The mapping module is used for mapping the first characteristic component and the second characteristic component into a first digital coding sequence and a second digital coding sequence respectively based on a preset coding rule, and splicing the first digital coding sequence and the second digital coding sequence to generate a third digital coding sequence; The judging module is used for judging the data to be analyzed by using the third digital coding sequence as the data to be analyzed and utilizing a generated countermeasure network so as to screen out normal data fragments; the input module is used for inputting the normal data segment into the time sequence convolution network, processing the normal data segment through a plurality of expansion causal convolution layers of the time sequence convolution network and outputting state prediction data; The calculation module is used for calculating a deviation value between the state prediction data and the actual measurement data, generating a safety management instruction when the deviation value is larger than a preset safety threshold value, and carrying out safety management on the data of the corresponding internet of things equipment based on the safety management instruction.
9. 9. An electronic device, comprising: A memory for storing a computer program; A processor for implementing the steps of the unified data base based data security management method as claimed in any one of claims 1 to 7 when executing the computer program.
10. 10. A computer readable storage medium, wherein a computer program is stored in the computer readable storage medium, and when executed by a processor, the computer program is capable of implementing the unified data base based data security management method according to any one of claims 1 to 7.

Description

Data security management method and system based on unified data base Technical Field The application relates to the technical field of data security of the Internet of things, in particular to a data security management method and system based on a unified data base. Background With the wide application of the internet of things in the fields of engineering monitoring, intelligent manufacturing and the like, the data security management method becomes a core technology for guaranteeing the security of key information assets, and the application prospect of the method is expanded to active security scenes such as equipment abnormality early warning, system intrusion detection and the like. In the prior art, data management based on a unified data base is based on a multi-dependent static rule or a conventional statistical method, for example, unified identity authentication is implemented in an equipment access layer, and anomaly judgment is performed on the converged data streams by adopting fixed threshold comparison. Part of the methods introduce traditional time series analysis means, such as an autoregressive model, to predict the device state and compare with the actual readings, thereby triggering an alarm. However, these approaches have certain limitations when dealing with data streams that have complex timing relationships and high dimensional characteristics and require dynamic classification, such as being not sensitive enough to identify replay attack patterns with strong concealment, and having room for improvement in learning and prediction capabilities of complex timing patterns, resulting in an influence on the accuracy of safety response. Therefore, the technical problem of insufficient security threat detection precision for massive heterogeneous time sequence data exists in the prior art. Disclosure of Invention The application provides a data security management method and system based on a unified data base, which are used for solving the problems of poor abnormality detection accuracy and poor security response instantaneity of time sequence data of heterogeneous equipment in the prior art. In order to solve the above technical problems, in a first aspect, the present application provides a data security management method based on a unified data base, including: acquiring time sequence measurement data from a plurality of internet of things devices through a unified data base; Performing characterization learning on the time sequence measurement data through a variation automatic encoder to obtain a low-dimensional feature vector, and separating the low-dimensional feature vector into a first feature component and a second feature component; Based on a preset coding rule, mapping the first characteristic component and the second characteristic component into a first digital coding sequence and a second digital coding sequence respectively, and splicing the first digital coding sequence and the second digital coding sequence to generate a third digital coding sequence; the third digital coding sequence is used as data to be analyzed, and the data to be analyzed is judged by utilizing a generated countermeasure network so as to screen out normal data fragments; Inputting the normal data segment into a time sequence convolution network, processing the normal data segment through a plurality of expansion cause and effect convolution layers of the time sequence convolution network, and outputting state prediction data; calculating a deviation value between the state prediction data and the actual measurement data, generating a safety management instruction when the deviation value is larger than a preset safety threshold value, and carrying out safety management on the data of the corresponding Internet of things equipment based on the safety management instruction. Optionally, the discriminating the data to be analyzed by using the generating countermeasure network to screen out normal data segments includes: acquiring normal behavior pattern data, inputting the normal behavior pattern data to a generator for generating an countermeasure network, and learning potential distribution of the normal behavior pattern data through a multi-layer perceptron of the generator to output a simulation data sequence for simulating normal behavior; inputting the data to be analyzed and the simulated normal sequence as input data to a discriminator for generating an countermeasure network, wherein the discriminator adopts a one-dimensional convolutional neural network to extract local features, and introduces a gating circulation unit network to capture dynamic dependency based on the local features; the discriminator outputs discrimination result data based on the dynamic dependency relationship; And intercepting the original data corresponding to the sections with the discrimination scores continuously larger than a preset score threshold value in the discrimination result data from the data to be anal