CN-122001677-A - Self-adaptive identity authentication policy dispatching method and system for edge computing environment

Abstract

The invention discloses a self-adaptive identity authentication strategy scheduling method and system for an edge computing environment. Network and device indicators are collected in real time to calculate an abnormal deviation degree and a resource grade, sensing the system state at fine granularity; according to a hierarchical principle of security priority, a high-performance, strong-security or resource-limited authentication algorithm is dynamically selected from a pluggable strategy library; an asynchronous non-blocking model and SIMD parallel optimization are adopted to realize high-concurrency scheduling; and self-adaptive calibration of the historical benchmark and the threshold is realized through an EWMA algorithm and a pollution-rejecting threshold self-healing mechanism. The invention solves the problems of poor adaptability and high latency in the prior art and realizes an optimal balance of security, energy efficiency and performance.

Inventors

  • DOU ZHAO
  • XIE JIACHENG
  • ZHANG ZHAOHE
  • LAI YUPING
  • BI JINGGUO
  • ZHU CHUNGE
  • PENG HAIPENG

Assignees

  • Beijing University of Posts and Telecommunications (北京邮电大学)

Dates

Publication Date
20260508
Application Date
20260323

Claims (10)

  1. An edge computing environment-oriented self-adaptive identity authentication policy scheduling method, characterized by comprising the following steps: Step 1, system initialization: deploying an authentication framework containing a plurality of lightweight cryptographic algorithms on an edge gateway and terminal equipment, and initializing parameters, wherein the parameters comprise an abnormal deviation threshold value and a resource availability level threshold value; Step 2, constructing a multi-index system and evaluating the state: collecting network flow characteristics and equipment physical resource indexes in real time, calculating the abnormal deviation degree of the network based on the network flow characteristics, and calculating the available level of computing power resources based on the equipment physical resource indexes; Step 3, policy decision: dividing the system state into a network threat state, a device resource limited state or a network normal state according to a comparison of the abnormal deviation degree of the network with the abnormal deviation degree threshold value and a comparison of the available level of computing power resources with the resource available level threshold value, and selecting a corresponding authentication policy from a preset authentication policy library according to a preset hierarchical decision principle; Step 4, dynamically loading and executing an authentication protocol: dynamically loading a corresponding authentication algorithm from the authentication policy library according to the selected authentication policy, and executing an identity authentication flow between the edge gateway and the terminal equipment; Step 5, dynamic feedback and adaptive calibration: recording authentication results and performance indexes, dynamically updating the network anomaly deviation degree used in step 2 according to the authentication results and the performance indexes, and adaptively adjusting the anomaly deviation threshold value.
  2. The method for dispatching the self-adaptive identity authentication policy for the edge computing environment according to claim 1, wherein in step 2, the formula for calculating the abnormal deviation of the network is: , wherein the is the actual observation of the ith network feature at the current time t, and are the historical average and the historical standard deviation of the ith network feature at time t, N is the total number of network characteristics, and is a preset weight coefficient; the formula for calculating the available level of the computing power resource is: , wherein is the CPU utilization, is the remaining rate of the memory, is the residual electric quantity, alpha, beta and gamma are preset weight coefficients, and .
  3. The method for scheduling the adaptive identity authentication policy for the edge-oriented computing environment according to claim 1, wherein in step 3: if , the device resource limited state is judged and a resource limited strategy is selected; is the abnormal deviation threshold; if , it is judged that the network is in a threat state, and a strong security policy is selected; if and also , ; and when a plurality of state conditions are satisfied simultaneously, the hierarchical decision principle is that the network threat state is responded to first, the device resource limited state second, and finally the network normal state.
  4. The method of claim 1, wherein in step 4, when the authentication process is executed, if the selected policy is a resource-limited policy, a single algorithm is adopted for authentication, and if the selected policy is a high-performance policy or a strong security policy, a majority decision authentication mechanism is adopted, that is, at least three authentication algorithms are selected from the corresponding policy class, and authentication is determined to be successful only when the authentication results of at least two of the algorithms are successful.
  5. The method for dispatching the self-adaptive identity authentication policy for the edge computing environment according to claim 1, wherein in step 4, the concurrent authentication requests of a plurality of terminal devices are dispatched at the edge gateway side by adopting an asynchronous non-blocking model and a multi-stage task queue: authentication requests of different strategy types are pushed into their respective task queues; the scheduler adopts a weighted polling algorithm to allocate processing resources; and the multi-core processor is utilized to verify the authentication requests in the queues in parallel, with a work stealing algorithm used to realize load balancing among the cores.
  6. The method for scheduling adaptive authentication policies for an edge-oriented computing environment according to claim 1, wherein in step 5, dynamically updating the historical reference value comprises: when the network is judged to be in a threat state, suspending the update of the historical average and the historical standard deviation ; and when the network is judged to be in a normal state, updating the historical average and the historical standard deviation using an exponentially weighted moving average algorithm.
  7. The method for scheduling adaptive identity authentication policies for an edge-oriented computing environment according to claim 1, wherein in step 5, adaptively adjusting the anomaly deviation threshold comprises: if the system detects for K times in succession and judges that the network is in a threat state, wherein all K strong security authentications succeed and no attack characteristic is detected, the abnormal deviation threshold value is automatically raised, with the update formula: , wherein is a preset relaxation coefficient.
  8. An edge computing environment-oriented adaptive identity authentication policy dispatching system, comprising an authentication framework deployed on an edge gateway and a terminal device, the authentication framework comprising: a multi-index system construction module, used for collecting network flow characteristics and equipment physical resource indexes in real time and calculating the network abnormal deviation degree and the computing power resource availability level; a policy decision module, used for dynamically selecting an optimal authentication policy from a preset authentication policy library according to the abnormal deviation degree of the network and the available level of computing power resources, in combination with a preset threshold value and a hierarchical decision principle; a pluggable lightweight protocol scheduling framework, comprising a plurality of authentication strategies classified according to functional targets and used for dynamically loading and executing the corresponding authentication algorithms according to the selection of the policy decision module; and a dynamic feedback and self-adaptive calibration module, used for recording the authentication result and dynamically updating the historical reference value and the decision threshold used by the multi-index system construction module according to the authentication result.
  9. The edge computing environment oriented adaptive authentication policy scheduling system of claim 8, wherein in the pluggable lightweight protocol scheduling framework the authentication policies include at least a high performance policy targeting maximum throughput, a strong security policy targeting defense against network attacks, and a resource constrained policy targeting minimum computation and storage overhead, and wherein the high performance policy and the strong security policy employ a majority decision authentication mechanism when performing authentication, while the resource constrained policy employs a single algorithm verification mechanism.
  10. The edge computing environment oriented adaptive authentication policy dispatch system of claim 9, wherein the pluggable lightweight protocol dispatch framework specifically comprises, at the gateway side: an asynchronous non-blocking scheduler for receiving and decoupling the concurrent authentication requests of a plurality of terminal devices; a multi-stage task queue for classifying and caching the authentication requests according to authentication policy type; and a parallel verification engine for processing the authentication requests in the task queues in parallel using the multi-core processor and realizing load balancing among the cores.
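As an added example, not code from the patent: a small Python model of the state decision in claims 1 to 3 and the feedback calibration in claims 6 and 7. The page omits the formulas, so the weighted normalized-deviation form of the anomaly score, the weighted resource level, the EWMA constant lam and the multiplicative relaxation factor eta are assumptions.

```python
import math

# Added example (not the patent's code). The page omits the formulas, so the
# score forms, the EWMA constant lam and the relaxation factor eta are assumed.

def anomaly_deviation(obs, hist_mean, hist_std, weights):
    """Assumed form of claim 2: weighted sum of per-feature |x - mean| / std."""
    return sum(w * abs(x - m) / (s if s > 0 else 1.0)
               for x, m, s, w in zip(obs, hist_mean, hist_std, weights))

def resource_level(cpu_util, mem_free, battery, alpha=0.4, beta=0.3, gamma=0.3):
    """Assumed form of claim 2: higher means more headroom; alpha+beta+gamma=1."""
    return alpha * (1.0 - cpu_util) + beta * mem_free + gamma * battery

def decide_policy(dev, res, dev_threshold, res_threshold):
    """Claim 3 hierarchy: threat state first, resource-limited second, else normal."""
    if dev > dev_threshold:
        return "strong_security"
    if res < res_threshold:
        return "resource_limited"
    return "high_performance"

def ewma_update(hist_mean, hist_std, obs, lam=0.2, in_threat=False):
    """Claim 6: the baseline is frozen in a threat state so attack traffic
    cannot pollute it; in the normal state mean and std follow an EWMA."""
    if in_threat:
        return list(hist_mean), list(hist_std)
    new_mean = [(1 - lam) * m + lam * x for m, x in zip(hist_mean, obs)]
    new_var = [(1 - lam) * s * s + lam * (x - m) ** 2
               for s, x, m in zip(hist_std, obs, new_mean)]
    return new_mean, [math.sqrt(v) for v in new_var]

class ThresholdSelfHealer:
    """Claim 7: after K consecutive threat verdicts in which strong-security
    authentication succeeded and no attack feature was seen, the threshold
    was too tight, so it is relaxed by the factor eta (assumed multiplicative)."""

    def __init__(self, threshold, k=3, eta=1.1):
        self.threshold, self.k, self.eta, self.streak = threshold, k, eta, 0

    def observe(self, flagged_threat, auth_ok, attack_seen):
        if flagged_threat and auth_ok and not attack_seen:
            self.streak += 1
            if self.streak >= self.k:
                self.threshold *= self.eta
                self.streak = 0
        else:
            self.streak = 0
        return self.threshold
```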

Description

Self-adaptive identity authentication policy dispatching method and system for edge computing environment

Technical Field

The invention relates to the technical field of identity authentication, in particular to an edge computing environment-oriented self-adaptive identity authentication policy scheduling method and system.

Background

With the deep convergence of the internet of things (IoT), 5G and the industrial internet, edge computing architectures have become key to supporting massive real-time traffic. Such systems are distributed across edge computing nodes, mobile terminals and various embedded devices in scenarios such as production sites, smart cities and power inspection, and their share of the network ecosystem is growing exponentially. Because such devices are often deployed unattended, in complex electromagnetic environments or in open physical spaces, and are extremely vulnerable to physical contact attacks, signal hijacking and malicious access, identity authentication is the first line of defense for establishing a chain of trust, and its importance has become industry consensus.

Currently, existing implementations of identity authentication in an edge computing environment mainly focus on the following directions.

Schemes based on a fixed lightweight algorithm hard-code a lightweight symmetric algorithm or lightweight hash function in the device in advance, and identity verification between the device and the gateway is carried out through a fixed challenge-response mechanism. Such schemes have very little defensive flexibility: algorithm security may be inadequate when the network is subject to brute force attacks, while the fixed algorithm may still carry unnecessary computational redundancy when the network state is excellent and resources are extremely limited.

Static schemes based on predefined grade switching classify authentication into three grades (high, medium and low), which the user configures manually at initialization according to the device type. The granularity of static grade switching is coarse, dynamic feedback tuning during operation cannot be realized, the real-time abnormal deviation degree of the network cannot be perceived, and the security grade is difficult to raise automatically when the environment deteriorates.

Centralized authentication management schemes based on software-defined networking use a controller to issue and configure the authentication policy of all network devices, with a core controller collecting the global topology to decide the security policy of each node uniformly. However, the control logic of such schemes is too centralized: frequent policy issuing in an edge computing scenario may cause huge signaling overhead, and once the core link is delayed, the authentication process at the edge suffers serious hysteresis, which does not meet the edge-side requirement of "instant authentication, low-latency response". According to measurements reported at ACM SIGCOMM, under high load the end-to-end delay from threat perception to the policy taking effect is high, and the strict low-latency requirement of industrial control scenarios is difficult to meet.

In an edge computing environment, identity authentication therefore faces a number of challenges.

  1. Resource limitation and computational overhead: edge devices (e.g., sensors, smart meters) tend to have low computing power and limited memory, and rely on battery power. The computational burden and energy consumption incurred by conventional heavyweight authentication protocols (such as RSA or complex ECC-based digital signatures) often result in delayed device responses and even downtime due to resource exhaustion.
  2. Network environment dynamics: the network topology in an edge environment changes frequently, network quality (bandwidth and delay) fluctuates severely, and the threats faced (such as replay attacks, man-in-the-middle attacks and resource exhaustion attacks) change dynamically. A single, fixed authentication algorithm cannot reconcile high security with low authentication latency.
  3. Insufficient algorithm extensibility and difficult switching: the cryptographic algorithm in existing implementations is usually deeply coupled with the system logic and lacks pluggable flexibility. When optimization for specific hardware is required (e.g., pursuing an extremely small area or hardware compatibility), the entire system solution often needs to be re-developed.

Disclosure of Invention

Aiming at the key problems of high resource overhead, poor environmental adaptability and insufficient algorithm extensibility in the prior art, the invention provides an edge computing environment-oriented self-adaptive identity authentication policy scheduling method and system, which realize r