Safety protection system based on mobile edge calculation

Document No.: 882989  Publication date: 2021-03-19  Views: 21  Language: Chinese

Reading note: this technology, 一种基于移动边缘计算的安全防护系统 (Safety protection system based on mobile edge calculation), was designed and created by an undisclosed inventor on 2020-11-24. Its main content is as follows: the invention relates to the technical field of mobile edge computing security protection and discloses a security protection system based on mobile edge computing, comprising a physical isolation gatekeeper deployed at the entrance of the mobile edge computing node network, on which communication authority authentication system software and data packet filtering system software are installed and running. The physical isolation gatekeeper keeps the mobile edge computing node network completely disconnected from the public network under normal conditions; the communication authority authentication system on the gatekeeper authenticates the communication authority of a user end on the public network that requests communication, and the data packet filtering system on the gatekeeper performs a security check on the data packets sent by that user end, so that the security of the mobile edge computing node network is ensured on the basis of physical isolation between the mobile edge computing node network and the public network. The invention solves the problem that edge nodes with poor security in a mobile edge computing network are easily intruded upon illegally.

1. A mobile edge computing based security protection system, comprising: the physical isolation gatekeeper is deployed at the entrance of the mobile edge computing node network, is provided with and runs communication authority authentication system software and data packet filtering system software, and enables the mobile edge computing node network to be completely disconnected from a public network under normal conditions.

2. The security protection system based on mobile edge computing according to claim 1, wherein the method for registering the legal communication right of the communication right authentication system on the physical isolation gatekeeper specifically comprises:

the communication authority authentication system randomly generates an elliptic curve E over the binary field F_2 and randomly selects a point R on the elliptic curve E as the base point;

the user end on the public network randomly selects a private key k in the binary field F_2;

the communication authority authentication system automatically generates the public key K in the binary field F_2, such that K = kR holds.

3. The mobile edge computing-based security protection system according to claim 2, wherein the legal communication right authentication of the communication right authentication system specifically comprises:

the user end on the public network randomly selects a random number r in the binary field F_2;

the communication authority authentication system automatically generates a random number b in the binary field F_2; R_1 = rR is calculated, and R_1 lies on the elliptic curve E;

the user side on the public network calculates S = r + bk and sends S to the communication authority authentication system;

the communication authority authentication system verifies whether the equation SR = R_1 + bK holds;

and if the equation holds, the user side on the public network has legal communication authority.

4. The mobile edge computing-based security protection system according to claim 3, wherein the packet filtering system on the physical isolation gatekeeper performs a security check on the data packets, and the security check method comprises: the packet filtering system sequentially puts the received packets into a shared input buffer, takes out the first n encapsulated packets in the buffer queue and combines them into a new matrix U_{m×n}; it creates a sub-matrix V_{n×n} ∈ U_{m×n} of U_{m×n}, in which each column vector V_i (1 ≤ i ≤ n) of V_{n×n} is independently and randomly selected from the matrix U_{m×n}; it performs the calculation on the matrix V_{n×n} and then, according to the calculation result, drops the linearly correlated packets in U_{m×n}.

Technical Field

The invention relates to the technical field of mobile edge computing safety protection, in particular to a safety protection system based on mobile edge computing.

Background

With the rapid development of mobile networks and the diversification of service scenarios, mobile computing technology is gradually shifting from centralized mobile cloud computing to Mobile Edge Computing (MEC), which aims to push mobile computing, network control and storage to the network edge, providing an IT service environment and cloud computing functions at the edge of the mobile network in order to reduce latency and thereby ensure efficient network operation and service delivery. MEC has the characteristics of location awareness, mobility support, low latency, dispersion and distribution, can better meet the new requirements of the Internet of Things, 5G and mobile devices, and is a good supplement and extension of cloud computing. Security has been well and widely researched in cloud computing, but because MEC nodes are dispersed over a large area and centralized control is very difficult, an edge node with poor security can become an entry point for an intruder into the MEC network, and once the intruder is inside the network, the private data that users exchange between entities can be mined and stolen.

Disclosure of Invention

(I) Technical problem to be solved

Aiming at the defects of the prior art, the invention provides a security protection system based on mobile edge computing, which aims to solve the technical problem that edge nodes with poor security in a mobile edge computing network are easily intruded upon illegally.

(II) Technical scheme

In order to achieve the purpose, the invention provides the following technical scheme:

a mobile edge computing based security protection system comprising: the physical isolation gatekeeper is deployed at the entrance of the mobile edge computing node network, is provided with and runs communication authority authentication system software and data packet filtering system software, and enables the mobile edge computing node network to be completely disconnected from a public network under normal conditions.

Further, the method for registering the legal communication right of the communication right authentication system on the physical isolation gatekeeper specifically includes:

the communication authority authentication system randomly generates an elliptic curve E over the binary field F_2 and randomly selects a point R on the elliptic curve E as the base point;

the user end on the public network randomly selects a private key k in the binary field F_2;

the communication authority authentication system automatically generates the public key K in the binary field F_2, such that K = kR holds.

Further, the legal communication authority authentication of the communication authority authentication system specifically includes:

the user end on the public network randomly selects a random number r in the binary field F_2;

the communication authority authentication system automatically generates a random number b in the binary field F_2; R_1 = rR is calculated, and R_1 lies on the elliptic curve E;

the user side on the public network calculates S = r + bk and sends S to the communication authority authentication system;

the communication authority authentication system verifies whether the equation SR = R_1 + bK holds;

and if the equation holds, the user side on the public network has legal communication authority.

Further, the data packet filtering system on the physical isolation gatekeeper performs a security check on the data packets, and the security check method includes: the packet filtering system sequentially puts the received packets into a shared input buffer, takes out the first n encapsulated packets in the buffer queue and combines them into a new matrix U_{m×n}; it creates a sub-matrix V_{n×n} ∈ U_{m×n} of U_{m×n}, in which each column vector V_i (1 ≤ i ≤ n) of V_{n×n} is independently and randomly selected from the matrix U_{m×n}; it performs the calculation on the matrix V_{n×n} and then, according to the calculation result, drops the linearly correlated packets in U_{m×n}.

(III) Advantageous technical effects

Compared with the prior art, the invention has the following beneficial technical effects:

the invention deploys, at the entrance of a mobile edge computing node network, a physical isolation gatekeeper running communication authority authentication system software and data packet filtering system software. The communication authority authentication system on the gatekeeper authenticates the communication authority of a user end on the public network that requests communication; only if that terminal has legal communication authority does the gatekeeper establish a non-TCP/IP data connection with it. After the connection is established, the data packet filtering system on the gatekeeper performs a security check on the data packets sent by the user end. After the security check, the gatekeeper strips all protocols and writes only the raw data into a storage medium; once the data has been completely written to the storage medium of the gatekeeper, the gatekeeper immediately interrupts the connection with the public network, initiates a non-TCP/IP data connection to the mobile edge computing node network, and pushes the data in the storage medium to that network. On receiving the data, the mobile edge computing node network immediately performs TCP/IP encapsulation and application protocol encapsulation and delivers the data to the application system of the mobile edge computing node. Once the console receives the exchange-complete signal, the gatekeeper immediately cuts off the direct connection between the isolation equipment and the mobile edge computing node network;

therefore, on the basis of ensuring physical isolation between the mobile edge computing node network and the public network, the security of the mobile edge computing node network is ensured;

therefore, the technical problem that edge nodes with poor security in a mobile edge computing network are easily intruded upon illegally is solved.

Detailed Description

The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

A mobile edge computing based security protection system comprising: the physical isolation gatekeeper is deployed at the entrance of the mobile edge computing node network, is provided with and runs communication authority authentication system software and data packet filtering system software, and enables the mobile edge computing node network to be completely disconnected from a public network under normal conditions;

when a user terminal on a public network sends a communication request to a mobile edge computing node on a mobile edge computing node network, a communication authority authentication system on a physical isolation gatekeeper authenticates the communication authority of the user terminal on the public network, and the authentication method comprises the following steps:

if the user side on the public network sends a communication request to the mobile edge computing node on the mobile edge computing node network for the first time, the communication authority authentication system carries out interactive communication with the user side on the public network, firstly completes the legal communication authority registration of the user side on the public network, and then completes the legal communication authority authentication of the user side on the public network;

the legal communication authority registration method specifically comprises the following steps:

the communication authority authentication system randomly generates an elliptic curve E over the binary field F_2 and randomly selects a point R on the elliptic curve E as the base point;

the user terminal on the public network randomly selects a private key k in the binary field F_2;

the communication authority authentication system automatically generates the public key K in the binary field F_2, such that K = kR holds;

if the user side on the public network does not send a communication request to the mobile edge computing node on the mobile edge computing node network for the first time, the communication authority authentication system performs interactive communication with the user side on the public network to complete the legal communication authority authentication of the user side on the public network, and the method specifically comprises the following steps:

the user terminal on the public network randomly selects a random number r in the binary field F_2, the communication authority authentication system automatically generates a random number b in the binary field F_2, R_1 = rR is calculated, and R_1 lies on the elliptic curve E;

the user side on the public network calculates S = r + bk and sends S to the communication authority authentication system;

the communication authority authentication system verifies whether the equation SR = R_1 + bK holds;

if the above equation is established, the user side on the public network has legal communication authority; otherwise, the user side on the public network does not have legal communication authority;
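The registration and challenge-response steps above (and the identical steps in claims 2 and 3 and in the disclosure) as an added example, not code from the patent: K = kR at registration, then R_1 = rR, S = r + bk and the gatekeeper's check SR = R_1 + bK. The patent specifies a curve over the binary field F_2; as an assumption, a constructed toy curve over the prime field F_23 is substituted so the group arithmetic stays short, and scalars are reduced modulo the order of the base point.

```python
import secrets

# Constructed toy curve y^2 = x^3 + x + 1 over F_23 (a cyclic group of 28 points),
# substituted for the patent's binary-field curve. Not a secure parameter set.
P, A = 23, 1
R = (0, 1)      # base point chosen by the authentication system
N = 28          # order of R (28*R is the point at infinity)
INF = None      # point at infinity

def ec_add(p1, p2):
    """Affine point addition, including doubling and the point at infinity."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                       # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def register(k):
    """Registration: the user keeps private key k; the gatekeeper stores K = kR."""
    return ec_mul(k, R)

def respond(k, r, b):
    """User side: answer the gatekeeper's challenge b with S = r + b*k (mod N)."""
    return (r + b * k) % N

def verify(K, R1, S, b):
    """Gatekeeper side: accept only if S*R == R1 + b*K."""
    return ec_mul(S, R) == ec_add(R1, ec_mul(b, K))

def authenticate(k, K):
    """One full exchange: the user commits R1 = rR, the gatekeeper challenges with b."""
    r = secrets.randbelow(N - 1) + 1     # user's fresh random r
    b = secrets.randbelow(N - 1) + 1     # gatekeeper's fresh random b
    return verify(K, ec_mul(r, R), respond(k, r, b), b)
```

A user holding a private key other than the registered k fails the check because SR and R_1 + bK then differ by b(k' - k)R, which is never the point at infinity for a challenge b between 1 and N - 1 when k' - k = 1.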

if the user side on the public network is a communication terminal with legal communication authority, the isolation gatekeeper establishes data connection of a non-TCP/IP protocol with the user side on the public network;

the data packet filtering system on the physical isolation gatekeeper performs a security check on the data packets sent by the user terminal on the public network, and the security check method comprises: the packet filtering system sequentially puts the received packets into a shared input buffer, takes out the first n encapsulated packets in the buffer queue and combines them into a new matrix U_{m×n}; it creates a sub-matrix V_{n×n} ∈ U_{m×n} of U_{m×n}, in which each column vector V_i (1 ≤ i ≤ n) of V_{n×n} is independently and randomly selected from the matrix U_{m×n}; it performs the calculation on the matrix V_{n×n} and then, according to the calculation result, drops the linearly correlated packets in U_{m×n};
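The "linearly correlated packet" drop of the packet filtering system (this step, claim 4 and the disclosure) as an added example, not the patent's code: each buffered packet is treated as a column of U over GF(2), and a packet lying in the span of the packets already accepted is discarded. As an assumption it checks the whole buffer incrementally rather than the patent's randomly sampled n×n sub-matrix V, and the packet contents are constructed.

```python
# Constructed sample packets for the shared input buffer. Assumption: a packet
# is a bit vector over GF(2), so a packet equal to the XOR of earlier packets
# is linearly correlated with them (an all-zero packet trivially so).
def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

PKT_A = b"\x10\x2a\x00\x01"
PKT_B = b"\x03\x0c\xff\x00"
BUFFER = [PKT_A, PKT_B, xor_bytes(PKT_A, PKT_B),
          b"\x00\x00\x00\x00", b"\x80\x00\x00\x01"]

def gf2_reduce(vec, basis):
    """Reduce the bit vector vec (an int) against a row-echelon basis over GF(2).
    basis maps a leading bit position to the basis row owning that position."""
    while vec:
        lead = vec.bit_length() - 1
        if lead not in basis:
            return vec               # independent: contributes a new leading bit
        vec ^= basis[lead]
    return 0                         # reduced to zero: a combination of basis rows

def filter_linearly_correlated(packets):
    """Walk the buffer in arrival order; keep packets that extend the GF(2) span
    of the packets already kept and drop those that lie inside that span."""
    basis, kept, dropped = {}, [], []
    for pkt in packets:
        reduced = gf2_reduce(int.from_bytes(pkt, "big"), basis)
        if reduced:
            basis[reduced.bit_length() - 1] = reduced
            kept.append(pkt)
        else:
            dropped.append(pkt)
    return kept, dropped

def gf2_rank(packets):
    """Rank over GF(2) of the matrix whose columns are the packets."""
    return len(filter_linearly_correlated(packets)[0])
```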

after the security check, the isolation gatekeeper strips all protocols and writes only the raw data into a storage medium; once the data has been completely written to the storage medium of the gatekeeper, the gatekeeper immediately interrupts the connection with the public network, initiates a non-TCP/IP data connection to the mobile edge computing node network, and pushes the data in the storage medium to that network; on receiving the data, the mobile edge computing node network immediately performs TCP/IP encapsulation and application protocol encapsulation and delivers the data to the application system of the mobile edge computing node; and once the console receives the exchange-complete signal, the gatekeeper immediately cuts off the direct connection between the isolation equipment and the mobile edge computing node network;

although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.
