A communication data security analysis processing method and system, and a storage medium
By using edge node monitoring and differential privacy technology, an access frequency map is generated and a target communication subset is filtered to identify abnormal communication data. This solves the problems of data leakage and long query time in the Industrial Internet of Things and achieves efficient anomaly identification and risk location.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SHANDONG CLOUD SKY SECURITY TECH CO LTD
- Filing Date
- 2026-04-08
- Publication Date
- 2026-06-19
AI Technical Summary
Existing technologies pose a high risk of data leakage and result in long data fragmentation and query times in scenarios such as the Industrial Internet of Things, thus affecting communication efficiency.
By generating access frequency maps through edge node monitoring, and combining differential privacy noise and gradient aggregation, target communication subsets are filtered, abnormal communication data is identified, and target scenarios are locked in through risk solving and listening blocking optimization.
It improves data processing accuracy and anomaly identification efficiency, reduces data processing interference, and ensures the continuity of communication services and environmental adaptability.
Smart Images

Figure CN122001683B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of communication technology, specifically to a communication data security analysis and processing method, system, and storage medium. Background Technology
[0002] With the large-scale deployment of IoT technology, the number of terminal devices in scenarios such as industrial IoT, smart parks, and urban rail transit is growing explosively. Traditional centralized processing requires the aggregation of massive amounts of sensitive data, which poses a high risk of data leakage. Furthermore, traditional fixed sharding strategies can easily lead to data fragmentation, and cross-shard queries are time-consuming, affecting the efficiency of processing massive amounts of data.
[0003] For example, Chinese Invention Patent Publication No. CN119583216A discloses a data security analysis system and method for wireless communication devices, belonging to the field of artificial intelligence technology. This invention records information about wireless communication devices within an enterprise, obtains the enterprise's wireless network architecture, monitors data traffic, and sends a dataset of wireless communication devices by combining the wireless communication device information and network topology diagram. It establishes normal communication behavior patterns through an ARIMA model; for mobile devices within the wireless communication equipment, it establishes a correlation with their movement trajectories within the enterprise campus; for fixed devices, it establishes a correlation with business applications; it uses a neural network algorithm to train a neural network model, learns normal communication behavior patterns, and identifies abnormal patterns in the wireless communication device dataset; when an abnormal pattern is detected, it automatically records detailed information about the abnormal event, takes corresponding measures for the abnormal device according to a preset security policy, and sends an alarm notification to the enterprise's security management team.
[0004] For example, Chinese Invention Patent Publication No. CN120415917A discloses a communication dynamic analysis method for virtual network security, which relates to the field of network security technology. The method includes: acquiring a communication time sequence; performing multi-scale decomposition on the communication time sequence to obtain a baseline communication time sequence; calculating the slope and propagation rate, and determining abnormal communication data based on the slope and propagation rate; determining continuous abnormal communication data based on the periodic characteristics of the abnormal communication data and its propagation order in network nodes, and using reverse time-series recursive analysis to determine the starting node and propagation path of the continuous abnormal communication data; inputting the abnormal data characteristics of the starting node and propagation path of the continuous abnormal communication data into an LSTM neural network model to predict subsequent abnormal nodes.
[0005] Existing technologies use time series autocorrelation and partial correlation processing, combined with base station deployment for communication anomalies, to identify and process communication behavior; or they use the propagation rate after multi-scale decomposition to determine the starting point of continuous anomalies by node backtracking. However, existing technologies tend to focus on identifying and processing abnormal communication behavior, which has the problems of high data leakage risk and long data fragmentation query time, which can easily lead to the accumulation of security risks, thereby affecting the overall system efficiency and causing a decrease in communication efficiency in multiple scenarios. Summary of the Invention
[0006] To solve the above-mentioned technical problems, the technical solution adopted by the present invention is: a communication data security analysis and processing method, including: S1, generating communication data containing device number, associated device, scene tag and node location based on the access frequency of each IoT scenario monitored by edge nodes.
[0007] S2, obtain the region node corresponding to the edge node, and assign differential privacy noise to the edge node according to the scene label of the region node; add noise when the edge node uploads data, and filter the target communication subset of the edge node to cooperate after the gradient of the region node is summarized.
[0008] S3, based on the logical coordination and temporal continuity of the target communication subset, and combined with the indirect access path composed of edge nodes and regional nodes, extracts abnormal communication data under time-delay coordination.
[0009] S4. Based on the abnormal time and abnormal response intensity related to the abnormal communication data, the scene label, node location and time period of the abnormal communication data are transformed into constraints to solve the risk coordination factors when the data is abnormal.
[0010] S5 monitors scenarios where risk synergy factors occur. When a new risk synergy factor is detected, it performs blocking optimization on indirect access paths to lock the target scenario for data analysis.
[0011] A communication data security analysis and processing system includes: a communication sampling module, used to generate communication data containing device number, associated device, scene tag and node location based on the access frequency of each scene in an IoT scenario monitored by edge nodes.
[0012] The data aggregation module is used to obtain the regional nodes corresponding to the edge nodes. The regional nodes assign differential privacy noise to the edge nodes according to the scene label. Noise is added when the edge nodes upload data. After the gradient aggregation of the regional nodes, the target communication subset for collaborative operation of the edge nodes is selected.
[0013] The collaborative judgment module is used to extract abnormal communication data under time-delay collaboration based on the logical coordination and temporal continuity of the target communication subset and in conjunction with the indirect access path composed of edge nodes and regional nodes.
[0014] The risk resolution module is used to convert the scenario label, node location, and time period of abnormal communication data into constraints based on the abnormal time and abnormal response intensity related to the abnormal communication data, and to solve the risk coordination factors when the data is abnormal.
[0015] The scenario locking module is used to monitor scenarios where risk collaboration factors occur. When a new risk collaboration factor is detected, it performs blocking optimization on indirect access paths to lock the target scenario for data analysis.
[0016] A storage medium storing computer instructions for causing a computer to execute any of the above-described communication data security analysis and processing methods.
[0017] The beneficial effects of this invention are as follows: First, this invention constructs a stacked map of edge node access frequency in an IoT scenario based on edge node monitoring, and combines this with associated devices to complete data sorting and determine the communication data of each edge node. It also completes the binding of scene tags with node locations, providing a data foundation for subsequent data scene positioning.
[0018] Second, this invention assigns differential privacy noise to edge nodes based on scene labels, adds noise locally when edge nodes upload data, and performs gradient aggregation at regional nodes. Simultaneously, it divides continuous time windows based on the collaborative operation status of multiple edge nodes, determining gradient data with lag time, access frequency, and collaborative communication counts as core dimensions, and performing gradient vector pruning. This clarifies the data theme for analysis in the current scene and aligns the gradients according to time sequence, ensuring the adaptability of the current data to the scene, thereby improving the accuracy of data processing.
[0019] Third, this invention extracts abnormal communication data under time-delay coordination by using the logical coordination and temporal continuity of the target communication subset as dual benchmarks, combined with the indirect access path composed of edge-region nodes; and identifies abnormal communication data according to the time-delay coordination deviation and the communication time of adjacent time windows in sequence; thus realizing the abnormal identification of multi-node collaborative scenarios, ensuring the integrity of the abnormal propagation link, and improving the traceability and location efficiency of abnormal data.
[0020] IV. This invention transforms scene labels, node locations, and time periods into three major constraints based on the abnormal time and intensity of abnormal communication data. It quantifies the probability of node anomalies by using the ratio of abnormal access frequency to normal access frequency. Based on the connection direction of abnormal nodes, it constructs a joint probability of risk propagation and evolution. Using the data after risk propagation and evolution as input, it determines the root cause node of abnormal communication through cross-validation and outputs the core risk synergistic factors. By limiting the scope of risk solution, it reduces interference data during data processing. Simultaneously, through repeated processing over multiple time periods, it prevents the differential privacy-enhanced noisy portion from being misidentified as abnormal data, further improving the accuracy of risk localization. Finally, based on the solved data, it locates risk scenarios through risk monitoring, ensuring the continuity of IoT communication services and environmental adaptability. Attached Figure Description
[0021] The present invention will be further described below with reference to the accompanying drawings and embodiments.
[0022] Figure 1 This is a flowchart illustrating a communication data security analysis and processing method.
[0023] Figure 2 This is a flowchart illustrating step S2 of a communication data security analysis and processing method.
[0024] Figure 3 This is a flowchart illustrating step S3 of a communication data security analysis and processing method.
[0025] Figure 4 This is a flowchart illustrating step S4 of a communication data security analysis and processing method.
[0026] Figure 5 This is a flowchart of step S5 of a communication data security analysis and processing method.
[0027] Figure 6 This is a system framework diagram of a communication data security analysis and processing system. Detailed Implementation
[0028] The embodiments of the present invention are described in detail below. The embodiments described below are exemplary and are only used to explain the present invention, and should not be construed as limiting the present invention. Where specific techniques or conditions are not specified in the embodiments, they shall be performed in accordance with the techniques or conditions described in the literature in the art or in accordance with the product manual.
[0029] See Figure 1 A communication data security analysis and processing method includes: S1, generating communication data containing device number, associated device, scene tag and node location based on the access frequency of each IoT scenario monitored by edge nodes.
[0030] S2, obtain the region node corresponding to the edge node, and assign differential privacy noise to the edge node according to the scene label of the region node; add noise when the edge node uploads data, and filter the target communication subset of the edge node to cooperate after the gradient of the region node is summarized.
[0031] S3, based on the logical coordination and temporal continuity of the target communication subset, and combined with the indirect access path composed of edge nodes and regional nodes, extracts abnormal communication data under time-delay coordination.
[0032] S4. Based on the abnormal time and abnormal response intensity related to the abnormal communication data, the scene label, node location and time period of the abnormal communication data are transformed into constraints to solve the risk coordination factors when the data is abnormal.
[0033] S5 monitors scenarios where risk synergy factors occur. When a new risk synergy factor is detected, it performs blocking optimization on indirect access paths to lock the target scenario for data analysis.
[0034] In one specific embodiment of this application, data from each edge node is processed based on distributed storage and federated learning mechanisms. The edge nodes are nodes deployed in an edge computing environment, used to continuously store time-series data of the same device within a preset time window, and to establish retrieval indexes for associated devices. Simultaneously, the collected data is synchronized to multiple edge nodes. Each edge node transmits data to its corresponding regional node through gradient aggregation. The regional node further uploads the aggregated gradient data to the cloud, thereby achieving collaborative processing of communication data.
[0035] Specifically, the edge nodes are configured to store high-frequency real-time data of the same device within 72 hours; the regional nodes are configured to store relevant data of the corresponding associated devices within 3 months; and the cloud is used to store the remaining data, including low-frequency real-time data and data of its associated devices.
[0036] Furthermore, when sorting data based on access frequency, the configuration can be tailored to the actual needs of the IoT scenario. For example, for IoT scenarios requiring second-level response, data updated at least once per second is defined as high-frequency data and deployed on edge nodes to enable real-time acquisition of high-frequency data by the edge nodes. Simultaneously, the real-time data content configured on each edge node can be dynamically adjusted according to the specific needs of the IoT scenario.
[0037] The specific implementation method for extracting communication data of each edge node in step S1 includes: S11, for the IoT scenario where the edge nodes are deployed, obtain the access frequency of each edge node, and construct an access frequency stacking map corresponding to all data in the edge node based on the access frequency; wherein, the access frequency stacking map is used to count the access frequency of data within a specific time period with access data as the horizontal axis and access count as the vertical axis.
[0038] S12, based on the access frequency stacking map and the associated devices corresponding to the current data, the data of each edge node is sorted to determine the communication data processed by each edge node. The data sorting is used to migrate hot data from the currently accessed data to the edge nodes, thereby improving the system's response speed to data access.
[0039] In one embodiment of the present invention, step S2 uploads the acquired communication data using a gradient extraction method and performs multi-device collaborative filtering to obtain a collaboratively running communication subset from the regional nodes, which is used to characterize the multi-terminal data combination in the regional aggregation scenario.
[0040] Specifically, in the scenario of edge node configuration, each edge node stores its own high-frequency data in real time. Regional nodes receive gradient data uploaded by the edge nodes after training, and during the gradient data upload process, differential privacy configuration is performed based on the storage status of adjacent edge nodes. Regional nodes aggregate the gradient data and synchronize it to the cloud, dynamically adjusting the storage location of the edge nodes according to the data access frequency to reduce data transmission latency during federated learning.
[0041] The configuration method for differential privacy noise is set based on the data acquisition scenario. A privacy budget ε is selected according to the acquisition scenario; for example, ε is set to 0.5 for medical data scenarios and 1.0 for industrial data scenarios. Global sensitivity is then set based on the maximum change in adjacent datasets during access, thus enabling the configuration of differential privacy noise.
[0042] like Figure 2 As shown, the implementation method of selecting the target communication subset for collaborative operation of edge nodes in step S2 includes: S21, based on the node location corresponding to the edge node, the continuous time is divided according to the collaborative operation status between multiple edge nodes to determine the gradient data uploaded by each edge node in the corresponding time period; wherein, the collaborative operation status refers to the state in which multiple edge nodes jointly execute tasks under the same regional node.
[0043] At each edge node, the system determines its feature dimensions based on the composition of high-frequency real-time data and extracts gradient features in multiple dimensions as the current output gradient data.
[0044] With subsequent data processing dimensions focused on time lag analysis, collaborative analysis, and access frequency statistics, the access behavior of edge node data is focused on the above three dimensions. Based on the gradient values of the corresponding dimensions, the edge nodes under different regional nodes are summarized in gradient to determine the access form in the global scenario.
[0045] Specifically, in this embodiment, the method for determining the gradient data uploaded by each edge node within the corresponding time period includes: constructing a gradient dataset based on the lag time and number of collaborative communications under the same collaborative task; constructing gradient vectors by using the lag time, access frequency, and number of collaborative communications in the gradient dataset as statistical dimensions; and outputting gradient data by performing gradient clipping on each gradient vector.
[0046] The gradient clipping is used to limit the gradient of the parameters within a preset range to prevent the gradient from being too large and causing data processing instability. At the same time, it unifies the gradient value range, ensures the consistency of differential privacy noise addition, and improves the stability of privacy protection effect.
[0047] Furthermore, the gradient dataset uses direct access frequency, indirect access frequency, lag time, and number of collaborative communications as statistical dimensions. Based on the current scenario analysis requirements, it is transformed into the original values of different time periods, the average value of multiple time periods, the fluctuation value, and the standard deviation, which serve as the gradient dataset for current processing. This enables subsequent data to be statistically analyzed based on the three dimensions of time lag analysis, collaborative analysis, and access frequency, thereby illustrating the configuration process of the federated learning framework in high-frequency access scenarios.
[0048] Direct access refers to data requests that directly access the corresponding edge node, with the communication path being: terminal device → belonging edge node → home region node → cloud; indirect access refers to non-direct connection jump access across edge nodes, meaning that the access request or data packet is not directly uploaded from the source edge node to its home region node, but is relayed and forwarded through one or more other edge nodes; latency refers to the delay time generated during the response to the access request; the number of collaborative communication times refers to the number of communication interactions between multiple edge nodes or multiple devices, and its data is essentially used to characterize access behaviors related to collaborative tasks, and serves as a statistical identifier for identifying collaborative operation status and the basis for setting up device collaboration groups.
[0049] S22, for the gradient data of all edge nodes after adding noise, mark the devices in the collaborative operation state as the device collaboration group.
[0050] By applying differential privacy protection to the data, the location privacy of each edge node is guaranteed, thereby preventing the risk of data intrusion. If it is necessary to aggregate the relative working status between different nodes, a privacy budget related to location protection should be set on the basis of the gradient protection budget, and the efficiency of subsequent analysis of related devices should be improved by using relatively coordinated working identifiers.
[0051] The above process aims to illustrate that while protecting the privacy of edge node locations, it is necessary to preserve the relative spatial correlation between different edge nodes when performing tasks, so as to avoid the distortion of gradient aggregation in subsequent collaborative analysis due to missing location information, which in turn affects the abnormal analysis results of global data.
[0052] S23, perform gradient temporal alignment on multiple edge nodes within the same device collaboration group, and segment the scene based on temporal similarity. Specifically, a sliding window corresponding to the gradient data is set, whereby the sliding window represents a time period of a specific length. The gradient data within the sliding window is temporally aligned, and dynamic time warping (DTW) is used to calculate the aligned temporal similarity. Based on this similarity, the data within the same device collaboration group is segmented to mark groups of data with different temporal similarities.
[0053] Specifically, for any two edge nodes within the same device collaboration group, a distance matrix is constructed based on the data points output by their gradient data. The distance is accumulated recursively through the distance matrix, and the minimum accumulated distance after temporal alignment is taken as the temporal similarity. The smaller this value, the higher the overall similarity between the two after temporal alignment, and the stronger their temporal collaboration consistency.
[0054] Furthermore, the minimum cumulative distance calculated by DTW is normalized to obtain a temporal similarity value between 0 and 1. Data with a similarity greater than the historical average temporal similarity of the same scene are selected for scene segmentation, thereby obtaining multiple sets of data from different temporal scenes.
[0055] S24, after the scene is divided, the data is summarized according to the scene label, time window and device collaboration group hierarchy to obtain a gradient aggregation dataset of multiple edge nodes, and the target communication subset is selected from the gradient aggregation dataset.
[0056] The target communication subset is divided according to the above processing procedure, and data in the same scene label, the same continuous time window and the same device collaboration group are matched to complete the output of the target communication subset.
[0057] Among them, gradient aggregation refers to the incremental aggregation and statistics of communication data uploaded by regional nodes to their subordinate edge nodes according to the hierarchy of scene tags, time windows, and device collaboration groups. Only statistics such as access frequency, latency, and number of collaborative communications are aggregated to reduce transmission and computing overhead.
[0058] In one embodiment of the present invention, step S3 adopts a horizontal federated learning approach, using the communication time and lag time of edge nodes as the verification content to determine abnormal communication data in the indirect access process.
[0059] In the process of horizontal federated learning, local edge nodes do not directly upload gradients to the aggregation node. Instead, they perform access behaviors such as hop forwarding, gradient fragment relay, or shared transmission through one or more edge nodes. The indirect access path refers to the path taken by the multi-hop forwarding behavior within a single processing cycle.
[0060] To prevent the original data from being reconstructed through gradient inversion, edge nodes split local data into multiple fragments when forwarding data, and forward each fragment to different edge nodes through different indirect access paths for collaborative forwarding, thereby achieving collaborative forwarding in multi-party secure computation.
[0061] Furthermore, the abnormal communication data is used to verify the abnormal parts of node processing time delay and node gradient, so as to characterize the abnormal situation that exists in the process of uploading multiple data loads.
[0062] like Figure 3 As shown, when the logical coordination and time continuity of the target communication subset are used as the benchmark in step S3, the implementation method includes: S31, for the devices and associated devices involved in the target communication subset, extract the time delay coordination deviation between the corresponding devices and associated devices, perform business logic checks in sequence, and regard the devices that meet the logic checks as meeting the logical coordination.
[0063] The time-delay coordination deviation is used to characterize the lag time in communication between the corresponding device and its associated device in the target communication subset. If authorized access exists between the two and the lag time is within the allowable range, it is considered data content that conforms to logical coordination.
[0064] Specifically, firstly, a pre-configured IoT device association map is invoked, which includes direct or indirect access permissions between devices, business timing requirements, and allowed time delay ranges; then, a map query is performed on the devices and associated devices involved in the target communication subset.
[0065] If two devices have an authorized access edge in the graph and the access direction conforms to the business logic (e.g., sensor → controller), then the time delay coordination verification process is initiated; if there is no authorized edge or the access direction does not conform to the logic, then the corresponding communication data is directly determined as abnormal communication data.
[0066] In the time-delay coordination verification process, for device pairs with authorized edges, the communication lag time between the two is extracted and compared with the allowed lag time for the service. If the lag time is not within the allowed range, it indicates that the time lag is excessive and there is an abnormality in the collaborative communication, and it is directly judged as abnormal communication data; otherwise, proceed to the next step to identify the path for indirect access.
[0067] For the verification and processing of indirect access, since indirect access involves special scenarios such as device collaboration, relay communication and fragmented transmission, if a failed node or zombie node appears in the indirect access, it indicates that there may be a network penetration attack in the current communication process. It is necessary to determine the specific path of the indirect access, and to judge whether the indirect access is normal through path pruning and logical evolution, and then extract the corresponding abnormal communication data.
[0068] For abnormal situations in direct communication, data verification can be completed directly through business logic checks.
[0069] S32, based on the indirect access path of the target communication subset within a continuous time period, perform time continuity analysis on each path node in the indirect access path in sequence to determine the failed nodes in the indirect access path; wherein, the indirect access path refers to the path formed by statistically analyzing the indirect access situation through edge nodes in the same device collaboration group and connecting them according to the node positions of relevant edge nodes and regional nodes.
[0070] Specifically, the indirect access path starts with the fragmented forwarding edge node, uses other edge nodes as intermediate nodes, and ends with the finally accessed regional node, connecting the corresponding nodes sequentially according to the communication sequence to form the indirect access path in the current scenario.
[0071] The method for determining failed nodes in an indirect access path includes: for each path node in the indirect access path, based on the timing of the data received by the node, selecting the same path node within an adjacent time window and obtaining its communication time within the adjacent time window; from the adjacent time window, using the communication time of the path node to determine whether there is communication within each time window, setting a communication identifier for the communication time, and filtering failed nodes according to the communication identifier.
[0072] Specifically, taking any two time periods as the test objects, determine whether their communication status is continuous no communication + no communication, communication interruption + no communication, communication recovery + no communication, and normal communication status. Record these as communication identifiers. Among the marked communication identifiers, only data with continuous communication proceeds to the next step of judgment, while data with recovered communication needs to be monitored again. Other data are directly output as abnormal communication data and marked as failed nodes.
[0073] S33, using the failed nodes in the indirect access path, mark the abnormal access start point and abnormal access end point, and construct a directed connection path.
[0074] The abnormal access starting point is used to characterize the starting position of the failed node in the indirect access path. The endpoint of the abnormal access is determined according to the form of a connectable path, and the relevant edge nodes are connected to form a directed connection path of abnormal access combination.
[0075] S34, take the intersection of the directed connection paths as the target node, and determine the abnormal communication data to be output based on the number of incoming and outgoing edges of the target node.
[0076] If the intersection is empty, it indicates that the problem parts in each indirect access are different, and the directed connection path corresponding to the empty set is taken as the output abnormal communication data.
[0077] If the intersection is not empty, the directed connection path corresponding to the intersection is determined according to the intersection part under each indirect access, and it is used as the abnormal communication data with priority output, and output in multiple batches in sequence; thus, the abnormal communication is processed with priority for cases with intersection and with secondary priority for cases without intersection.
[0078] Furthermore, the number of incoming and outgoing edges of the target node is used to characterize the aggregation situation during the node jump process. If the intersection is not empty and there are multiple sets of values for the number of incoming and outgoing edges, the value of the number of incoming and outgoing edges is used as the basis for the output order, the order of data output is adjusted, the abnormal aggregation parts are determined in sequence, and the failed nodes are pruned simultaneously to disconnect the connection with the failed nodes, so as to maintain the normal operation of edge nodes and regional nodes.
[0079] In one embodiment of the present invention, step S4 performs risk propagation processing on abnormal communication, quantifies the node abnormality probability and risk propagation path of abnormal communication under a specific access frequency, and combines the specific scenario, node location and time period explained by the constraint conditions into the output risk coordination factor.
[0080] like Figure 4As shown, the implementation method of solving the risk coordination factors when data anomalies in step S4 includes: S41, taking the node location corresponding to the abnormal communication data as the abnormal communication node to be processed, using the access frequency of the abnormal communication node in a unit time as the abnormal response intensity, and quantifying the node anomaly probability by the ratio of the abnormal access frequency to the total access frequency. Specifically, for each edge node in the abnormal communication dataset, its abnormal access frequency in the abnormal time period is counted, and combined with the total access frequency in the historical data stored in the cloud for that period, the node anomaly probability is calculated.
[0081] S42, based on the position of the abnormal communication node in the indirect connection path, sort out the connection direction between the abnormal communication node and other nodes in the indirect connection path, and construct the joint probability in the risk propagation evolution process.
[0082] S43 uses the data after the risk propagation and evolution as the input for cross-validation, selects the root cause node of abnormal communication, and takes the corresponding node as the output risk coordination factor.
[0083] The risk propagation evolution is implemented in this embodiment by: connecting each abnormal communication node based on the node position of the abnormal communication node in the indirect connection path to form multiple sets of connected subgraphs; each set of connected subgraphs is used to represent the connection direction between the current abnormal communication node and other nodes, that is, the directed jump relationship between the abnormal edge node and other edge nodes.
[0084] For each connected subgraph, the conditional probabilities between any two nodes are calculated to form a conditional probability table; the conditional probabilities obtained here are the aforementioned joint probabilities, which are used to characterize the conditional probability that the next node will be abnormal given that the previous node is abnormal.
[0085] Starting from the node with the highest probability of being abnormal in the connected subgraph, establish connections with other nodes sequentially along the corresponding connection direction of the connected subgraph.
[0086] For the connected edges, the edges with conditional probabilities greater than the preset probability value are recorded to form a risk propagation path; wherein, the preset probability value represents the baseline anomaly probability value in the anomaly propagation process, and its value is based on the average value of historical data sampling under the corresponding constraints.
[0087] The risk propagation path is repeatedly simulated, and the path that appears most frequently is used as the evolved data for risk propagation. This process uses multi-window repeated authentication to avoid misjudging the artifacts caused by differential privacy noise as abnormal communication in the current scenario, thereby improving the accuracy of communication judgment in the horizontal federated learning model.
[0088] In one implementation of the above-mentioned selection of the root cause node for abnormal communication, the process includes: calculating the influence intensity of each node in the input risk propagation path, where the influence intensity is the sum of the decreases in conditional probability of other nodes after removing that node; and selecting the node with the highest influence intensity as the output root cause node. The root cause node output in this process represents the node with the greatest impact on the overall system, directly affecting the security of the entire communication system. Alternatively, by splitting the data corresponding to the current risk propagation path proportionally to form multiple sample sets, reprocessing the risk propagation path for each sample set, and using the intersection of the processing results of multiple sample sets as the output root cause node; this process emphasizes the stability and consistency of communication anomalies.
[0089] In one embodiment of the present invention, step S5 involves scene monitoring, deploying listening windows for the edge nodes corresponding to each risk collaboration factor, and adjusting the configuration of indirect access paths based on new risk situations; the purpose is to collect the time and communication data of communication anomalies. When a new risk collaboration factor is discovered, the scenario of abnormal communication is determined by examining the semantic description of the corresponding node. Optimization methods include, but are not limited to: sequentially blocking all indirect access paths corresponding to the node's incoming or outgoing edges, isolating the node, and suspending its gradient sharding forwarding. Subsequently, the effectiveness of the current processing is verified based on the data input in the next time window, and the corresponding scenario is taken as the target scenario for the current analysis and processing. If communication anomalies repeatedly occur under the same scenario, the target scenario is locked to avoid scenario processing confusion, thereby achieving adaptive iteration of node communication and completing the distributed storage and federated learning configuration of the system.
[0090] Specifically, each risk collaboration factor processed is combined into a monitoring rule base according to its characteristic data and processing method. The monitoring rule base stores the blocking processing methods for path jumps and the characteristic data of abnormal access under different scenarios. Its content is integrated and deployed on regional nodes for real-time data processing in subsequent time windows. In this process, regional nodes, in fixed time periods, receive real-time communication data streams uploaded by their subordinate edge nodes after receiving risk collaboration factors, extract features from the data within each time period, and match the extracted features with the monitoring rule base. A new risk collaboration factor is considered to have been detected when any of the following conditions are met: Condition 1, the real-time feature does not appear in the monitoring rule base, its node anomaly probability is greater than or equal to the preset anomaly probability (i.e., greater than the average node anomaly probability recorded in historical data), and the node anomaly probability of this feature is at least among the top three in the current time period.
[0091] Condition 2: The real-time feature belongs to an association that is not recorded in the monitoring rule base, and there are one or more unrecorded contents in the edge node scene or associated device type corresponding to the association.
[0092] Condition 3: The root cause node of this real-time feature is not included in the current monitoring rule base.
[0093] Condition 4: The edge node corresponding to the real-time feature exists in the risk coordination factors of the preceding time period, and the change ratio of the node risk probability of the edge node is greater than or equal to 2 times.
[0094] If any of the above conditions are met, it indicates that a new abnormal form has occurred in the current communication process, and blocking optimization processing needs to be performed.
[0095] like Figure 5 As shown, when locking the target scenario for data analysis in step S5, the implementation method includes: S51, determining the edge nodes involved based on the acquired risk collaboration factors, and retrieving the monitoring rules corresponding to the risk collaboration in the monitoring rule base through the scenario tags corresponding to the edge nodes.
[0096] S52, based on the monitoring rule base, receive real-time communication data of the corresponding edge node. If there are risk collaboration factors in the real-time communication data, match the corresponding data with the monitoring rule base.
[0097] S53 performs hierarchical blocking optimization on indirect access paths based on the matched data content, and uses the scenario during optimization as the target scenario for output.
[0098] Furthermore, the blocking optimization process employs a tiered response mechanism, including: Level 1 is direct blocking, which blocks and stops communication and transmission at edge nodes; Level 2 is soft blocking, which performs preliminary filtering through a whitelist of indirect access paths, allowing only compliant business paths to pass, restricting traffic at abnormal locations on unauthorized paths, and bypassing root cause nodes corresponding to risk synergies; Level 3 is traffic degradation, which identifies the corresponding paths based on the probability of node anomalies and their conditional probabilities, and adjusts the priority of communication traffic in sequence according to the high, medium, and low risk levels identified.
[0099] Preferably, when performing hierarchical blocking optimization, the edge nodes corresponding to the current risk collaboration factors are classified according to the impact intensity corresponding to the real-time communication data.
[0100] Furthermore, using the normalized impact intensity as the basis for grading, historical data from the corresponding scenarios is retrieved, and the impact intensity values are sorted from smallest to largest, with their quartiles used as the grading criteria. Specifically, the 50% and 75% quartiles are selected to divide the levels, and real-time data is sequentially divided into three levels. The 75% quartile represents the abnormal access situation in the vast majority of cases; data exceeding the 75% quartile is directly blocked, and the corresponding data scenario is locked to complete the database configuration for communication anomalies. The 50% quartile represents the overall relative standard situation; the value range corresponding to the 50% to 75% quartile is used to quantify the degree of processing relative to the baseline abnormal situation, and a soft blocking method is used for processing. The remaining data undergoes preliminary processing of abnormal communication in the current time period through traffic degradation. Subsequently, closed-loop monitoring of data communication is achieved through multi-time-window listening, thereby completing the distributed storage and federated learning training process.
[0101] like Figure 6 As shown, the present invention also provides a communication data security analysis and processing system, including: a communication sampling module, a data aggregation module, a collaborative judgment module, a risk solving module, and a scene locking module. The output of the communication sampling module is connected to the data aggregation module, the output of the data aggregation module is connected to the collaborative judgment module, the output of the collaborative judgment module is connected to the risk solving module, and the output of the risk solving module is connected to the scene locking module.
[0102] The communication sampling module is used to generate communication data containing device number, associated device, scene tag and node location based on the access frequency of each IoT scenario monitored by edge nodes.
[0103] The data aggregation module is used to obtain the regional nodes corresponding to the edge nodes. The regional nodes are assigned differential privacy noise to the edge nodes according to the scene labels. Noise is added when the edge nodes upload data. After the gradient aggregation of the regional nodes, the target communication subset of the edge nodes is selected for collaborative operation.
[0104] The collaborative judgment module is used to extract abnormal communication data under time-delay collaboration based on the logical coordination and temporal continuity of the target communication subset and in conjunction with the indirect access path composed of edge nodes and regional nodes.
[0105] The risk solving module is used to convert the scene label, node location and time period of the abnormal communication data into constraints based on the abnormal time and abnormal response intensity related to the abnormal communication data, and to solve the risk coordination factors when the data is abnormal.
[0106] The scenario locking module is used to monitor scenarios where risk synergy factors occur. When a new risk synergy factor is detected, it performs blocking optimization on the indirect access path and locks the target scenario for data analysis.
[0107] The present invention also provides a storage medium storing computer instructions for causing a computer to execute the communication data security analysis and processing method described in any of the preceding claims.
[0108] The storage medium described in this embodiment includes permanent and non-permanent, removable and non-removable media, and information storage can be achieved through any method or technology. The information can be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to: phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile optical disc (DVD) or other optical storage, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transfer medium that can be used to store information accessible by a computing device.
[0109] Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention. Those skilled in the art can make changes, modifications, substitutions and variations to the above embodiments within the scope of the present invention, which are still covered within the protection scope of the present invention.
Claims
1. A communication data security analysis processing method, characterized by, include: S1, based on the IoT scenario monitored by edge nodes, generates communication data including device number, associated device, scenario tag and node location according to the access frequency of each scenario; S2, obtain the region nodes corresponding to the edge nodes, and assign differential privacy noise to the edge nodes according to the scene labels of the region nodes; Noise is added when data is uploaded from edge nodes, and the target communication subset for collaborative operation of edge nodes is selected after the gradient of regional nodes is summarized. The implementation methods for selecting the target communication subset for edge node collaborative operation in step S2 include: S21. Based on the node location corresponding to the edge node, the continuous time is divided according to the collaborative operation status between multiple edge nodes to determine the gradient data uploaded by each edge node in the corresponding time period. S22, for the gradient data after adding noise to all edge nodes, mark all devices in the gradient data that are in a cooperative running state as a device cooperative group; S23, for multiple edge nodes within the same device collaboration group, align their gradient time sequence and divide the scene according to time sequence similarity; S24. After the scene is divided, the gradient data is summarized according to the scene label, time window and device collaboration group level to obtain the gradient aggregation dataset of multiple edge nodes. The target communication subset is then selected from the gradient aggregation dataset. S3, based on the logical coordination and temporal continuity of the target communication subset, and combined with the indirect access path composed of edge nodes and regional nodes, extracts abnormal communication data under time-delay coordination. When step S3 is based on the logical coordination and temporal continuity of the target communication subset, its implementation includes: S31, for the devices and associated devices involved in the target communication subset, extract the time delay coordination deviation between the corresponding devices and associated devices, and perform business logic verification in sequence; S32, Based on the indirect access paths of the target communication subset in a continuous time period, perform time continuity analysis for each path node of the indirect access path in sequence to determine the failed nodes of the indirect access path. S33, using the failed nodes of the indirect access path, mark the abnormal access start point and abnormal access end point, and construct a directed connection path; S34, regard the intersection of directed connection paths as the target node, and determine the output abnormal communication data based on the number of incoming and outgoing edges of the target node; S4. Based on the abnormal time and abnormal response intensity related to the abnormal communication data, the scene label, node location and time period of the abnormal communication data are transformed into constraints to solve the risk coordination factors when the data is abnormal. S5 monitors scenarios where risk synergy factors occur. When a new risk synergy factor is detected, it performs blocking optimization on indirect access paths to lock the target scenario for data analysis.
2. The method of claim 1, wherein, The implementation methods for extracting communication data from each edge node in step S1 include: S11, for IoT scenarios where edge nodes are deployed, obtain the access frequency of edge nodes and establish a stacked map of access frequency corresponding to all data within the edge nodes. S12, based on the access frequency stacking map and the associated devices corresponding to the current data, sort the data of each edge node and determine the communication data to be processed by each edge node.
3. The communication data security analysis and processing method according to claim 1, characterized in that, The gradient data uploaded by each edge node at the corresponding time period can be determined in the following ways: A gradient dataset is formed based on the lag time and number of collaborative communications under the same collaborative task. Use the lag time, access frequency, and number of collaborative communications in the gradient dataset as statistical dimensions to set the gradient vector; After performing gradient clipping on each gradient vector, it is used as the output gradient data.
4. The communication data security analysis and processing method according to claim 1, characterized in that, When determining the failed node of an indirect access path, the implementation methods include: For each path node in the indirect access path, based on the timing of data reception by the path node, select the same path node in adjacent time windows and obtain the communication time of the path node in adjacent time windows. From adjacent time windows, use the communication time of path nodes to check whether there is communication in each time window, set a communication flag for the communication time, and filter out failed nodes based on the relevant content of the communication flag.
5. The communication data security analysis and processing method according to claim 1, characterized in that, The implementation methods for solving the risk synergy factors when dealing with data anomalies in step S4 include: S41, let the node position corresponding to the abnormal communication data be the abnormal communication node to be processed, and let the access frequency of the abnormal communication node in a unit of time be the abnormal response intensity. The ratio of the abnormal access frequency to the total access frequency is used to quantify the node abnormality probability. S42, Based on the position of the abnormal communication node in the indirect connection path, sort out the connection direction between the abnormal communication node and other nodes in the indirect connection path, and construct the joint probability when the risk propagation evolves. S43 uses the data after the risk propagation and evolution as the input for cross-validation, selects the root cause node of abnormal communication, and takes the corresponding node as the output risk coordination factor.
6. The communication data security analysis and processing method according to claim 1, characterized in that, When identifying the target scenario for data analysis in step S5, the implementation methods include: S51. Based on the acquired risk collaboration factors, determine the involved edge nodes, and retrieve the monitoring rule base under risk collaboration through the scene tags corresponding to the edge nodes; S52, based on the monitoring rule base, receives real-time communication data from the corresponding edge nodes. If there are risk coordination factors in the real-time communication data, the corresponding data is matched with the monitoring rule base. S53 optimizes the hierarchical blocking of indirect access paths based on the matched data content, and takes the scenario at the time of optimization as the target scenario for output.
7. A communication data security analysis and processing method according to any one of claims 1-6, wherein the method implements the corresponding steps through a communication data security analysis and processing system, characterized in that, The communication data security analysis and processing system includes: The communication sampling module is used in IoT scenarios based on edge node monitoring to generate communication data containing device number, associated device, scenario tag and node location according to the access frequency of each scenario; The data aggregation module is used to obtain the regional nodes corresponding to the edge nodes. The regional nodes assign differential privacy noise to the edge nodes according to the scene label. Noise is added when the edge nodes upload data. After the gradient aggregation of the regional nodes, the target communication subset for collaborative operation of the edge nodes is selected. The collaborative judgment module is used to extract abnormal communication data under time-delay collaboration based on the logical coordination and temporal continuity of the target communication subset and the indirect access path composed of edge nodes and regional nodes. The risk resolution module is used to convert the scenario label, node location, and time period of abnormal communication data into constraints based on the abnormal time and abnormal response intensity related to the abnormal communication data, and to solve the risk coordination factors when the data is abnormal. The scenario locking module is used to monitor scenarios where risk collaboration factors occur. When a new risk collaboration factor is detected, it performs blocking optimization on indirect access paths to lock the target scenario for data analysis.
8. A storage medium storing computer instructions, characterized in that, The computer instructions are used to cause the computer to execute the communication data security analysis and processing method according to any one of claims 1 to 6.