A cloud-edge-oriented cross-layer security collaboration method and system

By employing a cross-layer security collaboration method through a collaborative orchestration hub, the fragmentation problem of cloud-edge-device security protection systems is solved, enabling dynamic linkage between the physical layer and the application layer, improving security and efficiency, and ensuring the security of trusted learning tasks throughout their entire lifecycle.

CN122247701A · Pending · Publication Date: 2026-06-19 · CHINA ACADEMY OF INFORMATION & COMM

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Application (China)
Current Assignee / Owner
CHINA ACADEMY OF INFORMATION & COMM
Filing Date
2026-03-30
Publication Date
2026-06-19

AI Technical Summary

Technical Problem

Existing cloud-edge-device security protection systems suffer from fragmented protection, lack of dynamic adaptability and collaborative mechanisms, resulting in low security management efficiency. In particular, it is difficult to achieve collaborative protection between the physical layer and the application layer in complex network environments.

Method used

By using a collaborative orchestration hub to perform global threat analysis and protection strategy modeling, a cross-layer mutual awareness protocol is established to obtain channel status and data processing information in real time, and to dynamically schedule physical layer and application layer security modules to achieve linkage and optimization of security strategies.

Benefits of technology

It achieves adaptive and efficient security in complex network environments, avoiding over-protection or under-protection, improving overall security and resource utilization efficiency, and ensuring the security of trusted learning tasks throughout their entire lifecycle.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122247701A_ABST

Abstract

This invention provides a cross-layer security collaborative orchestration method for cloud-edge-device applications. This method is executed by a collaborative orchestration hub and includes: performing global threat analysis and protection strategy modeling to construct a protection mapping model that associates data sensitivity, communication security level, and security strategy combinations; establishing and maintaining a cross-layer mutual awareness protocol to acquire channel state information from the physical layer and data processing information from the application layer in real time; and during the execution of a trusted learning task, scheduling physical layer security modules and application layer security modules sequentially based on the protection mapping model and real-time awareness information, including: first instructing and confirming the establishment and compliance of a physical layer security channel, and then dynamically selecting and instructing the application layer to perform data privacy protection operations of appropriate strength according to the real-time channel state. This invention achieves dynamic linkage and intelligent scheduling of physical layer communication security and application layer data privacy protection by establishing a unified collaborative orchestration hub.

Description

Technical Field

[0001] This invention relates to the fields of network security and distributed machine learning technology, and in particular to a cross-layer security collaboration method and system for cloud-edge-device applications.

Background Technology

[0002] With the development of cloud-edge-device collaborative computing, trusted learning (such as federated learning) has become a key technology for solving data silos. However, existing security protection systems have the following problems.

Protection fragmentation: Physical layer security (such as anti-interference and channel encryption) and application layer security (such as differential privacy and homomorphic encryption) are usually executed independently by different modules, lacking coordination.

[0003] Lack of dynamic adaptability: The application layer often does not know the current security status of the communication channel (e.g., whether it is being interfered with or eavesdropped on), resulting in insufficient protection when the channel is poor, or excessive encryption when the channel is secure, wasting computing power.

[0004] Lack of coordination mechanism: In the complex cloud-edge-device environment, the lack of a unified "central hub" to coordinate data flow and security strategies leads to low efficiency in security control during cross-domain data transmission.

Summary of the Invention

[0005] This invention aims to overcome the shortcoming of existing cross-layer security protections that cannot coordinate. It provides a cross-layer security collaborative orchestration method for cloud-edge-device environments. The method is executed by a collaborative orchestration hub and includes: conducting global threat analysis and protection strategy modeling, and constructing a protection mapping model that associates data sensitivity, communication security level and security strategy combinations; establishing and maintaining a cross-layer mutual sensing protocol to obtain channel state information from the physical layer and data processing information from the application layer in real time; and, during the execution of the trusted learning task, scheduling the physical layer security module and the application layer security module in sequence based on the protection mapping model and real-time perception information, including: first instructing and confirming that the physical layer security channel is established and meets the standard, and then dynamically selecting and instructing the application layer to perform data privacy protection operations of corresponding strength according to the real-time channel status.

[0006] Optionally, the "first instruct and confirm that the physical layer security channel has been established successfully" specifically means that after the collaborative orchestration center receives a confirmation signal from the physical layer security module that the channel authentication was successful and the security parameters met the requirements, it triggers a scheduling instruction to the application layer security module.

[0007] Optionally, the "dynamically selecting and instructing the application layer to perform data privacy protection operations of corresponding strength according to the real-time channel state" includes: when the real-time channel state information indicates that the channel quality is below the threshold or there is an attack risk, increasing the data encryption strength or privacy protection level of the application layer; when the channel state is good, reducing the protection strength of the application layer to optimize efficiency.

[0008] Optionally, the method further includes a task closure step: after the data transmission or computation phase is completed, the collaborative orchestration center instructs the relevant nodes to perform security cleanup of the private data and to report the task security status.

[0009] This invention also provides a cross-layer secure collaborative orchestration system for implementing the aforementioned method, comprising: a collaborative orchestration layer for threat analysis, policy decision-making, and cross-layer scheduling; a physical layer protection interface unit coupled to the underlying communication hardware for executing physical layer security protocols and reporting channel status; and an application layer protection interface unit coupled to the upper-layer privacy computation algorithm for performing data privacy protection operations and reporting data processing information; wherein the collaborative orchestration layer is communicatively connected to the physical layer protection interface unit and the application layer protection interface unit, respectively, forming a centralized control collaborative orchestration architecture.

[0010] Optionally, the collaborative orchestration layer includes a threat analysis engine, a policy decision engine, and a cross-layer scheduler; the physical layer protection interface unit includes a channel state monitoring module and a security protocol execution module; and the application layer protection interface unit includes a data attribute awareness module and a privacy algorithm execution module.

[0011] Optionally, the system is deployed in a cloud-edge-device collaborative architecture, wherein, for the interconnection scenario between the cloud and the edge, the collaborative orchestration layer focuses on scheduling high-throughput link-level encryption and traffic monitoring; for the access scenario between the edge and the device, it focuses on scheduling lightweight device authentication and reliable access control.

[0012] The present invention provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the methods described above.

[0013] The present invention provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the methods described above.

[0014] The cross-layer secure collaborative orchestration method and system provided by this invention establishes a unified collaborative orchestration hub to achieve dynamic linkage and intelligent scheduling between physical layer communication security and application layer data privacy protection, thereby providing adaptive, efficient, and full lifecycle security assurance for trusted learning tasks in complex network environments.

Attached Figure Description

[0015] To more clearly illustrate the technical solutions in this invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.

[0016] Figure 1 is a flowchart of the trusted learning cross-layer security capability collaborative orchestration method for cloud-edge-device collaboration provided by the present invention.

[0017] Figure 2 is a flowchart of the unified scheduling process of the collaborative orchestration center.

[0018] Figure 3 is a schematic diagram of the architecture of the cross-layer security capability collaborative orchestration system provided by the present invention.

[0019] Figure 4 is a flowchart of an example of initiating a federated learning task in the cloud.

[0020] Figure 5 is a flowchart of an embodiment of a vehicle-to-everything (V2X) edge collaborative perception scenario.

[0021] Figure 6 is a schematic diagram of the handshake process between the coordination hub and the nodes.

Detailed Implementation

[0022] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions of this invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this invention. All other embodiments obtained by those skilled in the art based on the embodiments of this invention without creative effort are within the scope of protection of this invention.

[0023] Firstly, this invention provides a trusted learning cross-layer security capability collaborative orchestration method for cloud-edge-device collaboration which, as shown in Figure 1, includes the following steps.

[0024] S1: Global Threat Analysis and Protection Strategy Modeling. For specific trusted learning tasks, collaborative analysis is performed on the cloud, edge, and endpoint nodes and communication links involved in their data flow graphs to identify potential attack surfaces and security threats. Based on the analysis results, a protection mapping model is constructed, which defines the mapping relationships between different data sensitivity levels, different communication environment security levels, and specific security strategy combinations (including application layer algorithms and physical layer mechanisms).

[0025] S2: Cross-layer security status mutual awareness. Establish and maintain a cross-layer mutual awareness protocol. The physical layer security module senses and reports channel status information in real time, including but not limited to signal-to-noise ratio, bit error rate, link authentication status, and intrusion detection alarms. The application layer security module senses and reports data processing information in real time, including but not limited to data type, privacy sensitivity level, data volume, privacy computing algorithm to be used, and expected overhead.

[0026] S3: Task-driven dynamic collaborative orchestration and execution. Throughout the entire lifecycle of a trusted learning task, a central collaborative orchestration hub provides unified scheduling, as shown in Figure 2. The specific steps include:

S31 (Task Triggering and Parsing): The central hub receives or initiates a trusted learning task instruction and parses the task requirements and data interaction requests from each participating node.

S32 (Priority Establishment of Physical Layer Secure Channel): Based on the request, the central hub first instructs the physical layer security modules between the relevant nodes to establish or verify a secure communication channel. Subsequent application layer operations are triggered only after the central hub receives a "channel ready and security level meets the standard" confirmation signal from the physical layer.

S33 (Adaptive Execution of Application Layer Privacy Protection): Based on the protection mapping model, combined with the currently perceived real-time physical layer channel state, the central hub dynamically selects and instructs the application layer security modules to perform the corresponding data privacy protection operations. The adaptive logic is: when the channel state is poor or there is a risk, the privacy protection strength is enhanced (for example by raising the encryption level or adding differential privacy noise); when the channel state is good, the protection strength can be appropriately reduced to improve efficiency.

S34 (Secure Transmission and Loop Closure): After being hardened by the application layer, the data is transmitted through the established secure physical channel. After the task phase is completed, the central hub instructs the relevant nodes to clean up private data and finally reports a "security ready" status to the task management side.

[0027] Secondly, a cross-layer security capability collaborative orchestration system for implementing the above method is provided. This system includes a collaborative orchestration layer, a physical layer protection interface unit, and an application layer protection interface unit, as shown in Figure 3. Each part is explained in detail below.

[0028] 1. Collaborative Orchestration Layer 10: As the control core of the system, it is deployed in the cloud or on core edge nodes. It includes a threat analysis engine, a policy decision engine, and a cross-layer scheduler, and is responsible for global view management, policy generation, and issuing collaborative instructions to the physical and application layers.

[0029] 2. Physical Layer Protection Interface Unit 20: Serves as an adaptation layer for underlying communication hardware (such as network interface cards, base stations, and terminal communication modules). It includes a channel state monitoring module, a security protocol execution module (responsible for authentication, encryption, etc.), and an instruction executor, used to execute physical layer instructions from the orchestration layer and provide real-time status feedback.

[0030] 3. Application Layer Protection Interface Unit 30: Serves as an adaptation layer for upper-layer privacy computation algorithm libraries (such as differential privacy libraries and homomorphic encryption libraries). It includes a data attribute awareness module, a privacy algorithm execution module, and an overhead evaluation module, used to execute application layer instructions from the orchestration layer and provide feedback on data processing status.

[0031] The collaborative orchestration layer communicates with the physical layer protection interface unit and the application layer protection interface unit through a standard interface to form a closed-loop control system of "perception-decision-execution".

[0032] The present invention will be further described in detail below with reference to specific embodiments. These embodiments are for illustrative purposes only and do not constitute a limitation on the scope of protection of the present invention.

Example 1

[0033] As shown in Figure 4, the collaborative orchestration layer acts as the "brain," while the physical layer and application layer protection interface units act as the "limbs," forming a three-layer logical architecture. When a federated learning task is initiated in the cloud, the following process is executed.

[0034] S11. The orchestration layer analyzes the task topology and constructs the initial protection mapping model.

[0035] S12. Edge nodes collect data from terminal devices. The orchestration layer first instructs the terminal to establish a WPA3 encrypted Wi-Fi connection with the physical layer interface unit of the edge node and performs two-way device authentication.

[0036] S13. The physical layer interface unit reports a successful connection with a good signal-to-noise ratio.

[0037] S14. Based on the model and good channel conditions, the orchestration layer instructs the application layer interface unit to process the terminal data using a "lightweight homomorphic encryption" algorithm, rather than full homomorphic encryption which has huge computational overhead.

[0038] S15. The encrypted data is transmitted to the edge node via a secure Wi-Fi channel.

[0039] S16. After the edge node completes local training, its application layer interface unit adds differential privacy noise to the model gradient.

[0040] S17. The orchestration layer instructs the physical layer interface units between the edge and the cloud to transmit the encrypted gradient updates via a VPN tunnel.

[0041] S18. Cloud-based aggregation and updates complete one round of federated learning. All temporary data is securely erased locally on the participating parties.

[0042] Through this embodiment, the orchestration layer collaborates with edge nodes and the cloud to achieve dynamic security policy orchestration for trusted learning and the implementation of the orchestrated policies.

Example 2

[0043] This embodiment is an example of adaptive adjustment in a vehicle-to-everything (V2X) edge collaborative perception scenario, as shown in Figure 5. The specific steps include the following.

[0044] S21. The vehicle (end) reports perception data to the edge server.

[0045] S22. Under normal circumstances: The channel quality between the vehicle and the edge server (for example, 5G NR) is excellent, and the orchestration layer instructs the application layer to desensitize sensitive information such as the vehicle ID before transmitting it.

[0046] S23. Under sudden interference: The physical layer detects a sudden increase in the channel bit error rate, determines it as a potential interference attack risk, and immediately reports it to the orchestration layer.

[0047] S24. Dynamic Adjustment: Based on the protection mapping model, the orchestration layer immediately instructs the application layer to switch strategies, lightly encrypt the sensed data itself before transmission, and the physical layer may switch to a more interference-resistant frequency band or modulation method.

[0048] S25. After the risk is eliminated: Channel quality is restored, and the system can be readjusted back to the high-efficiency transmission mode.

[0049] Through the above collaborative mechanisms, it is ensured that the data security level can be raised in real time in the event of sudden network risks, preventing sensitive information from being "naked" on vulnerable channels.

Example 3
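The S1-S3 loop of [0024]-[0026] and the adaptive switching of Example 2 can be written out as a small orchestration hub. The following block is an added example, not code from the patent or its applicant: it keeps the report fields the patent names (signal-to-noise ratio, bit error rate, link authentication status, intrusion alarm; data type, sensitivity, volume) but the thresholds, the three-level sensitivity scale, the channel level names and the policy labels are all assumptions made for illustration. The constructed V2X_REPORTS sequence plays the clean link, the bit-error spike and the recovery of steps S22-S25.

```python
"""Added illustration (not from the patent): a minimal collaborative
orchestration hub that runs the S1-S3 loop and the adaptive switching of
Example 2. Field names follow paragraphs [0024]-[0026]; every threshold,
level name and policy label is an assumption made for this example."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class ChannelLevel(IntEnum):
    """Communication environment security level derived from channel state."""
    FAILED = 0   # not authenticated or intrusion alarm: nothing is transmitted
    LOW = 1      # degraded quality, treated as interference / attack risk
    HIGH = 2     # authenticated, clean channel


@dataclass(frozen=True)
class ChannelState:
    """S2 physical-layer report (fields per [0025], values constructed)."""
    snr_db: float
    ber: float
    link_authenticated: bool
    ids_alarm: bool


@dataclass(frozen=True)
class DataInfo:
    """S2 application-layer report (fields per [0025])."""
    data_type: str
    sensitivity: str      # "public", "internal" or "sensitive" (assumed scale)
    volume_bytes: int


SNR_MIN_DB = 15.0   # assumed floor; below it the channel counts as poor
BER_MAX = 1e-3      # assumed ceiling; above it the channel counts as poor


def classify_channel(cs: ChannelState) -> ChannelLevel:
    """Turn raw channel metrics into a security level; fail closed on auth/IDS."""
    if not cs.link_authenticated or cs.ids_alarm:
        return ChannelLevel.FAILED
    if cs.snr_db < SNR_MIN_DB or cs.ber > BER_MAX:
        return ChannelLevel.LOW
    return ChannelLevel.HIGH


# S1 protection mapping model: (data sensitivity, channel level) ->
# (application-layer privacy operation, physical-layer mechanism).
# Labels are assumed names chosen to match the embodiments, not fixed algorithms.
PROTECTION_MAP: Dict[Tuple[str, ChannelLevel], Tuple[str, str]] = {
    ("public",    ChannelLevel.HIGH): ("none",                   "link_encryption"),
    ("public",    ChannelLevel.LOW):  ("none",                   "robust_modulation"),
    ("internal",  ChannelLevel.HIGH): ("desensitize",            "link_encryption"),
    ("internal",  ChannelLevel.LOW):  ("light_encrypt",          "robust_modulation"),
    ("sensitive", ChannelLevel.HIGH): ("differential_privacy",   "link_encryption"),
    ("sensitive", ChannelLevel.LOW):  ("homomorphic_encryption", "robust_modulation"),
}


def schedule(cs: ChannelState, di: DataInfo) -> dict:
    """S3: gate on the physical layer first, then choose application-layer strength."""
    level = classify_channel(cs)
    if level is ChannelLevel.FAILED:
        # S32: without a compliant channel the application layer is never instructed.
        return {"channel_ready": False, "app_policy": None, "phy_policy": "reauthenticate"}
    app_policy, phy_policy = PROTECTION_MAP[(di.sensitivity, level)]
    return {"channel_ready": True, "channel_level": level.name,
            "app_policy": app_policy, "phy_policy": phy_policy}


def run_task(reports: List[ChannelState], di: DataInfo) -> List[dict]:
    """Drive one task through successive channel reports, then close it out (S34)."""
    decisions = [schedule(cs, di) for cs in reports]
    decisions.append({"phase": "closure", "cleanup": "secure_erase",
                      "status": "security_ready"})
    return decisions


# Constructed V2X-style sequence (Example 2): clean link, BER spike, recovery.
V2X_REPORTS = [
    ChannelState(snr_db=28.0, ber=1e-6, link_authenticated=True, ids_alarm=False),
    ChannelState(snr_db=12.0, ber=5e-2, link_authenticated=True, ids_alarm=False),
    ChannelState(snr_db=27.5, ber=2e-6, link_authenticated=True, ids_alarm=False),
]
VEHICLE_DATA = DataInfo(data_type="vehicle_id", sensitivity="internal", volume_bytes=2048)

if __name__ == "__main__":
    for decision in run_task(V2X_REPORTS, VEHICLE_DATA):
        print(decision)
```

Two design points are worth noting. The FAILED level never reaches the mapping table, so an unauthenticated link or an intrusion alarm withholds the application-layer instruction entirely rather than merely raising its strength, which is the gate that S32 describes. And the channel state only chooses between the operations that the data's sensitivity row permits; the "good channel" branch lowers cost but never removes the protection the data class itself requires, which is the check a practitioner would want before letting link quality drive privacy parameters.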

[0050] This embodiment provides the handshake process between the collaborative hub and the nodes, i.e., the sequence diagram logic, as shown in Figure 6. The specific process is explained in detail below.

[0051] S41 (Initiator): Coordination Hub -> Send INIT_TASK signal -> Cloud / Edge / End Node.

[0052] S42 (Perception): Node -> Feedback DATA_INFO (Data Volume, Sensitivity) -> Collaboration Hub.

[0053] S43 (Scheduling Physical Layer): Coordination Hub -> Send SETUP_CHANNEL (Requirement Level: High) -> Communication Security Module.

[0054] S44 (Feedback Physical Layer): Communication Security Module -> Feedback CHANNEL_READY (Current Signal-to-Noise Ratio, Security Score) -> Coordination Hub.

[0055] S45 (Decision and Scheduling Application Layer): Judgment Logic: If the security score is less than the threshold, generate policy A (enable homomorphic encryption); if the security score is greater than the threshold, generate policy B (differential privacy only).

[0056] Command: Coordination Hub -> Send PROTECT_DATA (Policy Parameters) -> Application Security Module.

[0057] S46 (Execution): The application security module processes data -> transmits it through the physical channel -> the receiver decrypts it -> triggers the learning task.

[0058] In this embodiment, the security policy of the application layer is dynamically adjusted according to the security status of the physical layer, thereby ensuring the safe operation of the learning task through cross-layer linkage.
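The handshake of S41-S46 can be expressed as an ordered exchange in which the hub refuses to issue PROTECT_DATA until a CHANNEL_READY has met the level requested in SETUP_CHANNEL. The block below is an added example, not code from the patent or its applicant. The message names are the ones in Figure 6; the requirement level "High", the 0 to 1 security score scale, the minimum score per level (REQUIRED_SCORE), the S45 policy threshold and the node-side score formula are all assumptions made for this example.

```python
"""Added illustration (not from the patent): the Figure 6 handshake of
Example 3 as an ordered message exchange. Message names follow S41-S46;
the requirement level, the score scale, the minimum score per level and
the policy threshold are assumptions for this example."""
from dataclasses import dataclass
from typing import List

# Assumed: minimum security score a CHANNEL_READY must carry per SETUP_CHANNEL level.
REQUIRED_SCORE = {"High": 0.8, "Medium": 0.5}
# S45: below this score policy A (homomorphic encryption), otherwise policy B (DP only).
POLICY_THRESHOLD = 0.9


@dataclass(frozen=True)
class Msg:
    kind: str
    payload: dict


class ProtocolError(Exception):
    """Raised when a node message arrives in a state that does not expect it."""


class Hub:
    """Coordination hub: drives S41-S45 and refuses to skip the physical-layer gate."""

    def __init__(self, requirement_level: str = "High"):
        self.requirement_level = requirement_level
        self.state = "INIT"
        self.data_info: dict = {}

    def start(self) -> Msg:
        """S41: initiate the task towards the cloud / edge / end node."""
        self.state = "WAIT_DATA_INFO"
        return Msg("INIT_TASK", {"task": "fl_round_1"})

    def handle(self, m: Msg) -> Msg:
        """Consume one node message and return the hub's next instruction."""
        if self.state == "WAIT_DATA_INFO" and m.kind == "DATA_INFO":
            self.data_info = m.payload                                   # S42
            self.state = "WAIT_CHANNEL_READY"
            return Msg("SETUP_CHANNEL", {"level": self.requirement_level})   # S43
        if self.state == "WAIT_CHANNEL_READY" and m.kind == "CHANNEL_READY":   # S44
            score = m.payload["security_score"]
            if score < REQUIRED_SCORE[self.requirement_level]:
                # Channel does not meet the standard: stay gated and ask again.
                return Msg("SETUP_CHANNEL", {"level": self.requirement_level})
            policy = ("A:homomorphic_encryption" if score < POLICY_THRESHOLD
                      else "B:differential_privacy")                    # S45 judgment
            self.state = "EXECUTING"                                     # S46 runs on the node
            return Msg("PROTECT_DATA", {"policy": policy,
                                        "sensitivity": self.data_info.get("sensitivity")})
        raise ProtocolError(f"unexpected {m.kind} in state {self.state}")


def node_data_info(sensitivity: str, volume: int) -> Msg:
    """Node side of S42."""
    return Msg("DATA_INFO", {"sensitivity": sensitivity, "volume": volume})


def comm_module_channel_ready(snr_db: float, authenticated: bool) -> Msg:
    """Communication security module side of S44; the score formula is constructed."""
    score = 0.0 if not authenticated else min(1.0, snr_db / 30.0)
    return Msg("CHANNEL_READY", {"snr_db": snr_db, "security_score": round(score, 2)})


def run_handshake(hub: Hub, sensitivity: str, channel_reports: List[Msg]) -> List[Msg]:
    """Drive the exchange with constructed node replies; return the hub's messages."""
    out = [hub.start(), hub.handle(node_data_info(sensitivity, 4096))]
    for report in channel_reports:
        nxt = hub.handle(report)
        out.append(nxt)
        if nxt.kind == "PROTECT_DATA":
            break
    return out


if __name__ == "__main__":
    hub = Hub("High")
    replies = [comm_module_channel_ready(20.0, True), comm_module_channel_ready(28.0, True)]
    for msg in run_handshake(hub, "sensitive", replies):
        print(msg.kind, msg.payload)
```

Because the hub lowers the application-layer policy to B (differential privacy only) on the strength of a high reported score, a forged CHANNEL_READY is a downgrade path: the control messages between the communication security module and the hub need their own integrity protection, which this example, like the embodiment, leaves out.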

[0059] Through the above technical solutions, this invention achieves higher security. By employing a two-layer collaboration, it avoids the "weakest link" effect, preventing data leakage caused by a single layer (such as a breach in the physical layer). This invention optimizes resource utilization, avoiding a "one-size-fits-all" approach to the highest level of protection. When the physical environment is secure, the system automatically reduces application-layer computational overhead (e.g., reducing the number of encryption rounds), improving learning efficiency. As a dynamic strategy orchestration method operating at the collaborative hub, this invention does not rely on specific underlying algorithms, is compatible with various existing communication protocols and privacy protection algorithms, and possesses strong scalability.

[0060] Compared with the prior art, the present invention has the following significant advantages.

[0061] 1. Achieves cross-layer collaborative security capabilities: Breaking down the barriers between application-layer and physical-layer security protection, the system achieves a synergistic effect of "communication security safeguarding data privacy, and data privacy adjusting according to communication conditions" through central scheduling, thereby enhancing the overall security level.

2. Possesses dynamic adaptive protection capabilities: Based on real-time cross-layer perception information, the system can dynamically adjust security policies, optimizing resource utilization efficiency while ensuring security, and avoiding over-protection or under-protection.

[0062] 3. Ensures security throughout the entire lifecycle of trusted learning: From task initiation and data transmission to data cleanup after computation, it provides end-to-end security orchestration, covering security aspects that are easily overlooked in traditional solutions.

[0063] 4. Improves overall system performance: Through intelligent collaboration, security is prioritized under adverse channel conditions, while performance is balanced under favorable channel conditions, enabling the cloud-edge-device trusted learning system to operate stably and efficiently in complex network environments.

[0064] The present invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the steps of the method described above.

[0065] The present invention also provides a computer-readable storage medium storing a computer program thereon, characterized in that the program, when executed by a processor, implements the methods described above. On the other hand, the present invention also provides a computer program product comprising a computer program, which can be stored on a non-transitory computer-readable storage medium, and when the computer program is executed by a processor, the computer is capable of performing the methods provided by the aforementioned methods. The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Those skilled in the art can understand and implement this without any creative effort.

[0066] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods described in the various embodiments or some parts of the embodiments.

[0067] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A cross-layer secure collaborative orchestration method for cloud-edge-device applications, characterized in that the method is executed by the collaborative orchestration center and includes: conducting global threat analysis and protection strategy modeling, and constructing a protection mapping model that associates data sensitivity, communication security level and security strategy combinations; establishing and maintaining a cross-layer mutual sensing protocol to obtain channel state information from the physical layer and data processing information from the application layer in real time; and, during the execution of the trusted learning task, scheduling the physical layer security module and the application layer security module in sequence based on the protection mapping model and real-time perception information, including: first instructing and confirming that the physical layer security channel is established and meets the standard, and then dynamically selecting and instructing the application layer to perform data privacy protection operations of corresponding strength according to the real-time channel status.

2. The method according to claim 1, characterized in that "first instructing and confirming that the physical layer security channel has been established successfully" includes: after receiving a confirmation signal from the physical layer security module that the channel authentication was successful and the security parameters met the requirements, the collaborative orchestration center triggers a scheduling instruction to the application layer security module.

3. The method according to claim 1 or 2, characterized in that "dynamically selecting and instructing the application layer to perform data privacy protection operations of appropriate strength based on real-time channel status" includes: when real-time channel status information indicates that the channel quality is below a threshold or there is an attack risk, increasing the data encryption strength or privacy protection level of the application layer; and reducing the protection strength of the application layer to optimize efficiency when the channel status is good.

4. The method according to claim 1, characterized in that the method also includes a task closure step: after the data transmission or computation phase is completed, the collaborative orchestration center instructs the relevant nodes to perform security cleanup of the private data and to report the task security status.

5. A cross-layer secure collaborative orchestration system for implementing the method of any one of claims 1-4, characterized in that it includes: a collaborative orchestration layer for threat analysis, policy decision-making, and cross-layer scheduling; a physical layer protection interface unit coupled with the underlying communication hardware to execute physical layer security protocols and report channel status; and an application layer protection interface unit coupled with the upper-layer privacy computing algorithm to perform data privacy protection operations and report data processing information; wherein the collaborative orchestration layer is communicatively connected to the physical layer protection interface unit and the application layer protection interface unit, respectively, forming a centralized control collaborative orchestration architecture.

6. The system according to claim 5, characterized in that the collaborative orchestration layer includes a threat analysis engine, a policy decision engine, and a cross-layer scheduler; the physical layer protection interface unit includes a channel state monitoring module and a security protocol execution module; and the application layer protection interface unit includes a data attribute awareness module and a privacy algorithm execution module.

7. The system according to claim 5, characterized in that the system is deployed in a cloud-edge-device collaborative architecture, wherein, for the interconnection scenario between the cloud and the edge, the collaborative orchestration layer focuses on scheduling high-throughput link-level encryption and traffic monitoring; and, for the access scenario between the edge and the device, it focuses on scheduling lightweight device authentication and reliable access control.

8. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, when the processor executes the program, it implements the method as described in any one of claims 1-4.

9. A computer-readable storage medium having a computer program stored thereon, characterized in that, when the program is executed by a processor, it implements the method as described in any one of claims 1-4.