Method and device for joint evaluation of security boundary and communication performance based on 5g-a industrial internet
By constructing a nonlinear latency prediction model and a multidimensional coupling relationship matrix library, the problem of separating security assessment and communication assessment in 5G-A industrial internet is solved. This enables unified quantitative assessment and collaborative optimization of security zone boundaries and communication performance, and dynamically adjusts security strategies to achieve optimal synergy between security and communication resources.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- CHINA UNITED NETWORK COMM CO LTD SHENZHEN BRANCH
- Filing Date
- 2026-06-03
- Publication Date
- 2026-07-03
AI Technical Summary
In the context of 5G-A industrial internet, existing technologies conduct security assessments and communication performance assessments separately, lacking a unified analytical framework. This makes it difficult to characterize the dynamic changes in communication performance under different security configurations and fails to provide quantitative basis for network architecture design and security policy configuration.
A nonlinear latency prediction model and a multidimensional coupling matrix library are constructed. The nonlinear latency prediction model is used to characterize the nonlinear mapping relationship between network load data and security policy parameter combinations and overall latency. The multidimensional coupling matrix library is used to characterize the local impact of fine-tuning a single security parameter on communication performance. A deep reinforcement learning algorithm is used to optimize the security policy.
It achieves unified quantitative assessment and collaborative optimization of security zone boundaries and communication performance. By using a nonlinear delay prediction model and a multidimensional coupling relationship matrix library, it solves the problem of the independence between security assessment and communication assessment, realizes cross-domain coupling modeling of security domain and communication domain, provides a quantitative basis for joint analysis of security strategy and communication performance, and dynamically adjusts security strategy to achieve synergistic optimization of security and communication resources.
Smart Images

Figure CN122339853A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of secure communication assessment, and more specifically to a method and apparatus for joint assessment of security boundaries and communication performance based on 5G-A industrial internet. Background Technology
[0002] With the deep integration of 5G-Advanced (5G-A) technology and the Industrial Internet, the deterministic requirements for network communication in industrial scenarios are becoming increasingly stringent. At the same time, the external attack surface faced by industrial networks continues to expand, necessitating the deployment of multiple security protection mechanisms at the network boundary, such as signaling security gateways, IPSec (Internet Protocol Security) encrypted tunnels, industrial firewalls, and intrusion detection systems.
[0003] However, existing technologies typically separate security assessment from communication performance assessment, lacking a unified analytical framework. This makes it difficult to characterize the dynamic changes in communication performance under different security configurations and to provide quantitative basis for network architecture design and security policy configuration. Therefore, how to achieve unified quantitative assessment and collaborative optimization of security zone boundary maintenance and communication performance in 5G-A industrial internet scenarios has become an urgent technical problem to be solved in this field. Summary of the Invention
[0004] In view of the aforementioned problems, this application is proposed to provide a method and apparatus for joint evaluation of security boundary and communication performance based on 5G-A Industrial Internet, which overcomes or at least partially solves the aforementioned problems, including: A joint evaluation method for security boundary and communication performance based on 5G-A industrial internet is proposed. The method pre-constructs a nonlinear latency prediction model and a multidimensional coupling matrix library. The nonlinear latency prediction model characterizes the nonlinear mapping relationship between network load data, security policy parameter combinations, and overall latency. The security policy parameter combinations include authentication strength, encryption level, and access control rule complexity. The multidimensional coupling matrix library characterizes the local impact of fine-tuning a single security parameter on communication performance under different network load conditions. The method includes: Obtain the current network load data and the current security policy parameter combination, and input the current network load data and the current security policy parameter combination into the nonlinear latency prediction model to obtain the current overall latency; The current security policy parameters are combined with the current overall latency utility to generate the current security-communication global score. When the current security-communication global score is lower than a preset threshold, the fine-tuning amount of each security parameter is determined from the multi-dimensional coupling relationship matrix library based on the current network load data and the current security policy parameter combination, and the optimal security policy parameter combination that satisfies the preset delay constraint is generated based on the fine-tuning amount.
[0005] Further steps in constructing a nonlinear time delay prediction model include: Determine the overall latency and resource utilization of the security policy parameter combination under different network loads; The nonlinear latency prediction model is obtained by fitting the overall latency and resource utilization rate of each security strategy parameter combination.
[0006] Further steps in constructing a multidimensional coupling relationship matrix library include: Under different network loads, the control variable method is used to perform step perturbation on a single security parameter in the security strategy parameter combination to generate the corresponding change in communication performance index, so as to construct a multi-dimensional coupling relationship matrix for quantifying the impact of security parameters on communication performance.
[0007] Furthermore, the step of using the control variable method to perform step perturbation on a single security parameter in the security strategy parameter combination to generate the corresponding change in communication performance index, in order to construct a multidimensional coupling relationship matrix for quantifying the impact of security parameters on communication performance, includes: Using the control variable method, a step perturbation is applied to only a single security parameter in the combination of security strategy parameters to determine the overall time delay change and the effective throughput change before and after the perturbation. A multidimensional coupling matrix is constructed based on the ratio of the overall delay change to the perturbation of all security parameters in the security strategy parameter combination and the effective throughput change under the corresponding network load.
[0008] Furthermore, the step of combining the current security policy parameters and the current overall latency utility to generate the current security-communication global score includes: The current security policy parameters and the current overall latency are combined and converted into utility values to generate the current security utility value and the current communication utility value. The current dynamic weight is determined based on the current security utility value and the current communication utility value; The current security-communication global score is generated based on the current security utility value, the current communication utility value, and the current dynamic weight.
[0009] Furthermore, the steps of combining the current security policy parameters and the current overall latency utility to generate the current security utility value and the current communication utility value include: The current overall latency is converted according to a preset exponential decay mapping function to generate the current communication utility value; The current security policy parameters are transformed according to a preset transformation function to generate the current security utility value.
[0010] Furthermore, the step of generating the optimal combination of security strategy parameters that satisfies the preset delay constraint based on the fine-tuning amount includes: Based on Markov decision processes, the fine-tuning parameters are used as initial action references, and the Pareto optimal safety policy parameter combination is determined through iterative optimization by a deep reinforcement learning agent.
[0011] A joint evaluation device for security boundary and communication performance based on 5G-A industrial internet is disclosed. The device is pre-built with a nonlinear latency prediction model and a multidimensional coupling relationship matrix library. The nonlinear latency prediction model is used to characterize the nonlinear mapping relationship between network load data and security policy parameter combinations and overall latency. The security policy parameter combinations include authentication strength, encryption level, and access control rule complexity. The multidimensional coupling relationship matrix library is used to characterize the local impact of fine-tuning a single security parameter on communication performance under different network load conditions. The device includes: The latency calculation module is used to obtain the current network load data and the current security policy parameter combination, and input the current network load data and the current security policy parameter combination into the nonlinear latency prediction model to obtain the current overall latency; The global scoring module is used to combine the current security policy parameters and the current overall latency utility to generate the current security-communication global score. The parameter optimization module is used to determine the fine-tuning amount of each security parameter from the multi-dimensional coupling relationship matrix library based on the current network load data and the current security policy parameter combination when the current security-communication global score is lower than a preset threshold, and generate the optimal security policy parameter combination that satisfies the preset delay constraint based on the fine-tuning amount.
[0012] A computer electronic device includes a processor, a memory, and a computer program stored in the memory and capable of running on the processor. When executed by the processor, the computer program implements the steps of the joint evaluation method for security boundary and communication performance based on 5G-A Industrial Internet as described above.
[0013] A computer-readable storage medium storing a computer program that, when executed by a processor, implements the steps of the joint evaluation method for security boundaries and communication performance based on the 5G-A Industrial Internet as described above.
[0014] This application has the following advantages: In the embodiments of this application, addressing the technical problem of how to achieve unified quantitative evaluation and collaborative optimization of security area boundary maintenance and communication performance in a 5G-A industrial internet scenario, this application provides a solution for closed-loop optimization by pre-constructing a nonlinear latency prediction model and a multidimensional coupling matrix, which unifies the utility of security parameters and communication indicators. Specifically, this involves pre-constructing a nonlinear latency prediction model and a multidimensional coupling matrix library; the nonlinear latency prediction model is used to characterize the nonlinear mapping relationship between network load data and security policy parameter combinations and overall latency, wherein the security policy parameter combinations include authentication strength, encryption level, and access control rule complexity; the multidimensional coupling matrix library is used to characterize the nonlinear mapping relationship between network load data and security policy parameter combinations and overall latency. The method for assessing the local impact of fine-tuning a single security parameter on communication performance under the same network load condition includes: acquiring current network load data and a current combination of security policy parameters, and inputting the current network load data and the current combination of security policy parameters into the nonlinear latency prediction model to obtain the current overall latency; utilizing the current combination of security policy parameters and the current overall latency to generate a current security-communication global score; when the current security-communication global score is lower than a preset threshold, determining the fine-tuning amount of each security parameter from the multidimensional coupling relationship matrix library based on the current network load data and the current combination of security policy parameters, and generating an optimal combination of security policy parameters that satisfies a preset latency constraint based on the fine-tuning amount. By employing a nonlinear delay prediction model and a multidimensional coupling matrix library, this approach addresses the issue of independent security and communication assessments in existing technologies. It enables cross-domain coupled modeling of the security and communication domains, providing a quantitative foundation for the joint analysis of security strategies and communication performance. By calculating the overall delay and utilizing the security strategy parameters and overall delay, a global score is obtained, allowing for comparison and integration of security and communication within the same dimension. The matrix library outputs fine-tuning parameters for each security parameter and identifies the optimal security strategy. This allows for dynamic adjustment of the security strategy while meeting industrial hard constraints, achieving synergistic optimization of security and communication resources. Attached Figure Description
[0015] To more clearly illustrate the technical solution of this application, the drawings used in the description of this application will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0016] Figure 1 This is a flowchart of a method for jointly evaluating security boundaries and communication performance based on 5G-A industrial internet, provided in one embodiment of this application; Figure 2This is an example diagram of a 5G-A industrial internet private network architecture provided in one embodiment of this application; Figure 3 This is a topology diagram of the 5G-A industrial internet security zone boundary and testing environment provided in one embodiment of this application; Figure 4 This is a flowchart illustrating the steps of a joint evaluation method for security boundaries and communication performance based on 5G-A industrial internet, provided in one embodiment of this application. Figure 5 This is a structural block diagram of a joint evaluation device for security boundary and communication performance based on 5G-A industrial internet, provided in one embodiment of this application. Figure 6 This is a schematic diagram of the structure of a computer electronic device provided in an embodiment of the present invention; 1. Computer electronic device; 2. External device; 3. Processing unit; 4. Bus; 5. Network adapter; 6. I / O interface; 7. Display; 8. Memory; 9. Random access memory; 10. Cache memory; 11. Storage system; 12. Program / utility; 13. Program module. Detailed Implementation
[0017] To make the objectives, features, and advantages of this application more apparent and understandable, the application will be further described in detail below with reference to the accompanying drawings and specific embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of this application. All other embodiments obtained by those skilled in the art based on the embodiments of this application without inventive effort are within the scope of protection of this application.
[0018] Analysis of existing technologies revealed that: Existing Technology 1: Performance Evaluation Method for Security Zone Boundary Protection in Industrial Internet Existing industrial internet security boundary protection and performance evaluation technologies primarily focus on improving system defense capabilities and threat detection accuracy, emphasizing DPI (Deep Packet Inspection), static access control verification, and high-strength cryptographic operations and data validation. One approach is based on static rule configuration, assessing network boundary risks by verifying the policy configuration status of security devices and calculating probabilities based on attack paths. Another approach is based on deep packet inspection and edge-side machine learning models, performing protocol parsing, feature matching, and real-time anomaly assessment of application-layer network traffic. Other methods include constructing a security perspective situational assessment model based on a multi-dimensional security indicator system to perform one-way security scoring.
[0019] However, anomaly detection methods based on deep packet inspection and deep learning suffer from high model inference latency and strong dependence on edge computing resources, making it difficult to balance security and real-time requirements in dynamically changing industrial environments. Security access methods based on static rule configuration and high-frequency hash verification introduce large signaling overhead and system load in high-traffic burst scenarios, undermining network stability. Existing technologies lack a unified quantitative assessment of the additional overhead of security mechanisms and their impact on communication performance, making it difficult to apply to the dynamic coupling relationship between security and performance in complex industrial internet scenarios.
[0020] Existing Technology 2: Industrial Internet Communication Performance Evaluation Method Existing industrial internet communication performance evaluation technologies mainly focus on the quantitative analysis of network domain transmission capacity and the passive loss calculation under specific overlay network architectures. One type of method is based on data-driven and transmission resource optimization, extracting real-time network operation characteristics to evaluate communication performance. Another type of method relies on edge computing frameworks to perform local game theory and allocation optimization of transmission resources and upper-layer service requirements at the pure communication level.
[0021] In industrial communication scenarios, these methods suffer from significant limitations in evaluation dimensions and static overhead assumptions. They are confined to single-dimensional threshold comparisons within the communication domain or only consider local game theory between communication transmission and AI computation, failing to incorporate resource consumption caused by dynamic security actions such as high-frequency authentication and access control into the overall utility equation. Faced with the application requirements of deep integration of security and communication, existing methods struggle to achieve effective correlation and unified modeling of security events and communication performance data, impacting the accuracy of fault location and the reliability of overall performance evaluation results.
[0022] The present invention addresses the above problems primarily through the following means: (1) Construction of 5G-A security test environment for industrial Internet scenario: an end-to-end network architecture is built in the private network, and signaling security gateways, IPSec tunnels and industrial firewalls are deployed on the N1, N3 and N6 interfaces. By configuring different authentication strengths, encryption levels and access control policies, a security boundary protection system decoupled from the control plane and data plane is formed.
[0023] (2) Synchronous collection and unified measurement of security and communication indicators: monitoring probes are deployed throughout the entire link. Security event and communication performance data are obtained through PTP (Precision Time Protocol) microsecond-level clock synchronization and out-of-band aggregation. Heterogeneous indicators are unified into dimensionless joint utility values through parameterized modeling and utility conversion.
[0024] (3) Security-communication joint evaluation and policy optimization: Based on the CES (Constant Elasticity of Substitution) joint evaluation model, a global quantitative score is output. The Pareto optimal security policy combination is solved by combining the MDP (Markov Decision Process) and TD3 (Twin Delayed Deep Deterministic Policy Gradient) deep reinforcement learning algorithms, and closed-loop adaptive adjustment is achieved through the 5G-A core network interface.
[0025] As shown in Figure 1, the logic of this invention consists of four major steps: constructing a 5G-A industrial internet security testing environment and security boundary system, establishing a method for constructing security-communication joint evaluation indicators, constructing a security-communication joint evaluation indicator system, and optimizing and controlling security strategies.
[0026] Step 1: Construct a 5G-A Industrial Internet security testing environment and security boundary system: A 5G-A industrial internet private network was built in the pilot plant, and a network tester was connected in series between the UPF (User Plane Function) and MEC (Multi-access Edge Computing) to inject gradient high-concurrency background traffic. Signaling security gateways, IPSec tunnels, and industrial firewalls were deployed at key interfaces of the control plane and data plane, respectively, forming a security boundary decoupled from the control plane and data plane. Simultaneously, monitoring probes were deployed throughout the entire link, and a high-fidelity underlying stream dataset was constructed through PTP microsecond-level clock synchronization and out-of-band aggregation mechanisms.
[0027] Step 2: Establish a method for constructing joint security-communication evaluation indicators: Based on the test environment and dataset constructed in step 1, key security mechanisms such as authentication strength, encryption level, and access control complexity are parametrically modeled and mapped to continuous policy vectors. A nonlinear latency prediction function is then constructed, dynamically updating the latency inflation coefficient by injecting gradient background traffic to characterize the nonlinear degradation relationship between security overhead and communication latency. The control variable method is used to perturb security parameters, and combined with measured data, a multidimensional coupling matrix between security and communication is constructed.
[0028] Step 3: Construct a joint evaluation index system for security and communication: Based on the multidimensional coupling matrix constructed in step 2, an exponential decay mapping of business tolerance thresholds is introduced for degradation indicators such as latency and packet loss, while a Logistic curve mapping is used for security indicators, unifying heterogeneous indicators into dimensionless utility values. Information entropy is calculated to obtain dynamic weights, and a joint evaluation model is constructed based on a constant substitution elasticity function to output a global quantitative score.
[0029] Step 4: Security strategy optimization and closed-loop control: Using the global quantitative score output in step 3 as the optimization objective, the security policy optimization problem is modeled as an MDP, defining the state space, action space, and reward function that integrates CES utility. The TD3 deep reinforcement learning algorithm is used to solve for the Pareto optimal security policy combination, and the policy is distributed to the underlying network elements through the 5G-A core network standard interface via the policy translation module, realizing closed-loop adaptive adjustment of the security policy.
[0030] The four main steps described above will be explained in detail below.
[0031] I. Regarding the construction of a 5G-A industrial internet security testing environment and security boundary system: It should be noted that, in any embodiment of the present invention, the tests are conducted in a constructed 5G-A industrial internet private network test environment.
[0032] Specifically, the first step is to build a 5G-A industrial internet private network test environment: To conduct testing in real or near-real industrial scenarios, this invention constructs an end-to-end 5G-A industrial internet private network architecture comprising an access layer, an edge core layer, a central core layer, an industrial network layer, and an application layer, such as... Figure 2 As shown, the core test service is the collaborative scheduling of AGV (Automated Guided Vehicle) clusters, which has extremely high requirements for network determinism, to accurately reflect the stringent communication constraints under the URLLC (Ultra-Reliable Low-Latency Communication) scenario.
[0033] To simulate the complex traffic environment of an industrial site and test the system's performance under extreme pressure, a Spirent C2 professional network performance tester was connected in series between the UPF and MEC in the core network. This was used to inject high-concurrency industrial background traffic with gradient changes, thereby constructing a 5G-A data closed-loop environment with a complete physical topology and controllable stress testing capabilities. This provides a foundation for subsequent analysis of the impact of security mechanisms under dynamic loads.
[0034] Secondly, deploy a secure zone boundary protection system: like Figure 3As shown, at the key interfaces of the 5G-A private network, a layered, decoupled, and collaboratively operating security zone boundary protection system is deployed to achieve differentiated security protection for the control plane and the data plane.
[0035] Figure 2 The authentication and signaling encryption of the AMF (Access and Mobility Management Function) / AUSF (Authentication Server Function) converge on the N1 interface of the control plane in the core network, while DPI (Device Proximity Intrusion Prevention System), IPS (Intrusion Prevention System), and IPSec are decoupled from the N3 interface of the MEC, thus decoupling high-frequency key re-authentication from lower-layer data plane traffic. When the control plane issues new security commands, the data payload is not transmitted back to the management side for verification.
[0036] On the control plane, a signaling security gateway is deployed on the N1 interface, enabling NAS (Non-Access Stratum) integrity protection and encryption functions to defend against air interface signaling tampering and eavesdropping. At the same time, a unified identity authentication platform is deployed on the core network side. This platform integrates the national cryptographic SM2 / SM3 / SM4 algorithm library and supports multiple authentication protocols such as 5G-AKA (Authentication and Key Agreement) and EAP-TLS (Extensible Authentication Protocol - Transport Layer Security), thereby achieving end-to-end bidirectional identity authentication.
[0037] On the user plane, an IPSec security tunnel gateway is configured on the N3 interface to dynamically encapsulate and encrypt user plane data for transmission. At the N6 interface, an industrial-grade firewall, an IDS based on anomaly behavior analysis, and an application-layer gateway are deployed serially at the front end of the edge computing platform to perform deep packet inspection on typical industrial protocols such as Modbus, Profinet, and OPC UA (Open Platform Communications Unified Architecture). The core advantage of this system lies in its decoupling of the control plane and data plane, allowing security policies to be configured independently and dynamically adjusted, providing an execution entity for subsequent intelligent algorithm-based deployment of optimized security configurations.
[0038] Finally, deploy a high-precision synchronization performance monitoring probe: To accurately quantify the microscopic impact of security mechanisms on communication performance, high-precision data acquisition is required. Specifically, hardware TAP (Test Access Point) devices or software probes are deployed on the terminal side, base station side, UPF side, and application server side to capture the entire process of service data packets from sending to receiving. At the same time, a Syslog (System Log) collection agent is deployed on the security device to record security events, resource consumption, and processing latency.
[0039] To achieve precise end-to-end latency calculation and separation of security processing latency, a unified PTP (Timestamp Point) is introduced into the network to ensure that all acquisition devices distributed across heterogeneous nodes are strictly synchronized with the master clock source, controlling timestamp errors to the microsecond level. All collected performance data and security logs are transmitted in real time to a central analysis server via an independent out-of-band network. The server has a built-in time-series database that indexes and stores all data using a unified time benchmark, forming a high-fidelity underlying stream dataset isolated from network services. This provides accurate data support for subsequent security-communication correlation analysis.
[0040] The underlying flow dataset includes communication performance data, network element load data, traffic characteristic data, and time synchronization data. Communication performance data includes end-to-end latency, jitter, throughput, packet loss rate, packet transmission latency, and quality of service parameters. Network load data includes CPU utilization, memory usage, NIC queue depth, port bandwidth utilization, and concurrent connections of core network and edge computing nodes. Traffic characteristic data includes real-time traffic volume, traffic distribution characteristics, and AGV scheduling data streams.
[0041] II. Construction of joint security-communication evaluation indicators: It should be noted that, before the method described in this invention is executed online, a nonlinear latency prediction model and a multidimensional coupling matrix are pre-constructed. The nonlinear latency prediction model is used to characterize the nonlinear mapping relationship between network load data and the combination of security policy parameters and the overall latency. The combination of security policy parameters includes authentication strength, encryption level, and access control rule complexity. The multidimensional coupling matrix is used to characterize the local impact of fine-tuning a single security parameter on communication performance under different network load conditions.
[0042] The term "pre-built" refers to the fact that the aforementioned models and matrix libraries are trained and calibrated using offline experiments or historical data before formal business operation. During the online execution phase, they are not retrained or calibrated; they are only used for forward computation. The specific construction steps are as follows: 2.1 Parametric Modeling of Security Policies To achieve a unified quantitative assessment of various security protection mechanisms in the 5G-A Industrial Internet, the originally discretely configured security policies are parametrically modeled to construct a unified set of security policy parameters. For typical authentication, encryption, and access control mechanisms, key influencing factors are extracted and quantified, thereby mapping various security boundary protection scenarios into continuous policy parameter vectors. It is used to uniformly represent different security configuration states.
[0043] Regarding authentication strength Unified parameter configuration and mapping are performed through core network UDM (Unified Data Management) and AUSF (Authentication Server Function) network elements. Strength determination rules are constructed based on key indicators such as authentication protocol type, key length, and re-authentication cycle: one-way authentication mapping using the EAP-AKA protocol is classified as low strength level; two-way authentication mapping using the 5G-AKA protocol, combined with a 128-bit key and a re-authentication cycle of 24 hours is classified as medium strength level; and authentication mechanism based on the EAP-TLS protocol and integrating the SM2 algorithm, using a 256-bit key and a re-authentication cycle of 1 hour is classified as high strength level.
[0044] For encryption level The air interface encryption and integrity protection parameters NIA0 to NIA3 of the PDCP layer (Packet Data Convergence Protocol) are extracted, and a cryptographic overhead scalar is established in conjunction with the application layer TLS 1.3 secure channel configuration. At the same time, the key update cycle of the dynamic rotation mode with different time units is used as the feature quantity of the time dimension, with ten minutes as the minimum time unit.
[0045] For access control rule complexity The complexity was evaluated by quantifying the number of rules and detection depth of firewalls and IPS devices at the N6 interface: detection based on IP / TCP headers is of low complexity, detection with some application layer analysis capabilities is of medium complexity, and full payload detection based on industrial protocol feature libraries is of high complexity.
[0046] Through the above parametric modeling, multiple security mechanisms are uniformly converted into quantifiable security policy parameter vectors, providing a foundation for subsequent correlation analysis and joint evaluation.
[0047] 2.2 Degradation Modeling of Communication Performance Due to Security Mechanism Overhead In one embodiment of the present invention, the specific process of “constructing a nonlinear time delay prediction model” can be described in conjunction with the following description.
[0048] As described in the following steps, determine the overall latency and resource utilization of the security policy parameter combination under different network loads; As described in the following steps, the nonlinear latency prediction model is obtained by fitting the overall latency and resource utilization rate of each security strategy parameter combination.
[0049] By combining the real-time load conditions of 5G-A underlying network elements, abstract security policy parameters are transformed into intuitive impacts on communication link performance, establishing a dynamic model of security overhead and communication degradation, namely a nonlinear latency prediction model. This model, with parameterized security policies as input, can dynamically predict the degree of nonlinear degradation in underlying communication performance.
[0050] The increase in security overhead has a significant nonlinear relationship with the underlying communication latency. The nonlinearity of latency mainly stems from the saturation effect in queuing theory, the nonlinear overhead of resource contention, and the computational complexity of security algorithms. In actual production, this corresponds to the latency overhead of encryption calculation, authentication interaction, and rule matching.
[0051] Define the total end-to-end delay of an industrial command from the sending end to the receiving end as: . Mainly due to pure network transmission latency With security processing delay Composition, in which This is the sum of the queuing time for encryption / decryption of the UPF data plane, the DPI rule matching time of the MEC-side security gateway, and the authentication signaling interaction time of the core network AMF / AUSF.
[0052] Construct a nonlinear delay prediction function based on security policy vectors:
[0053] in, , , This is the time dilation function resulting from the fitted encryption computation, authentication interaction, and rule matching.
[0054] By continuously injecting industrial background traffic and DDoS attack traffic at gradients of 10Mbps to 10Gbps using a dedicated network tester, the dynamic fluctuations of a real industrial environment are simulated. This proactively triggers the traffic scrubbing and rate limiting mechanisms of security devices, while simultaneously collecting real-time CPU utilization, memory read / write speeds, and network interface card queue depths from the UPF and MEC physical servers. Then, using the burst background traffic and the real-time CPU and memory load of the devices as environmental variables, a sliding time window model is used to dynamically calculate and update the nonlinear scaling factor. , , To obtain key information on the time delay nonlinear mutations caused by deep DPI detection or high-frequency key re-authentication under extreme network pressure.
[0055] This modeling uses mathematical prediction functions to characterize the bottlenecks of 5G-A communication, simulating the critical parameters of network element computing power exhaustion and communication latency degradation caused by high-level encryption or deep DPI matching when encountering extreme network pressure, supporting the dynamic prediction of subsequent joint utility mapping.
[0056] 2.3 Construction of the Multidimensional Coupling Relationship Matrix between Security and Communication In one embodiment of the present invention, the specific process of "constructing a multidimensional coupling relationship matrix library" can be described in conjunction with the following description.
[0057] As described in the following steps, under different network loads, a step perturbation is applied to a single security parameter in the security policy parameter combination using the control variable method to generate corresponding changes in communication performance indicators, thereby constructing a multidimensional coupling matrix for quantifying the impact of security parameters on communication performance. Specifically, the control variable method is used to apply a step perturbation only to a single security parameter in the security policy parameter combination to determine the overall delay change and effective throughput change before and after the perturbation; a multidimensional coupling matrix under the corresponding network load is constructed based on the ratio of the overall delay change to the perturbation amount and the effective throughput change of all security parameters in the security policy parameter combination.
[0058] Based on the high-precision underlying stream dataset obtained above, parameterized security policies such as authentication key length, number of access control rules, and deep packet inspection depth are extracted as independent variable vectors, and basic communication performance indicators such as end-to-end latency and effective throughput are extracted as dependent variable vectors. The control variable method is used to perform perturbation tests on specific security parameters.
[0059] Maintain a constant system authentication frequency and encryption level by adjusting a single variable with a fixed parameter step size, and add a step perturbation to the target security gateway. Observe the change in output. .
[0060] Specifically, probe data aligned with microsecond-level timestamps is used to obtain perturbations of specific security parameters. Corresponding changes in communication metrics The ratio of the actual change in communication indicators to the perturbation variable of security parameters is calculated and used as a matrix element reflecting the degree of multidimensional coupling, until a complete relational matrix reflecting the degree of multidimensional coupling is generated. Each element in this matrix quantifies the impact of cryptographic computations of different strengths or protocol filtering actions of different scales on the utility of industrial network communication.
[0061] This step transforms the cross-influence of security and communication into a quantifiable numerical matrix, providing underlying data support for subsequent nonlinear manifold mapping of heterogeneous indicators and joint evaluation based on CES.
[0062] Third and fourth points: Regarding the construction of a joint security-communication assessment index system and the optimization and closed-loop control of security strategies: Reference Figure 4 This application illustrates a method for jointly evaluating security boundaries and communication performance based on a 5G-A industrial internet according to an embodiment of this application: S410. Obtain the current network load data and the current security policy parameter combination, and input the current network load data and the current security policy parameter combination into the nonlinear latency prediction model to obtain the current overall latency; S420. Combine the current security policy parameters and the current overall latency utility to generate the current security-communication global score; S430. When the current security-communication global score is lower than a preset threshold, the fine-tuning amount of each security parameter is determined from the multi-dimensional coupling relationship matrix library based on the current network load data and the current security policy parameter combination, and the optimal security policy parameter combination that satisfies the preset delay constraint is generated based on the fine-tuning amount.
[0063] In the embodiments of this application, the problem of independent security assessment and communication assessment in the prior art is solved by using a nonlinear delay prediction model and a multidimensional coupling relationship matrix library. This achieves cross-domain coupling modeling of the security domain and the communication domain, providing a quantitative basis for the joint analysis of security strategy and communication performance. By calculating the overall delay and utilizing the security strategy parameters and the overall delay, a global score is obtained, enabling security and communication to be compared and integrated in the same dimension. By outputting the fine-tuning amount of each security parameter through the matrix library and finding the optimal security strategy, the security strategy can be dynamically adjusted under the premise of meeting industrial hard constraints, achieving the synergistic optimization of security and communication resources.
[0064] The following will further explain a joint evaluation method for security boundaries and communication performance based on 5G-A industrial internet in this exemplary embodiment.
[0065] In one embodiment of the present invention, the specific process of step S410, "obtaining the current network load data and the current security policy parameter combination, and inputting the current network load data and the current security policy parameter combination into the nonlinear latency prediction model to obtain the current overall latency," can be further explained in conjunction with the following description.
[0066] It should be noted that current network load data can be obtained in real time through system monitoring probes deployed on UPF and MEC servers. Current network load data includes CPU utilization, memory usage, network interface card queue depth, port bandwidth utilization, and concurrent connections of the current core network and edge computing nodes. Current security policy parameter combinations can be obtained by calling the API interface of the 5G Core Network Policy Control Function (PCF) or reading the configuration file of the security gateway. These combinations are quantified levels, such as authentication strength level 2, encryption level level 3, and access control rule complexity level 2.
[0067] In one specific implementation, current network load data is collected in real time by monitoring agents deployed on MEC nodes. The collected data includes UPF network element CPU utilization (65%), link bandwidth utilization (58%), and queue length (23 data packets). Current security policy parameter combinations are read from the security management platform, specifically authentication strength level 2, encryption level 3, and access control rule complexity level 2. After standardizing these two types of data, they are input into a nonlinear latency prediction model, which outputs a current overall latency of 18ms. This nonlinear latency prediction model decomposes end-to-end latency (i.e., overall latency) into the sum of pure network transmission latency and security processing latency. Security processing latency includes encryption computation latency, authentication interaction latency, and rule matching latency. The model dynamically updates the inflation coefficient of each security processing latency through a sliding time window to characterize the nonlinear latency mutation caused by security overhead under extreme load. It is understandable that the 18ms here is a model prediction value, not a direct measurement value.
[0068] In one embodiment of the present invention, the specific process of "combining the current security policy parameters and the current overall latency utility to generate the current security-communication global score" in step S420 can be further explained in conjunction with the following description.
[0069] As described in the following steps, the current security policy parameter combination and the current overall latency are respectively converted into utility to generate the current security utility value and the current communication utility value; specifically, the current overall latency is transformed according to a preset exponential decay mapping function to generate the current communication utility value; the current security policy parameters are transformed according to a preset transformation function to generate the current security utility value; The current dynamic weight is determined based on the current security utility value and the current communication utility value, as described in the following steps; As described in the following steps, the current security-communication global score is generated based on the current security utility value, the current communication utility value, and the current dynamic weight.
[0070] It should be noted that, for ease of unified comparison and integration, physical indicators with different dimensions are converted into dimensionless utility values within a unified quantification range. This utility conversion eliminates the dimensional differences between indicators, and a comprehensive evaluation of security and communication performance is achieved through global scoring, providing a basis for subsequent strategy fine-tuning. When the score falls below a preset threshold, it indicates that the current balance between security and communication performance does not meet business requirements and adjustments are necessary.
[0071] Specifically, to address the issue of differing dimensions and inconsistent variation patterns between security and communication indicators, a utility value conversion method combining service tolerance thresholds is proposed. First, the set of basic communication performance indicators collected from network elements and security gateways is defined as... Define the basic indicator set of the security mechanism as .
[0072] Degradation metrics that are negatively correlated with communication latency or packet loss rate An exponential decay mapping function incorporating a business tolerance threshold is introduced to convert it into a standardized communication utility value. The calculation formula is as follows:
[0073] In the formula, This indicates the safety latency tolerance threshold that does not affect the execution of control instructions in this specific industrial business scenario. The maximum physical latency that could cause service interruption. This is the environmental sensitivity attenuation coefficient. This is a non-linear adjustment factor. When the business is extremely sensitive to this indicator, A value greater than 1 ensures that once the basic indicator value exceeds... The corresponding communication utility value will drop rapidly.
[0074] Security indicators that are positively correlated with authentication strength and encryption level, but whose gain effect diminishes. The mapping is performed using a transformation function based on the Logistic curve:
[0075] in, Dynamically set based on the current baseline threat situation facing the Industrial Internet, This is the steepness coefficient for safety gain.
[0076] Through the two types of utility value transformations described above, security configuration data and network status data, which have different physical meanings and significantly different value ranges, are uniformly converted into values within a certain range. The dimensionless joint utility value is used as input data for subsequent in-depth integration and comprehensive evaluation of indicators.
[0077] Furthermore, to accommodate the varying priorities of different industrial business flows regarding security mechanisms and communication performance, this embodiment proposes a dynamic weight allocation method to replace static weight configuration. Within a set time window... Internally, the aforementioned basic indicator data are collected in real time, and their corresponding information entropy is calculated:
[0078] In the formula, Indicates time window The total number of sampling points within, Indicates the first The indicator in the first The data weight of each sampling point is determined. The objective entropy weight is derived from the calculated information entropy.
[0079] This objective entropy weight is used to reflect the degree of fluctuation in the current indicator data and will serve as the dynamic comprehensive weight vector for subsequent calculations. This enables the evaluation system to adaptively adjust the importance of indicators based on real-time data characteristics.
[0080] Finally, based on the dimensionless utility value and dynamic comprehensive weight vector obtained in the preceding steps, a CES (Constant Elasticity of Substitution) joint utility function is constructed. In the 5G-A industrial internet scenario, the relationship between security performance and communication performance is not a simple linear summation, but rather a deep coupling. The CES function can accurately characterize the nonlinear substitution relationship between the utility of the security domain and the communication domain, avoiding the evaluation distortion problem of the traditional weighted average method when dealing with indicators with shortcomings. The CES joint evaluation function is expressed as:
[0081] In this evaluation function, Output a globally unique quantitative score for the current system's security and communication coordination. and These are the global balancing coefficients for the security domain and the communication domain, respectively, unifying the two types of indicators to the same comparison dimension. This represents the alternative resilience parameter, characterizing the irreplaceability between security indicators and communication indicators.
[0082] In 5G-A industrial scenarios, set up The numerical value reflects the security and communication constraints of the business. The closer the value is to negative infinity, the closer the CES function is to the Leontief production function form, indicating a stronger complementarity and weaker substitutability between security and communication. At this point, the overall system utility will be dominated by the worst-performing bottleneck indicator. When any one of the key indicators approaches the lower bound of business tolerance, even if another indicator has a high value, the final output global quantitative score will be affected. It will also rapidly approach 0. This evaluation mechanism aligns with the dual bottom-line requirements of deterministic communication and absolute security in industrial control scenarios. This joint evaluation scalar serves as the quantitative basis and is input into the subsequent security strategy optimization model for optimization calculations.
[0083] In one embodiment of the present invention, the specific process of step S430, which involves "when the current security-communication global score is lower than a preset threshold, determining the fine-tuning amount of each security parameter from the multidimensional coupling relationship matrix library based on the current network load data and the current security policy parameter combination, and generating the optimal security policy parameter combination that satisfies the preset delay constraint based on the fine-tuning amount", can be further explained in conjunction with the following description.
[0084] As described in the following steps, based on the Markov decision process, the fine-tuning amount is used as an initial action reference, and the Pareto optimal safety policy parameter combination is determined through iterative optimization by a deep reinforcement learning agent.
[0085] Specifically, (1) MDP modeling for collaborative optimization To address the dynamic changes in communication load and security threats in industrial settings, this paper constructs a discrete-time Markov Decision Process (MDP) model to address the synergistic optimization problem of security mechanisms and communication performance. Policy optimization is achieved by defining the state space, action space, and reward function. The core of the Markov Decision Process lies in its Markov property, i.e., the system... State transition probability at time 1 Dependent only on the current state of time and the actions currently being taken This is independent of historical conditions. This aligns with the real-time evolution characteristics of network fluctuations and sudden threats in the 5G-A Industrial Internet, enabling the model to make dynamic and continuous decisions in uncertain environments.
[0086] First, define the quintuple model of MDP. Constructing the system environment state space In any decision time slot The state vector is defined as
[0087] in, A matrix representing the current network slice resource occupancy rate as perceived by 5G-A network data analysis capabilities. A quantitative index for the current security threat situation. This sets the latency and reliability constraints for the current business flow.
[0088] Secondly, define the security policy action space. The action vector directly corresponds to the specific configuration parameters of the programmable security gateway.
[0089] in This indicates the dynamically adjusted encryption key length. This indicates the trigger frequency of two-way authentication. The matching depth of the access control tree.
[0090] Next, define the state transition probability model. Given the current network resource state and security threat state, after executing the security policy reconfiguration action, the network environment will undergo a deterministic or random state transition based on the underlying traffic queuing model and security defense probability.
[0091] Finally, the CES joint utility function constructed above will be used... Reward calculation is introduced, and a penalty term oriented towards industrial constraints is added. (Time slot) Instant rewards Defined as:
[0092] In this formula, and These respectively represent the actions being performed. The expected latency and expected security defense strength afterward This represents the maximum allowed latency threshold for industrial operations. As the minimum safety strength benchmark for compliance requirements, and The reward function is the penalty coefficient. This reward function guides the optimization algorithm to maximize the global joint utility while imposing a negative penalty when the system state approaches or exceeds the delay threshold or safety benchmark, ensuring that the strategy exploration process meets the safety and real-time constraints of industrial control.
[0093] (2) Solving deep reinforcement learning strategies Due to the action space The problem involves both continuous and discrete variables. Traditional mixed-integer nonlinear programming or heuristic algorithms are prone to getting trapped in local optima during the solution process, and their computational latency cannot meet the millisecond-level scheduling requirements of 5G-A. Therefore, this invention constructs an intelligent decision-making model based on the TD3 algorithm.
[0094] In the problem of co-optimizing security and communication, the enhancement of security mechanisms inevitably consumes computational and bandwidth resources, thereby causing a decline in communication performance. A Pareto optimal strategy refers to the policy state where, under current resource constraints, the system cannot further improve its security defense performance without deteriorating communication utility indicators. The set of all Pareto optimal strategies constitutes the Pareto front. In this invention, the goal of the intelligent agent is to autonomously explore and approach this Pareto front through continuous interaction with a 5G-A digital twin or real-world testing environment.
[0095] In the TD3 decision model, one Actor network and two Critic networks were designed. Actor network Parameterization Responsible for the given state Output deterministic safety configuration actions Dual Critic Network and This is used to evaluate the long-term expected Q-value of the action in the current state, and by taking the minimum of the two values, policy oscillations caused by overestimation of Q-value in traditional algorithms are mitigated. The loss function of the Critic network is updated based on the Bellman equation:
[0096] in, , This represents the experience replay pool. This indicates the next state after an action is performed. Indicates an immediate reward. This represents the target Q value. The calculation introduces objective policy smoothing regularization, as shown in the formula:
[0097] here, Indicates the discount factor. This is the normally distributed noise that has been cropped, i.e. and This noise is introduced to improve the smoothness of target value prediction and prevent large fluctuations in the strategy due to small state disturbances in industrial environments.
[0098] The parameter updates of the Actor network proceed along the ascending gradient of the Q-value provided by the Critic network, and its policy gradient formula is:
[0099] By training the aforementioned deep neural network offline and fine-tuning online, the agent can converge to the Pareto optimal solution set in a high-dimensional security-communication policy space. This enables the system to optimize the policy combination output. It can maximize security defense indicators without reducing any communication effectiveness indicators.
[0100] (3) Closed-loop control and strategy issuance To achieve the optimal policy vector The efficient distribution and closed-loop control have constructed an automated signaling channel connecting the intelligent decision-making model and the 5G-A core network control plane.
[0101] First, a policy intent translation module is deployed at the logical layer. After the intelligent decision model outputs the optimal security configuration action vector, the policy intent translation module extracts the single network slice selection auxiliary information (S-NSSAI) of the target service flow and parses the abstract security configuration action parameters into standardized 5G system policy control elements accordingly.
[0102] Secondly, by calling the RESTful API interface of the 5G-A network open function, the translated security policy is pushed to the PCF in real time. The PCF then interacts with the SMF through the N7 interface, and finally distributes the microservice-based security component configuration to the UPF and P4 programmable switches distributed on the enterprise edge through the N4 signaling channel.
[0103] To ensure that the security policy reconstruction process does not cause service interruption or packet out-of-order delivery, convergence time constraints are set for policy issuance and execution:
[0104] in, Forward inference time of the TD3 model, To reduce cross-network element signaling transmission delay, For the security context switching latency of the underlying UPF data plane, This represents the time window during which the channel state remains relatively stable. Under the condition of satisfying the above inequality constraints, the system can dynamically adjust the security boundary parameters without the service being aware of them, realizing proactive security defense based on communication utility feedback and adaptive collaborative control of communication network resources.
[0105] The following is an example: 1. Initial State and Security Policy Parameterization Business scenario: Collaborative scheduling of AGV clusters in a pilot production plant.
[0106] Security policy: Employs the 5G-AKA protocol, a 128-bit key, and enables only over-the-air encryption (NIA1), based on IP / TCP and partial application layer detection. The security policy parameter vector is as follows: .
[0107] 2. Delay estimation and degradation calculation Regarding safety parameters Under ideal no-load conditions, the estimated foundation time is: authentication ,encryption Rule matching Set the sliding time window step size to 1 second.
[0108] During the system's stable operation period, the pure network latency was measured. The edge MEC server CPU utilization is 30%, and the network interface card queue depth is only 15. The system dynamically updates the non-linear scaling factor as follows: , , . The overall latency at any given moment is
[0109] During a sudden surge in background traffic, the private network experienced a peak of 5Gbps of concurrent industrial background traffic, causing the MEC server CPU utilization to rise to 88% and the UPF-side network interface card queue depth to accumulate to 120. Due to the increased security processing overhead, the system dynamically updated the scaling factor based on the current environmental load variables. , , At this point, the pure network latency slightly increases to . The overall time delay is:
[0110] 3. Control variable perturbation and multidimensional coupling matrix construction exist Maintain authentication under high load conditions and access control The encryption level will remain unchanged. Increasing from 1 to 2, step perturbation The probe measured an end-to-end delay that increased to [a certain value]. Change Effective throughput decreased The coupling coefficient between encryption overhead and latency under high load. .
[0111] Similarly, perturbation measurements were performed on other security parameters to obtain a multidimensional coupling matrix:
[0112] 4. Utility mapping and joint evaluation Set AGV safety delay tolerance threshold Limiting physical delay .
[0113] Current delay Approaching the tolerance threshold, substituting into the exponential decay mapping function, the communication utility value decays to... .
[0114] Based on the threat situation, the Logistic curve is used to map the security effectiveness of the current strategy. The dynamic objective entropy weight is calculated as follows: , Alternative elastic parameters Substituting into the CES joint evaluation model:
[0115] The overall score dropped to 0.71, and the system determined that the communication bottleneck was caused by a sudden surge in traffic, requiring optimization.
[0116] 5. Strategy optimization and closed-loop control The TD3 agent detects that the system state is approaching the latency threshold. To maximize the global score and avoid service interruption, the agent searches for the Pareto optimal solution in a high-dimensional space and outputs a new action. Actively reduce the DPI detection depth to 1.
[0117] The policy intent translation module distributes the new policy to the edge industrial firewall via the 5G-A standard interface. After the new policy takes effect, the DPI latency decreases, and the end-to-end latency drops back to [previous level]. Communication utility The system recovered and reached a new equilibrium between security and communication within the convergence time.
[0118] The advantages of this invention are mainly reflected in the following three aspects: 1. In a unified 5G-A industrial internet testing environment, this invention constructs extreme stress testing capabilities by connecting a network tester in series, and deploys a decoupled security boundary protection system on the N1, N3, and N6 interfaces to achieve differentiated protection between the control plane and the data plane. This solves the problem in the prior art that security assessment and communication assessment are independent of each other and it is difficult to systematically analyze the impact of security mechanisms on communication performance, thereby improving the completeness and reliability of the overall evaluation of the industrial internet system.
[0119] 2. This invention constructs a high-fidelity underlying stream dataset by deploying monitoring probes across the entire link, using PTP microsecond-level clock synchronization and out-of-band aggregation mechanism, and adopts utility conversion based on business tolerance threshold and dynamic weighting of information entropy to unify heterogeneous indicators into dimensionless joint utility values, thus solving the problems of scattered evaluation indicators and inconsistent standards in existing technologies.
[0120] 3. This invention establishes a multi-dimensional coupling relationship matrix between security and communication, constructs a CES joint evaluation model to output a global quantitative score, and solves the Pareto optimal strategy based on MDP and TD3 algorithms. It achieves closed-loop adaptive adjustment through the 5G-A core network standard interface, providing quantifiable decision-making basis for security policy configuration, network architecture design and resource optimization, and improving the engineering application value of the evaluation results.
[0121] As the device embodiment is basically similar to the method embodiment, the description is relatively simple, and relevant parts can be found in the description of the method embodiment.
[0122] Reference Figure 5 This application illustrates an embodiment of a joint evaluation device for security boundaries and communication performance based on a 5G-A industrial internet. The device pre-constructs a nonlinear latency prediction model and a multidimensional coupling matrix library. The nonlinear latency prediction model characterizes the nonlinear mapping relationship between network load data, security policy parameter combinations, and overall latency. The security policy parameter combinations include authentication strength, encryption level, and access control rule complexity. The multidimensional coupling matrix library characterizes the local impact of fine-tuning a single security parameter on communication performance under different network load conditions. Specifically, it includes the following modules: Specifically, it includes: The latency calculation module 510 is used to obtain the current network load data and the current security policy parameter combination, and input the current network load data and the current security policy parameter combination into the nonlinear latency prediction model to obtain the current overall latency; The global scoring module 520 is used to combine the current security policy parameters and the current overall latency utility to generate a current security-communication global score. The parameter optimization module 530 is used to determine the fine-tuning amount of each security parameter from the multi-dimensional coupling relationship matrix library based on the current network load data and the current security policy parameter combination when the current security-communication global score is lower than a preset threshold, and generate the optimal security policy parameter combination that satisfies the preset delay constraint based on the fine-tuning amount.
[0123] In one embodiment of the present invention, a nonlinear time delay prediction model construction module is further included, comprising: The latency and resource utilization determination submodule is used to determine the overall latency and resource utilization of the security policy parameter combination under different network loads. The model building submodule is used to fit the nonlinear latency prediction model based on the overall latency and resource utilization rate of each security strategy parameter combination.
[0124] In one embodiment of the present invention, a multidimensional coupling relationship matrix construction module is further included, which is used to perform step perturbation on a single security parameter in the security strategy parameter combination under different network loads using the control variable method to generate the corresponding communication performance index change, so as to construct a multidimensional coupling relationship matrix for quantifying the impact of security parameters on communication performance.
[0125] In one embodiment of the present invention, the multidimensional coupling relationship matrix construction module includes: The step perturbation submodule is used to perform step perturbation on a single security parameter in the combination of security strategy parameters using the control variable method, and to determine the overall time delay change and effective throughput change before and after the perturbation. The matrix construction submodule is used to construct a multidimensional coupling relationship matrix under the corresponding network load based on the ratio of the overall delay change to the perturbation of all security parameters in the security policy parameter combination and the effective throughput change.
[0126] In one embodiment of the present invention, the global scoring module 520 includes: The utility submodule is used to combine the current security policy parameters and the current overall latency into utility, respectively, to generate the current security utility value and the current communication utility value. The dynamic weight determination submodule is used to determine the current dynamic weight based on the current security utility value and the current communication utility value; The scoring submodule is used to generate the current security-communication global score based on the current security utility value, the current communication utility value, and the current dynamic weight.
[0127] In one embodiment of the present invention, the utility submodule includes: The communication utility submodule is used to convert the current overall latency according to a preset exponential decay mapping function and generate the current communication utility value; The security utility submodule is used to transform the current security policy parameters according to a preset transformation function to generate the current security utility value.
[0128] In one embodiment of the present invention, the parameter optimization module 530 includes: The iterative optimization submodule is used to determine the Pareto optimal combination of safety policy parameters by using the fine-tuning amount as an initial action reference based on the Markov decision process and through the deep reinforcement learning agent for iterative optimization.
[0129] Reference Figure 6 The illustration shows a computer electronic device for implementing a joint evaluation method for security boundaries and communication performance based on 5G-A industrial internet, which may specifically include the following: The aforementioned computer electronic device 1 is manifested in the form of a general-purpose computing device. The components of the computer electronic device 1 may include, but are not limited to: one or more processors or processing units 3, memory 8, and a bus 4 connecting different system components (including memory 8 and processing unit 3).
[0130] Bus 4 represents one or more of several bus architectures, including memory buses or memory controllers, peripheral buses, graphics acceleration ports, processors, or local buses using any of the various bus architectures. For example, these architectures include, but are not limited to, the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MAC) bus, the Enhanced ISA bus, the Audio / Video Electronics Standards Association (VESA) local bus, and the Peripheral Component Interconnect (PCI) bus.
[0131] Computer electronic device 1 typically includes a variety of computer system readable media. These media can be any available media that can be accessed by computer electronic device 1, including volatile and non-volatile media, removable and non-removable media.
[0132] Memory 8 may include computer system readable media in the form of volatile memory, such as random access memory 9 and / or cache memory 10. Computer electronic device 1 may further include other removable / non-removable, volatile / non-volatile computer system storage media. By way of example only, storage system 11 may be used to read and write non-removable, non-volatile magnetic media (commonly referred to as a "hard disk drive"). Although Figure 6 As not shown, a disk drive for reading and writing to a removable non-volatile disk (such as a "floppy disk") and an optical disk drive for reading and writing to a removable non-volatile optical disk (such as a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 4 via one or more data media interfaces. The memory may include at least one program product having a set (e.g., at least one) of program modules 13 configured to perform the functions of the embodiments of this application.
[0133] A program / utility 12 having a set (at least one) of program modules 13 may be stored, for example, in memory. Such program modules 13 include—but are not limited to—an operating system, one or more application programs, other program modules 13, and program data. Each or some combination of these examples may include an implementation of a network environment. Program modules 13 typically perform the functions and / or methods described in the embodiments of this application.
[0134] The computer electronic device 1 can also communicate with one or more external devices 2 (e.g., keyboard, pointing device, display 7, camera, etc.), and with one or more devices that enable an operator to interact with the computer electronic device 1, and / or with any device that enables the computer electronic device 1 to communicate with one or more other computing devices (e.g., network card, modem, etc.). This communication can be performed through the I / O interface 6. Furthermore, the computer electronic device 1 can also communicate with one or more networks (e.g., local area network (LAN)), wide area network (WAN), and / or public networks (e.g., the Internet) through the network adapter 5. Figure 6 As shown, network adapter 5 communicates with other modules of computer electronic device 1 via bus 4. It should be understood that, although... Figure 6 Not shown, it may be combined with other hardware and / or software modules, including but not limited to: microcode, device drivers, redundant processing unit 3, external disk drive array, RAID system, tape drive and data backup storage system 11, etc.
[0135] The processing unit 3 executes various functional applications and data processing by running programs stored in memory 8, such as implementing a joint evaluation method for security boundary and communication performance based on 5G-A industrial internet provided in the embodiments of this application.
[0136] That is, when the processing unit 3 executes the above program, it performs the following: acquiring the current network load data and the current security policy parameter combination, and inputting the current network load data and the current security policy parameter combination into the nonlinear latency prediction model to obtain the current overall latency; utilizing the current security policy parameter combination and the current overall latency to generate a current security-communication global score; when the current security-communication global score is lower than a preset threshold, determining the fine-tuning amount of each security parameter from the multidimensional coupling relationship matrix library based on the current network load data and the current security policy parameter combination, and generating an optimal security policy parameter combination that satisfies the preset latency constraint based on the fine-tuning amount.
[0137] In this application embodiment, the application also provides a computer-readable storage medium storing a computer program thereon, which, when executed by a processor, implements a joint evaluation method for security boundary and communication performance based on 5G-A industrial internet as provided in all embodiments of the application.
[0138] That is, when the program is executed by the processor, it performs the following: acquiring the current network load data and the current security policy parameter combination, and inputting the current network load data and the current security policy parameter combination into the nonlinear latency prediction model to obtain the current overall latency; utilizing the current security policy parameter combination and the current overall latency to generate a current security-communication global score; when the current security-communication global score is lower than a preset threshold, determining the fine-tuning amount of each security parameter from the multidimensional coupling relationship matrix library based on the current network load data and the current security policy parameter combination, and generating an optimal security policy parameter combination that satisfies the preset latency constraint based on the fine-tuning amount.
[0139] Any combination of one or more computer-readable media may be used. A computer-readable medium can be a computer-readable signal medium or a computer-readable storage medium. A computer-readable storage medium can be, for example—but not limited to—an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples (a non-exhaustive list) of computer-readable storage media include: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In this document, a computer-readable storage medium can be any tangible medium that contains or stores a program that can be used by or in connection with an instruction execution system, apparatus, or device.
[0140] Computer-readable signal media may include data signals propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such propagated data signals may take various forms, including—but not limited to—electromagnetic signals, optical signals, or any suitable combination thereof. Computer-readable signal media may also be any computer-readable medium other than computer-readable storage media, capable of transmitting, propagating, or transmitting programs for use by or in connection with an instruction execution system, apparatus, or device.
[0141] Computer program code for performing the operations of this application can be written in one or more programming languages or a combination thereof. These programming languages include object-oriented programming languages such as Java, Smalltalk, and C++, as well as conventional procedural programming languages such as C or similar languages. The program code can be executed entirely on the operator's computer, partially on the operator's computer, as a standalone software package, partially on the operator's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving remote computers, the remote computer can be connected to the operator's computer via any type of network—including a local area network (LAN) or a wide area network (WAN)—or can be connected to an external computer (e.g., via the Internet using an Internet service provider). The various embodiments in this specification are described in a progressive manner, with each embodiment focusing on the differences from other embodiments. Similar or identical parts between embodiments can be referred to interchangeably.
[0142] Although preferred embodiments of the present application have been described, those skilled in the art, upon learning the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments as well as all changes and modifications falling within the scope of the embodiments of the present application.
[0143] Finally, it should be noted that in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or terminal device that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or terminal device. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or terminal device that includes said element.
[0144] The above provides a detailed description of the joint evaluation method and apparatus for security boundary and communication performance based on 5G-A industrial internet provided in this application. Specific examples have been used to illustrate the principles and implementation methods of this application. The descriptions of the above embodiments are only for the purpose of helping to understand the method and core ideas of this application. At the same time, for those skilled in the art, there will be changes in the specific implementation methods and application scope based on the ideas of this application. Therefore, the content of this specification should not be construed as a limitation of this application.
Claims
1. A joint evaluation method for security boundary and communication performance based on 5G-A industrial internet, characterized in that, The method pre-constructs a nonlinear latency prediction model and a multidimensional coupling matrix library. The nonlinear latency prediction model is used to characterize the nonlinear mapping relationship between network load data and security policy parameter combinations and overall latency. The security policy parameter combinations include authentication strength, encryption level, and access control rule complexity. The multidimensional coupling matrix library is used to characterize the local impact of fine-tuning a single security parameter on communication performance under different network load conditions. The method includes: Obtain the current network load data and the current security policy parameter combination, and input the current network load data and the current security policy parameter combination into the nonlinear latency prediction model to obtain the current overall latency; The current security policy parameters are combined with the current overall latency utility to generate the current security-communication global score. When the current security-communication global score is lower than a preset threshold, the fine-tuning amount of each security parameter is determined from the multi-dimensional coupling relationship matrix library based on the current network load data and the current security policy parameter combination, and the optimal security policy parameter combination that satisfies the preset delay constraint is generated based on the fine-tuning amount.
2. The method according to claim 1, characterized in that, The steps for constructing a nonlinear time delay prediction model include: Determine the overall latency and resource utilization of the security policy parameter combination under different network loads; The nonlinear latency prediction model is obtained by fitting the overall latency and resource utilization rate of each security strategy parameter combination.
3. The method according to claim 1, characterized in that, The steps for constructing a multidimensional coupling relation matrix library include: Under different network loads, the control variable method is used to perform step perturbation on a single security parameter in the security strategy parameter combination to generate the corresponding change in communication performance index, so as to construct a multi-dimensional coupling relationship matrix for quantifying the impact of security parameters on communication performance.
4. The method according to claim 3, characterized in that, The steps involved in constructing a multidimensional coupling matrix to quantify the impact of security parameters on communication performance include: applying a step perturbation to a single security parameter in a security strategy parameter combination using the control variable method to generate corresponding changes in communication performance indicators. Using the control variable method, a step perturbation is applied to only a single security parameter in the combination of security strategy parameters to determine the overall time delay change and the effective throughput change before and after the perturbation. A multidimensional coupling matrix is constructed based on the ratio of the overall delay change to the perturbation of all security parameters in the security strategy parameter combination and the effective throughput change under the corresponding network load.
5. The method according to claim 1, characterized in that, The steps of combining the current security policy parameters and the current overall latency utility to generate the current security-communication global score include: The current security policy parameters and the current overall latency are combined and converted into utility values to generate the current security utility value and the current communication utility value. The current dynamic weight is determined based on the current security utility value and the current communication utility value; The current security-communication global score is generated based on the current security utility value, the current communication utility value, and the current dynamic weight.
6. The method according to claim 5, characterized in that, The steps of combining the current security policy parameters and the current overall latency utility to generate the current security utility value and the current communication utility value include: The current overall latency is converted according to a preset exponential decay mapping function to generate the current communication utility value; The current security policy parameters are transformed according to a preset transformation function to generate the current security utility value.
7. The method according to claim 1, characterized in that, The step of generating the optimal combination of security strategy parameters that satisfies the preset delay constraint based on the fine-tuning amount includes: Based on Markov decision processes, the fine-tuning parameters are used as initial action references, and the Pareto optimal safety policy parameter combination is determined through iterative optimization by a deep reinforcement learning agent.
8. A joint evaluation device for security boundary and communication performance based on 5G-A industrial internet, characterized in that, The device is pre-built with a nonlinear latency prediction model and a multidimensional coupling relationship matrix library. The nonlinear latency prediction model is used to characterize the nonlinear mapping relationship between network load data and security policy parameter combinations and overall latency. The security policy parameter combinations include authentication strength, encryption level, and access control rule complexity. The multidimensional coupling relationship matrix library is used to characterize the local impact of fine-tuning a single security parameter on communication performance under different network load conditions. The device includes: The latency calculation module is used to obtain the current network load data and the current security policy parameter combination, and input the current network load data and the current security policy parameter combination into the nonlinear latency prediction model to obtain the current overall latency; The global scoring module is used to combine the current security policy parameters and the current overall latency utility to generate the current security-communication global score. The parameter optimization module is used to determine the fine-tuning amount of each security parameter from the multi-dimensional coupling relationship matrix library based on the current network load data and the current security policy parameter combination when the current security-communication global score is lower than a preset threshold, and generate the optimal security policy parameter combination that satisfies the preset delay constraint based on the fine-tuning amount.
9. A computer electronic device, characterized in that, It includes a processor, a memory, and a computer program stored in the memory and capable of running on the processor, wherein when the computer program is executed by the processor, it implements the steps of the joint evaluation method for security boundary and communication performance based on 5G-A Industrial Internet as described in any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that, A computer program is stored on the computer-readable storage medium, and when executed by a processor, the computer program implements the steps of the joint evaluation method for security boundary and communication performance based on 5G-A Industrial Internet as described in any one of claims 1 to 7.