The computing network is key infrastructure for building the digital economy, and network security and data security are important guarantees for its healthy development. The "Overall Layout Plan for the Construction of Digital China" issued by the CPC Central Committee and the State Council states that a reliable and controllable digital security barrier must be built: effectively maintain network security and improve the system of network security laws, regulations and policies; strengthen data security protection capabilities, establish a basic system of data classification and grading protection, and improve the working system for network data monitoring, early warning and emergency response. As an important part of the computing network, home computing power also faces severe security problems. Understanding these security risks, formulating corresponding security measures and building a sound security guarantee mechanism are prerequisites for ensuring that home computing power is fully tapped and reasonably utilized.

1. Composition and development trend of home computing power

Home computing power usually comprises the following devices:

① Personal computers: personal computers in the home are among the most common computing devices. They are usually equipped with a central processing unit (CPU), a graphics processing unit (GPU), memory and other components, and can complete a wide range of computing tasks.

② Mobile devices: smartphones, tablets and the like. These devices usually have relatively limited processing power, but can still handle lightweight computing tasks.

③ Smart home devices: smart appliances, smart speakers, smart cameras and the like. These devices mainly serve a single function; their versatility and processor power are lower than those of mobile devices, but they can still be used for specific computing tasks or for fine-grained computing tasks.
④ Network element devices: routers, switches, TV set-top boxes and the like. The main function of these devices is data forwarding, but in specific scenarios they can also be used to complete computing tasks, such as caching video and audio.

The future development of home computing power shows the following trends: ① computing power keeps increasing; ② the intelligence level of devices keeps rising; ③ device functions become more and more complex. These trends indicate that home computing networks have huge potential, but they also bring security challenges to the construction of computing networks.

2. Three implementation modes of the home computing network

China Mobile's "Computing Network White Paper" sets out the general architecture of the computing network. As part of the computing network, the home computing network shares commonalities with other computing networks but also has its own characteristics. Specifically: the terminal devices are diverse and ubiquitous; a large number of computing devices have low computing power; network latency is high and online time is unstable. Therefore, besides adopting the general architecture, the construction of the home computing network can combine specific business scenarios with the characteristics of the computing devices to arrive at an architectural mode that fits the actual application scenario. Several typical architectural modes follow.

The first mode is the general architecture mode, which integrates terminal computing power through computing power measurement, integrated orchestration, virtualization and other technologies, and incorporates it into the computing power network for unified management and scheduling.
The second mode is the terminal self-organizing network mode, in which the devices of multiple households in a region are interconnected and computing power is scheduled between devices through a self-organizing network. To achieve intelligent scheduling, interaction with the platform side is unavoidable, but the main data exchange happens within the client-side network. Networking forms include the on-site terminal computing power network, the local terminal computing power network and the remote terminal computing power network (see the "End-side Computing Power Network White Paper"). Typical products include HomeCDN.

The third mode is the business cloud mode. In this mode, thin terminals are used on the client side to reduce investment cost, while investment is increased in the computing resource pool. User services are migrated from terminals to the resource pool, giving full play to the advantages of centralized computing on cloud platforms and providing on-demand computing services for home applications. Typical products include cloud computers and cloud shops.

3. Risks faced by home computing networks

The architecture of the home computing network differs significantly from that of the traditional home network, so the form taken by security risks changes accordingly, as listed below.

① Terminal

Terminal devices are deployed on the user side, are widely exposed in both space and time, and lack security protection measures, which makes them the weakest and most vulnerable link in the architecture. In a traditional home network, only data related to the home user is transmitted between the platform and the home devices, so even if a device is compromised the damage is limited. In the computing network architecture, compromising a terminal may lead to the penetration of other home users or of business platforms, or to the leakage of core data. As the gains from an attack increase, attackers will inevitably take notice.
In addition, terminal hardware and software vary greatly and online time is unstable, which leads to unstable services and unpredictable computing time, affecting the service quality of the computing network.

② Network

When wireless networks are used for transmission, data can easily be eavesdropped on and confidentiality is poor. Home gateways and home switches, as important network element devices, have gained control-plane logic on top of their original functions, and this increase in functionality also increases the attack surface. The security mechanisms of the home network are weak, making successful intrusion easy; intranet segmentation and isolation mechanisms or firewall functions are incomplete, and the connected devices all sit in the same network segment, which makes it easy to pivot from one device to others. In the home computing network scenario, these have become points that are easy to break through and exploit.

③ Platform

The computing network platform is open to end users and is difficult to defend by deploying a private network or by restricting access to specific IP addresses, which increases the risk of denial-of-service attacks. The platform incorporates terminal nodes into resource pool management and scheduling, blurring the boundaries between computing resources and data and creating a risk of unauthorized access. When the platform provides computing power services to a third party, the transaction process itself may be attacked, for example by repudiating the validity of the contract or forging transaction data.

④ Data security

Perceiving computing power requires collecting a large amount of terminal data and sending it to the platform. This data is strongly related to users' personal information, which poses a risk of private data leakage. Computing nodes are ubiquitously distributed; when computing tasks are offloaded to them, there is a risk of data theft if effective encryption is not applied.
4. Security measures and technologies

① Terminal security

Since terminals may be subject to many kinds of attack and their exposure is wide, traditional security mechanisms struggle to cover them comprehensively. Combining trusted computing with a zero-trust mechanism can be considered for comprehensive protection. The principle of trusted computing is to first establish a root of trust in the system and then build a chain of trust from the hardware platform through the operating system to the application system. Along this chain, starting from the root, each level authenticates the next and trust is extended one level at a time. Only authenticated programs can run on the operating system, and unauthenticated programs cannot, thus building a secure and trusted computing environment. The zero-trust mechanism authenticates the identity of the terminal before access and continuously performs behavior detection and trust assessment afterwards, so that attacks are detected in time and protective measures are taken.

To address the instability and heterogeneity of terminal computing power, small-slice, non-real-time, general-purpose computing tasks can be assigned to terminal devices. Terminal self-organizing networks (mode two) and moving computing resources to the platform (mode three) can also be used to reduce the impact of unstable computing power.
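The chain of trust described above ("each level authenticates the next and trust is extended one level at a time") can be illustrated with a small measure-then-extend simulation. This is an added example, not code from the article or from China Mobile; the boot stages, their contents and the zero-initialized register are constructed here. Each stage image is hashed before control passes to it, and the hash is folded into a single running register in the same way a TPM platform configuration register is extended, so a verifier holding the known-good ("golden") value can tell whether the whole chain is intact and, using the per-stage log, which stage diverged.

```python
"""Added example: a simulated measure-then-extend chain of trust.

    register = SHA256(register || SHA256(stage_image))

Changing any stage changes the final register, and the event log
lets the verifier name the first stage whose measurement differs.
"""
import hashlib
from typing import List, Tuple

HASH_LEN = 32
# All-zero initial register, as in a freshly reset measurement register.
INITIAL_REGISTER = bytes(HASH_LEN)

# Constructed stage images (in a real device these are firmware, loader,
# kernel and agent binaries); the names are placeholders for this example.
GOLDEN_STAGES: List[Tuple[str, bytes]] = [
    ("firmware", b"fw-1.0"),
    ("loader", b"ldr-1.0"),
    ("os", b"os-1.0"),
    ("app", b"agent-1.0"),
]


def measure(image: bytes) -> bytes:
    """Hash of a stage image, taken before that stage runs."""
    return hashlib.sha256(image).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """Fold a measurement into the running register (order-dependent)."""
    return hashlib.sha256(register + measurement).digest()


def run_chain(stages: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, bytes]]]:
    """Boot-side: measure each stage in order; return final register and event log."""
    register = INITIAL_REGISTER
    log: List[Tuple[str, bytes]] = []
    for name, image in stages:
        m = measure(image)
        log.append((name, m))
        register = extend(register, m)
    return register, log


def replay_log(log: List[Tuple[str, bytes]]) -> bytes:
    """Recompute the register from a log alone."""
    register = INITIAL_REGISTER
    for _, m in log:
        register = extend(register, m)
    return register


def verify(final_register: bytes, log: List[Tuple[str, bytes]],
           golden_register: bytes, golden_log: List[Tuple[str, bytes]]) -> Tuple[bool, str]:
    """Verifier-side: the log must reproduce the reported register (otherwise the
    log was tampered with), and the register must equal the golden value; on a
    mismatch, report the first stage whose measurement differs."""
    if replay_log(log) != final_register:
        return False, "log does not reproduce reported register"
    if final_register == golden_register:
        return True, "chain intact"
    for (name, m), (_, gm) in zip(log, golden_log):
        if m != gm:
            return False, f"stage '{name}' measurement mismatch"
    return False, "chain length mismatch"


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str]]:
    """Intact chain versus a chain whose OS image was modified."""
    golden_reg, golden_log = run_chain(GOLDEN_STAGES)
    tampered = [(n, b"os-1.0-patched" if n == "os" else img) for n, img in GOLDEN_STAGES]
    tampered_reg, tampered_log = run_chain(tampered)
    return (verify(golden_reg, golden_log, golden_reg, golden_log),
            verify(tampered_reg, tampered_log, golden_reg, golden_log))


if __name__ == "__main__":
    print(demo())
```

The verifier never trusts the log by itself: it replays it and checks that it reproduces the reported register, so a terminal cannot present a clean log alongside a register that was actually produced by different stages.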
② Network security

To prevent data from being eavesdropped on or tampered with in transit, a strong encryption algorithm should be used to encrypt transmitted data; at the same time, the transmitted data should be obfuscated so that an eavesdropper cannot mount targeted attacks based on traffic feature analysis. Treating the home network element devices as core network devices, a root of trust can be embedded in them, which not only secures the network element devices themselves but also allows them to measure and authenticate the hardware, operating systems and other devices, building a trusted computing environment for the home as a whole. The network element device should force the home network to use strong passwords to prevent illegal access, add firewall functions to strengthen access control between devices, and work with the platform's analysis engine to perform attack detection so that attacks in the network are detected and handled as early as possible.

③ Platform security

The platform can use software-defined perimeter (SDP) technology to implement an "authenticate before connect" mechanism: only after a client passes authentication can it establish a connection with the server, which effectively reduces the probability of being attacked. Once attacked, the platform can also use the powerful computing and analysis capabilities of the computing network to trace the attack, quickly locate its source and block it. The platform should adhere to the principle of least privilege to prevent unauthorized access or data abuse and to minimize the damage an attack can cause. When conducting computing power transactions with third-party platforms, blockchain smart contracts, multi-party consensus and related technologies can be used to ensure the security, transparency and traceability of the transaction.
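The "authenticate before connect" mechanism of the platform security paragraph can be shown with a small authenticated-hello gate. This is an added example, not code from the article or from any SDP product; the packet layout (client id, timestamp, nonce, HMAC tag), the shared keys and the 30-second freshness window are all constructed for the example. The server verifies the tag with a constant-time comparison, rejects stale timestamps and replayed nonces, and answers nothing at all on failure, so an unauthenticated scanner never learns that a service exists.

```python
"""Added example: SDP-style 'authenticate before connect' hello gate.

Packet layout (constructed for this example):
    client_id (8 bytes) | timestamp (8 bytes, big-endian seconds)
    | nonce (16 bytes) | HMAC-SHA256 tag over everything before it (32 bytes)
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Set, Tuple

FRESHNESS_SECONDS = 30      # how far a hello's timestamp may drift from server time
NONCE_LEN = 16
TAG_LEN = 32
HELLO_LEN = 8 + 8 + NONCE_LEN + TAG_LEN


def build_hello(client_id: bytes, key: bytes, now: float, nonce: Optional[bytes] = None) -> bytes:
    """Client side: an authenticated hello carrying the current time and a fresh nonce."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    body = client_id + struct.pack(">Q", int(now)) + nonce
    return body + hmac.new(key, body, hashlib.sha256).digest()


class HelloVerifier:
    """Server side: nothing is answered until a hello verifies; every failure is a silent drop."""

    def __init__(self, client_keys: Dict[bytes, bytes]):
        self.client_keys = client_keys
        # Replay cache; entries older than the freshness window can be evicted
        # because such packets are rejected as stale anyway.
        self.seen_nonces: Set[bytes] = set()

    def verify(self, packet: bytes, now: float) -> Tuple[bool, str]:
        if len(packet) != HELLO_LEN:
            return False, "drop: malformed"
        client_id = packet[:8]
        timestamp = struct.unpack(">Q", packet[8:16])[0]
        nonce = packet[16:16 + NONCE_LEN]
        tag = packet[-TAG_LEN:]
        key = self.client_keys.get(client_id)
        if key is None:
            return False, "drop: unknown client"
        expected = hmac.new(key, packet[:-TAG_LEN], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return False, "drop: bad tag"
        if abs(now - timestamp) > FRESHNESS_SECONDS:
            return False, "drop: stale"
        if nonce in self.seen_nonces:
            return False, "drop: replay"
        self.seen_nonces.add(nonce)
        return True, "accept: open data channel"


if __name__ == "__main__":
    # Constructed demo key and client id.
    key = bytes.fromhex("11" * 32)
    gate = HelloVerifier({b"home-001": key})
    now = 1_700_000_000.0
    hello = build_hello(b"home-001", key, now)
    print(gate.verify(hello, now))        # accepted
    print(gate.verify(hello, now + 1))    # same packet again: replay
```

The tag is checked before the timestamp and nonce so that every decision about freshness or replay is made only on packets that already proved possession of the client key; a sender without the key gets the same silence whatever it sends.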
④ Data security

To protect user privacy effectively, differential privacy can be used to add a controlled amount of noise or perturbation to the data during collection and analysis, so that an attacker cannot accurately infer any individual's data while the data remains valid and usable. When computing tasks are offloaded to computing nodes, secure multi-party computation can be used to operate on data without decrypting it. Common secure multi-party computation techniques include garbled circuits, homomorphic encryption and secret sharing.

5. Summary

While integrating computing power and improving resource utilization, home computing networks also face a large number of new security risks. To deal with them, a comprehensive security system must be built on top of the existing security mechanisms, combining trusted computing, zero trust, secure multi-party computation, blockchain and other technologies; at the same time, a specific system architecture can be adopted according to the business characteristics to reduce exposure and lower the risk of attack.

Author: Li Zhihui
Unit: China Mobile Smart Home Operation Center
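The data security paragraph names two of the techniques it recommends without showing how they fit together; the following added example (not code from the article or from China Mobile) puts them end to end on constructed data. Each household's integer value (say, daily minutes of contributed compute, bounded by a known maximum) is split by additive secret sharing into three shares that sum to the value modulo a prime, one share per computing node; each node sums only its own column, and combining the three partial sums gives the total while no node ever sees an individual value. The released total then gets Laplace noise scaled to sensitivity/epsilon, the standard differential privacy mechanism for a bounded sum. The prime, the sample values and the epsilon are assumptions of this example.

```python
"""Added example: additive secret sharing for a private sum, followed by a
Laplace-noised (differentially private) release of the aggregate."""
import math
import random
from typing import List

# Mersenne prime used as the share field; values and their total must be below it.
PRIME = (1 << 61) - 1


def share(value: int, n_parties: int, rng: random.Random) -> List[int]:
    """Split `value` into n shares that sum to it mod PRIME; any n-1 shares are uniform."""
    if not 0 <= value < PRIME:
        raise ValueError("value out of field range")
    shares = [rng.randrange(PRIME) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares


def reconstruct(shares: List[int]) -> int:
    return sum(shares) % PRIME


def secure_sum(values: List[int], n_parties: int, rng: random.Random) -> int:
    """Node j receives the j-th share of every household's value and sums its
    column locally; the column totals are then combined. Correct as long as
    the true total is below PRIME."""
    partials = [0] * n_parties
    for v in values:
        for j, s in enumerate(share(v, n_parties, rng)):
            partials[j] = (partials[j] + s) % PRIME
    return reconstruct(partials)


def laplace_sample(scale: float, rng: random.Random) -> float:
    """Laplace(0, scale) via inverse CDF; u is drawn from (-0.5, 0.5)."""
    u = rng.random() - 0.5
    while u == -0.5:          # rng.random() can return 0.0; avoid log(0)
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1 - 2 * abs(u))


def dp_release(true_value: float, sensitivity: float, epsilon: float, rng: random.Random) -> float:
    """Epsilon-differentially private release: add Laplace(sensitivity/epsilon) noise.
    For a sum of values each bounded by MAX, the sensitivity is MAX."""
    return true_value + laplace_sample(sensitivity / epsilon, rng)


if __name__ == "__main__":
    # Constructed sample: five households, each value at most MAX_MINUTES.
    MAX_MINUTES = 60
    contributions = [3, 0, 7, 12, 5]
    rng = random.Random(42)
    total = secure_sum(contributions, n_parties=3, rng=rng)
    print("exact total (no node saw an individual value):", total)
    print("released total:", dp_release(total, sensitivity=MAX_MINUTES, epsilon=1.0, rng=rng))
```

Secret sharing hides the individual values from the nodes that do the arithmetic; differential privacy limits what the final published number reveals. The two address different parties (the compute nodes versus whoever sees the result), which is why the paragraph recommends one for collection and analysis and the other for offloaded computation.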