Disclosure of Invention
In view of the foregoing analysis, the present invention aims to provide a system and a method for securely transmitting data across networks, so as to solve the prior-art problems of poor security and low transmission efficiency when data is sent across networks.
In one aspect, the present invention provides a system for securely transmitting data across networks, comprising:
a first processor located in a first network area and a second processor located in a second network area, the first network area being physically isolated from the second network area and communicating with it through a plurality of unidirectional transmission device groups;
the first processor being configured to set a priority range for each transmission queue, slice and encrypt each file to be transmitted in the current transmission period of the first network area to obtain a preset number of encrypted data slices, cache the data slices of each file in the transmission queue corresponding to the file's priority, and transmit them through the unidirectional transmission device group whose transmission rate matches the priority range of that queue;
and the second processor being configured to receive the data slices of each file transmitted by the first processor, decrypt and combine them to obtain the file, and forward the file to the target third-party service system in the second network area.
Further, the priority range of each transmission queue is matched with the transmission rate of a unidirectional transmission device group, and each unidirectional transmission device group comprises a plurality of unidirectional transmission devices with the same transmission rate;
the first processor is specifically configured to:
read the priority information of each file to be transmitted in the current transmission cycle of the first network area, and thereby determine the transmission queue to which each file belongs;
sort all files belonging to each transmission queue in descending order of priority, take the preset number of data slices corresponding to each file as one group, cache the groups in the transmission queue in that order, and transmit them through the matched unidirectional transmission device group in the order in which they were cached; the preset number equals the number of unidirectional transmission devices in the group, the data slices in each group correspond one to one to the devices in the group, and each data slice is transmitted through its corresponding device.
Further, the first processor is further configured to:
when any transmission queue completes transmission first, fetch the untransmitted file with the lowest priority from a transmission queue whose priority range is higher than that of the queue that finished first, cache it in the queue that finished first and transmit it through the corresponding unidirectional transmission device group; or fetch the untransmitted file with the highest priority from a transmission queue whose priority range is lower than that of the queue that finished first, cache it in the queue that finished first and transmit it through the corresponding unidirectional transmission device group; and repeat this until all files to be transmitted in the current transmission cycle have been transmitted.
Further, each data slice comprises the identifier (ID) of the file to be transmitted, a target IP address, a target port, a data block sequence number, a data encryption block length and a data encryption block;
the second processor is specifically configured to:
when the received data block sequence number is 0, decrypt the data encryption block according to the corresponding data encryption block length to obtain a key;
when the received data block sequence number is greater than 0, decrypt the data encryption block according to the corresponding data encryption block length and the key to obtain the file data contained in the data slice;
merge the decrypted file data to obtain the file to be transmitted;
and forward the file to the target third-party service system according to the target IP address and the target port.
Further, the system also comprises a plurality of first service nodes located in the first network area and a plurality of second service nodes located in the second network area; the first service nodes and the second service nodes are configured with adaptation interfaces for the unidirectional transmission devices;
each first service node is configured to receive the data slices in its corresponding transmission queue, compress them and transmit them through the corresponding unidirectional transmission device group;
each second service node is configured to receive the data slices transmitted by its corresponding first service node, decompress them and pass them to the second processor.
Further, the first processor is further configured to:
acquire the security level of the file to be transmitted and its file data;
compare the security level of the file with the permitted security level of the second network area to judge whether it is higher than the permitted level; if not, compare the file data with the sensitive information words in a database and replace any sensitive information words in the file with preset symbols; if so, terminate transmission of the file.
Furthermore, the first processor and the second processor are each configured with the identifier, service IP and port of every third-party service system allowed to access them, and use these to judge, when a third-party service system requests access, whether its identifier is legitimate and whether its service IP and port match.
In another aspect, the present invention provides a method for securely transmitting data across networks, based on the system for securely transmitting data across networks of any one of claims 1 to 7, and comprising the following steps:
using a first processor of a first network area to set a priority range for each transmission queue, slice and encrypt each file to be transmitted in the current transmission period of the first network area to obtain a preset number of encrypted data slices, cache the data slices of each file in the transmission queue corresponding to the file's priority, and transmit them through the unidirectional transmission device group whose transmission rate matches the priority range of that queue;
and using a second processor of the second network area to receive the data slices of each file transmitted by the first processor, decrypt and combine them to obtain the file, and forward the file to the target third-party service system in the second network area.
Further, the priority range of each transmission queue is matched with the transmission rate of a unidirectional transmission device group, and each unidirectional transmission device group comprises a plurality of unidirectional transmission devices with the same transmission rate;
the step of transmitting the file to be transmitted by using the first processor comprises the following steps:
reading the priority information of each file to be transmitted in the current transmission cycle of the first network area, and thereby determining the transmission queue to which each file belongs;
sorting all files belonging to each transmission queue in descending order of priority, taking the preset number of data slices corresponding to each file as one group, caching the groups in the transmission queue in that order, and transmitting them through the matched unidirectional transmission device group in the order in which they were cached; the preset number equals the number of unidirectional transmission devices in the group, the data slices in each group correspond one to one to the devices in the group, and each data slice is transmitted through its corresponding device.
Further, the step of transmitting the file to be transmitted by using the first processor further comprises:
when any transmission queue completes transmission first, fetching the untransmitted file with the lowest priority from a transmission queue whose priority range is higher than that of the queue that finished first, caching it in the queue that finished first and transmitting it through the corresponding unidirectional transmission device group; or fetching the untransmitted file with the highest priority from a transmission queue whose priority range is lower than that of the queue that finished first, caching it in the queue that finished first and transmitting it through the corresponding unidirectional transmission device group; and repeating this until all files to be transmitted in the current transmission cycle have been transmitted.
Compared with the prior art, the invention can achieve at least one of the following beneficial effects:
1. In the system and method for securely transmitting data across networks provided by the invention, files to be transmitted with different priorities are sliced and encrypted to obtain a plurality of encrypted data slices, the data slices are cached in transmission queues with different priority ranges, and a unidirectional transmission device group whose transmission rate matches the priority range is selected for transmission, so that files of different priority ranges are transmitted simultaneously and the transmission efficiency of the files is improved to a great extent.
2. In each transmission period, files with the corresponding priorities are taken from transmission queues that have not finished transmitting, cached in the transmission queue that has finished, and transmitted through its corresponding unidirectional transmission device group, so that the transmission efficiency of the whole system is improved.
3. In the system and method provided by the invention, the key for decrypting the data slices is stored separately in its own data slice, the receiving end obtains the key through the set sequence number of that data slice, and the data slices with the other sequence numbers are decrypted and combined using the key to obtain the file to be transmitted, so that the security of cross-network data transmission is improved to a great extent.
In the invention, the above technical solutions can be combined with one another to obtain further preferred combinations. Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and drawings.
Detailed Description
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate preferred embodiments of the invention and together with the description, serve to explain the principles of the invention and not to limit the scope of the invention.
The invention discloses a system for securely transmitting data across networks.
As shown in fig. 1, the system includes a first processor located in a first network area and a second processor located in a second network area. The first network area is physically isolated from the second network area, and communication between them takes place through a plurality of unidirectional transmission device groups; that is, files or data to be transmitted are carried by the unidirectional transmission device groups. Preferably, the first processor in the first network area can transmit files or data to the second network area through the corresponding unidirectional transmission device group, and the second processor in the second network area can likewise transmit files or data to the first network area through the corresponding unidirectional transmission device group.
Since transmission from the first processor in the first network area to the second network area works in the same way as transmission from the second processor in the second network area to the first network area, the process is described below for the case where a file or data is transmitted from the first processor in the first network area to the second network area.
Preferably, the first processor receives files to be transmitted with various priorities from a third-party service system. So that files of different priorities can be transmitted promptly and efficiently, the first processor includes a plurality of transmission queues and sets a priority range for each. Illustratively, the priorities of the files are represented by ordinals 1 to 9, where a smaller ordinal means a higher priority; the priority range of the first transmission queue is set to ordinals 1 and 2, that of the second transmission queue to ordinals 3 to 5, and that of the third transmission queue to ordinals 6 to 9. Alternatively, the priority range of each transmission queue can be set according to user requirements.
The first processor is further configured to slice and encrypt each file to be transmitted in the current transmission cycle of the first network area to obtain a preset number of encrypted data slices, and to cache the data slices of each file in the transmission queue corresponding to the file's priority. For example, if the priority of a file is 1, its data slices are stored in the first transmission queue and transmitted through the unidirectional transmission device group whose transmission rate matches that priority range. Preferably, the transmission period is set according to the buffer capacity of each transmission queue, so that in each transmission period the total size of the files falling in a queue's priority range is less than or equal to that queue's buffer capacity.
The second processor is configured to receive the data slices of each file transmitted by the first processor, decrypt and combine them to obtain the file, and forward the file to the target third-party service system in the second network area.
Preferably, the priority range of each transmission queue is matched with the transmission rate of a unidirectional transmission device group: specifically, the smaller the ordinals in a queue's priority range, the higher the transmission rate of the corresponding unidirectional transmission device group, which improves the transmission efficiency of higher-priority files. In addition, each unidirectional transmission device group comprises a plurality of unidirectional transmission devices with the same transmission rate, and the number of devices can be set according to the user's actual requirements.
Preferably, the first processor is specifically configured to:
read the priority information of each file to be transmitted in the current transmission cycle of the first network area, that is, acquire the ordinal of each file, thereby determining its priority level and the transmission queue to which it belongs.
Each transmission queue may contain a plurality of files with different priorities. To improve the transmission efficiency of high-priority files, all files belonging to a transmission queue are sorted in descending order of priority, the preset number of data slices corresponding to each file is taken as one group, the groups are cached in the transmission queue in that order, and they are transmitted through the matched unidirectional transmission device group in the order in which they were cached. Preferably, the preset number equals the number of unidirectional transmission devices in the group, the data slices in each group correspond one to one to the devices in the group, and each data slice is transmitted through its corresponding device, so that the second processor in the second network area receives a complete file at one time and the transmission efficiency of the file is improved.
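The queue assignment, period sizing and slice grouping described above, as an added Python example that is not part of the patent text: the priority ranges are the ones given in the description (ordinals 1-2, 3-5 and 6-9), while the file fields, the buffer capacity figure and the function names are assumptions.

```python
"""Added example (not from the patent): assigning files to priority queues,
cutting each queue into transmission periods that fit its buffer, and slicing
a file into one slice per unidirectional device. Names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List

# Priority ranges taken from the description: a smaller ordinal is a higher
# priority. Queue 1 holds ordinals 1-2, queue 2 holds 3-5, queue 3 holds 6-9.
QUEUE_RANGES: Dict[int, range] = {1: range(1, 3), 2: range(3, 6), 3: range(6, 10)}


@dataclass(frozen=True)
class FileToSend:
    file_id: str
    priority: int  # ordinal 1..9
    size: int      # bytes


def queue_for(priority: int, ranges: Dict[int, range] = QUEUE_RANGES) -> int:
    """Map a file's priority ordinal to the queue whose range contains it."""
    for queue, rng in ranges.items():
        if priority in rng:
            return queue
    raise ValueError(f"priority {priority} is outside every configured range")


def assign_and_sort(files: List[FileToSend]) -> Dict[int, List[FileToSend]]:
    """Group files by queue and sort each queue in descending order of
    priority, so the highest priority (smallest ordinal) is cached first."""
    queues: Dict[int, List[FileToSend]] = {q: [] for q in QUEUE_RANGES}
    for f in files:
        queues[queue_for(f.priority)].append(f)
    for pending in queues.values():
        pending.sort(key=lambda f: (f.priority, f.file_id))
    return queues


def pack_periods(sorted_files: List[FileToSend], buffer_capacity: int) -> List[List[FileToSend]]:
    """Cut a sorted queue into transmission periods so that the total size in
    each period is at most the queue's buffer capacity (the sizing rule the
    description gives for choosing the transmission period)."""
    periods: List[List[FileToSend]] = []
    current: List[FileToSend] = []
    used = 0
    for f in sorted_files:
        if f.size > buffer_capacity:
            raise ValueError(f"{f.file_id} ({f.size} B) cannot fit a {buffer_capacity} B buffer")
        if used + f.size > buffer_capacity:
            periods.append(current)
            current, used = [], 0
        current.append(f)
        used += f.size
    if current:
        periods.append(current)
    return periods


def slice_file(data: bytes, device_count: int) -> List[bytes]:
    """Split file bytes into exactly device_count slices (the 'preset number'),
    one per unidirectional device in the group; sizes differ by at most one."""
    if device_count < 1:
        raise ValueError("device_count must be at least 1")
    base, extra = divmod(len(data), device_count)
    slices, pos = [], 0
    for i in range(device_count):
        length = base + (1 if i < extra else 0)
        slices.append(data[pos:pos + length])
        pos += length
    return slices
```

A file larger than its queue's buffer is rejected outright rather than silently carried over, because the period rule in the text assumes every file of a period fits the buffer.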
Preferably, because the transmission queues do not all complete transmission at the same time (any one queue may finish first), and in order to improve the efficiency of data transmission, the first processor is further configured to:
when any transmission queue completes transmission first, fetch the untransmitted file with the lowest priority from a transmission queue whose priority range is higher than that of the queue that finished first, cache it in the queue that finished first and transmit it through the corresponding unidirectional transmission device group; or fetch the untransmitted file with the highest priority from a transmission queue whose priority range is lower than that of the queue that finished first, cache it in the queue that finished first and transmit it through the corresponding unidirectional transmission device group; and repeat this until all files to be transmitted in the current transmission cycle have been transmitted.
Illustratively, if the first transmission queue completes transmission first, the untransmitted file with the highest priority is fetched from the second transmission queue, cached in the first transmission queue and transmitted through its unidirectional transmission device group; if the second transmission queue holds few files and completes transmission first, the untransmitted file with the lowest priority is fetched from the first transmission queue, cached in the second transmission queue and transmitted through its unidirectional transmission device group; and if the third transmission queue holds few files and completes transmission first, the untransmitted file with the lowest priority is fetched from the first transmission queue, cached in the third transmission queue and transmitted through its unidirectional transmission device group.
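The take-over rule and the three illustrative cases above, as an added Python simulation that is not from the patent: an event-driven run of one period in which a queue that runs out of files takes over work from the others. The device-group rates, the file list and the order in which candidate queues are scanned (queues with a higher priority range first, starting from the first queue, which reproduces all three cases in the text) are assumptions.

```python
"""Added example (not from the patent): one transmission period in which an
idle queue takes over untransmitted files from the other queues. Rates and
the scan order among candidate queues are assumptions."""
import heapq
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Pending:
    file_id: str
    priority: int  # smaller ordinal = higher priority
    size: int      # bytes


# Constructed rates of the three device groups (bytes per time unit); the
# queue with the highest priority range gets the fastest group.
QUEUE_RATES: Dict[int, int] = {1: 100, 2: 50, 3: 25}


def steal_for(idle_queue: int, queues: Dict[int, List[Pending]]) -> Optional[Pending]:
    """Rule from the description: from a queue with a HIGHER priority range take
    its lowest-priority untransmitted file; from a queue with a LOWER range take
    its highest-priority one. Scan order (higher ranges first, starting from
    queue 1) is an assumption that matches the worked cases in the text.
    Each queue's pending list must already be sorted highest priority first."""
    for q in sorted(k for k in queues if k < idle_queue):
        if queues[q]:
            return queues[q].pop()    # last = lowest priority
    for q in sorted(k for k in queues if k > idle_queue):
        if queues[q]:
            return queues[q].pop(0)   # first = highest priority
    return None


def simulate_period(queues: Dict[int, List[Pending]],
                    rates: Dict[int, int] = QUEUE_RATES) -> List[Tuple[str, int, float]]:
    """Event-driven run of one period: each queue sends its files back to back
    at its group's rate; a queue that runs dry steals per steal_for until
    nothing is pending. Returns (file_id, queue used, finish time) in
    completion order."""
    for pending in queues.values():
        pending.sort(key=lambda p: (p.priority, p.file_id))
    in_flight: List[Tuple[float, int, str]] = []   # heap of (finish_time, queue, file_id)
    log: List[Tuple[str, int, float]] = []

    def start(queue: int, f: Pending, now: float) -> None:
        heapq.heappush(in_flight, (now + f.size / rates[queue], queue, f.file_id))

    for q in queues:                      # queues with work start their head file
        if queues[q]:
            start(q, queues[q].pop(0), 0.0)
    for q in queues:                      # queues that began empty steal at once
        if not any(entry[1] == q for entry in in_flight):
            stolen = steal_for(q, queues)
            if stolen:
                start(q, stolen, 0.0)
    while in_flight:
        now, q, file_id = heapq.heappop(in_flight)
        log.append((file_id, q, now))
        nxt = queues[q].pop(0) if queues[q] else steal_for(q, queues)
        if nxt:
            start(q, nxt, now)
    return log
```

The simulation makes one property of the rule visible: a slow queue that finishes early will take over a file from a faster queue and may deliver it later than the faster queue would have, so the rates of the device groups and the priority ranges need to be chosen together.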
Preferably, to improve the security of file transmission, each data slice is set to include the identifier (ID) of the file to be transmitted, a target IP address, a target port, a data block sequence number, a data encryption block length and a data encryption block. The file identifier is used to determine which data slices belong to a file, and the data encryption block length lets the second processor determine how many bytes to read.
Preferably, the second processor is specifically configured as follows:
when the received data block sequence number is 0, the content of the corresponding data encryption block is the key for decrypting the other data slices, and the data encryption block is decrypted according to the corresponding data encryption block length to obtain that key;
when the received data block sequence number is greater than 0, the content of the corresponding data encryption block is the actual content of the file to be transmitted, and the data encryption block is decrypted according to the corresponding data encryption block length and the key to obtain the file data contained in that data slice;
the decrypted file data is merged in order of data block sequence number to obtain the file to be transmitted;
and the second processor determines from the target IP address which third-party service system the file is to be delivered to, determines from the target port whether that system is within the service range, and delivers the file to the third-party service system only if the target port is among the target ports configured in advance.
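The slice layout and the receiver procedure of the preceding paragraphs, as an added Python example that is not the patent's code: a sender builds slice 0 (the encrypted file key) and slices 1..n (encrypted file data, one per device), and a receiver recovers the key from sequence number 0, decrypts the rest in sequence order, merges them, and checks the target port against the preconfigured ports before handing the file on. The field sizes, the pre-shared key-encryption key used to protect slice 0, the nonce scheme and the SHA-256 counter-keystream stand-in cipher are assumptions; the description names no cipher.

```python
"""Added example (not from the patent): the data-slice layout the description
lists, a sender that builds the slices, and a receiver that recovers the key
from slice 0, decrypts the others and checks the target port. Field sizes,
the nonce scheme and the stand-in cipher are assumptions."""
import hashlib
import socket
import struct
from typing import Dict, List, Set, Tuple

# Header: 16-byte file ID, 4-byte IPv4 target, 2-byte port, 4-byte sequence
# number, 4-byte encrypted-block length; the encrypted block follows.
HEADER = struct.Struct("!16s4sHII")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in cipher: SHA-256 counter keystream. The description names no
    cipher; a real deployment would use an authenticated cipher instead."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def _nonce(file_id: str, seq: int) -> bytes:
    """Per-slice nonce from the padded file ID and the sequence number (assumption)."""
    return file_id.encode().ljust(16, b"\0") + seq.to_bytes(4, "big")


def build_slices(file_id: str, ip: str, port: int, plaintext: bytes,
                 file_key: bytes, kek: bytes, device_count: int) -> List[bytes]:
    """Sender: slice 0 carries the file key encrypted under the pre-shared
    key-encryption key (KEK, an assumption); slices 1..n carry the file data
    encrypted under the file key, one slice per unidirectional device."""
    fid = file_id.encode().ljust(16, b"\0")

    def pack(seq: int, block: bytes) -> bytes:
        return HEADER.pack(fid, socket.inet_aton(ip), port, seq, len(block)) + block

    slices = [pack(0, xor_crypt(kek, _nonce(file_id, 0), file_key))]
    base, extra = divmod(len(plaintext), device_count)
    pos = 0
    for i in range(device_count):
        length = base + (1 if i < extra else 0)
        chunk, pos = plaintext[pos:pos + length], pos + length
        slices.append(pack(i + 1, xor_crypt(file_key, _nonce(file_id, i + 1), chunk)))
    return slices


def parse_slice(raw: bytes) -> Tuple[str, str, int, int, bytes]:
    """Split one received slice into (file_id, target_ip, port, seq, block),
    reading exactly 'length' bytes of ciphertext as the description requires."""
    fid, ip, port, seq, length = HEADER.unpack(raw[:HEADER.size])
    block = raw[HEADER.size:HEADER.size + length]
    if len(block) != length:
        raise ValueError("truncated encrypted block")
    return fid.rstrip(b"\0").decode(), socket.inet_ntoa(ip), port, seq, block


class Receiver:
    """Second-processor side: collects slices per file ID, learns the key from
    seq 0, and assembles the file once all device_count data slices are in."""

    def __init__(self, kek: bytes, device_count: int, allowed_ports: Dict[str, Set[int]]):
        self.kek, self.n, self.allowed = kek, device_count, allowed_ports
        self.keys: Dict[str, bytes] = {}
        self.parts: Dict[str, Dict[int, bytes]] = {}
        self.dest: Dict[str, Tuple[str, int]] = {}

    def accept(self, raw: bytes) -> None:
        file_id, ip, port, seq, block = parse_slice(raw)
        if seq == 0:
            self.keys[file_id] = xor_crypt(self.kek, _nonce(file_id, 0), block)
        else:
            self.parts.setdefault(file_id, {})[seq] = block
        self.dest[file_id] = (ip, port)

    def complete(self, file_id: str) -> bool:
        return file_id in self.keys and len(self.parts.get(file_id, {})) == self.n

    def assemble(self, file_id: str) -> Tuple[bytes, str, int]:
        """Decrypt slices in sequence order, merge, and confirm the target port
        is one configured for that target IP before handing the file on."""
        if not self.complete(file_id):
            raise ValueError(f"{file_id}: key or data slices still missing")
        key = self.keys[file_id]
        data = b"".join(xor_crypt(key, _nonce(file_id, s), self.parts[file_id][s])
                        for s in range(1, self.n + 1))
        ip, port = self.dest[file_id]
        if port not in self.allowed.get(ip, set()):
            raise PermissionError(f"{ip}:{port} is not a configured target")
        return data, ip, port
```

Slices arriving out of order (they travel over several devices) are simply buffered until sequence number 0 and all data slices are present. The layout as listed carries no integrity tag, so a slice altered in transit would decrypt to garbage without being noticed; a deployment built on this format would use an authenticated cipher so that assemble() rejects a tampered slice instead of merging it.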
Preferably, to improve the efficiency of cross-network data transmission, the system further includes a plurality of first service nodes located in the first network area and a plurality of second service nodes located in the second network area. The first and second service nodes are configured with adaptation interfaces for the unidirectional transmission devices; these interfaces are encapsulated and connected to the unidirectional transmission devices in the form of web interfaces.
Specifically, the service nodes correspond one to one to the transmission queues. Each first service node receives and compresses the data slices in its transmission queue, which improves their transmission efficiency, and then transmits them through the corresponding unidirectional transmission device group; because the data slices of several transmission queues can be processed by several service nodes at the same time, the efficiency of data processing and transmission is improved.
Correspondingly, each second service node receives the data slices transmitted by its first service node, decompresses them and passes the decompressed data slices to the second processor.
To prevent files of a high security level from flowing into a network area of a lower security level, and to prevent sensitive information from leaking out, the first processor is further configured to:
check, through the corresponding antivirus service, whether the file to be transmitted contains a virus; if so, terminate the transmission and return feedback informing the client user that the file contains a virus; if not, scan the file to obtain its security classification and its data content;
compare the security level of the file with the permitted security level of the second network area to judge whether it is higher than the permitted level; if not, compare the file data with the sensitive information words in the database and replace any sensitive information words in the file with preset symbols; if so, stop the transmission of the file. In this way the file is transmitted securely.
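The three-stage gate above (antivirus check, classification comparison against the permitted level of the destination area, then sensitive-word replacement), as an added Python example that is not from the patent: the integer level scale, the word list, the preset symbol and the scanner stand-in are constructed assumptions.

```python
"""Added example (not from the patent): the pre-transmission gate on the first
processor. The level scale, word list and scanner stand-in are assumptions."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class OutboundFile:
    file_id: str
    security_level: int   # assumption: integer levels, higher = more sensitive
    data: str


@dataclass(frozen=True)
class GateDecision:
    allowed: bool
    reason: str
    data: Optional[str] = None   # redacted content, present only when allowed


# Constructed stand-in for the sensitive-information word database.
SENSITIVE_WORDS: List[str] = ["passport number", "salary", "passport"]
PRESET_SYMBOL = "***"


def redact(text: str, words: List[str], symbol: str = PRESET_SYMBOL) -> str:
    """Replace each sensitive word with the preset symbol, case-insensitively.
    Longer phrases are matched first so "passport number" is not left as
    "*** number" after "passport" has already been replaced."""
    for word in sorted(words, key=len, reverse=True):
        text = re.sub(re.escape(word), symbol, text, flags=re.IGNORECASE)
    return text


def gate_outbound(f: OutboundFile, permitted_level: int, words: List[str],
                  virus_scan: Callable[[str], bool]) -> GateDecision:
    """Order follows the description: virus check, then the classification
    comparison, then word replacement only for files cleared to cross."""
    if virus_scan(f.data):
        return GateDecision(False, "virus detected; transmission terminated, sender notified")
    if f.security_level > permitted_level:
        return GateDecision(False, f"level {f.security_level} exceeds permitted level {permitted_level}")
    return GateDecision(True, "cleared", redact(f.data, words))


def demo_scanner(data: str) -> bool:
    """Constructed stand-in for the antivirus service: flags a marker string."""
    return "CONSTRUCTED-MALWARE-MARKER" in data
```

The classification check runs before redaction on purpose: a file above the permitted level is stopped whole, and only files already cleared to cross are content-filtered, which is the order the description gives.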
Preferably, the second processor is further configured to record the sender, subject, sending time, data security level, receiver and receiving time of each file, so that every file remains traceable and auditable.
Preferably, the first processor and the second processor are each configured with the identifier, service IP and port of every third-party service system allowed to access them, and use these to judge, when a third-party service system requests access, whether its identifier is legitimate and whether its service IP and port match. In addition, the first processor and the second processor each exchange data with their respective third-party service systems through a TCP/UDP application-layer protocol interface, which improves the efficiency and security of cross-network data transmission for those systems.
The invention further discloses a method for securely transmitting data across networks, implemented on the basis of the system disclosed in the embodiment above. As shown in fig. 2, the method comprises the following steps:
S110, using a first processor of a first network area to set a priority range for each transmission queue, slice and encrypt each file to be transmitted in the current transmission period of the first network area to obtain a preset number of encrypted data slices, cache the data slices of each file in the transmission queue corresponding to the file's priority, and transmit them through the unidirectional transmission device group whose transmission rate matches the priority range of that queue.
S120, using a second processor of the second network area to receive the data slices of each file transmitted by the first processor, decrypt and combine them to obtain the file, and forward the file to the target third-party service system in the second network area.
Preferably, the priority range of each transmission queue matches the transmission rate of a unidirectional transmission device group, and each unidirectional transmission device group includes a plurality of unidirectional transmission devices with the same transmission rate.
The step of transmitting the file to be transmitted by using the first processor comprises the following steps:
reading the priority information of each file to be transmitted in the current transmission cycle of the first network area, and thereby determining the transmission queue to which each file belongs;
sorting the files belonging to each transmission queue in descending order of priority, taking the preset number of data slices corresponding to each file as one group, caching the groups in the transmission queue in that order, and transmitting them through the matched unidirectional transmission device group in the order in which they were cached; the preset number equals the number of unidirectional transmission devices in the group, the data slices in each group correspond one to one to the devices in the group, and each data slice is transmitted through its corresponding device.
Preferably, the step of transmitting the file to be transmitted by using the first processor further comprises:
when any transmission queue completes transmission first, fetching the untransmitted file with the lowest priority from a transmission queue whose priority range is higher than that of the queue that finished first, caching it in the queue that finished first and transmitting it through the corresponding unidirectional transmission device group; or fetching the untransmitted file with the highest priority from a transmission queue whose priority range is lower than that of the queue that finished first, caching it in the queue that finished first and transmitting it through the corresponding unidirectional transmission device group; and repeating this until all files to be transmitted in the current transmission cycle have been transmitted.
Compared with the prior art, the system and method for securely transmitting data across networks disclosed in the embodiment of the invention have the following advantages. First, files to be transmitted with different priorities are sliced and encrypted to obtain a plurality of encrypted data slices, the encrypted data slices are cached in transmission queues with different priority ranges, and a unidirectional transmission device group whose transmission rate matches the priority range is selected for transmission, so that files of different priority ranges are transmitted simultaneously and the transmission efficiency of the files is greatly improved. In each transmission period, files with the corresponding priorities are taken from transmission queues that have not finished transmitting, cached in the transmission queue that has finished, and transmitted through its corresponding unidirectional transmission device group, so that the transmission efficiency of the whole system is improved. In addition, the key for decrypting the data slices is stored separately in its own data slice, the receiving end obtains the key through the set sequence number of that data slice, and the data slices with the other sequence numbers are decrypted and combined using the key to obtain the file to be transmitted, so that the security of cross-network data transmission is improved to a great extent.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention.