CN113904876B - Security protection method and device, electronic equipment and computer readable medium - Google Patents

Security protection method and device, electronic equipment and computer readable medium

Info

Publication number
CN113904876B
Authority
CN
China
Prior art keywords
data processing
satellite
data
processing request
telemetry
Prior art date
Legal status
Active
Application number
CN202111480598.5A
Other languages
Chinese (zh)
Other versions
CN113904876A (en)
Inventor
王柳一
周欢
张春悦
Current Assignee
Emposat Co Ltd
Original Assignee
Emposat Co Ltd
Priority date
Filing date
Publication date
Application filed by Emposat Co Ltd
Priority to CN202111480598.5A
Publication of CN113904876A
Application granted
Publication of CN113904876B
Legal status: Active
Anticipated expiration

Classifications

    • H04L 63/0807: Network architectures or network communication protocols for network security, for authentication of entities using tickets, e.g. Kerberos (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 > H04L 63/08)
    • H04B 7/18519: Operations control, administration or maintenance (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04B TRANSMISSION > H04B 7/00 Radio transmission systems, i.e. using radiation field > H04B 7/14 Relay systems > H04B 7/15 Active relay systems > H04B 7/185 Space-based or airborne stations; Stations for satellite systems > H04B 7/1851 Systems using a satellite or space-based relay)
    • H04B 7/18593: Arrangements for preventing unauthorised access or for providing user protection (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04B TRANSMISSION > H04B 7/00 > H04B 7/14 > H04B 7/15 > H04B 7/185 > H04B 7/18578 Satellite systems for providing broadband data service to individual earth stations)
    • H04L 63/08: Network architectures or network communication protocols for network security, for authentication of entities (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00)
    • H04L 63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Astronomy & Astrophysics (AREA)
  • Aviation & Aerospace Engineering (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application relates to a security protection method and device, an electronic device and a computer readable medium. The method can be used on a gateway device and comprises the following steps: obtaining a data processing request from a satellite, the request comprising satellite information and telemetry data; performing security authentication on the request based on the satellite information; after the authentication passes, determining the access authority of the request based on the telemetry data and a preset policy; and sending the request to a back-end application of the satellite telemetry processing platform for processing in accordance with that access authority. The security protection method, device, electronic device and computer readable medium for the satellite telemetry processing platform can protect the access data of the platform and improve its overall security without affecting the normal receiving and use of the satellite telemetry data.

Description

Security protection method and device, electronic equipment and computer readable medium
Technical Field
The application relates to the field of telemetry and telecontrol data processing, in particular to a security protection method and device for a satellite telemetry processing platform, an electronic device and a computer readable medium.
Background
In recent years, with the continuous progress of electronic technology, satellite technology has developed rapidly; commercial satellites with low cost, short development cycles and low prices are increasingly favoured, and the rise of commercial small satellites will open the era of satellite big data. As the commercial spaceflight environment develops, excessive cost naturally becomes a prominent problem restricting its growth.
Reducing the investment cost of a commercial satellite includes not only reducing its development cost but also reducing the cost of its on-orbit operation management. To suit the unique operating mode of commercial satellites, to improve the efficiency of their in-orbit operation management and to reduce in-orbit management cost, most commercial satellites are now provided with a satellite telemetry processing platform. The platform carries out the measurement and control and the operation control management of a number of low-orbit commercial satellites, completes the analysis and processing of measurement and control and data transmission data in real time, supports several control modes, and can realise unattended automatic management throughout the process.
The satellite telemetry processing platform generally comprises a data receiving and transmitting subsystem, a system operation management subsystem and a data processing subsystem. The data receiving and transmitting subsystem mainly performs the receiving and transmitting of satellite measurement and control signals and data transmission signals, together with signal processing, modulation and demodulation, and mainly consists of a receiving and transmitting antenna, a channel processing subsystem, a baseband and other equipment. The system operation management subsystem mainly performs equipment monitoring for all systems, task plan generation, remote control and the daily management of the satellite, and consists of a system monitor and a remote monitor. The data processing subsystem mainly processes satellite downlink telemetry data and service data, and can complete the real-time processing and distribution of satellite data.
The satellite telemetry processing platform has complex tasks and a great deal of data to process, and the security of that data needs to be guaranteed.
The above information disclosed in this background section is only for enhancement of understanding of the background of the application and therefore it may contain information that does not constitute prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
In view of this, the present application provides a security protection method and apparatus for a satellite telemetry processing platform, an electronic device, and a computer readable medium, which can protect the access data of the platform and improve overall security without affecting the normal receiving and use of the satellite telemetry data.
Other features and advantages of the present application will be apparent from the following detailed description, or may be learned by practice of the application.
According to an aspect of the present application, a security protection method for a satellite telemetry processing platform is provided, which may be used on a gateway device, and the method includes: obtaining a data processing request from a satellite, the data processing request comprising satellite information and telemetry data; performing security authentication on the data processing request based on the satellite information; after the security authentication passes, determining the access authority of the data processing request based on the telemetry data and a preset policy; and sending the data processing request to a back-end application of the satellite telemetry processing platform for processing in accordance with the access authority.
In an exemplary embodiment of the present application, obtaining a data processing request from a satellite includes: the satellite telemetry processing platform acquires a data processing request forwarded by a virtual router and forwards the data processing request to the gateway device.
In an exemplary embodiment of the present application, the acquiring, by the satellite telemetry processing platform, of a data processing request forwarded by a virtual router includes: the satellite telemetry processing platform acquires the data processing request forwarded by the virtual router in UDP socket unicast mode; the UDP port range is 3500-3700.
In an exemplary embodiment of the present application, securely authenticating the data processing request based on the satellite information includes: parsing the data processing request with cross-domain authentication middleware; and performing security authentication according to the parsing result.
In an exemplary embodiment of the present application, parsing the data processing request with cross-domain authentication middleware includes: the cross-domain authentication middleware parses the data processing request to acquire token information.
In an exemplary embodiment of the present application, performing security authentication according to the parsing result includes: performing security authentication on the data processing request based on the token information.
In an exemplary embodiment of the present application, determining the access right of the data processing request based on the telemetry data and a preset policy includes: verifying the telemetry data with a cyclic redundancy check; and after the verification passes, determining the access right of the data processing request.
In an exemplary embodiment of the present application, determining the access right of the data processing request includes: parsing the telemetry data to acquire authentication information; and matching the authentication information against the preset policy to determine the access authority of the data processing request.
In an exemplary embodiment of the present application, parsing the telemetry data to obtain authentication information includes: parsing the primary header of the telemetry data; acquiring the domain name, request path, mailbox address and access time from the primary header; and generating the authentication information from the domain name, request path, mailbox address and access time.
According to an aspect of the present application, a security protection device for a satellite telemetry processing platform is provided, which can be used on a gateway device, and the device includes: a request module for obtaining a data processing request from a satellite, the data processing request comprising satellite information and telemetry data; an authentication module for performing security authentication on the data processing request based on the satellite information; an authority module for determining, after the security authentication passes, the access authority of the data processing request based on the telemetry data and a preset policy; and a processing module for sending the data processing request to a back-end application of the satellite telemetry processing platform for processing in accordance with the access authority.
According to an aspect of the present application, an electronic device is provided, the electronic device including one or more processors and storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method above.
According to an aspect of the application, a computer-readable medium is proposed, on which a computer program is stored which, when executed by a processor, carries out the method above.
According to the security protection method, security protection device, electronic device and computer readable medium for the satellite telemetry processing platform, a data processing request from the satellite is acquired, the data processing request comprising satellite information and telemetry data; security authentication is performed on the data processing request based on the satellite information; after the security authentication passes, the access authority of the data processing request is determined based on the telemetry data and a preset policy; and the data processing request is sent to a back-end application of the satellite telemetry processing platform for processing in accordance with the access authority. In this way the access data of the satellite telemetry processing platform can be protected, and overall security is improved without affecting the normal receiving and use of the satellite telemetry data.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The above and other objects, features and advantages of the present application will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings. The drawings described below are only some embodiments of the present application, and other drawings may be derived from those drawings by those skilled in the art without inventive effort.
FIG. 1 is a block diagram of a system architecture for a satellite telemetry processing platform.
FIG. 2 is a flow diagram illustrating a method of securing a satellite telemetry processing platform, according to an example embodiment.
FIG. 3 is a flow diagram illustrating a method of securing a satellite telemetry processing platform, according to another exemplary embodiment.
FIG. 4 is a flow diagram illustrating a method of securing a satellite telemetry processing platform, according to another exemplary embodiment.
FIG. 5 is a schematic diagram illustrating a method of securing a satellite telemetry processing platform, according to an example embodiment.
FIG. 6 is a block diagram illustrating a security protection device of a satellite telemetry processing platform, according to an exemplary embodiment.
FIG. 7 is a block diagram illustrating an electronic device in accordance with an example embodiment.
FIG. 8 is a block diagram illustrating a computer-readable medium in accordance with an example embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The same reference numerals denote the same or similar parts in the drawings, and thus, a repetitive description thereof will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the application. One skilled in the relevant art will recognize, however, that the subject matter of the present application can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, devices, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the application.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
It will be understood that, although the terms first, second, third, etc. may be used herein to describe various components, these components should not be limited by these terms. These terms are used to distinguish one element from another. Thus, a first component discussed below may be termed a second component without departing from the teachings of the present concepts. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
It will be appreciated by those skilled in the art that the drawings are merely schematic representations of exemplary embodiments, and that the blocks or processes shown in the drawings are not necessarily required to practice the present application and are, therefore, not intended to limit the scope of the present application.
The zero trust network model holds that the traditional perimeter model is defective: the internal network that the perimeter security model trusts by default is full of threats. The perimeter model places its layered defences at the network boundary, but once a single point is breached the attacker gains the possibility of lateral movement and further intrusion. Zero trust was proposed to overcome the shortcomings of the perimeter security model and aims to solve the inherent problem of establishing trust on the basis of network boundaries.
The idea of the zero-trust network is that no person, device, system, application or traffic inside or outside the network is trusted; instead, people, devices, systems and applications are authenticated and authorised using existing authentication and authorisation technology, and that authentication and authorisation is adjusted dynamically in real time.
In the present application, the security policy for the satellite telemetry platform is deployed on the basis of a zero trust mechanism, which specifically comprises the following components:
A policy engine, responsible for the final decision whether a given access subject is granted access to a resource (access object). The policy engine takes the enterprise security policy and inputs from external sources (e.g. IP blacklists, threat intelligence services) as inputs to a "trust algorithm" and decides whether to grant or deny access to the resource; its core role is trust evaluation.
A policy manager, responsible for establishing the connection between the client and the resource. It generates any authentication tokens or credentials the client uses to access enterprise resources. It is closely tied to the policy engine and depends on it to decide whether a connection is finally allowed or denied; the core of the policy manager is the policy decision point, which is the decision component of zero trust dynamic authority.
A policy enforcement point, in practice a component system, responsible for starting, continuously monitoring and eventually ending the connection between the access subject and the access object. It can be divided into two components, a client-side component and a resource-side component, and it ensures secure access to the service.
In addition to these core components, many data sources supply the policy engine with input and policy rules when it makes access decisions, including both local and external data sources.
FIG. 1 is a system block diagram of a satellite telemetry processing platform. The satellite telemetry processing platform is a general service for receiving and analysing the telemetry data of a number of satellites; it supports dynamic satellite addition and telemetry parameter configuration, and provides a visual window interface for data output as well as an external calling API (application program interface). The platform software provides services in RESTful style on a B/S framework, and a user can call the services through a browser or directly by HTTP POST to view telemetry analysis results and modify the related configuration. The platform mainly provides the functions of adding multi-satellite telemetry configuration analysis, classified receiving of satellite telemetry, data packaging, parameter extraction, parameter processing and result sending, and also includes storage and playback of the original code data streams.
FIG. 2 is a flow diagram illustrating a method of securing a satellite telemetry processing platform, according to an example embodiment. The security protection method 20 of the satellite telemetry processing platform comprises at least steps S202 to S208.
As shown in fig. 2, in S202, a data processing request from a satellite is obtained, the data processing request comprising satellite information and telemetry data. This includes the following: the satellite telemetry processing platform acquires a data processing request forwarded by a virtual router and forwards the data processing request to the gateway device. More specifically, the satellite telemetry processing platform acquires the data processing request forwarded by the virtual router in UDP socket unicast mode; the UDP port range is 3500-3700.
The interface telemetry service of the satellite telemetry processing platform receives the satellite telemetry frames forwarded by the virtual router in UDP socket unicast mode. Different frequency bands of different satellites use different receive ports, which are automatically generated and allocated by the telemetry service.
In S204, the data processing request is securely authenticated based on the satellite information. This includes the following: parsing the data processing request with cross-domain authentication middleware; and performing security authentication according to the parsing result.
More specifically, the data processing request can be parsed by the cross-domain authentication middleware to obtain token information, and security authentication is performed on the data processing request based on the token information.
The authentication-related components may be built as Go web middleware: after the reverse proxy forwards the request to the backend, one middleware parses and verifies the JWT. The JWT is used to determine whether the user account is authenticated.
JWT is the abbreviation of JSON Web Token; the satellite information is encrypted into the token, and the server stores no user information. The client carries the token each time it communicates with the server. The token may be placed in the Authorization header field of the HTTP request, or, for example, in the body of a POST request; the present application is not limited in this respect.
In S206, after the security authentication passes, the access right of the data processing request is determined based on the telemetry data and a preset policy. The telemetry data may, for example, be checked with a cyclic redundancy check, and after the check passes the access right of the data processing request is determined.
Whether the authenticated account has the right to access the back-end application is then checked. More specifically, certs is a directory of server certificates in which the public and private keys are stored. In the satellite telemetry processing platform, a response is generated from the current random number using a prior-art authentication algorithm; the first 16 bits of the response are taken and XORed with the CRC; the XOR result and the message data are encrypted, and the encrypted result and the encrypted message data are sent to the control centre along the reverse link. After the data is sent, the current random number is updated using the agreed time and the user's MAC address, for use in verification.
More specifically, the primary header of the telemetry data is parsed; the domain name, request path, mailbox address and access time are acquired from the primary header; the authentication information is generated from the domain name, request path, mailbox address and access time, and is matched against the preset policy to determine the access authority of the data processing request.
In S208, the data processing request is sent to a back-end application of the satellite telemetry processing platform for processing in accordance with the access authority. The preceding steps have established that the data processing request is safe and valid, so it is now sent to the corresponding back-end application interface for the back-end application to process.
According to the security protection method of the satellite telemetry processing platform, a data processing request from the satellite is acquired, the data processing request comprising satellite information and telemetry data; security authentication is performed on the data processing request based on the satellite information; after the security authentication passes, the access authority of the data processing request is determined based on the telemetry data and a preset policy; and the data processing request is sent to a back-end application of the satellite telemetry processing platform for processing in accordance with the access authority. In this way the access data of the satellite telemetry processing platform can be protected, and overall security is improved without affecting the normal receiving and use of the satellite telemetry data.
It should be clearly understood that this application describes how to make and use particular examples, but the principles of this application are not limited to any details of these examples. Rather, these principles can be applied to many other embodiments based on the teachings of the present disclosure.
FIG. 3 is a flow diagram illustrating a method of securing a satellite telemetry processing platform, according to another exemplary embodiment. The flow 30 shown in fig. 3 is a detailed description of "perform security authentication on the data processing request based on the satellite information" at S204 in the flow shown in fig. 2.
As shown in fig. 3, in S302, the data processing request is parsed by the cross-domain authentication middleware, namely JWT cross-domain authentication middleware.
In S304, the data processing request is securely authenticated based on the token information. In JWT mode the server side does not need to store token information, only the key used for encryption. The token is generated (encrypted) when the user logs in and is sent to the client, which stores it and presents it with each subsequent request; the server then parses and verifies it. The server therefore spends no storage on login information and no time on synchronising it.
In the present application, the satellite information that needs to be encrypted is as follows:
[Table of satellite information fields; image not reproduced on this page]
A token is generated from this satellite information for encryption and decryption processing.
In S306, when the security authentication fails, the data processing request is discarded.
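The JWT middleware of S204 and S302 to S306 above, as an added Go example that is not code from the patent or from Emposat: an HS256 issuer and verifier on the standard library, and an HTTP middleware that rejects a request whose token fails verification (the discard branch of S306) before it reaches the backend. The Claims fields, the demo key and the Bearer header placement are assumptions; the patent says only that the token encodes satellite information and may travel in the Authorization header.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Claims carried in the token. The patent only says the token encodes
// "satellite information", so this field set is an assumption.
type Claims struct {
	Subject   string `json:"sub"` // satellite identifier (assumed)
	ExpiresAt int64  `json:"exp"` // unix seconds
}

var (
	ErrBadFormat    = errors.New("malformed token")
	ErrBadSignature = errors.New("signature mismatch")
	ErrExpired      = errors.New("token expired")
)

var b64 = base64.RawURLEncoding

// SignHS256 issues a compact JWT (header.payload.signature) with HMAC-SHA256.
func SignHS256(key []byte, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// VerifyHS256 checks a token and returns its claims. The alg header is
// pinned to HS256 and the signature is compared in constant time before
// the payload is trusted; an exp at or before now rejects the token.
func VerifyHS256(key []byte, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrBadFormat
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, ErrBadFormat
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, ErrBadFormat
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, ErrBadSignature
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, ErrBadFormat
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, ErrBadFormat
	}
	if c.ExpiresAt != 0 && !now.Before(time.Unix(c.ExpiresAt, 0)) {
		return nil, ErrExpired
	}
	return &c, nil
}

// AuthMiddleware is the S304/S306 step as an HTTP middleware: a request with
// a missing or invalid token is answered 401 and never reaches next.
func AuthMiddleware(key []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if _, err := VerifyHS256(key, tok, time.Now()); err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	key := []byte("constructed-demo-key") // constructed; not a real secret
	tok, _ := SignHS256(key, Claims{Subject: "SAT-01", ExpiresAt: time.Now().Add(time.Hour).Unix()})
	_, err := VerifyHS256([]byte("wrong-key"), tok, time.Now())
	fmt.Println(err) // signature mismatch
}
```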
FIG. 4 is a flow diagram illustrating a method of securing a satellite telemetry processing platform, according to another exemplary embodiment. The process 40 shown in fig. 4 is a detailed description of the process of S206 "determining the access right of the data processing request based on the telemetry data and the preset policy" in the process shown in fig. 2.
As shown in fig. 4, in S402, the telemetry data is checked by cyclic redundancy check. The back-end application receives the encrypted data and sends it to the control centre along the reverse link. The control centre computes the agreed time from the time at which the user's request was sent during access authentication, computes the random number by combining that time with the user's MAC address, and locally regenerates the expected response from the computed random number. Following the data frame mechanism, the first n/2 bits of the expected response and the last n/2 bits of the received data are taken, and the XOR result together with the received data is subjected to CRC (cyclic redundancy check).
In S404, after the check passes, the telemetry data is parsed to obtain the authentication information. If the check passes, the request is judged to be correct telemetry data sent by a legitimate user and the telemetry data proceeds to subsequent processing; if the check fails, the telemetry data is considered incorrect and/or the user illegitimate, and the received data is discarded.
In S406, the authentication information is matched with the preset policy to determine the access right of the data processing request.
Whether an account has the right to access a resource is decided by a set of rules. An account's authority can be checked on the following fields:
Host: the requested host, i.e. the domain name the request is addressed to.
Path: the requested path; for example, a general user requesting an administrator path is judged to be an unauthorized access. IP: the source IP, used for allow lists or deny lists.
Email: the mailbox address of the visitor.
Time: the request time, used as the access validity time. In one embodiment the temporary access permission is set to 1, i.e. it expires after 1 day.
From these fields, rules such as the following can be composed:
request.path.startsWith("/admin") && request.email == "x@xsec.io"
This rule expresses that only the account with mailbox x@xsec.io may access paths under /admin.
request.ip.network("192.168.100.0/24")
This rule expresses that only sources in the 192.168.100.0/24 network are allowed access.
In the present application, the data frame fields are as follows:
[Table of data frame fields; the original image is not reproduced here.]
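Process 40 end to end (S402 CRC check, S404 leader parsing, S406 policy matching with the two rules above), as an added example that is not code from the patent. The frame layout (2-byte leader length, JSON leader, telemetry, 4-byte CRC-32 trailer), the shared secret, and the derivation of the random number and expected response from the appointed time and MAC address (SHA-256 then HMAC) are assumptions for the example; the patent fixes none of them. The CRC is computed exactly as the page describes: over the XOR of the first n/2 bits of the expected response with the last n/2 bits of the body, followed by the body.

```python
import hashlib
import hmac
import ipaddress
import json
import zlib
from dataclasses import dataclass

# Assumed shared secret between the control center and a legitimate user (not from the patent).
SHARED_SECRET = b"example-shared-secret"
N_BITS = 256          # length n of the response; n/2 = 128 bits = 16 bytes are mixed into the CRC
HALF = N_BITS // 16   # n/2 bits expressed in bytes
ONE_DAY = 86400       # temporary access permission of "1", i.e. valid for one day


def expected_response(appointed_time: int, mac: str) -> bytes:
    """Control-center side: random number from the appointed time and the user's MAC,
    then the expected response regenerated from that random number (derivation assumed)."""
    nonce = hashlib.sha256(f"{appointed_time}|{mac.lower()}".encode()).digest()
    return hmac.new(SHARED_SECRET, nonce, hashlib.sha256).digest()


def frame_crc(response: bytes, body: bytes) -> int:
    """CRC over (first n/2 bits of the response XOR last n/2 bits of the body) followed by the body."""
    head = response[:HALF]
    tail = body[-HALF:].rjust(HALF, b"\0")
    mixed = bytes(a ^ b for a, b in zip(head, tail))
    return zlib.crc32(mixed + body) & 0xFFFFFFFF


def build_frame(leader: dict, telemetry: bytes, appointed_time: int, mac: str) -> bytes:
    """Legitimate sender. Assumed layout: [2-byte leader length][leader JSON][telemetry][4-byte CRC]."""
    leader_bytes = json.dumps(leader, separators=(",", ":")).encode()
    body = len(leader_bytes).to_bytes(2, "big") + leader_bytes + telemetry
    crc = frame_crc(expected_response(appointed_time, mac), body)
    return body + crc.to_bytes(4, "big")


def check_frame(frame: bytes, appointed_time: int, mac: str):
    """S402/S404: verify the CRC, then parse the leader into authentication information.
    Returns None (discard) for corrupted data or a user who cannot produce the response."""
    if len(frame) < 6:
        return None
    body, crc = frame[:-4], int.from_bytes(frame[-4:], "big")
    if frame_crc(expected_response(appointed_time, mac), body) != crc:
        return None
    leader_len = int.from_bytes(body[:2], "big")
    try:
        leader = json.loads(body[2:2 + leader_len])
    except ValueError:
        return None
    if not isinstance(leader, dict):
        return None
    return {
        "host": leader.get("host"),
        "path": leader.get("path"),
        "email": leader.get("email"),
        "time": leader.get("time"),
        "telemetry": body[2 + leader_len:],
    }


@dataclass
class Request:
    host: str
    path: str
    email: str
    ip: str
    time: int


# Preset policy in the style of the two rules on the page; each rule returns True when it permits the request.
RULES = [
    # request.path.startsWith("/admin") && request.email == "x@xsec.io":
    # admin paths are reserved for that mailbox; other paths are not restricted by this rule.
    lambda r: not r.path.startswith("/admin") or r.email == "x@xsec.io",
    # request.ip.network("192.168.100.0/24"): only that source network may access at all.
    lambda r: ipaddress.ip_address(r.ip) in ipaddress.ip_network("192.168.100.0/24"),
]


def access_allowed(auth_info: dict, source_ip: str, now: int, rules=RULES) -> bool:
    """S406: match the authentication information against the preset policy."""
    req = Request(auth_info["host"], auth_info["path"], auth_info["email"], source_ip, int(auth_info["time"]))
    if not (req.time <= now < req.time + ONE_DAY):
        return False  # temporary access permission has expired
    return all(rule(req) for rule in rules)


if __name__ == "__main__":
    t, mac = 1_700_000_000, "aa:bb:cc:dd:ee:ff"
    leader = {"host": "telemetry.example.invalid", "path": "/admin/ops", "email": "x@xsec.io", "time": t}
    frame = build_frame(leader, b"\x01\x02\x03telemetry", t, mac)   # constructed sample frame
    info = check_frame(frame, t, mac)
    print(info, access_allowed(info, "192.168.100.7", t + 100))
```

Two caveats a practitioner would raise about the scheme as written: a CRC is an error-detecting code, not a message authentication code, so mixing the expected response into it only keeps out a sender who cannot compute that response and does nothing against an attacker who observes one valid frame for the same time and MAC; and the policy should deny by default, as `access_allowed` does, so that a request missing a field or a rule never silently passes.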
In a specific embodiment, once data reaches the network adapter, the system control software performs the security filtering steps of this application. A packet that passes the checks is passed up from the adapter to the Miniport Driver, where the data is reassembled, and on to the appropriate protocol stack. In the sending direction the system passes data from the application layer down to the network layer until it reaches NDIS, which hands it to the Miniport Driver, and from there to the adapter and the physical network, where it is delivered to the back-end processing program. Fig. 5 compares the security risk trend before and after the security protection method of this application is applied; the method greatly reduces the security risk of the satellite telemetry processing platform.
Those skilled in the art will appreciate that all or part of the steps of the above embodiments may be implemented as computer programs executed by a CPU; when executed by the CPU, the program performs the functions defined by the methods provided herein. The program may be stored in a computer readable storage medium, such as a read-only memory, a magnetic disk or an optical disk.
Furthermore, it should be noted that the above-mentioned figures are only schematic illustrations of the processes involved in the method according to exemplary embodiments of the present application, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
The following are embodiments of the apparatus of the present application that may be used to perform embodiments of the method of the present application. For details which are not disclosed in the embodiments of the apparatus of the present application, reference is made to the embodiments of the method of the present application.
FIG. 6 is a block diagram of a security protection device of a satellite telemetry processing platform according to an exemplary embodiment. As shown in fig. 6, the security protection device 60 of the satellite telemetry processing platform comprises a request module 602, an authentication module 604, a permission module 606 and a processing module 608.
The request module 602 is configured to obtain a data processing request from a satellite, where the data processing request includes: satellite information and telemetry data; the request module 602 is further configured to obtain, by the satellite telemetry processing platform, a data processing request forwarded by the virtual route; forwarding the data processing request to the gateway device.
The authentication module 604 is configured to perform security authentication on the data processing request based on the satellite information; the authentication module 604 is further configured to parse the data processing request based on cross-domain authentication middleware; and performing security authentication according to the analysis result.
The authority module 606 is configured to determine, based on the telemetry data and a preset policy, an access authority of the data processing request after the security authentication is passed; the permission module 606 is further configured to verify the telemetry data based on a cyclic redundancy check; and after the verification is passed, determining the access right of the data processing request.
The processing module 608 is configured to send the data processing request to a backend application of the satellite telemetry processing platform for processing based on the access right.
The security protection device of the satellite telemetry processing platform obtains a data processing request from a satellite, the data processing request comprising satellite information and telemetry data; performs security authentication on the data processing request based on the satellite information; after the security authentication is passed, determines the access authority of the data processing request based on the telemetry data and a preset policy; and sends the data processing request to a back-end application of the satellite telemetry processing platform for processing based on the access authority. In this way the access data of the satellite telemetry processing platform is protected, and overall security is improved without affecting the normal reception and use of the satellite telemetry data.
FIG. 7 is a block diagram illustrating an electronic device in accordance with an example embodiment.
An electronic device 700 according to this embodiment of the present application is described below with reference to fig. 7. The electronic device 700 shown in fig. 7 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 7, electronic device 700 is embodied in the form of a general purpose computing device. The components of the electronic device 700 may include, but are not limited to: at least one processing unit 710, at least one memory unit 720, a bus 730 that connects the various system components (including the memory unit 720 and the processing unit 710), a display unit 740, and the like.
Wherein the storage unit stores program code that can be executed by the processing unit 710 such that the processing unit 710 performs the steps according to various exemplary embodiments of the present application described in the present specification. For example, the processing unit 710 may perform the steps as shown in fig. 2, 3, 4.
The memory unit 720 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM) 7201 and/or a cache memory unit 7202, and may further include a read only memory unit (ROM) 7203.
The memory unit 720 may also include a program/utility 7204 having a set (at least one) of program modules 7205, such program modules 7205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 730 may be one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processor bus, or a local bus using any of a variety of bus architectures.
The electronic device 700 may also communicate with one or more external devices 700' (e.g., keyboard, pointing device, Bluetooth device, etc.) so that a user can interact with the electronic device 700, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 700 to communicate with one or more other computing devices. Such communication may occur via an input/output (I/O) interface 750. The electronic device 700 may also communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) via the network adapter 760. The network adapter 760 may communicate with other modules of the electronic device 700 via the bus 730. It should be appreciated that, although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device 700, including but not limited to microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives and data backup storage systems.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, as shown in fig. 8, the technical solution according to the embodiment of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, or a network device, etc.) to execute the above method according to the embodiment of the present application.
The software product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A readable signal medium may include a propagated data signal with readable program code embodied therein, for example in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electromagnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user's computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the Internet using an Internet service provider).
The computer readable medium carries one or more programs which, when executed by a device, cause the device to perform the following functions: obtaining a data processing request from a satellite, the data processing request comprising satellite information and telemetry data; performing security authentication on the data processing request based on the satellite information; after the security authentication is passed, determining the access authority of the data processing request based on the telemetry data and a preset policy; and sending the data processing request to a back-end application of a satellite telemetry processing platform for processing based on the access authority.
Those skilled in the art will appreciate that the modules described above may be distributed in the apparatus as described in the embodiments, or may be modified accordingly and placed in one or more apparatuses different from those of the embodiments. The modules of the above embodiments may be combined into one module, or further split into multiple sub-modules.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiment of the present application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which can be a personal computer, a server, a mobile terminal, or a network device, etc.) to execute the method according to the embodiment of the present application.
Exemplary embodiments of the present application are specifically illustrated and described above. It is to be understood that the application is not limited to the details of construction, arrangement, or method of implementation described herein; on the contrary, the intention is to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (9)

1. A security protection method for a satellite telemetry processing platform, usable on a gateway device, characterized by comprising:
obtaining a data processing request from a satellite, the data processing request comprising: satellite information and telemetry data;
performing security authentication on the data processing request based on the satellite information;
after the security authentication is passed, checking the telemetry data by cyclic redundancy check;
after the check is passed, parsing a leader of the telemetry data;
acquiring a domain name, a request path, a mailbox address and an access time from the leader;
generating authentication information based on the domain name, the request path, the mailbox address and the access time;
matching the authentication information with a preset policy to determine the access authority of the data processing request;
and sending the data processing request to a back-end application of a satellite telemetry processing platform for processing based on the access authority.
2. The security method of claim 1, wherein obtaining a data processing request from a satellite comprises:
a satellite telemetry processing platform acquires a data processing request forwarded by a virtual route;
forwarding the data processing request to the gateway device.
3. The security protection method of claim 2, wherein the satellite telemetry processing platform acquiring the data processing request forwarded by the virtual route comprises:
the satellite telemetry processing platform acquiring the data processing request forwarded by the virtual route in UDP socket unicast mode;
wherein the UDP port range is 3500-3700.
4. The security method of claim 1, wherein securely authenticating the data processing request based on the satellite information comprises:
analyzing the data processing request based on cross-domain authentication middleware;
and performing security authentication according to the analysis result.
5. The method of claim 4, wherein parsing the data processing request based on cross-domain authentication middleware comprises:
and analyzing the data processing request based on the cross-domain authentication middleware to acquire token information.
6. The security protection method of claim 5, wherein performing security authentication according to the parsing result comprises:
and performing security authentication on the data processing request based on the token information.
7. A security protection device for a satellite telemetry processing platform, usable on a gateway device, characterized by comprising:
a request module for obtaining a data processing request from a satellite, the data processing request comprising: satellite information and telemetry data;
the authentication module is used for carrying out security authentication on the data processing request based on the satellite information;
the authority module is used for checking the telemetry data by cyclic redundancy check after the security authentication is passed; parsing a leader of the telemetry data after the check is passed; acquiring a domain name, a request path, a mailbox address and an access time from the leader; generating authentication information based on the domain name, the request path, the mailbox address and the access time; and matching the authentication information with a preset policy to determine the access authority of the data processing request;
and the processing module is used for sending the data processing request to a back-end application of a satellite telemetry processing platform for processing based on the access authority.
8. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs;
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-6.
9. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-6.
CN202111480598.5A 2021-12-07 2021-12-07 Security protection method and device, electronic equipment and computer readable medium Active CN113904876B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111480598.5A CN113904876B (en) 2021-12-07 2021-12-07 Security protection method and device, electronic equipment and computer readable medium

Publications (2)

Publication Number Publication Date
CN113904876A CN113904876A (en) 2022-01-07
CN113904876B true CN113904876B (en) 2022-02-25

Family

ID=79025569


Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114726650B (en) * 2022-05-17 2022-08-23 北京航天驭星科技有限公司 Task request processing method and device, electronic equipment and computer readable medium
CN115086077B (en) * 2022-07-21 2022-12-27 北京航天驭星科技有限公司 API defense system construction method and system, electronic equipment and storage medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10841000B2 (en) * 2019-03-01 2020-11-17 Atlas Space Operations, Inc. System and method for authorizing access in satellite communications
CN111586076B (en) * 2020-05-26 2021-12-07 清华大学 Remote control and telemetry information tamper-proof encryption and decryption method and system based on mixed password
CN112532595B (en) * 2020-11-18 2022-07-22 四川安迪科技实业有限公司 Satellite network data authority control method, device and storage medium
CN112612617B (en) * 2020-12-30 2023-06-20 东方红卫星移动通信有限公司 Satellite telemetry data processing method and system and constellation state monitoring platform
CN112953726B (en) * 2021-03-01 2022-09-06 西安电子科技大学 Satellite-ground and inter-satellite networking authentication method, system and application for fusing double-layer satellite network



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant