CN114745176A - Data transmission control method, device, computer equipment and storage medium - Google Patents

Info

Publication number: CN114745176A
Application number: CN202210371972.6A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 胡荣, 吴金宇, 陶文伟, 庞晓健, 胡海生, 朱文
Current assignee: China Southern Power Grid Co Ltd
Original assignee: China Southern Power Grid Co Ltd
Application filed by China Southern Power Grid Co Ltd; priority to CN202210371972.6A; published as CN114745176A; legal status pending.

Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication)
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                • H04L63/1441 Countermeasures against malicious traffic
                    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
                • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                    • H04L63/1416 Event detection, e.g. attack signature detection
        • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
            • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
                • H04L69/161 Implementation details of TCP/IP or UDP/IP stack architecture; specification of modified or new header fields

Abstract

The application relates to a data transmission control method, a data transmission control device, computer equipment and a storage medium. The method comprises the following steps: acquiring a message to be transmitted, wherein the message to be transmitted comprises a data field and an additional field; judging, according to the additional field, whether the message to be transmitted meets a preset transmission condition; if it does, extracting the data field from the message to be transmitted and transmitting the data field; and generating a target message based on the transmitted data field. In this way, the message to be transmitted is screened once against the preset transmission condition to determine whether it is safe, it is passed through a designated channel, and only its data portion is extracted and transmitted separately, so that the transmitted content is pure application data and communication security is further guaranteed. The security of message transmission is therefore ensured.

Description

Data transmission control method, data transmission control device, computer equipment and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a data transmission control method and apparatus, a computer device, and a storage medium.
Background
With the development of communication technology, malicious communication software is becoming more common, and the frequency with which such malware attacks user systems keeps rising, which poses a great threat to the information security of users. How to improve the security of communication is therefore a problem that needs to be solved at present.
In the conventional technology, data is transmitted directly by sending transmission messages.
However, as hacker techniques progress, attack data can be merged into the message data, so that transmitting data through such messages carries a certain risk.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a data transmission control method, an apparatus, a computer device, and a storage medium, which can reduce the risk in message transmission and improve the security of a user system.
A data transmission control method, the method comprising: acquiring a message to be transmitted, wherein the message to be transmitted comprises a data field and an additional field; judging whether the message to be transmitted meets a preset transmission condition or not according to the additional field; if the message to be transmitted meets the preset transmission condition, extracting a data field in the message to be transmitted, and transmitting the data field; and generating a target message based on the transmitted data field.
In one embodiment, extracting the data field from the message to be transmitted and transmitting it includes: extracting the data field from the message to be transmitted according to the format corresponding to that message; replacing the data field with a replacement field, wherein the replacement field comprises a plurality of randomly generated replacement bytes and each replacement byte corresponds one-to-one to a data byte in the data field; recording the correspondence between each replacement byte and its data byte; and transmitting the replacement field together with the correspondence between each replacement byte and its data byte.
In one embodiment, generating the target message based on the transmitted data field includes: acquiring the replacement field and the correspondence between each replacement byte and its data byte; and recombining the replacement field according to that correspondence to obtain the target message.
In one embodiment, determining, according to the additional field, whether the message to be transmitted meets a preset transmission condition includes: determining configuration information of the message to be transmitted according to the additional field, wherein the configuration information comprises at least one of address data and port data of the message; and determining whether the message to be transmitted meets the preset transmission condition according to its configuration information and preset configuration information.
In one embodiment, determining, according to the additional field, whether the message to be transmitted meets a preset transmission condition includes: determining the transmission protocol of the message to be transmitted according to the additional field; and determining whether the message to be transmitted meets the preset transmission condition according to its transmission protocol and a preset transmission rule.
In one embodiment, determining, according to the additional field, whether the message to be transmitted meets a preset transmission condition includes: acquiring a preset message white list; determining, according to the additional field, whether the message to be transmitted is in the message white list; and determining whether the message to be transmitted meets the preset transmission condition according to whether it is in the message white list.
In one embodiment, the method further comprises: if the message to be transmitted does not meet the preset transmission condition, blocking its transmission.
A data transmission control apparatus, the apparatus comprising:
the message acquisition module is used for acquiring a message to be transmitted, wherein the message to be transmitted comprises a data field and an additional field;
the transmission judging module is used for judging whether the message to be transmitted meets the preset transmission condition or not according to the additional field;
the message transmission module is used for extracting a data field in the message to be transmitted and transmitting the data field if the message to be transmitted meets the preset transmission condition;
and the message generation module is used for generating a target message based on the transmitted data field.
A computer device comprising a memory and a processor, the memory storing a computer program, the processor implementing the following steps when executing the computer program: acquiring a message to be transmitted, wherein the message to be transmitted comprises a data field and an additional field; judging whether the message to be transmitted meets a preset transmission condition or not according to the additional field; if the message to be transmitted meets the preset transmission condition, extracting a data field in the message to be transmitted, and transmitting the data field; and generating a target message based on the transmitted data field.
A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of: acquiring a message to be transmitted, wherein the message to be transmitted comprises a data field and an additional field; judging whether the message to be transmitted meets a preset transmission condition or not according to the additional field; if the message to be transmitted meets the preset transmission condition, extracting a data field in the message to be transmitted, and transmitting the data field; and generating a target message based on the transmitted data field.
According to the data transmission control method, device, computer equipment and storage medium provided above, when a message to be transmitted is acquired, it is judged whether the message meets the preset transmission condition; when it does, the data portion of the message is extracted and transmitted, and a new target message is then generated from that data portion. In this way, the message to be transmitted is screened once against the preset transmission condition to determine whether it is safe, it is passed through a designated channel, and only its data portion is extracted and transmitted separately, so that the transmitted content is pure application data and communication security is further guaranteed. The security of message transmission is therefore ensured.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments or the conventional technologies of the present application, the drawings used in the descriptions of the embodiments or the conventional technologies will be briefly introduced below, it is obvious that the drawings in the following descriptions are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flow chart of a data transfer control method in one embodiment;
FIG. 2 is a diagram illustrating an exemplary implementation of a data transmission control method;
FIG. 3 is a flowchart illustrating a method for determining whether a packet satisfies a predetermined condition in an embodiment;
FIG. 4 is a flowchart illustrating a method for determining whether a packet satisfies a predetermined condition in another embodiment;
FIG. 5 is a flowchart illustrating a method for determining whether a packet satisfies a predetermined condition in another embodiment;
FIG. 6 is a flow diagram illustrating a method for data transmission according to one embodiment;
FIG. 7 is a flow chart illustrating a method of data transmission in another embodiment;
FIG. 8 is a schematic flow chart diagram illustrating a method for reorganizing data in one embodiment;
FIG. 9 is a schematic diagram of a data transmission control apparatus according to an embodiment;
FIG. 10 is a schematic diagram of the electronics of the data transfer control apparatus in one embodiment;
FIG. 11 is a block diagram of a data transfer control device in one embodiment;
FIG. 12 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Description of reference numerals: 410-first processing unit, 420-isolation element, 430-second processing unit.
Detailed Description
To facilitate an understanding of the present application, the present application will now be described more fully with reference to the accompanying drawings. Embodiments of the present application are given in the accompanying drawings. This application may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein in the description of the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application.
It will be understood that when an element is referred to as being "connected" to another element, it can be directly connected to the other element or be connected to the other element through intervening elements. Further, "connection" in the following embodiments is understood to mean "electrical connection", "communication connection", or the like, if there is a transfer of electrical signals or data between the connected objects.
As used herein, the singular forms "a", "an" and "the" may include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises/comprising," "includes" or "including," etc., specify the presence of stated features, integers, steps, operations, components, parts, or combinations thereof, but do not preclude the presence or addition of one or more other features, integers, steps, operations, components, parts, or combinations thereof.
As described in the background, data transmission in the prior art is insecure. The inventors have found that the cause is that the prior art transmits data through messages, and such messages are easily tampered with or have attack data merged into them.
For these reasons, the present invention provides a data transmission control method, apparatus, computer device and storage medium that can reduce the risk in message transmission and improve the security of the user system.
In one embodiment, as shown in fig. 1, there is provided a data transmission control method including:
step S100, obtaining a message to be transmitted.
Specifically, the message to be transmitted includes a data field and an additional field. The data field carries the data the message is meant to transmit; the additional field carries the message's necessary auxiliary information other than the data body, including the message header, destination IP, destination port, source address, source port, data length, protocol used, encryption and similar information.
The message to be transmitted may be a control message or a response message, for example. A TCP (Transmission Control Protocol) connection is established through a TCP handshake, and the message to be transmitted is obtained from the sending end over that TCP connection.
And step S120, judging whether the message to be transmitted meets the preset transmission condition or not according to the additional field.
Specifically, whether the message meets the preset transmission condition is judged according to whether the information represented by the additional field meets the preset requirement.
Step S140, if the message to be transmitted meets the preset transmission condition, extracting the data field in the message to be transmitted, and transmitting the data field.
Specifically, when the message to be transmitted is judged, from its additional field, to meet the preset transmission condition, the additional field is discarded, the data field is extracted, and the data field is transmitted. If the message does not meet the preset transmission condition, its transmission is blocked: the message may be discarded, or alarm information may be sent out to indicate that the message is abnormal.
Step S160, generating a target message based on the transmitted data field.
Specifically, the transmitted data field alone is not a complete message; a preset additional field has to be added to the data field to form a complete message.
Illustratively, as shown in fig. 2, an application scenario of an embodiment of the present application may include at least one first service host 110, a data transmission control device 120, and at least one second service host 130, where the data transmission control device 120 may be directly or indirectly connected to each first service host 110 and each second service host 130 through wired or wireless communication. The at least one first service host 110, the data transmission control device 120 and the at least one second service host 130 may include physical devices of smart phones, tablet computers, notebook computers, desktop computers, digital assistants, smart speakers, smart wearable devices, vehicle terminals, servers, etc., and may also include software running in the physical devices, such as, but not limited to, application programs, etc. The data transmission control device 120 is a device capable of executing the data transmission control method in the present application.
The first service host 110/the second service host 130 may send a message to be transmitted to the data transmission control device 120, and the data transmission control device 120 may filter the message to be transmitted by using the data transmission control method provided in this embodiment, transmit the message meeting the transmission condition to the second service host 130/the first service host 110, and block the message not meeting the transmission condition, thereby improving the communication security between the first service host 110 and the second service host 130.
In practical applications, the data transmission control device 120 may be deployed in a boundary protection device of a power monitoring system, with the first service host 110 being a device in a high-security zone and the second service host 130 a device in a low-security zone. The data transmission control device 120 may include a first processing unit and a second processing unit; the first processing unit may be an internal unit and the second an external unit, and both use a proxy mechanism. The internal unit completes the Transmission Control Protocol (TCP) handshake and disconnection procedure with the first service host 110 in the high-security zone, and that procedure terminates at the internal unit; the external unit completes the TCP handshake and disconnection procedure with the second service host 130 in the low-security zone, and that procedure terminates at the external unit. The data transmission control device 120 can thus provide a secure information channel for devices in different security zones. By implementing this proxy communication function it achieves data isolation while still carrying data between the first and second service hosts, which may specifically include file exchange, database synchronization, File Transfer Protocol (FTP) access, database access and mail transmission.
It should be noted that, because the TCP connection and disconnection procedures are relatively complex, the data transmission control apparatus has to maintain a complete state machine when proxying TCP; when the network is unstable, handshake and disconnection messages may arrive out of order, and the state-machine transitions become more complex still. The data transmission control device can therefore implement a similar state machine by imitating the TCP protocol stack: when connection or disconnection messages arrive in an abnormal order, no response is given, and the TCP retransmission mechanism forces the peer to retransmit the messages.
In this embodiment, when a message to be transmitted is acquired, it is first determined whether the message meets a preset transmission condition; when it does, the data portion of the message is extracted and transmitted, and a new target message is then generated from that data portion. In this way, the message to be transmitted is screened once against the preset transmission condition to determine whether it is safe, it is passed through a designated channel, and only its data portion is extracted and transmitted separately, so that the transmitted content is pure application data and communication security is further guaranteed. Filtering messages in this proxy communication mode therefore ensures the security of message transmission.
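As an added illustration (not code from the patent or from its assignee), the following Python sketch shows the kind of reduced connection state machine the paragraph above describes: the proxy mimics the states of a TCP stack, and a handshake or teardown segment that arrives in an order the current state does not expect is ignored with no reply, so the peer's own retransmission timer resends it. The state names, segment names and responses are a simplification constructed for this example; sequence numbers and data transfer are omitted.

```python
"""Added example (not the patent's code): a reduced state machine for a proxied TCP
connection that answers in-order handshake/teardown segments and stays silent on
out-of-order ones, relying on the peer's retransmission. Constructed simplification:
no sequence numbers, no data segments, passive close only."""
from enum import Enum, auto
from typing import Dict, List, Optional, Tuple


class State(Enum):
    LISTEN = auto()        # waiting for a SYN from the service host
    SYN_RECEIVED = auto()  # SYN-ACK sent, waiting for the final ACK of the handshake
    ESTABLISHED = auto()   # handshake complete; application data may be proxied
    LAST_ACK = auto()      # peer's FIN answered with our FIN-ACK, waiting for its ACK
    CLOSED = auto()


# (current state, incoming segment) -> (next state, response segment or None).
# Any pair missing from the table is an out-of-order segment: the state is left
# unchanged and nothing is sent back, exactly as the description prescribes.
TRANSITIONS: Dict[Tuple[State, str], Tuple[State, Optional[str]]] = {
    (State.LISTEN, "SYN"):       (State.SYN_RECEIVED, "SYN-ACK"),
    (State.SYN_RECEIVED, "SYN"): (State.SYN_RECEIVED, "SYN-ACK"),  # retransmitted SYN
    (State.SYN_RECEIVED, "ACK"): (State.ESTABLISHED, None),
    (State.ESTABLISHED, "FIN"):  (State.LAST_ACK, "FIN-ACK"),      # passive close
    (State.LAST_ACK, "FIN"):     (State.LAST_ACK, "FIN-ACK"),      # retransmitted FIN
    (State.LAST_ACK, "ACK"):     (State.CLOSED, None),
}


class ProxyConnection:
    """One proxied TCP connection, terminated at the internal or external unit."""

    def __init__(self) -> None:
        self.state = State.LISTEN
        self.ignored = 0  # out-of-order segments seen; a useful alarm signal

    def handle(self, segment: str) -> Tuple[bool, Optional[str]]:
        """Feed one incoming segment; returns (accepted, response_to_send)."""
        if segment == "RST" and self.state is not State.LISTEN:
            self.state = State.CLOSED       # a reset aborts the connection silently
            return True, None
        transition = TRANSITIONS.get((self.state, segment))
        if transition is None:
            self.ignored += 1               # no response: let the peer retransmit
            return False, None
        self.state, response = transition
        return True, response


def run_trace(segments: List[str]) -> Tuple[State, List[str], int]:
    """Drive a fresh connection through a segment trace. Returns the final state,
    the responses actually sent, and how many segments were ignored."""
    conn = ProxyConnection()
    sent: List[str] = []
    for seg in segments:
        _accepted, resp = conn.handle(seg)
        if resp is not None:
            sent.append(resp)
    return conn.state, sent, conn.ignored
```

Counting ignored segments per connection is the natural hook for the alarm the description mentions elsewhere: a burst of out-of-order handshake segments on an otherwise stable link is worth logging, even though the state machine itself simply stays quiet.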
In one embodiment, as shown in fig. 3, step S120 includes:
and step S300, determining the configuration information of the message to be transmitted according to the additional field.
Specifically, the configuration information includes at least one of address data and port data of the message to be transmitted. The message to be transmitted is parsed to obtain this configuration information, which may include one or more of the source Media Access Control (MAC) address, destination MAC address, source Internet Protocol (IP) address, destination IP address, source port, destination port and transmission protocol.
Step S320, determining whether the packet to be transmitted satisfies a preset transmission condition according to the configuration information of the packet to be transmitted and the preset configuration information.
Specifically, the message header of the message to be transmitted may be parsed by an existing, mature computer program to obtain its configuration information, such as source MAC address, destination MAC address, source IP address, destination IP address, source port, destination port and transmission protocol. Basic filtering is then performed on this configuration information, and a message that does not conform to the preset rules is discarded. The preset rules may be configured in advance according to actual needs, or acquired from a security control center or a situation-awareness system. That is, if the configuration information of the message to be transmitted conforms to the preset configuration information, the message is judged to meet the preset transmission condition.
In this embodiment, the message to be transmitted is filtered and screened by its configuration information, so that messages whose configuration information does not conform to the preset configuration information are removed, messages that may pose a security risk are blocked, and the security of the transmitted messages is ensured.
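The following Python example is added here and is not code from the patent or its assignee. It implements steps S100 to S160 end to end, using the configuration-information check of steps S300 and S320 as the preset transmission condition: the additional field is parsed into MAC addresses, IP addresses, ports and protocol, compared against a preset configuration, and, if it passes, only the data field is carried over and wrapped in a preset additional field to form the target message. The message layout (an Ethernet/IPv4/TCP frame without VLAN tag or header options), the rule values and every address and port are constructed for this example.

```python
"""Added example (not the patent's code): steps S100-S160 with the configuration
check of steps S300/S320 as the preset transmission condition. The frame layout,
addresses, ports and rule values are constructed for the example."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


@dataclass(frozen=True)
class ConfigInfo:
    """Configuration information recovered from the additional field (step S300)."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int


def _ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the 20-byte IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                src_port: int, dst_port: int, data: bytes) -> bytes:
    """Assemble additional field (Ethernet/IPv4/TCP headers) plus data field. Used both
    to construct the sample input and, in step S160, to attach a preset additional field
    to the transmitted data. Sequence numbers and the TCP checksum are left at zero for
    brevity; a real proxy stack fills them in."""
    def mac(s: str) -> bytes:
        return bytes(int(x, 16) for x in s.split(":"))

    def ip(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))

    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(data), 0,
                         0x4000, 64, IPPROTO_TCP, 0, ip(src_ip), ip(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth = struct.pack("!6s6sH", mac(dst_mac), mac(src_mac), ETHERTYPE_IPV4)
    return eth + ip_hdr + tcp + data


def parse_message(frame: bytes) -> Tuple[ConfigInfo, bytes]:
    """Steps S100/S300: split a message into its parsed additional field and its data
    field (the TCP payload). Malformed input raises instead of being passed on."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short for Ethernet/IPv4/TCP")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("unsupported ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or total_len > len(ip) or total_len < ihl + 20:
        raise ValueError("malformed IPv4 header")
    if ip[9] != IPPROTO_TCP:
        raise ValueError("only TCP is handled in this example")
    tcp = ip[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    if doff < 20 or doff > len(tcp):
        raise ValueError("malformed TCP header")
    cfg = ConfigInfo(src_mac=":".join("%02x" % b for b in src_mac),
                     dst_mac=":".join("%02x" % b for b in dst_mac),
                     src_ip=".".join(str(b) for b in ip[12:16]),
                     dst_ip=".".join(str(b) for b in ip[16:20]),
                     proto=ip[9], src_port=src_port, dst_port=dst_port)
    return cfg, tcp[doff:]


# Constructed preset configuration information (step S320); the patent notes such rules
# may also come from a security control center or situation-awareness system.
PRESET_CONFIG = {"dst_ip": {"10.1.0.20"}, "dst_port": {502}, "proto": {IPPROTO_TCP}}

# Constructed preset additional field that the proxy attaches in step S160.
PRESET_HEADER = dict(src_mac="02:00:00:00:00:02", dst_mac="02:00:00:00:00:03",
                     src_ip="10.2.0.1", dst_ip="10.2.0.20", src_port=40000, dst_port=502)


def meets_transmission_condition(cfg: ConfigInfo) -> bool:
    """Step S320: every attribute named in the preset configuration must match."""
    return all(getattr(cfg, key) in allowed for key, allowed in PRESET_CONFIG.items())


def control_transmission(frame: bytes) -> Optional[bytes]:
    """Steps S100-S160. Returns the regenerated target message, or None when the
    message is blocked (step S140's negative branch: discard and/or raise an alarm)."""
    cfg, data_field = parse_message(frame)
    if not meets_transmission_condition(cfg):
        return None
    # Only the data field crosses the boundary; the original additional field is dropped.
    return build_frame(data=data_field, **PRESET_HEADER)
```

Because the target message is rebuilt from a preset header rather than copied, nothing from the original header (addresses, options, flags) survives the crossing, which is the isolation property the description is after; the parser rejects malformed length fields rather than guessing, so an inconsistent header is blocked instead of being forwarded.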
In one embodiment, as shown in fig. 4, step S120 includes:
and step S400, determining the transmission protocol of the message to be transmitted according to the additional field.
Specifically, the message header of the message to be transmitted may be parsed to determine its transmission protocol. The transmission protocol may be one of the common industrial control protocols of the power system, a common TCP/IP protocol, a custom transmission protocol, and so on; the industrial control protocols may include IEC61850, IEC60870-101/102/104/103, tase2, dl476, MODBUS, OPC and the like, and the TCP/IP protocols may include HTTP, SFTP, SMTP, FTP, RPC and the like.
Step S420, determining whether the packet to be transmitted satisfies a preset transmission condition according to the transmission protocol of the packet to be transmitted and a preset transmission rule.
Specifically, the transmission rule may be an application-layer (industrial protocol) rule, and may be preset according to actual needs or acquired from a security control center or a situation-awareness system. In practical applications, the various industrial protocols can be analysed in advance to determine the corresponding transmission rules. For example, the IEC61850 protocol uses object-oriented modelling whose content covers most common real devices and components, adopts a self-describing language, abstracts the communication service interface and models it uniformly for the whole power system; it is highly complex and there is a great deal of content to parse. Moreover, IEC61850 has been developed over many years, and several versions such as V1.0, V2.0 and the national standard currently coexist. The embodiment of the invention can therefore study the processing mechanism of each protocol in advance, build a research test environment, and fully understand and verify the main content and processing procedure of the protocol, with the software design handling the different versions separately, so as to determine the transmission rule corresponding to each transmission protocol. If the transmission rule corresponding to the transmission protocol of the message to be transmitted conforms to the preset transmission rule, the message is judged to meet the preset transmission condition.
In this embodiment, the message to be transmitted is filtered and screened by its transmission protocol: it is determined whether the transmission rule corresponding to that protocol conforms to the preset transmission rule, so that messages which do not conform to the preset transmission rule are removed and messages that may pose a security risk are blocked. Blocking and alarming at the application layer are thus realised, and the security of the transmitted messages is ensured.
In one embodiment, as shown in fig. 5, step S120 includes:
step S500, acquiring a preset message white list.
Specifically, security detection for a specific protocol may be developed in a customized manner: for example, a white list of transmission protocols is maintained, and if the transmission protocol of the message to be transmitted is identified as being in the white list, the preset transmission condition may be directly judged to be met. A black list of transmission protocols may also be maintained; if the transmission protocol of the message to be transmitted is identified as being in the black list, the message may be directly judged not to meet the preset transmission condition and is discarded. Which messages belong in the message white list and which in the message black list may be determined from historical message data, or safe messages may be determined from a database to construct the message white list.
Step S520, according to the additional field, whether the message to be transmitted is located in the message white list is determined.
Specifically, the additional field is compared with the field in the message white list to determine whether the additional field meets the requirement of the message white list, so as to determine whether the message to be transmitted is in the message white list.
Step S540, determining whether the message to be transmitted meets a preset transmission condition according to whether the message to be transmitted is in the message white list.
Specifically, if the message to be transmitted is determined to be in the message white list, it is determined that the message to be transmitted meets the preset transmission condition.
Illustratively, key bytes may also be pre-stored in the message white list. For example, for some specific transmission protocols, whether the message to be transmitted meets the preset transmission condition may be determined by keyword filtering: after the transmission protocol of the message is determined, the keyword information corresponding to that protocol is determined, it is judged whether the message contains the keyword, and when the message contains (or does not contain) the keyword information it may be judged that the preset transmission condition is met.
In this embodiment, whether the message to be transmitted meets the transmission condition is determined through a preset message white list, so that the message is filtered and transmission security is ensured. Since whether a message may be transmitted is decided by comparison against the message white list, the method is also more convenient and faster.
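The Python example below is added here and is not code from the patent or its assignee. It combines the protocol-based filtering of steps S400 and S420 with the white list, black list and keyword checks of steps S500 to S540: the transmission protocol is identified from the additional field (here by destination port), black-listed and unlisted protocols are blocked, a white-listed protocol must additionally satisfy its application-layer transmission rule, and pre-stored keywords are required or forbidden per protocol. The port-to-protocol table, the white and black lists, the rule that only Modbus read functions may pass, the keyword lists and all sample payloads are constructed for this example; the Modbus/TCP MBAP header layout and the IEC 60870-5-104 APCI start byte and length field are taken from those standards.

```python
"""Added example (not the patent's code): protocol filtering (steps S400/S420) plus
white/black list and keyword checks (steps S500-S540). The policy tables and sample
payloads are constructed for the example."""
import struct
from typing import Callable, Dict, Tuple

# Step S400: identify the transmission protocol from the additional field. 502, 2404
# and 102 are the registered ports of Modbus/TCP, IEC 60870-5-104 and IEC 61850 MMS.
PROTOCOL_BY_PORT = {502: "MODBUS", 2404: "IEC104", 102: "IEC61850-MMS", 80: "HTTP", 21: "FTP"}

# Step S500: preset white list and black list of transmission protocols (constructed policy).
PROTOCOL_WHITELIST = {"MODBUS", "IEC104", "HTTP"}
PROTOCOL_BLACKLIST = {"FTP"}

# Constructed application-layer policy: only Modbus read functions may cross the boundary.
MODBUS_ALLOWED_FUNCTIONS = {1, 2, 3, 4}


def modbus_rule(payload: bytes) -> bool:
    """Transmission rule for Modbus/TCP: a consistent MBAP header (protocol id 0,
    length field = unit id + PDU bytes) and an allowed function code."""
    if len(payload) < 8:
        return False
    _tid, proto_id, length, _unit, func = struct.unpack("!HHHBB", payload[:8])
    if proto_id != 0 or length != len(payload) - 6:
        return False
    return func in MODBUS_ALLOWED_FUNCTIONS


def iec104_rule(payload: bytes) -> bool:
    """Transmission rule for IEC 60870-5-104: APCI start byte 0x68 and an APDU length
    field that matches the bytes that follow it (at most 253)."""
    return (len(payload) >= 6 and payload[0] == 0x68
            and payload[1] == len(payload) - 2 and payload[1] <= 253)


# Step S420: preset transmission rule per protocol (protocols without a parser rely on
# the list and keyword checks alone).
TRANSMISSION_RULES: Dict[str, Callable[[bytes], bool]] = {"MODBUS": modbus_rule, "IEC104": iec104_rule}

# Key bytes pre-stored with the white list: required and forbidden keywords per protocol.
KEYWORD_RULES: Dict[str, Dict[str, list]] = {
    "HTTP": {"required": [b"Host: hmi.example"], "forbidden": [b"../"]},
}


def decide(dst_port: int, payload: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason). Default is deny: a protocol that is neither listed nor
    covered by a rule does not meet the preset transmission condition."""
    protocol = PROTOCOL_BY_PORT.get(dst_port, "UNKNOWN")
    if protocol in PROTOCOL_BLACKLIST:
        return False, f"{protocol} is black-listed"
    if protocol not in PROTOCOL_WHITELIST:
        return False, f"{protocol} is not white-listed"
    rule = TRANSMISSION_RULES.get(protocol)
    if rule is not None and not rule(payload):
        return False, f"{protocol} message violates the preset transmission rule"
    keywords = KEYWORD_RULES.get(protocol, {})
    if any(k not in payload for k in keywords.get("required", [])):
        return False, f"{protocol} message lacks a required keyword"
    if any(k in payload for k in keywords.get("forbidden", [])):
        return False, f"{protocol} message contains a forbidden keyword"
    return True, f"{protocol} message meets the preset transmission condition"
```

The reason string is what the device would write to its alarm when a message is blocked; keeping the white list, the per-protocol rule and the keyword lists as separate tables is what lets them be replaced from a security control center without touching the decision logic.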
In one embodiment, as shown in fig. 6, step S140 includes:
Step S600, extracting the data field from the message to be transmitted according to the format corresponding to the message to be transmitted.
Specifically, different types of message have different formats, and the bytes occupied by the additional field and the data field also differ, so the format of the message to be transmitted must be determined first in order to know which bytes of the message belong to the additional field and which to the data field; the bytes of the data field can then be extracted.
Step S620, replace the data field with a replacement field.
Specifically, the replacement field includes a plurality of randomly generated replacement bytes, and each replacement byte corresponds one to one to a data byte in the data field. Because the replacement bytes are randomly generated, the same data byte is not replaced by a fixed byte on each transmission, which improves the safety of data transmission.
Step S640, recording the corresponding relationship between each replacement byte and the data byte.
Specifically, when the data bytes are replaced by the replacement bytes, the corresponding relationship between the replacement bytes and the data bytes is recorded so that the data field can be reassembled later.
Step S660, transmitting the replacement field and the corresponding relationship between each replacement byte and the data byte.
Specifically, the replacement field and the corresponding relationship between the replacement bytes and the data bytes are transmitted, so that the receiving end can reassemble the data field.
In the embodiment, the data field is replaced by the replacement field and then transmitted, so that the safety in the data transmission process is greatly improved, a better confidentiality function is achieved, and the communication safety is ensured.
In one embodiment, as shown in fig. 7, step S140 includes:
step S700, extracting data fields from the message to be transmitted according to the format corresponding to the message to be transmitted.
Step S720, determining a first message sequence number corresponding to the data field according to the additional field.
Step S740, replacing the first message serial number with the second message serial number.
Step S760, the replaced data field is transmitted.
Specifically, the message header data in the additional field is parsed, the first message serial number corresponding to the data portion is determined, the first message serial number is replaced by a second message serial number, and the target message is then generated. The first message serial number is the one used by the sending end of the message, the second message serial number is the one used by the receiving end, and both are generated randomly so as to prevent a hacker from hijacking and replaying the message.
Specifically, when the packet is reassembled, the sequence number also needs to be recorded and replaced. When the network is unstable, messages may be retransmitted or arrive out of order, and the sequence number must then be adjusted accordingly. Therefore, the corresponding relationship between the first message sequence number and the second message sequence number needs to be recorded, and when a lost packet is retransmitted, the sequence numbering used by the device also leaves a gap equal to the length of the lost data, so that the receiving end of the message can sense that packet loss occurred.
In this embodiment, the serial number of the message is replaced, so that the message is encrypted, and the security in the message transmission process is improved.
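The sequence-number substitution of steps S700 to S760 has two properties the text asks for: a retransmitted segment must map to the same second sequence number it received the first time, and a lost segment must leave a gap of exactly its length in the second numbering. Both follow if the device records the first-to-second correspondence and derives new second numbers as a fixed offset from a randomly chosen second initial number. The Python below is an added example, not the patent's code; the class name, the 32-bit modulus and the sample numbers are assumptions for the illustration.

```python
import secrets
from typing import Dict, Optional

SEQ_MOD = 1 << 32  # assumption: 32-bit sequence numbers, as in TCP


class SequenceTranslator:
    """Replace the sender's (first) sequence numbers with receiver-side (second)
    sequence numbers that start at a random base, while recording the
    correspondence so retransmissions translate consistently."""

    def __init__(self, first_isn: int, second_isn: Optional[int] = None) -> None:
        self.first_isn = first_isn % SEQ_MOD
        # The second initial sequence number is random, so an observer of the
        # first side cannot predict the numbering used toward the receiver.
        self.second_isn = (secrets.randbelow(SEQ_MOD) if second_isn is None else second_isn) % SEQ_MOD
        self._to_second: Dict[int, int] = {}
        self._to_first: Dict[int, int] = {}

    def translate(self, first_seq: int) -> int:
        """Step S740: return the second sequence number for a first sequence number."""
        first_seq %= SEQ_MOD
        recorded = self._to_second.get(first_seq)
        if recorded is not None:
            return recorded  # retransmission: reuse the recorded correspondence
        # New segment: keep the distance from the initial number, so the gap left
        # by a lost segment is the same length in the second numbering.
        offset = (first_seq - self.first_isn) % SEQ_MOD
        second_seq = (self.second_isn + offset) % SEQ_MOD
        self._to_second[first_seq] = second_seq
        self._to_first[second_seq] = first_seq
        return second_seq

    def to_first(self, second_seq: int) -> int:
        """Reverse lookup for traffic flowing back toward the original sender."""
        return self._to_first[second_seq % SEQ_MOD]

    @staticmethod
    def gap(prev_seq: int, prev_len: int, next_seq: int) -> int:
        """Bytes missing between one segment and the next, as the receiving end
        would compute it to sense packet loss (0 when contiguous)."""
        return (next_seq - (prev_seq + prev_len)) % SEQ_MOD


if __name__ == "__main__":
    t = SequenceTranslator(first_isn=1000)
    a = t.translate(1000)          # first segment, 100 bytes
    b = t.translate(1100)          # second segment
    c = t.translate(1300)          # segment at 1200 was lost
    print(a, b, c, SequenceTranslator.gap(b, 100, c))
```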
In one embodiment, as shown in fig. 8, step S160 includes:
step S800, acquiring the replacement fields and the corresponding relation between each replacement byte and the data byte.
Step S820, recombining the replacement field according to the corresponding relationship between each replacement byte and the data byte to obtain the target message.
Specifically, using the replacement field and the recorded correspondence between each replacement byte and its data byte, the replacement field is reassembled, that is, each replacement byte is substituted back, to obtain the data field as the target message.
In this embodiment, the data field can be restored by recombining the replacement field, so that complete transmission of data is realized.
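Steps S600 to S660 (replace each data byte with a random byte and record the one-to-one correspondence) and steps S800 to S820 (reassemble the data field from the replacement field and the correspondence) are two halves of one round trip, so a single added example covers both. This Python is not the patent's or the applicant's code; the function names, the list-of-pairs representation of the correspondence and the injectable random source are assumptions for the illustration. The receiving side refuses a replacement field whose bytes do not match the recorded correspondence instead of silently producing garbage.

```python
import secrets
from typing import Callable, List, Tuple

# One (replacement_byte, data_byte) pair per position in the data field.
Correspondence = List[Tuple[int, int]]


def replace_data_field(data: bytes,
                       rng: Callable[[int], bytes] = secrets.token_bytes) -> Tuple[bytes, Correspondence]:
    """Steps S620/S640: replace every data byte with a freshly drawn random byte and
    record the one-to-one correspondence. `rng(n)` must return n bytes; the default
    is a cryptographically secure source."""
    replacement = rng(len(data))
    if len(replacement) != len(data):
        raise ValueError("rng must return exactly len(data) bytes")
    correspondence = list(zip(replacement, data))
    return replacement, correspondence


def reassemble_data_field(replacement: bytes, correspondence: Correspondence) -> bytes:
    """Steps S800/S820: restore the data field from the received replacement field and
    the recorded correspondence. Any mismatch means the field was altered or belongs
    to a different correspondence, so it is rejected."""
    if len(replacement) != len(correspondence):
        raise ValueError("length mismatch between replacement field and correspondence")
    restored = bytearray()
    for received, (expected, original) in zip(replacement, correspondence):
        if received != expected:
            raise ValueError("replacement byte does not match recorded correspondence")
        restored.append(original)
    return bytes(restored)


def is_rejected(replacement: bytes, correspondence: Correspondence) -> bool:
    """True if the receiving side refuses this replacement field."""
    try:
        reassemble_data_field(replacement, correspondence)
    except ValueError:
        return True
    return False


def transmit_and_rebuild(data: bytes, rng: Callable[[int], bytes] = secrets.token_bytes) -> bytes:
    """Sender side (S600 to S660) followed by receiver side (S800 to S820)."""
    replacement, correspondence = replace_data_field(data, rng)
    # Constructed wire representation: the replacement field travels with its correspondence.
    wire = (replacement, correspondence)
    return reassemble_data_field(*wire)


if __name__ == "__main__":
    payload = b"\x68\x04\x07\x00\x00\x00"  # constructed sample data field
    rep, corr = replace_data_field(payload)
    print(rep.hex(), reassemble_data_field(rep, corr) == payload)
```

Two points follow directly from the construction. First, because the replacement bytes are drawn fresh each time, two transmissions of the same data field produce different replacement fields, as the embodiment requires. Second, the correspondence table contains the original data bytes, so the path that carries it must be protected at least as well as the data itself; if the replacement field and the correspondence travel together over the same observable link, an on-path observer can rebuild the data field exactly as the receiving end does.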
In one embodiment, as shown in fig. 9, a data transmission control device is provided, which includes a first processing unit 410, a second processing unit 420, and an isolation unit 430, wherein the first processing unit 410 is communicatively connected to the second processing unit 420 through the isolation unit 430;
the first processing unit 410 is configured to receive a message to be transmitted sent by a first service host and determine whether the message to be transmitted meets a preset transmission condition; when the message to be transmitted meets the preset transmission condition, to extract the data part of the message to be transmitted and transmit the data part to the second processing unit 420 through the isolation unit 430;
the second processing unit 420 is configured to generate a target packet based on the data portion, and send the target packet to the second service host.
In one possible embodiment, the first processing unit 410 is further configured to:
when the message to be transmitted does not meet the preset transmission condition, block the transmission of the message to be transmitted.
It should be noted that, when the apparatus provided in the foregoing embodiment implements the functions thereof, only the division of the functional modules is illustrated, and in practical applications, the functions may be distributed by different functional modules according to needs, that is, the internal structure of the apparatus may be divided into different functional modules to implement all or part of the functions described above. In addition, the apparatus provided in the above embodiments and the corresponding method embodiments belong to the same concept, and specific implementation processes thereof are detailed in the corresponding method embodiments and are not described herein again.
An embodiment of the present invention further provides an electronic device, which includes a processor and a memory, where at least one instruction or at least one program is stored in the memory, and the at least one instruction or the at least one program is loaded and executed by the processor to implement the access control method provided in the above method embodiment.
The memory may be used to store software programs and modules, and the processor may execute various functional applications and data processing by operating the software programs and modules stored in the memory. The memory can mainly comprise a program storage area and a data storage area, wherein the program storage area can store an operating system, application programs needed by functions and the like; the storage data area may store data created according to use of the device, and the like. Further, the memory may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory may also include a memory controller to provide the processor access to the memory.
Referring to FIG. 10 in conjunction with the description, a block diagram of an electronic device 500 is shown, in accordance with one embodiment of the present invention. Electronic device 500 may include one or more processors 502, system control logic 508 coupled to at least one of processors 502, system memory 504 coupled to system control logic 508, non-volatile memory (NVM) 506 coupled to system control logic 508, and network interface 510 coupled to system control logic 508.
Processor 502 may include one or more single-core or multi-core processors. The processor 502 may include any combination of general-purpose processors and special-purpose processors (e.g., graphics processors, application processors, baseband processors, etc.). In embodiments herein, the processor 502 may be configured to perform one or more embodiments in accordance with the various embodiments described above.
In some embodiments, system control logic 508 may include any suitable interface controllers to provide any suitable interface to at least one of processors 502 and/or any suitable device or component in communication with system control logic 508.
In some embodiments, system control logic 508 may include one or more memory controllers to provide an interface to system memory 504. System memory 504 may be used to load and store data and/or instructions. Memory 504 of device 500 may include any suitable volatile memory in some embodiments, such as suitable Dynamic Random Access Memory (DRAM).
NVM/storage 506 may include one or more tangible, non-transitory computer-readable media for storing data and/or instructions. In some embodiments, NVM/storage 506 may include any suitable non-volatile memory such as flash memory and/or any suitable non-volatile storage device, such as at least one of an HDD (Hard Disk Drive), CD (Compact Disc) drive or DVD (Digital Versatile Disc) drive.
NVM/storage 506 may comprise a portion of a storage resource installed on device 500, or it may be accessible by, but not necessarily a part of, the device. For example, NVM/storage 506 may be accessed over a network via network interface 510.
In particular, system memory 504 and NVM/storage 506 may each include: a temporary copy and a permanent copy of instructions 520. The instructions 520 may include: instructions that when executed by at least one of the processors 502 cause the apparatus 500 to implement the access control method as shown in fig. 2 and 3. In some embodiments, the instructions 520, hardware, firmware, and/or software components thereof may additionally/alternatively be located in the system control logic 508, the network interface 510, and/or the processor 502.
Network interface 510 may include a transceiver to provide a radio interface for device 500 to communicate with any other suitable device (e.g., front end module, antenna, etc.) over one or more networks. In some embodiments, the network interface 510 may be integrated with other components of the device 500. For example, the network interface 510 may be integrated with at least one of the communication module of the processor 502, the system memory 504, the NVM/storage 506, and a firmware device (not shown) having instructions that, when executed by at least one of the processors 502, the device 500 implements one or more of the various embodiments illustrated in fig. 2 and 3.
The network interface 510 may further include any suitable hardware and/or firmware to provide a multiple-input multiple-output radio interface. For example, network interface 510 may be a network adapter, a wireless network adapter, a telephone modem, and/or a wireless modem.
In one embodiment, at least one of the processors 502 may be packaged together with logic for one or more controllers of system control logic 508 to form a System In Package (SiP). In one embodiment, at least one of the processors 502 may be integrated on the same die with logic for one or more controllers of system control logic 508 to form a system on a chip (SoC).
The apparatus 500 may further comprise: input/output (I/O) devices 512. I/O device 512 may include a user interface to enable a user to interact with device 500; the design of the peripheral component interface enables peripheral components to also interact with the device 500. In some embodiments, the device 500 further comprises a sensor for determining at least one of environmental conditions and location information associated with the device 500.
In some embodiments, the user interface may include, but is not limited to, a display (e.g., a liquid crystal display, a touch screen display, etc.), a speaker, a microphone, one or more cameras (e.g., still image cameras and/or video cameras), a flashlight (e.g., a light emitting diode flash), and a keyboard.
In some embodiments, the peripheral component interfaces may include, but are not limited to, a non-volatile memory port, an audio jack, and a power interface.
In some embodiments, the sensors may include, but are not limited to, a gyroscope sensor, an accelerometer, a proximity sensor, an ambient light sensor, and a positioning unit. The positioning unit may also be part of the network interface 510 or interact with the network interface 510 to communicate with components of a positioning network, such as Global Positioning System (GPS) satellites.
It is to be understood that the illustrated structure of the embodiment of the invention is not intended to limit the electronic device 500. In other embodiments of the invention, the electronic device 500 may include more or fewer components than illustrated, or some components may be combined, some components may be split, or a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
It should be understood that although the various steps in the flowcharts of fig. 1 and 3-8 are shown in order as indicated by the arrows, the steps are not necessarily performed in that order. Unless explicitly stated otherwise, the steps need not be performed in the exact order shown and described and may be performed in other orders. Moreover, at least some of the steps in fig. 1 and 3-8 may include multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed in sequence but may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
In one embodiment, as shown in fig. 11, there is provided a data transmission control apparatus including: a message obtaining module 1101, a transmission judging module 1102, a message transmission module 1103 and a message generating module 1104, wherein:
the message obtaining module 1101 is configured to obtain a message to be transmitted, where the message to be transmitted includes a data field and an additional field.
The transmission determining module 1102 is configured to determine whether the packet to be transmitted meets a preset transmission condition according to the additional field.
The message transmission module 1103 is configured to, if the message to be transmitted meets the preset transmission condition, extract a data field in the message to be transmitted, and transmit the data field.
And a message generating module 1104, configured to generate a target message based on the transmitted data field.
In one embodiment, the transmission determining module 1102 includes a first information acquisition unit and a first judging unit, wherein:
the first information acquisition unit is used for determining the configuration information of the message to be transmitted according to the additional field, wherein the configuration information comprises at least one of address data and port data of the message to be transmitted.
The first judging unit is used for determining whether the message to be transmitted meets the preset transmission condition according to the configuration information of the message to be transmitted and the preset configuration information.
In one embodiment, the transmission determining module 1102 includes a second information acquisition unit and a second judging unit, wherein:
the second information acquisition unit is used for determining the transmission protocol of the message to be transmitted according to the additional field.
The second judging unit is used for determining whether the message to be transmitted meets the preset transmission condition according to the transmission protocol of the message to be transmitted and the preset transmission rule.
In one embodiment, the transmission determining module 1102 includes a third information acquisition unit, a white list judging unit and a third judging unit, wherein:
the third information acquisition unit is used for acquiring a preset message white list.
The white list judging unit is used for determining whether the message to be transmitted is located in the message white list according to the additional field.
The third judging unit is used for determining whether the message to be transmitted meets the preset transmission condition according to whether the message to be transmitted is located in the message white list.
In one embodiment, the message transmission module 1103 includes an extraction unit, a replacing unit, a recording unit and a transmission unit, wherein:
the extraction unit is used for extracting the data field from the message to be transmitted according to the format corresponding to the message to be transmitted.
The replacing unit is used for replacing the data field with a replacement field, wherein the replacement field comprises a plurality of randomly generated replacement bytes, and each replacement byte corresponds one to one to a data byte in the data field.
The recording unit is used for recording the corresponding relationship between each replacement byte and the data byte.
The transmission unit is used for transmitting the replacement field and the corresponding relationship between each replacement byte and the data byte.
In one embodiment, the message generating module 1104 includes a data obtaining unit and a reassembling unit, wherein:
the data acquisition unit is used for acquiring the replacement field and the corresponding relationship between each replacement byte and the data byte.
The recombination unit is used for recombining the replacement field according to the corresponding relationship between each replacement byte and the data byte to obtain the target message.
For specific limitations of the data transmission control device, reference may be made to the above limitations of the data transmission control method, which are not described herein again. The respective modules in the data transmission control device may be wholly or partially implemented by software, hardware, and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules. It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and there may be another division manner in actual implementation.
In one embodiment, a computer device is provided, the internal structure of which may be as shown in fig. 12. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a data transmission control method.
Those skilled in the art will appreciate that the architecture shown in fig. 12 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In an embodiment, a computer device is provided, comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the steps of the above method embodiments when executing the computer program.
In an embodiment, a computer-readable storage medium is provided, on which a computer program is stored, which computer program, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
In an embodiment, a computer program product is provided, comprising a computer program which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database or other medium used in the embodiments provided herein can include at least one of non-volatile and volatile memory. Non-volatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical storage, or the like. Volatile Memory can include Random Access Memory (RAM) or external cache Memory. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others.
In the description herein, references to the description of "some embodiments," "other embodiments," "desired embodiments," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, a schematic description of the above terminology may not necessarily refer to the same embodiment or example.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A data transmission control method, characterized in that the method comprises:
acquiring a message to be transmitted, wherein the message to be transmitted comprises a data field and an additional field;
judging whether the message to be transmitted meets a preset transmission condition or not according to the additional field;
if the message to be transmitted meets the preset transmission condition, extracting a data field in the message to be transmitted, and transmitting the data field;
and generating a target message based on the transmitted data field.
2. The method of claim 1, wherein the extracting the data field from the message to be transmitted and transmitting the data field comprises:
extracting the data field from the message to be transmitted according to the format corresponding to the message to be transmitted;
replacing the data field by using a replacement field, wherein the replacement field comprises a plurality of randomly generated replacement bytes, and each replacement byte corresponds to a data byte in the data field one by one;
recording the corresponding relation between each replacing byte and the data byte;
and transmitting the replacement fields and the corresponding relation between each replacement byte and the data byte.
3. The method of claim 2, wherein generating the target packet based on the transmitted data field comprises:
acquiring the replacement fields and the corresponding relation between each replacement byte and the data byte;
and recombining the replacement fields according to the corresponding relation between each replacement byte and the data byte to obtain the target message.
4. The method according to claim 1, wherein the determining whether the packet to be transmitted satisfies a preset transmission condition according to the additional field comprises:
determining configuration information of the message to be transmitted according to the additional field, wherein the configuration information comprises at least one of address data and port data of the message to be transmitted;
and determining whether the message to be transmitted meets a preset transmission condition or not according to the configuration information and preset configuration information of the message to be transmitted.
5. The method according to claim 1, wherein the determining whether the packet to be transmitted satisfies a preset transmission condition according to the additional field comprises:
determining a transmission protocol of the message to be transmitted according to the additional field;
and determining whether the message to be transmitted meets a preset transmission condition or not according to the transmission protocol of the message to be transmitted and a preset transmission rule.
6. The method according to claim 1, wherein the determining whether the packet to be transmitted satisfies a preset transmission condition according to the additional field comprises:
acquiring a preset message white list;
determining whether the message to be transmitted is located in the message white list or not according to the additional field;
and determining whether the message to be transmitted meets a preset transmission condition or not according to whether the message to be transmitted is located in the message white list or not.
7. The method according to any one of claims 1-6, further comprising: if the message to be transmitted does not meet the preset transmission condition, blocking the transmission of the message to be transmitted.
8. A data transmission control apparatus, characterized in that the apparatus comprises:
the message acquisition module is used for acquiring a message to be transmitted, wherein the message to be transmitted comprises a data field and an additional field;
the transmission judging module is used for judging whether the message to be transmitted meets the preset transmission condition or not according to the additional field;
the message transmission module is used for extracting a data field in the message to be transmitted and transmitting the data field if the message to be transmitted meets the preset transmission condition;
and the message generation module is used for generating a target message based on the transmitted data field.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
CN202210371972.6A 2022-04-11 2022-04-11 Data transmission control method, device, computer equipment and storage medium Pending CN114745176A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210371972.6A CN114745176A (en) 2022-04-11 2022-04-11 Data transmission control method, device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210371972.6A CN114745176A (en) 2022-04-11 2022-04-11 Data transmission control method, device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114745176A true CN114745176A (en) 2022-07-12

Family

ID=82281713

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210371972.6A Pending CN114745176A (en) 2022-04-11 2022-04-11 Data transmission control method, device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114745176A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115002234A (en) * 2022-05-25 2022-09-02 阿维塔科技(重庆)有限公司 Data message conversion method, device, equipment and computer readable storage medium

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105812387A (en) * 2016-05-09 2016-07-27 北京航天数控系统有限公司 Unidirectional safe data exchange device
CN106330973A (en) * 2016-10-27 2017-01-11 国网江苏省电力公司南京供电公司 Data security exchange method based on black list and white list
CN110401624A (en) * 2018-04-25 2019-11-01 全球能源互联网研究院有限公司 The detection method and system of source net G system mutual message exception
CN110430187A (en) * 2019-08-01 2019-11-08 英赛克科技(北京)有限公司 Communication message method for auditing safely in industrial control system
CN111741127A (en) * 2020-07-23 2020-10-02 杭州海康威视数字技术股份有限公司 Communication connection blocking method and device, electronic equipment and storage medium
CN111818099A (en) * 2020-09-02 2020-10-23 南京云信达科技有限公司 TCP (Transmission control protocol) message filtering method and device
WO2021232920A1 (en) * 2020-05-20 2021-11-25 中兴通讯股份有限公司 Data transmission method, electronic device, and storage medium
WO2021253366A1 (en) * 2020-06-16 2021-12-23 北京京投信安科技发展有限公司 Switch encryption system
CN114050926A (en) * 2021-11-09 2022-02-15 南方电网科学研究院有限责任公司 Data message depth detection method and device
CN114268451A (en) * 2021-11-15 2022-04-01 中国南方电网有限责任公司 Method, device, equipment and medium for constructing power monitoring network security buffer area

CN114666173B (en) Internet of things information transmission method and device based on intermediate equipment
CN114978643B (en) Communication method, network equipment and storage medium
CN116032545B (en) Multi-stage filtering method and system for ssl or tls flow
CN111770099B (en) Data transmission method and device, electronic equipment and computer readable medium
CN114039770B (en) Access control method, device, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination