CN115022084B - Network isolation gatekeeper data exchange method and application thereof - Google Patents

Info

Publication number: CN115022084B
Authority: CN (China)
Prior art keywords: data, transmission, channel, abnormal, pool
Legal status: Active
Application number: CN202210838190.9A
Other languages: Chinese (zh)
Other versions: CN115022084A (en)
Inventors: 朱述宝, 吕国林, 丘建栋, 修科鼎, 刘星
Current assignee: Shenzhen Urban Transport Planning Center Co Ltd
Original assignee: Shenzhen Urban Transport Planning Center Co Ltd

Classifications

All codes below sit under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information), except the last, which is a Y02D (climate change mitigation in ICT) tag:

    • H04L 63/02: Network architectures or network communication protocols for network security, for separating internal from external traffic, e.g. firewalls
    • H04L 12/4633: Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L 63/123: Applying verification of the received information, specifically of received data contents, e.g. message integrity
    • H04L 69/04: Protocols for data compression, e.g. ROHC
    • Y02D 30/50: Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

A network isolation gatekeeper data exchange method and its application belong to the technical field of gatekeepers. The method addresses the rapid growth in data volume and the diversity of data types encountered during data transmission. It uses a dynamic-ferry transmission algorithm: after the data has been compressed in the external resource pool, the original transmission protocol is stripped and the data is sliced; sequence codes and an integrity check are added to each slice; address directions are allocated and selected when channels are connected; for each slice a suitable transmission channel is chosen so that the single-channel data rate is maximised; an anomaly index is checked with the Pauta (3σ) criterion; once multi-channel transmission and the integrity check are complete, the slices are joined in sequence-code order, the transmission protocol is re-encapsulated around the integrated data packet, the data is decompressed, the internal resource pool is opened to connect to the internal terminal, and after transmission the logs are stored on the internal terminal. The invention offers high transmission efficiency, high reliability and strong compatibility.

Description

Network isolation gatekeeper data exchange method and application thereof
Technical Field
The invention belongs to the technical field of isolation gatekeepers, and particularly relates to a network isolation gatekeeper data exchange method and application thereof.
Background
An isolation gatekeeper is normally deployed in data centres or other high-security networks to physically separate an internal network from an external network. Its basic principle is to provide conditional access between fully isolated network segments by ferrying data: at any moment the gatekeeper holds a physical connection to only one of the two networks, so no continuous physical communication path ever exists between them and only protocol-free ferrying of data takes place. In this way the gatekeeper physically isolates and blocks every connection that could carry an attack.
Information ferried through the gatekeeper has its protocol rebuilt on the far side as required. When two independent host systems are separated by a gatekeeper, data exchange takes place without any physical connection, logical connection or information transmission protocol existing between the systems. An isolation gatekeeper therefore consists of three parts: the isolation hardware, an internal end machine and an external end machine. The transmission equipment is split into an internal terminal and an external terminal. The internal terminal is responsible for network communication, performing data acquisition, collection and preprocessing and handing the data to the isolation hardware; the external terminal receives the data ferried by the isolation hardware and forwards it through a wireless communication module. The isolation hardware is the only data path between the two terminals; it does not support general-purpose protocols such as TCP/IP and ferries data between the two ends through a time-shared on/off connection, forming a secure isolation data gate with no real-time physical connection.
The core technology of an isolation gatekeeper comprises the data ferrying technology used for data exchange and the data isolation technology used for network isolation. Existing gatekeeper data exchange technology can be divided into two modes according to the object being controlled: ferry exchange and channel control.
Prior art 1, ferry exchange:
This mode uses the traditional 2+1 gatekeeper architecture (internal end machine, external end machine and isolation hardware). Ferry control is performed by the isolation and exchange control unit inside the isolation hardware, which comprises a data exchange area and a ferry switch. The data exchange area is a temporary store for data in transit, and the ferry switch is an electronic changeover switch that ensures the data exchange area is never connected to the internal and external networks at the same time, creating a spatial gap and hence physical isolation.
The ferry switch is the most common switching mode of a gatekeeper. To maintain physical isolation, the exchange area must be disconnected from the external network while it is connected to the internal network, and disconnected from the internal network while it is connected to the external network. When the electronic changeover switch C is at point A, the data exchange area is connected to the intranet and disconnected from the extranet; the intranet data to be exchanged is written into the exchange area while the data that earlier arrived from the extranet is read out, completing the first ferry. When switch C is at point B, the exchange area is connected to the extranet and disconnected from the intranet; the extranet data to be exchanged is written in while the data from the intranet is read out, completing the second ferry.
Data exchange among several networks is achieved by replacing the changeover switch with a switching matrix. Data is switched much as in a data switch, but each network processing unit is connected to only one data buffer at a time and each buffer to only one processing unit, so no two networks are ever connected to each other. A network processing unit reads only from its own buffer and writes into the buffer that corresponds to the target network.
In the data exchange technology of the two-zone model of a single isolation gatekeeper, channel control mostly relies on unidirectional transmission without a ferry switch, emphasising the guarantee that data flows in one direction only. Taking optical-fibre unidirectional transmission as an example, the sender's receive line is physically disconnected from the receiver's send line; the sender has full control and the receiver can only passively accept what is sent. During this 'blind' transmission the physical property of the channel ensures that only a data flow exists and no control flow, which effectively protects both the protocol and the data.
The drawback of such techniques is that transmission reliability is hard to guarantee. Because of the 'blind send' mechanism, the receiver does not know the total amount of data the sender holds and the sender does not know whether the receiver has reliably received all of it; reliability has to be added through security mechanisms such as forward error correction codes and redundancy checks. These mechanisms are mostly applied after the data has been received and raise an alarm when an error is detected, which greatly increases the error-correction effort, time cost and hardware cost.
Prior art 2, channel control:
Channel control changes the way the internal and external networks communicate: it interrupts their direct connection and forms physical isolation through an agreed communication means, acting between the interface end of the internal and external terminal machines and the data buffer of the isolation and exchange control unit. In each of the intranet and extranet processing units, the channel between the interface and the data buffer is called internal channel 1, and the channel between the buffer and the exchange area is called internal channel 2. Isolation of the internal and external networks is achieved by controlling the switching of these internal channels.
Two models are currently in use, the three-zone model and the two-zone model. Ferrying data through a central data exchange area is the three-zone model; eliminating the exchange area and controlling internal channel 1 and internal channel 2 alternately is the two-zone model.
In the three-zone model the bus of the exchange area is connected in turn to the intranet buffer and the extranet buffer, i.e. internal channel 2 is controlled, and the data exchange is completed.
Data ferrying in the two-zone model takes two steps. First, internal channel 2, which links the intranet and extranet data buffers, is disconnected and internal channel 1 is connected; the intranet and extranet interface units receive the data to be exchanged and store it in their respective buffers, completing the first ferry. Then internal channel 1 is disconnected and internal channel 2 is connected; with both buffers now isolated from their interface units, the two buffers are joined and the data to be exchanged is copied into the opposite buffer, completing the second ferry.
The internal channels generally use a non-standard network connection, so that any attack arriving from either end is stopped at the interface unit, strengthening the isolation effect. A dedicated network, SCSI (Small Computer System Interface) or similar is usually chosen. Choosing the data exchange technology carefully for the three data areas and two internal channels inside the gatekeeper greatly reduces the attack surface. Most existing manufacturers focus on the control of internal channel 2.
In the three-zone model of a single isolation gatekeeper, channel control is mostly bus based, commonly using a PCI or LVDS bus, and requires a ferry switch. Taking PCI-bus channel control as an example: the physical layer of the TCP/IP model is disconnected and the data link is eliminated. Data arrives at the external terminal machine from the external network; the TCP/IP protocol is stripped so that the packet becomes pure data, preventing protocol-based attacks. The external terminal machine then inspects the data and, once it is confirmed not to contain malicious content, opens the external-network data channel switch and writes the data into the memory of the secure data exchange area; that switch is closed, the internal-network channel switch is opened, and the data is transferred to the internal terminal machine, which performs a cyclic redundancy check and, once the transfer is verified, re-encapsulates TCP/IP to restore the original transmission.
This technique depends heavily on the ferry switch. A single ferry switch can serve only one target at a time, so one-to-many exchange is impossible and the process is cumbersome and slow. A single gatekeeper contains only one set of ferry switches in its isolation hardware, support for large and very numerous files is poor, transmission and exchange are slow, interruptions and errors occur easily, and a fault in the ferry switch disables the channel, so that channel control loses its practical value and service timeliness suffers severely.
Disclosure of Invention
The invention addresses the rapid expansion of the data security market, the rapid growth in the volume of data exchanged, and the complexity of data types: the existing single isolation gatekeeper technology can no longer support today's large data security service systems in terms of transmission reliability and policy configuration.
To this end, the invention is realised by the following technical scheme:
A network isolation gatekeeper data exchange method uses a dynamic-ferry transmission algorithm and comprises the following steps:
S1, data compression: the external terminal machine places the data into the data pool of the external resource pool, where it is compressed;
S2, data slicing: the total data volume is compared against the slicing condition; when it exceeds the condition, the isolation gatekeeper determines how many channels to call, strips the transmission protocol from the data and slices it; when it does not, the data is corrected instead;
S3, dynamic adjustment of transmission: a fragment identification sequence code is added to the head of each data slice in the data pool and a carrying sequence code to its tail; the anomaly index is checked with the Pauta (3σ) criterion to decide whether retransmission is needed, returning to the compression step if the result is abnormal and proceeding to transmission if it is normal;
S4, data transmission: in the thread pool of the resource pool, the sequence-coded slices are processed concurrently and passed in order into the connection pool for multi-channel transmission; during multi-channel transmission the isolation gatekeeper performs an anomaly check, returning slices judged abnormal to the connection pool and completing transmission for those judged normal;
S5, once transmission and the data integrity check are complete, the internal resource pool joins the data in sequence-code order to obtain an integrated data packet, re-encapsulates the transmission protocol, decompresses the data and opens the internal resource pool for connection to the internal terminal;
S6, after the internal terminal has received the data, the transmission information generated during the transfer is stored as a log on the internal terminal.
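The following is an added worked example, not code from the patent, showing steps S1 to S5 in miniature. Taken from the page: LZMA compression (S1), a slicing decision against what one channel can carry within the time limit T (S2), a head sequence code of UUID plus fragment ordinal and a redundancy check for integrity (S3/S4), re-joining by ordinal followed by decompression (S5), and the rule that a slice failing its check is discarded, its UUID logged, and the resend given a fresh UUID. Assumed here, because the page does not fix them: the byte layout of the head and tail codes, CRC-32 as the redundancy check, the slicing threshold as rate × T, and in-memory lists standing in for the connection pool with slices spread over them round-robin.

```python
"""Dynamic-ferry pipeline in miniature (added example, not the patent's code)."""
import lzma
import random
import struct
import uuid
import zlib

HEADER = struct.Struct("!16sI")  # assumed head code: 16 raw UUID bytes + 32-bit ordinal
TRAILER = struct.Struct("!I")    # assumed tail code: CRC-32 over head + payload


def needs_slicing(total_bytes: int, rate_bytes_per_s: float, time_limit_s: float) -> bool:
    """S2 slice determination (assumed form): slice when the volume exceeds
    what a single channel can carry within one transmission time limit T."""
    return total_bytes > rate_bytes_per_s * time_limit_s


def frame(payload: bytes, ordinal: int) -> bytes:
    """S3: prepend (fresh UUID, ordinal), append CRC-32. A retransmission
    passes through here again, so it carries a new UUID but the same ordinal."""
    body = HEADER.pack(uuid.uuid4().bytes, ordinal) + payload
    return body + TRAILER.pack(zlib.crc32(body))


def parse_frame(data: bytes):
    """Return (ordinal, uuid_hex, payload), or None when the CRC does not match."""
    if len(data) < HEADER.size + TRAILER.size:
        return None
    body, (crc,) = data[:-TRAILER.size], TRAILER.unpack(data[-TRAILER.size:])
    if zlib.crc32(body) != crc:
        return None
    raw_uuid, ordinal = HEADER.unpack_from(body)
    return ordinal, uuid.UUID(bytes=raw_uuid).hex, body[HEADER.size:]


class ExternalPool:
    """External resource pool: compress (S1), slice (S2), frame and spread
    over channels (S3/S4), and re-frame a slice on request."""

    def __init__(self, raw: bytes, slice_size: int):
        self.compressed = lzma.compress(raw)  # S1: LZMA, as the page specifies
        self.slices = [self.compressed[i:i + slice_size]
                       for i in range(0, len(self.compressed), slice_size)]

    def send(self, n_channels: int) -> list:
        channels = [[] for _ in range(n_channels)]
        for ordinal, payload in enumerate(self.slices):
            channels[ordinal % n_channels].append(frame(payload, ordinal))  # assumed round-robin
        return channels

    def resend(self, ordinal: int) -> bytes:
        return frame(self.slices[ordinal], ordinal)


def receive(channels, external: ExternalPool, log: list) -> bytes:
    """Internal resource pool (S5): verify every slice, discard and log the
    UUID of any that fails, pull a retransmission for each missing ordinal,
    then join in ordinal order and decompress."""
    good = {}
    for channel in channels:
        for data in channel:
            parsed = parse_frame(data)
            if parsed is None:
                # The head is unverified here, so the UUID is logged only "as received".
                if len(data) >= HEADER.size:
                    raw_uuid, ordinal = HEADER.unpack_from(data)
                    log.append(("discard", uuid.UUID(bytes=raw_uuid).hex, ordinal))
                else:
                    log.append(("discard", None, None))
                continue
            ordinal, _uid, payload = parsed
            good[ordinal] = payload
    # Missing ordinals are derived from the expected set, never from an unverified head.
    for ordinal in range(len(external.slices)):
        if ordinal not in good:
            parsed = parse_frame(external.resend(ordinal))
            if parsed is None:
                raise ValueError(f"retransmission of slice {ordinal} failed its check")
            log.append(("retransmit", parsed[1], ordinal))
            good[ordinal] = parsed[2]
    stream = b"".join(good[i] for i in range(len(external.slices)))
    return lzma.decompress(stream)


def demo() -> tuple:
    """Constructed run: 4000 pseudo-random bytes, three channels, one slice
    corrupted in transit. Returns (original, recovered, log)."""
    raw = random.Random(7).randbytes(4000)  # constructed input, incompressible on purpose
    pool = ExternalPool(raw, slice_size=256)
    channels = pool.send(n_channels=3)
    damaged = bytearray(channels[1][0])
    damaged[HEADER.size] ^= 0xFF  # flip one payload byte of the first slice on channel 1
    channels[1][0] = bytes(damaged)
    log = []
    return raw, receive(channels, pool, log), log
```

Two design points worth noting. The receiver never trusts the head of a frame whose CRC failed: it logs the UUID as received, but the set of slices to request again is computed from the expected ordinal range, so a corrupted ordinal field cannot steer the retransmission. And because `frame()` always draws a fresh UUID, the log naturally pairs the discarded UUID with the new one for the same ordinal, which is the classification the page describes for the log.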
Further, the compression in step S1 uses the LZMA algorithm, and the isolation gatekeeper periodically scans the compressed data to obtain the data volume to be transmitted:
[formula image 1]
Further, the slicing condition in step S2 is determined as follows: the result is Boolean; slicing is performed when the slice determination value is 1 and skipped when it is 0:
slice determination value =
[formula image 2]
[formula image 3] is the theoretical single-channel slice transmission rate, T is the time limit of a single transmission, and the total volume a single channel can transmit is
[formula image 4]
Further, the transmission protocol is stripped in step S2 by decapsulating the data packet, in the following steps:
S2.1, strip the IP protocol, i.e. disconnect the network layer of the original TCP/IP stack (OSI layer model) and eliminate all IP-based attacks;
S2.2, strip the TCP and UDP protocols, i.e. disconnect the transport layer and eliminate all TCP- and UDP-based attacks;
S2.3, strip the application protocol, i.e. disconnect the application layer and eliminate attacks from insecure transmission applications;
S2.4, strip all control signals used to establish the communication link, i.e. disconnect the data link layer and eliminate link-layer attacks from outside the resource pool;
S2.5, disconnect the physical layer completely; once the transmission protocol has been stripped, the data changes from a compressed packet carrying a transmission protocol into a plain data stream.
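As an added illustration of S2.1 to S2.4 (not code from the patent), the stripper below decapsulates a captured frame layer by layer so that only an opaque application payload reaches the ferry. The security-relevant choice is that anything the stripper does not fully understand is rejected rather than forwarded: that refusal, not the header removal itself, is what keeps header-based attacks out of the ferried stream. Assumptions not on the page: Ethernet II framing, IPv4 without options, UDP as the only carried transport, and IPv4 fragments treated as unacceptable. The sample frame is constructed inline.

```python
"""Layer-by-layer decapsulation to a bare payload (added example, not the patent's code)."""
import struct

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
IPV4 = struct.Struct("!BBHHHBBH4s4s")  # fixed 20-byte IPv4 header
UDP = struct.Struct("!HHHH")           # sport, dport, length, checksum

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


class StripError(ValueError):
    """Raised when a frame is not plain IPv4/UDP that may be ferried."""


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a correct header sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def strip_link(frame: bytes) -> bytes:
    """S2.4: drop the data link layer; only the IPv4 EtherType is accepted."""
    if len(frame) < ETH.size:
        raise StripError("frame shorter than an Ethernet header")
    _dst, _src, ethertype = ETH.unpack_from(frame)
    if ethertype != ETHERTYPE_IPV4:
        raise StripError(f"EtherType 0x{ethertype:04x} is not ferried")
    return frame[ETH.size:]


def strip_ip(packet: bytes) -> bytes:
    """S2.1: drop the IP layer after checking version, IHL, fragmentation,
    checksum and declared length. Options and fragments are refused."""
    if len(packet) < IPV4.size:
        raise StripError("packet shorter than an IPv4 header")
    vihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, _src, _dst = IPV4.unpack_from(packet)
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl != IPV4.size:
        raise StripError("not IPv4 or carries IP options")
    if flags_frag & 0x3FFF:  # MF flag set or non-zero fragment offset
        raise StripError("IP fragments are not ferried")
    if inet_checksum(packet[:ihl]) != 0:
        raise StripError("bad IPv4 header checksum")
    if total_len > len(packet) or total_len < ihl + UDP.size:
        raise StripError("declared IP length inconsistent with packet")
    if proto != IPPROTO_UDP:
        raise StripError(f"IP protocol {proto} is not ferried")
    return packet[ihl:total_len]  # bytes beyond total_len (padding) are discarded


def strip_transport(segment: bytes) -> bytes:
    """S2.2: drop the UDP header after checking its declared length."""
    _sport, _dport, length, _csum = UDP.unpack_from(segment)
    if length != len(segment):
        raise StripError("UDP length does not match segment")
    return segment[UDP.size:]


def strip_to_payload(frame: bytes) -> bytes:
    """Full S2 decapsulation: Ethernet -> IPv4 -> UDP -> bare payload."""
    return strip_transport(strip_ip(strip_link(frame)))


def ferry_or_reject(frame: bytes) -> tuple:
    """(True, payload) when the frame may be ferried, else (False, reason)."""
    try:
        return True, strip_to_payload(frame)
    except StripError as exc:
        return False, str(exc)


def build_udp_frame(payload: bytes, ethertype: int = ETHERTYPE_IPV4,
                    flags_frag: int = 0, proto: int = IPPROTO_UDP) -> bytes:
    """Constructed test frame with a valid IPv4 header checksum (UDP checksum
    left as 0, i.e. absent). The keyword parameters only build rejection cases."""
    udp = UDP.pack(40000, 5000, UDP.size + len(payload), 0) + payload
    ip = bytearray(IPV4.pack(0x45, 0, IPV4.size + len(udp), 1, flags_frag,
                             64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"))
    struct.pack_into("!H", ip, 10, inet_checksum(bytes(ip)))
    return ETH.pack(b"\x02" * 6, b"\x02" * 6, ethertype) + bytes(ip) + udp
```

Note that the stripper returns exactly `total_len` bytes of IP payload and exactly the UDP-declared length, so trailing padding or a length mismatch cannot smuggle extra bytes across the gap; the application layer (S2.3) would be handled the same way by a parser for the specific application format being ferried.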
Further, the channel-number judgment in step S2 consists of determining the number of participating channels and the amount of data to be transmitted in each channel.
With channel-call weight
[formula image 5]
the number of channels is counted as:
[formula image 6]
[formula image 7] is the number of participating channels, [formula image 8] is the total number of channels and [formula image 5] is the weight;
the isolation gatekeeper calls specific idle usable channels by:
[formula image 9]
[formula image 10] denotes taking the remainder;
Let P(k) denote the transmission time of the k-th slice; from the previous n transmissions, the actual single-channel slice data volume over those n transmissions is obtained as
[formula image 11]
[formula image 9]
[formula image 12] is the data volume transmitted for the k-th slice, [formula image 13] is the k-th transmission, [formula image 14] is the single transmission time, n is the total number of transmissions and [formula image 11] is the actual single-channel slice data volume over the previous n transmissions;
the actual total transmitted volume is obtained as:
actual total transmission amount =
[formula image 15]
With the error correction value of the transmitted data volume set as
[formula image 16]
the data volume to be transmitted is obtained as
[formula image 17]
[formula image 18]
[formula image 19]
T is the single transmission time limit.
Further, in step S3 the head fragment identification sequence code comprises a non-repeating UUID and the ordinal number of the specific fragment, which may repeat; when a transmission error occurs the data fragment is discarded, its UUID is recorded in the terminal log, and the retransmitted fragment is assigned a new UUID.
Further, in step S4 data is distributed by address, data anomaly verification uses the Pauta criterion of the normal distribution (the 3σ rule, which treats a value more than three standard deviations from the mean as abnormal), and data integrity verification uses a cyclic redundancy check.
Further, the anomaly verification with the Pauta criterion in step S4 proceeds as follows:
the single transmission time limit T is divided into M parts, where M is any element of the set of agreed detection counts j;
the time at which data enters the channel is
[formula image 20]
the time at which data leaves the channel is
[formula image 21]
and the time difference of the received data is
[formula image 22]
[formula image 23]
[formula image 23] is the time at which the data enters the channel, [formula image 25] the time at which it leaves the channel, and [formula image 26] the time difference of the received data;
when the transmission channel is abnormal the following relation holds:
[formula image 27]
[formula image 28] is the mean of t and [formula image 29] is the standard deviation;
when an anomaly exists, its total length is recorded:
[formula image 30]
[formula image 31] is the total length of the anomaly and [formula image 32] is an abnormal time;
the anomaly detection index is obtained as
[formula image 33]
[formula image 34]
When the anomaly detection parameter is below a set threshold, transmission may resume from the breakpoint; when it exceeds the threshold, retransmission is required.
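The check just described, as an added example that is not code from the patent. Taken from the page: T is cut into M detection slots, each slot yields an entry time and an exit time whose difference is the observed latency, a latency is abnormal under the Pauta (3σ) criterion when it lies more than three standard deviations from the mean, abnormal latencies are summed into a total abnormal length, and an index derived from that total decides between resuming from the breakpoint and retransmitting. Assumed here, because the page's formulas are not reproduced: the index is total abnormal time divided by T, the resume/retransmit threshold is 0.2, and the mean and deviation may be taken from a baseline of earlier transmissions instead of from the window under test. All timings are constructed.

```python
"""Pauta (3-sigma) latency check for one ferry channel (added example, not the patent's code)."""
import math
import statistics

# Constructed baseline: per-slice latencies (seconds) from earlier, normal transmissions.
BASELINE_DELTAS = [0.048, 0.052, 0.050, 0.049, 0.051] * 4


def transit_deltas(t_in, t_out):
    """Per-slot latency: time out of the channel minus time into it."""
    if len(t_in) != len(t_out):
        raise ValueError("need one exit time per entry time")
    return [out - inn for inn, out in zip(t_in, t_out)]


def flag_pauta(deltas, baseline=None, k=3.0):
    """Mark deltas farther than k*sigma from the mean. Mean and sigma come
    from `baseline` when given, otherwise from the window itself."""
    ref = baseline if baseline is not None else deltas
    mu, sigma = statistics.fmean(ref), statistics.pstdev(ref)
    return [abs(d - mu) > k * sigma for d in deltas]


def max_self_zscore(m: int) -> float:
    """Largest |z| any single value can reach when the mean and population
    sigma are estimated from the same window of m values (sqrt(m - 1)).
    For m <= 10 it never exceeds 3, so a self-referenced 3-sigma test on a
    short window cannot fire no matter how long one slice stalls."""
    return math.sqrt(m - 1)


def check_channel(deltas, T, baseline=None, k=3.0, threshold=0.2):
    """Run the step S4 check on one channel's window of M deltas and decide."""
    flags = flag_pauta(deltas, baseline, k)
    abnormal_total = sum(d for d, f in zip(deltas, flags) if f)  # total length of the anomaly
    index = abnormal_total / T                                   # assumed anomaly index
    return {
        "flags": flags,
        "abnormal_total": abnormal_total,
        "index": index,
        "action": "resume" if index < threshold else "retransmit",
    }


def demo():
    """Constructed window: T = 2 s cut into M = 8 slots, slot 5 stalled for 0.9 s.
    Returns the verdict both self-referenced and against the baseline."""
    t_in = [0.25 * i for i in range(8)]
    t_out = [t + 0.05 for t in t_in]
    t_out[5] = t_in[5] + 0.9
    deltas = transit_deltas(t_in, t_out)
    return {
        "self_referenced": check_channel(deltas, T=2.0),
        "against_baseline": check_channel(deltas, T=2.0, baseline=BASELINE_DELTAS),
    }
```

The two verdicts in `demo()` differ on purpose: with the mean and deviation estimated from the eight-slot window itself, the 0.9 s stall inflates the deviation enough to hide inside 3σ and nothing is flagged, whereas against the baseline it is flagged and the index (0.45 of T) calls for retransmission. A practitioner applying the page's criterion should therefore either keep M well above ten or, as here, take the statistics from previous transmissions.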
Further, the log storage step is performed on the client: the log contains all UUIDs used by the data slices and the specific time of any abnormal transmission; UUIDs are classified into a normal-transmission class and an abnormal-transmission class according to the anomaly index criterion, and the abnormal class carries the specific time of the abnormal transmission as an attribute.
An application of the network isolation gatekeeper data exchange method lies in the field of network information security or data information security.
The beneficial effects of the invention are as follows:
The network isolation gatekeeper data exchange method of the invention provides a dynamic-ferry optimisation of the data transmission layer across several gatekeepers. Against the poor transmission reliability of the prior art it adopts the three-zone model and a channel-control method in which the gatekeepers are driven by a user-defined communication protocol; against the inability of the prior art to transmit one-to-many it builds a multi-gatekeeper cluster whose aggregate bandwidth meets data volumes of different scales; and against the cumbersome, slow and poorly supported transmission of the prior art it adopts a new transmission mode, constructing a switching matrix and calling the multiple gatekeepers by dynamic ferrying so that the cluster's full performance is used.
The method can be applied to data security scenarios of enterprises, governments and the like. It overcomes the shortcomings of the traditional isolation gatekeeper by improving the transmission method and process: through balanced calculation, full-load judgment, IP-level slicing of the data, channel allocation and similar steps it completes the dynamic ferry of the original data across several gatekeepers, and after the ferry it performs data integrity checking, data integration and related operations on the internal terminal. While preserving security it offers high transmission efficiency, high reliability and strong compatibility.
Drawings
Fig. 1 is a flowchart of the data slice transmission condition judgment and the overall data slice flow in the network isolation gatekeeper data exchange method of the invention;
Fig. 2 is a schematic diagram of the data packet decapsulation process in the method;
Fig. 3 is a simulation diagram of slice transmission modification of data in the method;
Fig. 4 is a schematic diagram of the identification sequence code added to a data slice in the method;
Fig. 5 is a flowchart of data transmission addressing and data allocation in the method;
Fig. 6 is a schematic structural diagram of the network isolation gatekeeper data system of the invention;
Fig. 7 is a schematic structural diagram of a gatekeeper card of an isolation gatekeeper in the network isolation gatekeeper data system of the invention.
Detailed Description
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in detail below with reference to the accompanying drawings and the detailed description. The embodiments described here are illustrative and not limiting: they are only some embodiments of the invention, not all of them. The components of the embodiments, as generally described and illustrated in the figures, may be arranged and designed in many different configurations, and the invention may have other embodiments.
The following detailed description of specific embodiments shown in the drawings is therefore not intended to limit the claimed scope but merely represents selected embodiments. All other embodiments that a person skilled in the art can derive from the detailed description without inventive effort fall within the scope of protection of the invention.
To further explain the contents, features and effects of the invention, the following embodiments are described in detail with reference to Figures 1 to 5:
First specific embodiment:
A network isolation gatekeeper data exchange method, implemented on the network isolation gatekeeper data exchange system, uses a dynamic-ferry transmission algorithm and comprises the following steps:
s1, data compression: the external terminal machine inputs data into a data pool of the external resource pool, and compresses the data in the data pool;
further, the compression algorithm for compressing the data in step S1 adopts LZMA algorithm, and the isolation gatekeeper periodically scans the compressed data to obtain the data volume to be transmitted
Figure 841240DEST_PATH_IMAGE001
S2, data slicing: judge whether the total data amount exceeds the slicing condition; if it does, the isolation gatekeeper determines the number of channels to call, strips the transmission protocol from the data and slices it; if it does not, the data is corrected;
Further, the slicing condition in step S2 is determined as follows: the return value is boolean, slicing is performed when the returned slice determination value is 1 and is not performed when it is 0:
slice determination value = (formula given only as an image in the source)
K(n) is the single-channel slice transmission theoretical rate, T is the single transmission time limit, and the total amount of files a single channel can transmit is K(n) × T.
Further, as shown in fig. 2, the transmission protocol stripping manner of the data in step S2 is data packet decapsulation, which includes the following steps:
S2.1, strip the IP protocol from the data, i.e. disconnect the network layer of the original TCP/IP OSI model and eliminate all IP-based attacks;
S2.2, strip the TCP and UDP protocols, i.e. disconnect the transport layer of the original TCP/IP OSI model and eliminate all TCP- and UDP-based attacks;
S2.3, strip the application protocol, i.e. disconnect the application layer of the original TCP/IP OSI model and eliminate all attacks by unsafe transmission applications;
S2.4, strip all control signals used to establish the communication link, i.e. disconnect the data link layer of the original TCP/IP OSI model and eliminate data link attacks from outside the original resource pool;
S2.5, completely disconnect the physical layer; after the transmission protocol is stripped, the data is converted from a compressed data packet carrying a transmission protocol into a plain data stream;
Furthermore, the channel-number decision in step S2 comprises determining the number of participating channels and the amount of data to be transmitted on each channel;
the number of channels is counted using the channel calling weight μ:
(formula given only as an image in the source)
i is the number of participating channels, N is the total number of channels, and μ is the weight;
the isolation gatekeeper makes use-specific calls among the idle usable channels by the following method:
(formula given only as an image in the source)
mod is the remainder operation;
let P(k) denote the time of the k-th slice transmission; using the previous n transmissions, the data volume X(n) of the previous n actual single-channel slices is obtained from the formula:
(formula given only as an image in the source)
x(k) is the data volume transmitted in the k-th slice, k is the k-th transmission, t is the single transmission time, n is the total number of transmissions, and X(n) is the data volume of the previous n actual single-channel slices;
the actual total transmission amount is obtained:
actual total transmission amount = N μ X(n)
the error correction value of the transmitted data amount is set as
(formula given only as an image in the source)
giving the data volume X to be transmitted:
(formula given only as an image in the source)
D(n) is the rate offset value, and T is the single transmission time limit;
Furthermore, the number of channels participating in the transport can be selected manually; when an important file urgently needs to be transmitted, the channels can be called to the maximum extent, with the channel calling weight:
(formula given only as an image in the source)
further, a slice transmission correction simulation diagram of data is shown in fig. 3, and it can be known from the diagram that a straight line part is an ideal transmission rate, a curve part is an actual transmission rate, an actual transmission data amount is an area of a lower half part of the curve part, a target transmission data amount is a rectangular whole area, and an error correction value is an entire area of an upper half part of the curve;
Furthermore, by adjusting the channel calling weight μ according to the actual situation, the slice data size of the isolation gatekeeper is changed; the remaining calculations are performed on the FPGA control chip of the isolation gatekeeper.
S3, dynamic adjustment of data transmission, as shown in fig. 4: add a fragment identification sequence code to the head of each data slice in the data pool and a carrying sequence code to its tail, detect the anomaly index using the Pauta criterion and decide on abnormal retransmission; if the slice is judged abnormal, return to the data compression step, otherwise transmit the data;
further, the step S3 is to facilitate data integration after dynamic ferry;
further, in step S3, the header fragment identifier sequence code includes a section of non-repeatable UUID and a section of repeatable specific slice ordinal number, and when a transmission error occurs, the section of data slice is discarded and the UUID is recorded into the terminal log, and the retransmitted data slice is assigned a new UUID;
furthermore, the UUID is used for determining the uniqueness of the data slice, the data slice is abandoned and the UUID is recorded into an indoor terminal log when transmission errors occur, the retransmitted data slice is assigned with a new UUID, and the accurate position and the sequence occupied during data integration can be determined when a specific slice ordinal number is used for data integration;
Further, the anomaly index is detected using the Pauta criterion to decide on abnormal retransmission;
s4, data transmission: in a thread pool of a resource pool, performing concurrent operation on the data slices added with the sequence codes and sequentially transmitting the data slices into a connection pool for multi-channel transmission, performing exception checking judgment on an isolation gateway in the multi-channel transmission process, returning to the connection pool if the exception is judged, and completing transmission if the exception is judged to be normal;
Further, in step S4 data distribution is carried out by address, data anomaly verification uses the Pauta criterion under a normal distribution, and data integrity verification uses a cyclic redundancy check;
further, as shown in fig. 5, the specific process of performing data allocation in an address manner in step S4 is as follows:
S4.1, the data slice carrying the sequence code enters the thread pool, and it is judged whether the thread pool has an idle thread; if there is an idle thread, the slice is loaded into it and a connection pool address is allocated; if there is none, it is judged whether a new thread is created; if a new thread is created, the slice is loaded into the new thread, and if not, the data is returned to the data pool;
S4.2, it is judged whether the connection pool has an empty transmission channel; if it has, the data enters the channel for transmission; if it has none, an abnormal transmission is reported and the data is returned to the thread pool to be reallocated a connection pool address;
furthermore, when all data slices enter the thread pool, a connection pool address is automatically allocated, and an idle thread is searched in the thread pool to immediately start the data-bearing slice to enter a preparation state; when a new connection request appears in the connection pool, the address is refreshed, the data slice in the thread pool is transmitted immediately through address matching, and the thread in the thread pool is destroyed and the memory is recycled; the thread pool technology focuses on how to shorten and optimize the time for adjusting and establishing and destroying threads, and the thread establishing and destroying are arranged in the spare time period, so that more system resources are used for address matching tasks; when the task queuing speed in the thread pool exceeds the task processing speed of one thread, the thread pool activates a new dormant thread, and the performance of the system can be improved by using the thread pool; for the connection pool, when the last data slice is transmitted, a new address is generated, the address is consistent with the address allocated to the data slice, the connection pool is matched in a mode of traversing the addresses of the threads used in the thread pool, the data slice is guided from the thread pool to the connection pool to be transmitted, the data slice is deleted and the new address is allocated after the data slice is normally transmitted, if the data slice is transmitted abnormally, the channel is determined to be abnormal after a certain threshold value is exceeded, the connection is deleted, and the address is allocated to the new connection to be transmitted continuously;
Further, the method of anomaly verification using the Pauta criterion under a normal distribution in step S4 is as follows: the single transmission time limit T is cut into M parts, where M is the agreed number of detections and j is any element of the set;
time of data transmission into the channel: t_j ∈ {t_1, t_2, t_3 ... t_M}
time of data transmission out of the channel: t'_j ∈ {t'_1, t'_2, t'_3 ... t'_M}
time difference of the received data: Δt_j = t_j − t'_j, Δt_j ∈ {Δt_1, Δt_2, Δt_3 ... Δt_M}
t_j is the time the data enters the channel, t'_j is the time the data leaves the channel, and Δt_j is the time difference of the received data;
when the transmission channel is abnormal, the following relation holds:
(formula given only as an image in the source)
t̄ is the mean of t, and σ is the standard deviation (formula given only as an image in the source);
when there is an anomaly, the total length of the anomaly is recorded:
t_ζ = Σ t_abnormal
t_ζ is the total length of the abnormality, and t_abnormal is an abnormal time;
the anomaly detection index ζ_i is obtained:
(formula given only as an image in the source)
when the anomaly detection parameter is smaller than a certain threshold, breakpoint resumption is possible; when it is larger than the threshold, retransmission is required;
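To make the Pauta-criterion check concrete, here is an added Python example that is not part of the patent: it takes the M entry times t_j and exit times t'_j of one channel, forms Δt_j, flags the detections whose deviation from the mean exceeds 3σ, sums their durations into t_ζ and decides between breakpoint resumption and retransmission. The patent gives the anomaly relation and the index ζ_i only as images, so two points are assumptions of this example: t_ζ sums the Δt_j of the flagged detections, and the index is taken as ζ = t_ζ / T. The timings, T and the threshold are constructed.

```python
"""Pauta (3-sigma) criterion on per-slice channel timing.

Added example, not the patent's code. Assumptions: t_zeta sums the Delta t_j of the
flagged detections, and the anomaly index is zeta = t_zeta / T (the patent gives
these two formulas only as images).
"""
import statistics


def time_differences(t_in, t_out):
    """Delta t_j for each of the M detection points. The patent writes t_j - t'_j;
    the deviation test only needs the magnitude, so the absolute value is used."""
    if len(t_in) != len(t_out):
        raise ValueError("need one exit time per entry time")
    return [abs(a - b) for a, b in zip(t_in, t_out)]


def pauta_check(t_in, t_out, T, threshold):
    """Flag detections with |Delta t_j - mean| > 3 sigma, record t_zeta, and decide:
    'normal' (nothing flagged), 'resume' (zeta <= threshold) or 'retransmit'."""
    deltas = time_differences(t_in, t_out)
    mean = statistics.fmean(deltas)
    sigma = statistics.pstdev(deltas)          # population sigma over the M samples
    abnormal = [j for j, d in enumerate(deltas) if abs(d - mean) > 3 * sigma]
    t_zeta = sum(deltas[j] for j in abnormal)  # assumed: total abnormal length
    zeta = t_zeta / T                          # assumed: index relative to the time limit
    if not abnormal:
        action = "normal"
    elif zeta <= threshold:
        action = "resume"                      # breakpoint continuation is enough
    else:
        action = "retransmit"
    return {"mean": mean, "sigma": sigma, "abnormal_indices": abnormal,
            "t_zeta": t_zeta, "zeta": zeta, "action": action}


def sample_run(transit, T=12.0, threshold=0.3):
    """Constructed timings: slices enter the channel one per second and leave
    after `transit[j]` seconds; T and the threshold are constructed values."""
    t_in = [float(j) for j in range(len(transit))]
    t_out = [a + d for a, d in zip(t_in, transit)]
    return pauta_check(t_in, t_out, T, threshold)


# Constructed transit times (seconds) for M = 12 detections on two channels.
STALLED_CHANNEL = [1.0, 1.1, 0.9, 1.0, 1.2, 0.95, 1.05, 1.0, 1.1, 0.9, 1.0, 8.0]
HEALTHY_CHANNEL = [1.0, 1.1, 0.9, 1.0, 1.2, 0.95, 1.05, 1.0, 1.1, 0.9, 1.0, 1.05]

if __name__ == "__main__":
    for name, transit in (("stalled", STALLED_CHANNEL), ("healthy", HEALTHY_CHANNEL)):
        print(name, sample_run(transit))
```

One practical caveat: in a set of M samples a single detection can deviate from the mean by at most √(M−1) standard deviations, so with M of 10 or fewer the 3σ test can never flag a lone stalled slice. The patent does not fix M; whoever configures it should choose M large enough for the rule to be able to fire.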
Further, the overall reliability of the system = (formula given only as an image in the source); the overall anomaly detection index is obtained by continuously collecting channel parameters through the internal resource pool during transmission;
Further, the full-load rate τ of the channel during transmission is continuously counted;
Further, the integrity check uses CRC (cyclic redundancy check); once the data slices are confirmed complete, all slices are protocol-encapsulated, integrated and decompressed into the original data;
S5, after data transmission and data integrity verification are complete, the isolation gatekeeper joins the data in order according to the sequence codes of the data slices; once the integrated data packet is obtained, the transmission protocol is encapsulated again, the data is decompressed, and after encapsulation the internal resource pool is started and connected to the internal terminal;
S6, after the internal terminal has finished receiving the data, it stores a log of the transmission information generated during the transmission;
Further, in step S6 the log stored on the internal terminal client includes all UUIDs used by the data slices and the specific times of abnormal transmissions; the UUIDs are classified into a normal-transmission class and an abnormal-transmission class according to the anomaly index criterion, and the abnormal-transmission class carries the specific abnormal-transmission time attribute;
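Steps S3 to S6 fit together as follows; the Python below is an added example, not the patent's or the assignee's code. It frames each compressed slice with a header of UUID plus slice ordinal, appends a CRC32 as the tail sequence code, discards a slice whose check fails while recording its UUID, retransmits that slice under a new UUID, reassembles by ordinal and decompresses, and leaves a log with UUIDs split into normal-transmission and abnormal-transmission classes. The field layout (16-byte UUID, 4-byte ordinal, 4-byte CRC32) and the use of CRC32 as the carrying sequence code are assumptions; the payload and the damaged slice are constructed.

```python
"""Slice framing, CRC integrity check, ordered reassembly and UUID logging.

Added example, not the patent's code. Assumptions: the header is a 16-byte UUID
plus a 4-byte slice ordinal; the tail "carrying sequence code" is modelled as a
CRC32 over header and payload (the patent names CRC for the integrity check but
does not fix the field layout); the payload is LZMA-compressed as in step S1.
"""
import lzma
import struct
import uuid
import zlib

HEADER = struct.Struct(">16sI")   # slice UUID, slice ordinal
TRAILER = struct.Struct(">I")     # CRC32 carrying sequence code (assumed layout)


def split(payload: bytes, slice_size: int) -> list:
    """Steps S1/S2: compress, then cut the protocol-free stream into slices."""
    stream = lzma.compress(payload)
    return [stream[i:i + slice_size] for i in range(0, len(stream), slice_size)]


def frame(chunk: bytes, ordinal: int) -> bytes:
    """Step S3: fresh UUID + ordinal in front, CRC32 of header+chunk behind."""
    head = HEADER.pack(uuid.uuid4().bytes, ordinal)
    return head + chunk + TRAILER.pack(zlib.crc32(head + chunk))


def parse(framed: bytes):
    """Return (uuid_hex, ordinal, chunk, crc_ok) for one received slice."""
    head, body = framed[:HEADER.size], framed[HEADER.size:-TRAILER.size]
    (crc,) = TRAILER.unpack(framed[-TRAILER.size:])
    slice_id, ordinal = HEADER.unpack(head)
    return slice_id.hex(), ordinal, body, zlib.crc32(head + body) == crc


def receive(framed_slices, log):
    """Step S4: keep good chunks by ordinal, log every UUID as normal/abnormal,
    and return the ordinals that need retransmission."""
    good, bad = {}, set()
    for fr in framed_slices:
        sid, ordinal, body, ok = parse(fr)
        if ok:
            good[ordinal] = body
            log["normal"].append(sid)
        else:                     # discard the slice, record its UUID (step S3)
            bad.add(ordinal)
            log["abnormal"].append({"uuid": sid, "ordinal": ordinal})
    return good, bad


def reassemble(good: dict, count: int) -> bytes:
    """Step S5: order by ordinal, then decompress; refuse incomplete sets."""
    if set(good) != set(range(count)):
        raise ValueError("missing slices: %s" % sorted(set(range(count)) - set(good)))
    return lzma.decompress(b"".join(good[i] for i in range(count)))


def run_demo(payload: bytes = bytes(range(256)) * 20, slice_size: int = 64) -> dict:
    """Constructed scenario: one slice is damaged in transit and retransmitted
    under a new UUID; the old UUID stays in the abnormal-transmission log."""
    chunks = split(payload, slice_size)
    framed = [frame(c, i) for i, c in enumerate(chunks)]
    damaged = bytearray(framed[1])
    damaged[HEADER.size] ^= 0xFF          # flip the first payload byte of slice 1
    framed[1] = bytes(damaged)

    log = {"normal": [], "abnormal": []}
    good, bad = receive(framed, log)
    resent = [frame(chunks[o], o) for o in sorted(bad)]   # new UUID, same ordinal
    more, still_bad = receive(resent, log)
    good.update(more)
    data = reassemble(good, len(chunks))
    return {"slices": len(chunks), "retransmitted": sorted(bad),
            "still_bad": sorted(still_bad), "restored": data == payload, "log": log}


if __name__ == "__main__":
    result = run_demo()
    print(result["slices"], "slices; retransmitted", result["retransmitted"],
          "; restored:", result["restored"])
```

The CRC covers the header as well as the payload, so a corrupted ordinal is caught rather than silently placing a slice at the wrong position during reassembly; the ordinal, not the UUID, decides the position, which is why a retransmitted slice can carry a new UUID without disturbing the order.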
furthermore, the network isolation gatekeeper data exchange method provided by the invention realizes the remarkable improvement of data transmission efficiency and the comprehensive improvement of the integral support rate of the channel.
Further, an evaluation method of the network isolation gatekeeper data exchange method is as follows:
The factors considered by the dynamic feedback health index comprise the data quantity X(N), the total number of channels N, the single-channel slice transmission theoretical rate K(n), the channel calling weight μ, the single-channel full-load rate τ and the anomaly detection index ζ.
The transmission-rate deviation D(n) is the derivative of the unit transmission rate error. The dynamic feedback bearing index H(n) is expressed as:
(formula given only as an image in the source)
n is the channel sequence number;
(symbol given only as an image in the source) is the total amount of normal data transmitted dynamically by a single channel;
(symbol given only as an image in the source) is the actual transmission rate ratio per unit time;
the larger the value of the dynamic feedback bearing index H (n), the larger the normal data volume borne by the single channel for transmission, but the larger the load of the single channel;
The overall utilization quantization index is the sum of the dynamic feedback health indices:
(formula given only as an image in the source)
The larger the sum of the dynamic feedback health indices, the higher the data transmission capability of the whole isolation gatekeeper and the higher its efficiency;
According to the quantization rule of data transmission efficiency in this technical scheme, the quantization index is the dynamic feedback bearing index H(n), and the overall utilization quantization index is the sum of the dynamic feedback health indices.
Random data packets of 10-100K with different total data volumes were used in a multi-channel transmission test of gatekeeper groups with different channel numbers, shown in Table 1, against a single-channel control group, shown in Table 2:
TABLE 1 Multi-group gatekeeper transmission test with different channel numbers (table given only as an image in the source)
TABLE 2 Gatekeeper transmission detection test of the single-channel control group (table given only as an image in the source)
As can be seen from the comparison between table 1 and table 2, under the condition of the same data volume, the sum of the dynamic feedback health indexes of the system can be greatly improved by reasonably selecting the number of channels to participate in the dynamic ferry, that is, the transmission capability of the whole isolation gatekeeper system is improved, so as to solve the problem of long time consumption; under the condition that the data volume is increased, the number of the channels which are put into participation in ferrying is increased, so that the dynamic feedback bearing index and the abnormal detection index of the single channel can be effectively reduced, namely the load and the abnormal rate of the single channel are reduced, and the service life and the reliability of the isolation gatekeeper are improved.
The second embodiment is as follows:
A network isolation gatekeeper data exchange system comprises an external terminal 1, an external resource pool 2, an isolation gatekeeper 3, an internal resource pool 4 and an internal terminal 5;
the external terminal 1 is connected to the external resource pool 2, the external resource pool 2 to the isolation gatekeeper 3, the isolation gatekeeper 3 to the internal resource pool 4, and the internal resource pool 4 to the internal terminal 5;
the external resource pool 2 comprises a first connection pool 2-1, a first data pool 2-2 and a first thread pool 2-3;
the internal resource pool 4 comprises a second connection pool 4-1, a second data pool 4-2 and a second thread pool 4-3.
Further, the gatekeeper card of the isolation gatekeeper 3 comprises a PCI slave device module 3-1, a PCI master device module 3-2, an SDRAM controller 3-3, an SDRAM memory 3-4, an anomaly analysis module 3-5, a checker module 3-6 and an encoder module 3-7, wherein the PCI master device module 3-2 is respectively connected with the SDRAM controller 3-3 and the SDRAM memory 3-4, the SDRAM memory 3-4 is connected with the anomaly analysis module 3-5, the anomaly analysis module 3-5 is connected with the checker module 3-6, the checker module 3-6 is connected with the encoder module 3-7, the encoder module 3-7 is connected with the PCI slave device module 3-1, and the gatekeeper PCI card of the isolation gatekeeper 3 is connected with a PCI bus.
Furthermore, a resource pool is arranged at the position of the internal and external terminals, the original transmission and calculation pressure mainly concentrated on the network gate is dispersedly arranged on a plurality of internal terminals or a plurality of external terminals through the connection of the resource pool and a data buffer area of the isolation and exchange control unit, and the high concurrent connection and dynamic ferrying transmission algorithm support of the scattered data transmitted by the multiple network gates is completed in a resource pool sharing mode.
Furthermore, the resource pool is arranged in the resource pool before the calculation, processing, splitting and integration of the data, and the intervention of an isolation gateway processing unit is not needed, so that the TCP protocol transmission with higher data transmission reliability and higher data transmission freedom degree is still adopted in the resource pool. Therefore, in the configuration of the resource pool, the existing mature design of the data pool, the thread pool and the connection pool can be adopted to improve the number of concurrent connections and reduce the data receiving and sending delay in the resource pool.
Furthermore, the gatekeeper card of the isolation gatekeeper cluster uses the FPGA control chip, and based on the characteristics of programmability, logic blocks and connection variability of the FPGA control chip, the control unit of the isolation gatekeeper can be updated only by modifying and updating programs on a computer without additionally changing a circuit board, so that the deployment period of the isolation gatekeeper in different application scenes is shortened.
Furthermore, the network isolation gatekeeper data exchange system can support many-to-many and one-to-many data exchange, under the deployment of a resource pool, the processing operations of data splitting, merging, compressing, decompressing and the like are placed in an inner terminal machine and an outer terminal machine in front, the supportable maximum concurrent number of the data exchange system is defined by the inner terminal machine and the outer terminal machine, and the supportable maximum concurrent number of the data exchange system cannot exceed the total number of channels put into use in principle; and the core isolation processing unit of the isolation gatekeeper takes the FPGA as a core, logic circuits or hardware equipment do not need to be changed for different application scene requirements, and only the FPGA chip needs to be configured through software to achieve the target requirements, so that the compatibility and the support of the isolation gatekeeper are greatly improved, and the cost is reduced.
The third specific embodiment is as follows:
the application of the network isolation gatekeeper data exchange method according to the first embodiment is used in the field of network information security or data information security.
The technical key point of the invention is the targeted improvement of the data transmission mode of the existing isolation gatekeeper, and the invention realizes the efficient scheduling of a plurality of data channels of the gatekeeper cluster of different application objects and scenes. Through the proposed ferrying mode and the improved channel control algorithm, the specific function modules are configured at each end of the isolation gatekeeper framework based on dynamic ferrying so as to reduce the gatekeeper load rate and improve the transmission efficiency and reliability of the gatekeeper.
The protection point of the invention lies in the transmission algorithm and the resource pool allocation method. The resource pool allocation method comprises the steps of data preprocessing function setting of an internal terminal and an external terminal, protocol intercommunication method setting before and after transmission, data separation and integration function setting and the like, and the transmission algorithm comprises a transmission target selection algorithm, a resource pool address scheduling algorithm, a data transmission slicing algorithm, a data reliability verification algorithm and the like.
It is noted that relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
While the application has been described above with reference to specific embodiments, various modifications may be made and equivalents may be substituted for elements thereof without departing from the scope of the application. In particular, the various features of the embodiments disclosed herein may be used in any combination that is not inconsistent with the structure, and the failure to exhaustively describe such combinations in this specification is merely for brevity and resource conservation. Therefore, it is intended that the application not be limited to the particular embodiments disclosed, but that the application will include all embodiments falling within the scope of the appended claims.

Claims (10)

1. A network isolation gatekeeper data exchange method is characterized in that: the transmission algorithm of dynamic ferry is adopted, and the method comprises the following steps:
S1, data compression: the external terminal inputs data into the data pool of the external resource pool and compresses the data in the data pool;
S2, data slicing: judge whether the total data amount exceeds the slicing condition; if so, the isolation gatekeeper calls the channel number, strips the transmission protocol from the data and slices the data; if not, the data is corrected;
S3, dynamic adjustment of data transmission: add a fragment identification sequence code to the head of each data slice in the data pool and a carrying sequence code to its tail, detect the anomaly index using the Pauta criterion and decide on abnormal retransmission; if the slice is judged abnormal, return to the data compression step, otherwise transmit the data;
S4, data transmission: in the thread pool of the resource pool, the data slices carrying sequence codes are processed concurrently and passed in turn into the connection pool for multi-channel transmission; during multi-channel transmission the isolation gatekeeper performs an anomaly check, returning the slice to the connection pool if it is judged abnormal and completing the transmission if it is judged normal;
S5, after data transmission and data integrity verification are complete, the internal resource pool joins the data in order according to the sequence codes of the data slices, obtains the integrated data packet, encapsulates the transmission protocol again, decompresses the data, and after encapsulation starts the internal resource pool and connects it to the internal terminal;
and S6, after the internal terminal has finished receiving the data, it stores a log of the transmission information generated during the transmission.
2. The method according to claim 1, wherein the method comprises: in step S1, the compression algorithm used to compress the data is LZMA, and the isolation gatekeeper periodically scans the compressed data to obtain the data volume X to be transmitted.
3. The method of claim 2, wherein the method comprises: the method for judging the slicing conditions in the step S2 comprises the following steps: the data return value is boolean, slicing is performed when the returned slice determination value is 1, and slicing is not performed when the returned slice determination value is 0:
(formula given only as an image in the source)
K(n) is the theoretical rate of single-channel slice transmission, T is the single transmission time limit, and the total amount of files a single channel can transmit is K(n) × T.
4. The method of claim 3, wherein the method comprises: the data transmission protocol stripping mode in the step S2 is data packet decapsulation, and the method comprises the following steps:
S2.1, strip the IP protocol from the data, i.e. disconnect the network layer of the original TCP/IP OSI model and eliminate all IP-based attacks;
S2.2, strip the TCP and UDP protocols, i.e. disconnect the transport layer of the original TCP/IP OSI model and eliminate all TCP- and UDP-based attacks;
S2.3, strip the application protocol, i.e. disconnect the application layer of the original TCP/IP OSI model and eliminate all attacks by unsafe transmission applications;
S2.4, strip all control signals used to establish the communication link, i.e. disconnect the data link layer of the original TCP/IP OSI model and eliminate data link attacks from outside the original resource pool;
and S2.5, completely disconnect the physical layer; after the transmission protocol is stripped, the data is converted from a compressed data packet carrying a transmission protocol into a plain data stream.
5. The method as claimed in claim 4, wherein the method further comprises: calling channel number judgment in the step S2 comprises determining participation channel number judgment and judgment of data volume to be transmitted of each channel;
the number of channels is counted using the channel calling weight μ:
(formula given only as an image in the source)
i is the number of participating channels, N is the total number of channels, and μ is the weight;
the isolation gatekeeper makes use-specific calls among the idle usable channels by the following method:
(formula given only as an image in the source)
mod is the remainder operation;
setting P(k) to represent the time of the k-th slice transmission, and using the previous n transmissions, the data volume X(n) of the previous n actual single-channel slices is obtained from the formula:
(formula given only as an image in the source)
x(k) is the data volume of the k-th slice transmission, k is the k-th transmission, t is the single transmission time, n is the total number of transmissions, and X(n) is the data volume of the previous n actual single-channel slices;
obtaining the actual transmission total amount:
actual total transmission = N μ X(n)
setting the error correction value of the transmitted data amount to
(formula given only as an image in the source)
obtaining the data volume X to be transmitted:
(formula given only as an image in the source)
D(n) is the rate offset value, and T is the single transmission time limit.
6. The method of claim 5, wherein the method comprises: in step S3, the header fragment identification sequence code includes a section of non-repeatable UUID and a section of repeatable ordinal number of a specific fragment, and when transmission has an error, the data fragment is discarded and the UUID is recorded into the terminal log, and the retransmitted data fragment is assigned a new UUID.
7. The method of claim 6, wherein the method comprises: in step S4, data distribution is carried out by address, data anomaly verification uses the Pauta criterion under a normal distribution, and data integrity verification uses a cyclic redundancy check.
8. The method of claim 7, wherein the method comprises: in step S4, the method of anomaly verification using the Pauta criterion under a normal distribution comprises the following steps:
cutting the single transmission time limit T into M parts, where M is the agreed number of detections and j is any element of the set;
time of data transmission into the channel: t_j ∈ {t_1, t_2, t_3 ... t_M}
time of data transmission out of the channel: t'_j ∈ {t'_1, t'_2, t'_3 ... t'_M}
time difference of the received data: Δt_j = t_j − t'_j, Δt_j ∈ {Δt_1, Δt_2, Δt_3 ... Δt_M}
t_j is the time the data enters the channel, t'_j is the time the data leaves the channel, and Δt_j is the time difference of the received data;
when the transmission channel is abnormal, the following relation holds:
(formula given only as an image in the source)
t̄ is the mean of t, and σ is the standard deviation;
when there is an anomaly, the total length of the anomaly is recorded:
t_ζ = Σ t_abnormal
t_ζ is the total length of the abnormality, and t_abnormal is an abnormal time;
obtaining the anomaly detection index ζ_i:
(formula given only as an image in the source)
and when the anomaly detection parameter is smaller than a certain threshold, breakpoint resumption is possible; when it is larger than the threshold, retransmission is required.
9. The method of claim 8, wherein the method comprises: in step S6, the internal terminal stores a log including all UUIDs used by the data slices and the specific times of abnormal transmissions, wherein the UUIDs are divided into a normal-transmission class and an abnormal-transmission class according to the anomaly index criterion, and the abnormal-transmission class carries the specific abnormal-transmission time attribute.
10. Use of a method for network isolation gatekeeper data exchange according to one of claims 1 to 9, characterized in that: the method is used in the field of network information security or data information security.
CN202210838190.9A 2022-07-18 2022-07-18 Network isolation gatekeeper data exchange method and application thereof Active CN115022084B (en)


Publications (2)

Publication Number Publication Date
CN115022084A CN115022084A (en) 2022-09-06
CN115022084B true CN115022084B (en) 2022-11-25

Family

ID=83080460

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant