CN116527365A - System and method for realizing air traffic control heterogeneous data sharing - Google Patents


Info

Publication number
CN116527365A
Authority
CN
China
Legal status
Pending
Application number
CN202310513128.7A
Other languages
Chinese (zh)
Inventor
张毅
何泓霖
晏松
韩少聪
杨敬轩
陈宝刚
杨锐
Current Assignee
Air Traffic Administration Of China Civil Aviation Administration
Tsinghua University
Original Assignee
Air Traffic Administration Of China Civil Aviation Administration
Tsinghua University

Classifications

    • H04L63/045: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and the sending and receiving network entities apply hybrid encryption, i.e. a combination of symmetric and asymmetric encryption
    • H04L63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/126: Applying verification of the received information, in particular of the source of the received data
    • H04L9/40: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • Y02D30/50: Reducing energy consumption in communication networks, in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

Disclosed herein is a system and method for implementing air traffic control heterogeneous data sharing. The transmitting end of the system is configured to: sign the original data to obtain first data; symmetrically encrypt the first data and a first key, respectively, to obtain second data and a second key; encrypt the second key with a public key from the receiving end to obtain a third key; and transmit the second data and the third key to the receiving end. The receiving end of the system is configured to: store the generated public key and private key locally and send the public key to the transmitting end; decrypt the third key from the transmitting end with the local private key to obtain the second key; decrypt the second data from the transmitting end with the second key to obtain the first data; and verify the signature on the first data to obtain the original data. The original data includes air traffic control data. The embodiment of the invention carries out data transmission based on a hybrid encryption mechanism, thereby ensuring confidentiality of air traffic control data and verifiability of data sources.

Description

System and method for realizing air traffic control heterogeneous data sharing
Technical Field
The present disclosure relates to, but is not limited to, data security technologies, and in particular to a system and method for implementing heterogeneous data sharing in air traffic control.
Background
In the current information age, data has become an important social resource; at the same time, in order to promote the sustainable development of information systems and win-win cooperation among enterprises, data sharing among enterprises has gradually become an indispensable activity. China's data security laws state that China protects the rights and interests related to data, encourages the lawful, reasonable and effective use of data, ensures the orderly and free flow of data in accordance with the law, and promotes the development of a digital economy with data as a key element; risk monitoring should be strengthened when data processing activities are carried out, and remedial measures should be taken immediately when risks such as data security defects and vulnerabilities are found; when a data security incident occurs, disposal measures should be taken immediately, users should be informed in time, and the incident reported to the relevant authorities as prescribed.
In the face of this trend, the air traffic control system inevitably interacts with the outside world, and its data connection and data sharing requirements will continue to grow in the present and the foreseeable future. The information of the air traffic control system is sensitive and its data security level is relatively high, so a system for sharing this data must have extremely high security and must meet the requirements of cross-platform operation, scalability, traceability and clear responsibility, while the secure sharing of the data must not affect the normal operation of the existing system.
Based on the security characteristics of civil aviation air traffic control data, and considering the harm to national security, the public interest or the legitimate rights of individuals and organizations if air traffic control data were tampered with, destroyed, leaked, illegally acquired or illegally used, the problem to be solved is to construct a data security assurance system that, on the premise of meeting the requirements for air traffic control data connection and sharing, combines the requirements of national critical information infrastructure and network security classified protection with the overall construction plan of the civil aviation air traffic control data center and the goal of building a unified network security protection system, with reference to domestic and foreign methods for secure data sharing over networks.
Disclosure of Invention
The following is a summary of the subject matter described in detail herein. This summary is not intended to limit the scope of the claims.
Embodiments of the invention provide a system and method for implementing air traffic control heterogeneous data sharing, which can safeguard the transmission and application of air traffic control data.
An embodiment of the invention provides a system for implementing air traffic control heterogeneous data sharing, comprising a transmitting end and a receiving end; wherein:
the transmitting end is configured to: sign the shared original data to obtain first data; symmetrically encrypt the first data obtained by the signature processing and a first key, respectively, to obtain second data and a second key; encrypt the obtained second key with a public key from the receiving end to obtain a third key; and transmit the obtained second data and third key to the receiving end;
the receiving end is configured to: store the generated public key and private key locally and transmit the generated public key to the transmitting end; decrypt the third key from the transmitting end with the locally stored private key to obtain the second key; decrypt the second data from the transmitting end with the second key obtained by decryption to obtain the first data; and verify the signature on the first data obtained by decryption to obtain the original data;
wherein the original data includes air traffic control data.
In another aspect, an embodiment of the invention also provides a method for implementing air traffic control heterogeneous data sharing, comprising the following steps:
a transmitting end signs the shared original data to obtain first data;
symmetrically encrypts the first data obtained by the signature processing and a first key, respectively, to obtain second data and a second key;
receives a public key from a receiving end and encrypts the second key with the received public key to obtain a third key;
and transmits the second data and the third key to the receiving end;
wherein the original data includes air traffic control data.
In still another aspect, an embodiment of the present invention further provides a computer storage medium storing a computer program which, when executed by a processor, implements the method for implementing air traffic control heterogeneous data sharing described above.
In yet another aspect, an embodiment of the present invention further provides a terminal, including a memory and a processor, the memory storing a computer program; wherein:
the processor is configured to execute the computer program in the memory;
the computer program, when executed by the processor, implements a method for implementing air traffic control heterogeneous data sharing as described above.
In yet another aspect, an embodiment of the present invention further provides a method for implementing air traffic control heterogeneous data sharing, including:
the receiving end generates a public/private key pair, stores the private key locally and sends the public key to the transmitting end;
the receiving end receives the third key and decrypts it with the locally stored private key to obtain the second key;
decrypts the received second data with the second key obtained by decryption to obtain the first data;
verifies the signature on the first data obtained by decryption to obtain the original data;
wherein the original data includes air traffic control data.
In still another aspect, an embodiment of the present invention further provides a computer storage medium storing a computer program which, when executed by a processor, implements the method for implementing air traffic control heterogeneous data sharing described above.
In yet another aspect, an embodiment of the present invention further provides a terminal, including a memory and a processor, the memory storing a computer program; wherein:
the processor is configured to execute the computer program in the memory;
the computer program, when executed by the processor, implements a method for implementing air traffic control heterogeneous data sharing as described above.
The system in the technical scheme of the application comprises a transmitting end and a receiving end; wherein the transmitting end is configured to: sign the shared original data to obtain first data; symmetrically encrypt the first data obtained by the signature processing and a first key, respectively, to obtain second data and a second key; encrypt the obtained second key with a public key from the receiving end to obtain a third key; and transmit the obtained second data and third key to the receiving end; the receiving end is configured to: store the generated public key and private key locally and transmit the generated public key to the transmitting end; decrypt the third key from the transmitting end with the locally stored private key to obtain the second key; decrypt the second data from the transmitting end with the second key obtained by decryption to obtain the first data; and verify the signature on the first data obtained by decryption to obtain the original data; wherein the original data includes air traffic control data. The embodiment of the invention carries out data transmission based on a hybrid encryption mechanism, thereby ensuring confidentiality of air traffic control data and verifiability of data sources.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate and do not limit the invention.
FIG. 1 is a block diagram of a system for sharing air traffic control heterogeneous data according to an embodiment of the present invention
FIG. 2 is a flowchart of a method for implementing air traffic control heterogeneous data sharing according to an embodiment of the present invention;
FIG. 3 is a flow chart of another method for implementing air traffic control heterogeneous data sharing according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a system for implementing air traffic control heterogeneous data sharing using an example of the present invention;
fig. 5 is a schematic diagram of a data transmission network based on a hybrid encryption mechanism as an application example of the present invention;
fig. 6 is a flowchart of the abnormal behavior processing by the present application example.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail hereinafter with reference to the accompanying drawings. It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be arbitrarily combined with each other.
The steps illustrated in the flowchart of the figures may be performed in a computer system, such as a set of computer-executable instructions. Also, while a logical order is depicted in the flowchart, in some cases, the steps depicted or described may be performed in a different order than presented herein.
Fig. 1 is a block diagram of a system for implementing air traffic control heterogeneous data sharing according to an embodiment of the present invention. As shown in fig. 1, the system includes a transmitting end and a receiving end; wherein:
the transmitting end is configured to: sign the shared original data to obtain first data; symmetrically encrypt the first data obtained by the signature processing and a first key, respectively, to obtain second data and a second key; encrypt the obtained second key with a public key from the receiving end to obtain a third key; and transmit the obtained second data and third key to the receiving end;
the receiving end is configured to: store the generated public key and private key locally and transmit the generated public key to the transmitting end; decrypt the third key from the transmitting end with the locally stored private key to obtain the second key; decrypt the second data from the transmitting end with the second key obtained by decryption to obtain the first data; and verify the signature on the first data obtained by decryption to obtain the original data;
wherein the original data includes air traffic control data.
The embodiment of the invention carries out data transmission processing based on a hybrid encryption mechanism, thereby ensuring confidentiality of air traffic control data and verifiability of data sources.
In one illustrative example of an embodiment of the present invention, the transmitting end is further configured to: before the signature processing of the shared original data, process the original data with a preset hash encryption algorithm to obtain a first hash value, and send the first hash value to the receiving end; and the receiving end is further configured to: after obtaining the original data, process the obtained original data with the same hash encryption algorithm to obtain a second hash value, and determine whether the data received from the transmitting end is complete by comparing the first hash value with the second hash value.
Through the processing, the embodiment of the invention realizes the integrity verification of the transmitted data and ensures the safety of the data transmission.
In an exemplary embodiment, the system of the embodiment of the present invention further comprises a verification storage unit configured to:
judge whether the data format of received third data to be stored conforms to a preset standard format;
write third data conforming to the standard format into a preset database;
and refuse to write third data that does not conform to the standard format.
In an exemplary embodiment, the system of the embodiment of the present invention further includes a rights management unit configured to:
storing information for determining an identity attribute of the user's access rights to the third data;
and when an access request of the user is received, providing corresponding access rights of third data for the user according to the stored information of the identity attribute.
In an exemplary embodiment, the system of the embodiment of the present invention further includes an exception handling unit configured to:
determining whether the access operation of the user is abnormal according to the access operation information of the user;
when the access operation of the user is abnormal, executing abnormal operation processing on the access of the user;
wherein, the abnormal operation processing includes: access alarms and/or interrupt connection processing.
In an exemplary embodiment, the exception handling unit of the present invention is configured to determine whether a user access operation is abnormal according to access operation information of a user, and includes:
detecting the access operation information with an isolation forest model to determine whether the access operation of the user is abnormal.
In an exemplary embodiment, the verification storage unit, the rights management unit and the exception handling unit may be constituent units of a server for storing and managing air traffic control data, and may be designed and implemented by a person skilled in the art with reference to the working principle of the system.
Fig. 2 is a flowchart of a method for implementing air traffic control heterogeneous data sharing according to an embodiment of the present invention, as shown in fig. 2, including:
step 201, a sending end performs signature processing on shared original data to obtain first data;
step 202, symmetrically encrypting first data and a first secret key obtained by signature processing respectively to obtain second data and a second secret key;
step 203, receiving the public key from the receiving end, and encrypting the second key through the received public key to obtain a third key;
step 204, the second data and the third secret key are sent to a receiving end;
wherein the original data includes air traffic control data.
The embodiment of the invention also provides a computer storage medium in which a computer program is stored; when the computer program is executed by a processor, the method for implementing air traffic control heterogeneous data sharing described above is carried out.
The embodiment of the invention also provides a terminal, comprising a memory and a processor, the memory storing a computer program; wherein:
the processor is configured to execute the computer program in the memory;
the computer program, when executed by the processor, implements the above-described method for implementing air traffic control heterogeneous data sharing.
Fig. 3 is a flowchart of another method for implementing air traffic control heterogeneous data sharing according to an embodiment of the present invention; as shown in fig. 3, it includes:
step 301, a receiving end generates a pair of public key and private key, and stores the private key locally, and sends the public key to a sending end;
step 302, the receiving end receives the third secret key, and decrypts the third secret key through the locally stored private key to obtain the second secret key;
step 303, decrypting the received second data by using the second key obtained by decryption to obtain the first data;
step 304, performing signature checking on the first data obtained by decryption to obtain original data;
wherein the original data includes air traffic control data.
The embodiment of the invention also provides a computer storage medium in which a computer program is stored; when the computer program is executed by a processor, the method for implementing air traffic control heterogeneous data sharing described above is carried out.
The embodiment of the invention also provides a terminal, comprising a memory and a processor, the memory storing a computer program; wherein:
the processor is configured to execute the computer program in the memory;
the computer program, when executed by the processor, implements the above-described method for implementing air traffic control heterogeneous data sharing.
The following briefly describes embodiments of the present invention by way of application examples, which are merely provided to illustrate embodiments of the present invention and are not intended to limit the scope of the present invention.
Application example
Fig. 4 is a schematic diagram of a system for implementing air traffic control heterogeneous data sharing according to an application example of the present invention. As shown in fig. 4, data processing in this application example involves three parts, a data provider, a data user and an information sharing environment, and includes data interactions on both the data plane and the control plane.
In the data plane, the application example organizes the data (the data stored in the information sharing environment, including the third data of the embodiment of the present invention) according to a preset format; sets corresponding access rights for different types of data according to preset authorities; and, when an access request from a user is received, outputs the corresponding data to the user according to the user's access rights. In one illustrative example, on the data plane a data provider needs to package the shared data into the preset format before delivering it to the sharing environment. The data delivered to the sharing environment is marked with the attribute information of the access rights, that is, the identity attributes required of the parties with which each piece of data is shared. The sharing environment provides an information receiving service that receives data transmitted by a data provider and stores it in a database; at the same time, it provides a data reading service to users that receives a read request from a user, judges the user's access rights to the data according to the user's identity attributes, and sends the data to the user according to the result of that judgment. Based on access-rights management, the application example can implement retrieval of information in various forms: it receives the read request of a data user, retrieves and reads the data, and feeds the data back to the user.
In the control plane, the application example pre-stores information on the identity attributes of different users, where the identity attribute information can be used to determine the users' access rights to data; determines a user's access rights to data according to the stored identity attribute information; grants the user the corresponding access rights to the data according to the determined access rights; and further, determines from the captured access operation information of the user whether the access operation is abnormal and, when it is, raises an access alarm and/or interrupts the connection for that user. In an exemplary embodiment, before opening the data receiving service to an information provider, the sharing environment needs to collect information from multiple angles, verify the identity of the information provider, and decide according to a certain policy whether to authorize the connection for the corresponding data communication; after the data connection is established, the sharing environment needs to continuously track and evaluate the communication behavior and judge whether the user's operations conform to the behavior rules, and once an access operation is abnormal the corresponding abnormal operation processing must be applied. Likewise, for a user of the data, the sharing environment needs to verify the user's identity before opening the data reading service, and continuously analyze the access operation information during the data reading process to decide whether to interrupt the service, so as to protect the data from being illegally acquired.
Based on the security characteristics of civil aviation air traffic control data, and considering the harm to national security, the public interest or the legitimate rights of individuals and organizations if the data were tampered with, destroyed, leaked, illegally acquired or illegally used, the application example constructs a secure data access processing method on the premise of meeting the requirements for air traffic control data connection and sharing. For the air traffic control service system, security assurance mechanisms are designed separately for each part of data transmission and access, and the input/output connection mode of the system is established, so that the system is systematic, complete and secure.
In one illustrative example, the present application example process includes: executing the processing of whether the data is written into the database according to the judgment of whether the received data accords with the standard format; the application example presets the standard format of the data received by the system, performs format verification on the received data according to the standard format after the data is received, writes the data passing the format verification into the database, and refuses the request of writing the data failing the format verification into the database.
In an exemplary embodiment, the present application provides an encryption channel for end-to-end secure transmission, and adopts a one-time pad and digital signature mechanism, so that even if the data is intercepted by a third party in the data transmission process, the data cannot be stolen, tampered and forged, thereby ensuring confidentiality, integrity and non-repudiation of the data.
Fig. 5 is a schematic diagram of a data transmission network based on a hybrid encryption mechanism according to an application example of the present invention. As shown in fig. 5, in the data transmission process an asymmetric encryption key pair needs to be agreed between the transmitting end and the receiving end: the receiving end generates a public/private key pair, discloses the public key to the transmitting end, and is responsible for keeping the private key.
In the data sharing process, the transmitting end first signs the data, then symmetrically encrypts the signed data and a key respectively, and transmits the symmetrically encrypted data to the receiving end; at the same time, the key used for the symmetric encryption is encrypted with the public key from the receiving end and then sent to the receiving end.
After receiving the encrypted symmetric key, the receiving end decrypts it with the pre-stored private key corresponding to the public key to obtain the symmetric encryption key; decrypts the received encrypted data with the symmetric encryption key obtained by decryption; and verifies the signature on the decrypted data to obtain the original data.
The embodiment of the invention carries out data transmission based on the hybrid encryption mechanism, thereby ensuring confidentiality of the data and verifiability of the data source.
In an illustrative example, the method of the present application example further comprises: before transmitting data, the transmitting end processes the data to be transmitted with a preset hash algorithm to obtain a first hash value;
the receiving end processes the received data with the same hash algorithm to obtain a second hash value;
and by comparing the first hash value with the second hash value it is determined whether the transmitted data is complete.
In one illustrative example, the hash algorithm in this application example includes the SM3 hash algorithm.
In an illustrative example, the method of the present application example further comprises: verifying the user identity against pre-stored user information, and granting logged-in users preset access rights according to the user information preset for one or more different users; in one illustrative example, the present application example grants a logged-in user a preset access right based on one or more of the following items of user information: user account, device model, device configuration, software version, operating system, and the like. The application example can receive external multi-source user information and perform access control by combining it with the identity verification result, while tracking and monitoring authorized data access behaviour.
In one illustrative example, the present application example establishes a session with a service for a user having access rights by generating an authentication token or credential for that particular session. The session is allowed to start if it is authorized and the request passes authentication; if the session is rejected, the connection is cut off by a preset signal.
In an illustrative example, the method of the present application example further comprises: performing abnormal behaviour analysis on the traffic of an established communication connection and feeding the analysis results back to the policy engine. Through abnormal behaviour analysis the application example can stop some abnormal data access behaviours that imitate a legitimate user identity, such as large-volume access to sensitive data outside working hours. In an exemplary embodiment, the present application may collect a user's uplink and downlink traffic at a preset period and analyse the collected traffic with an anomaly detection method from the related art, thereby detecting anomalies.
In an exemplary embodiment, the present application example examines all users participating in data sharing at the current moment with an isolation forest model and determines whether their behaviour is abnormal; in one illustrative example, analysing a user's abnormal behaviour with an isolation forest model includes: monitoring the user's behaviour in real time from login onwards and judging whether it is abnormal, where the anomaly types include, but are not limited to, context anomalies. When the user's anomaly score accumulated since login reaches a preset threshold, the user's behaviour is judged abnormal; at that point the identity of the current user can be regarded as untrusted, and the connection through which the user accesses data can be interrupted.
In one illustrative example, the input of the isolation forest model of the present application example is the traffic of all users at a fixed moment; in an exemplary embodiment, the application selects feature items according to the basic characteristics of the data sharing process and factors such as identification efficiency and accuracy, for example: the user's login time, the user's uplink and downlink traffic in the period between the previous detection time and the current detection time, and the user's total uplink and downlink traffic since login. In one illustrative example, the output of the isolation forest model is an anomaly score for each user at the fixed moment, with a value between 0 and 1: if the anomaly score is larger than a preset threshold (for example, larger than 0.9), the corresponding user is considered to behave abnormally at the current time; if the anomaly score is close to 0.5, the user is considered free of anomalies. When each user logs in, an accumulated anomaly score S is initialised to 0; at each moment the anomaly score is determined with the isolation forest model, and if it exceeds a threshold d, the accumulated score S is increased by d; when S exceeds a threshold K, a blocking measure is taken. Here d and K are parameters set empirically by those skilled in the art based on the characteristics of historical data.
In an illustrative example, the method of the present application example further includes recording one or any combination of the following: commands executed by the host, the data transmitted, the addresses of both communicating parties, the communication ports, and the like. In an exemplary embodiment, the present application example stores the information and/or log information recorded by the above method with reference to the related art, so as to prevent the records from being arbitrarily deleted.
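The cumulative-score policy just described, as an added example in Go (not code from the patent): S starts at 0 on login, each detection tick whose anomaly score exceeds d adds d to S, and S above K cuts the user's connection, with the per-user feature items the text lists (login time, traffic since the previous tick, traffic since login) maintained across ticks. The isolation forest itself is related art on the page and is not implemented here; any scorer that maps logged-in users to scores in (0,1) plugs in through the Scorer type, and the type and function names are mine.

```go
package main

import "sort"

// Features per user at a tick, as the text lists: login hour, bytes up+down since the previous tick, bytes up+down since login.
type Features struct{ LoginHour, TickBytes, TotalBytes float64 }

// Scorer returns each logged-in user's anomaly score in (0,1) for this tick; a trained isolation forest plugs in here.
type Scorer func(map[string]Features) map[string]float64

// Session is one user's state since login: cumulative anomaly score S and current features F.
type Session struct {
	S float64
	F Features
}

// Monitor implements the policy: S = 0 on login, each tick with score > D adds D to S, and S > K cuts the connection.
type Monitor struct {
	D, K     float64
	Score    Scorer
	Sessions map[string]*Session
}

func NewMonitor(d, k float64, s Scorer) *Monitor {
	return &Monitor{D: d, K: k, Score: s, Sessions: map[string]*Session{}}
}

// Login starts a session with S = 0 and records the login hour.
func (m *Monitor) Login(user string, hour float64) {
	m.Sessions[user] = &Session{F: Features{LoginHour: hour}}
}

// Tick ingests this period's byte counts, scores all logged-in users and returns, sorted, the users it cuts off.
func (m *Monitor) Tick(bytes map[string]float64) []string {
	feats := map[string]Features{}
	for u, x := range m.Sessions {
		x.F.TickBytes = bytes[u]
		x.F.TotalBytes += bytes[u]
		feats[u] = x.F
	}
	scores := m.Score(feats)
	var blocked []string
	for u, x := range m.Sessions {
		if scores[u] > m.D { // one anomalous tick is evidence, not yet a verdict
			x.S += m.D
		}
		if x.S > m.K {
			blocked = append(blocked, u)
			delete(m.Sessions, u)
		}
	}
	sort.Strings(blocked)
	return blocked
}
```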
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, functional modules/units in the apparatus, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed cooperatively by several physical components. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. Furthermore, as is well known to those of ordinary skill in the art, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.

Claims (10)

1. A system for implementing air traffic control heterogeneous data sharing, comprising: a transmitting end and a receiving end; wherein
the transmitting end is configured to: carry out signature processing on the shared original data to obtain first data; symmetrically encrypt the first data and the first secret key obtained by the signature processing respectively to obtain second data and a second secret key; encrypt the obtained second key with a public key from the receiving end to obtain a third key; and transmit the obtained second data and third key to the receiving end;
the receiving end is configured to: generate a public key and a private key, store the private key locally and transmit the public key to the transmitting end; decrypt the third key from the transmitting end with the locally stored private key to obtain the second key; decrypt the second data from the transmitting end with the second key obtained by decryption to obtain the first data; and verify the signature on the first data obtained by decryption to obtain the original data;
wherein the original data includes: air traffic control data.
2. The system according to claim 1, wherein:
the transmitting end is further configured to: before carrying out signature processing on the shared original data, process the original data with a preset hash algorithm to obtain a first hash value, and send the first hash value to the receiving end;
the receiving end is further configured to: after obtaining the original data, process the original data with the same hash algorithm to obtain a second hash value; and determine whether the data received from the transmitting end is complete by comparing the first hash value with the second hash value.
3. The system of claim 1, further comprising a verification storage unit configured to:
judging whether the data format of the received third data to be stored accords with a preset standard format or not;
writing third data conforming to the standard format into a preset database;
and performing a process of refusing to write the third data which does not conform to the standard format into the database.
4. A system according to claim 3, characterized in that the system further comprises a rights management unit arranged to:
storing information of identity attribute for determining access right of a user to the third data;
and when an access request of the user is received, providing corresponding access rights of the third data for the user according to the stored information of the identity attribute.
5. The system of claim 4, further comprising an exception handling unit configured to:
determining whether the access operation of the user is abnormal according to the access operation information of the user;
when the access operation of the user is abnormal, executing abnormal operation processing on the access of the user;
wherein the abnormal operation processing includes: access alarms and/or interrupt connection processing.
6. The system of claim 5, wherein the exception handling unit is configured to determine whether a user access operation is abnormal based on user access operation information, comprising:
and detecting the access operation information by adopting an isolated forest model to determine whether the access operation of the user is abnormal.
7. A method for realizing air traffic control heterogeneous data sharing, comprising the following steps:
a transmitting end carries out signature processing on shared original data to obtain first data;
symmetrically encrypting the first data and the first secret key obtained by the signature processing respectively to obtain second data and a second secret key;
receiving a public key from a receiving end, and encrypting the second key with the received public key to obtain a third key;
transmitting the second data and the third key to the receiving end;
wherein the original data includes: air traffic control data.
8. A method for realizing air traffic control heterogeneous data sharing, comprising the following steps:
a receiving end generates a public key and a private key, stores the private key locally and sends the public key to a transmitting end;
the receiving end receives a third secret key and decrypts the third key with the locally stored private key to obtain a second key;
decrypting the received second data with the second key obtained by decryption to obtain first data;
verifying the signature on the first data obtained by decryption to obtain original data;
wherein the original data includes: air traffic control data.
9. A computer storage medium having stored therein a computer program which, when executed by a processor, implements the method for realizing air traffic control heterogeneous data sharing according to claim 7 or 8.
10. A terminal, comprising: a memory and a processor, the memory storing a computer program; wherein
the processor is configured to execute the computer program in the memory;
the computer program, when executed by the processor, implements the method for realizing air traffic control heterogeneous data sharing according to claim 7 or 8.
CN202310513128.7A 2023-05-08 2023-05-08 System and method for realizing air traffic control heterogeneous data sharing Pending CN116527365A (en)

Publications (1)

Publication Number Publication Date
CN116527365A true CN116527365A (en) 2023-08-01


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination