CN105491023B - Data isolation exchange and safety filtering method for power Internet of things - Google Patents

Abstract

The invention provides a data isolation exchange and safety filtering method for an electric power Internet of things, which comprises the following steps: (1) constructing an isolation architecture based on a front proxy and a proprietary protocol; (2) extracting feature vectors in a preposed agent part; (3) performing label encapsulation on the preposed agent part, and performing label analysis on an isolation service side; (4) realizing label filtering at an isolation service side; (5) and performing content filtering on the isolation service side by combining the feature vector and the label filtering. The invention realizes perfect protocol isolation by introducing the preposed agent and the private application layer protocol, and greatly improves the isolation strength.

Description

Data isolation exchange and safety filtering method for power Internet of things

Technical Field

The invention relates to a safety isolation exchange method, in particular to a data isolation exchange and safety filtering method for an electric power Internet of things.

Background

The basic principle of the security isolation and information exchange technology is that two or more networks are enabled to perform secure data transmission and resource sharing between the networks under the condition of non-communication through a special hardware-isolation device. The specific method is that the isolator cuts off the TCP/IP connection between networks, decomposes or recombines TCP/IP data packets, carries out security examination, and then establishes effective connection with the host on the other side and sends out the data.

Under the development background of an intelligent power grid, a large number of intelligent terminals, intelligent disconnecting links, operation terminals and various power business systems exist in the power internet of things environment, and the terminals and the systems need to perform frequent data interaction with a power information network. Because the electric power information network belongs to a secret-related network, the terminal and the system are accessed through a mobile APN network or the Internet, and the interaction of the terminal and the system has obvious safety risk for the electric power information network, an isolation protection measure must be taken. However, the existing security isolation and information exchange technology has obvious defects, and the isolation and exchange requirements of the power internet of things are difficult to meet, and the specific expression is as follows:

1. insufficient isolation strength

The isolation and exchange are a pair of contradictions, and the traditional safety isolation and information exchange technology is based on the decomposition and recombination of TCP/IP data packets, and has obvious defects on solving the contradiction problem of the isolation and exchange. Most specific data exchange needs to be carried by a specific application protocol, and once the consideration of the application layer protocol is added into a security isolation and information exchange model, it is found that the security risk introduced by the application layer protocol cannot be completely eliminated by TCP/IP message recombination. Supposing that a non-secret-involved network performs data exchange with an Oracle database in a secret-involved network through a security isolation and information exchange system, at the moment, the non-secret-involved network and the secret-involved network need to communicate based on a TNS protocol, and a TCP/IP message needs to be restored to a TNS protocol message format after passing through a hardware exchange matrix, so that an attacker of the non-secret-involved network can actually and completely attack the secret-involved network database through an open TNS protocol message. The defense of traditional security isolation and information exchange techniques against such attacks is to enhance the application-level filtering capabilities as much as possible, but this has obviously degraded to the level of application-level firewalls.

2. The filtration depth and efficiency are contradictory

In the traditional security isolation and information exchange technology system, security filtering is an important ring. Many related products claim to have filtering capabilities at the content level. However, content filtering algorithms cannot be without a performance penalty, and the deeper the depth of content filtering, the more severe the delay and throughput degradation it causes. Conventional security isolation and information exchange technology architectures attempt to accomplish deep filtering on isolated devices, which is likely not feasible in an industrial environment. For example, the number of terminals involved in the power internet of things environment is hundreds of millions, the data exchange flow is huge, strict requirements are also imposed on data exchange delay, the traditional safety isolation and information exchange technical system can only deal with the problem by closing the filtering function or reducing the filtering depth, and the contradiction between the filtering depth and the filtering efficiency is obviously overcome.

Disclosure of Invention

In order to overcome the defects of the prior art, the invention provides a data isolation exchange and safety filtering method for the power internet of things.

In order to achieve the purpose of the invention, the invention adopts the following technical scheme:

a data isolation exchange and safety filtering method facing to an electric power Internet of things comprises the following steps:

(1) constructing an isolation architecture based on a front proxy and a proprietary protocol;

(2) extracting feature vectors in a preposed agent part;

(3) performing label encapsulation on the preposed agent part, and performing label analysis on an isolation service side;

(4) realizing label filtering at an isolation service side;

(5) and performing content filtering on the isolation service side by combining the feature vector and the label filtering.

Preferably, in the step (1), the isolation framework includes an application layer exchange protocol proprietary to the TCP/IP protocol, a dedicated security isolation device, and a pre-proxy, and is configured to map a user interaction process to the application layer exchange protocol packet, so as to implement data exchange.

Preferably, the step (2) includes the following steps:

step 2-1, for message content T_iCarrying out pretreatment;

step 2-2, for the message content T_iCarrying out feature extraction;

step 2-3, generating a message characteristic vector V' and a characteristic vector V of a sensitive library in an isolation service side;

and 2-4, storing the extracted feature vector into a label field of the message.

Preferably, in the step 2-1, the preprocessing includes performing word segmentation analysis on the text file through an ICTCLAS word segmentation interface, and the message content T is_iAfter word segmentation, the expression is as follows:

T_i＝((a_i1,l_i1,p_i1),(a_i2,l_i2,p_i2),......,(a_in,l_in,p_in))

in the formula: t is_iRepresenting messages i, a_inDenotes a divided phrase, l_inIndicates the length of the phrase, p_inAnd expressing the part of speech of the divided phrase.

Preferably, the step 2-2 includes the following steps:

step 2-2-1, for the message content T_iSelecting part of speech, extracting noun word groups in the analyzed text word groups, deleting other parts of speech, and the message content T_iAfter part of speech selection, the expression is as follows:

in the formula: ta_iIn order to extract the text following the noun,

for the sake of a noun, the term,

is the length of the noun phrase;

step 2-2-2, counting the occurrence frequency of the keywords to form word segmentation triplets comprising the word groups, the occurrence frequency and the part of speech of the word groups in the text, and converting Ta_iAdding a word frequency item, wherein the expression is as follows:

in the formula: tb_iTo count the text after the word frequency,

for the word group after the word frequency is counted,

for counting the length of the word group after the word frequency,

is composed of

The word frequency of;

step 2-2-3, calculating the length of each keyword and deleting the keywords of a single word, wherein the expression is as follows:

in the formula: tc_iFor deleting a keyword as text after a single word, wherein

Is a phrase with the length larger than one character,

is composed of

Word frequency;

step 2-2-4, eliminating phrases with keywords appearing once, and obtaining a final expression as follows:

wherein: td_iTo cull text after a keyword has appeared once,

in order to remove the phrase after the keyword appears once,

is composed of

Word frequency of wherein

Preferably, the step 2-3 includes the following steps:

step 2-3-1, calculating the weight of the phrase based on a TF-IDF formula, wherein the formula is as follows:

d_ij＝t_ij*log(N/n_j)

wherein d is_ijIs the phrase a_ijIn the text T_iIs equal to Td_iIn (1)

N is the total number of documents, N_jFor document librariesIn which the phrase a is included_ijThe number of documents of (2);

step 2-3-2, the feature vector composed of the sensitive library data is expressed as:

V＝((a₁₁,d₁₁),(a₁₂,d₁₂),......,(a_1m,d_1m),......,(a_n1,d_n1),(a_n1,d_n1),......,(a_nm,d_nm))

for brevity, this is:

V＝(d₁₁,d₁₂,......,d_1m,......,d_n1,d_n2,......,d_nm)

step 2-3-3, according to step 2-3-2, the characteristic vector of the obtained message is simplified as:

V′＝(d′₁₁,d′₁₂,......,d′_1m,......,d′_n1,d′_n2,......,d′_nm)。

preferably, in the step (3), the tag includes user information U (k, V), data attribute information Ad (k, V), a feature vector V', a generation time T, and encryption flag Fe information, and the expression is:

Label＝(U(k,v),Ad(k,v),V’,T,Fe)

the label encapsulation of the front proxy part comprises the following steps:

step 3-1-1, arranging user information U, data attribute information Ad (k, V), feature vectors V' and generation time T in sequence, and dividing the sequence into N blocks;

3-1-2, randomly selecting N1 blocks from the N blocks, setting an encryption identifier, and encrypting data to obtain EN 1;

3-1-3, recording a random selection process R, setting an encryption identifier by taking R as a block, and encrypting R to obtain ER;

3-1-4, setting no encryption identifier for the rest N2(N-N1) blocks;

3-1-5, calculating the length of the EN1 and the length of the ER, and connecting the EN1 length, the EN1, the ER length, the ER and the N2 to obtain label-encapsulated private protocol data E;

the label analysis on the isolation service side comprises the following steps:

step 3-2-1, obtaining the private protocol data E;

3-2-2, extracting the EN1 length, extracting EN1 through the EN1 length, and decrypting EN1 to obtain N1;

3-2-3, extracting the ER length, extracting the ER through the ER length, and decrypting the ER to obtain R;

step 3-2-4, extracting the subsequent data N2;

step 3-2-5, restore N1 and N2 to U (k, V), Ad (k, V), V' and T by random selection procedure R.

Preferably, in the step (4), the tag filtering is to filter the data according to the data attribute provided by the client through a policy rule; the strategy rule is composed of a left bracket [, a keyword begin, an expression exp, a keyword end and a right bracket ]; the expression is composed of basic terms and composition terms, wherein the basic terms comprise variables var, numerical values and character strings, and the composition terms are complex expressions which are connected through unary and binary operational characters by the variables, the numerical values and the character strings.

Preferably, the label filtering comprises the following steps:

step 4-1, extracting the user information U (k, v) and the data attribute information Ad (k, v) and assigning new attribute information Ad' (k, v) again;

step 4-2, extracting strategy rules from a strategy library;

4-3, traversing the strategy rule expression exp, and extracting a variable var in the expression;

step 4-4, extracting a value v corresponding to the var from the Ad' (k, v) by taking the var as a key;

step 4-5, replacing var in the strategy rule by v, and calculating an expression;

and 4-6, judging whether the data is filtered or not according to the calculation result, and recording the log.

Preferably, the step (5) includes the steps of:

step 5-1, the feature vector V' and the feature vector V of the sensitive library in the isolation service side are subjected to cosine calculation to obtain a cosine similarity value, and the cosine similarity calculation formula is as follows:

wherein V 'and V are two eigenvectors, and V' and V are standard vector dot products defined as

t is the dimension of the vector, and the norm V' in the denominator is defined as

Norm V in denominator is defined as

And 5-2, comparing the cosine similarity value with a predefined similarity threshold value, analyzing whether the obtained message carries secret-related information, and filtering the secret-related documents.

Compared with the prior art, the invention has the beneficial effects that:

the invention only needs to provide a private JDBC driver, does not need to open TNS protocol communication in a non-secret-involved network, and only opens TNS protocol communication in a secret-involved network, so that messages of networks at two sides of an isolation boundary are completely subjected to semantic translation without simple mapping relation, and an attacker of the non-secret-involved network cannot attack internal network TNS protocol loopholes, thereby realizing perfect protocol isolation and greatly improving the isolation strength.

The invention is based on the special isolation exchange architecture, the deep content analysis and the content characteristic value extraction are completed by moving to the preposed agent side, and only characteristic value matching is carried out on the isolation device side, so that the calculation requirement of the isolation boundary is greatly reduced. Under the environment of the power internet of things, the technology can utilize hundreds of millions of intelligent terminal devices to realize distributed content filtering calculation, so that high-efficiency low-delay distributed content filtering is realized. The contradiction between the filtering depth and the exchange efficiency is better solved.

According to the invention, the front-end agent is introduced, the boundary of the isolation exchange is moved to the terminal side, a large number of intelligent terminals in the power Internet of things environment are constructed based on the trusted computing concept, the front-end agent software running on the intelligent terminals can be combined with the trusted computing system of the intelligent terminals, and the whole isolation exchange system is brought into the trusted exchange system through the reinforcement of the private application layer protocol, so that the trusted isolation exchange is realized.

Drawings

FIG. 1 is a flow chart of a data isolation exchange and security filtering method for an electric power Internet of things provided by the invention

FIG. 2 is a flow chart of the present invention for extracting feature vectors in the pre-proxy portion

FIG. 3 is a flow chart of proprietary formatting of tag content by the tag and proprietary protocol encapsulation provided by the present invention

FIG. 4 is a flow chart of policy filtering provided by the present invention

Detailed Description

The present invention will be described in further detail with reference to the accompanying drawings.

As shown in fig. 1, the invention provides a data isolation exchange and security filtering method for an electric power internet of things, which adopts the following technical scheme:

step 1, construction of isolation framework

An isolation architecture based on a pre-proxy and a proprietary protocol is constructed, the isolation architecture comprises a proprietary application layer interactive protocol based on a TCP/IP protocol and a dedicated safety isolation device, the device has the capability of decomposing, recombining and exchanging the hardware-level TCP/IP protocol on one hand, and only supports the communication of the proprietary application layer protocol on the other hand, all third-party public application layer protocols and the pre-proxy are rejected, the pre-proxy can be in the forms of a driver, an SDK (software development kit) or a hardware plug-in and the like, the main function in the architecture is to map a user interaction process into a proprietary application layer protocol message to realize data exchange, and the pre-proxy can also play the roles of terminal reinforcement and credible authentication in the actual realization process.

Step 2, feature vector extraction is realized in the preposed agent part, as shown in fig. 2

Firstly, preprocessing the content Ti in the message, then extracting the features to generate a message feature vector V' and a sensitive library feature vector V, and storing the extracted feature vectors into the label field of the message.

(1) Pretreatment of

Performing word segmentation analysis on the text file through an ICTS word segmentation interface, and obtaining the message content T_iAfter word segmentation, the expression is as follows:

T_i＝((a_i1,l_i1,p_i1),(a_i2,l_i2,p_i2),......,(a_in,l_in,p_in))

wherein: t is_iRepresenting messages i, a_inDenotes a divided phrase, l_inIndicates the length of the phrase, p_inAnd expressing the part of speech of the divided phrase.

(2) Feature extraction

1) Part-of-speech selection

In the Chinese text, the keywords which can most strongly express the article content are selected according to the parts of speech and used for the subsequent feature extraction, which is beneficial to eliminating redundancy and simplifying the calculation process. Therefore, the noun word groups in the analyzed text word groups are extracted, and other parts of speech are deleted. Text file T_iAfter part of speech selection, the expression is as follows:

in the formula: ta_iIn order to extract the text following the noun,

for the sake of a noun, the term,

is the length of the noun phrase.

2) Word frequency statistics

And counting the occurrence frequency of the keywords to form word segmentation triples containing word groups, the occurrence frequency and the part of speech of the word groups in the text. Will T_aiAdding a word frequency term, further expressing as:

in the formula: tb_iTo count the text after the word frequency,

for the word group after the word frequency is counted,

for counting the length of the word group after the word frequency,

is composed of

The word frequency of (c).

3) Word length selection

In a text of chinese, words have a stronger expressive power than words, the length of each keyword is calculated and the keywords of a single word are deleted. Further expressed as:

in the formula: tc_iFor deleting a keyword as text after a single word, wherein

Is a phrase with the length larger than one character,

is composed of

And (4) word frequency.

4) Word frequency selection

In the Chinese text, words appearing only once are occasional and have no representativeness, so phrases appearing only once in the text word-dividing triplets after statistics are removed. The final characteristic binary expression is obtained as:

wherein: td_iTo cull text after a keyword has appeared once,

in order to remove the phrase after the keyword appears once,

is composed of

Word frequency of wherein

(3) Generating feature vectors

The calculation of the weight of the word is an effective method for measuring the characteristic value, and a TF-IDF formula based on a statistical method is widely used at present, and is proved to be feasible and effective in a large number of practical uses. The core idea is that the less the number of occurrences of a word in other texts, the more information the word contains and the more representative the type of document, and conversely, if the word also occurs in a large number in other documents, the less representative the word.

The currently common calculation formula for the TF-IDF is expressed as follows:

d_ij＝t_ij*log(N/n_j)

wherein, t_ijIs the phrase a_ijIn the text T_iIs equal to Td_iF in (1)_imN is the total number of documents, N_jFor the inclusion of phrase a in the document library_ijThe number of documents.

The feature vector composed of sensitive library data is represented as:

V＝((a₁₁,d₁₁),(a₁₂,d₁₂),......,(a_1m,d_1m),......,(a_n1,d_n1),(a_n1,d_n1),......,(a_nm,d_nm))

for brevity, this is:

V＝(d₁₁,d₁₂,......,d_1m,......,d_n1d_n2,......,d_nm)

the characteristic vector of the message obtained by the same method is simplified as:

V'＝(d'₁₁,d'₁₂,......,d'_1m,......,d'_n1d'_n2,......,d'_nm)

step 3, realizing label encapsulation at the preposed agent part and realizing label analysis at the isolated service side

The label package and analysis includes label, label and private protocol package, label and private protocol analysis. The label encapsulation and analysis are carried out by sending user information of an access user at a sending end, sending data attribute information, marking the characteristic vector information of the data, then carrying out random block encryption on the data through a private protocol, and then sending the data to a server end. At the server, the data is first recovered by parsing techniques. The recovered data serves for label filtering and feature vector filtering.

The label comprises user information U, data attribute information, a characteristic vector V, generation time T, an encryption identifier and other information.

Label＝(U(k,v),Ad(k,v),V’,T,Fe)

Wherein the content of the first and second substances,

1) the user information comprises user identity information and user request operation information, and the user information exists in a key value pair mode;

2) the data attribute information includes data type, data size, data creator, data modification time, etc., and the data attribute also exists in the form of key-value pair.

3) The feature vector is used for content filtering based on the feature vector of the server;

4) the generation time is the time of label generation;

5) the encryption identifier is used for identifying whether the block data is encrypted after the label is blocked, and the encryption identifier is used when the server side does not analyze the block data.

As shown in fig. 3, the tag and proprietary protocol encapsulation proprietary format the tag content, as follows,

a, arranging user information U, data attribute information Ad (k, V), a characteristic vector V' and generation time T in sequence, and dividing the sequence into N blocks;

b, randomly selecting N1 blocks from the N blocks, setting an encryption identifier, and encrypting data to obtain EN 1;

recording a random selection process R, setting an encryption identifier by taking R as a block, and encrypting R to obtain ER;

d, setting no encryption identification for the rest N2(N-N1) blocks;

step E-calculate the length of EN1 and the length of ER, and then concatenate E with EN1 length, EN1, ER length, ER, and N2, as shown in FIG. 3.

And after the label and the proprietary protocol are packaged, the label and the proprietary protocol are sent to a server side in a message form. The server side firstly analyzes the label and the private protocol of the report and recovers the label value, and the steps are as follows:

step a, acquiring private protocol data E;

step b, extracting the length of EN1, extracting EN1 through the length of EN1, and decrypting EN1 to obtain N1;

step c, extracting ER length, extracting ER through the ER length, and decrypting the ER to obtain R;

d, extracting the subsequent data N2;

step e-restore N1 and N2 to U (k, V), Ad (k, V), V' and T by random selection procedure R.

Step 4, realizing label filtration at the isolation service side

The label filtering filters the data according to the data attribute provided by the client by designing a flexible strategy rule.

Policy rules are a specification of policy filtering. The policy rules provide a unified policy description to be able to process the attribute information to achieve the purpose of filtering the data. In order to facilitate calculation and expansion, the strategy rule is designed into a self-defined expression which is composed of variables, values and operational characters. The variable values are extracted from the data attribute information according to the variables, and the operators and the variables are set by specific strategies. And during filtering, replacing the variable value with the attribute value, then calculating the strategy expression, and finally outputting the calculation result. Since the policy rules use expressions, the policy rules are very flexible.

The policy rules are formalized such that,

the policy rule is composed of left brackets [, keywords begin, expressions (exp), keywords end, right brackets ]. The expression is made up of two parts,

the basic items are: variables (var), values (float and integer) and strings (string);

the composition items are as follows: complex expressions linked by variables, values and strings, through unary (opu), binary (opb) operators.

The policy rules are described by using the self-defined expression, so that the filtering based on the policy is not only convenient, but also strong in operability and flexible in expansibility. The policy filtering process is shown in figure 4,

step a: extracting user information and data attribute information U (k, v) and Ad (k, v) from the analyzing step, and reassigning to new attribute information Ad (k, v);

b, extracting a strategy rule exp from a strategy library;

step c: traversing the strategy rule expression exp, and extracting a variable var in the expression;

step d: extracting a value v (integer number, floating point number and character string) corresponding to var from Ad (k, v) by taking var as a key;

step e: replacing var in the strategy rule by v, and calculating an expression;

step f: and judging whether the data is filtered or not according to the calculation result, and recording the log.

Step 5, combining the feature vector and the label filtration to realize content filtration at the isolation service side

Extracting a characteristic vector value V' in the analysis label, and obtaining the similarity with a characteristic vector V of a sensitive library on the isolation device through cosine calculation, wherein the cosine similarity calculation formula is as follows:

wherein V 'and V are two eigenvectors, and V' and V are standard vector dot products defined as

t is the dimension of the vector, which can be generally expressed as a series of numbers, each number in the series being called a component, i.e. the number of components, e.g. (a1, a2, a3) having a dimension of 3, the norm V' | in the denominator being defined as

And comparing the cosine similarity value with a predefined similarity threshold value, analyzing whether the obtained message carries secret-related information, and filtering the secret-related documents to achieve the function of filtering the contents.

Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.

Claims (6)

1. A data isolation exchange and safety filtering method for an electric power Internet of things is characterized by comprising the following steps:

constructing an isolation framework based on a front proxy and a proprietary protocol;

step (2) extracting the feature vector in the preposed agent part;

step (3) label encapsulation is carried out on the preposed agent part, and label analysis is carried out on the isolation service side;

step (4) realizing label filtration at the isolation service side;

step 5, filtering content on the isolation service side by combining feature vector and label filtering;

the step (2) comprises the following steps:

step 2-1, for message content T_iCarrying out pretreatment;

step 2-2, for the message content T_iCarrying out feature extraction;

step 2-3, generating a message characteristic vector V' and a characteristic vector V of a sensitive library in an isolation service side;

step 2-4, storing the extracted feature vector into a label field of the message;

the preprocessing is to carry out word segmentation analysis on the text file through an ICTCCLAS word segmentation interface, and the message content T_iAfter word segmentation, the expression is as follows:

T_i＝((a_i1,l_i1,p_i1),(a_i2,l_i2,p_i2),......,(a_in,l_in,p_in))

in the formula: t is_iRepresenting messages i, a_inDenotes a divided phrase, l_inIndicates the length of the phrase, p_inRepresenting the part of speech of the divided phrase;

in the step 2-2, the method comprises the following steps:

step 2-2-1, for the message content T_iSelecting part of speech, extracting noun word groups in the analyzed text word groups, deleting other parts of speech, and the message content T_iAfter part of speech selection, the expression is as follows:

in the formula: ta_iIn order to extract the text following the noun,

for the sake of a noun, the term,

is the length of the noun phrase;

step 2-2-2, counting the occurrence frequency of the keywords to form word segmentation triplets comprising the word groups, the occurrence frequency and the part of speech of the word groups in the text, and converting Ta_iAdding a word frequency item, wherein the expression is as follows:

in the formula: tb_iTo count the text after the word frequency,

for the word group after the word frequency is counted,

for counting the length of the word group after the word frequency,

is composed of

The word frequency of;

step 2-2-3, calculating the length of each keyword and deleting the keywords of a single word, wherein the expression is as follows:

in the formula: tc_iFor deleting a keyword as text after a single word, wherein

Is a phrase with the length larger than one character,

is composed of

Word frequency;

step 2-2-4, eliminating phrases with keywords appearing once, and obtaining a final expression as follows:

wherein: td_iTo cull text after a keyword has appeared once,

in order to remove the phrase after the keyword appears once,

is composed of

Word frequency of wherein

In the step 2-3, the method comprises the following steps:

step 2-3-1, calculating the weight of the phrase based on a TF-IDF formula, wherein the formula is as follows:

d_ij＝t_ij*log(N/n_j)

wherein d is_ijIs the phrase a_ijIn the text T_iIs equal to Td_iIn (1)

N is the total number of documents, N_jFor words contained in document librariesGroup a_ijThe number of documents of (2);

step 2-3-2, the feature vector composed of the sensitive library data is expressed as:

V＝((a₁₁,d₁₁),(a₁₂,d₁₂),......,(a_1m,d_1m),......,(a_n1,d_n1),(a_n1,d_n1),......,(a_nm,d_nm))

for brevity, this is:

V＝(d₁₁,d₁₂,......,d_1m,......,d_n1,d_n2,......,d_nm)

step 2-3-3, according to step 2-3-2, the characteristic vector of the obtained message is simplified as:

V′＝(d′₁₁,d′₁₂,......,d′_1m,......,d′_n1,d′_n2,......,d′_nm)。

2. the method according to claim 1, wherein in the step (1), the isolation framework comprises an application layer exchange protocol proprietary to the TCP/IP protocol, a dedicated security isolation device and a pre-proxy, and is configured to map the user interaction process to the application layer exchange protocol packet to implement data exchange.

3. The method according to claim 1, wherein in step (3), the tag includes user information U (k, V), data attribute information Ad (k, V), a feature vector V', a generation time T, and encryption flag Fe information, and the expression is:

Label＝(U(k,v),Ad(k,v),V’,T,Fe)

the label encapsulation of the front proxy part comprises the following steps:

step 3-1-1, arranging user information U, data attribute information Ad (k, V), feature vectors V' and generation time T in sequence, and dividing the sequence into N blocks;

3-1-2, randomly selecting N1 blocks from the N blocks, setting an encryption identifier, and encrypting data to obtain EN 1;

3-1-3, recording a random selection process R, setting an encryption identifier by taking R as a block, and encrypting R to obtain ER;

3-1-4, setting no encryption identifier for the rest N-N1 blocks;

3-1-5, calculating the length of the EN1 and the length of the ER, and connecting the EN1 length, the EN1, the ER length, the ER and the rest N-N1 blocks to obtain label-encapsulated private protocol data E; the label analysis on the isolation service side comprises the following steps:

step 3-2-1, obtaining the private protocol data E;

3-2-2, extracting the EN1 length, extracting EN1 through the EN1 length, and decrypting EN1 to obtain N1;

3-2-3, extracting the ER length, extracting the ER through the ER length, and decrypting the ER to obtain R;

3-2-4, extracting the subsequent data N-N1;

step 3-2-5, N1 and N-N1 were restored to U (k, V), Ad (k, V), V' and T by random selection procedure R.

4. The method according to claim 3, wherein in the step (4), the tag filtering is to filter the data according to the data attribute provided by the client through a policy rule; the strategy rule is composed of left brackets [ keyword begin, expression exp, keyword end and right brackets ]; the expression is composed of basic terms and composition terms, wherein the basic terms comprise variables var, numerical values and character strings, and the composition terms are complex expressions which are connected through unary and binary operational characters by the variables, the numerical values and the character strings.

5. The method of claim 4, wherein the tag filtering comprises the steps of:

step 4-1, extracting the user information U (k, v) and the data attribute information Ad (k, v) and assigning new attribute information Ad' (k, v) again;

step 4-2, extracting strategy rules from a strategy library;

4-3, traversing the strategy rule expression exp, and extracting a variable var in the expression;

step 4-4, extracting a value v corresponding to the var from the Ad' (k, v) by taking the var as a key;

step 4-5, replacing var in the strategy rule by v, and calculating an expression;

and 4-6, judging whether the data is filtered or not according to the calculation result, and recording the log.

6. The method according to claim 5, wherein the step (5) comprises the steps of:

step 5-1, the feature vector V' and the feature vector V of the sensitive library in the isolation service side are subjected to cosine calculation to obtain a cosine similarity value, and the cosine similarity calculation formula is as follows:

wherein V 'and V are two eigenvectors, and V' and V are standard vector dot products defined as

t is the dimension of the vector, and the norm V' in the denominator is defined as

Norm V in denominator is defined as

And 5-2, comparing the cosine similarity value with a predefined similarity threshold value, analyzing whether the obtained message carries secret-related information, and filtering the secret-related documents.

Images