An industrial Internet of Things intelligent virtual private network system
Technical field
The present invention relates to an industrial internet platform, and more particularly to an industrial Internet of Things intelligent virtual private network system.
Background art
With the arrival of the big data era, more and more governments, enterprises and other organizations have come to realize that data has become an organization's most important asset; data analysis capability is becoming the core competitiveness of an organization, and large-scale investment has begun.
During the development of informatization, construction took place in different periods, project investment sources differed, implementation management differed and operation and maintenance were dispersed. As a result, business application systems of all kinds largely exist in isolation: information resources are dispersed, the interfaces between business systems are many and diverse, and information islands exist. A unified management mechanism for information resources is lacking, and the degree of convergence between informatization and service management is insufficient.
Moreover, mass data is repeatedly acquired and stored at multiple links; this occupies large amounts of information transmission and storage resources while the data utilization rate is extremely low. According to statistics on a certain pipeline company's utilization of the data it acquired, uploaded and stored in recent years, the data actually used accounted for only 0.75% of the total data volume, while the data collected occupied mass data transmission bandwidth and storage resources.
In existing civilian cloud platforms, data is transferred to the platform for storage and management, information security and privacy cannot be guaranteed, and there is a possibility of data leakage. Such platforms cannot be used in the industrial field.
The inventors of the present invention found that the industrial field lacks a data control platform that can be used publicly by multiple types of applications within one enterprise, or by multiple enterprises, while effectively guaranteeing the data owner's control over the data.
Summary of the invention
The purpose of the present invention is to provide an industrial Internet of Things intelligent virtual private network system, so that the security of industrial information is effectively guaranteed, repeated acquisition, transmission and processing of industrial information is avoided, data transmission and storage resources are saved, and at the same time applications are effectively prevented from touching industrial data directly, so that all kinds of applications are provided with a unified and convenient data-calling environment while industrial data security is ensured.
In order to solve the above technical problems, embodiments of the present invention provide an industrial Internet of Things intelligent virtual private network system, comprising:
a management platform, wherein the management platform has a first-network IP address, and each application establishes a communication connection with the management platform through the first network and sends a data request to the management platform;
the management platform is connected to each data source object node through a second network, and the management platform and each data source object node each have a second-network IP address; the first network and the second network are mutually independent;
the management platform includes a data management server, and the data management server is configured to, when the management platform receives a data request from an application, perform authorization authentication on the application; if the authorization authentication passes, it assigns a second-network IP address to the application, sends the application's second-network IP address and the content of the data request to the data source object node to which the requested data belongs, and instructs the data source object node to establish a second-network secure connection with the application through the application's second-network IP address and send the requested data to the application.
Compared with the prior art, in the embodiments of the present invention data is stored directly and locally at the data source object nodes without being uploaded to a data center, so the data is in a dispersed state; this saves mass data transmission and storage resources while increasing the difficulty of the data being intruded upon and stolen by outsiders. Further, since the data source object nodes storing the data are distributed in the confidential second network, which is completely isolated from the public first network, data security is further guaranteed at the hardware level. Further, in this embodiment only the management platform has a first-network IP address, and no data is stored on the management platform, so even if an external hacker intrudes into the management platform, no data can be obtained. The management platform is responsible only for auditing the permissions of the data requester and, once the audit is passed, establishing a secure connection between the data requester and the data source object node; the data is uploaded directly by the data source object node to the audited data requester, so that the number of nodes on which transmitted data is retained is minimized, the probability of data leakage is minimized, and transmission and storage resources are saved to the greatest extent while security is ensured.
As a further improvement, the first network is generally the public Internet, and the second network is generally an industrial internet.
As a further improvement, the second network includes an independent domain name resolution server; when each data source object node registers with the management platform, the domain name resolution server assigns the second-network IP address to that data source object node. Through the independent domain name resolution mechanism, the second network is ensured to be absolutely independent of the first network, both physically and in terms of mechanism.
As a further improvement, the authorization authentication performed by the data management server of the management platform on the application includes at least:
authenticating the identity information of the application; and/or
authenticating the content of the application's data request.
As a further improvement, the data management server is also configured to store the data grant file of each data source object node; when receiving a data request from an application, it finds the data grant file corresponding to the data source object node to which the requested data belongs, and performs authorization authentication on the application according to that data grant file. The data grant file of each data source object node is set on the management platform by the owner of the data source object node. The data management server is only the executor of the data grant file; it does not itself have permission to set the data grant file and cannot permit or forbid data transmission without authorization. This effectively prevents the possibility of data leakage from inside the management platform and ensures that only the data resource owner has permission to manage the transmission of the data resource, effectively guaranteeing the rights and interests of the data source object node owner.
As a further improvement, the data management server is also configured to, when receiving a data grant file set by a data source object node owner, request from the data source object node corresponding to that data grant file the data grant backup file stored there, and compare the data grant file with the received data grant backup file; if they are consistent, the data grant file is stored. Thus even if the data grant file is tampered with in transit, the tampering cannot have any actual effect on the data information, effectively ensuring the security of the data information.
As a further improvement, the data management server is also configured to, when receiving a modified data grant file from a data source object node owner, request from the data source object node corresponding to the data grant file to be modified the data transmission authorization rule backup file stored there, and compare the received data grant file with the data transmission authorization rule backup file; if they are consistent, the modified data grant file replaces the original.
When an asset owner needs to modify the data grant file of a data source object node he owns, he must, at the same time as sending the modified data grant file to the industrial data management platform, store the modified data transmission authorization rule backup file on the data source object node. The data management server compares the received data grant file with the data transmission authorization rule backup file on the data source object node, and if they are consistent, the modified data grant file replaces the original. Thus even if a hacker attacks the industrial data management platform and alters the data authorization, the alteration cannot be saved: the industrial data management platform compares the tampered authorization rule file with the backup file on the data source object node, discovers the discrepancy, and refuses the modification. This effectively guarantees the data information security of the data asset owner.
As a further improvement, the data management server is also configured to, when the data source object node owner owns more than one data source object node, request from all data source object nodes under that owner's name the data transmission authorization rule backup files they store; the data grant file to be saved or replaced is compared one by one with each received data transmission authorization rule backup file, and if the match rate is greater than a preset value, the data grant file is saved or replaced. This further increases the difficulty for a hacker of altering the data transmission rule backup files, enhancing the data information security of the data asset owner.
As a further improvement, the management platform is also configured to verify the identity of the data source object node owner according to the owner identity information set at the time of data source object node registration, and to receive the data grant file from the data source object node owner only after the owner's identity authentication passes.
As a further improvement, the second-network secure connection between the data source object node and the application is a one-way virtual dedicated connection from the data source object node to the application. Thus even though a connection is established between the application and the data source object node, the application can only obtain from the node the data that has passed the authorization audit, and cannot perform any operation on the data source object node, ensuring the security of the data source object nodes in the second network.
As a further improvement, the application comes from any of the following devices: a personal PC, a mobile terminal, a cloud platform, a central server, etc.
As a further improvement, when the management platform sends the application's second-network IP address and the content of the data request to the data source object node to which the requested data belongs, it also includes data transmission control information. The data transmission control information includes one or any combination of the following: data transmission start time, data transmission duration, data transmission end time, data transfer file type, and connection establishment type. The data source object node is instructed to establish the second-network secure connection with the application within the range indicated by the transmission control information and to send the requested data to the application. By placing security restrictions on the data transmission time and transmission form, the data chain is further prevented from being cracked and misappropriated by criminals.
As a further improvement, the data source object node includes at least a data acquisition and storage function for obtaining and storing the various items of industrial data information of industrial control equipment; the industrial data information includes at least one of the following: industrial data information generated during operation of the industrial control equipment, and detection data information obtained by monitoring the industrial control equipment, etc.
Description of the drawings
Fig. 1 is a structural diagram of an industrial Internet of Things intelligent virtual private network system according to a preferred embodiment of the present invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the present invention clearer, each embodiment of the present invention is explained in detail below with reference to the accompanying drawing. However, those skilled in the art will understand that in each embodiment of the present invention many technical details are set out in order to help the reader understand the application better. Even without these technical details, and with various changes and modifications based on the following embodiments, the technical solution claimed in each claim of the application may still be implemented.
A preferred embodiment of the invention relates to an industrial Internet of Things intelligent virtual private network system which, as shown in Figure 1, comprises:
a management platform, wherein the management platform has a first-network IP address, and each application establishes a communication connection with the management platform through the first network and sends a data request to the management platform;
the management platform is connected to each data source object node through a second network, and the management platform and each data source object node each have a second-network IP address; the first network and the second network are mutually independent;
the management platform includes a data management server, and the data management server is configured to, when the management platform receives a data request from an application, perform authorization authentication on the application; if the authorization authentication passes, it assigns a second-network IP address to the application, sends the application's second-network IP address and the content of the data request to the data source object node to which the requested data belongs, and instructs the data source object node to establish a second-network secure connection with the application through the application's second-network IP address and send the requested data to the application.
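The brokering step above (identity authentication, content authorization against a grant file, assignment of a second-network address, and an instruction to the node holding the data) as an added Python example; this is not code from the patent or its applicant. The grant file, data index, application secrets and the HMAC-based identity check are all constructed assumptions, since the page does not specify how identity information is authenticated. The point to note is that the platform object never holds any industrial data: it only maps an authorized request to an instruction for the node.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed data grant file for one data source object node (in the described
# system it is set by the node owner; the platform only executes it):
# application id -> data items that application may request.
GRANT_FILES = {
    "node-boiler-01": {
        "app-dashboard": {"temperature", "pressure"},
        "app-maintenance": {"vibration"},
    },
}

# Constructed index of which node holds which data item.
DATA_INDEX = {
    "temperature": "node-boiler-01",
    "pressure": "node-boiler-01",
    "vibration": "node-boiler-01",
}

# Constructed per-application shared secrets (hypothetical identity scheme:
# the request carries an HMAC-SHA256 under the application's secret).
APP_SECRETS = {
    "app-dashboard": b"dashboard-secret",
    "app-maintenance": b"maintenance-secret",
}


@dataclass(frozen=True)
class DataRequest:
    app_id: str
    item: str
    mac: str  # hex HMAC-SHA256 over "app_id|item" under the application's secret


@dataclass(frozen=True)
class NodeInstruction:
    """What the platform sends over the second network to the node holding the data."""
    node_id: str
    app_second_net_ip: str
    item: str


def sign_request(app_id: str, item: str, secret: bytes) -> DataRequest:
    """Application side (first network): build an authenticated data request."""
    mac = hmac.new(secret, f"{app_id}|{item}".encode(), hashlib.sha256).hexdigest()
    return DataRequest(app_id, item, mac)


class ManagementPlatform:
    """Holds grant files and a second-network address pool, never industrial data."""

    def __init__(self, second_net_pool: str = "10.200.0.0/24"):
        self._pool = list(ipaddress.ip_network(second_net_pool).hosts())
        self._assigned = {}  # app id -> second-network IP already handed out

    def _authenticate_identity(self, req: DataRequest) -> bool:
        secret = APP_SECRETS.get(req.app_id)
        if secret is None:
            return False
        expected = hmac.new(secret, f"{req.app_id}|{req.item}".encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, req.mac)

    def _authorize_content(self, req: DataRequest, node_id: str) -> bool:
        # Authorization is decided solely by the owner-set grant file for that node.
        return req.item in GRANT_FILES.get(node_id, {}).get(req.app_id, set())

    def handle_request(self, req: DataRequest):
        """Return a NodeInstruction if both checks pass, otherwise None (request dropped)."""
        if not self._authenticate_identity(req):
            return None
        node_id = DATA_INDEX.get(req.item)
        if node_id is None or not self._authorize_content(req, node_id):
            return None
        ip = self._assigned.get(req.app_id)
        if ip is None:
            ip = str(self._pool.pop(0))  # first free host address of the pool
            self._assigned[req.app_id] = ip
        return NodeInstruction(node_id, ip, req.item)
```

An application that presents a valid MAC but asks for an item its grant entry does not list is refused at the platform, so the node never sees the request; a forged MAC is refused before the grant file is even consulted.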
Compared with the prior art, in the embodiments of the present invention data is stored directly and locally at the data source object nodes without being uploaded to a data center, so the data is in a dispersed state; this saves mass data transmission and storage resources while increasing the difficulty of the data being intruded upon and stolen by outsiders. Further, since the data source object nodes storing the data are distributed in the confidential second network, which is completely isolated from the public first network, data security is further guaranteed at the hardware level. Further, in this embodiment only the management platform has a first-network IP address, and no data is stored on the management platform, so even if an external hacker intrudes into the management platform, no data can be obtained. The management platform is responsible only for auditing the permissions of the data requester and, once the audit is passed, establishing a secure connection between the data requester and the data source object node; the data is uploaded directly by the data source object node to the audited data requester, thus saving transmission and storage resources to the greatest extent while ensuring security.
As a further improvement, the first network is generally the public Internet, and the second network is generally an industrial internet.
As a further improvement, the second network includes an independent domain name resolution server; when each data source object node registers with the management platform, the domain name resolution server assigns the second-network IP address to that data source object node. Through the independent domain name resolution mechanism, the second network is ensured to be absolutely independent of the first network, both physically and in terms of mechanism.
As a further improvement, the authorization authentication performed by the data management server of the management platform on the application includes at least:
authenticating the identity information of the application; and/or
authenticating the content of the application's data request.
As a further improvement, the data management server is also configured to store the data grant file of each data source object node; when receiving a data request from an application, it finds the data grant file corresponding to the data source object node to which the requested data belongs, and performs authorization authentication on the application according to that data grant file. The data management server is only the executor of the data grant file; it does not itself have permission to set the data grant file and cannot permit or forbid data transmission without authorization. This effectively prevents the possibility of data leakage from inside the management platform and effectively guarantees the rights and interests of the data source object node owner.
As a further improvement, the data grant file of each data source object node is set on the management platform by the data source object node owner, thereby ensuring that only the data resource owner has permission to control the transmission of the data resource.
As a further improvement, the data management server is also configured to, when receiving a data grant file set by a data source object node owner, request from the data source object node corresponding to that data grant file the data grant backup file stored there, and compare the data grant file with the received data grant backup file; if they are consistent, the data grant file is stored. Thus even if the data grant file is tampered with in transit, the tampering cannot have any actual effect on the data information, effectively ensuring the security of the data information.
As a further improvement, the data management server is also configured to, when receiving a modified data grant file from a data source object node owner, request from the data source object node corresponding to the data grant file to be modified the data transmission authorization rule backup file stored there, and compare the received data grant file with the data transmission authorization rule backup file; if they are consistent, the modified data grant file replaces the original.
When an asset owner needs to modify the data grant file of a data source object node he owns, he must, at the same time as sending the modified data grant file to the industrial data management platform, store the modified data transmission authorization rule backup file on the data source object node. The data management server compares the received data grant file with the data transmission authorization rule backup file on the data source object node, and if they are consistent, the modified data grant file replaces the original. Thus even if a hacker attacks the industrial data management platform and alters the data authorization, the alteration cannot be saved: the industrial data management platform compares the tampered authorization rule file with the backup file on the data source object node, discovers the discrepancy, and refuses the modification. This effectively guarantees the data information security of the data asset owner.
As a further improvement, the data management server is also configured to, when the data source object node owner owns more than one data source object node, request from all data source object nodes under that owner's name the data transmission authorization rule backup files they store; the data grant file to be saved or replaced is compared one by one with each received data transmission authorization rule backup file, and if the match rate is greater than a preset value, the data grant file is saved or replaced. This further increases the difficulty for a hacker of altering the data transmission rule backup files, enhancing the data information security of the data asset owner.
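The grant-file acceptance rule described in the preceding paragraphs (a submitted or modified grant file is stored only if it agrees with the backup held on the owner's node, and, for an owner with several nodes, only if the share of agreeing backups exceeds a preset value) as an added Python example; this is not code from the patent or its applicant. It assumes, as the text describes, that the owner writes the backup copy to each of their nodes, and it assumes a canonical JSON digest as the comparison method, which the page does not specify.

```python
import hashlib
import json


def grant_digest(grant: dict) -> str:
    """Canonical SHA-256 of a grant file; key order does not change the digest."""
    canonical = json.dumps(grant, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class OwnerNode:
    """A data source object node holding the owner's backup copy of the grant file."""

    def __init__(self, node_id: str, backup_grant: dict):
        self.node_id = node_id
        self._backup = backup_grant  # assumed written locally by the owner

    def backup_digest(self) -> str:
        # Answer to the platform's request for the backup: a digest is enough to compare.
        return grant_digest(self._backup)


class DataManagementServer:
    """Executes grant files; stores one only when node-side backups confirm it."""

    def __init__(self, match_threshold: float = 0.5):
        self._grants = {}                       # node id -> accepted grant file
        self.match_threshold = match_threshold  # the "preset value" for multi-node owners

    def receive_grant(self, target: OwnerNode, owner_nodes: list, new_grant: dict) -> bool:
        """Store or replace the grant for `target`; return whether it was accepted."""
        if not owner_nodes:
            return False
        submitted = grant_digest(new_grant)
        backups = [node.backup_digest() for node in owner_nodes]
        matches = sum(1 for d in backups if d == submitted)
        if len(backups) == 1:
            accepted = matches == 1                          # single node: exact agreement
        else:
            accepted = matches / len(backups) > self.match_threshold
        if accepted:
            self._grants[target.node_id] = new_grant
        return accepted

    def grant_for(self, node_id: str):
        return self._grants.get(node_id)
```

A grant file altered on the platform side, or in transit to it, produces a digest that none of the owner's nodes can confirm, so the stored grant is left unchanged; with several nodes, one stale or compromised backup does not by itself block a legitimate update, nor does it let a tampered one through.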
As a further improvement, the management platform is also configured to verify the identity of the data source object node owner according to the owner identity information set at the time of data source object node registration, and only after the owner's identity authentication passes does it receive the owner's data grant file and save it or replace the original.
As a further improvement, the second-network secure connection between the data source object node and the application is a one-way virtual dedicated connection from the data source object node to the application. Thus even though a connection is established between the application and the data source object node, the application can only obtain from the node the data that has passed the authorization audit, and cannot perform any operation on the data source object node, ensuring the security of the data source object nodes in the second network.
As a further improvement, the application comes from any of the following devices: a personal PC, a mobile terminal, a cloud platform, a central server, etc.
As a further improvement, when the management platform sends the application's second-network IP address and the content of the data request to the data source object node to which the requested data belongs, it also includes data transmission control information. The data transmission control information includes one or any combination of the following: data transmission start time, data transmission duration, data transmission end time, data transfer file type, and connection establishment type. The data source object node is instructed to establish the second-network secure connection with the application within the range indicated by the transmission control information and to send the requested data to the application. By placing security restrictions on the data transmission time and transmission form, the data chain is further prevented from being cracked and misappropriated by criminals.
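The node-side behaviour described in the two preceding improvements (a one-way connection that only pushes audited data and refuses any operation from the application, opened only within the window and in the form given by the transmission control information) as an added Python example; this is not code from the patent or its applicant. The instruction format, the `ts` clock helper, the sample readings and the two file types are constructed assumptions.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class TransmissionControl:
    """Data transmission control information sent by the platform with the instruction."""
    start: datetime
    duration: timedelta
    file_type: str          # constructed: "csv" or "json"
    connection_type: str    # constructed: "one-way-virtual-dedicated"

    @property
    def end(self) -> datetime:
        # End time derived from start + duration (the page lists all three fields).
        return self.start + self.duration


@dataclass(frozen=True)
class PushInstruction:
    app_second_net_ip: str
    item: str
    control: TransmissionControl


# Constructed local store of the node; data never leaves it except over the
# audited one-way connection below.
NODE_DATA = {"temperature": [21.5, 21.7, 22.0]}


def ts(hour: int, minute: int = 0) -> datetime:
    """Constructed clock for the example: a time on 2024-01-01 (UTC)."""
    return datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc)


class SourceNode:
    def __init__(self, data: dict):
        self._data = data
        self._pending = {}  # application second-network IP -> instruction

    def receive_instruction(self, instr: PushInstruction) -> None:
        """Called with what the management platform sends over the second network."""
        self._pending[instr.app_second_net_ip] = instr

    def push(self, app_ip: str, now: datetime):
        """Open the one-way connection to app_ip and send the item, if the control allows it."""
        instr = self._pending.get(app_ip)
        if instr is None:
            return None, "no platform instruction for this address"
        ctl = instr.control
        if ctl.connection_type != "one-way-virtual-dedicated":
            return None, "unsupported connection type"
        if not (ctl.start <= now <= ctl.end):
            return None, "outside transmission window"
        if instr.item not in self._data:
            return None, "unknown item"
        payload = self._encode(instr.item, ctl.file_type)
        if payload is None:
            return None, "file type not permitted"
        del self._pending[app_ip]  # each platform instruction authorizes one transfer
        return payload, "ok"

    def handle_inbound(self, app_ip: str, command: str) -> str:
        """Anything the application sends toward the node is refused: the link is one-way."""
        return "refused: connection is one-way"

    def _encode(self, item: str, file_type: str):
        values = self._data[item]
        if file_type == "csv":
            return "\n".join(f"{item},{v}" for v in values)
        if file_type == "json":
            return json.dumps({item: values})
        return None
```

The node acts only on an instruction it received from the platform for that exact second-network address, so an application that knows a node's address but holds no current instruction gets nothing, and an instruction used outside its time window is equally useless.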
As a further improvement, the data source object node includes at least a data acquisition and storage function for obtaining and storing the various items of industrial data information of industrial control equipment; the industrial data information includes at least one of the following: industrial data information generated during operation of the industrial control equipment, and detection data information obtained by monitoring the industrial control equipment, etc.
Those skilled in the art will understand that the respective embodiments described above are specific embodiments for realizing the present invention, and that in practical applications various changes can be made to them in form and detail without departing from the spirit and scope of the present invention.