CN110677412A - Network security protection method and device for data downloading - Google Patents


Info

Publication number: CN110677412A
Authority: CN (China)
Prior art keywords: data, processor, command, downloading, signal line
Legal status: Pending (as listed by Google Patents)
Application number: CN201910926031.2A
Other languages: Chinese (zh)
Inventors: 吕咸亮, 杨光伦, 孙国营, 赵宇鑫, 黄盼
Current assignee: CRSC Research and Design Institute Group Co Ltd
Original assignee: CRSC Research and Design Institute Group Co Ltd
Priority date: 2019-09-27
Filing date: 2019-09-27
Publication date: 2020-01-10
Application filed by CRSC Research and Design Institute Group Co Ltd
Priority to CN201910926031.2A
Publication of CN110677412A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies

Abstract

The invention provides a network security protection method and device for data downloading. The method comprises the following steps: when a data downloading demand exists, a first processor generates a data downloading command; a second processor reads and identifies the command and, if it is executable, executes it to download the data; the second processor then transmits the downloaded data unidirectionally to the first processor, and the first processor forwards the downloaded data to the public network or to an external device. In the data downloading process the invention isolates the external equipment from the data storage equipment: because every command passes through the protection and filtering of the second processor, which alone is responsible for data downloading, external equipment cannot send data or commands directly to the data storage equipment over a public network, and the network security of the data storage equipment is thereby ensured.

Description

Network security protection method and device for data downloading
Technical Field
The invention belongs to the field of data transmission, and particularly relates to a network security protection method and device for data downloading.
Background
Internet access has spread rapidly through modern society; it brings great convenience to work, daily life and other activities, but it also brings certain risks. In current network data transmission, a corresponding transmission method or device is generally adopted for the device, database or server on which the stored data resides; however, most data transmission is bidirectional, i.e. the device both transmits relevant data outwards and receives external data commands. If a malicious command is received (e.g. an illegal instruction or a large-volume data attack), the device, database or server on which the data is stored may be compromised.
This applies in particular to downloading train-mounted data. At present, a train-mounted recording and downloading device is connected to the train's downloading interface, downloads the recorded data of the train-mounted equipment, and transmits the downloaded data to a ground monitoring centre through a communication network. The downloading interface provided by the train equipment is bidirectional: besides data downloading it also serves maintenance functions such as configuration and software upgrading. The network information security of this interface has not been considered: the processor responsible for downloading the vehicle-mounted data can be reached directly through the network interface, so the downloading interface is effectively exposed to the public network. Once the vehicle-mounted recording and downloading device is attacked, external personnel can maliciously attack the train through the network, threatening the train's running safety.
Disclosure of Invention
In order to solve the defects in the prior art, the invention provides a network security protection method and device for data downloading.
A network security protection method for data downloading, the method comprising the steps of:
when other equipment has a data downloading requirement, the first processor generates a data command;
the second processor reads and recognizes the data command;
according to the executable data command obtained by identification, the second processor downloads data from the connected current data storage equipment and transmits the data to the first processor;
and the first processor transmits the data to the other equipment.
Further, the first processor generates a data command by operating a command signal line.
Further, the second processor reading and recognizing the data command comprises:
the second processor periodically reads the state of the command signal line;
the second processor identifies data command content.
Further, the second processor identifying data command content includes:
if the data required to be downloaded in the data command content completely matches the downloadable data stored in the current data storage device connected with the second processor, the second processor identifies the data command as an executable data downloading command;
if the data required to be downloaded in the data command content only partially matches the downloadable data stored in the current data storage device connected with the second processor, the second processor identifies the data command content as a partially executable data downloading command;
if the data required to be downloaded in the data command content does not match the downloadable data stored in the current data storage device connected with the second processor, or the data command content is unrelated to data downloading, the second processor identifies the data command content as a non-executable data downloading command.
Further, the process of the second processor transmitting the data to the first processor is unidirectional data transmission.
A network safety protection device for data downloading comprises at least two processors, wherein the two processors are set as a first processor and a second processor;
the first processor is used for carrying out data communication with other equipment through a network and generating a data command;
the second processor is used for reading and identifying data commands and is responsible for downloading data from the data storage device;
the first processor and the second processor are connected through at least one command signal line and at least one data signal line;
the command signal line is applied to the process of generating a data command by the first processor;
and the data signal line is used for the second processor to send downloaded data to the first processor.
Further, the first processor is provided with a network module;
the network module is used for realizing communication between the first processor and other devices by using any one or more of a wired network and a wireless network.
Furthermore, the second processor is provided with at least one data downloading interface;
the data downloading interface is used for connecting with a downloading interface provided by the data storage device.
Further, the process of the command signal line applied to the first processor to generate data commands comprises:
the first processor representing a data command by one or more of a command signal line high, a command signal line low, or a combination of multiple command signal lines; and/or
The first processor represents a data command by presenting a signal of a particular frequency on a command signal line.
Further, the data signal line selects a unidirectional data signal line.
The invention isolates the connection between the external equipment and the data storage equipment in the data downloading process, and after the protection and the filtration of the second processor which is responsible for the data downloading, the external equipment can not directly send data or commands to the data storage equipment through a public network, thereby ensuring the network safety of the data storage equipment. Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a flow chart illustrating a method for network security protection of data download according to an embodiment of the present invention;
FIG. 2 is a block diagram of a network security protection device for data download according to an embodiment of the present invention;
FIG. 3 is a block diagram of another network security protection device according to an embodiment of the present invention;
FIG. 4 is a block diagram of a network security protection device for train data download according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are clearly and completely described below, and it is obvious that the described embodiments are a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the invention provides a network security protection method for data downloading, as shown in fig. 1, the method for the data downloading network security protection comprises the following steps:
Step one: when other equipment has a data downloading requirement, the first processor generates a data command;
The first processor is connected with the other equipment through a network; when the other equipment needs to download data, it sends a data downloading request to the first processor, and after receiving the request the first processor generates a data command through a command signal line. The other equipment includes, but is not limited to, devices, systems, databases, servers and the like that can store, process or analyse data; the network comprises any one or more of a wired network or a wireless network; and the data command includes a download command for at least one data type.
Step two: the second processor reads and recognizes the data command;
A command signal line connects the first processor and the second processor; the second processor periodically and actively reads the state of the command signal line and identifies the data command. The identification process is as follows:
1. If every data type the data command requires to be downloaded matches a data type stored in, and downloadable from, the current data storage device connected with the second processor, the data command is a data downloading command executable by the second processor, and the second processor downloads all of the requested data from the connected current data storage device;
2. If the data types the data command requires to be downloaded only partially match the downloadable data types stored in the current data storage device connected with the second processor, the second processor may either identify the data command content as a partially executable data downloading command and download the part of the data that the data storage device can supply, or identify it as a non-executable data downloading command, refuse to respond and wait for the next data command;
3. If none of the data types the data command requires to be downloaded matches the downloadable data types stored in the current data storage device connected with the second processor, the second processor identifies the data command content as a non-executable data downloading command, refuses to respond and waits for the next data command;
4. If the data command content requires something unrelated to data downloading, the second processor identifies the data command content as a non-executable data command, refuses to respond and waits for the next data command.
Preferably, the current data storage device includes, but is not limited to, an apparatus, system, database or server that can store, process or analyse data. The second processor may pre-store the various command contents it is permitted to execute, forming an executable command library. For example, the downloading of A data, B data and C data is pre-stored in the second processor as executable commands, so that the A, B and C data downloading commands form the second processor's executable command library. When the second processor reads any one or more of the A, B or C data downloading commands, it recognises them as executable commands and carries out the subsequent processing; when the second processor reads a D data downloading command, however, no command for downloading D data is pre-stored in the executable command library, so the second processor recognises the "D data downloading command" as a non-executable command. In addition, when a non-executable command is recognised, the second processor can send a signal to the connected current data storage device to remind or warn it that the current data downloading operation carries a risk, and the data storage device records the event or responds according to the content of the signal.
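The command encoding of Step one and the identification process of Step two, simulated end to end. This is an added example, not code from the patent or from its assignee: the three-line high/low encoding, the A/B/C executable-command library, the D and maintenance-type requests, and the storage contents are all constructed for the illustration. It implements the partial-match option in which only the matching part is downloaded, and it models the data signal line so that the first processor is only ever handed the reading end.

```python
"""Two-processor download gateway, simulated in Python.

Added example, not code from the patent or its assignee. It models the
command signal lines as three levels that the first processor may set, a
pre-stored executable-command library in the second processor, the
executable / partially executable / non-executable verdicts, and a data
signal line that only the second processor can write to. All names,
patterns and sample data below are constructed for the illustration.
"""
from collections import deque
from enum import Enum

# Constructed stand-in for the data storage device: downloadable data types.
STORAGE = {"A": b"event-log-A", "B": b"speed-trace-B", "C": b"brake-trace-C"}

# Constructed encoding: each request the first processor is allowed to raise
# maps to one high/low pattern on three command signal lines. A request with
# no pattern here can never be placed on the lines at all.
LINE_PATTERNS = {
    frozenset({"A"}): (1, 0, 0),
    frozenset({"B"}): (0, 1, 0),
    frozenset({"C"}): (0, 0, 1),
    frozenset({"A", "B"}): (1, 1, 0),
    frozenset({"A", "B", "C"}): (1, 1, 1),
    frozenset({"A", "D"}): (1, 0, 1),    # D is not a downloadable type
    frozenset({"UPGRADE"}): (0, 1, 1),   # a maintenance request, not a download
}
PATTERN_TO_REQUEST = {v: k for k, v in LINE_PATTERNS.items()}
IDLE = (0, 0, 0)


class Verdict(Enum):
    EXECUTABLE = "executable"
    PARTIAL = "partially executable"
    NON_EXECUTABLE = "non-executable"


def make_one_way_line():
    """Data signal line: returns (reader, writer). The first processor is only
    handed the reader, so it has no path by which to reach the second processor."""
    frames = deque()

    def reader():
        return frames.popleft() if frames else None

    return reader, frames.append


class SecondProcessor:
    """Reads the command lines, classifies the command, downloads, sends one way."""
    LIBRARY = frozenset(STORAGE)   # pre-stored executable commands: A, B, C downloads

    def __init__(self, lines, writer):
        self.lines = lines           # shared command lines, read only
        self.write = writer          # the only end of the data line it holds
        self.warnings = []           # signals raised towards the storage device

    def classify(self, requested):
        if not requested & self.LIBRARY:     # nothing matches, or not a download
            return Verdict.NON_EXECUTABLE
        if requested <= self.LIBRARY:        # everything requested is downloadable
            return Verdict.EXECUTABLE
        return Verdict.PARTIAL

    def poll(self):
        """One periodic read of the command signal lines."""
        state = tuple(self.lines)
        if state == IDLE:
            return None
        requested = PATTERN_TO_REQUEST.get(state, frozenset())
        verdict = self.classify(requested)
        if verdict is Verdict.NON_EXECUTABLE:
            self.warnings.append(f"refused command on lines {state}")
            return verdict
        # A partial command downloads only the matching part (the embodiment's
        # first option); the names that do not match are simply dropped.
        for name in sorted(requested & self.LIBRARY):
            self.write((name, STORAGE[name]))
        return verdict


class FirstProcessor:
    """Faces the network; can only set the command lines and read the data line."""

    def __init__(self, lines, reader):
        self.lines = lines
        self.read = reader

    def raise_command(self, request):
        pattern = LINE_PATTERNS.get(frozenset(request))
        if pattern is None:
            return False   # no encoding exists, so nothing reaches the second processor
        self.lines[:] = pattern
        return True

    def collect(self):
        self.lines[:] = IDLE
        data = {}
        while (frame := self.read()) is not None:
            name, payload = frame
            data[name] = payload
        return data


def run_download(request):
    """Drive one request through the gateway; returns (verdict, data, warnings)."""
    lines = list(IDLE)
    reader, writer = make_one_way_line()
    p1, p2 = FirstProcessor(lines, reader), SecondProcessor(lines, writer)
    if not p1.raise_command(request):
        return None, {}, []
    verdict = p2.poll()
    return verdict, p1.collect(), p2.warnings


if __name__ == "__main__":
    for req in ({"A", "B"}, {"A", "D"}, {"UPGRADE"}, {"D"}):
        print(sorted(req), run_download(req))
```

The point the simulation makes is structural: whatever arrives from the network, the first processor can express only one of a handful of line patterns, and the second processor answers them from a fixed library, so a request it does not know (the D type) or that is not a download at all (UPGRADE) is refused and logged rather than forwarded to the storage device.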
Step three: according to the executable data command obtained by identification, the second processor downloads data from the connected current data storage equipment and transmits the data to the first processor;
after the executable data command content is obtained, the second processor downloads the data required by the other equipment from the current data storage equipment, and then the second processor transmits the data to the first processor through a data signal line.
Preferably, unidirectional data transmission is performed between the second processor and the first processor, and data can only be sent to the first processor by the second processor but not to the second processor by the first processor, so that direct data transmission between a network and the second processor and the data storage device which are responsible for downloading the data is avoided, and the risk that the data storage device is attacked maliciously is reduced.
Step four: and the first processor transmits the data to the other equipment.
Illustratively, when downloading train data, the ground server firstly connects and sends a train data downloading requirement to a first processor in the vehicle-mounted recording and downloading device through a network, and the first processor generates a corresponding data downloading command through a command signal line according to the downloading requirement; then, the second processor reads and identifies the data downloading command on the command signal line, and when the data downloading command is identified as a command executable by the second processor, the second processor operates a train data downloading interface connected with the second processor to download the data of the train-mounted equipment; after the data of the required train-mounted equipment is downloaded, the second processor transmits the read data to the first processor in a one-way mode through a data signal line, and then the first processor transmits the data of the train-mounted equipment to a ground server through a network for analysis, processing or storage.
By this method the train downloading interface and the communication network are physically isolated from each other: only the network command can be read by the second processor, while data operation commands cannot be sent directly from the network to the train equipment, so the train downloading interface is not exposed to a public network; and the downloaded train data can only be transmitted one way from the second processor to the first processor, which prevents malicious network data attacks on the train equipment through a public network and ensures the safe operation of the train. The invention is exemplified by downloading train data, but it is not limited to train data; downloading processes for other data can also be applied to the invention.
Meanwhile, in combination with the network security protection method, an embodiment of the present invention further provides a network security protection device for data downloading, where as shown in fig. 2, the network security protection device includes at least two processors, and the two processors are configured as a first processor and a second processor:
The first processor is used for data communication with other equipment through a network and for generating data commands. The first processor is provided with a network module for communicating with other devices over any one or more of a wired network or a wireless network. Preferably, the network module in the first processor may include one or more of an Ethernet interface, a wireless network interface or other interfaces. The first processor can generate the corresponding data command by setting one or more command signal lines high or low, or by a combination of several command signal lines, and can also generate it by presenting a signal of a specific frequency on a command signal line;
The second processor is used for reading and identifying data commands and is responsible for downloading data from the data storage device. The second processor periodically reads the state of the command signal line and identifies the content of the data command; it is also provided with at least one data downloading interface for connecting with the downloading interface provided by the data storage device, so that it can download data from that device. Preferably, the data downloading interface in the second processor may be any one or more existing interfaces (including but not limited to a serial interface, a parallel interface, an Integrated Drive Electronics (IDE) interface, a Small Computer System Interface (SCSI) or a Universal Serial Bus (USB) interface) or a custom interface, depending on the type of downloading interface provided by the data storage device. After downloading data from the data storage device, the second processor transmits the downloaded data to the first processor through a data signal line;
The first processor and the second processor are connected through at least one command signal line and at least one data signal line. The data signal line may use an existing interface protocol such as a Universal Asynchronous Receiver Transmitter (UART) or a Serial Peripheral Interface (SPI), or a custom interface protocol chosen according to the transmission requirement. Preferably, the data signal lines are unidirectional, that is, data is transmitted only from the second processor to the first processor and never from the first processor to the second processor; in other words, the network security protection device physically provides no data transmission path from the first processor to the second processor.
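A consequence of the one-way data signal line is that the first processor cannot acknowledge frames or ask for a retransmission, so integrity has to be checked on the receiving side alone. The following added example (not from the patent or its assignee) shows one way to frame the byte stream on a UART- or SPI-style line: the second processor prefixes each payload with a constructed magic word, a sequence number and a length and appends a CRC-32, and the first processor detects corrupted frames and sequence gaps, resynchronising on the magic word instead of signalling back. The frame layout and sample payloads are assumptions for this illustration.

```python
"""Framing for the unidirectional data signal line.

Added example, not code from the patent or its assignee. Because the first
processor has no return path, each frame the second processor sends carries a
sequence number, a length and a CRC-32; the receiver reports corrupted frames
and gaps instead of requesting a resend. Frame layout and payloads are
constructed for this illustration."""
import struct
import zlib

MAGIC = b"\xa5\x5a"               # constructed frame delimiter
HEADER = struct.Struct(">2sHH")   # magic, 16-bit sequence number, payload length
CRC = struct.Struct(">I")         # CRC-32 over magic + header + payload


def encode_frame(seq, payload):
    """Second-processor side: one self-checking frame for one payload."""
    body = HEADER.pack(MAGIC, seq & 0xFFFF, len(payload)) + payload
    return body + CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)


def encode_stream(payloads):
    """Second-processor side: the byte sequence as it leaves the data line."""
    return b"".join(encode_frame(i, p) for i, p in enumerate(payloads))


def decode_stream(data):
    """First-processor side: returns (accepted payloads, list of integrity events).

    No acknowledgement is ever produced: a bad frame is dropped and the decoder
    resynchronises on the next MAGIC, and a jump in sequence numbers is reported."""
    payloads, events = [], []
    expected, pos = 0, 0
    while True:
        idx = data.find(MAGIC, pos)
        if idx < 0:
            break                                  # no further frame start
        if idx + HEADER.size > len(data):
            events.append("truncated header at end of stream")
            break
        _, seq, length = HEADER.unpack_from(data, idx)
        end = idx + HEADER.size + length + CRC.size
        if end > len(data):
            events.append(f"truncated frame seq={seq}")
            break
        body = data[idx:end - CRC.size]
        (crc,) = CRC.unpack_from(data, end - CRC.size)
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            events.append(f"crc mismatch seq={seq}")
            pos = idx + len(MAGIC)                 # look for the next frame start
            continue
        if seq != expected:
            events.append(f"gap: expected seq={expected}, got seq={seq}")
        expected = (seq + 1) & 0xFFFF
        payloads.append(body[HEADER.size:])
        pos = end
    return payloads, events


SAMPLE = [b"event-log-A", b"speed-trace-B", b"brake-trace-C"]   # constructed


def demo_corrupted_line():
    """Flip one payload byte of the second frame and decode what arrives."""
    stream = bytearray(encode_stream(SAMPLE))
    offset = len(encode_frame(0, SAMPLE[0])) + HEADER.size   # first byte of payload 1
    stream[offset] ^= 0xFF
    return decode_stream(bytes(stream))


if __name__ == "__main__":
    print(decode_stream(encode_stream(SAMPLE)))
    print(demo_corrupted_line())
```

On a clean stream all three payloads are accepted with no events; with one byte of the second frame flipped, the decoder drops that frame, reports the CRC mismatch, picks up the third frame from its magic word and reports the sequence gap. A real deployment would pair this with a monotonic sequence counter that survives resets and with byte stuffing so that payload bytes cannot masquerade as the delimiter, which this short example omits.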
It should be noted that the apparatus is not limited to the first processor and the second processor; a third processor, a fourth processor and so on may further be provided to meet other data transmission requirements (for example, data uploading). For example, the network security protection device may further comprise a third processor for reading and identifying data commands and responsible for uploading data to the data storage device; the third processor is provided with at least one data uploading interface for connecting with the uploading interface provided by the data storage device, so that the third processor can upload data to the data storage device. The first processor and the third processor are connected through at least one command signal line and at least one data signal line; the structure of this device is shown in FIG. 3. The secure data uploading process is as follows: the first processor receives a data uploading request together with the data to be uploaded and forms a data uploading command through a command signal line; the third processor periodically reads the state of the command signal line and identifies the content of the data uploading command; the third processor executes the data uploading command if it is identified as executable, receives the upload data from the first processor (unidirectional transmission, that is, data flows only from the first processor to the third processor), and uploads the data to the data storage device.
By way of example, FIG. 4 shows the structure of a network security protection device used for downloading train data (the device can replace a train-mounted recording and downloading device). The device has a first processor and a second processor. The first processor performs wireless network transmission with other devices and is provided with a wireless network module; the second processor reads and identifies data commands, downloads the train data, and is provided with a train data downloading interface; a command signal line and a one-way data signal line are connected between the first processor and the second processor. When the server centre needs to download train data, the ground server connects to the first processor through the wireless network; the first processor generates a data command through the command signal line; the second processor reads and recognises the data command on the command signal line, connects to the train equipment through the train data downloading interface and downloads the relevant train data; the second processor then transmits the downloaded train data one way to the first processor through the data signal line, and the first processor transmits the train data to the ground server through the wireless network, so that the server centre can analyse, process or store the various vehicle-mounted equipment data generated while the train runs.
The invention takes a network safety protection device for downloading train data as an example for illustration, but the invention is not limited to the device, and other devices used for downloading data can be applied to the invention; moreover, the device of the invention can be used independently, and the whole structure of the device can be integrated into the existing data transmission equipment for use.
By the method and the device, the connection between the external equipment and the data storage equipment can be isolated in the data downloading process, and after the protection and the filtration of the second processor which is responsible for data downloading, the external equipment cannot directly send data or commands to the data storage equipment through a public network, so that the network safety of the data storage equipment is ensured.
Although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A network security protection method for data downloading is characterized in that,
the method comprises the following steps:
when other equipment has a data downloading requirement, the first processor generates a data command;
the second processor reads and recognizes the data command;
according to the executable data command obtained by identification, the second processor downloads data from the connected current data storage equipment and transmits the data to the first processor;
and the first processor transmits the data to the other equipment.
2. The network security protection method of claim 1,
the first processor generates a data command by operating a command signal line.
3. The network security protection method according to claim 1 or 2,
the second processor reading and recognizing the data command comprises:
the second processor periodically reads the state of the command signal line;
the second processor identifies data command content.
4. The network security protection method of claim 3,
the second processor identifying data command content comprises:
the data required to be downloaded in the data command content completely conforms to the downloadable data stored in the current data storage device connected with the second processor, and the second processor identifies the data command as an executable data downloading command;
the data required to be downloaded in the data command content partially conforms to the downloadable data part stored in the current data storage device connected with the second processor, and the second processor identifies the data command content as a partially executable data downloading command;
the data required to be downloaded in the data command content does not accord with the downloadable data stored in the current data storage device connected with the second processor, or the requirement of the data command content is irrelevant to data downloading, and the second processor identifies the data command content as a non-executable data downloading command.
5. The network security protection method of claim 1,
the process of the second processor transmitting the data to the first processor is unidirectional data transmission.
6. A network safety protection device for data downloading is characterized in that,
the network safety protection device comprises at least two processors which are arranged as a first processor and a second processor;
the first processor is used for carrying out data communication with other equipment through a network and generating a data command;
the second processor is used for reading and identifying data commands and is responsible for downloading data from the data storage device;
the first processor and the second processor are connected through at least one command signal line and at least one data signal line;
the command signal line is applied to the process of generating a data command by the first processor;
and the data signal line is used for the second processor to send downloaded data to the first processor.
7. The network security guard of claim 6,
the first processor is provided with a network module;
the network module is used for realizing communication between the first processor and other devices by using any one or more of a wired network and a wireless network.
8. The network security guard of claim 6,
the second processor is provided with at least one data downloading interface;
the data downloading interface is used for connecting with a downloading interface provided by the data storage device.
9. The network security guard of claim 6,
the process of the command signal line applied to the first processor to generate data commands comprises:
the first processor representing a data command by one or more of a command signal line high, a command signal line low, or a combination of multiple command signal lines; and/or
The first processor represents a data command by presenting a signal of a particular frequency on a command signal line.
10. The network security guard of claim 6,
the data signal line is a unidirectional data signal line.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910926031.2A CN110677412A (en) 2019-09-27 2019-09-27 Network security protection method and device for data downloading

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910926031.2A CN110677412A (en) 2019-09-27 2019-09-27 Network security protection method and device for data downloading

Publications (1)

Publication Number Publication Date
CN110677412A true CN110677412A (en) 2020-01-10

Family

ID=69079613

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910926031.2A Pending CN110677412A (en) 2019-09-27 2019-09-27 Network security protection method and device for data downloading

Country Status (1)

Country Link
CN (1) CN110677412A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101131722A (en) * 2007-07-27 2008-02-27 中国人民解放军海军通信应用研究所 Protection system for computer and disk data security transmission
CN103986736A (en) * 2014-06-09 2014-08-13 中国商用飞机有限责任公司 Communication interface for network security protection and communication method
CN108040082A (en) * 2017-11-03 2018-05-15 长安大学 Connect equipment and data transmission method
CN108200020A (en) * 2017-12-21 2018-06-22 上海电机学院 A kind of industry big data safe transmission device and method



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200110