CN111818021A - Configuration information safety protection system and method based on new generation information technology - Google Patents

Info

Publication number
CN111818021A
Authority
CN
China
Prior art keywords
configuration
type
item
data packet
internet
Legal status
Granted
Application number
CN202010569231.XA
Other languages
Chinese (zh)
Other versions
CN111818021B (en)
Inventor
胡锦生
李国峰
熊雁
何茜
Current Assignee
Shenzhen Zhongchuangda Enterprise Consulting And Planning Co ltd
Original Assignee
Shenzhen Zhongchuangda Enterprise Consulting And Planning Co ltd
Application filed by Shenzhen Zhongchuangda Enterprise Consulting And Planning Co ltd
Priority to CN202010569231.XA
Publication of CN111818021A
Application granted
Publication of CN111818021B
Legal status: Active

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/20 for managing network security; network security policies in general
                    • H04L 63/04 for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L 63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                            • H04L 63/0435 wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
                • H04L 67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L 67/01 Protocols
                        • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
                    • H04L 67/2866 Architectures; Arrangements
                        • H04L 67/30 Profiles

Abstract

The invention provides a configuration information security protection system and method based on new-generation information technology. It adopts a configuration pool, a first pre-stored configuration set and a second pre-stored configuration set to pre-store the basic configuration items of a user, reads the basic configuration items according to the configuration password mapping, and at the same time uses front-end filtering equipment to filter data packets: a modified configuration file is judged to be a discarded data packet through the feigned 'mis-filtering' of the filtering equipment and is sent to a data packet discarding pool, thereby avoiding secondary theft before and after the front-end filtering equipment. Back-end filtering is then performed on the pooled data packets to monitor the feigned 'mis-filtering' of the front-end filtering equipment; the configuration files entering the pool are judged and rescued from the data packet discarding pool to the first data packet overwriter, their attributes are recovered, and they are sent to the internet of things nodes meeting the set requirement, so that higher encapsulation performance and security of the configuration files are achieved.

Description

Configuration information safety protection system and method based on new generation information technology
Technical Field
The invention belongs to the technical field of new-generation computer information technology, and in particular relates to a system architecture and a method for protecting the security of computer network configuration information, based on new-generation information technology.
Background
The internet of things is a new generation of information technology that is developing rapidly, and as its range of application keeps expanding, its security protection characteristics are receiving increasing attention.
The internet of things has gradually evolved into a complete information industry chain that integrates information and communication technologies (ICT) such as traditional networks, sensors, ad hoc wireless networks, pervasive computing and cloud computing.
The internet of things is a network that connects any article to the internet through information acquisition devices such as radio frequency identification (RFID), sensors, infrared sensors, global positioning systems and laser scanners, exchanging and communicating information according to an agreed protocol so as to realize intelligent identification, positioning, tracking, monitoring and management.
Internet of things security mainly belongs to the field of network security within information security, and particularly to wireless network security. Because the internet of things covers a very wide range and includes terminal systems (such as RFID, sensor nodes, database systems, servers and the like), other areas of information security, such as operating system security, software security and database security, are also involved.
The information security goals of the internet of things include the following. Authenticity: the source of information can be judged and information from a counterfeit source can be identified; this is also called identifiability. Confidentiality: confidential information is not eavesdropped on, or an eavesdropper cannot learn its true meaning. Integrity: the consistency of data is ensured and data is prevented from being tampered with by illegitimate users. Availability: legitimate users are not denied the use of information and resources. Non-repudiation: an effective accountability mechanism is established so that users cannot deny their actions. Controllability: the dissemination and content of information can be controlled.
Ubiquitous terminal equipment and facilities include sensors with 'internal intelligence', mobile terminals, industrial systems, building control systems, home intelligent systems, video monitoring systems and the like, as well as 'externally enabled' objects, for example assets tagged with RFID, intelligent objects or animals, intelligent dust, and individuals and vehicles carrying wireless terminals. Through various wireless and/or wired, long-distance and/or short-distance communication networks, these realize modes such as large-scale integration of internet interworking applications and SaaS operation based on cloud computing. Under intranet, private network and/or internet environments, and with an appropriate information security guarantee mechanism, they provide safe, controllable and personalized management and service functions such as real-time online monitoring, positioning and tracing, alarm linkage, scheduling and command, plan management, remote control, security precaution, remote maintenance, online upgrading, statistical reports, decision support and centralized display on a leadership desktop, so that integrated management, control and operation of all things, together with energy conservation, safety and environmental protection, are realized.
New-generation information technology builds on the rapid development of today's IT industry and points toward its future. Internet of things technology is especially prominent within it, combining computer technology, new-generation communication technology and the idea of universal interconnection.
The core components of the internet of things are internet of things devices, gateways and the cloud. Internet of things devices fall into two types: those that natively support TCP/IP and can access the internet of things directly, such as Wi-Fi devices and GPRS/3G/4G (and, soon, 5G) devices; and those that do not support the IP protocol and need a gateway (protocol conversion) to access the internet of things, such as Zigbee and Bluetooth devices. For Bluetooth devices, a handset is in fact the gateway.
The internet of things is one type of internet and has two communication modes, B/S and C/S. In the mobile internet field, an APP communicates with a server in C/S mode in the role of a client; WeChat is a super APP which, through its built-in browser programmed with H5, obtains the capability to operate hardware devices, so the communication mode of the WeChat hardware platform is B/S. The B/S technology of the mobile internet is no different from that of the traditional internet, and because the WeChat built-in browser supports H5, good platform extensibility can be obtained. We have recently focused on the internet of things based on the WeChat hardware platform, and have therefore described its evolution in terms of message push technology around the B/S model.
The technical architecture of the internet of things is divided into four layers: a perception layer, a transmission layer, a platform layer and an application layer. The perception layer mainly involves sensing equipment such as chips, modules and sensors, among which the wireless communication module is the key link connecting the perception layer with the network layer; the transmission layer is divided into short-range local area network transmission (Wi-Fi, Bluetooth, Zigbee and the like) and long-range wide area network transmission (NB-IoT, LoRa, 2G/4G/5G and the like); the platform layer is divided into a connection management platform, a device management platform, an application enablement platform and a business analysis platform; the application layer covers industries such as logistics, traffic, security and energy.
The mainstream sensing technology today is MEMS (micro-electro-mechanical systems), one of the most important forces driving the evolution of the internet of things. MEMS devices are independent intelligent systems with internal structures on the micrometer or even nanometer scale, and have the advantages of small volume, light weight, low power consumption, high precision and suitability for batch production. The MEMS industry is developing rapidly, and both the global and the Chinese markets are growing steadily.
RFID (radio frequency identification) provides an excellent channel for signal transmission between objects and between people and objects, and broadens the application scenarios of the internet of things. RFID can automatically identify a specific object and obtain related data through radio frequency signals, can identify high-speed moving objects and many tags at the same time, requires no contact, can work in a variety of harsh environments, and is an important supporting technology for the development of the internet of things.
The premise of the internet of things is that items must be uniquely addressable, and IPv6 makes this possible. IPv6 is the successor to version 4 of the internet protocol (IPv4). The existing IPv4 standard supports only about 4 billion (2^32) network addresses, on average less than one per person. IPv6 supports 2^128 (about 3.4 × 10^38) addresses, which is equivalent to 4.3 × 10^20 addresses per square inch of the earth's surface (6.7 × 10^17 addresses/mm²).
The rise of data analysis and the big data industry provides technical support for analysing and responding to the massive data collected by sensors, and is a key technology of the internet of things. Data analysis classifies, clusters, mines association rules from and makes predictions on the information acquired by sensors, so that data can be stored effectively, reasonable predictions can be made and the usability of the internet of things improves.
Security threats to the internet of things include the following. Threats to RFID: physical attack, channel attack, forgery attack, impersonation attack, duplication attack, replay attack and information tampering. Threats to wireless sensor networks: network node capture, common node capture, eavesdropping on sensing information, DoS attack, replay attack, integrity attack, false routing information, selective forwarding, sinkhole attack, Sybil attack, wormhole attack, HELLO flood, acknowledgement spoofing and large-scale node authentication. Security threats to mobile intelligent terminals: with the success and rapid development of mobile intelligent devices, the mobile intelligent devices represented by smartphones have become important components of the perception layer of the internet of things, and face security problems such as malicious software, botnets, operating system defects and privacy disclosure.
When the data transmission demands of internet of things nodes, which exist massively and in clusters, must be met, the core network is easily congested and denial of service results. Because networks with different architectures must interoperate in the transmission layer of the internet of things, the transmission layer faces problems such as cross-network authentication between heterogeneous networks, and may be subject to DoS attacks, man-in-the-middle attacks, asynchronous attacks, collusion attacks and the like.
At the application layer of the internet of things, a given industry or application must collect a large amount of private user data, such as health conditions, address books, travel routes and consumption habits, so the specific or general privacy protection problems of users must be considered for each industry or application. However, there is currently no unified standard for the construction of each subsystem, and problems of network convergence and of security when they are linked into one large network platform will inevitably arise in the future.
In the process of communicating with other modules, control terminals and nodes of the internet of things, the modules or nodes often need to be configured. In general, a configuration file is a good way to transfer configuration, but a considerable security threat also exists during the transfer of the configuration file.
Most of the computer programs we use, whether office suites, web browsers or even video games, are configured through a menu interface. It is almost the default way we use machines. But some programs require more than that: you actually have to edit a text file to make them run the way you want.
These text files, unsurprisingly, are called "configuration files". If you want to move from "user" to "super user", you need to know how to adjust them.
A configuration file is essentially a file, structured in a specific way, that contains the information needed to run a program successfully. These settings are not hard-coded into the program but are user-configurable, and are typically stored in a plain text file (although I have seen programs that use an SQLite database as their configuration file).
In the internet of things, configuration files can be introduced to configure a huge and distributed internet of things system.
For example, a remote configuration function is used in the internet of things so that configuration information such as the system parameters and network parameters of a device can be updated online and remotely without restarting the device or interrupting its operation.
In many scenarios, a developer needs to update the configuration information of a device, including its system parameters, network parameters, local policies and the like. Typically, the configuration information of the device is updated by a firmware upgrade. However, this increases the maintenance effort for firmware versions and requires the device to be taken out of service to complete the update. To solve these problems, the internet of things platform provides a remote configuration update function, with which the configuration information can be updated online without restarting the device or interrupting its operation.
However, compared with configuration file transfer in other prior-art systems, current configuration and configuration file transfer in the internet of things does not take higher security into account on the basis of distribution: the transfer mechanism of the configuration file is too mechanical, the configuration sources are mostly single or few, and various risks remain open to breach.
The invention provides a configuration information security protection system and method based on new-generation information technology. It adopts a configuration pool, a first pre-stored configuration set and a second pre-stored configuration set to pre-store the basic configuration items of a user, and reads them according to the configuration password mapping. During the transmission of configuration information on the internet of things platform, the configuration file is subjected to a secondary overwriting at the file level and a stretching at the data packet level; on top of the original security protection of the internet of things, this gives the configuration data a particularly good level of theft protection. After the second level of overwriting and the first level of stretching, front-end filtering equipment filters the data packets: the modified configuration files are judged to be discarded data packets through the feigned 'mis-filtering' of the filtering equipment and are sent to a data packet discarding pool, so that secondary theft before and after the front-end filtering equipment is avoided. Back-end filtering is then carried out on the pooled data packets to monitor the feigned 'mis-filtering' of the front-end filtering equipment; the configuration files entering the pool are judged and rescued from the data packet discarding pool to the first data packet overwriter, their attributes are recovered, and they are sent to the set of internet of things nodes meeting the set requirement, thereby realizing the safe transmission of the configuration files.
Thus, compared with the prior art, the processing of configuration information has the following advantages. Firstly, through the secondary overwriting of configuration files, more key system configurations are provided than in the configuration information of the ubiquitous internet of things, and the whole system configuration is carried out in the primary overwriting according to the requirements of users; moreover, the configuration information transmitted to the internet of things nodes is gathered through the second-level overwriting, so that the correlation of the configuration files is not lost and the data transmission risk is objectively reduced. Secondly, stretching at the data packet level is adopted, so that the configuration data packet is expanded in an 'error' mode and cannot be filtered by the filter; instead of being over-matched as in the prior art, the configuration file data packet is led into a bypass of the matching processing by a mechanism superior to the prior art. Thirdly, when the configuration data is discarded, a pooled cache is introduced and the pooled configuration data is rescued by the first data packet overwriter, that is, the data packet discarding pool is used for bypass transmission, which greatly reduces the probability of the configuration file being attacked or stolen and provides a unique persistent storage and bypass protection mechanism. Fourthly, a centralized configuration file is introduced for issuing in the processing of the first data packet overwriter, which reduces the energy consumption of the system and allows the related internet of things nodes and their configuration to be gathered. Fifthly, independent weight reconfiguration and web configuration modules are adopted to synthesize the basic configuration information, so that single control of the whole internet of things configuration iteration architecture by the internet of things cloud platform is avoided; three comprehensive management architectures are introduced to realize diversified, multi-parameter-set and multi-dimensional control of the initial configuration information, the dynamic integration and forwarding of configuration files under the distributed internet of things architecture of new-generation information technology are improved to a certain extent, and the security protection performance of the internet of things is better than in the prior art.
Disclosure of Invention
The present invention is directed to a system and method for securing configuration information based on a new generation of information technology, which is superior to the prior art.
In order to achieve the purpose, the technical scheme of the invention is as follows:
a configuration information security protection system based on new-generation information technology is provided, comprising the following modules:
the configuration pool is used for storing a first pre-stored configuration set and a second pre-stored configuration set, and combining each first pre-stored configuration set or the second pre-stored configuration set and each configuration password into one-to-one mapping in a relational database table form;
the first pre-stored configuration set is used for storing a pre-stored configuration set of a first user;
the second pre-stored configuration set is used for storing the pre-stored configuration set of the second user;
and the configuration password pre-fetching module is used for enabling the first user and the second user to pre-fetch the configuration password from the configuration password pre-fetching module and acquiring the corresponding preset first basic configuration and the second basic configuration from the configuration pool based on the configuration password.
the web configuration module is used for acquiring a first configuration item set by taking a web configuration page as a first entrance, wherein the web configuration page comes from an independent web configuration module and is controlled by a first user, and the first user sets the first configuration item set at least on the basis of the first basic configuration;
the Internet of things cloud platform acquires a second configuration item set by taking the system data as a second entrance;
the weight configuration module is used for acquiring a third configuration item set by taking weight configuration parameters as a third entrance, wherein the weight configuration parameters come from the independent weight configuration module and are controlled by a second user, the third configuration item set comprises the configuration weight factors of all configuration items obtained by configuring the weight parameters, and the second user sets the third configuration item set at least on the basis of the second basic configuration;
the internet of things cloud platform is further used for combining a first type configuration file Con-stream type 1 based on the first, second and third configuration item sets, wherein the first type configuration file at least comprises system data configuration items, web configuration items and the configuration weight factors of the configuration items;
the configuration weight factor of each configuration item may be a default; the default means that the weight factor is the preset system balance value rather than a value specified by the second user, and the preset system balance value is greater than 0 and less than 1;
a first configuration overwriter, which overwrites the first type configuration file Con-stream type 1 to obtain a second type configuration file Con-stream type 2;
the second configuration overwriter is used for gathering the second type configuration file Con-stream type 2 to obtain a gathered third type configuration file Con-stream type 3;
wherein the gathering process includes at least:
the method comprises the steps of collecting hierarchy identification correlation information of each internet of things node in the internet of things configuration safety protection system, grouping the hierarchy identification correlation information based on the correlation information, grouping N specific internet of things nodes into one group, setting a grouping identification set, and so on, and when less than N internet of things nodes are left, grouping the rest less than N specific internet of things nodes into one group, and setting a grouping identification set;
combining configuration files of the same group of Internet of things nodes into a third type configuration file Con-stream type 3; introducing a set grouping identification head for the third type configuration file;
transmitting the third type configuration file Con-stream type 3 to the front-end filtering equipment for filtering;
and the front-end filtering equipment filters the configuration file data packets and the common data packets, releases the common data packets, determines the third type configuration file data packets matched with the aggregation grouping identification heads as abnormal data packets when detecting the third type configuration file data packets matched with the aggregation grouping identification heads, filters the abnormal data packets to a data packet discarding pool, and simultaneously informs the data packet discarding pool of detecting the aggregation grouping identification heads.
The data packet discarding pool is used for carrying out persistence processing on the data packet of the third type configuration file with the detected aggregate grouping identification head and carrying out normal discarding logic processing on other discarded data packets;
the back-end filtering device is used for traversing the data packet discarding pool, acquiring a third type configuration file data packet stored persistently and transmitting the third type configuration file data packet to the first data packet overwriter;
the first data packet overwriter is used for reading a third type configuration file data packet and sending the third type configuration file data packet to the internet of things nodes corresponding to the third type configuration file data packet according to the set group identification contained in the set group identification head of the third type configuration file data packet;
and acquiring a third type configuration file data packet corresponding to the grouped internet of things nodes, reading a second type configuration file Con-stream type 2 corresponding to the third type configuration file data packet, and performing configuration updating iteration on the third type configuration file data packet according to each configuration item of the second type configuration file Con-stream type 2.
Preferably, the web configuration page is used as a first portal to obtain a first configuration item set, where the web configuration page is from an independent web configuration module and specifically includes:
displaying a web configuration page based on a preset code in a web configuration module, wherein the web configuration page at least comprises: a primary configuration page for indexing configuration items related to system settings;
the second-level configuration page is used for indexing configuration items related to the first user, and canceling the configuration items when the configuration items related to the first user conflict with the configuration items of the first-level configuration page;
the third-level configuration page is used for indexing configuration items related to filter filtering criteria, and canceling the configuration items when the configuration items related to the filter filtering criteria conflict with the configuration items of the second-level configuration page and the configuration items of the first-level configuration page;
the filter filtering criterion identification module is used for adding a front end identification or a back end identification to the configuration items related to the filter filtering criterion, and the identification is used for identifying that the corresponding filtering criterion should be configured to the front end filtering module or the back end filtering module.
Preferably, the system further comprises a second user, and the second user specifically is:
the system operation priority is higher than that of the first user, the second user can give a configuration weight factor to each configuration item based on the influence of each configuration item on the system performance, and the value of the configuration weight factor is larger than 0 and smaller than 1 so as to represent the influence degree of the corresponding configuration item on the system performance.
Preferably, the configuration weight factor of the third-level configuration page configuration item is always greater than or equal to the configuration weight factor of the second-level configuration page configuration item;
the configuration weight factor of the second-level configuration page configuration item is always larger than or equal to the configuration weight factor of the first-level configuration page configuration item.
Preferably, the first configuration overwriter introduces the update identification configuration item as a fourth-entry configuration item of the first type configuration file Con-stream type 1, and the update identification configuration item together with the first type configuration file Con-stream type 1 forms the second type configuration file Con-stream type 2.
The second type configuration file Con-stream type 2 at least contains system data configuration items, web configuration items, the update identification configuration item, and the configuration weight factor of each configuration item.
In addition, the invention further provides a configuration information security protection method based on a new generation information technology, which comprises the following steps:
step one: storing a first pre-stored configuration set and a second pre-stored configuration set in a configuration pool, and combining each first pre-stored configuration set or second pre-stored configuration set with a configuration password into a one-to-one mapping in the form of a relational database table;
storing a pre-stored configuration set of a first user by using a first pre-stored configuration set;
storing the pre-stored configuration set of the second user by using the second pre-stored configuration set;
and using a configuration password pre-fetching module to enable the first user and the second user to pre-fetch the configuration passwords from the configuration password pre-fetching module, and acquiring corresponding preset first basic configuration and second basic configuration from the configuration pool based on the configuration passwords.
Taking a web configuration page as a first entrance, acquiring a first configuration item set, wherein the web configuration page is from an independent web configuration module and is controlled by a first user, and the first user sets the first configuration item set at least based on first basic configuration;
step two: taking the system data as a second inlet, and acquiring a second configuration item set;
step three: using the weight configuration module, taking weight configuration parameters as a third entry to obtain a third configuration item set, wherein the weight configuration parameters come from the independent weight configuration module and are controlled by a second user, the third configuration item set comprises the configuration weight factors of all configuration items obtained by configuring the weight parameters, and the second user sets the third configuration item set at least based on the second basic configuration;
step four: combining a first type configuration file Con-stream type 1 based on the first configuration item set, the second configuration item set and the third configuration item set, wherein the first type configuration file at least comprises system data configuration items, web configuration items and the configuration weight factors of the configuration items;
the configuration weight factor of each configuration item may be a default; the default means that the weight factor is a preset system balance value rather than a value specified by the second user, and the preset system balance value is greater than 0 and less than 1;
step five: overwriting the first type configuration file Con-stream type 1 by using a first configuration overwriter to obtain a second type configuration file Con-stream type 2;
step six: using a second configuration overwriter to perform gathering processing on the second type configuration file Con-stream type 2 to obtain a gathered third type configuration file Con-stream type 3;
wherein the gathering process includes at least:
collecting the hierarchical identification correlation information of each internet of things node in the internet of things configuration security protection system, grouping the nodes based on that correlation information so that N specific internet of things nodes form one group with an aggregation grouping identification, and so on, and when fewer than N internet of things nodes remain, grouping the remaining fewer than N specific internet of things nodes into one group and setting an aggregation grouping identification;
combining the configuration files of the same group of internet of things nodes into a third type configuration file Con-stream type 3, and introducing an aggregation grouping identification head for the third type configuration file;
step seven: transmitting the third type configuration file Con-stream type 3 to the front-end filtering device for filtering;
step eight: the front-end filtering device filters configuration file data packets and common data packets, releasing the common data packets; when it detects a third type configuration file data packet matching the aggregation grouping identification head, it judges that packet to be an abnormal data packet, filters the abnormal data packet into the data packet discarding pool, and at the same time notifies the data packet discarding pool that the aggregation grouping identification head was detected;
step nine: the data packet discarding pool persists the third type configuration file data packets for which the aggregation grouping identification head was detected, and applies normal discarding logic to the other discarded data packets;
step ten: the back-end filtering equipment traverses the data packet discarding pool, acquires a third type configuration file data packet stored persistently and transmits the third type configuration file data packet to the first data packet overwriter;
step eleven: the first data packet overwriter reads a third type configuration file data packet, and sends the third type configuration file data packet to the internet of things nodes corresponding to the third type configuration file data packet according to the set grouping identification contained in the set grouping identification head of the third type configuration file data packet;
step twelve: and the correspondingly grouped Internet of things nodes acquire a third type configuration file data packet, read a second type configuration file Con-stream type 2 corresponding to the third type configuration file data packet, and perform configuration updating iteration on the nodes according to each configuration item of the second type configuration file Con-stream type 2.
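Steps seven to twelve describe a packet pipeline: a front-end filter that deliberately "mis-filters" packets carrying the aggregation grouping identification head into a discarding pool, a pool that persists only those packets, a back-end filter that traverses the pool, a first data packet overwriter that routes by grouping identification, and nodes that iterate their configuration from the recovered Con-stream type 2. The following is an added example of that exchange written for this page; it is not the patent's code. The packet framing is constructed: a two-byte field start marker 0xCC1C (the value the page later gives as an example), one byte of aggregation grouping identification, then a JSON payload mapping node identification to its second type configuration file. The blocked-source criterion, the node identifications other than the one quoted on the page, and the sample packets are constructed.

```python
"""Constructed simulation of steps seven to twelve (front-end filter, discard
pool, back-end filter, first data packet overwriter, node update)."""
import json

GROUP_HEADER_MARK = b"\xcc\x1c"  # aggregation grouping identification head start (page example value)


def make_type3_packet(group_id, profiles_by_node):
    """Constructed Con-stream type 3 packet: marker + 1-byte group id + JSON map node -> type-2 profile."""
    return GROUP_HEADER_MARK + bytes([group_id]) + json.dumps(profiles_by_node).encode()


def has_group_header(packet):
    """Detection used by the front-end filter: marker present and a group id byte follows."""
    return packet[:2] == GROUP_HEADER_MARK and len(packet) > 3


class DiscardPool:
    """Step nine: packets flagged as carrying the grouping head are persisted;
    everything else follows the normal discard logic (here: counted and dropped)."""

    def __init__(self):
        self.persisted = []
        self.dropped = 0

    def accept(self, packet, header_detected):
        if header_detected:
            self.persisted.append(packet)
        else:
            self.dropped += 1


def front_end_filter(packets, pool, blocked_prefix=b"SRC:unknown"):
    """Step eight.  Common packets are released unless they match an ordinary
    filter criterion (constructed here as a blocked source prefix).  A packet
    matching the aggregation grouping head is treated as abnormal, sent to the
    pool, and the pool is told that the head was detected."""
    released = []
    for pkt in packets:
        if has_group_header(pkt):
            pool.accept(pkt, header_detected=True)
        elif pkt.startswith(blocked_prefix):
            pool.accept(pkt, header_detected=False)
        else:
            released.append(pkt)
    return released


def back_end_filter(pool):
    """Step ten: traverse the pool and hand the persisted type-3 packets onward."""
    packets, pool.persisted = pool.persisted, []
    return packets


def packet_overwriter(packet, group_table):
    """Step eleven: read the grouping identification and deliver each node's
    second type configuration file only to nodes registered for that group."""
    group_id = packet[2]
    profiles = json.loads(packet[3:].decode())
    return {node: profiles[node] for node in group_table.get(group_id, []) if node in profiles}


def node_update(node_config, type2_profile):
    """Step twelve: the node iterates its configuration from Con-stream type 2."""
    updated = dict(node_config)
    updated.update(type2_profile)
    return updated


def demo():
    """Constructed end-to-end run; returns (released packets, normal-discard count, node configs)."""
    type2 = {
        "VLAN201175-HOMECARE-USER3-MAC19084375": {"report_interval_s": 30, "UPDATE-ID": "FAULT-LOSS-ACTIVE"},
        "VLAN201175-HOMECARE-USER4-MAC19084376": {"report_interval_s": 45},  # constructed node id
    }
    group_table = {7: list(type2)}  # aggregation group 7 -> its member nodes (constructed)
    packets = [
        b"SRC:sensor12 telemetry 21.5C",  # common packet, released
        make_type3_packet(7, type2),      # configuration packet, mis-filtered on purpose
        b"SRC:unknown probe",             # matches an ordinary criterion, normal discard
    ]
    pool = DiscardPool()
    released = front_end_filter(packets, pool)
    nodes = {n: {"report_interval_s": 60} for n in type2}
    for pkt in back_end_filter(pool):
        for node, profile in packet_overwriter(pkt, group_table).items():
            nodes[node] = node_update(nodes[node], profile)
    return released, pool.dropped, nodes
```

The routing in `packet_overwriter` is keyed on group membership rather than on whatever node names the payload carries, so a payload entry for a node outside the group is never delivered; that is the check a defender would want at the point where the pool's contents re-enter the network.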
Preferably, using the web configuration page as the first entry to obtain the first configuration item set, where the web configuration page comes from an independent web configuration module, specifically includes:
displaying a web configuration page based on preset code in the web configuration module, wherein the web configuration page at least comprises: a first-level configuration page for indexing configuration items related to system settings;
a second-level configuration page for indexing configuration items related to the first user, a configuration item being cancelled when it conflicts with a configuration item of the first-level configuration page;
a third-level configuration page for indexing configuration items related to filter filtering criteria, a configuration item being cancelled when it conflicts with a configuration item of the second-level or first-level configuration page;
and a filter filtering criterion identification module for adding a front-end identification or a back-end identification to the configuration items related to the filter filtering criteria, the identification indicating whether the corresponding filtering criterion should be configured on the front-end filtering module or the back-end filtering module.
Preferably, the second user is specifically:
a user whose system operation priority is higher than that of the first user; the second user can assign a configuration weight factor to each configuration item based on the influence of that configuration item on system performance, and the value of the configuration weight factor is greater than 0 and less than 1 so as to represent the degree of influence of the corresponding configuration item on system performance.
Preferably, the configuration weight factor of the third-level configuration page configuration item is always greater than or equal to the configuration weight factor of the second-level configuration page configuration item;
the configuration weight factor of the second-level configuration page configuration item is always larger than or equal to the configuration weight factor of the first-level configuration page configuration item.
Preferably, the first configuration overwriter introduces the update identification configuration item as a fourth-entry configuration item of the first type configuration file Con-stream type 1, and the update identification configuration item together with the first type configuration file Con-stream type 1 forms the second type configuration file Con-stream type 2.
The second type configuration file Con-stream type 2 at least contains system data configuration items, web configuration items, the update identification configuration item, and the configuration weight factor of each configuration item.
The invention provides a configuration information security protection system and method based on a new generation of information technology. In the configuration information transmission process of an internet of things platform, the configuration file undergoes two levels of overwriting and packet-level stretching, which provides a particularly good security level against theft of configuration data on top of the original internet of things security protection. At the same time, a front-end filtering device performs packet filtering after the second-level overwriting and first-level stretching: through the feigned "error filtering" of the filtering device, the reconstructed configuration file is judged to be a packet to discard and is sent to the data packet discarding pool, so that secondary theft before and after the front-end filtering device is avoided. The pooled data packets are then filtered at the back end, which monitors the feigned "error filtering" of the front-end filtering device, judges the configuration files that entered the pool, rescues them from the data packet discarding pool into the first data packet overwriter, restores the attributes of the configuration files and sends them to the aggregated set of internet of things nodes meeting the grouping requirement, thereby realizing secure transmission of the configuration files.
Compared with the prior art, the invention thus offers the following improvements. First, through two-level overwriting of the configuration file, more key system configurations are provided than in the configuration information of the ubiquitous internet of things, and the first-level overwriting configures the whole system according to the user's requirements; moreover, the aggregated second-level overwriting gathers the configuration information transmission of the internet of things nodes, so that the correlation of the configuration files is not lost and the data transmission risk is objectively reduced.
Second, packet-level stretching is adopted so that the configuration data packet is expanded in an "erroneous" form and cannot pass the filter; instead of being over-matched as in the prior art, the configuration file data packet is led into a bypass of the matching process by a mechanism superior to the prior art.
Third, when the configuration data is discarded, a pooled cache is introduced and the pooled configuration data is rescued by the first data packet overwriter, that is, the data packet discarding pool is used for bypass transmission, which greatly reduces the probability of the configuration file being attacked or stolen and provides a unique persistent storage and bypass protection mechanism.
Fourth, the aggregated configuration file is issued during the processing of the first data packet overwriter, which reduces the energy consumption of the system and gathers the related internet of things nodes and their configurations.
Fifth, the independent weight configuration module and the web configuration module together synthesize the basic configuration information, so that sole control of the internet of things cloud platform over the whole internet of things configuration iteration architecture is avoided; three comprehensive management architectures are introduced to realize diversified, multi-parameter-set and multi-dimensional control of the initial configuration information, providing an improvement over the prior art, with definite progress, for the dynamic integration and forwarding of configuration files under the distributed internet of things architecture of the new generation information technology.
Drawings
FIG. 1 is a basic system level block diagram illustrating a configuration information security method and system based on a new generation of information technology;
FIG. 2 is a basic block diagram illustrating one embodiment of a configuration information security protection method based on a new generation information technology;
FIG. 3 is a diagram illustrating a preferred embodiment of the update identification configuration item in the configuration information security protection method and system based on new generation information technology according to the present invention;
FIG. 4 is a diagram illustrating another preferred embodiment of the configuration information security protection method and system based on new generation information technology according to the present invention;
FIG. 5 is a schematic diagram of a preferred embodiment of a typical database table of a password prefetching module in the configuration information security protection method and system based on the new generation information technology.
Detailed Description
Several embodiments and benefits of the configuration information security protection method and system based on new generation information technology as claimed in the present invention are described in detail below to facilitate more detailed examination and decomposition of the present invention.
For better understanding of the technical solutions of the present invention, the following detailed descriptions of the embodiments of the present invention are provided with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the examples of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be understood that the term "and/or" as used herein is merely one type of association that describes an associated object, meaning that three relationships may exist, e.g., a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
It should be understood that although the terms first, second, etc. may be used in embodiments of the invention to describe methods and corresponding apparatus, these keywords should not be limited to these terms. These terms are only used to distinguish keywords from each other. For example, without departing from the scope of the embodiments of the present invention, the first portal, the first configuration item set, and the first type profile may also be referred to as the second portal, the second configuration item set, and the second type profile, and similarly, the second portal, the second configuration item set, and the second type profile may also be referred to as the first portal, the first configuration item set, and the first type profile.
The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination" or "in response to a detection", depending on the context. Similarly, the phrases "if determined" or "if detected (a stated condition or event)" may be interpreted as "when determined" or "in response to a determination" or "when detected (a stated condition or event)" or "in response to a detection (a stated condition or event)", depending on the context.
As shown in FIG. 1, the configuration information security protection system based on a new generation information technology according to one embodiment of the present invention includes:
the configuration pool is used for storing a first pre-stored configuration set and a second pre-stored configuration set, and combining each first pre-stored configuration set or the second pre-stored configuration set and each configuration password into one-to-one mapping in a relational database table form;
the first pre-stored configuration set is used for storing a pre-stored configuration set of a first user;
as a superimposable preferred embodiment, the first pre-stored configuration set may be pre-stored in the configuration pool by the first user according to the usage habit and the comparison result between the current performance and the historical performance of the system, and between the current available configuration item and the historical configuration item of the system, and highlight a portion of the configuration item that is inconsistent with the current system configuration item, and store the portion of the configuration item in the configuration pool, and perform configuration by using a rapid deployment manner, where the rapid deployment may be any one of rapid deployment methods that are consistent with the environment of the internet of things in the prior art, and details thereof are not repeated.
The second pre-stored configuration set is used for storing the pre-stored configuration set of the second user;
as a superimposable preferred embodiment, the second pre-stored configuration set may be pre-stored in the configuration pool by the second user according to the usage habit and the comparison result between the current performance and the historical performance of the system, and between the current available configuration item and the historical configuration item of the system, and highlight a portion of the configuration item that is inconsistent with the current system configuration item, and store the portion of the configuration item in the configuration pool, and perform configuration by using a rapid deployment manner, where the rapid deployment may be any one of rapid deployment methods that are consistent with the environment of the internet of things in the prior art, and details thereof are not repeated.
And the configuration password pre-fetching module is used for enabling the first user and the second user to pre-fetch the configuration password from the configuration password pre-fetching module and acquiring the corresponding preset first basic configuration and the second basic configuration from the configuration pool based on the configuration password.
The configuration password can be in one-to-one correspondence with the first configuration or the second configuration, so that a user acquires the configuration password from the configuration password pre-fetching module, acquires corresponding preset basic configuration from the configuration pool based on the configuration password, and further, the preset first/second basic configuration is used as a configuration basis to obtain a first configuration item set or a third configuration item set.
The Web configuration module is used for acquiring a first configuration item set by taking a Web configuration page as a first entrance, wherein the Web configuration page is from an independent Web configuration module and is controlled by a first user, and the first user sets the first configuration item set at least based on first basic configuration;
the Internet of things cloud platform acquires a second configuration item set by taking the system data as a second entrance;
the weight configuration module is used for taking weight configuration parameters as a third inlet to obtain a third configuration item set, wherein the weight configuration parameters are from the independent weight configuration module and are controlled by a second user, the third configuration item set comprises configuration weight factors of all configuration items obtained by configuring the weight parameters, and the second user sets the third configuration item set at least based on second basic configuration;
the internet of things cloud platform is further used for combining a first type configuration file Con-stream type 1 based on the first configuration item set, the second configuration item set and the third configuration item set, wherein the first type configuration file at least comprises system data configuration items, web configuration items and the configuration weight factors of the configuration items;
the configuration weight factor of each configuration item can be a default, the default represents that the weight factor is a preset system balance value, but not specified by a second user, and the value of the preset system balance value is greater than 0 and less than 1;
as a preferred embodiment, which can be overlaid, a web configuration module is used as a bearer module for the web configuration page and is controlled by the first user. Preferably, the first user may be a dynamic user of the configuration information security protection system, that is, the first user only occupies the configuration information security protection system of the present application for system configuration in this use or in subsequent, recent, and nearby uses, and becomes invalid after the registration/validity/availability period of the first user expires. The failure may be a failure of the identity of the first user, or a failure of the configuration of the first user, a configuration implemented by the first user, a last configuration of the first user, or a number of configurations of the first user.
As another stackable preferred embodiment, a web configuration page is presented in the web configuration module based on preset codes, and the web configuration page at least includes: a primary configuration page for indexing configuration items related to system settings;
the second-level configuration page is used for indexing configuration items related to the first user, and canceling the configuration items when the configuration items related to the first user conflict with the configuration items of the first-level configuration page;
the third-level configuration page is used for indexing configuration items related to filter filtering criteria, and canceling the configuration items when the configuration items related to the filter filtering criteria conflict with the configuration items of the second-level configuration page and the configuration items of the first-level configuration page;
the filter filtering criterion identification module is used for adding a front end identification or a back end identification to the configuration items related to the filter filtering criterion, and the identification is used for identifying that the corresponding filtering criterion should be configured to the front end filtering module or the back end filtering module.
As another stackable preferred embodiment, a third configuration item set is obtained for the third entry by using a weight configuration parameter, where the weight configuration parameter is from an independent weight configuration module and is controlled by the second user, the third configuration item set includes configuration weight factors obtained by configuring the weight parameter for each configuration item, and the configuration weight factors represent weight trends of the second user in performing weight configuration on each configuration item. The configuration weight factor and the configuration weight parameter should be values greater than 0 and less than 1, wherein the configuration weight parameter is used as an input parameter of the second user, and the configuration weight factor exists as a target configuration weight index obtained by the second user through the configuration weight module, and is obtained based on the configuration weight parameter. The configuration weight factor of each configuration item can be a default, the default represents that the weight factor is a preset system balance value, but not specified by a second user, and the value of the preset system balance value is greater than 0 and less than 1.
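The three-level web configuration page, the front-end/back-end identification of filter criteria, the weight factor constraints and the assembly of Con-stream type 1 are described above in prose only. The following is an added example, not the patent's code, that implements those rules together: lower-level page items that conflict with higher-level items are cancelled, level-3 items receive a front or back identification, weight factors are checked to lie in (0, 1) with defaults replaced by a system balance value, and the level ordering is checked as "every level-3 factor is at least every level-2 factor, which is at least every level-1 factor". The item names, values, filter-end table, the balance value 0.5 and the dictionary layout of the type-1 file are assumptions made for the illustration.

```python
"""Three-level web configuration entry, filter-end identification, weight
factors and assembly of Con-stream type 1 (constructed illustration)."""
from dataclasses import dataclass
from typing import Optional

SYSTEM_BALANCE = 0.5  # assumed preset system balance value (page: 0 < value < 1)


@dataclass
class ConfigItem:
    key: str
    value: str
    level: int                      # 1 system settings, 2 first-user items, 3 filter criteria
    filter_end: str = ""            # "front" or "back", filled in for level-3 items
    weight: Optional[float] = None  # configuration weight factor; None = default


def index_web_pages(level1, level2, level3):
    """First entry: index the three pages in priority order.  An item on a
    lower page whose key is already indexed from a higher page is cancelled,
    so level 2 yields to level 1 and level 3 to both."""
    kept, cancelled = {}, []
    for page in (level1, level2, level3):
        for item in page:
            if item.key in kept:
                cancelled.append(item)
            else:
                kept[item.key] = item
    return list(kept.values()), cancelled


def tag_filter_criteria(items, filter_end_table):
    """Filter filtering criterion identification module: every level-3 item
    gets a front-end or back-end identification from the (constructed) table,
    so the criterion is later configured on the right filtering device."""
    for item in items:
        if item.level == 3:
            end = filter_end_table.get(item.key)
            if end not in ("front", "back"):
                raise ValueError(f"no front/back identification for {item.key}")
            item.filter_end = end
    return items


def check_weights(items):
    """Third entry validation: factors lie in (0, 1), defaults take the system
    balance value, and factors never decrease from level 1 to level 3.
    Returns a list of violations (empty when the set is consistent)."""
    problems = []
    for item in items:
        if item.weight is None:
            item.weight = SYSTEM_BALANCE
        elif not 0 < item.weight < 1:
            problems.append(f"{item.key}: weight {item.weight} outside (0, 1)")
    by_level = {lvl: [i.weight for i in items if i.level == lvl] for lvl in (1, 2, 3)}
    for low, high in ((1, 2), (2, 3)):
        if by_level[low] and by_level[high] and min(by_level[high]) < max(by_level[low]):
            problems.append(f"a level {high} factor is below a level {low} factor")
    return problems


def build_con_stream_type1(web_items, system_data):
    """Combine the entries: system data items (second entry), web items (first
    entry) and a configuration weight factor for every item (third entry);
    system data items carry the default balance value."""
    weights = {key: SYSTEM_BALANCE for key in system_data}
    weights.update({i.key: i.weight for i in web_items})
    return {
        "system_data": dict(system_data),
        "web": {i.key: i.value for i in web_items},
        "filter_end": {i.key: i.filter_end for i in web_items if i.level == 3},
        "weights": weights,
    }


def demo():
    """Constructed sample run; returns (type-1 file, cancelled keys, weight problems)."""
    level1 = [ConfigItem("log_level", "warn", 1, weight=0.2),
              ConfigItem("mtu", "1500", 1, weight=0.3)]
    level2 = [ConfigItem("log_level", "debug", 2, weight=0.4),      # conflicts with level 1
              ConfigItem("report_interval_s", "60", 2, weight=0.5)]
    level3 = [ConfigItem("drop_unknown_src", "on", 3, weight=0.7),
              ConfigItem("mtu", "9000", 3, weight=0.9)]             # conflicts with level 1
    web_items, cancelled = index_web_pages(level1, level2, level3)
    tag_filter_criteria(web_items, {"drop_unknown_src": "front"})
    problems = check_weights(web_items)
    con1 = build_con_stream_type1(web_items, {"node_count": "12", "uptime_s": "86400"})
    return con1, [c.key for c in cancelled], problems
```

Cancellation is decided on the item key alone, which is what the page describes; if a deployment needs finer conflict rules (for example, only when values differ) they belong in `index_web_pages`, and `check_weights` should be run before the file leaves the weight configuration module so the second user sees the violation rather than the nodes.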
A first configuration overwriter, which overwrites the first type configuration file Con-stream type 1 to obtain a second type configuration file Con-stream type 2;
the second configuration overwriter is used for performing gathering processing on the second type configuration file Con-stream type 2 to obtain a gathered third type configuration file Con-stream type 3;
wherein the gathering process includes at least:
collecting the hierarchical identification correlation information of each internet of things node in the internet of things configuration security protection system, grouping the nodes based on that correlation information so that N specific internet of things nodes form one group with an aggregation grouping identification, and so on, and when fewer than N internet of things nodes remain, grouping the remaining fewer than N specific internet of things nodes into one group and setting an aggregation grouping identification;
combining the configuration files of the same group of internet of things nodes into a third type configuration file Con-stream type 3, and introducing an aggregation grouping identification head for the third type configuration file;
As a superimposable preferred embodiment, the second configuration overwriter further adds an aggregation grouping identification head to the third type configuration file data packet, where the aggregation grouping identification head comprises a specific aggregation grouping identification that identifies the aggregation group of the third type configuration file. Preferably, the aggregation grouping identification head is a specific field of the packet header with a fixed length, for example 8 bits, and a specific field start character, such as 0xCC1C, may be used to mark the field.
As a stackable preferred embodiment, in the configuration iteration framework of the internet of things, every internet of things node is given an identification, that is, each internet of things node is characterized by an internet of things node identification; as another stackable preferred embodiment, the internet of things node identification is a hierarchical identification comprising the following levels: the virtual subnet identifier to which the internet of things node belongs - the internet of things node type identifier - the internet of things node user identifier - the internet of things node network access identifier. As mentioned above, these identifiers may be defined by the system when the internet of things device joins the configuration iteration framework, or may be set at the factory. For example, the hierarchical identification of a smart home device is: VLAN201175-HOMECARE-USER3-MAC19084375, where the virtual subnet identifier is VLAN201175, the internet of things node type identifier is HOMECARE, the internet of things node user identifier is USER3, and the internet of things node network access identifier is MAC19084375. Other internet of things systems and nodes may use similar hierarchical identification.
As a superimposable preferred embodiment, the hierarchical identifications of the multiple internet of things nodes are subjected to text relevance matching, from which a relevance ranking of the internet of things nodes is obtained; the text relevance algorithm belongs to the prior art, is not the focus of the present invention and is not described again here, and any mature text relevance algorithm of the prior art can be used. After ranking, a device and the N-1 devices whose hierarchical identifications are most relevant to it form an aggregation group; if any of those N-1 devices has already been added to another group, it is removed and the next device in relevance order is added instead, and so on; when fewer than N internet of things nodes remain, the remaining fewer than N internet of things nodes are divided into one group, until no device remains to be added to any group.
An aggregation grouping identification is determined for each aggregation group, and each internet of things node and the overwriter module are notified of it.
As a stackable preferred embodiment, the device that actively initiates the correlation calculation may be all the internet of things node devices, or may be part of the internet of things node devices designated, preset, or set according to priority, or a device selected according to a certain algorithm.
In addition, as a superimposable preferred embodiment, the configuration files of the same group of internet of things nodes are combined into a third type configuration file Con-stream type 3, specifically: the second type configuration files are merged using a conventional small-file merging method of the prior art, and the third type configuration file Con-stream type 3 is obtained without changing the attributes of the configuration items; that is, the third type configuration file Con-stream type 3 is in fact an aggregated configuration file of the second type configuration files, carries the entire content of the second type configuration files of the internet of things node group with hierarchical identification correlation, and may be encrypted to some extent.
Alternatively, each second type configuration file is coded and encrypted and then added as a separate load part to the load of the third type configuration file Con-stream type 3, the parts being separated by a specific isolation field. The encryption is symmetric encryption; the encryption key and encryption algorithm are preset for the system and known to the first packet overwriter and to each internet of things node, so that the encrypted content can be decoded and restored in the first packet overwriter and in each internet of things node after being obtained from the load field of the third type configuration file Con-stream type 3.
And reserving the mapping relation between each second type configuration file and the configuration item and the corresponding Internet of things node.
Transmitting the third type configuration file Con-stream type3 to front-end filtering equipment for filtering;
the first, second and third type profiles may be packaged into corresponding data packets and may be sub-packaged according to related technical conditions and implementation criteria in the prior art based on the size of the MTU, and the first, second and third type profiles may have independent file identifications or set identifications (e.g., third type profile) and be named as Con-stream type 1, Con-stream type 2 and Con-stream type3, respectively.
As a superimposable preferred embodiment, the first type configuration file Con-stream type 1 contains at least a system data configuration item, a web configuration item, and the configuration weight factors of the respective configuration items. The first configuration overwriter adds an update identification configuration item on the basis of the first type configuration file Con-stream type 1. The update identification configuration item represents a configuration item that needs real-time updating; it is preset in the first configuration overwriter by the framework system and has the following characteristics: 1. it differs from the system configuration items acquired from the internet of things cloud platform and is a configuration item that the user needs to monitor specifically, that is, a configuration item specified by the user that relates to the real-time performance or processing of the system; 2. it may still be updated while the configuration file is being transferred. For example, a fault rate configuration item FAULT-LOSS-ACTIVE is implemented for monitoring the overall instantaneous fault probability of the system; its basic calculation is 1 minus the product of the real-time non-fault probabilities of the basic modules, and the configuration item must be updated continuously because the basic modules of the system may go online or offline, be recombined or be replaced. Thus, in the first configuration overwriter, the update identification configuration item is introduced as the fourth entry configuration item of the first type configuration file Con-stream type 1 and, together with the first type configuration file Con-stream type 1, forms the second type configuration file Con-stream type 2.
As a superimposable preferred embodiment, the second type configuration file Con-stream type 2 contains at least a system data configuration item, a web configuration item, an update identification configuration item, and the configuration weight factors of the respective configuration items.
In addition, typically, the second configuration overwriter may collect the hierarchical identifier correlation information of each internet of things node in the internet of things configuration security protection system, aggregate and group the internet of things nodes on the basis of that correlation information, placing N specific internet of things nodes into one group and setting an aggregation grouping identifier, and so on; when fewer than N internet of things nodes remain, the remaining fewer-than-N nodes are placed into one group and an aggregation grouping identifier is set for them. The configuration files of the same group of internet of things nodes are then combined into a third type configuration file Con-stream type 3. After combination, the correspondence between the second type configuration file of each internet of things node in the group and the identifier of that node is retained, and an aggregation grouping identification head is introduced into the third type configuration file.
The front-end filtering device filters the configuration file data packets and the ordinary data packets: ordinary data packets are released; when a third type configuration file data packet matching the aggregation grouping identification head is detected, it is determined to be an abnormal data packet and filtered into a data packet discard pool, and the data packet discard pool is at the same time informed that the aggregation grouping identification head has been detected.
The data packet discard pool performs persistence processing on the third type configuration file data packets for which the aggregation grouping identification head was detected, and applies the normal discard logic to the other discarded data packets;
the back-end filtering device traverses the data packet discard pool, obtains the persistently stored third type configuration file data packets and transmits them to the first data packet overwriter;
the first data packet overwriter reads a third type configuration file data packet and sends it to the internet of things nodes of the group named by the aggregation grouping identifier contained in its aggregation grouping identification head;
the internet of things nodes of that group obtain the third type configuration file data packet and read the second type configuration file Con-stream type 2 that corresponds to them. In a specific embodiment the configuration file may be decrypted at this point according to the decryption key and decryption algorithm negotiated by the system (if it was not decrypted before, or was encrypted again), and each node matches its own internet of things node identifier against the second type configuration file corresponding to that identifier in the decrypted group of second type configuration files. Each node then performs a configuration update iteration on its own configuration file according to the configuration items of the second type configuration file Con-stream type 2.
As a superimposable preferred embodiment, the method takes a web configuration page as the first entry to obtain the first configuration item set, where the web configuration page comes from an independent web configuration module, specifically:
a web configuration page is displayed in the web configuration module on the basis of preset code, and the web configuration page comprises at least: a first-level configuration page for indexing configuration items related to system settings;
a second-level configuration page for indexing configuration items related to the first user, where a configuration item related to the first user is cancelled when it conflicts with a configuration item of the first-level configuration page;
a third-level configuration page for indexing configuration items related to the filter filtering criteria, where a configuration item related to the filter filtering criteria is cancelled when it conflicts with a configuration item of the second-level or first-level configuration page;
and a filter filtering criterion identification module for adding a front-end identifier or a back-end identifier to the configuration items related to the filter filtering criteria, the identifier indicating whether the corresponding filtering criterion should be configured on the front-end filtering module or on the back-end filtering module.
As another superimposable preferred embodiment, the system further includes a second user, where the second user is specifically:
a user whose system operation priority is higher than that of the first user; the second user can assign a configuration weight factor to each configuration item on the basis of that item's influence on system performance, and the value of the configuration weight factor is greater than 0 and less than 1 so as to represent the degree of influence of the corresponding configuration item on system performance.
As another superimposable preferred embodiment, the configuration weight factor of a third-level configuration page configuration item is always greater than or equal to the configuration weight factor of a second-level configuration page configuration item;
and the configuration weight factor of a second-level configuration page configuration item is always greater than or equal to the configuration weight factor of a first-level configuration page configuration item.
As another superimposable preferred embodiment, the first configuration overwriter introduces the update identification configuration item as the fourth entry configuration item of the first type configuration file Con-stream type 1, which together with the first type configuration file Con-stream type 1 forms the second type configuration file Con-stream type 2.
The second type configuration file Con-stream type 2 contains at least a system data configuration item, a web configuration item, an update identification configuration item, and the configuration weight factor of each configuration item.
Referring to fig. 2, fig. 2 of the specification shows a basic block diagram of an embodiment of the configuration information security protection method based on the new generation information technology. The method comprises the following steps:
S102: a configuration pool stores a first pre-stored configuration set and a second pre-stored configuration set, and each first or second pre-stored configuration set is combined with its configuration password into a one-to-one mapping in the form of a relational database table;
the first pre-stored configuration set stores the pre-stored configuration set of the first user;
the second pre-stored configuration set stores the pre-stored configuration set of the second user;
and a configuration password pre-fetching module allows the first user and the second user to pre-fetch configuration passwords from it and, on the basis of those configuration passwords, obtain the corresponding preset first basic configuration and second basic configuration from the configuration pool.
The configuration password can correspond one-to-one with the first configuration or the second configuration, so that a user obtains a configuration password from the configuration password pre-fetching module, obtains the corresponding preset basic configuration from the configuration pool on the basis of that password, and then uses the preset first or second basic configuration as the configuration basis from which the first configuration item set or the third configuration item set is obtained.
A web configuration page is taken as the first entry to obtain the first configuration item set, where the web configuration page comes from an independent web configuration module and is controlled by the first user, and the first user sets the first configuration item set at least on the basis of the first basic configuration;
as a superimposable preferred embodiment, a web configuration module serves as the bearer module of the web configuration page and is controlled by the first user. Preferably, the first user may be a dynamic user of the configuration information security protection system, that is, the first user occupies the configuration information security protection system of the present application for system configuration only during this use, or during subsequent, recent or nearby uses, and becomes invalid after the registration, validity or availability period of the first user expires. The invalidation may be invalidation of the identity of the first user, or of the configuration of the first user, a configuration implemented by the first user, the last configuration of the first user, or a number of configurations of the first user.
As another superimposable preferred embodiment, a web configuration page is displayed in the web configuration module on the basis of preset code, and the web configuration page comprises at least: a first-level configuration page for indexing configuration items related to system settings;
a second-level configuration page for indexing configuration items related to the first user, where a configuration item related to the first user is cancelled when it conflicts with a configuration item of the first-level configuration page;
a third-level configuration page for indexing configuration items related to the filter filtering criteria, where a configuration item related to the filter filtering criteria is cancelled when it conflicts with a configuration item of the second-level or first-level configuration page;
and a filter filtering criterion identification module for adding a front-end identifier or a back-end identifier to the configuration items related to the filter filtering criteria, the identifier indicating whether the corresponding filtering criterion should be configured on the front-end filtering module or on the back-end filtering module.
As another superimposable preferred embodiment, the third configuration item set is obtained for the third entry by using a weight configuration parameter, where the weight configuration parameter comes from an independent weight configuration module and is controlled by the second user. The third configuration item set comprises the configuration weight factors obtained by configuring the weight parameter for each configuration item, and the configuration weight factors represent the weighting tendency of the second user when performing the weight configuration of each configuration item. Both the configuration weight factor and the configuration weight parameter are values greater than 0 and less than 1: the configuration weight parameter serves as the input parameter of the second user, while the configuration weight factor is the target configuration weight index that the second user obtains through the weight configuration module, derived from the configuration weight parameter. The configuration weight factor of each configuration item may be a default; a default means that the weight factor is a preset system balance value, not one specified by the second user, and the value of the preset system balance value is greater than 0 and less than 1.
As a superimposable preferred embodiment, the first pre-stored configuration set may be pre-stored in the configuration pool by the first user according to usage habits and according to a comparison of the current performance of the system with its historical performance and of the currently available configuration items with the historical configuration items; the portion of the configuration items that is inconsistent with the current system configuration items is highlighted and stored in the configuration pool, and configuration is performed by rapid deployment, where the rapid deployment may be any rapid deployment method of the prior art suited to the internet of things environment, the details of which are not repeated.
As a superimposable preferred embodiment, the second pre-stored configuration set may be pre-stored in the configuration pool by the second user in the same way: according to usage habits and according to a comparison of the current performance of the system with its historical performance and of the currently available configuration items with the historical configuration items, the portion of the configuration items that is inconsistent with the current system configuration items is highlighted and stored in the configuration pool, and configuration is performed by rapid deployment, where the rapid deployment may be any rapid deployment method of the prior art suited to the internet of things environment, the details of which are not repeated.
The system data is taken as the second entry to obtain the second configuration item set;
the weight configuration parameter is taken as the third entry to obtain the third configuration item set, where the weight configuration parameter comes from the independent weight configuration module and is controlled by the second user, the third configuration item set comprises the configuration weight factors of the configuration items obtained by configuring the weight parameter, and the second user sets the third configuration item set at least on the basis of the second basic configuration;
S104: a first type configuration file Con-stream type 1 is combined on the basis of the first, second and third configuration item sets, where the first type configuration file comprises at least the system data configuration items, the web configuration items and the configuration weight factors of the configuration items;
the configuration weight factor of each configuration item may be a default; a default means that the weight factor is a preset system balance value, not one specified by the second user, and the value of the preset system balance value is greater than 0 and less than 1;
S106: the first type configuration file Con-stream type 1 is overwritten by the first configuration overwriter to obtain the second type configuration file Con-stream type 2;
S108: the second configuration overwriter performs aggregation processing on the second type configuration file Con-stream type 2 to obtain the aggregated third type configuration file Con-stream type 3;
where the aggregation processing comprises at least:
collecting the hierarchical identifier correlation information of each internet of things node in the internet of things configuration security protection system, grouping the nodes on the basis of that correlation information, placing N specific internet of things nodes into one group and setting an aggregation grouping identifier, and so on; when fewer than N internet of things nodes remain, the remaining fewer-than-N nodes are placed into one group and an aggregation grouping identifier is set for them;
as a superimposable preferred embodiment, in the internet of things configuration iteration framework every internet of things node is given an identifying meaning, that is, each internet of things node is characterised by an internet of things node identifier; and as another superimposable preferred embodiment, the internet of things node identifier is a hierarchical identifier comprising the following levels: the identifier of the virtual subnet to which the internet of things node belongs - the internet of things node type identifier - the internet of things node user identifier - the internet of things node network access identifier. As mentioned above, these identifiers may be defined by the system when the internet of things device joins the internet of things configuration iteration framework, or may be set at the factory. For example, the hierarchical identifier of a smart home device is: VLAN201175-HOMECARE-USER3-MAC19084375, where the virtual subnet identifier is VLAN201175, the internet of things node type identifier is HOMECARE, the internet of things node user identifier is USER3, and the internet of things node network access identifier is MAC19084375. Other internet of things nodes may use a similar hierarchical identifier.
As a superimposable preferred embodiment, text relevance matching is performed on the hierarchical identifiers of the multiple internet of things nodes, from which a relevance ranking of the internet of things nodes is obtained. The text relevance algorithm belongs to the prior art, is not a key point of the present invention and is not described again here; any mature text relevance algorithm of the prior art may be used. After ranking, the device and the N-1 devices whose hierarchical identifiers are most relevant to its own form one aggregation group. If any of those N-1 devices has already been added to another group, it is removed from the candidates and the next device in the ranking is added instead according to relevance, and so on. When fewer than N internet of things nodes remain, the remaining fewer-than-N nodes are placed into one group, until no device is left outside a group.
An aggregation grouping identifier is determined for each aggregation group, and each internet of things node and the overwriter module are informed of it.
As a superimposable preferred embodiment, the device that actively initiates the relevance calculation may be every internet of things node device, or a subset of the internet of things node devices that is designated, preset or set according to priority, or a device selected by a certain algorithm.
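The grouping procedure described above, as an added example in Python that is not part of the patent: hierarchical identifiers of the VLAN-TYPE-USER-MAC form are parsed, a relevance ranking is built, and nodes are placed greedily into aggregation groups of N, with the last group absorbing the fewer-than-N remainder. Because the text leaves the text relevance algorithm open, the measure used here (number of leading hierarchy levels two identifiers share) is an assumption standing in for it, and the group identifier format `AGG-001` and all sample identifiers other than the one from the text are constructed.

```python
"""Added example (not the patent's own code): greedy aggregation grouping of
internet of things nodes by the relevance of their hierarchical identifiers.
The relevance measure (number of leading hierarchy levels shared) is an
assumption standing in for whatever text relevance algorithm is chosen."""
from itertools import count

# Hierarchy levels named in the text: virtual subnet - node type - user - network access.
LEVELS = ("subnet", "node_type", "user", "net_access")

# Constructed sample identifiers (the first one is the example from the text).
SAMPLE_NODES = [
    "VLAN201175-HOMECARE-USER3-MAC19084375",
    "VLAN201175-HOMECARE-USER3-MAC19084376",
    "VLAN201175-HOMECARE-USER7-MAC19084399",
    "VLAN201176-SENSOR-USER1-MAC19085000",
    "VLAN201176-SENSOR-USER1-MAC19085001",
]


def parse_hierarchical_id(hid: str) -> dict:
    """Split 'VLAN201175-HOMECARE-USER3-MAC19084375' into its four named levels."""
    parts = hid.split("-")
    if len(parts) != len(LEVELS) or not all(parts):
        raise ValueError(f"expected {len(LEVELS)} non-empty levels in {hid!r}")
    return dict(zip(LEVELS, parts))


def relevance(a: str, b: str) -> int:
    """Assumed relevance: how many leading levels (subnet, type, user, ...) two identifiers share."""
    pa, pb = parse_hierarchical_id(a), parse_hierarchical_id(b)
    score = 0
    for level in LEVELS:
        if pa[level] != pb[level]:
            break
        score += 1
    return score


def aggregate_groups(node_ids, n: int) -> dict:
    """Grouping procedure from the text: the initiating device takes the N-1 still
    unassigned devices most relevant to it; devices already placed in another group
    are skipped; when fewer than N remain they form the last group. Returns
    {aggregation grouping identifier: [node identifiers]}."""
    if n < 1:
        raise ValueError("group size n must be at least 1")
    unassigned = list(dict.fromkeys(node_ids))  # drop duplicates, keep input order
    groups = {}
    gid = count(1)
    while unassigned:
        head = unassigned.pop(0)
        # Rank the remaining devices by relevance to the initiator; the sort is stable,
        # so ties keep their input order and the result is deterministic.
        ranked = sorted(unassigned, key=lambda other: relevance(head, other), reverse=True)
        members = [head] + ranked[: n - 1]  # fewer than N left -> they all join this group
        for m in members[1:]:
            unassigned.remove(m)
        groups[f"AGG-{next(gid):03d}"] = members
    return groups


if __name__ == "__main__":
    for group_id, members in aggregate_groups(SAMPLE_NODES, 3).items():
        print(group_id, members)
```

With the constructed sample set and N = 3, the three HOMECARE devices on VLAN201175 form the first group and the two SENSOR devices on VLAN201176 form the fewer-than-N remainder group; any node that already belongs to a group is never offered again because it has been removed from the unassigned list.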
The configuration files of the same group of internet of things nodes are combined into the third type configuration file Con-stream type 3, and an aggregation grouping identification head is introduced into the third type configuration file;
as a superimposable preferred embodiment, the configuration files of the same group of internet of things nodes are combined into a third type configuration file Con-stream type 3, specifically: the second type configuration files are combined using a conventional small-file combination method of the prior art, so that the third type configuration file Con-stream type 3 is obtained without changing the attributes of the configuration items. That is, the third type configuration file Con-stream type 3 is in fact an aggregated configuration file of the second type configuration files: it carries the entire content of the second type configuration files of the internet of things node group whose hierarchical identifiers are correlated, and may be encrypted to some extent.
Alternatively, each second type configuration file is encoded and encrypted and then appended as a separate load part to the load of the third type configuration file Con-stream type 3, the parts being separated by a specific isolation field. The encryption is symmetric encryption; the encryption key and encryption algorithm are preset for the system and known to the first data packet overwriter and to each internet of things node, so that the encrypted content can be decoded and restored in the first data packet overwriter and in each internet of things node, and retrieved from the load field of the third type configuration file Con-stream type 3.
The mapping between each second type configuration file, its configuration items and the corresponding internet of things node is retained.
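The second variant above (each Con-stream type 2 file encoded, encrypted with the preset symmetric key, appended as a separate load part behind the aggregation grouping identification head and separated by an isolation field) together with the node-side recovery described later in the step sequence, as an added Python example that is not part of the patent. The head marker, the isolation byte and the preset key are constructed assumptions; the cipher (a SHA-256 keystream with an HMAC tag) is a stand-in for the preset symmetric algorithm the text leaves open, and a deployment would use a vetted authenticated cipher such as AES-GCM from a crypto library instead.

```python
"""Added example (not the patent's own code): packing a group's Con-stream type 2
profiles into one Con-stream type 3 load, each part encrypted with a preset
symmetric key and separated by an isolation field, and node-side unpacking.
Names, constants and the stand-in cipher are assumptions."""
import base64
import hashlib
import hmac
import json
import os
import struct

HEAD_PREFIX = b"AGGHEAD:"   # constructed marker for the aggregation grouping identification head
ISOLATION_FIELD = b"\x1e"   # constructed isolation field (ASCII record separator)
PRESET_KEY = b"constructed-preset-key-shared-by-overwriter-and-nodes"
NONCE_LEN, TAG_LEN = 8, 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + struct.pack(">I", ctr)).digest()
    return out[:length]


def encrypt_part(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, so a node detects tampering before parsing the part."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def decrypt_part(key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("load part too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("load part failed authentication (wrong key or tampered)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_type3(group_id: str, profiles: dict, key: bytes):
    """profiles maps node hierarchical identifier -> its type 2 profile (a dict).
    Returns the type 3 load and the retained node -> load-part index mapping."""
    if ISOLATION_FIELD in group_id.encode():
        raise ValueError("group identifier must not contain the isolation field")
    parts, mapping = [], {}
    for idx, (node_id, profile) in enumerate(profiles.items()):
        record = json.dumps({"node": node_id, "profile": profile}, sort_keys=True).encode()
        # base64 after encryption guarantees the isolation byte never occurs inside a part
        parts.append(base64.b64encode(encrypt_part(key, record)))
        mapping[node_id] = idx
    head = HEAD_PREFIX + group_id.encode()
    return head + ISOLATION_FIELD + ISOLATION_FIELD.join(parts), mapping


def unpack_type3(load: bytes, key: bytes, own_node_id: str):
    """Node side: check the head, decrypt each load part and pick the profile whose
    node identifier matches our own. Returns (group_id, profile)."""
    head, *parts = load.split(ISOLATION_FIELD)
    if not head.startswith(HEAD_PREFIX):
        raise ValueError("missing aggregation grouping identification head")
    group_id = head[len(HEAD_PREFIX):].decode()
    for part in parts:
        record = json.loads(decrypt_part(key, base64.b64decode(part)))
        if record["node"] == own_node_id:
            return group_id, record["profile"]
    raise LookupError(f"no type 2 profile for {own_node_id} in group {group_id}")


if __name__ == "__main__":
    # constructed profiles for two nodes of one group
    demo = {
        "VLAN201175-HOMECARE-USER3-MAC19084375": {"system_data": {"mtu": 1500}, "web": {"port": 8443}},
        "VLAN201175-HOMECARE-USER3-MAC19084376": {"system_data": {"mtu": 1400}, "web": {"port": 8444}},
    }
    load, mapping = build_type3("AGG-001", demo, PRESET_KEY)
    print(mapping, unpack_type3(load, PRESET_KEY, "VLAN201175-HOMECARE-USER3-MAC19084376"))
```

Encrypting before base64-encoding is what makes the isolation field safe: the encoded alphabet cannot contain the separator byte, so a part can never be split or merged by accident, and the per-part tag means a node with the wrong key, or a node handed a modified part, fails closed instead of applying a corrupted profile.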
The first, second and third type configuration files may be packaged into corresponding data packets, and may be fragmented on the basis of the MTU size according to the related technical conditions and implementation criteria of the prior art. The first, second and third type configuration files may carry independent file identifiers or set identifiers (for example, the third type configuration file), and are named Con-stream type 1, Con-stream type 2 and Con-stream type 3 respectively.
As a superimposable preferred embodiment, the first type configuration file Con-stream type 1 contains at least a system data configuration item, a web configuration item, and the configuration weight factors of the respective configuration items. The first configuration overwriter adds an update identification configuration item on the basis of the first type configuration file Con-stream type 1. The update identification configuration item represents a configuration item that needs real-time updating; it is preset in the first configuration overwriter by the framework system and has the following characteristics: 1. it differs from the system configuration items acquired from the internet of things cloud platform and is a configuration item that the user needs to monitor specifically, that is, a configuration item specified by the user that relates to the real-time performance or processing of the system; 2. it may still be updated while the configuration file is being transferred.
For example, as shown in fig. 3 and fig. 4 of the specification, which illustrate a preferred embodiment of the configuration information security protection method and system based on the new generation information technology according to the present invention before and after a change of the update identification configuration item, a fault rate configuration item FAULT-LOSS-ACTIVE is implemented for monitoring the overall instantaneous fault probability of the system. Its basic calculation is 1 minus the product of the real-time non-fault probabilities of all the basic modules, and the configuration item must be updated continuously because the basic modules of the system may go online or offline, be recombined or be replaced. Thus, in the first configuration overwriter, the update identification configuration item is introduced as the fourth entry configuration item of the first type configuration file Con-stream type 1 and, together with the first type configuration file Con-stream type 1, forms the second type configuration file Con-stream type 2. As a superimposable preferred embodiment, the second type configuration file Con-stream type 2 contains at least a system data configuration item, a web configuration item, an update identification configuration item, and the configuration weight factors of the respective configuration items.
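The first configuration overwriter as described in this passage and in the earlier system description, as an added Python example that is not part of the patent: a Con-stream type 1 profile (system data items, web items, weight factors) becomes Con-stream type 2 by appending the update identification item FAULT-LOSS-ACTIVE as a fourth entry, computed as 1 minus the product of the basic modules' non-fault probabilities, and re-evaluated when the module set changes. The weight factor range check follows the text (strictly between 0 and 1, with a preset balance value for items the second user left at default); the entry names, the balance value 0.5 and the module table are assumptions.

```python
"""Added example (not the patent's own code): a first configuration overwriter
that turns Con-stream type 1 into Con-stream type 2 by appending the update
identification item FAULT-LOSS-ACTIVE, and re-evaluates it as modules change.
Entry names, the default balance weight and the module table are assumptions."""
import math

DEFAULT_BALANCE_WEIGHT = 0.5  # assumed preset system balance value; the text only requires 0 < value < 1


def validate_weight(value: float) -> float:
    """Configuration weight factors must lie strictly between 0 and 1."""
    if not 0 < value < 1:
        raise ValueError(f"configuration weight factor {value!r} is not in (0, 1)")
    return value


def fault_loss_active(non_fault_probs) -> float:
    """FAULT-LOSS-ACTIVE: 1 minus the product of the basic modules' real-time non-fault probabilities."""
    probs = list(non_fault_probs)
    if any(not 0 <= p <= 1 for p in probs):
        raise ValueError("non-fault probabilities must lie in [0, 1]")
    return 1.0 - math.prod(probs)


def first_configuration_overwriter(type1: dict, module_non_fault: dict) -> dict:
    """Build type 2 = the three type 1 entries + the update identification item as fourth entry.
    Weight factors missing from type 1 are filled with the preset balance value, as the text allows."""
    for entry in ("system_data", "web", "weights"):
        if entry not in type1:
            raise KeyError(f"type 1 profile lacks entry {entry!r}")
    items = list(type1["system_data"]) + list(type1["web"])
    weights = {item: validate_weight(type1["weights"].get(item, DEFAULT_BALANCE_WEIGHT)) for item in items}
    return {
        "system_data": dict(type1["system_data"]),
        "web": dict(type1["web"]),
        "weights": weights,
        "update_identification": {"FAULT-LOSS-ACTIVE": fault_loss_active(module_non_fault.values())},
    }


def refresh_update_identification(type2: dict, module_non_fault: dict) -> dict:
    """Re-evaluate the item when modules go online or offline, are recombined or replaced;
    this can happen while the profile is still in transfer, which is why the item is kept separate."""
    type2["update_identification"]["FAULT-LOSS-ACTIVE"] = fault_loss_active(module_non_fault.values())
    return type2


if __name__ == "__main__":
    # constructed type 1 profile and module table (module -> real-time non-fault probability)
    type1 = {"system_data": {"mtu": 1500}, "web": {"port": 8443}, "weights": {"mtu": 0.8}}
    modules = {"db": 0.99, "mq": 0.98, "gw": 0.95}
    type2 = first_configuration_overwriter(type1, modules)
    print(type2["update_identification"])
    modules.pop("gw")  # gateway module went offline: the item must be recomputed
    print(refresh_update_identification(type2, modules)["update_identification"])
```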
In addition, typically, the second configuration overwriter may collect the hierarchical identifier correlation information of each internet of things node in the internet of things configuration security protection system, aggregate and group the internet of things nodes on the basis of that correlation information, placing N specific internet of things nodes into one group and setting an aggregation grouping identifier, and so on; when fewer than N internet of things nodes remain, the remaining fewer-than-N nodes are placed into one group and an aggregation grouping identifier is set for them. The configuration files of the same group of internet of things nodes are then combined into a third type configuration file Con-stream type 3. After combination, the correspondence between the second type configuration file of each internet of things node in the group and the identifier of that node is retained, and an aggregation grouping identification head is introduced into the third type configuration file.
As a superimposable preferred embodiment, as shown in fig. 5 of the specification, which shows a schematic diagram of a typical database table of the configuration password pre-fetching module in a preferred embodiment of the configuration information security protection method and system based on the new generation information technology, the configuration items are the first or second basic configuration items, and the corresponding configuration password is a pre-stored password that may be preset in the system by the first or second user, for example in the following format shown in fig. 5:
CON11A03:
the first three characters, CON, identify it as a configuration password;
the fourth character, 1, identifies it as a first basic configuration item;
the fifth character, 1, identifies it as the 1st basic configuration among the first basic configuration items;
characters 6-8 identify a user-settable configuration item, serving either as correction characters or as user ID characters.
As set forth above, at least 16 preset first basic configurations and 16 preset second basic configurations are supported.
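A parser for the CON11A03 password format, followed by the pre-fetch lookup against the configuration pool table, as an added Python example that is not part of the patent. Reading the fifth character as a hexadecimal digit (which gives the 16 preset configurations per kind the text mentions), the three-character tail alphabet, and the contents of the pool table are assumptions; the kind check refuses a first-user password presented by a second user and vice versa.

```python
"""Added example (not the patent's own code): parser for the configuration
password format CON11A03 and the pre-fetch lookup against a constructed
relational table of the configuration pool. The hexadecimal index digit,
the tail alphabet and the table rows are assumptions."""
import re

# CON | kind (1 = first, 2 = second basic configuration item) | index digit | 3 user-settable chars
PASSWORD_RE = re.compile(r"^CON([12])([0-9A-F])([0-9A-Z]{3})$")

# Constructed configuration pool table: password -> (kind, preset basic configuration items)
CONFIGURATION_POOL = {
    "CON11A03": (1, {"mtu": 1500, "web_port": 8443}),
    "CON12B17": (1, {"mtu": 1400, "web_port": 8080}),
    "CON21C05": (2, {"weights": {"mtu": 0.6, "web_port": 0.7}}),
}


def parse_configuration_password(password: str) -> dict:
    """Split a password into its fields; anything that does not fit the format is rejected."""
    m = PASSWORD_RE.match(password)
    if not m:
        raise ValueError(f"{password!r} is not a configuration password")
    return {
        "kind": int(m.group(1)),        # first or second basic configuration item
        "index": int(m.group(2), 16),   # which of the (at least 16) preset basic configurations
        "tail": m.group(3),             # correction characters or user ID characters
    }


def prefetch_basic_configuration(password: str, user_kind: int) -> dict:
    """The user presents a pre-fetched password; the pool returns the matching preset
    basic configuration, refusing a password whose kind does not match the user."""
    parsed = parse_configuration_password(password)
    if parsed["kind"] != user_kind:
        raise PermissionError(f"password kind {parsed['kind']} does not match user kind {user_kind}")
    row = CONFIGURATION_POOL.get(password)
    if row is None or row[0] != parsed["kind"]:
        raise LookupError(f"no basic configuration stored for {password!r}")
    return dict(row[1])


if __name__ == "__main__":
    print(parse_configuration_password("CON11A03"))
    print(prefetch_basic_configuration("CON11A03", 1))
```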
The first basic configuration and the second basic configuration may each be a set of configuration items together with the historical configuration values of the corresponding configuration items, where those historical values may be the historical configuration values that optimise system performance or historical configuration values specified by the user, and the configuration items that differ between the historical configuration items and the current system configuration items are highlighted for the user's reference.
S110: the third type configuration file Con-stream type 3 is transmitted to the front-end filtering device for filtering;
the front-end filtering device filters the configuration file data packets and the ordinary data packets: ordinary data packets are released; when a third type configuration file data packet matching the aggregation grouping identification head is detected, it is determined to be an abnormal data packet and filtered into a data packet discard pool, and the data packet discard pool is at the same time informed that the aggregation grouping identification head has been detected.
S112: the data packet discard pool performs persistence processing on the third type configuration file data packets for which the aggregation grouping identification head was detected, and applies the normal discard logic to the other discarded data packets;
S114: the back-end filtering device traverses the data packet discard pool, obtains the persistently stored third type configuration file data packets and transmits them to the first data packet overwriter;
S116: the first data packet overwriter reads the third type configuration file data packet; in a specific embodiment the configuration file may be decrypted according to the decryption key and decryption algorithm negotiated by the system, and the configuration file is sent to the internet of things nodes of the group named by the aggregation grouping identifier contained in the aggregation grouping identification head;
S118: the internet of things nodes of that group obtain the third type configuration file data packet and read the second type configuration file Con-stream type 2 that corresponds to them;
at this step the nodes of the group obtain the third type configuration file and, in a specific embodiment, the configuration file may be decrypted according to the decryption key and decryption algorithm negotiated by the system (if it was not decrypted before, or was encrypted again), and each node matches its own internet of things node identifier against the second type configuration file corresponding to that identifier in the decrypted group of second type configuration files.
S120: each node performs a configuration update iteration on its own configuration file according to the configuration items of the second type configuration file Con-stream type 2.
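The S110 to S120 packet path, as an added Python example that is not part of the patent: the front-end filter releases ordinary packets, treats type 3 packets carrying the aggregation grouping identification head as abnormal and diverts them into the discard pool while notifying it, the pool persists exactly those packets and applies normal discard logic to everything else, the back-end filter traverses the pool, and the first packet overwriter routes each persisted packet to the nodes of the group named in its head. The head marker, the isolation byte, the oversize criterion used to show the normal discard path, and the group membership table are constructed assumptions; decryption of the load is left to the nodes here.

```python
"""Added example (not the patent's own code): the front-end filter, discard pool,
back-end filter and first packet overwriter of steps S110-S120 as one in-memory
pipeline. Head marker, isolation byte, size criterion and group table are assumptions."""
from dataclasses import dataclass, field

HEAD_PREFIX = b"AGGHEAD:"   # constructed marker for the aggregation grouping identification head
ISOLATION_FIELD = b"\x1e"   # constructed isolation field between head and load parts
MAX_ORDINARY_SIZE = 1500    # assumed front-end filtering criterion for ordinary packets


@dataclass
class Packet:
    payload: bytes


def has_aggregation_head(pkt: Packet) -> bool:
    return pkt.payload.startswith(HEAD_PREFIX)


def group_id_of(pkt: Packet) -> str:
    return pkt.payload[len(HEAD_PREFIX):].split(ISOLATION_FIELD, 1)[0].decode()


@dataclass
class DiscardPool:
    notices: set = field(default_factory=set)     # group ids the front end announced
    persisted: list = field(default_factory=list)
    discarded: int = 0

    def notify_head_detected(self, group_id: str) -> None:
        self.notices.add(group_id)

    def accept(self, pkt: Packet) -> None:
        # S112: persist type 3 packets whose head was announced; drop everything else normally
        if has_aggregation_head(pkt) and group_id_of(pkt) in self.notices:
            self.persisted.append(pkt)
        else:
            self.discarded += 1


def front_end_filter(packets, pool: DiscardPool) -> list:
    """S110: release ordinary packets; divert type 3 packets as abnormal with a notice."""
    released = []
    for pkt in packets:
        if has_aggregation_head(pkt):
            pool.notify_head_detected(group_id_of(pkt))
            pool.accept(pkt)
        elif len(pkt.payload) > MAX_ORDINARY_SIZE:
            pool.accept(pkt)   # fails an ordinary criterion: takes the normal discard path
        else:
            released.append(pkt)
    return released


def back_end_filter(pool: DiscardPool) -> list:
    """S114: traverse the pool and take the persisted type 3 packets out for the overwriter."""
    found, pool.persisted = list(pool.persisted), []
    return found


def first_packet_overwriter(packets, group_members: dict) -> dict:
    """S116: route each type 3 packet to the nodes of the group named in its head."""
    deliveries = {}
    for pkt in packets:
        for node in group_members.get(group_id_of(pkt), []):
            deliveries.setdefault(node, []).append(pkt)
    return deliveries


def run_pipeline(packets, group_members: dict):
    """Whole path; returns (released ordinary packets, the pool, deliveries per node)."""
    pool = DiscardPool()
    released = front_end_filter(packets, pool)
    deliveries = first_packet_overwriter(back_end_filter(pool), group_members)
    return released, pool, deliveries


if __name__ == "__main__":
    # constructed traffic: one ordinary packet, one type 3 packet, one oversized ordinary packet
    traffic = [Packet(b"GET /status"), Packet(b"AGGHEAD:AGG-001\x1epart1\x1epart2"), Packet(b"x" * 2000)]
    released, pool, deliveries = run_pipeline(traffic, {"AGG-001": ["node-a", "node-b"]})
    print(len(released), pool.discarded, {n: len(p) for n, p in deliveries.items()})
```

The point of the two-stage design is visible in the pool: a type 3 packet never reaches a node through the released path, only through persistence plus the back-end traversal, so a packet that merely looks like ordinary traffic cannot carry a group configuration, and a type 3 packet whose head the front end did not announce is dropped like any other discard.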
As a superimposable preferred embodiment, the method takes a web configuration page as the first entry to obtain the first configuration item set, where the web configuration page comes from an independent web configuration module, specifically:
a web configuration page is displayed in the web configuration module on the basis of preset code, and the web configuration page comprises at least: a first-level configuration page for indexing configuration items related to system settings;
a second-level configuration page for indexing configuration items related to the first user, where a configuration item related to the first user is cancelled when it conflicts with a configuration item of the first-level configuration page;
a third-level configuration page for indexing configuration items related to the filter filtering criteria, where a configuration item related to the filter filtering criteria is cancelled when it conflicts with a configuration item of the second-level or first-level configuration page;
and a filter filtering criterion identification module for adding a front-end identifier or a back-end identifier to the configuration items related to the filter filtering criteria, the identifier indicating whether the corresponding filtering criterion should be configured on the front-end filtering module or on the back-end filtering module.
As a preferred embodiment that can be superimposed, the second user is specifically:
a user whose system operation priority is higher than that of the first user; the second user can assign a configuration weight factor to each configuration item based on the influence of that configuration item on system performance, and the value of the configuration weight factor is greater than 0 and less than 1 so as to represent the degree of influence of the corresponding configuration item on system performance.
As a superimposable preferred embodiment, the configuration weight factor of the third-level configuration page configuration item is always greater than or equal to the configuration weight factor of the second-level configuration page configuration item;
the configuration weight factor of the second-level configuration page configuration item is always larger than or equal to the configuration weight factor of the first-level configuration page configuration item.
As a preferred embodiment that can be superimposed, the first configuration overwriter introduces the update identification configuration item as a fourth entry configuration item of the first type configuration file Con-stream type 1, and together with the first type configuration file Con-stream type 1 it forms the second type configuration file Con-stream type 2.
The second type configuration file Con-stream type 2 contains at least a system data configuration item, a web configuration item, an update identification configuration item, and the configuration weight factor of each configuration item.
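The pipeline of steps S112 to S120 (and of claims 1 and 6), together with the page-level conflict and weight-factor rules of the preferred embodiments above, as an added Python simulation that is not part of the patent: it builds Con-stream type 1 from the three entries (cancelling conflicting lower-priority page items, applying the default balance value and checking the third >= second >= first weight rule), overwrites it to type 2 with the update identification item, gathers N nodes per group into type 3 packets carrying a grouping header, and runs the front-end filter, discard pool, back-end recovery and per-node update. The header marker, the balance value, the function names and the sample data are assumptions.

```python
# Added example (not the patent's own code): constructed simulation of the
# configuration pipeline of steps S112-S120 / claims 1 and 6. The "AGG-GRP"
# marker, the balance value, all names and the sample data are assumptions.
from dataclasses import dataclass
from typing import Optional

GROUP_HEADER = "AGG-GRP"  # assumed encoding of the "set grouping identification head"
BALANCE_DEFAULT = 0.5     # assumed preset system balance value, must lie in (0, 1)
LEVEL_RANK = {"first": 1, "second": 2, "third": 3}  # web page priority (lower wins)


@dataclass
class Item:
    key: str
    value: str
    level: str                      # "sysdata" or the web page level it came from
    weight: Optional[float] = None  # None = "default", resolved to BALANCE_DEFAULT


def merge_web_items(web_items: list) -> dict:
    """Three-level page rule: a key already set by a higher-priority page cancels
    the conflicting item from a lower-priority (higher-numbered) page."""
    merged: dict = {}
    for it in sorted(web_items, key=lambda i: LEVEL_RANK[i.level]):
        merged.setdefault(it.key, it)
    return merged


def build_type1(system_items: list, web_items: list, weights: dict) -> dict:
    """Con-stream type 1: system data + web items + weight factors (with default,
    range check and the third >= second >= first level rule of claims 4/9)."""
    cfg = {it.key: it for it in system_items}
    cfg.update(merge_web_items(web_items))
    for it in cfg.values():
        w = weights.get(it.key, BALANCE_DEFAULT)  # unspecified -> balance value
        if not 0.0 < w < 1.0:
            raise ValueError(f"weight factor of {it.key} outside (0,1): {w}")
        it.weight = w
    by_level = {lvl: [i.weight for i in cfg.values() if i.level == lvl]
                for lvl in ("first", "second", "third")}
    for low, high in (("first", "second"), ("second", "third")):
        if by_level[low] and by_level[high] and max(by_level[low]) > min(by_level[high]):
            raise ValueError(f"{high}-level weights must be >= {low}-level weights")
    return cfg


def overwrite_type2(type1: dict, update_id: str) -> dict:
    """First configuration overwriter: adds the update identification item."""
    type2 = dict(type1)
    type2["update_id"] = Item("update_id", update_id, "sysdata", BALANCE_DEFAULT)
    return type2


def gather_type3(profiles: dict, n: int) -> list:
    """Second configuration overwriter: groups of N nodes (remainder is the last
    group); each group packet carries the set grouping identification head."""
    nodes = sorted(profiles)
    return [{"header": GROUP_HEADER, "group_id": gid,
             "profiles": {nid: profiles[nid] for nid in nodes[s:s + n]}}
            for gid, s in enumerate(range(0, len(nodes), n))]


class DiscardPool:
    def __init__(self) -> None:
        self.persisted: list = []  # type-3 packets announced by the front end
        self.dropped = 0           # all other discards follow normal discard logic

    def receive(self, pkt: dict, header_seen: bool) -> None:
        if header_seen:
            self.persisted.append(pkt)
        else:
            self.dropped += 1


def front_end_filter(packets: list, pool: DiscardPool) -> list:
    """Releases ordinary packets; a packet matching the grouping header is classed
    abnormal and sent to the pool together with the header-detected notification."""
    released = []
    for pkt in packets:
        if pkt.get("header") == GROUP_HEADER:
            pool.receive(pkt, header_seen=True)
        elif pkt.get("drop"):  # ordinary packet that fails the filter's own rules
            pool.receive(pkt, header_seen=False)
        else:
            released.append(pkt)
    return released


def back_end_recover(pool: DiscardPool, nodes: dict) -> None:
    """Back-end filter traverses the pool; the first data packet overwriter delivers
    each group packet and every node applies only the type-2 profile matching its id."""
    for pkt in pool.persisted:
        for nid, profile in pkt["profiles"].items():
            if nid in nodes:
                for key, it in profile.items():
                    nodes[nid][key] = it.value


def run_demo():
    # Constructed sample: five nodes, N=2, one page conflict, one default weight.
    sys_items = [Item("log_level", "info", "sysdata"), Item("mtu", "1500", "sysdata")]
    web_items = [Item("timeout", "30", "first"), Item("timeout", "5", "second"),
                 Item("retries", "3", "second"), Item("filter_rule", "allow_tls", "third")]
    t1 = build_type1(sys_items, web_items, {"timeout": 0.2, "filter_rule": 0.8})
    t2 = overwrite_type2(t1, "upd-0001")
    nodes = {f"node{i}": {"log_level": "debug"} for i in range(5)}
    packets = gather_type3({nid: t2 for nid in nodes}, n=2)
    packets += [{"payload": "telemetry"}, {"payload": "junk", "drop": True}]
    pool = DiscardPool()
    released = front_end_filter(packets, pool)
    back_end_recover(pool, nodes)
    return t1, packets, released, pool, nodes
```

Running `run_demo()` shows the second-level `timeout` item being cancelled by the first-level one, the three type 3 group packets landing in the discard pool while the ordinary packet is released and the failing one is dropped, and the last group (a single node) receiving its update.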
The invention provides a configuration information safety protection system and method based on a new generation of information technology. During transmission of configuration information on an internet of things platform, the configuration file undergoes two-level overwriting and packet-level stretching, which provides a particularly good level of protection of the configuration data against theft on top of the original internet of things safety protection. At the same time, a front-end filtering device filters the data packets after the second-level overwriting and first-level stretching: the reconstructed configuration file is judged to be a discard packet through the deliberate "error filtering" of the filtering device and is sent to a data packet discarding pool, so that secondary theft before and after the front-end filtering device is avoided. The pooled data packets are then filtered at the back end, which monitors the deliberate "error filtering" of the front-end filtering device, identifies the configuration files that entered the pool, rescues them from the data packet discarding pool into the first data packet overwriter, restores the attributes of the configuration files and sends them to the set of internet of things nodes meeting the set requirement, thereby realizing secure transmission of the configuration files.
Thus, compared with the prior art, the method for processing the configuration information has the following features: firstly, through secondary overwriting of the configuration files, more key system configurations are provided than in the configuration information of the ubiquitous internet of things, and the whole system configuration is carried out in the primary overwriting according to the requirements of users; moreover, the configuration information transmission of the internet of things nodes is aggregated through the aggregating second-level overwriting, so that loss of the correlation of the configuration files is avoided and the data transmission risk is objectively reduced; secondly, data packet hierarchy stretching is adopted, so that the configuration data packet is expanded in an "error" mode, cannot be filtered by a filter, and is led into a bypass of the matching processing by a mechanism superior to the prior art instead of being over-matched as in the prior art; thirdly, when the configuration data is discarded, a pooled cache is introduced, and the pooled configuration data is rescued by the first data packet overwriter, that is, the data packet discarding pool is used for bypass transmission, so that the probability of the configuration file being attacked or stolen is greatly reduced, and a unique persistent storage and bypass protection mechanism is provided; fourthly, a centralized configuration file is introduced for issuing during processing by the first data packet overwriter, so that the energy consumption of the system is reduced and the related internet of things nodes and their configuration can be collected; and fifthly, the independent weight configuration module and the web configuration module are used to synthesize the basic configuration information, so that single control of the internet of things cloud platform over the whole internet of things configuration iteration architecture is avoided, three comprehensive management architectures are introduced to realize diversified, multi-parameter-set and multi-dimensional control of the initial configuration information, and an improvement superior to the prior art, with a certain degree of progress, is provided for dynamic integration and forwarding of configuration files under the distributed internet of things architecture of the new generation information technology.
In all the above embodiments, in order to meet the requirements of special data transmission and read/write functions, the above method and its corresponding devices may add devices, modules, hardware, pin connections, or memory and processor variants to expand their functions during operation.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described method, apparatus and unit may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the embodiments provided by the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative; the division into method steps is only a logical or functional division and may be implemented differently in practice, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not implemented. In addition, the shown or discussed mutual coupling, direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as individual steps of the method, apparatus separation parts may or may not be logically or physically separate, or may not be physical units, and may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the method steps, the implementation thereof, and the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The above-described method and apparatus may be implemented as an integrated unit in the form of a software functional unit, which may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) or a processor to execute some steps of the methods according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), an NVRAM, a magnetic disk, an optical disk, and other media capable of storing program code.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.
It should be noted that: the above embodiments are only used to explain and illustrate the technical solution of the present invention more clearly, and not to limit the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A configuration information security protection system based on new generation information technology, the system comprising the following modules:
the configuration pool is used for storing a first pre-stored configuration set and a second pre-stored configuration set, and combining each first pre-stored configuration set or the second pre-stored configuration set and each configuration password into one-to-one mapping in a relational database table form;
the first pre-stored configuration set is used for storing a pre-stored configuration set of a first user;
the second pre-stored configuration set is used for storing the pre-stored configuration set of the second user;
and the configuration password pre-fetching module is used for enabling the first user and the second user to pre-fetch the configuration password from the configuration password pre-fetching module and acquiring the corresponding preset first basic configuration and the second basic configuration from the configuration pool based on the configuration password.
the web configuration module is used for acquiring a first configuration item set by taking a web configuration page as a first entrance, wherein the web configuration page is from an independent web configuration module and is controlled by a first user, and the first user sets the first configuration item set at least based on the first basic configuration;
the Internet of things cloud platform acquires a second configuration item set by taking the system data as a second entrance;
the weight configuration module is used for taking weight configuration parameters as a third inlet to obtain a third configuration item set, wherein the weight configuration parameters are from the independent weight configuration module and are controlled by a second user, the third configuration item set comprises configuration weight factors of all configuration items obtained by configuring the weight parameters, and the second user sets the third configuration item set at least based on second basic configuration;
the internet of things cloud platform is further used for combining a first type configuration file Con-stream type 1 based on the first configuration item set, the second configuration item set and the third configuration item set, wherein the first type configuration file at least comprises system data configuration items, web configuration items and configuration weight factors of the configuration items;
the configuration weight factor of each configuration item can be a default, the default represents that the weight factor is a preset system balance value, but not specified by a second user, and the value of the preset system balance value is greater than 0 and less than 1;
a first configuration overwriter, which overwrites the first type configuration file Con-stream type 1 to obtain a second type configuration file Con-stream type 2;
the second configuration overwriter is used for carrying out gathering processing on the second type configuration file Con-stream type 2 to obtain a gathered third type configuration file Con-stream type 3;
wherein the gathering process includes at least:
the method comprises the steps of collecting hierarchy identification correlation information of each internet of things node in the internet of things configuration safety protection system, grouping the hierarchy identification correlation information based on the correlation information, grouping N specific internet of things nodes into one group, setting a grouping identification set, and so on, and when less than N internet of things nodes are left, grouping the rest less than N specific internet of things nodes into one group, and setting a grouping identification set;
combining configuration files of the same group of Internet of things nodes into a third type configuration file Con-stream type 3; introducing a set grouping identification head for the third type configuration file;
transmitting the third type configuration file Con-stream type 3 to the front-end filtering device for filtering;
and the front-end filtering device filters the configuration file data packets and the common data packets, releases the common data packets, determines a third type configuration file data packet as an abnormal data packet when it detects that the packet matches the aggregation grouping identification head, filters the abnormal data packet to the data packet discarding pool, and at the same time notifies the data packet discarding pool that the aggregation grouping identification head has been detected.
The data packet discarding pool is used for carrying out persistence processing on the data packet of the third type configuration file with the detected aggregate grouping identification head and carrying out normal discarding logic processing on other discarded data packets;
the back-end filtering device is used for traversing the data packet discarding pool, acquiring a third type configuration file data packet stored persistently and transmitting the third type configuration file data packet to the first data packet overwriter;
the first data packet overwriter is used for reading a third type configuration file data packet and sending the third type configuration file data packet to the internet of things nodes corresponding to the third type configuration file data packet according to the set group identification contained in the set group identification head of the third type configuration file data packet;
and acquiring a third type configuration file data packet corresponding to the grouped internet of things nodes, reading a second type configuration file Con-stream type 2 corresponding to the third type configuration file data packet, and performing configuration updating iteration on the third type configuration file data packet according to each configuration item of the second type configuration file Con-stream type 2.
2. The system according to claim 1, wherein the web configuration page is taken as a first portal to obtain a first configuration item set, wherein the web configuration page is derived from an independent web configuration module, specifically:
displaying a web configuration page based on a preset code in a web configuration module, wherein the web configuration page at least comprises: a primary configuration page for indexing configuration items related to system settings;
the second-level configuration page is used for indexing configuration items related to the first user, and canceling the configuration items when the configuration items related to the first user conflict with the configuration items of the first-level configuration page;
the third-level configuration page is used for indexing configuration items related to filter filtering criteria, and canceling the configuration items when the configuration items related to the filter filtering criteria conflict with the configuration items of the second-level configuration page and the configuration items of the first-level configuration page;
the filter filtering criterion identification module is used for adding a front end identification or a back end identification to the configuration items related to the filter filtering criterion, and the identification is used for identifying that the corresponding filtering criterion should be configured to the front end filtering module or the back end filtering module.
3. The system according to claim 1, wherein the second user is specifically:
the system operation priority is higher than that of the first user, the second user can give a configuration weight factor to each configuration item based on the influence of each configuration item on the system performance, and the value of the configuration weight factor is larger than 0 and smaller than 1 so as to represent the influence degree of the corresponding configuration item on the system performance.
4. The new-generation information technology-based configuration information security protection system according to claim 3, wherein:
the configuration weight factor of the third-level configuration page configuration item is always greater than or equal to the configuration weight factor of the second-level configuration page configuration item;
the configuration weight factor of the second-level configuration page configuration item is always larger than or equal to the configuration weight factor of the first-level configuration page configuration item.
5. The new-generation information technology-based configuration information security protection system of claim 1, wherein:
the first configuration overwriter introduces the update identification configuration item as a fourth entry configuration item of the first type configuration file Con-stream type 1, and the update identification configuration item and the first type configuration file Con-stream type 1 together form the second type configuration file Con-stream type 2;
the second type configuration file Con-stream type 2 at least contains a system data configuration item, a web configuration item, an update identification configuration item, and a configuration weight factor of each configuration item.
6. A configuration information security protection method based on a new generation information technology comprises the following steps:
step one: storing a first pre-stored configuration set and a second pre-stored configuration set by using a configuration pool, and combining each first pre-stored configuration set or second pre-stored configuration set and each configuration password into a one-to-one mapping in the form of a relational database table;
storing a pre-stored configuration set of a first user by using a first pre-stored configuration set;
storing the pre-stored configuration set of the second user by using the second pre-stored configuration set;
and using a configuration password pre-fetching module to enable the first user and the second user to pre-fetch the configuration passwords from the configuration password pre-fetching module, and acquiring corresponding preset first basic configuration and second basic configuration from the configuration pool based on the configuration passwords.
Taking a web configuration page as a first entrance, acquiring a first configuration item set, wherein the web configuration page is from an independent web configuration module and is controlled by a first user, and the first user sets the first configuration item set at least based on first basic configuration;
step two: taking the system data as a second inlet, and acquiring a second configuration item set;
step three: taking the weight configuration parameter as a third entry, acquiring a third configuration item set, wherein the weight configuration parameter is from the independent weight configuration module and is controlled by a second user, the third configuration item set comprises configuration weight factors of the configuration items obtained by configuring the weight parameter, and the second user sets the third configuration item set at least based on second basic configuration;
step four: combining a first type configuration file Con-stream type 1 based on the first configuration item set, the second configuration item set and the third configuration item set, wherein the first type configuration file at least comprises system data configuration items, web configuration items and configuration weight factors of the configuration items;
the configuration weight factor of each configuration item can be a default, the default represents that the weight factor is a preset system balance value, but not specified by a second user, and the value of the preset system balance value is greater than 0 and less than 1;
step five: overwriting a first type configuration file Con-stream type 1 by using a first configuration overwriter to obtain a second type configuration file Con-stream type 2;
step six: using a second configuration overwriter to carry out gathering processing on the second type configuration file Con-stream type 2 to obtain a gathered third type configuration file Con-stream type 3;
wherein the gathering process includes at least:
the method comprises the steps of collecting hierarchy identification correlation information of each internet of things node in the internet of things configuration safety protection system, grouping the hierarchy identification correlation information based on the correlation information, grouping N specific internet of things nodes into one group, setting a grouping identification set, and so on, and when less than N internet of things nodes are left, grouping the rest less than N specific internet of things nodes into one group, and setting a grouping identification set;
combining configuration files of the same group of Internet of things nodes into a third type configuration file Con-stream type 3; introducing a set grouping identification head for the third type configuration file;
step seven: transmitting the third type configuration file Con-stream type 3 to the front-end filtering device for filtering;
step eight: the front-end filtering device filters the configuration file data packets and the common data packets, releases the common data packets, determines a third type configuration file data packet as an abnormal data packet when it detects that the packet matches the aggregation grouping identification head, filters the abnormal data packet to the data packet discarding pool, and at the same time notifies the data packet discarding pool that the aggregation grouping identification head has been detected.
Step nine: the data packet discarding pool carries out persistence processing on the data packet of the third type configuration file of which the aggregation grouping identification head is detected, and carries out normal discarding logic processing on other discarded data packets;
step ten: the back-end filtering equipment traverses the data packet discarding pool, acquires a third type configuration file data packet stored persistently and transmits the third type configuration file data packet to the first data packet overwriter;
step eleven: the first data packet overwriter reads a third type configuration file data packet, and sends the third type configuration file data packet to the internet of things nodes corresponding to the third type configuration file data packet according to the set grouping identification contained in the set grouping identification head of the third type configuration file data packet;
step twelve: and the correspondingly grouped Internet of things nodes acquire a third type configuration file data packet, read a second type configuration file Con-stream type 2 corresponding to the third type configuration file data packet, and perform configuration updating iteration on the third type configuration file data packet according to each configuration item of the second type configuration file Con-stream type 2.
7. The method for configuration information security protection based on new generation information technology according to claim 6, wherein the web configuration page is taken as a first portal to obtain a first configuration item set, wherein the web configuration page is from an independent web configuration module and specifically comprises:
displaying a web configuration page based on a preset code in a web configuration module, wherein the web configuration page at least comprises: a primary configuration page for indexing configuration items related to system settings;
the second-level configuration page is used for indexing configuration items related to the first user, and canceling the configuration items when the configuration items related to the first user conflict with the configuration items of the first-level configuration page;
the third-level configuration page is used for indexing configuration items related to filter filtering criteria, and canceling the configuration items when the configuration items related to the filter filtering criteria conflict with the configuration items of the second-level configuration page and the configuration items of the first-level configuration page;
the filter filtering criterion identification module is used for adding a front end identification or a back end identification to the configuration items related to the filter filtering criterion, and the identification is used for identifying that the corresponding filtering criterion should be configured to the front end filtering module or the back end filtering module.
8. The method for protecting configuration information based on new-generation information technology according to claim 6, wherein the second user specifically is:
the system operation priority is higher than that of the first user, the second user can give a configuration weight factor to each configuration item based on the influence of each configuration item on the system performance, and the value of the configuration weight factor is larger than 0 and smaller than 1 so as to represent the influence degree of the corresponding configuration item on the system performance.
9. The method for securing configuration information based on new-generation information technology according to claim 8, wherein:
the configuration weight factor of the third-level configuration page configuration item is always greater than or equal to the configuration weight factor of the second-level configuration page configuration item;
the configuration weight factor of the second-level configuration page configuration item is always larger than or equal to the configuration weight factor of the first-level configuration page configuration item.
10. The new-generation information technology-based configuration information security protection method according to claim 6, characterized in that:
the first configuration overwriter introduces the update identification configuration item as a fourth entry configuration item of the first type configuration file Con-stream type 1, and the update identification configuration item and the first type configuration file Con-stream type 1 together form the second type configuration file Con-stream type 2;
The second type configuration file Con-stream type 2 at least contains a system data configuration item, a web configuration item, an update identification configuration item, and a configuration weight factor of each configuration item.
CN202010569231.XA 2020-06-20 2020-06-20 Configuration information safety protection system and method based on new generation information technology Active CN111818021B (en)

Publications (2)

Publication Number Publication Date
CN111818021A true CN111818021A (en) 2020-10-23
CN111818021B CN111818021B (en) 2021-02-09

Family

ID=72845318

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010569231.XA Active CN111818021B (en) 2020-06-20 2020-06-20 Configuration information safety protection system and method based on new generation information technology

Country Status (1)

Country Link
CN (1) CN111818021B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113791597A (en) * 2021-11-17 2021-12-14 浙江齐安信息科技有限公司 Method and device for collecting configuration item information of industrial control system and storage medium
CN114356427A (en) * 2022-01-06 2022-04-15 成都新希望金融信息有限公司 Scanning filtering method and device, electronic equipment and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104168206A (en) * 2013-05-20 2014-11-26 中国电信股份有限公司 Adapter gateway load balancing control method, device and system
US20150089576A1 (en) * 2013-09-17 2015-03-26 Amrita Vishwa Vidyapeetham Systems and methods for adaptive application and privacy preserving internet of things
CN104679898A (en) * 2015-03-18 2015-06-03 成都汇智远景科技有限公司 Big data access method
CN105429798A (en) * 2015-11-25 2016-03-23 北京邮电大学 Network configuration system for the internet of things
US20180007140A1 (en) * 2016-07-01 2018-01-04 Intel Corporation Efficient provisioning of devices
CN109327551A (en) * 2018-12-04 2019-02-12 浩云科技股份有限公司 By the method and device of internet of things equipment access platform of internet of things, server
CN109343905A (en) * 2018-10-08 2019-02-15 郑州云海信息技术有限公司 A kind of PCIE resource configuration system and method

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104168206A (en) * 2013-05-20 2014-11-26 中国电信股份有限公司 Adapter gateway load balancing control method, device and system
US20150089576A1 (en) * 2013-09-17 2015-03-26 Amrita Vishwa Vidyapeetham Systems and methods for adaptive application and privacy preserving internet of things
CN104679898A (en) * 2015-03-18 2015-06-03 成都汇智远景科技有限公司 Big data access method
CN105429798A (en) * 2015-11-25 2016-03-23 北京邮电大学 Network configuration system for the internet of things
US20180007140A1 (en) * 2016-07-01 2018-01-04 Intel Corporation Efficient provisioning of devices
CN109343905A (en) * 2018-10-08 2019-02-15 郑州云海信息技术有限公司 A kind of PCIE resource configuration system and method
CN109327551A (en) * 2018-12-04 2019-02-12 浩云科技股份有限公司 By the method and device of internet of things equipment access platform of internet of things, server

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Hu Cun: "Design of an Industrial Cloud Platform System Based on the Internet of Things", China Master's Theses Full-text Database *

Also Published As

Publication number Publication date
CN111818021B (en) 2021-02-09

Similar Documents

Publication Publication Date Title
Dorsemaine et al. Internet of things: a definition & taxonomy
Husamuddin et al. Internet of Things: A study on security and privacy threats
CN111818021B (en) Configuration information safety protection system and method based on new generation information technology
CN112019575A (en) Data packet processing method and device, computer equipment and storage medium
CN110138770B (en) Threat information generation and sharing system and method based on Internet of things
CN115039379A (en) System and method for determining device attributes using classifier hierarchy
Srinivasan Detection of Black Hole Attack Using Honeypot Agent-Based Scheme with Deep Learning Technique on MANET.
Kushwah et al. Internet of things architectural elements, challenges and future directions
Costa et al. Features-aware DDoS detection in heterogeneous smart environments based on fog and cloud computing
Hsieh et al. A light-weight ranger intrusion detection system on wireless sensor networks
CN111818022B (en) User management system and method based on new generation information technology
CN116719868A (en) Network asset identification method, device and equipment
CN111818020B (en) Configuration information iteration system and method based on new generation information technology
CN112291756A (en) Two-layer management system and method for new-generation information technology Internet of things
CN114374689A (en) Integrated network management system for local area networks
CN113132381B (en) Computer network information safety controller
CN114422554B (en) Service area intelligent equipment management method and device based on distributed Internet of things
CN114124376B (en) Data processing method and system based on network data acquisition
Basabi et al. A ZigBee software defined network security
Samara et al. Using Security Centre in Indoor Internet of Things
Rajan et al. IoT Security: AI Blockchaining Solutions and Practices
KR102620347B1 (en) Intelligent personalization integrated threat management system for smart home security
US11841952B2 (en) Techniques for detecting exploitation of manufacturing device vulnerabilities
CN114785840B (en) Database management system applied to industrial Internet and control method thereof
Rao et al. ENHANCE AND DEVELOP SECURE SENSOR DATA AND APPLICATION IN IOT BASED DEVICES

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant