CN112511494B - Safety protection system and method suitable for electric power intelligent terminal equipment - Google Patents


Info

Publication number: CN112511494B
Authority: CN (China)
Prior art keywords: intelligent terminal, data, terminal equipment, security, electric
Legal status: Active
Application number: CN202011223633.0A
Other languages: Chinese (zh)
Other versions: CN112511494A (en)
Inventors: 许斌, 王楠, 翟峰, 梁晓兵, 刘鹰, 李保丰, 曹永峰, 孔令达, 徐萌, 冯云, 付义伦, 岑炜, 张庚, 袁泉, 冯占成, 任博, 周琪, 卢艳, 韩文博, 刘书勇, 郑旖旎
Current assignee: State Grid Corp of China SGCC; China Electric Power Research Institute Co Ltd CEPRI
Original assignee: State Grid Corp of China SGCC; China Electric Power Research Institute Co Ltd CEPRI
Application filed by: State Grid Corp of China SGCC; China Electric Power Research Institute Co Ltd CEPRI
Priority to: CN202011223633.0A
Publication of: CN112511494A
Application granted
Publication of: CN112511494B

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/02 ... for separating internal from external traffic, e.g. firewalls
                        • H04L 63/0227 Filtering policies
                            • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
                    • H04L 63/08 ... for authentication of entities
                        • H04L 63/0861 ... using biometrical features, e.g. fingerprint, retina-scan
                    • H04L 63/10 ... for controlling access to devices or network resources
                    • H04L 63/12 Applying verification of the received information
                        • H04L 63/123 ... received data contents, e.g. message integrity
                • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L 9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L 9/3247 ... involving digital signatures
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
        • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
            • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
                • Y04S 40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
                    • Y04S 40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention discloses a safety protection system and a safety protection method suitable for electric intelligent terminal equipment. The safety protection system comprises a terminal equipment shell protection unit, a verification unit, a data interaction control unit and a communication control unit, together with a center control unit positioned at the center side.

Description

Safety protection system and method suitable for electric power intelligent terminal equipment
Technical Field
The invention relates to the technical field of power industrial control, in particular to a safety protection system and method suitable for power intelligent terminal equipment.
Background
The electric power intelligent terminal is an important component of the intelligent power grid, and its application is becoming more widespread and more important to the grid. However, the electric power intelligent terminal faces many security threats; at present there is no protection scheme that systematically improves its security, and the terminal may become a springboard and medium for attacks on the intelligent power grid. The working environment of the electric intelligent terminal is complex, its types are numerous and the safety standards of different manufacturers differ, so a unified safety protection scheme is needed to improve its security.
Therefore, a protection scheme is needed that comprehensively improves the safety of the electric power intelligent terminal equipment.
Disclosure of Invention
The invention provides a safety protection system and a safety protection method suitable for electric intelligent terminal equipment, which are used for solving the problem of how to prevent the electric intelligent terminal equipment from being attacked.
To solve the above problems, according to an aspect of the present invention, there is provided a safety protection system suitable for an electric intelligent terminal device, the system comprising: a terminal equipment shell protection unit, a verification unit, a data interaction control unit, a communication control unit, and a center control unit positioned at the center side, wherein:
the terminal equipment shell protection unit is used for acquiring sensing data at one or more hardware interfaces of the electric intelligent terminal equipment, together with fingerprint information and face information of the operator, and for protecting the shell of the electric intelligent terminal equipment according to the sensing data, the fingerprint information and the face information;
the verification unit is used for carrying out security verification on the kernel image of the operating system, starting from the bootstrap program, based on the operating system dynamic integrity measurement architecture (Dynamic Integrity Measurement Architecture, DIMA) or the kernel integrity measurement architecture (Linux Kernel Integrity Measurement, LKIM), and for verifying the integrity of the installed application software based on verification value comparison and digital envelope technology, so as to ensure the boot security of the system;
the terminal control unit (the data interaction control unit) is used for controlling the hardware interfaces of the electric intelligent terminal equipment to realize port control; and for determining the data access level of an electric device according to its identity information and level function information, and establishing an access policy according to that data access level, so that the electric device performs data interaction with the intelligent terminal device according to the corresponding access policy, thereby realizing access control and identity authentication;
the communication control unit is used for encrypting and encapsulating the data to be transmitted so as to ensure its confidentiality and integrity; for realizing network isolation based on gatekeeper technology and server-side isolation technology, and providing security protection for the power intelligent terminal network by setting a security access area and identity authentication; for preventing intrusion from external systems using a traffic firewall; and for analysing and filtering received messages according to a preset protocol and determining whether a message is sent or discarded according to the analysis and filtering result;
the central control unit is used for carrying out access control, port control and identity authentication in cooperation with the terminal control unit; for monitoring and protecting application software in the application store; and for monitoring the running state of the electric intelligent terminal equipment.
Preferably, the terminal device housing protection unit is further configured to:
when the sensing data indicate that a hardware interface of the electric intelligent terminal equipment is abnormal, send abnormal information to the control center and raise an alarm.
Preferably, the system further comprises an application management unit and a secure storage and audit unit positioned at the terminal side, wherein:
the application management unit is used for managing the downloading, updating, deployment and/or running of application software of the operating system and for performing isolation processing when the application software is abnormal;
the secure storage and audit unit is used for securely storing the data of the power terminal equipment, recording and analysing logs, and recording the running condition of the operating system.
Preferably, the communication control unit analyzes and filters the received message according to a preset protocol, and determines the sending or discarding of the message according to the analysis and filtering result, including:
protocol processing is implemented and received messages are analysed and filtered: if the received message is an ARP message, the source MAC and destination MAC of the ARP message are checked; if the check passes the data packet is sent, otherwise it is discarded. If the received message is not an ARP message, the IP message is checked (source IP and destination IP) and then the TCP message (source port and destination port); if the checks pass the data packet is transmitted, otherwise it is discarded.
Preferably, the central control unit monitors and protects application software in the application store, and includes:
The uploaded application software is safely monitored by adopting a feature matching and behavior analysis technology, and the safety and the integrity of the application software in a store are protected by adopting a digital signature;
the central control unit monitors the running state of the electric power intelligent terminal equipment and comprises:
audit data of the terminal side are collected, key information is extracted with a log automation analysis tool (Performance Analysis of Log, PAL), and the running state of the electric intelligent terminal equipment is monitored according to the extracted key information.
According to another aspect of the present invention, there is provided a security protection method applicable to an electric power intelligent terminal device, the method comprising:
acquiring, by a terminal equipment shell protection unit, sensing data at one or more hardware interfaces of the electric intelligent terminal equipment together with fingerprint information and face information of the operator, and protecting the shell of the electric intelligent terminal equipment according to the sensing data, the fingerprint information and the face information;
performing, by a verification unit, security verification on the kernel image of the operating system, starting from the bootstrap program, based on the dynamic integrity measurement architecture DIMA or the kernel integrity measurement architecture LKIM of the operating system, and verifying the integrity of the installed application software based on verification value comparison and digital envelope technology, so that the boot security of the system is ensured;
controlling, by the terminal control unit, the hardware interfaces of the electric intelligent terminal equipment so that port control is realized; determining the data access level of the electric equipment according to its identity information and level function information, and establishing an access policy according to that data access level, so that the electric equipment performs data interaction with the electric intelligent terminal equipment according to the corresponding access policy, to realize access control and identity authentication;
encrypting and encapsulating, by a communication control unit, the data to be transmitted so as to ensure its confidentiality and integrity; realizing network isolation based on gatekeeper technology and server-side isolation technology, and providing security protection for the electric intelligent terminal network by setting a security access area and identity authentication; using a traffic firewall to prevent intrusion from external systems; and analysing and filtering received messages according to a preset protocol and determining whether a message is sent or discarded according to the analysis and filtering result;
performing, by the central control unit in cooperation with the terminal control unit, access control, port control and identity authentication; monitoring and protecting application software in the application store; and monitoring the running state of the electric intelligent terminal equipment.
Preferably, wherein the method further comprises:
when the sensing data indicate that a hardware interface of the electric intelligent terminal equipment is abnormal, sending abnormal information to the control center by means of the terminal equipment shell protection unit, so as to raise an alarm.
Preferably, wherein the method further comprises:
managing, by an application management unit, the downloading, updating, deployment and/or running of application software of the operating system, and performing isolation processing when the application software is abnormal;
securely storing, by the secure storage and audit unit, the data of the power terminal equipment, recording and analysing logs, and recording the running condition of the operating system.
Preferably, the communication control unit analyzes and filters the received message according to a preset protocol, and determines the sending or discarding of the message according to the analysis and filtering result, including:
protocol processing is implemented and received messages are analysed and filtered: if the received message is an ARP message, the source MAC and destination MAC of the ARP message are checked; if the check passes the data packet is sent, otherwise it is discarded. If the received message is not an ARP message, the IP message is checked (source IP and destination IP) and then the TCP message (source port and destination port); if the checks pass the data packet is transmitted, otherwise it is discarded.
Preferably, the monitoring and protecting the application software in the application store by using the central control unit includes:
the uploaded application software is safely monitored by adopting a feature matching and behavior analysis technology, and the safety and the integrity of the application software in a store are protected by adopting a digital signature;
monitoring, by the central control unit, the running state of the electric intelligent terminal equipment, comprising:
collecting audit data of the terminal side, extracting key information with a log automation analysis tool PAL, and monitoring the running state of the electric intelligent terminal equipment according to the extracted key information.
The invention provides a safety protection system and a safety protection method suitable for electric intelligent terminal equipment, which protect the terminal layer by layer from outside to inside: protecting and reinforcing the shell, processing physical signals, secure boot of the device, protecting kernel security, controlling device ports, setting up a firewall, constructing an intrusion detection system, setting a network isolation area and a security access area, and setting the access control authority of the device. The physical layer, the communication layer and the operating system of the electric intelligent terminal are thereby all protected.
Drawings
Exemplary embodiments of the present invention may be more completely understood in consideration of the following drawings:
fig. 1 is a schematic diagram of the structure of a security protection system 100 suitable for an electric intelligent terminal device according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a safety protection system suitable for an electric intelligent terminal device according to an embodiment of the present invention;
FIG. 3 is a diagram of physical layer security according to an embodiment of the present invention;
FIG. 4 is a diagram of operating system layer security according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a secure boot according to an embodiment of the present invention;
FIG. 6 is a flow chart of application management in accordance with an embodiment of the present invention;
FIG. 7 is a schematic diagram of communication layer security protection according to an embodiment of the present invention;
FIG. 8 is a flow chart of protocol analysis according to an embodiment of the present invention;
fig. 9 is a flowchart of a security protection method 900 applicable to an electric intelligent terminal device according to an embodiment of the present invention.
Detailed Description
The exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, however, the present invention may be embodied in many different forms and is not limited to the examples described herein, which are provided to fully and completely disclose the present invention and fully convey the scope of the invention to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to be limiting of the invention. In the drawings, like elements/components are referred to by like reference numerals.
Unless otherwise indicated, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. In addition, it will be understood that terms defined in commonly used dictionaries should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
Fig. 1 is a schematic diagram of the structure of a security protection system 100 suitable for an electric intelligent terminal device according to an embodiment of the present invention. As shown in fig. 1, the security protection system provided by the embodiment of the invention protects the electric power intelligent terminal device layer by layer from outside to inside: protecting and reinforcing the shell, processing physical signals, secure boot of the device, protecting kernel security, managing and controlling device ports, setting up a firewall, constructing an intrusion detection system, setting a network isolation area and a security access area, and setting the access control authority of the device. By reinforcing the physical layer, the communication layer and the operating system of the electric power intelligent terminal, it can effectively prevent the terminal system from being attacked and comprehensively improve its security. The safety protection system provided by the embodiment of the invention comprises: a terminal device housing protection unit 101, a verification unit 102, a data interaction control unit 103 and a communication control unit 104 on the terminal side, and a center control unit 105 on the center side.
Preferably, the terminal device shell protection unit 101 is configured to obtain sensing data at one or more hardware interfaces of the electric power intelligent terminal device, together with fingerprint information and face information of the operator, and to protect the shell of the electric power intelligent terminal device according to the sensing data, the fingerprint information and the face information.
Preferably, the terminal device housing protection unit 101 is further configured to:
when the sensing data indicate that a hardware interface of the electric intelligent terminal equipment is abnormal, send abnormal information to the control center and raise an alarm.
As shown in fig. 2, the framework of the safety protection system suitable for an electric intelligent terminal device according to an embodiment of the present invention comprises a terminal side and a center side. The terminal side is responsible for the protection of the specific equipment, and the center side realizes control of the terminal equipment. The terminal side is divided into a physical layer, an operating system layer and a communication layer. The physical layer is responsible for improving the isolation and fault tolerance of the power intelligent terminal equipment; the operating system layer is responsible for the security of the device operating system and ensures the secure interaction of the software and hardware of the intelligent electric equipment; the communication layer is responsible for communication security, guaranteeing the confidentiality, integrity and availability of the electric intelligent terminal's communications.
In the invention, the terminal equipment shell protection unit is located on the physical layer and is used for acquiring sensing data at one or more hardware interfaces of the electric intelligent terminal equipment, together with fingerprint information and face information of the operator, and for protecting the shell of the electric intelligent terminal equipment according to the sensing data, the fingerprint information and the face information; when the sensing data indicate that a hardware interface of the electric intelligent terminal equipment is abnormal, abnormal information is sent to the control center to raise an alarm.
As shown in fig. 3, the terminal equipment shell protection unit guarantees the safety of the terminal equipment through a shell protection mechanism and an access control mechanism, from outside to inside. Both are mainly realized through a shell protected by fingerprint recognition and face recognition: power staff must pass authentication before operating the device. The hardware detection mechanism is realized by sensors arranged at the important interfaces of the equipment; the sensors monitor the integrity of the hardware and, if a problem with the hardware is found, upload it to the control center, which raises an alarm.
Preferably, the verification unit 102 is configured to perform security verification on the kernel image of the operating system, starting from the bootstrap program, based on the dynamic integrity measurement architecture DIMA or the kernel integrity measurement architecture LKIM of the operating system, and to verify the integrity of the installed application software based on verification value comparison and digital envelope technology, so as to ensure the boot security of the system.
Preferably, the terminal control unit (data interaction control unit) 103 is configured to control the hardware interfaces of the electric intelligent terminal device so as to implement port control; and to determine the data access level of the electric equipment according to its identity information and level function information, and to establish an access policy according to that data access level, so that the electric equipment performs data interaction with the electric intelligent terminal equipment according to the corresponding access policy, realizing access control and identity authentication.
Preferably, the system further comprises an application management unit and a secure storage and audit unit positioned at the terminal side, wherein:
the application management unit is used for managing the downloading, updating, deployment and/or running of application software of the operating system and for performing isolation processing when the application software is abnormal;
the secure storage and audit unit is used for securely storing the data of the power terminal equipment, recording and analysing logs, and recording the running condition of the operating system.
As shown in fig. 2 and 4, the operating system layer is further divided into a boot layer, a kernel layer and an application layer. The verification unit is located on the boot layer, and the terminal control unit, the application management unit and the secure storage and audit unit are located on the kernel layer.
The verification unit of the boot layer starts from the bootstrap program, performs security verification on the kernel image of the operating system based on the DIMA or LKIM framework, judges the integrity of the kernel, verifies the integrity of the application software based on verification value comparison and digital envelope technology, and so ensures the boot security of the system; the specific flow is shown in fig. 5.
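The boot-time flow described above (measure the kernel image, then the installed application software, against stored verification values, and stop at the first mismatch), plus a runtime re-measurement standing in for the "dynamic" part of DIMA, as an added Python example; it is not the patent's own code, and the SHA-256 measurement, the manifest format and the sample images are assumptions.

```python
import hashlib
import hmac


def verification_value(data: bytes) -> str:
    """Verification value of one component: its SHA-256 digest (assumed algorithm)."""
    return hashlib.sha256(data).hexdigest()


def verify_boot_chain(components, reference_values):
    """Check each stage in boot order against its stored reference value.

    components: list of (name, image_bytes) in the order the bootstrap program
    loads them (kernel image first, then installed application software).
    reference_values: name -> expected verification value, assumed to be kept in
    storage the bootstrap program trusts (e.g. sealed with the bootloader).
    Returns (ok, verified_names, failed_name). The chain stops at the first
    mismatch so that nothing after a tampered or unknown stage is started.
    """
    verified = []
    for name, image in components:
        expected = reference_values.get(name)
        # compare_digest avoids leaking where the comparison diverged
        if expected is None or not hmac.compare_digest(verification_value(image), expected):
            return False, verified, name
        verified.append(name)
    return True, verified, None


class DynamicIntegrityMonitor:
    """Runtime re-measurement of components that passed the boot-time check.

    The baseline is the set of reference values; each later call to check()
    re-measures the current images and reports every component that drifted,
    so that a kernel or application modified after boot is still detected.
    """

    def __init__(self, reference_values):
        self.baseline = dict(reference_values)

    def check(self, current_components):
        drifted = []
        for name, image in current_components:
            if verification_value(image) != self.baseline.get(name):
                drifted.append(name)
        return drifted


# Constructed sample images and the reference values recorded for them at
# provisioning time (placeholders, not real firmware).
KERNEL_OK = b"constructed kernel image bytes v1"
APP_OK = b"constructed metering application package v1"
REFERENCE = {
    "kernel": verification_value(KERNEL_OK),
    "app.metering": verification_value(APP_OK),
}

if __name__ == "__main__":
    print(verify_boot_chain([("kernel", KERNEL_OK), ("app.metering", APP_OK)], REFERENCE))
    print(verify_boot_chain([("kernel", KERNEL_OK + b"patched"), ("app.metering", APP_OK)], REFERENCE))
    print(DynamicIntegrityMonitor(REFERENCE).check([("kernel", KERNEL_OK), ("app.metering", b"swapped")]))
```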
The terminal control unit of the kernel layer realizes the security of resource access control, implementing access control, port control and identity authentication. Access control and identity authentication means that, when information is exchanged with an electric equipment terminal, the access level of the device is classified according to the level function of the electric equipment and an access policy is established. Port control means controlling the important ports of the electric intelligent terminal equipment. Access control adopts role-based access control (RBAC): a list of trusted devices is created, a device access policy is established according to that list, and read-only or read-write rights are set for the various electric devices. Port control adopts a monitoring and early-warning mechanism that responds in time to the connection of unauthorized equipment. Identity authentication builds on the traditional password authentication method and adds a random factor and a time stamp to improve the strength of the authentication. The application management unit manages and controls the application software of the operating system based on process sandbox isolation technology, performs overall management of the downloading, updating, deployment and running of software, and isolates the software once an abnormality occurs. The secure storage module of the secure storage and audit unit protects the important data of the electric intelligent terminal equipment and prevents buffer overflow; the security audit module performs log recording and log analysis, records the running condition of the operating system, and provides a basis for handling abnormalities and ensuring security.
The security storage module is based on cryptographic algorithms such as SM1, SM2 and SM3, and comprises a buffer overflow attack prevention mechanism, and performs high-level encryption storage on system data. The security audit module is responsible for log analysis, adopts Lynis tools to carry out deep security scanning on the system, and judges the security state of the system according to the scanning result.
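The kernel-layer mechanisms described above, as an added Python example that is not the patent's own code: password-based authentication strengthened with a random factor (server-issued nonce) and a time stamp, followed by an RBAC check against a trusted-device list with read-only or read-write rights. The HMAC construction, the 30-second acceptance window, the device ids, secrets and roles are all assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed trusted-device list: device id -> password-derived shared secret and role.
TRUSTED_DEVICES = {
    "meter-01": {"secret": b"constructed-secret-meter-01", "role": "metering"},
    "rtu-07":   {"secret": b"constructed-secret-rtu-07",   "role": "control"},
}
# RBAC: role -> permitted operations (read-only vs read-write).
ROLE_RIGHTS = {
    "metering": {"read"},
    "control":  {"read", "write"},
}
MAX_CLOCK_SKEW = 30   # seconds a presented time stamp may differ from local time (assumed)


class TerminalControlUnit:
    """Identity authentication (password + random factor + time stamp) and access policy."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so the behaviour is testable
        self.pending = {}       # device_id -> random factor issued but not yet consumed
        self.sessions = set()   # device ids that passed authentication

    def challenge(self, device_id):
        """Issue the random factor for one authentication attempt; None for untrusted devices."""
        if device_id not in TRUSTED_DEVICES:
            return None
        nonce = os.urandom(16).hex()
        self.pending[device_id] = nonce
        return nonce

    @staticmethod
    def authenticator(device_id, secret, nonce, timestamp):
        """What the device returns: an HMAC over its identity, the random factor and
        the time stamp, keyed with its password-derived secret (assumed construction).
        The password itself never crosses the wire, and the nonce + time stamp make
        the value unusable for replay."""
        msg = f"{device_id}|{nonce}|{timestamp}".encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def verify(self, device_id, nonce, timestamp, tag):
        dev = TRUSTED_DEVICES.get(device_id)
        if dev is None:
            return False, "unknown device"
        if self.pending.get(device_id) != nonce:
            return False, "random factor not issued or already used"
        if abs(self.now() - timestamp) > MAX_CLOCK_SKEW:
            return False, "time stamp outside acceptance window"
        expected = self.authenticator(device_id, dev["secret"], nonce, timestamp)
        if not hmac.compare_digest(expected, tag):
            return False, "authenticator mismatch"
        del self.pending[device_id]        # each random factor is single-use
        self.sessions.add(device_id)
        return True, "authenticated"

    def authorize(self, device_id, operation):
        """Apply the access policy: an authenticated trusted device, and only the
        operations its role grants."""
        if device_id not in self.sessions:
            return False, "not authenticated"
        role = TRUSTED_DEVICES[device_id]["role"]
        if operation not in ROLE_RIGHTS.get(role, set()):
            return False, f"role {role} has no {operation} right"
        return True, f"{operation} permitted"


if __name__ == "__main__":
    tcu = TerminalControlUnit()
    nonce = tcu.challenge("meter-01")
    now = int(time.time())
    tag = TerminalControlUnit.authenticator("meter-01", TRUSTED_DEVICES["meter-01"]["secret"], nonce, now)
    print(tcu.verify("meter-01", nonce, now, tag))
    print(tcu.verify("meter-01", nonce, now, tag))   # replay of the same response is refused
    print(tcu.authorize("meter-01", "read"), tcu.authorize("meter-01", "write"))
```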
The application layer is responsible for controlling the downloading, installation, deployment and operation of the application software of the electric intelligent terminal equipment; the specific flow is shown in fig. 6. Downloading of application software uses message authentication codes, digital signatures and data timeliness verification to ensure the legitimacy of the software's source and the integrity of its data. The running of the application software relies on the secure storage module and the security audit module, and the service data stored locally by the application software are encrypted and protected under a mandatory access control policy.
Preferably, the communication control unit 104 is configured to encrypt and encapsulate the data to be transmitted so as to ensure its confidentiality and integrity; to realize network isolation based on gatekeeper (isolation gateway) technology and server-side isolation technology, and to protect the electric power intelligent terminal network by setting up a secure access area and identity authentication; to prevent intrusion by external systems using a traffic firewall; and to analyze and filter received messages according to a preset protocol, forwarding or discarding each message according to the analysis and filtering result.
Preferably, the communication control unit 104 analyzing and filtering the received message according to a preset protocol and determining whether to forward or discard the message according to the analysis and filtering result comprises:
performing protocol processing, and analyzing and filtering the received message; if the received message is an ARP message, checking the source MAC and destination MAC of the ARP message, forwarding the packet if the check passes and discarding it otherwise; if the received message is not an ARP message, checking the IP message (source IP and destination IP) and, for a TCP message, the source port and destination port, forwarding the packet if the check passes and discarding it otherwise.
As shown in fig. 2 and 7, the communication control unit is located in the communication layer, which is divided into a data layer, an interaction layer and a protocol layer. The data layer protects the confidentiality and integrity of the data of the electric power intelligent terminal device through an encryption module; the encryption module adopts the SM2 algorithm, an elliptic-curve cryptography (ECC) algorithm, and secures the data on the basis of digital signatures and symmetric encryption.
The interaction layer comprises a network access control module and an intrusion detection module. The network access control module protects the network used by the electric power intelligent terminal device and realizes network isolation and network identity authentication: network isolation is based on gatekeeper technology and server-side isolation technology, and the electric power intelligent terminal network is protected by setting up a secure access area and identity authentication. The intrusion detection module prevents effective external network attacks from entering the system and can restore the internal programs of the system pre-emptively, giving the device a self-repair capability; it prevents intrusion by external systems with a traffic-filtering firewall and builds an intrusion detection system with intelligent intrusion detection and wireless-network intrusion detection techniques.
The protocol layer ensures the security of the information transmission protocol through a protocol transmission module, which performs security analysis of the transmission protocol and protocol data packets used by the electric power intelligent terminal device. The transmission protocol module has two parts, protocol analysis and network attack detection, and analyzes the communication protocol used by the electric power intelligent terminal device to ensure protocol security. The protocol analysis flow is shown in fig. 8 and comprises: performing protocol processing, and analyzing and filtering the received message; if the packet is an ARP message, checking its source MAC and destination MAC, forwarding the packet if the check passes and discarding it otherwise; if the packet is not an ARP packet, checking the IP packet (source IP and destination IP) and, for a TCP packet, the source port and destination port, forwarding the packet if the check passes and discarding it otherwise.
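The protocol analysis flow described above for the communication control unit (fig. 8) and restated for the protocol layer is shown below as an added example; it is not the patent's own code. It parses a raw Ethernet frame, applies the ARP check on source and destination MAC, the IP check on source and destination address and the TCP check on the port pair, and defaults to discarding everything else. The local addresses, trusted MAC and IP lists and the allowed service ports are assumptions made for the example.

```python
import struct

BROADCAST = b"\xff" * 6
ETH_ARP, ETH_IPV4 = 0x0806, 0x0800
PROTO_TCP = 6

# Constructed policy for one terminal (hypothetical addresses).
LOCAL_MAC = bytes.fromhex("02000000aa01")
LOCAL_IP = "10.20.0.50"
TRUSTED_MACS = {bytes.fromhex("02000000bb02"), bytes.fromhex("02000000bb03")}
TRUSTED_IPS = {"10.20.0.1", "10.20.0.2", LOCAL_IP}
ALLOWED_TCP_PORTS = {2404, 20000}      # assumed service ports of the terminal


def _ip(raw):
    return ".".join(str(b) for b in raw)


def filter_frame(frame):
    """Return 'forward' or 'drop:<reason>' for one Ethernet frame (default deny)."""
    if len(frame) < 14:
        return "drop:short frame"
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETH_ARP:
        # ARP: check source MAC against the trusted list, destination MAC must be us or broadcast
        if src_mac not in TRUSTED_MACS:
            return "drop:arp source mac not trusted"
        if dst_mac not in (LOCAL_MAC, BROADCAST):
            return "drop:arp destination mac not ours"
        return "forward"
    if ethertype == ETH_IPV4:
        if len(payload) < 20:
            return "drop:short ip header"
        ihl = (payload[0] & 0x0F) * 4               # header length in bytes
        proto = payload[9]
        src_ip, dst_ip = _ip(payload[12:16]), _ip(payload[16:20])
        if src_ip not in TRUSTED_IPS or dst_ip not in TRUSTED_IPS:
            return "drop:ip address not allowed"
        if proto != PROTO_TCP:
            return "drop:non-tcp ip protocol"       # only TCP is examined further
        if len(payload) < ihl + 4:
            return "drop:short tcp header"
        sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
        # one end of the connection must be an allowed service port (inbound or reply)
        if sport not in ALLOWED_TCP_PORTS and dport not in ALLOWED_TCP_PORTS:
            return "drop:tcp port not allowed"
        return "forward"
    return "drop:ethertype not allowed"


def arp_frame(src_mac, dst_mac):
    """Constructed ARP request frame (sender/target fields zeroed, not needed by the filter)."""
    arp = struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1) + src_mac + bytes(4) + bytes(6) + bytes(4)
    return dst_mac + src_mac + struct.pack("!H", ETH_ARP) + arp


def tcp_frame(src_mac, src_ip, dst_ip, sport, dport, proto=PROTO_TCP):
    """Constructed IPv4 frame with a minimal 20-byte IP header and 20-byte TCP header."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return LOCAL_MAC + src_mac + struct.pack("!H", ETH_IPV4) + ip_hdr + tcp_hdr
```

Length checks precede every header read so that a truncated frame is dropped rather than indexing past the buffer; a filter that parses attacker-supplied headers is itself an attack surface.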
Preferably, the central control unit 105 is configured to perform access control, port control and identity authentication in cooperation with the terminal control unit; to monitor and protect the application software in the application store; and to monitor the running state of the electric power intelligent terminal device.
Preferably, the central control unit monitoring and protecting the application software in the application store comprises:
monitoring the uploaded application software with feature matching and behavior analysis techniques, and protecting the security and integrity of the application software in the store with digital signatures;
and the central control unit monitoring the running state of the electric power intelligent terminal device comprises:
collecting audit data from the terminal side, extracting key information with the log automation analysis tool PAL, and monitoring the running state of the electric power intelligent terminal device according to the extracted key information.
As shown in fig. 2, the central control unit is located on the central side and is divided into three parts: terminal equipment management and control, the secure application store, and security audit. The terminal equipment management and control part is responsible for monitoring the access rights of the equipment: access by the equipment is monitored on the central side and the access data are uploaded to the central side; it also cooperates with the terminal-side equipment to perform access control, port control and identity authentication. The secure application store part provides a platform for the software of the electric power intelligent terminal device and offers it software applications that are better suited and safer. The application store provides the software application platform for the electric power intelligent terminal device, monitors uploaded application programs with feature matching and behavior analysis techniques, and protects the security and integrity of the application software in the store with digital signatures. The security audit module collects audit data from the terminal side, extracts key information with PAL automated log analysis, and so monitors the running state of the terminal.
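The central-side security audit described above collects terminal-side audit data and extracts key information from it. The following added example, not the patent's own code and not the PAL tool it names, does that extraction over a small set of constructed audit records: it parses each record, reports malformed ones, groups failed authentications per terminal and device into bursts inside a sliding window, and lists unauthorized port connections and sandbox isolations. The record format, field names, thresholds and sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed record format: "<iso8601 ts> <terminal> <category> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<terminal>\S+)\s+(?P<category>\w+)\s+(?P<kv>.*)$")

SAMPLE_AUDIT_LINES = [  # constructed audit records, not real terminal output
    "2024-03-01T08:00:01Z dtu-0007 auth result=fail device=hmi-0003 reason=tag_mismatch",
    "2024-03-01T08:00:05Z dtu-0007 auth result=fail device=hmi-0003 reason=tag_mismatch",
    "2024-03-01T08:00:09Z dtu-0007 auth result=ok device=meter-0001",
    "2024-03-01T08:00:12Z dtu-0007 auth result=fail device=hmi-0003 reason=stale_timestamp",
    "2024-03-01T08:00:20Z dtu-0007 auth result=fail device=hmi-0003 reason=replayed_nonce",
    "2024-03-01T08:05:00Z dtu-0007 auth result=fail device=meter-0001 reason=tag_mismatch",
    "2024-03-01T08:06:30Z dtu-0007 port event=unauthorized_device port=USB0 mac=02:00:00:00:cc:09",
    "2024-03-01T08:07:02Z dtu-0007 app event=isolated app=meter-ui reason=sandbox_violation",
    "##truncated-record##",
]


def parse_line(line):
    """One record -> dict, or None when the line does not match the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "terminal": m["terminal"],
        "category": m["category"],
    }
    for token in m["kv"].split():
        if "=" in token:
            k, v = token.split("=", 1)
            rec[k] = v
    return rec


def extract_key_info(lines, fail_threshold=3, window_s=60):
    """Key information for the central side: auth-failure bursts, rogue ports, isolated apps."""
    records = [r for r in map(parse_line, lines) if r is not None]
    summary = {
        "parsed": len(records),
        "malformed": len(lines) - len(records),   # malformed audit data is itself a signal
        "auth_fail_bursts": [],
        "unauthorized_ports": [],
        "isolated_apps": [],
    }
    fails = defaultdict(list)
    for r in records:
        if r["category"] == "auth" and r.get("result") == "fail":
            fails[(r["terminal"], r.get("device"))].append(r["ts"])
        elif r["category"] == "port" and r.get("event") == "unauthorized_device":
            summary["unauthorized_ports"].append((r["terminal"], r.get("port"), r.get("mac")))
        elif r["category"] == "app" and r.get("event") == "isolated":
            summary["isolated_apps"].append((r["terminal"], r.get("app"), r.get("reason")))
    # sliding window: report a (terminal, device) once if >= threshold failures fall inside window_s
    for (terminal, device), stamps in fails.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j + 1 < len(stamps) and (stamps[j + 1] - stamps[i]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= fail_threshold:
                summary["auth_fail_bursts"].append((terminal, device, j - i + 1))
                break
    return summary
```

Grouping failures per device rather than per terminal keeps one noisy device from masking a quiet brute-force attempt by another, and counting malformed records catches a terminal whose logging has been tampered with or truncated.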
The protection scheme of the embodiment of the invention can be deployed layer by layer over the four parts, or synchronously. The specific process of layer-by-layer deployment is as follows: shell protection reinforcement, physical signal processing, secure boot of the device, kernel security protection of the device, management and control of the device ports, firewall setup, construction of the intrusion detection system, setting up of the network isolation area and the secure access area, and setting of the device access control rights. The protection scheme is deployed in sequence from outside to inside in a layer-by-layer protective manner, comprehensively improving the security of the electric power intelligent terminal. Layer-by-layer deployment is a holistic approach that considers the whole, but the layers can also be applied separately as the case requires, and security reinforcement can take any one of the four layers as its entry point. Physical-layer protection attaches importance to the physical protection of the electric power intelligent terminal device, including physical security and hardware security. Operating-system-layer protection starts from the operating system used by the electric power intelligent terminal device and places higher security requirements on it; the operating system protection measures point out the security requirements the electric power intelligent terminal operating system should attend to during design and operation. Communication-layer protection mainly protects the communication security of the electric power intelligent terminal, prevents virus intrusion and protects important data.
Central-side protection is a centralized control strategy that controls the electric power intelligent terminal devices centrally, and mainly realizes protection measures such as access control, identity verification and security audit. According to the protection scheme, the security of the electric power intelligent terminal device is reinforced through the reinforcement of the physical layer, the communication layer and the electric power intelligent terminal operating system, so that attacks on the electric power intelligent terminal system can be effectively prevented and the security of the electric power intelligent terminal comprehensively improved.
Fig. 9 is a flowchart of a security protection method 900 applicable to an electric power intelligent terminal device according to an embodiment of the present invention. As shown in fig. 9, the method 900 starts from step 901. In step 901, sensing data at at least one hardware interface of the electric power intelligent terminal device, and fingerprint information and face information of the operator, are acquired using the terminal device housing protection unit, and the housing of the electric power intelligent terminal device is protected according to the sensing data, the fingerprint information and the face information.
Preferably, the method further comprises:
when the sensing data indicate that a hardware interface of the electric power intelligent terminal device is abnormal, sending abnormality information to the control center through the terminal device housing protection unit to raise an alarm.
In step 902, the verification unit, starting from the boot program, performs security verification of the operating system kernel image based on the dynamic integrity measurement framework DIMA or the kernel integrity measurement framework LKIM of the operating system, and verifies the integrity of the installed application software by verification value comparison and digital envelope technology, so as to ensure secure system start-up.
Preferably, the method further comprises:
managing the downloading, updating, deployment and/or running of the application software of the operating system with an application management unit, and isolating the application software when it is abnormal;
and storing the data of the electric power terminal device securely with a secure storage and audit unit, recording and analyzing logs, and recording the running state of the operating system.
In step 903, the hardware interfaces of the electric power intelligent terminal device are controlled using the terminal control unit to realize port control; the data access level of the electric equipment is determined according to its identity information and level function information, and an access policy is established according to the data access level, so that the electric equipment exchanges data with the electric power intelligent terminal device according to the corresponding access policy, realizing access control and identity authentication.
In step 904, the data to be transmitted are encrypted and encapsulated using the communication control unit to ensure their confidentiality and integrity; network isolation is realized based on gatekeeper technology and server-side isolation technology, and the electric power intelligent terminal network is protected by setting up a secure access area and identity authentication; a traffic firewall is used to prevent intrusion by external systems; and received messages are analyzed and filtered according to a preset protocol and forwarded or discarded according to the analysis and filtering result.
Preferably, the communication control unit analyzing and filtering the received message according to a preset protocol and determining whether to forward or discard the message according to the analysis and filtering result comprises:
performing protocol processing, and analyzing and filtering the received message; if the received message is an ARP message, checking the source MAC and destination MAC of the ARP message, forwarding the packet if the check passes and discarding it otherwise; if the received message is not an ARP message, checking the IP message (source IP and destination IP) and, for a TCP message, the source port and destination port, forwarding the packet if the check passes and discarding it otherwise.
In step 905, the central control unit cooperates with the terminal control unit to perform access control, port control and identity authentication; monitors and protects the application software in the application store; and monitors the running state of the electric power intelligent terminal device.
Preferably, monitoring and protecting the application software in the application store with the central control unit comprises:
monitoring the uploaded application software with feature matching and behavior analysis techniques, and protecting the security and integrity of the application software in the store with digital signatures;
and monitoring the running state of the electric power intelligent terminal device with the central control unit comprises:
collecting audit data from the terminal side, extracting key information with the log automation analysis tool PAL, and monitoring the running state of the electric power intelligent terminal device according to the extracted key information.
The security protection method 900 applicable to the electric power intelligent terminal device according to the embodiment of the present invention corresponds to the security protection system 100 applicable to the electric power intelligent terminal device according to another embodiment of the present invention, and is not described again here.
The invention has been described with reference to a few embodiments. However, as is well known to those skilled in the art, other embodiments than the above disclosed invention are equally possible within the scope of the invention, as defined by the appended patent claims.
Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise therein. All references to "a/an/the [ means, component, etc. ]" are to be interpreted openly as referring to at least one instance of said means, component, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical aspects of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those of ordinary skill in the art that: modifications and equivalents may be made to the specific embodiments of the invention without departing from the spirit and scope of the invention, which is intended to be covered by the claims.

Claims (4)

1. A security protection system suitable for an electric power intelligent terminal device, the system comprising: a terminal device housing protection unit, a verification unit, a terminal control unit, a communication control unit, and a central control unit located on the central side,
the terminal device housing protection unit is used for acquiring sensing data at at least one hardware interface of the electric power intelligent terminal device, and fingerprint information and face information of an operator, and protecting the housing of the electric power intelligent terminal device according to the sensing data, the fingerprint information and the face information;
the verification unit is used for performing, starting from the boot program, security verification of the operating system kernel image based on the dynamic integrity measurement framework DIMA or the kernel integrity measurement framework LKIM of the operating system, verifying the integrity of the installed application software by verification value comparison and digital envelope technology, and ensuring secure system start-up;
the terminal control unit is used for controlling the hardware interfaces of the electric power intelligent terminal device to realize port control; and for determining the data access level of the electric equipment according to the identity information and level function information of the electric equipment, and establishing an access policy according to the data access level, so that the electric equipment exchanges data with the electric power intelligent terminal device according to the corresponding access policy, realizing access control and identity authentication;
the communication control unit is used for encrypting and encapsulating the data to be transmitted so as to ensure their confidentiality and integrity; for realizing network isolation based on gatekeeper technology and server-side isolation technology, and protecting the electric power intelligent terminal network by setting up a secure access area and identity authentication; for preventing intrusion by external systems using a traffic firewall; and for analyzing and filtering a received message according to a preset protocol, and determining whether to forward or discard the message according to the analysis and filtering result;
the central control unit is used for performing access control, port control and identity authentication in cooperation with the terminal control unit; for monitoring and protecting the application software in an application store; and for monitoring the running state of the electric power intelligent terminal device;
the communication control unit analyzing and filtering a received message according to a preset protocol and determining whether to forward or discard the message according to the analysis and filtering result comprises:
performing protocol processing, and analyzing and filtering the received message; if the received message is an ARP message, checking the source MAC and destination MAC of the ARP message, forwarding the packet if the check passes and discarding it otherwise; if the received message is not an ARP message, checking the IP message (source IP and destination IP) and, for a TCP message, the source port and destination port, forwarding the packet if the check passes and discarding it otherwise;
the system further comprises an application management unit and a secure storage and audit unit located on the terminal side; wherein
the application management unit is used for managing the downloading, updating, deployment and/or running of the application software of the operating system, and for isolating the application software when it is abnormal;
the secure storage and audit unit is used for storing the data of the electric power terminal device securely, recording and analyzing logs, and recording the running state of the operating system;
the central control unit monitoring and protecting the application software in the application store comprises:
monitoring the uploaded application software with feature matching and behavior analysis techniques, and protecting the security and integrity of the application software in the store with digital signatures;
the central control unit monitoring the running state of the electric power intelligent terminal device comprises:
collecting audit data from the terminal side, extracting key information with the log automation analysis tool PAL, and monitoring the running state of the electric power intelligent terminal device according to the extracted key information;
the terminal side is divided into a physical layer, an operating system layer and a communication layer; the physical layer is responsible for improving the isolation and fault tolerance of the electric power intelligent terminal device; the operating system layer is responsible for the security of the device operating system and ensures the security of the interaction between the software and hardware of the intelligent electric equipment; the communication layer is responsible for communication security and ensures the confidentiality, integrity and availability of the communication of the electric power intelligent terminal;
the terminal device housing protection unit ensures the security of the terminal device, from the outside inwards, through a housing protection mechanism, an access control mechanism and a hardware detection mechanism; the housing protection mechanism and the access control mechanism are realized by protecting the housing with fingerprint recognition and face recognition;
the operating system layer is divided into a boot layer, a kernel layer and an application layer; the terminal control unit, the application management unit and the secure storage and audit unit are located in the kernel layer;
the verification unit of the boot layer, starting from the boot program, performs security verification of the operating system kernel image based on the DIMA or LKIM framework, judges the integrity of the kernel, verifies the integrity of the application software by verification value comparison and digital envelope technology, and ensures secure system start-up;
the terminal control unit of the kernel layer is used for securing resource access and implementing access control, port control and identity authentication; access control and identity authentication mean that, when information is exchanged with an electric equipment terminal, the access level of the equipment is classified according to the level functions of the electric equipment and an access policy is established; port control means that the important ports of the electric power intelligent terminal device are controlled; access control adopts role-based access control, a list of trusted devices is created, a device access policy is established according to the list, and read-only or read-write rights are set for the various kinds of electric equipment; port control adopts a monitoring and early-warning mechanism and responds in time to the connection of unauthorized equipment; identity authentication extends the traditional password authentication method with a random factor and a time stamp to improve authentication strength; the application management unit is used for managing and controlling the application software of the operating system on the basis of process sandbox isolation, managing the downloading, updating, deployment and running of the software at a macroscopic level, and isolating an application as soon as an abnormality occurs; the secure storage module of the secure storage and audit unit protects the important data of the electric power intelligent terminal device and prevents buffer overflows, and the security audit module is used for log recording and log analysis, records the running state of the operating system, and provides the basis for handling abnormalities and ensuring security; the secure storage module is based on the SM1, SM2 and SM3 cryptographic algorithms, includes a buffer-overflow attack prevention mechanism, and stores system data with high-strength encryption; the security audit module is responsible for log analysis, uses the Lynis tool to perform a deep security scan of the system, and judges the security state of the system from the scan results;
the downloading of application software adopts message authentication codes, digital signatures and data timeliness verification to ensure the legitimacy of the software source and the integrity of the data; the running of the application software relies on the secure storage module and the security audit module, and the service data stored locally by the application software is encrypted and protected under a mandatory access policy;
the communication layer is divided into a data layer, an interaction layer and a protocol layer; the data layer protects the confidentiality and integrity of the data of the electric power intelligent terminal device through an encryption module, the encryption module adopts the SM2 algorithm, an elliptic-curve cryptography (ECC) algorithm, and the security of the data is ensured on the basis of digital signature and symmetric encryption technology;
the interaction layer comprises a network access control module and an intrusion detection module; the network access control module protects the network used by the electric power intelligent terminal device and realizes network isolation and network identity authentication; network isolation is realized based on gatekeeper technology and server-side isolation technology, and the electric power intelligent terminal network is protected by setting up a secure access area and identity authentication; the intrusion detection module prevents effective external network attacks from entering the system and can restore the internal programs of the system pre-emptively, giving the device a self-repair capability; the intrusion detection module prevents intrusion by external systems with a traffic-filtering firewall, and builds an intrusion detection system with intelligent intrusion detection and wireless-network intrusion detection techniques.
2. The system of claim 1, wherein the terminal device housing protection unit is further configured to:
when the sensing data indicate that a hardware interface of the electric power intelligent terminal device is abnormal, send abnormality information to a control center and raise an alarm.
3. A security protection method suitable for an electric power intelligent terminal device, the method comprising:
acquiring, with a terminal device housing protection unit, sensing data at at least one hardware interface of the electric power intelligent terminal device, and fingerprint information and face information of an operator, and protecting the housing of the electric power intelligent terminal device according to the sensing data, the fingerprint information and the face information;
performing, with a verification unit and starting from the boot program, security verification of the operating system kernel image based on the dynamic integrity measurement framework DIMA or the kernel integrity measurement framework LKIM of the operating system, and verifying the integrity of the installed application software by verification value comparison and digital envelope technology, so as to ensure secure system start-up;
controlling the hardware interfaces of the electric power intelligent terminal device with a terminal control unit to realize port control; determining the data access level of the electric equipment according to the identity information and level function information of the electric equipment, and establishing an access policy according to the data access level, so that the electric equipment exchanges data with the electric power intelligent terminal device according to the corresponding access policy, realizing access control and identity authentication;
encrypting and encapsulating the data to be transmitted with a communication control unit so as to ensure their confidentiality and integrity; realizing network isolation based on gatekeeper technology and server-side isolation technology, and protecting the electric power intelligent terminal network by setting up a secure access area and identity authentication; using a traffic firewall to prevent intrusion by external systems; and analyzing and filtering the received message according to a preset protocol, and determining whether to forward or discard the message according to the analysis and filtering result;
the central control unit cooperating with the terminal control unit to perform access control, port control and identity authentication; monitoring and protecting the application software in an application store; and monitoring the running state of the electric power intelligent terminal device;
the communication control unit analyzing and filtering the received message according to a preset protocol and determining whether to forward or discard the message according to the analysis and filtering result comprises:
performing protocol processing, and analyzing and filtering the received message; if the received message is an ARP message, checking the source MAC and destination MAC of the ARP message, forwarding the packet if the check passes and discarding it otherwise; if the received message is not an ARP message, checking the IP message (source IP and destination IP) and, for a TCP message, the source port and destination port, forwarding the packet if the check passes and discarding it otherwise;
The method further comprises the steps of:
using an application management unit to manage the downloading, updating, deployment and/or running of application software of the operating system, and performing isolation processing when the application software behaves abnormally;
using a secure storage and audit unit to store the data of the electric terminal equipment securely, to record and analyse logs, and to record the running condition of the operating system;
the monitoring and protecting of application software in the application store by the central control unit comprises:
performing security monitoring of uploaded application software by means of feature matching and behaviour analysis, and protecting the security and integrity of the application software in the store by means of digital signatures;
the monitoring of the running state of the electric intelligent terminal equipment by the central control unit comprises:
collecting audit data from the terminal side, extracting key information with the log automation analysis tool PAL, and monitoring the running state of the electric intelligent terminal equipment according to the extracted key information;
the terminal side is divided into a physical layer, an operating system layer and a communication layer; the physical layer is responsible for improving the isolation and fault tolerance of the electric intelligent terminal equipment; the operating system layer is responsible for the security of the equipment's operating system and ensures secure interaction between the software and hardware of the intelligent electric equipment; the communication layer is responsible for communication security, guaranteeing the confidentiality, integrity and availability of the electric intelligent terminal's communications;
the terminal equipment shell protection unit ensures the security of the terminal equipment, from the outside inward, through a shell protection mechanism, an access control mechanism and a hardware detection mechanism; the shell protection mechanism and the access control mechanism are realized through a protective shell with fingerprint identification and face recognition;
the operating system layer is divided into a boot layer, a kernel layer and an application layer; the terminal control unit, the application management unit and the secure storage and audit unit are located in the kernel layer;
the verification unit of the boot layer, starting from the boot program, performs security verification on the operating system kernel image based on the DIMA or LKIM framework, judges the integrity of the kernel, verifies the integrity of the application software based on verification value comparison and digital envelope technology, and ensures secure system start-up;
the terminal control unit of the kernel layer is used to secure resource access, implementing access control, port control and identity authentication; access control and identity authentication mean that, when information is exchanged with an electric equipment terminal, the access level of the equipment is classified according to the level and function of the electric equipment and an access policy is established; port control means that the important ports of the electric intelligent terminal equipment are controlled; access control adopts role-based access control technology: a list of trusted devices is created, a device access policy is established according to the list, and read-only or read-write rights are set for the various electric devices; port control adopts a monitoring-early warning mechanism and responds in time to the connection of unauthorized devices; identity authentication builds on the conventional password authentication method by adding a random factor and a timestamp to raise the strength of security authentication; the application management unit manages and controls the application software of the operating system based on process sandbox isolation technology, performs overall management of software downloading, updating, deployment and running, and performs isolation processing once an abnormality occurs; the secure storage module of the secure storage and audit unit protects important data of the electric intelligent terminal equipment and prevents buffer overflow, while the security audit module performs log recording and log analysis, records the running condition of the operating system, and provides a basis for handling abnormalities and ensuring security; the secure storage module is based on the SM1, SM2 and SM3 cryptographic algorithms, includes a buffer-overflow attack prevention mechanism, and performs high-level encrypted storage of system data; the security audit module is responsible for log analysis, uses the Lynis tool to perform deep security scanning of the system, and judges the security state of the system according to the scan results;
the downloading of application software uses message authentication codes, digital signatures and data timeliness verification to ensure the legitimacy of the software's source and its data integrity; the running of application software relies on the secure storage module and the security audit module, and the service data stored locally by application software is encrypted and protected under a mandatory access policy;
the communication layer is divided into a data layer, an interaction layer and a protocol layer; the data layer protects the confidentiality and integrity of the data of the electric intelligent terminal equipment through an encryption module; the encryption module adopts the SM2 elliptic-curve (ECC) algorithm and ensures data security on the basis of digital signature and symmetric encryption technology;
the interaction layer comprises a network access control module and an intrusion detection module; the network access control module provides security protection for the network used by the electric intelligent terminal equipment, realizing network isolation and network identity authentication; network isolation is realized based on general gateway technology and server-side isolation technology, and security protection is provided for the electric intelligent terminal network by setting up a secure access area and identity authentication; the intrusion detection module prevents effective external network attacks from entering the system and can predictively restore the internal programs of the system, giving the device self-repairing capability; the intrusion detection module effectively prevents intrusion from external systems by means of a traffic-filtering firewall, and establishes an intrusion detection system using intelligent intrusion detection and wireless-network intrusion detection technologies.
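The ARP / IP / TCP decision order described for the communication control unit, written out as an allow-list filter. This is an added illustration, not code from the patent; the MAC and IP pairs, service ports, packets, the ephemeral-source-port rule and the default-deny treatment of non-TCP IP traffic are all constructed assumptions.

```python
"""Allow-list message filter following the claim's ARP / IP / TCP decision
order. Added illustration; addresses, ports and packets are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed allow-lists for one hardware interface of the terminal.
ALLOWED_MAC_PAIRS = {("00:11:22:33:44:55", "66:77:88:99:aa:bb")}  # (src, dst)
ALLOWED_IP_PAIRS = {("10.0.0.5", "10.0.0.1")}                      # (src, dst)
ALLOWED_TCP_DST_PORTS = {502, 2404}  # Modbus/TCP, IEC 60870-5-104 (constructed)


@dataclass
class Message:
    kind: str                     # "arp" or "ip"
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None   # "tcp", "udp", ... when kind == "ip"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def arp_check(msg: Message) -> bool:
    """ARP message: only the source and destination MAC are checked."""
    return (msg.src_mac, msg.dst_mac) in ALLOWED_MAC_PAIRS


def ip_check(msg: Message) -> bool:
    """IP message: source/destination IP; for TCP also source/destination port."""
    if (msg.src_ip, msg.dst_ip) not in ALLOWED_IP_PAIRS:
        return False
    if msg.proto == "tcp":
        # Destination must be an allowed service port and the source an
        # unprivileged (ephemeral) port. This port policy is an assumption.
        return (msg.dst_port in ALLOWED_TCP_DST_PORTS
                and msg.src_port is not None
                and 1024 <= msg.src_port <= 65535)
    # Assumption not stated in the claim: non-TCP IP traffic is discarded,
    # i.e. the filter is default-deny.
    return False


def filter_message(msg: Message) -> str:
    """Return 'send' or 'discard', as the communication control unit would."""
    passed = arp_check(msg) if msg.kind == "arp" else ip_check(msg)
    return "send" if passed else "discard"
```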
4. The method according to claim 3, characterized in that the method further comprises:
when the sensing data indicate that a hardware interface of the electric intelligent terminal equipment is abnormal, using the terminal equipment shell protection unit to send abnormality information to a control center to raise an alarm.
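The terminal control unit's trusted-device list with role-based read-only / read-write rights, the early-warning response to an unlisted device, and password-based identity authentication strengthened with a random factor and a timestamp, as an added example that is not the patent's own code. The device ids, shared secrets, the HMAC-SHA256 construction, the 30-second freshness window and the one-time-nonce rule are assumptions.

```python
"""Trusted-device access policy and challenge-response identity authentication
(password credential plus random factor and timestamp). Added illustration;
device ids, secrets and timestamps are constructed."""
import hashlib
import hmac
import secrets

# Constructed trusted-device list: device id -> (role, shared secret). The
# secret stands in for the device's password credential in the claim's terms.
TRUSTED_DEVICES = {
    "meter-0001": ("reader", b"constructed-secret-meter-0001"),
    "rtu-0002": ("operator", b"constructed-secret-rtu-0002"),
}
# Role-based access policy: read-only or read-write rights per role.
ROLE_RIGHTS = {"reader": {"read"}, "operator": {"read", "write"}}
MAX_SKEW = 30  # seconds of tolerated clock difference (assumed value)


def access_decision(device_id: str, op: str) -> str:
    """'allow' or 'deny' for a listed device; 'alarm' for an unlisted one
    (the monitoring-early warning response to an unauthorised connection)."""
    if device_id not in TRUSTED_DEVICES:
        return "alarm"
    role, _ = TRUSTED_DEVICES[device_id]
    return "allow" if op in ROLE_RIGHTS[role] else "deny"


def new_challenge(issued: set) -> str:
    """Terminal side: issue a fresh random factor and remember it."""
    nonce = secrets.token_hex(16)
    issued.add(nonce)
    return nonce


def respond(device_id: str, nonce: str, ts: int, secret: bytes) -> str:
    """Device side: HMAC-SHA256 over device id, random factor and timestamp."""
    data = f"{device_id}|{nonce}|{ts}".encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def verify(device_id: str, nonce: str, ts: int, tag: str, now: int,
           issued: set) -> bool:
    """Terminal side: device must be trusted, the nonce must be one we issued
    and not yet used, the timestamp must be fresh, and the tag must match."""
    if device_id not in TRUSTED_DEVICES or nonce not in issued:
        return False
    if abs(now - ts) > MAX_SKEW:
        return False
    issued.discard(nonce)  # one-time use: a replayed response fails here
    expected = respond(device_id, nonce, ts, TRUSTED_DEVICES[device_id][1])
    return hmac.compare_digest(expected, tag)
```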
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011223633.0A CN112511494B (en) 2020-11-05 2020-11-05 Safety protection system and method suitable for electric power intelligent terminal equipment

Publications (2)

Publication Number Publication Date
CN112511494A CN112511494A (en) 2021-03-16
CN112511494B true CN112511494B (en) 2023-10-31

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114285598A (en) * 2021-11-23 2022-04-05 贵州电网有限责任公司 Safety protection design method of intelligent measurement system
CN114301649A (en) * 2021-12-21 2022-04-08 青岛鼎信通讯股份有限公司 Information security protection method for electric power measurement and control terminal
CN114978769B (en) * 2022-07-19 2023-08-18 济南慧天云海信息技术有限公司 Unidirectional leading-in device, unidirectional leading-in method, unidirectional leading-in medium and unidirectional leading-in equipment
CN115086233B (en) * 2022-08-17 2022-11-11 北京左江科技股份有限公司 FPGA-based network message key information extraction and forwarding method
CN116401722A (en) * 2023-03-29 2023-07-07 河南奕磐信息技术有限公司 Information technology terminal with safety protection based on big data

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102880826A (en) * 2012-08-29 2013-01-16 华南理工大学 Dynamic integrity measurement method for security of electronic government cloud platform
WO2015149663A1 (en) * 2014-04-03 2015-10-08 国家电网公司 System and method for trapping network attack on embedded device in smart power grid
CN110691064A (en) * 2018-09-27 2020-01-14 国家电网有限公司 Safety access protection and detection system for field operation terminal
CN110958262A (en) * 2019-12-15 2020-04-03 国网山东省电力公司电力科学研究院 Ubiquitous Internet of things safety protection gateway system, method and deployment architecture in power industry

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant