CN113676446A - Communication network safety error-proof control method, system, electronic equipment and medium - Google Patents


Info

Publication number
CN113676446A
Authority
CN
China
Prior art keywords
control
data
authorization
error
safety
Prior art date
Legal status
Granted
Application number
CN202110772598.6A
Other languages
Chinese (zh)
Other versions
CN113676446B
Inventor
洪丹轲
杨志敏
黄强
陈一童
谢俊毅
冯晓芳
吴桂龙
贺云
Current Assignee
China Southern Power Grid Co Ltd
Original Assignee
China Southern Power Grid Co Ltd
Priority date
Filing date
Publication date
Application filed by China Southern Power Grid Co Ltd
Priority to CN202110772598.6A
Publication of CN113676446A
Application granted
Publication of CN113676446B
Legal status: Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security (all of the following are subgroups of H04L63/00)
    • H04L63/20 for managing network security; network security policies in general
    • H04L63/04 for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 (under H04L63/04) wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 for authentication of entities
    • H04L63/083 (under H04L63/08) using passwords
    • H04L63/0853 (under H04L63/08) using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L63/0861 (under H04L63/08) using biometrical features, e.g. fingerprint, retina-scan
    • H04L63/10 for controlling access to devices or network resources
    • H04L63/101 (under H04L63/10) Access control lists [ACL]

Abstract

The invention provides a communication network security anti-error control method, system, electronic device and medium. Each step of the method is carried out only after security authorization and/or anti-error authorization, and the steps comprise: receiving a network control demand instruction and generating a control scheme preset data script; generating control scheme data from the control scheme preset data script and verifying the feasibility and/or security of the control scheme data; generating a control script command from the control scheme data that has passed feasibility verification and/or security verification; and verifying the legality of the control script command, sending the legal control script command to the network management system (the network manager), and receiving the control result returned by the network management system. By means of technical means such as an actively preset scheme and an active checking scheme, the invention overcomes the passivity of power communication network control, realizes a secure and efficient active control function for the communication network, and improves control efficiency while ensuring security and reliability.

Description

Communication network safety error-proof control method, system, electronic equipment and medium
Technical Field
The present invention relates to the field of communication control technology, and in particular to a method, system, electronic device and medium for communication network security anti-error control.
Background
A typical application scenario of communication operation management and control is the power enterprise, where the communication department of the enterprise carries out production management so that the communication network operates normally and communication remains unobstructed across the whole process and the whole network. The development trend in communication operation management and control is standardization, efficiency and intelligence, so building a communication operation management and control system has considerable practical significance.
However, the operation of a communication operation management and control system faces serious network security risks and serious misoperation risks, and how to improve such a system for network security and misoperation prevention is a challenge for the industry.
For example, the prior art includes a service-based remote control checking method for dispatch remote control. It supports a service-oriented architecture and uses the request/response mode provided by a service bus: when the dispatch master station performs a remote control operation, it invokes the substation remote control checking service through the interface provided by the service bus, and a triple check of the remote control information is carried out to obtain a checking result, so that remote control checking is implemented and the safety and reliability of the remote control operation are improved. The triple remote control information check consists of security authentication by the service bus, information checking by the remote control checking service, and remote control checking by the measurement and control device.
Although this prior art is highly flexible and the master station neither calls the substation directly nor needs to know the implementation details of the service the substation provides, it does not prevent and control network security risks comprehensively and provides no anti-error guarantee.
Similarly, other prior art often suffers from incomplete prevention and control of network security and misoperation risks, and from control schemes being generated independently by a third party without any presetting.
Therefore, a communication network security anti-error control system, method, electronic device and medium that make communication operation management and control more standardized, efficient and intelligent, and that support building an intelligent operation management and control system, are of considerable value.
Disclosure of Invention
To solve the problems of the prior art, embodiments of the present invention provide a method, system, electronic device and medium for communication network security anti-error (misoperation prevention) control.
The invention provides a communication network security anti-error control method comprising the following steps:
after security authorization and/or anti-error authorization, receiving a network control demand instruction and generating a control scheme preset data script;
after security authorization and/or anti-error authorization, generating control scheme data from the control scheme preset data script, and verifying the feasibility and/or security of the control scheme data;
after security authorization and/or anti-error authorization, generating a control script command from the control scheme data that has passed feasibility verification and/or security verification;
after security authorization and/or anti-error authorization, verifying the legality of the control script command, sending the legal control script command to the network management system, and receiving the control result returned by the network management system.
In the communication network security anti-error control method provided by the invention, the step of receiving a network control demand instruction and generating a control scheme preset data script after security authorization and/or anti-error authorization comprises:
receiving the network control demand instruction after first security guarantee authorization; compiling and/or importing control target data after first security guarantee authorization; compiling and/or importing constraint condition data after first security guarantee authorization; and generating the control scheme preset data script from the control target data and/or the constraint condition data after first security guarantee authorization;
the first security guarantee authorization comprises any one or any combination of face recognition, fingerprint recognition, USBKey authentication, password verification and SMS verification code verification.
In the communication network security anti-error control method provided by the invention, the step of generating control scheme data from the control scheme preset data script and verifying the feasibility and/or security of the control scheme data after security authorization and/or anti-error authorization comprises:
receiving the control scheme preset data script after second security guarantee authorization; generating control scheme data and performing an anti-error check after second security guarantee authorization; and performing static verification and/or dynamic verification on the control scheme data after second security guarantee authorization: if the verification result is secure and feasible, continuing with the set operation after anti-error check authorization; if the verification result is insecure and/or infeasible, stopping or terminating the transmission of the control scheme data;
static verification means verifying the feasibility and/or security of the control scheme data against static data entered from the resource system;
dynamic verification means verifying the feasibility and/or security of the control scheme data against real-time data collected by comprehensive monitoring;
feasibility verification comprises any one or any combination of a topology reachability check, a resource quantity check, a route check and a constraint condition check;
security verification comprises any one or any combination of a resource state check, a performance state check and a service count check;
the second security guarantee authorization comprises any one or any combination of data encryption, digital signatures, dedicated channels and whitelist policies;
and the anti-error check comprises judging whether there is a human operation error and/or judging whether the scheme data is accurate.
In the communication network security anti-error control method provided by the invention, the step of generating a control script command from the control scheme data that has passed feasibility verification and/or security verification after security authorization and/or anti-error authorization comprises:
receiving control scheme data whose verification result is secure and feasible after third security guarantee authorization; packaging the control scheme data after third security guarantee authorization; encrypting the packaged control scheme data to generate the control script command after third security guarantee authorization; and issuing the control script command after third security guarantee authorization;
the third security guarantee authorization comprises any one or any combination of proprietary protocols, data encryption, digital signatures, dedicated channels and whitelist policies.
In the communication network security anti-error control method provided by the invention, the step of verifying the legality of the control script command, sending the legal control script command to the network management system and receiving the control result returned by the network management system after security authorization and/or anti-error authorization comprises the following, each performed after fourth security guarantee authorization:
receiving the control script command and performing an anti-error check; performing a legality check on the control script command; if the legality check result is illegal, stopping or terminating the transmission of the control scheme data; if the legality check result is legal, issuing the control script command; receiving the control result returned by the network management system; and updating the database;
the fourth security guarantee authorization comprises any one or any combination of proprietary protocols, data encryption, digital signatures, dedicated channels and whitelist policies;
the legality check comprises any one or any combination of a packaging format legality check, a packaging parameter legality check, an input type check and a non-input type check;
and the anti-error check comprises judging whether there is a human operation error and/or judging whether the scheme data is accurate.
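The third and fourth security guarantee steps above (packaging and signing the control scheme data into a control script command, then checking that command's legality before it is issued to the network management system) can be shown end to end. The Python below is an added example written for this page, not code from the patent or from China Southern Power Grid. It assumes an HMAC-SHA256 tag under a pre-shared key as a stand-in for the digital signature, a constructed whitelist of operations, parameters and network managers, and an interpretation of two terms the page does not define: "input type check" is read as type checking of operator-supplied parameters, and "non-input type check" as checking envelope fields the operator did not type (destination, issue time). Data encryption and the dedicated channel are not shown.

```python
import hashlib
import hmac
import json
import time

# Assumed pre-shared key between the control interface service and the network
# management adaptation service. The HMAC stands in for the patent's "digital
# signature"; a production system would use an asymmetric signature so that the
# receiving side cannot forge commands with the verification key.
PSK = b"constructed-demo-key-do-not-use"

# Assumed whitelist policy: accepted operations, each with the exact parameter
# names and Python types it may carry.
COMMAND_WHITELIST = {
    "circuit_activate":   {"circuit_id": str, "src": str, "dst": str, "bandwidth": int},
    "circuit_deactivate": {"circuit_id": str},
    "loopback":           {"port": str, "mode": str},
}
ALLOWED_NMS = {"nms-south-01", "nms-south-02"}   # assumed whitelist of network managers
MAX_AGE_S = 300                                   # assumed freshness window in seconds
REQUIRED_FIELDS = {"version", "nms", "operator", "issued_at", "operation", "params"}


def _canonical(body):
    # Deterministic encoding so both sides sign exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def package_command(operation, params, nms, operator, now=None):
    """Control interface side: package the verified scheme data and sign the package."""
    body = {"version": 1, "nms": nms, "operator": operator,
            "issued_at": int(now if now is not None else time.time()),
            "operation": operation, "params": params}
    payload = _canonical(body)
    tag = hmac.new(PSK, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "sig": tag}


def validity_check(command, now=None):
    """Adaptation side: return the list of failed checks; an empty list means 'legal'."""
    failures = []
    # 1. Packaging format check: outer envelope, parseable JSON object, all fields present.
    if not (isinstance(command, dict) and isinstance(command.get("payload"), str)
            and isinstance(command.get("sig"), str)):
        return ["format:envelope"]
    try:
        body = json.loads(command["payload"])
    except ValueError:
        return ["format:json"]
    if not isinstance(body, dict) or not REQUIRED_FIELDS <= set(body) or body.get("version") != 1:
        return ["format:fields"]
    # 2. Signature check before anything inside the body is trusted.
    expected = hmac.new(PSK, command["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, command["sig"]):
        return ["signature"]
    # 3. Non-input checks: fields the operator did not type (destination NMS, age).
    if body["nms"] not in ALLOWED_NMS:
        failures.append("nms_whitelist")
    now = now if now is not None else time.time()
    if not isinstance(body["issued_at"], int) or not 0 <= now - body["issued_at"] <= MAX_AGE_S:
        failures.append("freshness")
    # 4. Packaging parameter check and input type check against the whitelist.
    spec = COMMAND_WHITELIST.get(body["operation"])
    if spec is None:
        failures.append("operation_whitelist")
        return failures
    params = body["params"]
    if not isinstance(params, dict) or set(params) != set(spec):
        failures.append("parameter_set")
        return failures
    for name, typ in spec.items():
        value = params[name]
        # bool is a subclass of int in Python; do not let True pass as a bandwidth.
        if isinstance(value, bool) or not isinstance(value, typ):
            failures.append(f"type:{name}")
    return failures


if __name__ == "__main__":
    cmd = package_command("circuit_activate",
                          {"circuit_id": "C-001", "src": "A", "dst": "D", "bandwidth": 200},
                          "nms-south-01", "op-zhang", now=1_700_000_000)
    print(validity_check(cmd, now=1_700_000_010))
```

The signature is verified before any field of the body is interpreted, and the parameter set must match the whitelist exactly, so a packaged command cannot smuggle an extra parameter or an operation the policy does not list even if the rest of the package is well formed.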
In the communication network security anti-error control method provided by the invention, the anti-error check comprises the following steps:
extracting security anti-error feature data by natural language processing, computing association degree data from the security anti-error feature data, and judging from the association degree data whether a misoperation exists: if the judgment result is that no misoperation exists, continuing with the set operation; if the judgment result is that a misoperation exists, stopping or terminating the misoperation.
The invention also provides a communication network security anti-error control system comprising a security guarantee module, a control condition preset module, a control scheme check module, a control interface service module and a network management adaptation service module;
the control condition preset module receives a network control demand instruction and generates a control scheme preset data script;
the control scheme check module generates control scheme data from the control scheme preset data script and verifies the feasibility and/or security of the control scheme data;
the control interface service module generates a control script command from the control scheme data that has passed feasibility verification and/or security verification;
the network management adaptation service module verifies the legality of the control script command, sends the legal control script command to the network management system and receives the control result returned by the network management system;
the security guarantee module cooperates with any one or any combination of the control condition preset module, the control scheme check module, the control interface service module and the network management adaptation service module to provide security authorization and/or anti-error authorization.
In the communication network security anti-error control system provided by the invention, the control condition preset module comprises a trigger unit, a control target unit, a constraint unit and a control scheme preset unit;
the trigger unit receives a network control demand instruction and triggers the control target unit and/or the constraint unit;
the control target unit compiles and/or imports control target data;
the constraint unit compiles and/or imports constraint condition data;
the control scheme preset unit generates the control scheme preset data script from the control target data and/or the constraint condition data.
In the communication network security anti-error control system provided by the invention, the security guarantee module comprises any one or any combination of a control condition preset module security guarantee unit, a control scheme check module security check unit, a control interface service module security guarantee unit, a network management adaptation service module security check unit and a security anti-error control unit;
the control condition preset module security guarantee unit cooperates with the control condition preset module and comprises any one or any combination of a face recognition verification subunit, a fingerprint recognition verification subunit, a USBKey verification subunit, a password verification subunit and an SMS verification code verification subunit;
the control scheme check module security guarantee unit cooperates with the control scheme check module and comprises any one or any combination of a data encryption subunit, a digital signature subunit, a dedicated channel subunit and a whitelist subunit;
the control scheme check module security check unit cooperates with the control scheme check module and comprises any one or any combination of a topology reachability check subunit, a resource quantity check subunit, a route check subunit, a constraint condition check subunit, a resource state check subunit, a performance state check subunit and a service count check subunit;
the control interface service module security guarantee unit cooperates with the control interface service module and comprises any one or any combination of a proprietary protocol subunit, a data encryption subunit, a digital signature subunit, a dedicated channel subunit and a whitelist subunit;
the network management adaptation service module security guarantee unit cooperates with the network management adaptation service module and comprises any one or any combination of a proprietary protocol subunit, a data encryption subunit, a digital signature subunit, a dedicated channel subunit and a whitelist subunit;
the network management adaptation service module security check unit cooperates with the network management adaptation service module and comprises any one or any combination of a packaging format legality check subunit, a packaging parameter legality check subunit, an input type check subunit and a non-input type check subunit;
the security anti-error control unit extracts security anti-error feature data by natural language processing, computes association degree data from the security anti-error feature data, and judges from the association degree data whether a misoperation exists: if the judgment result is that no misoperation exists, the set operation continues; if the judgment result is that a misoperation exists, the misoperation is stopped or terminated.
In the communication network security anti-error control system provided by the invention, the system runs only while it is in use, and stops running and locks its services after use; before the system is started, a program package consistency check and/or a service start time check is carried out;
the program package consistency check means: the program package is backed up remotely at a different site; before the program is started, the program package to be executed is compared with the backup package across dimensions such as file content and file modification time, to judge whether the program package has been maliciously tampered with: if tampering is found, the start is stopped or aborted; if no tampering is found, the set operation continues;
the service start time check means: at each service start, the start time is recorded both in the local configuration file and in the database; before the service is started, the two recorded start times are compared to judge whether an abnormal start has occurred: if an abnormal start is found, the start is stopped or aborted; if no abnormal start is found, the set operation continues.
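The two pre-start checks above can be implemented as follows. This Python is an added example written for this page, not code from the patent or from China Southern Power Grid. The package layout is constructed; the backup is passed in as a manifest assumed to have been fetched from the remote backup site; and two dictionaries stand in for the local configuration record and the database. The demo also shows why file content must be compared and not only the modification time: the attacker in the demo rewrites the control script and then restores its old mtime, and only the hash comparison catches that.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def manifest(root):
    """(sha256, mtime) of every regular file under root, keyed by POSIX relative path."""
    root = Path(root)
    out = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            out[path.relative_to(root).as_posix()] = (digest, int(path.stat().st_mtime))
    return out


def package_consistency_check(executed_root, backup_manifest):
    """Compare the package about to run against the remote backup's manifest.

    Returns a list of discrepancies; an empty list means no tampering detected.
    Content is compared before mtime: an attacker who edits a file can restore
    its timestamp, but cannot make the SHA-256 of the new content match.
    """
    live = manifest(executed_root)
    problems = []
    for rel in sorted(set(live) | set(backup_manifest)):
        if rel not in live:
            problems.append(f"missing:{rel}")
        elif rel not in backup_manifest:
            problems.append(f"unexpected:{rel}")
        else:
            (live_hash, live_mtime), (ref_hash, ref_mtime) = live[rel], backup_manifest[rel]
            if live_hash != ref_hash:
                problems.append(f"content:{rel}")
            elif live_mtime != ref_mtime:
                problems.append(f"mtime:{rel}")
    return problems


def record_start(local_config, database, started_at):
    """At each start, write the same start time into the local config record and the database."""
    local_config["last_start"] = started_at
    database["last_start"] = started_at


def start_time_check(local_config, database):
    """Abnormal start if the two independently kept records disagree or one is missing."""
    return "last_start" in local_config and local_config.get("last_start") == database.get("last_start")


def may_start(executed_root, backup_manifest, local_config, database):
    """Gate used before launching the service: both checks must pass."""
    return (package_consistency_check(executed_root, backup_manifest) == []
            and start_time_check(local_config, database))


def demo():
    """Constructed package and backup; returns check results before and after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg, backup = Path(tmp, "package"), Path(tmp, "backup")
        for root in (pkg, backup):
            (root / "bin").mkdir(parents=True)
            (root / "bin" / "control.py").write_text("print('control')\n")
            (root / "config.ini").write_text("[service]\nport=8443\n")
            for rel in ("bin/control.py", "config.ini"):   # backup preserves timestamps
                os.utime(root / rel, (1_700_000_000, 1_700_000_000))
        reference = manifest(backup)
        clean = package_consistency_check(pkg, reference)
        # Attacker inserts a command into the control script and restores the old mtime.
        (pkg / "bin" / "control.py").write_text("print('control')\nimport os; os.system('id')\n")
        os.utime(pkg / "bin" / "control.py", (1_700_000_000, 1_700_000_000))
        tampered = package_consistency_check(pkg, reference)
        return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest of the remote backup should itself be fetched over an authenticated channel; if the attacker can rewrite both the executed package and the backup, the comparison proves nothing.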
The invention also provides an electronic device comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, wherein the processor, when executing the program, implements the steps of the communication network security anti-error control method described above.
The invention also provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the communication network security anti-error control method described in any of the above.
With the communication network security anti-error control method, electronic device and medium provided by the invention, the passivity of power communication network control is overcome by technical means such as an actively preset scheme and an active checking scheme, a secure, efficient and active control function for the communication network is realized, and control efficiency is improved while security and reliability are ensured.
In the communication network security anti-error control system provided by the invention, the control condition preset module is provided and cooperates with the other system modules, which improves the control capability of the power communication network, improves the security and stability of power communication network control, and enables secure, trustworthy and reliable control of the system.
Drawings
To illustrate the technical solutions of the present invention or the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of a communication network security anti-error control method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a communication network security anti-error control system according to an embodiment of the present invention;
fig. 3 is a second schematic flowchart of a communication network security anti-error control method according to an embodiment of the present invention;
fig. 4 is a third schematic flowchart of a communication network security anti-error control method according to an embodiment of the present invention;
fig. 5 is a fourth schematic flowchart of a communication network security anti-error control method according to an embodiment of the present invention;
fig. 6 is a fifth schematic flowchart of a communication network security anti-error control method according to an embodiment of the present invention;
fig. 7 is a schematic diagram of a security control flow in the communication network security anti-error control system according to the embodiment of the present invention;
fig. 8 is a schematic flowchart of security check of a J1 control scheme check module in the communication network security anti-error control system according to the embodiment of the present invention;
fig. 9 is a schematic flowchart of security check of a J2 network management adaptation service module in the communication network security anti-error control system according to the embodiment of the present invention;
fig. 10 is a schematic flow chart of F1 security anti-error control in the communications network security anti-error control system according to the embodiment of the present invention;
fig. 11 is a schematic flowchart of preventing a network attack from maliciously tampering with or invoking the control program in the communication network security anti-error control system according to the embodiment of the present invention;
FIG. 12 is a diagram illustrating the control of the circuit activation process according to an embodiment of the present invention;
FIG. 13 is a diagram illustrating a circuit turn-on procedure in an embodiment of the present invention;
fig. 14 is a schematic diagram of a main/standby switching flow in the embodiment of the present invention;
FIG. 15 is a schematic diagram of a loopback control flow in an embodiment of the present invention;
fig. 16 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, but not all, of the embodiments of the present invention. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the present invention.
The communication network security anti-error control method of the present invention is described below with reference to the accompanying drawings.
As shown in fig. 1, an embodiment of the present invention provides a communication network security anti-error control method comprising:
after security authorization and/or anti-error authorization, receiving a network control demand instruction and generating a control scheme preset data script;
after security authorization and/or anti-error authorization, generating control scheme data from the control scheme preset data script, and verifying the feasibility and/or security of the control scheme data;
after security authorization and/or anti-error authorization, generating a control script command from the control scheme data that has passed feasibility verification and/or security verification;
after security authorization and/or anti-error authorization, verifying the legality of the control script command, sending the legal control script command to the network management system, and receiving the control result returned by the network management system.
The beneficial effect of this embodiment is:
by technical means such as an actively preset scheme and an active checking scheme, the passivity of power communication network control is overcome, a secure and efficient active control function for the communication network is achieved, and control efficiency is improved while security and reliability are ensured.
Building on the above embodiment, in the present embodiment:
as shown in fig. 3, the step of receiving a network control demand instruction and generating a control scheme preset data script after security authorization and/or anti-error authorization comprises:
receiving the network control demand instruction after first security guarantee authorization; compiling and/or importing control target data after first security guarantee authorization; compiling and/or importing constraint condition data after first security guarantee authorization; and generating the control scheme preset data script from the control target data and/or the constraint condition data after first security guarantee authorization;
the first security guarantee authorization comprises any one or any combination of face recognition, fingerprint recognition, USBKey authentication, password verification and SMS verification code verification.
The beneficial effects of this embodiment are:
a prior security authentication and authorization is added to the step of receiving the network control demand instruction and generating the control scheme preset data script, which improves operational security;
supporting biometric identification within the security authentication and authorization enhances the reliability and convenience of the authentication operation;
by compiling and/or importing data and generating the control scheme preset data script from the preset data, the process of forming the control scheme is standardized and consistent, which avoids human error, non-standard practice, security vulnerabilities and similar problems.
Building on any of the above embodiments, in the present embodiment:
as shown in fig. 4, the step of generating control scheme data from the control scheme preset data script and verifying the feasibility and/or security of the control scheme data after security authorization and/or anti-error authorization comprises:
receiving the control scheme preset data script after second security guarantee authorization; generating control scheme data and performing an anti-error check after second security guarantee authorization; and performing static verification and/or dynamic verification on the control scheme data after second security guarantee authorization: if the verification result is secure and feasible, continuing with the set operation after anti-error check authorization; if the verification result is insecure and/or infeasible, stopping or terminating the transmission of the control scheme data;
static verification means verifying the feasibility and/or security of the control scheme data against static data entered from the resource system;
dynamic verification means verifying the feasibility and/or security of the control scheme data against real-time data collected by comprehensive monitoring;
feasibility verification comprises any one or any combination of a topology reachability check, a resource quantity check, a route check and a constraint condition check;
security verification comprises any one or any combination of a resource state check, a performance state check and a service count check;
the second security guarantee authorization comprises any one or any combination of data encryption, digital signatures, dedicated channels and whitelist policies;
and the anti-error check comprises judging whether there is a human operation error and/or judging whether the scheme data is accurate.
The beneficial effect of this embodiment lies in:
since the control scheme data is generated from the control scheme preset data script, the safety and effectiveness of the control scheme are ensured, malicious modification of the control scheme is avoided and its content remains controllable; at the same time, the preset script is formed from the preset data and the control scheme is then generated from that script, so the step of editing the scheme is omitted; furthermore, a control scheme that has not been edited by a third party is inherently reliable, so the step of checking the control scheme is omitted as well and operating efficiency is improved.
According to any of the embodiments described above, in this embodiment:
as shown in fig. 5, after the security authorization and/or the anti-error authorization, the step of generating a control script command according to the control scheme data that has passed feasibility verification and/or security verification comprises:
after the third safety guarantee authorization, receiving control scheme data whose verification result is safe and feasible; after the third safety guarantee authorization, packaging the control scheme data; after the third safety guarantee authorization, encrypting the control scheme data to generate a control script command; after the third safety guarantee authorization, issuing the control script command;
the third safety guarantee authorization comprises any one or any combination of private protocol, data encryption, digital signature, dedicated channel and whitelist policy.
The beneficial effect of this embodiment lies in:
adding a pre-positioned security authentication authorization to the step of generating the control script command improves the operation security;
data is transmitted using private protocol encapsulation and encryption, which prevents the data from being stolen and guarantees the safety and efficiency of data transmission.
According to any of the embodiments described above, in this embodiment:
as shown in fig. 6, after the security authorization and/or the anti-error authorization, the step of verifying the validity of the control script command, sending the legal control script command to the network management system and receiving the control result returned by the network management system comprises:
after the fourth safety guarantee authorization, receiving the control script command and performing the error-proof check; after the fourth safety guarantee authorization, performing the validity check on the control script command; after the fourth safety guarantee authorization, if the validity check result is illegal, stopping or terminating the transmission of the control scheme data; after the fourth safety guarantee authorization, if the validity check result is legal, issuing the control script command; after the fourth safety guarantee authorization, receiving the control result returned by the network management system; after the fourth safety guarantee authorization, updating the database;
the fourth safety guarantee authorization comprises any one or any combination of private protocol, data encryption, digital signature, dedicated channel and whitelist policy;
the validity check comprises any one or any combination of packaging format validity check, packaging parameter validity check, input type check and non-input type check;
and the error-proof check comprises judging whether there is a human operation error and/or judging the accuracy of the scheme data.
The beneficial effect of this embodiment lies in:
by adopting the technologies of digital signature and the like, the command validity is verified, the illegal data request is prevented, and the data is prevented from being tampered.
According to any of the embodiments described above, in this embodiment:
the error proofing check comprises:
extracting safety error-prevention feature data through natural language processing, calculating to obtain association degree data based on the safety error-prevention feature data, and judging whether error operation exists according to the association degree data: if the judgment result is that no misoperation exists, continuing to perform the set operation; and if the judgment result is that the misoperation exists, stopping or terminating the misoperation.
Specifically, in this embodiment, the safety anti-error feature data comprises:
object name feature: the similarity between the scheme object name and the resource object name, the comprehensive monitoring object name and the network management object name is calculated with a Text-Matching network; the result is denoted alpha.
opening time feature: the difference between the scheme object opening time and the resource object opening time, the comprehensive monitoring object opening time and the network management object opening time is calculated and normalized; the result is denoted t1.
anti-square feature: [formula given only as an image in the original, Figure BDA0003154365940000131]
the association degree data is calculated as follows.
A nonlinear mapping (squaring) is applied to the safety anti-error features; the new features output by the mapping are spliced onto the original features to obtain the overall feature vector; finally the overall feature vector is processed by a logistic regression function, which outputs the association degree between the scheme data and the actual data of the network management system, and whether a misoperation exists is judged from that association degree.
The beneficial effect of this embodiment lies in:
on the basis of the embodiment, whether misoperation exists or not is judged by using a natural language processing technology, and the reliability of the information flow is further guaranteed.
The communication network security anti-error control system provided by the invention is described below; the system described below and the method described above correspond to each other and may be read together.
As shown in fig. 2, an embodiment of the present invention provides a communication network security anti-error control system, which includes a security assurance module, a control condition presetting module, a control scheme checking module, a control interface service module, and a network management adaptation service module;
the control condition presetting module can receive a network control demand instruction and generate a control scheme preset data script;
the control scheme checking module can generate control scheme data according to a control scheme preset data script and verify the feasibility and/or the safety of the control scheme data;
the control interface service module can generate a control script command according to control scheme data after feasibility verification and/or security verification;
the network management adaptation service module can verify the validity of the control script command, send the legal control script command to the network management and receive a control result returned by the network management;
the safety guarantee module is matched with any one or any combination of a control condition presetting module, a control scheme checking module, a control interface service module and a network management adaptation service module to provide safety authorization and/or anti-misoperation authorization.
The beneficial effect of this embodiment lies in:
by providing the control condition presetting module and coordinating it with the other system modules, the control capability of the power communication network is improved, the security and stability of power communication network control work are raised, and safe, credible and reliable control of the system can be achieved.
According to any of the embodiments described above, in this embodiment:
the control condition presetting module comprises a triggering unit, a control target unit, a constraint unit and a control scheme presetting unit;
the triggering unit can receive a network control demand instruction and trigger the control target unit and/or the constraint unit to work;
the control target unit can compile and/or import control target data;
the constraint unit can compile and/or import constraint condition data;
the control scheme presetting unit can generate a control scheme preset data script according to the control target data and/or the constraint condition data.
The beneficial effect of this embodiment lies in:
basic data of the control scheme is preset through the control target unit and/or the constraint unit, and then the preset data generates a preset data script of the control scheme, so that the forming process of the control scheme is standardized, and the problems of human errors, non-standardization, security holes and the like are avoided.
According to any of the embodiments described above, in this embodiment:
the safety guarantee module comprises any one or any combination of a control condition preset module safety guarantee unit, a control scheme checking module safety check unit, a control interface service module safety guarantee unit, a network management adaptation service module safety check unit and a safety error prevention control unit;
the control condition presetting module safety guarantee unit is matched with the control condition presetting module and comprises any one or any combination of a face identification verification subunit, a fingerprint identification verification subunit, a USBKey verification subunit, a password verification subunit and a short message verification code verification subunit;
the control scheme checking module safety guarantee unit is matched with the control scheme checking module and comprises any one or combination of a data encryption subunit, a digital signature subunit, a special channel subunit and a white list subunit;
the control scheme checking module safety checking subunit is matched with the control scheme checking module and comprises any one or combination of more of a topology reachable checking subunit, a resource quantity checking subunit, a route checking subunit, a constraint condition checking subunit, a resource state checking subunit, a performance state checking subunit and a service number checking subunit;
the control interface service module security guarantee unit is matched with the control interface service module and comprises any one or any combination of a private protocol subunit, a data encryption subunit, a digital signature subunit, a special channel subunit and a white list subunit;
the network management adaptation service module security guarantee unit is matched with the network management adaptation service module and comprises any one or any combination of a private protocol subunit, a data encryption subunit, a digital signature subunit, a special channel subunit and a white list subunit;
the network management adaptation service module security check unit is matched with the network management adaptation service module and comprises any one or combination of more of a packaging format legality check subunit, a packaging parameter legality check subunit, an input type check subunit and a non-input type check subunit;
the safety error prevention control unit can extract safety error prevention characteristic data through natural language processing, obtains association degree data based on the safety error prevention characteristic data calculation, and judges whether error operation exists according to the association degree data: if the judgment result is that no misoperation exists, continuing to perform the set operation; and if the judgment result is that the misoperation exists, stopping or terminating the misoperation.
The beneficial effect of this embodiment lies in:
adding a pre-positioned security authentication authorization to every step improves the operation security;
supporting biometric identification within the security authentication authorization makes the authentication operation more reliable and more convenient;
data is transmitted using private protocol encapsulation and encryption, which prevents the data from being stolen and guarantees the safety and efficiency of data transmission;
digital signature and similar techniques verify command validity, reject illegal data requests and prevent data tampering;
on the basis of the safety guarantee, natural language processing is used to judge whether a misoperation exists, further guaranteeing the reliability of the information flow.
According to any of the embodiments described above, in this embodiment:
the communication network safety anti-error control system only runs when it is in use; after use it stops running and locks the service; before the communication network safety anti-error control system is started, a program package consistency check and/or a service start time check is performed;
the program package consistency check comprises: keeping a remote off-site backup of the program package; before starting the program, comparing the program package to be executed with the backup package on dimensions such as file content and file modification time, and judging whether the program package has been maliciously tampered with: if it has, stopping or refusing to start; if it has not, continuing with the set operation;
the service start time check means: recording the start time of every service start both in the local configuration file and in the database; before starting the service, comparing the two recorded start times and judging whether the service has been started abnormally: if an abnormal start exists, stopping or refusing to start; if not, continuing with the set operation.
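The two pre-start checks described above, as an added worked example (this is not the patent's own code). It assumes that the off-site backup is represented by a manifest of relative path to (sha256, modification time) built from the backup copy, and that the last start time is held in both the local configuration file and the database as Unix timestamps; the package contents are constructed inside a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Added example, not the patent's own code. Assumptions: the off-site backup is
# represented by a manifest (relative path -> (sha256, mtime)) built from the
# backup copy, and the last start time is held both in the local config file and
# in the database as Unix timestamps.

Manifest = Dict[str, Tuple[str, int]]


def build_manifest(package_dir: Path) -> Manifest:
    """Record the sha256 of the content and the modification time of every file."""
    manifest: Manifest = {}
    for p in sorted(package_dir.rglob("*")):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            manifest[str(p.relative_to(package_dir))] = (digest, int(p.stat().st_mtime))
    return manifest


def package_consistency_check(executed_dir: Path, backup: Manifest) -> Tuple[bool, List[str]]:
    """Compare the package about to be executed with the backup manifest.

    Any content difference, modification-time difference, missing file or
    unexpected extra file is reported; the service must not start if the
    list is non-empty (treated as possible malicious tampering).
    """
    current = build_manifest(executed_dir)
    reasons: List[str] = []
    for name, (digest, mtime) in backup.items():
        if name not in current:
            reasons.append(f"missing: {name}")
        elif current[name][0] != digest:
            reasons.append(f"content differs: {name}")
        elif current[name][1] != mtime:
            reasons.append(f"mtime differs: {name}")
    for name in current:
        if name not in backup:
            reasons.append(f"unexpected file: {name}")
    return (not reasons, reasons)


def start_time_check(config_last_start: int, db_last_start: int) -> bool:
    """The start time recorded in the local config file and the one recorded in
    the database must agree; a mismatch means the service was started outside
    the normal path (or one record was altered) and the start is refused."""
    return config_last_start == db_last_start


def demo() -> dict:
    """Run both checks on a constructed package in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "control-service"
        pkg.mkdir()
        (pkg / "config.ini").write_text("[service]\nport = 8443\n")
        (pkg / "control.py").write_text("print('control service')\n")
        backup = build_manifest(pkg)  # stands in for the off-site backup copy
        untouched = package_consistency_check(pkg, backup)
        # simulate tampering: the executable gains code the backup never had
        (pkg / "control.py").write_text("print('control service'); import os\n")
        tampered = package_consistency_check(pkg, backup)
        (pkg / "extra.so").write_bytes(b"\x7fELF")  # an unexpected dropped file
        extra = package_consistency_check(pkg, backup)
    return {
        "untouched_ok": untouched[0],
        "tampered_ok": tampered[0],
        "tampered_reasons": tampered[1],
        "extra_reasons": extra[1],
        "start_ok": start_time_check(1700000000, 1700000000),
        "start_mismatch_ok": start_time_check(1700000000, 1700003600),
    }


if __name__ == "__main__":
    print(demo())
```

Content is compared by digest before the modification time, so a file whose content was rewritten is reported once as a content difference rather than twice; a file that kept its content but gained a new timestamp is still reported, because the patent treats the modification time as its own tampering dimension.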
The beneficial effect of this embodiment lies in:
to prevent malicious operation and control, the control service uses a containerized deployment that starts and stops quickly, stops as soon as its work is done and locks the service; this avoids running the service for long periods, reduces the risk of the service being attacked, and raises the security level and efficiency of network control.
According to any one of the above embodiments, the present embodiment includes:
S01 control condition presetting module: this module mainly implements manual triggering of network control or automatic triggering of a network control requirement by a program, compiling or importing of the control target, and compiling of the constraint conditions. The input information includes: object, port, time slot, bandwidth, owning network and related routing information.
S02 control scheme checking module: this module mainly implements compiling or importing the control scheme and checking its feasibility and reliability; the feasibility check covers whether the topology is reachable and whether resources are sufficient; the reliability check covers whether the resource object has an alarm or fault, the same-route check, and so on.
S03 control interface service module: this module mainly implements generation of the control script. The control script instruction is generated according to a self-defined private protocol, and the data encapsulated in the instruction is encrypted with a dynamic key; the instruction format is: source end, sink end, signaling identifier, request number, request parameter.
S04 network management adaptation service module: this module mainly implements script validity checking, instruction issuing and execution, and return of the instruction control result.
Safety guarantee and error prevention module:
the security control flow of this embodiment is shown in fig. 7. The control method and system adopt a more secure and credible authorization technique, using U-shield (USBKey) authentication and biometric identification to assist security management and control, so that misoperation and erroneous control caused by operator error are avoided, unauthorized persons are prevented from performing control, and authorized personnel, credible equipment, correct schemes and accurate control are achieved, raising the security level and efficiency of network control. Data is transmitted with private protocol encapsulation and encryption, which prevents data theft and guarantees the safety and efficiency of data transmission. Digital signature technology is used to prevent illegal data requests and data tampering. Security awareness is also raised: high-strength passwords are changed periodically, and browsing unsafe websites or downloading and installing software packages is forbidden, so as to prevent attacks.
This module has the following advantages:
safety: and the operation safety is greatly improved after authorized safety certification.
Reliability: each biological property is in principle unique.
Convenience: in a scenario where authentication is required, biometric techniques may be used.
Specifically, the contents related to the safety guarantee and error prevention module are described as follows.
Fingerprint identification: fingerprint recognition, which can be said to be the first form of biometric technology, has been widely used in systems. The credibility and the reliability of the identity of the operator can be guaranteed through fingerprint identification.
Face recognition: the face recognition system measures the face geometry based on tens of nodes. The face node may be converted to a unique signature for unique identity verification.
USBKey identity authentication: the USBKey mainly consists of two parts: a cryptographic chip and a secure storage area. The cryptographic chip implements the digest, encryption/decryption and signature algorithms used in a PKI system; encryption and decryption are performed inside the USBKey, so the user key never appears in the computer memory and cannot be intercepted by an attacker.
Password verification: carrying out user validity verification on the user name and the password;
short message verification: verifying the validity of the user in real time through the short message verification code;
Data encryption: a key K is generated to encrypt the plaintext; in a symmetric encryption algorithm the encryption and decryption keys are the same. The key is negotiated between the receiver and the sender but must not be transmitted directly over the network, or it could be leaked; usually the key is encrypted with an asymmetric encryption algorithm before being sent to the other party over the network, or it is exchanged face to face. The key must never be leaked, otherwise an attacker can recover the plaintext from the ciphertext and steal the confidential data.
Digital signature: the data file is processed with a one-way hash function to produce a 128-bit digest, the digest is encrypted with private key A to obtain the encrypted digest, and the data file, the encrypted digest and public key A are packaged and sent to the server; the server decrypts the received encrypted digest with public key A and compares it for verification. The core problem solved by the digital signature is to ensure that the received file has not been changed, that is, to prevent data tampering.
A special channel: the encryption device is connected by a special line, and the software adopts a developed private protocol to encrypt data, so that the safe transmission of the data is ensured.
White list policy: appointing information such as IP, MAC address, hard disk serial number, system ID and the like to further verify the validity of the user and the equipment;
private protocol: and the data transmission adopts a private protocol for encapsulation and encryption. The protocol consists of a fixed-length header and a non-fixed-length content body; and the body encapsulates information such as a source end, a sink end, a check code, a signaling identifier, a request number, a request parameter and the like, and encrypts the information. The protocol format is as follows: heder (3B head mark |3B length) + body (source end | host end | check code | signaling mark | request number | request parameter)
N1 control condition presetting module safety guarantee: the safety guarantee measures of this module comprise face recognition, fingerprint recognition, USBKey authentication, password verification and short message verification code verification.
N2 control scheme checking module safety guarantee: the safety guarantee measures of this module comprise data encryption, digital signature, dedicated channel and whitelist policy.
As shown in fig. 8, the J1 control scheme checking module safety check comprises:
Whether the topology is reachable: check whether a route between the target objects is reachable; if the route check fails, the scheme is infeasible.
Whether resources are sufficient: check whether the target resource objects of the scheme are sufficient, for example whether a port and a time slot are idle; if resources are insufficient, the scheme is infeasible.
Route check: check whether channels of the same service share the same route; if so, the scheme is infeasible.
Whether the constraint conditions are satisfied: check whether resource attributes such as the resource object and the service configuration meet the constraint conditions.
Resource state check: check the state of the resource objects in the scheme, for example the state of the equipment and whether it has a fault or an alarm in the current period; if so, the final target or result of the scheme may not be achieved once it is executed, a risk factor exists, the scheme is unsafe and the check fails.
Performance state check: a current performance value of a scheme resource object that is too high or too low may cause the scheme to produce a worse result than expected.
Service number check: check the number of services currently carried by the resource object; if the equipment carries too many services, the execution risk of the scheme increases.
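The J1 checks above (and the feasibility and safety verification listed in the fig. 4 embodiment) as an added worked example over a constructed network model; this is not the patent's code. The node/link/port model, the utilisation and service-count thresholds, and the reading of the route check as "the working and protection channels of one service must not share a link" are all assumptions made for the example.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Added example, not the patent's code. The network model and the thresholds are
# constructed assumptions; the "route check" is read as: the working and
# protection channels of one service must not share any link.

Link = FrozenSet[str]  # undirected link between two node ids


@dataclass
class Network:
    links: Set[Link]                       # topology
    idle_ports: Dict[str, Set[str]]        # node -> idle port/time-slot ids
    alarms: Dict[str, List[str]]           # node -> active alarms or faults
    perf: Dict[Link, float]                # link -> current performance value (utilisation)
    service_count: Dict[str, int]          # node -> services carried now


@dataclass
class Scheme:
    src: str
    dst: str
    ports: Dict[str, str]                  # node -> port the scheme will occupy
    working: List[str]                     # node path of the working channel
    protection: List[str]                  # node path of the protection channel
    max_hops: int = 4                      # constraint condition entered with the scheme


LIMITS = {"max_perf": 0.8, "max_services": 100}  # assumed safety thresholds


def link(a: str, b: str) -> Link:
    return frozenset((a, b))


def path_links(path: List[str]) -> List[Link]:
    return [link(a, b) for a, b in zip(path, path[1:])]


def reachable(net: Network, src: str, dst: str) -> bool:
    """Breadth-first search over the topology (topology-reachable check)."""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for l in net.links:
            if node in l:
                other = next(iter(l - {node}))
                if other not in seen:
                    seen.add(other)
                    queue.append(other)
    return False


def check_scheme(net: Network, s: Scheme) -> Dict[str, str]:
    """Returns failed checks -> reason. Feasibility failures mean 'infeasible',
    safety failures mean 'unsafe'; an empty dict means the scheme may proceed."""
    failed: Dict[str, str] = {}
    w, p = path_links(s.working), path_links(s.protection)
    used = set(w) | set(p)
    nodes = set(s.working) | set(s.protection)
    # feasibility checks
    if not reachable(net, s.src, s.dst):
        failed["topology_reachable"] = f"no route between {s.src} and {s.dst}"
    for node, port in s.ports.items():
        if port not in net.idle_ports.get(node, set()):
            failed["resource_sufficient"] = f"port {port} on {node} is not idle"
    if set(w) & set(p):
        failed["route_check"] = f"working and protection share {len(set(w) & set(p))} link(s)"
    if any(l not in net.links for l in used) or max(len(w), len(p)) > s.max_hops:
        failed["constraint_check"] = "route uses unknown links or exceeds the hop limit"
    # safety checks
    alarmed = [n for n in nodes if net.alarms.get(n)]
    if alarmed:
        failed["resource_state"] = f"active alarms on {sorted(alarmed)}"
    busy = [l for l in used if net.perf.get(l, 0.0) > LIMITS["max_perf"]]
    if busy:
        failed["performance_state"] = f"{len(busy)} link(s) above utilisation {LIMITS['max_perf']}"
    crowded = [n for n in nodes if net.service_count.get(n, 0) >= LIMITS["max_services"]]
    if crowded:
        failed["service_number"] = f"too many services on {sorted(crowded)}"
    return failed


def demo() -> Dict[str, Dict[str, str]]:
    """Constructed four-node ring A-B-D / A-C-D with one good and one bad scheme."""
    links = {link("A", "B"), link("B", "D"), link("A", "C"), link("C", "D")}
    net = Network(
        links=links,
        idle_ports={"A": {"1-1", "1-2"}, "D": {"2-3"}},
        alarms={"A": [], "B": [], "C": [], "D": []},
        perf={l: 0.3 for l in links},
        service_count={"A": 10, "B": 5, "C": 5, "D": 12},
    )
    good = Scheme("A", "D", {"A": "1-1", "D": "2-3"}, ["A", "B", "D"], ["A", "C", "D"])
    good_result = check_scheme(net, good)
    # bad: asks for a port that is not idle and routes protection over the working path
    bad = Scheme("A", "D", {"A": "1-1", "D": "2-4"}, ["A", "B", "D"], ["A", "B", "D"])
    net.alarms["B"] = ["LOS"]  # a fault appears on B before the bad scheme is checked
    return {"good": good_result, "bad": check_scheme(net, bad)}
```

The function returns every failed check rather than stopping at the first one, so the operator sees the full reason the scheme was rejected; the caller decides "infeasible" versus "unsafe" from the keys, matching the two verdicts the fig. 4 embodiment distinguishes.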
The N3 control interface service module security guarantee: the module security assurance measures include proprietary protocols, data encryption, digital signatures, dedicated channels, white list policies.
The N4 network management adaptation service module security guarantee: the module security assurance measures include proprietary protocols, data encryption, digital signatures, dedicated channels, white list policies.
As shown in fig. 9, the J2 network management adaptation service module security check: the network management adaptation service checks the validity of the script, ensuring reliable and stable network management operation. The script validity check comprises the following operations:
Packaging format validity: check whether the script packaging format conforms to the network management operation specification and whether packaging follows the agreed protocol rules.
Packaging parameter validity: check whether the script packaging parameters conform to the network management operation specification, whether the parameter length is within the agreed range, and whether the parameter names conform to the network management operation specification.
Input type check: illegal input, a non-existent input object, a wrong ccInclusion input, a wrong netPInclusion input, a wrong ZEND input, and so on;
Non-input type check: when an SNC is created with a non-full route, sncType only supports ST_SIMPLE, creation of a service at a specified layerRate level is not supported, an incorrect ZEND crossing rate level, and so on;
As shown in fig. 10, the F1 safety error prevention control: common misoperations comprise human operation errors and scheme data errors. To prevent unintentional misoperation and erroneous control, the name of the control object and the opening time of the resource must be checked for errors, specifically:
a. Human operation error: when the control object is selected by a person, several objects with similar names can lead to the wrong selection; the system must check for this situation and, after the check, require a second manual confirmation.
b. Scheme data error: for the case of wrong scheme data, the control object and the other scheme data must be checked in three dimensions, against the static resource data, the dynamic comprehensive monitoring data and the data collected by the network management system.
The safety error-proof check adopts an artificial intelligent natural language processing technology, and various characteristics are extracted based on the data preprocessing results of the scheme data and other three dimensional data, wherein the characteristics are as follows:
object name feature: the similarity between the scheme object name and the resource object name, the comprehensive monitoring object name and the network management object name is calculated with a Text-Matching network; the result is denoted alpha.
opening time feature: the difference between the scheme object opening time and the resource object opening time, the comprehensive monitoring object opening time and the network management object opening time is calculated and normalized; the result is denoted t1.
anti-square feature: [formula given only as an image in the original, Figure BDA0003154365940000211]
A nonlinear mapping (squaring) is applied to the features; the new features output by the mapping are spliced onto the original features to obtain the overall feature vector; finally the overall feature vector is processed by a logistic regression function, which outputs the association degree between the scheme data and the actual data of the network management system, and whether a misoperation exists is judged from that association degree.
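The feature extraction and association-degree calculation described here (and identically in the earlier error-proof check embodiment) as an added worked example; this is not the patent's code. Several stand-ins are assumptions: the Text-Matching network is replaced by a character-bigram Dice similarity, the normalisation of the opening-time difference is d / (d + one day), and the logistic regression weights are hand-set instead of learned. The patent's third ("anti-square") feature is given only as an image and is therefore not reproduced; the records for the three data sources are constructed.

```python
import math
from typing import Dict, List

# Added example, not the patent's code. Stand-ins, all assumptions: the
# Text-Matching network is replaced by a character-bigram Dice similarity, the
# normalisation of the time difference is d / (d + one day), and the logistic
# regression weights are hand-set rather than learned. The patent's third
# ("anti-square") feature is given only as an image and is not reproduced.

DAY = 86400


def name_similarity(a: str, b: str) -> float:
    """Similarity in [0, 1] between two object names (feature alpha)."""
    def bigrams(s: str):
        s = s.lower().replace(" ", "")
        return {s[i:i + 2] for i in range(len(s) - 1)}
    ba, bb = bigrams(a), bigrams(b)
    if not ba or not bb:
        return 1.0 if a == b else 0.0
    return 2 * len(ba & bb) / (len(ba) + len(bb))


def normalized_time_diff(t_scheme: int, t_actual: int, scale: int = DAY) -> float:
    """|opening time difference| mapped into [0, 1) (feature t1); 0 when equal."""
    d = abs(t_scheme - t_actual)
    return d / (d + scale)


def extract_features(scheme: Dict, actual: Dict[str, Dict]) -> List[float]:
    """alpha and t1 against each data source (resource, monitoring, NMS),
    then the squared (non-linear) copies spliced onto the original features."""
    alphas = [name_similarity(scheme["name"], rec["name"]) for rec in actual.values()]
    t1s = [normalized_time_diff(scheme["opened_at"], rec["opened_at"]) for rec in actual.values()]
    original = alphas + t1s
    mapped = [x * x for x in original]
    return original + mapped


# one weight per position of the overall vector (3 alpha, 3 t1, 3 alpha^2, 3 t1^2) plus a bias
WEIGHTS = [3.0] * 3 + [-3.0] * 3 + [1.0] * 3 + [-1.0] * 3
BIAS = -4.0


def association_degree(features: List[float]) -> float:
    """Logistic regression output: degree of association between scheme and actual data."""
    z = BIAS + sum(w * x for w, x in zip(WEIGHTS, features))
    return 1.0 / (1.0 + math.exp(-z))


def check_misoperation(scheme: Dict, actual: Dict[str, Dict], threshold: float = 0.5) -> Dict:
    """Below the threshold the scheme does not match the live data: misoperation."""
    degree = association_degree(extract_features(scheme, actual))
    return {"association": degree, "misoperation": degree < threshold}


def demo() -> Dict[str, Dict]:
    """Constructed records: the scheme names OTN-A-01; the three sources either agree,
    or all describe the similarly named OTN-A-10 opened a month later."""
    t0 = 1700000000
    sources = ("resource", "monitoring", "nms")
    scheme = {"name": "OTN-A-01", "opened_at": t0}
    agree = {src: {"name": "OTN-A-01", "opened_at": t0} for src in sources}
    lookalike = {src: {"name": "OTN-A-10", "opened_at": t0 + 30 * DAY} for src in sources}
    return {"match": check_misoperation(scheme, agree),
            "lookalike": check_misoperation(scheme, lookalike)}
```

The lookalike case is the one the patent singles out: the names OTN-A-01 and OTN-A-10 are similar enough to be mis-selected by an operator (bigram similarity about 0.71), and it is the opening-time feature that pushes the association degree down and flags the misoperation.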
The purpose of this embodiment is to achieve more standardized, efficient and intelligent communication operation management and control and to build an intelligent operation management and control system. A network control function based on the northbound interface standard is developed, providing communication transmission network control and anti-misoperation functions; safe, credible and reliable control of circuit opening, circuit deletion, circuit modification and the like is achieved, and the control function covers circuit addition, deletion, object identifier modification, protection switching test, port loopback test and the like.
According to the above embodiment, in the present embodiment:
the system comprises five main module functions: the control condition presetting module, the control scheme checking module, the control interface service module, the network management adaptation service module, and the safety guarantee and safety error prevention module;
safety guarantee: the security guarantee service runs through the whole control method and system, whether the operation is trusted, authorized or legal is required to be confirmed before each link is operated, and the security, the reliability and the credibility of the whole control method and the whole control process are guaranteed through security measures such as fingerprint identification, face identification, private protocols and the like.
Safe anti-misoperation: and starting the safety anti-error monitoring service, and performing safety anti-error check according to the programmed target and the preset constraint condition. The error proofing comprises two aspects of human error operation and inaccurate scheme data. The manual misoperation needs to check whether the control target and the constraint condition are selected by people; on the other hand, the method is used for checking the inadvertent misoperation caused by inaccurate data; the safety error-proof check adopts an artificial intelligent natural language processing technology, various characteristics are extracted based on the data preprocessing results of three dimensional data of scheme data and resources, comprehensive monitoring and network management, the overall characteristics are processed by using a logistic regression function, the association degree of the scheme data and the actual data of the network management is output, and finally whether the misoperation condition exists or not is judged according to the association degree.
Resource system security check: after the safety anti-error check has passed, the resource system automatically generates a control scheme according to the compiled target and the preset constraint conditions. The resource system checks the scheme against the entered static data; the feasibility check covers whether the control object topology is reachable, whether resources are sufficient, the same-route check, whether the constraint conditions are met, and so on; the reliability check covers the resource state check (whether there is an alarm or a fault), the performance state check, the service number check, and so on. Only after both checks pass does the control flow proceed to the next step.
Comprehensive monitoring security check: the comprehensive monitoring system dynamically checks the scheme against the collected service data and configuration data and verifies its feasibility and safety; if the check passes, proceed to control script generation; if not, return to modify or re-import the control target;
Control script packaging: the control script instruction is generated according to the self-defined private protocol, and the data encapsulated in the instruction is encrypted with a dynamic key; the protocol format is: header (3B head mark | 3B length) + body (source | sink | check code | signaling identifier | request number | request parameter).
Script validity check: the validity of the control script is checked, covering whether the packaging format is legal, whether the packaging parameters are legal, the input type check and the non-input type check. If the check passes, the instruction is issued to the network management system; if not, return to regenerate the control script;
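The private protocol encapsulation (described here and in the earlier "private protocol" paragraph) together with the packaging-format and packaging-parameter validity checks, as an added worked example; this is not the patent's code. The page fixes only the layout header (3B head mark | 3B length) + body (source | sink | check code | signaling identifier | request number | request parameter), so the following are assumptions: the head mark b"CTL", a big-endian 3-byte length, "|" as the field separator inside the body, CRC32 as the check code, parameters carried as name=value pairs, and simple naming and length rules. The dynamic-key encryption of the body is not shown because the page gives no algorithm for it.

```python
import re
import zlib
from typing import Dict, List, Optional, Tuple

# Added example, not the patent's code. Assumptions: head mark b"CTL", 3-byte
# big-endian length, "|" as field separator inside the body, a CRC32 check code,
# parameters carried as name=value pairs, and simple naming/length rules. The
# dynamic-key encryption of the body is not shown because the page gives no algorithm.

HEAD_MARK = b"CTL"
SEP = b"|"
MAX_PARAM_LEN = 256
PARAM_NAME_RE = re.compile(rb"^[A-Za-z][A-Za-z0-9_]*$")


def check_code(fields: List[bytes]) -> bytes:
    """CRC32 over source|sink|signaling|request_no|params, as 8 hex digits."""
    return f"{zlib.crc32(SEP.join(fields)) & 0xFFFFFFFF:08x}".encode()


def pack(source: str, sink: str, signaling: str, request_no: int, params: Dict[str, str]) -> bytes:
    """header(3B head mark | 3B length) + body(source | sink | check code | signaling | request no | params)."""
    param_field = b";".join(f"{k}={v}".encode() for k, v in params.items())
    payload = [source.encode(), sink.encode(), signaling.encode(), str(request_no).encode(), param_field]
    body = SEP.join(payload[:2] + [check_code(payload)] + payload[2:])
    if len(body) > 0xFFFFFF:
        raise ValueError("body does not fit a 3-byte length field")
    return HEAD_MARK + len(body).to_bytes(3, "big") + body


def unpack(msg: bytes) -> Tuple[Optional[Dict[str, bytes]], List[str]]:
    """Packaging-format validity: head mark, length field, field count and check code."""
    if len(msg) < 6 or msg[:3] != HEAD_MARK:
        return None, ["head mark missing or wrong"]
    length, body = int.from_bytes(msg[3:6], "big"), msg[6:]
    if len(body) != length:
        return None, [f"length field {length} != body length {len(body)}"]
    parts = body.split(SEP, 5)
    if len(parts) != 6:
        return None, [f"expected 6 body fields, got {len(parts)}"]
    src, sink, code, signaling, req_no, params = parts
    errors: List[str] = []
    if code != check_code([src, sink, signaling, req_no, params]):
        errors.append("check code mismatch (body altered or corrupted)")
    fields = {"source": src, "sink": sink, "signaling": signaling, "request_no": req_no, "params": params}
    return fields, errors


def validate_params(fields: Dict[str, bytes]) -> List[str]:
    """Packaging-parameter validity: numeric request number, naming rule, length rule."""
    errors: List[str] = []
    if not fields["request_no"].isdigit():
        errors.append("request number is not numeric")
    for item in fields["params"].split(b";") if fields["params"] else []:
        name, _, value = item.partition(b"=")
        if not PARAM_NAME_RE.match(name):
            errors.append(f"parameter name {name!r} violates the naming rule")
        if len(value) > MAX_PARAM_LEN:
            errors.append(f"parameter {name!r} longer than {MAX_PARAM_LEN} bytes")
    return errors


def script_validity_check(msg: bytes) -> Tuple[bool, List[str]]:
    """Legal -> (True, []); otherwise (False, reasons) and the command is not issued."""
    fields, errors = unpack(msg)
    if fields is None:
        return False, errors
    errors += validate_params(fields)
    return (not errors, errors)
```

The check code is computed over the fields the sender actually transmitted, so a message whose body was altered in transit fails the format check even when the length field still matches; parameter checks run only once the framing is sound, mirroring the order packaging format, then packaging parameters, in the J2 description.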
Issuing the execution instruction: if the command is valid and executable, the command and the control script are issued to the network manager, which executes the received instruction and returns a control result; the original database and the application database are then updated according to the result returned by the network manager.
As shown in fig. 11, prevention of malicious tampering with or invocation of the control program by a network attack: to prevent malicious operation and control, the control service uses a container deployment mode with quick start and quick stop; the service is stopped as soon as its work is done and is then locked. Container locking means the container is locked by default and is unlocked and started only when the scheme has passed static verification and the request carries a trusted authorization. Before the service is requested to start, the program package is checked for tampering, and the time of the last service start, recorded in the configuration file and the database, is used to judge whether the service has been started abnormally. If the package has not been tampered with, the service starts normally; as soon as execution finishes, the service is stopped and the container closed, so the service never runs for long and the risk of it being attacked is reduced.
Safe and efficient control system: the invention is a network control method and system based on the northbound interface standard with communication transmission network control and error-prevention functions. It achieves safe and reliable control of circuit operations such as opening, deleting and modifying circuits, and implements functions such as adding, deleting and modifying circuits, modifying object identifiers, protection switching and port loopback tests.
The beneficial effects of this embodiment are:
a) A network control function based on the northbound interface standard is realized, providing communication transmission network control and anti-error functions. The control function consists of five modules, namely a control condition presetting module, a control scheme checking module, a control interface service module, a network management adaptation service module, and a security assurance and anti-error module, and gives safe and reliable control of operations such as opening, deleting and modifying circuits. The control capability of the power communication network is improved, and so are the safety and stability of its control work.
b) The passivity of power communication network control is overcome and a safe and efficient active control function is realized, with functions such as circuit addition, deletion and modification, object identifier modification, protection switching tests and port loopback tests; control efficiency is improved while safety and reliability are ensured.
c) Security assurance, safety checking and safety anti-error control run through the whole network control flow. Trusted authentication of equipment and personnel is realized with technologies and devices such as encryption, biometric authentication and USBKey; the resource management and control system and the comprehensive monitoring system perform safety checks on the static and dynamic data of the scheme, ensuring the reliability of the control scheme; and natural language processing is used to extract features from the preprocessed data of the three dimensions (scheme data, resources, and comprehensive monitoring and network management), realizing the safety anti-misoperation control check. Through these anti-error measures, only authorized personnel can perform accurate control on trusted equipment according to a correct scheme.
d) To prevent malicious operation and control, the control service uses a quick-start, quick-stop containerized deployment; it stops when its work is done and the service is locked, so the service never runs for long, the risk of a malicious attack on it is reduced, and the safety level and efficiency of network control are improved.
In addition, the present invention provides a preferred embodiment of the above system and/or method in a circuit opening application scenario, described as follows.
Combined with the development of the northbound interface control function, an intelligent communication channel opening method and a safety control scheme are developed, programmed control of circuit opening is developed, the service opening flow is rebuilt, and the safety service control flow, control strategy, safety check and safety control are worked out, improving control efficiency while ensuring safety. As shown in fig. 12, the specific flow is as follows:
1) A resource application form is filled in in the management and control system; the information filled in includes the application form title, the application type, the opening time, the opener, and so on.
2) The operator on duty accepts the mode application form.
3) The mode specialist designs the mode list, which includes information such as circuit rate, network, A-end equipment, A-end port, A-end time slot, Z-end equipment, Z-end port and Z-end time slot; the circuit can be opened in either of the following two modes:
a. Full routing mode
The operation control module's service control flow for circuit opening: specify the network, the A-end equipment, port and time slot, and the Z-end equipment, port and time slot, and specify the internal cross-connect information, i.e. the full routing information; package this information and send it to the network manager to open the circuit; the network manager returns the relevant information after the circuit opening succeeds or fails.
b. Non-full routing mode
The operation control module's service control flow for circuit opening: specify the network, the A-end equipment, port and time slot, and the Z-end equipment, port and time slot; specify the network elements, ports, time slots, SNCs and TLs that the circuit must pass through and those it must not pass through; package this information and send it to the network manager to open the circuit; the network manager returns the relevant information after the circuit opening succeeds or fails.
4) Using the control system shown in fig. 2, the circuit control requirements (circuit opening, circuit activation, circuit deletion) are executed with reference to any of the above embodiments, and the circuit control results are fed back.
5) Whether the circuit has been opened reasonably is checked manually. If not, it is decided whether the circuit needs to be deleted: if so, a circuit deletion instruction is issued through the control system shown in fig. 2 following the flow of any embodiment; if not, the mode specialist redesigns the circuit and sends a circuit opening instruction to the comprehensive monitoring system. If the circuit has been opened reasonably, the comprehensive monitoring system's circuit activation instruction is triggered and the network manager activates the opened circuit.
6) The mode list is issued and archived.
According to the above embodiment, in this embodiment:
Using the system and/or method provided by any embodiment of the invention, each link of the control method performs security assurance and safety anti-error control such as face identification, fingerprint identification, USBKey authentication, password verification and short message verification code verification, ensuring that every link is accurately controlled under trusted authorization. Control object selection: the A-end object is the Cyprinus carpio river power plant 5800-E and the B-end object is Huadu change 5800E. Constraint object selection: carried on the main ASON network, bandwidth 2M; main route: bridgehead power plant 6-6, Yangjiang-Huadu; standby route: Bridgemouth power plant 13-13, Qujiang-Kuwan-West-Flower City. Control scheme generation: after the dynamic and static data checks of the comprehensive monitoring system and the resource system, a control script is generated through the private encrypted protocol; the content of the control script is an encrypted data string. After the script passes the safety check, it is issued to the network manager, the circuit is opened, the circuit information is returned and stored in the database, and a routing graph is generated, as shown in fig. 13.
The present invention further provides a preferred embodiment of the foregoing system and/or method in a main/standby route switching application scenario, described as follows.
Main/standby route switching: a circuit opened on a self-healing ring supports main/standby switching. Using the system and/or method provided by any embodiment of the invention, the port is selected: South China network Zhongxing ASON transmission network/412-evaluation base-E-2 slot-EPE 1-E disc-1; if there are multiple standby routes, one of them can be selected to switch to; the standby route is 5800E-Cubay change 5800 of the closed evaluation standard base of south network materials company, namely 5800-West Change 5800-kapok change 5800-south network general tone (main) 5800-1. Control scheme generation: after the dynamic and static data checks of the comprehensive monitoring system and the resource system, a control script is generated through the private encrypted protocol; the content of the control script is an encrypted data string. After the script passes the safety check, it is issued to the network management system; when the network management system finishes executing it, a main/standby switching alarm is raised, and the alarm is cleared automatically once the switching completes. The main/standby switching control process uses the safety measures of this patent, as shown in fig. 14.
The present invention further provides a preferred embodiment of the above system and/or method in a loopback control application scenario, described as follows.
Loopback control: a loopback test data instruction is sent from the A end; the Z end returns the data after receiving it, and the loopback control test is complete if the A end successfully receives the returned data. Using the system and/or method provided by any embodiment of the invention, the control device name is selected: ultrahigh pressure command building 5800E; constraint object selection: the route is ultra-high pressure command building 5800E-Guangzhou transform 5800-Luo cave transform 5800-Xijiang transform 5800-Jiangmen transform 5800-Qiaoxiang transform 5800. Control scheme generation: after the dynamic and static data checks of the comprehensive monitoring system and the resource system, a control script is generated through the private encrypted protocol; the content of the control script is an encrypted data string. After the script passes the safety check, it is issued to the network management system; when the network management system finishes executing it, a loopback alarm is raised while the A end receives in full the data it sent, and the alarm is cleared automatically once the loopback control instruction completes, as shown in fig. 15.
Fig. 16 shows the physical structure of an electronic device, which, as shown in fig. 16, may include: a processor 810, a communication interface 820, a memory 830 and a communication bus 840, where the processor 810, the communication interface 820 and the memory 830 communicate with each other via the communication bus 840. The processor 810 may invoke logic instructions in the memory 830 to perform a communication network security anti-error control method comprising:
receiving a network control demand instruction and generating a control scheme preset data script;
generating control scheme data according to the control scheme preset data script, and verifying the feasibility and/or safety of the control scheme data;
generating a control script command according to the control scheme data that has passed feasibility verification and/or safety verification;
verifying the validity of the control script command, sending the valid control script command to the network manager, and receiving the control result returned by the network manager.
In addition, the logic instructions in the memory 830 may be implemented as software functional units and stored in a computer-readable storage medium when sold or used as an independent product. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other media capable of storing program code.
Further, the present invention also provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and capable of running on the processor, wherein the processor implements the steps of any of the above-mentioned communication network security anti-error control methods when executing the program.
Still further, the present invention provides a non-transitory computer readable storage medium, on which a computer program is stored, which when executed by a processor implements the steps of the communication network security anti-error control method as described in any one of the above.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (12)

1. A communication network security anti-error control method, characterized by comprising the following steps:
after security authorization and/or anti-error authorization, receiving a network control demand instruction and generating a control scheme preset data script;
after security authorization and/or anti-error authorization, generating control scheme data according to the control scheme preset data script, and verifying the feasibility and/or safety of the control scheme data;
after security authorization and/or anti-error authorization, generating a control script command according to the control scheme data that has passed feasibility verification and/or safety verification;
after security authorization and/or anti-error authorization, verifying the validity of the control script command, sending the valid control script command to the network manager, and receiving the control result returned by the network manager.
2. The communication network security anti-error control method according to claim 1, wherein the step of receiving a network control demand instruction and generating a control scheme preset data script after the security authorization and/or anti-error authorization comprises:
receiving the network control demand instruction after the first security assurance authorization; compiling and/or importing control target data after the first security assurance authorization; compiling and/or importing constraint condition data after the first security assurance authorization; generating the control scheme preset data script according to the control target data and/or the constraint condition data after the first security assurance authorization;
the first security assurance authorization comprises any one or any combination of face identification, fingerprint identification, USBKey authentication, password verification and short message verification code verification.
3. The communication network security anti-error control method according to claim 1, wherein the step of generating control scheme data according to the control scheme preset data script and verifying the feasibility and/or safety of the control scheme data after the security authorization and/or anti-error authorization comprises:
receiving the control scheme preset data script after the second security assurance authorization; generating the control scheme data and performing the anti-error check after the second security assurance authorization; performing static verification and/or dynamic verification on the control scheme data after the second security assurance authorization: if the verification result is safe and feasible, continuing with the set operation after the anti-error check authorization; if the verification result is unsafe and/or infeasible, stopping or terminating the transmission of the control scheme data;
the static verification means verifying the feasibility and/or safety of the control scheme data against static data entered in the resource system;
the dynamic verification means verifying the feasibility and/or safety of the control scheme data against dynamic real-time data collected by comprehensive monitoring;
the feasibility verification comprises any one or any combination of topology reachability check, resource quantity check, route check and constraint condition check;
the safety verification comprises any one or any combination of resource state check, performance state check and service number check;
the second security assurance authorization comprises any one or any combination of data encryption, digital signature, dedicated channel and whitelist policy;
and the anti-error check comprises judging human operation error and/or judging the accuracy of the scheme data.
4. The communication network security anti-error control method according to claim 1, wherein the step of generating a control script command according to the control scheme data that has passed feasibility verification and/or safety verification after the security authorization and/or anti-error authorization comprises:
receiving the control scheme data whose verification result is safe and feasible after the third security assurance authorization; packaging the control scheme data after the third security assurance authorization; encrypting the control scheme data to generate the control script command after the third security assurance authorization; issuing the control script command after the third security assurance authorization;
the third security assurance authorization comprises any one or any combination of private protocol, data encryption, digital signature, dedicated channel and whitelist policy.
5. The method according to claim 1, wherein the step of verifying the validity of the control script command, sending the valid control script command to the network manager and receiving the control result returned by the network manager after the security authorization and/or anti-error authorization comprises:
receiving the control script command and performing the anti-error check after the fourth security assurance authorization; performing the validity check on the control script command after the fourth security assurance authorization; if the validity check result is invalid, stopping or terminating the transmission of the control scheme data after the fourth security assurance authorization; if the validity check result is valid, issuing the control script command after the fourth security assurance authorization; receiving the control result returned by the network manager after the fourth security assurance authorization; updating the database after the fourth security assurance authorization;
the fourth security assurance authorization comprises any one or any combination of private protocol, data encryption, digital signature, dedicated channel and whitelist policy;
the validity check comprises any one or any combination of packaging format validity check, packaging parameter validity check, input type check and non-input type check;
and the anti-error check comprises judging human operation error and/or judging the accuracy of the scheme data.
6. The communication network security anti-error control method according to claim 3 or 5, wherein the anti-error check comprises:
extracting safety anti-error feature data through natural language processing, calculating association degree data from the safety anti-error feature data, and judging from the association degree data whether a misoperation exists: if the judgment result is that no misoperation exists, continuing with the set operation; if the judgment result is that a misoperation exists, stopping or terminating the operation.
7. A communication network security anti-error control system, characterized by comprising a security assurance module, a control condition presetting module, a control scheme checking module, a control interface service module and a network management adaptation service module;
the control condition presetting module can receive a network control demand instruction and generate a control scheme preset data script;
the control scheme checking module can generate control scheme data according to the control scheme preset data script and verify the feasibility and/or safety of the control scheme data;
the control interface service module can generate a control script command according to the control scheme data that has passed feasibility verification and/or safety verification;
the network management adaptation service module can verify the validity of the control script command, send the valid control script command to the network manager and receive the control result returned by the network manager;
the security assurance module cooperates with any one or any combination of the control condition presetting module, the control scheme checking module, the control interface service module and the network management adaptation service module to provide security authorization and/or anti-error authorization.
8. The system according to claim 7, wherein the control condition presetting module comprises a triggering unit, a control target unit, a constraint unit and a control scheme presetting unit;
the triggering unit can receive the network control demand instruction and trigger the control target unit and/or the constraint unit;
the control target unit can compile and/or import control target data;
the constraint unit can compile and/or import constraint condition data;
the control scheme presetting unit can generate the control scheme preset data script according to the control target data and/or the constraint condition data.
9. The system according to claim 7, wherein the security assurance module comprises any one or any combination of a control condition presetting module security assurance unit, a control scheme checking module security checking unit, a control interface service module security assurance unit, a network management adaptation service module security checking unit, and a safety anti-error control unit;
the control condition presetting module security assurance unit cooperates with the control condition presetting module and comprises any one or any combination of a face identification verification subunit, a fingerprint identification verification subunit, a USBKey verification subunit, a password verification subunit and a short message verification code verification subunit;
the control scheme checking module security assurance unit cooperates with the control scheme checking module and comprises any one or any combination of a data encryption subunit, a digital signature subunit, a dedicated channel subunit and a whitelist subunit;
the control scheme checking module security checking unit cooperates with the control scheme checking module and comprises any one or any combination of a topology reachability checking subunit, a resource quantity checking subunit, a route checking subunit, a constraint condition checking subunit, a resource state checking subunit, a performance state checking subunit and a service number checking subunit;
the control interface service module security assurance unit cooperates with the control interface service module and comprises any one or any combination of a private protocol subunit, a data encryption subunit, a digital signature subunit, a dedicated channel subunit and a whitelist subunit;
the network management adaptation service module security assurance unit cooperates with the network management adaptation service module and comprises any one or any combination of a private protocol subunit, a data encryption subunit, a digital signature subunit, a dedicated channel subunit and a whitelist subunit;
the network management adaptation service module security checking unit cooperates with the network management adaptation service module and comprises any one or any combination of a packaging format validity checking subunit, a packaging parameter validity checking subunit, an input type checking subunit and a non-input type checking subunit;
the safety anti-error control unit can extract safety anti-error feature data through natural language processing, calculate association degree data from the safety anti-error feature data, and judge from the association degree data whether a misoperation exists: if the judgment result is that no misoperation exists, continuing with the set operation; if the judgment result is that a misoperation exists, stopping or terminating the operation.
10. The communication network security anti-error control system according to any one of claims 7 to 9, wherein the communication network security anti-error control system runs only when in use, and is stopped with its services locked after use; before the communication network security anti-error control system is started, a program package consistency check and/or a service start time check is performed;
the program package consistency check comprises: backing up the program package remotely at a different location; before starting the program, comparing the package to be executed with the backup package in dimensions such as file content and file modification time, and judging whether the package has been maliciously tampered with: if malicious tampering exists, stopping or aborting the start; if no malicious tampering exists, continuing with the set operation;
the service start time check means: recording the start time of every service start in both a local configuration file record and a database record; before starting the service, comparing the two recorded start times and judging whether the service has been started abnormally: if an abnormal start exists, stopping or aborting the start; if no abnormal start exists, continuing with the set operation.
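Both the container-locking paragraph of the description (fig. 11) and claim 10 describe the same two gates before a service start: program package consistency against an off-site backup (file set, content, modification time) and a service start time kept in both a configuration file and a database. The following added Python example (not the patent's code) implements both gates on a constructed package directory and an in-memory SQLite table standing in for the database; what counts as an "abnormal start" is not defined by the patent, so the example treats disagreeing records, or a start within 60 seconds of the previous one, as abnormal.

```python
import hashlib
import json
import os
import sqlite3
import tempfile


def file_digest(path):
    """SHA-256 of a file's content."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def package_consistency_check(pkg_dir, backup_dir):
    """Compare the package about to run with its off-site backup copy:
    file set, file content (digest) and file modification time."""
    fails = []
    pkg_files, bak_files = set(os.listdir(pkg_dir)), set(os.listdir(backup_dir))
    fails += ["package:fileset:" + n for n in sorted(pkg_files ^ bak_files)]
    for name in sorted(pkg_files & bak_files):
        p, b = os.path.join(pkg_dir, name), os.path.join(backup_dir, name)
        if file_digest(p) != file_digest(b):
            fails.append("package:digest:" + name)
        if int(os.stat(p).st_mtime) != int(os.stat(b).st_mtime):
            fails.append("package:mtime:" + name)
    return fails


class StartLog:
    """Last service start time kept in two places: a local config file and a database."""

    def __init__(self, config_path):
        self.config_path = config_path
        self.db = sqlite3.connect(":memory:")   # stands in for the real database
        self.db.execute("CREATE TABLE start_log (ts INTEGER)")

    def record_start(self, ts, to_config=True, to_db=True):
        if to_config:
            with open(self.config_path, "w") as f:
                json.dump({"last_start": ts}, f)
        if to_db:
            self.db.execute("INSERT INTO start_log (ts) VALUES (?)", (ts,))

    def last_starts(self):
        cfg = None
        if os.path.exists(self.config_path):
            with open(self.config_path) as f:
                cfg = json.load(f).get("last_start")
        return cfg, self.db.execute("SELECT MAX(ts) FROM start_log").fetchone()[0]


def start_time_check(log, now, min_interval=60):
    """Abnormal start (assumed definition): the two records disagree, or the last
    start is less than min_interval seconds ago for a stop-after-use service."""
    fails = []
    cfg_ts, db_ts = log.last_starts()
    if cfg_ts != db_ts:
        fails.append("start:records_disagree")
    known = [t for t in (cfg_ts, db_ts) if t is not None]
    if known and now - max(known) < min_interval:
        fails.append("start:too_soon")
    return fails


def gate_service_start(pkg_dir, backup_dir, log, now):
    """Both gates must pass before the container is unlocked and the service started."""
    fails = package_consistency_check(pkg_dir, backup_dir) + start_time_check(log, now)
    if not fails:
        log.record_start(now)
    return (not fails), fails


def demo():
    """Constructed package and backup on disk; returns the three gate outcomes."""
    root = tempfile.mkdtemp()
    pkg, bak = os.path.join(root, "pkg"), os.path.join(root, "backup")
    stamp = 1_700_000_000
    for d in (pkg, bak):
        os.makedirs(d)
        path = os.path.join(d, "control.py")
        with open(path, "w") as f:
            f.write("print('control service')\n")
        os.utime(path, (stamp, stamp))        # identical modification time in both copies
    log = StartLog(os.path.join(root, "service.json"))
    now = stamp
    log.record_start(now - 600)
    clean = gate_service_start(pkg, bak, log, now)
    with open(os.path.join(pkg, "control.py"), "a") as f:
        f.write("# unexpected change\n")       # the executed copy no longer matches the backup
    tampered = gate_service_start(pkg, bak, log, now)
    log.record_start(now + 100, to_db=False)   # config updated behind the database's back
    disagree = start_time_check(log, now + 1000)
    return clean, tampered, disagree
```

In `demo()` the first start passes and is recorded; the second fails on both the content digest and the modification time of the changed file, and also trips the start-interval rule because the first start was recorded moments before; the last call shows the two records diverging.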
11. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps of the communication network security anti-error control method according to any one of claims 1 to 6 are implemented when the processor executes the program.
12. A non-transitory computer readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the steps of the communication network security anti-error control method according to any one of claims 1 to 6.
Application CN202110772598.6A (priority date 2021-07-08, filing date 2021-07-08): Communication network safety error-proof control method, system, electronic equipment and medium. Status: Active.

Publications (2)

CN113676446A, published 2021-11-19
CN113676446B, published 2023-04-07

Family

ID=78538729

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110772598.6A Active CN113676446B (en) 2021-07-08 2021-07-08 Communication network safety error-proof control method, system, electronic equipment and medium

Country Status (1)

Country Link
CN (1) CN113676446B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115001779A (en) * 2022-05-26 2022-09-02 中国农业银行股份有限公司 Verification method, device, equipment and medium of operation instruction

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140086177A1 (en) * 2012-09-27 2014-03-27 Interdigital Patent Holding, Inc. End-to-end architecture, api framework, discovery, and access in a virtualized network
CN104213534A (en) * 2014-07-18 2014-12-17 中国长江三峡集团公司 Cascade-reservoir self-adaptive integrated dispatching system and dispatching method integrating multi-source information
CN105719102A (en) * 2016-03-16 2016-06-29 江苏省电力公司常州供电公司 Intelligentized power grid accident plan processing method
CN107612779A (en) * 2017-10-10 2018-01-19 云南电网有限责任公司 The dispatch data net secondary safety protection network equipment and service operation monitoring system
CN109191082A (en) * 2018-09-18 2019-01-11 广东电网有限责任公司 A kind of method for programming of dispatching platform, system and computer readable storage medium
CN110138092A (en) * 2019-06-18 2019-08-16 国网湖北省电力有限公司电力科学研究院 Transformer substation sequence control system and method with regulation main website Security Checking function
CN110956357A (en) * 2019-10-10 2020-04-03 国网浙江省电力有限公司宁波供电公司 Intelligent regulation and control networked interaction system applied to power company
CN112738125A (en) * 2021-01-07 2021-04-30 中国重型机械研究院股份公司 Network security collaborative defense system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Meng Yongliang et al.: "Research and application of whole-process safety anti-misoperation methods for remote operation of power grid equipment", Electrical Applications (《电气应用》) *
Zou Dehu et al.: "Automatic backup power transfer system based on centralized verification and distributed control", Power System Protection and Control (《电力系统保护与控制》) *

Also Published As

Publication number Publication date
CN113676446B (en) 2023-04-07

Similar Documents

Publication Publication Date Title
US9253162B2 (en) Intelligent card secure communication method
CN105027493A (en) Secure mobile app connection bus
EP3073668A1 (en) Apparatus and method for authenticating network devices
US11025415B2 (en) Cryptographic operation method, method for creating working key, cryptographic service platform, and cryptographic service device
CN105610837B (en) For identity authentication method and system between SCADA system main website and slave station
CN107404472A (en) The migration of Client-initiated encryption key
CN113572740B (en) Cloud management platform authentication encryption method based on state password
CN108319857B (en) Trusted application locking and unlocking method and system
CN111600948B (en) Cloud platform application and data security processing method, system, storage medium and program based on identification password
CN114267100A (en) Unlocking authentication method and device, security chip and electronic key management system
CN114567470B (en) SDK-based multi-system key splitting verification system and method
CN112202713A (en) User data security protection method under Kubernetes environment
CN115333839A (en) Data security transmission method, system, device and storage medium
WO2021170049A1 (en) Method and apparatus for recording access behavior
CN113676446B (en) Communication network safety error-proof control method, system, electronic equipment and medium
CN112865965B (en) Train service data processing method and system based on quantum key
CN109302425A (en) Identity identifying method and terminal device
CN115473655B (en) Terminal authentication method, device and storage medium for access network
CN114884661B (en) Hybrid security service cryptographic system
CN113794563B (en) Communication network security control method and system
CN112906032B (en) File secure transmission method, system and medium based on CP-ABE and block chain
CN104899480A (en) Software copyright protection and management method based on combined public key identity authentication technology
CN113111371A (en) Data transmission method and system based on block chain
CN113868628A (en) Signature verification method and device, computer equipment and storage medium
CN114239006A (en) Social security card PIN resetting method, system and medium based on standard interface

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant