CN114422459A - Method, apparatus and computer equipment for instant message transmission - Google Patents
- Publication number: CN114422459A
- Application number: CN202011073785.7A
- Authority: CN (China)
- Prior art keywords
- client
- message
- instant message
- data
- edge node
- Legal status: Pending (status as listed by Google Patents, which notes it is an assumption and not a legal conclusion)
Classifications
- H04L51/04: Real-time or near real-time messaging, e.g. instant messaging [IM] (under H04L51/00, user-to-user messaging in packet-switching networks transmitted according to store-and-forward or real-time protocols)
- H04L63/0876: Network security architectures or protocols for authentication of entities based on the identity of the terminal or its configuration, e.g. MAC address, hardware or software configuration or device fingerprint (under H04L63/08)
Abstract
An instant message communication method in which an edge node is deployed within an organization. The edge node obtains an instant message sent by a first client and divides it into message data and signaling data, where the message data carries the content the first client transmits to a second client and the signaling data is used to verify the security of the user to whom the first client belongs. The edge node then transmits the instant message to the second client according to a preset rule. This reduces the risk of leakage that arises when instant messages of high sensitivity are uploaded to the cloud, and strengthens the security of message data both in transit and in storage throughout the communication process.
Description
Technical field
The present application relates to the field of communication technologies, and in particular to a method, apparatus and computer equipment for instant message transmission.
Background
With the development of cloud services, enterprise business is gradually migrating to data centers, which provide business services to enterprises in the form of services. For example, a data center can provide an instant messaging service to an enterprise, that is, the instant messaging server is deployed in the data center to reduce the enterprise's maintenance workload; this migration is also called cloud deployment of instant messaging. An instant messaging (IM) service provides real-time communication between users or organizations over a network, allowing two or more users (or organizations) to use tools or applications that support the service to transmit messages in the form of text, files, images, voice or video. However, because the instant messaging client and server are deployed respectively in the enterprise's private network (also called a local area network) and in the public network where the data center is located, transmission of an instant message must cross from the private network into the public network, and the message content is exposed to brute-force cracking, which compromises the security of user data. How to provide a secure instant message transmission method has therefore become a pressing technical problem.
Summary of the invention
The present application provides a method, apparatus and computer equipment for instant message transmission, thereby providing a more secure instant message transmission method and improving the security of user data.
In a first aspect, an instant message transmission method is provided. The method includes: an edge node first obtains an instant message sent by a first client; it then divides the instant message into message data and signaling data, where the message data indicates the content the first client transmits to a second client and the signaling data is used to verify the security of the user to whom the first client belongs; and it then transmits the instant message to the second client according to a preset rule. With this method, an edge node is deployed within the organization and the message data of instant messages involving sensitive data is stored at the edge node, so the message data need not be transmitted to the data center, which improves the security of instant message transmission and storage.
In a possible implementation, the edge node presets an attribute tag list, where an attribute tag identifies the sensitivity of at least one of the user to whom the first client belongs and the organization that user is in. Through attribute tags, the sensitivity of users and/or organizations can be preset; during instant message transmission the edge node determines the sensitivity of the instant message from the preset attribute list and can then choose to store the message data of sensitive users and/or sensitive organizations at the edge node, so that the message data never crosses between the local area network and the public network, ensuring the security of user data.
In another possible implementation, when the user identifier of the user to whom the first client belongs is present in the preset attribute tags, the edge node stores the message data of the instant message at the edge node; when that user identifier is not present in the preset attribute tags, the edge node uploads the message data of the instant message to the data center. The user identifier uniquely identifies a user globally. In this way, the edge node can distinguish sensitive users from ordinary users and keep the instant messages sent by sensitive users at the edge node, improving the security of instant message transmission and storage for sensitive users.
In another possible implementation, when the identifier of the organization of the user to whom the first client belongs is present in the preset attribute tags, the edge node stores the message data of the instant message at the edge node; when that organization identifier is not present in the preset attribute tags, the edge node uploads the message data of the instant message to the data center for storage. In this way, the edge node can distinguish sensitive organizations from non-sensitive organizations and keep the instant messages of sensitive organizations at the edge node, ensuring the security of instant message transmission and storage for sensitive organizations.
In another possible implementation, the edge node can also check whether the message data includes a sensitive field and/or a preset format, where the preset format includes at least one of text, video and voice, and performs the instant message transmission according to the result of that check.
In another possible implementation, when the check finds that the message data contains a sensitive field and/or format, the edge node identifies the instant message as a sensitive instant message and stores its message data at the edge node; when the message data contains no sensitive field and/or format, the edge node identifies the instant message as an ordinary instant message and uploads its message data to the data center for storage. In this way, the sensitivity of an instant message can be identified from the content of its message data, and sensitive instant messages are kept at the edge node, improving the security of message data that contains sensitive fields and/or formats.
In another possible implementation, the edge node stores the message data in the edge node's memory and periodically clears the data stored there. Because the edge node is deployed inside the organization, and clients within the same organization connect to the edge node over the local area network, storing message data at the edge node effectively improves the security of instant message storage. Periodically refreshing the message data stored at the edge node also makes efficient use of storage space.
In another possible implementation, before the edge node obtains the message data sent by the first client, the edge node may obtain a message index from the first client, where the message index is an identifier indicating the order of the instant messages sent by the first client. The edge node sends the message index to the data center to instruct the data center to send the message index to the second client; the edge node then receives the message index sent by the second client and sends the message data to the second client. By identifying the order of instant messages with a message index, the second client can accurately obtain the corresponding message data based on that index, which improves the efficiency of instant message transmission.
In another possible implementation, before the edge node transmits the instant message to the second client according to the preset rule, the edge node may also send the signaling data to the data center and receive the data center's result of verifying the identity of the first client based on that signaling data; when the verification of the first client's identity succeeds, the edge node sends the instant message to the second client according to the preset rule. The instant message transmission method provided by the present application can thus verify the security of the first client, reducing the risk of operations by users who are not logged in and improving the security of instant message transmission.
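The two implementations above (message-index handoff, and identity verification by the data center before delivery) can be seen end to end in the following added example, which is my own illustration and not code from the patent. It models the data center, the edge node and the clients as in-memory objects; the token table, user identifiers and message texts are constructed sample values, and the token check is a plain equality stand-in for whatever verification the data center actually performs.

```python
"""Message-index handoff with data-center identity verification (added illustration)."""
from dataclasses import dataclass


@dataclass
class Signaling:
    """Signaling data: identity material only, never the message content."""
    user: str        # user identifier of the first client's home user
    token: str       # token issued by the data center at login
    recipient: str   # user identifier the message is addressed to


class DataCenter:
    """Holds the login tokens and relays message indexes to the second client."""

    def __init__(self, tokens: dict):
        self.tokens = dict(tokens)            # user id -> current token (constructed)
        self.inbox: dict = {}                 # recipient -> [(sender, index, edge)]

    def verify(self, sig: Signaling) -> bool:
        # Signaling data is checked against the token issued at login.
        return self.tokens.get(sig.user) == sig.token

    def relay_index(self, sig: Signaling, index: int, edge: "EdgeNode") -> None:
        self.inbox.setdefault(sig.recipient, []).append((sig.user, index, edge))

    def fetch_indexes(self, recipient: str) -> list:
        # The second client learns which (sender, index) pairs await it and at which edge node.
        return self.inbox.pop(recipient, [])


class EdgeNode:
    """Stores message data inside the organization; content never reaches the data center."""

    def __init__(self, dc: DataCenter):
        self.dc = dc
        self.store: dict = {}                 # (sender, index) -> (recipient, content)

    def receive(self, sig: Signaling, index: int, content: str) -> bool:
        # The data center verifies the sender's identity before the message is accepted.
        if not self.dc.verify(sig):
            return False
        self.store[(sig.user, index)] = (sig.recipient, content)
        self.dc.relay_index(sig, index, self)     # only the index leaves the LAN
        return True

    def deliver(self, requester: str, sender: str, index: int):
        # The second client presents the index it received from the data center;
        # the content is released only to the addressed recipient.
        entry = self.store.get((sender, index))
        if entry is None or entry[0] != requester:
            return None
        return entry[1]


def second_client_receive(dc: DataCenter, me: str) -> list:
    """Second client's side: poll indexes, then pull content from the edge node in order."""
    received = []
    for sender, index, edge in sorted(dc.fetch_indexes(me), key=lambda t: (t[0], t[1])):
        content = edge.deliver(me, sender, index)
        if content is not None:
            received.append((sender, index, content))
    return received


def demo() -> tuple:
    dc = DataCenter({"SZ000001": "tok-alice", "SZ000002": "tok-bob"})
    edge = EdgeNode(dc)
    alice = Signaling(user="SZ000001", token="tok-alice", recipient="SZ000002")
    ok1 = edge.receive(alice, 2, "second message")      # arrives before index 1
    ok2 = edge.receive(alice, 1, "first message")
    # Stale token: the data center rejects it, nothing is stored or relayed.
    rejected = edge.receive(Signaling("SZ000001", "tok-old", "SZ000002"), 3, "stale")
    # A third party that knows (sender, index) is still refused the content.
    refused = edge.deliver("SZ000009", "SZ000001", 1)
    bob_gets = second_client_receive(dc, "SZ000002")
    return ok1 and ok2, rejected, refused, bob_gets


if __name__ == "__main__":
    print(demo())
```

The index is the only thing that crosses into the public network; the second client reorders by index before reading, which is how the out-of-order arrival in `demo()` still yields the messages in the sender's sequence.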
In a second aspect, the present application provides an instant message transmission apparatus that includes the modules for executing the instant message transmission method of the first aspect or any possible implementation of the first aspect.
In a third aspect, the present application provides an instant message transmission system that includes an edge node and a data center. The edge node and the data center respectively implement the operation steps performed by the corresponding entity in the method of the first aspect or any possible implementation of the first aspect. With this system, an edge node is deployed within the organization and the message data of instant messages sent by the first client is stored at the edge node, improving the security of instant message transmission and storage between the first client and the second client.
In a fourth aspect, the present application provides a computer device that includes a processor and a memory, the memory storing computer-executable instructions; when the computer device runs, the processor executes the computer-executable instructions in the memory to use the hardware resources of the computer device to perform the operation steps of the method of the first aspect or any possible implementation of the first aspect.
In a fifth aspect, the present application provides a computer-readable storage medium storing instructions that, when run on a computer, cause the computer to perform the operation steps of the method of the first aspect or any possible implementation of the first aspect.
In a sixth aspect, the present application provides a computer program product comprising instructions that, when run on a computer, cause the computer to perform the operation steps of the method of the first aspect or any possible implementation of the first aspect.
The implementations provided in the aspects above can be further combined to provide more implementations.
Description of drawings
FIG. 1 is a schematic structural diagram of an instant message communication system 100 provided by an embodiment of the present application;
FIG. 2 is a schematic flowchart of an instant message communication method 200 provided by an embodiment of the present application;
FIG. 3 is a schematic structural diagram of an instant message communication apparatus 300 provided by an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a computer device 400 provided by an embodiment of the present application.
Detailed description
The method, apparatus and device for instant message transmission provided by the present application are described in detail below with reference to the accompanying drawings.
An instant message in the present application can be divided into message data and signaling data. The message data carries the specific content that a user wants to send to other users or organizations; the signaling data is everything other than the message data, for example the user name, user account, user password, or the user identifier (ID) of the recipient specified in the message. The transport protocol of the instant message may be the Extensible Messaging and Presence Protocol (XMPP), the Extensible Messaging and Presence Protocol (EMPP), or Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions (SIMPLE), or it may be a custom protocol based on the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP).
FIG. 1 is a schematic structural diagram of an instant message communication system 100 provided by an embodiment of the present application. As shown, the system 100 includes a data center 101, a network 102, edge nodes (for example, edge node 1031 and edge node 1032 in FIG. 1) and clients 104-108; the data center 101, the edge nodes 103 and the clients 104-108 communicate over the network 102. The data center 101 is the system that implements the instant messaging service and includes multiple devices, for example devices 1011-1013 in FIG. 1. Specifically, the data center 101 may include devices providing computing functions (for example, servers), storage functions (for example, storage arrays) and network functions (for example, switches). The network 102 may use wired or wireless transmission: wired transmission includes data transmission over Ethernet, optical fibre and the like, and wireless transmission includes Wi-Fi, Bluetooth, infrared and the like. In a specific implementation, one or more switches and/or routers may be used to connect the data center 101 to the organization.
It should be understood that the number of devices in the data center 101 does not limit the present application; FIG. 1 uses a data center with three devices only as an example. The present application likewise does not limit the types of devices or the virtualization management approach in the data center.
The edge node is used to identify sensitivity tags, separate the message data from the signaling data in an instant message, and store and forward client instant messages, among other functions. In a specific implementation, the edge node 1031 may be a software module deployed on a server, a single server, a server cluster composed of several servers, or a cloud computing service center; the embodiments of the present application do not limit this. A server is a device that provides computing services. In the embodiments of the present application, the server may be an x86 server, also called a complex instruction set computer (CISC) architecture server or, as it is commonly known, a personal computer (PC) server, that is, a server based on the PC architecture using Intel or other x86-compatible processor chips and operating systems.
The edge node can also receive messages sent by clients inside or outside the organization. For example, edge node 1031 can receive messages sent by client 1041 and client 1042 within organization 1, and can also receive messages sent by client 1043 outside organization 1.
The instant message communication system shown in FIG. 1 also includes one or more organizations. Within an organization, a local area network connects the clients to the edge node, where a local area network (also called a private network) is a computer network that interconnects multiple devices within a limited geographic area for data transmission and resource sharing. An organization can be an enterprise, a department within an enterprise, or a group. Each organization can deploy one edge node for the secure transmission and storage of instant messages.
Optionally, besides one edge node per organization as shown in FIG. 1, multiple organizations can form an organization group and secure their instant message processing through a single shared edge node or a cluster of several edge nodes.
Each organization includes one or more users, and each user exchanges messages with other users through a client. A user can be associated with one or more clients for sending and receiving instant messages. A client can likewise be used by one or more users, but only by one user at a time. For example, user 1052 of organization 1 uses client 1042 deployed within organization 1 to communicate with other users, or user 1052 can also use client 1043 deployed outside the organization to communicate with other users, for example when working from home or travelling. When a user communicates with other users through a client, that user is also called the client's home user. A client is an agent program deployed on a device to send and receive instant messages between different users. The device hosting a client can be a server, a smart device (for example, a smart terminal or tablet) or a personal computer (PC). The devices hosting clients can be communication devices of the same or different types; the present application does not limit this.
Optionally, besides users that belong to an organization, there are users that belong to no organization, also called independent users. An independent user can choose to connect to an edge node in any organization so that the user's client can use that edge node for secure instant message processing. The client of an independent user may select an edge node by physical proximity, at random, or by explicit designation. For example, in FIG. 1 user 1053 is an independent user and client 1043 is the client of user 1053; client 1043 can select edge node 1031 of organization 1, where the user it exchanges messages with is located, for instant message transmission.
Because the instant messaging service is deployed in the data center, the message data of instant messages has to be transmitted across the local area network and the public network, and is also stored in the data center. Since different organizations have different data security requirements, organizations, users and instant messages can be divided into categories by sensitivity in at least one of the following ways.
Way 1: organizations are divided into sensitive organizations and ordinary organizations according to their sensitivity.
A sensitive organization needs the message data of instant messages sent by its users to be protected and not stored in the data center; for example, an organization working on core key technologies can be classed as sensitive. All other organizations can be called ordinary organizations, and for these the message data of instant messages sent by their users need not be protected.
Way 2: users are divided into sensitive users and ordinary users according to their sensitivity.
Sensitive users are users assigned a high security level based on their attributes; users at a high security level may send and receive sensitive data. For example, a user with access to core business information can be classed as a sensitive user. A user's attributes include the user's position in the organization, the nature of their work (for example, whether it involves core technology) and other information that characterizes the user. All other users can be called ordinary users.
Way 3: instant messages are divided into sensitive instant messages and ordinary instant messages according to their message data.
That is, if the message data contains sensitive content, for example sensitive fields such as "password", "account" or "customer identity information", or if the message data indicates a preset format (for example, a picture), then the instant message carrying that message data is a sensitive instant message. All other message data can be called ordinary message data. In a specific implementation, the sensitive content can be preconfigured by each organization or by maintenance staff through the management node of the data center and sent to the edge node, so that the edge node can identify the sensitivity of an instant message from the preset sensitive fields or preset formats and transmit the instant message accordingly.
The classification of organizations and users above is only an example; in a specific implementation the classification methods and rules can be refined according to business requirements, and instant message transmission performed according to the classification result.
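The following added example (my illustration, not code from the patent) puts the three classification ways and the edge node's store-or-upload decision from the summary into one routine. It splits an incoming message into message data and signaling data, checks the preset attribute tag list for the organization and the user, then checks the message data for a preset format or a sensitive field; sensitive message data stays in the edge node's store, which is purged periodically, while ordinary message data is handed to the data center. The tag list, the sensitive-field vocabulary, the field names of the message dictionary and the sample messages are all constructed values.

```python
"""Edge-node sensitivity decision: split, classify, store locally or upload (added illustration)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AttributeTags:
    """Preset attribute tag list pushed to the edge node by the data center's management node."""
    sensitive_orgs: frozenset
    sensitive_users: frozenset
    sensitive_fields: tuple
    sensitive_formats: frozenset


def split_message(raw: dict) -> tuple:
    """Message data = content plus its format; signaling data = everything else."""
    message_data = {"content": raw["content"], "format": raw.get("format", "text")}
    signaling = {k: v for k, v in raw.items() if k not in ("content", "format")}
    return message_data, signaling


def classify(signaling: dict, message_data: dict, tags: AttributeTags) -> tuple:
    """Return ("edge" | "datacenter", reason); the order follows ways 1, 2 and 3."""
    if signaling.get("org") in tags.sensitive_orgs:
        return "edge", "sensitive organization"
    if signaling.get("user") in tags.sensitive_users:
        return "edge", "sensitive user"
    if message_data["format"] in tags.sensitive_formats:
        return "edge", f"preset format {message_data['format']!r}"
    text = message_data["content"].casefold()          # case-insensitive field match
    for word in tags.sensitive_fields:
        if word.casefold() in text:
            return "edge", f"sensitive field {word!r}"
    return "datacenter", "ordinary"


@dataclass
class EdgeStore:
    """In-memory store of sensitive message data with periodic clean-up (ttl in seconds)."""
    ttl: int
    items: dict = field(default_factory=dict)   # message id -> (stored_at, message_data)

    def put(self, msg_id: str, message_data: dict, now: int) -> None:
        self.items[msg_id] = (now, message_data)

    def purge(self, now: int) -> int:
        """Drop entries older than ttl; returns how many were removed."""
        expired = [k for k, (t, _) in self.items.items() if now - t >= self.ttl]
        for k in expired:
            del self.items[k]
        return len(expired)


def route(raw: dict, tags: AttributeTags, store: EdgeStore, uploads: list, now: int) -> tuple:
    """Edge-node handling of one message: split, classify, then store locally or upload."""
    message_data, signaling = split_message(raw)
    dest, reason = classify(signaling, message_data, tags)
    if dest == "edge":
        store.put(raw["id"], message_data, now)
    else:
        # Only ordinary message data (plus signaling) crosses into the public network.
        uploads.append({"id": raw["id"], "signaling": signaling, "message_data": message_data})
    return dest, reason


def demo() -> dict:
    tags = AttributeTags(
        sensitive_orgs=frozenset({"org-rd"}),
        sensitive_users=frozenset({"SZ000007"}),
        sensitive_fields=("password", "account", "customer identity information"),
        sensitive_formats=frozenset({"image", "video", "voice"}),
    )
    store, uploads = EdgeStore(ttl=3600), []
    samples = [  # constructed messages: id, signaling fields, content
        {"id": "m1", "user": "SZ000001", "org": "org-rd", "to": "SZ000002", "content": "lunch?"},
        {"id": "m2", "user": "SZ000007", "org": "org-ops", "to": "SZ000002", "content": "status ok"},
        {"id": "m3", "user": "SZ000003", "org": "org-ops", "to": "SZ000002",
         "content": "see attached", "format": "image"},
        {"id": "m4", "user": "SZ000003", "org": "org-ops", "to": "SZ000002",
         "content": "My Password is on the wiki"},
        {"id": "m5", "user": "SZ000003", "org": "org-ops", "to": "SZ000002", "content": "meeting at 3"},
    ]
    decisions = {s["id"]: route(s, tags, store, uploads, now=1_000) for s in samples}
    purged = store.purge(now=1_000 + 3600)
    return {"decisions": decisions, "uploaded": [u["id"] for u in uploads],
            "stored_after_purge": len(store.items), "purged": purged}


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters for auditability: the reason returned for a message tells an operator which rule kept it on the edge node, and the cheap tag lookups run before the content scan. The substring match on sensitive fields is deliberately simple; a deployment would use the organization's own preconfigured vocabulary and a tokenizer suited to its languages.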
It should be noted that the instant message communication system architecture shown in FIG. 1 is only an example given to better explain the instant message communication method provided by the present application, and does not limit the embodiments of the present application.
The present application provides an instant message communication method in which, after the instant messaging service has been migrated to a data center for unified deployment, an edge node is introduced. The edge node separates the instant messages sent by users into message data and signaling data and, according to the sensitivity of the sending enterprise organization, of the sending user, or of the instant message itself, transmits the instant message according to preset rules, thereby improving security during instant message transmission.
Next, based on the system shown in FIG. 1, the instant message communication method provided by the present application is described in detail with reference to FIG. 2. FIG. 2 is a schematic flowchart of an instant message communication method provided by the present application, using as an example a first client sending an instant message to a second client, so that the home user of the first client sends an instant message to the home user of the second client. The method has two stages, initialization and message transmission; as shown in the figure, it includes:
S201. The first client sends user information to the data center.
S202. The data center sends a user identifier and a token to the first client.
Before a user can transmit instant messages through a client, the user's initialization with the data center must be completed, which includes user login and edge node configuration. The user login process is described in steps S201 to S202, and the edge node configuration in steps S203 to S204.
Each user can send user information to the data center 101 through the client they are using, thereby logging in to the instant messaging service; the data center 101 assigns the user a unique user identifier and stores the user's information. The user identifier is a number the data center 101 generates for each user based on the login order or the user information, usually composed of digits and/or letters, for example 00001 or SZ000001. The data center 101 can also generate a token for the user and return it to the corresponding client, so that the token can be used to verify the user's identity during subsequent instant message transmission. Optionally, the data center 101 can periodically generate a new token for each user to improve the security of identity verification. A token may also be called an authentication identifier. Optionally, the data center may verify user identity by other means besides tokens.
User information includes but is not limited to one or more of: user name, user nickname, user account, user password, the user's job title, and the name of the user's organization. In the embodiments of the present application, the client can provide the user with a login interface whose input boxes the user uses to enter user information and log in to the data center.
Optionally, instead of the user logging in by sending user information to the data center through the client, the login process can be that the first client sends the user's contact details (for example, a mobile phone number or e-mail address) to the data center, the data center sends a verification code to the first client, and the user enters the verification code through the client for the data center to verify; this reduces the risk of someone impersonating the target user and improves communication security.
S203. The first client sends an edge node configuration command to the data center.
S204. The data center returns an edge node address to the first client.
After the user has logged in to the instant messaging service through the client, the data center also needs to configure an edge node for the client, used to transmit and store the instant messages that the client sends. Depending on the type of user, any of the following configuration methods can be used:
Method 1: When the user to whom the first client belongs has a home organization, the data center directly looks up the edge node deployed inside that organization according to the name of the user's organization, and returns the Internet Protocol (IP) address of that edge node to the first client.
Method 2: When the user to whom the first client belongs is an independent user, the data center can select a nearby edge node to transmit that user's instant messages. Specifically, the client sends a configuration command to the data center; the data center obtains the geographic location of the client, selects the edge node closest to the first client according to that location to transmit the user's instant messages, and sends the IP address of the selected edge node to the first client.
Optionally, the user can also have an edge node configured at random. The specific steps are: the user sends a random selection command to the data center through the client; the data center randomly selects an edge node as the user's edge node and sends the IP address of the selected edge node to the first client.
Optionally, the client may also be configured without an edge node. In that case the first client sends instant messages directly to the data center, and the data center completes the instant message transmission.
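The edge node configuration step (S203/S204) as an added example, not code from the patent: the data center chooses an edge node by organization (method 1), by proximity (method 2) or at random (the optional variant) and returns its IP address. The node table, coordinates and TEST-NET addresses are constructed for this example. One design point the example fixes that the text leaves open: the organization is read from the user record the data center stored at login, not from the configuration command, so a client cannot route itself onto another organization's edge node by naming that organization.

```python
"""Edge-node selection for step S203/S204 (added example, not the patent's
code). The node table below is constructed; 203.0.113.0/24 is a documentation
range, the 10.x addresses stand for nodes inside an organization's LAN."""
import math
import secrets
from typing import Dict, Optional, Tuple

# name -> (organization, or None for a shared node; IP; latitude; longitude)
EDGE_NODES: Dict[str, Tuple[Optional[str], str, float, float]] = {
    "edge-ent1": ("Enterprise 1", "10.1.0.5", 22.54, 114.06),
    "edge-ent2": ("Enterprise 2", "10.2.0.5", 31.23, 121.47),
    "edge-pub-a": (None, "203.0.113.10", 39.90, 116.40),
    "edge-pub-b": (None, "203.0.113.20", 23.13, 113.26),
}


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres, enough to rank candidate nodes."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def select_by_org(org_name: str) -> Optional[str]:
    """Method 1: the edge node deployed inside the user's organization."""
    for org, ip, _, _ in EDGE_NODES.values():
        if org == org_name:
            return ip
    return None


def select_nearest(lat: float, lon: float) -> Optional[str]:
    """Method 2: the shared edge node closest to the client's location."""
    shared = [(haversine_km(lat, lon, nlat, nlon), ip)
              for org, ip, nlat, nlon in EDGE_NODES.values() if org is None]
    return min(shared)[1] if shared else None


def select_random() -> Optional[str]:
    """Optional variant: a uniformly random shared edge node."""
    shared = [ip for org, ip, _, _ in EDGE_NODES.values() if org is None]
    return secrets.choice(shared) if shared else None


def configure_edge_node(user_record: dict,
                        client_location: Optional[Tuple[float, float]] = None,
                        random_choice: bool = False) -> Optional[str]:
    """Handle one configuration command. The organization comes from the
    record stored at login, never from the command itself. None means
    'no edge node configured, send directly to the data center'."""
    org = user_record.get("org")
    if org:
        return select_by_org(org)
    if random_choice:
        return select_random()
    if client_location is not None:
        return select_nearest(*client_location)
    return None
```

Whichever method is used, the client ends up with an IP address it will send message content to; a deployment would pin that endpoint (certificate or allow-list) rather than trusting a bare address, since a forged configuration reply would redirect every later message.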
Through the above operations, the initialization phase of the instant messaging service is completed. Next, the user can use the client to transmit and store instant messages through the edge node matched to it; this can also be called the message transmission phase, and it includes:
S205. The edge node obtains the instant message sent by the first client.
The client can be any client in FIG. 1, for example any one of clients 1041 to 1045.
Optionally, the instant message can also include a user ID and/or an organization name; the edge node can judge the sensitivity of the instant message according to whether the user ID and/or organization name exists in the attribute labels, see step S206 for details.
Optionally, the instant message can also include a message index, which indicates the sequential position of the message among those sent by the first client. Specifically, when a client sends an instant message, the data center generates a message index associated with that message, indicating the order of the instant messages sent by the client. During message reception, the client receiving the instant message can obtain the corresponding message data from the edge node through the message index.
In addition, a user can send an instant message to another client through the first client, in which case the home users of the two clients communicate by instant message. The home user of the first client can also send multiple instant messages to the home users of multiple clients at the same time, in which case the home user of the first client and the home users of the other clients communicate by instant message.
S206. The edge node identifies the sensitivity of the instant message and transmits the instant message according to that sensitivity.
The edge node can hold a preset list of attribute labels. An attribute label identifies the sensitivity of at least one of: the user to whom the client belongs, and the organization of that user. The edge node can judge the sensitivity of the instant message from the attribute labels and the user ID and/or organization name carried in the instant message.
In a specific implementation, the preset attribute label list may be set by maintenance personnel according to requirements during the enterprise planning stage, or it may be a sensitivity specified in advance by the user. The preset attribute label list can also be adjusted dynamically according to business needs, for example adding or deleting user IDs or organization names in the preset attribute labels as the sensitivity of the enterprise or user changes, or as the sensitive fields or preset formats change.
As an example, Table 1 shows a preset attribute label list provided by this embodiment. As the table shows, either of the user ID and the organization name can be used to indicate the sensitivity of an instant message. When the user ID and/or organization name included in the instant message is present in the preset attribute label list, the sensitivity of that instant message is valid, and the edge node stores the message data of the instant message sent by that user at the edge node. When the user ID and/or organization name included in the instant message is not present in the preset attribute label list, the sensitivity of that instant message is invalid, and the edge node uploads the message data of the instant message to the data center. For example, the edge node stores two preset attribute lists, preset attribute list 1 and preset attribute list 2: list 1 records the user IDs that carry sensitivity, and list 2 records the organization names that carry sensitivity. That is, when the instant message includes the user ID 00001 or the organization name Enterprise 1 or Enterprise 2, the sensitivity of the instant message is valid; the edge node then further divides the instant message into message data and instruction data and stores the message data at the edge node.
Table 1. Preset attribute label list 1
Table 2. Preset attribute label list 2
Optionally, in addition to the preset attribute label lists of Tables 1 and 2, the edge node can also hold a preset list of sensitive fields or preset formats, used to identify the sensitivity of the instant messages sent by the home user of the first client. The sensitive fields include fields that involve the user's personal sensitive information, such as "password", "account" and "phone"; the preset formats include at least one of image, audio and video.
The edge node can also search the instant message and transmit it according to the search result. Specifically, when the instant message contains either a sensitive field or a sensitive format, the sensitivity of the instant message is valid: the edge node further divides the instant message into message data and instruction data, stores the message data at the edge node, uses the instruction data to perform identity verification with the data center, and completes the transmission of the message data. When the instant message contains neither a sensitive field nor a sensitive format, the sensitivity of the instant message is invalid: the edge node sends the instant message to the data center, and the data center completes the transmission.
As a possible implementation, if the instant message includes both a user ID and an organization name, the sensitivity of the instant message is considered valid as long as either one of them is present in the preset attribute label list.
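The sensitivity check of step S206 as an added example (not the patent's own code). It applies the three criteria described above: user ID in preset list 1, organization name in preset list 2, and sensitive fields or preset formats in the content; a message judged sensitive is split into message data (kept at the edge node) and instruction data (the identity and routing fields handed to the data center for verification), and everything else is passed to the data center whole. The message field names, the list contents, the English field words and the word-boundary match are assumptions.

```python
"""Edge-node sensitivity classification and message splitting for step S206
(added example, not the patent's code). List contents, field names and the
matching rule are assumptions; the preset formats follow the list given in
the text (image, audio, video)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

PRESET_USER_IDS = {"00001"}                            # preset attribute list 1 (constructed)
PRESET_ORG_NAMES = {"Enterprise 1", "Enterprise 2"}    # preset attribute list 2 (constructed)
SENSITIVE_FIELDS = ("password", "account", "phone")    # the text lists 密码, 账号, 电话
SENSITIVE_FORMATS = {"image", "audio", "video"}
INSTRUCTION_KEYS = ("user_id", "org", "token", "to", "index")  # identity and routing only

# Whole-word match so that "accountability" is not flagged as "account".
_FIELD_RE = re.compile(r"\b(" + "|".join(SENSITIVE_FIELDS) + r")\b", re.IGNORECASE)


@dataclass
class Decision:
    sensitive: bool
    reasons: List[str] = field(default_factory=list)
    message_data: Dict = field(default_factory=dict)
    instruction_data: Dict = field(default_factory=dict)


def classify(msg: dict) -> Decision:
    """Apply the three dimensions (user, organization, content). A match on
    either user ID or organization name is enough (the 'possible
    implementation' above), and so is one sensitive field or format."""
    reasons: List[str] = []
    if msg.get("user_id") in PRESET_USER_IDS:
        reasons.append("user_id")
    if msg.get("org") in PRESET_ORG_NAMES:
        reasons.append("org")
    if msg.get("format", "text") in SENSITIVE_FORMATS:
        reasons.append("format:" + msg["format"])
    m = _FIELD_RE.search(msg.get("body", ""))
    if m:
        reasons.append("field:" + m.group(1).lower())
    instruction = {k: msg[k] for k in INSTRUCTION_KEYS if k in msg}
    message_data = {k: v for k, v in msg.items() if k not in INSTRUCTION_KEYS}
    return Decision(bool(reasons), reasons, message_data, instruction)


def route(msg: dict, edge_store: Dict[str, dict], dc_uplink: List[dict]) -> str:
    """Case one: keep the message data at the edge node and send only the
    instruction data upstream. Case two: send the whole message to the data
    center. Returns where the content went."""
    d = classify(msg)
    if d.sensitive:
        edge_store[msg["index"]] = d.message_data
        dc_uplink.append({"kind": "auth", **d.instruction_data})
        return "edge"
    dc_uplink.append({"kind": "message", **msg})
    return "data_center"
```

The lookup uses the user ID and organization name carried in the message, as the text describes. Since those fields are written by the sending client, a deployment would compare them with the user ID the data center returns when it validates the token in the instruction data before trusting them for routing; otherwise the client decides its own classification.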
The process by which the edge node transmits the instant message according to its sensitivity is explained in detail below:
S2061. The edge node transmits the instant message to the second client according to a preset rule.
The second client is the receiver of the instant message, and the edge node can transmit the instant message to the second client according to a preset rule. The preset rule means that the edge node completes the transmission differently depending on the sensitivity given by the preset attribute labels, in the following two cases:
Case 1: When the sensitivity of the instant message is valid, the edge node stores the message data of the instant message at the edge node.
Case 2: When the sensitivity of the instant message is invalid, the edge node sends the instant message to the data center.
In case 2, the edge node can send the instant message directly to the data center, and the data center completes the transmission of the instant message.
Optionally, in case 2, to further improve the security of the transmission process, the edge node can also divide the instant message into message data and instruction data, store the message data at the edge node, use the instruction data to verify the identity of the first client, and then complete the transmission following the processing for valid sensitivity.
In case 1, when transmitting the instant message to the second client, the edge node also needs to use the instruction data in the instant message to complete the identity verification of the first client. Specifically: the edge node sends the token carried by the first client to the data center; the data center verifies the validity of the token and sends the verification result to the edge node; after the first client's identity verification succeeds, the edge node can continue transmitting the instant message to the second client. The detailed process is as follows:
S20611. The data center notifies the second client to receive the instant message.
Optionally, the data center can also send the message index it generated for the instant message to the second client.
Optionally, the data center can also send the IP address of the edge node to the second client.
S20612. The second client sends the message index to the edge node, requesting the corresponding message data, and carries the authentication identifier of the home user of the second client.
S20613. The edge node verifies the security of the second client according to the authentication identifier of the home user of the second client.
The process by which the edge node verifies the security of the second client is similar to that for the first client: it sends the authentication identifier (for example the token) of the home user of the second client to the data center for identity verification. For brevity it is not repeated here.
S20614. When the identity verification of the second client succeeds, the edge node sends the message data to the second client.
As the description of the above process shows, this application adds an edge node to the local area network; the edge node identifies the sensitivity of instant messages and completes their transmission according to that sensitivity, which guarantees that the message data of instant messages with valid sensitivity is stored only at the edge node. This avoids the security risks that storing sensitive data in the data center would bring and improves the security of data processing. Further, the edge node can divide an instant message into message data and instruction data, store sensitive data directly at the edge node and not transmit the message data to the data center, which reduces the risk of sensitive data being intercepted and brute-forced during network transmission and also secures the transmission of the instant messaging service.
As a possible implementation, in addition to transmitting the instant message according to steps S20611 to S20614 above, the edge node can also determine the IP address of the second client from the identifier of the second client carried in the instant message and then transmit the instant message to that IP address. Specifically, the edge node sends the data center a request to look up the second client, carrying the identifier of the second client; the data center returns the IP address of the second client to the edge node according to that identifier; the edge node then transmits the instant message to the second client according to its IP address.
As a possible implementation, this application also provides a graphical user interface (GUI). The GUI program can be deployed on the edge node and/or in the data center and gives maintenance personnel a visual interface for adding or updating organizations, users, sensitive content and preset formats; maintenance personnel can view and modify the preset attribute labels through this GUI. Optionally, the visual interface can also present the sensitivity identification results of the instant messages with their index identifiers, including whether the sensitivity of the instant message associated with each index identifier is valid and where that instant message is stored.
Next, with reference to the system shown in FIG. 1, the technical solution claimed by this application is further explained in three scenarios.
Scenario 1: Instant message transmission between two users belonging to the same organization.
In this scenario the edge node, the first client and the second client all belong to the same organization. The communication flow between the two users is similar to that of FIG. 2: the edge node in that organization identifies the sensitivity of the instant message and transmits it according to that sensitivity. For brevity this is not repeated here.
Scenario 2: Instant message transmission between two users belonging to different organizations.
In this scenario each organization may have its own edge node. For example, the first client and the first edge node belong to one organization, and the second client and the second edge node belong to another. Optionally, an edge node may be deployed in only one of the two organizations, and that edge node carries out the instant message transmission between the first client and the second client.
When the first edge node and the second edge node are deployed in different organizations, the process by which the first edge node transmits an instant message to the second client specifically includes:
Step 1: The first edge node sends the message index to the data center.
Step 2: The data center sends the message index to the second edge node.
Step 3: The second edge node sends the message index to the second client.
Step 4: The second client sends the second edge node a request for the message data; the request includes the message index and the authentication identifier of the second client.
Step 5: The second edge node verifies the security of the second client with the data center according to the second client's authentication identifier.
Step 6: After the identity verification of the second client passes, the second edge node sends the message index to the first edge node.
Step 7: The first edge node sends the message data of the instant message to the second edge node according to the message index.
Through the above operations, the first client and the second client each complete identity verification and instant message transmission through the edge node matched to them. Message data involving sensitive information is neither transmitted to the data center nor stored there, which secures both the transmission and the storage of the instant message data.
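The message transmission phase as an added example (not the patent's own code) that covers both the single edge node flow of steps S20611 to S20614 above and the two edge node flow of steps 1 to 7 of scenario 2: the data center only ever handles tokens and message indices, and message data moves from the holding edge node to the recipient's edge node directly. Tokens are pre-provisioned instead of issued by a login step; node names, user IDs and the transcript format are constructed; and the check that an index was actually announced to the requesting recipient is an addition of this example, not a step in the text.

```python
"""Exchange between clients, edge nodes and the data center for both the
same-organization and the cross-organization case (added example, not the
patent's code). Tokens are pre-provisioned; all identifiers are constructed."""
from typing import Dict, List, Optional, Tuple

TRANSCRIPT: List[str] = []  # one entry per exchanged message, for inspection


class DataCenter:
    def __init__(self, tokens: Dict[str, str]):
        self._tokens = tokens                          # token -> user_id, as issued at login
        self.client_edge: Dict[str, "EdgeNode"] = {}   # user_id -> configured edge node
        self._seq = 0

    def verify(self, token: str, user_id: str) -> bool:
        """Token check requested by an edge node (S20613 / step 5). The token
        must belong to the user it is presented for, not merely be valid."""
        ok = self._tokens.get(token) == user_id
        TRANSCRIPT.append(f"DC verify {user_id}: {'ok' if ok else 'FAIL'}")
        return ok

    def new_index(self, sender: str) -> str:
        """Message index: a data-center sequence number tagged with the sender."""
        self._seq += 1
        return f"{sender}-{self._seq:05d}"

    def notify(self, holder: "EdgeNode", index: str, recipient: str) -> None:
        """S20611 / steps 1 to 3: forward the index (never the content) to the
        recipient's edge node, which announces it to the recipient."""
        target = self.client_edge[recipient]
        TRANSCRIPT.append(f"DC -> {target.name}: index {index} for {recipient}")
        target.announce(index, recipient, holder)


class EdgeNode:
    def __init__(self, name: str, dc: DataCenter):
        self.name, self.dc = name, dc
        self._store: Dict[str, dict] = {}                         # index -> message data
        self._announced: Dict[Tuple[str, str], "EdgeNode"] = {}  # (index, recipient) -> holder
        self.inbox: Dict[str, List[str]] = {}                     # recipient -> indices

    def accept(self, msg: dict) -> Optional[str]:
        """S205 and case one of S206: authenticate the sender through the data
        center with the instruction data, keep only the message data locally."""
        if not self.dc.verify(msg["token"], msg["user_id"]):
            return None
        index = self.dc.new_index(msg["user_id"])
        self._store[index] = {"body": msg["body"]}
        self.dc.notify(self, index, msg["to"])
        return index

    def announce(self, index: str, recipient: str, holder: "EdgeNode") -> None:
        self._announced[(index, recipient)] = holder
        self.inbox.setdefault(recipient, []).append(index)
        TRANSCRIPT.append(f"{self.name} -> {recipient}: index {index}")

    def fetch(self, index: str, recipient: str, token: str) -> Optional[dict]:
        """S20612 to S20614 / steps 4 to 7: the recipient presents index and
        token; on success the data comes from the local store or from the
        edge node that holds it."""
        if not self.dc.verify(token, recipient):
            return None
        holder = self._announced.get((index, recipient))
        if holder is None:
            return None              # index was never addressed to this recipient
        if holder is self:
            return self._store.get(index)
        TRANSCRIPT.append(f"{self.name} -> {holder.name}: index {index}")
        return holder.relay(index)

    def relay(self, index: str) -> Optional[dict]:
        """Step 7: the holding edge node returns the message data to the
        requesting edge node."""
        return self._store.get(index)


def demo() -> Tuple[Optional[dict], Optional[dict], Optional[dict]]:
    """Same-organization delivery, cross-organization delivery, and a fetch
    with a token that belongs to a different user than the recipient."""
    dc = DataCenter({"tokA": "00001", "tokB": "00002", "tokC": "00003"})
    ent1, ent2 = EdgeNode("edge-ent1", dc), EdgeNode("edge-ent2", dc)
    dc.client_edge.update({"00001": ent1, "00002": ent1, "00003": ent2})
    i1 = ent1.accept({"user_id": "00001", "token": "tokA", "to": "00002", "body": "Q3 figures"})
    i2 = ent1.accept({"user_id": "00001", "token": "tokA", "to": "00003", "body": "contract draft"})
    same_org = ent1.fetch(i1, "00002", "tokB")
    cross_org = ent2.fetch(i2, "00003", "tokC")
    wrong_token = ent2.fetch(i2, "00003", "tokB")
    return same_org, cross_org, wrong_token
```

After demo() runs, TRANSCRIPT shows that the data center's part of the exchange consists only of verify calls and index notifications; the body strings appear exclusively in the two edge nodes' stores and in the step 7 relay between them.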
Scenario 3: Instant message transmission between a user belonging to an organization and an independent user.
In this scenario there are two edge nodes: one deployed in the organization of the home user of the first client, the other an edge node configured by the data center for the independent user. When the two edge nodes happen to be the same node, the communication flow between the two users is exactly that of scenario 1; when they are different nodes, the flow is exactly that of scenario 2, and it is not repeated here.
In summary, the instant messaging method provided by the embodiments of this application can deploy an edge node in an organization. The edge node identifies the sensitivity of an instant message through at least one of three dimensions (user, organization, and the message data of the instant message), stores the message data of sensitive users, sensitive organizations and sensitive instant messages inside the edge node, and uploads only the other message data to the data center for storage. During the message interaction between the client and the data center, the data center therefore does not receive or process sensitive content, which effectively prevents leakage of message data while it is transmitted to the data center and the instability brought by storing message data in the data center, and improves the security of the whole communication process.
It should be noted that, for simplicity of description, the above method embodiments are expressed as a series of combined actions, but those skilled in the art should know that this application is not limited by the described order of actions.
Other reasonable combinations of steps that those skilled in the art can conceive based on the above description also fall within the protection scope of this application. Secondly, those skilled in the art should also be aware that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by this application.
The instant message transmission method provided by the embodiments of this application has been described in detail above with reference to FIG. 1 and FIG. 2. The apparatus and computer device for instant message transmission provided by the embodiments of this application are described below with reference to FIG. 3 and FIG. 4.
FIG. 3 is a schematic diagram of an instant message transmission apparatus 300 provided by this application, including an obtaining unit 310, a processing unit 320 and a transmission unit 330.
The obtaining unit 310 is configured to obtain the instant message sent by the first client.
The processing unit 320 is configured to divide the instant message obtained by the obtaining unit 310 into message data and signaling data (the instruction data of the method above), where the message data indicates the content that the first client transmits to the second client, and the signaling data is used to verify the security of the home user of the first client.
The transmission unit 330 is configured to transmit the instant message to the second client according to a preset rule.
It should be understood that the transmission apparatus 300 of this embodiment may be implemented by an application-specific integrated circuit (ASIC) or a programmable logic device (PLD); the PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof. When the instant message transmission method shown in FIG. 2 is implemented in software, the transmission apparatus 300 and its modules may also be software modules.
Optionally, the processing unit 320 is further configured to hold a preset list of attribute labels, where an attribute label identifies the sensitivity of at least one of the home user of the first client and the organization of that user.
Optionally, when the attribute label identifies the sensitivity of the home user of the first client, the transmission unit 330 is further configured to store the message data of the instant message at the edge node when the user ID of the home user of the first client is present in the preset attribute labels, and to upload the message data of the instant message to the data center when it is not; the user ID globally and uniquely identifies a user.
Optionally, when the attribute label identifies the sensitivity of the organization of the home user of the first client, the transmission unit 330 is further configured to store the message data of the instant message at the edge node when the identifier of that organization is present in the preset attribute labels, and to upload the message data of the instant message to the data center for storage when it is not.
Optionally, the processing unit 320 is further configured to search whether the message data includes a sensitive field and/or a preset format, where the preset format includes at least one of text, video and voice, and to transmit the instant message according to the search result.
Optionally, the processing unit 320 is further configured to identify the instant message as a sensitive instant message when the message data contains a sensitive field and/or format, and the transmission unit 330 is further configured to store the message data of the instant message at the edge node; and
the processing unit 320 is further configured to identify the instant message as an ordinary instant message when the message data contains no sensitive field and/or format, and the transmission unit 330 is further configured to upload the message data of the instant message to the data center for storage.
Optionally, the transmission apparatus 300 further includes a storage unit 340, configured to store the message data in the memory of the edge node and to periodically clear the data stored in that memory.
Optionally, the obtaining unit 310 is further configured to obtain the message index of the first client before obtaining the message data sent by the first client, where the message index identifies the order of the messages sent by the first client;
the transmission unit 330 is further configured to send the message index to the data center so as to instruct the data center to send the message index to the second client, and, on receiving the message index sent by the second client, to send the message data to the second client.
Optionally, the processing unit 320 is further configured, before the instant message is transmitted to the second client according to the preset rule, to send the instruction data to the data center and receive the data center's identity verification result for the first client; when the result is success, the transmission unit sends the instant message to the second client according to the preset rule.
The transmission apparatus 300 according to the embodiments of this application may correspond to performing the methods described in the embodiments of this application, and the above and other operations and/or functions of the units in the transmission apparatus 300 implement the corresponding flows of the methods in FIG. 2; for brevity they are not repeated here.
In summary, in the transmission apparatus 300 provided by the embodiments of this application, the processing unit can identify, from multiple dimensions, the instant messages sent by sensitive users and by users belonging to sensitive organizations, and the instant messages whose message data contains sensitive content, and store them in the storage unit. This reduces the risk of leakage of sensitive information inside the organization, strengthens the security of the whole communication process and of the message data, and is applicable to service scenarios of internal communication in organizations holding sensitive information or of their communication with other external organizations.
图4为本申请实施例提供的一种计算机设备400的示意图,如图所示,计算机设备400包括处理器401、存储器402、通信接口403总线404和内存405。其中,处理器401、存储器402、通信接口403、内存405通过总线404进行通信,也可以通过无线传输等其他手段实现通信。内存405用于存储计算机执行指令,处理器401用于执行内存405存储的计算机执行指令以实现下述操作步骤:4 is a schematic diagram of a
获取第一客户端发送的即时消息;Obtain the instant message sent by the first client;
将所述即时消息划分为消息数据和信令数据,所述消息数据用于指示所述第一客户端向第二客户端传输的内容,所述信令数据用于验证所述第一客户端归属用户的安全性;Divide the instant message into message data and signaling data, where the message data is used to indicate the content transmitted by the first client to the second client, and the signaling data is used to authenticate the first client the security of the attributable user;
按照预设规则向所述第二客户端传输所述即时消息。The instant message is transmitted to the second client according to a preset rule.
应理解,在本申请实施例中,该处理器401可以是CPU,该处理器401还可以是其他通用处理器、数字信号处理器(digital signal processing,DSP)、专用集成电路(application specific integrated circuit,ASIC)、现场可编程门阵列(fieldprogrammable gate array,FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者是任何常规的处理器等。It should be understood that in this embodiment of the present application, the
该存储器402可以包括只读存储器和随机存取存储器,并向处理器401提供指令和数据。存储器402还可以包括非易失性随机存取存储器。例如,存储器402还可以存储设备类型的信息。The
该存储器402可以是易失性存储器或非易失性存储器,或可包括易失性和非易失性存储器两者。其中,非易失性存储器可以是只读存储器(read-only memory,ROM)、可编程只读存储器(programmable ROM,PROM)、可擦除可编程只读存储器(erasable PROM,EPROM)、电可擦除可编程只读存储器(electrically EPROM,EEPROM)或闪存。易失性存储器可以是随机存取存储器(random access memory,RAM),其用作外部高速缓存。通过示例性但不是限制性说明,许多形式的RAM可用,例如静态随机存取存储器(static RAM,SRAM)、动态随机存取存储器(DRAM)、同步动态随机存取存储器(synchronous DRAM,SDRAM)、双倍数据速率同步动态随机存取存储器(double data date SDRAM,DDR SDRAM)、增强型同步动态随机存取存储器(enhanced SDRAM,ESDRAM)、同步连接动态随机存取存储器(synchlinkDRAM,SLDRAM)和直接内存总线随机存取存储器(direct rambus RAM,DR RAM)。The
该总线404除包括数据总线之外,还可以包括电源总线、控制总线和状态信号总线等。但是为了清楚说明起见,在图中将各种总线都标为总线404。In addition to the data bus, the
应理解,根据本申请实施例的计算设备400可对应于本申请实施例中的传输装置300,并可以对应于执行根据本申请实施例中图2所示的方法200中的相应主体,并且计算设备400中的各个模块的上述和其它操作和/或功能分别为了实现图中的各个方法的相应流程,为了简洁,在此不再赘述。It should be understood that the
综上所述,本申请实施例提供的计算机设备,根据即时消息的敏感度将即时消息划分为消息数据和消息信令,存储即时消息敏感度有效的消息数据至边缘节点,保护了这类消息的传输和存储始终位于组织的局域网范围内中,减少了敏感度有效的即时消息的消息数据传输至数据中心过程中所带来的泄露风险,提升了即时消息传输过程中的安全性。To sum up, the computer equipment provided by the embodiments of the present application divides instant messages into message data and message signaling according to the sensitivity of instant messages, stores message data with effective instant message sensitivity to edge nodes, and protects such messages The transmission and storage of IM is always located within the organization's local area network, which reduces the risk of leakage caused by the transmission of sensitive and effective IM message data to the data center, and improves the security during IM transmission.
本申请还提供一种即时消息的传输系统,包括边缘节点和数据中心。边缘节点和数据中心分别用于实现上述传输装置或计算机设备中相应主体所执行的方法的操作步骤。通过上述即时消息的传输系统,在组织中设置边缘节点,将第一客户端发送的即时消息的消息数据存储在边缘节点中,提高了第一客户端与第二客户端之间即时消息传输和存储的安全性。The present application also provides an instant message transmission system, including an edge node and a data center. The edge node and the data center are respectively used to implement the operation steps of the method executed by the corresponding subject in the above-mentioned transmission apparatus or computer equipment. Through the above instant message transmission system, an edge node is set in the organization, and the message data of the instant message sent by the first client is stored in the edge node, which improves the instant message transmission and efficiency between the first client and the second client. storage security.
上述实施例,可以全部或部分地通过软件、硬件、固件或其他任意组合来实现。当使用软件实现时,上述实施例可以全部或部分地以计算机程序产品的形式实现。所述计算机程序产品包括一个或多个计算机指令。在计算机上加载或执行所述计算机程序指令时,全部或部分地产生按照本申请实施例所述的流程或功能。所述计算机可以为通用计算机、专用计算机、计算机网络、或者其他可编程装置。所述计算机指令可以存储在计算机可读存储介质中,或者从一个计算机可读存储介质向另一个计算机可读存储介质传输,例如,所述计算机指令可以从一个网站站点、计算机、服务器或数据中心通过有线(例如同轴电缆、光纤、数字用户线(digital subscriber line,DSL))或无线(例如红外、无线、微波等)方式向另一个网站站点、计算机、服务器或数据中心进行传输。所述计算机可读存储介质可以是计算机能够存取的任何可用介质或者是包含一个或多个可用介质集合的服务器、数据中心等数据存储设备。所述可用介质可以是磁性介质(例如,软盘、硬盘、磁带)、光介质(例如,DVD)、或者半导体介质。半导体介质可以是固态硬盘(solid state drive,SSD)。The above embodiments may be implemented in whole or in part by software, hardware, firmware or any other combination. When implemented in software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded or executed on a computer, all or part of the processes or functions described in the embodiments of the present application are generated. The computer may be a general purpose computer, special purpose computer, computer network, or other programmable device. The computer instructions may be stored in or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer instructions may be downloaded from a website site, computer, server, or data center Transmission to another website site, computer, server or data center by wire (eg, coaxial cable, optical fiber, digital subscriber line, DSL) or wireless (eg, infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device such as a server, a data center, or the like that contains one or more sets of available media. The usable media may be magnetic media (eg, floppy disks, hard disks, magnetic tapes), optical media (eg, DVDs), or semiconductor media. 
The semiconductor medium may be a solid state drive (SSD).
The foregoing is merely a specific embodiment of the present application. Variations or substitutions that a person skilled in the art could conceive based on the specific embodiments provided in the present application shall all fall within the protection scope of the present application.
Claims (20)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011073785.7A CN114422459A (en) | 2020-10-09 | 2020-10-09 | Method, apparatus and computer equipment for instant message transmission |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011073785.7A CN114422459A (en) | 2020-10-09 | 2020-10-09 | Method, apparatus and computer equipment for instant message transmission |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114422459A true CN114422459A (en) | 2022-04-29 |
Family
ID=81260399
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011073785.7A Pending CN114422459A (en) | 2020-10-09 | 2020-10-09 | Method, apparatus and computer equipment for instant message transmission |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114422459A (en) |
2020
- 2020-10-09 CN CN202011073785.7A patent/CN114422459A/en active Pending
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118138308A (en) * | 2024-03-06 | 2024-06-04 | 广州市汇朗信息技术有限公司 | A user data intelligent collection and protection processing method based on the Internet of Things |
CN118138308B (en) * | 2024-03-06 | 2024-12-27 | 北京伊顺科技发展有限公司 | User data intelligent collection protection processing method based on Internet of things |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10110671B2 (en) | | Method, system, and device for managing server hardware resources in a cloud scheduling environment |
US11228590B2 (en) | | Data processing method and apparatus based on mobile application entrance and system |
CN107508795B (en) | | Cross-container cluster access processing device and method |
US10659453B2 (en) | | Dual channel identity authentication |
JP2022020946A (en) | | Information processing device, information processing system, communication format determination method, and program |
US20180359243A1 (en) | | Methods and systems for single sign-on while protecting user privacy |
US10785056B1 (en) | | Sharing a subnet of a logically isolated network between client accounts of a provider network |
CN113691575B (en) | | Communication method, device and system |
WO2022214019A1 (en) | | Method and apparatus for deploying network device, and device, system and storage medium |
CN108053088A (en) | | Subscriber management system, method and apparatus |
US11363060B2 (en) | | Email security in a multi-tenant email service |
US20240244080A1 (en) | | Method and apparatus for determining compromised host |
US10462154B2 (en) | | Restricting communications between subscriber machines |
WO2015134933A1 (en) | | Manage encrypted network traffic using spoofed addresses |
US20150047009A1 (en) | | Access control method, access control system and access control device |
US20140089430A1 (en) | | Data-sharing method, terminal, server, and system |
CN114969045A (en) | | Account creating method, Internet of things multi-tenant system, equipment, program and medium |
CN114422459A (en) | | Method, apparatus and computer equipment for instant message transmission |
CN111953931B (en) | | Data sharing method, device and storage medium |
US20220086182A1 (en) | | Risk-adaptive DNS forwarder |
WO2018032499A1 (en) | | Load balancing method and associated device |
WO2017020551A1 (en) | | Method and device for managing wireless access point |
CN116032762B (en) | | Processing method, system and gateway equipment of network service |
US20160248596A1 (en) | | Reflecting mDNS packets |
US9294434B1 (en) | | Connectionless communications |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||