CN114422459A - Instant message transmission method and device and computer equipment - Google Patents


Info

Publication number: CN114422459A
Application number: CN202011073785.7A
Authority: CN (China)
Legal status: Pending
Prior art keywords: client, message, instant message, data, edge node
Other languages: Chinese (zh)
Inventor: 张凯
Current assignee: Huawei Cloud Computing Technologies Co Ltd
Original assignee: Huawei Cloud Computing Technologies Co Ltd
Application filed by Huawei Cloud Computing Technologies Co Ltd
Priority to CN202011073785.7A
Publication of CN114422459A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L 51/04 Real-time or near real-time messaging, e.g. instant messaging [IM]
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

An instant messaging method in which an edge node is deployed within an organization. The edge node obtains an instant message sent by a first client and divides it into message data and signaling data, where the message data indicates the content transmitted from the first client to a second client and the signaling data is used to verify the security of the home subscriber of the first client. The edge node then transmits the instant message to the second client according to a preset rule. This reduces the risk of leakage caused by uploading sensitive instant messages to the cloud and enhances the security of message data transmission and storage throughout the communication process.

Description

Instant message transmission method and device and computer equipment
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for transmitting an instant message, and a computer device.
Background
With the development of cloud services, the business systems of an enterprise are gradually migrated to a data center, which provides them to the enterprise as services. For example, the data center may provide an instant message service to the enterprise, that is, the server side of the instant message service is deployed in the data center so as to reduce the maintenance workload of the enterprise; this migration may also be referred to as cloud deployment of instant messaging. An Instant Messaging (IM) service is a service for real-time communication between users or organizations over a network, allowing two or more users (or organizations) to exchange text, files, images, voice, video and so on in the form of messages using tools or applications that support the IM service. However, because the client and the server of the instant message service are deployed, respectively, in the private network (also referred to as the local area network) where the enterprise is located and in the public network where the data center is located, the transmission of an instant message must cross the private network and the public network, and the content of the instant message is exposed to brute-force cracking that compromises the data security of the user. Therefore, how to provide a secure instant message transmission method is a technical problem to be solved urgently.
Disclosure of Invention
The application provides a method and a device for transmitting instant messages and computer equipment, so that a safer method for transmitting instant messages is provided, and the safety of user data is improved.
In a first aspect, a method for transmitting an instant message is provided, the method including: an edge node first obtains an instant message sent by a first client; divides the instant message into message data and signaling data, where the message data indicates the content transmitted from the first client to a second client and the signaling data is used to verify the security of the home subscriber of the first client; and then transmits the instant message to the second client according to a preset rule. With this method, edge nodes are arranged within the organization, the message data of instant messages that involve sensitive data is stored at the edge node and does not need to be transmitted to the data center, and the security of transmission and storage of instant messages is improved.
In a possible implementation manner, the edge node presets an attribute tag list, where the attribute tag is used to identify at least one of the first client home subscriber and an organization in which the first client home subscriber is located. The sensitivity of the user and/or the organization can be preset through the attribute tag, in the transmission process of the instant message, the edge node can determine the sensitivity of the instant message according to the preset attribute list, and then the message data of the sensitive user and/or the sensitive organization is selected to be stored in the edge node, so that the message data does not relate to the transmission of a local area network and a public network, and the safety of the user data is ensured.
In another possible implementation, when the user identifier of the first client's home user exists in the preset attribute tag list, the edge node stores the message data of the instant message at the edge node; when the user identifier of the first client's home user does not exist in the preset attribute tag list, the edge node uploads the message data of the instant message to the data center. The user identifier globally and uniquely identifies one user. In this way the edge node can distinguish sensitive users from common users, and the instant messages sent by sensitive users are stored at the edge node, which improves the security of transmission and storage of the instant messages of sensitive users.
In another possible implementation, when the identifier of the organization to which the first client belongs exists in the preset attribute tag list, the edge node stores the message data of the instant message at the edge node; when the identifier of the organization to which the first client belongs does not exist in the preset attribute tag list, the edge node uploads the message data of the instant message to the data center for storage. In this way the edge node can distinguish sensitive organizations from non-sensitive organizations, store the instant messages of sensitive organizations at the edge node, and ensure the security of transmission and storage of the instant messages of sensitive organizations.
In another possible implementation, the edge node may further check whether the message data includes a sensitive field and/or a preset format, where the preset format includes at least one of text, video, and voice, and transmit the instant message according to the result of the check.
In another possible implementation, when the check finds that the message data contains sensitive fields and/or formats, the edge node identifies the instant message as a sensitive instant message and stores its message data at the edge node; when the message data contains no sensitive fields or formats, the edge node identifies the instant message as a common instant message and uploads its message data to the data center for storage. In this way the sensitivity of an instant message can be identified from the content of its message data, sensitive instant messages are stored at the edge node, and the security of message data containing a sensitive field and/or format is improved.
In another possible implementation, the edge node stores the message data to a memory of the edge node, and periodically cleans up the data stored in the memory. Because the edge node is arranged in the organization, the local area network is used in the same organization to realize the communication connection between the client and the edge node, and the message data is stored in the edge node, the safety of instant message storage can be effectively improved. In addition, the message data stored in the edge node is periodically updated, which is beneficial to the effective utilization of the storage space.
In another possible implementation manner, before the edge node acquires the message data sent by the first client, the edge node may acquire a message index of the first client, where the message index is used to indicate an identification of an order in which the instant messages are sent by the first client. The edge node sends the message index to the data center to indicate the data center to send the message index to the second client; and then, receiving the message index sent by the second client, and then sending message data to the second client. Through the description of the method, the order of the instant messages is identified by the message indexes, and the second client can accurately acquire corresponding message data according to the message indexes, so that the efficiency of the transmission process of the instant messages is improved.
In another possible implementation, before the edge node transmits the instant message to the second client according to the preset rule, the edge node may further send the instruction data (that is, the signaling data) to the data center, then receive the data center's verification result for the identity of the first client based on that instruction data, and send the instant message to the second client according to the preset rule only when the identity verification of the first client succeeds. In this way the instant message transmission method provided by the application can verify the security of the first client, reduce the risk of operations by users who are not logged in, and improve the security of instant message transmission.
In a second aspect, the present application provides an instant message transmission apparatus, which includes various modules for executing the instant message transmission method in the first aspect or any one of the possible implementation manners of the first aspect.
In a third aspect, the present application provides an instant message transmission system, which includes an edge node and a data center. The edge node and the data center are respectively configured to implement the operation steps of the method performed by the corresponding subject matter in any one of the possible implementations of the first aspect and the first aspect. By the instant message transmission system, the edge node is arranged in the organization, and the message data of the instant message sent by the first client side is stored in the edge node, so that the safety of instant message transmission and storage between the first client side and the second client side is improved.
In a fourth aspect, the present application provides a computer device, where the computer device includes a processor and a memory, where the memory is used to store computer execution instructions, and when the computer device runs, the processor executes the computer execution instructions in the memory to utilize hardware resources in the computer device to execute the operation steps of the method in the first aspect or any one of the possible implementation manners of the first aspect.
In a fifth aspect, the present application provides a computer-readable storage medium having stored therein instructions, which, when executed on a computer, cause the computer to perform the operational steps of the method according to the first aspect or any one of the possible implementations of the first aspect.
In a sixth aspect, the present application provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the operational steps of the method of the first aspect or any one of the possible implementations of the first aspect.
The present application can further combine to provide more implementations on the basis of the implementations provided by the above aspects.
Drawings
Fig. 1 is a schematic structural diagram of an instant messaging system 100 according to an embodiment of the present application;
fig. 2 is a flowchart illustrating an instant message communication method 200 according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of an instant message communication device 300 according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a computer device 400 according to an embodiment of the present application.
Detailed Description
The following describes a method, an apparatus, and a device for instant messaging provided by the present application in detail with reference to the accompanying drawings.
Instant messages to which the present application relates can be divided into message data and signaling data. The message data indicates the specific content that the user wants to send to other users or organizations; the signaling data indicates the parts other than the message data, such as a user name, a user account, a user password, or the user Identifier (ID) of the receiver specified in the message. Transmission protocols for instant messages include the Extensible Messaging and Presence Protocol (XMPP), the Extensible Messaging and Presentation Protocol (EMPP), the Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions (SIMPLE), or a custom protocol built on the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP).
Fig. 1 is a schematic structural diagram of an instant messaging system 100 according to an embodiment of the present disclosure, where as shown in the figure, the system 100 includes a data center 101, a network 102, edge nodes (e.g., the edge nodes 1031 and 1032 in fig. 1) and clients 104 and 108, and the data center 101, the edge nodes 103 and the clients 104 and 108 communicate via the network 102. The data center 101 refers to a system for implementing an instant messaging service, and the system includes a plurality of devices, for example, the devices 1011 to 1013 in fig. 1. In particular, devices for implementing computing functions (e.g., servers), storage (e.g., storage arrays) functions, and network (e.g., switch) functions may be included in the data center 101. The network 102 includes wired or wireless transmission modes, wherein the wired transmission mode includes data transmission in forms of ethernet, optical fiber and the like, and the wireless transmission mode includes transmission modes such as mobile hotspot (Wi-Fi), bluetooth, infrared and the like. In particular embodiments, one or more switches and/or routers may be utilized to facilitate communication between data center 101 and an organization.
It should be understood that the number of devices in the data center 101 is not limiting to the present application, and fig. 1 only illustrates that the data center includes three devices as an example. In addition, the present application is not limited to the type of the device in the data center and the virtualization management method.
The edge node is used for identifying sensitivity, distinguishing message data from instruction data (signaling data) in the instant message, storing and forwarding the instant messages of clients, and so on. In a specific implementation, the edge node 1031 may be a software module deployed in a server, a single server, a server cluster composed of a plurality of servers, or a cloud computing service center, which is not limited in this embodiment of the present application. A server is a device that provides computing services. In the embodiment of the present application, the server may be an X86 server; an X86 server is also called a Complex Instruction Set Computer (CISC) architecture server, that is, a Personal Computer (PC) server in the general sense, which is based on the PC architecture and uses an Intel (Figure BDA0002716064070000041 in the original) or other x86 instruction set compatible processor chip together with an operating system (Figure BDA0002716064070000042 in the original).
The edge node may also be used to receive messages sent by clients within or outside the organization. For example, edge node 1031 may receive messages sent by client 1041 and client 1042 in organization 1, and may also receive messages sent by client 1043 outside organization 1.
The instant messaging system shown in fig. 1 further includes one or more organizations, and the local area network (which may also be referred to as a private network) is used in the same organization to implement communication connection between the client and the edge node, where the local area network is a computer network that interconnects a plurality of devices within a limited geographic range to implement data transmission and resource sharing. Each organization may be a business, a department of the same business, or a group. Each organization may have an edge node for secure transmission and storage of instant messages.
Optionally, besides that each organization shown in fig. 1 is provided with an edge node, a plurality of organizations may also form an organization group, and secure processing of instant messages is implemented by the same edge node or a cluster formed by a plurality of edge nodes.
Each organization includes one or more users, each of which interacts with other users through a client for messages. A user may be associated with one or more clients for sending and receiving instant messages. Meanwhile, one client can be used by one or more users, but can be used by only one user at the same time. For example, user 1052 of organization 1 may communicate with other users using client 1042 deployed within organization 1, or user 1052 of organization 1 may also communicate with other users using client 1043 deployed outside of the organization, e.g., user 1052 communicates with other users at home or during a business trip using client 1043. When a user communicates with other users through a client, the user may also be referred to as the home user of the client. The client is a proxy program deployed in the device and used for realizing the sending and receiving of instant messages among different users. The device deploying the client may be a server, a smart device (e.g., a smart terminal, a tablet, etc.), a Personal Computer (PC). In addition, the devices in which the client is deployed may be the same type of communication device or different communication devices, which is not limited in this application.
Alternatively, in addition to users that belong to an organization, there may be users that do not belong to any organization; such users may also be referred to as independent users. An independent user can access the edge node of any organization so that the client to which the user belongs can use that edge node for secure processing of instant messages. The client of an independent user may select the edge node by proximity (according to physical distance), at random, or by designation. For example, in fig. 1, user 1053 is an independent user and client 1043 is the client to which user 1053 belongs; client 1043 may select edge node 1031 of organization 1, where the user with whom the message is exchanged is located, to transmit the instant message.
Because the instant message service is deployed in the data center, the message data of an instant message needs to be transmitted across the local area network and the public network, and the message data is also stored in the data center. According to the differing data security requirements of different organizations, organizations, users and instant messages can be divided into categories by sensitivity in at least one of the following ways.
In the first mode, organizations are divided into sensitive organizations and common organizations according to their different sensitivities.
A sensitive organization needs to protect the message data of instant messages sent by its users and does not store that message data in the data center. For example, an organization that works on core critical technologies may be classified as a sensitive organization. Organizations other than sensitive organizations may all be referred to as common organizations. For a common organization, the message data of the instant messages sent by its users does not need to be protected.
In the second mode, users are divided into sensitive users and common users according to the sensitivity of the user.
Sensitive users are classified into different security levels according to the attributes of the user; users with a high security level may be involved in sending and receiving sensitive data. For example, users who hold core business information may be classified as sensitive users. The attributes of a user include the user's position in the organization, the nature of the work (for example, whether core technology is involved) and other information that identifies characteristics of the user. Users other than sensitive users may all be referred to as common users.
In the third mode, instant messages are divided into sensitive instant messages and common instant messages according to the message data of the instant message.
That is, if the message data contains sensitive content, for example a sensitive field such as "password", "account number" or "customer identity information", or the message data is in a preset format (for example, a picture), the instant message carrying that message data is a sensitive instant message. Message data other than sensitive message data may be referred to as common message data. In a specific implementation, the sensitive content may be configured in advance by each organization or by maintenance staff through a management node of the data center and sent to the edge node, so that the edge node can identify the sensitivity of an instant message according to the preset sensitive fields or preset formats and then complete the transmission of the instant message according to its sensitivity.
The classification mode of the organization and the user is only an example, and in the specific implementation process, the classification mode and the classification rule can be further refined according to the service requirement, and the transmission of the instant message can be executed according to the classification result.
It should be noted that the instant messaging system architecture shown in fig. 1 is only an example of the system architecture provided for better explaining the instant messaging method provided in the present application, and does not constitute a limitation to the embodiments of the present application.
The application provides an instant message communication method, after an instant message service is migrated to a data center to be uniformly deployed, an edge node is introduced, instant messages sent by users are divided into message data and instruction data by the edge node, and transmission processing of the instant messages is executed according to the sensitivity of enterprise organizations sending the messages, or the sensitivity of the users sending the messages, or the sensitivity of the instant messages, and a preset rule, so that the safety in the transmission process of the instant messages is improved.
Next, based on the system shown in fig. 1, the instant messaging method provided in the present application will be further described in detail with reference to fig. 2. Fig. 2 is a schematic flow chart of an instant message communication method provided in the present application, which further introduces the technical solution to be protected by the present application by taking an example that a first client sends an instant message to a second client, and a first client home subscriber sends an instant message to a second client home subscriber. The method comprises two stages of initialization and message transmission, and as shown in the figure, the specific method comprises the following steps:
s201, the first client sends user information to the data center.
S202, the data center sends the user identification and the token to the first client.
Before a user transmits an instant message by using a client, the initialization process of the user in a data center, including user login and edge node configuration, needs to be completed. The user login process is described in steps S201 to S202, and the edge node configuration is described in steps S203 to S204.
Each user can send user information to the data center 101 through the client where the user is located, so that login operation of the user in the instant message service is completed, the data center 101 can allocate a unique user identifier for the user, and the user information of the user is stored. The user identification is a number generated by the data center 101 for each user according to the user login order or user information, and is usually composed of numbers and/or letters, such as 00001 or SZ 000001. The data center 101 may also generate a token (token) for the user, and return the token to the corresponding client, so that the identity of the user is verified by using the token in the subsequent instant message transmission process. Optionally, the data center 101 may also generate a token for each user periodically, so as to improve the security of user identity verification. The token may also be referred to as an authentication identity. Alternatively, the data center may verify the user identity using other forms in addition to using the token.
The user information includes, but is not limited to, one or more of the following data: user name, user nickname, user account, user password, job name of user and organization name of user. In the embodiment of the application, the client can provide a login interface for a user, and the user can input user information through an input box of the login interface so as to log in the data center.
Optionally, in the process of user login, in addition to the user sending user information to the data center through the client to log in, the login process may also be that the first client sends the contact information (for example, a mobile phone number or a mailbox) of the user to the data center, the data center sends the verification code to the first client, and then the user inputs the verification code through the client to verify the data center, so that the risk that others impersonate the target user to operate is reduced, and the communication safety is improved.
S203, the first client sends an edge node configuration command to the data center.
S204, the data center returns the edge node address to the first client.
After the user logs in the instant message service through the client, the data center also needs to configure an edge node for the client to transmit and store the instant message sent by the client. According to different user types, the configuration method can adopt any one of the following methods:
the method comprises the following steps: when the first client-side home user has a home organization, the data center directly searches the edge node deployed in the organization according to the name of the organization to which the user belongs, and returns the Internet Protocol (IP) address of the edge node to the first client-side.
Method two: when the home user of the first client is an independent user, the data center can select a nearby edge node to transmit the user's instant messages. Specifically, the client sends a configuration command to the data center; the data center obtains the geographic position of the client, selects the edge node closest to the first client according to that position to transmit the user's instant messages, and sends the IP address of the selected edge node to the first client.
Optionally, the user may also configure the edge node in a random manner; the specific steps are: the user sends a random selection command to the data center through the client, the data center randomly selects an edge node as the user's edge node, and the IP address of the selected edge node is sent to the first client.
Optionally, the client may not configure the edge node, and at this time, the first client directly sends the instant message to the data center, and the data center completes the transmission process of the instant message.
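The initialization stage of steps S201 to S204, written out as an added illustration that is not the patent's own code: the data center stand-in allocates a user identifier and token at login, and then configures an edge node by organization, by proximity, or at random (edge node addresses, coordinates and the `DataCenterInit`, `EdgeNodeInfo` names are constructed assumptions).

```python
import random
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class EdgeNodeInfo:
    ip: str
    org: Optional[str]       # None for an edge node that serves no particular organization
    location: tuple          # (latitude, longitude) known to the data center (assumed)


@dataclass
class DataCenterInit:
    """Stand-in for the data center during the initialization stage."""
    edge_nodes: list
    users: dict = field(default_factory=dict)    # user_id -> user information (S201)
    tokens: dict = field(default_factory=dict)   # user_id -> current token (S202)
    seq: int = 0                                 # login order, used to build the user id

    def login(self, user_info):
        """S201/S202: store the user information, allocate a unique user id and a token."""
        self.seq += 1
        user_id = f"SZ{self.seq:06d}"            # id format follows the page's example 'SZ 000001'
        self.users[user_id] = dict(user_info)
        self.tokens[user_id] = secrets.token_urlsafe(32)   # unguessable; rotated by refresh_tokens
        return user_id, self.tokens[user_id]

    def refresh_tokens(self):
        """Optional periodic re-issue of every user's token."""
        for user_id in self.tokens:
            self.tokens[user_id] = secrets.token_urlsafe(32)

    def configure_edge(self, user_id, mode="auto", client_location=None):
        """S203/S204: return the IP address of the edge node assigned to the client, or None."""
        org = self.users[user_id].get("organization")
        if mode == "auto" and org is not None:
            # Method one: the user belongs to an organization, so use that organization's node.
            return next((n.ip for n in self.edge_nodes if n.org == org), None)
        if mode == "auto":
            # Method two: independent user, pick the geographically nearest node
            # (squared coordinate difference is enough for this illustration).
            if client_location is None:
                return None
            lat, lon = client_location
            nearest = min(self.edge_nodes,
                          key=lambda n: (n.location[0] - lat) ** 2 + (n.location[1] - lon) ** 2)
            return nearest.ip
        if mode == "random":
            # Optional random selection requested by the client.
            return random.choice(self.edge_nodes).ip
        # No edge node configured: the client sends instant messages to the data center directly.
        return None


# Constructed sample deployment: two organization edge nodes and one shared node.
SAMPLE_EDGE_NODES = [
    EdgeNodeInfo("10.0.1.5", "org-1", (22.5, 114.0)),
    EdgeNodeInfo("10.0.2.5", "org-2", (31.2, 121.5)),
    EdgeNodeInfo("10.0.9.5", None, (39.9, 116.4)),
]
```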
Through the above operations the initialization stage of the instant message service is completed. The user can then use the client to transmit and store instant messages through the edge node matched to the client; this process may also be referred to as the message transmission stage and specifically includes:
s205, the edge node acquires the instant message sent by the first client.
The client may be any one of the clients in fig. 1, for example, any one of the clients 1041 and 1045.
Optionally, the instant message may further include a user identifier and/or an organization name, and the edge node may determine the sensitivity of the instant message according to whether the user identifier and/or the organization name exists in the attribute tags, as described in step S206.
Optionally, the instant message may further include a message index (index), which identifies the order in which the first client sent the message. Specifically, when the client sends an instant message, the data center generates a message index associated with that message, indicating the order of the instant messages sent by the client; in the message receiving process, the client that receives the instant message can obtain the corresponding message data from the edge node through the message index.
In addition, the user can send an instant message to another client through the first client, so that the home users of the two clients communicate by instant message. The home user of the first client may also send instant messages to the home users of multiple clients at the same time, in which case the home user of the first client communicates with the home users of the other clients through instant messages.
S206, the edge node identifies the sensitivity of the instant message and transmits the instant message according to the sensitivity.
The edge node may preset an attribute tag list, where an attribute tag identifies at least one of the home user of a client and the organization in which that home user is located. The edge node can judge the sensitivity of the instant message according to the attribute tags and the user identifier and/or organization name carried in the instant message.
In a specific implementation, the preset attribute tag list may be set by maintenance staff according to requirements during the enterprise planning stage, or may be a sensitivity specified in advance by a user. In addition, the preset attribute tag list may be adjusted dynamically according to business requirements, for example according to the sensitivity of an enterprise or a user: a sensitive field, a preset format, a user identifier or an organization name in the preset attribute tags may be added, deleted or changed.
For example, table 1 and table 2 are preset attribute tag lists provided in this embodiment of the present application; as the tables show, at least one of a user identifier and an organization name may be used to indicate the sensitivity of an instant message. When the user identifier and/or organization name included in the instant message exists in the preset attribute tag list, the sensitivity of the instant message is valid, and the edge node stores the message data of the instant message sent by the user at the edge node. When the user identifier and/or organization name included in the instant message does not exist in the preset attribute tag list, the sensitivity of the instant message is invalid, and the edge node uploads the message data of the instant message sent by the user to the data center. In this example, two preset attribute tag lists, preset attribute tag list 1 and preset attribute tag list 2, are stored in the edge node: preset attribute tag list 1 records user identifiers that are sensitive, and preset attribute tag list 2 records organization names that are sensitive. That is, when the instant message carries the user identifier 00001, or the organization name Enterprise 1 or Enterprise 2, the sensitivity of the instant message is valid, and the edge node further divides the instant message into message data and instruction data and stores the message data at the edge node.
Table 1: preset attribute tag list 1
User identifier
00001
00002
00005
00010
00021

Table 2: preset attribute tag list 2
Organization name
Enterprise 1
Enterprise 2
Optionally, in addition to the preset attribute tag lists shown in tables 1 and 2, the edge node may also preset a list of sensitive fields or preset formats for identifying the sensitivity of an instant message sent by the home user of the first client, where the sensitive fields include "password", "account", "phone" and other fields related to the user's personal sensitive information, and the preset formats include at least one of picture, audio and video.
The edge node can also search the instant message and transmit it according to the search result. Specifically, when either a sensitive field or a sensitive format exists in the instant message, the sensitivity of the instant message is valid: the edge node further divides the instant message into message data and instruction data, stores the message data at the edge node, performs identity authentication with the data center using the instruction data, and completes the transmission of the message data. When neither a sensitive field nor a sensitive format exists in the instant message, the sensitivity of the instant message is invalid: the edge node sends the instant message to the data center, and the data center completes its transmission.
As a possible implementation, if the instant message includes both a user identifier and an organization name, the sensitivity of the instant message is considered valid as long as either one of them exists in the preset attribute tag list.
The following explains in detail how the edge node transmits the instant message according to its sensitivity:
S2061, the edge node transmits the instant message to the second client according to the preset rule.
The second client is the receiving end of the instant message, and the edge node transmits the instant message to it according to a preset rule. The preset rule means that the edge node completes the transmission of the instant message differently according to the sensitivity given by the preset attribute tags, and specifically covers the following two cases:
Case one: when the sensitivity of the instant message is valid, the edge node stores the message data of the instant message at the edge node.
Case two: when the sensitivity of the instant message is invalid, the edge node sends the instant message to the data center.
In case two, the instant message can be sent directly to the data center, and the data center completes its transmission.
Optionally, in case two, in order to further improve the security of the transmission process, the edge node may also divide the instant message into message data and instruction data, store the message data at the edge node, authenticate the first client using the instruction data, and then complete the transmission of the instant message according to the processing flow used when the sensitivity is valid.
In case one, when the edge node transmits the instant message to the second client, it further needs to authenticate the first client using the instruction data in the instant message. The specific process is: the edge node sends the token carried by the first client to the data center; the data center verifies the validity of the token and returns the verification result to the edge node; after the first client has been authenticated successfully, the edge node may continue to transmit the instant message to the second client. In detail:
S20611, the data center notifies the second client to receive the instant message.
Optionally, the data center may also send a message index generated by the data center for the instant message to the second client.
Optionally, the data center may also send the IP address of the edge node to the second client.
S20612, the second client sends the message index to the edge node to request the corresponding message data, carrying the authentication identifier of the second client's home user.
S20613, the edge node verifies the security of the second client according to the authentication identifier of the second client's home user.
The process by which the edge node verifies the security of the second client is similar to that for the first client: the authentication identifier (for example, a token) of the second client's home user is sent to the data center for verification, which is not described again here for brevity.
S20614, after the second client has been authenticated successfully, the edge node sends the message data to the second client.
According to the process described above, an edge node is added in the local area network; the edge node identifies the sensitivity of instant messages and completes their transmission differently according to that sensitivity, so that the message data of instant messages whose sensitivity is valid is stored only at the edge node. This avoids the security risk of storing sensitive data in a data center and improves the security of the data processing process. Furthermore, because the edge node divides the instant message into message data and instruction data, sensitive data can be stored directly at the edge node and the message data is never transmitted to the data center, which reduces the risk that sensitive data is intercepted during network transmission and brute-forced, and so also protects the instant message service during transmission.
As a possible implementation manner, in addition to transmitting the instant message according to the process of the above steps S20611 to S20614, the edge node may also determine the IP address of the second client according to the identifier of the second client carried in the instant message, and then transmit the instant message through the IP address of the second client. Specifically, the edge node may send a request for querying the second client to the data center, where the request carries an identifier of the second client, and the data center may return an IP address of the second client to the edge node according to the identifier of the second client, so as to implement a process in which the edge node transmits the instant message to the second client according to the IP address of the second client.
As a possible implementation, the present application further provides a Graphical User Interface (GUI), whose program may be deployed in an edge node and/or a data center. It provides maintenance personnel with a visual interface for adding or updating organizations, users, sensitive content and preset formats, and maintenance personnel may view and modify the preset attribute tags through the GUI. Optionally, the visual interface may also present the sensitivity identification result of each instant message by its index identifier, including whether the sensitivity of the instant message associated with each index identifier is valid and where that instant message is stored.
Next, the technical solution to be protected in the present application is further explained in three scenarios with reference to the system shown in fig. 1.
Scenario one: instant messaging between two users belonging to the same organization.
In this scenario, the edge node, the first client and the second client belong to the same organization. The communication flow between the two users is similar to the flow shown in fig. 2: during transmission, the edge node in the organization identifies the sensitivity of the instant message and transmits it according to that sensitivity, which is not described again here for brevity.
Scenario two: instant messaging between two users belonging to different organizations.
In this scenario, one edge node may be deployed per organization. For example, the first client and a first edge node belong to one organization, and the second client and a second edge node belong to another organization. Alternatively, an edge node may be deployed in only one of the organizations, and that edge node implements the instant messaging between the first client and the second client.
When the first edge node and the second edge node are deployed in different organizations, the process by which the first edge node transmits the instant message to the second client specifically includes:
Step 1: the first edge node sends the message index to the data center.
Step 2: the data center sends the message index to the second edge node.
Step 3: the second edge node sends the message index to the second client.
Step 4: the second client sends a request for the message data to the second edge node, where the request carries the message index and the authentication identifier of the second client.
Step 5: the second edge node verifies the security of the second client with the data center according to the authentication identifier of the second client.
Step 6: after the second client passes authentication, the second edge node sends the message index to the first edge node.
Step 7: the first edge node sends the message data of the instant message to the second edge node according to the message index.
Through this process, the first client and the second client each complete identity authentication and transmission of the instant message through the edge node matched to them, and message data involving sensitive information is neither transmitted to nor stored in the data center, which ensures the security of the transmission and storage of instant message data.
Scenario three: instant messaging between a user belonging to an organization and an independent user.
In this scenario there are two edge nodes: one deployed in the organization to which the first client belongs, and one configured by the data center for the independent user. When the two happen to be the same node, the communication flow between the two users is identical to that of scenario one; when they are different nodes, the communication flow is identical to that of scenario two, and the details are not repeated here.
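As an added example, not code from the patent or its assignee, the following Python simulation works through the edge-node flow of steps S206 to S20614 above (sensitivity check, split into message data and instruction data, token check with the data center, index-based fetch by the second client) and, through the `origin` parameter of `fetch`, the pull between two edge nodes in steps 4 to 7 of scenario two. All class names, message fields, the token format, the addresses and the sample messages are constructed; the sensitive-format names follow the picture/audio/video list in the description.

```python
from dataclasses import dataclass
from typing import Optional

# Preset attribute tag lists, mirroring Table 1 and Table 2 of the description.
PRESET_USER_TAGS = {"00001", "00002", "00005", "00010", "00021"}
PRESET_ORG_TAGS = {"Enterprise 1", "Enterprise 2"}
SENSITIVE_FIELDS = ("password", "account", "phone")  # matched case-insensitively
SENSITIVE_FORMATS = {"picture", "audio", "video"}    # the preset formats


@dataclass
class InstantMessage:
    sender_id: str            # globally unique user identifier
    org_name: Optional[str]   # None for an independent user
    receiver_id: str
    fmt: str                  # "text", "picture", "audio" or "video"
    body: str
    token: str                # sender's authentication identifier (instruction data)


def sensitivity_valid(msg: InstantMessage) -> bool:
    """S206: one match (user tag, organization tag, sensitive field or preset format) suffices."""
    if msg.sender_id in PRESET_USER_TAGS or msg.org_name in PRESET_ORG_TAGS:
        return True
    if msg.fmt in SENSITIVE_FORMATS:
        return True
    lowered = msg.body.lower()
    return any(word in lowered for word in SENSITIVE_FIELDS)


class DataCenter:
    """Issues/verifies tokens, allocates indexes, relays notices, stores only non-sensitive data."""

    def __init__(self) -> None:
        self.tokens: dict[str, str] = {}               # token -> user id
        self.plain_store: dict[int, dict] = {}         # index -> non-sensitive message data
        self.notices: list[tuple[str, int, str]] = []  # (receiver, index, where to fetch)
        self._next_index = 0

    def login(self, user_id: str) -> str:
        token = f"tok-{user_id}"  # constructed; a real service issues a random token
        self.tokens[token] = user_id
        return token

    def verify(self, token: str, claimed_user: str) -> bool:
        return self.tokens.get(token) == claimed_user

    def new_index(self) -> int:
        self._next_index += 1
        return self._next_index

    def notify(self, receiver_id: str, index: int, source: str) -> None:
        """S20611 (and scenario two, steps 1-3): tell the receiver which index to fetch."""
        self.notices.append((receiver_id, index, source))


class EdgeNode:
    def __init__(self, addr: str, dc: DataCenter) -> None:
        self.addr, self.dc = addr, dc
        self.store: dict[int, dict] = {}  # sensitive message data stays here

    def handle(self, msg: InstantMessage) -> str:
        """S2061: route by sensitivity; returns where the message data was stored."""
        message_data = {"format": msg.fmt, "body": msg.body}
        instruction_data = {"sender": msg.sender_id, "token": msg.token}
        index = self.dc.new_index()
        if not sensitivity_valid(msg):
            # Case two: the data center stores and delivers the message itself.
            self.dc.plain_store[index] = message_data
            self.dc.notify(msg.receiver_id, index, "data-center")
            return "data-center"
        # Case one: only the instruction data reaches the data center, to authenticate
        # the first client; the message data never leaves the edge node.
        if not self.dc.verify(instruction_data["token"], instruction_data["sender"]):
            raise PermissionError("first client authentication failed")
        self.store[index] = message_data
        self.dc.notify(msg.receiver_id, index, self.addr)
        return self.addr

    def fetch(self, index: int, receiver_id: str, token: str,
              origin: Optional["EdgeNode"] = None) -> dict:
        """S20612-S20614: the receiver presents the index and its own token, which is
        checked with the data center before the data is released.  With `origin` set,
        this is the second edge node of scenario two pulling from the first edge node."""
        if not self.dc.verify(token, receiver_id):
            raise PermissionError("second client authentication failed")
        return (origin or self).store[index]


def demo() -> tuple[str, str, dict]:
    """Constructed walk-through: a tagged user sends a sensitive message, an
    independent user sends a plain one, and the receiver fetches the first."""
    dc = DataCenter()
    edge = EdgeNode("10.0.0.5", dc)  # constructed edge-node address
    t1, t2 = dc.login("00001"), dc.login("00042")
    sensitive = InstantMessage("00001", "Enterprise 1", "00042", "text",
                               "password reset link attached", t1)
    plain = InstantMessage("00042", None, "00001", "text", "lunch at noon?", t2)
    where_sensitive, where_plain = edge.handle(sensitive), edge.handle(plain)
    receiver, index, _ = dc.notices[0]
    return where_sensitive, where_plain, edge.fetch(index, receiver, t2)
```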
In summary, the instant message communication method provided in the embodiment of the present application may deploy edge nodes in an organization, where the edge nodes identify the sensitivity of an instant message through at least one of three dimensions of a user, the organization, and message data in the instant message, store the message data of a sensitive user, a sensitive organization, and a sensitive instant message in the edge nodes, and upload other message data to a data center for storage. In the message interaction process of the client and the data center, the data center does not relate to receiving and processing sensitive content, leakage of message data in the process of transmitting the message data to the data center and instability caused by storing the message data in the data center are effectively prevented, and the safety of the whole communication process is improved.
It should be noted that, for simplicity of description, the above method embodiments are described as a series of acts or combination of acts, but those skilled in the art should understand that the present application is not limited by the order of acts or combination of acts described.
Other reasonable combinations of steps that can be conceived by one skilled in the art from the above description are also within the scope of the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
The instant message transmission method provided by the embodiment of the present application is described in detail above with reference to fig. 1 and fig. 2, and the instant message transmission apparatus and the computer device provided by the embodiment of the present application will be further described below with reference to fig. 3 and fig. 4.
Fig. 3 is a schematic diagram of an instant message transmission apparatus 300 provided in the present application, which includes an obtaining unit 310, a processing unit 320, and a transmitting unit 330.
The obtaining unit 310 is configured to obtain an instant message sent by a first client.
The processing unit 320 is configured to divide the instant message acquired by the obtaining unit 310 into message data and signaling data (the instruction data described above), where the message data indicates the content transmitted from the first client to the second client, and the signaling data is used to verify the security of the home user of the first client.
The transmitting unit 330 is configured to transmit the instant message to the second client according to a preset rule.
It should be understood that the transmission apparatus 300 according to the embodiment of the present application may be implemented by an application-specific integrated circuit (ASIC) or a programmable logic device (PLD), where the PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof. When the instant message transmission method shown in fig. 2 is implemented by software, the transmission apparatus 300 and its modules may also be software modules.
Optionally, the processing unit 320 is further configured to preset an attribute tag list, where an attribute tag identifies the sensitivity of at least one of the first client home subscriber and the organization in which the first client home subscriber is located.
Optionally, when the attribute tag identifies the sensitivity of the first client home subscriber, the transmitting unit 330 is further configured to store the message data of the instant message at the edge node when the preset attribute tag includes the user identifier of the first client home subscriber, and to upload the message data of the instant message to a data center when the user identifier of the first client home subscriber does not exist in the preset attribute tag; the user identifier globally and uniquely identifies one user.
Optionally, when the attribute tag identifies the sensitivity of the organization in which the first client home subscriber is located, the transmitting unit 330 is further configured to store the message data of the instant message at the edge node when the preset attribute tag includes the identifier of that organization, and to upload the message data of the instant message to a data center for storage when the preset attribute tag does not include the identifier of that organization.
Optionally, the processing unit 320 is further configured to check whether the message data includes a sensitive field and/or a preset format, where the preset format includes at least one of text, video and voice, and to transmit the instant message according to the result of the check.
Optionally, the processing unit 320 is further configured to identify the instant message as a sensitive instant message when the message data has a sensitive field and/or format, in which case the transmitting unit 330 is further configured to store the message data of the instant message at the edge node; and
the processing unit 320 is further configured to identify the instant message as a general instant message when the message data does not have a sensitive field and/or format, in which case the transmitting unit 330 is further configured to upload the message data of the instant message to a data center for storage.
Optionally, the transmitting apparatus 300 further includes a storage unit 340, configured to store the message data in a memory of the edge node, and periodically clean up the data stored in the memory.
Optionally, the obtaining unit 310 is further configured to, before obtaining the message data sent by the first client, obtain a message index of the first client, where the message index identifies the order of the messages sent by the first client;
and the transmitting unit 330 is further configured to send the message index to the data center, instructing the data center to send the message index to the second client, and, on receiving the message index from the second client, to send the message data to the second client.
Optionally, the processing unit 320 is further configured to send the instruction data to the data center before the instant message is transmitted to the second client according to the preset rule, and to receive the data center's authentication result for the first client; when the authentication result for the first client is success, the transmitting unit 330 sends the instant message to the second client according to the preset rule.
The transmission apparatus 300 according to the embodiment of the present application may correspond to performing the method described in the embodiment of the present application, and the above and other operations and/or functions of each unit in the transmission apparatus 300 are respectively for implementing corresponding flows of each method in fig. 2, and are not described herein again for brevity.
In summary, in the transmission apparatus 300 provided in this embodiment of the present application, the processing unit identifies, across several dimensions, instant messages sent by sensitive users or by users belonging to sensitive organizations, and instant messages whose message data contains sensitive content, and stores the identified instant messages in the storage unit. This reduces the risk of leakage of sensitive information inside an organization, strengthens the security of the whole communication process and of the message data, and is applicable to scenarios of communication inside an organization that handles sensitive information or communication with external organizations.
Fig. 4 is a schematic diagram of a computer device 400 according to an embodiment of the present application; as shown in the figure, the computer device 400 includes a processor 401, a memory 402, a communication interface 403, a bus 404 and a memory 405. The processor 401, the memory 402, the communication interface 403 and the memory 405 may communicate via the bus 404, or by other means such as wireless transmission. The memory 405 stores computer-executable instructions, and the processor 401 executes the computer-executable instructions stored in the memory 405 to perform the following operation steps:
acquiring an instant message sent by a first client;
dividing the instant message into message data and signaling data, wherein the message data is used for indicating the content transmitted from the first client to the second client, and the signaling data is used for verifying the security of the home subscriber of the first client;
and transmitting the instant message to the second client according to a preset rule.
It should be understood that, in the embodiment of the present application, the processor 401 may be a CPU, and the processor 401 may also be other general purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like. A general purpose processor may be a microprocessor or any conventional processor or the like.
The memory 402 may include both read-only memory and random access memory, and provides instructions and data to the processor 401. The memory 402 may also include non-volatile random access memory. For example, the memory 402 may also store device type information.
The memory 402 may be volatile memory or non-volatile memory, or may include both. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), or a flash memory. The volatile memory may be random access memory (RAM), which acts as an external cache. By way of example and not limitation, many forms of RAM are available, such as static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous DRAM (ESDRAM), synchronous link DRAM (SLDRAM), and direct Rambus RAM (DR RAM).
The bus 404 may include a power bus, a control bus, a status signal bus and the like in addition to a data bus; for clarity, however, the various buses are all labeled as bus 404 in the figure.
It should be understood that the computer device 400 according to the embodiment of the present application may correspond to the transmission apparatus 300 in the embodiment of the present application, and to the corresponding entity executing the method 200 shown in fig. 2; the above and other operations and/or functions of each module in the computer device 400 implement the corresponding flows of the methods in fig. 2 and are not described again here for brevity.
In summary, the computer device provided in the embodiment of the present application divides the instant message into message data and message signaling according to the sensitivity of the instant message, and stores the message data of an instant message whose sensitivity is valid at the edge node, so that the transmission and storage of such messages always remain within the organization's local area network. This reduces the risk of leakage that would arise from transmitting the message data of a sensitive instant message to the data center, and improves security during instant message transmission.
The present application further provides an instant message transmission system comprising the edge node and the data center, which respectively implement the operation steps performed by the corresponding entity in the method described for the transmission apparatus or the computer device. With this instant message transmission system, the edge node is deployed inside the organization and the message data of the instant message sent by the first client is stored at the edge node, which improves the security of instant message transmission and storage between the first client and the second client.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions; when the computer instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored on a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example from one website, computer, server or data center to another website, computer, server or data center by wire (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that contains one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. The semiconductor medium may be a solid state drive (SSD).
The foregoing is only illustrative of the present application. Those skilled in the art can conceive of changes or substitutions based on the specific embodiments provided in the present application, and all such changes or substitutions are intended to be included within the scope of the present application.

Claims (20)

1. A method for transmitting an instant message, the method comprising:
an edge node obtains an instant message sent by a first client;
the edge node divides the instant message into message data and signaling data, wherein the message data is used for indicating the content transmitted from the first client to the second client, and the signaling data is used for verifying the security of the home subscriber of the first client;
and the edge node transmits the instant message to the second client according to a preset rule.
2. The method of claim 1, wherein the edge node presets a list of attribute tags that identify at least one of a sensitivity of the first client home subscriber and an organization in which the first client home subscriber is located.
3. The method according to claim 1 or 2, wherein when the attribute tag is used to identify the sensitivity of the first client home subscriber, the transmitting of the instant message according to the preset rule comprises:
when the user identifier of the first client home subscriber exists in the preset attribute tag, the edge node stores the message data of the instant message at the edge node;
when the user identifier of the first client home subscriber does not exist in the preset attribute tag, the edge node uploads the message data of the instant message to a data center;
wherein the user identifier globally and uniquely identifies one user.
4. The method according to claim 1 or 2, wherein when the attribute tag is used to identify the sensitivity of the organization in which the first client home subscriber is located, the transmitting of the instant message according to the preset rule comprises:
when the identifier of the organization in which the first client home subscriber is located exists in the preset attribute tag, the edge node stores the message data of the instant message at the edge node;
and when the identifier of the organization in which the first client home subscriber is located does not exist in the preset attribute tag, the edge node uploads the message data of the instant message to a data center for storage.
5. The method of claim 1, wherein performing the transmission of the instant message according to the preset rule comprises:
retrieving whether the message data comprises a sensitive field and/or a preset format, wherein the preset format comprises at least one of text, video and voice;
and performing the transmission of the instant message according to the retrieval result.
6. The method of claim 5, wherein performing the transmission of the instant message according to the retrieval result comprises:
when the message data contains a sensitive field and/or a sensitive format, the edge node identifies the instant message as a sensitive instant message and stores the message data of the instant message on the edge node;
when the message data contains no sensitive field and/or format, the edge node identifies the instant message as a common instant message and uploads the message data of the instant message to a data center for storage.
7. The method according to any one of claims 1-6, wherein the edge node stores the message data in a memory of the edge node and periodically clears the data stored in the memory.
8. The method according to any one of claims 1-7, wherein, before the edge node acquires the message data sent by the first client, the method further comprises:
the edge node acquiring a message index of the first client, the message index being an identifier indicating the order of the instant messages sent by the first client;
and wherein the edge node transmitting the instant message to the second client according to the preset rule comprises:
the edge node sending the message index to the data center to instruct the data center to send the message index to the second client;
and the edge node receiving the message index sent by the second client and sending the message data to the second client.
9. The method according to any one of claims 1-8, wherein, before the edge node transmits the instant message to the second client according to the preset rule, the method further comprises:
the edge node sending the signaling data to the data center;
the edge node receiving the result of the data center's identity authentication of the first client;
and, when the identity authentication of the first client succeeds, sending the instant message to the second client according to the preset rule.
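As an added example (not code from the patent or its applicant), a Python sketch of the edge-node routing described in claims 2-9: the preset attribute tag list (user and organization identifiers), the sensitive-field and preset-format check, storage in edge memory with periodic cleanup, and the authentication gate before forwarding. All tag values, field names and messages are constructed samples, and the data center's authentication result is reduced to a boolean `auth_ok` passed in by the caller.

```python
from dataclasses import dataclass

# Preset attribute tags (claims 2-4) and sensitive fields/formats (claim 5);
# all values below are constructed samples, not from the patent.
SENSITIVE_USERS = {"user-0007"}
SENSITIVE_ORGS = {"org-legal"}
SENSITIVE_FIELDS = ("id_number", "bank_card")
SENSITIVE_FORMATS = {"video", "voice"}

@dataclass
class InstantMessage:
    user_id: str       # globally unique sender identifier (claim 3)
    org_id: str        # organization the sender belongs to (claim 4)
    fmt: str           # "text", "video" or "voice"
    message_data: str  # content carried from the first to the second client

def classify(msg: InstantMessage) -> str:
    """Return 'sensitive' (keep on the edge node) or 'common' (upload to data center)."""
    if msg.user_id in SENSITIVE_USERS or msg.org_id in SENSITIVE_ORGS:
        return "sensitive"
    if msg.fmt in SENSITIVE_FORMATS:
        return "sensitive"
    if any(f in msg.message_data.lower() for f in SENSITIVE_FIELDS):
        return "sensitive"
    return "common"

class EdgeNode:
    def __init__(self, retention_s: float):
        self.retention_s = retention_s
        self.memory = {}     # message index -> (stored_at, message_data)
        self.uploaded = []   # message indexes handed to the data center
        self.next_index = 0  # simplified: one sequence counter per node

    def handle(self, msg: InstantMessage, auth_ok: bool, now: float) -> str:
        # Claim 9: forward only after the data center authenticates the sender.
        if not auth_ok:
            return "rejected"
        index = self.next_index  # claim 8: sequence identifier for this message
        self.next_index += 1
        if classify(msg) == "sensitive":
            self.memory[index] = (now, msg.message_data)
            return "edge"
        self.uploaded.append(index)
        return "datacenter"

    def clean(self, now: float) -> int:
        """Claim 7: purge entries older than the retention window; return count removed."""
        expired = [i for i, (t, _) in self.memory.items() if now - t > self.retention_s]
        for i in expired:
            del self.memory[i]
        return len(expired)
```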
10. An instant message transmission apparatus, characterized in that the apparatus comprises an acquisition unit, a processing unit and a transmission unit, wherein:
the acquisition unit is configured to acquire an instant message sent by a first client;
the processing unit is configured to divide the instant message acquired by the acquisition unit into message data and signaling data, the message data indicating the content transmitted from the first client to a second client, and the signaling data being used to verify the security of the first client's home user;
and the transmission unit is configured to transmit the instant message to the second client according to a preset rule.
11. The apparatus of claim 10, wherein
the processing unit is further configured to preset an attribute tag list, the attribute tags identifying at least one of a sensitivity of the first client's home user and a sensitivity of the organization to which the first client's home user belongs.
12. The apparatus according to claim 10 or 11, wherein, when the attribute tag is used to identify the sensitivity of the first client's home user,
the transmission unit is further configured to store the message data of the instant message on the edge node when the user identifier of the first client's home user is present in the preset attribute tag list, and to upload the message data of the instant message to a data center when the user identifier of the first client's home user is not present in the preset attribute tag list; wherein the user identifier globally and uniquely identifies one user.
13. The apparatus according to claim 10 or 11, wherein, when the attribute tag is used to identify the sensitivity of the organization to which the first client's home user belongs,
the transmission unit is further configured to store the message data of the instant message on the edge node when the identifier of the organization to which the first client's home user belongs is present in the preset attribute tag list, and to upload the message data of the instant message to a data center for storage when that identifier is not present in the preset attribute tag list.
14. The apparatus of claim 10, wherein
the processing unit is further configured to retrieve whether the message data comprises a sensitive field and/or a preset format, the preset format comprising at least one of text, video and voice, and to perform the transmission of the instant message according to the retrieval result.
15. The apparatus of claim 14, wherein
the processing unit is further configured to identify the instant message as a sensitive instant message when the retrieval finds a sensitive field and/or format in the message data, and to identify the instant message as a common instant message when no sensitive field and/or format is present in the message data;
and the transmission unit is further configured to store the message data of the instant message on the edge node when the processing unit identifies the instant message as a sensitive instant message, and to upload the message data of the instant message to a data center for storage when the processing unit identifies the instant message as a common instant message.
16. The apparatus according to any one of claims 10-15, wherein the apparatus further comprises:
a storage unit configured to store the message data in a memory of the edge node and to periodically clear the data stored in the memory.
17. The apparatus according to any one of claims 10-16, wherein
the acquisition unit is further configured to acquire a message index of the first client before acquiring the message data sent by the first client, the message index being an identifier indicating the order of the messages sent by the first client;
and the transmission unit is further configured to send the message index to the data center to instruct the data center to send the message index to the second client, and to receive the message index sent by the second client and send the message data to the second client.
18. The apparatus according to any one of claims 10-17, wherein
the processing unit is further configured to send the signaling data to the data center before the instant message is transmitted to the second client according to the preset rule, and to receive the result of the data center's identity authentication of the first client; and when the identity authentication of the first client succeeds, the transmission unit sends the instant message to the second client according to the preset rule.
19. A computer device comprising a processor and a memory, the memory being configured to store computer-executable instructions, the processor executing the computer-executable instructions in the memory to cause the computer device to perform the operational steps of the method of any one of claims 1-9.
20. A computer-readable storage medium comprising instructions which, when executed on a computer, cause the computer to perform the operational steps of the method of any one of claims 1 to 9.
CN202011073785.7A 2020-10-09 2020-10-09 Instant message transmission method and device and computer equipment Pending CN114422459A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011073785.7A CN114422459A (en) 2020-10-09 2020-10-09 Instant message transmission method and device and computer equipment


Publications (1)

Publication Number Publication Date
CN114422459A true CN114422459A (en) 2022-04-29

Family

ID=81260399




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination