CN114531266A - Power distribution network data protection system and method based on intermediate database - Google Patents
- Publication number: CN114531266A
- Application number: CN202111466412.0A
- Authority
- CN
- China
- Prior art keywords
- server
- database server
- database
- terminal
- power distribution
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H04L63/0478 — Network security; confidential data exchange over packet networks with the payload protected by encryption or encapsulation; applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
- H04L63/0236 — Network security; separating internal from external traffic, e.g. firewalls; filtering policies; filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/0281 — Network security; separating internal from external traffic, e.g. firewalls; proxies
- H04L63/0435 — Network security; confidential data exchange with the payload protected by encryption; the sending and receiving entities apply symmetric encryption, i.e. the same key is used for encryption and decryption
- H04L63/0876 — Network security; authentication of entities based on the identity of the terminal or its configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/105 — Network security; controlling access to devices or network resources; multiple levels of security
- H04L63/1441 — Network security; detecting or protecting against malicious traffic; countermeasures against malicious traffic
- Y04S40/20 — Smart grids; systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies; information technology specific aspects, e.g. CAD, simulation, modelling, system security
Abstract
The invention discloses a power distribution network data protection system and method based on an intermediate database. To address the low security of a power distribution network that is exposed directly to the network during communication in the prior art, an intermediate database server is used to hide the real database server: the terminal server communicates with the real database server only through the intermediate database server, which verifies the authority of each communication request from the terminal server, closes illegal requests, and applies a two-layer key scheme, so that the real database server is not attacked directly. Even if the intermediate database server is compromised, an attacker obtains only limited authority and cannot threaten the real database server, so the security of the distribution network data is greatly improved.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a power distribution network data protection system and a power distribution network data protection method based on an intermediate database.
Background
In recent years China's power industry has developed rapidly and more and more new technologies are being applied to power systems. The power distribution network is an important node of power transmission: it has high construction standards, natural advantages for power supply and a complete communication network, and so meets the conditions for building energy storage stations, electric vehicle charging stations and data centres. The power industry is exploring the fusion of the distribution network, an integrated energy station and a data centre station into a smart energy station. The present method is proposed to guarantee the security of the smart energy station monitoring system, to prevent hackers, malicious code and the like from attacking and damaging the monitoring system, and to prevent the breakdown or paralysis of the monitoring system and the equipment or safety accidents that would follow, taking into account the information interaction characteristics of the smart energy station monitoring system. The security of communication information in the medium-voltage distribution network is one of the preconditions for its normal operation. Information security attacks on the medium-voltage distribution network are increasingly frequent, while its security protection equipment is relatively isolated, so that isolated "security islands" are a prominent problem. Malicious network attacks can do serious harm to the distribution network: they may leak data from distribution network terminals and may even cause social harm such as large-area power failures.
In the prior art, when data must be exchanged with power grid data, an application terminal usually communicates directly with the power distribution network. This leaves the distribution network data centre directly exposed to the network and at risk of malicious attack.
For example, the "network security system of an intelligent power distribution network system" disclosed in Chinese patent CN105208106A comprises a remote monitoring unit, a network communication unit, a server unit, a power supply unit and a power distribution load unit. The remote monitoring unit is connected to the network communication unit over a wired or wireless LAN for remote monitoring and control; the network communication unit is wired to the server unit to supply network data; and the server unit is electrically connected to the network communication unit, the power supply unit and the power distribution load unit and intelligently controls the distribution network. This arrangement still leaves the system at considerable risk of attack.
Disclosure of Invention
The invention mainly addresses the low security of a power distribution network that is exposed directly to the network during communication in the prior art, and provides a power distribution network data protection system and method based on an intermediate database.
The technical problem of the invention is solved mainly by the following technical scheme:
The power distribution network data protection system comprises a database server, a terminal server and an intermediate database server. The terminal server exchanges data with the database server only through the intermediate database server, and the services provided by the database server are mapped onto the IP address of the intermediate database server and a corresponding free port. Because the database server is hidden behind the intermediate database server, the application terminal (that is, the terminal server) exchanges data with it only indirectly, which makes it difficult for a malicious attacker to reach the real database server and greatly improves the security of distribution network information.
Preferably, the intermediate database server is provided with a bidirectional communication port through which it communicates with both the database server and the terminal server.
Preferably, the intermediate database server comprises:
A service mapping module, which receives connection requests from the terminal server. The service mapping module maps the services provided by the database server onto the IP address and a designated free port of the intermediate database server; one intermediate database server can hold mappings for several database servers at the same time, and when a terminal server sends a communication request the intermediate database server first verifies the terminal server and only then establishes the corresponding connection.
A key processing module, which performs encryption, key generation and decryption on communication information. The intermediate database server generates a key for each terminal server and distributes it to that terminal server, and likewise generates and distributes a key to each database server. Encrypted communication from a terminal server is decrypted with the key shared between that terminal server and the intermediate database server; after verification, the intermediate database server re-encrypts the information with the key shared between itself and the database server and sends it on, and the database server decrypts it with that key, completing the data exchange. This two-layer key encryption improves communication security.
The invention also discloses a power distribution network data protection method based on an intermediate database, comprising the following steps: A1: establishing an intermediate database;
A2: mapping the services provided by the database server onto the intermediate database server;
A3: the intermediate database server receives a communication request from the terminal server;
A4: the intermediate database server judges whether the terminal server has communication authority; if so, step A5 is executed, otherwise the connection is closed;
A5: the intermediate database server decrypts and re-encrypts the communication information of the terminal server and transmits the encrypted communication information to the database server.
Preferably, the step in which the intermediate database server judges whether the terminal server has communication authority comprises:
A41: the intermediate database server verifies the IP address of the terminal server; if the IP address is illegal the connection is closed, and if it is legal step A42 is executed;
A42: the intermediate database server parses the database name and user name from the terminal server's request and checks whether the IP address and user name form a legal combination; if so, communication is established, otherwise the connection is closed. The legal IP/user name combinations of terminal servers are stored in advance in the intermediate database server and can be updated at any time as required.
Preferably, a symmetric key is established between the intermediate database server and the terminal server, and a separate symmetric key is established between the intermediate database server and the database server. Even if an attacker locates the database server through the intermediate database server, the attacker cannot communicate with it directly, so information security is maintained.
Preferably, the intermediate database server decrypts the communication information with the key it shares with the terminal server, encrypts it with the key it shares with the database server, and transmits the encrypted communication information to the database server.
Preferably, the key between the intermediate database server and the database server is updated periodically, which further improves the security of the system.
The beneficial effects of the invention are:
1. Through the intermediate database, the application terminal no longer communicates directly with the database server, so the database server is protected from attack;
2. The two-layer authority verification performed by the intermediate database server improves security;
3. The two-layer key scheme reduces the risk of a successful attack.
Drawings
FIG. 1 is a block diagram of the power distribution network data protection system based on an intermediate database according to the invention;
FIG. 2 is a schematic flow chart of the power distribution network data protection method based on an intermediate database according to the invention;
In the figures, 1 is the database server, 2 is the intermediate database server and 3 is the terminal server.
Detailed Description
The technical scheme of the invention is further specifically described by the following embodiments and the accompanying drawings.
Example:
The power distribution network data protection system based on an intermediate database, shown in FIG. 1, comprises an intermediate database server 2, a database server 1 and a terminal server 3. The intermediate database server 2 acts as a decoy (false) server and the database server 1 is the real server: the intermediate database server 2 exposes itself to the network and communicates with the terminal server 3, so that it takes the place of the database server 1 as the target of attack. Even if the intermediate database server 2 is compromised, an attacker obtains only limited authority and cannot threaten the database server 1, which achieves the purpose of protecting the security of the database's data. The intermediate database server 2 comprises a service mapping module and a key processing module. The service mapping module maps the services provided by the database server 1 onto the IP address and a free port of the intermediate database server 2, so that the intermediate database server can establish communication with the terminal server and exchange data just as a database server would; the key processing module encrypts and decrypts the communication information. The intermediate database server 2 is provided with a bidirectional communication port through which it communicates with both the database server 1 and the terminal server 3.
This embodiment also discloses a power distribution network data protection method based on an intermediate database, comprising the following steps: A1: establishing an intermediate database; the IP addresses, user names and legal IP/user name combinations of the terminal servers 3 that are permitted to communicate with the database server 1 are stored in advance in the intermediate database for verifying the legitimacy of terminal servers, together with the key information;
A2: mapping the services provided by the database server 1 onto the intermediate database server 2; through this mapping the intermediate database server 2 can establish connections with the terminal server 3 and receive its connection requests;
A3: the intermediate database server 2 receives a communication request from the terminal server 3;
A4: the intermediate database server 2 judges whether the terminal server 3 has communication authority; if so, step A5 is executed, otherwise the connection is closed. The judgement comprises the following steps: A41: the intermediate database server 2 verifies the IP address of the terminal server 3; if the IP address is illegal the connection is closed, and if it is legal step A42 is executed;
A42: the intermediate database server 2 parses the database name and user name from the request of the terminal server 3 and checks whether the IP address and user name form a legal combination; if so, communication is established, otherwise the connection is closed. Through these two layers of authority verification an illegal terminal attempting to connect to the database server is identified, so the database server is protected from attack;
A5: the intermediate database server 2 decrypts and re-encrypts the communication information of the terminal server 3 and transmits it to the database server 1. A symmetric key is established between the intermediate database server 2 and the terminal server 3, and a different symmetric key is established between the intermediate database server 2 and the database server 1. The terminal server 3 encrypts its communication request together with its user name and IP address and sends it to the intermediate database server 2, which decrypts it with the key shared with the terminal server 3; once the request has been verified as legal, the connection request and related information are encrypted again and sent to the database server 1, which decrypts them with the key shared between the intermediate database server 2 and the database server 1. The key between the database server 1 and the intermediate database server 2 is different from the key between the terminal server 3 and the intermediate database server 2, and the former is updated regularly so that the protection does not fail if the key is ever cracked.
In this embodiment, communication between the database server 1 and the terminal server 3 is established through the intermediate database server 2, so the database server 1 is never exposed directly to the network and the risk of its being attacked is reduced; the communication information is protected by multi-level encryption, and communication security is further ensured by multi-level authority verification.
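The procedure of steps A1 to A5 above (and the same steps in the disclosure section), as an added example written for this page rather than code from the patent: an in-process model of the intermediate database server 2 that maps a database service onto a free local port, applies the A41 IP check and the A42 IP/user name check against an allowlist that can be changed while running, decrypts the terminal's request with the terminal key, re-encrypts it with a different key shared with the database server 1, and rotates that server-side key. Everything beyond the patent's description is an assumption: the symmetric cipher is a standard-library stand-in (an HMAC-SHA256 keystream with encrypt-then-MAC; the patent names no cipher, and production code would use an AEAD such as AES-GCM), the request format is JSON, forwarded messages carry a 4-byte key id so the database server knows which key is in force, and all addresses, names and queries are constructed sample data.

```python
import hashlib, hmac, json, os, struct

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key, nonce, length):
    # PRF keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks (stand-in for a real cipher)
    blocks = (hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def sym_encrypt(key, plaintext):
    # encrypt-then-MAC under a fresh random nonce: nonce || ciphertext || tag
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def sym_decrypt(key, blob):
    # check the tag in constant time before decrypting; any mismatch raises
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed (wrong key or tampered message)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class DatabaseServer:
    """Hidden real database server (1): holds only keys shared with server (2), indexed by key id."""
    def __init__(self, host):
        self.host, self.keys, self.current_key_id, self.received = host, {}, None, []
    def install_key(self, key_id, key):      # periodic update: only the newest key id is accepted
        self.keys[key_id], self.current_key_id = key, key_id
    def receive(self, blob):
        key_id = struct.unpack(">I", blob[:4])[0]
        if key_id != self.current_key_id:    # a key retired by rotation no longer works
            return "rejected: stale key id %d" % key_id
        try:
            self.received.append(json.loads(sym_decrypt(self.keys[key_id], blob[4:])))
        except ValueError as exc:
            return "rejected: %s" % exc
        return "ok"

class IntermediateDatabaseServer:
    """Exposed intermediate database server (2): mapping (A2), checks (A41/A42), re-encryption (A5)."""
    def __init__(self, listen_ip):
        self.listen_ip, self.service_map = listen_ip, {}     # local port -> (DatabaseServer, db name)
        self.allowed_ips, self.allowed_pairs = set(), set()  # A41 IP allowlist; A42 legal (ip, user) pairs
        self.terminal_keys, self.db_keys = {}, {}            # ip -> key; db host -> (key_id, key)
    def map_service(self, port, db, db_name):   # A2: map a real service onto a free local port
        assert port not in self.service_map, "port already in use"
        self.service_map[port] = (db, db_name)
        self.rotate_db_key(db)
    def grant(self, ip, username):              # A1: allowlist, updatable while running
        self.allowed_ips.add(ip)
        self.allowed_pairs.add((ip, username))
    def revoke(self, ip, username):
        self.allowed_pairs.discard((ip, username))
        if not any(p[0] == ip for p in self.allowed_pairs):
            self.allowed_ips.discard(ip)
    def issue_terminal_key(self, ip):           # key processing module: generate and distribute
        self.terminal_keys[ip] = os.urandom(32)
        return self.terminal_keys[ip]
    def rotate_db_key(self, db):                # periodic update of the key shared with (1)
        key_id = self.db_keys.get(db.host, (0, None))[0] + 1
        self.db_keys[db.host] = (key_id, os.urandom(32))
        db.install_key(*self.db_keys[db.host])
        return key_id
    def handle(self, src_ip, port, blob):       # A3 to A5 for one terminal request
        if port not in self.service_map:
            return "closed: no service mapped on this port"
        db, db_name = self.service_map[port]
        if src_ip not in self.allowed_ips:                                    # A41
            return "closed: illegal IP"
        try:
            req = json.loads(sym_decrypt(self.terminal_keys[src_ip], blob))
        except (KeyError, ValueError):
            return "closed: undecryptable request"
        if req.get("db") != db_name or (src_ip, req.get("user")) not in self.allowed_pairs:  # A42
            return "closed: illegal IP/user combination"
        key_id, db_key = self.db_keys[db.host]                                # A5: re-encrypt
        fwd = json.dumps({"user": req["user"], "src_ip": src_ip, "query": req.get("query")}).encode()
        return db.receive(struct.pack(">I", key_id) + sym_encrypt(db_key, fwd))

def demo():
    """Constructed scenarios; all addresses, names and queries are sample data."""
    db, mid = DatabaseServer("10.0.0.5"), IntermediateDatabaseServer("203.0.113.10")
    mid.map_service(3306, db, "dn_scada")
    mid.grant("198.51.100.7", "ops")
    k = mid.issue_terminal_key("198.51.100.7")
    def ask(key, user, query):   # what terminal server (3) sends: encrypted under its key with (2)
        return sym_encrypt(key, json.dumps({"db": "dn_scada", "user": user, "query": query}).encode())
    r = {"ok": mid.handle("198.51.100.7", 3306, ask(k, "ops", "SELECT 1"))}
    r["bad_ip"] = mid.handle("192.0.2.9", 3306, ask(k, "ops", "SELECT 1"))
    r["bad_user"] = mid.handle("198.51.100.7", 3306, ask(k, "root", "SELECT 1"))
    r["bad_key"] = mid.handle("198.51.100.7", 3306, ask(os.urandom(32), "ops", "SELECT 1"))
    old_id, old_key = mid.db_keys[db.host]    # an attacker who copied the (2)->(1) key ...
    mid.rotate_db_key(db)                     # ... is cut off by the next periodic update
    r["stale_db_key"] = db.receive(struct.pack(">I", old_id) + sym_encrypt(old_key, b"{}"))
    mid.revoke("198.51.100.7", "ops")         # allowlist changes take effect immediately
    r["revoked"] = mid.handle("198.51.100.7", 3306, ask(k, "ops", "SELECT 1"))
    return r, db.received
```

Calling `demo()` returns one decision per scenario: the legal request is forwarded and accepted ("ok"); an unknown IP is closed at A41 before its payload is even decrypted; a known IP with an unpaired user name, or a request under the wrong terminal key, is closed at A42; after `rotate_db_key` a message under the previous server-side key is rejected by the database server; and a revoked (IP, user) pair is refused immediately. Two points the code makes visible about the design: the intermediate database server necessarily sees the request in plaintext and holds both keys, so its own hardening matters, and the periodic update of the server-side key (claim 8) is what bounds the value of a key copied from it, which the `stale_db_key` scenario shows. In production the stand-in cipher would be replaced by an AEAD and the keys delivered over an authenticated channel.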
It should be understood that the examples are for illustrative purposes only and are not intended to limit the scope of the present invention. Further, it should be understood that various changes or modifications of the present invention may be made by those skilled in the art after reading the teaching of the present invention, and such equivalents may fall within the scope of the present invention as defined in the appended claims.
Claims (8)
1. A power distribution network data protection system based on an intermediate database, characterized in that it comprises a database server, a terminal server and an intermediate database server, wherein the terminal server exchanges data with the database server through the intermediate database server, and the IP address of the intermediate database server and a corresponding free port carry a mapping for the services provided by the database server.
2. The system according to claim 1, characterized in that the intermediate database server is provided with a bidirectional communication port through which it communicates with both the database server and the terminal server.
3. The system according to claim 2, characterized in that the intermediate database server comprises:
a service mapping module for receiving connection requests from the terminal server;
a key processing module for encrypting communication information and for key generation and decryption.
4. A power distribution network data protection method based on an intermediate database, implemented with the power distribution network data protection system of any one of claims 1 to 3, characterized in that it comprises the following steps: A1: establishing an intermediate database;
A2: mapping the services provided by the database server onto the intermediate database server;
A3: the intermediate database server receives a communication request from the terminal server;
A4: the intermediate database server judges whether the terminal server has communication authority; if so, step A5 is executed, otherwise the connection is closed;
A5: the intermediate database server decrypts and re-encrypts the communication information of the terminal server and transmits the encrypted communication information to the database server.
5. The method according to claim 4, characterized in that the step in which the intermediate database server judges whether the terminal server has communication authority comprises:
A41: the intermediate database server verifies the IP address of the terminal server; if the IP address is illegal the connection is closed, and if it is legal step A42 is executed;
A42: the intermediate database server parses the database name and user name from the terminal server's request and checks whether the IP address and user name form a legal combination; if so, communication is established, otherwise the connection is closed.
6. The method according to claim 4, characterized in that a symmetric key is established between the intermediate database server and the terminal server, and a symmetric key is established between the intermediate database server and the database server.
7. The method according to claim 6, characterized in that the intermediate database server decrypts the communication information with the key it shares with the terminal server, encrypts it with the key it shares with the database server, and transmits the encrypted communication information to the database server.
8. The method according to claim 6, characterized in that the key between the intermediate database server and the database server is updated periodically.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111466412.0A CN114531266A (en) | 2021-12-03 | 2021-12-03 | Power distribution network data protection system and method based on intermediate database |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114531266A true CN114531266A (en) | 2022-05-24 |
Family
ID=81619823
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111466412.0A Pending CN114531266A (en) | 2021-12-03 | 2021-12-03 | Power distribution network data protection system and method based on intermediate database |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114531266A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115643017A (en) * | 2022-12-23 | 2023-01-24 | 云加速(北京)科技有限公司 | Software identification validity checking method based on hybrid coding model |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2007318518A (en) * | 2006-05-26 | 2007-12-06 | Nippon Telegraph & Telephone West Corp | Common encrypting and decrypting method, common encrypting and decrypting device, encryption communication system, program, and recording medium |
CN101515931A (en) * | 2009-03-24 | 2009-08-26 | 北京理工大学 | Method for enhancing the database security based on agent way |
CN102722667A (en) * | 2012-03-07 | 2012-10-10 | 甘肃省电力公司信息通信公司 | Database security protection system and method based on virtual databases and virtual patches |
CN103001976A (en) * | 2012-12-28 | 2013-03-27 | 中国科学院计算机网络信息中心 | Safe network information transmission method |
CN105227577A (en) * | 2015-10-27 | 2016-01-06 | 江苏电力信息技术有限公司 | Unified database access agent equalization methods under a kind of multi-client |
KR20190069230A (en) * | 2017-12-11 | 2019-06-19 | 건국대학교 산학협력단 | Security communication method using key management server in software defined network controller and apparatus for perfoming the same |
CN111191266A (en) * | 2019-12-31 | 2020-05-22 | 中国广核电力股份有限公司 | File encryption method and system and decryption method and system |
Events
- 2021-12-03: application CN202111466412.0A filed in CN (publication CN114531266A), status Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106789015B (en) | Intelligent power distribution network communication safety system | |
CN110267270B (en) | Identity authentication method for sensor terminal access edge gateway in transformer substation | |
CN101355459B (en) | Method for monitoring network based on credible protocol | |
CN111711625A (en) | Power system information security encryption system based on power distribution terminal | |
CN106992984A (en) | A kind of method of the mobile terminal safety access information Intranet based on electric power acquisition net | |
CN104618369A (en) | Method, device and system for unique authorization of Internet-of-Things equipment based on OAuth | |
CN108650261B (en) | Mobile terminal system software burning method based on remote encryption interaction | |
CN106549502B (en) | A kind of safe distribution of electric power protecting, monitoring system | |
CN104506500A (en) | GOOSE message authentication method based on transformer substation | |
CN111447067A (en) | Encryption authentication method for power sensing equipment | |
CN111988328A (en) | Safety guarantee method and system for acquiring terminal data of power generation unit of new energy plant station | |
CN105471901A (en) | Industrial information security authentication system | |
CN112270020B (en) | Terminal equipment safety encryption device based on safety chip | |
CN112468504B (en) | Industrial control network access control method based on block chain | |
CN110324820A (en) | A kind of Internet of Things safety right appraisal method, system and readable medium | |
CN115001717B (en) | Terminal equipment authentication method and system based on identification public key | |
CN115065469B (en) | Data interaction method and device for power internet of things and storage medium | |
CN114531266A (en) | Power distribution network data protection system and method based on intermediate database | |
CN104333547A (en) | Safety protection method of two-way interaction intelligent ammeter | |
CN112311553B (en) | Equipment authentication method based on challenge response | |
CN110519222A (en) | Outer net access identity authentication method and system based on disposable asymmetric key pair and key card | |
CN111435389A (en) | Power distribution terminal operation and maintenance tool safety protection system | |
CN114254352A (en) | Data security transmission system, method and device | |
CN114286331A (en) | Identity authentication method and system suitable for 5G data terminal of power Internet of things | |
Zhang et al. | Design and Implementation of IEC61850 Communication Security Protection Scheme for Smart Substation based on Bilinear Function |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |