CN115081498A - Industrial data processing method and device and industrial gateway - Google Patents

Publication number: CN115081498A
Application number: CN202110261130.0A
Authority: CN (China)
Other languages: Chinese (zh)
Inventors: 范紫君, 张建宇, 孟阼君
Current Assignee: China Telecom Corp Ltd
Original Assignee: China Telecom Corp Ltd
Application filed by: China Telecom Corp Ltd
Priority: CN202110261130.0A
Legal status: Withdrawn
Prior art keywords: industrial data, classification, industrial, data processing, data
Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00: Data switching networks
    • H04L12/66: Arrangements for connecting between networks having differing types of switching systems, e.g. gateways

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The disclosure provides an industrial data processing method, an industrial data processing device and an industrial gateway, and relates to the technical field of network security. The method comprises: determining a classification result and a grading result corresponding to industrial data according to the classification and grading features of the industrial data and set classification and grading rules; determining a disposal strategy corresponding to the industrial data according to the classification result and the grading result; and processing the industrial data according to the disposal strategy. This meets the national regulatory requirement for classified and graded management of industrial data without building a virtual private network or other gateways.

Description

Industrial data processing method, device and industrial gateway

Technical field

The present disclosure relates to the technical field of network security, and in particular to an industrial data processing method, device and industrial gateway.

Background

The Industrial Internet has opened up the protection boundary of industrial enterprises. Production and operation data flows between enterprise campuses, private data centers, public clouds and industry regulators, and an effective supervision mechanism is lacking.

In the related art, the 5G UPF (User Plane Function) steers data based on the five-tuple. It offers few classification methods and does not meet security requirements; it requires the operator to perform configuration or to build a virtual private network, and management is complex. Moreover, this solution can only steer traffic: if other operations are needed, other network elements must be connected in series, which reduces the security and reliability of the data. The SDN service chain is mainly used in clouds and wide area networks with distributed deployment, and is not suitable for protection at the enterprise egress.

Summary of the invention

A technical problem to be solved by the present disclosure is to provide an industrial data processing method, device and industrial gateway that can meet the national regulatory requirement for classified and graded management of industrial data without building a virtual private network or other gateways.

According to one aspect of the present disclosure, an industrial data processing method is proposed, including: determining a classification result and a grading result corresponding to industrial data according to the classification and grading features of the industrial data and set classification and grading rules; determining a disposal strategy corresponding to the industrial data according to the classification result and the grading result; and processing the industrial data according to the disposal strategy.

In some embodiments, the industrial data is analyzed based on deep packet inspection (DPI) technology to obtain at least one of the five-tuple information and the business behavior of the industrial data; and the classification and grading features of the industrial data are determined according to one or more of the five-tuple information, time information, external environment features and business behavior of the industrial data.

In some embodiments, the classification and grading rules and the disposal strategies for the industrial data corresponding to a service are preconfigured.

In some embodiments, the disposal strategy includes one or more of: encrypting the industrial data, decrypting the industrial data, discarding the industrial data, logging the industrial data, forwarding the industrial data with high priority, signing the industrial data, redirecting the industrial data, and tunnel-encapsulating the industrial data.

In some embodiments, the classification rules include two or three of a production category, a business category and a management category; and the grading rules include two or three of a general level, an enterprise secret level and a state secret level.

According to another aspect of the present disclosure, a service data processing device is also proposed, including: a data classification and grading module configured to determine a classification result and a grading result corresponding to industrial data according to the classification and grading features of the industrial data and set classification and grading rules; a policy implementation module configured to determine a disposal strategy corresponding to the industrial data according to the classification result and the grading result; and a data processing module configured to process the industrial data according to the disposal strategy.

In some embodiments, the industrial data processing device further includes: a data acquisition unit configured to acquire the industrial data based on deep packet inspection (DPI) technology and to determine the classification and grading features of the industrial data according to one or more of the five-tuple information, time information, external environment features and business behavior of the industrial data.

In some embodiments, the industrial data processing device further includes: a policy configuration storage module configured to preconfigure the classification and grading rules and the disposal strategies for the industrial data corresponding to a service.

According to another aspect of the present disclosure, an industrial data processing device is also proposed, including: a memory; and a processor coupled to the memory, the processor being configured to execute the industrial data processing method described above based on instructions stored in the memory.

According to another aspect of the present disclosure, an industrial gateway is also proposed, including the industrial data processing device described above.

According to another aspect of the present disclosure, a non-transitory computer-readable storage medium is also proposed, on which computer program instructions are stored; when executed by a processor, the instructions implement the industrial data processing method described above.

In the embodiments of the present disclosure, the classification result and the grading result corresponding to the classification and grading features of the industrial data are determined according to the classification and grading rules, after which the corresponding processing strategy is determined and applied. This meets the national regulatory requirement for classified and graded management of industrial data without building a virtual private network or other gateways.

Other features and advantages of the present disclosure will become clear from the following detailed description of exemplary embodiments of the present disclosure with reference to the accompanying drawings.

Brief description of the drawings

The accompanying drawings, which form part of the specification, illustrate embodiments of the present disclosure and, together with the description, serve to explain the principles of the present disclosure.

The present disclosure can be understood more clearly from the following detailed description with reference to the accompanying drawings, in which:

FIG. 1 is a schematic flowchart of some embodiments of the industrial data processing method of the present disclosure.

FIG. 2 is a schematic flowchart of other embodiments of the industrial data processing method of the present disclosure.

FIG. 3 is a schematic flowchart of other embodiments of the industrial data processing method of the present disclosure.

FIG. 4 is a schematic structural diagram of some embodiments of the service data processing device of the present disclosure.

FIG. 5 is a schematic structural diagram of other embodiments of the service data processing device of the present disclosure.

FIG. 6 is a schematic structural diagram of other embodiments of the service data processing device of the present disclosure.

Detailed description

Various exemplary embodiments of the present disclosure will now be described in detail with reference to the accompanying drawings. Note that, unless specifically stated otherwise, the relative arrangement of the components and steps, the numerical expressions and the numerical values set forth in these embodiments do not limit the scope of the present disclosure.

It should also be understood that, for ease of description, the dimensions of the parts shown in the drawings are not drawn to actual scale.

The following description of at least one exemplary embodiment is merely illustrative and in no way limits the present disclosure, its application or its uses.

Techniques, methods and devices known to those of ordinary skill in the relevant art may not be discussed in detail, but where appropriate they should be regarded as part of the granted specification.

In all examples shown and discussed here, any specific value should be interpreted as merely exemplary and not as a limitation. Other examples of the exemplary embodiments may therefore have different values.

Note that similar reference numerals and letters denote similar items in the following drawings, so once an item has been defined in one drawing it need not be discussed further in subsequent drawings.

To make the objectives, technical solutions and advantages of the present disclosure clearer, the present disclosure is described in further detail below with reference to specific embodiments and the accompanying drawings.

FIG. 1 is a schematic flowchart of some embodiments of the industrial data processing method of the present disclosure. This embodiment is performed by an industrial gateway, or by an industrial data processing device located in the industrial gateway.

In step 110, a classification result and a grading result corresponding to the industrial data are determined according to the classification and grading features of the industrial data and the set classification and grading rules.

In some embodiments, the classification and grading rules and the disposal strategies for the industrial data corresponding to a service are preconfigured. After the classification and grading features of the industrial data are obtained, the classification result and the grading result corresponding to the industrial data can be determined by looking up the classification and grading rules.

In step 120, the disposal strategy corresponding to the industrial data is determined according to the classification result and the grading result corresponding to the industrial data.

In some embodiments, different disposal strategies are applied to industrial data with different classification and grading results. Examples include encrypting the industrial data, decrypting the industrial data, discarding the industrial data, logging the industrial data, forwarding the industrial data with high priority, signing the industrial data, redirecting the industrial data, and tunnel-encapsulating the industrial data.

In step 130, the industrial data is processed according to the disposal strategy corresponding to the industrial data.

In the above embodiment, the classification result and the grading result corresponding to the classification and grading features of the industrial data are determined according to the classification and grading rules, after which the corresponding processing strategy is determined and applied. This meets the national regulatory requirement for classified and graded management of industrial data without building a virtual private network or other gateways.

FIG. 2 is a schematic flowchart of other embodiments of the industrial data processing method of the present disclosure. This embodiment is performed by an industrial gateway.

In step 210, the classification and grading rules and the disposal strategies for the industrial data corresponding to a service are preconfigured.

In some embodiments, the classification and grading rules and the disposal strategies for the industrial data corresponding to a service are configured through the web management interface of the industrial gateway or through its TR-069 remote management capability.

In some embodiments, the classification rules include a production category, a business category, a management category and so on, and the grading rules include a general level, an enterprise secret level, a state secret level and so on.

In step 220, the industrial data is acquired through the industrial gateway.

In step 230, the industrial data is analyzed based on DPI (deep packet inspection) technology to obtain at least one of the five-tuple information and the business behavior of the industrial data, and the classification and grading features of the industrial data are determined according to one or more of the five-tuple information, time information, external environment features and business behavior of the industrial data.

In some embodiments, the external environment features include a security posture level.

In some embodiments, the business behavior includes the determination of user misoperation, user operations that violate regulations, illegal device access, network attacks and so on.

In step 240, the classification result and the grading result corresponding to the industrial data are determined by looking up the classification and grading rules according to the classification and grading features of the industrial data.

In some embodiments, all data traffic within the local area network is analyzed and processed.

In some embodiments, the corresponding reverse processing is also applied to return traffic.

In step 250, the disposal strategy corresponding to the industrial data is determined according to the classification result and the grading result corresponding to the industrial data.

In step 260, the industrial data is processed according to the disposal strategy corresponding to the industrial data.

In the above embodiment, the industrial data is classified and graded according to the preconfigured classification and grading rules and disposal strategies, and different processing strategies are then applied to the industrial data in real time according to the classification and grading results. This achieves classified and graded protection and processing of the data while improving data security and reliability.

FIG. 3 is a schematic flowchart of other embodiments of the industrial data processing method of the present disclosure.

In step 310, the industrial gateway receives an internal data forwarding request.

In step 320, it is determined whether a classification and grading rule is triggered. If so, step 330 is performed; otherwise, step 360 is performed.

In step 330, the classification and grading results of the data are determined according to the classification and grading features of the data.

In some embodiments, as shown in Table 1, network groups are set according to the five-tuple information in the data, combined with timestamps, and traffic limits are added to classify and grade steady-state data inside the enterprise.

Table 1

[Table 1 is provided as an image in the original publication (Figure BDA0002970034800000061) and is not reproduced here.]

In step 340, the disposal strategy corresponding to the data is looked up.

In step 350, the processing action is performed according to the disposal strategy.

For example, for production data transmitted to the data center, when the security posture level is level 1 at a fixed time point and the traffic limit is below 10K, the data must be encrypted and forwarded.

In step 360, data forwarding is completed.

In the above embodiment, data flowing out of an industrial enterprise can be managed and controlled in compliance with national regulatory requirements.
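The Figure 3 flow (steps 310 to 360) can be sketched as a first-match rule lookup followed by a policy lookup. This is an added example, not code from the patent: the field names, address ranges, grades, the second rule and the fail-closed default are constructed assumptions, and only the first rule's outcome (encrypt, then forward) follows the example given above.

```python
"""Added example (not from the patent): Figure 3, steps 310-360, as table lookups."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """Classification and grading features of one flow (hypothetical field names)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    seen_at: time        # time information
    posture_level: int   # external environment feature: security posture level
    volume_k: float      # traffic volume, same unit as the page's "10K" limit


@dataclass(frozen=True)
class Rule:
    """One classification and grading rule: network group + time + posture + limit."""
    src_net: str
    dst_net: str
    protocol: str
    dst_port: int
    start: time          # time window is an assumed reading of "fixed time point"
    end: time
    posture_level: int
    max_k: Optional[float]   # None means no traffic limit on this rule
    category: str        # production / business / management
    grade: str           # general / enterprise-secret / state-secret

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src_ip) in ip_network(self.src_net)
                and ip_address(f.dst_ip) in ip_network(self.dst_net)
                and f.protocol == self.protocol
                and f.dst_port == self.dst_port
                and self.start <= f.seen_at <= self.end
                and f.posture_level == self.posture_level
                and (self.max_k is None or f.volume_k < self.max_k))


# Constructed rule table. Rule 1 mirrors the page's example (production data to the
# data center, posture level 1, under 10K); rule 2 and both grades are assumptions.
RULES = [
    Rule("10.10.0.0/16", "192.0.2.0/24", "tcp", 443, time(8, 0), time(18, 0),
         1, 10.0, "production", "enterprise-secret"),
    Rule("10.10.0.0/16", "192.0.2.0/24", "tcp", 443, time(8, 0), time(18, 0),
         1, None, "production", "state-secret"),
]

# Disposal strategies keyed by (classification result, grading result).
POLICIES = {
    ("production", "enterprise-secret"): ("encrypt", "forward"),
    ("production", "state-secret"): ("log", "drop"),   # constructed
}


def classify(flow, rules=RULES):
    """Steps 320-330: the first matching rule yields (category, grade), else None."""
    for rule in rules:
        if rule.matches(flow):
            return rule.category, rule.grade
    return None


def dispose(flow, rules=RULES, policies=POLICIES):
    """Steps 310-360: return the ordered actions the gateway applies to the flow."""
    result = classify(flow, rules)
    if result is None:
        # Step 320 "no" branch: the page forwards the data unchanged (step 360).
        return ("forward",)
    # A classified flow without a configured strategy is a configuration gap.
    # Failing closed here is an assumption; the page does not specify this case.
    return policies.get(result, ("log", "drop"))


# Constructed sample flows.
FLOW_IN_LIMIT = Flow("10.10.3.7", "192.0.2.20", 50000, 443, "tcp", time(9, 30), 1, 4.0)
FLOW_OVER_LIMIT = Flow("10.10.3.7", "192.0.2.20", 50001, 443, "tcp", time(9, 31), 1, 50.0)
FLOW_OFF_HOURS = Flow("10.10.3.7", "192.0.2.20", 50002, 443, "tcp", time(23, 0), 1, 4.0)

if __name__ == "__main__":
    for flow in (FLOW_IN_LIMIT, FLOW_OVER_LIMIT, FLOW_OFF_HOURS):
        print(flow.seen_at, flow.volume_k, classify(flow), dispose(flow))
```

Rule order matters in this sketch: the traffic-limited rule must precede the unlimited one, otherwise every flow in the group takes the stricter strategy.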

FIG. 4 is a schematic structural diagram of some embodiments of the service data processing device of the present disclosure. The device includes a data classification and grading module 410, a policy implementation module 420 and a data processing module 430.

The data classification and grading module 410 is configured to determine the classification result and the grading result corresponding to the industrial data according to the classification and grading features of the industrial data and the set classification and grading rules.

In some embodiments, the data is divided into a production category, a business category, a management category and so on.

In some embodiments, the data is divided by confidentiality level into a general level, an enterprise secret level, a state secret level and so on.

The policy implementation module 420 is configured to determine the disposal strategy corresponding to the industrial data according to the classification result and the grading result corresponding to the industrial data.

In some embodiments, the disposal strategy includes: encrypting the industrial data, decrypting the industrial data, discarding the industrial data, logging the industrial data, forwarding the industrial data with high priority, signing the industrial data, redirecting the industrial data, tunnel-encapsulating the industrial data and so on.

The data processing module 430 is configured to process the industrial data according to the disposal strategy corresponding to the industrial data.

In the above embodiment, the classification result and the grading result corresponding to the classification and grading features of the industrial data are determined according to the classification and grading rules, after which the corresponding processing strategy is determined and applied. This meets the national regulatory requirement for classified and graded management of industrial data without building a virtual private network or other gateways.

In other embodiments of the present disclosure, as shown in FIG. 5, the device further includes a data acquisition unit 510 configured to analyze the industrial data based on DPI technology to obtain at least one of the five-tuple information and the business behavior of the industrial data, and to determine the classification and grading features of the industrial data according to one or more of the five-tuple information, time information, external environment features and business behavior of the industrial data.

In this embodiment, DPI technology makes it possible to acquire industrial data dynamically; network groups are set according to the five-tuple, combined with timestamps, and traffic limits can be added to classify and grade steady-state data inside the enterprise.

In other embodiments of the present disclosure, as shown in FIG. 5, the device further includes a policy configuration storage module 520 configured to preconfigure the classification and grading rules and the disposal strategies for the industrial data corresponding to a service.

In some embodiments, the data classification and grading rules and the disposal strategies corresponding to a service are configured through the web management interface of the industrial gateway or through its TR-069 remote management capability.

In some embodiments, the device can also receive disposal strategies issued by other control platforms.

FIG. 6 is a schematic structural diagram of other embodiments of the service data processing device of the present disclosure. The device 600 includes a memory 610 and a processor 620. The memory 610 may be a magnetic disk, flash memory or any other non-volatile storage medium, and is used to store the instructions of the embodiments corresponding to FIGS. 1-3. The processor 620 is coupled to the memory 610 and may be implemented as one or more integrated circuits, such as a microprocessor or microcontroller. The processor 620 is used to execute the instructions stored in the memory.

In some embodiments, the processor 620 is coupled to the memory 610 through a bus 630. The device 600 may also be connected to an external storage system 650 through a storage interface 640 in order to call external data, and may be connected to a network or another computer system (not shown) through a network interface 660. These are not described in detail here.

In this embodiment, the data instructions are stored in the memory and processed by the processor, which meets the national regulatory requirement for classified and graded management of industrial data without building a virtual private network or other gateways.

In other embodiments of the present disclosure, protection is sought for an industrial gateway. The industrial gateway is a network-connectable device used in industrial control application scenarios, and can implement functions such as data collection, protocol conversion and data forwarding. An industrial data processing device is added to the industrial gateway; based on the classification and grading features of the data and the preconfigured classification and grading rules and disposal strategies for the industrial data corresponding to a service, data flowing out of the industrial enterprise is managed and controlled in compliance with national regulatory requirements. The present disclosure uses a centralized deployment, the classification and grading strategy is flexible, and processing and classification take place on the same node, which is more secure and efficient.

在另一些实施例中,一种计算机可读存储介质,其上存储有计算机程序指令,该指令被处理器执行时实现图1-3所对应实施例中的方法的步骤。本领域内的技术人员应明白,本公开的实施例可提供为方法、装置、或计算机程序产品。因此,本公开可采用完全硬件实施例、完全软件实施例、或结合软件和硬件方面的实施例的形式。而且,本公开可采用在一个或多个其中包含有计算机可用程序代码的计算机可用非瞬时性存储介质(包括但不限于磁盘存储器、CD-ROM、光学存储器等)上实施的计算机程序产品的形式。In other embodiments, a computer-readable storage medium has computer program instructions stored thereon, the instructions, when executed by a processor, implement the steps of the methods in the embodiments corresponding to FIGS. 1-3 . As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, apparatus, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein .

本公开是参照根据本公开实施例的方法、设备(系统)和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block in the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general purpose computer, special purpose computer, embedded processor or other programmable data processing device to produce a machine such that the instructions executed by the processor of the computer or other programmable data processing device produce Means for implementing the functions specified in a flow or flow of a flowchart and/or a block or blocks of a block diagram.

这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory result in an article of manufacture comprising instruction means, the instructions The apparatus implements the functions specified in the flow or flow of the flowcharts and/or the block or blocks of the block diagrams.

这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded on a computer or other programmable data processing device to cause a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process such that The instructions provide steps for implementing the functions specified in the flow or blocks of the flowcharts and/or the block or blocks of the block diagrams.

So far, the present disclosure has been described in detail. Some details that are well known in the art are not described, in order to avoid obscuring the concept of the present disclosure. Based on the above description, those skilled in the art can fully understand how to implement the technical solutions disclosed herein.

While some specific embodiments of the present disclosure have been described in detail by way of examples, those skilled in the art will appreciate that the above examples are provided for illustration only and are not intended to limit the scope of the present disclosure. Those skilled in the art will appreciate that modifications may be made to the above embodiments without departing from the scope and spirit of the present disclosure. The scope of the present disclosure is defined by the appended claims.

Claims (11)

1. An industrial data processing method, comprising:
determining a classification result and a grading result corresponding to the industrial data according to classification and grading characteristics of the industrial data and set classification and grading rules;
determining a disposal strategy corresponding to the industrial data according to the classification result and the grading result corresponding to the industrial data; and
processing the industrial data according to the disposal strategy corresponding to the industrial data.
2. The industrial data processing method of claim 1, further comprising:
analyzing the industrial data based on a Deep Packet Inspection (DPI) technology to obtain at least one of quintuple information and business behavior of the industrial data; and
determining classification and grading characteristics of the industrial data according to one or more of quintuple information, time information, external environment characteristics and business behaviors of the industrial data.
3. The industrial data processing method of claim 1, further comprising:
pre-configuring classification and grading rules and disposal policies corresponding to the industrial data of the business.
4. The industrial data processing method of any one of claims 1 to 3, wherein the disposition policy comprises: one or more of encrypting the industrial data, decrypting the industrial data, discarding the industrial data, recording the industrial data, high priority forwarding the industrial data, signing the industrial data, redirecting the industrial data, tunneling the industrial data.
5. The industrial data processing method according to any one of claims 1 to 3,
the classification rules comprise two or three of a production category, an operation category and a management category; and
the grading rules comprise two or three of a general level, an enterprise confidentiality level, and a national confidentiality level.
6. A service data processing apparatus, comprising:
a data classification and grading module configured to determine a classification result and a grading result corresponding to the industrial data according to classification and grading characteristics of the industrial data and set classification and grading rules;
a policy implementation module configured to determine a disposal policy corresponding to the industrial data according to the classification result and the grading result corresponding to the industrial data; and
a data processing module configured to process the industrial data according to the disposal policy corresponding to the industrial data.
7. The industrial data processing apparatus of claim 6, further comprising:
a data acquisition unit configured to analyze the industrial data based on a Deep Packet Inspection (DPI) technology to obtain at least one of quintuple information and business behavior of the industrial data, and to determine classification and grading characteristics of the industrial data according to one or more of the quintuple information, time information, external environment characteristics and the business behavior of the industrial data.
8. The industrial data processing device of claim 6 or 7, further comprising:
a policy configuration storage module configured to pre-configure classification and grading rules and disposal policies corresponding to the industrial data of the business.
9. An industrial data processing apparatus comprising:
a memory; and
a processor coupled to the memory, the processor configured to perform the industrial data processing method of any of claims 1 to 5 based on instructions stored in the memory.
10. An industrial gateway, comprising:
an industrial data processing device according to any one of claims 6 to 9.
11. A non-transitory computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the industrial data processing method of any one of claims 1 to 5.
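The pipeline of claims 1 to 5, as an added sketch that is not code from the patent: features taken from the five-tuple, the time and the DPI-reported business behavior are matched against pre-configured classification and grading rules, and the resulting (category, level) pair selects the disposal actions. The addresses, ports, behavior names, rule-to-policy mapping, working hours and the fail-closed default are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    src: str            # five-tuple fields
    dst: str
    sport: int
    dport: int
    proto: str
    at: time            # time information
    behavior: str       # business behavior reported by DPI (names are assumed)

# (dst network, dst port, behavior) -> (category, level); constructed sample
# rules, most specific first. Category and level names follow claim 5.
RULES = [
    ("10.1.0.0/16", 502, "write_register", ("production", "national_confidential")),
    ("10.1.0.0/16", 502, "read_register", ("production", "enterprise_confidential")),
    ("10.2.0.0/16", 443, "report_upload", ("management", "general")),
]
# (category, level) -> disposal actions named in claim 4; the mapping is assumed.
POLICIES = {
    ("production", "national_confidential"): ("sign", "encrypt", "tunnel", "record"),
    ("production", "enterprise_confidential"): ("encrypt", "high_priority_forward"),
    ("management", "general"): ("record",),
}
FAIL_CLOSED = ("record", "discard")      # assumption: unclassified data is dropped
SHIFT = (time(8, 0), time(18, 0))        # assumption: plant working hours

def classify(flow):
    """Return (category, level) of the first matching rule, or None."""
    for net, port, behavior, label in RULES:
        if (ip_address(flow.dst) in ip_network(net) and flow.dport == port
                and flow.proto == "tcp" and flow.behavior == behavior):
            return label
    return None

def dispose(flow):
    """Map a flow to the ordered disposal actions the gateway should apply."""
    label = classify(flow)
    if label is None:
        return FAIL_CLOSED
    # Time feature: top-level data seen outside the shift is logged and
    # redirected for inspection instead of being forwarded.
    if label[1] == "national_confidential" and not SHIFT[0] <= flow.at <= SHIFT[1]:
        return ("record", "redirect")
    return POLICIES.get(label, FAIL_CLOSED)
```

Failing closed on traffic that matches no rule keeps a gap in the rule set from becoming an unencrypted forwarding path.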
CN202110261130.0A 2021-03-10 2021-03-10 Industrial data processing method and device and industrial gateway Withdrawn CN115081498A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110261130.0A CN115081498A (en) 2021-03-10 2021-03-10 Industrial data processing method and device and industrial gateway

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110261130.0A CN115081498A (en) 2021-03-10 2021-03-10 Industrial data processing method and device and industrial gateway

Publications (1)

Publication Number Publication Date
CN115081498A (en) 2022-09-20

Family

ID=83240958

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110261130.0A Withdrawn CN115081498A (en) 2021-03-10 2021-03-10 Industrial data processing method and device and industrial gateway

Country Status (1)

Country Link
CN (1) CN115081498A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070133549A1 (en) * 2005-12-08 2007-06-14 Electronics & Telecommunications Research Institute Apparatus and method for managing traffic using VID in EPON
CN107612846A (en) * 2017-11-01 2018-01-19 北京天创凯睿科技有限公司 A kind of business datum adaptive transmission method and device
CN111126729A (en) * 2018-10-30 2020-05-08 千寻位置网络有限公司 Intelligent safety event closed-loop disposal system and method thereof
CN112307133A (en) * 2020-10-29 2021-02-02 平安普惠企业管理有限公司 Security protection method and device, computer equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
董育宁 et al.: "A survey of identification and classification methods for multimedia communication traffic flows", 《南京邮电大学学报(自然科学版)》, vol. 33, no. 3, 30 June 2013 (2013-06-30), pages 35-44 *

Similar Documents

Publication Publication Date Title
US11379602B2 (en) Internal controls engine and reporting of events generated by a network or associated applications
US20240346137A1 (en) Data loss prevention of enterprise information stored on a cloud computing service (ccs)
US20170366416A1 (en) Gui and high-level api wrapper for software defined networking and software defined access for controlling network routing and rules
CN103688489B (en) Method for strategy processing and network equipment
JP6518844B1 (en) Middleware security layer for cloud computing services
US10212224B2 (en) Device and related method for dynamic traffic mirroring
US9813447B2 (en) Device and related method for establishing network policy based on applications
US9584393B2 (en) Device and related method for dynamic traffic mirroring policy
US9230213B2 (en) Device and related method for scoring applications running on a network
US9256636B2 (en) Device and related method for application identification
CN105933361B (en) Big data security protection cloud system based on trusted calculation
US20150347773A1 (en) Method and system for implementing data security policies using database classification
US8656478B1 (en) String based detection of proxy communications
US8055767B1 (en) Proxy communication string data
CN116094696B (en) Data security protection method, data security management platform, system and storage medium
EP4002866A1 (en) A device and method to establish a score for a computer application
Dao et al. Adaptive suspicious prevention for defending DoS attacks in SDN-based convergent networks
CN103457952A (en) IPSec processing method and device based on encrypting engine
CN102217248A (en) Distributed packet flow inspection and processing
US20220253430A1 (en) Cloud-based Data Loss Prevention
Hegarty et al. Extrusion detection of illegal files in cloud-based systems
CN118590216B (en) Data security sharing and content management and control method, device and system based on zero trust
Ding et al. Multi-granular aggregation of network flows for security analysis
CN115081498A (en) Industrial data processing method and device and industrial gateway
CN103973675A (en) Method for detecting segmented redundancy in cross-domain collaboration firewalls

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20220920
