CN115150174B - Industrial safety isolation exchange method and system - Google Patents


Info

Publication number: CN115150174B
Authority: CN (China)
Prior art keywords: protocol, score, data packet, sequence table, preset
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202210789068.7A
Other languages: Chinese (zh)
Other versions: CN115150174A (en)
Inventors: 张友平, 陆东华
Current assignee: Beijing Shenzhou Huian Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Shenzhou Huian Technology Co ltd
Events:
Application filed by Beijing Shenzhou Huian Technology Co ltd
Priority to CN202210789068.7A
Publication of CN115150174A
Application granted
Publication of CN115150174B
Legal status: Active

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L 63/00 Network architectures or network communication protocols for network security
        • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
        • H04L 47/00 Traffic control in data switching networks
        • H04L 47/50 Queue scheduling
        • H04L 47/62 Queue scheduling characterised by scheduling criteria
        • H04L 47/625 Queue scheduling characterised by scheduling criteria for service slots or service orders
        • H04L 47/6275 Queue scheduling characterised by scheduling criteria for service slots or service orders based on priority
        • H04L 67/00 Network arrangements or protocols for supporting network services or applications
        • H04L 67/01 Protocols
        • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS › Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE › Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
        • Y02P 90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
        • Y02P 90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The application relates to an industrial security isolation exchange method and system in the field of network security. The method is applied to an external terminal and comprises the following steps: acquiring the data packets uploaded by an industrial control system; identifying the protocol used by each data packet and merging identical protocols to obtain the total number of protocol types; obtaining, for each protocol type, the packet unit it allows to pass, and calculating from the packet units the number of data packets to be sent by each protocol; calculating the ratio of the number of protocols whose number of packets to be sent has reached a preset packet-number threshold to the total number of protocol types; judging whether the total number of protocol types is smaller than a preset first threshold and whether the ratio is smaller than a preset second threshold; if either condition is not met, sorting the protocols by importance on the basis of the total protocol types to obtain a transmission sequence table; and transmitting the data packets protocol by protocol according to the transmission sequence table. The method and the system have the characteristic of guaranteeing the real-time performance of data transmission.

Description

Industrial safety isolation exchange method and system
Technical Field
The present application relates to the field of network security, and in particular to an industrial security isolation exchange system and method.
Background
During the informatization of production systems, in order to improve the security of service data transmission, a firewall is introduced at the logical isolation layer, and at the physical isolation layer either removable storage media or a one-way optical gate formed by combining an external terminal with an internal terminal is introduced, so that the security of service data transmission is ensured by double isolation.
However, the service data flow carries various proprietary industrial protocols. These protocols are chained into a protocol stack, so the service data has many transmission paths and the transmission lines become longer. Industrial control systems are complex and generate a large volume of service data, and when a large volume of service data passes over the longer transmission lines the network protocol becomes overloaded and real-time performance drops.
Disclosure of Invention
The application provides an industrial security isolation exchange system and method, which have the characteristic of guaranteeing the real-time performance of data transmission.
The first object of the application is to provide an industrial security isolation exchange method.
The first object of the present application is achieved by the following technical solutions:
an industrial security isolation exchange method, applied to an external terminal, comprising the following steps:
acquiring the data packets uploaded by an industrial control system;
identifying the protocol used by each data packet, and merging identical protocols to obtain the total number of protocol types;
obtaining, for each protocol type, the packet unit it allows to pass, and calculating from the packet units the number of data packets to be sent by each protocol;
calculating the ratio of the number of protocols whose number of packets to be sent has reached a preset packet-number threshold to the total number of protocol types;
judging whether the total number of protocol types is smaller than a preset first threshold and whether the ratio is smaller than a preset second threshold;
if either condition is not met, sorting the protocols by importance on the basis of the total protocol types to obtain a transmission sequence table;
and transmitting the data packets protocol by protocol according to the transmission sequence table.
With this technical scheme, while transmitting service data the external terminal judges the load condition of the network protocol from two factors: whether the total number of protocol types used by the data packets is smaller than the preset first threshold, and whether the ratio of protocols whose number of packets to be sent has reached the preset packet-number threshold to the total number of protocol types is smaller than the preset second threshold. If either factor, or both, has reached its threshold, the network protocol is judged to be overloaded and the external terminal enters instant mode. In instant mode the external terminal sorts the protocols by importance to obtain a transmission sequence table and then transmits the data packets protocol by protocol in the order of that table, so that important protocols transmit their packets first and the real-time transmission of the important packets in the service data is guaranteed even when the network protocol is overloaded.
The present application may be further configured in a preferred example so that the step of identifying the protocol used by the data packet includes: performing dual identification with a port-based identification technique and a payload-feature-based identification technique.
With this technical scheme, port-based identification is efficient and accurate, and payload-feature-based identification is more accurate than port-based identification, so the dual identification technique ensures both identification accuracy and identification efficiency.
The present application may be further configured in a preferred example so that the step of sorting the protocols by importance on the basis of the total protocol types to obtain a transmission sequence table includes the following steps:
obtaining a use-frequency score from the use frequency of the protocol and a preset first scoring model;
obtaining the score mark returned after the protocol has been used manually, and obtaining a manual mark score from the score mark and a preset second scoring model;
obtaining the score value of the protocol in its associated field, where the associated field is defined as follows: in a preset protocol database, all protocols in the same category belong to the same associated field, and the score value is the average of the score values of the protocols in that associated field;
obtaining a degree score from the use-frequency score, the manual mark score, the associated-field score value and preset weights;
and arranging the protocols by degree score from largest to smallest to obtain the transmission sequence table.
With this technical scheme, the importance of a protocol is considered from three aspects, use frequency, manual marking and the score value of the associated field, so that a transmission sequence table ordered by protocol importance is more reliable.
The present application may be further configured in a preferred example so that the step of obtaining the degree score from the use-frequency score, the manual mark score, the score value and the preset weights is:
degree score = use-frequency score × 30% + manual mark score × 40% + associated-field score value × 30%.
The present application may be further configured in a preferred example so that the first scoring model is:
when the use frequency is within 10 times per week, use-frequency score = x;
when the use frequency is within 10 to 30 times per week, use-frequency score = x + 5;
when the use frequency is within 30 to 60 times per week, use-frequency score = x + 10;
when the use frequency is 60 times per week or more, use-frequency score = x + 20;
where x is the use frequency in times per week.
The present application may be further configured in a preferred example so that the second scoring model is:
receiving the score mark returned after manual use of the protocol;
the score marks are mapped as follows:
one star: manual mark score = 10;
two stars: manual mark score = 30;
three stars: manual mark score = 50;
four stars: manual mark score = 80;
five stars: manual mark score = 100.
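The three scoring models and the weighted degree score above, carried through in code. This is an added example, not code from the patent or its assignee: the interval boundaries of the first scoring model (which the text leaves open at exactly 10, 30 and 60), the layout of the preset protocol database as (protocol, category, stored score) records, the tie-break by name, and the sample database and weekly usage figures are all this example's own assumptions.

```python
"""Importance scoring and transmission-sequence-table construction.

Added example; not code from the patent or its assignee. The scoring models
and the 30/40/30 weights are as quoted in the text; everything else is this
example's assumption and is marked as such in comments.
"""
from __future__ import annotations

from dataclasses import dataclass


def frequency_score(x: int) -> int:
    """First scoring model; x is the use frequency in times per week.
    Boundary assumption: 'within 10' is <= 10, 'within 10 to 30' is (10, 30],
    'within 30 to 60' is (30, 60), '60 or more' is >= 60."""
    if x <= 10:
        return x
    if x <= 30:
        return x + 5
    if x < 60:
        return x + 10
    return x + 20


STAR_SCORES = {1: 10, 2: 30, 3: 50, 4: 80, 5: 100}


def manual_mark_score(stars: int) -> int:
    """Second scoring model: the star mark returned after manual use."""
    if stars not in STAR_SCORES:
        raise ValueError(f"star mark must be 1..5, got {stars!r}")
    return STAR_SCORES[stars]


@dataclass(frozen=True)
class ProtocolRecord:
    """Assumed shape of one entry in the preset protocol database."""
    name: str
    category: str        # the 'field'; same category == same associated field
    stored_score: float


def association_score(name: str, db: list[ProtocolRecord]) -> float:
    """Average of the stored scores of every protocol in the same category."""
    me = next(r for r in db if r.name == name)
    peers = [r.stored_score for r in db if r.category == me.category]
    return sum(peers) / len(peers)


def degree_score(uses_per_week: int, stars: int, assoc: float) -> float:
    """Weights 30% / 40% / 30% as given in the text."""
    return (frequency_score(uses_per_week) * 0.30
            + manual_mark_score(stars) * 0.40
            + assoc * 0.30)


def build_send_sequence_table(usage: dict[str, tuple[int, int]],
                              db: list[ProtocolRecord]) -> tuple[list[str], dict[str, float]]:
    """usage maps protocol -> (uses per week, star mark). Returns the protocols
    ordered by degree score from largest to smallest (ties broken by name, an
    assumption: the text only says 'from large to small') and the scores."""
    scores = {p: degree_score(f, s, association_score(p, db)) for p, (f, s) in usage.items()}
    return sorted(scores, key=lambda p: (-scores[p], p)), scores


# Constructed sample data (not from the patent): a small protocol database and
# one week of usage with the star mark returned after manual use.
PROTOCOL_DB = [
    ProtocolRecord("modbus_tcp", "fieldbus", 80.0),
    ProtocolRecord("s7comm", "fieldbus", 60.0),
    ProtocolRecord("dnp3", "scada", 60.0),
    ProtocolRecord("opc_ua", "scada", 90.0),
]
WEEKLY_USAGE = {"modbus_tcp": (120, 5), "s7comm": (25, 3), "dnp3": (8, 4), "opc_ua": (45, 2)}

if __name__ == "__main__":
    order, scores = build_send_sequence_table(WEEKLY_USAGE, PROTOCOL_DB)
    for p in order:
        print(f"{p:12s} {scores[p]:6.1f}")
```

Note that the use-frequency score is the raw weekly count plus a bonus and is not capped, so a heavily used protocol can outscore a five-star manual mark (in the sample, modbus_tcp at 120 uses per week reaches 103.0); that is what the text's formula implies, and a deployment that wants the manual mark to dominate would have to normalise the frequency score first.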
The present application may be further configured in a preferred example so that, while the data packets are transmitted protocol by protocol according to the transmission sequence table:
when any protocol is detected transmitting an abnormal data packet, alarm information is generated;
an abnormal data packet being a data packet that is not carried by any identified protocol.
With this technical scheme, the user is warned early when abnormal data packets are transmitted.
The second object of the application is to provide an industrial security isolation exchange method applied to the internal terminal.
The second object of the present application is achieved by the following technical scheme:
an industrial security isolation exchange method, applied to an internal terminal, comprising the following steps:
acquiring a start instruction output by an enterprise office system;
judging whether the start instruction contains instant-mode information, the instant-mode information indicating that the external terminal is transmitting data packets protocol by protocol according to a transmission sequence table;
if so, calling up a receiving sequence table, the receiving sequence table being identical to the transmission sequence table;
and receiving the data packets protocol by protocol according to the receiving sequence table.
With this technical scheme, while receiving service data the internal terminal selects one of two receiving modes according to whether the external terminal has entered instant mode. When the external terminal is confirmed to have entered instant mode, that is, when the network protocol is overloaded, the internal terminal obtains from the isolation card the receiving sequence table corresponding to the transmission sequence table generated in the external terminal, receives the data packets according to that table, and forwards the packets received with priority to the enterprise office system, so that the enterprise office system obtains the important packets in the service data in time.
The third object of the present application is to provide an industrial security isolation exchange system.
The third object of the present application is achieved by the following technical solutions:
an industrial security isolation exchange system, comprising an external terminal, an internal terminal and an isolation card connecting the external terminal and the internal terminal; the external terminal comprises:
a data acquisition module, for acquiring the data packets uploaded by the industrial control system;
a first processing module, for identifying the protocol used by each data packet and merging identical protocols to obtain the total number of protocol types;
a second processing module, for obtaining, for each protocol type, the packet unit it allows to pass and calculating from the packet units the number of data packets to be sent by each protocol;
a data calculation module, for calculating the ratio of the number of protocols whose number of packets to be sent has reached a preset packet-number threshold to the total number of protocol types;
a data judging module, for judging whether the total number of protocol types is smaller than a preset first threshold and whether the ratio is smaller than a preset second threshold;
a third processing module, for sorting the protocols by importance on the basis of the total protocol types to obtain a transmission sequence table when the total number of protocol types has reached the preset first threshold and/or the ratio has reached the preset second threshold;
a logic output module, for transmitting the data packets protocol by protocol according to the transmission sequence table;
the internal terminal comprises:
a first receiving module, for acquiring the start instruction output by the enterprise office system;
a first judging module, for judging whether the start instruction contains instant-mode information, the instant-mode information indicating that the external terminal is transmitting data packets protocol by protocol according to a transmission sequence table;
a data calling module, for calling up a receiving sequence table when the start instruction contains instant-mode information, the receiving sequence table being identical to the transmission sequence table;
and a second receiving module, for receiving the data packets protocol by protocol according to the receiving sequence table.
The present application may be further configured in a preferred example so that the isolation card ferries the data packets to the internal terminal protocol by protocol according to the transmission sequence table, and outputs the transmission sequence table generated by the external terminal to the internal terminal as the receiving sequence table.
With this technical scheme, the isolation card outputs the transmission sequence table generated by the external terminal to the internal terminal as the receiving sequence table, which gives the internal terminal what it needs to receive the data packets transmitted by the external terminal.
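The exchange between the two terminals across the isolation card, as described in the internal-terminal method above and in the preferred example of the isolation card, with both sides' messages. This is an added example, not code from the patent or its assignee: the message framing on the card, the start-instruction dictionary and its enter_instant_mode flag, the protocol allow-list check on the internal terminal, and the sample stream are this example's own assumptions.

```python
"""One-way ferry between the external terminal and the internal terminal.

Added example; not code from the patent or its assignee. The isolation card
is modelled as a queue that only the outer side can fill and only the inner
side can drain; the start-instruction format, the flag name and the inner
terminal's protocol allow-list are assumptions of this example.
"""
from __future__ import annotations

from collections import deque

INSTANT_FLAG = "enter_instant_mode"  # assumed key in the office system's start instruction


class IsolationCard:
    """Physically unidirectional link: ferry() is the outer side's only
    operation, take() the inner side's; nothing flows back."""

    def __init__(self) -> None:
        self._queue: deque = deque()

    def ferry(self, item: tuple) -> None:
        self._queue.append(item)

    def take(self) -> tuple | None:
        return self._queue.popleft() if self._queue else None


def outer_transmit(card: IsolationCard, packets: list[tuple[str, bytes]],
                   send_table: list[str] | None) -> dict:
    """External terminal. In instant mode (send_table given) the table is
    ferried first, so the card can hand it on as the receiving sequence table,
    followed by the packets protocol by protocol in table order; packets of a
    protocol missing from the table go last. In normal mode packets are
    ferried in arrival order. Returns the start instruction the office system
    will issue (assumed format)."""
    if send_table is None:
        for proto, pkt in packets:
            card.ferry(("packet", proto, pkt))
        return {INSTANT_FLAG: False}
    card.ferry(("sequence_table", list(send_table)))
    rank = {p: i for i, p in enumerate(send_table)}
    for proto, pkt in sorted(packets, key=lambda x: rank.get(x[0], len(rank))):
        card.ferry(("packet", proto, pkt))
    return {INSTANT_FLAG: True}


def inner_receive(card: IsolationCard, start_instruction: dict,
                  allowed: set[str]) -> list[tuple[str, bytes]]:
    """Internal terminal: pick one of the two receiving modes from the flag in
    the start instruction and return the packets in delivery order."""
    if not start_instruction.get(INSTANT_FLAG):
        arrived = []
        while (item := card.take()) is not None:
            if item[0] == "packet":          # a stray table is not consumed in this mode
                arrived.append((item[1], item[2]))
        return arrived
    head = card.take()
    if head is None or head[0] != "sequence_table":
        raise RuntimeError("instant mode flagged but no receiving sequence table was ferried")
    table = head[1]
    # Check added by this example: the table originates on the less trusted
    # side, so only protocols known to the inner policy are accepted.
    unknown = [p for p in table if p not in allowed]
    if unknown:
        raise ValueError(f"receiving sequence table names unknown protocols: {unknown}")
    rank = {p: i for i, p in enumerate(table)}
    queued = []
    while (item := card.take()) is not None:
        queued.append((item[1], item[2]))
    # Receive according to the table; the stable sort keeps arrival order
    # within a protocol, and protocols absent from the table come last.
    return sorted(queued, key=lambda x: rank.get(x[0], len(rank)))


# Constructed sample stream (not captured data).
SAMPLE_STREAM = [("s7comm", b"s1"), ("modbus_tcp", b"m1"), ("dnp3", b"d1"), ("modbus_tcp", b"m2")]
ALLOWED_PROTOCOLS = {"modbus_tcp", "s7comm", "dnp3"}

if __name__ == "__main__":
    card = IsolationCard()
    instr = outer_transmit(card, SAMPLE_STREAM, ["modbus_tcp", "dnp3", "s7comm"])
    print(inner_receive(card, instr, ALLOWED_PROTOCOLS))
```

Because the link is one-way, the internal terminal cannot ask for the table; the external terminal has to push it ahead of the packets, and the internal terminal has to be told by the start instruction to expect it, which is why a mismatch between the two sides' modes is treated as an error rather than silently read as data. The allow-list check is added here because the table crosses from the less trusted side: an ordering that names protocols unknown to the inner policy is rejected rather than applied.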
In summary, the present application includes at least one of the following beneficial technical effects:
1. While transmitting service data, the external terminal judges the load condition of the network protocol from two factors: whether the total number of protocol types used by the data packets is smaller than the preset first threshold, and whether the ratio of protocols whose number of packets to be sent has reached the preset packet-number threshold to the total number of protocol types is smaller than the preset second threshold. If either factor, or both, has reached its threshold, the network protocol is judged to be overloaded and the external terminal enters instant mode. In instant mode the external terminal sorts the protocols by importance to obtain a transmission sequence table and transmits the data packets protocol by protocol in that order, so that important protocols transmit first and the real-time transmission of the important packets in the service data is guaranteed even when the network protocol is overloaded;
2. While receiving service data, the internal terminal selects one of two receiving modes according to whether the external terminal has entered instant mode. When the external terminal is confirmed to have entered instant mode, that is, when the network protocol is overloaded, the internal terminal obtains from the isolation card the receiving sequence table corresponding to the transmission sequence table generated in the external terminal, receives the data packets according to that table, and forwards the packets received with priority to the enterprise office system, so that the enterprise office system obtains the important packets in the service data in time.
Drawings
Fig. 1 is a block diagram of an industrial security isolation exchange system according to an embodiment of the present application.
Fig. 2 is a flowchart of the industrial security isolation exchange method applied to the external terminal according to an embodiment of the application.
Fig. 3 is a flowchart of sorting a plurality of protocols by importance to obtain a sequence table in an embodiment of the present application.
Fig. 4 is a flowchart of the industrial security isolation exchange method applied to the internal terminal according to an embodiment of the application.
Reference numerals: 10. external terminal; 11. first base component; 12. data acquisition module; 13. first processing module; 14. second processing module; 15. data calculation module; 16. data judging module; 17. third processing module; 18. logic output module; 20. isolation card; 30. internal terminal; 31. second base component; 32. first receiving module; 33. first judging module; 34. data calling module; 35. second receiving module.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
The application provides an industrial security isolation exchange system; referring to fig. 1, the system comprises an external terminal 10, an internal terminal 30 and an isolation card 20. The internal terminal 30 and the external terminal 10 each have independent storage and computing units and independent buses. The external terminal 10 and the internal terminal 30 are connected through the isolation card 20 in a physically unidirectional way, that is, the isolation card 20 ferries service data from the external terminal 10 to the internal terminal 30.
The external terminal 10 is deployed in the industrial control system, which in this embodiment is the production control layer that controls the production and monitoring equipment of that layer to achieve automated production; for example, the external terminal is applied to conventional production systems of the production control layer such as the textile industry or a printing plant.
The external terminal 10 has an external network interface through which it connects to the industrial control system. Inside the external terminal 10 is a first base component 11, which comprises an instruction exchange management module, a data buffer module, an encryption and authentication module, a connection management module, a deep protocol filtering module, a policy management module and a security audit module. The instruction exchange management module stores instructions, programs, code, code sets or instruction sets, including the instructions that implement the operating system and at least one instruction that implements the industrial security isolation exchange method. The data buffer module stores the data involved in implementing the method. The encryption and authentication module supports connections in two-way certificate authentication mode, so that connections to the external terminal 10 are authenticated more strictly and reliably; it also provides the technical support for the external network interface to use encrypted authentication modes such as SSL and TLS, so that service data cannot be eavesdropped on or tampered with. The connection management module supports dynamic port functions such as OPC: the system opens and closes the dynamic ports of industrial control protocols automatically without special configuration. The deep protocol filtering module parses the messages of the protocols in the industrial control system in depth, and illegal messages cannot be ferried to the enterprise office system. The policy management module supports an IP whitelist policy function.
The security audit module supports remote log output over a custom protocol and standard syslog output, keeps a detailed audit record of operations such as the connection behaviour of the external terminal 10 and dynamic port opening, and raises alarms and uploads messages for illegal message content.
In one possible implementation, the external terminal 10 further comprises a data acquisition module 12, a first processing module 13, a second processing module 14, a data calculation module 15, a data judging module 16, a third processing module 17 and a logic output module 18. The data acquisition module 12, first processing module 13, second processing module 14 and data calculation module 15 are connected in sequence; the data judging module 16 is connected to both the first processing module 13 and the data calculation module 15; and the data judging module 16, third processing module 17 and logic output module 18 are connected in sequence.
The internal terminal 30 is deployed in the enterprise office system, which in this embodiment is a management platform for data management, data monitoring and strategic decisions based on the service data. The enterprise office system obtains service data from the industrial control system through the internal terminal 30, the isolation card 20 and the external terminal 10 in turn, and issues strategy decisions based on that data to direct the work of the industrial control system, achieving remote monitoring of production. The internal terminal 30 has an intranet interface through which it connects to the enterprise office system. A second base component 31, identical to the first base component 11 of the external terminal 10, is provided in the internal terminal 30; each module of the second base component 31 has the same function as the module of the same name in the first base component 11, so the description is not repeated here.
In one possible implementation, the internal terminal 30 further comprises a first receiving module 32, a first judging module 33, a data calling module 34 and a second receiving module 35, connected in sequence.
It should be noted that the units or modules described in the embodiments of the present application may be implemented in software or in hardware. Their names do not limit the units or modules themselves; for example, the data acquisition module 12 may also be described as "a module for acquiring data packets uploaded by an industrial control system".
The method is based on a "2+1" system structure (two hosts plus one isolation card). Dedicated hardware and dedicated communication protocols isolate the industrial control system from any direct connection to the enterprise office system, and a strict security policy controls the service data at fine granularity, so that malicious attacks and leakage of sensitive information are prevented and secure, reliable isolation and controlled exchange of information between the networks are ensured. On this basis of secure and reliable service data transmission, an industrial security isolation exchange method is provided to prevent the poor real-time performance of service data transmission caused by overload of the network protocol.
The above describes a system embodiment; the technical solution is further described below through a method embodiment.
The present application provides an industrial security isolation exchange method applied to the external terminal 10; its main flow is described below with reference to fig. 2:
step S110: and obtaining the data packet uploaded by the industrial control system.
As can be seen from the system embodiment, when the external terminal 10 is connected to the industrial control system through the external network interface, the external terminal 10 can obtain the data packet uploaded by the industrial control system through the external network interface.
Step S120: the protocol used by the data packet is identified, and the same protocol is combined to obtain the total protocol type.
The data packet is data output by devices in the industrial control system, and the data packets output by all the devices in the industrial control system are combined into service data, each device adopts at least one protocol to transmit the data packet, and each data packet only uses one protocol, but the same protocol can allow different data packets to pass through. In order to identify the protocol used by the data packet, the application adopts a port-based identification technology and a message load characteristic-based identification technology to perform double identification.
For port-based identification techniques, the network environment used by the industrial control system is closed, so that the devices, services, topologies, etc. that are connectable in the network are known. In a closed network, unknown new application cannot be greatly generated, and the port number change condition of the known service can be obtained, so that the coverage rate and the identification rate of the message can be ensured by the port-based identification technology. In addition, the identification technology based on the port has higher identification efficiency than other commonly used protocol identification technologies, so that the instantaneity of service data can be effectively ensured by using the identification technology based on the port. For the recognition technology based on the message load characteristics, the algorithm checks the application layer load part on the TCP header or the UDP header of each data packet in the service data, and if the fingerprint characteristics of the application protocol are checked, the service data allowed to pass through the application layer load part is marked as the corresponding application protocol, so that the accuracy of the recognition technology based on the message load characteristics is higher, and therefore, the accuracy of the recognition result can be effectively ensured by adopting the protocol for recognizing the data packets by adopting the double recognition technology.
After all protocols used by the industrial control system for transmitting the service data are obtained, the same protocols are combined into one class by adopting a method of seeking identity, and different protocols are stored in a strategy management module, so that the total protocol type used by the industrial control system for transmitting the service data is obtained.
Step S130: according to the total protocol type, obtain the packet unit each protocol type allows to pass, and calculate from the packet unit the number of packets each protocol has to send.
The packet unit is the minimum length of a packet transmitted by the protocol. Because each protocol type allows a different minimum packet length, the packet unit allowed by each protocol must be recorded; once it is known, the number of packets each protocol has to send can be calculated from that packet unit and from the packets contained in the service data. In short, the number of packets to be sent is the number of packets that have to pass through the protocol. For example, if the first item of data a1, the second item a2 and the third item a3 all use protocol A and are carried in 3, 7 and 8 packets respectively, the number of packets to be sent by protocol A = 3 + 7 + 8 = 18.
The number of packets to be sent is calculated per protocol so that the number of packets queued on each protocol is known; when the queued number becomes excessive, the transmission of a few important protocols can be controlled and an overload of the network protocol avoided.
Step S140: calculate the ratio of the number of protocols whose number of packets to be sent has reached the preset packet-number threshold to the total protocol type.
Every protocol is given a preset packet-number threshold, that is, a threshold on the number of packets it may have waiting to be sent, so that packets do not queue for too long.
The ratio of the protocols whose number of packets to be sent has reached their preset threshold to the total protocol type therefore gives the share of protocol types whose packets are currently queued, from which the load on the network protocol can be read off.
Step S150: judge whether the total protocol type is smaller than a preset first threshold and whether the ratio is smaller than a preset second threshold.
In this embodiment the preset first threshold is 95% of all the protocols contained in the industrial control system, i.e. it is judged whether the total protocol type is less than 95% of all the protocols the industrial control system contains. The preset second threshold is 50%, i.e. it is judged whether the ratio of the protocols whose packets to be sent have reached the preset packet-number threshold to the total protocol type is less than 50%.
The judgement has two outcomes. If both conditions hold, step S180 is executed: the network protocol load is within the normal range and the service data can be ferried from the external terminal 10 through the isolation card 20 to the internal terminal 30. Otherwise, i.e. when the total protocol type has reached the preset first threshold and/or the ratio has reached the second threshold, step S160 is executed and the instant mode is entered. The instant mode is the procedure adopted when the network protocol is overloaded in order to guarantee the real-time delivery of the service data.
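Steps S130 to S150 as one worked example (added here, not the patent's code). The patent does not say how the packet count is derived from the packet unit; this example assumes that an item of service data of `length` bytes sent over a protocol with packet unit `unit` is split into ceil(length / unit) packets, which reproduces the 3 + 7 + 8 = 18 figure from the description. Packet units, thresholds and the list of protocols are constructed values.

```python
"""Load check on the external terminal: steps S130 (packet counts), S140 (ratio)
and S150 (threshold judgement). Added example, not the patent's implementation.
Assumption: packets per item = ceil(length / packet unit)."""
import math
from collections import Counter

# Constructed per-protocol packet unit (minimum packet length in bytes).
PACKET_UNIT = {"modbus": 12, "opcua": 64, "s7comm": 22, "dnp3": 10, "iec104": 6}
# Constructed per-protocol threshold on the number of packets queued to send.
PACKET_THRESHOLD = {p: 15 for p in PACKET_UNIT}
# All protocols the industrial control system contains (constructed).
ALL_PROTOCOLS = set(PACKET_UNIT)

# Service-data items after step S120: (protocol, length of the item in bytes).
SERVICE_DATA = [
    ("modbus", 36), ("modbus", 84), ("modbus", 96),   # 3 + 7 + 8 = 18 packets
    ("opcua", 640),                                   # 10 packets
    ("s7comm", 44), ("s7comm", 66),                   # 2 + 3 = 5 packets
]

FIRST_THRESHOLD = 0.95   # total protocol type vs. all protocols in the ICS
SECOND_THRESHOLD = 0.50  # share of protocol types at their packet threshold


def packets_to_send(service_data, packet_unit):
    """Step S130: number of packets queued per protocol."""
    counts = Counter()
    for proto, length in service_data:
        counts[proto] += math.ceil(length / packet_unit[proto])
    return dict(counts)


def overloaded_ratio(counts, thresholds):
    """Step S140: protocols at/over their threshold divided by the total protocol type."""
    if not counts:
        return 0.0
    at_threshold = sum(1 for p, n in counts.items() if n >= thresholds[p])
    return at_threshold / len(counts)


def needs_instant_mode(counts, thresholds, all_protocols):
    """Step S150: normal operation only if BOTH quantities stay below their thresholds;
    reaching either one (and/or) enters the instant mode."""
    type_share = len(counts) / len(all_protocols)
    ratio = overloaded_ratio(counts, thresholds)
    return not (type_share < FIRST_THRESHOLD and ratio < SECOND_THRESHOLD)


if __name__ == "__main__":
    counts = packets_to_send(SERVICE_DATA, PACKET_UNIT)
    print(counts, overloaded_ratio(counts, PACKET_THRESHOLD),
          needs_instant_mode(counts, PACKET_THRESHOLD, ALL_PROTOCOLS))
```

Note that the first threshold triggers on breadth rather than depth: with five protocols in the system, light traffic on all five already counts as overload (5/5 = 100% is not below 95%), while heavy traffic on three of them is judged only by the second threshold.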
Step S160: based on the total protocol type, order the protocols by importance to obtain a transmission sequence table.
Referring to fig. 3, obtaining the transmission sequence table comprises:
Step S161: obtain a usage frequency score from the protocol's usage frequency and a preset first scoring model. In this embodiment the first scoring model is:
when the frequency of use is within 10 times per week, the frequency of use score = x;
when the frequency of use is within 10 to 30 times per week, the frequency of use score=x+5;
when the frequency of use is within 30 to 60 times per week, the frequency of use score=x+10;
when the frequency of use is 60 times per week or more, the frequency of use score=x+20;
where x is the frequency of use.
Note that the usage frequency only counts the number of uses; the duration of each use is not recorded.
Step S162: obtain the score mark given after the protocol has been used manually, and obtain a manual mark score from the score mark and a preset second scoring model. In this embodiment the second scoring model is:
receiving a grading mark returned after manual protocol use;
the scoring marks are:
when the score mark is one star, the manual mark score = 10;
when the score mark is two stars, the manual mark score = 30;
when the score mark is three stars, the manual mark score=50;
when the score mark is four stars, the manual mark score=80;
when the score is marked five stars, the manual marking score=100.
In short, after the service data has been transmitted a score-marking page is generated and the user marks each protocol according to how it served the business, the mark being given as a number of stars. When a protocol is used for the first time no mark has yet been returned, and its manual mark score is 0.
Step S163: obtain the protocol's score value in its associated fields.
The associated fields are defined as follows: in the preset protocol database, all fields belonging to the same category are associated fields. For example, in the refining domain the refining units form one category, and the reforming unit, the catalytic unit, the atmospheric and vacuum distillation unit and so on that belong to that category are associated fields.
The score value is the average of the protocol's degree scores in the associated fields. For example, category B comprises fields B1, B2, B3 and B4, and the degree scores of protocol A in fields B2, B3 and B4 are 60, 70 and 80 respectively; when protocol A is scored within category B, its score value is
score value = (60 + 70 + 80) / 3 = 70
After the usage frequency score, the manual mark score and the score value have been obtained in steps S161 to S163, step S164 combines them into the degree score with preset weights:
degree score = use frequency score x 30% + artificial mark score x 40% + score x 30%.
The degree score of every protocol is calculated in turn with this formula, the degree scores are compared, and the protocols are arranged from the largest degree score to the smallest to give the transmission sequence table. When the network protocol is overloaded, packets are sent in the order of this table, so that the important protocols transmit their packets first; this avoids the situation in which overload lengthens the transmission time of packets with strict real-time requirements until the service data has lost its value.
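Steps S161 to S164 carried through in code, as an added example (not the patent's code): the two scoring models, the associated-field average and the 30/40/30 weighting, followed by the descending sort that yields the transmission sequence table. The description does not fix which band a boundary value such as exactly 10 uses per week falls into; this code assumes the lower bound of each band is inclusive. The protocol records are constructed.

```python
"""Ordering protocols by importance (steps S161 to S164).
Added example, not the patent's implementation. Band boundaries of the first
scoring model are assumed lower-inclusive (10 falls into the 10 to 30 band)."""
from dataclasses import dataclass


def frequency_score(uses_per_week: int) -> int:
    """First scoring model: weekly use count x plus a band bonus."""
    x = uses_per_week
    if x < 10:
        return x
    if x < 30:
        return x + 5
    if x < 60:
        return x + 10
    return x + 20


# Second scoring model; 0 stars = no mark returned yet (first use), score 0.
STAR_SCORE = {0: 0, 1: 10, 2: 30, 3: 50, 4: 80, 5: 100}


def manual_score(stars: int) -> int:
    return STAR_SCORE[stars]


def association_score(degree_scores_in_associated_fields) -> float:
    """Step S163: mean of the protocol's degree scores in the associated fields."""
    scores = list(degree_scores_in_associated_fields)
    return sum(scores) / len(scores) if scores else 0.0


def degree_score(uses_per_week: int, stars: int, associated_scores) -> float:
    """Step S164: 30% frequency score + 40% manual mark score + 30% score value."""
    return (0.3 * frequency_score(uses_per_week)
            + 0.4 * manual_score(stars)
            + 0.3 * association_score(associated_scores))


@dataclass(frozen=True)
class ProtocolRecord:
    name: str
    uses_per_week: int
    stars: int                 # 0 when never marked
    associated_scores: tuple   # degree scores of this protocol in associated fields


def transmission_sequence(records):
    """Protocols sorted by degree score, largest first (ties broken by name)."""
    scored = [(degree_score(r.uses_per_week, r.stars, r.associated_scores), r.name)
              for r in records]
    scored.sort(key=lambda t: (-t[0], t[1]))
    return [name for _, name in scored]


# Constructed records (not from the patent).
SAMPLE_RECORDS = [
    ProtocolRecord("opcua", 45, 4, (60, 70, 80)),   # 16.5 + 32 + 21   = 69.5
    ProtocolRecord("modbus", 8, 5, (90,)),           # 2.4 + 40 + 27    = 69.4
    ProtocolRecord("s7comm", 120, 0, ()),            # 42 + 0 + 0       = 42.0 (first use)
    ProtocolRecord("dnp3", 25, 2, (40, 50)),         # 9 + 12 + 13.5    = 34.5
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r.name, round(degree_score(r.uses_per_week, r.stars, r.associated_scores), 2))
    print("transmission sequence table:", transmission_sequence(SAMPLE_RECORDS))
```

One property of the formulas worth keeping in mind: the manual mark score is capped at 100 and the score value at the largest degree score, but the frequency score grows without bound with x, so a protocol used several hundred times a week outranks every manually marked protocol whatever its stars. The s7comm record above already scores 42 on frequency alone with no mark and no associated fields.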
Step S170: transmit the packets according to the protocols in the transmission sequence table. When packets are transmitted in this order, part of them reach the internal terminal 30 first while the rest remain stored on the external terminal 10; once all packets belonging to protocols in the transmission sequence table have been transferred to the internal terminal 30, the remaining packets are transmitted. To preserve the integrity of the service data, the internal terminal 30 forwards the packets it receives from the external terminal 10 in sequence-table order to the enterprise office system as soon as they arrive and keeps a backup of them; once every packet has reached the internal terminal 30, it sends the complete service data to the enterprise office system a second time.
While transmitting packets in sequence-table order, the external terminal 10 also packages the transmission sequence table, backs it up and sends it to the isolation card 20, so that the internal terminal 30 can receive the packets in the same protocol order. At the same time the external terminal 10 monitors the packets sent by each protocol in real time. When it detects that a protocol has transmitted an abnormal packet, that is, a packet appears among that protocol's transmissions that was not transmitted by that protocol, it generates alarm information, the security audit module writes a log entry and reports it to the industrial control system, and the industrial control system disconnects the protocol that sent the abnormal packet from the isolation card 20 until a user has inspected it. Only then may that protocol pass traffic again, which improves the security of the service data transmitted by the external terminal 10.
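Step S170 together with the abnormal-packet check, as an added example (not the patent's code). The patent only says that an abnormal packet is one found among a protocol's transmissions that was not transmitted by that protocol; this example assumes the check compares the protocol whose queue a packet sits in with the protocol the dual identification of step S120 assigned to it, raises an alarm and an audit-log entry on a mismatch, and cuts the protocol off so that its remaining packets are held until the overhaul. Sequence table and packets are constructed.

```python
"""Transmission in sequence-table order with real-time monitoring (step S170).
Added example, not the patent's implementation. Assumption: a packet is abnormal
when its queue protocol differs from the protocol identified for it in step S120."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class QueuedPacket:
    seq: int
    queued_under: str    # protocol queue the packet was placed in
    identified_as: str   # result of the dual identification (step S120)
    payload: bytes


@dataclass
class TransmitResult:
    sent: list = field(default_factory=list)         # (protocol, seq) in transmit order
    held: list = field(default_factory=list)         # seqs held back after a cut-off
    audit_log: list = field(default_factory=list)    # security-audit entries
    disconnected: set = field(default_factory=set)   # protocols cut off until overhaul


def transmit(sequence_table, packets):
    """Send protocols in sequence-table order, then any protocol not in the table."""
    queues = defaultdict(list)
    for p in packets:
        queues[p.queued_under].append(p)
    order = list(sequence_table) + [p for p in queues if p not in sequence_table]

    result = TransmitResult()
    for proto in order:
        for p in queues.get(proto, []):
            if proto in result.disconnected:
                result.held.append(p.seq)          # nothing passes until a user overhauls
                continue
            if p.identified_as != proto:           # abnormal packet: alarm, log, cut off
                result.audit_log.append({
                    "alarm": "abnormal packet",
                    "protocol": proto,
                    "seq": p.seq,
                    "identified_as": p.identified_as,
                    "action": "disconnect from isolation card until overhaul",
                })
                result.disconnected.add(proto)
                result.held.append(p.seq)
                continue
            result.sent.append((proto, p.seq))
    return result


# Constructed input: sequence table from step S160 and the queued packets.
SEQUENCE_TABLE = ["modbus", "s7comm", "opcua"]
QUEUED = [
    QueuedPacket(1, "modbus", "modbus", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    QueuedPacket(2, "modbus", "modbus", b"\x00\x02\x00\x00\x00\x06\x01\x03\x00\x0a\x00\x02"),
    QueuedPacket(3, "s7comm", "s7comm", b"\x03\x00\x00\x07\x02\xf0\x80"),
    QueuedPacket(4, "s7comm", "opcua", b"HELF\x20\x00\x00\x00"),   # wrong protocol in the s7comm queue
    QueuedPacket(5, "s7comm", "s7comm", b"\x03\x00\x00\x07\x02\xf0\x80"),
    QueuedPacket(6, "opcua", "opcua", b"MSGF\x18\x00\x00\x00"),
    QueuedPacket(7, "dnp3", "dnp3", b"\x05\x64\x05\xc0\x01\x00\x00\x04\xe9\x21"),  # not in the table
]

if __name__ == "__main__":
    r = transmit(SEQUENCE_TABLE, QUEUED)
    print("sent:", r.sent)
    print("held:", r.held)
    print("audit log:", r.audit_log)
```

The point of the ordering is visible in the output: packets 1 and 2 of the top-ranked protocol leave first, dnp3 (absent from the table) goes last, and the first foreign packet in the s7comm queue stops that queue entirely instead of being forwarded to the isolation card.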
In summary, while transmitting service data the external terminal 10 judges the load on the network protocol from two quantities: whether the total protocol type used by the packets is less than 95% of all the protocols contained in the industrial control system, and whether the ratio of the protocols whose packets to be sent have reached the preset packet-number threshold to the total protocol type is less than 50%. If either or both thresholds are reached, the network protocol is judged to be overloaded and the external terminal 10 enters the instant mode. In the instant mode the external terminal 10 orders the protocols by importance to obtain a transmission sequence table and transmits the packets in that order, so that the important protocols transmit first and the important packets in the service data are still delivered in real time while the network protocol is overloaded.
The present application also provides an industrial safety isolation exchange method applied to the internal terminal 30. Referring to fig. 4, the main flow of the exchange method on the internal terminal 30 is as follows:
Step S210: obtain a start instruction output by the enterprise office system.
The internal terminal 30 is connected to the enterprise office system, which outputs a start instruction when it needs service data from the industrial control system to guide strategic decisions. The start instruction may be generated automatically by the enterprise office system when it periodically collects service data, or entered by a user through the enterprise office system to request service data.
Whether the start instruction was generated automatically or entered by a user, the internal terminal 30 enters the working state on receiving it and then obtains from the isolation card 20 the service data transmitted by the external terminal 10.
Note that the internal terminal 30 stores an authentication instruction. On receiving a start instruction it keeps issuing I/O requests to the isolation card 20; if a request fails, a log entry is generated and the program on the internal terminal 30 reports through that log, so that the user can be notified that the isolation card 20 is faulty and needs inspection. This safeguards the reliability of the service data transmission.
Step S220: judge whether the start instruction contains the information that the instant mode has been entered.
The instant mode information means that the network protocol is overloaded and the external terminal 10 is transmitting packets according to the protocols in the transmission sequence table. If the instruction contains the instant mode information, the next step is taken; otherwise step S250 is executed and the service data is received according to all the protocols contained in the enterprise office system. Note that the enterprise office system and the industrial control system contain not only the same number of protocols but protocols that correspond to each other one to one.
Step S230: retrieve the receiving sequence table.
The receiving sequence table contains the same protocols in the same order as the transmission sequence table; the only difference is that the transmission sequence table is generated by the external terminal 10, whereas the receiving sequence table is obtained by the internal terminal 30 from the external terminal 10 through the isolation card 20. The two names merely distinguish which terminal holds the table and do not imply different contents.
Step S240: receive the packets according to the protocols in the receiving sequence table.
After the internal terminal 30 has received the packets in the order of the receiving sequence table, it forwards the packets received first to the enterprise office system and keeps a backup of them; when all packets have been received, it sends the complete service data to the enterprise office system again. The enterprise office system thus obtains the important packets promptly and the complete service data afterwards, which improves the reliability and practicality of the application.
In summary, when receiving service data the internal terminal 30 chooses one of two receiving modes according to whether the external terminal 10 has entered the instant mode. When the external terminal 10 is confirmed to have entered the instant mode, i.e. the network protocol is overloaded, the internal terminal 30 obtains from the isolation card 20 the receiving sequence table corresponding to the transmission sequence table generated on the external terminal 10, receives the packets in that order and forwards the packets received first to the enterprise office system, so that the enterprise office system obtains the important packets in the service data in time.
The foregoing description covers only the preferred embodiments of the present application and explains the principles of the technology used. Persons skilled in the art will appreciate that the scope of the disclosure is not limited to the specific combinations of features described above; it also covers other embodiments formed by any combination of the above features or their equivalents without departing from the spirit of the disclosure, for example embodiments in which the features described above are replaced by technical features with similar functions disclosed in (but not limited to) the present application.

Claims (9)

1. An industrial safety isolation exchange method applied to an external terminal machine (10) and an internal terminal machine (30), characterized in that the method applied to the external terminal machine (10) comprises the following steps:
acquiring a data packet uploaded by an industrial control system;
identifying a protocol used by the data packet, and merging the same protocol to obtain a total protocol type;
acquiring data packet units allowed to pass through by each protocol type according to the total protocol type, and calculating the number of data packets to be sent by each protocol according to the data packet units;
calculating the ratio of the protocol of which the number of data packets to be transmitted reaches a preset data packet number threshold value to the total protocol type;
judging whether the total protocol type is smaller than a preset first threshold value and whether the ratio is smaller than a preset second threshold value;
if not, sorting a plurality of protocols according to importance degrees based on the total protocol types to obtain a transmission sequence table;
transmitting data packets according to the protocol in the transmission sequence table;
the method applied to the internal terminal machine (30) comprises the following steps:
acquiring a starting instruction output by an enterprise office system;
judging whether the starting instruction contains the information of entering the instant mode, wherein the instant mode information is that the external terminal machine (10) transmits a data packet according to a protocol in a transmitting sequence table;
if yes, a receiving sequence table is called, wherein the receiving sequence table is the same as the transmitting sequence table;
and receiving the data packet according to the protocol in the receiving sequence table.
2. The industrial safety isolation exchange method of claim 1, wherein the step of identifying the protocol used by the data packet comprises: performing dual identification with a port-based identification technique and a message-payload-feature-based identification technique.
3. The industrial safety isolation switching method according to claim 1, wherein the step of sorting the plurality of protocols by importance degree based on the total protocol type to obtain a transmission sequence list comprises:
obtaining a using frequency score according to the using frequency of the protocol and a preset first scoring model;
obtaining a score mark given after manual use of the protocol, and obtaining a manual mark score from the score mark and a preset second scoring model;
obtaining a score value of the protocol in its associated fields, wherein the associated fields are defined as follows: in a preset protocol database, all fields in the same category are associated fields, and the score value is the average of the degree scores of the protocol in the associated fields;
obtaining a degree score from the usage frequency score, the manual mark score, the score value and a preset weight;
and arranging the protocols by degree score from large to small to obtain a transmission sequence table.
4. The industrial safety isolated switching method of claim 3, wherein the step of obtaining the degree score according to the frequency of use score, the manual marking score, the scoring value and the preset weight comprises:
degree score = use frequency score x 30% + artificial mark score x 40% + score x 30%.
5. The industrial safety isolation switching method of claim 3, wherein the first scoring model is:
when the frequency of use is within 10 times per week, the frequency of use score = x;
when the frequency of use is within 10 to 30 times per week, the frequency of use score=x+5;
when the frequency of use is within 30 to 60 times per week, the frequency of use score=x+10;
when the frequency of use is 60 times per week or more, the frequency of use score=x+20;
where x is the frequency of use.
6. The industrial safety isolation switching method of claim 3, wherein the second scoring model is:
receiving a grading mark returned after manual protocol use;
the scoring marks are:
when the score mark is one star, the manual mark score = 10;
when the score mark is two stars, the manual mark score = 30;
when the score mark is three stars, the manual mark score=50;
when the score mark is four stars, the manual mark score=80;
when the score is marked five stars, the manual marking score=100.
7. The industrial safety isolation exchange method according to claim 1, wherein, in the process of transmitting the data packets according to the protocols in the transmission sequence table:
when it is detected that any protocol has transmitted an abnormal data packet, alarm information is generated;
the abnormal data packet being a data packet not transmitted by that protocol.
8. An industrial safety isolated switching system for performing the method of any of claims 1-7, comprising: an outer terminal machine (10), an inner terminal machine (30), and an isolation card (20) for connecting the outer terminal machine (10) and the inner terminal machine (30);
the external terminal (10) includes:
the data acquisition module (12) is used for acquiring data packets uploaded by the industrial control system;
the first processing module (13) is used for identifying the protocol used by the data packet, and combining the same protocol to obtain the total protocol type;
the second processing module (14) is used for acquiring data packet units allowed to pass through by each protocol type according to the total protocol type, and calculating the number of data packets to be sent by each protocol according to the data packet units;
a data calculation module (15) for calculating the ratio of the protocols whose number of data packets to be transmitted has reached a preset data packet number threshold to the total protocol type;
a data judging module (16) for judging whether the total protocol type is smaller than a preset first threshold value and whether the ratio is smaller than a preset second threshold value;
the third processing module (17) is used for sorting a plurality of protocols according to importance degrees based on the total protocol type to obtain a transmission sequence table when the total protocol type reaches a preset first threshold value and/or the ratio reaches a preset second threshold value;
a logic output module (18) for transmitting data packets according to the protocol in the transmission sequence table;
the internal terminal machine (30) comprises:
a first receiving module (32) for acquiring the start instruction output by the enterprise office system;
A first judging module (33) for judging whether the starting instruction contains the information of entering the instant mode, wherein the instant mode information is that the external terminal machine (10) transmits the data packet according to the protocol in the transmitting sequence table;
the data calling module (34) is used for calling a receiving sequence table when the starting instruction contains the information of entering the instant mode, and the receiving sequence table is the same as the transmitting sequence table;
and the second receiving module (35) is used for receiving the data packet according to the protocol in the receiving sequence table.
9. The industrial safety isolation switching system according to claim 8, wherein the isolation card (20) is configured to ferry the data packet to the internal terminal (30) according to a protocol in a transmission sequence table, and output the transmission sequence table generated by the external terminal (10) as a reception sequence table to be transmitted to the internal terminal (30).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210789068.7A CN115150174B (en) 2022-07-06 2022-07-06 Industrial safety isolation exchange method and system

Publications (2)

Publication Number Publication Date
CN115150174A CN115150174A (en) 2022-10-04
CN115150174B true CN115150174B (en) 2023-05-05

Family

ID=83412924

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210789068.7A Active CN115150174B (en) 2022-07-06 2022-07-06 Industrial safety isolation exchange method and system

Country Status (1)

Country Link
CN (1) CN115150174B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104348783A (en) * 2013-07-26 2015-02-11 海尔集团公司 Method for rapid communication between internal machines and external machine in a multi-online system according to multiple protocols and device thereof
CN106850714A (en) * 2015-12-04 2017-06-13 中国电信股份有限公司 Caching sharing method and device

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE69905623T2 (en) * 1999-05-21 2003-10-02 Nokia Corp PACKAGE DATA TRANSFER IN THE THIRD GENERATION MOBILE RADIO SYSTEM
JP2006245834A (en) * 2005-03-02 2006-09-14 Nec Corp Communication device for ip network
US7739300B2 (en) * 2005-09-09 2010-06-15 Teradata Us, Inc. System and method for processing a prioritizing protocol
CN101360063B (en) * 2008-09-10 2011-04-13 中国科学院计算技术研究所 Service stream transmission control method and system in IP network
CN102118361B (en) * 2009-12-31 2014-07-23 北京金山软件有限公司 Method and device for controlling data transmission based on network protocol
CN102457519B (en) * 2011-10-21 2015-07-29 北京安天电子设备有限公司 The self-adapted protocol method of sampling and device
CN103763343A (en) * 2013-12-27 2014-04-30 乐视网信息技术(北京)股份有限公司 Method and device for processing service access
CN107634908B (en) * 2016-07-19 2021-06-08 华为技术有限公司 Data transmission method and equipment
CN106911703B (en) * 2017-03-08 2020-01-07 北京中交创新投资发展有限公司 Method and system for building unified interface platform
US11477125B2 (en) * 2017-05-15 2022-10-18 Intel Corporation Overload protection engine
US11895193B2 (en) * 2020-07-20 2024-02-06 Juniper Networks, Inc. Data center resource monitoring with managed message load balancing with reordering consideration
CN112994984B (en) * 2021-04-15 2021-07-30 紫光恒越技术有限公司 Method for identifying protocol and content, storage device, security gateway and server
CN113315720B (en) * 2021-04-23 2023-02-28 深圳震有科技股份有限公司 Data flow control method, system and equipment


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant