CN115333847B - Data transmission method, data processing system and computing device - Google Patents

Publication number
CN115333847B
Authority
CN
China
Prior art keywords
information
target terminal
data
token
terminal equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211007313.0A
Other languages
Chinese (zh)
Other versions
CN115333847A (en)
Inventor
鲍国顺
赵梓健
何祉霖
汪旭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
XFusion Digital Technologies Co Ltd
Original Assignee
XFusion Digital Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by XFusion Digital Technologies Co Ltd
Priority to CN202211007313.0A
Publication of CN115333847A
Application granted
Publication of CN115333847B
Legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807: Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/18: Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/10: Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A data transmission method is disclosed. The method may include: receiving data information sent by the target terminal device and token information associated with the data information; checking whether the transmission process of the data information and the token information is abnormal; and, if the transmission process of the data information and the token information is not abnormal, establishing communication between the first computing device and the target terminal device. By actively analyzing the access behavior of the target terminal device, the computing device can rapidly determine whether the data transmission channel between the target terminal device and the computing device is secure. When a security risk exists in the data transmission channel between the target terminal device and the first computing device, the first computing device can quickly repair it.

Description

Data transmission method, data processing system and computing device
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a data transmission method, a data processing system, and a computing device.
Background
As enterprises and organizations undergo digital transformation, the number of IT devices in data centers grows, and so does the number of operation and maintenance scenarios for those devices. Increasingly complex operation and maintenance work requires faster fault-sensing means and fault-analysis tools to ensure service availability.
Remote operation and maintenance means that a service provider or a third-party organization performs daily operation and maintenance on behalf of a customer through remote operation, providing higher operation and maintenance efficiency and quality than the customer's own operation and maintenance. However, in an environment with high security requirements, remote operation and maintenance over a network may bring extremely high security risks. Even if security devices such as firewalls provide logical isolation, malicious attacks cannot be effectively detected and resisted. In existing remote operation and maintenance schemes, after the operated terminal and the operating terminal establish a data channel, the channel is a black box to the operating terminal, and the operating terminal cannot ensure the security of the data while it is transmitted over the channel.
Disclosure of Invention
The application provides a data transmission method, a data processing system and a computing device. The target terminal device accesses the cloud using a pre-generated registration code, so that the cloud can assign specific security policies to different target terminal devices and actively perform security management. Further, the cloud establishes a feature set for the access behavior of the target terminal device, analyzes whether the access behavior of the target terminal device is abnormal according to the feature set, and maintains the security of the data transmission channel between the target terminal device and the cloud.
In a first aspect, the present application provides a data transmission method applied to a first computing device, the method comprising: receiving data information sent by target terminal equipment and token information associated with the data information; checking whether the transmission process of the data information and the token information is abnormal or not; if the transmission process of the data information and the token information is not abnormal, establishing communication between the first computing equipment and the target terminal equipment.
In the scheme, the first computing device actively judges the access behavior of the target terminal device. After receiving the data information sent by the target terminal device and the token information associated with the data information, the first computing device first judges the transmission process of the data information and the token information so as to determine whether a data transmission channel between the target terminal device and the first computing device is safe or not. The first computing device establishes communication with the target terminal device when a transmission channel between the target terminal device and the first computing device is secure.
In one possible implementation, verifying whether an abnormality occurs in the transmission process of the data information and the token information includes: comparing the token information sent by the target terminal device with the token information stored in the first computing device, and determining that the transmission process of the data information and the token information is abnormal when the token information sent by the target terminal device is different from the token information stored in the first computing device.
That is, when the first computing device checks whether the transmission process of the data information and the token information is abnormal, it can determine whether the data information and the token information were hijacked or tampered with during transmission by examining the token information.
In one possible implementation, verifying whether an abnormality occurs in the transmission process of the data information and the token information includes: acquiring a heartbeat data packet in the token information; determining the transmission time of the heartbeat data packet, comparing the transmission time with a preset time range, and determining that the transmission process of the data information and the token information is abnormal when the transmission time is not in the preset time range.
That is, when the first computing device checks whether the transmission process of the data information and the token information is abnormal, it can determine whether the data information and the token information were hijacked or tampered with during transmission by examining the transmission time of the heartbeat data packet carried by the token information.
In one possible implementation, verifying whether an abnormality occurs in the transmission process of the data information and the token information includes: comparing the source of the heartbeat data packet with the source of the historical heartbeat data packet received by the big data platform, and determining that the transmission process of the data information and the token information is abnormal when the source of the heartbeat data packet is different from the source of the historical heartbeat data packet received by the big data platform.
That is, when the first computing device checks whether the transmission process of the data information and the token information is abnormal, it can determine whether the data information and the token information were hijacked or tampered with during transmission by examining the source of the heartbeat data packet carried by the token information.
In one possible implementation, the first computing device is deployed with a big data platform, and checking whether an abnormality occurs in the transmission process of the data information and the token information includes: the big data platform matches the data information with the historical feature data, and when the matching failure rate of the historical feature data and the data information is higher than a preset threshold, the transmission process of the data information and the token information is determined to be abnormal.
That is, when the first computing device checks whether the transmission process of the data information and the token information is abnormal, the received data may be compared with the historical feature data to determine whether the data information and the token information were hijacked or tampered with during transmission.
In one possible implementation, the data information includes: at least one of device list data, device alert data, log data for the device.
In one possible implementation, the method further includes: determining historical feature data; determining historical feature data includes: the big data platform acquires the historical data information of the received target terminal equipment to obtain historical characteristic data; or the big data platform takes the occurrence period of the data with periodicity in the received historical data of the target terminal equipment as the historical characteristic data.
In one possible implementation, the method further includes: if the transmission process of the data information and the token information is abnormal, sending first information to the target terminal device, where the first information is used for instructing the target terminal device to communicate with the first computing device according to the first information, and the first information comprises: updated token information.
That is, after the first computing device determines that the transmission process of the data information and the token information is abnormal, the first computing device needs to update the token information used for communication between the first computing device and the target terminal device, to ensure the security of data transmission between the first computing device and the target terminal device.
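The four checks described above (token comparison, heartbeat transmission time, heartbeat source, and match failure rate against historical feature data) and the token update that follows an anomaly, as an added Python sketch. It is not part of the patent text; the class and field names, thresholds and sample values are assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Policy:
    # Preset time range for heartbeat transit and preset failure-rate threshold (assumed values).
    min_transit_s: float = 0.0
    max_transit_s: float = 5.0
    max_mismatch_rate: float = 0.5


@dataclass
class DeviceState:
    token: str               # token stored on the first computing device
    heartbeat_sources: set   # sources of historical heartbeat packets
    feature_data: set        # historical feature data for this terminal


@dataclass
class Message:
    token: str               # token sent by the target terminal device
    hb_sent_at: float        # heartbeat send time (assumes synchronised clocks)
    hb_received_at: float
    hb_source: str           # source observed for the heartbeat packet
    records: list            # data information (device list, alert, log entries)


def mismatch_rate(records, feature_data):
    """Fraction of received records that do not match the historical feature data."""
    if not records:
        return 0.0
    misses = sum(1 for r in records if r not in feature_data)
    return misses / len(records)


def check_transmission(state, msg, policy):
    """Return the list of anomaly reasons; an empty list means no anomaly."""
    reasons = []
    # 1. Token sent by the terminal differs from the stored token (constant-time compare).
    if not hmac.compare_digest(msg.token.encode(), state.token.encode()):
        reasons.append("token_mismatch")
    # 2. Heartbeat transmission time falls outside the preset range.
    transit = msg.hb_received_at - msg.hb_sent_at
    if not (policy.min_transit_s <= transit <= policy.max_transit_s):
        reasons.append("heartbeat_time_out_of_range")
    # 3. Heartbeat source differs from the sources seen historically.
    if msg.hb_source not in state.heartbeat_sources:
        reasons.append("heartbeat_source_changed")
    # 4. Match failure rate against historical feature data exceeds the threshold.
    if mismatch_rate(msg.records, state.feature_data) > policy.max_mismatch_rate:
        reasons.append("feature_mismatch_rate")
    return reasons


def handle(state, msg, policy):
    """Establish communication when clean; otherwise rotate the token."""
    reasons = check_transmission(state, msg, policy)
    if not reasons:
        return {"communicate": True, "reasons": [], "updated_token": None}
    # Anomaly: the old token is invalidated and an updated token is produced
    # for the "first information" sent back to the target terminal device.
    state.token = secrets.token_urlsafe(32)
    return {"communicate": False, "reasons": reasons, "updated_token": state.token}


if __name__ == "__main__":
    # Constructed sample state and messages.
    state = DeviceState("tok-A", {"10.0.0.5"}, {"log:sshd", "alert:fan", "devlist:bmc-01"})
    clean = Message("tok-A", 100.0, 100.2, "10.0.0.5", ["log:sshd", "alert:fan"])
    odd = Message("tok-A", 100.0, 130.0, "203.0.113.9", ["log:sshd"])
    print(handle(state, clean, Policy()))
    print(handle(state, odd, Policy()))
```

The transit-time check only means something if the sender and receiver clocks are synchronised; the delivery path for the updated token is outside this sketch.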
In one possible implementation, the method further includes: receiving registration code information sent by the target terminal device; verifying whether the registration code information is legal; and if the registration code information is legal, sending the token information to the target terminal device.
That is, the target terminal device may access the first computing device using a registration code acquired in advance. After receiving the registration code sent by the target terminal device, the first computing device first verifies the validity of the registration code, for example whether the registration code is within its validity period, whether the number of terminal devices that have accessed using the registration code exceeds a preset number, and so on. The first computing device establishes a connection channel with the target terminal device only if it determines that the registration code sent by the target terminal device is legitimate. Furthermore, because the target terminal device uses the registration code to access the first computing device, the customer's personal privacy data does not need to be transmitted when the target terminal device accesses the first computing device, which avoids the leakage that could occur while transmitting that data.
In one possible implementation manner, receiving the registration code information sent by the target terminal device includes: the first computing device receives registration code information sent by the target terminal device through the cloud.
In one possible implementation manner, before receiving the first information sent by the target terminal device, the method further includes: receiving registration information of target terminal equipment input by a user; the registration information includes: at least one of organization information, contact information, mailbox information and authorization signature of the target terminal device; automatically determining access site information of target terminal equipment according to the registration information; the access site information includes: an access site, an access area and an access protocol of target terminal equipment; receiving a first operation of a user, wherein the first operation is used for indicating to generate a registration code for target terminal equipment; the registration code is used to access the first computing device; and responding to the first operation, and generating a registration code for the target terminal equipment according to the registration information of the target terminal equipment and the access site information of the target terminal equipment.
That is, the first computing device may generate a registration code for the target terminal device from registration information input by the user. Because the target terminal device accesses the first computing device using the registration code, the customer's personal privacy data does not need to be transmitted when the target terminal device accesses the first computing device, which avoids the leakage that could occur while transmitting that data.
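The registration-code flow described above (generate a code from registration and access site information, verify validity period and device count, then issue a token), as an added Python sketch. It is not part of the patent text; using an opaque random code that is bound to the registration record on the server side is a design choice of this sketch, and all names, limits and sample values are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class CodeRecord:
    registration: dict       # organization, contact, mailbox, authorization signature
    site: dict               # access site, access area, access protocol
    expires_at: float        # end of the validity period
    max_devices: int         # preset number of devices allowed per code
    devices: dict = field(default_factory=dict)   # device_id -> issued token


class RegistrationService:
    def __init__(self, ttl_s=86400.0, max_devices=3):
        self.ttl_s = ttl_s
        self.max_devices = max_devices
        self._records = {}   # sha256(code) -> CodeRecord; the code itself is not stored

    @staticmethod
    def _key(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def generate(self, registration, site, now):
        """Create a registration code bound to the registration and site information.

        The code is random, so it carries none of the customer's private data;
        the binding lives only in the server-side record.
        """
        code = secrets.token_urlsafe(16)
        self._records[self._key(code)] = CodeRecord(
            registration=dict(registration),
            site=dict(site),
            expires_at=now + self.ttl_s,
            max_devices=self.max_devices,
        )
        return code

    def redeem(self, code, device_id, now):
        """Verify the code and, if it is legal, return (token, "ok")."""
        rec = self._records.get(self._key(code))
        if rec is None:
            return None, "unknown_code"
        if now > rec.expires_at:
            return None, "expired"
        # A device that already registered gets a fresh token without
        # consuming another slot; a new device is subject to the cap.
        if device_id not in rec.devices and len(rec.devices) >= rec.max_devices:
            return None, "device_limit"
        token = secrets.token_urlsafe(32)
        rec.devices[device_id] = token
        return token, "ok"


if __name__ == "__main__":
    # Constructed sample registration and access site information.
    svc = RegistrationService(ttl_s=3600.0, max_devices=2)
    code = svc.generate(
        {"organization": "Example Org", "mailbox": "ops@example.invalid"},
        {"site": "site-1", "area": "area-1", "protocol": "https"},
        now=1000.0,
    )
    print(svc.redeem(code, "dev-1", now=1001.0)[1])   # within validity, under the cap
    print(svc.redeem(code, "dev-1", now=5000.0)[1])   # past the validity period
```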
In a second aspect, the present application provides a data sending method, applied to a cloud, where the method includes: receiving registration information of target terminal equipment input by a user; the registration information includes: at least one of organization information, contact information, mailbox information and authorization signature of the target terminal device; automatically determining access site information of target terminal equipment according to the registration information; the access site information includes: an access site, an access area and an access protocol of target terminal equipment; receiving a first operation of a user, wherein the first operation is used for indicating to generate a registration code for target terminal equipment; the registration code is used for accessing the target terminal equipment into the first computing equipment; and responding to the first operation, and generating a registration code for the target terminal equipment according to the registration information of the target terminal equipment and the access site information of the target terminal equipment.
In one possible implementation, receiving registration information of a target terminal device input by a user includes: acquiring the registration information of the target terminal device input by the user through a registration interface of the cloud; the registration interface includes: a web page registration interface.
It will be appreciated that the advantages of the second aspect may be found in the relevant description of the first aspect, and will not be described in detail herein.
In a third aspect, the present application provides a data transmission method applied to a target terminal device, where the method includes obtaining a registration code, where the registration code is generated by inputting registration information of the target terminal device on a first computing device for registration; transmitting the registration code to the first computing device or the cloud to determine whether the registration code is legal; when the registration code is legal, receiving token information sent by the first computing device or the cloud; the token information is used for indicating the target terminal equipment to communicate with the first computing equipment according to the token information; transmitting first information to a first computing device, the first information comprising: data information transmitted by the target terminal device and token information associated with the data information.
In this scheme, the target terminal device can access the first computing device using a registration code acquired in advance, so the customer's personal privacy data does not need to be transmitted when the target terminal device accesses the first computing device, which avoids the leakage that could occur while transmitting that data.
In one possible implementation, the method further includes: receiving second information sent by the first computing device or the cloud, wherein the second information comprises: updated token information; transmitting third information to the first computing device or the cloud, the third information comprising: updated token information and data information generated when the target terminal equipment operates.
That is, when abnormality occurs in data or token information transmitted between the target terminal device and the first computing device, the target terminal device needs to receive updated token information transmitted by the first computing device and communicate with the first computing device using the updated token information.
In a fourth aspect, the present application provides a data processing method applied to a big data platform, the method including receiving data information of a target terminal device sent by a first computing device and token information associated with the data information; checking whether the transmission process of the data information and the token information is abnormal or not; when the first information is abnormal in the transmission process, second information is sent to the first equipment; the second information is used for indicating that the first information is abnormal in the transmission process.
In one possible implementation, verifying whether an abnormality occurs in the transmission process of the data information and the token information includes: comparing the token information sent by the target terminal device with the token information stored in the first computing device, and determining that the transmission process of the data information and the token information is abnormal when the token information sent by the target terminal device is different from the token information stored in the first computing device.
In one possible implementation, verifying whether an abnormality occurs in the transmission process of the data information and the token information includes: acquiring a heartbeat data packet in the token information; determining the transmission time of the heartbeat data packet, comparing the transmission time with a preset time range, and determining that the transmission process of the data information and the token information is abnormal when the transmission time is not in the preset time range.
In one possible implementation, verifying whether an abnormality occurs in the transmission process of the data information and the token information includes: comparing the source of the heartbeat data packet with the source of the historical heartbeat data packet received by the big data platform, and determining that the transmission process of the data information and the token information is abnormal when the source of the heartbeat data packet is different from the source of the historical heartbeat data packet received by the big data platform.
In one possible implementation, the first computing device is deployed with a big data platform, and checking whether an abnormality occurs in the transmission process of the data information and the token information includes: the big data platform matches the data information with the historical feature data, and when the matching failure rate of the historical feature data and the data information is higher than a preset threshold, the transmission process of the data information and the token information is determined to be abnormal.
In one possible implementation, the data information includes: at least one of device list data, device alert data, log data for the device.
In one possible implementation, the method further includes: determining historical feature data; determining historical feature data includes: the big data platform acquires the historical data information of the received target terminal equipment to obtain historical characteristic data; or the big data platform takes the occurrence period of the data with periodicity in the received historical data of the target terminal equipment as the historical characteristic data.
It will be appreciated that the advantages of the fourth aspect may be found in the related description of the first aspect, and will not be described in detail herein.
In a fifth aspect, the present application provides a data processing system comprising:
the target terminal device is used for sending the data information of the target terminal device and the token information associated with the data information to the first computing device;
the first computing device is used for checking whether the transmission process of the data information sent by the terminal device and the token information associated with the data information is abnormal or not; if the transmission process of the data information and the token information is not abnormal, establishing communication between the first computing equipment and the target terminal equipment.
In one possible implementation, the data processing system further includes a cloud end for:
receiving registration information of target terminal equipment input by a user; the registration information includes: at least one of organization information, contact information, mailbox information and authorization signature of the target terminal device;
automatically determining access site information of target terminal equipment according to the registration information; the access site information includes: an access site, an access area and an access protocol of target terminal equipment;
receiving a first operation of a user, wherein the first operation is used for indicating to generate a registration code for target terminal equipment; the registration code is used to access the first computing device;
and responding to the first operation, and generating a registration code for the target terminal equipment according to the registration information of the target terminal equipment and the access site information of the target terminal equipment.
In one possible implementation, the target terminal device is further configured to:
acquiring a registration code, wherein the registration code is generated by inputting registration information of target terminal equipment on first computing equipment for registration;
transmitting the registration code to the first computing device or the cloud to determine whether the registration code is legal;
when the registration code is legal, receiving token information sent by the first computing device or the cloud; the token information is used for indicating the target terminal equipment to communicate with the first computing equipment according to the token information;
transmitting first information to a first computing device, the first information comprising: data information transmitted by the target terminal device and token information associated with the data information.
In one possible implementation, the first computing device is further to:
receiving registration code information sent by target terminal equipment;
verifying whether the registration code information is legal or not;
and if the registration code information is legal, sending the token information to the target terminal equipment.
In one possible implementation, the first computing device further includes a big data platform, and the big data platform is used for:
comparing the token information sent by the target terminal device with the token information stored in the first computing device, and determining that the transmission process of the data information and the token information is abnormal when the token information sent by the target terminal device is different from the token information stored in the first computing device.
In one possible implementation, the first computing device further includes a big data platform, and the big data platform is used for:
acquiring a heartbeat data packet in the token information;
determining the transmission time of the heartbeat data packet, comparing the transmission time with a preset time range, and determining that the transmission process of the data information and the token information is abnormal when the transmission time is not in the preset time range.
In one possible implementation, the first computing device further includes a big data platform, and the big data platform is used for:
comparing the source of the heartbeat data packet with the source of the historical heartbeat data packet received by the big data platform, and determining that the transmission process of the data information and the token information is abnormal when the source of the heartbeat data packet is different from the source of the historical heartbeat data packet received by the big data platform.
In one possible implementation, the first computing device further includes a big data platform, and the big data platform is used for:
matching the data information with the historical feature data, and when the matching failure rate of the historical feature data and the data information is higher than a preset threshold, determining that the transmission process of the data information and the token information is abnormal.
In one possible implementation, the first computing device further includes a big data platform, and the big data platform is further used for:
when the transmission process of the data information and the token information is abnormal, instructing the first computing device to send first information to the target terminal device, where the first information is used for instructing the target terminal device to communicate with the first computing device according to the first information, and the first information comprises: updated token information.
It will be appreciated that the advantages of the fifth aspect may be found in the related descriptions of the first and third aspects, and are not described here again.
In a sixth aspect, the present application provides a remote operation and maintenance system, the system comprising:
the edge acquisition module is used for acquiring data information generated when the target terminal equipment operates;
the data access module is used for receiving the data information sent by the target terminal equipment and the token information associated with the data information;
the security management module is used for checking whether the transmission process of the data information and the token information is abnormal or not;
and the data access module is also used for establishing communication between the first computing equipment and the target terminal equipment when the transmission process of the data information and the token information is not abnormal.
In one possible implementation, the data access module is further configured to:
receiving registration information of target terminal equipment input by a user; the registration information includes: at least one of organization information, contact information, mailbox information and authorization signature of the target terminal device;
automatically determining access site information of target terminal equipment according to the registration information; the access site information includes: an access site, an access area and an access protocol of target terminal equipment;
receiving a first operation of a user, wherein the first operation is used for indicating to generate a registration code for target terminal equipment; the registration code is used to access the first computing device;
and responding to the first operation, and generating a registration code for the target terminal equipment according to the registration information of the target terminal equipment and the access site information of the target terminal equipment.
In one possible implementation, the data access module is further configured to:
receiving registration code information sent by target terminal equipment;
verifying whether the registration code information is legal or not;
and if the registration code information is legal, sending the token information to the target terminal equipment.
In one possible implementation, the security management module is configured to:
comparing the token information sent by the target terminal device with the token information stored in the first computing device, and determining that the transmission process of the data information and the token information is abnormal when the token information sent by the target terminal device is different from the token information stored in the first computing device.
In one possible implementation, the security management module is configured to:
acquiring a heartbeat data packet in the token information;
determining the transmission time of the heartbeat data packet, comparing the transmission time with a preset time range, and determining that the transmission process of the data information and the token information is abnormal when the transmission time is not in the preset time range.
In one possible implementation, the security management module is configured to:
comparing the source of the heartbeat data packet with the source of the historical heartbeat data packet received by the big data platform, and determining that the transmission process of the data information and the token information is abnormal when the source of the heartbeat data packet is different from the source of the historical heartbeat data packet received by the big data platform.
In one possible implementation, the security management module is configured to:
matching, by the big data platform, the data information against historical characteristic data, and determining that the transmission process of the data information and the token information is abnormal when the matching failure rate between the historical characteristic data and the data information is higher than a preset threshold value.
In one possible implementation, the security management module is further configured to:
when the transmission process of the data information and the token information is abnormal, the first computing device is instructed to send first information to the target terminal device, the first information is used for instructing the target terminal device to communicate with the first computing device according to the first information, and the first information comprises: updated token information.
It will be appreciated that the advantages of the sixth aspect may be found in the related description of the first aspect, and will not be described here again.
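The four checks of the security management module and the token update on an abnormal result can be combined as shown below. This is an added example, not code from the patent: the `Session` and `Report` fields, the reading of "transmission time" as the send-to-receive delay, the preset values, and the set-membership feature match are all assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed policy values; the text only calls them "preset".
TRANSIT_RANGE_S = (0.0, 5.0)   # accepted heartbeat transit time, in seconds
MAX_MISMATCH_RATE = 0.5        # accepted share of features that miss the history


@dataclass
class Session:
    """State the first computing device keeps per target terminal device."""
    token: str
    heartbeat_sources: set = field(default_factory=set)   # sources seen so far
    feature_history: dict = field(default_factory=dict)   # name -> set of seen values


@dataclass
class Report:
    """One upload: data information plus the associated token information."""
    token: str
    sent_at: float       # heartbeat timestamp set by the terminal device
    received_at: float   # arrival time on the first computing device
    source: str          # origin of the heartbeat packet, e.g. peer address
    features: dict       # characteristic data extracted from the data information


def mismatch_rate(history, features):
    """Share of reported features whose value was never seen in this session."""
    if not features or not history:
        return 0.0  # nothing to compare against yet
    misses = sum(1 for k, v in features.items() if v not in history.get(k, set()))
    return misses / len(features)


def check_transmission(session, report):
    """Return the anomaly reasons; an empty list means no anomaly."""
    reasons = []
    # Constant-time comparison so the check does not leak how much of a token matched.
    if not hmac.compare_digest(session.token.encode(), report.token.encode()):
        reasons.append("token_mismatch")
    low, high = TRANSIT_RANGE_S
    if not low <= report.received_at - report.sent_at <= high:
        reasons.append("heartbeat_time_out_of_range")
    if session.heartbeat_sources and report.source not in session.heartbeat_sources:
        reasons.append("heartbeat_source_changed")
    if mismatch_rate(session.feature_history, report.features) > MAX_MISMATCH_RATE:
        reasons.append("feature_mismatch_rate_high")
    return reasons


def handle_report(session, report):
    """Accept a normal report, or rotate the token when any check fails."""
    reasons = check_transmission(session, report)
    if reasons:
        # Abnormal: replace the stored token and return it as the "first information".
        # The delivery channel to the registered device is not modelled here.
        session.token = secrets.token_urlsafe(32)
        return {"accepted": False, "reasons": reasons,
                "first_information": {"updated_token": session.token}}
    # Normal: extend the historical heartbeat sources and characteristic data.
    session.heartbeat_sources.add(report.source)
    for name, value in report.features.items():
        session.feature_history.setdefault(name, set()).add(value)
    return {"accepted": True, "reasons": [], "first_information": None}


def demo():
    """Run two constructed sample reports through the checks."""
    session = Session(token="tok-A", heartbeat_sources={"10.0.0.5"},
                      feature_history={"bmc_fw": {"1.2"}, "alarm_class": {"fan", "psu"}})
    normal = Report("tok-A", 100.0, 100.4, "10.0.0.5",
                    {"bmc_fw": "1.2", "alarm_class": "fan"})
    abnormal = Report("tok-B", 100.0, 160.0, "203.0.113.9",
                      {"bmc_fw": "9.9", "alarm_class": "x"})
    return handle_report(session, normal), handle_report(session, abnormal), session
```

After a rotation, a report that still carries the old token fails the token comparison, so the terminal device must communicate using the updated token information.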
In a seventh aspect, the present application provides a terminal device, including:
the receiving module is used for acquiring a registration code, wherein the registration code is generated by inputting registration information of target terminal equipment on the first computing equipment for registration;
the sending module is used for sending the registration code to the first computing device or the cloud to determine whether the registration code is legal or not;
the receiving module is further used for receiving token information sent by the first computing device or the cloud when the registration code is legal; the token information is used for indicating the target terminal equipment to communicate with the first computing equipment according to the token information;
the apparatus further includes a transmitting module configured to transmit, to the first computing device, first information including: data information transmitted by the target terminal device and token information associated with the data information.
In one possible implementation manner, the receiving module is further configured to receive second information sent by the first computing device or the cloud, where the second information includes: updated token information;
the sending module is further configured to send third information to the first computing device or the cloud, where the third information includes: updated token information and data information generated when the target terminal equipment operates.
It will be appreciated that the advantages of the seventh aspect may be found in the related description of the third aspect, and will not be described here again.
In an eighth aspect, the present application provides a computing device comprising:
at least one memory for storing a program;
at least one processor for executing the program stored in the memory, the processor being configured, when the program stored in the memory is executed, to carry out the method described in any one of the possible implementations of the first, second, third or fourth aspect described above.
In a ninth aspect, the present application provides a computer readable storage medium having instructions stored therein which, when run on a computer, cause the computer to perform the method described in any one of the possible implementations of the first or second aspect or the third or fourth aspect.
In a tenth aspect, the present application provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method described in any one of the possible implementations of the first or second or third or fourth aspects above.
It will be appreciated that the advantages of the eighth to tenth aspects may be found in the related descriptions of the first and third aspects, and are not repeated here.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1a is a schematic view of an application scenario provided in an embodiment of the present application;
Fig. 1b is a schematic view of another application scenario provided in an embodiment of the present application;
Fig. 2 is a schematic structural diagram of a terminal device provided in an embodiment of the present application;
Fig. 3 is a schematic structural diagram of a cloud server provided in an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a remote operation and maintenance system according to an embodiment of the present application;
Fig. 5 is a schematic flow chart of a remote access method for data center operation data provided in an embodiment of the present application;
Fig. 6 is a schematic diagram of a process for applying for a registration code according to an embodiment of the present application;
Fig. 7 is a flow chart of another remote access method for data center operation data provided in an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be described below with reference to the accompanying drawings.
In the description of embodiments herein, any embodiment or design that is "exemplary," "such as," or "for example" is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary," "such as" or "for example," etc., is intended to present related concepts in a concrete fashion.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating an indicated technical feature. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise.
Technical terms involved in the present solution will be first described.
Operation and maintenance is essentially the operation and maintenance of a network, servers and services at every stage of their life cycle, so that they remain in an acceptable state in terms of cost, stability and efficiency. Specifically, operation and maintenance may include deploying an operating system and an operating environment, deploying code, designing and deploying monitoring, preventing vulnerabilities and attacks, and the like.
Remote operation and maintenance: depending on where the operation and maintenance personnel are located when they perform operation and maintenance work, operation and maintenance can generally be divided into on-site operation and maintenance and remote operation and maintenance. Remote operation and maintenance is generally implemented with a near-end operation and maintenance terminal and a far-end operation terminal. The near end refers to the client side, including the client's machine room and data center, and the far end refers to the remote operation and maintenance center side. The remote operation and maintenance center is the place where a service provider or a third-party organization performs remote operation and maintenance. Depending on the required security level, the remote operation and maintenance center can configure a separate operation and maintenance environment for each remote operation and maintenance client, or several remote operation and maintenance clients can share one remote operation and maintenance environment.
By way of example, scheme 1 illustrates a remote operation and maintenance method. A camera records video of the target terminal under operation and maintenance, and the on-site maintenance data is sent to the remote cloud in video format. The cloud analyzes the received video data, generates a target maintenance command set and sends it to the target terminal to realize remote operation and maintenance. Throughout the data transmission process, the security of the remote operation and maintenance process is ensured by means such as masking the screen picture, verifying cloud operation permissions and encrypting the instruction set.
In scheme 1, the cloud device cannot directly collect information such as alarms and logs of the target terminal device; instead it recognizes the state of the target terminal device from video. Video recognition has low accuracy and does not detect the fault state of the target terminal device in time. In addition, because the state of the target terminal device is recognized from video, the complete context of the fault log is not available, so the root cause of a fault cannot be located accurately and quickly.
During remote operation and maintenance, the operation terminal on the far-end side cannot sense whether the client is secure, or whether the data transmission channel between the operation terminal and the client is secure. To solve this problem, the embodiments of the present application provide a data transmission method. The client registers on the operation terminal on the far-end side, and the operation terminal generates a corresponding registration code according to the client information. The client then uses the registration code to authenticate with the operation terminal, which simplifies the client's access to the operation terminal and avoids the leakage that can easily occur when client information is transmitted between the client and the operation terminal. Further, after the client has been authenticated on the operation terminal, the operation terminal analyzes the access behavior of the client whenever it receives data sent by the client, thereby continuously strengthening the security of the data transmission channel between the operation terminal and the client.
Next, the technical solution provided in the embodiments of the present application will be described.
Fig. 1a shows an exemplary application scenario of the present application. As shown in fig. 1, the scenario may include a terminal device 100 located on the near-end side and a remote operation and maintenance center on the cloud end side. Wherein the remote operation and maintenance center comprises a first computing device 200, and a big data platform (not shown in the figure) is deployed on the first computing device 200. The first computing device 200 is configured to receive data information on the terminal device 100, and generate an operation and maintenance instruction of the terminal device 100 according to the generated data information. Then, the first computing device 200 transmits the generated operation and maintenance instruction to the terminal device 100, and remotely operates and maintains the terminal device 100 according to the operation and maintenance instruction.
Fig. 1b shows a further exemplary application scenario of the present application. In this scenario, the terminal device 100 may be a device in an operation and maintenance center. As shown in fig. 1b, the terminal device 100 transmits on-site or remote operation data to a big data platform. The big data platform 300 generates an operation and maintenance instruction according to the operation and maintenance data information transmitted by the terminal device 100, thereby implementing remote operation and maintenance. The big data platform is deployed on the first computing device 200.
In some embodiments, the terminal device 100 may be a server or a BMC deployed on the server, or the like. The first computing device 200 may be a cloud server or a virtual server.
In some embodiments, the terminal device 100 and the first computing device 200 may be connected through a wired network or a wireless network. For example, the network may be a local area network (LAN) or a wide area network (WAN) (e.g., the internet). The network between the terminal device 100 and the first computing device 200 may be implemented using any known network communication protocol, wired or wireless, such as Ethernet, universal serial bus (USB), FireWire, global system for mobile communications (GSM), general packet radio service (GPRS), code division multiple access (CDMA), wideband code division multiple access (WCDMA), time-division code division multiple access (TD-SCDMA), long term evolution (LTE), new radio (NR), Bluetooth, wireless fidelity (Wi-Fi) and other communication protocols.
It should be noted that the application scenarios shown in fig. 1a and fig. 1b do not limit the embodiments of the present application. In the application scenario shown in fig. 1a and 1b, the number and types of terminal devices on the near-end side are not limited. For example, the plurality of terminal devices on the near-end side can be provided, and the terminal devices on the near-end side can comprise target terminal devices which need to be operated and maintained, safety devices for ensuring the safety of operation and maintenance processes, and can also be terminal devices in a remote operation and maintenance center.
By way of example, fig. 2 shows a hardware structure of the terminal device 100. The terminal device 100 may be, but is not limited to, an electronic device such as a mobile phone, a tablet computer, a notebook computer, a wearable device, a smart television, etc. Exemplary embodiments of the electronic device include, but are not limited to, electronic devices running iOS, Android, Windows, HarmonyOS or other operating systems. The type of the electronic device is not particularly limited in the embodiments of the present application.
As shown in fig. 2, the terminal device 100 may include a processor 110, a memory 120, a display 130, a communication module 140, and an input device 150. The processor 110, the memory 120, the display 130, the communication module 140, and the input device 150 may be connected by a bus or other means.
The processor 110 is the computing core and control core of the terminal device 100. The processor 110 may include one or more processing units. For example, the processor 110 may include one or more of an application processor (AP), a modem, a graphics processing unit (GPU), an image signal processor (ISP), a controller, a video codec, a digital signal processor (DSP), a baseband processor, and/or a neural-network processing unit (NPU), etc. The different processing units may be separate devices or may be integrated in one or more processors.
The memory 120 may store a program that is executable by the processor 110 such that the processor 110 performs part or all of the methods that the terminal device 100 provided in the embodiments of the present application needs to perform. Memory 120 may also store data. The processor 110 may read the data stored in the memory 120. The memory 120 and the processor 110 may be separately provided. Optionally, the memory 120 may also be integrated in the processor 110.
The display screen 130 is used to display images, videos, and the like. The display 130 includes a display panel. The display panel may employ a liquid crystal display (LCD), an organic light-emitting diode (OLED), an active-matrix organic light-emitting diode (AMOLED), a flexible light-emitting diode (FLED), a Mini LED, a Micro LED, a Micro-OLED, a quantum dot light-emitting diode (QLED), or the like.
The communication module 140 may include at least one of a mobile communication module and a wireless communication module. When the communication module 140 comprises a mobile communication module, the communication module 140 may provide a wireless communication solution applied on the terminal device 100, including 2G/3G/4G/5G and the like, such as global system for mobile communications (GSM), general packet radio service (GPRS), code division multiple access (CDMA), wideband code division multiple access (WCDMA), time-division code division multiple access (TD-SCDMA), long term evolution (LTE), new radio (NR), etc. When the communication module 140 includes a wireless communication module, the communication module 140 may provide a wireless communication solution applied on the terminal device 100, including wireless local area network (WLAN) (e.g., a wireless fidelity (Wi-Fi) network), Bluetooth (BT), global navigation satellite system (GNSS), frequency modulation (FM), near field communication (NFC), infrared (IR), etc. Illustratively, the communication module 140 may be used by the terminal device 100 to communicate with the first computing device 200 to complete the data interaction.
In some embodiments, the terminal device 100 may also include an input device 150. Through the input device 150, information can be input to the terminal device 100 and/or control instructions can be issued, etc. By way of example, the input device 150 may be, but is not limited to, a mouse, a keyboard, etc.
It is to be understood that the structure illustrated in fig. 2 of the embodiment of the present application does not constitute a specific limitation on the terminal device 100. In other embodiments of the present application, terminal device 100 may include more or less components than illustrated, or certain components may be combined, or certain components may be split, or different arrangements of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
By way of example, fig. 3 illustrates a hardware architecture of a first computing device 200. The first computing device 200 may be a cloud server, which may be, but is not limited to, a server or a super electronic device that may establish a communication connection with the terminal device 100 and may provide a data processing function, an operation function, and/or a storage function for the terminal device 100. The cloud server may be a hardware server or may be embedded in a virtualized environment, for example, the cloud server may be a virtual machine executing on a hardware server that includes one or more other virtual machines.
As shown in fig. 3, the cloud server may include: processor 210, network interface 220, and memory 230. Wherein the processor 210, the network interface 220, and the memory 230 may be connected by a bus or other means.
In the present embodiment, the processor 210 (also referred to as a central processing unit (CPU)) is the computing core and control core of the cloud server 200.
The network interface 220 may include a standard wired interface and a wireless interface (e.g., Wi-Fi, a mobile communication interface, etc.), and is controlled by the processor 210 to receive and transmit data, e.g., to receive data information transmitted from the terminal device 100 over a network.
The memory 230 is a storage device of the cloud server for storing programs and data, such as pre-trained models. It is understood that the memory 230 may be a high-speed RAM or a non-volatile memory, such as at least one magnetic disk memory; optionally, it may also be at least one storage device located remotely from the aforementioned processor 210. The memory 230 provides storage space that stores the operating system and executable program code of the server. The operating system may include, but is not limited to, Windows, Linux, HarmonyOS, and the like.
It will be appreciated that the structure illustrated in fig. 3 in the embodiment of the present application does not constitute a specific limitation on the cloud server. The cloud server may include more or less components than illustrated, or may combine certain components, or split certain components, or may be a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
By way of example, an embodiment of the present application provides a remote operation and maintenance system. The application scenario shown in fig. 1 is taken as an example. In this scenario, the remote operation and maintenance system may be deployed entirely on the first computing device 200 on the far-end side, or partly on the first computing device 200 on the far-end side and partly on the terminal device 100 on the near-end side. As shown in fig. 4, the remote operation and maintenance system includes: an edge acquisition module 410, a data access module 420, a security management module 430, and a remote management module 440. In one possible example, the near-end side further includes one or more of an IT infrastructure, a CT infrastructure, or a cloud computing environment. The edge acquisition module 410 in the remote operation and maintenance system is connected with the IT infrastructure, the CT infrastructure or the cloud computing environment, thereby realizing remote operation and maintenance of the IT infrastructure, the CT infrastructure or the cloud computing environment.
The edge collection module 410 is configured to collect data information generated during operation of the target terminal device, and send the collected data information to the data access module 420. The data information generated during the operation of the target terminal equipment comprises: alarm information, log information and performance data generated when the target terminal equipment runs. In one possible example, the edge acquisition module 410 includes: task control unit 411, alarm acquisition unit 412, log acquisition unit 413, performance acquisition unit 414. The task control unit 411 is configured to parse, execute, and control commands issued from outside. The alarm collection unit 412 is configured to monitor and collect alarm information generated during operation of the target terminal device according to the operation condition of the target terminal device. The alarm collection unit 412 then transmits the collected alarm information to the data access module 420. The log collection unit 413 is configured to collect the running log on the target terminal device, and send the collected running log to the data access module 420. The performance acquisition unit 414 is configured to acquire performance data generated during operation of the target terminal device, and send the acquired performance data to the data access module 420.
The data access module 420 is configured to establish communication with the remote operation and maintenance center on the cloud side, and to transmit data information on the target terminal device on the near-end side to the remote operation and maintenance center. The data information on the target terminal device includes: token information for communication between the target terminal device and the remote operation and maintenance center on the cloud side, and data information generated when the target terminal device operates. In one possible example, the data access module 420 includes: a security authentication unit 421, a data communication unit 422, a resource orchestrator 423, and a network controller 424. The security authentication unit 421 uses the client registration information to authenticate with the remote operation and maintenance center of the cloud. After authentication passes, the security authentication unit 421 establishes a unique session with the remote operation and maintenance center and manages the session, for example by updating session information or attempting reconnection. The data communication unit 422 is configured to, after the security authentication unit 421 has established a normal session with the remote operation and maintenance center, uniformly report the data information collected by the edge acquisition module 410 to the remote operation and maintenance center and receive the instruction set issued by the remote operation and maintenance center. When data reporting fails or instruction reception fails, the data communication unit 422 needs to attempt to reconnect with the remote operation and maintenance center. The resource orchestrator 423 is configured to create remote operation and maintenance tasks for the target terminal device according to the instruction set of the remote operation and maintenance center, and to control the scheduling relationships of the tasks.
The network controller 424 is responsible for managing the network between a plurality of target terminal devices and the remote operation and maintenance center. Under certain conditions, the network controller 424 may also implement a gatekeeper function that physically isolates the remote operation and maintenance center on the cloud side from the target terminal device on the near-end side and applies security control between them.
The security management module 430 is configured to establish a connection with the target terminal device on the near-end side, and to audit and analyze the access behavior of the target terminal device to determine whether that behavior is abnormal. In one possible example, the security management module 430 includes: a registration management unit 431, a session management unit 432, a security audit unit 433, and a behavior analysis unit 434. The registration management unit 431 is used for managing the life cycle of the registration information of the target terminal device, for example creating and discarding registration information, and for associating the registration information of the client with the client profile information. The session management unit 432 is configured to manage sessions between the target terminal devices and the remote operation and maintenance center, so that each target terminal device uses an independent session. The security audit unit 433 provides a security audit function: when a security abnormality occurs in a session between the target terminal device and the remote operation and maintenance center, the abnormal session can be manually managed to eliminate the potential security hazard. The behavior analysis unit 434 is used to analyze the access behavior of the target terminal devices connected to the remote operation and maintenance center. For example, using big data analysis capability, it establishes dynamic characteristic information for each session and compares that information with the current characteristics to determine whether the access behavior of the current target terminal device has a security problem.
The remote management module 440 is configured to analyze data generated during the operation of the target terminal device on the near-end side, and to generate a corresponding operation and maintenance instruction. In one possible example, the remote management module 440 includes: a remote monitoring management unit 441, a remote fault diagnosis unit 442, a remote early warning management unit 443, and a remote task management unit 444. The remote monitoring management unit 441 is configured to monitor the alarms and health status of the target terminal device. The remote fault diagnosis unit 442 is configured to determine faults of the target terminal device. For example, using cloud computing and expert experience, the remote fault diagnosis unit 442 can quickly diagnose the root cause of a fault from the fault symptoms and the operation log data of the target terminal device, and give corresponding processing suggestions. The remote early warning management unit 443 is configured to analyze data uploaded by the target terminal device and to discover possible faults of the target terminal device in advance. For example, the remote early warning management unit 443 may analyze failure precursor data in the log data uploaded by the target terminal device, predict potential hazards or risks in the target terminal device, and handle them in advance. The remote task management unit 444 is configured to generate a remote repair task according to the diagnosis suggestions and risk processing suggestions generated by the remote fault diagnosis unit 442 and the remote early warning management unit 443, and to send the remote repair task to the target terminal device for remote processing.
In the embodiment of the application, the operation and maintenance system can acquire the data (such as alarm data and log data) generated when the target terminal equipment runs in real time, quickly sense the health state of the client equipment according to the acquired data generated when the target terminal equipment runs, quickly analyze the root cause of the problem when the target terminal equipment is abnormal, and improve the problem processing efficiency.
Next, a data transmission method provided in the embodiments of the present application is described in a remote operation and maintenance system based on the above description.
Referring to fig. 5, fig. 5 is a flow chart of a method for remote access of data center operation and data according to an embodiment of the present application. The method can be applied to the application scenario shown in fig. 1. Referring to fig. 5, the method includes: S501-S508.
S501, a client registers in a cloud and acquires a registration code generated by the cloud according to client information.
In this embodiment, the cloud is a software platform that adopts an application virtualization technology. The cloud may be loaded on the target terminal device or on the second computing device, where the second computing device may be in wired or wireless communication with the first computing device. Before the target terminal device accesses the cloud, the client registers in the cloud. Specifically, the client can fill in the client information required for registration in the cloud's registration code application interface, such as organization information, contact phone, mailbox and authorization signature. The organization information refers to information of the organization to which the target terminal device belongs. The authorization signature is the credential by which the data owner (target terminal device) authorizes the data user (cloud) to access data. After filling in the client information, the client selects the site where the target terminal device to be connected to the cloud is located. The cloud then automatically recommends an access area and an access protocol for the target terminal device according to the site information selected by the client, and generates a registration code for the target terminal device according to the client information and the site information of the target terminal device.
In one possible example, the application registration code interface of the cloud may be displayed in a web page manner.
In one possible embodiment, after the client applies for the registration code, the registration code may be used for multiple terminal devices, that is, different terminal devices may access the cloud using the same registration code. The cloud end can set the expiration time of the registration code and the number of terminal devices to which the registration code can be connected when generating the registration code for the client.
In one possible example, the process by which a client applies in the cloud for a registration code for a target terminal device is shown in fig. 6. The client first fills in the client information in the registration code application interface. The client then selects the site and the area to be accessed. After the client selects the site name and the area to be accessed, the cloud generates a registration code for the client and automatically selects the protocol and the area to be accessed. After the registration code has been applied for successfully, the client can copy it directly, which makes it convenient to import the registration code into the target terminal device later and achieves one-key access of the target terminal device.
In this embodiment, before the target terminal device accesses the cloud, the client registers directly in the cloud to generate the corresponding registration code, so that when the target terminal device needs to access the cloud, it can do so using the pre-generated registration code. The client only needs to confirm all client information once on the cloud, which greatly simplifies the operation of connecting the target terminal device to the cloud and avoids possible leakage of the client's personal privacy data during transmission. Further, when the registration code is generated for the target terminal device, after the client inputs the access site of the target terminal device, the cloud can automatically recommend key information such as the data acquisition range, the transmission channel protocol and the data access area according to the national legal requirements applicable to the target terminal device, and agree on the client signature authorization information, thereby avoiding data compliance risk.
S502, a client acquires a root certificate and a cloud certificate from the cloud, and the acquired root certificate and cloud certificate are imported to target terminal equipment.
In this embodiment, before the target terminal device accesses the cloud, the identity of the cloud needs to be checked. Specifically, the client may obtain a CA root certificate and a cloud certificate from the cloud. And then, the CA root certificate and the certificate of the cloud terminal are imported to the target terminal equipment, so that the target equipment can verify the cloud terminal according to the CA public key contained in the CA root certificate.
A certificate includes three parts: the information of the client, the public key of the client, and the CA center's signature over the information in the certificate. Verifying the authenticity of a certificate (i.e., verifying whether the CA center's signature over the certificate information is valid) requires the public key of the CA center, which is found in the certificate that signed it (e.g., certificate 1). Certificate 1 therefore needs to be downloaded, but before certificate 1 is used for verification, its own authenticity must be verified, which in turn requires the certificate that issued certificate 1. This forms a certificate chain whose end point is the root certificate. A root certificate is a special certificate whose issuer is itself. By downloading the root certificate, the client indicates that it trusts all certificates issued under that root certificate.
S503, the target terminal device authenticates the cloud.
In this embodiment, before the target terminal device accesses the cloud, the target terminal device may verify the cloud by using the CA public key included in the CA certificate. Specifically, after the target terminal device obtains the cloud certificate, it verifies the timeliness of the certificate content, for example whether the cloud certificate has expired. The target terminal device then verifies the validity of the cloud certificate (e.g., whether the certificate has been tampered with). During verification, the target terminal device may use the CA public key in the CA root certificate to decrypt the digital digest in the cloud certificate; if the digital digest can be decrypted, the cloud certificate is proved to be trusted by the CA.
S504, the target terminal equipment establishes a connection channel with the cloud according to the registration code.
In this embodiment, after the target terminal device verifies the cloud certificate, the target terminal device may use the public key provided in the cloud certificate to communicate with the cloud. Specifically, the target terminal device may submit the registration code acquired in advance to the cloud for validity authentication. After the cloud's authentication of the registration code of the target terminal device passes, a connection channel is established between the target terminal device and the cloud.
In one possible example, the target terminal device sends its registration code and a universally unique identifier (Universally Unique Identifier, UUID) to the cloud. A UUID is a number generated on one machine that is guaranteed to be unique across all machines in the same space and time. UUIDs allow every element in a distributed system to have unique identification information without the identification information being specified by a central control terminal.
After the cloud receives the registration code sent by the target terminal device, the cloud verifies the validity of the received registration code. Specifically, the cloud may compare the registration code sent by the target terminal device with the registration code stored in the cloud to determine whether the registration code is legal. When the registration code stored in the cloud is the same as the registration code sent by the target terminal device, the cloud considers the registration code sent by the target terminal device to be legal. Further, the cloud can also verify whether the registration code sent by the target terminal device is within its validity period and whether the number of terminal devices connected using the registration code exceeds the preset number.
The cloud establishes a connection channel with the target terminal device only after it has verified the registration code sent by the target terminal device. The cloud then returns to the target terminal device the Token information to be used when the cloud and the target terminal device communicate. The Token is a character string generated by the cloud and serves as the token the target terminal device presents when making requests. After the target terminal device logs in to the cloud for the first time, the cloud generates a Token and returns it to the target terminal device, and the target terminal device then only needs to carry the Token received from the cloud when requesting data.
In one possible example, the cloud may use the device number of the target terminal device or the MAC address of the device as the Token. Specifically, when the target terminal device sends the registration code to the cloud (i.e., logs in to the cloud), it passes its device number or MAC address to the cloud as a parameter. The cloud receives the parameter in a variable, stores it in a database as the Token, and sets the Token in the session. After the registration code sent by the target terminal device passes the cloud's verification, the cloud returns the Token to the target terminal device. Each time the target terminal device sends information to the cloud, the cloud intercepts the information uniformly and compares the Token carried in it with the Token in the cloud session; if they are the same, the information is allowed through, and if they differ, it is rejected.
In another possible example, after the cloud verifies the registration code sent by the target terminal device, the cloud may return the locally acquired sessionID to the target terminal device as a Token.
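The registration-code check and Token handling of S504, as an added example (not code from the patent): the code is compared with the stored one and checked for expiry and device count, then a Token is issued and later compared with the session copy. Class and method names and the sample values are assumptions; the Token here is a random string generated by the cloud rather than the device number or MAC address variant, because an identifier that can be read off the device is not a secret.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Registration:
    """Cloud-side record created when the client applies for a registration code."""
    code: str
    expires_at: float      # expiration time set when the code was generated
    max_devices: int       # number of terminal devices the code may connect
    device_uuids: set = field(default_factory=set)


class Cloud:
    """Hypothetical cloud-side store; names are illustrative only."""

    def __init__(self):
        self.registrations = {}   # registration code -> Registration
        self.sessions = {}        # device UUID -> Token held in the session

    def add_registration(self, code, expires_at, max_devices):
        self.registrations[code] = Registration(code, expires_at, max_devices)

    def _lookup(self, code):
        # Compare with every stored code using a constant-time comparison so
        # the check does not reveal how many leading characters matched.
        found = None
        for stored, reg in self.registrations.items():
            if hmac.compare_digest(stored.encode(), code.encode()):
                found = reg
        return found

    def connect(self, code, device_uuid, now):
        """Verify the registration code; return (token, reason)."""
        reg = self._lookup(code)
        if reg is None:
            return None, "unknown registration code"
        if now >= reg.expires_at:
            return None, "registration code expired"
        is_new_device = device_uuid not in reg.device_uuids
        if is_new_device and len(reg.device_uuids) >= reg.max_devices:
            return None, "device limit reached"
        reg.device_uuids.add(device_uuid)
        return self.rotate_token(device_uuid), "ok"

    def rotate_token(self, device_uuid):
        """Issue a fresh Token; the previous one stops being accepted."""
        token = secrets.token_urlsafe(32)
        self.sessions[device_uuid] = token
        return token

    def authorize(self, device_uuid, token):
        """Run on every message: compare the carried Token with the session Token."""
        expected = self.sessions.get(device_uuid)
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode(), token.encode())


if __name__ == "__main__":
    cloud = Cloud()
    # Constructed sample values, not taken from the patent.
    cloud.add_registration("REG-CONSTRUCTED-001", expires_at=1000.0, max_devices=2)
    token, reason = cloud.connect("REG-CONSTRUCTED-001", "uuid-a", now=10.0)
    print(reason, cloud.authorize("uuid-a", token))
    print(cloud.connect("REG-CONSTRUCTED-001", "uuid-a", now=2000.0))
```
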
In S501-S504, the cloud server receives the client information, generates a registration code from the client information, and verifies the registration code sent by the target terminal device; these operations may also be performed by the big data platform. When the above operations are performed by the big data platform, the cloud server is only used to receive and transmit information.
S505, the target terminal equipment sends first information to the cloud; the first information carries data information generated when the target terminal equipment operates and Token information when the target terminal equipment communicates with the cloud.
In this embodiment, after the target terminal device receives the Token sent by the cloud, it updates its local Token and then uses the updated Token to send the first information to the cloud. The first information includes data information generated when the target terminal device operates and token information for the target terminal device to communicate with the cloud. The data information generated during operation includes: running log information of the target terminal device, performance data information of the target terminal device, and alarm information generated by the target terminal device. The token information includes: the Token and the Token heartbeat packet. In one possible example, the Token heartbeat packet includes: the source of the HTTP request (refer), the client information (uuid), and the connection time-consuming duration information.
It should be noted that the target terminal device needs to carry the token information every time it sends information to the cloud.
In one possible example, the data information generated by the target terminal device during operation may be collected by the edge collection module 410 in the operation and maintenance system shown in fig. 4.
S506, the cloud sends the first information to the big data platform so that the big data platform verifies the first information; when the first information is abnormal, S507 is executed, and otherwise S508 is executed.
In this embodiment, a big data platform may be deployed on a first computing device. After the cloud receives the first information, the cloud judges the validity of the Token carried in the first information. Specifically, the cloud compares the Token carried in the information sent by the target terminal device with the Token in the cloud session, and if the Token is the same, the Token carried in the first information is considered to be valid. Then, the cloud end also needs to send the received first information to the big data platform so that the big data platform can continuously judge the received first information to determine whether the first information is safe in the transmission process.
In one possible example, after the big data platform receives the first information, it may compare the received Token heartbeat packet with the historical heartbeat packets from the target terminal device that it has received before, so as to determine whether the Token heartbeat packet is abnormal. Abnormalities of the Token heartbeat packet include: an abnormal HTTP request source and an abnormal connection time.
For an abnormal connection time, the big data platform compares the connection time-consuming duration information in the received heartbeat data packet of the target terminal device with the historical connection time-consuming duration range. When the connection time-consuming duration in the heartbeat data packet is not within the historical range, the big data platform can determine that the Token heartbeat data packet sent by the target terminal device is abnormal. It should be noted that the historical connection time-consuming duration range is determined from a plurality of historical heartbeat data packets sent by the target terminal device and received by the big data platform. For example, the big data platform may obtain the connection time-consuming duration information in the heartbeat data packets of the target terminal device received in the past month, and take the maximum and minimum connection time-consuming durations of the past month as the maximum and minimum of the historical range.
For an abnormal HTTP request source, after the big data platform receives the heartbeat data packet sent by the target terminal device, it obtains the HTTP request source (refer) carried in the heartbeat data packet and compares it with a preset HTTP request source. When the HTTP request source carried in the heartbeat data packet differs from the preset HTTP request source, the big data platform can determine that the Token heartbeat data packet sent by the target terminal device is abnormal.
In one possible example, the big data platform may compare the time interval in which the cloud receives the Token sent by the target terminal device with a historical return threshold. When that time interval is greater than the historical return threshold, the big data platform can determine that the first information sent by the target terminal device is abnormal in the transmission process (for example, the Token is hijacked, intercepted and redirected). At this time, the big data platform stops analyzing the data information carried in the first information and triggers the cloud to send a new Token to the target terminal device, so that the target terminal device communicates with the cloud according to the new Token.
It should be noted that the historical return threshold may be a normal distribution interval. When the network speed of the target terminal device is fixed, the time from the target terminal device sending the first information to the cloud receiving it is fixed (it follows a normal distribution curve). Therefore, the historical return threshold of the target terminal device can be obtained by analyzing the data transmission time when the target terminal device communicated with the cloud over a historical period (such as one month or one week). It should also be noted that the historical return threshold is dynamically generated. For example, suppose the network of the target terminal device is upgraded from a 100-megabit network to a gigabit network. When the target terminal device sends information to the cloud at gigabit speed for the first time, the big data platform can determine that the transmission is abnormal, because the data transmission time between the target terminal device and the cloud is obviously shortened (it is not within the historical return threshold interval). At this time, the big data platform triggers the cloud to send a new Token to the target terminal device, so that the target terminal device communicates with the cloud according to the new Token. Because the historical return threshold is dynamically updated as the target terminal device communicates with the cloud, when the target terminal device continues to send data to the cloud at gigabit speed, the resulting historical return threshold decreases along with the reduced communication time between the target terminal device and the cloud.
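The heartbeat and return-time checks described above, as an added example that is not code from the patent. It keeps a rolling per-device history, flags a heartbeat whose refer differs from the preset value, whose connection time falls outside the historical minimum/maximum, or whose transmission time falls outside a mean ± k·σ interval, and keeps learning so the interval follows a network upgrade. The class name, the window size, k = 3 and the sample values are assumptions.

```python
import statistics
from collections import deque


class HeartbeatMonitor:
    """Per-device baseline for Token heartbeat checks (hypothetical names)."""

    def __init__(self, expected_refer, window=1000, k=3.0, min_samples=5):
        self.expected_refer = expected_refer        # preset HTTP request source
        self.connect_times = deque(maxlen=window)   # historical connection durations
        self.transit_times = deque(maxlen=window)   # historical device-to-cloud times
        self.k = k                                  # interval width in sigmas (assumed)
        self.min_samples = min_samples              # no timing verdict before this

    def learn(self, connect_time, transit_time):
        self.connect_times.append(connect_time)
        self.transit_times.append(transit_time)

    def connect_range(self):
        """Historical connection-time range: minimum and maximum in the window."""
        return min(self.connect_times), max(self.connect_times)

    def transit_interval(self):
        """Historical return threshold modelled as mean +/- k * sigma."""
        mean = statistics.fmean(self.transit_times)
        sigma = statistics.pstdev(self.transit_times)
        return mean - self.k * sigma, mean + self.k * sigma

    def observe(self, heartbeat, transit_time):
        """Return the list of anomaly reasons; any reason means: rotate the Token."""
        reasons = []
        if heartbeat["refer"] != self.expected_refer:
            reasons.append("refer")
        if len(self.transit_times) >= self.min_samples:
            lo, hi = self.connect_range()
            if not lo <= heartbeat["connect_time"] <= hi:
                reasons.append("connect_time")
            lo, hi = self.transit_interval()
            if not lo <= transit_time <= hi:
                reasons.append("transit_time")
        # The baseline is dynamic: the sample is learned even when flagged,
        # which is what lets the interval shrink after a network upgrade.
        self.learn(heartbeat["connect_time"], transit_time)
        return reasons


def simulate_network_upgrade():
    """Constructed scenario: transmission time drops from ~0.1 s to ~0.01 s."""
    refer = "https://ops.example.invalid/agent"     # constructed value
    monitor = HeartbeatMonitor(refer, window=10)
    for i in range(10):                             # history before the upgrade
        monitor.learn(0.20 + 0.01 * i, 0.095 + 0.001 * i)
    hb = {"refer": refer, "uuid": "uuid-a", "connect_time": 0.25}
    first = monitor.observe(hb, 0.010)              # first fast transmission
    for i in range(10):                             # device keeps using the fast link
        monitor.observe(hb, 0.009 + 0.001 * (i % 3))
    later = monitor.observe(hb, 0.010)              # same value, adapted baseline
    return first, later, monitor.transit_interval()


if __name__ == "__main__":
    print(simulate_network_upgrade())
```
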
Further, the big data platform can also judge the security of the data information carried in the first information.
In one possible example, the big data platform samples the data format, the data naming and the field-related information of the data information carried in the first information, so as to obtain the data characteristics of that data information. The big data platform then compares the obtained data characteristics with the historical data characteristics. When the similarity between the obtained data characteristics and the historical data characteristics is greater than or equal to a similarity threshold, the big data platform determines that the data carried in the first information is legal; otherwise, it determines that the data carried in the first information is illegal. The cases in which the data carried in the first information is illegal include: the data carried in the first information is forged, or the data carried in the first information was intercepted in the transmission process. When the big data platform determines that the data carried in the first information is illegal, it triggers the cloud to send a new Token to the target terminal device, so that the target terminal device communicates with the cloud according to the new Token.
It should be noted that, when the big data platform samples the data carried in the first information, a plurality of data characteristic values may be generated according to the data type. For example, when the first information carries log data, performance data and alarm information, the big data platform can sample the log data, the performance data and the alarm information separately and generate a sampling characteristic value of the log data, a sampling characteristic value of the performance data and a sampling characteristic value of the alarm information.
In one possible example, take the case where the data carried in the first information is log data. When the big data platform samples the log data carried in the first information, it can collect the data name of the log data, the format information of the log data and the field information of the log data. The format of the log data mainly comprises two types: a log file in units of records and a log file in units of data blocks. The log file in units of records includes a start (Start Transaction) flag for each transaction, an end (Commit or Rollback) flag for each transaction, and all update operations of each transaction; the start flag, the end flag and each update operation of a transaction each form a log record (Log Record). The log file in units of data blocks mainly includes: the transaction identification, the type of operation, the object of operation, the old value of the data before the update, and the new value of the data after the update.
In another possible example, the big data platform may sample the historically received data information of the target terminal device, resulting in historical feature data. And then comparing the historical characteristic data with the data information carried by the first information, and determining that the first information is abnormal in the transmission process when the change of the historical characteristic data in the data information carried by the first information exceeds a preset threshold value.
In one possible example, the data information of the target terminal device received by the big data platform includes: device list data, device alarm data and device log data. For the device list data: a data center has a large number of devices such as servers, storage and network equipment, and in addition to normal operation the devices undergo on/off shelf operations, which are low-frequency operations. To reduce the noise caused by on/off shelf operations when determining the historical characteristic data of the device list data, the big data platform can sample, at a proportion of 10%, the unchanged part of the device list data received in the past 1 month, and use the sampled data as the historical characteristic data. For the device alarm data: alarm data has a periodic characteristic. For example, business changes in a data center are often planned and rhythmic; they trigger device alarms, so the alarm information is periodic. The big data platform can therefore generate a periodic curve from the alarm statistics of the past year and use the periodic curve as the historical characteristic data. For the device log data: the device log data contains a fixed log portion (e.g., component configuration information of the device) and also contains time-series log information (e.g., event logs). The configuration-class log data is sampled in the same way as the device list data. For the time-series log data, the latest 10 log records in each batch of data received in the previous 7 days are taken as the historical characteristic data.
Further, the big data platform compares the historical characteristic data of the device list data with the device list data carried by the first information; when the change of the historical characteristic data in the device list data carried by the first information exceeds 20%, it can be determined that the first information is abnormal in the transmission process. The big data platform compares the historical characteristic data of the alarm data with the alarm data carried by the first information; when the change of the historical characteristic data in the alarm data carried by the first information exceeds 20%, the first information can be determined to be abnormal in the transmission process. When the big data platform judges the log data of the target terminal device, for configuration-class log data it compares the historical characteristic data of the configuration-class log data with the configuration-class log data carried in the first information; when the change of the historical characteristic data in the configuration-class log data carried in the first information exceeds 20%, the first information is determined to be abnormal in the transmission process. For time-series log data, it matches the historical characteristic data against the time-series log data carried by the first information; when the proportion of historical characteristic data that fails to match the time-series log data carried by the first information exceeds 40%, the first information is determined to be abnormal in the transmission process. The above embodiment is explained using the case in which the big data platform samples the data uploaded by one terminal device.
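The sampling and comparison just described for device list or configuration-class data (10% sample of the unchanged part, 20% change limit) and for time-series logs (last 10 records per batch, 40% mismatch limit), as an added example that is not code from the patent. The function names and sample records are constructed, the alarm periodic curve is left out, and treating a time-series record as "matched" when it reappears in the uploaded log is an assumption.

```python
import random

LIST_CHANGE_LIMIT = 0.20    # device list / configuration-class data
TS_MISMATCH_LIMIT = 0.40    # time-series log data
SAMPLE_RATIO = 0.10         # proportion sampled from the unchanged part


def unchanged_part(snapshots):
    """Entries (key -> value) that are identical in every historical snapshot."""
    first, *rest = snapshots
    return {k: v for k, v in first.items()
            if all(s.get(k) == v for s in rest)}


def sample_features(stable, ratio=SAMPLE_RATIO, seed=0):
    """Sample a fixed proportion of the unchanged entries as historical features."""
    keys = sorted(stable)
    count = max(1, round(len(keys) * ratio))
    chosen = random.Random(seed).sample(keys, count)
    return {k: stable[k] for k in chosen}


def change_ratio(features, current):
    """Share of historical features whose value differs, or is gone, in current data."""
    changed = sum(1 for k, v in features.items() if current.get(k) != v)
    return changed / len(features)


def timeseries_features(batches, per_batch=10):
    """Latest `per_batch` records of every batch received in the history window."""
    features = []
    for batch in batches:
        features.extend(batch[-per_batch:])
    return features


def mismatch_ratio(features, current_log):
    """Share of historical records that cannot be found in the uploaded log."""
    present = set(current_log)
    missing = sum(1 for record in features if record not in present)
    return missing / len(features)


def check_first_information(list_features, ts_features, current_list, current_log):
    """Return the data kinds that look abnormal; an empty list means none."""
    abnormal = []
    if change_ratio(list_features, current_list) > LIST_CHANGE_LIMIT:
        abnormal.append("list_or_config_data")
    if mismatch_ratio(ts_features, current_log) > TS_MISMATCH_LIMIT:
        abnormal.append("time_series_log")
    return abnormal


if __name__ == "__main__":
    # Constructed history: three device-list snapshots, one entry changed once.
    snapshots = [{f"srv-{i:02d}": "model-A" for i in range(50)} for _ in range(3)]
    snapshots[1]["srv-07"] = "model-B"          # on/off shelf noise, excluded
    list_features = sample_features(unchanged_part(snapshots))

    # Constructed history: 7 daily batches of event-log records.
    batches = [[f"day{d}-event{r}" for r in range(12)] for d in range(7)]
    ts_features = timeseries_features(batches)

    genuine_log = [rec for batch in batches for rec in batch]
    forged_list = {k: "model-X" for k in snapshots[0]}
    print(check_first_information(list_features, ts_features, snapshots[0], genuine_log))
    print(check_first_information(list_features, ts_features, forged_list, []))
```
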
In another possible example, when the cloud is accessed by many terminal devices, the big data platform may sample at equal intervals when sampling the data uploaded by the target terminal devices connected to the cloud. For example, when the number of target terminal devices accessed by the cloud is 30, the big data platform can extract the data of the 1st, 5th, 10th, 15th, 20th, 25th and 30th target terminal devices for sampling analysis.
In this embodiment, after receiving data sent by a target terminal device, the cloud actively analyzes the data transmission process of the target terminal device based on behavior analysis and the dynamic sensing technology of big data, thereby ensuring the security of the data transmission channel.
S507, the big data platform sends the verification result of the first information to the cloud, and triggers the cloud to update Token information of the target terminal device.
In this embodiment, after the cloud terminal receives the first information sent by the target terminal device, the cloud terminal verifies the security of the transmission process of the first information through the big data platform. When the first information transmission process is determined to be incomplete, the cloud end needs to update the Token when the target terminal equipment is in communication, so that the communication safety of the target terminal equipment and the cloud end is ensured. Specifically, when the safety of the target terminal device in communication with the cloud is judged, whether the transmission process of the target terminal device and the cloud is safe or not is determined by verifying the validity of Token carried by the target terminal device in communication with the cloud and verifying the validity of data carried by the target terminal device in communication with the cloud.
After receiving the updated Token information sent by the cloud, the target terminal device sends second information to the cloud by using the updated Token information. Wherein the second information includes: updated Token information, and data information generated when the target terminal device operates.
S508, the big data platform analyzes the data information carried in the first information and generates an operation and maintenance instruction for the target terminal device.
In this embodiment, after the cloud receives the first information sent by the target terminal device, the security of the transmission process of the first information is determined first. Only if the transmission process of the first information is secure does the big data platform analyze the data information carried in the first information to determine whether the operation of the target terminal device is abnormal. When the big data platform determines that the data carried in the first information is abnormal (the "abnormality" here refers to an abnormality of the target terminal device, not an abnormality generated in the data transmission process), the big data platform generates an operation and maintenance instruction for the target terminal device according to the abnormality, and sends the generated operation and maintenance instruction to the target terminal device through the cloud.
In the embodiment of the application, a feature set is established for the access behavior of the target terminal device, and whether the behavior of the target terminal device connected to the cloud is abnormal is analyzed according to the feature set, so as to identify whether a security hole exists in the data transmission channel between the target terminal device and the cloud. When a security hole exists in the data transmission channel between the target terminal device and the cloud, it can be quickly repaired. Further, in the embodiment of the application, the target terminal device accesses the cloud according to the pre-generated registration code, so that the cloud can assign specific security policies to different target terminal devices and actively perform security management, for example by setting the registration expiration time, the registration connection number, the Token expiration time, and so on.
Fig. 7 is a flow chart of another method for remote access to data center operation data according to an embodiment of the present application. The method can be applied to the application scenario shown in fig. 1. In the application scenario shown in fig. 1, the first computing device located on the far-end side may be replaced with a large data platform. Referring to fig. 7, the method includes: S701-S708.
S701, a client registers on a big data platform and acquires a registration code generated by the big data platform according to client information.
S702, the client acquires a root certificate and a big data platform certificate from the big data platform, and the acquired root certificate and big data platform certificate are imported to the target terminal equipment.
S703, the target terminal device authenticates the big data platform.
S704, the target terminal device establishes a connection channel with the big data platform according to the registration code.
S705, the target terminal equipment sends first information to a big data platform; the first information carries data information generated when the target terminal equipment operates and Token information when the target terminal equipment and the big data platform communicate.
S706, the big data platform verifies the first information, when the first information is abnormal, S707 is executed, otherwise S708 is executed.
S707, the big data platform sends second information to the target terminal equipment, wherein the second information comprises: updated Token information.
S708, the big data platform analyzes the data information carried in the first information and generates an operation and maintenance instruction for the target terminal equipment.
It should be noted that for the specific implementation of S701 to S708, reference may be made to S501 to S508; the details are not repeated here.
Based on the method in the above embodiment, the present application provides a computer-readable storage medium storing a computer program which, when executed on a processor, causes the processor to perform the method in the above embodiment.
Based on the method in the above embodiment, the present application provides a computer program product which, when run on a processor, causes the processor to perform the method in the above embodiment.
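The platform-side handling in S704 to S708, with the token, heartbeat-time, heartbeat-source and historical-feature checks this document describes, can be sketched as follows. This is an added illustration, not code from the patent or its applicant; the class and method names, the 20 to 40 second heartbeat range, the 0.5 mismatch threshold, single-use registration codes, and the reading of the heartbeat "transmission time" as the spacing between consecutive heartbeats are all assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed policy values; the document only says they are "preset".
HEARTBEAT_RANGE = (20.0, 40.0)  # allowed seconds between consecutive heartbeats
MATCH_FAIL_THRESHOLD = 0.5      # allowed share of records unseen in history


@dataclass
class Session:
    token: str
    source: str            # source seen when the token was issued
    last_heartbeat: float  # time of the last accepted message
    features: set = field(default_factory=set)  # historical feature data


class Platform:
    """Hypothetical platform-side model of S704 to S708."""

    def __init__(self, registration_codes):
        # registration code -> expiration time (constructed sample policy)
        self.codes = dict(registration_codes)
        self.sessions = {}

    def register(self, device_id, code, source, now):
        """S704: accept a valid, unexpired registration code and issue a token."""
        expiry = self.codes.get(code)
        if expiry is None or now > expiry:
            return None
        del self.codes[code]  # assumption: one connection per registration code
        token = secrets.token_urlsafe(32)
        self.sessions[device_id] = Session(token, source, now)
        return token

    def check(self, device_id, token, source, sent_at, records):
        """S706: list every anomaly found in the first information."""
        s = self.sessions[device_id]
        anomalies = []
        # Constant-time comparison with the stored token.
        if not hmac.compare_digest(token.encode(), s.token.encode()):
            anomalies.append("token_mismatch")
        low, high = HEARTBEAT_RANGE
        if not low <= sent_at - s.last_heartbeat <= high:
            anomalies.append("heartbeat_time")
        if source != s.source:
            anomalies.append("heartbeat_source")
        if s.features and records:
            misses = sum(1 for r in records if r not in s.features)
            if misses / len(records) > MATCH_FAIL_THRESHOLD:
                anomalies.append("feature_mismatch")
        return anomalies

    def handle(self, device_id, token, source, sent_at, records):
        """S706, then S707 (update the token) or S708 (analyze the data)."""
        anomalies = self.check(device_id, token, source, sent_at, records)
        s = self.sessions[device_id]
        if anomalies:
            # S707: the old token stops working at once. Sending the updated
            # token to the registered device is outside this sketch.
            s.token = secrets.token_urlsafe(32)
            return {"action": "update_token", "anomalies": anomalies}
        s.last_heartbeat = sent_at
        s.features.update(records)  # accepted data extends the history
        return {"action": "analyze", "anomalies": []}


if __name__ == "__main__":
    p = Platform({"RC-EXAMPLE": 100.0})  # constructed registration code
    tok = p.register("bmc-01", "RC-EXAMPLE", "10.0.0.5", now=10.0)
    print(p.handle("bmc-01", tok, "10.0.0.5", 40.0, ["device_list", "alert"]))
    print(p.handle("bmc-01", "stale", "203.0.113.9", 45.0, ["unknown"]))
```

Because the token is replaced as soon as any check fails, a message that still carries the previous token is itself reported as `token_mismatch` until the device has received the updated one.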
It should be understood that, the sequence number of each step in the foregoing embodiment does not mean the execution sequence, and the execution sequence of each process should be determined by the function and the internal logic of each process, and should not limit the implementation process of the embodiment of the present application in any way. In addition, in some possible implementations, each step in the foregoing embodiments may be selectively performed according to practical situations, and may be partially performed or may be performed entirely, which is not limited herein.
The method steps in the embodiments of the present application may be implemented by hardware, or may be implemented by a processor executing software instructions. The software instructions may consist of corresponding software modules, which may be stored in random access memory (RAM), flash memory, read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the flows or functions according to the embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted via a computer-readable storage medium. The computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center in a wired manner (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or a wireless manner (e.g., infrared, radio, microwave). The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a solid state disk (SSD)), or the like.
It will be appreciated that the various numerals referred to in the embodiments of the present application are merely for ease of description and are not intended to limit the scope of the embodiments of the present application.

Claims (23)

1. A data transmission method applied to a first computing device, the method comprising:
receiving registration code information sent by target terminal equipment;
verifying whether the registration code information is legal or not;
if the registration code information is legal, sending token information to the target terminal equipment;
receiving data information sent by target terminal equipment and token information associated with the data information;
comparing the token information sent by the target terminal device with the token information stored in the first computing device or matching the data information with the historical characteristic data stored in the first computing device, and determining whether the transmission process of the data information and the token information is abnormal;
and if the transmission process of the data information and the token information is not abnormal, establishing communication between the first computing equipment and the target terminal equipment.
2. The method according to claim 1, wherein comparing the token information sent by the target terminal device with the token information stored in the first computing device, and determining whether an abnormality occurs in the data information and the transmission process of the token information, comprises:
comparing the token information sent by the target terminal device with the token information stored in the first computing device, and determining that the transmission process of the data information and the token information is abnormal when the token information sent by the target terminal device is different from the token information stored in the first computing device.
3. The method according to claim 1 or 2, wherein comparing the token information sent by the target terminal device with the token information stored in the first computing device, and determining whether an abnormality occurs in the transmission process of the data information and the token information, includes:
acquiring a heartbeat data packet in the token information;
determining the transmission time of the heartbeat data packet, comparing the transmission time with a preset time range, and determining that the transmission process of the data information and the token information is abnormal when the transmission time is not in the preset time range.
4. The method of claim 3, wherein comparing the token information sent by the target terminal device with the token information stored in the first computing device, and determining whether an abnormality occurs in the data information and the transmission process of the token information, comprises:
comparing the source of the heartbeat data packet with the source of the historical heartbeat data packet received by the first computing device, and determining that the transmission process of the data information and the token information is abnormal when the source of the heartbeat data packet is different from the source of the historical heartbeat data packet received by the first computing device.
5. The method of claim 1, wherein a big data platform is deployed on the first computing device, and wherein matching the data information with the historical feature data stored in the first computing device to determine whether an abnormality occurs in the transmission process of the data information and the token information comprises:
and the big data platform matches the data information with the historical characteristic data, and when the matching failure rate of the historical characteristic data and the data information is higher than a preset threshold value, the transmission process of the data information and the token information is determined to be abnormal.
6. The method of claim 5, wherein the data information comprises: at least one of device list data, device alert data, log data for the device.
7. The method of claim 6, wherein the method further comprises: determining the historical feature data;
the determining the historical feature data includes:
the big data platform acquires the received historical data information of the target terminal equipment to obtain historical characteristic data; or the big data platform takes the occurrence period of the data with periodicity in the received historical data of the target terminal equipment as the historical characteristic data.
8. The method according to claim 1, wherein the method further comprises:
if the transmission process of the data information and the token information is abnormal, first information is sent to the target terminal equipment, the first information is used for indicating the target terminal equipment to communicate with the first computing equipment according to the first information, and the first information comprises: updated token information.
9. The method according to claim 1, wherein the receiving the registration code information sent by the target terminal device includes:
and the first computing equipment receives the registration code information sent by the target terminal equipment through the cloud.
10. The method of claim 1, wherein prior to receiving the data information sent by the target terminal device and the token information associated with the data information, the method further comprises:
receiving registration information of the target terminal equipment input by a user; the registration information includes: at least one of organization information, contact information, mailbox information and authorization signature of the target terminal device;
automatically determining access site information of the target terminal equipment according to the registration information; the access site information includes: the access site, the access area and the access protocol of the target terminal equipment;
receiving a first operation of a user, wherein the first operation is used for indicating to generate a registration code for target terminal equipment; the registration code is used for accessing the first computing device;
and responding to the first operation, and generating a registration code for the target terminal equipment according to the registration information of the target terminal equipment and the access site information of the target terminal equipment.
11. A data sending method applied to a cloud, the method comprising:
receiving registration information of target terminal equipment input by a user; the registration information includes: at least one of organization information, contact information, mailbox information and authorization signature of the target terminal device;
automatically determining access site information of the target terminal equipment according to the registration information; the access site information includes: the access site, the access area and the access protocol of the target terminal equipment;
receiving a first operation of a user, wherein the first operation is used for indicating to generate a registration code for target terminal equipment; the registration code is used for accessing the target terminal equipment to the first computing equipment;
generating a registration code for the target terminal device according to the registration information of the target terminal device and the access site information of the target terminal device in response to the first operation;
and receiving a registration code of target terminal equipment sent by a user, and generating token information for the target terminal equipment under the condition that the registration code is legal, wherein the token information is used for comparing with the token information stored in first computing equipment so as to determine whether the transmission process of the token information between the target terminal equipment and the first computing equipment is abnormal or not.
12. The method of claim 11, wherein receiving registration information of the target terminal device input by the user comprises:
acquiring registration information of the target terminal equipment input by the user through a registration interface of the cloud; the registration interface includes: a web page registration interface.
13. A data transmission method applied to a target terminal device, the method comprising:
acquiring a registration code, wherein the registration code is generated by inputting registration information of target terminal equipment on first computing equipment for registration;
transmitting a registration code to the first computing device or cloud to determine whether the registration code is legal;
when the registration code is legal, receiving token information sent by the first computing device or the cloud; the token information is used for indicating the target terminal equipment to communicate with the first computing equipment according to the token information;
transmitting first information to the first computing device, the first information comprising: the data information sent by the target terminal equipment and the token information associated with the data information are used for comparing the token information with the token information stored in the first computing equipment so as to determine whether the transmission process of the token information between the target terminal equipment and the first computing equipment is abnormal or not.
14. A data processing system, the system comprising:
the target terminal equipment is used for sending registration code information to the first computing equipment;
a first computing device for verifying whether the registration code information is legitimate; if the registration code information is legal, sending token information to the target terminal equipment;
the target terminal device is further used for sending the data information of the target terminal device and the token information associated with the data information to the first computing device;
the first computing device is further used for comparing the token information sent by the target terminal device with the token information stored in the first computing device or matching the data information with the historical characteristic data stored in the first computing device, and determining whether the transmission process of the data information and the token information is abnormal or not; and if the transmission process of the data information and the token information is not abnormal, establishing communication between the first computing equipment and the target terminal equipment.
15. The system of claim 14, wherein the data processing system further comprises a cloud; the cloud is used for:
receiving registration information of the target terminal equipment input by a user; the registration information includes: at least one of organization information, contact information, mailbox information and authorization signature of the target terminal device;
automatically determining access site information of the target terminal equipment according to the registration information; the access site information includes: the access site, the access area and the access protocol of the target terminal equipment;
receiving a first operation of a user, wherein the first operation is used for indicating to generate a registration code for target terminal equipment; the registration code is used for accessing the first computing device;
and responding to the first operation, and generating a registration code for the target terminal equipment according to the registration information of the target terminal equipment and the access site information of the target terminal equipment.
16. The system of claim 14, wherein the target terminal device is further configured to:
acquiring a registration code, wherein the registration code is generated by inputting registration information of target terminal equipment on first computing equipment for registration;
transmitting a registration code to a first computing device or cloud to determine whether the registration code is legal;
when the registration code is legal, receiving token information sent by the first computing device or the cloud; the token information is used for indicating the target terminal equipment to communicate with the first computing equipment according to the token information;
transmitting first information to the first computing device, the first information comprising: the data information sent by the target terminal equipment and token information associated with the data information.
17. The system of any of claims 14-16, wherein the first computing device is further to:
receiving registration code information sent by the target terminal equipment;
verifying whether the registration code information is legal or not;
and if the registration code information is legal, sending token information to the target terminal equipment.
18. The system of claim 14, wherein the first computing device further comprises: a big data platform for:
comparing the token information sent by the target terminal device with the token information stored in the first computing device, and determining that the transmission process of the data information and the token information is abnormal when the token information sent by the target terminal device is different from the token information stored in the first computing device.
19. The system of claim 14, wherein the first computing device further comprises: a big data platform for:
acquiring a heartbeat data packet in the token information;
determining the transmission time of the heartbeat data packet, comparing the transmission time with a preset time range, and determining that the transmission process of the data information and the token information is abnormal when the transmission time is not in the preset time range.
20. The system of claim 19, wherein the first computing device further comprises: a big data platform for:
comparing the source of the heartbeat data packet with the source of the historical heartbeat data packet received by the big data platform, and determining that the transmission process of the data information and the token information is abnormal when the source of the heartbeat data packet is different from the source of the historical heartbeat data packet received by the big data platform.
21. The system of claim 14, wherein the first computing device further comprises: a big data platform for:
and the big data platform matches the data information with the historical characteristic data, and when the matching failure rate of the historical characteristic data and the data information is higher than a preset threshold value, the transmission process of the data information and the token information is determined to be abnormal.
22. The system of claim 14, wherein the first computing device further comprises: a big data platform, the big data platform further configured to:
when the transmission process of the data information and the token information is abnormal, the first computing device is instructed to send first information to the target terminal device, the first information is used for instructing the target terminal device to communicate with the first computing device according to the first information, and the first information comprises: updated token information.
23. A computing device, comprising:
at least one memory for storing a program;
at least one processor for executing the memory-stored program, which processor is adapted to perform the method of any one of claims 1-10, or of any one of claims 11-12, or of claim 13, when the memory-stored program is executed.
CN202211007313.0A 2022-08-22 2022-08-22 Data transmission method, data processing system and computing device Active CN115333847B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211007313.0A CN115333847B (en) 2022-08-22 2022-08-22 Data transmission method, data processing system and computing device


Publications (2)

Publication Number Publication Date
CN115333847A CN115333847A (en) 2022-11-11
CN115333847B CN115333847B (en) 2024-03-19

Family

ID=83925157

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211007313.0A Active CN115333847B (en) 2022-08-22 2022-08-22 Data transmission method, data processing system and computing device

Country Status (1)

Country Link
CN (1) CN115333847B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant