CN115913663A - Data security protection method and system, storage medium and computer equipment - Google Patents
Data security protection method and system, storage medium and computer equipment Download PDFInfo
- Publication number
- CN115913663A CN115913663A CN202211347552.0A CN202211347552A CN115913663A CN 115913663 A CN115913663 A CN 115913663A CN 202211347552 A CN202211347552 A CN 202211347552A CN 115913663 A CN115913663 A CN 115913663A
- Authority
- CN
- China
- Prior art keywords
- data
- security
- strategy
- things system
- security level
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
- Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a data security protection method and system, a storage medium and computer equipment, wherein the method comprises the following steps: dividing data safety protection aiming at the electric power Internet of things system into a plurality of target safety levels based on a system framework of the electric power Internet of things system; the target security level comprises at least one of a perception security level, a network security level, a platform security level and an application security level; matching corresponding target security policies to each target security level; and carrying out data security protection on the power Internet of things system by using the target security strategy corresponding to each target security level. The invention realizes multiple aspects and all-around angles to solve the possible data safety risk in the power grid intelligent Internet of things system, and ensures the safe, reliable and stable operation of the power grid intelligent Internet of things system to the maximum extent.
Description
Technical Field
The invention relates to the technical field of network data security protection, in particular to a data security protection method and system, a storage medium and computer equipment.
Background
The existing power internet of things realizes intellectualization on the basis of the traditional power internet of things, is also called as a smart power grid or a power grid 2.0, is established on the basis of an integrated high-speed bidirectional communication network, and realizes the purposes of reliability, safety, economy, high efficiency, environmental friendliness and safe use of the power grid through the application of advanced sensing and measuring technology, advanced equipment technology, advanced control method and advanced decision support system technology. At present, an electric power enterprise creates an electric network intelligent Internet of things system based on a smart electric network, interconnection of a large number of sensing devices is achieved, compared with the traditional electric power Internet of things, the connected devices are more and wider in range, and a large number of related devices and systems on the electric network side and the user side are involved. At present, a power grid company creates a power grid smart internet of things system based on the above technology, and generally thinks that the power grid smart internet of things system comprises a power grid link and an integrated energy service link, wherein the integrated energy service link is a potential service growth point of the future power grid company. Because the traditional power grid enterprises do not completely provide public services to the outside, the security defense system still adopts the traditional isolation means and does not have stable security protection capability, and in the future, if a leak occurs due to the user data security protection of the power grid intelligent Internet of things system, once information such as client electricity, energy consumption associated geographic information, electronic bills and the like is leaked, serious accidents can be caused. With hundreds of millions of things connected to a power grid, credible interconnection safety interaction needs to be realized for the safety of a smart things connected system of the power grid in the future, and a new generation of intelligent defense system needs to be constructed urgently.
Disclosure of Invention
In view of the above problems, the invention provides a data security protection method for an electric power internet of things system, which analyzes potential data security risks of the electric power internet of things system from a sensing layer, a network layer, a platform layer and an application layer respectively by establishing a data security architecture for the electric power internet of things system, and ensures safe, reliable and stable operation of the electric power internet of things system to the maximum extent.
According to a first aspect of the present invention, a data security protection method is provided, which is applied to an electric power internet of things system, and includes:
dividing data safety protection aiming at the electric power Internet of things system into a plurality of target safety levels based on a system framework of the electric power Internet of things system; the target security level comprises at least one of a perception security level, a network security level, a platform security level and an application security level;
matching corresponding target security policies to the target security levels;
and carrying out data security protection on the power Internet of things system by using the target security policy corresponding to each target security level.
Optionally, the matching of the target security level with the corresponding target security policy includes:
matching at least one of a corresponding perception layer identity authentication strategy, a terminal encryption access strategy, a terminal abnormity monitoring strategy and an equipment safety updating strategy to the perception safety layer;
the sensing layer identity authentication strategy is to establish a data acquisition terminal identity authentication mechanism based on a Merlde tree structure;
the terminal encryption access strategy is encryption access when strengthening terminal integration software through PKI-based identity authentication;
the terminal abnormity monitoring strategy is characterized in that an artificial intelligence technology is adopted to model a terminal behavior logic so as to realize automatic analysis and/or strategy matching aiming at terminal instability and randomness;
the equipment safety updating strategy is to set an equipment updating reminding mechanism so as to realize the regular updating of the equipment firmware.
Optionally, the establishing of the data acquisition terminal identity verification mechanism based on the Merlde tree structure includes:
deploying respective corresponding identity parameters for at least one terminal node, and calculating the hash value of each terminal node as the root hash value of a subtree according to the identity parameters; the terminal nodes comprise sensing nodes and data acquisition nodes; the sensing nodes are various sensors in the electric power Internet of things system; the data acquisition nodes are all data acquisition terminals in the electric power Internet of things system;
providing the root hash value to a corresponding super node; the super node is used for prestoring root hash values of subtrees in the jurisdiction area;
deploying respective corresponding identity parameters for at least one super node, calculating a hash value of each super node according to the identity parameters, and providing the hash value to a platform layer of the power Internet of things system; the platform layer prestores hash values of subtrees formed by the super nodes;
the tail end node transmits data to a platform layer through the super node and/or the convergence layer node;
wherein, the identity parameter comprises at least one of a number, an identification code, an encryption key and a decryption key.
Optionally, the matching, for each target security level, a corresponding target security policy further includes:
matching at least one of a corresponding air interface side data security policy, a corresponding transmission side data security policy and a corresponding core side data security policy to the network security level;
the air interface side data security policy is to provide slices of an air interface side for each power service in the power Internet of things system through a differentiated configuration and resource scheduling mode of a DRB;
the transmission side data security strategy is a soft isolation mechanism based on VLAN isolation and a hard isolation mechanism based on an SPN scheme and fusing an elastic Ethernet and a TDM technology;
the core side data security strategy is to provide a virtual hardware resource pool for the power Internet of things system by using a virtualization platform constructed by a NFv technology and configure various network functions for the power Internet of things system.
Optionally, the matching of the target security level with the corresponding target security policy further includes:
at least one of a strategy and a data open sharing strategy is constructed for the communication sub-tree corresponding to the platform security level;
the communication sub-tree construction strategy is to establish a tree structure-based general node transmission mechanism;
the data open sharing strategy is to establish a cloud platform and/or a big data platform to support the storage, sharing and/or integration functions of heterogeneous data.
Optionally, the matching of the target security level with the corresponding target security policy further includes:
matching at least one of a corresponding malicious intrusion detection strategy, a service independent operation strategy and a service data storage strategy to the application security level;
the malicious intrusion detection strategy is to establish an IDS intrusion detection mechanism for the electric power Internet of things system;
the service independent operation strategy is to configure each application service covered by the power Internet of things system based on a micro service architecture.
Optionally, the service data storage policy includes at least one of a user information privacy sub-policy and a service data configuration sub-policy;
the user information confidentiality sub-strategy is that a unified authority platform manages user information data so as to ensure the storage confidentiality of the user information data;
the business data configuration sub-strategy is to perform encryption storage on business data by using a national secret MD5 encryption algorithm, and store the business data by using a server-side database and/or an information intranet.
According to a second aspect of the present invention, there is provided a data security protection system applied to an electric power internet of things system, including:
the security layer dividing module is used for dividing data security protection aiming at the electric power Internet of things system into a plurality of target security layers based on a system framework of the electric power Internet of things system; the target security level comprises at least one of a perception security level, a network security level, a platform security level and an application security level;
the security policy matching module is used for matching corresponding target security policies to the target security levels;
and the security plan execution module is used for performing data security protection on the power Internet of things system by using the target security strategies corresponding to the target security levels.
According to a third aspect of the present invention, there is provided a storage medium having stored thereon a computer program which, when executed by a processor, causes the processor to perform the steps of the data security method according to any one of the first aspect of the present invention.
According to a fourth aspect of the present invention, there is provided a computer device, characterized by comprising a memory and a processor, wherein the memory stores a computer program, and the computer program, when executed by the processor, causes the processor to perform the steps of the data security method according to any one of the first aspect of the present invention.
According to the data safety protection method and system, the storage medium and the computer equipment, provided by the invention, the data safety protection aiming at the electric power Internet of things system is divided into a plurality of target safety levels through a system framework based on the electric power Internet of things system; the target security level comprises at least one of a perception security level, a network security level, a platform security level and an application security level; matching corresponding target security policies to the target security levels; and carrying out data security protection on the power Internet of things system by using the target security policy corresponding to each target security level. According to the invention, malicious attack behaviors such as counterfeit identity and man-in-the-middle attack are effectively inhibited, and DoS attack participated by a large number of malicious Internet of things nodes is avoided; cross-tenant and cross-host network attacks and information leakage are prevented, and data storage safety of the cloud platform is guaranteed; the integrity and the confidentiality of data are guaranteed; data can be prevented from being intercepted and tampered when a user uses the platform, and sensitive information is prevented from being leaked; the method and the system realize the service expansion according to the needs and provide safe data service and safe service for the outside.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
The above and other objects, advantages and features of the present invention will become more apparent to those skilled in the art from the following detailed description of specific embodiments thereof, taken in conjunction with the accompanying drawings.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a schematic flowchart illustrating a data security protection method according to an embodiment of the present invention;
FIG. 2 illustrates a topology diagram of a node connection of a sensing layer according to an embodiment of the present invention;
fig. 3 is a schematic flow chart illustrating data transmission between an end node and a super node according to an embodiment of the present invention;
fig. 4 shows a schematic structural diagram of a data security protection method system according to an embodiment of the present invention;
fig. 5 shows a physical structure diagram of a computer device according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
In addition, the data security protection method provided by the invention is applied to an electric power internet of things system, the electric power internet of things system is a power grid intelligent internet of things system created by a power grid company based on common power grid intellectualization, the power grid intelligent internet of things system is an intelligent service system which is constructed around each link and each department of the electric power system and has comprehensive perception, efficient strain and flexible processing under the support of communication technologies such as mobile interconnection, artificial intelligence and the like, the power grid intelligent internet of things system comprises a power grid link and a comprehensive energy service link, and in the following detailed description aiming at the method, the power grid intelligent internet of things system is used for replacing the electric power internet of things system.
The embodiment of the invention provides a data safety protection method, which is applied to an electric power Internet of things system, and as shown in fig. 1, the method at least comprises the following steps of S101-S103:
step S101, based on a system framework of the electric power Internet of things system, dividing data safety protection aiming at the electric power Internet of things system into a plurality of target safety levels.
Generally, a power grid intelligent internet of things system relates to a plurality of links such as source grid load storage and is a typical information physical system, and once a certain link goes wrong, the whole power grid is greatly influenced.
Therefore, the embodiment of the invention divides the data security protection aiming at the power grid intelligent internet of things system into a plurality of target security levels as follows: a perception security level, a network security level, a platform security level and an application security level.
The meaning and the main risks faced by each target security level are introduced as follows:
a perception security level: at present, the intelligent terminal is built on a very large scale in a power grid intelligent internet of things system, the intelligent terminal is observable and controllable basically, but the building level still needs to be further improved in the face of new potentials of large-scale access of new energy, structural change of a power grid, development of emerging industries and the like. The perception layer is used as the bottom layer, mainly relates to the perception of information and the processing of signals, and responds to the instruction that the upper layer sent immediately, that is to say, the perception layer mainly constitutes signal acquisition devices such as a large amount of all kinds of temperature and humidity sensors and current and voltage. The perception layer is used as a layer directly interacting with a user, and the risks of various perception processing devices directly concern the safety of the whole network. The risks facing the current sensing layer are mainly the following: direct physical attack or infection of the virus; communication data is monitored; a counterfeit identity; aiming at various attacks (such as Sybil attack, replay attack, man-in-the-middle attack, wormhole attack and the like) of the communication protocol of the Internet of things; denial of Service (DoS) attacks.
B, network security layer: the network layer is used for accessing and transmitting information from the sensing layer through the existing infrastructure such as the internet. In the power grid intelligent internet of things system, a network layer links a perception layer and a platform layer, and the power grid intelligent internet of things system has a strong link function. The network layer is mainly responsible for transmission of data information, and safety risks occur in the network layer, so that timely and effective transmission of data information of the sensing layer to the application layer can be directly prevented, and data risks are caused, and therefore the safe operation of the power internet of things is seriously threatened. In the future electric power internet of things, the service types are gradually increased, and if the service bearing channels are not isolated, service information is easy to leak. Network availability attacks, which are common risks of theft of data in the transmission of data information and stored data, occur primarily in the form of denial of service, resulting in communication failures or delays by depleting the communication and computing resources of the network.
C, platform safety aspect: at present, a platform layer is dedicated to large-scale internet of things platform construction work, and platform layer construction planning uses a large platform strategy and a medium platform strategy as in internet enterprises. The data can be effectively controlled by utilizing the server cluster and the large data center, and mass data information resources are integrated into network resources which can be interconnected and intercommunicated through super computing power, so that the problems of data storage, mining, protection and the like are solved. Whether the application layer positioned at the upper stage can provide perfect service products or not and the application scale directly depend on the data integration capability of the platform layer, so that the platform layer is a key ring in the construction of the smart internet of things system of the power grid. Under the condition of realizing mass downstream terminal adaptive access and network communication pipelines, the application value of the power grid intelligent Internet of things system is finally reflected in the platform and application construction of the cloud. In the service application for the transmission and transformation of the power system, the core capacity construction problem of a platform layer also exists, and the problems of acquisition, storage and integrated analysis and application of mass south-oriented heterogeneous data need to be solved.
And D, application of a safety layer: the application layer of the power grid smart internet of things system mainly faces to internal business and external business of a power grid company, wherein the internal business is only opened to the interior of the company, so that the related safety problem is relatively less. The external business is opened to the public, and according to the building outline of the power grid intelligent internet of things system, the external application layer is mainly used for improving the safe operation level of enterprises and the utilization level of energy at present. The application layer comprises an interface provided by a smart internet of things system of a power grid for a user, and relates to an externally published information platform, an APP public number, a small program and the like, and the risks of application cracking, unauthorized access, data leakage, identity counterfeit login and the like mainly exist. Emerging services of the power internet of things continuously emerge, new services are deduced in all links of power generation, power transmission, power distribution, power utilization and the like of a power system, and in the aspect of internal services, services such as customer service, power transaction, modern power enterprise intelligent supply chain, online power grid, operation and distribution link-up and the like are gradually developed; in the aspect of external services, services such as an internet of vehicles, source network load storage collaborative interaction, new energy cloud construction, comprehensive energy service, multi-station fusion development, virtual power plant operation, smart energy comprehensive service platform and the like are also comprehensively constructed. The traditional static management framework cannot meet the requirement of fast iteration of new services.
And S102, matching corresponding target security policies for each target security level.
Specifically, aiming at main risks faced by different target security levels, the embodiment of the present invention, which matches corresponding target security policies for each target security level, includes the following aspects:
a perception security level: and matching a corresponding sensing layer identity authentication strategy, a terminal encryption access strategy, a terminal abnormity monitoring strategy and an equipment security updating strategy on a sensing security layer.
A1: the sensing layer identity authentication strategy is to establish a data acquisition terminal identity authentication mechanism based on a Merlde tree structure. The data acquisition node interconnection scheme of the tree structure is established, and the Merlde tree is combined to form an identity verification chain of the acquisition nodes.
Specifically, a data acquisition terminal identity verification mechanism based on a Merlde tree structure is established, and hash values of all end nodes are calculated as root hash values of subtrees according to identity parameters by deploying respective corresponding identity parameters to at least one end node; the terminal nodes comprise sensing nodes and data acquisition nodes; the sensing nodes are various sensors in a power grid intelligent Internet of things system; the data acquisition nodes are data acquisition terminals in a power grid intelligent Internet of things system; providing the root hash value to the corresponding super node; the super node is used for prestoring root hash values of subtrees in the jurisdiction area; deploying respective corresponding identity parameters for at least one super node, calculating the hash value of each super node according to the identity parameters, and providing the hash value to a platform layer of a power grid smart internet of things system; the platform layer prestores hash values of subtrees formed by all super nodes; the end node transmits data to the platform layer through the super node and/or the sink layer node; the identity parameters include numbers, identification codes, encryption keys, decryption keys and the like.
Based on the above description, referring to the sensing layer node connection topology shown in fig. 2, the specific steps of the data acquisition terminal identity verification mechanism are as follows:
(1) Each end node (data acquisition node and sensing node) is preset with a unique serial number and an unique identification code before deployment (before delivery), and is internally provided with a symmetric encryption key (hardware encryption);
(2) Before each terminal node is deployed (before leaving factory), a hash value representing the identity of each terminal node is calculated according to a string of information of the number, the identification code and the secret key of each terminal node, and the hash value is provided for the super node so as to form a root hash value of a sub-tree;
(3) The super node prestores root hash values of subtrees in the jurisdiction area;
(4) Before deployment (before leaving factory), each super node is also preset with a unique number, an identification code and a symmetric encryption key based on hardware encryption, and a decryption key of a managed end node is also built in (namely, the key does not need to be transmitted in the communication process of two parties);
(5) Before each super node is deployed (before leaving factory), a hash value which is calculated based on the number, the identification code and the secret key of the super node and is used for identifying the identity of the super node is provided for the platform layer;
(6) The platform layer prestores the hash value of a subtree consisting of a group of super nodes (called top-level root hash value).
In fig. 2, the sensing nodes are various sensors, the data acquisition nodes are data acquisition terminals, both belong to the end equipment of the internet of things, and acquired data are transmitted into the platform layer by means of various communication networks of the network layer. If the terminal nodes and the sub-tree regions with weak capacity and too far distance exist, connection is carried out by adding the nodes of the convergence layer. And the convergence layer is transmitted into the platform layer through the network, so that data loss is prevented. Since the subtree root hash value is pre-stored in the super node before deployment, the hash value is used for verifying the credibility of the communication node in one subtree in the subsequent data communication process. It will be appreciated that based on the above steps, a secure connection between the end node and the platform tier is established.
Further, a data transmission process in which the end node transmits data to the super node and the super node summarizes data from the platform layer is shown in fig. 3, and a data transmission flow between the child node and the root node is as follows:
(1) Each child node forms a data string together with own equipment number, identification code and timestamp, and then carries out hash operation and encryption on the string information respectively.
(2) The child node transmits a packet composed of the hash value and the ciphertext to a receiver (parent node).
(3) The receiving party takes out the ciphertext from the message to decrypt, carries out hash operation on the plaintext, and compares the hash operation with the received hash value to prevent the message from being tampered. If the comparison fails, the receiving process is ended, and an error code is fed back to the sender. If the message is correct, the received identification code of the sender, the decryption key of the sender and the like are verified with the pre-stored subtree root hash value to complete the verification of the identity of the sender.
(4) After the verification passes, the timestamp of the received data is verified to ensure that no duplicate, invalid data is received.
(5) If the receiver is a super node, the collected data is temporarily stored and periodically sent to the platform layer; if the receiving party is a platform layer, the received data come from the super nodes, and after being collected to the database, subsequent data reliability verification can be carried out, so that risks such as false data injection can be found in time.
In the whole verification process, each node only needs to be proved to a father node of the node, namely, the identity of the node is verified by establishing the identity chain information of the terminal node, a credible communication environment is established, and malicious attack behaviors such as counterfeit identity, man-in-the-middle attack and the like are effectively inhibited. The end nodes do not have internet connection at first and only communicate with the root node, and the possibility of being controlled by an adversary through the internet does not exist; if some nodes have bugs and are utilized by attackers, direct intercommunication links do not exist between end nodes in the Merlde tree design, and the problem that the nodes of the same type are quickly infected by malicious codes is unlikely to occur. Because the root node has stronger precaution capacity and calculation capacity, a firewall mechanism and a stricter data access control strategy, other nodes cannot be allowed to be accessed without authorization, the direct communication between the terminal acquisition nodes can be avoided to the maximum extent, and the DoS attack participated by a large number of malicious nodes of the Internet of things is avoided.
A2: the terminal encryption access strategy is encryption access when the terminal integration software is strengthened through the PKI-based strong identity authentication.
That is, when the terminal integrates software, the enhanced encrypted access, especially the terminal with a part of installed clients, can be considered to join the enhanced identity authentication based on PKI.
A3: the terminal anomaly monitoring strategy is to adopt an artificial intelligence technology to model a terminal behavior logic so as to realize automatic analysis and/or strategy matching aiming at terminal instability and randomness.
That is to say, to the terminal unusual action in the electric wire netting wisdom thing allies oneself with the system, can adopt artificial intelligence technique to model the terminal action logic, reach the perception of security situation, realize comprehensive visual monitoring. Network behaviors and service execution conditions can be monitored and analyzed through communication flow, state acquisition at any time and any place is achieved, and risk early warning capability is improved. The artificial intelligence technology is utilized to carry out modeling analysis on the complex system, risk assessment on equipment and a network and fault diagnosis, so that the overall safety performance of the system can be improved. Aiming at the uncertainty and randomness of the terminal, the control strategy of realizing off-line analysis and on-line matching by combining the artificial intelligence technology effectively solves the defects of the traditional method in the aspects of accuracy and timeliness.
A4: the device security update strategy is to set a device update reminding mechanism so as to realize the regular update of the device firmware.
That is to say, by setting a regular device update reminder, the staff can perform conventional security patch and update on the internet of things device according to the device update reminder. Due to technological innovation, operating systems and application code face new security threats and vulnerabilities, and continuous upgrades are required to solve these problems. Considering that the ubiquitous power internet of things is huge in scale, compared with replacing outdated equipment on a large scale, updating firmware regularly is a reasonable solution. And the deployment of the firmware is ensured to be consistent, so that the network security loopholes can be repaired in time when risks appear in the following period, and the potential threat is relieved.
B: network security level: and matching the corresponding air interface side data security strategy, transmission side data security strategy and core side data security strategy to the network security level.
At present, aiming at the conditions that the service types of a power grid intelligent Internet of things system are gradually enriched and the power grid requires different services to meet physical isolation and difference quality guarantee, a 5G slicing technology can be utilized to provide a slicing channel meeting the physical isolation for the power grid intelligent Internet of things system service on three sides of an empty port, a transmission side and a core side. Wherein, the air interface side is used as an air interface for wireless access; the transmission side is equivalent to a bearing network side and bears the service data of a plurality of slices; the core side is equivalent to the core network side, is constructed based on virtualization infrastructure, and the deployment architecture of the core side is divided into a resource layer, a network function layer and a management layer.
B1: the air interface side data security strategy is to provide air interface side slices for each power service in the power grid intelligent internet of things system through the differentiated configuration and resource scheduling mode of the DRB.
On the air interface side, slices on the air interface side can be provided for different power services according to different DRBs, and the power industry is distinguished from other industries served by an operator through differentiated configuration and resource scheduling modes of the DRBs.
That is, the DRB data radio bearer is responsible for processing radio interface packets. Different types of DRBs can realize differentiated scheduling by configuring different parameters of a media access control layer, a radio link control layer and a packet data protocol layer. The air interface side is scheduled based on QOS, the network does not reserve wireless resources for the slice, the priority of the power industry is higher, and the priority of other industries is lower, so that the power industry can schedule the air interface resources preferentially, and the power industry can be distinguished from other industries served by an operator.
B2: the data security strategy at the transmission side is to set a soft isolation mechanism based on VLAN isolation and a hard isolation mechanism based on an SPN scheme fused with an elastic Ethernet and a TDM technology.
On the transmit side, both soft and hard isolation techniques may be used. The soft isolation scheme can be accomplished by mapping VLAN tags to network slice identities based on existing network mechanisms. Because the network slice has the unique slice identifier, different VLAN tags can be mapped and encapsulated for different slice data according to the slice identifier, and the isolation of the network slice in the carrier network is realized through VLAN isolation. However, the soft isolation cannot achieve the isolation of hardware and time slot layers, and after scheduling, the soft isolation and the time slot layers are still mixed together for scheduling and forwarding, so that the hard isolation cannot be achieved. And the hard isolation introduces an SPN scheme, combines the advantages of the elastic Ethernet and the TDM technology, ensures high-efficiency bearing and can ensure the quality of safe lease service. The use of bonding the elastic ethernet or FlexE with SPN can flexibly enable the creation of a smaller physical channel from a larger physical link to ensure quality of service (QoS) and inter-transport layer slice isolation. Specifically, a Time Division Multiplexing (TDM) can be introduced into the resilient ethernet to realize decoupling of the MAC layer and PHY layer interface transceivers, thereby improving the flexibility of ethernet networking.
B3: the core side data security strategy is that a virtualization platform constructed by utilizing NFv technology provides a virtual hardware resource pool for the power grid intelligent internet of things system, and various network functions are configured for the power grid intelligent internet of things system.
On the core side, in order to meet the requirement of power grid service isolation, a unified virtualization platform can be constructed by using a NFv technology. The platform provides a special virtual hardware resource pool for a power grid, and flexibly configures various network functions based on different requirements of the power grid to form a network slice with high safety and usability. Aiming at the security risk caused by the channel opening characteristic of a wireless private network and a public network in data information transmission, effective measures are mainly adopted to ensure the access and transmission security of the wireless private network and the public network, so that when key equipment really needs to transmit data through a wireless network, VPN or APN service can be applied, and through an end-to-end security cipher algorithm, the data transmission of the wireless network is effectively ensured to have stronger confidentiality and integrity, and the data security risk is avoided.
In addition, denial of service attacks are the main threats faced by ubiquitous power internet of things, and therefore an effective network layer software solution is needed to defend the denial of service attacks. The IP fast skip hides the communication content of the client and the target server, and the real IP address exists behind a large number of IP addresses of a plurality of routers in different networks to prevent the destination address of network traffic from being identified.
C: platform safety aspect: and establishing a strategy and a data open sharing strategy for the communication subtree matched with the platform security level.
C1: the communication sub-tree construction strategy is to establish a universal node transmission mechanism based on a tree structure.
The platform layer is the center of the whole system architecture, the acquisition and storage of south data and the analysis, application and sharing of north data are realized, and in order to avoid overlarge information amount caused by too many nodes, because a method for constructing a sub-tree is also adopted in the platform layer, super nodes with similar functions and similar tasks are formed into a logic area, so that the number of the super nodes in the logic area is limited, and the communication and calculation pressure possibly generated when the platform layer processes the information of all the super nodes is reduced; each super node similar to the sensing layer only communicates with the father node, and only proves itself to the father node. Therefore, too much resources are invested in the super nodes for calculation and storage, and communication pressure brought to a network layer and possibility of spreading malicious codes due to mutual contact among the super nodes are avoided.
C2: the data open sharing strategy is to establish a cloud platform and/or a big data platform to support the storage, sharing and/or integration functions of heterogeneous data.
Aiming at the characteristic that data structures of different power grid equipment terminals in a power grid intelligent Internet of things system differ from one another, a cloud platform/big data platform is provided to meet the requirement of opening and sharing data storage capacity, so that a multi-type database is provided to support integration and storage of heterogeneous data, such as a time sequence database, a non-relational database, a relational database and the like.
D: and (3) applying a safety layer: and matching a malicious intrusion detection strategy, a service independent operation strategy and a service data storage strategy corresponding to the application security level.
D1: the malicious intrusion detection strategy is to establish an IDS intrusion detection mechanism for the smart Internet of things system of the power grid.
The application layer mainly considers the safety problem when providing external services, and the core of the application layer is to ensure the safety of data. Any compromise to data integrity compromises the security of the platform layer and the application layer. Common data attacks attempt to illegally insert, modify, delete data or control commands in the communication network traffic, misleading the executor to make an erroneous decision. Therefore, sophisticated intrusion detection mechanisms must be established to ensure that the authority and integrity of the data is protected. Intrusion Detection Systems (IDS), which are important for identifying and isolating compromised networks and devices, will help trigger early warning systems to take proactive actions to mitigate impending attacks, which can be implemented through firewalls and antivirus software. And dividing various data and adopting different protective measures.
D2: the business independent operation strategy is based on various application businesses covered by the micro service architecture configuration power grid intelligent internet of things system.
From the perspective of expanding service functions, the novel power internet of things services are fast in iteration, different technical terms and storage modes can be involved among the services, in order to reduce the coupling degree among the services, a micro-service architecture is introduced, and the micro-service has the characteristics of small volume architecture, independent process, light weight communication mechanism, loose coupling and the like. The system is refined into independent and dedicated functional components by taking the business function as a module. For the single micro service, only the service function of a certain responsibility is encapsulated and can be deployed independently, the release rhythm of the system is promoted, the risk lightweight communication mechanism caused to the production environment is reduced, the lightweight communication mechanism is adopted among the micro services, the HTTP/REST interface is used for interaction, the communication mode is not limited by languages and platforms, the sufficient independence is that all the micro services have, the technical stack is not limited, the system is simpler and lighter, the architecture is more flexible, the services are loosely coupled, each application component of the system adopts a relatively independent loose coupling design at the function and data level, and each micro service can be flexibly expanded according to needs.
D3: the service data storage strategy comprises a user information privacy sub-strategy and a service data configuration sub-strategy.
The user information privacy sub-policy is that the unified authority platform manages user information data to ensure the storage privacy of the user information data.
The business data configuration sub-strategy is to encrypt and store the business data by a national secret MD5 encryption algorithm and store the business data by a server-side database and/or an information intranet.
That is, the service application configures data, and only allows the server-side database to store; and prohibiting storage in other areas of the server side and the client side. The database is deployed in an information intranet. Only allowing the server-side database to store non-important service data; the storage in other areas of the server side and the client side is forbidden, and the database is deployed in an information intranet; the important service data is only allowed to be stored in a server database, other areas of the server and client sides are forbidden to be stored, the database is deployed in an information intranet, the data is encrypted and stored by adopting a national secret MD5 encryption algorithm, and desensitization processing is carried out before client archive data is stored.
And S103, performing data security protection on the power Internet of things system by using the target security policies corresponding to the target security levels.
The power grid smart internet of things system in the embodiment of the invention comprises a plurality of target security levels, so that the power grid smart internet of things system can be respectively subjected to security protection according to target security policies corresponding to the plurality of security levels, for example, a data acquisition node interconnection scheme with a tree structure is adopted in a sensing layer, and a credible communication environment is established by combining an identity verification chain of acquisition nodes formed by a Merlde tree, so that the nodes of the internet of things are prevented from being utilized and becoming helpers for attacking other nodes; and the reliability of each node of the sensing layer is improved. A5G slicing technology is adopted in a network layer, and slicing channels meeting physical isolation are provided for power Internet of things services at three sides of an air interface, a transmission side and a core side. The platform layer reduces communication and calculation pressure which can be generated when the platform layer processes information of all super nodes, and resources are saved for calculation and storage. The integration and storage of heterogeneous data are supported by providing a multi-type database. Establishing a perfect intrusion detection mechanism for ensuring data security at an application layer, and taking a resisting action in advance to reduce the impending attack; and a micro-service architecture is introduced to each application service, so that the coupling among services is reduced, and the expandability of service functions is improved. For the specific steps of respectively performing security protection on the smart internet of things system of the power grid according to the target security policies corresponding to the target security levels, reference may be made to the description in step S102, and details of the present invention are not repeated herein.
In order to visually embody the superiority of the data security protection method for the power grid intelligent internet of things system provided by the embodiment of the invention, the embodiment of the invention also provides a data security risk quantitative evaluation method, which comprises the following steps of S1-S3:
step S1: the method is characterized in that a traditional analytic hierarchy process is adopted, a safety architecture hierarchical model of a power grid intelligent internet of things system is taken as a basis, and an index system is established from four aspects of a perception layer, a network layer, a platform layer and an application layer and is shown in table 1.
Table 1: data safety index system of power grid intelligent internet of things system
The analytic hierarchy process is a systematic method which takes a complex multi-target decision problem as a system, decomposes a target into a plurality of targets or criteria, further decomposes the targets into a plurality of layers of multi-index (or criteria, constraint), and calculates the single-layer ordering (weight) and the total ordering of the layers by a qualitative index fuzzy quantization method to be taken as the target (multi-index) and multi-scheme optimization decision. The hierarchical analysis decomposes the whole system into different hierarchies and different indexes, and finally obtains the weight of each hierarchy and each index in the system by comparing the relative importance degrees of each hierarchy and each index. The analytic hierarchy process can decompose the decision problem into different hierarchical structures according to the sequence of a total target, sub targets of each layer, evaluation criteria and specific alternative schemes, then solve and judge the method of the characteristic vector of the matrix to obtain the priority weight of each element of each layer to a certain element of the previous layer, and finally merge the final weight of each alternative scheme to the total target in a hierarchical manner by a weighted summation method, wherein the maximum weight is the optimal scheme.
Step S2: and constructing a judgment matrix.
When determining the weight between the factors of each layer, if only the qualitative result is obtained, the result is not easily accepted by others, so that a consistent matrix method is used, namely all the factors are not put together for comparison, but two factors are compared with each other, and the relative scale is adopted at the moment, so that the difficulty of comparing the factors with different properties with each other is reduced as much as possible, and the accuracy is improved. If a certain criterion is met, comparing every two schemes below the certain criterion, and grading according to the importance degree of the schemes. The importance level is divided into nine grades on a scale of 1-9 as a result of the comparison of the importance of the elements. The matrix formed by the results of the pairwise comparisons is referred to as the decision matrix. According to the layered protection framework system, the obtained judgment matrix and the layered weight value are shown in the following table 2.
Table 2: analytic hierarchy process judgment matrix
| T | Sensing layer | Network layer | Platform layer | Application layer |
| Sensing layer | 1 | 4 | 3 | 3 |
| Network layer | 1/4 | 1 | 1/2 | 1/3 |
| Platform layer | 1/3 | 2 | 1 | 1/2 |
| Application layer | 1/3 | 3 | 2 | 1 |
And step S3: calculating a feature vector and checking consistency.
After the judgment matrix is obtained, the eigenvector corresponding to the maximum eigenvalue of the judgment matrix needs to be calculated, and the hierarchical single sequence is obtained after the eigenvector is normalized, wherein the normalized eigenvector corresponding to the judgment matrix is (0.5080,0.0926,0.1545,0.2449). After the feature vectors are obtained, consistency check needs to be performed on the judgment matrix to check whether the judgment matrix is logical, wherein the consistency check result CI =0.0292, ri =0.90, and cr =0.0324 is constructed by using a bundle of 0.1.
Similarly, the above steps can be repeated at the index layer, and the final calculated total sequence is shown in table 3 below.
Table 3: electric power thing networking safety index system weight
And step S4: a comparison matrix for the target layer is calculated.
Taking the platform layer as an example, scores for two alternatives can be calculated. According to the principle of 1-9 scale, the platform layer comparison matrix is obtained as follows:
| platform layer data integrity | This scheme | Past solutions |
| This scheme | 1 | 2 |
| Past solutions | 1/2 | 1 |
Since the comparison matrix is of second order only, depending on the nature of the comparison matrix
Therefore, the maximum eigenvalue of the matrix must be 2, so the consistency test must pass, and the normalized eigenvector is (2/3,1/3), which is the score vector of the index.
Similarly, score vectors for all the indices can be obtained, and a scoring matrix can be obtained.
And multiplying the obtained weight by the obtained weight to obtain the final score of the scheme and the past scheme. The score of the scheme is 0.634, and the score of the past scheme is 0.366.
According to the final score, the effect of the scheme on the aspects of data safety, data integrity, confidentiality and various types of attack defense is better than that of the conventional scheme.
According to the data safety protection method provided by the invention, the data safety protection aiming at the electric power Internet of things system is divided into a plurality of target safety levels through a system framework based on the electric power Internet of things system; the target security level comprises at least one of a perception security level, a network security level, a platform security level and an application security level; matching corresponding target security policies to the target security levels; and carrying out data security protection on the power Internet of things system by using the target security strategy corresponding to each target security level. According to the invention, malicious attack behaviors such as counterfeit identity and man-in-the-middle attack are effectively inhibited, and DoS attack participated by a large number of malicious Internet of things nodes is avoided; cross-tenant and cross-host network attacks and information leakage are prevented, and data storage safety of the cloud platform is guaranteed; the integrity and the confidentiality of data are guaranteed; data can be prevented from being intercepted and tampered when a user uses the platform, and sensitive information is prevented from being leaked; the method and the system realize the service expansion according to the needs and provide safe data service and safe service for the outside.
Further, as a specific implementation of fig. 1, an embodiment of the present invention further provides a data security protection system, and as shown in fig. 4, the system may include: the security and protection level division module 410, the security and protection strategy matching module 420 and the security and protection plan execution module 430.
The security layer division module 410 may be configured to divide data security protection for the power internet of things system into a plurality of target security layers based on a system architecture of the power internet of things system; the target security level comprises at least one of a perception security level, a network security level, a platform security level and an application security level;
the security policy matching module 420 may be configured to match corresponding target security policies to each target security level;
the security plan executing module 430 may be configured to perform data security protection on the power internet of things system by using a target security policy corresponding to each target security level.
Optionally, the security policy matching module 420 may be further configured to match at least one of a corresponding sensing layer identity authentication policy, a terminal encryption access policy, a terminal anomaly monitoring policy, and an equipment security update policy to the sensing security layer;
the sensing layer identity authentication strategy is to establish a data acquisition terminal identity authentication mechanism based on a Merlde tree structure;
the terminal encryption access strategy is encryption access when the terminal integrated software is strengthened through the PKI-based identity authentication;
the terminal anomaly monitoring strategy is to adopt an artificial intelligence technology to carry out modeling aiming at terminal behavior logic so as to realize automatic analysis and/or strategy matching aiming at terminal instability and randomness;
the device security update strategy is to set a device update reminding mechanism so as to realize the regular update of the device firmware.
Optionally, the security policy matching module 420 may be further configured to deploy, to at least one end node, respective corresponding identity parameters, and calculate, according to the identity parameters, a hash value of each end node as a root hash value of a sub-tree; the terminal nodes comprise sensing nodes and data acquisition nodes; the sensing nodes are various sensors in the power Internet of things system; the data acquisition nodes are all data acquisition terminals in the power Internet of things system;
providing the root hash value to the corresponding super node; the super node is used for prestoring root hash values of subtrees in the jurisdiction area;
deploying respective corresponding identity parameters for at least one super node, calculating the hash value of each super node according to the identity parameters, and providing the hash value for a platform layer of the electric power Internet of things system; the platform layer prestores the hash value of a subtree formed by each super node;
the end node transmits data to the platform layer through the super node and/or the convergence layer node;
the identity parameter comprises at least one of a number, an identification code, an encryption key and a decryption key.
Optionally, the security policy matching module 420 may be further configured to match at least one of the air interface side data security policy, the transmission side data security policy, and the core side data security policy corresponding to the network security level;
the data security policy of the air interface side is to provide slices of the air interface side for each power service in the power Internet of things system through the differentiated configuration and resource scheduling mode of the DRB;
the data security strategy at the transmission side is to set a soft isolation mechanism based on VLAN isolation and a hard isolation mechanism based on the fusion of an SPN scheme and an elastic Ethernet and a TDM technology;
the core side data security strategy is that a virtualization platform constructed by utilizing NFv technology provides a virtual hardware resource pool for the power internet of things system, and various network functions are configured for the power internet of things system.
Optionally, the security policy matching module 420 may be further configured to match the corresponding communication sub-tree to construct at least one of a policy and a data open sharing policy for the platform security level;
the communication sub-tree construction strategy is to establish a tree structure-based general node transmission mechanism;
the data open sharing strategy is to establish a cloud platform and/or a big data platform to support the storage, sharing and/or integration functions of heterogeneous data.
Optionally, the security policy matching module 420 may be further configured to match at least one of a malicious intrusion detection policy, a service independent operation policy, and a service data storage policy corresponding to the application security level;
the malicious intrusion detection strategy is to establish an IDS intrusion detection mechanism for the electric power Internet of things system;
the business independent operation strategy is to configure various application businesses covered by the electric power Internet of things system based on the micro-service architecture.
Optionally, the security policy matching module 420 may be further configured to use the service data storage policy to include at least one of a user information security sub-policy and a service data configuration sub-policy;
the user information confidentiality sub-strategy is that the unified authority platform manages user information data to ensure the storage confidentiality of the user information data;
the business data configuration sub-strategy is to encrypt and store the business data by using a national secret MD5 encryption algorithm, and store the business data by using a server-side database and/or an information intranet.
It should be noted that other corresponding descriptions of the functional modules related to the data security protection system provided in the embodiment of the present invention may refer to the corresponding description of the method shown in fig. 1, and are not described herein again.
Based on the method shown in fig. 1, correspondingly, the embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the data security protection method described in any of the above embodiments.
Based on the above embodiments of the method shown in fig. 1 and the system shown in the figure, an embodiment of the present invention further provides an entity structure diagram of a computer device, as shown in fig. 5, the computer device may include a communication bus, a processor, a memory, and a communication interface, and may further include an input/output interface and a display device, where the functional units may complete communication with each other through the bus. The memory stores computer programs, and the processor is used for executing the programs stored in the memory and executing the steps of the data security protection method described in the above embodiment.
It is clear to those skilled in the art that the specific working processes of the above-described systems, devices, modules and units may refer to the corresponding processes in the foregoing method embodiments, and for the sake of brevity, further description is omitted here.
In addition, the functional units in the embodiments of the present invention may be physically independent of each other, two or more functional units may be integrated together, or all the functional units may be integrated in one processing unit. The integrated functional units may be implemented in the form of hardware, or in the form of software or firmware.
Those of ordinary skill in the art will understand that: the integrated functional units, if implemented in software and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computing device (e.g., a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention when the instructions are executed. And the aforementioned storage medium includes: various media capable of storing program codes, such as a U disk, a removable hard disk, a Read Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
Alternatively, all or part of the steps of implementing the foregoing method embodiments may be implemented by hardware (such as a computing device, e.g., a personal computer, a server, or a network device) associated with program instructions, which may be stored in a computer-readable storage medium, and when the program instructions are executed by a processor of the computing device, the computing device executes all or part of the steps of the method according to the embodiments of the present invention.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments can be modified or some or all of the technical features can be equivalently replaced within the spirit and principle of the present invention; such modifications or substitutions do not depart from the scope of the present invention.
Claims (10)
1. A data safety protection method is applied to an electric power Internet of things system and is characterized by comprising the following steps:
dividing data safety protection aiming at the electric power Internet of things system into a plurality of target safety levels based on a system framework of the electric power Internet of things system; the target security level comprises at least one of a perception security level, a network security level, a platform security level and an application security level;
matching corresponding target security policies to the target security levels;
and carrying out data security protection on the power Internet of things system by using the target security policy corresponding to each target security level.
2. The method of claim 1, wherein the matching of the target security level to each target security level with a corresponding target security policy comprises:
matching at least one of a corresponding sensing layer identity authentication strategy, a terminal encryption access strategy, a terminal abnormity monitoring strategy and an equipment security updating strategy to the sensing security layer;
the sensing layer identity authentication strategy is to establish a data acquisition terminal identity authentication mechanism based on a Merlde tree structure;
the terminal encryption access strategy is encryption access when strengthening terminal integration software through PKI-based identity authentication;
the terminal anomaly monitoring strategy is characterized in that an artificial intelligence technology is adopted to model a terminal behavior logic so as to realize automatic analysis and/or strategy matching aiming at terminal instability and randomness;
the equipment safety updating strategy is to set an equipment updating reminding mechanism so as to realize the regular updating of the equipment firmware.
3. The data security protection method according to claim 2, wherein the establishing of the data acquisition terminal identity verification mechanism based on the Merlde tree structure includes:
deploying respective corresponding identity parameters for at least one terminal node, and calculating the hash value of each terminal node as the root hash value of a subtree according to the identity parameters; the terminal nodes comprise sensing nodes and data acquisition nodes; the sensing nodes are various sensors in the electric power Internet of things system; the data acquisition nodes are all data acquisition terminals in the electric power Internet of things system;
providing the root hash value to a corresponding super node; the super node is used for prestoring root hash values of subtrees in the jurisdiction area;
deploying respective corresponding identity parameters for at least one super node, calculating a hash value of each super node according to the identity parameters, and providing the hash value to a platform layer of the power Internet of things system; the platform layer prestores hash values of subtrees formed by the super nodes;
the terminal node transmits data to a platform layer through the super node and/or the convergence layer node;
wherein, the identity parameter comprises at least one of a number, an identification code, an encryption key and a decryption key.
4. The data security protection method of claim 1, wherein the matching of each of the target security levels to a corresponding target security policy further comprises:
matching at least one of a corresponding air interface side data security policy, a corresponding transmission side data security policy and a corresponding core side data security policy to the network security level;
the air interface side data security policy is a slice of an air interface side provided for each power service in the power Internet of things system through a differentiated configuration and resource scheduling mode of a DRB;
the transmission side data security strategy is a soft isolation mechanism based on VLAN isolation and a hard isolation mechanism based on an SPN scheme and fusing an elastic Ethernet and a TDM technology;
the core side data security strategy is to provide a virtual hardware resource pool for the power Internet of things system by using a virtualization platform constructed by a NFv technology and configure various network functions for the power Internet of things system.
5. The data security protection method of claim 1, wherein the matching of each of the target security levels to a corresponding target security policy further comprises:
at least one of a strategy and a data open sharing strategy is constructed for the communication sub-tree corresponding to the platform security level;
the communication sub-tree construction strategy is to establish a tree structure-based general node transmission mechanism;
the data open sharing strategy is to establish a cloud platform and/or a big data platform to support the storage, sharing and/or integration functions of heterogeneous data.
6. The data security protection method of claim 1, wherein the matching of each of the target security levels to a corresponding target security policy further comprises:
matching at least one of a corresponding malicious intrusion detection strategy, a service independent operation strategy and a service data storage strategy to the application security level;
the malicious intrusion detection strategy is to establish an IDS intrusion detection mechanism for the electric power Internet of things system;
the service independent operation strategy is to configure various application services covered by the power Internet of things system based on a micro-service architecture.
7. The data security protection method according to claim 6, wherein the service data storage policy includes at least one of a user information security sub-policy and a service data configuration sub-policy;
the user information privacy sub-policy is that a unified authority platform manages user information data to ensure the storage privacy of the user information data;
the business data configuration sub-strategy is to encrypt and store the business data by using a national secret MD5 encryption algorithm, and store the business data by using a server-side database and/or an information intranet.
8. A data security protection system is applied to an electric power internet of things system and is characterized by comprising:
the security layer dividing module is used for dividing data security protection aiming at the electric power Internet of things system into a plurality of target security layers based on a system framework of the electric power Internet of things system; the target security level comprises at least one of a perception security level, a network security level, a platform security level and an application security level;
the security policy matching module is used for matching corresponding target security policies to the target security levels;
and the security plan execution module is used for performing data security protection on the power Internet of things system by using the target security strategy corresponding to each target security level.
9. A storage medium having stored thereon a computer program which, when executed by a processor, causes the processor to carry out the steps of the data security method according to any one of claims 1 to 7.
10. A computer arrangement comprising a memory and a processor, the memory having stored thereon a computer program that, when executed by the processor, causes the processor to carry out the steps of the data security method according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211347552.0A CN115913663A (en) | 2022-10-31 | 2022-10-31 | Data security protection method and system, storage medium and computer equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211347552.0A CN115913663A (en) | 2022-10-31 | 2022-10-31 | Data security protection method and system, storage medium and computer equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115913663A true CN115913663A (en) | 2023-04-04 |
Family
ID=86490393
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211347552.0A Pending CN115913663A (en) | 2022-10-31 | 2022-10-31 | Data security protection method and system, storage medium and computer equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115913663A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117478436A (en) * | 2023-12-28 | 2024-01-30 | 深圳博瑞天下科技有限公司 | Fusion enhanced data security protection method and system |
-
2022
- 2022-10-31 CN CN202211347552.0A patent/CN115913663A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117478436A (en) * | 2023-12-28 | 2024-01-30 | 深圳博瑞天下科技有限公司 | Fusion enhanced data security protection method and system |
| CN117478436B (en) * | 2023-12-28 | 2024-03-22 | 深圳博瑞天下科技有限公司 | Fusion enhanced data security protection method and system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Tselios et al. | Enhancing SDN security for IoT-related deployments through blockchain | |
| Yaacoub et al. | Cyber-physical systems security: Limitations, issues and future trends | |
| Yan et al. | Distributed denial of service attacks in software-defined networking with cloud computing | |
| Thabit et al. | Cryptography algorithms for enhancing IoT security | |
| Rauf et al. | Security and privacy for IoT and fog computing paradigm | |
| Humayun | Industry 4.0 and cyber security issues and challenges | |
| CN106464659A (en) | Security in software defined network | |
| Mishra et al. | Software defined internet of things security: properties, state of the art, and future research | |
| Vaigandla et al. | Investigation on intrusion detection systems (IDSs) in IoT | |
| Chakrabarty et al. | Secure smart cities framework using IoT and AI | |
| Di Sarno et al. | A novel security information and event management system for enhancing cyber security in a hydroelectric dam | |
| Amudhavel et al. | A survey on intrusion detection system: State of the art review | |
| CN113645213A (en) | Multi-terminal network management monitoring system based on VPN technology | |
| CN111464563A (en) | Protection method of industrial control network and corresponding device | |
| Oruma et al. | Security threats to 5G networks for social robots in public spaces: a survey | |
| Adebayo et al. | Blockchain Technology: A Panacea for IoT Security Challenge | |
| Anthi | Detecting and defending against cyber attacks in a smart home Internet of Things ecosystem | |
| CN115913663A (en) | Data security protection method and system, storage medium and computer equipment | |
| US10021070B2 (en) | Method and apparatus for federated firewall security | |
| Reddy et al. | Software-defined networking with ddos attacks in cloud computing | |
| Liang et al. | Collaborative intrusion detection as a service in cloud computing environment | |
| Jena et al. | A Pragmatic Analysis of Security Concerns in Cloud, Fog, and Edge Environment | |
| Nazir et al. | Internet of Things Security: Issues, Challenges and Counter-Measures. | |
| Alkaeed et al. | Distributed framework via block-chain smart contracts for smart grid systems against cyber-attacks | |
| Boussard et al. | A process for generating concrete architectures |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |