CN117792611A - Method, device, equipment and medium for processing communication data of railway vehicle on-board network - Google Patents

Publication number: CN117792611A
Application number: CN202311861983.3A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 贾冬晓, 梁建英, 常振臣, 杜杰伟, 刘明明
Current assignee: National High Speed Train Qingdao Technology Innovation Center
Original assignee: National High Speed Train Qingdao Technology Innovation Center
Prior art keywords: data, vehicle, network communication, communication data, security
Landscapes: Electric Propulsion And Braking For Vehicles (AREA)

Abstract

The application discloses a method and device for processing communication data of a railway vehicle on-board network, together with an electronic device and a readable storage medium, for use in the field of railway vehicle on-board networks. Data features are extracted from the on-board network communication data of the railway vehicle and matched against each data security level feature of a security grading feature library to determine the security level of the communication data; based on the mapping between each data security level and a data encryption mode in the security grading feature library, the encryption mode matched to the communication data is invoked to encrypt it; and based on the mapping between each data security level and a storage medium security level, the encrypted communication data is stored in the corresponding storage area. The method and device address the problem that the related art cannot ensure that the on-board network communication data of a railway vehicle is not leaked, and effectively improve the security of that data.

Description

Method, device, equipment and medium for processing communication data of railway vehicle on-board network
Technical Field
The present disclosure relates to the field of vehicle-mounted networks of rail vehicles, and in particular, to a method and apparatus for processing communication data of a vehicle-mounted network of a rail vehicle, an electronic device, and a readable storage medium.
Background
The railway vehicle on-board network system performs control, monitoring, fault diagnosis and data transmission for the whole railway vehicle and connects all of its subsystems into an organic whole, so that the train can operate safely and reliably. While the railway vehicle is running, the on-board network system generates a large amount of communication data. This data is a confidential data asset of the railway vehicle, and its leakage would create a serious information security risk.
At present, the on-board network communication data of the railway vehicle is merely collected, and protective equipment such as firewalls and security audit devices is added to the transmission equipment of the on-board network to prevent its leakage. However, such protective equipment cannot effectively prevent the communication data from being leaked, so the security of the on-board network communication data cannot be effectively ensured.
In view of this, improving the security of the on-board network communication data of a rail vehicle is a technical problem that those skilled in the art need to solve.
Disclosure of Invention
The application provides a method, a device, electronic equipment and a readable storage medium for processing vehicle-mounted network communication data of a railway vehicle, which can effectively improve the safety of the vehicle-mounted network communication data of the railway vehicle.
In order to solve the technical problems, the application provides the following technical scheme:
in one aspect, the present application provides a method for processing vehicle-mounted network communication data of a rail vehicle, including:
dividing a storage medium in advance into a plurality of storage areas having security levels, the storage medium using multi-chain blockchain technology to store and manage the data stored in each storage area;
establishing in advance a security grading feature library comprising data security level features of a plurality of levels, establishing an encryption mapping relation between each data security level and a data encryption mode, and establishing a storage mapping relation between each data security level and a storage medium security level;
acquiring to-be-processed vehicle-mounted network communication data of a target railway vehicle, and extracting target data characteristics of the to-be-processed vehicle-mounted network communication data;
matching the target data characteristics with the data security level characteristics of the security level characteristic library, and determining a target security level corresponding to the vehicle-mounted network communication data to be processed;
Based on the encryption mapping relation, invoking an encryption mode matched with the vehicle-mounted network communication data to be processed to carry out encryption processing;
and storing the encrypted vehicle-mounted network communication data to be processed into a corresponding storage area based on the storage mapping relation.
Illustratively, the pre-establishing a security hierarchical feature library including a plurality of levels of data security hierarchical features includes:
according to the corresponding industry characteristics and service scenes of the railway vehicle, dividing the railway vehicle-mounted network communication data into control class instruction data, monitoring class data, detection class data, fault diagnosis class data, public environment class data and intermediate process class data;
extracting a plurality of historical control instruction data of the railway vehicle to obtain control instruction characteristics as fourth data security level characteristics;
the extracted data characteristics of a plurality of historical monitoring class data, a plurality of historical detection class data and a plurality of historical fault diagnosis class data of the railway vehicle are formed into monitoring characteristics to serve as third data security level characteristics;
extracting a plurality of historical public environment data of the rail vehicle to obtain public environment characteristics as second data security level characteristics;
Extracting a plurality of historical intermediate process data of the railway vehicle to obtain intermediate process characteristics serving as first data security level characteristics;
constructing a security grading feature library according to the fourth data security grade feature, the third data security grade feature, the second data security grade feature and the first data security grade feature;
and the fourth data security level characteristic, the third data security level characteristic, the second data security level characteristic and the data security level corresponding to the first data security level characteristic are gradually reduced.
Exemplarily, the acquiring of the on-board network communication data to be processed of the target railway vehicle includes:
collecting a communication controller instruction, a switch instruction, a repeater instruction, a man-machine interaction interface instruction, a brake control unit instruction, a traction control unit instruction, a vehicle door controller instruction, a smoke alarm instruction, a vehicle-mounted wireless transmission device instruction, a safety monitoring host instruction and a passenger information system instruction of a target railway vehicle so as to form equipment communication instruction data;
and acquiring the equipment communication instruction data to serve as the vehicle-mounted network communication data to be processed.
Exemplarily, the matching of the target data features with each data security level feature of the security grading feature library and the determining of the target security level corresponding to the on-board network communication data to be processed include:
pre-constructing a data tag comprising a data category attribute and a data security level attribute, and setting a tag mapping relation between the data security level attribute and the data tag security level;
matching the target data characteristics with the data security level characteristics of the security hierarchical characteristic library, determining the data category and the data security level corresponding to the vehicle-mounted network communication data to be processed, and storing the data category and the data security level to the corresponding positions of the data tags;
and acquiring the data tag security level corresponding to the to-be-processed vehicle-mounted network communication data according to the tag mapping relation, and taking the data tag security level as a target data security level.
The encryption mapping relation is an encryption policy matched to the different data tag security levels, and invoking an encryption mode matched to the on-board network communication data to be processed to encrypt it based on the encryption mapping relation includes:
if the data tag security level corresponding to the on-board network communication data to be processed is a first-level tag, encrypting the data with a first type of encryption algorithm;
if the data tag security level corresponding to the on-board network communication data to be processed is a second-level tag, encrypting the data with a second type of encryption algorithm;
if the data tag security level corresponding to the on-board network communication data to be processed is a third-level tag, encrypting the data with a third type of encryption algorithm;
if the data tag security level corresponding to the on-board network communication data to be processed is a fourth-level tag, encrypting the data with a fourth type of encryption algorithm;
the data security levels corresponding to the fourth-level, third-level, second-level and first-level tags decrease step by step, and the encryption strength of the fourth, third, second and first types of encryption algorithm decreases step by step.
The storage mapping relation sets a corresponding storage area for each data tag security level, and storing the encrypted on-board network communication data to be processed in the corresponding storage area based on the storage mapping relation includes:
if the data tag security level corresponding to the on-board network communication data to be processed is a first-level tag, storing the encrypted data in a first storage area of the storage medium;
if the data tag security level corresponding to the on-board network communication data to be processed is a second-level tag, storing the encrypted data in a second storage area of the storage medium;
if the data tag security level corresponding to the on-board network communication data to be processed is a third-level tag, storing the encrypted data in a third storage area of the storage medium;
if the data tag security level corresponding to the on-board network communication data to be processed is a fourth-level tag, storing the encrypted data in a fourth storage area of the storage medium;
the data security levels corresponding to the fourth-level, third-level, second-level and first-level tags decrease step by step, and the security levels of the fourth, third, second and first storage areas decrease step by step.
Exemplarily, after storing the encrypted on-board network communication data to be processed in the corresponding storage area based on the storage mapping relation, the method further includes:
when a data processing request is received, performing identity authentication on the user corresponding to the data processing request;
if the user is authorized, executing the data processing request according to the data operation authority and the data category access authority corresponding to the user;
if the user is not authorized, backing up the data stored in the different storage areas of the storage medium according to a matched backup mode and re-encrypting it according to a corresponding secondary encryption mode.
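The three steps above describe a two-dimensional authorisation check (data operation authority and data category access authority) followed by a response when a request is refused. As an added example, not taken from the patent, the following Go code implements that check as a default-deny decision with an audit trail, and models the refusal path as a backup counter and key-version bump on every storage area. The HMAC-based tokens, the principals, the area names and the representation of "back up and re-encrypt" as counters are assumptions of this example; the re-encryption itself is left to the storage layer.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Principal carries the two authorities the text separates: the data operations the user may
// perform and the data categories the user may access. A request must pass both.
type Principal struct {
	Ops        map[string]bool
	Categories map[string]bool
}

// Request is a data processing request against stored, tagged records.
type Request struct {
	User, Token, Op, Category string
}

// Area is an in-memory stand-in for one storage area of the medium: its current key version and
// how many backups have been taken. The storage layer acts on these; this code only triggers them.
type Area struct {
	Name       string
	KeyVersion int
	Backups    int
}

// Guard is the access-control front end. Tokens are constructed as keyed HMACs over the user name,
// standing in for whatever authentication a deployment actually uses (assumption).
type Guard struct {
	key        []byte
	principals map[string]Principal
	Areas      []*Area
	Audit      []string
}

func (g *Guard) Token(user string) string {
	m := hmac.New(sha256.New, g.key)
	m.Write([]byte(user))
	return hex.EncodeToString(m.Sum(nil))
}

// Decide authenticates, then checks operation authority, then category authority. Every refusal is
// audited and runs the text's response path over all storage areas. Unknown users fail closed.
func (g *Guard) Decide(r Request) bool {
	p, known := g.principals[r.User]
	reason := ""
	switch {
	case !known || !hmac.Equal([]byte(r.Token), []byte(g.Token(r.User))):
		reason = "authentication"
	case !p.Ops[r.Op]:
		reason = "operation authority"
	case !p.Categories[r.Category]:
		reason = "category access authority"
	default:
		g.Audit = append(g.Audit, fmt.Sprintf("ALLOW %s %s %s", r.User, r.Op, r.Category))
		return true
	}
	g.Audit = append(g.Audit, fmt.Sprintf("DENY %s %s %s: %s", r.User, r.Op, r.Category, reason))
	g.Respond()
	return false
}

// Respond is the unauthorized-request path: back up each storage area with its matched backup
// mode, then re-encrypt under the corresponding secondary mode, modelled here as a key version
// bump that the storage layer re-wraps the area's records under.
func (g *Guard) Respond() {
	for _, a := range g.Areas {
		a.Backups++
		a.KeyVersion++
	}
}

// NewGuard builds a constructed deployment: a maintainer who may read monitoring data and an
// operator who may read and export control and monitoring data.
func NewGuard() *Guard {
	return &Guard{
		key: []byte("constructed-demo-key-rotate-me"),
		principals: map[string]Principal{
			"maintainer": {Ops: set("read"), Categories: set("monitoring")},
			"operator":   {Ops: set("read", "export"), Categories: set("control", "monitoring")},
		},
		Areas: []*Area{{Name: "area4"}, {Name: "area3"}, {Name: "area2"}, {Name: "area1"}},
	}
}

func set(xs ...string) map[string]bool {
	m := map[string]bool{}
	for _, x := range xs {
		m[x] = true
	}
	return m
}

func main() {
	g := NewGuard()
	g.Decide(Request{"maintainer", g.Token("maintainer"), "read", "monitoring"}) // allowed
	g.Decide(Request{"maintainer", g.Token("maintainer"), "read", "control"})    // category denied
	g.Decide(Request{"operator", "deadbeef", "export", "control"})               // bad token
	for _, line := range g.Audit {
		fmt.Println(line)
	}
	fmt.Printf("area4 key version %d after %d backups\n", g.Areas[0].KeyVersion, g.Areas[0].Backups)
}
```

Note that the text triggers the backup-and-re-encrypt path on every refused request. In this form a single mistyped credential forces a re-encryption of every storage area, which is an easy way for an unauthenticated party to exhaust the system; a deployment would rate-limit or threshold the trigger while keeping the audit entry unconditional.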
Another aspect of the present application provides a rail vehicle on-board network communication data processing device, including:
the pre-deployment module, used to divide the storage medium in advance into a plurality of storage areas having security levels, to establish in advance a security grading feature library comprising data security level features of a plurality of levels, to establish an encryption mapping relation between each data security level and a data encryption mode, and to establish a storage mapping relation between each data security level and a storage medium security level;
the data acquisition module is used for acquiring the to-be-processed vehicle-mounted network communication data of the target railway vehicle;
The feature extraction module is used for extracting target data features of the vehicle-mounted network communication data to be processed;
the grade determining module is used for matching the target data characteristics with the data security grade characteristics of the security grading characteristic library and determining the target security grade corresponding to the vehicle-mounted network communication data to be processed;
the encryption processing module is used for calling an encryption mode matched with the vehicle-mounted network communication data to be processed to carry out encryption processing based on the encryption mapping relation;
and the data storage module is used for storing the encrypted vehicle-mounted network communication data to be processed into the corresponding storage area based on the storage mapping relation.
The application also provides an electronic device comprising a processor for implementing the steps of the method for processing rail vehicle on-board network communication data according to any one of the preceding claims when executing a computer program stored in a memory.
Finally, the present application also provides a readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method for processing rail vehicle on-board network communication data according to any one of the preceding claims.
The advantage of the technical solution provided by the application is that the on-board network data of the railway vehicle is processed by grade and a security grading feature library of the on-board network communication data is built. For the communication data currently to be processed, the corresponding security level is identified first, and communication data of different security levels is encrypted with different security encryption strategies, which effectively ensures data security. In addition, the storage medium is divided into different security areas, so that communication data of different security levels is stored in different security areas after encryption, which further ensures the security of the stored data. The storage medium stores and manages the communication data with multi-chain blockchain technology, so the data is stored in a decentralised manner across the distributed nodes of a blockchain, each participating node holding a complete copy of the data. This gives redundant backup and fault tolerance, ensures to the greatest extent that the on-board network communication data of the railway vehicle is not leaked, and effectively improves its security.
In addition, the application also provides a corresponding implementation device, electronic equipment and a readable storage medium for the railway vehicle on-board network communication data processing method, so that the method is more practical, and the device, the electronic equipment and the readable storage medium have corresponding advantages.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
For a clearer description of the technical solutions of the present application or of the related art, the drawings that are required to be used in the description of the embodiments or of the related art will be briefly described, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person of ordinary skill in the art.
Fig. 1 is a schematic flow chart of a method for processing vehicle-mounted network communication data of a railway vehicle;
FIG. 2 is a schematic diagram of a data tag of an exemplary application scenario provided herein;
FIG. 3 is a schematic diagram of the correspondence between the storage areas of the readable storage medium and the security level of the data tag according to an exemplary application scenario provided in the present application;
Fig. 4 is a flow chart of another method for processing vehicle-mounted network communication data of a rail vehicle provided by the present application;
FIG. 5 is a block diagram of one embodiment of a device for processing communication data of a rail vehicle network;
fig. 6 is a block diagram of an embodiment of an electronic device provided in the present application.
Detailed Description
To give a better understanding of the present application, it is described in further detail below with reference to the drawings and specific embodiments. The terms "first", "second", "third", "fourth" and the like in the description, the claims and the drawings are used to distinguish different objects and do not describe a particular order. The terms "comprise" and "have", and any variants of them, are intended to cover a non-exclusive inclusion. The term "exemplary" means "serving as an example, embodiment or illustration"; any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
Various non-limiting embodiments of the present application are described in detail below. Numerous specific details are set forth in the following detailed description in order to provide a better understanding of the present application. It will be understood by those skilled in the art that the present application may be practiced without these specific details. In other instances, well-known methods, procedures, components, and circuits have not been described in detail so as not to obscure the present application.
Referring to fig. 1 first, fig. 1 is a flow chart of a method for processing vehicle-mounted network communication data of a rail vehicle, which may include the following contents:
s101: the storage medium is divided into a plurality of security-level storage areas in advance.
In this embodiment, the storage medium uses multi-chain blockchain technology to store and manage the data of each storage area, so that the data is stored in a decentralised manner and its security and reliability are ensured. On this basis, the storage medium is divided into several types of storage area according to security level; the number of storage areas of each type can be chosen according to the volume of data at the corresponding security level, and the application places no limit on it. Storage areas of different security levels offer different protection: the higher the security level, the stronger the protection of the corresponding storage area. The number of storage medium security levels can equal the number of data security levels in the security grading feature library, or exceed it, which leaves room for later expansion and gives more flexibility.
S102: the method comprises the steps of pre-establishing a security grading feature library comprising a plurality of grades of data security grade features, establishing encryption mapping relation between each data security grade and a data encryption mode, and establishing mapping storage mapping relation between each data security grade and a storage medium security grade.
The security grading feature library contains several types of data security level feature, each corresponding to one data security level and generated by extracting features from all data belonging to that level. To balance the security of the on-board network communication data against the cost and complexity of processing it, encryption modes of different strength are set for the different data security levels, and each datum is encrypted with the method appropriate to its level. To simplify later encryption, a corresponding encryption mode can be assigned to each data security level in advance through a mapping, so that the encryption mode to be used for the current communication data can be determined by looking up the encryption mapping relation. The encryption strength of the mapped mode increases with the data security level, so that communication data of the highest data security level receives the strongest encryption.
Similarly, communication data of different data security levels is stored in storage areas of different security levels. To simplify later storage, a storage area of the corresponding security level can be assigned to each data security level in advance through a mapping, so that the storage area for the current communication data can be determined by looking up the storage mapping relation. The security level of the mapped storage area increases with the data security level, so that communication data of the highest data security level is stored in the storage area of the highest security level.
S103: and acquiring the to-be-processed vehicle-mounted network communication data of the target railway vehicle, and extracting target data characteristics of the to-be-processed vehicle-mounted network communication data.
The target railway vehicle is the railway vehicle whose on-board network communication data is currently to be processed, and the on-board network communication data to be processed is the data that needs to be stored securely. Once the data to be processed has been obtained, any feature extraction method can be used to extract its data features; in this step these are called the target data features. For example, device communication instruction data may be collected, such as CCU (Communication Control Unit) instructions, switch instructions, repeater instructions, HMI (Human Machine Interface) instructions, brake control unit instructions, traction control unit instructions, door controller instructions, smoke and fire alarm instructions, WTD (Wireless Transmission Device) instructions, safety monitoring host instructions and PIS (Passenger Information System) instructions. This device communication instruction data is taken as the on-board network communication data to be processed, and feature vectors of the device communication instruction data are extracted as the target data features.
S104: Matching the target data features with the data security level features of the security grading feature library, and determining the target security level corresponding to the on-board network communication data to be processed.
Based on the extracted target data features in the previous step, performing feature matching with a railway vehicle-mounted network communication data security classification feature library so as to determine the data security level of the vehicle-mounted network communication data to be processed corresponding to the target data features, wherein the step is defined as the target data security level.
S105: and calling an encryption mode matched with the vehicle-mounted network communication data to be processed to carry out encryption processing based on the encryption mapping relation.
Once the data security level of the on-board network communication data to be processed has been determined in the previous step, the encryption mode to apply is determined from the encryption mapping relation between data security levels and data encryption modes established in S102, and the data is encrypted so that it cannot be read during storage and transmission. Encryption means include, but are not limited to, hardware encryption and software encryption, for example symmetric and asymmetric encryption algorithms; the application places no limit on them.
S106: and storing the encrypted vehicle-mounted network communication data to be processed into a corresponding storage area based on the storage mapping relation.
Once the data security level of the on-board network communication data to be processed has been determined in the previous step, the storage area in which the data is to be stored is determined from the storage mapping relation between each data security level and the storage medium security levels established in S102. Furthermore, when storing the data to be processed, a tiering method can be used to divide the data according to its access frequency and importance and to store it on storage media of different tiers within the same storage area, which manages the data effectively and improves both access efficiency and storage security. For example, hot data (high access frequency and high importance) can be stored on a high-speed medium (such as memory or a solid state disk) in the current storage area, data of moderate access frequency and ordinary importance, such as temperature data, on a magnetic disk in the current storage area, and cold data (low access frequency and low importance) on magnetic tape or cloud storage in the current storage area. Encryption of different strength can also be applied again according to the importance of the data, further ensuring the security of the on-board network communication data to be processed.
In the technical solution provided by the application, the on-board network data of the railway vehicle is processed by grade, and a security grading feature library of the on-board network communication data is built. For the communication data currently to be processed, the corresponding security level is identified first, and communication data of different security levels is encrypted with different security encryption strategies, which effectively ensures data security. In addition, the storage medium is divided into different security areas, so that communication data of different security levels is stored in different security areas after encryption, which further ensures the security of the stored data. The storage medium stores and manages the communication data with multi-chain blockchain technology, so the data is stored in a decentralised manner across the distributed nodes of a blockchain, each participating node holding a complete copy of the data. This gives redundant backup and fault tolerance, ensures to the greatest extent that the on-board network communication data of the railway vehicle is not leaked, and effectively improves its security.
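The procedure S101 to S106 above (and the claim-style summary of it in the Disclosure of Invention) stops at the two mapping relations. As an added example, not the patent's code, the following Go program runs that pipeline end to end on a few constructed instruction records: a keyword feature library standing in for the security grading feature library, a data tag with category and level, a per-level encryption mapping, and a per-level storage mapping. The library contents, the keyword matching, the in-memory map that stands in for the multi-chain blockchain medium, and the choice of AES-GCM (the patent names no algorithm) are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// Level is a data security level (the patent's example: SIL1 lowest to SIL4 highest); Tag is the
// patent's data tag with its data category attribute and data security level attribute.
type Level int
type Tag struct {
	Category string
	Level    Level
}

// featureLibrary stands in for the security grading feature library: per class, its level and the
// features extracted from historical records of that class. These keyword features are constructed.
var featureLibrary = map[string]struct {
	Level    Level
	Features []string
}{
	"control":      {4, []string{"tcu", "bcu", "traction", "brake", "door", "cmd"}},
	"monitoring":   {3, []string{"alarm", "fault", "diag", "smoke", "sensor"}},
	"public":       {2, []string{"pis", "hvac", "lighting", "station"}},
	"intermediate": {1, []string{"heartbeat", "ack", "seq", "retry"}},
}

// policies holds both mapping relations per level: the key size of the encryption mode and the
// storage area. The patent names no algorithms; this example keeps authenticated encryption
// (AES-GCM) at every tier and varies only key length, since a weaker cipher for "low" tiers would
// drop integrity protection, not just cost.
var policies = map[Level]struct {
	KeyBits int
	Area    string
}{4: {256, "area4"}, 3: {256, "area3"}, 2: {128, "area2"}, 1: {128, "area1"}}

// Classify tokenises a record and matches it against the library. Most feature hits wins; a tie
// goes to the higher level and an unmatched record gets the top level, so ambiguity never
// down-classifies data (a fail-secure choice added here, not stated in the patent).
func Classify(record string) Tag {
	best, bestHits := Tag{"unknown", 4}, 0
	for name, e := range featureLibrary {
		hits := 0
		for _, tok := range strings.Fields(strings.ToLower(record)) {
			for _, f := range e.Features {
				if strings.Contains(tok, f) {
					hits++
					break
				}
			}
		}
		if hits > bestHits || (hits > 0 && hits == bestHits && e.Level > best.Level) {
			best, bestHits = Tag{name, e.Level}, hits
		}
	}
	return best
}

// aead builds the cipher mapped to the tag's level and enforces the mapped key size.
func aead(t Tag, key []byte) (cipher.AEAD, error) {
	p, ok := policies[t.Level]
	if !ok || len(key)*8 != p.KeyBits {
		return nil, fmt.Errorf("level %d needs a %d-bit key", t.Level, p.KeyBits)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds category and level to the ciphertext so a stored record cannot be quietly re-tagged.
func aad(t Tag) []byte { return []byte(fmt.Sprintf("%s:%d", t.Category, t.Level)) }

// Encrypt applies the mapped encryption mode; output is nonce || ciphertext || GCM tag.
func Encrypt(t Tag, key, plaintext []byte) ([]byte, error) {
	c, err := aead(t, key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, c.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.Seal(nonce, nonce, plaintext, aad(t)), nil
}

// Decrypt reverses Encrypt and fails on any change to nonce, ciphertext or the bound tag.
func Decrypt(t Tag, key, sealed []byte) ([]byte, error) {
	c, err := aead(t, key)
	if err != nil {
		return nil, err
	}
	if n := c.NonceSize(); len(sealed) >= n {
		return c.Open(nil, sealed[:n], sealed[n:], aad(t))
	}
	return nil, fmt.Errorf("sealed record too short")
}

// storage stands in for the patent's multi-chain blockchain medium: one slice per storage area.
var storage = map[string][][]byte{}

// Process runs one record through S103 to S106: classify, encrypt per mapping, store per mapping.
func Process(record string, keys map[Level][]byte) (Tag, string, error) {
	t := Classify(record)
	sealed, err := Encrypt(t, keys[t.Level], []byte(record))
	if err != nil {
		return t, "", err
	}
	area := policies[t.Level].Area
	storage[area] = append(storage[area], sealed)
	return t, area, nil
}

// NewKeys draws one random key of the mapped size per level. Key management is outside the
// patent's scope; a deployment would hold these in an HSM or KMS rather than process memory.
func NewKeys() map[Level][]byte {
	keys := map[Level][]byte{}
	for lvl, p := range policies {
		keys[lvl] = make([]byte, p.KeyBits/8)
		if _, err := rand.Read(keys[lvl]); err != nil {
			panic(err)
		}
	}
	return keys
}

func main() {
	keys := NewKeys()
	// Constructed sample records, not captured train traffic.
	for _, rec := range []string{"BCU cmd apply brake 30%", "smoke alarm car3 sensor=0x1f",
		"PIS next station Qingdao", "heartbeat seq=4412 ack", "vendor-specific payload"} {
		t, area, err := Process(rec, keys)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-30s -> %-12s level %d -> %s\n", rec, t.Category, t.Level, area)
	}
}
```

Two choices here go beyond the text and are worth carrying into a real deployment. First, the category and level are bound to the ciphertext as associated data, so a record moved or re-tagged into a lower tier fails authentication instead of decrypting under a weaker policy. Second, the tiers differ in key length and storage area but not in cipher family: the page's "weaker algorithm for lower tiers" is a cost trade-off, and the cheapest safe way to realise it is a shorter key, not an unauthenticated mode.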
In the above embodiment, how to execute step S102 is not limited, and one construction method of the security hierarchical feature library provided in this embodiment may include the following:
according to the corresponding industry characteristics and service scenes of the railway vehicle, dividing the railway vehicle-mounted network communication data into control class instruction data, monitoring class data, detection class data, fault diagnosis class data, public environment class data and intermediate process class data;
extracting a plurality of historical control instruction data of the railway vehicle to obtain control instruction characteristics as fourth data security level characteristics;
forming the data characteristics extracted from a plurality of historical monitoring class data, a plurality of historical detection class data and a plurality of historical fault diagnosis class data of the railway vehicle into monitoring characteristics serving as third data security level characteristics;
extracting a plurality of historical public environment data of the rail vehicle to obtain public environment characteristics as second data security level characteristics;
extracting a plurality of historical intermediate process data of the railway vehicle to obtain intermediate process characteristics serving as first data security level characteristics;
and constructing a security grading feature library according to the fourth data security grade feature, the third data security grade feature, the second data security grade feature and the first data security grade feature.
In this embodiment, the in-vehicle network communication data may include: traction data, braking data, fault alarm data, detection data, fire protection data, lighting data, PIS data, IO (input/output) acquisition data, air conditioning data, door control data, train-ground wireless communication data and the like. According to the industrial characteristics and service scenes of the railway vehicles, the vehicle-mounted communication data are divided into control type data, monitoring type data, detection type data, fault diagnosis type data, public environment type data and intermediate process type data. The data security level may be divided into 4 levels, i.e., SIL1, SIL2, SIL3 and SIL4. SIL4 is the highest and SIL1 the lowest; accordingly, the fourth data security level feature corresponds to SIL4, the third to SIL3, the second to SIL2 and the first to SIL1, so that the data security levels corresponding to the fourth, third, second and first data security level features decrease in that order. According to the industry characteristics and service scenes of the railway vehicles, combined with the division of the data security levels, the security classification of the vehicle-mounted network communication data can be shown as in table 1:
Table 1 data security level and in-vehicle network communication data category correspondence table
As can be seen from the above, the present embodiment classifies and classifies the communication data according to the industry characteristics and service scenarios of the rail vehicle, and all the data do not need to be transmitted and stored in the same way, which is beneficial to improving the safety of the vehicle-mounted network communication data of the rail vehicle.
Further, in order to improve the feature matching efficiency and reduce the feature matching complexity, based on the above embodiment, the present application further provides an implementation manner for determining the target security level corresponding to the vehicle-mounted network communication data to be processed, which may include the following contents:
pre-constructing a data tag comprising a data category attribute and a data security level attribute, and setting a tag mapping relation between the data security level attribute and the data tag security level;
matching the target data characteristics with the data security level characteristics of the security level characteristic library, determining the data category and the data security level corresponding to the vehicle-mounted network communication data to be processed, and storing the data category and the data security level to the corresponding positions of the data tags;
and acquiring the data tag security level corresponding to the communication data of the vehicle-mounted network to be processed according to the tag mapping relation, and taking the data tag security level as the target data security level.
In this embodiment, as shown in fig. 2, the data tag determines information such as a data type and a data security level of the communication data according to a matching result of the vehicle-mounted network communication data to be processed and the security classification feature library, and records the information in the data tag. Correspondingly, when the encryption mapping relation is constructed, the S101 sets matched encryption strategies for different data tag security levels, and when the storage mapping relation is constructed, the S101 sets corresponding storage areas for different data tag security levels.
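The construction of the security grading feature library and the matching that fills in the data tag, as an added Python example that is not part of the patent. The historical feature vectors are constructed, the per-category centroid and the cosine-similarity nearest-centroid match are the example's own choice (the page does not specify how the features are extracted or matched), and the 0.9 similarity threshold and the fail-closed rule for unmatched data are assumptions:

```python
import math
from dataclasses import dataclass

# Data category -> data security level (SIL1..SIL4) as the page assigns them:
# control instructions = 4; monitoring, detection and fault diagnosis = 3;
# public environment = 2; intermediate process = 1.
CATEGORY_LEVEL = {
    "control_instruction": 4,
    "monitoring": 3,
    "detection": 3,
    "fault_diagnosis": 3,
    "public_environment": 2,
    "intermediate_process": 1,
}

# Constructed historical feature vectors (hypothetical, normalised 0..1 features such as
# message rate, payload size, safety-criticality, originating-device class). Not real train data.
HISTORICAL = {
    "control_instruction": [(0.9, 0.1, 1.0, 0.9), (0.8, 0.2, 1.0, 1.0)],
    "monitoring": [(0.5, 0.5, 0.6, 0.5), (0.6, 0.4, 0.5, 0.6)],
    "detection": [(0.3, 0.6, 0.5, 0.4), (0.4, 0.7, 0.4, 0.5)],
    "fault_diagnosis": [(0.2, 0.8, 0.7, 0.3), (0.1, 0.9, 0.8, 0.2)],
    "public_environment": [(0.6, 0.3, 0.1, 0.1), (0.7, 0.2, 0.0, 0.2)],
    "intermediate_process": [(0.1, 0.2, 0.0, 0.0), (0.2, 0.1, 0.0, 0.1)],
}


def build_feature_library(historical):
    """Security grading feature library: one centroid per category (step S101)."""
    library = {}
    for category, vectors in historical.items():
        dims = len(vectors[0])
        library[category] = tuple(
            sum(v[i] for v in vectors) / len(vectors) for i in range(dims)
        )
    return library


def cosine(a, b):
    """Cosine similarity; a zero vector matches nothing."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0


@dataclass(frozen=True)
class DataTag:
    """Data tag: category attribute plus security level attribute (fig. 2 of the page)."""
    category: str
    security_level: int
    similarity: float


def classify(features, library, min_similarity=0.9):
    """Match a feature vector against the library and fill in the data tag."""
    best_category, best_similarity = None, -1.0
    for category, centroid in library.items():
        s = cosine(features, centroid)
        if s > best_similarity:
            best_category, best_similarity = category, s
    if best_similarity < min_similarity:
        # Fail closed (assumed design choice): data the library cannot place is
        # tagged at the highest level so it is never under-protected.
        return DataTag("unmatched", max(CATEGORY_LEVEL.values()), best_similarity)
    return DataTag(best_category, CATEGORY_LEVEL[best_category], best_similarity)


LIBRARY = build_feature_library(HISTORICAL)

if __name__ == "__main__":
    for sample in [(0.9, 0.1, 1.0, 0.9), (0.15, 0.15, 0.0, 0.05), (0.0, 0.0, 0.0, 1.0)]:
        print(sample, classify(sample, LIBRARY))
```

The threshold matters for security: without it, any frame, including one the library has never seen, is forced into the nearest category and may land at too low a level, so unmatched data is tagged at level 4 and left for review rather than being stored under a weaker policy.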
In this embodiment, the process of invoking the encryption method matched with the vehicle-mounted network communication data to be processed to perform encryption processing based on the encryption mapping relationship may include:
if the security level of the data tag corresponding to the vehicle-mounted network communication data to be processed is a primary tag, encrypting the vehicle-mounted network communication data to be processed by adopting a first type encryption algorithm;
if the security level of the data tag corresponding to the vehicle-mounted network communication data to be processed is a secondary tag, encrypting the vehicle-mounted network communication data to be processed by adopting a second type encryption algorithm;
if the security level of the data tag corresponding to the vehicle-mounted network communication data to be processed is three-level tag, encrypting the vehicle-mounted network communication data to be processed by adopting a third type encryption algorithm;
If the security level of the data tag corresponding to the vehicle-mounted network communication data to be processed is a four-level tag, encrypting the vehicle-mounted network communication data to be processed by adopting a fourth type encryption algorithm;
The data tag categories are divided into primary, secondary, tertiary and quaternary tags (also referred to as one-level to four-level tags), of which the four-level tag is the highest and the one-level tag the lowest. That is, the data security levels corresponding to the four-level tag, the three-level tag, the two-level tag and the one-level tag decrease in that order; the correspondence between data tags of different levels and data security levels is shown in table 2:
table 2 correspondence between data tags and data security levels
Data label          Data security level
Four-level label    L4
Three-level label   L3
Two-level label     L2
One-level label     L1
In this embodiment, the encryption policies corresponding to different data tags are different, and as shown in table 3, the encryption policies may include a primary encryption policy, a secondary encryption policy, a tertiary encryption policy and a quaternary encryption policy, of which the fourth-level policy is the highest and the first-level policy the lowest. The primary encryption strategy encrypts communication data with a reference-level encryption algorithm, namely the first type encryption algorithm; the second-level encryption strategy encrypts communication data with a standard-level encryption algorithm, namely the second type encryption algorithm; the third-level encryption strategy encrypts communication data with a higher-level encryption algorithm, namely the third type encryption algorithm; the fourth-level encryption strategy encrypts communication data with an ultra-high-level encryption algorithm, namely the fourth type encryption algorithm. The encryption levels corresponding to the fourth type, third type, second type and first type encryption algorithms decrease in that order. The encryption mode can comprise hardware encryption, software encryption, cloud storage encryption and compressed storage encryption; encryption converts the data into unreadable ciphertext, so that unauthorized access and data leakage are prevented. Hardware encryption includes, but is not limited to, hard disk drives (HDDs) and solid state disks (SSDs) with built-in hardware encryption functions, which use a dedicated encryption chip to encrypt and decrypt the data stored on them. Software encryption includes, but is not limited to, encrypting data using a software tool and storing the encrypted data on a medium. Software encryption applies to various storage media such as hard disk drives, USB flash drives and the like.
The choice of encryption algorithm and key management are key to the security of software encryption. Cloud storage encryption includes, but is not limited to, a user of a cloud storage service choosing to encrypt the data uploaded to the cloud: the data is encrypted locally and the encrypted data is then uploaded to the cloud storage service. Compressed storage encryption includes, but is not limited to, encrypting data using compressed storage techniques and tools: when data is compressed and stored, it is chosen to be encrypted as well, so as to increase the security of storage.
Table 3 correspondence of data tags and encryption policy level
Data label          Encryption policy level
Four-level label    Four-level encryption policy
Three-level label   Three-level encryption policy
Two-level label     Two-level encryption policy
One-level label     One-level encryption policy
In this embodiment, the process of storing the encrypted vehicle-mounted network communication data to be processed into the corresponding storage area based on the storage mapping relationship may include:
if the security level of the data tag corresponding to the vehicle-mounted network communication data to be processed is a primary tag, storing the encrypted vehicle-mounted network communication data to be processed into a first storage area of a storage medium;
if the security level of the data tag corresponding to the vehicle-mounted network communication data to be processed is a secondary tag, storing the encrypted vehicle-mounted network communication data to be processed into a second storage area of the storage medium;
if the security level of the data tag corresponding to the vehicle-mounted network communication data to be processed is a three-level tag, storing the encrypted vehicle-mounted network communication data to be processed into a third storage area of a storage medium;
and if the security level of the data tag corresponding to the vehicle-mounted network communication data to be processed is a four-level tag, storing the encrypted vehicle-mounted network communication data to be processed into a fourth storage area of the storage medium.
In this embodiment, the storage medium is divided into security areas of different levels. As shown in table 4, the data tag may be a fourth-level tag, a third-level tag, a second-level tag or a first-level tag, and the security levels of the data corresponding to the fourth-level, third-level, second-level and first-level tags decrease in that order. As shown in fig. 3, the data tags correspond to the storage areas of the storage medium such that the security levels of the fourth storage area S4, the third storage area S3, the second storage area S2 and the first storage area S1 decrease in that order.
Table 4 correspondence between different storage areas of the storage medium and data security levels
Storage medium    Data security level
S4 region         L4
S3 region         L3
S2 region         L2
S1 region         L1
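The routing of a tagged record to its encryption policy (table 3) and storage area (table 4), together with the hot/warm/cold layering inside an area described earlier, as an added Python example that is not part of the patent. The page names no concrete ciphers, so the policy entries carry only the page's level names; the assignment of hardware or software encryption to each level and the 0.3/0.7 tiering thresholds are assumptions. The example also adds a consistency check the page does not describe: a mapping in which a higher tag does not get a higher policy and a higher-ranked area is rejected before any data is placed:

```python
from dataclasses import dataclass
from enum import IntEnum


class TagLevel(IntEnum):
    """Data tag security level; L4 is the highest (table 2)."""
    L1 = 1
    L2 = 2
    L3 = 3
    L4 = 4


@dataclass(frozen=True)
class EncryptionPolicy:
    level: int       # encryption policy level, 4 = highest (table 3)
    algorithm: str   # the page's "first type" .. "fourth type"; no concrete cipher is named
    mode: str        # hardware / software / cloud storage / compressed storage; assignment assumed


ENCRYPTION_MAPPING = {
    TagLevel.L1: EncryptionPolicy(1, "first type (reference level)", "software"),
    TagLevel.L2: EncryptionPolicy(2, "second type (standard level)", "software"),
    TagLevel.L3: EncryptionPolicy(3, "third type (higher level)", "hardware"),
    TagLevel.L4: EncryptionPolicy(4, "fourth type (ultra-high level)", "hardware"),
}

STORAGE_MAPPING = {TagLevel.L1: "S1", TagLevel.L2: "S2", TagLevel.L3: "S3", TagLevel.L4: "S4"}

# Security rank of each storage area; S4 is the highest (table 4).
AREA_RANK = {"S1": 1, "S2": 2, "S3": 3, "S4": 4}


def validate_mappings(enc_map, sto_map):
    """Return a list of problems; an empty list means both mappings are complete and monotone."""
    problems = []
    for lvl in TagLevel:
        if lvl not in enc_map:
            problems.append(f"no encryption policy for {lvl.name}")
        if sto_map.get(lvl) not in AREA_RANK:
            problems.append(f"no storage area for {lvl.name}")
    if problems:
        return problems
    levels = list(TagLevel)
    for lo, hi in zip(levels[:-1], levels[1:]):
        if not enc_map[lo].level < enc_map[hi].level:
            problems.append(f"encryption policy does not increase from {lo.name} to {hi.name}")
        if not AREA_RANK[sto_map[lo]] < AREA_RANK[sto_map[hi]]:
            problems.append(f"storage area rank does not increase from {lo.name} to {hi.name}")
    return problems


def storage_tier(access_frequency, importance):
    """Layer inside one storage area; the 0..1 thresholds are assumed values."""
    if access_frequency >= 0.7 and importance >= 0.7:
        return "hot"    # memory or solid state disk
    if access_frequency < 0.3 and importance < 0.3:
        return "cold"   # magnetic tape or cloud storage
    return "warm"       # magnetic disk


@dataclass(frozen=True)
class Placement:
    policy: EncryptionPolicy
    area: str
    tier: str


def place(tag_level, access_frequency, importance,
          enc_map=ENCRYPTION_MAPPING, sto_map=STORAGE_MAPPING):
    """Pick the encryption policy, storage area and layer for one tagged record."""
    problems = validate_mappings(enc_map, sto_map)
    if problems:
        raise ValueError("; ".join(problems))
    return Placement(enc_map[tag_level], sto_map[tag_level],
                     storage_tier(access_frequency, importance))


if __name__ == "__main__":
    print(place(TagLevel.L4, 0.9, 0.9))
    print(place(TagLevel.L2, 0.5, 0.4))
```

Running the consistency check on every call is deliberate: the mappings are configuration, and a single wrong entry (level-4 control instructions routed to S1, for instance) would silently downgrade the most sensitive data, so the code refuses to place anything until the tables are monotone.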
As can be seen from the foregoing, in this embodiment, the encryption security processing of the communication data is performed according to the tag security level of the communication data, and the security area to be stored is rapidly located through the mapping relationship between the data tag security level and the storage medium security level, which is beneficial to improving the processing efficiency of the communication data of the vehicle-mounted network of the rail vehicle.
Furthermore, in order to improve the security of the communication data of the vehicle-mounted network of the railway vehicle, the authority and the identity verification mechanism can be set to limit that only authorized personnel can access or operate different types of sensitive data, and the method can comprise the following steps:
When a data processing request is received, carrying out identity authentication on a user corresponding to the data processing request;
if the user is authorized, executing a data processing request according to the data operation authority and the data category access authority corresponding to the user;
if the user is not authorized, the data stored in the different storage areas of the storage medium is backed up according to the matched backup mode, and at the same time encryption processing is carried out again according to the corresponding matched secondary encryption mode.
The data processing request comprises a data access request or a data operation request, wherein the data access request is used for accessing the rail vehicle on-board network communication data stored in the storage medium, and the data operation request is used for operating the rail vehicle on-board network communication data stored in the storage medium, including but not limited to modification, deletion and addition. According to different users, different data operation authorities are given, and the safety performance of the communication data of the vehicle-mounted network of the railway vehicle is further ensured. In addition, the data types of the vehicle-mounted network communication data of the railway vehicle are many, the corresponding data security levels are different, different data type access rights can be set for different users, namely, the content of the vehicle-mounted network communication data of the railway vehicle which can be read by different users is different. For each user sending the data operation request, whether the user is an authorized user or not can be verified according to the identification information or the identity information of the user, and the specific data operation authority and the data category access authority of the user are realized through modes of user account management, role control, access log and the like. Where authentication may ensure that the identity of a user or entity is trusted and that data is only accessible after authentication. This is typically done by means of a user name and password, biometric identification, smart card, etc. Authorization refers to determining the operations a user or entity can perform and the range of data that can be accessed. This is determined after the user has passed authentication, based on his role, permission level or other constraints.
Further, in order to improve the security of the processing of the rail vehicle on-board network communication data stored in the storage medium, whenever an unauthorized user is detected performing data access or data operation, the data stored in the current storage medium may be backed up, so as to prevent an intruding user from deleting or modifying data; the backup may be stored on an offline device, a cloud storage service or a secure server. Data backup modes include, but are not limited to, external storage device backup, network backup, periodic backup, cold backup and hot backup. External storage device backup: the data backup is created by copying the data to an external storage device, such as a removable hard disk, removable storage media or a network attached storage device. This provides an offline backup and prevents failures related to hosts or networks from making the data unavailable. Network backup: the data is backed up to a remote location or cloud storage service over a network connection. Network backup provides convenient remote access and backup management and can restore data in the event of a local failure. It may include both incremental backup, which only backs up data changed since the last full backup, and differential backup, which backs up blocks of data changed since the last full backup. These backup methods may reduce the storage space and time required for backup. Periodic backup: the backup is created according to a predetermined schedule, such as daily, weekly or monthly. Periodic backups ensure that historical versions of the data are available for recovery, to cope with data corruption, mistaken deletion or problems that go undiscovered for a long time. Cold and hot backup: a cold backup is performed while the system is inactive, whereas a hot backup is performed while the system is operating normally.
As can be seen from the above, the embodiment sets different data operation rights and data category access rights for different users, so that the security of the vehicle-mounted network communication data of the railway vehicle can be further improved. When detecting that the unauthorized user access exists, the vehicle-mounted network data storage backup can copy the data to another storage medium or a position, so that after illegal intrusion actions occur, the original data can be recovered when the original data is lost, damaged or unavailable, and the data is protected from factors such as accidental deletion, hardware faults, catastrophic events or malicious attacks.
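The identity authentication, the per-user data operation authority and data category access authority, and the backup triggered by an unauthorized request, as an added Python example that is not part of the patent. The users, passwords and storage contents are constructed; password verification with PBKDF2-HMAC-SHA256 and a constant-time comparison, and the choice to treat both a failed login and a missing permission as "unauthorized", are the example's own assumptions. The re-encryption with a secondary mode that the page also calls for is not shown:

```python
import copy
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Data operation authority: "read" is the data access request, the others are data operation requests.
OPERATIONS = frozenset({"read", "modify", "delete", "add"})


@dataclass(frozen=True)
class User:
    name: str
    salt: bytes
    pwd_hash: bytes
    operations: frozenset   # data operation authority
    categories: frozenset   # data category access authority


def hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; the iteration count is an assumed value, not from the page.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(name, password, operations, categories):
    salt = secrets.token_bytes(16)
    return User(name, salt, hash_password(password, salt),
                frozenset(operations), frozenset(categories))


def authenticate(users, name, password):
    """Identity authentication by user name and password (one of the page's listed means)."""
    user = users.get(name)
    if user is None:
        return False
    return hmac.compare_digest(hash_password(password, user.salt), user.pwd_hash)


@dataclass
class Storage:
    areas: dict                              # {"S4": {(category, key): ciphertext}, ...}
    backups: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def backup_all(self, reason):
        # Snapshot of every storage area, taken before an intruder can delete or modify anything.
        self.backups.append(copy.deepcopy(self.areas))
        self.audit.append(("backup", reason))


def handle_request(store, users, name, password, op, area, category, key, value=None):
    """Return (status, payload). A failed authentication or a missing permission is an
    unauthorized request and triggers a backup of all storage areas."""
    if op not in OPERATIONS or area not in store.areas:
        return ("invalid", None)
    if not authenticate(users, name, password):
        store.backup_all(f"failed authentication for {name!r}")
        return ("denied", None)
    user = users[name]
    if op not in user.operations or category not in user.categories:
        store.backup_all(f"{name!r} lacks {op} on {category}")
        return ("denied", None)
    bucket = store.areas[area]
    if op == "read":
        return ("ok", bucket.get((category, key)))
    if op == "delete":
        bucket.pop((category, key), None)
    else:                                    # add or modify
        bucket[(category, key)] = value
    store.audit.append((op, name, area, category, key))   # access log
    return ("ok", None)


def build_demo():
    """Constructed users and storage content; the values stand in for ciphertext."""
    store = Storage({"S4": {("control_instruction", "brake_cmd_1"): "ct-0001"},
                     "S2": {("public_environment", "cabin_temp_1"): "ct-0002"}})
    users = {
        "maint": register("maint", "m-pass", {"read"}, {"control_instruction", "monitoring"}),
        "ops": register("ops", "o-pass", OPERATIONS, {"public_environment"}),
    }
    return store, users


if __name__ == "__main__":
    store, users = build_demo()
    print(handle_request(store, users, "maint", "m-pass", "read", "S4", "control_instruction", "brake_cmd_1"))
    print(handle_request(store, users, "ops", "o-pass", "delete", "S4", "control_instruction", "brake_cmd_1"))
    print(len(store.backups), store.audit)
```

Authentication and authorization are checked separately, as the page distinguishes them: a valid account that asks for an operation or a data category outside its grant is still refused, the refusal is recorded, and the snapshot taken at that moment is what a later recovery would restore from.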
Finally, in order to make the technical solutions of the present application more clear to those skilled in the art, the present embodiment further provides an exemplary implementation, please refer to fig. 4, which may include the following:
Step 1: establish a railway vehicle on-board network communication data security grading feature library.
Step 2: after the vehicle-mounted network communication data are collected, extract the communication data feature vector.
Step 3: carry out feature matching between the communication data feature vector and the railway vehicle-mounted network communication data security grading feature library.
Step 4: determine the security level attribute of the communication data according to the feature matching result, and carry out tag identification.
Step 5: acquire the security level of the communication data based on the data tag, according to the security level attribute and a preset tag security level rule.
Step 6: preset the encryption strategies for the different data tag security levels, and carry out the encryption security processing of the communication data according to the tag security level of the communication data.
Step 7: divide the storage medium of the communication data into security areas of different levels.
Step 8: establish a mapping relation between the security level of the data tag and the security level of the storage medium.
Step 9: store the encrypted communication data in the corresponding safety area according to the mapping relation of step 8 and the data tag safety level, so as to construct the classification hierarchy of the vehicle-mounted network communication data.
Therefore, the safety of the vehicle-mounted network communication data can be effectively improved.
It should be noted that, in the present application, the steps may be performed simultaneously or may be performed in a certain preset order as long as the steps conform to the logic order, and fig. 1 and fig. 4 are only schematic, and do not represent only such an execution order.
The application also provides a corresponding device for the railway vehicle on-board network communication data processing method, so that the method is more practical. Wherein the device may be described separately from the functional module and the hardware. In the following description, a rail vehicle on-board network communication data processing apparatus provided by the present application is described, which is configured to implement the rail vehicle on-board network communication data processing method provided by the present application, in this embodiment, the rail vehicle on-board network communication data processing apparatus may include or be divided into one or more program modules, where the one or more program modules are stored in a storage medium and executed by one or more processors, to complete the rail vehicle on-board network communication data processing method disclosed in the first embodiment. Program modules in the present application refer to a series of computer program instruction segments capable of performing a specific function, which are more suitable than the program itself for describing the execution of the on-board network communication data processing device of a rail vehicle in a storage medium. The following description will specifically describe functions of each program module of the present embodiment, and a rail vehicle on-vehicle network communication data processing apparatus described below and a rail vehicle on-vehicle network communication data processing method described above may be referred to correspondingly to each other.
Based on the angle of the functional modules, referring to fig. 5, fig. 5 is a block diagram of an on-board network communication data processing device for a rail vehicle provided in the present application under a specific embodiment, where the device may include:
a pre-deployment module 501, configured to divide a storage medium into a plurality of storage areas with security levels in advance, to establish in advance a security grading feature library comprising a plurality of levels of data security grade features, to establish an encryption mapping relation between each data security grade and a data encryption mode, and to establish a storage mapping relation between each data security grade and a storage medium security grade;
the data acquisition module 502 is configured to acquire to-be-processed vehicle-mounted network communication data of a target rail vehicle;
a feature extraction module 503, configured to extract a target data feature of the vehicle-mounted network communication data to be processed;
the level determining module 504 is configured to match the target data feature with each data security level feature of the security level feature library, and determine a target security level corresponding to the vehicle-mounted network communication data to be processed;
the encryption processing module 505 is configured to invoke an encryption mode matched with the vehicle-mounted network communication data to be processed to perform encryption processing based on the encryption mapping relationship;
The data storage module 506 is configured to store the encrypted vehicle-mounted network communication data to be processed in the corresponding storage area based on the storage mapping relationship.
Optionally, in some implementations of this embodiment, the pre-deployment module 501 may be further configured to:
according to the corresponding industry characteristics and service scenes of the railway vehicle, dividing the railway vehicle-mounted network communication data into control class instruction data, monitoring class data, detection class data, fault diagnosis class data, public environment class data and intermediate process class data;
extracting a plurality of historical control instruction data of the railway vehicle to obtain control instruction characteristics as fourth data security level characteristics;
the extracted data characteristics of a plurality of historical monitoring class data, a plurality of historical detection class data and a plurality of historical fault diagnosis class data of the railway vehicle are formed into monitoring characteristics to serve as third data security level characteristics;
extracting a plurality of historical public environment data of the rail vehicle to obtain public environment characteristics as second data security level characteristics;
extracting a plurality of historical intermediate process data of the railway vehicle to obtain intermediate process characteristics serving as first data security level characteristics;
Constructing a security grading feature library according to the fourth data security grade feature, the third data security grade feature, the second data security grade feature and the first data security grade feature;
wherein the data security levels corresponding to the fourth, third, second and first data security level characteristics decrease in that order.
As an exemplary implementation of the foregoing embodiment, the foregoing data acquisition module 502 may be further configured to:
collecting a communication controller instruction, a switch instruction, a repeater instruction, a man-machine interaction interface instruction, a brake control unit instruction, a traction control unit instruction, a vehicle door controller instruction, a smoke alarm instruction, a vehicle-mounted wireless transmission device instruction, a safety monitoring host instruction and a passenger information system instruction of a target railway vehicle so as to form equipment communication instruction data;
and acquiring equipment communication instruction data to serve as vehicle-mounted network communication data to be processed.
Optionally, in other implementations of this embodiment, the level determining module 504 may be further configured to:
pre-constructing a data tag comprising a data category attribute and a data security level attribute, and setting a tag mapping relation between the data security level attribute and the data tag security level;
Matching the target data characteristics with the data security level characteristics of the security level characteristic library, determining the data category and the data security level corresponding to the vehicle-mounted network communication data to be processed, and storing the data category and the data security level to the corresponding positions of the data tags;
and acquiring the data tag security level corresponding to the communication data of the vehicle-mounted network to be processed according to the tag mapping relation, and taking the data tag security level as the target data security level.
As an exemplary implementation of the foregoing embodiment, the foregoing encryption processing module 505 may further be configured to:
setting matched encryption strategies for different data tag security levels according to the encryption mapping relation, and encrypting the vehicle-mounted network communication data to be processed by adopting a first type encryption algorithm if the data tag security level corresponding to the vehicle-mounted network communication data to be processed is a first-level tag;
if the security level of the data tag corresponding to the vehicle-mounted network communication data to be processed is a secondary tag, encrypting the vehicle-mounted network communication data to be processed by adopting a second type encryption algorithm;
if the security level of the data tag corresponding to the vehicle-mounted network communication data to be processed is three-level tag, encrypting the vehicle-mounted network communication data to be processed by adopting a third type encryption algorithm;
If the security level of the data tag corresponding to the vehicle-mounted network communication data to be processed is a four-level tag, encrypting the vehicle-mounted network communication data to be processed by adopting a fourth type encryption algorithm;
the data security levels corresponding to the four-level tag, the three-level tag, the two-level tag and the one-level tag are reduced step by step; the encryption levels corresponding to the fourth type encryption algorithm, the third type encryption algorithm, the second type encryption algorithm and the first type encryption algorithm are gradually reduced.
As an exemplary implementation of the above embodiment, the data storage module 506 may be further configured to:
setting corresponding storage areas for different data tag security levels according to the storage mapping relation, and storing the encrypted to-be-processed vehicle-mounted network communication data into the first storage area of the storage medium if the data tag security level corresponding to the to-be-processed vehicle-mounted network communication data is a primary tag;
if the security level of the data tag corresponding to the vehicle-mounted network communication data to be processed is a secondary tag, storing the encrypted vehicle-mounted network communication data to be processed into a second storage area of the storage medium;
if the security level of the data tag corresponding to the vehicle-mounted network communication data to be processed is a three-level tag, storing the encrypted vehicle-mounted network communication data to be processed into a third storage area of a storage medium;
If the security level of the data tag corresponding to the vehicle-mounted network communication data to be processed is a four-level tag, storing the encrypted vehicle-mounted network communication data to be processed into a fourth storage area of the storage medium;
the data security levels corresponding to the four-level tag, the three-level tag, the two-level tag and the one-level tag are reduced step by step; the security levels corresponding to the fourth storage area, the third storage area, the second storage area and the first storage area are gradually reduced.
Optionally, in other implementations of this embodiment, the apparatus may further include a post-processing module, where the post-processing module is configured to:
when a data processing request is received, carrying out identity authentication on a user corresponding to the data processing request;
if the user is authorized, executing a data processing request according to the data operation authority and the data category access authority corresponding to the user;
if the user is not authorized, the data stored in the different storage areas of the storage medium is backed up according to the matched backup mode, and at the same time encryption processing is carried out again according to the corresponding matched secondary encryption mode.
The functions of each functional module of the on-board network communication data processing device for the rail vehicle can be specifically implemented according to the method in the above method embodiment, and the specific implementation process of the functional module can refer to the related description of the above method embodiment, which is not repeated here.
Therefore, the safety of the vehicle-mounted network communication data can be effectively improved.
The above-mentioned on-board network communication data processing device of the rail vehicle is described from the perspective of functional modules; further, the application also provides an electronic device, which is described from the perspective of hardware. Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application in one implementation manner. As shown in fig. 6, the electronic device comprises a memory 60 for storing a computer program, and a processor 61 for implementing the steps of the method for processing rail vehicle on-board network communication data as mentioned in any of the embodiments above when executing the computer program.
Processor 61 may include one or more processing cores, such as a 4-core processor or an 8-core processor, and processor 61 may also be a controller, microcontroller, microprocessor, or other data processing chip. The processor 61 may be implemented in at least one hardware form of DSP (Digital Signal Processing), FPGA (Field-Programmable Gate Array) or PLA (Programmable Logic Array). The processor 61 may also include a main processor, which is a processor for processing data in the awake state, also called a CPU (Central Processing Unit), and a coprocessor, which is a low-power processor for processing data in the standby state. In some embodiments, the processor 61 may be integrated with a GPU (Graphics Processing Unit) responsible for rendering and drawing the content that the display screen is required to display. In some embodiments, the processor 61 may also include an AI (Artificial Intelligence) processor for processing computing operations related to machine learning.
Memory 60 may include one or more computer-readable storage media, which may be non-transitory. Memory 60 may also include high-speed random access memory as well as non-volatile memory, such as one or more magnetic disk storage devices or flash memory storage devices. In some embodiments the memory 60 may be an internal storage unit of the electronic device, such as a hard disk of a server; in other embodiments it may be an external storage device of the electronic device, such as a plug-in hard disk provided on a server, a Smart Media Card (SMC), a Secure Digital (SD) card, a Flash Card or the like. Further, the memory 60 may include both internal storage units and external storage devices of the electronic device. The memory 60 may be used to store not only the application software installed in the electronic device but also various types of data, such as the code of the program that executes the rail vehicle on-board network communication data processing method, and may also be used to temporarily store data that has been output or is to be output. In this embodiment, the memory 60 is at least used for storing a computer program 601 which, when loaded and executed by the processor 61, implements the relevant steps of the method for processing on-board network communication data of a rail vehicle disclosed in any of the foregoing embodiments. In addition, the resources stored in the memory 60 may further include an operating system 602, data 603, and the like, where the storage manner may be transient or permanent. The operating system 602 may be Windows, Unix, Linux or the like. The data 603 may include, but is not limited to, the data corresponding to the processing result of the on-board network communication data of the railway vehicle.
In some embodiments, the electronic device may further include a display 62, an input/output interface 63, a communication interface 64 (also referred to as a network interface), a power supply 65, and a communication bus 66. The display 62 and the input/output interface 63 (for example a keyboard) belong to the user interface, which may optionally also include standard wired interfaces, wireless interfaces, and the like. Alternatively, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch display, or the like. The display may also be referred to as a display screen or display unit and is used for displaying information processed in the electronic device and for presenting a visual user interface. The communication interface 64 may optionally include a wired interface and/or a wireless interface, such as a WI-FI interface or a Bluetooth interface, and is typically used to establish a communication connection between the electronic device and other electronic devices. The communication bus 66 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration, only one thick line is shown in fig. 6, but this does not mean that there is only one bus or only one type of bus.
Those skilled in the art will appreciate that the configuration shown in fig. 6 is not limiting of the electronic device and may include more or fewer components than shown, for example, may also include a sensor 67 that performs various functions.
The functions of each functional module of the electronic device described in the present application may be specifically implemented according to the method in the foregoing method embodiment, and the specific implementation process may refer to the relevant description of the foregoing method embodiment, which is not repeated herein.
Therefore, the safety of the vehicle-mounted network communication data can be effectively improved.
It will be appreciated that if the rail vehicle on-board network communication data processing method in the above embodiments is implemented in the form of a software functional unit and sold or used as a stand-alone product, it may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, or the part contributing to the related art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium that performs all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes: a U disk (USB flash drive), a removable hard disk, a read-only memory (ROM), a random access memory (RAM), an electrically erasable programmable ROM, registers, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory), a magnetic memory, a removable disk, a CD-ROM, a magnetic disk, an optical disk, or any other medium that can store program code.
Based on this, the application further provides a readable storage medium storing a computer program which, when executed by a processor, performs the steps of the method for processing on-board network communication data of a rail vehicle according to any one of the embodiments above.
In this specification, each embodiment is described in a progressive manner; each embodiment focuses on what differs from the other embodiments, and the same or similar parts among the embodiments may be referred to one another. Because the device and the electronic equipment disclosed in the embodiments correspond to the method disclosed in the embodiments, their description is relatively brief, and the relevant points may be found in the description of the method.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The method, the device, the electronic equipment and the readable storage medium for processing the vehicle-mounted network communication data of the railway vehicle are provided in the application. Specific examples are set forth herein to illustrate the principles and embodiments of the present application, and the description of the examples above is only intended to assist in understanding the methods of the present application and their core ideas. It should be noted that, based on the embodiments in this application, all other embodiments that can be obtained without inventive labor by those skilled in the art are within the scope of protection of this application. The present application may be subject to numerous improvements and modifications without departing from the principles of the present application, and such improvements and modifications are intended to fall within the scope of the claims of the present application.

Claims (10)

1. A method for processing communication data of a vehicular network of a railway vehicle, comprising:
dividing a storage medium into a plurality of storage areas with security levels in advance; the storage medium uses a multi-chain block chain technology to store and manage the storage data of each storage area;
a security grading feature library comprising a plurality of levels of data security grade features is established in advance, an encryption mapping relation is established between each data security grade and a data encryption mode, and a storage mapping relation is established between each data security grade and a storage medium security grade;
acquiring to-be-processed vehicle-mounted network communication data of a target railway vehicle, and extracting target data characteristics of the to-be-processed vehicle-mounted network communication data;
matching the target data characteristics with the data security level characteristics of the security level characteristic library, and determining a target security level corresponding to the vehicle-mounted network communication data to be processed;
based on the encryption mapping relation, invoking an encryption mode matched with the vehicle-mounted network communication data to be processed to carry out encryption processing;
and storing the encrypted vehicle-mounted network communication data to be processed into a corresponding storage area based on the storage mapping relation.
2. The method for processing on-board network communication data of a railway vehicle according to claim 1, wherein the pre-establishing a security hierarchical feature library including a plurality of levels of data security hierarchical features comprises:
according to the corresponding industry characteristics and service scenes of the railway vehicle, dividing the railway vehicle-mounted network communication data into control class instruction data, monitoring class data, detection class data, fault diagnosis class data, public environment class data and intermediate process class data;
extracting a plurality of historical control instruction data of the railway vehicle to obtain control instruction characteristics as fourth data security level characteristics;
forming the data characteristics extracted from a plurality of historical monitoring class data, a plurality of historical detection class data and a plurality of historical fault diagnosis class data of the railway vehicle into monitoring characteristics to serve as third data security level characteristics;
extracting a plurality of historical public environment data of the rail vehicle to obtain public environment characteristics as second data security level characteristics;
extracting a plurality of historical intermediate process data of the railway vehicle to obtain intermediate process characteristics serving as first data security level characteristics;
constructing a security grading feature library according to the fourth data security grade feature, the third data security grade feature, the second data security grade feature and the first data security grade feature;
and the fourth data security level characteristic, the third data security level characteristic, the second data security level characteristic and the data security level corresponding to the first data security level characteristic are gradually reduced.
3. The method for processing on-board network communication data of a rail vehicle according to claim 2, wherein the acquiring the on-board network communication data to be processed of the target rail vehicle includes:
collecting a communication controller instruction, a switch instruction, a repeater instruction, a man-machine interaction interface instruction, a brake control unit instruction, a traction control unit instruction, a vehicle door controller instruction, a smoke alarm instruction, a vehicle-mounted wireless transmission device instruction, a safety monitoring host instruction and a passenger information system instruction of a target railway vehicle so as to form equipment communication instruction data;
and acquiring the equipment communication instruction data to serve as the vehicle-mounted network communication data to be processed.
4. The method for processing the on-board network communication data of the rail vehicle according to claim 1, wherein the matching the target data feature with each data security level feature of the security level feature library, and determining the target security level corresponding to the on-board network communication data to be processed, comprises:
pre-constructing a data tag comprising a data category attribute and a data security level attribute, and setting a tag mapping relation between the data security level attribute and the data tag security level;
matching the target data characteristics with the data security level characteristics of the security hierarchical characteristic library, determining the data category and the data security level corresponding to the vehicle-mounted network communication data to be processed, and storing the data category and the data security level to the corresponding positions of the data tags;
and acquiring the data tag security level corresponding to the to-be-processed vehicle-mounted network communication data according to the tag mapping relation, and taking the data tag security level as the target data security level.
5. The method for processing vehicle-mounted network communication data of a railway vehicle according to claim 4, wherein the encryption mapping relation sets matched encryption policies for different data tag security levels, and the step of calling an encryption mode matched with the vehicle-mounted network communication data to be processed to perform encryption processing based on the encryption mapping relation comprises the following steps:
if the security level of the data tag corresponding to the vehicle-mounted network communication data to be processed is a primary tag, encrypting the vehicle-mounted network communication data to be processed by adopting a first type encryption algorithm;
if the security level of the data tag corresponding to the vehicle-mounted network communication data to be processed is a secondary tag, encrypting the vehicle-mounted network communication data to be processed by adopting a second type encryption algorithm;
if the security level of the data tag corresponding to the vehicle-mounted network communication data to be processed is a three-level tag, encrypting the vehicle-mounted network communication data to be processed by adopting a third type encryption algorithm;
if the security level of the data tag corresponding to the vehicle-mounted network communication data to be processed is a four-level tag, encrypting the vehicle-mounted network communication data to be processed by adopting a fourth type encryption algorithm;
The data security levels corresponding to the four-level tag, the three-level tag, the two-level tag and the one-level tag are reduced step by step; and the encryption levels corresponding to the fourth type encryption algorithm, the third type encryption algorithm, the second type encryption algorithm and the first type encryption algorithm are gradually reduced.
6. The method for processing vehicle-mounted network communication data of a rail vehicle according to claim 4, wherein the storing the mapping relation sets corresponding storage areas for different data tag security levels, and the storing the encrypted vehicle-mounted network communication data to be processed in the corresponding storage areas based on the storing mapping relation includes:
if the security level of the data tag corresponding to the vehicle-mounted network communication data to be processed is a primary tag, storing the encrypted vehicle-mounted network communication data to be processed into a first storage area of the storage medium;
if the security level of the data tag corresponding to the vehicle-mounted network communication data to be processed is a secondary tag, storing the encrypted vehicle-mounted network communication data to be processed into a second storage area of the storage medium;
if the security level of the data tag corresponding to the vehicle-mounted network communication data to be processed is a three-level tag, storing the encrypted vehicle-mounted network communication data to be processed into a third storage area of the storage medium;
if the security level of the data tag corresponding to the vehicle-mounted network communication data to be processed is a four-level tag, storing the encrypted vehicle-mounted network communication data to be processed into a fourth storage area of the storage medium;
the data security levels corresponding to the four-level tag, the three-level tag, the two-level tag and the one-level tag are reduced step by step; and the security levels corresponding to the fourth storage area, the third storage area, the second storage area and the first storage area are reduced step by step.
7. The method for processing on-board network communication data of a rail vehicle according to any one of claims 1 to 6, wherein after storing the encrypted on-board network communication data to be processed in the corresponding storage area based on the storage mapping relation, the method further comprises:
when a data processing request is received, carrying out identity authentication on a user corresponding to the data processing request;
if the user is authorized, executing the data processing request according to the data operation authority and the data category access authority corresponding to the user;
if the user is not authorized, the storage data of the different storage areas of the storage medium are stored and backed up according to a matched backup mode, and encryption processing is carried out again according to a correspondingly matched secondary encryption mode.
8. A rail vehicle on-board network communication data processing apparatus, comprising:
the pre-deployment module is used for dividing the storage medium into a plurality of storage areas with security levels in advance; a security grading feature library comprising a plurality of levels of data security grade features is established in advance, an encryption mapping relation is established between each data security grade and a data encryption mode, and a storage mapping relation is established between each data security grade and a storage medium security grade;
the data acquisition module is used for acquiring the to-be-processed vehicle-mounted network communication data of the target railway vehicle;
the feature extraction module is used for extracting target data features of the vehicle-mounted network communication data to be processed;
the grade determining module is used for matching the target data characteristics with the data security grade characteristics of the security grading characteristic library and determining the target security grade corresponding to the vehicle-mounted network communication data to be processed;
the encryption processing module is used for calling an encryption mode matched with the vehicle-mounted network communication data to be processed to carry out encryption processing based on the encryption mapping relation;
and the data storage module is used for storing the encrypted vehicle-mounted network communication data to be processed into the corresponding storage area based on the storage mapping relation.
9. An electronic device comprising a processor and a memory, the processor being configured to implement the steps of the method for processing rail vehicle on-board network communication data according to any one of claims 1 to 7 when executing a computer program stored in the memory.
10. A readable storage medium, characterized in that it has stored thereon a computer program which, when executed by a processor, implements the steps of the method for processing on-board network communication data for rail vehicles according to any one of claims 1 to 7.
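The following Go program is an added worked example of the pipeline described by claims 1 and 4 to 7 and by the post-processing module of the device embodiment; it is not code from the patent or from its applicant. It assumes a keyword-based feature library (the patent derives its features from historical data), an AES-GCM key-size mapping for the four encryption modes (the patent does not name the algorithms), a map of storage areas indexed by level, and a user permission model with an operation set and a category set; all of these are the example's own choices. The security-relevant detail it adds is that the data tag (category and level) is bound into the ciphertext as associated data, so a record that is re-labelled to a lower level or refiled into another storage area no longer decrypts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Level is a data security level; 4 (control-class instructions) is the highest.
type Level int

// featureEntry is one row of the security-grading feature library. The keyword
// features are constructed for this example (the patent derives real ones from
// historical data); rows run from most to least sensitive so a multi-match wins high.
type featureEntry struct {
	Category string
	Level    Level
	Keywords []string
}

var featureLibrary = []featureEntry{
	{"control", 4, []string{"brake", "traction", "door"}},
	{"monitoring", 3, []string{"temperature", "vibration", "fault", "smoke"}},
	{"public_env", 2, []string{"weather", "station", "timetable"}},
	{"intermediate", 1, []string{"intermediate", "tmp"}},
}

// Classify grades a record by its field names; unmatched data fails closed to level 4.
func Classify(fields []string) (string, Level) {
	joined := strings.ToLower(strings.Join(fields, " "))
	for _, e := range featureLibrary {
		for _, kw := range e.Keywords {
			if strings.Contains(joined, kw) {
				return e.Category, e.Level
			}
		}
	}
	return "unclassified", 4
}

type Sealed struct { // an encrypted record together with the data tag it was sealed under
	Category   string
	Level      Level
	Nonce      []byte
	Ciphertext []byte
}

// gcmFor selects the encryption mode for a level: a per-level key derived from the
// master key, AES-256-GCM for levels 3 and 4, AES-128-GCM for levels 1 and 2. This
// mapping is the example's own; the patent leaves the four algorithm types open.
func gcmFor(master []byte, lvl Level) cipher.AEAD {
	sum := sha256.Sum256(append(append([]byte{}, master...), byte(lvl)))
	key := sum[:16]
	if lvl >= 3 {
		key = sum[:]
	}
	block, _ := aes.NewCipher(key) // key is always 16 or 32 bytes, so no error
	gcm, _ := cipher.NewGCM(block) // the AES block size is always valid for GCM
	return gcm
}

// aad binds category and level to the ciphertext, so a record re-labelled to a
// lower level or refiled in another storage area no longer decrypts.
func aad(category string, lvl Level) []byte { return []byte(fmt.Sprintf("%s|%d", category, lvl)) }

// Seal encrypts one record with the mode its level maps to.
func Seal(master []byte, category string, lvl Level, plaintext []byte) (Sealed, error) {
	gcm := gcmFor(master, lvl)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	return Sealed{category, lvl, nonce, gcm.Seal(nil, nonce, plaintext, aad(category, lvl))}, nil
}

// Open reverses Seal, verifying the tag-bound category and level.
func Open(master []byte, s Sealed) ([]byte, error) {
	return gcmFor(master, s.Level).Open(nil, s.Nonce, s.Ciphertext, aad(s.Category, s.Level))
}

// Store models the storage medium: storage area n holds level-n records only.
type Store map[Level][]Sealed

func (st Store) Put(s Sealed) int { st[s.Level] = append(st[s.Level], s); return int(s.Level) }

// User holds the operation and category rights checked after identity authentication.
type User struct{ Ops, Categories map[string]bool }

// Authorize admits a data processing request only when both rights are present.
func Authorize(u User, op, category string) error {
	if !u.Ops[op] || !u.Categories[category] {
		return fmt.Errorf("denied: %s on %s lacks operation or category permission", op, category)
	}
	return nil
}

func main() {
	cat, lvl := Classify([]string{"brake_cmd", "ts"})
	fmt.Println(cat, lvl) // prints "control 4"
}
```

Two design choices are worth noting. Unmatched data is graded at the highest level rather than the lowest, because a feature library built from historical traffic will not recognise every new message type and a grading miss should not downgrade protection. Deriving a separate key per level from one master key is only a placeholder for the per-level key management a deployment would need; the patent's unauthorized-request path (backup plus re-encryption under a secondary mode) would in practice be a re-keying of the affected areas, which this example does not implement.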

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311861983.3A CN117792611A (en) 2023-12-29 2023-12-29 Method, device, equipment and medium for processing communication data of railway vehicle on-board network

Publications (1)

Publication Number Publication Date
CN117792611A true CN117792611A (en) 2024-03-29

Family

ID=90387088

Country Status (1)

Country Link
CN (1) CN117792611A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination