CN117955741B - Encryption communication method and system of Modbus protocol communication equipment - Google Patents


Info

Publication number
CN117955741B
Authority
CN
China
Prior art keywords
data
encrypted
preset
target data
value
Legal status
Active
Application number
CN202410345969.6A
Other languages
Chinese (zh)
Other versions
CN117955741A (en)
Inventor
郭庆学
张少杰
周树岳
穆瑞清
Current Assignee
Hebei Newway Electronic Technology Co ltd
Original Assignee
Hebei Newway Electronic Technology Co ltd


Abstract

The invention provides an encryption communication method and system for Modbus protocol communication equipment. The method comprises: acquiring the data to be communicated of the sending end; identifying the data to be encrypted within the data to be communicated and marking the first residual data; encrypting the data to be encrypted to obtain encrypted data; packaging the encrypted data and the first residual data to obtain a data packet; and sending the data packet to the receiving end. The system automatically identifies the data to be encrypted, so the user of the sending end does not need to manually select the more important data from the data to be communicated; this reduces labor cost, improves the efficiency and comprehensiveness of encrypted communication, and makes the system particularly suitable for encrypted communication of large volumes of data.

Description

Encryption communication method and system of Modbus protocol communication equipment
Technical Field
The invention relates to the technical field of encryption communication, in particular to an encryption communication method and system of Modbus protocol communication equipment.
Background
The mainstream Modbus variant is the Modbus TCP protocol. Communicating over Modbus TCP, however, requires access to the Internet, and Modbus TCP transmits in plaintext, so an attack on the communication process can cause irreversible loss. Encrypted communication is therefore required.
Generally, for encrypted communication the user of the sending end must manually select the more important data from the data to be communicated and encrypt it individually. However, the data to be communicated is often large in volume, so manual selection not only costs labor and is slow but is also prone to missing items.
Thus, a solution is needed.
Disclosure of Invention
The invention provides an encryption communication method and system for Modbus protocol communication equipment in which the system automatically identifies the data to be encrypted within the data to be communicated. The user of the sending end no longer needs to manually select the more important data from the data to be communicated, which reduces labor cost, improves the efficiency and comprehensiveness of encrypted communication, and makes the method and system particularly suitable for encrypted communication of large volumes of data.
The invention provides an encryption communication method for Modbus protocol communication equipment, applied to a sending end and a receiving end that communicate using the Modbus protocol, the method comprising:
acquiring data to be communicated of the sending end;
identifying data to be encrypted in the data to be communicated, and marking first residual data;
encrypting the data to be encrypted to obtain encrypted data;
packaging the encrypted data and the first residual data to obtain a data packet;
and sending the data packet to the receiving end.
Preferably, identifying data to be encrypted in the data to be communicated includes:
determining first target data from data to be communicated, and marking second residual data; the first target data accords with a first encryption condition;
determining second target data from the second remaining data; the second target data accords with a second encryption condition;
taking the second target data and the first target data as data to be encrypted;
Wherein the first encryption condition includes:
the first target data has an encryption requirement identifier, and/or the first target data accords with a preset first encryption preference corresponding to the sending end, and/or the second target data accords with a preset second encryption preference corresponding to the service type of the sending end;
wherein the second encryption condition includes:
the cost value of the second target data which is not encrypted is larger than or equal to a preset cost threshold value.
Preferably, the step of obtaining the cost value of the second target data not being encrypted includes:
respectively analyzing a first data type of the first target data and a second data type of the second target data;
determining a first association relationship between the first data type and the second data type from a preset association relationship library;
matching the first association relationship against the second association relationships in a preset trigger relationship library;
when there is no match, setting the cost value of the second target data not being encrypted to a preset first numerical value; otherwise, acquiring the operation sequence formed by the operations the user of the sending end performed on the data to be communicated within the most recent preset time;
determining target local operation sequences from the operation sequence; each target local operation sequence satisfies the local operation sequence condition;
counting the number of target local operation sequences;
when that number is greater than or equal to a preset first number threshold, setting the cost value of the second target data not being encrypted to the first numerical value; otherwise, performing feature description on the number of sequences, the target local operation sequences and the first association relationship to obtain a first feature description vector;
determining a second numerical value corresponding to the first feature description vector from a preset first numerical value library;
setting the cost value of the second target data not being encrypted to the second numerical value;
wherein the local operation sequence condition includes:
the operation objects of the first and last operations in the target local operation sequence are both first target data, the first data types of those two operation objects have a corresponding third association relationship in the association relationship library, and at least one operation object in the middle of the target local operation sequence is second target data;
wherein the first numerical value is less than the cost threshold.
Preferably, the cost threshold value and the disaster tolerance value of the data communication between the sending end and the receiving end are in a preset proportional relation.
Preferably, the step of obtaining the disaster tolerance value of the data communication between the sending end and the receiving end includes:
acquiring communication information of the data communication between the sending end and the receiving end;
performing feature description on the communication information and the data packet to obtain a second feature description vector;
determining a query constraint condition corresponding to the second feature description vector from a preset query constraint condition library;
querying an abnormal subtree set from a preset communication anomaly map based on the query constraint condition;
determining whether the abnormal subtree set satisfies the set condition;
when it does, the disaster tolerance value of the data communication between the sending end and the receiving end is a preset third value; otherwise, performing feature description on the abnormal subtree set to obtain a third feature description vector;
determining a fourth value corresponding to the third feature description vector from a preset second value library;
the disaster tolerance value of the data communication between the sending end and the receiving end is then the fourth value;
wherein the set condition includes:
at least a preset second number threshold of the abnormal subtrees in the abnormal subtree set satisfy the subtree condition; the subtree condition includes:
the abnormal subtree contains tree nodes of a preset node type, and/or the abnormal subtree has a main node of the same type as the main nodes of other abnormal subtrees in the abnormal subtree set.
The invention also provides an encryption communication system for Modbus protocol communication equipment, applied to a sending end and a receiving end that communicate using the Modbus protocol, the system comprising:
an acquisition module, configured to acquire data to be communicated of the sending end;
an identification module, configured to identify data to be encrypted in the data to be communicated and mark first residual data;
an encryption module, configured to encrypt the data to be encrypted to obtain encrypted data;
a packaging module, configured to package the encrypted data and the first residual data to obtain a data packet;
and a sending module, configured to send the data packet to the receiving end.
Preferably, the identification module identifies the data to be encrypted in the data to be communicated, obtains the cost value of the second target data not being encrypted and obtains the disaster tolerance value in the same manner as set out for the method above.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
The technical scheme of the invention is further described in detail through the drawings and the embodiments.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate the invention and together with the embodiments of the invention, serve to explain the invention. In the drawings:
Fig. 1 is a flowchart of an encryption communication method of a Modbus protocol communication device according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of an encryption communication system of a Modbus protocol communication device according to an embodiment of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described below with reference to the accompanying drawings, it being understood that the preferred embodiments described herein are for illustration and explanation of the present invention only, and are not intended to limit the present invention.
The invention provides an encryption communication method for Modbus protocol communication equipment, applied to a sending end and a receiving end that communicate using the Modbus protocol. As shown in FIG. 1, the method includes:
S1, acquiring data to be communicated of the sending end;
S2, identifying data to be encrypted in the data to be communicated, and marking first residual data;
S3, encrypting the data to be encrypted to obtain encrypted data;
S4, packaging the encrypted data and the first residual data to obtain a data packet;
S5, sending the data packet to the receiving end.
For example, a client that is about to send data to a server is the sending end and the server is the receiving end. The system automatically identifies the data to be encrypted in the data to be communicated; the marked first residual data is the rest of the data to be communicated, other than the data to be encrypted. The encryption method may be symmetric encryption, hash verification or the like, and the receiving end must be provided with the decryption method corresponding to the encryption method so that it can decrypt and check the encrypted data in the data packet. Because the system identifies the data to be encrypted automatically, the user of the sending end does not need to manually select the more important data from the data to be communicated; this reduces labor cost, improves the efficiency and comprehensiveness of encrypted communication, and makes the system particularly suitable for encrypted communication of large volumes of data.
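Steps S3 to S5 worked through as an added Python example that is not part of the patent: the identification result selects which register values are protected, the packet carries them alongside the first residual data, and the receiver checks the packet with the matching method. Of the methods the text names, hash verification is shown (HMAC-SHA256, with a whole-packet tag so the residual plaintext is covered as well); a symmetric cipher would take the place of `protect_field`. The field names, key and register values are constructed.

```python
"""Packaging and receiver-side check for the selected fields (steps S3-S5).
Added illustration, not the patent's code. Hash verification (HMAC-SHA256)
stands in for the encryption step; key, field names and values are constructed."""
import hashlib
import hmac
import json
import secrets

KEY = b"constructed-shared-key-not-for-production"  # pre-shared by sender and receiver


def protect_field(key, name, value, nonce):
    """Hash verification for one selected field: the tag is bound to the field name
    and the packet nonce so it cannot be moved to another field or another packet."""
    msg = nonce + name.encode() + json.dumps(value, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_packet(key, data, to_encrypt):
    """S4: package the protected fields and the first residual data into one packet."""
    nonce = secrets.token_bytes(16)
    packet = {
        "nonce": nonce.hex(),
        "protected": {n: {"value": data[n], "tag": protect_field(key, n, data[n], nonce)}
                      for n in to_encrypt},
        "residual": {n: v for n, v in data.items() if n not in to_encrypt},
    }
    # The packet tag covers the residual plaintext and the list of protected names too,
    # so altering or dropping an unprotected field in transit is also detected.
    body = json.dumps(packet, sort_keys=True).encode()
    packet["packet_tag"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    return packet


def verify_packet(key, packet):
    """Receiver side: check the packet tag, then every protected field.
    Returns the data in its original layout, or None if any check fails."""
    packet = dict(packet)
    expected = packet.pop("packet_tag", "")
    body = json.dumps(packet, sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), expected):
        return None
    nonce = bytes.fromhex(packet["nonce"])
    data = dict(packet["residual"])
    for name, entry in packet["protected"].items():
        if not hmac.compare_digest(protect_field(key, name, entry["value"], nonce), entry["tag"]):
            return None
        data[name] = entry["value"]
    return data


# Constructed sample: holding-register values a client sends to a Modbus TCP server,
# and the selection produced by the identification step.
DATA = {"pump_setpoint": 1200, "alarm_limit": 1500, "flow_reading": 987, "device_label": "P-07"}
TO_ENCRYPT = ["pump_setpoint", "alarm_limit", "flow_reading"]


def tampered(packet):
    """Failure mode to check: a residual plaintext field changed in transit."""
    bad = json.loads(json.dumps(packet))
    bad["residual"]["device_label"] = "P-99"
    return bad


if __name__ == "__main__":
    pkt = build_packet(KEY, DATA, TO_ENCRYPT)
    print(verify_packet(KEY, pkt) == DATA)     # True
    print(verify_packet(KEY, tampered(pkt)))   # None
```

Hash verification gives the receiver integrity checking only; where the text's symmetric encryption is used instead, the protected values travel as ciphertext and the same packet layout applies.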
In one embodiment, identifying data to be encrypted in data to be communicated includes:
determining first target data from data to be communicated, and marking second residual data; the first target data accords with a first encryption condition;
determining second target data from the second remaining data; the second target data accords with a second encryption condition;
taking the second target data and the first target data as data to be encrypted;
Wherein the first encryption condition includes:
the first target data has an encryption requirement identifier, and/or the first target data accords with a preset first encryption preference corresponding to the sending end, and/or the second target data accords with a preset second encryption preference corresponding to the service type of the sending end;
wherein the second encryption condition includes:
the cost value of the second target data which is not encrypted is larger than or equal to a preset cost threshold value.
When the user of the sending end manually selects first target data to be encrypted, that first target data is marked with the encryption requirement identifier. The user of the sending end can also set in advance, according to actual needs, the data types that must be encrypted during communication, forming the first encryption preference. The system can likewise determine in advance, according to the service type of the sending end (such as data backup or data tracing), the data types that may need to be encrypted during communication, forming the second encryption preference. When first target data satisfies the first encryption condition, it must be encrypted during communication and is treated as data to be encrypted; the marked second residual data is the rest of the data to be communicated, other than the first target data. The cost value of the second target data not being encrypted represents the degree of loss that would arise if the second target data were left unencrypted during communication and the communication process were attacked. The cost threshold may be, for example, 60. When the cost value of the second target data not being encrypted is greater than or equal to the cost threshold, the loss from an attack on the communication process would be large if the second target data were not encrypted, so the second target data must be encrypted during communication and is treated as data to be encrypted.
In this way, the first encryption condition identifies the basic first target data that must be encrypted, and the cost value identifies the second target data beyond that basic set which must also be encrypted, improving the accuracy and comprehensiveness of the identification. The user can actively set the first encryption preference while the system passively sets the second encryption preference on the user's behalf, which improves user-friendliness and user experience.
In one embodiment, obtaining the cost value of the second target data not being encrypted includes:
respectively analyzing a first data type of the first target data and a second data type of the second target data;
determining a first association relationship between the first data type and the second data type from a preset association relationship library;
matching the first association relationship against the second association relationships in a preset trigger relationship library;
when there is no match, setting the cost value of the second target data not being encrypted to a preset first numerical value; otherwise, acquiring the operation sequence formed by the operations the user of the sending end performed on the data to be communicated within the most recent preset time;
determining target local operation sequences from the operation sequence; each target local operation sequence satisfies the local operation sequence condition;
counting the number of target local operation sequences;
when that number is greater than or equal to a preset first number threshold, setting the cost value of the second target data not being encrypted to the first numerical value; otherwise, performing feature description on the number of sequences, the target local operation sequences and the first association relationship to obtain a first feature description vector;
determining a second numerical value corresponding to the first feature description vector from a preset first numerical value library;
setting the cost value of the second target data not being encrypted to the second numerical value;
wherein the local operation sequence condition includes:
the operation objects of the first and last operations in the target local operation sequence are both first target data, the first data types of those two operation objects have a corresponding third association relationship in the association relationship library, and at least one operation object in the middle of the target local operation sequence is second target data;
wherein the first numerical value is less than the cost threshold.
When the first association relationship matches a second association relationship, the first data type and the second data type have that second association relationship, which triggers the conclusion that the second target data needs to be encrypted during communication. For example, the second association relationship may be that the usage purposes of the two data types are consistent (consistent usage purposes mean that the first target data and the second target data may be used cooperatively or in combination, so the second target data must not be attacked or tampered with and its importance is higher), or that the sending order of the two data types is adjacent (adjacent sending order means that if the second target data is attacked, stolen or the like, the transmission between the first target data and the second target data is interrupted, so the importance of the second target data is higher); the second association relationship may also be something else, set by technicians according to actual requirements. When the first association relationship matches none of the second association relationships, it is directly concluded that the second target data does not need to be encrypted during communication, and the cost value of the second target data not being encrypted is set to a first value smaller than the cost threshold.
The preset time may be, for example, 30 minutes. The user of the sending end performs a series of operations, such as manually selecting data for encryption, browsing and viewing, and so on; ordering these operations by the order in which they were performed forms the operation sequence. When a target local operation sequence satisfies the local operation sequence condition, it indicates that the second target data does not need to be encrypted during communication. The first number threshold may be, for example, 5. When the number of target local operation sequences is greater than or equal to the first number threshold, it is directly concluded that the second target data does not need to be encrypted during communication, and the cost value of the second target data not being encrypted is set to a first value smaller than the cost threshold.
In the local operation sequence condition, the operation objects of the first and last operations are first target data, each with its own first data type; when those two operation objects correspond to a third association relationship in the association relationship library, the two operation objects are related. Combined with the requirement that at least one operation in the middle of the target local operation sequence acts on the second target data, a sequence screened out by the local operation sequence condition is one in which the user of the sending end first operates on first target data that needs to be encrypted, then operates on second target data whose need for encryption is unknown, and finally operates on first target data that needs to be encrypted. This reflects that the second target data probably does not need to be encrypted during communication, for the following reason: the user first views a first target data item, then views the second target data, and finally views another first target data item related to the one viewed first. In this process, deliberately viewing the second target data right after the first target data suggests that the second target data may be related to the first target data viewed first and that the user wants to determine whether the second target data needs to be encrypted. Viewing another related first target data item last suggests that the sequence of viewing the first target data, then the second target data, then the other first target data is most likely a search to determine whether several data items related to the first target data need to be encrypted. Yet the user did not manually select the second target data for encryption, which indicates to a certain extent that the user has confirmed that the second target data does not need to be encrypted.
The number of sequences reflects the degree to which the second target data needs to be encrypted during communication: the smaller the number of sequences, the greater that degree. The target local operation sequence itself also reflects the degree to which the second target data needs to be encrypted. For example, if the user first views a first target data item, then views the second target data, and finally views another first target data item related to the first, and the middle operation of viewing the second target data lasts 60 seconds, the long dwell time shows a high degree of confidence that the second target data does not need to be encrypted, so the degree reflected by the target local operation sequence is smaller. Likewise, the first association relationship reflects the degree to which the second target data needs to be encrypted; for example, if the first association relationship is that the usage purposes of the two data types are consistent, the reflected degree is rather large. Based on the feature description of the number of sequences, the target local operation sequences and the first association relationship, the second value corresponding to the resulting first feature description vector is determined from the preset first numerical value library, and the cost value of the second target data not being encrypted is set to that second value. The first numerical value library holds the second values corresponding to different first feature description vectors; technicians can set these second values in advance according to the different numbers of sequences, target local operation sequences and first association relationships, so that they comprehensively reflect the degree to which the second target data needs to be encrypted during communication, and thereby build the library.
When obtaining the cost value of the second target data not being encrypted, it is first determined from the trigger relationship library whether the cost value should be the first value; if so, no further operations are performed, which reduces the working resources consumed by the system and improves its efficiency. Next, target local operation sequences are screened out using the local operation sequence condition, and whether the cost value should be the first value is determined from the relationship between the number of target local operation sequences and the first number threshold; if so, again no further operations are performed, further reducing resource consumption and improving efficiency. Finally, the cost value is determined comprehensively and in a multi-mode manner using the first feature description vector and the first numerical value library, which improves the accuracy and comprehensiveness of the obtained cost value.
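The identification logic of this embodiment, as an added Python example (not the patent's code): the first encryption condition, then the three-stage cost-value decision with the trigger relationship library, the local operation sequence condition and a rule standing in for the first numerical value library. The item names, data types, relation names, operation log and the second-value rule are constructed assumptions; only the cost threshold 60, the first number threshold 5 and the 30-minute window come from the text.

```python
"""Selection of the data to be encrypted: first encryption condition, then the
cost-value decision chain of the second condition. Added illustration, not the
patent's code; names, types, relation libraries and the second-value rule are
constructed assumptions. Only 60, 5 and the 30-minute window come from the text."""
from dataclasses import dataclass

COST_THRESHOLD = 60          # example cost threshold given in the text
FIRST_VALUE = 10             # the "first numerical value"; must be below the threshold
FIRST_NUMBER_THRESHOLD = 5   # example first number threshold given in the text
THIRD_RELATION = "related"   # assumed name of the third association relationship
TRIGGER_LIBRARY = {"same_use", "adjacent"}   # second association relationships named in the text


@dataclass(frozen=True)
class Item:
    name: str
    dtype: str                      # data type used for the association lookups
    needs_encryption: bool = False  # the "encryption requirement identifier"


def meets_first_condition(item, sender_pref, service_pref):
    """First encryption condition: explicit identifier, the sender's own preset
    preference, or the preference derived from the sender's service type."""
    return item.needs_encryption or item.dtype in sender_pref or item.dtype in service_pref


def relation(assoc, a, b):
    """Association relationship between two data types (order-insensitive lookup)."""
    return assoc.get((a, b)) or assoc.get((b, a))


def target_local_sequences(ops, first_names, second_name, assoc):
    """Local operation sequence condition: first and last operation act on first
    target data whose types carry the third association relationship, and at least
    one operation in between acts on the second target data. ops is a list of
    (action, item, dwell_seconds). Overlapping windows are counted separately; the
    text only says the sequences are counted, so this is an assumption."""
    found = []
    for i, (_, first, _) in enumerate(ops):
        if first.name not in first_names:
            continue
        for j in range(i + 2, len(ops)):
            last = ops[j][1]
            middle_hit = any(op[1].name == second_name for op in ops[i + 1:j])
            if (last.name in first_names and middle_hit
                    and relation(assoc, first.dtype, last.dtype) == THIRD_RELATION):
                found.append(ops[i:j + 1])
    return found


def second_value(count, longest_dwell, rel):
    """Stand-in for the preset first numerical value library: maps the feature
    description (sequence count, dwell on the second target data, first association
    relationship) to a cost. The real library is filled by technicians; this rule is
    an assumption chosen so that more user evidence lowers the cost."""
    base = {"same_use": 90, "adjacent": 70}.get(rel, 50)
    penalty = 10 * count + (15 if longest_dwell >= 60 else 0)
    return max(0, base - penalty)


def cost_value(second, first_items, assoc, ops):
    """Cost of leaving `second` unencrypted, following the three stages in the text."""
    rels = {relation(assoc, f.dtype, second.dtype) for f in first_items} & TRIGGER_LIBRARY
    if not rels:
        return FIRST_VALUE     # no trigger relationship: may stay in plaintext
    seqs = target_local_sequences(ops, {f.name for f in first_items}, second.name, assoc)
    if len(seqs) >= FIRST_NUMBER_THRESHOLD:
        return FIRST_VALUE     # user inspected it repeatedly and left it unencrypted
    dwell = max((op[2] for s in seqs for op in s[1:-1] if op[1].name == second.name), default=0)
    return second_value(len(seqs), dwell, max(rels))   # max(): deterministic pick if several trigger


def identify(items, sender_pref, service_pref, assoc, ops):
    """Return (names of the data to be encrypted, names of the first residual data)."""
    first = [it for it in items if meets_first_condition(it, sender_pref, service_pref)]
    second = [it for it in items if it not in first
              and cost_value(it, first, assoc, ops) >= COST_THRESHOLD]
    to_encrypt = [it.name for it in first + second]
    residual = [it.name for it in items if it.name not in to_encrypt]
    return to_encrypt, residual


# Constructed sample: register values a client is about to write to a Modbus server,
# and the user's operations on them within the last 30 minutes.
ITEMS = [
    Item("pump_setpoint", "setpoint", needs_encryption=True),  # manually selected
    Item("alarm_limit", "limit"),                               # covered by sender preference
    Item("flow_reading", "measurement"),
    Item("device_label", "label"),
]
ASSOC = {("setpoint", "measurement"): "same_use", ("setpoint", "limit"): "related"}
OPS = [("view", ITEMS[0], 12), ("view", ITEMS[2], 40), ("view", ITEMS[1], 8)]

if __name__ == "__main__":
    print(identify(ITEMS, {"limit"}, set(), ASSOC, OPS))
    # -> (['pump_setpoint', 'alarm_limit', 'flow_reading'], ['device_label'])
```

With the sender preference removed, `alarm_limit` is no longer first target data and its `related` relationship is not in the trigger library, so it falls into the residual data while `flow_reading` is still selected.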
In one embodiment, the cost threshold is in a preset proportional relationship with the disaster tolerance value of the data communication between the sending end and the receiving end.
The proportional relationship can be preset. The disaster tolerance value represents the degree to which the data communication between the sending end and the receiving end can recover if it is affected. The cost threshold is directly proportional to the disaster tolerance value: the larger the disaster tolerance value, the greater the recovery capability it represents, so the quantity of data to be encrypted is reduced as far as possible while stable and secure communication is still ensured, which improves the rationality of the system's adaptive operation.
In one embodiment, obtaining the disaster tolerance value of the data communication between the sending end and the receiving end includes:
acquiring communication information of the data communication between the sending end and the receiving end;
performing feature description on the communication information and the data packet to obtain a second feature description vector;
determining the query constraint condition corresponding to the second feature description vector from a preset query constraint condition library;
querying an abnormal subtree set from a preset communication anomaly map based on the query constraint condition;
determining whether the abnormal subtree set meets the set condition;
if it does, the disaster tolerance value of the data communication between the sending end and the receiving end is a preset third value; otherwise, performing feature description on the abnormal subtree set to obtain a third feature description vector;
determining the fourth value corresponding to the third feature description vector from a preset second value library;
the disaster tolerance value of the data communication between the sending end and the receiving end is the fourth value;
wherein the set condition includes:
at least a preset second number threshold of abnormal subtrees in the abnormal subtree set meet the subtree condition; the subtree condition includes:
the abnormal subtree contains a tree node of a preset node type, and/or the abnormal subtree has a main node of the same type as that of another abnormal subtree in the abnormal subtree set.
The communication information includes the communication port, the communication distance and the like of the data communication between the transmitting end and the receiving end. Feature description is performed on the communication information and the data packet, and the query constraint condition corresponding to the resulting second feature description vector is determined from the query constraint condition library. The communication information and the data packet reflect the current communication situation in which the data to be communicated is being transmitted from the transmitting end to the receiving end, and the query constraint condition restricts the query of the communication anomaly map to the abnormal subtrees related to that current communication situation. The communication anomaly map is constructed as follows: whenever a communication abnormal event has historically occurred in data communication using the Modbus protocol, the related event progress nodes of that event (event occurrence, event investigation, event processing, processing result and the like) are collected and connected in sequence according to their order of progress to form an abnormal subtree; the abnormal subtrees together form the communication anomaly map. When the abnormal subtree set meets the set condition, the degree to which the data communication between the sending end and the receiving end can recover if affected is large, and the disaster tolerance value is directly taken as the larger third value; otherwise, feature description is performed on the abnormal subtree set to obtain a third feature description vector. The abnormal subtree set itself reflects the ability of the transmitting end and the receiving end to recover if affected during data communication. For example, the more abnormal subtrees there are in the set (the more communication abnormal events similar to the current situation have occurred historically, the stronger the coping capability), and the more related event progress nodes there are on those abnormal subtrees (the more such nodes, the more comprehensive the handling of historical events similar to the current situation), the greater the degree to which the communication can recover if affected. Therefore, the fourth value corresponding to the third feature description vector can be determined from the second value library, and the disaster tolerance value is that fourth value. The second value library holds fourth values for different third feature description vectors; a technician can set the fourth values in advance according to how different abnormal subtree sets represent the degree of recovery capability if the data communication between the sending end and the receiving end is affected.
In the set condition, the second number threshold may be, for example, 10. The main node of each abnormal subtree is its first related event progress node, namely the event occurrence node; an abnormal subtree having a main node of the same type as another abnormal subtree in the set indicates that the two subtrees concern communication abnormal events of the same type. The tree nodes are the related event progress nodes connected in sequence after the main node, namely the event investigation node, event processing node, processing result node and the like, and the preset node type is a related event progress node type that represents a proper response of the abnormal subtree to the communication abnormal event, for example the event processing node, whose presence shows that the communication abnormal event was historically handled. Therefore, when at least a second number threshold of abnormal subtrees in the set meet the subtree condition, the degree to which the data communication between the transmitting end and the receiving end can recover if affected is large.
When obtaining the disaster tolerance value of the data communication between the sending end and the receiving end, the abnormal subtree set is queried from the communication anomaly map using the query constraint condition, and whether subsequent operations are performed is decided by whether the abnormal subtree set meets the set condition. The set condition quickly determines whether the degree of recovery capability if the data communication is affected is large; if it is, the third value is used directly as the disaster tolerance value, which reduces the working resources consumed by the system and improves its working efficiency. When the abnormal subtree set does not meet the set condition, the third feature description vector and the second value library are used to quickly determine the fourth value as the disaster tolerance value, which further improves the working efficiency of the system.
It should be noted that the first, second, third and fourth values may be set in advance by a technician according to actual needs.
The invention also provides an encrypted communication system for Modbus protocol communication equipment, the equipment comprising a sending end and a receiving end that perform data communication using the Modbus protocol. As shown in FIG. 2, the system includes:
an acquisition module 1 for acquiring the data to be communicated of the sending end;
an identification module 2 for identifying the data to be encrypted in the data to be communicated and marking the first residual data;
an encryption module 3 for encrypting the data to be encrypted to obtain encrypted data;
a packaging module 4 for packaging the encrypted data and the first residual data to obtain a data packet;
and a sending module 5 for sending the data packet to the receiving end.
The identification module 2 identifies the data to be encrypted in the data to be communicated by:
determining first target data from the data to be communicated and marking second residual data, the first target data meeting a first encryption condition;
determining second target data from the second residual data, the second target data meeting a second encryption condition;
taking the second target data and the first target data as the data to be encrypted;
wherein the first encryption condition includes:
the first target data carries an encryption requirement identifier, and/or the first target data meets a preset first encryption preference corresponding to the sending end, and/or the first target data meets a preset second encryption preference corresponding to the service type of the sending end;
wherein the second encryption condition includes:
the cost value of leaving the second target data unencrypted is greater than or equal to a preset cost threshold.
The step of obtaining the cost value of leaving the second target data unencrypted includes:
analysing the first data type of the first target data and the second data type of the second target data respectively;
determining the first association relation between the first data type and the second data type from a preset association relation library;
matching the first association relation against the second association relations in a preset trigger relation library;
if there is no match, calculating the cost value of leaving the second target data unencrypted as a preset first value; otherwise, acquiring the operation sequence generated by the operations of the sending end's user on the data to be communicated within the latest preset time;
determining target local operation sequences from the operation sequence, the target local operation sequences meeting the local operation sequence condition;
counting the number of target local operation sequences;
when the number of sequences is greater than or equal to a preset first number threshold, calculating the cost value of leaving the second target data unencrypted as the first value; otherwise, performing feature description on the number of sequences, the target local operation sequences and the first association relation to obtain a first feature description vector;
determining the second value corresponding to the first feature description vector from a preset first value library;
the cost value of leaving the second target data unencrypted is calculated as the second value;
wherein the local operation sequence condition includes:
the operation objects of the first and last operations in the target local operation sequence are first target data, the first data types of those two operation objects have a corresponding third association relation in the association relation library, and the operation object of at least one operation in the middle of the target local operation sequence is second target data;
wherein the first value is less than the cost threshold.
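The cost-value procedure just listed (and the explanation of the sequence count, dwell time and association relation given earlier in the description) is easier to follow as code. The following is an added example, not the patent's own implementation: the association relation library, trigger relation library, first value library, encryption preferences, thresholds, the 600-second operation window and the rule that every qualifying (start, end) operation pair counts as one target local operation sequence are all assumptions constructed here, and the sample items and operation logs are likewise constructed.

```python
"""Worked example of the 'identify data to be encrypted' step: the first
encryption condition, then the three-stage cost-value test for the remaining
items. Every preset library is a constructed dict (assumed shape)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Item:
    name: str
    dtype: str                  # data type, e.g. "setpoint"
    encrypt_flag: bool = False  # the "encryption requirement identifier"

@dataclass(frozen=True)
class Op:
    ts: float       # seconds; when the sender's user operated on the item
    obj: str        # item name operated on
    dwell_s: float  # how long the user stayed on it

# ---- constructed preset libraries (assumed shapes, not from the patent) ----
FIRST_PREF = {"plc-01": {"setpoint"}}           # first encryption preference, per sending end
SECOND_PREF = {"energy-metering": {"tariff"}}   # second encryption preference, per service type
ASSOC_LIB = {                                   # association relation library
    ("setpoint", "alarm_cfg"): "same_purpose",
    ("setpoint", "setpoint"): "same_type",
    ("setpoint", "log_text"): "unrelated",
}
TRIGGER_LIB = {"same_purpose", "same_type"}     # second association relations (trigger relation library)
THIRD_RELATIONS = {"same_type"}                 # relation required between first/last operation objects
FIRST_VALUE = 1                                 # must stay below COST_THRESHOLD
FIRST_NUMBER_THRESHOLD = 3
COST_THRESHOLD = 5
WINDOW_S = 600.0                                # the "latest preset time" window for operations
FIRST_VALUE_LIB = {                             # first value library: feature vector -> second value
    (1, "short", "same_purpose"): 7, (1, "long", "same_purpose"): 3,
    (2, "short", "same_purpose"): 6, (2, "long", "same_purpose"): 2,
    (1, "short", "same_type"): 8,    (1, "long", "same_type"): 4,
}

def relation(a, b):
    return ASSOC_LIB.get((a, b), ASSOC_LIB.get((b, a), "unrelated"))

def is_first_target(item, sender, service):
    """First encryption condition: flag, or sender preference, or service-type preference."""
    return (item.encrypt_flag or item.dtype in FIRST_PREF.get(sender, set())
            or item.dtype in SECOND_PREF.get(service, set()))

def target_sequences(ops, first_by_name, second_name):
    """Local operation sequences that start and end on first target data whose
    types carry a third association relation, with the second target in between.
    Every qualifying (start, end) pair is counted; that counting rule is an assumption."""
    found = []
    for i, start in enumerate(ops):
        if start.obj not in first_by_name:
            continue
        for j in range(i + 2, len(ops)):
            end = ops[j]
            if end.obj not in first_by_name:
                continue
            rel = relation(first_by_name[start.obj].dtype, first_by_name[end.obj].dtype)
            if rel in THIRD_RELATIONS and any(o.obj == second_name for o in ops[i + 1:j]):
                found.append(ops[i:j + 1])
    return found

def cost_value(first_items, second, ops, now):
    """Cost of leaving `second` unencrypted; the two early exits return FIRST_VALUE."""
    matched = [r for r in (relation(f.dtype, second.dtype) for f in first_items) if r in TRIGGER_LIB]
    if not matched:                              # stage 1: no trigger relation
        return FIRST_VALUE
    recent = [o for o in ops if now - o.ts <= WINDOW_S]
    seqs = target_sequences(recent, {f.name: f for f in first_items}, second.name)
    if len(seqs) >= FIRST_NUMBER_THRESHOLD:      # stage 2: too many target sequences
        return FIRST_VALUE
    dwell = max((o.dwell_s for s in seqs for o in s if o.obj == second.name), default=0.0)
    vec = (len(seqs), "long" if dwell >= 60 else "short", matched[0])  # first feature description vector
    return FIRST_VALUE_LIB.get(vec, COST_THRESHOLD)  # assumed fallback: unknown vector -> encrypt

def identify(items, ops, sender, service, now):
    """Returns (names of data to be encrypted, names of first residual data)."""
    first = [it for it in items if is_first_target(it, sender, service)]
    second = [it for it in items if it not in first
              and cost_value(first, it, ops, now) >= COST_THRESHOLD]
    chosen = first + second
    return [it.name for it in chosen], [it.name for it in items if it not in chosen]

# constructed sample data
ITEMS = [Item("sp_temp", "setpoint"), Item("alarm_hi", "alarm_cfg"),
         Item("note", "log_text"), Item("tariff1", "tariff")]
OPS_A = [Op(100, "sp_temp", 5), Op(110, "alarm_hi", 20), Op(140, "sp_temp", 5)]
OPS_B = [Op(100 + 10 * k, "sp_temp" if k % 2 == 0 else "alarm_hi", 5) for k in range(7)]
OPS_C = [Op(100, "sp_temp", 5), Op(110, "alarm_hi", 90), Op(205, "sp_temp", 5)]

if __name__ == "__main__":
    print(identify(ITEMS, OPS_A, "plc-01", "energy-metering", now=200.0))
```

With `OPS_A` the alarm configuration is encrypted because it shares a purpose with the setpoint and was only glanced at; with `OPS_B` the user returns to it so often that the sequence count reaches the first number threshold and the first value (below the cost threshold) is returned; with `OPS_C` the 90-second dwell moves the feature vector to a low second value. The fallback for a feature vector missing from the library is chosen to encrypt, so an incomplete library errs towards protection rather than exposure.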
The cost threshold is in a preset proportional relationship with the disaster tolerance value of the data communication between the sending end and the receiving end.
Obtaining the disaster tolerance value of the data communication between the sending end and the receiving end includes:
acquiring communication information of the data communication between the sending end and the receiving end;
performing feature description on the communication information and the data packet to obtain a second feature description vector;
determining the query constraint condition corresponding to the second feature description vector from a preset query constraint condition library;
querying an abnormal subtree set from a preset communication anomaly map based on the query constraint condition;
determining whether the abnormal subtree set meets the set condition;
if it does, the disaster tolerance value of the data communication between the sending end and the receiving end is a preset third value; otherwise, performing feature description on the abnormal subtree set to obtain a third feature description vector;
determining the fourth value corresponding to the third feature description vector from a preset second value library;
the disaster tolerance value of the data communication between the sending end and the receiving end is the fourth value;
wherein the set condition includes:
at least a preset second number threshold of abnormal subtrees in the abnormal subtree set meet the subtree condition; the subtree condition includes:
the abnormal subtree contains a tree node of a preset node type, and/or the abnormal subtree has a main node of the same type as that of another abnormal subtree in the abnormal subtree set.
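The disaster tolerance lookup above, together with the proportional cost threshold introduced earlier, as an added example that is not the patent's own code. The communication anomaly map (a handful of historical anomaly subtrees), the query constraint library, the second value library, the distance and packet-size buckets, the ratio of 0.05 and the third value of 100 are all constructed assumptions; the second number threshold is set to 3 here only to keep the sample map small, whereas the description gives 10 as its example.

```python
"""Worked example of the disaster tolerance value lookup and the proportional
cost threshold. The communication anomaly map, query constraint library and
second value library are constructed here (assumed shapes, not from the patent)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    kind: str   # event progress node type: occurrence, investigation, processing, result
    etype: str  # anomaly event type; meaningful on the main (occurrence) node

@dataclass(frozen=True)
class Subtree:
    port: int      # communication port the historical anomaly occurred on
    dist: str      # communication distance bucket: "near" or "far"
    nodes: tuple   # event progress nodes in progress order; nodes[0] is the main node

def chain(port, dist, etype, *kinds):
    return Subtree(port, dist, tuple(Node(k, etype) for k in ("occurrence",) + kinds))

# constructed communication anomaly map: one subtree per historical anomaly event
ANOMALY_MAP = [
    chain(502, "near", "timeout", "investigation", "processing", "result"),
    chain(502, "near", "crc_error", "investigation"),
    chain(502, "near", "crc_error", "investigation", "processing"),
    chain(503, "far", "timeout", "investigation"),
    chain(503, "far", "overrun", "investigation", "processing", "result"),
]

SECOND_NUMBER_THRESHOLD = 3      # the description's example is 10; 3 fits the small sample map
PRESET_NODE_TYPE = "processing"  # node type showing the event was actually handled
THIRD_VALUE = 100                # the "larger" disaster tolerance value
RATIO = 0.05                     # preset proportion: cost threshold = RATIO * disaster tolerance value
# query constraint library: (distance bucket, packet-size bucket) -> fields that must match
QUERY_CONSTRAINT_LIB = {
    ("near", "small"): {"port": True, "dist": True},
    ("near", "large"): {"port": True, "dist": True},
    ("far", "small"):  {"port": True, "dist": True},
    ("far", "large"):  {"port": True, "dist": False},
}
# second value library: third feature description vector -> fourth value
SECOND_VALUE_LIB = {("few", "shallow"): 20, ("few", "deep"): 40,
                    ("some", "shallow"): 50, ("some", "deep"): 70}

def second_feature_vector(comm, packet):
    """Feature description of the communication information and the data packet."""
    return (comm["port"], "near" if comm["distance_m"] <= 100 else "far",
            "small" if len(packet) <= 256 else "large")

def query_subtrees(vec):
    """Apply the query constraint condition to the anomaly map."""
    port, dist, size = vec
    c = QUERY_CONSTRAINT_LIB[(dist, size)]
    return [t for t in ANOMALY_MAP
            if (not c["port"] or t.port == port) and (not c["dist"] or t.dist == dist)]

def subtree_ok(t, subset):
    """Subtree condition: a node of the preset type, and/or a main node type shared with another subtree."""
    has_type = any(n.kind == PRESET_NODE_TYPE for n in t.nodes)
    shares_main = any(o is not t and o.nodes[0].etype == t.nodes[0].etype for o in subset)
    return has_type or shares_main

def meets_set_condition(subset):
    return sum(subtree_ok(t, subset) for t in subset) >= SECOND_NUMBER_THRESHOLD

def third_feature_vector(subset):
    """More subtrees and more progress nodes per subtree mean stronger recovery capability."""
    avg_nodes = sum(len(t.nodes) for t in subset) / len(subset) if subset else 0
    return ("few" if len(subset) < 3 else "some", "shallow" if avg_nodes < 3 else "deep")

def disaster_value(comm, packet):
    subset = query_subtrees(second_feature_vector(comm, packet))
    if meets_set_condition(subset):
        return THIRD_VALUE
    return SECOND_VALUE_LIB[third_feature_vector(subset)]

def cost_threshold(comm, packet):
    """Cost threshold in the preset proportion to the disaster tolerance value."""
    return round(RATIO * disaster_value(comm, packet), 6)

if __name__ == "__main__":
    print(disaster_value({"port": 502, "distance_m": 50}, b"\x00" * 20),
          cost_threshold({"port": 503, "distance_m": 500}, b"\x00" * 20))
```

For port 502 at short distance the three matching subtrees all satisfy the subtree condition (two of them only because they share the `crc_error` main node), so the set condition holds and the larger third value is used; for port 503 at long distance only one of the two matching subtrees qualifies, so the fourth value comes from the second value library, and the cost threshold shrinks with it, meaning more data has to pass the cost test and be encrypted on the less resilient link.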
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (6)

1. An encrypted communication method for Modbus protocol communication equipment, the Modbus protocol communication equipment comprising a sending end and a receiving end that perform data communication using the Modbus protocol, characterized in that the method comprises:
acquiring data to be communicated of the sending end;
identifying data to be encrypted in the data to be communicated, and marking first residual data;
encrypting the data to be encrypted to obtain encrypted data;
packaging the encrypted data and the first residual data to obtain a data packet;
sending the data packet to the receiving end;
wherein identifying the data to be encrypted in the data to be communicated comprises:
determining first target data from the data to be communicated, and marking second residual data; the first target data meeting a first encryption condition;
determining second target data from the second residual data; the second target data meeting a second encryption condition;
taking the second target data and the first target data as the data to be encrypted;
wherein the first encryption condition comprises:
the first target data carrying an encryption requirement identifier, and/or meeting a preset first encryption preference corresponding to the sending end, and/or meeting a preset second encryption preference corresponding to the service type of the sending end;
wherein the second encryption condition comprises:
the cost value of leaving the second target data unencrypted being greater than or equal to a preset cost threshold;
wherein obtaining the cost value of leaving the second target data unencrypted comprises:
analysing a first data type of the first target data and a second data type of the second target data respectively;
determining a first association relationship between the first data type and the second data type from a preset association relationship library;
matching the first association relationship against the second association relationships in a preset trigger relationship library;
if there is no match, calculating the cost value of leaving the second target data unencrypted as a preset first numerical value; otherwise, acquiring an operation sequence generated by operations of the user of the sending end on the data to be communicated within a latest preset time;
determining target local operation sequences from the operation sequence; the target local operation sequences meeting a local operation sequence condition;
counting the number of the target local operation sequences;
when the number of sequences is greater than or equal to a preset first number threshold, calculating the cost value of leaving the second target data unencrypted as the first numerical value; otherwise, performing feature description on the number of sequences, the target local operation sequences and the first association relationship to obtain a first feature description vector;
determining a second numerical value corresponding to the first feature description vector from a preset first numerical value library;
calculating the cost value of leaving the second target data unencrypted as the second numerical value;
wherein the local operation sequence condition comprises:
the operation objects of the first operation and the last operation in the target local operation sequence being the first target data, a second association relationship corresponding in the association relationship library to the first data types of the operation objects of the first operation and the last operation, and the operation object of at least one operation in the middle of the target local operation sequence being the second target data;
wherein the first numerical value is less than the cost threshold.
2. The encrypted communication method for Modbus protocol communication equipment according to claim 1, characterized in that the cost threshold is in a preset proportional relationship with a disaster tolerance value of the data communication between the sending end and the receiving end.
3. The encrypted communication method for Modbus protocol communication equipment according to claim 2, characterized in that obtaining the disaster tolerance value of the data communication between the sending end and the receiving end comprises:
acquiring communication information of the data communication between the sending end and the receiving end;
performing feature description on the communication information and the data packet to obtain a second feature description vector;
determining a query constraint condition corresponding to the second feature description vector from a preset query constraint condition library;
querying an abnormal subtree set from a preset communication anomaly map based on the query constraint condition;
determining whether the abnormal subtree set meets a set condition;
if it does, the disaster tolerance value of the data communication between the sending end and the receiving end being a preset third numerical value; otherwise, performing feature description on the abnormal subtree set to obtain a third feature description vector;
determining a fourth numerical value corresponding to the third feature description vector from a preset second numerical value library;
calculating the disaster tolerance value of the data communication between the sending end and the receiving end as the fourth numerical value;
wherein the set condition comprises:
at least a preset second number threshold of abnormal subtrees in the abnormal subtree set meeting a subtree condition; the subtree condition comprising:
the abnormal subtree containing a tree node of a preset node type, and/or the abnormal subtree having a main node of the same type as that of another abnormal subtree in the abnormal subtree set.
4. An encrypted communication system for Modbus protocol communication equipment, the Modbus protocol communication equipment comprising a sending end and a receiving end that perform data communication using the Modbus protocol, characterized in that the system comprises:
an acquisition module for acquiring data to be communicated of the sending end;
an identification module for identifying data to be encrypted in the data to be communicated and marking first residual data;
an encryption module for encrypting the data to be encrypted to obtain encrypted data;
a packaging module for packaging the encrypted data and the first residual data to obtain a data packet;
a sending module for sending the data packet to the receiving end;
wherein the identification module identifying the data to be encrypted in the data to be communicated comprises:
determining first target data from the data to be communicated, and marking second residual data; the first target data meeting a first encryption condition;
determining second target data from the second residual data; the second target data meeting a second encryption condition;
taking the second target data and the first target data as the data to be encrypted;
wherein the first encryption condition comprises:
the first target data carrying an encryption requirement identifier, and/or meeting a preset first encryption preference corresponding to the sending end, and/or meeting a preset second encryption preference corresponding to the service type of the sending end;
wherein the second encryption condition comprises:
the cost value of leaving the second target data unencrypted being greater than or equal to a preset cost threshold;
wherein obtaining the cost value of leaving the second target data unencrypted comprises:
analysing a first data type of the first target data and a second data type of the second target data respectively;
determining a first association relationship between the first data type and the second data type from a preset association relationship library;
matching the first association relationship against the second association relationships in a preset trigger relationship library;
if there is no match, calculating the cost value of leaving the second target data unencrypted as a preset first numerical value; otherwise, acquiring an operation sequence generated by operations of the user of the sending end on the data to be communicated within a latest preset time;
determining target local operation sequences from the operation sequence; the target local operation sequences meeting a local operation sequence condition;
counting the number of the target local operation sequences;
when the number of sequences is greater than or equal to a preset first number threshold, calculating the cost value of leaving the second target data unencrypted as the first numerical value; otherwise, performing feature description on the number of sequences, the target local operation sequences and the first association relationship to obtain a first feature description vector;
determining a second numerical value corresponding to the first feature description vector from a preset first numerical value library;
calculating the cost value of leaving the second target data unencrypted as the second numerical value;
wherein the local operation sequence condition comprises:
the operation objects of the first operation and the last operation in the target local operation sequence being the first target data, a second association relationship corresponding in the association relationship library to the first data types of the operation objects of the first operation and the last operation, and the operation object of at least one operation in the middle of the target local operation sequence being the second target data;
wherein the first numerical value is less than the cost threshold.
5. The encrypted communication system for Modbus protocol communication equipment according to claim 4, characterized in that the cost threshold is in a preset proportional relationship with a disaster tolerance value of the data communication between the sending end and the receiving end.
6. The encrypted communication system for Modbus protocol communication equipment according to claim 5, characterized in that obtaining the disaster tolerance value of the data communication between the sending end and the receiving end comprises:
acquiring communication information of the data communication between the sending end and the receiving end;
performing feature description on the communication information and the data packet to obtain a second feature description vector;
determining a query constraint condition corresponding to the second feature description vector from a preset query constraint condition library;
querying an abnormal subtree set from a preset communication anomaly map based on the query constraint condition;
determining whether the abnormal subtree set meets a set condition;
if it does, the disaster tolerance value of the data communication between the sending end and the receiving end being a preset third numerical value; otherwise, performing feature description on the abnormal subtree set to obtain a third feature description vector;
determining a fourth numerical value corresponding to the third feature description vector from a preset second numerical value library;
calculating the disaster tolerance value of the data communication between the sending end and the receiving end as the fourth numerical value;
wherein the set condition comprises:
at least a preset second number threshold of abnormal subtrees in the abnormal subtree set meeting a subtree condition; the subtree condition comprising:
the abnormal subtree containing a tree node of a preset node type, and/or the abnormal subtree having a main node of the same type as that of another abnormal subtree in the abnormal subtree set.
Application CN202410345969.6A, priority date 2024-03-26, filing date 2024-03-26: Encryption communication method and system of Modbus protocol communication equipment (Active, CN117955741B)

Publications (2)

Publication Number    Publication Date
CN117955741A (en)     2024-04-30
CN117955741B (en)     2024-06-11

Family ID: 90794610

Country Status (1): CN, CN117955741B (en)

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1697353A (en) * 2004-05-12 2005-11-16 北京信威通信技术股份有限公司 Encryption and encrypted communication method suitable to personal wireless communication system
WO2009093084A2 (en) * 2008-01-24 2009-07-30 Vodafone Group Plc A method of sending providing data security over an unsecured network
CN205901794U (en) * 2016-08-22 2017-01-18 成都比特信安科技有限公司 System for it encrypts to carry out selectivity to big data content
CN111859423A (en) * 2020-07-17 2020-10-30 山东广鹏信息科技有限公司 Information security encryption method and device
CN112671757A (en) * 2020-12-22 2021-04-16 无锡江南计算技术研究所 Encrypted flow protocol identification method and device based on automatic machine learning
CN113010745A (en) * 2021-03-18 2021-06-22 中国建设银行股份有限公司 Cash management network map construction method and device, electronic equipment and medium
CN113765900A (en) * 2021-08-24 2021-12-07 深圳融安网络科技有限公司 Protocol interaction information output transmission method, adapter device and storage medium
CN114090784A (en) * 2021-10-27 2022-02-25 北京科技大学 Entity label clustering method and device for knowledge graph in material field
CN115225320A (en) * 2022-06-10 2022-10-21 北卡科技有限公司 Data transmission encryption and decryption method
CN115481442A (en) * 2022-10-18 2022-12-16 北京人大金仓信息技术股份有限公司 Encryption method for data in database table, machine-readable storage medium and computer equipment
CN116643972A (en) * 2023-04-28 2023-08-25 浙江之科云启科技有限公司 Test service method and system
CN116933253A (en) * 2022-03-29 2023-10-24 华为技术有限公司 Method for detecting lux software, related system and storage medium
CN117579294A (en) * 2023-10-07 2024-02-20 中国人民解放军战略支援部队航天工程大学 Defensive data security communication method

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060262931A1 (en) * 2003-10-29 2006-11-23 Hirofumi Nakano Radio apparatus
CN101521667B (en) * 2009-04-15 2012-04-04 山东渔翁信息技术股份有限公司 Method and device for safety data communication
CN111200543A (en) * 2020-01-16 2020-05-26 福建奇点时空数字科技有限公司 Encryption protocol identification method based on active service detection engine technology
CN116127485A (en) * 2022-12-26 2023-05-16 北京人大金仓信息技术股份有限公司 Encryption method for database data, storage medium and computer equipment
CN116150796B (en) * 2023-04-18 2023-12-08 安羚科技(杭州)有限公司 Data protection method and device for data leakage prevention system

Patent Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1697353A (en) * 2004-05-12 2005-11-16 北京信威通信技术股份有限公司 Encryption and encrypted communication method suitable to personal wireless communication system
WO2009093084A2 (en) * 2008-01-24 2009-07-30 Vodafone Group Plc A method of sending providing data security over an unsecured network
CN205901794U (en) * 2016-08-22 2017-01-18 成都比特信安科技有限公司 System for it encrypts to carry out selectivity to big data content
CN111859423A (en) * 2020-07-17 2020-10-30 山东广鹏信息科技有限公司 Information security encryption method and device
CN112671757A (en) * 2020-12-22 2021-04-16 无锡江南计算技术研究所 Encrypted flow protocol identification method and device based on automatic machine learning
CN113010745A (en) * 2021-03-18 2021-06-22 中国建设银行股份有限公司 Cash management network map construction method and device, electronic equipment and medium
CN113765900A (en) * 2021-08-24 2021-12-07 深圳融安网络科技有限公司 Protocol interaction information output transmission method, adapter device and storage medium
CN114090784A (en) * 2021-10-27 2022-02-25 北京科技大学 Entity label clustering method and device for knowledge graph in material field
CN116933253A (en) * 2022-03-29 2023-10-24 华为技术有限公司 Method for detecting lux software, related system and storage medium
CN115225320A (en) * 2022-06-10 2022-10-21 北卡科技有限公司 Data transmission encryption and decryption method
CN115481442A (en) * 2022-10-18 2022-12-16 北京人大金仓信息技术股份有限公司 Encryption method for data in database table, machine-readable storage medium and computer equipment
CN116643972A (en) * 2023-04-28 2023-08-25 浙江之科云启科技有限公司 Test service method and system
CN117579294A (en) * 2023-10-07 2024-02-20 中国人民解放军战略支援部队航天工程大学 Defensive data security communication method

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Automatic identification method for encrypted Twitter network behaviour; 朱贺军; 祝烈煌; Computer Engineering (计算机工程); 2015-12-15 (No. 12); full text *
Database two-level encryption key technology based on the DES encryption algorithm; 侯有利; 杨雄; Journal of Guangxi Normal University (Natural Science Edition); 2011-09-30 (No. 03); full text *
张威. The CSO Advancement Path: From Security Engineer to Chief Security Officer. China Machine Press (机械工业出版社), 2021, pp. 196-198. *

Also Published As

Publication number Publication date
CN117955741A (en) 2024-04-30

Similar Documents

Publication Publication Date Title
CN111865815B (en) Flow classification method and system based on federal learning
CN102447684B (en) Data processing method and equipment
CN109657107B (en) Terminal matching method and device based on third-party application
CN110224808B (en) Bank data sharing method and device based on block chain, computer equipment and storage medium
KR19990087633A (en) Method and apparatus for checking validity of data packet in paging system
CN110417801B (en) Server side identification method and device, equipment and storage medium
US7975273B2 (en) Fuzzing system and method of distributed computing environment (DCE) remote procedure call (RPC)
CN114363412A (en) Message data processing method and device, computer equipment and storage medium
CN107562555A (en) The cleaning method and server of duplicate data
CN117955741B (en) Encryption communication method and system of Modbus protocol communication equipment
CN101741745A (en) Method and system for identifying application traffic of peer-to-peer network
CN107426798B (en) WIFI module network distribution method and device
CN115801530A (en) Network management type network switch with modular design
CN113297583B (en) Vulnerability risk analysis method, device, equipment and storage medium
CN113055535B (en) Method and system for generating 5G end-to-end call ticket
CN113946862A (en) Data processing method, device and equipment and readable storage medium
CN114584370A (en) Server data interaction network security system
CN112468285A (en) Data processing method and device based on privacy protection and server
CN112311536A (en) Key hierarchical management method and system
KR101646172B1 (en) Data brokering server and data brokering system using the same
CN117201053B (en) Video security-based transmission and storage method and system
CN115168907B (en) Data matching method, system, equipment and storage medium for protecting data privacy
CN109831293B (en) Decryption method and system based on Aes algorithm
CN113162678B (en) Method, terminal, electronic device and medium for key switching and data transmission
CN116257887B (en) Data query method, device, system, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant