
CN112866361A - Safe transmission method of industrial data - Google Patents


Info

Publication number: CN112866361A
Authority: CN (China)
Prior art keywords: message, remote server, acquisition terminal, connection, request
Prior art date
Legal status: Pending (an assumption, not a legal conclusion; no legal analysis has been performed)
Application number: CN202110012623.0A
Other languages: Chinese (zh)
Inventor: 戴振卿
Current assignee: Individual (listed assignees may be inaccurate)
Original assignee: Individual
Priority date
Filing date
Publication date
Application filed by: Individual
Priority to: CN202110012623.0A
Publication of: CN112866361A

Classifications

    • H04L 67/025: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP], for remote control or remote monitoring of applications
    • H04L 63/0428: Network architectures or network communication protocols for network security, providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 67/12: Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L 67/145: Termination or inactivation of sessions; avoiding end of session, e.g. keep-alive, heartbeats, resumption message or wake-up for inactive or interrupted session
    • H04L 67/146: Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding

Abstract

The invention discloses a secure transmission method for industrial data, comprising the following steps: preset terminal information is stored at the remote server in advance; the acquisition terminal sends a request message for connection establishment to the remote server; the remote server receives the request message and detects whether the received request message matches the pre-stored terminal information; if it matches, the remote server returns a response message indicating that the connection was established successfully to the acquisition terminal, the connection is established and industrial data is allowed to be transmitted; if not, the remote server returns a response message indicating that connection establishment failed; after the connection is established, the remote server detects, according to a preset time, whether the acquisition terminal is in a keep-alive state, and if so keeps the connection with the acquisition terminal; if not, the remote server disconnects from the acquisition terminal. The method aims to improve the security of industrial data transmission.

Description

Safe transmission method of industrial data
Technical Field
The invention relates to the field of data transmission, in particular to a safe transmission method of industrial data.
Background
In recent years, with the rapid development of emerging technologies such as 5G and the Internet of Things, more and more industrial enterprises have applied these technologies to their industries, for example in energy, transport and home furnishing. Equipment in industrial production is connected to the network and brought into the system, so that production data is integrated and made available as information.
Based on the collected data, an enterprise can analyse and mine deeper layers of information, improving industrial production efficiency and quality and moving towards the goal of industrial intelligence. Informationised data is therefore the basis for achieving intelligence in industry.
Traditional industrial data collection is usually carried out within a local area network. Because data transmission inside a local area network was not regarded as raising security problems, it could be completed with a traditional industrial communication protocol, such as the Modbus protocol that is common in the industry. However, once a terminal needs to access the system from the public network, the conventional protocol is not sufficient to support the whole acquisition process: it supports neither wireless transmission nor more complex scenarios such as terminal identity verification and asynchronous communication.
To support wireless acquisition and transmission of industrial data, many of the approaches taken in the industrial field are relatively simple and generally lack a well-developed design for the security of the data transmission.
Therefore, how to ensure the security and reliability of industrial data on public networks is a technical problem that those skilled in the art need to solve.
Disclosure of Invention
The invention provides a safe transmission method of industrial data, which aims to improve the safety of industrial data transmission in a public network.
The application discloses a secure transmission method for industrial data, comprising the following steps:
preset terminal information is stored at the remote server in advance;
the acquisition terminal sends a request message for connection establishment to the remote server;
the remote server receives the request message and detects whether the received request message matches the terminal information; if it matches, the remote server returns a response message indicating that the connection was established successfully to the acquisition terminal, the connection is established and industrial data is allowed to be transmitted; if not, the remote server returns a response message indicating that connection establishment failed;
after the connection is established, the remote server detects, according to a preset time, whether the acquisition terminal is in a keep-alive state; if so, the remote server keeps the connection with the acquisition terminal; if not, the remote server disconnects from the acquisition terminal.
Optionally, the message structure of the request message includes a length header, a request message code, an encoding indication and a terminal ID; the message structure of the response message includes a length header, a response message code, a request response result value and a response message body;
wherein the length header represents the length of the packet; the request message code represents a connection establishment request; the encoding indication characterises the encoding or encryption method of the current message; the terminal ID is the ID of the acquisition terminal; the response message code represents a connection establishment request response message; the request response result value represents the result of the connection establishment request; and when the connection establishment request succeeds, the response message body carries an encoded session ID, encoded in the same way as the request message, with each acquisition terminal corresponding to exactly one session ID.
Optionally, after the connection is established, the step of the remote server detecting, according to a preset time, whether the acquisition terminal is in the keep-alive state includes:
the remote server detects, according to the preset time, whether any message has been received from the acquisition terminal; if so, it judges that the acquisition terminal is in the keep-alive state, and if not, that it is not;
the acquisition terminal can actively send a keep-alive request message to the remote server, the keep-alive request message being one of the messages that count;
the message structure of the keep-alive request message includes a length header, a keep-alive request message code and a session ID, wherein the length header represents the length of the packet, the keep-alive request message code represents a keep-alive request message, and the session ID field is filled with the session ID obtained when the connection was successfully established.
Optionally, if the request message matches, the remote server returns a connection establishment request response message to the acquisition terminal, and the step of establishing the connection and allowing transmission of the industrial data further includes:
when the remote server sends a service request message to the acquisition terminal, the acquisition terminal replies with a service response message according to the service request message.
Optionally, the message structure of the service request message includes a length header, a service message code, a session ID and a service message body; the message structure of the service response message includes a length header, a service response message code, a session ID, a service response result value and a service response message body;
the length header represents the length of the packet; the service message code represents the service type; the session ID field is filled with the session ID obtained after the connection was successfully established; the service message body is filled with the encoded service request based on the Modbus TCP protocol, encoded in the same way as the connection establishment request message; the service response message code is filled according to the service type; the service response result value represents the result of the service response; and the service response message body is filled with the encoded service response based on the Modbus TCP protocol, encoded in the same way as the connection establishment request message.
Optionally, if the request message matches, the remote server returns a connection establishment request response message to the acquisition terminal, and the step of establishing the connection and allowing transmission of the industrial data further includes:
when the acquisition terminal sends an offline request message to the remote server, the remote server replies with an offline request response message and disconnects from the acquisition terminal;
when the remote server sends an offline request message to the acquisition terminal, the acquisition terminal replies with an offline request response message and the connection between the remote server and the acquisition terminal is disconnected.
Optionally, the message structure of the offline request message includes a length header, an offline request message code, a session ID and an offline reason; the message structure of the offline request response message includes a length header, an offline response message code, a session ID and an offline response result value;
the length header indicates the length of the packet; the offline request message code indicates an offline request message; the session ID field is filled with the session ID obtained after the connection was successfully established; the offline response message code indicates an offline request response message; and the offline response result value indicates the result of the offline response.
Optionally, if the request message matches, the remote server returns a connection establishment request response message to the acquisition terminal, and the step of establishing the connection and allowing transmission of the industrial data further includes:
when the remote server receives an unrecognised message, it replies with an error flow message to the acquisition terminal that sent the unrecognised message; the message structure of the error flow message includes a length header, an error message code and an error code;
wherein the length header represents the length of the packet, the error message code represents an error flow message, and the error code represents the type of error.
Optionally, if the request message matches, the remote server returns a connection establishment request response message to the acquisition terminal, and the step of establishing the connection and allowing transmission of the industrial data further includes:
when the remote server sends a service request message to the acquisition terminal, the acquisition terminal replies with a service response message according to the service request message;
when the acquisition terminal sends an offline request message to the remote server, the remote server replies with an offline request response message and disconnects from the acquisition terminal; when the remote server sends an offline request message to the acquisition terminal, the acquisition terminal replies with an offline request response message and the connection between the remote server and the acquisition terminal is disconnected;
and when the remote server receives an unrecognised message, it replies with an error flow message to the acquisition terminal that sent the unrecognised message.
Optionally, the acquisition terminal acquires the industrial data; the acquisition terminal includes a remote terminal unit and a data transmission unit, and the remote terminal unit is connected to the data transmission unit or to a local server;
the data transmission unit is connected to the remote server through the public network.
In the invention, when the remote server receives the request message it detects whether the received request message matches the pre-stored terminal information, and only when it matches is the acquisition terminal connected to the server, so that the security of industrial data transmission is ensured.
Drawings
The accompanying drawings, which are included to provide a further understanding of the embodiments of the application, are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the principles of the application. It is obvious that the drawings in the following description are only some embodiments of the application, and that for a person skilled in the art, other drawings can be derived from them without inventive effort. In the drawings:
FIG. 1 is a flow chart of a method for secure transmission of industrial data according to an embodiment of the present disclosure;
FIG. 2 is a flow chart of a method of secure transmission according to another embodiment of the present application;
FIG. 3 is a flow chart of a method of secure transmission according to another embodiment of the present application;
FIG. 4 is a flow chart of a method of secure transmission according to another embodiment of the present application;
FIG. 5 is a flow chart of a secure transmission method according to yet another embodiment of the present application;
FIG. 6 is a schematic diagram of a secure transmission method of an embodiment of the present application;
FIG. 7 is another schematic diagram of a secure transmission method according to an embodiment of the present application.
Reference numerals: 10, remote terminal unit; 20, data transmission unit; 30, remote server; 40, acquisition terminal.
Detailed Description
It is to be understood that the terminology, the specific structural and functional details disclosed herein are for the purpose of describing particular embodiments only, and are representative, but that the present application may be embodied in many alternate forms and should not be construed as limited to only the embodiments set forth herein.
In the description of the present application, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating relative importance or as implicitly indicating the number of technical features indicated. Thus, unless otherwise specified, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature; "plurality" means two or more. The terms "comprises" and "comprising," and any variations thereof, are intended to cover a non-exclusive inclusion, such that one or more other features, integers, steps, operations, elements, components, and/or combinations thereof may be present or added.
Further, terms of orientation or positional relationship indicated by "center", "lateral", "upper", "lower", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", and the like, are described based on the orientation or relative positional relationship shown in the drawings, are simply for convenience of description of the present application, and do not indicate that the referred device or element must have a specific orientation, be constructed and operated in a specific orientation, and thus, should not be construed as limiting the present application.
Furthermore, unless expressly stated or limited otherwise, the terms "mounted," "connected," and "connected" are to be construed broadly and may include, for example, fixed connections, removable connections, and integral connections; can be mechanically or electrically connected; either directly or indirectly through intervening media, or through both elements. The specific meaning of the above terms in the present application can be understood by those of ordinary skill in the art as appropriate.
After the rapid development of the industrial Internet of Things, many large industrial enterprises need to collect device data (industrial data) over a public network, and the security problem of data transmission follows. If every device performs security verification according to a fixed principle when accessing and interacting over the public network, the security problem of data transmission can be addressed. The invention aims to solve the security problem of data transmission on the public network by designing a secure transmission method for industrial data.
The invention will be further elucidated with reference to the drawings and alternative embodiments.
FIG. 1 is a flowchart of the secure transmission method of industrial data according to an embodiment of the present application. Referring to FIG. 1, the secure transmission method of the present application includes the steps of:
S11: storing preset terminal information at the remote server in advance;
S12: the acquisition terminal sends a request message for connection establishment to the remote server;
S13: the remote server receives the request message and detects whether the received request message matches the pre-stored terminal information; if it matches, the remote server returns a response message indicating that the connection was established successfully to the acquisition terminal, the connection is established and industrial data is allowed to be transmitted; if not, the remote server returns a response message indicating that connection establishment failed;
S14: after the connection is established, the remote server detects, according to a preset time, whether the acquisition terminal is in the keep-alive state; if so, the remote server keeps the connection with the acquisition terminal; if not, the remote server disconnects from the acquisition terminal.
In the invention, when the remote server receives the request message it detects whether the received request message matches the pre-stored terminal information, and only when it matches is the acquisition terminal connected to the server, so that the security of industrial data transmission is ensured.
The secure transmission method of the present application is based on the TCP/IP protocol. Steps S11 to S13 form the phase in which the connection between the acquisition terminal and the remote server is established, which may also be called the access flow; it is the first link in bringing the acquisition terminal into the remote server system, and also an important link in the security assurance.
Specifically, regarding steps S11 to S13: before the terminal sends data, step S11 must already have been performed, that is, the terminal's preset terminal information must have been stored at the remote server for the subsequent security verification; the acquisition terminal then sends a request message for connection establishment to the remote server. The request message structure includes a length header (2 bytes), a request message code (1 byte), an encoding indication (1 byte) and a terminal ID (variable length). The length header indicates the length of the packet; the maximum length of each packet is set to 64 kbytes. The request message code, filled with 1, indicates a connection establishment request. The encoding indication represents the encoding or encryption method of the current message: 0 (no encryption), 1 (base64 encoding), 2 (zlib compression encoding), 3 (lz4 compression encoding), 16 (AES symmetric encryption) and 32 (RSA asymmetric encryption). The terminal ID represents the ID of the terminal (for example, the IMEI number of a 4G network device is used); the same terminal ID must be configured in advance on the remote server side as the preset terminal information, and the terminal ID serves as the identifier of the terminal's identity: if the acquisition terminal carries an illegal ID, access to the remote server is denied. The terminal ID field is 4 to 11 bytes long.
After receiving the connection establishment request message, the remote server returns a response message to the terminal, whose structure comprises a length header (2 bytes), a response message code (1 byte), a request response result value (1 byte) and a response message body (variable length). The length header indicates the message length. The response message code, filled with 2, represents a connection establishment request response message. The request response result value represents the result of the connection establishment request: 0 represents success and the other values represent failure, namely 1: the terminal is already accessed, 2: no such terminal ID, 3: encoding indication error, and 4: the message content has errors. When the connection establishment request succeeds, the response message body carries the encoded session ID, encoded in the same way as the request message; each terminal ID corresponds to exactly one session ID, and once a message for that terminal ID arrives from a new socket, the remote server initiates an offline process for the old connection.
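The access flow of steps S11 to S13 as an executable exchange, with both the terminal's request and the server's matching and response. This is an added example written for this page, not code from the patent or its inventor. The byte layouts, message codes 1 and 2, the encoding indication values and the request response result values are the ones the description gives; the following are assumptions not fixed by the text: the 2-byte length header is big-endian and counts the whole packet including itself, the encoding indication applies to the terminal ID and session ID fields, the session ID is 1 byte (the size the keep-alive message layout states), and only encoding indications 0 and 1 are implemented. The terminal ID `86725403451` is constructed sample data. Note that, as specified, the access check compares only the terminal ID, and a 1-byte session ID admits at most 256 distinct values; the example reproduces those field sizes rather than hardening them.

```python
import base64
import secrets
import struct

MAX_PACKET = 64 * 1024                        # "the maximum length of each packet ... is set to 64 kbytes"
CODE_CONNECT_REQ, CODE_CONNECT_RESP = 1, 2    # request message code / response message code
ENC_PLAIN, ENC_BASE64 = 0, 1                  # the two encoding indications implemented here
KNOWN_ENCODINGS = {0, 1, 2, 3, 16, 32}        # every value the description lists
# Request response result values from the description.
RES_OK, RES_ALREADY_ACCESSED, RES_NO_TERMINAL_ID, RES_BAD_ENCODING, RES_BAD_CONTENT = 0, 1, 2, 3, 4


def frame(code: int, payload: bytes) -> bytes:
    """Length header (2 bytes; ASSUMED big-endian and to count the whole packet) | code | payload."""
    body = bytes([code]) + payload
    if 2 + len(body) > MAX_PACKET:
        raise ValueError("packet exceeds the 64 KB limit")
    return struct.pack(">H", 2 + len(body)) + body


def unframe(packet: bytes) -> tuple:
    """Check the length header against what was actually received; return (message code, payload)."""
    if len(packet) < 3:
        raise ValueError("packet too short")
    (total,) = struct.unpack(">H", packet[:2])
    if total != len(packet):
        raise ValueError("length header does not match packet size")
    return packet[2], packet[3:]


def encode_field(enc: int, data: bytes) -> bytes:
    """Apply the method named by the encoding indication (ASSUMED to cover terminal ID and session ID)."""
    if enc == ENC_PLAIN:
        return data
    if enc == ENC_BASE64:
        return base64.b64encode(data)
    raise ValueError("encoding indication %d is listed but not implemented in this example" % enc)


def decode_field(enc: int, data: bytes) -> bytes:
    if enc == ENC_PLAIN:
        return data
    if enc == ENC_BASE64:
        return base64.b64decode(data, validate=True)   # binascii.Error is a ValueError subclass
    raise ValueError("encoding indication %d is listed but not implemented in this example" % enc)


def build_connect_request(terminal_id: str, enc: int = ENC_PLAIN) -> bytes:
    """Step S12: length header | code 1 | encoding indication | terminal ID (4-11 bytes before encoding)."""
    tid = terminal_id.encode("ascii")
    if not 4 <= len(tid) <= 11:
        raise ValueError("terminal ID must be 4-11 bytes")
    return frame(CODE_CONNECT_REQ, bytes([enc]) + encode_field(enc, tid))


def parse_connect_response(packet: bytes, enc: int) -> tuple:
    """Terminal side: return (request response result value, session ID or None)."""
    code, payload = unframe(packet)
    if code != CODE_CONNECT_RESP or not payload:
        raise ValueError("not a connection establishment response")
    if payload[0] != RES_OK:
        return payload[0], None
    sid = decode_field(enc, payload[1:])
    if len(sid) != 1:
        raise ValueError("session ID is expected to be 1 byte")
    return RES_OK, sid[0]


class AccessServer:
    """Remote server side: S11 pre-stores terminal IDs, S13 matches every request against them."""

    def __init__(self, preset_terminal_ids):
        self.allowed = set(preset_terminal_ids)   # S11: preset terminal information
        self.sessions = {}                         # terminal ID -> its single session ID

    def handle_connect(self, packet: bytes) -> bytes:
        """Return the connection establishment response packet for one request packet."""
        try:
            code, payload = unframe(packet)
            if code != CODE_CONNECT_REQ or not payload:
                raise ValueError("not a connection establishment request")
            enc = payload[0]
            if enc not in (ENC_PLAIN, ENC_BASE64):     # unlisted, or listed but not implemented here
                return self._respond(RES_BAD_ENCODING, b"")
            tid = decode_field(enc, payload[1:]).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return self._respond(RES_BAD_CONTENT, b"")
        if tid not in self.allowed:                    # illegal ID: access to the remote server is denied
            return self._respond(RES_NO_TERMINAL_ID, b"")
        if tid in self.sessions:                       # "1: the terminal is accessed" (already connected)
            return self._respond(RES_ALREADY_ACCESSED, b"")
        sid = self._new_session_id()
        self.sessions[tid] = sid
        return self._respond(RES_OK, encode_field(enc, bytes([sid])))

    def _new_session_id(self) -> int:
        """1-byte session ID as the text specifies: only 256 values exist, so skip the live ones."""
        free = [s for s in range(256) if s not in self.sessions.values()]
        if not free:
            raise RuntimeError("no free session ID")
        return secrets.choice(free)

    @staticmethod
    def _respond(result: int, body: bytes) -> bytes:
        """Length header | code 2 | request response result value | response message body."""
        return frame(CODE_CONNECT_RESP, bytes([result]) + body)
```

A matching ID returns result 0 with a session ID in the body; an ID not in the pre-stored table returns 2, an unlisted encoding indication returns 3, and a packet whose length header disagrees with the bytes received returns 4. The description also says a new socket for an already-connected terminal ID takes the old connection offline; that replacement policy belongs to the offline procedure and is not modelled here, so a repeat request simply returns 1.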
Step S14 is the keep-alive procedure, in which the acquisition terminal sends keep-alive request messages to the remote server to inform it that the terminal is still active. The keep-alive state is judged by the remote server using a keep-alive time: if within the keep-alive time the remote server receives any message from the acquisition terminal (a keep-alive request message or any other message), it considers the acquisition terminal still to be in the keep-alive state. The keep-alive time is configurable and defaults to 2 minutes: if the server receives any message from the client within 2 minutes, it considers the connection with the client still normal; otherwise the remote server breaks the link directly, so that the connection between the remote server and the acquisition terminal is disconnected.
Accordingly, the acquisition terminal may send one keep-alive request message periodically (for example, at an interval of at most 2 minutes), or it may restart the interval for the next keep-alive request after it has itself replied to a message, since any message counts. The message structure of the keep-alive request message comprises a length header (2 bytes), a keep-alive request message code (1 byte) and a session ID (1 byte); the length header indicates the length of the packet; the keep-alive request message code, which may be filled with 5, represents a keep-alive request message; and the session ID field is filled with the session ID obtained after successful access.
In addition, the remote server can reply to the keep-alive request message with a keep-alive request response message, whose structure includes a length header (2 bytes), a keep-alive request response message code (1 byte), a session ID (1 byte) and a keep-alive request response result value (1 byte). The length header indicates the message length; the keep-alive request response message code, filled with 6, represents a keep-alive request response message; the session ID is the one obtained after successful access; and the keep-alive request response result value is 0 (keep-alive success) or 103 (session ID invalid).
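The keep-alive procedure of step S14 as an executable server-side monitor, with the request and response messages above and the timeout check. This is an added example written for this page, not code from the patent. Message codes 5 and 6, result values 0 and 103, the 2-minute default and the rule that any message counts are from the description; the clock is injected as a plain number of seconds so the timeout can be exercised without waiting, and the length header is assumed big-endian and to count the whole packet.

```python
import struct

CODE_KEEPALIVE_REQ, CODE_KEEPALIVE_RESP = 5, 6      # message codes from the description
KA_OK, KA_BAD_SESSION = 0, 103                       # keep-alive request response result values
DEFAULT_KEEPALIVE_SECONDS = 120                      # "the default is 2 minutes"


def frame(code: int, payload: bytes) -> bytes:
    """2-byte length header (ASSUMED big-endian, counting the whole packet) | code | payload."""
    body = bytes([code]) + payload
    return struct.pack(">H", 2 + len(body)) + body


def unframe(packet: bytes) -> tuple:
    if len(packet) < 3:
        raise ValueError("packet too short")
    (total,) = struct.unpack(">H", packet[:2])
    if total != len(packet):
        raise ValueError("length header does not match packet size")
    return packet[2], packet[3:]


def build_keepalive_request(session_id: int) -> bytes:
    """Terminal side: length header | code 5 | session ID (1 byte)."""
    return frame(CODE_KEEPALIVE_REQ, bytes([session_id]))


def parse_keepalive_response(packet: bytes) -> tuple:
    """Terminal side: return (session ID, keep-alive request response result value)."""
    code, payload = unframe(packet)
    if code != CODE_KEEPALIVE_RESP or len(payload) != 2:
        raise ValueError("not a keep-alive request response")
    return payload[0], payload[1]


class KeepAliveMonitor:
    """Remote server side of S14: any message refreshes a session's timer; a sweep run
    'according to preset time' breaks the link of sessions silent for longer than the timeout."""

    def __init__(self, keepalive_seconds: float = DEFAULT_KEEPALIVE_SECONDS):
        self.timeout = keepalive_seconds
        self.last_seen = {}          # session ID -> time of the last message of any kind
        self.disconnected = []       # session IDs whose link the server has broken

    def register(self, session_id: int, now: float) -> None:
        """Called once the access flow has issued a session ID."""
        self.last_seen[session_id] = now

    def on_message(self, session_id: int, now: float) -> None:
        """Any other message (service response, offline request, ...) counts as keep-alive evidence."""
        if session_id in self.last_seen:
            self.last_seen[session_id] = now

    def on_keepalive(self, packet: bytes, now: float) -> bytes:
        """Handle a keep-alive request: refresh the timer and answer 0, or 103 if the session is not live."""
        code, payload = unframe(packet)
        if code != CODE_KEEPALIVE_REQ or len(payload) != 1:
            raise ValueError("not a keep-alive request")
        sid = payload[0]
        if sid not in self.last_seen:
            return frame(CODE_KEEPALIVE_RESP, bytes([sid, KA_BAD_SESSION]))
        self.last_seen[sid] = now
        return frame(CODE_KEEPALIVE_RESP, bytes([sid, KA_OK]))

    def sweep(self, now: float) -> list:
        """The periodic check: sessions with no message within the keep-alive time are disconnected."""
        expired = [sid for sid, t in self.last_seen.items() if now - t > self.timeout]
        for sid in expired:
            del self.last_seen[sid]
            self.disconnected.append(sid)
        return expired
```

Because the server only sees a session as alive while the gap between messages stays within the keep-alive time, a terminal that sends exactly every 2 minutes is racing the sweep; sending at a comfortable fraction of the configured time leaves room for network delay. After the link has been broken, the next keep-alive request from that session ID is answered with 103 rather than 0.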
Beyond the flow shown in FIG. 1, the secure transmission method of the present application is further developed as follows:
FIG. 2 is a flowchart of a secure transmission method according to another embodiment of the present application. Referring to FIG. 2 together with FIG. 1, if the request message matches, the remote server returns a connection establishment request response message to the acquisition terminal, and the step of establishing the connection and allowing transmission of industrial data further includes:
S15: when the remote server sends a service request message to the acquisition terminal, the acquisition terminal replies with a service response message according to the service request message.
Steps S14 and S15 may be performed in either order as long as both follow S13; at least one of them is performed, and the number of times each is performed is not limited to one.
That is, when the remote server sends a service request message to the acquisition terminal, the terminal can reply with a service response message, and only after this service exchange is completed is the data transmission belonging to the service carried out, which further improves the security of the industrial data.
Specifically, the message structure of the service request message comprises a length header (2 bytes), a service message code (1 byte), a session ID (1 byte) and a service message body (variable length). The length header indicates the length of the packet; the service message code indicates the service type and is filled according to it, for example the message code for acquiring data is 7, indicating a request message for acquiring data; the session ID field is filled with the session ID obtained after the connection was successfully established; and the service message body is filled with the encoded service request based on the Modbus TCP protocol, encoded in the same way as the connection establishment request message.
The message structure of the service response message comprises a length header (2 bytes), a service response message code (1 byte), a session ID (1 byte), a service response result value (1 byte) and a service response message body (variable length). The length header indicates the message length; the service response message code is filled according to the service type, for example the message code of the acquire-data response is 8, indicating a response to the request for acquiring data; the session ID field is filled with the session ID obtained after successful access; the service response result value is 0: success, 1: the session ID has errors, 2: the request message format has errors, or 3: the terminal is busy and the server should try again later; and the service response message body is filled with the encoded service response based on the Modbus TCP protocol, encoded in the same way as the connection establishment request message.
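The service exchange of step S15 carried through with a real Modbus TCP frame as the service message body: the server wraps a read-holding-registers request in a code-7 message, and the terminal answers with a code-8 message whose body is the Modbus response. This is an added example written for this page, not code from the patent. Codes 7 and 8 and the service response result values 0 to 3 are from the description; the Modbus TCP layout (MBAP header of transaction ID, protocol ID 0, length and unit ID, followed by the PDU) is the standard one and not something the page spells out. Assumptions: encoding indication 0 (no encoding) for the body, a big-endian 2-byte length header counting the whole packet, and a 1-byte session ID. The register values are constructed sample data standing in for readings from the remote terminal unit.

```python
import struct

CODE_ACQUIRE_REQ, CODE_ACQUIRE_RESP = 7, 8                        # "message code for acquiring data is 7", response 8
SVC_OK, SVC_BAD_SESSION, SVC_BAD_FORMAT, SVC_BUSY = 0, 1, 2, 3    # service response result values
MB_READ_HOLDING_REGISTERS = 0x03                                  # standard Modbus function code


def frame(code: int, payload: bytes) -> bytes:
    """2-byte length header (ASSUMED big-endian, counting the whole packet) | code | payload."""
    body = bytes([code]) + payload
    return struct.pack(">H", 2 + len(body)) + body


def unframe(packet: bytes) -> tuple:
    if len(packet) < 3:
        raise ValueError("packet too short")
    (total,) = struct.unpack(">H", packet[:2])
    if total != len(packet):
        raise ValueError("length header does not match packet size")
    return packet[2], packet[3:]


def modbus_read_request(tx_id: int, unit: int, start: int, count: int) -> bytes:
    """Modbus TCP ADU: MBAP header (tx id, protocol 0, length, unit id) + read-holding-registers PDU."""
    pdu = struct.pack(">BHH", MB_READ_HOLDING_REGISTERS, start, count)
    return struct.pack(">HHHB", tx_id, 0, len(pdu) + 1, unit) + pdu


def modbus_read_response(tx_id: int, unit: int, values: list) -> bytes:
    data = struct.pack(">%dH" % len(values), *values)
    pdu = bytes([MB_READ_HOLDING_REGISTERS, len(data)]) + data
    return struct.pack(">HHHB", tx_id, 0, len(pdu) + 1, unit) + pdu


def build_service_request(session_id: int, modbus_adu: bytes) -> bytes:
    """Server -> terminal: length header | code 7 | session ID | service message body (Modbus TCP)."""
    return frame(CODE_ACQUIRE_REQ, bytes([session_id]) + modbus_adu)


def parse_service_response(packet: bytes) -> tuple:
    """Server side: return (session ID, service response result value, list of register values)."""
    code, payload = unframe(packet)
    if code != CODE_ACQUIRE_RESP or len(payload) < 2:
        raise ValueError("not a service response")
    sid, result, adu = payload[0], payload[1], payload[2:]
    if result != SVC_OK:
        return sid, result, []
    if len(adu) < 9:
        raise ValueError("malformed Modbus TCP response")
    tx_id, proto, length, unit, func, nbytes = struct.unpack(">HHHBBB", adu[:9])
    if proto != 0 or length != len(adu) - 6 or func != MB_READ_HOLDING_REGISTERS or nbytes != len(adu) - 9:
        raise ValueError("malformed Modbus TCP response")
    return sid, result, list(struct.unpack(">%dH" % (nbytes // 2), adu[9:]))


class AcquisitionTerminal:
    """Terminal side of S15: answers an acquire-data request from its local holding registers."""

    def __init__(self, session_id: int, registers: list, busy: bool = False):
        self.session_id = session_id        # session ID obtained when the connection was established
        self.registers = registers          # constructed sample data standing in for RTU readings
        self.busy = busy

    def handle_service_request(self, packet: bytes) -> bytes:
        try:
            code, payload = unframe(packet)
            if code != CODE_ACQUIRE_REQ or len(payload) < 13:
                raise ValueError("not a well-formed acquire-data request")
            sid, adu = payload[0], payload[1:]
            tx_id, proto, length, unit, func, start, count = struct.unpack(">HHHBBHH", adu[:12])
            if proto != 0 or length != len(adu) - 6:
                raise ValueError("malformed MBAP header")
        except (ValueError, struct.error):
            return self._respond(0, SVC_BAD_FORMAT, b"")      # "2: the request message format has errors"
        if sid != self.session_id:
            return self._respond(sid, SVC_BAD_SESSION, b"")   # "1: the session ID has errors"
        if self.busy:
            return self._respond(sid, SVC_BUSY, b"")          # "3: the terminal is busy"
        if func != MB_READ_HOLDING_REGISTERS or not 1 <= count <= 125 or start + count > len(self.registers):
            return self._respond(sid, SVC_BAD_FORMAT, b"")
        body = modbus_read_response(tx_id, unit, self.registers[start:start + count])
        return self._respond(sid, SVC_OK, body)

    @staticmethod
    def _respond(session_id: int, result: int, body: bytes) -> bytes:
        """Length header | code 8 | session ID | service response result value | service response message body."""
        return frame(CODE_ACQUIRE_RESP, bytes([session_id, result]) + body)
```

The terminal checks the session ID before it looks at the Modbus body, so a request carrying another session's ID is refused with result 1 without touching the registers; a request whose MBAP length does not agree with the bytes received, or whose register range is outside the terminal's table, is refused with result 2.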
Fig. 3 is a flowchart of a secure transmission method according to another embodiment of the present application. Referring to Fig. 3 together with Fig. 1, in this secure transmission method, after the step in which, if the information matches, the remote server returns a connection establishment request response message to the acquisition terminal, the connection is established and transmission of industrial data is allowed, the method further includes:
S16: when the remote server detects that the acquisition terminal has sent an offline request message, the remote server replies with an offline request response message and disconnects the connection between the remote server and the acquisition terminal; when the acquisition terminal detects that the remote server has sent an offline request message, the acquisition terminal replies with an offline request response message and disconnects the connection between the remote server and the acquisition terminal.
Steps S14 and S16 may be performed in either order as long as both come after S13; at least one of S13, S14 and S16 is performed, and each may be performed more than once.
In addition, in this embodiment, when the acquisition terminal sends an offline request message to the remote server, or the remote server sends one to the acquisition terminal, the receiver may be configured to go offline only once a preset time has elapsed after the offline request message was received, rather than immediately, so that data is not damaged by an abrupt disconnection.
The offline flow lets the acquisition terminal and the remote server disconnect actively when needed. For example, after the acquisition terminal has finished acquiring and transmitting its industrial data it can disconnect, freeing remote server resources for connections from other acquisition terminals; or, when the remote server fails, it can actively disconnect from the acquisition terminal and even instruct it to reconnect after a period of time to complete the transmission of the industrial data.
Specifically, both the acquisition terminal and the remote server may initiate the offline flow. The offline request message consists of a length header (2 bytes), an offline request message code (1 byte), a session ID (1 byte) and an offline reason (1 byte). The length header gives the message length; the offline request message code is 3, denoting an offline request message; the session ID is the one obtained after access succeeded; the offline reason is one of 0: normal exit, 100: another device with the same ID has come online, 101: keep-alive failure, 102: server load too high.
The offline request response message consists of a length header (2 bytes), an offline response message code (1 byte), a session ID (1 byte) and an offline response result value (1 byte). The length header gives the message length; the offline response message code is 4, denoting an offline request response message; the session ID is the one obtained after access succeeded; the offline response result value is 0: offline succeeded, or 103: session ID invalid.
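The service message layouts (request code 7, response code 8) and the offline message layouts (request code 3, response code 4) described above, as a small codec. This is an added example and not code from the patent. It assumes a big-endian length header that counts the whole packet including itself (the page gives the field widths but neither the byte order nor what the length covers), and every function name is the author's own. The Modbus TCP ADUs in the demo are a constructed read-holding-registers exchange.

```python
import struct

# Message codes and result values given on the page for the service and
# offline flows (the access and keep-alive codes are defined elsewhere).
MSG_OFFLINE_REQ = 3
MSG_OFFLINE_RESP = 4
MSG_SERVICE_REQ = 7       # "message code for acquiring data is 7"
MSG_SERVICE_RESP = 8      # "message code of the collected data response is 8"

SERVICE_OK, SERVICE_BAD_SESSION, SERVICE_BAD_FORMAT, SERVICE_BUSY = 0, 1, 2, 3
OFFLINE_REASONS = {0: "normal exit", 100: "same ID online elsewhere",
                   101: "keep-alive failure", 102: "server load too high"}
OFFLINE_OK, OFFLINE_BAD_SESSION = 0, 103


def frame(code, session_id, payload=b""):
    """Prepend the 2-byte length header. Assumption: big-endian, and the
    length counts the whole packet, header included."""
    if not (0 <= code <= 0xFF and 0 <= session_id <= 0xFF):
        raise ValueError("message code and session ID are single bytes")
    body = bytes([code, session_id]) + payload
    if 2 + len(body) > 0xFFFF:
        raise ValueError("payload too long for a 2-byte length header")
    return struct.pack(">H", 2 + len(body)) + body


def unframe(packet):
    """Split a packet into (code, session_id, rest); the length header is
    checked against the bytes actually received before anything is trusted."""
    if len(packet) < 4:
        raise ValueError("packet shorter than the minimum header")
    (length,) = struct.unpack(">H", packet[:2])
    if length != len(packet):
        raise ValueError("length header %d but %d bytes received" % (length, len(packet)))
    return packet[2], packet[3], packet[4:]


def modbus_read_holding_registers(txn_id, unit_id, start, count):
    """Modbus TCP ADU (MBAP header + PDU) for function code 3."""
    pdu = struct.pack(">BHH", 3, start, count)
    return struct.pack(">HHHB", txn_id, 0, len(pdu) + 1, unit_id) + pdu


def modbus_registers_from_response(adu):
    """Register values from a function-3 response ADU; malformed ADUs and
    Modbus exception responses are rejected instead of indexed blindly."""
    if len(adu) < 9:
        raise ValueError("ADU too short")
    _txn, proto, length, _unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0 or length != len(adu) - 6:
        raise ValueError("bad MBAP header")
    fc, byte_count = adu[7], adu[8]
    if fc & 0x80:
        raise ValueError("Modbus exception code %d" % byte_count)
    if fc != 3 or byte_count % 2 or byte_count != len(adu) - 9:
        raise ValueError("malformed function-3 response")
    return list(struct.unpack(">%dH" % (byte_count // 2), adu[9:]))


# Service flow: the server asks, the terminal answers with a result byte.
def build_service_request(session_id, adu):
    return frame(MSG_SERVICE_REQ, session_id, adu)

def parse_service_request(packet):
    code, sid, adu = unframe(packet)
    if code != MSG_SERVICE_REQ:
        raise ValueError("not a service request (code %d)" % code)
    return sid, adu

def build_service_response(session_id, result, adu=b""):
    return frame(MSG_SERVICE_RESP, session_id, bytes([result]) + adu)

def parse_service_response(packet):
    code, sid, rest = unframe(packet)
    if code != MSG_SERVICE_RESP or not rest:
        raise ValueError("not a service response")
    return sid, rest[0], rest[1:]


# Offline flow: either side may send the request; reason/result are one byte.
def build_offline_request(session_id, reason):
    if reason not in OFFLINE_REASONS:
        raise ValueError("unknown offline reason %d" % reason)
    return frame(MSG_OFFLINE_REQ, session_id, bytes([reason]))

def parse_offline_request(packet):
    code, sid, rest = unframe(packet)
    if code != MSG_OFFLINE_REQ or len(rest) != 1:
        raise ValueError("not an offline request")
    return sid, rest[0]

def build_offline_response(session_id, result):
    return frame(MSG_OFFLINE_RESP, session_id, bytes([result]))

def parse_offline_response(packet):
    code, sid, rest = unframe(packet)
    if code != MSG_OFFLINE_RESP or len(rest) != 1:
        raise ValueError("not an offline response")
    return sid, rest[0]


if __name__ == "__main__":
    # Constructed exchange: the server asks a terminal (session 0x2A) to read
    # two holding registers, the terminal answers that they hold 10 and 11.
    req = build_service_request(0x2A, modbus_read_holding_registers(1, 1, 0, 2))
    sid, _adu = parse_service_request(req)
    resp = build_service_response(sid, SERVICE_OK, bytes.fromhex("000100000007010304000a000b"))
    sid, result, adu = parse_service_response(resp)
    print(req.hex(), sid, result, modbus_registers_from_response(adu))
    print(build_offline_request(sid, 101).hex())
```

A stream reader built on this reads the 2-byte header first, then exactly that many bytes, and hands anything that fails `unframe` or the Modbus checks to the error flow rather than guessing at it; the length check matters because the Modbus body is variable length and the session ID sits between the header and the body.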
Fig. 4 is a flowchart of a secure transmission method according to another embodiment of the present application. Referring to Fig. 4 together with Fig. 1, in this secure transmission method, after the step in which, if the information matches, the remote server returns a connection establishment request response message to the acquisition terminal, the connection is established and transmission of industrial data is allowed, the method further includes:
S17: when the remote server receives an unrecognised message, the remote server replies with an error flow message to the acquisition terminal that sent it.
Steps S14 and S17 may be performed in either order, as may steps S13 and S17; at least one of S13, S14 and S17 is performed, and each may be performed more than once.
In step S17, when the remote server receives an unrecognised message it records the sender's IP address. Each time such a message arrives, the server can reply with an error flow message to remind the acquisition terminal to back up its terminal information to the remote server first. If unrecognised messages keep arriving from the same IP address, for example three times, the sender may not be a terminal of the same enterprise; the server then rejects connection establishment requests and any further connection from that IP address, so as to avoid virus messages and the like that it might send, which improves security. After the IP address has been rejected, a warning message may be generated to draw an engineer's attention.
Because the remote server replies with an error flow message on receiving an unrecognised message, a new acquisition terminal whose terminal information has not yet been backed up on the remote server can back it up as soon as possible, giving the system better fault tolerance and error correction.
The error flow message consists of a length header, an error message code and an error code; the length header gives the length of the message packet, the error message code denotes an error flow message, and the error code denotes the type of error.
Specifically, the error flow is the prompt the remote server sends back when it receives an unrecognised message. The error flow message consists of a length header (2 bytes), an error message code (1 byte) and an error code (1 byte). The length header gives the message length; the error message code is 255, denoting an error flow message; the error code is 1: session ID error, or 2: unrecognised message.
Designing the message structure with message codes makes it possible to resolve asynchronous problems such as messages arriving out of order, and the remote server can build better fault-tolerance or error-correction schemes around the message code. The message code is not only used in step S17; in steps S12 to S16 it likewise serves to resolve out-of-order and other asynchronous problems and to improve fault tolerance or error correction.
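The server side of the offline and error flows above, as an added example that is not part of the patent: a receive handler that answers offline requests, delays the actual teardown by the preset time described for delayed offline, answers messages it cannot recognise with error flow message 255, and after a configurable number of unrecognised messages from one IP address (three here, as in the text) rejects that address and records a warning for the engineer. The class and method names, the grace period and the strike counter are assumptions; only the message codes, error codes and result values come from the page. The access and keep-alive messages are defined in the earlier part of the description and are outside this snippet, which handles only the codes listed in this section.

```python
import time

MSG_OFFLINE_REQ, MSG_OFFLINE_RESP, MSG_SERVICE_RESP, MSG_ERROR = 3, 4, 8, 255
ERR_BAD_SESSION, ERR_UNKNOWN = 1, 2         # error codes carried by message 255
OFFLINE_OK, OFFLINE_BAD_SESSION = 0, 103
UNKNOWN_LIMIT = 3                            # "for example, 3 times"


class RemoteServer:
    """Receive side of the remote server for the offline and error flows.
    Assumed structure; the page specifies the messages, not this class."""

    def __init__(self, sessions, unknown_limit=UNKNOWN_LIMIT, offline_grace=2.0):
        self.sessions = dict(sessions)       # session_id -> terminal ID (from the access flow)
        self.closing = {}                    # session_id -> deadline set by an offline request
        self.unknown_limit = unknown_limit
        self.offline_grace = offline_grace   # "preset time" before the connection really drops
        self.strikes = {}                    # ip -> unrecognised messages seen so far
        self.blocked = set()                 # ips whose connections are rejected
        self.alerts = []                     # warnings for the engineer

    @staticmethod
    def _error(error_code):
        return bytes([0, 4, MSG_ERROR, error_code])          # 00 04 ff <code>

    @staticmethod
    def _offline_response(session_id, result):
        return bytes([0, 5, MSG_OFFLINE_RESP, session_id, result])

    def _unknown(self, ip):
        """Error flow: reply 255/2, and reject the address once it has sent
        unknown_limit unrecognised messages."""
        self.strikes[ip] = self.strikes.get(ip, 0) + 1
        if self.strikes[ip] >= self.unknown_limit:
            self.blocked.add(ip)
            self.alerts.append("rejecting %s after %d unrecognised messages"
                               % (ip, self.strikes[ip]))
            return None                      # connection rejected, nothing sent back
        return self._error(ERR_UNKNOWN)      # prompts the terminal to back up its information

    def expire(self, now):
        """Drop sessions whose offline grace period has run out."""
        for session_id, deadline in list(self.closing.items()):
            if now >= deadline:
                self.sessions.pop(session_id, None)
                del self.closing[session_id]

    def handle(self, ip, packet, now=None):
        """Return the reply to send for one received packet, or None."""
        now = time.time() if now is None else now
        self.expire(now)
        if ip in self.blocked:
            return None
        # A frame whose length header disagrees with what arrived is unrecognised.
        if len(packet) < 4 or int.from_bytes(packet[:2], "big") != len(packet):
            return self._unknown(ip)
        code, session_id, rest = packet[2], packet[3], packet[4:]
        if code == MSG_OFFLINE_REQ and len(rest) == 1:
            if session_id not in self.sessions:
                return self._offline_response(session_id, OFFLINE_BAD_SESSION)
            # Reply now, but keep accepting the session until the grace time passes.
            self.closing[session_id] = now + self.offline_grace
            return self._offline_response(session_id, OFFLINE_OK)
        if code == MSG_SERVICE_RESP and rest:
            if session_id not in self.sessions:
                return self._error(ERR_BAD_SESSION)
            return None                      # service data accepted; nothing to send back
        return self._unknown(ip)


if __name__ == "__main__":
    # Constructed traffic: one registered session 0x2A, one stray sender.
    srv = RemoteServer({0x2A: "T001"})
    for _ in range(3):
        print(srv.handle("203.0.113.5", bytes.fromhex("00050ab0ff"), now=0.0))
    print(srv.alerts)
    print(srv.handle("203.0.113.6", bytes.fromhex("0005032a00"), now=10.0).hex())
```

Two checks a practitioner would add before relying on this. The session ID is a single byte, so it has only 256 possible values and cannot by itself prove that a message comes from the terminal that established the session; the server should also bind each session to the connection on which the access flow succeeded. And rejection by IP address needs care on 3G/4G/5G links, where many terminals of one enterprise may share one carrier-side NAT address, so blocking that address after three stray messages would also cut off legitimate terminals.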
Fig. 5 is a flowchart of a secure transmission method according to still another embodiment of the present application. As can be seen from Figs. 1 to 4, in this embodiment the secure transmission method comprises five flows: an access flow, a keep-alive flow, an offline flow, a service flow and an error flow. The access, keep-alive, offline and service flows all occur after step S11, while the error flow may occur at any time. The five flows are distinguished by step numbers, but the numbers do not constrain the order of execution: a step is executed whenever its trigger condition is met. The steps below are numbered only for convenience of description. Specifically:
This embodiment differs from the embodiment shown in Fig. 1 in that, after the step in which, if the information matches, the remote server returns a connection establishment request response message to the acquisition terminal, the connection is established and transmission of industrial data is allowed, the method further includes:
S15: when the acquisition terminal detects that the remote server has sent a service request message, the acquisition terminal replies with a service response message according to the service request message;
S16: when the remote server detects that the acquisition terminal has sent an offline request message, the remote server replies with an offline request response message and disconnects the connection between the remote server and the acquisition terminal; when the acquisition terminal detects that the remote server has sent an offline request message, the acquisition terminal replies with an offline request response message and disconnects the connection between the remote server and the acquisition terminal;
and, after the step of storing preset terminal information at the remote server in advance, the method includes:
S17: when the remote server receives an unrecognised message, the remote server replies with an error flow message to the acquisition terminal that sent it.
With these five flows, this embodiment secures the transmission of industrial data, greatly improves the efficiency of enterprise data exchange and thereby helps to raise production efficiency.
After the connection is established, the terminal data acquired in step S15 (the service flow) is based on the Modbus TCP protocol and is carried from the acquisition terminal to the remote server over a wireless network such as 3G/4G/5G. The present application designs a set of upper-layer protocols over such a wireless network and secures industrial data acquisition by means of the session ID, the keep-alive flow and the message body structure (for example, message codes address out-of-order or asynchronous messages, and the encoding field allows various encryption methods to be selected).
Fig. 6 is a schematic diagram of a secure transmission method according to an embodiment of the present application, and Figs. 1 to 5 may be understood together with it: the acquisition terminal 40 and the remote server 30 interact through at least one of steps S12, S13, S14, S15, S16 and S17.
Fig. 7 is another schematic diagram of the secure transmission method according to an embodiment of the present application. Referring to Fig. 7, and as can be seen from Figs. 1 to 6, in one embodiment the acquisition terminal 40 is used to acquire industrial data and comprises a remote terminal unit 10 (RTU) and a data transmission unit 20 (DTU); the remote terminal unit 10 is connected to the data transmission unit 20 or to the local server 30; the acquisition terminal 40 can transmit industrial data to the remote server 30 over Ethernet or via the data transmission unit 20 with its wireless function.
The data transmission unit connects to the remote server over a public network (3G, 4G or 5G, Ethernet, an Internet of Things network or any other public network, without limitation; several networks may be used at the same time, for example Ethernet and 5G together, to ensure the integrity of data transmission).
In this embodiment the secure transmission method may further include a network switching module, placed at the output of the data transmission unit, to switch between the public network and the local server. Only two acquisition terminals 40 are shown in the figure, but in practice their number is not limited.
The technical features of the embodiments described above may be combined arbitrarily; for brevity, not every possible combination is described, but any combination that contains no contradiction should be considered within the scope of this specification.
It should be noted that the numbering of the steps in this disclosure is not intended to limit their order where the order does not affect the implementation of a specific embodiment: a step written earlier may be executed first, later, or even simultaneously with another, and any order in which the disclosure can be implemented belongs to its scope of protection.
For those skilled in the art to which the invention pertains, several simple deductions or substitutions can be made without departing from the spirit of the invention, and all of them shall be considered to belong to the scope of protection of the invention.

Claims (10)

1. A method for secure transmission of industrial data, comprising the steps of:
preset terminal information is stored at a remote server in advance;
the acquisition terminal sends a request message for connection establishment to the remote server;
the remote server receives the request message and detects whether the received request message matches the pre-stored terminal information; if so, the remote server returns a response message indicating that the connection is successfully established to the acquisition terminal, the connection is established and the industrial data is allowed to be transmitted; if not, the remote server returns a response message indicating that the connection establishment has failed;
after the connection is established, the remote server detects whether the acquisition terminal is in a keep-alive state according to preset time, and if so, the remote server keeps the connection with the acquisition terminal; if not, the remote server disconnects the connection with the acquisition terminal.
2. The method for securely transmitting industrial data according to claim 1, wherein the information structure of the request message comprises a length header, a request message code, a coding indication and a terminal ID; the message structure of the response message comprises a length header, a response message code, a request response result value and a response message body;
wherein the length header represents a length of the packet; the request message code represents a connection establishment request; the encoding indication characterizes an encoding or encryption method of the current information; the terminal ID is the ID of the acquisition terminal; the response message code represents a connection establishment request response message; the request response result value represents a result of the connection establishment request; and when the connection establishment request is successful, the response message body carries a coded session ID, the coding mode of the session ID is consistent with that of the request message, and each acquisition terminal only corresponds to one session ID.
3. The method for securely transmitting industrial data according to claim 2, wherein the step of the remote server detecting whether the acquisition terminal is in a keep-alive state according to the preset time after the connection is established comprises:
the remote server detects whether any message from the acquisition terminal is received or not according to preset time, if so, the remote server judges that the remote server is in a keep-alive state, and if not, the remote server judges that the remote server is not in the keep-alive state;
the acquisition terminal can actively send a keep-alive request message to a remote server, wherein the keep-alive request message is one of any messages;
the message structure of the keep-alive request message comprises a length header, a keep-alive request message code and a session ID, wherein the length header represents the length of an information packet; the keep-alive request message code represents a keep-alive request message; and filling the session ID obtained after the connection is successfully established by the session ID.
4. The method for securely transmitting industrial data according to claim 1, wherein, after the step in which, if the information matches, the remote server returns a connection establishment request response message to the acquisition terminal and the connection is established and the industrial data is allowed to be transmitted, the method further comprises the following step:
and when detecting that the remote server sends a service request message to the acquisition terminal, the acquisition terminal replies a service response message according to the service request message.
5. The method for securely transmitting industrial data according to claim 4, wherein the message structure of the service request message comprises a length header, a service message code, a session ID and a service message body; the message structure of the service response message comprises a length header, a service response message code, a session ID, a service response result value and a service response message body;
the length head represents the length of a message packet, the service message code represents the service type, the session ID fills in the session ID after the connection is successfully established, the service message body fills in the encoded service request based on the ModbusTCP protocol, and the encoding mode is consistent with that of the request message; the service response message code is filled according to the service type; the service response result value represents the result of the service response, the service response message body fills in the encoded service response based on the ModbusTCP protocol, and the encoding mode is consistent with the encoding mode in the connection establishment request message.
6. The method for securely transmitting industrial data according to claim 1, wherein, after the step in which, if the information matches, the remote server returns a connection establishment request response message to the acquisition terminal and the connection is established and the industrial data is allowed to be transmitted, the method further comprises the following steps:
when detecting that the acquisition terminal sends an offline request message to the remote server, the remote server replies an offline request response message and disconnects the connection between the remote server and the acquisition terminal;
when the remote server is detected to send an offline request message to the acquisition terminal, the acquisition terminal replies an offline request response message and disconnects the connection between the remote server and the acquisition terminal.
7. The method for securely transmitting industrial data according to claim 6, wherein the message structure of the offline request message comprises a length header, an offline request message code, a session ID and an offline reason; the message structure of the off-line request response message comprises a length header, an off-line response message code, a session ID and an off-line response result value;
wherein the length header represents the length of the message packet; the offline request message code represents an offline request message; the session ID field carries the session ID obtained after the connection is successfully established; the offline response message code represents an offline request response message; the offline response result value represents the result of the offline response.
8. The method for securely transmitting industrial data according to claim 1, wherein the step of storing the preset terminal information at the remote server in advance further comprises the steps of:
when the remote server receives the unrecognized message, the remote server replies an error flow message to the acquisition terminal which sends the unrecognized message;
the message structure of the error flow message comprises a length header, an error message code and an error code;
wherein the length header represents the length of the message packet, the error message code represents the error flow message, and the error code represents the type of error.
9. The method for securely transmitting industrial data according to claim 1, wherein, after the step in which, if the information matches, the remote server returns a connection establishment request response message to the acquisition terminal and the connection is established and the industrial data is allowed to be transmitted, the method further comprises the following steps:
when detecting that the remote server sends a service request message to the acquisition terminal, the acquisition terminal replies a service response message according to the service request message;
when detecting that the acquisition terminal sends an offline request message to the remote server, the remote server replies an offline request response message and disconnects the connection between the remote server and the acquisition terminal; when the remote server is detected to send an offline request message to the acquisition terminal, the acquisition terminal replies an offline request response message and disconnects the connection between the remote server and the acquisition terminal;
the step of storing preset terminal information at a remote server in advance comprises the following steps:
and when the remote server receives the unknown information, the remote server replies an error flow message to the acquisition terminal which sends the unknown information.
10. The method for safely transmitting industrial data according to claim 1, wherein the acquisition terminal is used for acquiring industrial data, the acquisition terminal comprises a remote terminal unit and a data transmission unit, and the remote terminal unit is connected with the data transmission unit or a local server;
the data transmission unit is connected with a remote server through a public network.
CN202110012623.0A 2021-01-06 2021-01-06 Safe transmission method of industrial data Pending CN112866361A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110012623.0A CN112866361A (en) 2021-01-06 2021-01-06 Safe transmission method of industrial data

Publications (1)

Publication Number Publication Date
CN112866361A true CN112866361A (en) 2021-05-28

Family

ID=76004260

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090265471A1 (en) * 2007-07-24 2009-10-22 Huawei Technologies Co., Ltd. Method, system, server and terminal for processing message
CN106656534A (en) * 2015-10-29 2017-05-10 奇点新源国际技术开发(北京)有限公司 Data communication method and system
CN106790283A (en) * 2017-02-24 2017-05-31 广州华睿电子科技有限公司 A kind of Internet of things system framework and data communications method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115361455A (en) * 2022-08-22 2022-11-18 中能融合智慧科技有限公司 Data transmission and storage method and device and computer equipment
CN115361455B (en) * 2022-08-22 2024-01-23 中能融合智慧科技有限公司 Data transmission storage method and device and computer equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210528