
CN114629803A - Zero-trust data monitoring architecture and method based on security key - Google Patents


Info

Publication number
CN114629803A
Authority
CN
China
Prior art keywords
module
data
signal line
monitoring
application
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210156689.1A
Other languages
Chinese (zh)
Inventor
程颖
吴胜初
林圳鑫
吴毓峰
朱德培
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xiamen Wangwei Co ltd
Original Assignee
Xiamen Wangwei Co ltd
Application filed by Xiamen Wangwei Co ltd
Priority to CN202210156689.1A
Publication of CN114629803A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a zero-trust data monitoring architecture and method based on a security key, comprising a system front end, a data acquisition module, a verification application module, a data encapsulation module, a transmission module, a system back end, a service agent end, a data receiving module, a system application, an application monitoring module, a topology management module, an alarm management module, a performance management module, a running state management module, a user end and a database. The method comprises: step one, collecting information; step two, identity verification; step three, data transmission; step four, data storage; step five, data application; step six, terminal presentation. Compared with existing network management systems, the invention verifies the identity of the accessing device through digital signatures, achieves zero trust in transmission through data encapsulation and verification, and encrypts stored data with the national cryptographic (SM-series) algorithms, thereby meeting the special requirements of data security and ensuring the confidentiality of the data in the face of intranet penetration attacks.

Figure 202210156689

Description

A zero-trust data monitoring architecture and method based on a security key

Technical field

The invention relates to the technical field of network management, and in particular to a zero-trust data monitoring architecture and method based on a security key.

Background

With the spread of 5G business scenarios, the Internet of Everything has brought great convenience, and network management applications for IoT and Internet devices have entered a stage of market competition. Data security is very important for every system, but most existing network management systems cannot protect the data they transmit, and they store data in plaintext. With the rise of the Internet of Things, network management systems will carry the management information of a large number of facilities, and in the face of intranet penetration attacks they cannot guarantee the confidentiality of that data.

Summary of the invention

The purpose of the present invention is to provide a zero-trust data monitoring architecture and method based on a security key, so as to solve the problems raised in the background art above.

To achieve the above purpose, the present invention provides the following technical solution: a zero-trust data monitoring architecture based on a security key, comprising a system front end, a transmission module, a system back end and a database. The system front end is connected to the transmission module through a signal line. The system front end comprises a data acquisition module, a verification application module and a data encapsulation module, and the transmission module is connected through signal lines to the data acquisition module, the verification application module and the data encapsulation module.

Preferably, the transmission module is connected to the system back end through a signal line. The system back end comprises a service agent end, a system application and a user end; the service agent end comprises a data receiving module, a verification module and a data decapsulation module, and the transmission module is connected through signal lines to the data receiving module, the verification module and the data decapsulation module.

Preferably, the data decapsulation module is connected to the database through a signal line, and the database is connected to the system application through a signal line.

Preferably, the system application comprises an application monitoring module, a topology management module, an alarm management module, a performance management module and a running state management module, each of which is connected to the database through a signal line.

Preferably, the system application is connected to the user end through a signal line. The user end comprises a chart display module, a monitoring data analysis module, an alarm publishing module and a data configuration module, and the system application is connected through signal lines to the chart display module, the monitoring data analysis module and the alarm publishing module.

A monitoring method for the zero-trust data monitoring architecture based on a security key comprises: step one, collecting information; step two, identity verification; step three, data transmission; step four, data storage; step five, data application; step six, terminal presentation.

In step one, a client node is deployed at the system front end, and the client node collects the monitoring data of the device through the data acquisition module 11.

In step two, the verification application module sends an identity verification request, which is transmitted through the transmission module to the verification module; digital signature technology is used to confirm whether the identity of the accessing end is trustworthy.

In step three, the data encapsulation module adds a new security field to the TCP packet header carrying the monitoring data; the packet is transmitted through the transmission module to the data decapsulation module, which decapsulates it and checks whether the security field of the TCP packet matches the predefined setting. If it matches, the data receiving module accepts the data; if not, the data is discarded.

In step four, after the data has been accepted, it is encrypted with the national cryptographic (SM-series) algorithms and the monitoring data is stored in the database.

In step five, the monitoring data in the database is decrypted and forms the basis of the system application, which reflects the specific condition of the devices.

In step six, the user end finally extracts the specific data from the system application and presents it to the user in a detailed and intuitive manner.

Preferably, in step one, the transmission module can support various kinds of network connection, such as the Internet of Things, the Internet of Things and wireless networks.

Compared with the prior art, the beneficial effects of the present invention are as follows: compared with existing network management systems, the present invention verifies the identity of the accessing device through digital signatures, achieves zero trust in transmission through data encapsulation and verification, and encrypts stored data with the national cryptographic (SM-series) algorithms, thereby meeting the special requirements of data security and ensuring the confidentiality of the data in the face of intranet penetration attacks.

Description of the drawings

Fig. 1 is the system module block diagram of the present invention;

Fig. 2 is the system flow chart of the present invention;

Fig. 3 is the method flow chart of the present invention;

Fig. 4 is the device connection diagram of the present invention;

In the figures: 1, system front end; 11, data acquisition module; 12, verification application module; 13, data encapsulation module; 2, transmission module; 3, system back end; 4, service agent end; 41, data receiving module; 42, verification module; 43, data decapsulation module; 5, system application; 51, application monitoring module; 52, topology management module; 53, alarm management module; 54, performance management module; 55, running state management module; 6, user end; 61, chart display module; 62, monitoring data analysis module; 63, alarm publishing module; 64, data configuration module; 7, database.

Detailed description

The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

Referring to Fig. 1, an embodiment provided by the present invention is a zero-trust data monitoring architecture based on a security key, comprising a system front end 1, a transmission module 2, a system back end 3 and a database 7. The system front end 1 is connected to the transmission module 2 through a signal line. The system front end 1 comprises a data acquisition module 11, a verification application module 12 and a data encapsulation module 13, and the transmission module 2 is connected through signal lines to the data acquisition module 11, the verification application module 12 and the data encapsulation module 13.

The transmission module 2 is connected to the system back end 3 through a signal line. The system back end 3 comprises a service agent end 4, a system application 5 and a user end 6. The service agent end 4 comprises a data receiving module 41, a verification module 42 and a data decapsulation module 43, each connected to the transmission module 2 through a signal line. The data receiving module 41 receives the monitoring data, the verification module 42 verifies identity, and the data decapsulation module 43 decapsulates and verifies the data packets.

The data decapsulation module 43 is connected to the database 7 through a signal line, and the database 7 is connected to the system application 5 through a signal line; the database 7 stores the data and the system application 5 handles its specific use.

The system application 5 comprises an application monitoring module 51, a topology management module 52, an alarm management module 53, a performance management module 54 and a running state management module 55, each connected to the database 7 through a signal line. The application monitoring module 51 monitors applications in real time, the topology management module 52 adjusts node functions, the alarm management module 53 issues abnormality warnings, the performance management module 54 adjusts overall performance, and the running state management module 55 manages system operation.

The system application 5 is connected to the user end 6 through a signal line. The user end 6 comprises a chart display module 61, a monitoring data analysis module 62, an alarm publishing module 63 and a data configuration module 64, and the system application 5 is connected through signal lines to the chart display module 61, the monitoring data analysis module 62 and the alarm publishing module 63. The chart display module 61 displays the monitoring data visually, the monitoring data analysis module 62 performs specific analysis of the data, the alarm publishing module 63 publishes abnormality warnings, and the data configuration module 64 allocates data.

Referring to Figs. 2 to 4, an embodiment provided by the present invention is a monitoring method for the zero-trust data monitoring architecture based on a security key, comprising: step one, collecting information; step two, identity verification; step three, data transmission; step four, data storage; step five, data application; step six, terminal presentation.

In step one, a client node is deployed at the system front end 1, and the client node collects the monitoring data of the device through the data acquisition module 11; the transmission module 2 can support various kinds of network connection, such as the Internet of Things, the Internet of Things and wireless networks.

In step two, the verification application module 12 sends an identity verification request, which is transmitted through the transmission module 2 to the verification module 42; digital signature technology is used to confirm whether the identity of the accessing end is trustworthy.

In step three, the data encapsulation module 13 adds a new security field to the TCP packet header carrying the monitoring data; the packet is transmitted through the transmission module 2 to the data decapsulation module 43, which decapsulates it and checks whether the security field of the TCP packet matches the predefined setting. If it matches, the data receiving module 41 accepts the data; if not, the data is discarded.

In step four, after the data has been accepted, it is encrypted with the national cryptographic (SM-series) algorithms and the monitoring data is stored in the database 7.

In step five, the monitoring data in the database 7 is decrypted and forms the basis of the system application 5, which reflects the specific condition of the devices.

In step six, the user end 6 finally extracts the specific data from the system application 5 and presents it to the user in a detailed and intuitive manner.
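The six steps describe a pipeline but name no concrete mechanisms: "digital signature technology" for step two, "a new security field in the TCP packet header" checked against "the predefined setting" for step three, and "the national cryptographic algorithms" for step four. The Go program below is an added example, not code from the patent or its assignee, showing what those three steps look like as working code together with the discard-on-mismatch behaviour of step three. Its assumptions, none of which come from the patent: ECDSA P-256 over a challenge stands in for the unspecified signature scheme; the security field is an HMAC-SHA256 tag over the payload under a pre-shared session key, carried as a prefix of the application payload rather than inside the TCP header, which the example does not touch; AES-256-GCM stands in for the SM-series cipher at rest; and the keys and the monitoring record are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrSecurityField: the field did not match, so the receiver discards the frame.
var ErrSecurityField = errors.New("security field mismatch: frame discarded")

// Assumed field layout: HMAC-SHA256 tag(32) | payload; the pre-shared session
// key plays the role of the patent's "predefined setting".
const fieldLen = sha256.Size

// Step two: identity by digital signature. ECDSA P-256 is an assumed stand-in for
// the unspecified scheme; the verifier trusts only keys enrolled beforehand.
func NewNodeKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignChallenge: the front-end node answers a fresh challenge from the verifier.
func SignChallenge(nodeKey *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, nodeKey, digest[:])
}

// VerifyIdentity is the verification module's check against the enrolled key.
func VerifyIdentity(enrolled *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(enrolled, digest[:], sig)
}

func securityField(sessionKey, payload []byte) []byte {
	mac := hmac.New(sha256.New, sessionKey)
	mac.Write(payload)
	return mac.Sum(nil)
}

// Step three: Encapsulate prepends the security field to the monitoring data.
func Encapsulate(sessionKey, payload []byte) []byte {
	return append(securityField(sessionKey, payload), payload...)
}

// Decapsulate hands the payload on only if the field matches; a wrong key, an
// altered byte or a truncated frame is discarded instead of being parsed.
func Decapsulate(sessionKey, frame []byte) ([]byte, error) {
	if len(frame) < fieldLen {
		return nil, ErrSecurityField
	}
	payload := frame[fieldLen:]
	if !hmac.Equal(frame[:fieldLen], securityField(sessionKey, payload)) {
		return nil, ErrSecurityField // hmac.Equal compares in constant time
	}
	return payload, nil
}

// Steps four and five: seal before storage, open for the system application.
// AES-256-GCM is an assumed stand-in for the SM-series cipher the patent names.
func storageAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func EncryptRecord(key, plaintext []byte) ([]byte, error) {
	gcm, err := storageAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

func DecryptRecord(key, record []byte) ([]byte, error) {
	gcm, err := storageAEAD(key)
	if err != nil || len(record) < gcm.NonceSize() {
		return nil, errors.New("bad storage key or truncated record")
	}
	return gcm.Open(nil, record[:gcm.NonceSize()], record[gcm.NonceSize():], nil)
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 32) // constructed demo session key
	frame := Encapsulate(key, []byte("cpu=0.42;mem=0.71"))
	frame[len(frame)-1] ^= 1 // one payload byte altered in transit
	_, err := Decapsulate(key, frame)
	fmt.Println("tampered frame discarded:", errors.Is(err, ErrSecurityField))
}
```

The point to notice on the receiving side is that `Decapsulate` returns `ErrSecurityField` before any byte of the payload is interpreted, and `DecryptRecord` likewise fails under a wrong key or a truncated record, so a database copy obtained by an intruder on the internal network yields nothing without the storage key. The hard-coded keys exist only for the demonstration; in a deployment they would come from the enrolment and key-management process the patent leaves unspecified.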

Based on the above, the advantage of the present invention is that, when data is transmitted and stored, a client node is first deployed in the system front end 1 and collects the monitoring data of the device through the data acquisition module 11, while the verification application module 12 is authenticated by the verification module 42 using digital signature technology. The data encapsulation module 13 then adds a security field to the TCP packet header, and the packet is transmitted through the transmission module 2 to the data decapsulation module 43 for decapsulation, which checks whether the security field of the TCP packet matches the predefined setting; if so, the data receiving module 41 in the service agent end 4 accepts the data, and if not, the data is discarded. After the data has been accepted, it is encrypted with the national cryptographic (SM-series) algorithms and the monitoring data is stored in the database 7. After decryption, the monitoring data in the database 7 is applied to the modules of the system application 5, such as the application monitoring module 51, the topology management module 52, the alarm management module 53, the performance management module 54 and the running state management module 55. Finally, the user end 6 can display the specific device data through the chart display module 61, the monitoring data analysis module 62 and the data configuration module 64; the system back end 3 handles the processing and application of the information, and the alarm publishing module 63 publishes abnormality warnings.

It will be apparent to those skilled in the art that the present invention is not limited to the details of the above exemplary embodiments, and that the present invention can be realized in other specific forms without departing from the spirit or essential characteristics of the invention. Therefore, the embodiments are to be regarded in all respects as illustrative and not restrictive, and the scope of the invention is defined by the appended claims rather than by the foregoing description; all changes that fall within the meaning and range of equivalents of the claims are therefore intended to be embraced by the present invention. Any reference signs in the claims shall not be construed as limiting the claims concerned.

Claims (7)

1. A zero-trust data monitoring architecture based on a security key, comprising a system front end (1), characterized in that: the system front end (1) is connected to a transmission module (2) through a signal line; the system front end (1) comprises a data acquisition module (11), a verification application module (12) and a data encapsulation module (13); and the transmission module (2) is connected through signal lines to the data acquisition module (11), the verification application module (12) and the data encapsulation module (13).

2. The zero-trust data monitoring architecture based on a security key according to claim 1, characterized in that: the transmission module (2) is connected to a system back end (3) through a signal line; the system back end (3) comprises a service agent end (4), a system application (5) and a user end (6); the service agent end (4) comprises a data receiving module (41), a verification module (42) and a data decapsulation module (43); and the transmission module (2) is connected through signal lines to the data receiving module (41), the verification module (42) and the data decapsulation module (43).

3. The zero-trust data monitoring architecture based on a security key according to claim 2, characterized in that: the data decapsulation module (43) is connected to a database (7) through a signal line, and the database (7) is connected to the system application (5) through a signal line.

4. The zero-trust data monitoring architecture based on a security key according to claim 3, characterized in that: the system application (5) comprises an application monitoring module (51), a topology management module (52), an alarm management module (53), a performance management module (54) and a running state management module (55), each of which is connected to the database (7) through a signal line.

5. The zero-trust data monitoring architecture based on a security key according to claim 4, characterized in that: the system application (5) is connected to the user end (6) through a signal line; the user end (6) comprises a chart display module (61), a monitoring data analysis module (62), an alarm publishing module (63) and a data configuration module (64); and the system application (5) is connected through signal lines to the chart display module (61), the monitoring data analysis module (62) and the alarm publishing module (63).

6. A monitoring method for the zero-trust data monitoring architecture based on a security key, comprising: step one, collecting information; step two, identity verification; step three, data transmission; step four, data storage; step five, data application; step six, terminal presentation; characterized in that:

in step one, a client node is deployed at the system front end (1), and the client node collects the monitoring data of the device through the data acquisition module 11;

in step two, the verification application module (12) sends an identity verification request, which is transmitted through the transmission module (2) to the verification module (42), and digital signature technology is used to confirm whether the identity of the accessing end is trustworthy;

in step three, the data encapsulation module (13) adds a new security field to the TCP packet header carrying the monitoring data, the packet is transmitted through the transmission module (2) to the data decapsulation module (43) for decapsulation, and whether the security field of the TCP packet matches the predefined setting is checked; if it matches, the data receiving module (41) accepts the data, and if not, the data is discarded;

in step four, after the data has been accepted, it is encrypted with the national cryptographic (SM-series) algorithms and the monitoring data is stored in the database (7);

in step five, the monitoring data in the database (7) is decrypted and forms the basis of the system application (5), which reflects the specific condition of the devices;

in step six, the user end (6) finally extracts the specific data from the system application (5) and presents it to the user in a detailed and intuitive manner.

7. The monitoring method for the zero-trust data monitoring architecture based on a security key according to claim 8, characterized in that: in step one, the transmission module (2) can support various kinds of network connection, such as the Internet of Things, the Internet of Things and wireless networks.
CN202210156689.1A 2022-02-21 2022-02-21 Zero-trust data monitoring architecture and method based on security key Pending CN114629803A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210156689.1A CN114629803A (en) 2022-02-21 2022-02-21 Zero-trust data monitoring architecture and method based on security key


Publications (1)

Publication Number Publication Date
CN114629803A true CN114629803A (en) 2022-06-14

Family

ID=81899712


Country Status (1)

Country Link
CN (1) CN114629803A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070278285A1 (en) * 2004-02-19 2007-12-06 Cypak Ab Secure Data Management Device and Method
US20140281523A1 (en) * 2013-03-13 2014-09-18 Vector Vex Inc. System and method of secure remote authentication of acquired data
CN106205090A (en) * 2016-07-22 2016-12-07 汤亮 A kind of electric power network real-time monitoring system and control method thereof
CN109005189A (en) * 2018-08-27 2018-12-14 广东电网有限责任公司信息中心 A kind of access transmission platform suitable for double net isolation
CN112102516A (en) * 2020-09-22 2020-12-18 国网山东省电力公司电力科学研究院 Intelligent robot inspection system for transformer substation and access operation method thereof
CN112995612A (en) * 2021-05-06 2021-06-18 信联科技(南京)有限公司 Safe access method and system for power video monitoring terminal



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220614