Intelligent virtual private network system of industrial Internet of things
Technical Field
The invention relates to an industrial internet platform, in particular to an industrial Internet of things intelligent virtual private network system.
Background
With the advent of the big data age, more and more organizations such as governments and enterprises are becoming aware that data is becoming their most important asset and that data analysis capability is becoming their core competitiveness, and they are beginning to invest heavily in it.
In the course of informatization, systems have been built in different periods and are constrained by the differing funding sources, construction and management practices, and scattered operation and maintenance of the various projects. As a result, a large number of business application systems exist at every link, information resources are scattered, interfaces between business systems are complicated, and information islands exist. There is no unified management mechanism for information resources, and the degree of integration between information construction and business management services is insufficient.
Moreover, a large amount of data is repeatedly acquired and stored, occupying a large amount of information transmission and storage resources while the data utilization rate remains extremely low. According to statistics on the utilization rate of data collected, uploaded and stored by a pipeline company in recent years, the data actually used accounts for only 0.75% of the total, while the collected data occupies a large amount of transmission bandwidth and storage resources.
In existing civil cloud platforms, data are stored and managed by the platform itself, so data security and privacy cannot be guaranteed and the possibility of data leakage exists. Such platforms therefore cannot be used in the industrial field.
The inventor has found that the industrial field lacks a data control platform that can serve various applications within an enterprise, or be used publicly by multiple enterprises, while effectively guaranteeing the data owners' control over their data.
Disclosure of Invention
The invention aims to provide an industrial Internet of things intelligent virtual private network system that can effectively ensure the security of industrial information, avoid repeated acquisition, transmission and processing of that information, save data transmission and storage resources, effectively prevent external applications from directly contacting the industrial data, and provide a uniform and convenient data calling environment for various external applications while guaranteeing the security of the industrial data.
In order to solve the above technical problem, an embodiment of the present invention provides an intelligent virtual private network system for the industrial Internet of things, including:
the management platform has a first network IP address, and each application establishes a communication connection with the management platform through the first network and sends a data request to it;
the management platform is connected with each data source object node through a second network, and the management platform and each data source object node each have a second network IP address; the first network and the second network are independent of each other;
the management platform comprises a data management server, which performs authorization authentication on an application when the management platform receives a data request from it; if the request passes authorization authentication, a second network IP address is allocated to the application, and that address together with the content of the application's data request is sent to the data source node to which the requested data belong; the data source object node is then instructed to establish a second network security connection with the application through the application's second network IP address and to send the requested data to the application.
Compared with the prior art, the data are stored directly in the local data source object nodes and do not need to be uploaded to a data center; the data remain distributed, so a large amount of data transmission and storage resources is saved, and external intrusion and theft of the data become more difficult. Moreover, the data source nodes that store the data are located in the private second network and are completely isolated from the public first network, so data security is further guaranteed at the level of hardware configuration. In addition, in this embodiment only the management platform has a first network IP address, and it does not store any data, so an external hacker cannot obtain any data even by attacking the management platform. The management platform is only responsible for auditing the authority of a data demander; after the demander passes the audit, the demander and the data source node are securely connected and the data source node uploads the data directly to the audited demander. By retaining the data on the node, data transmission is reduced to a minimum, the probability of data leakage is reduced to a minimum, and transmission and storage resources are saved to the greatest extent while security is ensured.
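The request flow just described, as an added example that is not the patent's own code: a management platform reachable only on the first network that stores no data, data source nodes that live only on the second network, and an application request that is authenticated and permission-checked before the platform allocates a second-network address and instructs the node to push the data. The HMAC request tag, the address pool, the node and dataset names and the shared secret are constructed assumptions.

```python
"""Brokered data access across two isolated networks.

Added example, not the patent's own code: a minimal model of a management
platform (reachable on the first network, stores no data), data source nodes
(second network only) and one data request. The HMAC request tag, address
pool, node and dataset names and shared secret are constructed assumptions.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import ipaddress


def request_tag(key: bytes, request: str) -> str:
    # Identity proof the application attaches to its request (assumed scheme).
    return hmac.new(key, request.encode(), hashlib.sha256).hexdigest()


@dataclass
class DataSourceNode:
    node_id: str
    datasets: dict                                # dataset name -> stored data
    pushed: list = field(default_factory=list)    # record of outbound pushes

    def push(self, app_ip, dataset):
        # Unidirectional: the node initiates and sends; the application is
        # given no channel through which it could operate the node.
        self.pushed.append((app_ip, dataset))
        return self.datasets[dataset]


class ManagementPlatform:
    def __init__(self, second_pool, app_keys, authz_files):
        self.pool = ipaddress.ip_network(second_pool).hosts()
        self.app_keys = app_keys      # app_id -> shared secret (identity check)
        self.authz = authz_files      # node_id -> {dataset: {app_ids}} (owner-set)
        self.nodes = {}               # node_id -> DataSourceNode
        self.leases = {}              # app_id -> allocated second-network IP
        self.audit = []

    def register_node(self, node):
        self.nodes[node.node_id] = node

    def handle_request(self, app_id, node_id, dataset, tag):
        request = f"{node_id}/{dataset}"
        key = self.app_keys.get(app_id)
        if key is None or not hmac.compare_digest(request_tag(key, request), tag):
            self.audit.append(("deny", app_id, request, "identity"))
            return None
        if app_id not in self.authz.get(node_id, {}).get(dataset, set()):
            self.audit.append(("deny", app_id, request, "permission"))
            return None
        if app_id not in self.leases:
            self.leases[app_id] = str(next(self.pool))
        app_ip = self.leases[app_id]
        self.audit.append(("grant", app_id, request, app_ip))
        # The platform relays only the instruction; the data never transit it.
        return self.nodes[node_id].push(app_ip, dataset)


def demo():
    key = b"constructed-shared-secret"
    platform = ManagementPlatform("10.200.0.0/24", {"app-A": key},
                                  {"node-1": {"pressure": {"app-A"}}})
    platform.register_node(DataSourceNode(
        "node-1", {"pressure": [101.3, 101.9], "flow": [7.1]}))
    granted = platform.handle_request(
        "app-A", "node-1", "pressure", request_tag(key, "node-1/pressure"))
    no_permission = platform.handle_request(
        "app-A", "node-1", "flow", request_tag(key, "node-1/flow"))
    unknown_app = platform.handle_request("app-B", "node-1", "pressure", "00")
    return granted, no_permission, unknown_app, platform.audit
```

The audit trail shows that a request failing either the identity check or the owner-set permission never reaches the node, and that the granted request is served from the node to the allocated second-network address.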
As a further improvement, the first network is typically a public internet and the second network is typically an industrial internet.
As a further improvement, the second network includes an independent domain name resolution server, and when each data source object node is registered in the management platform, the domain name resolution server allocates the second network IP address to that data source object node. Through an independent domain name resolution mechanism, the second network is guaranteed to be fully independent of the first network both physically and at the mechanism level.
As a further improvement, the authorization authentication performed by the data management server of the management platform on the application at least comprises:
authenticating the identity information of the application; and/or
performing a permission examination on the content of the application's data request.
As a further improvement, the data management server is further configured to store the data authorization files of the data source object nodes, to find, when receiving a data request from an application, the data authorization file corresponding to the data source object node to which the requested data belong, and to perform authorization authentication on the application according to that file. The data authorization file of each data source object node is set on the management platform by the owner of that data source object node. The data management server is only the executing party of the data authorization file: it has no authority to set the file and cannot permit or prohibit data transmission on its own. The possibility of data leakage at the management platform is thereby effectively eliminated, it is ensured that only the owner of a data resource holds transmission control authority over it, and the rights and interests of the data source object node owner are effectively guaranteed.
As a further improvement, the data management server is further configured to, when receiving a data authorization file set by a data source node owner, request the data authorization backup file stored on the data source node corresponding to that data authorization file, compare the received data authorization file with the backup file, and store the data authorization file only if the two are consistent. Therefore, even if the data authorization file is tampered with in transit, the data cannot actually be affected, and the security of the data is effectively guaranteed.
As a further improvement, the data management server is further configured to, when receiving a modified data authorization file from a data source node owner, request a data transmission authorization rule backup file stored in the data source node corresponding to the data authorization file to be modified, compare the received data authorization file with the data transmission authorization rule backup file, and if the received data authorization file is consistent with the data transmission authorization rule backup file, replace the original file with the modified data authorization file.
When an asset owner needs to modify the data authorization file of a data source object node they own, the modified data authorization file must be sent to the industrial data management platform, and at the same time a modified data transmission authorization rule backup file must be stored on the data source object node; the data management server compares the received data authorization file with the data transmission authorization rule backup file on the data source object node, and only if the two are consistent is the original file replaced by the modified data authorization file. Therefore, even if a hacker attacks the industrial data management platform and tampers with the data authorization file, the tampered file cannot be stored: the industrial data management platform compares the tampered authorization rule file with the backup file on the data source object node, detects the discrepancy, and refuses the modification. The security of the data asset owner's data is effectively guaranteed.
As a further improvement, when a data source node owner owns more than one data source node, the data management server is further configured to request from all data source nodes under that owner's name the data transmission authorization rule backup file stored on each node, to compare the data authorization file to be stored or replaced with each received backup file one by one, and to store or replace the data authorization file only if the matching rate is greater than a preset value. This further increases the difficulty for a hacker of tampering with the data transmission rule backup files and strengthens the security of the data asset owner's data.
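The backup-consistency check of the preceding paragraphs, as an added example that is not the patent's own code: the platform stores or replaces an owner's authorization file only after fetching the backup copy held on the owner's data source node(s) over the second network, requiring an identical copy for a single node and a matching rate above a preset value when the owner has several nodes. The canonical JSON digest, the 0.5 threshold, the ownership registry and all sample files are constructed assumptions.

```python
"""Owner-set authorization files checked against node-held backups.

Added example, not the patent's own code. The platform only stores (or
replaces) an authorization file after fetching the backup copy held on the
owner's data source node(s) and finding it consistent; with several nodes the
matching rate must exceed a preset value. The canonical JSON digest, the 0.5
threshold, the registry and the sample files are constructed assumptions.
"""
import hashlib
import json


def canonical_digest(rule_file: dict) -> str:
    # Key order and whitespace must not affect the comparison.
    blob = json.dumps(rule_file, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


class DataManagementServer:
    def __init__(self, registry, fetch_backup, match_threshold=0.5):
        self.registry = registry            # node_id -> owner_id (set at registration)
        self.fetch_backup = fetch_backup    # node_id -> backup file (second network)
        self.match_threshold = match_threshold
        self.stored = {}                    # node_id -> accepted authorization file
        self.log = []

    def _owner_nodes(self, owner):
        return [n for n, o in self.registry.items() if o == owner]

    def store_or_replace(self, owner, node_id, received):
        """Store/replace the authorization file of node_id if the backups agree."""
        nodes = self._owner_nodes(owner)
        if node_id not in nodes:
            self.log.append(("reject", node_id, "node not owned by requester"))
            return False
        digest = canonical_digest(received)
        matches = sum(canonical_digest(self.fetch_backup(n)) == digest for n in nodes)
        rate = matches / len(nodes)
        # Single node: the backup must be identical. Several nodes: the share of
        # agreeing backups must exceed the preset value.
        accepted = matches == 1 if len(nodes) == 1 else rate > self.match_threshold
        if accepted:
            action = "replace" if node_id in self.stored else "store"
            self.stored[node_id] = received
            self.log.append((action, node_id, rate))
        else:
            self.log.append(("reject", node_id, rate))
        return accepted


def demo():
    rules = {"allow": {"pressure": ["app-A"]}, "deny": ["app-X"]}
    tampered = {"allow": {"pressure": ["app-A", "app-X"]}, "deny": []}
    registry = {"node-1": "plant-A", "node-2": "plant-A", "node-3": "plant-A",
                "node-9": "plant-B"}
    # Constructed backups: node-3's copy has been altered, the others are intact.
    backups = {"node-1": rules, "node-2": dict(rules), "node-3": tampered,
               "node-9": {"allow": {}, "deny": []}}
    server = DataManagementServer(registry, backups.__getitem__)
    results = [
        server.store_or_replace("plant-A", "node-1", rules),     # 2 of 3 agree: stored
        server.store_or_replace("plant-A", "node-1", tampered),  # 1 of 3 agree: rejected
        server.store_or_replace("plant-B", "node-9", {"allow": {}, "deny": []}),
        server.store_or_replace("plant-B", "node-1", rules),     # node not owned
    ]
    return results, server.log
```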
As a further improvement, the management platform is further configured to verify the identity of the owner of the data source object node according to the identity information of the owner set during registration of the data source object node, and receive the data authorization file of the owner of the data source object node after passing the identity authentication of the owner of the data source object node.
As a further improvement, the second network security connection between the data source node and the application is a unidirectional virtual private connection from the data source object node to the application. Therefore, even once a connection is established between the external application and the data source object node, the application can only receive from the node the data that have passed authorization and verification and cannot operate the data source object node at all, so the security of the data source object node within the second network is guaranteed.
As a further refinement, the application may come from any of the following devices: personal PCs, mobile terminals, cloud platforms, central servers, etc.
As a further improvement, when the management platform sends the application's second network IP address and the data request content to the data source node to which the requested data belong, it additionally sends data transmission control information; the data transmission control information includes one of the following or any combination thereof: data transmission start time, data transmission duration, data transmission end time, data transmission file type and connection establishment type; the data source object node is instructed to establish the second network security connection with the application within the range indicated by the transmission control information and to send the requested data to the application. By placing security limits on the transmission time and transmission form of the data, the data transmission chain is further protected against being cracked and stolen by lawbreakers.
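Enforcement of the transmission control information on the node side, as an added example that is not the patent's own code: the instruction carries a start time, a duration or end time, a permitted file type and a connection type, and the node refuses to open or continue the unidirectional transfer outside that range, re-checking before every record it sends. Field names, the type tokens and the constructed clock and records are assumptions.

```python
"""Transmission control information enforced by a data source node.

Added example, not the patent's own code: the platform's instruction carries a
start time, a duration or end time, a permitted file type and a connection
type, and the node refuses to open or continue the unidirectional transfer
outside that range. Field names, type tokens, clock and records are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class TransmissionControl:
    start: datetime
    duration: Optional[timedelta] = None
    end: Optional[datetime] = None
    file_type: Optional[str] = None          # e.g. "csv"
    connection_type: Optional[str] = None    # e.g. "unidirectional-vpn"

    def effective_end(self) -> Optional[datetime]:
        # Either end bound may be given; when both are, the earlier one applies.
        bounds = [b for b in (self.end,
                              self.start + self.duration if self.duration else None)
                  if b is not None]
        return min(bounds) if bounds else None


def check_transfer(ctrl, now, file_type, connection_type):
    """Return (allowed, reason) for one transfer step attempted at time now."""
    if now < ctrl.start:
        return False, "before window"
    end = ctrl.effective_end()
    if end is not None and now >= end:
        return False, "after window"
    if ctrl.file_type and file_type != ctrl.file_type:
        return False, "file type not permitted"
    if ctrl.connection_type and connection_type != ctrl.connection_type:
        return False, "connection type not permitted"
    return True, "ok"


def stream_within_window(ctrl, records, clock, file_type, connection_type):
    """Send records one by one, re-checking the control range before each."""
    sent = []
    for rec in records:
        ok, reason = check_transfer(ctrl, clock(), file_type, connection_type)
        if not ok:
            return sent, reason           # stop the transfer and report why
        sent.append(rec)
    return sent, "complete"


def demo():
    start = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    ctrl = TransmissionControl(start, duration=timedelta(minutes=30),
                               file_type="csv", connection_type="unidirectional-vpn")
    # Constructed clock: each check happens 10 minutes after the previous one.
    ticks = iter(start + timedelta(minutes=10 * i) for i in range(10))
    clock = lambda: next(ticks)
    records = [f"sensor-{i},{101.0 + i / 10:.1f}" for i in range(5)]
    partial = stream_within_window(ctrl, records, clock, "csv", "unidirectional-vpn")
    wrong_type = check_transfer(ctrl, start, "bin", "unidirectional-vpn")
    early = check_transfer(ctrl, start - timedelta(seconds=1), "csv", "unidirectional-vpn")
    return partial, wrong_type, early
```

With a 30-minute window and checks every 10 minutes, only three of the five records leave the node before the transfer is cut off at the end time.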
As a further improvement, the data source object node at least includes a data acquisition and storage function and is used to acquire and store various industrial data of the industrial control equipment, where the industrial data at least include one of the following:
industrial data generated during operation of the industrial control equipment, detection data obtained by monitoring the industrial control equipment, and the like.
Drawings
Fig. 1 is a block diagram of an industrial internet of things intelligent virtual private network system according to a preferred embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention are described in detail below with reference to the accompanying drawings. Those of ordinary skill in the art will appreciate that numerous technical details are set forth in order to provide a better understanding of the present application in its various embodiments. However, the technical solutions claimed in the claims of the present application can be implemented without these technical details and with various changes and modifications based on the following embodiments.
A preferred embodiment of the present invention relates to an industrial Internet of things intelligent virtual private network system, as shown in fig. 1, including:
the management platform has a first network IP address, and each application establishes a communication connection with the management platform through the first network and sends a data request to it;
the management platform is connected with each data source object node through a second network, and the management platform and each data source object node each have a second network IP address; the first network and the second network are independent of each other;
the management platform comprises a data management server, which performs authorization authentication on an application when the management platform receives a data request from it; if the request passes authorization authentication, a second network IP address is allocated to the application, and that address together with the content of the application's data request is sent to the data source node to which the requested data belong; the data source object node is then instructed to establish a second network security connection with the application through the application's second network IP address and to send the requested data to the application.
Compared with the prior art, the data are stored directly in the local data source object nodes and do not need to be uploaded to a data center; the data remain distributed, so a large amount of data transmission and storage resources is saved, and external intrusion and theft of the data become more difficult. Moreover, the data source nodes that store the data are located in the private second network and are completely isolated from the public first network, so data security is further guaranteed at the level of hardware configuration. In addition, in this embodiment only the management platform has a first network IP address, and it does not store any data, so an external hacker cannot obtain any data even by attacking the management platform. The management platform is only responsible for auditing the authority of the data demander; after the demander passes the audit, the demander and the data source object node are securely connected and the data source object node uploads the data directly to the audited demander, so that transmission and storage resources are saved to the greatest extent while security is ensured.
As a further improvement, the first network is typically a public internet and the second network is typically an industrial internet.
As a further improvement, the second network includes an independent domain name resolution server, and when each data source object node is registered in the management platform, the domain name resolution server allocates the second network IP address to that data source object node. Through an independent domain name resolution mechanism, the second network is guaranteed to be fully independent of the first network both physically and at the mechanism level.
As a further improvement, the authorization authentication performed by the data management server of the management platform on the application at least comprises:
authenticating the identity information of the application; and/or
performing a permission examination on the content of the application's data request.
As a further improvement, the data management server is further configured to store the data authorization files of the data source object nodes, to find, when receiving a data request from an application, the data authorization file corresponding to the data source object node to which the requested data belong, and to perform authorization authentication on the application according to that file. The data management server is only the executing party of the data authorization file: it has no authority to set the file and cannot permit or prohibit data transmission on its own, so the possibility of data leakage at the management platform is effectively eliminated and the rights and interests of the owner of the data source object node are effectively guaranteed.
As a further improvement, the data authorization file of each data source object node is set on the management platform by the owner of that data source object node, thereby ensuring that only the owner of a data resource, and no one else, holds transmission control authority over it.
As a further improvement, the data management server is further configured to, when receiving a data authorization file set by a data source node owner, request the data authorization backup file stored on the data source node corresponding to that data authorization file, compare the received data authorization file with the backup file, and store the data authorization file only if the two are consistent. Therefore, even if the data authorization file is tampered with in transit, the data cannot actually be affected, and the security of the data is effectively guaranteed.
As a further improvement, the data management server is further configured to, when receiving a modified data authorization file from a data source node owner, request a data transmission authorization rule backup file stored in the data source node corresponding to the data authorization file to be modified, compare the received data authorization file with the data transmission authorization rule backup file, and if the received data authorization file is consistent with the data transmission authorization rule backup file, replace the original file with the modified data authorization file.
When an asset owner needs to modify the data authorization file of a data source object node they own, the modified data authorization file must be sent to the industrial data management platform, and at the same time a modified data transmission authorization rule backup file must be stored on the data source object node; the data management server compares the received data authorization file with the data transmission authorization rule backup file on the data source object node, and only if the two are consistent is the original file replaced by the modified data authorization file. Therefore, even if a hacker attacks the industrial data management platform and tampers with the data authorization file, the tampered file cannot be stored: the industrial data management platform compares the tampered authorization rule file with the backup file on the data source object node, detects the discrepancy, and refuses the modification. The security of the data asset owner's data is effectively guaranteed.
As a further improvement, when a data source node owner owns more than one data source node, the data management server is further configured to request from all data source nodes under that owner's name the data transmission authorization rule backup file stored on each node, to compare the data authorization file to be stored or replaced with each received backup file one by one, and to store or replace the data authorization file only if the matching rate is greater than a preset value. This further increases the difficulty for a hacker of tampering with the data transmission rule backup files and strengthens the security of the data asset owner's data.
As a further improvement, the management platform is further configured to verify the identity of the owner of the data source object node according to the owner identity information set when the data source object node was registered, to receive the owner's data authorization file only after the owner has passed this identity authentication, and then to store it or replace the original file with it.
As a further improvement, the second network security connection between the data source node and the application is a unidirectional virtual private connection from the data source object node to the application. Therefore, even once a connection is established between the external application and the data source object node, the application can only receive from the node the data that have passed authorization and verification and cannot operate the data source object node at all, so the security of the data source object node within the second network is guaranteed.
As a further refinement, the application may come from any of the following devices: personal PCs, mobile terminals, cloud platforms, central servers, etc.
As a further improvement, when the management platform sends the application's second network IP address and the data request content to the data source node to which the requested data belong, it additionally sends data transmission control information; the data transmission control information includes one of the following or any combination thereof: data transmission start time, data transmission duration, data transmission end time, data transmission file type and connection establishment type; the data source object node is instructed to establish the second network security connection with the application within the range indicated by the transmission control information and to send the requested data to the application. By placing security limits on the transmission time and transmission form of the data, the data transmission chain is further protected against being cracked and stolen by lawbreakers.
As a further improvement, the data source object node at least includes a data acquisition and storage function and is used to acquire and store various industrial data of the industrial control equipment, where the industrial data at least include one of the following:
industrial data generated during operation of the industrial control equipment, detection data obtained by monitoring the industrial control equipment, and the like.
It will be understood by those of ordinary skill in the art that the foregoing embodiments are specific examples for carrying out the invention, and that various changes in form and details may be made therein without departing from the spirit and scope of the invention in practice.