CN-121984923-A - Heterogeneous service data isolation and secure exchange method and system across security domains
Abstract
A heterogeneous service data isolation and secure exchange method and system across security domains relates to the field of multiplexing communication. In the method, data transmission is realized through a sending end host, a receiving end host and a physical isolation device. The sending end divides the data into high and low priority according to service characteristics, interrupts the low-priority data being transmitted when high-priority data needs to be transmitted, and records the interrupt position and service identification using specific header information (a suspension header, a priority header and a recovery header). The receiving end forwards the high-priority data directly according to the header information and, at the same time, recombines and recovers the interrupted low-priority data. The method and system are used to reduce the queuing waiting time of key signaling and to improve the real-time performance and transmission efficiency of cross-domain interaction of high-priority services on the premise of guaranteeing physical isolation security.
Inventors
- KE ZHIWEN
- FANG YONG
Assignees
- 福建点景科技股份有限公司
Dates
- Publication Date
- 20260505
- Application Date
- 20260203
Claims (10)
- 1. A heterogeneous service data isolation and secure exchange method across security domains, applied to a system, characterized in that the system comprises a sending end host, a receiving end host and a physical isolation device connecting the sending end host and the receiving end host, and the method comprises the following steps: the sending end host divides payload data of an original data packet into first service data and second service data according to a preset service feature library; the sending end host stores the first service data into a low-priority queue, stores the second service data into a high-priority queue, and writes data from the low-priority queue into the physical isolation device; when second service data to be transmitted exists in the high-priority queue and the calculated remaining transmission duration of the data block currently being written is larger than a preset time delay threshold, the sending end host stops writing data and takes the write pointer position at the stopping moment as a cut-off offset; the sending end host generates a suspension header containing the cut-off offset and a global service identifier, encapsulates the suspension header at the tail of the already written part of the current data block to form a first cut-off frame, and submits the first cut-off frame to the physical isolation device; the sending end host reads the second service data from the high-priority queue, generates a priority header containing a high-priority identifier, encapsulates the priority header at the head of the second service data to obtain a high-priority atomic frame, and writes the high-priority atomic frame into the physical isolation device; the sending end host generates a recovery header containing the cut-off offset and the global service identifier; the sending end host encapsulates the recovery header at the head of the remaining data of the current data block that has not yet been written, to form a second remaining frame, and writes the second remaining frame into the physical isolation device; when the receiving end host reads the high-priority atomic frame from the physical isolation device, it forwards the second service data in the high-priority atomic frame to a target service system according to the high-priority identifier; when the receiving end host reads the first cut-off frame, it stores the first cut-off frame into a reorganization buffer according to the global service identifier in the suspension header; when the receiving end host reads the second remaining frame, it matches the corresponding first cut-off frame in the reorganization buffer according to the global service identifier in the recovery header, and splices the remaining data in the second remaining frame to the tail end of the first cut-off frame according to the cut-off offset, obtaining the first service data.
- 2. The method according to claim 1, wherein the sending end host dividing the payload data of the original data packet into first service data and second service data according to a preset service feature library specifically includes: the sending end host extracts the tuple information consisting of the source port number, the destination port number and the protocol type of the original data packet, and reads a service function code from a preset offset position of the payload data; the sending end host combines the tuple information with the service function code to generate a current service feature vector; the sending end host carries out multidimensional matching between the current service feature vector and the reference feature vectors in the preset service feature library to determine the service security level of the original data packet; the sending end host determines payload data whose service security level is higher than a preset emergency response threshold as second service data; and the sending end host determines payload data whose service security level is not higher than the preset emergency response threshold as first service data.
- 3. The method according to claim 1, wherein the sending end host dividing the payload data of the original data packet into first service data and second service data according to a preset service feature library specifically includes: the sending end host extracts the byte length of the payload data of the original data packet and records it as the current payload length; the sending end host acquires the current system time at which the original data packet was received, calculates the difference between the current system time and the system time at which the last data packet from the same source was received, and records the difference as the arrival time interval; when the current payload length is smaller than a preset length threshold and the arrival time interval is smaller than a preset frequency threshold, the sending end host determines the payload data of the original data packet as second service data; and when the current payload length is greater than or equal to the preset length threshold or the arrival time interval is greater than or equal to the preset frequency threshold, the sending end host determines the payload data of the original data packet as first service data.
- 4. The method according to claim 1, wherein the method further comprises: the receiving end host acquires the receiving timestamp of the first cut-off frame as the logic generation time of the first service data, and acquires the execution completion time of the second service data; the receiving end host judges whether the first service data and the second service data are directed at the same service object; if so, the receiving end host compares the logic generation time with the execution completion time and, when the logic generation time is determined to be earlier than the execution completion time, judges the first service data to be time sequence inversion data; the receiving end host executes state conflict detection on the time sequence inversion data; when it is detected that the execution result of the second service data and the execution request of the first service data are logically mutually exclusive, the receiving end host discards the first service data; if not, the receiving end host submits the first service data to the application layer for processing.
- 5. The method according to claim 4, wherein the receiving end host executing state conflict detection on the time sequence inversion data specifically comprises: the receiving end host analyzes the execution result of the second service data and extracts the current state value of the service object; the receiving end host analyzes the execution request of the first service data and extracts the instruction to be executed against the service object; and when the instruction to be executed is determined to belong to the forbidden execution instructions that a preset conflict mapping table associates with the current state value, the receiving end host judges that the execution result of the second service data and the execution request of the first service data are logically mutually exclusive.
- 6. The method according to claim 4, wherein after the receiving end host discards the first service data, the method further comprises: the receiving end host records the transaction identifier of the first service data into an invalid transaction list; when the receiving end host receives third service data, it extracts the associated transaction identifier carried in the third service data; and the receiving end host intercepts and discards the third service data when the associated transaction identifier is determined to exist in the invalid transaction list.
- 7. The method according to claim 6, wherein the receiving end host recording the transaction identifier of the first service data into an invalid transaction list specifically comprises: the receiving end host stores the transaction identifier of the first service data in the invalid transaction list in association with the current system timestamp; and the receiving end host removes a target transaction identifier from the invalid transaction list when the storage duration of that target transaction identifier is detected to exceed a preset transaction life cycle threshold.
- 8. A heterogeneous service data isolation and secure exchange system across security domains, the system comprising: one or more processors and a memory coupled with the one or more processors, the memory storing computer program code, the computer program code comprising computer instructions that the one or more processors invoke to cause the system to perform the method of any of claims 1-7.
- 9. A computer readable storage medium comprising instructions which, when run on a system, cause the system to perform the method of any of claims 1-7.
- 10. A computer program product, characterized in that the computer program product, when run on a system, causes the system to perform the method according to any of claims 1-7.
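A runnable model of the claim 1 exchange, added here and not part of the patent: the sending end host applies the remaining-time test, emits the first cut-off frame, the high-priority atomic frames and the second remaining frame, and the receiving end host forwards priority frames immediately while reassembling the low-priority block through the reorganization buffer. The frame types, the 7-byte header layout and the sample data are constructed assumptions; the patent fixes no wire format.

```python
import struct
from collections import deque

# Frame types and header layout (type, global service id, cut-off offset) are
# constructed for this example; the patent names the headers but fixes no wire format.
DATA, SUSPEND, PRIORITY, RECOVER = 0, 1, 2, 3
HDR = struct.Struct("!BIH")

def should_preempt(high_queue, remaining_bytes, bytes_per_ms, delay_threshold_ms):
    # Claim 1: high-priority data waiting AND the rest of the block exceeds the delay threshold
    return bool(high_queue) and remaining_bytes / bytes_per_ms > delay_threshold_ms

def sender_write(block, gsid, write_ptr, high_queue, bytes_per_ms, delay_threshold_ms):
    if not should_preempt(high_queue, len(block) - write_ptr, bytes_per_ms, delay_threshold_ms):
        return [HDR.pack(DATA, gsid, 0) + block[write_ptr:]]            # finish the block as usual
    frames = [HDR.pack(SUSPEND, gsid, write_ptr) + block[:write_ptr]]   # first cut-off frame
    while high_queue:                                                   # high-priority atomic frames
        frames.append(HDR.pack(PRIORITY, 0, 0) + high_queue.popleft())
    frames.append(HDR.pack(RECOVER, gsid, write_ptr) + block[write_ptr:])  # second remaining frame
    return frames

class Receiver:
    def __init__(self):
        self.reorg = {}        # reorganization buffer keyed by global service identifier
        self.forwarded = []    # second service data handed to the target system, in order
        self.completed = []    # (gsid, first service data) after splicing

    def read(self, frame):
        ftype, gsid, off = HDR.unpack_from(frame)
        body = frame[HDR.size:]
        if ftype == PRIORITY:
            self.forwarded.append(body)                     # forwarded at once, no queuing
        elif ftype == DATA:
            self.completed.append((gsid, body))
        elif ftype == SUSPEND:
            if len(body) != off:
                raise ValueError("cut-off offset disagrees with cut-off frame length")
            self.reorg[gsid] = body
        elif ftype == RECOVER:
            head = self.reorg.pop(gsid, None)               # match on global service identifier
            if head is None or len(head) != off:
                raise ValueError(f"no matching cut-off frame for service {gsid} at offset {off}")
            self.completed.append((gsid, head + body))      # splice remaining data at the offset

def demo():
    block = bytes(range(256)) * 4                  # constructed 1024-byte audit-log block
    high = deque([b"TRIP-CMD", b"KEY-ROTATE"])     # constructed delay-sensitive signaling
    frames = sender_write(block, 7, 300, high, bytes_per_ms=8, delay_threshold_ms=50)
    rx = Receiver()
    for f in frames: rx.read(f)
    return frames, rx
```

With 724 bytes left at 8 bytes/ms the remaining time (90.5 ms) exceeds the 50 ms threshold, so the block is cut at offset 300 and both signaling messages reach the receiver before the remaining 724 bytes.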
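The receiving-side checks of claims 4 to 7 (time sequence inversion, state conflict detection against a conflict mapping table, and the invalid transaction list with its life cycle threshold), as an added example that is not part of the patent. The conflict mapping entries, record fields and the choice to submit inverted data that is not mutually exclusive are constructed assumptions.

```python
# Constructed conflict mapping table: current state value of a service object ->
# instructions forbidden once that state is reached. The patent names the table
# but gives no entries.
CONFLICT_MAP = {"TRIPPED": {"CLOSE"}, "LOCKED": {"WRITE", "CLOSE"}}

class InversionGuard:
    """Receiving end host logic of claims 4-7; times are plain numbers (seconds)."""
    def __init__(self, ttl):
        self.invalid = {}    # invalid transaction list: transaction id -> time recorded
        self.ttl = ttl       # preset transaction life cycle threshold

    def _purge(self, now):
        self.invalid = {t: ts for t, ts in self.invalid.items() if now - ts <= self.ttl}

    def check_low(self, low, high_result, now):
        """low: first service data {txn, obj, instr, gen_time}, gen_time being the
        receive timestamp of its cut-off frame; high_result: {obj, state, done_time}."""
        if low["obj"] != high_result["obj"]:
            return "submit"                            # different service object
        if low["gen_time"] >= high_result["done_time"]:
            return "submit"                            # no time sequence inversion
        # Inversion detected: state conflict detection against the high-priority result
        if low["instr"] in CONFLICT_MAP.get(high_result["state"], ()):
            self.invalid[low["txn"]] = now             # record in the invalid transaction list
            return "discard"
        return "submit"                                # inverted but not mutually exclusive (assumption)

    def check_follow_up(self, third, now):
        """Third service data carrying an associated transaction id (claims 6 and 7)."""
        self._purge(now)                               # expire entries older than the threshold
        return "discard" if third.get("assoc_txn") in self.invalid else "submit"
```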
Description
Technical Field
The application belongs to the field of multiplexing communication, and particularly relates to a method and a system for heterogeneous service data isolation and secure exchange across security domains.
Background
In the security protection system of a power grid, in order to defend against high-level network attacks and prevent core secrets from being leaked, the protection principle of transverse isolation and longitudinal authentication is strictly followed, and the network is divided into areas with different security levels, such as the production control area and the management information area. However, service continuity requires that data flow between different security domains; for example, sensitive settlement data in cross-border transactions is transmitted to a supervision domain, or real-time operation data of the power grid production area is synchronized to the management area for analysis. How to realize efficient and safe data exchange while ensuring physical or logical isolation between different security domains is a point of continuous attention in the current information security field. The related technology generally adopts a high-performance security isolation and information exchange system based on dedicated hardware, with a '2+1' architecture of dual hosts plus a dedicated isolation component, and performs data ferrying by cutting off the TCP/IP connection between the internal and external networks at the physical level and using a private protocol or a non-network mode.
This technology not only has strong anti-attack capability and can block penetration and Trojan transmission based on general network protocols, but also integrates advanced functions such as deep packet inspection and protocol termination and restoration, and can carry out deep compliance cleaning of the transmitted contents. However, in daily operation and maintenance and emergency handling of the power grid, the channel carries both massive non-real-time whole-network audit logs or device health state history data and scattered, delay-sensitive control signaling or key distribution data. The above related art generally performs strict protocol stripping and payload restoration before data enters the isolation device, so that the isolation device mainly focuses on the integrity and isolation of data at the physical conduction level. When massive audit data and key control signaling are transmitted concurrently, the massive data often occupies the exchange channel of the isolation component for a long time, so that the subsequent key signaling queues up due to competition for transmission resources, the real-time performance of high-priority service data interaction is reduced, and the response delay fluctuation of the system when processing high-concurrency mixed service flows is increased.
Disclosure of Invention
The application provides a heterogeneous service data isolation and secure exchange method and system across security domains, which are used to reduce the queuing waiting time of key signaling and to improve the real-time performance and transmission efficiency of high-priority service cross-domain interaction on the premise of ensuring physical isolation security.
According to a first aspect, the application provides a heterogeneous service data isolation and secure exchange method across security domains: a sending end host divides payload data of an original data packet into first service data and second service data according to a preset service feature library; the sending end host stores the first service data into a low-priority queue, stores the second service data into a high-priority queue, and writes the low-priority queue into a physical isolation device; when it is determined that second service data to be sent exists in the high-priority queue and the calculated remaining transmission time of the data block currently being written is longer than a preset time delay threshold, the sending end host stops writing data and takes the write pointer position at the stopping moment as a cut-off offset, and reads the second service data from the high-priority queue to generate a priority frame containing a high-priority identifier; the sending end host generates a suspension header containing the cut-off offset and a global service identifier; the sending end host encapsulates the suspension header at the tail of the written current data block to form a first cut-off frame; the sending end host reads the second service data from the high priority queue to form a physical isolation device, and the high priority frame is received from the high priority queue, and the high priority frame is restored from the physical isolation device when the high priority frame is formed by the high priority frame and the hig