Disclosure of Invention
This section is intended to outline some aspects of embodiments of the application and to briefly introduce some preferred embodiments. Some simplifications or omissions may be made in this section, in the description of the application and in its title; these are not intended to limit the scope of the application.
In view of the existing problems, a centralized control power station communication topological structure suitable for public networks, and an application method thereof, are provided.
Therefore, the technical problem solved by the application is as follows: the existing communication topological structure cannot meet the security protection requirements of a public communication network while ensuring normal production.
In order to solve the technical problem, the application provides the following technical scheme: a production area comprising an intranet production area server, which serves as the communication master station, transmits the master station's downlink data to the access area, processes uplink data and writes the uplink data into the local production area system; an access area, which receives and processes the downlink data of the production area, transmits the processed downlink data over the communication channel, processes uplink data and transmits the processed uplink data to the production area; and a communication channel, which serves as the transmission channel between the access areas.
As a preferable scheme of the communication topology structure of the centralized control power station applicable to the public network, the application comprises the following steps: the production area comprises a centralized control side production area and a power station side production area, and the access area comprises a centralized control side access area and a power station side access area; the centralized control side production area transmits the downlink data of the main station to the centralized control side access area, the centralized control side access area receives the downlink data of the main station to process the downlink data and transmits the downlink data to the power station side access area through the communication channel, the centralized control side access area processes the uplink data of the power station side access area and transmits the uplink data to the centralized control side production area, and the centralized control side production area processes the uplink data after receiving the uplink data and writes the uplink data into the local production area system.
As a preferable scheme of the communication topology structure of the centralized control power station applicable to the public network, the application comprises the following steps: the power station side production area transmits uplink data to the power station side access area, the power station side access area processes the uplink data received by the power station side production area and transmits the uplink data to the centralized control side access area through the communication channel, and the power station side access area processes and responds to the downlink data received by the centralized control side access area.
As a preferable scheme of the communication topology structure of the centralized control power station applicable to the public network, the application comprises the following steps: the isolation device comprises a first isolation device and a second isolation device, and is used for isolating the production area from the access area; the centralized control side production area and the centralized control side access area are isolated by a first isolation device, and the power station side production area and the power station side access area are isolated by a second isolation device; the first isolation device comprises a first forward isolation device and a reverse isolation device, and the second isolation device comprises a second forward isolation device.
As a preferable scheme of the communication topology structure of the centralized control power station applicable to the public network, the application comprises the following steps: the isolation device is also used for data transmission, the centralized control side production area transmits downlink data of the main station to the centralized control side access area through the first forward isolation device, the centralized control side access area transmits the received uplink data of the power station side access area to the centralized control side production area through the reverse isolation device, the power station side production area transmits the uplink data to the power station side access area through the second forward isolation device, and the power station side access area transmits the received downlink data of the centralized control side access area to the power station side production area through the second reverse isolation device.
As a preferable scheme of the communication topology structure of the centralized control power station applicable to the public network, the application comprises the following steps: the centralized control side production area and the power station side production area each comprise two servers operating as mutual active and standby; the two servers of the centralized control side production area serve as communication master stations, and the two servers of the power station side production area serve as power station data acquisition terminals.
As a preferable scheme of the communication topology structure of the centralized control power station applicable to the public network, the application comprises the following steps: the communication channel is a satellite public network and is provided with a longitudinal encryption device, a router and a switch.
As a preferable scheme of the application method of the communication topological structure of the centralized control power station applicable to the public network, the application comprises the following steps: the method comprises the steps of collecting power station data by utilizing the production area server; the access area processes the data collected by the production area, and transmits the processed data to the production area based on the communication channel and the isolation device, so that the interaction of uplink and downlink data on the centralized control side is realized.
As a preferable scheme of the application method of the communication topological structure of the centralized control power station applicable to the public network, the application comprises the following steps: in the communication process of the communication channel and the isolation device, encrypting communication data by using an encryption algorithm, wherein the encryption algorithm comprises the steps of obtaining a first key, a second key and a third key of the encryption algorithm; encrypting the power station data to be transmitted through the first key to generate first encrypted data; decrypting the first encrypted data by the second key to generate second encrypted data; and encrypting the second encrypted data through the third key to generate encrypted power station data.
As a preferable scheme of the application method of the communication topological structure of the centralized control power station applicable to the public network, the application comprises the following steps: and carrying out integrity verification on the encrypted power station data by utilizing a data integrity algorithm, and prohibiting transmission of the power station data if the encrypted power station data is incomplete.
The application has the beneficial effects that: on the basis of the original private-line private network communication, satellite public network communication is added as a standby channel; the private-line private network is used preferentially, communication is automatically switched to the satellite public network channel when the private-line private network fails, and automatically switched back when the private-line private network channel is restored; a safety access area is set up for the satellite public network channel, and forward and reverse isolation devices isolate the public network from the internal network so that the security protection requirements are met.
Detailed Description
So that the manner in which the above recited objects, features and advantages of the present application can be understood in detail, a more particular description of the application, briefly summarized above, may be had by reference to the embodiments, some of which are illustrated in the appended drawings. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments of the present application without making any inventive effort, shall fall within the scope of the present application.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present application, but the present application may be practiced in other ways other than those described herein, and persons skilled in the art will readily appreciate that the present application is not limited to the specific embodiments disclosed below.
Further, reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic can be included in at least one implementation of the application. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
While the embodiments of the present application have been illustrated and described in detail in the drawings, the cross-sectional view of the device structure is not to scale in the general sense for ease of illustration, and the drawings are merely exemplary and should not be construed as limiting the scope of the application. In addition, the three-dimensional dimensions of length, width and depth should be included in actual fabrication.
Also in the description of the present application, it should be noted that the orientation or positional relationship indicated by the terms "upper, lower, inner and outer", etc. are based on the orientation or positional relationship shown in the drawings, are merely for convenience of describing the present application and simplifying the description, and do not indicate or imply that the apparatus or elements referred to must have a specific orientation, be constructed and operated in a specific orientation, and thus should not be construed as limiting the present application. Furthermore, the terms "first, second, or third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
The terms "mounted, connected, and coupled" should be construed broadly in this disclosure unless otherwise specifically indicated and defined, such as: can be fixed connection, detachable connection or integral connection; it may also be a mechanical connection, an electrical connection, or a direct connection, or may be indirectly connected through an intermediate medium, or may be a communication between two elements. The specific meaning of the above terms in the present application will be understood in specific cases by those of ordinary skill in the art.
Example 1
Referring to fig. 1, an embodiment of the present application provides an application method of a communication topology structure of a centralized control power station applicable to a public network, comprising:
S1: collecting power station data using a server of the production area 100;
S2: the access area 200 processes the data collected by the production area 100 and transmits the processed data to the production area 100 via the communication channel 300 and the isolation device 400, so as to realize the interaction of uplink and downlink data on the centralized control side.
It should be noted that during communication over the communication channel 300 and the isolation device 400, the communication data is encrypted using an encryption algorithm, where the encryption algorithm comprises:
acquiring a first key, a second key and a third key of an encryption algorithm;
encrypting the power station data to be transmitted through a first key to generate first encrypted data;
decrypting the first encrypted data by the second key to generate second encrypted data;
and encrypting the second encrypted data through a third key to generate encrypted power station data.
The 3DES encryption process is $C = E_{K_3}(D_{K_2}(E_{K_1}(P)))$, and the 3DES decryption process is $P = D_{K_1}(E_{K_2}(D_{K_3}(C)))$;
where $E_K()$ and $D_K()$ denote the encryption and decryption processes of the DES algorithm, $K$ denotes the key used by the DES algorithm, $P$ denotes plaintext, and $C$ denotes ciphertext.
The partial code used to implement the algorithm is as follows:
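The following Go program is an added example, not the application's partial code listing: it composes the three steps above from single-DES blocks in Go's standard crypto/des package, checks the result against the library's own TripleDES, and shows the caveat that with three identical keys the EDE construction collapses to single DES. The key and plaintext values are constructed.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// desCiphers builds the three single-DES ciphers for the first, second and third key.
func desCiphers(k1, k2, k3 []byte) (c1, c2, c3 cipher.Block, err error) {
	if c1, err = des.NewCipher(k1); err != nil {
		return
	}
	if c2, err = des.NewCipher(k2); err != nil {
		return
	}
	c3, err = des.NewCipher(k3)
	return
}

// edeBlock applies the three steps of the text to one 8-byte block: E_K1, then D_K2, then E_K3.
func edeBlock(k1, k2, k3, plain []byte) ([]byte, error) {
	if len(plain) != des.BlockSize {
		return nil, fmt.Errorf("plaintext block must be %d bytes, got %d", des.BlockSize, len(plain))
	}
	c1, c2, c3, err := desCiphers(k1, k2, k3)
	if err != nil {
		return nil, err
	}
	first := make([]byte, des.BlockSize)
	c1.Encrypt(first, plain) // first encrypted data
	second := make([]byte, des.BlockSize)
	c2.Decrypt(second, first) // second encrypted data: a DES decryption under K2
	out := make([]byte, des.BlockSize)
	c3.Encrypt(out, second) // encrypted power station data
	return out, nil
}

// dedBlock is the inverse process P = D_K1(E_K2(D_K3(C))) for one 8-byte ciphertext block.
func dedBlock(k1, k2, k3, ct []byte) ([]byte, error) {
	c1, c2, c3, err := desCiphers(k1, k2, k3)
	if err != nil {
		return nil, err
	}
	a := make([]byte, des.BlockSize)
	c3.Decrypt(a, ct)
	b := make([]byte, des.BlockSize)
	c2.Encrypt(b, a)
	out := make([]byte, des.BlockSize)
	c1.Decrypt(out, b)
	return out, nil
}

// matchesStdlib checks the hand-composed block against crypto/des's TripleDES with key K1||K2||K3.
func matchesStdlib(k1, k2, k3, plain []byte) (bool, error) {
	ours, err := edeBlock(k1, k2, k3, plain)
	if err != nil {
		return false, err
	}
	key := append(append(append([]byte{}, k1...), k2...), k3...)
	tdes, err := des.NewTripleDESCipher(key)
	if err != nil {
		return false, err
	}
	ref := make([]byte, des.BlockSize)
	tdes.Encrypt(ref, plain)
	return bytes.Equal(ours, ref), nil
}

// collapsesToSingleDES shows the caveat: with K1 = K2 = K3 the middle decryption undoes
// the first encryption, so the EDE output is plain single DES under K.
func collapsesToSingleDES(k, plain []byte) (bool, error) {
	ours, err := edeBlock(k, k, k, plain)
	if err != nil {
		return false, err
	}
	single, err := des.NewCipher(k)
	if err != nil {
		return false, err
	}
	ref := make([]byte, des.BlockSize)
	single.Encrypt(ref, plain)
	return bytes.Equal(ours, ref), nil
}

func main() {
	// Constructed sample keys and one plaintext block; real keys come from the key exchange.
	k1, k2, k3 := []byte("key-one!"), []byte("key-two!"), []byte("key-thre")
	c, err := edeBlock(k1, k2, k3, []byte("PSdata01"))
	fmt.Printf("C = %x, err = %v\n", c, err)
}
```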
An asymmetric encryption algorithm is used to realize identity authentication and key exchange.
In asymmetric encryption, encryption and decryption do not use the same key: only the public key and private key of the same key pair can correctly encrypt and decrypt. Partial code for realizing the algorithm is as follows:
Further, the integrity of the encrypted power station data is verified using a data integrity algorithm, and if the encrypted power station data is incomplete, transmission of the power station data is forbidden.
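As an added example (not the application's code), the following Go program uses RSA from the standard library for both roles named above: the station proves its identity by signing a fresh challenge, and the master transports the 24-byte 3DES key K1||K2||K3 to it under RSA-OAEP, so that only the matching private key can recover it. The station name, the OAEP label, the 2048-bit key size and the in-memory distribution of public keys are assumptions.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel is a hypothetical context label binding the wrapped key to its purpose.
var oaepLabel = []byte("centralized-control-3des-session-key")

// station is one communicating side with its long-term RSA key pair (2048-bit assumed).
type station struct {
	name string
	priv *rsa.PrivateKey
}

func newStation(name string) (*station, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &station{name: name, priv: priv}, nil
}

// signChallenge realises identity authentication: only the private key holder can sign the nonce.
func (s *station) signChallenge(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return rsa.SignPSS(rand.Reader, s.priv, crypto.SHA256, h[:], nil)
}

func verifyChallenge(pub *rsa.PublicKey, nonce, sig []byte) bool {
	h := sha256.Sum256(nonce)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// wrapSessionKey realises key exchange: the 3DES key K1||K2||K3 is encrypted under the peer's public key.
func wrapSessionKey(peerPub *rsa.PublicKey, key3des []byte) ([]byte, error) {
	if len(key3des) != 24 {
		return nil, errors.New("3DES key must be 24 bytes (K1||K2||K3)")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, peerPub, key3des, oaepLabel)
}

func (s *station) unwrapSessionKey(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, wrapped, oaepLabel)
}

// exchange runs the handshake from the master station's side: challenge, signature check, key transport.
// Assumption: the master already holds the peer's public key from provisioning (here read from peer).
func exchange(peer *station) ([]byte, error) {
	peerPub := &peer.priv.PublicKey
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sig, err := peer.signChallenge(nonce)
	if err != nil {
		return nil, err
	}
	if !verifyChallenge(peerPub, nonce, sig) {
		return nil, fmt.Errorf("identity authentication of %s failed", peer.name)
	}
	key := make([]byte, 24)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := wrapSessionKey(peerPub, key)
	if err != nil {
		return nil, err
	}
	got, err := peer.unwrapSessionKey(wrapped)
	if err != nil || !bytes.Equal(got, key) {
		return nil, errors.New("key exchange failed")
	}
	return key, nil
}

func main() {
	st, err := newStation("dzmain1")
	if err != nil {
		panic(err)
	}
	if key, err := exchange(st); err == nil {
		fmt.Printf("session key agreed with %s: %x\n", st.name, key)
	}
}
```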
The data integrity algorithm is as follows:
where corr is the data integrity check result, m and n are vector constants, A is the number of bytes of the encrypted production access area power station data, and B is the production access area power station data.
When the output result is greater than 0.85, the data is considered complete.
In order to verify and explain the technical effects of the method, the application selects the plaintext transmission of the traditional method and the present method for a comparison test, and compares the test results by scientific demonstration means to verify the real effect of the method.
The traditional technical scheme has the following problems: the reliability of centralized control power station communication is low, the network security protection requirements cannot be met, and the data transmission nodes of the centralized control power station are easily monitored, attacked and even tampered with. In order to verify that the present method offers higher security than the traditional method, the application measures and compares, in real time, the attack and tampering success rate of the centralized control power station communication data under the traditional method and under the present method.
Test environment: transmission of centralized control power station communication data was simulated on a simulation platform; the automatic test equipment was started for both the traditional method and the present method; the simulation test of the two methods was implemented by MATLAB programming; monitoring, attack and malicious tampering of the protocol were simulated on the simulated network; and simulation data were obtained from the experimental results. 500 groups of data were tested for each method, the transmission result of each group was obtained by calculation, errors were calculated by comparison with the actual centralized control power station communication data fed into the simulation, and the results are shown in Table 1.
Table 1: comparison of experimental results.
| Experimental sample | Traditional method one | The method of the application |
|---|---|---|
| Success rate of tampering | 65% | 1.2% |
As can be seen from the table, the method of the present application has higher security than the conventional method.
Example 2
Referring to fig. 2, another embodiment of the present application, which differs from the first embodiment, provides a communication topology structure of a centralized control power station applicable to a public network, comprising:
the production area 100, comprising an intranet production area server serving as the communication master station, which transmits the downlink/uplink data of the master station to the access area 200, and processes uplink data and writes the uplink data into the local production area system;
the access area 200, configured to receive and process the downlink/uplink data of the production area 100, transmit the processed downlink/uplink data over the communication channel 300, and process downlink/uplink data and transmit the processed downlink/uplink data to the production area 100; and
the communication channel 300, serving as the transmission channel between the access areas 200, where the communication channel 300 is a satellite public network configured with a longitudinal encryption device 301, a router 302 and a switch 303.
The isolation device 400 comprises a first isolation device 401 and a second isolation device 402, and the isolation device 400 is used for isolating the production area 100 from the access area 200.
The production area 100 comprises a centralized control side production area 101 and a power station side production area 102, and the access area 200 comprises a centralized control side access area 201 and a power station side access area 202;
the centralized control side production area 101 transmits the downlink data of the main station to the centralized control side access area 201, the centralized control side access area 201 receives the downlink data of the main station to process the downlink data and transmits the downlink data to the power station side access area 202 through the communication channel 300, the centralized control side access area 201 processes the uplink data of the power station side access area 202 and transmits the uplink data to the centralized control side production area 101, and the centralized control side production area 101 processes the uplink data and writes the uplink data into the local production area system after receiving the uplink data.
The power station side production area 102 transmits uplink data to the power station side access area 202; the power station side access area 202 processes the uplink data received from the power station side production area 102 and transmits the uplink data to the centralized control side access area 201 through the communication channel; the power station side access area 202 processes the downlink data received from the centralized control side access area 201 and transmits the downlink data to the power station side production area 102; and the power station side production area 102 processes the received downlink data and writes it into the local production area system.
Further, the centralized control side production area 101 and the centralized control side access area 201 are isolated by a first isolation device 401, and the power station side production area 102 and the power station side access area 202 are isolated by a second isolation device 402;
wherein the first isolation device 401 comprises a first forward isolation device 401-a and a reverse isolation device 401-b, and the second isolation device 402 comprises a second forward isolation device 402-a and a second reverse isolation device 402-b.
Still further, the isolation device 400 is also used for data transmission: the centralized control side production area 101 transmits the downlink data of the master station to the centralized control side access area 201 through the first forward isolation device 401-a; the centralized control side access area 201 transmits the received uplink data of the power station side access area 202 to the centralized control side production area 101 through the reverse isolation device 401-b; the power station side production area 102 transmits the uplink data to the power station side access area 202 through the second forward isolation device 402-a; and the power station side access area 202 transmits the received downlink data of the centralized control side access area 201 to the power station side production area 102 through the second reverse isolation device 402-b.
The centralized control side production area 101 and the power station side production area 102 each comprise two servers operating as mutual active and standby; the two servers of the centralized control side production area 101 serve as communication master stations, and the two servers of the power station side production area 102 serve as power station data acquisition terminals.
The network topology structure is specifically as follows:
(1) The centralized control side is divided into two parts, a centralized control side intranet production area and a centralized control side safety access area, separated by forward and reverse isolation devices;
(2) The power station side is divided into a power station side intranet production area and a power station side safety access area, separated by a forward isolation device;
(3) The channel between the centralized control side safety access area and the power station side safety access area is a satellite public network.
Wherein:
(1) The centralized control side hardware is configured as follows:
2 multi-network-card servers, jkmain1 and jkmain2, serving as the centralized control side intranet production area servers;
1 forward isolation device, isolating the centralized control side intranet production area from the centralized control side safety access area;
1 reverse isolation device, isolating the centralized control side intranet production area from the centralized control side safety access area;
1 safety access area system.
(2) The power station side hardware is configured as follows:
2 multi-network-card servers, dzmain1 and dzmain2, serving as the power station side intranet production area servers;
1 forward isolation device, isolating the power station side intranet production area from the power station side safety access area;
1 safety access area system.
(3) The channel between the centralized control side safety access area and the power station side safety access area is a satellite public network, on which equipment such as a longitudinal encryption device, a router and a switch is configured according to the boundary protection requirements.
The working flow is as follows:
(1) The two servers jkmain1 and jkmain2 in the centralized control side intranet production area are mutually active and standby and serve as the communication master station; they transmit the downlink data of the master station to the centralized control side safety access area through the forward isolation device.
(2) After receiving the downlink data of the centralized control side intranet production area, the centralized control side safety access area system processes it and transmits it to the power station side safety access area over the satellite channel.
(3) The centralized control side safety access area system processes the uplink data received from the power station side safety access area and transmits it to the centralized control side intranet production area through the reverse isolation device.
(4) After receiving the uplink data from the centralized control side safety access area system, the centralized control side intranet production area server processes it and writes it into the local production area system.
(5) The power station side data processing workflow is in the reverse direction of the centralized control side flow.
Furthermore, in the communication topology structure of the centralized control power station, satellite public network communication is used as a standby channel alongside the existing private-line private network communication; when the private-line private network communication fails, communication is automatically switched to the satellite public network channel, and when the private-line private network channel is restored, it is automatically switched back.
Specifically, the operating state data of the private-line private network communication is analysed with a deep neural network, and the operating state of the private-line private network communication is predicted at least 100 ms-220 ms in advance; when the predicted operating state indicates that the private-line private network communication is likely to fail, the opening time t of the standby channel under the different fault conditions is divided into three ranges, each corresponding to a different fault type:
t ≤ 100 ms;
100 ms < t ≤ 220 ms;
t > 220 ms.
If t ≤ 100 ms, the control strategy is defined as: the standby channel is opened; when the standby channel has been open for more than 8-12 hours, the availability of the private-line private network communication is continuously monitored within 7-8 hours, and if it is available, the standby channel is immediately closed and communication is switched back to the private-line private network;
if 100 ms < t ≤ 220 ms, the control strategy is defined as: the standby channel is opened for 2-8 h, the availability of the private-line private network communication is continuously monitored within 1-2 h, and if it is available, the standby channel is immediately closed and communication is switched back to the private-line private network;
if t > 220 ms, the control strategy is defined as: the standby channel is opened for less than 2 h, the availability of the private-line private network communication is continuously monitored within 2 h, and if it is available, the standby channel is immediately closed and communication is switched back to the private-line private network;
if the relevant technician issues an instruction to open the standby channel, the time range corresponding to the fault type of the private-line private network communication is determined, the control strategy is selected according to that time range, and the corresponding strategy is adopted.
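The following Go program is an added example, not part of the application: it encodes the three ranges of t and the switch-back rule above as a small channel controller. The strategy durations take the upper ends of the ranges stated in the text, and the overrun flag for standby time beyond the expected window is an assumption; the prediction value in main is constructed.

```go
package main

import (
	"fmt"
	"time"
)

// strategy is one of the three control strategies the text ties to the range of t.
// The durations take the upper end of the ranges given in the text (an assumption
// where the text states a span such as 2-8 h).
type strategy struct {
	name    string
	maxOpen time.Duration // how long the standby channel is expected to stay open
	monitor time.Duration // window over which private-line availability is checked
}

// classify maps the predicted standby opening time t to its range and strategy.
func classify(t time.Duration) strategy {
	switch {
	case t <= 100*time.Millisecond:
		return strategy{"t<=100ms", 12 * time.Hour, 8 * time.Hour}
	case t <= 220*time.Millisecond:
		return strategy{"100ms<t<=220ms", 8 * time.Hour, 2 * time.Hour}
	default:
		return strategy{"t>220ms", 2 * time.Hour, 2 * time.Hour}
	}
}

type channel int

const (
	privateLine channel = iota // preferred private-line private network
	satellite                  // standby satellite public network channel
)

// controller tracks which channel carries traffic and when the standby was opened.
type controller struct {
	active   channel
	strat    strategy
	openedAt time.Time
}

// openStandby is invoked when the prediction (or a technician's instruction) says the
// private line is about to fail; t is the predicted standby opening time.
func (c *controller) openStandby(now time.Time, t time.Duration) strategy {
	if c.active == satellite {
		return c.strat // already on the standby channel; keep the earlier strategy
	}
	c.strat, c.active, c.openedAt = classify(t), satellite, now
	return c.strat
}

// poll is called on every availability check of the private line. It switches back as
// soon as the private line is available again; otherwise it reports whether the standby
// has been open longer than the strategy expects (the overrun flag is an assumption,
// the text only says monitoring continues within the window).
func (c *controller) poll(now time.Time, privateAvailable bool) (switchedBack, overrun bool) {
	if c.active != satellite {
		return false, false
	}
	if privateAvailable {
		c.active = privateLine
		return true, false
	}
	return false, now.Sub(c.openedAt) > c.strat.maxOpen
}

func main() {
	var c controller
	t0 := time.Now()
	s := c.openStandby(t0, 300*time.Millisecond) // constructed prediction: t > 220 ms
	fmt.Printf("strategy %s: standby expected open <= %v, monitor within %v\n", s.name, s.maxOpen, s.monitor)
	back, over := c.poll(t0.Add(3*time.Hour), false)
	fmt.Println("after 3 h without the private line: switched back =", back, "overrun =", over)
}
```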
It should be appreciated that embodiments of the application may be implemented or realized by computer hardware, a combination of hardware and software, or by computer instructions stored in a non-transitory computer readable memory. The methods may be implemented in a computer program using standard programming techniques, including a non-transitory computer readable storage medium configured with a computer program, where the storage medium so configured causes a computer to operate in a specific and predefined manner, in accordance with the methods and drawings described in the specific embodiments. Each program may be implemented in a high level procedural or object oriented programming language to communicate with a computer system. However, the program(s) can be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language. Furthermore, the program can be run on a programmed application specific integrated circuit for this purpose.
Furthermore, the operations of the processes described herein may be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The processes (or variations and/or combinations thereof) described herein may be performed under control of one or more computer systems configured with executable instructions, and may be implemented as code (e.g., executable instructions, one or more computer programs, or one or more applications), by hardware, or combinations thereof, collectively executing on one or more processors. The computer program includes a plurality of instructions executable by one or more processors.
Further, the method may be implemented in any type of computing platform operatively connected to a suitable computing platform, including, but not limited to, a personal computer, mini-computer, mainframe, workstation, network or distributed computing environment, separate or integrated computer platform, or in communication with a charged particle tool or other imaging device, and so forth. Aspects of the application may be implemented in machine-readable code stored on a non-transitory storage medium or device, whether removable or integrated into a computing platform, such as a hard disk, optical read and/or write storage medium, RAM, ROM, etc., such that it is readable by a programmable computer, which when read by a computer, is operable to configure and operate the computer to perform the processes described herein. Further, the machine readable code, or portions thereof, may be transmitted over a wired or wireless network. When such media includes instructions or programs that, in conjunction with a microprocessor or other data processor, implement the steps described above, the application described herein includes these and other different types of non-transitory computer-readable storage media. The application also includes the computer itself when programmed according to the methods and techniques of the present application. The computer program can be applied to the input data to perform the functions described herein, thereby converting the input data to generate output data that is stored to the non-volatile memory. The output information may also be applied to one or more output devices such as a display. In a preferred embodiment of the application, the transformed data represents physical and tangible objects, including specific visual depictions of physical and tangible objects produced on a display.
As used in this disclosure, the terms "component," "module," "system," and the like are intended to refer to a computer-related entity, either hardware, firmware, a combination of hardware and software, or software in execution. For example, the components may be, but are not limited to: a process running on a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of example, both an application running on a computing device and the computing device can be a component. One or more components may reside within a process and/or thread of execution and a component may be localized on one computer and/or distributed between two or more computers. Furthermore, these components can execute from various computer readable media having various data structures thereon. The components may communicate by way of local and/or remote processes such as in accordance with a signal having one or more data packets (e.g., data from one component interacting with another component in a local system, distributed system, and/or across a network such as the internet with other systems by way of the signal).
It should be noted that the above embodiments are only for illustrating the technical solution of the present application and not for limiting the same, and although the present application has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that the technical solution of the present application may be modified or substituted without departing from the spirit and scope of the technical solution of the present application, which is intended to be covered in the scope of the claims of the present application.