CN108769076B - Data acquisition system, method and device with network isolation function - Google Patents
Data acquisition system, method and device with network isolation function
- Publication number: CN108769076B (application number CN201810737914.4A)
- Authority: CN (China)
- Prior art keywords: data, data acquisition, module, acquisition, network
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security > H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security > H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00—Network arrangements or protocols for supporting network services or applications > H04L67/01—Protocols > H04L67/06—Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Small-Scale Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses an acquisition device with a network isolation function. The device comprises a first data acquisition body, which in turn comprises: a first acquisition configuration module, used to perform a transmission configuration with the network isolation function and to obtain acquisition configuration information, where the acquisition configuration information includes the acquisition configuration of the target device; a data acquisition module, used to acquire data from the target device according to the transmission configuration of the first acquisition configuration module and the acquisition configuration information obtained; and a first data sending module, used to output the data acquired by the data acquisition module. The invention also provides a data acquisition system and a data acquisition method with a network isolation function. They make it possible to acquire medical equipment data from the internal network of a hospital without creating direct communication between the hospital's internal and external networks, and so resolve the long-standing difficulty of collecting big data from medical equipment.
Description
Technical Field
The invention relates to the technical field of network isolation, and in particular to a data acquisition system, method and device with a network isolation function.
Background
Extracting fault data and operation data from large medical equipment, and performing remote fault diagnosis and equipment management based on big data analysis, is the current trend of technical development. Medical equipment is, however, an important asset of a hospital, and ensuring the security of its data is an important responsibility of hospital managers. To ensure this, most hospitals adopt a networking scheme in which the internal and external networks are physically isolated: all medical equipment is connected to the hospital's internal network and can only communicate with the hospital's internal servers. This networking mode is a major obstacle to big data acquisition from medical equipment. If a conventional data acquisition device with an external-network communication function is simply added to the hospital's internal network, the internal and external networks become directly connected, which creates a security risk for the hospital's equipment and, in particular, a serious risk to the data of the medical equipment. How to collect and use medical equipment data while guaranteeing data security has therefore become an urgent problem for the industry.
Disclosure of Invention
One purpose of the invention is to provide a device with network isolation that can acquire medical equipment data from the hospital's internal network without creating direct communication between the hospital's internal and external networks, thereby resolving the difficulty of acquiring big data from medical equipment.
To this end, according to one aspect of the invention, an acquisition device with a network isolation function is provided. It comprises a first data acquisition body, which includes: a first acquisition configuration module, used to perform a transmission configuration with the network isolation function and to obtain acquisition configuration information, where the acquisition configuration information includes the acquisition configuration for a target device; a data acquisition module, used to acquire data from the target device according to the transmission configuration of the first acquisition configuration module and the acquisition configuration information set according to that transmission configuration; and a first data sending module, used to output the data acquired by the data acquisition module. The first acquisition configuration module therefore connects only to the designated target device, which avoids the situation where several devices are matched at the same time, the acquired data is untargeted and subsequent transmission is hampered. The connection is established on the basis of mutually matched configuration information and the data is transmitted through the matched first data sending module, so that a sub-network is effectively established, high-risk data from the external network is isolated, and the data security of the medical equipment is protected.
In some embodiments, the acquisition device may further include a second data acquisition body, which may include: a second acquisition configuration module, configured to set communication configuration information for the second data acquisition body, where the communication configuration information includes acquisition body matching relationship information; a data receiving module, used to communicate with the first data acquisition body on the basis of the communication configuration information and to receive the data output by the first data sending module; and a second data sending module, used to transmit the data received by the data receiving module to the external network. In this case the transmission configuration with the network isolation function of the first acquisition configuration module is implemented by configuring the first data sending module so that it can communicate with the data receiving module in one direction only, transmitting data only from the first data sending module to the data receiving module; the acquisition configuration information then also includes acquisition body matching relationship information. Network isolation is thus established between the second data acquisition body and the first data acquisition body, the second acquisition configuration module obtains the data of the corresponding device in a targeted manner, and because the first data sending module communicates in one direction only, medical equipment data can be acquired from the hospital's internal network without creating direct communication between the internal and external networks; high-risk data of the external network is isolated and the data security of the medical equipment is protected.
In some embodiments, the communication between the first data sending module and the data receiving module is a Bluetooth-based unidirectional data transmission. The first data sending module is designed as the Bluetooth master device and the data receiving module as the Bluetooth slave device; only the master can connect to the slave, and data is written to the slave in one direction only, from the master. This realizes unidirectional data transmission from the internal network to the external network. Maintaining data security through this one-way transmission mode effectively isolates the second data acquisition body on the external network and prevents it from actively connecting to the internal network and performing malicious operations, which effectively protects the security of the internal network equipment data.
In some embodiments, the communication between the first data sending module and the data receiving module is a unidirectional data transmission based on FTP (File Transfer Protocol). The first data sending module is designed as an FTP client and the data receiving module as an FTP server; the connection is configured to be initiated only from the client to the server, and the data is controlled so that it is pushed from the client to the server in one direction only. This realizes one-way data transmission from the intranet to the extranet and effectively protects the security of the intranet equipment data. At the same time, since the first data acquisition body runs no server of any protocol (it is only an FTP client), no connection of any form can be initiated towards it from the external network, which effectively prevents intrusion by an external-network attacker.
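The push pattern above, as an added example that is not the patent's implementation. One caveat a practitioner should keep in mind: Bluetooth links, TCP connections and FTP sessions are all bidirectional at the link or transport layer (an FTP server replies to every client command), so the "one-way" property of the patent's variants is a policy the two endpoints enforce: only the intranet side opens connections, only files move outward, and the intranet side exposes no listening service. The example below replaces FTP with plain TCP on the loopback interface so that it runs offline, and makes the policy explicit at the socket level: the receiver gives up its write half with shutdown(SHUT_WR) immediately after accept(), so the receiver code path has no way to send anything back, and the collector gives up its read half. The frame format (length prefix plus SHA-256 digest, no acknowledgement) and the sample log lines are constructed for this example.

```python
"""One-way push channel: intranet collector -> external receiver.

Added example, not the patent's implementation. Plain TCP on loopback
stands in for FTP; the receiver enforces the one-way property by
closing its write half right after accept().
"""
from __future__ import annotations

import hashlib
import socket
import struct
import threading

# Constructed sample records standing in for device log lines.
SAMPLE_RECORDS = [
    b"2018-07-06 09:12:01 MRI-01 ERR coil temperature high",
    b"2018-07-06 09:12:05 MRI-01 INFO scan aborted by operator",
]


def frame(record: bytes) -> bytes:
    """Length-prefixed frame followed by a SHA-256 digest; nothing is acknowledged."""
    return struct.pack("!I", len(record)) + record + hashlib.sha256(record).digest()


def recv_exact(conn: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("sender closed mid-frame")
        buf += chunk
    return buf


class OneWayReceiver(threading.Thread):
    """Extranet side: accepts one connection and can never write to it."""

    def __init__(self) -> None:
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.records: list[bytes] = []
        self.rejected = 0                      # frames failing the digest check
        self.write_back_error: Exception | None = None

    def run(self) -> None:
        conn, _ = self.sock.accept()
        with conn:
            conn.shutdown(socket.SHUT_WR)      # this end can no longer send
            try:
                conn.sendall(b"hello collector")   # demonstrates that writing back fails
            except OSError as exc:
                self.write_back_error = exc
            while True:
                try:
                    (length,) = struct.unpack("!I", recv_exact(conn, 4))
                except ConnectionError:
                    break                      # collector closed: end of stream
                record = recv_exact(conn, length)
                digest = recv_exact(conn, 32)
                if hashlib.sha256(record).digest() == digest:
                    self.records.append(record)
                else:
                    self.rejected += 1
        self.sock.close()


def push_frames(port: int, frames: list[bytes]) -> int:
    """Intranet side: connects out, writes frames, never reads."""
    with socket.create_connection(("127.0.0.1", port)) as conn:
        conn.shutdown(socket.SHUT_RD)          # refuse anything coming back
        for f in frames:
            conn.sendall(f)
    return len(frames)


def run_demo(frames: list[bytes]) -> OneWayReceiver:
    receiver = OneWayReceiver()
    receiver.start()
    push_frames(receiver.port, frames)
    receiver.join(timeout=5)
    return receiver


if __name__ == "__main__":
    r = run_demo([frame(x) for x in SAMPLE_RECORDS])
    print(len(r.records), "records received,", r.rejected, "rejected")
    print("write-back attempt failed with:", repr(r.write_back_error))
```

The half-close is a belt-and-braces measure on top of the patent's client-only rule; the rule that actually keeps an attacker out is that the collector never listens, which is what the firewall and switching variants further below enforce.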
In some embodiments, the communication between the first data sending module and the data receiving module of the acquisition device is configured as a serial-port-based unidirectional data transmission. Unidirectional transmission is then realized on the physical connection through the serial port, and operation is simpler.
In some embodiments, the first data acquisition body may further include a connection control module comprising: a first connection control unit, connected to the target device and used to provide the channel through which the data acquisition module acquires data from the target device; a second connection control unit, connected to the external network and used to provide the channel through which the first data sending module transmits data to the external network; and a control switching unit, which generates a switching signal according to the transmission configuration with the network isolation function of the first acquisition configuration module and controls the on-off state of the first and second connection control units, where the first and second connection control units are configured so that they are never turned on at the same time under the control of the control switching unit. The acquisition state of the first data acquisition body and its connection to the external network can thus be controlled through the two connection control units, the data transmission mode becomes more flexible and easier to control, intrusion from the external network into the first data acquisition body is effectively prevented, and the security of the hospital equipment is protected.
In some embodiments, the transmission configuration with the network isolation function of the first acquisition configuration module in the acquisition device is implemented as: detecting the external network connection in real time, configuring the control switching unit to generate the switching signal according to the detected external network connection information, and controlling the on-off state of the first and second connection control units accordingly. The first acquisition configuration module can then control the type and state of the data transmission in a more timely manner, effectively isolate junk data from the external network, maintain the health of the data transmitted over the network, and protect the security and health of the equipment and the internal network.
In some embodiments, the transmission configuration with the network isolation function of the first acquisition configuration module in the acquisition device is implemented as: configuring an acquisition frequency for the target device, with the control switching unit configured to generate the switching signal according to the acquisition frequency and to control the on-off state of the first and second connection control units. Data is thus acquired from the target device in a time-shared isolation mode defined by the acquisition frequency, which effectively protects the data security of the equipment and allows timely early warning.
In some embodiments, the transmission configuration with the network isolation function of the first acquisition configuration module in the acquisition device is implemented as: configuring an independent communication network port between the first data acquisition body and the target device, with the data acquisition module configured to communicate with the target device over that independent communication network port and to acquire the data of the target device according to the acquisition configuration information, and with the first data sending module configured to connect to the external network and output the data acquired by the data acquisition module to it. Direct communication with the target device is thus realized through the configured independent communication network port; since the traffic does not pass through the intranet, data transmission is more secure, and no misoperation can cause the data of other devices on the intranet to be transmitted to the external network.
In some embodiments, the transmission configuration with the network isolation function of the first acquisition configuration module in the acquisition device is implemented as: configuring a firewall through which the first data acquisition body communicates with the target device, with the data acquisition module configured to communicate with the target device over the data channel defined by the firewall and to acquire the data of the target device according to the acquisition configuration information, and with the first data sending module configured to connect to the external network and output the data acquired by the data acquisition module to it. The firewall provides an effective security guarantee for the intranet: only the designated target device can be accessed during acquisition, the equipment data is acquired from the intranet more securely, and the data security problem caused by direct communication between the hospital's intranet and extranet is avoided.
In some embodiments, the first data acquisition body of the acquisition device further includes: a data preprocessing module, configured to process the target device data acquired by the data acquisition module and generate data to be processed; and a data caching module, used to cache the generated data to be processed in real time, with the first data sending module further used to obtain the data to be processed from the data caching module and output it. The target device data can thus be put into a uniform format by the data preprocessing module and the data caching module, which makes the transmission process more regular; the data caching module captures the current device data in real time, which ensures the stability of data transmission, prevents loss of valid data and protects the data security of the equipment.
In some embodiments, the second data acquisition body of the acquisition device further includes: a data processing module, configured to analyse the data received by the data receiving module and generate analysis data; a second data caching module, used to cache the generated analysis data in real time; and the second data sending module, used to obtain the analysis data from the second data caching module and transmit it to the external network. The data processing module of the second data acquisition body can thus analyse the uniformly formatted data, obtain the data types required by the analysis on the external network, and buffer the data to be processed, which ensures the integrity of the data and protects the data security of the equipment.
The invention also provides a data acquisition system with a network isolation function, which may comprise a data acquisition device and a remote server, where the data acquisition device acquires data from the target device and transmits it over the external network to the remote server for data storage and/or data analysis, and the data acquisition device is the acquisition device with the network isolation function described above. The data acquisition system can thus acquire medical equipment data from the hospital's internal network without creating a direct communication path between the hospital's internal and external networks; the designated target device is acquired effectively through the data acquisition device, and data security is effectively protected.
The invention also provides a network isolation method for data acquisition, which may comprise the following steps: configuring a data acquisition device with a network isolation function between the intranet where the target device is located and the extranet where the remote server is located; acquiring the target device data through the data acquisition device and outputting it to the external network; where the network isolation function of the data acquisition device is realized by performing a transmission configuration with the network isolation function and setting the acquisition configuration information according to that transmission configuration. The target device data can thus be acquired according to the configured data acquisition body, a sub-network is effectively established, high-risk data of the external network is isolated, and the data security of the medical equipment is protected.
In some embodiments of the above network isolation method, configuring a data acquisition device with a network isolation function between the intranet where the target device is located and the extranet where the remote server is located is implemented as follows: configuring a first data acquisition body and a second data acquisition body; connecting the first data acquisition body to the target device; connecting the second data acquisition body to the external network; and performing the transmission configuration and configuration setting on the first and second data acquisition bodies, where the configuration permits one-way communication only, the direction being that the second data acquisition body can only receive data sent by the first data acquisition body. Network isolation is thus established through the configured first and second data acquisition bodies, and their one-way communication makes it possible to acquire medical equipment data from the hospital's internal network without creating direct communication between the internal and external networks, so that high-risk data of the external network is isolated and the data security of the medical equipment is protected.
In some embodiments of the network isolation method, configuring a data acquisition device with a network isolation function between the intranet where the target device is located and the extranet where the remote server is located is implemented as follows: configuring a first data acquisition body; configuring a switching signal that controls the on-off state of the network connections of the first data acquisition body; connecting one end of the first data acquisition body to the target device and the other end to the external network; and controlling the on-off state of the two ends according to the switching signal so that only one end is connected at any time. The acquisition state of the first data acquisition body and its connection to the external network can thus be controlled by the switching signal, the data transmission mode becomes more flexible and easier to control, and when high-risk junk data enters the internal network the damage can be stopped in time and the harmful data isolated.
In some embodiments of the above network isolation method, the switching signal is configured to be generated either according to the external network connection state detected in real time or according to the data acquisition frequency of the first data acquisition body towards the target device. With the switching signal generated from real-time detection of the external network connection, the type and state of the data transmission can be controlled in a more timely manner, junk data from the external network is effectively isolated, the health of the data transmitted over the network is maintained, and the security and health of the equipment and the internal network are protected. With the acquisition frequency configured, data is acquired from the target device in a time-shared isolation mode, the security of the target data can be monitored continuously, the data security of the equipment is effectively protected, and early warning is given in time.
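The control switching unit of the device embodiments above (the two connection control units that are never on at the same time) and the two ways of generating its switching signal described in the method embodiments (real-time detection of the external network, or the acquisition frequency), as one added example. This is illustrative code written for this page, not the patent's implementation. It models the two links as booleans, switches them break-before-make so that no intermediate state has both on, records every elementary state change so the invariant can be checked at each step, and runs a schedule-driven simulation in which readings taken while the device link is on are cached and flushed once the extranet link is on. The link names, schedule parameters and sample readings are assumptions.

```python
"""Time-shared link switching for a single-body collector.

Added example, not the patent's implementation. A device-side link and
an extranet-side link are never on together, so there is never a path
from the external network to the target device.
"""
from __future__ import annotations

from dataclasses import dataclass, field

DEVICE, EXTRANET, NONE = "DEVICE", "EXTRANET", "NONE"   # switching signals


def signal_from_schedule(t: int, period: int, window: int) -> str:
    """Acquisition-frequency variant: the device link is on for `window`
    seconds at the start of every `period` seconds, the extranet link otherwise."""
    if period <= 0 or not 0 < window < period:
        raise ValueError("need 0 < window < period")
    return DEVICE if (t % period) < window else EXTRANET


def signal_from_extranet_state(extranet_reachable: bool) -> str:
    """Real-time-detection variant: while the external network is
    reachable, the device link must be off."""
    return EXTRANET if extranet_reachable else DEVICE


@dataclass
class LinkSwitch:
    device_on: bool = False
    extranet_on: bool = False
    # (device_on, extranet_on) after every elementary change, so that the
    # invariant can be checked at intermediate steps, not just at the end.
    history: list[tuple[bool, bool]] = field(default_factory=list)

    def _set(self, device: bool | None = None, extranet: bool | None = None) -> None:
        if device is not None:
            self.device_on = device
        if extranet is not None:
            self.extranet_on = extranet
        assert not (self.device_on and self.extranet_on), "both links on"
        self.history.append((self.device_on, self.extranet_on))

    def apply(self, signal: str) -> None:
        """Break-before-make: drop the other link before raising the requested one."""
        if signal == DEVICE:
            self._set(extranet=False)
            self._set(device=True)
        elif signal == EXTRANET:
            self._set(device=False)
            self._set(extranet=True)
        elif signal == NONE:
            self._set(device=False, extranet=False)
        else:
            raise ValueError(f"unknown switching signal {signal!r}")


@dataclass
class Collector:
    switch: LinkSwitch = field(default_factory=LinkSwitch)
    cache: list[str] = field(default_factory=list)     # data caching module
    uploaded: list[str] = field(default_factory=list)  # what reached the extranet

    def step(self, signal: str, device_reading: str | None) -> None:
        self.switch.apply(signal)
        if self.switch.device_on and device_reading is not None:
            self.cache.append(device_reading)        # acquire while isolated
        if self.switch.extranet_on and self.cache:
            self.uploaded.extend(self.cache)         # flush while device link is off
            self.cache.clear()


def simulate_schedule(readings: list[str], period: int, window: int) -> Collector:
    """Feed one reading per second through the schedule-driven switch."""
    c = Collector()
    for t, reading in enumerate(readings):
        c.step(signal_from_schedule(t, period, window), reading)
    return c


def never_both_on(switch: LinkSwitch) -> bool:
    return all(not (d and e) for d, e in switch.history)


if __name__ == "__main__":
    sample = [f"MRI-01 reading {i}" for i in range(10)]   # constructed readings
    c = simulate_schedule(sample, period=5, window=2)
    print("uploaded:", c.uploaded)
    print("invariant held:", never_both_on(c.switch))
```

The simulation also makes the cost of time-sharing visible: readings produced while the device link is down are not captured, so the acquisition window has to be sized to the device's log rate.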
In some embodiments of the network isolation method, configuring a data acquisition body with a network isolation function between the intranet where the target device is located and the extranet where the remote server is located is implemented as follows: configuring an independent communication network port on the target device; and configuring a first data acquisition body that communicates directly with that independent communication network port. Direct communication with the target device is thus realized through the configured independent communication network port; since the traffic does not pass through the intranet, data transmission is more secure, and no misoperation can cause the data of other devices on the intranet to be transmitted to the external network.
In some embodiments of the network isolation method, configuring a data acquisition body with a network isolation function between the intranet where the target device is located and the extranet where the remote server is located is implemented as follows: configuring a first data acquisition body; and configuring a firewall between the target device and the first data acquisition body so that the first data acquisition body communicates with the target device over the data channel defined by the firewall. The firewall provides an effective security guarantee for the intranet: only the designated target device can be accessed during acquisition, the equipment data is acquired from the intranet more securely, and the data security problem caused by direct communication between the hospital's intranet and extranet is avoided.
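The "data channel defined by the firewall" of the device and method embodiments above, together with the independent-port variant, as one added example. This is not the patent's code and not a real firewall: it is a Python model of the policy that a host firewall on the collector (or a firewall placed between collector and device, as the method embodiment puts it) would enforce, so that the policy can be reviewed against constructed connection attempts. Exactly two outbound flows are allowed, one to the target device and one to the receiver; every inbound connection and any forwarding between the two interfaces is dropped, which is what keeps the intranet and the extranet from communicating directly. The interface names, addresses and ports are assumptions.

```python
"""Allow-list data channel between the collector and its target device.

Added example, not the patent's implementation and not a real firewall:
a model of the rules so they can be checked against sample flows.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed topology: one collector interface towards the target device
# (the device's "independent communication network port"), one towards
# the external network. All names and addresses are assumptions.
DEV_IF, EXT_IF = "dev0", "ext0"
COLLECTOR_DEV_IP = "10.10.0.2"
TARGET_DEVICE = "10.10.0.1"
COLLECTOR_EXT_IP = "192.0.2.10"
RECEIVER = "198.51.100.5"
FTP_PORT = 21


@dataclass(frozen=True)
class Flow:
    """First packet of a new connection as the firewall sees it."""
    iface: str            # interface the packet arrives on or leaves by
    direction: str        # "out": initiated by the collector, "in": towards it
    src: str
    dst: str
    dport: int
    forwarded: bool = False   # would be routed from one interface to the other


@dataclass(frozen=True)
class Rule:
    iface: str
    direction: str
    src: str              # CIDR
    dst: str              # CIDR
    dport: int
    action: str

    def matches(self, f: Flow) -> bool:
        return (self.iface == f.iface and self.direction == f.direction
                and self.dport == f.dport
                and ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst))


def build_policy() -> list[Rule]:
    """Exactly two outbound channels; everything else hits the default deny."""
    return [
        Rule(DEV_IF, "out", f"{COLLECTOR_DEV_IP}/32", f"{TARGET_DEVICE}/32", FTP_PORT, "ACCEPT"),
        Rule(EXT_IF, "out", f"{COLLECTOR_EXT_IP}/32", f"{RECEIVER}/32", FTP_PORT, "ACCEPT"),
    ]


def evaluate(policy: list[Rule], flow: Flow) -> str:
    """First-match evaluation with default deny and no forwarding at all."""
    if flow.forwarded:
        return "DROP"     # the collector never routes between its interfaces
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "DROP"


# Constructed connection attempts a reviewer would want to check.
SAMPLE_FLOWS = {
    "collect from target device": Flow(DEV_IF, "out", COLLECTOR_DEV_IP, TARGET_DEVICE, FTP_PORT),
    "push to receiver": Flow(EXT_IF, "out", COLLECTOR_EXT_IP, RECEIVER, FTP_PORT),
    "collect from another intranet host": Flow(DEV_IF, "out", COLLECTOR_DEV_IP, "10.10.0.7", FTP_PORT),
    "target device connects to collector": Flow(DEV_IF, "in", TARGET_DEVICE, COLLECTOR_DEV_IP, 22),
    "receiver connects to collector": Flow(EXT_IF, "in", RECEIVER, COLLECTOR_EXT_IP, FTP_PORT),
    "extranet host reaches device via collector": Flow(EXT_IF, "in", "203.0.113.9", TARGET_DEVICE, FTP_PORT, forwarded=True),
}


def audit(policy: list[Rule]) -> dict[str, str]:
    return {name: evaluate(policy, flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in audit(build_policy()).items():
        print(f"{verdict:6} {name}")
```

When the real ruleset is written (nftables, iptables or an appliance), the same six flows make a useful acceptance test: the first two must be accepted and the other four dropped, with "receiver connects to collector" the case most often got wrong, since the receiver is a trusted peer for outbound traffic but must still not be able to open anything inbound.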
In some embodiments, before the acquired target device data is transmitted to the external network, the method further includes: processing and caching the acquired target device data to generate data suitable for reading by the remote server. Processing the acquired target device data thus produces data that better matches the remote server, so that the remote server obtains more complete data and subsequent data analysis is easier.
Drawings
Fig. 1 is a block diagram of an acquisition device with network isolation function according to an embodiment of the present invention;
Fig. 2 is a block diagram of a specific implementation example of a transmission configuration with a network isolation function for an acquisition device according to an embodiment of the present invention;
Fig. 3 is a block diagram of a specific implementation example of a transmission configuration with a network isolation function for an acquisition device according to another embodiment of the present invention;
Fig. 4 is a block diagram of a specific implementation example of a transmission configuration with a network isolation function for an acquisition device according to still another embodiment of the present invention;
Fig. 5 is a block diagram of a specific implementation example of a transmission configuration with a network isolation function for an acquisition device according to still another embodiment of the present invention;
Fig. 6 is a system frame diagram of a data acquisition system with network isolation according to an embodiment of the present invention;
Fig. 7 is a flow chart of a network isolation method for data acquisition according to an embodiment of the present invention;
Fig. 8 is a flow chart of a network isolation method for data acquisition according to another embodiment of the present invention;
Fig. 9 is a flow chart of a network isolation method for data acquisition according to yet another embodiment of the present invention;
Fig. 10 is a flow chart of a network isolation method for data acquisition according to another embodiment of the present invention;
Fig. 11 is a flow chart of a network isolation method for data acquisition according to another embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the accompanying drawings.
Fig. 1 schematically illustrates an acquisition device with network isolation according to an embodiment of the invention. As shown in the figure, the device includes a data acquisition body 2, whose internal structure may include an acquisition configuration module 201 used to perform a transmission configuration with the network isolation function and to set the acquisition configuration information according to that transmission configuration. The transmission configuration with the network isolation function may be implemented in a variety of ways; specific embodiments are described in more detail below in connection with Figs. 2 to 5. The acquisition configuration information set according to the transmission configuration includes at least the acquisition configuration for the target device, for example: the ID or IP address of the target device 1, the log file path and file name on the target device 1, and the file acquisition method for the target device 1 (which may be ftp, ssh, telnet, file sharing, etc.). The configuration information of the target device 1 may be entered manually by a user on the data acquisition body, entered through a human-machine interface or a configuration web page, or obtained from a database by connecting to a cloud server (the user enters the user name, password and IP address of the cloud server on the data acquisition body, which then connects to the cloud server through a data communication module attached to the external network, such as 3G, 4G, WiFi or Ethernet, and obtains the configuration information).
As shown in Fig. 1, the data acquisition body 2 may further include a data acquisition module 202, configured to acquire data from the target device 1 according to the transmission configuration and the acquisition configuration information set by the acquisition configuration module (the data acquired on demand may include, for example, fault log data, operation log data, basic parameters and key sub-component parameters of the device). Acquiring the relevant data of the target device 1 according to the user's needs gives a comprehensive and systematic picture of the current operating condition of the device and helps staff obtain the correct log data for timely maintenance and repair. In the implementation where the configuration information is obtained from a database by connecting to the cloud server, once the data acquisition module 202 can read data normally from the target device according to the configuration information, it returns a confirmation of successful connection to the acquisition configuration module, which automatically deletes the IP address, user name and password of the cloud server on receipt of that confirmation. The network connection between the data acquisition body and the cloud server is thereby severed, which ensures that the data acquisition body 2 is disconnected from the external network during the subsequent acquisition process. As shown in Fig. 1, the data acquisition body 2 may further include a data sending module 205, configured to output the data acquired by the data acquisition module 202.
In the embodiment of the present invention, when the data sending module 205 outputs data, data communication is performed according to the transmission configuration of the acquisition configuration module and the set acquisition configuration information. According to that configuration, the data sending module 205 keeps the internal network and the external network isolated while sending, so that the target device 1 is effectively isolated from the external network: during transmission, data is only taken out of the internal network, and data from the external network cannot enter the internal network. This protects the security of the target device 1 and of the local area network of the hospital where the target device 1 is located, and avoids the data security problems caused by direct communication between the hospital's internal and external networks.
In other preferred embodiments, the system may further include a data preprocessing module and a data buffering module. After receiving the data of the target device 1, the data preprocessing module processes it: it adjusts the arrangement sequence of the data of the target device 1, performs an integrity check on the log data, divides the data according to type and the like, and adds metadata (such as device ID, timestamp, line number, etc.) to the data of the target device 1; the data to be processed is generated and output after this processing. The data caching module caches the continuously updated data of the target device 1, so that the integrity of the acquired data is guaranteed.
Fig. 2 schematically illustrates a specific implementation example of a transmission configuration with a network isolation function for an acquisition device according to an embodiment. As shown in fig. 2, in this implementation example the transmission configuration with a network isolation function is realized by arranging the data acquisition body 2 as a first data acquisition body 21 and a second data acquisition body 3. That is, the acquisition device with a network isolation function in this embodiment comprises a first data acquisition body 21 and a second data acquisition body 3, where the first data acquisition body 21 is connected to the intranet where the target device is located so as to acquire data from the target device, and the second data acquisition body 3 is connected to the first data acquisition body 21 on one side and to the external network on the other, and is used to transmit the acquired data of the target device to the external network. As shown in fig. 2, in the present embodiment the internal structure of the first data acquisition body 21 includes: a first acquisition configuration module 2011, a data acquisition module 202, and a first data transmission module 2051.
The first data acquisition configuration module 201 is configured to perform the transmission configuration of the first data acquisition body 21 and to set the acquisition configuration information. The transmission configuration in this embodiment restricts the first data acquisition body 21 to unidirectional communication with the second data acquisition body 3 only, where unidirectional means that data can flow only from the first data acquisition body 21 to the second data acquisition body 3. In this embodiment the transmission configuration may be implemented with a conventional technology such as bluetooth, so it is not described in detail here; those skilled in the art will understand that any communication manner in the prior art capable of unidirectional transmission may be regarded as one of the specific embodiments of the present invention. In this embodiment, the set acquisition configuration information includes the acquisition configuration information of the target device 1 and the connection relationship configuration information between the target device 1 and the second data acquisition body 3. The content and setting manner of the acquisition configuration information may follow the configuration manner shown in fig. 1. The connection relationship configuration information with the second data acquisition body 3 includes matching relationship information between the acquisition bodies; for example, a connection identifier of the second data acquisition body 3 is stored, through which the first data acquisition body 21 can find and identify the second data acquisition body 3 and establish a connection with it, so that data can be transmitted from the first data acquisition body 21 to the second data acquisition body 3. The specific content of the connection identifier depends on the communication mode between the two data acquisition bodies. For example, when a bluetooth connection is used between them, the matching relationship information stored in the first data acquisition body 21 is the bluetooth pairing name and bluetooth device id of the second data acquisition body 3, which is sufficient for the two bodies to be matched. The data acquisition module 202 is configured to acquire the data of the target device 1 according to the set acquisition configuration information, that is, to acquire the corresponding log file data from the target device according to the device ID or IP, the file path and the file acquisition mode defined by the acquisition configuration information. The acquired content may be the various data described above, or other data defined according to the user requirement; any data that conforms to the configured file path and file acquisition mode can be acquired from that path by the corresponding file acquisition mode.
The first data sending module 2051 is configured to output the data acquired by the data acquisition module 202 to the second data acquisition body 3 according to the connection matching information between the acquisition bodies in the transmission configuration and the acquisition configuration information: it establishes a connection with the corresponding second data acquisition body 3 according to the connection matching information, and then transmits the data acquired by the data acquisition module unidirectionally to the second data acquisition body 3 according to the unidirectional transmission configuration. The second data acquisition body 3 comprises: a second acquisition configuration module 301, a data receiving module 302 and a second data transmitting module 305. The second collection configuration module 301 is configured to set communication configuration information for the second data collection body 3, where the communication configuration information includes the device matching relationship information of the first data collection body 3 (which may be matching relationship information of two collection bodies connected through a handshake protocol or a network protocol). The specific setting manner may be input through a human-computer interface, input through a configuration web page, and/or acquired from a database through an automatic connection to a cloud server (the cloud server is connected only during the configuration process and may be disconnected once configuration is complete). In use, the second data acquisition body 3 is placed in the extranet and the first data acquisition body 21 is then matched with the second data acquisition body 3. The data receiving module 302 is configured to communicate with the first data acquisition body 2 based on the above communication configuration information, and can only receive the data transmitted by the first data transmitting module 203.
The second data sending module 303 is configured to transmit the data received by the data receiving module 302 to the external network. In this embodiment, the first data sending module may be implemented as a bluetooth sending module (e.g. designed as a bluetooth master device), the data receiving module may be implemented as a bluetooth receiving module (e.g. designed as a bluetooth slave device, where a connection to the slave device can only be initiated from the master device and data is written into the slave device from the master device in a unidirectional manner), and the second data sending module may be implemented to transmit data to a cloud server on the external network over a 3G, 4G, wifi or ethernet connection, which may follow the network connection and data transmission manner of an existing data acquisition box. According to this embodiment, a unidirectional data transmission channel between the internal network and the external network is established by arranging the first data acquisition body and the second data acquisition body in unidirectional communication. This unidirectional transmission mode can be used to acquire medical equipment data from the hospital's internal network while avoiding direct communication between the hospital's internal and external networks; high-risk data from the external network is isolated, the data safety of the medical equipment is protected, functions such as isolating junk data from the external network are effectively achieved, and the data safety of the hospital's local area network is protected.
In other embodiments, the first data sending module may be implemented as a serial port sending module and the data receiving module as a serial port receiving module. Specifically, both modules are implemented as serial communication ports (following implementations in the prior art) and are connected through serial transmission lines such as RS232. To achieve unidirectional data transmission over the serial port, the transmission lines are further processed before the first data sending module and the data receiving module are connected through the RS232 serial lines: the line that would carry data from the data receiving module back to the first data sending module is removed, so that only one transmission line for unidirectional data transmission remains in the data transmission lines. Compared with a communication manner configured with bluetooth, unidirectional data transmission is therefore truly enforced physically, and security is higher.
In other embodiments, the first data sending module may be implemented as a file transfer protocol client and the data receiving module as a file transfer protocol server. Specifically, the first data sending module and the data receiving module communicate based on a file transfer protocol (following implementations in the prior art), so that a connection to the file transfer protocol server can only be initiated by the file transfer protocol client, and data transmission is controlled to run unidirectionally from the client to the server. This implements unidirectional data transmission from the intranet to the extranet and effectively protects the security of the intranet device data. At the same time, since the first data acquisition body runs no server of any protocol, no form of connection can be initiated toward it from the external network, so that intrusion by an external network hacker is effectively prevented.
As a preferred embodiment, a data processing module and a data buffering module may be further configured in the collecting device, so that the data acquired from the target device is analyzed and processed to meet the user's data requirement. Moreover, because the network transmission mode from the target device 1 to the first data acquisition body 21 is a gigabit or hundred-megabit network, the transmission mode from the first data acquisition body 21 to the second data acquisition body 3 is bluetooth or a gigabit or hundred-megabit network, and the network transmission mode from the second data acquisition body 3 to the external network is 3G, 4G or WIFI, arranging the data buffer module eliminates the transmission mismatch caused by these different network rates and also overcomes the problem of data loss during transmission. As shown in fig. 2, as a preferred embodiment, the first data acquisition body 21 includes a data preprocessing module 203 and a data buffering module 204, where the data preprocessing module 203 is configured to process the data of the target device acquired by the data acquisition module and generate the data to be processed, and the data caching module 204 is configured to cache the generated data to be processed in real time. After the data of the target device 1 has been acquired, the data preprocessing module 203 receives it and processes it, specifically: it adjusts the arrangement sequence of the data of the target device 1, performs an integrity check on the log data, divides the data according to type and the like, adds metadata (such as device ID, timestamp, line number and the like) to the data of the target device 1, and then outputs the processed data generated by these steps.
The data buffering module 204 buffers the data to be processed of the target device 1, which the data preprocessing module 203 updates and outputs continuously, so that when the first data sending module transmits, it outputs the data held in the data buffering module 204. Similarly, as shown in fig. 2, the second data acquisition body 3 further includes a data processing module 303 and a second data buffer module 304. The data processing module 303 is configured to analyze the received data to be processed, for example by format conversion, so that the data is converted into the file format required by external analysis (such as analysis by a cloud server) and output as analysis data, allowing an external server to acquire and analyze the data of the target device 1 in the required format. In addition, as analysis data is produced by the data processing module 303, it is buffered in real time by the second data buffering module 304, so that when the second data transmitting module transmits, it outputs the data held in the second data buffering module 304 to the external network and data loss is avoided.
It should be understood by those skilled in the art that in other embodiments the data processing module, the data preprocessing module and the data buffering module may be omitted, or only the data buffering module may be provided while the data processing module and/or the data preprocessing module are omitted (in which case the data buffering module directly buffers the acquired data to avoid the transmission mismatch caused by the different data transmission rates of the networks). The arrangement of these modules may be flexibly combined or removed according to the user requirements.
Fig. 3 schematically shows a block diagram of a specific implementation example of a transmission configuration with a network isolation function for an acquisition device according to another embodiment of the present invention. As shown in fig. 3, the collecting device with the network isolation function comprises a first data collecting body 21, which includes a first collecting configuration module 201, a data collecting module 202, a data preprocessing module 203, a data caching module 204, a connection control module 4 and a first data sending module 2051; the specific implementations of the data collecting module 202, the data preprocessing module 203 and the data caching module 204 may follow the corresponding modules of the first data collecting body 21 shown in fig. 2. The first acquisition configuration module 201 is configured to perform the transmission configuration of the first data acquisition body 21 and to set the acquisition configuration information, where the setting manner and content of the acquisition configuration information in this embodiment are as described above. The transmission configuration is implemented by taking the IP of the target device from the acquisition configuration information and the IP of the first data acquisition body 21 as filtering condition parameters. The connection control module 4 includes a first connection control unit 401, a second connection control unit 402 and a control switching unit 403. The control switching unit 403 is configured to detect external network connections in real time according to the filtering condition parameters, to treat any network connection that does not match the filtering condition parameters as an external network connection, and to generate a switching signal from the detected external network connection information that controls the connection and disconnection of the first connection control unit 401 and the second connection control unit 402. The first connection control unit 401 is connected to the target device 1 and provides the channel through which the data acquisition module 202 acquires data from the target device 1; the second connection control unit 402 is connected to the external network and provides the channel through which the first data sending module 2051 transmits data to the external network. The dynamic connection of the first connection control unit 401 and the second connection control unit 402 to the target device 1 and the external network is realized by the control switching unit 403, which connects or disconnects the network according to the detection result. The control logic by which the control switching unit 403 connects or disconnects the network may be implemented by a software program or by hardware such as circuit control. For example, the control switching unit 403 may use the netstat command of a Linux operating system to list all connections established with the data acquisition box; after filtering out the acquisition box's own IP and the target device IP according to the filtering condition parameters, the remaining connections are those from the external network. When an external network connection is detected, the ifdown < intranet port name > command of the Linux system on the first data acquisition body 21 may be used to cut off the intranet port; when the control switching unit 403 detects that no external network connection exists, the intranet port may be restored using the ifup < intranet port name > command of the Linux system.
According to the above control principle, in use, once the control switching unit 403 detects that the active connection from the external network has been disconnected, it controls the first connection control unit 401 to connect to the target device 1 on the internal network, so that the internal network and the external network are never connected at the same time. In a preferred embodiment, after the control switching unit 403 has detected active connections from the external network multiple times, it may also send a network intrusion alert to the operator, for example by an audible alarm, an LED indication, or a message to a preset terminal device, and the operator intervenes to resolve the intrusion. Data transmission is therefore safer, and external disturbance is completely isolated during the data transmission process. It should be noted that in this embodiment the first connection control unit 401 and the second connection control unit 402 may be existing communication modules, for example a bluetooth module or a network card module, and the control switching unit 403 switches the network on and off for the first connection control unit 401 and the second connection control unit 402 according to the detection result.
In another embodiment, the transmission configuration in the first acquisition configuration module 201 may further set the acquisition frequency for the data of the target device 1 (which may be preset manually or learned from machine experience). In this embodiment, the control switching unit 403 is configured to read the acquisition frequency and keep time, generate the switching signal according to the acquisition frequency, and switch the first connection control unit 401 and the second connection control unit 402 on and off accordingly. For example, if the transmission configuration sets the acquisition frequency to once per hour, the control switching unit 403 restores the intranet port at each scheduled point using the ifup < intranet port name > command of the Linux system on the first data acquisition body 21, and after the data has been acquired cuts the intranet port off again using the ifdown < intranet port name > command of the Linux system. In this way, the control switching unit 403 switches the first connection control unit 401 and the second connection control unit 402 on and off according to the acquisition frequency preset in the first acquisition configuration module 201, achieving time-shared acquisition of the data of the target device 1, continuous monitoring of the data security of the target device, effective protection of the device's data security, and timely early warning.
It should be noted that in the embodiment that uses Linux system commands for network on-off control, the switching signal generated by the control switching unit is the Linux system command itself. In other implementations, the generated switching signal may be another kind of signal, such as a level signal or a character signal, depending on the specific implementation.
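As an added illustration (not code from the patent), the following POSIX shell script expresses the control switching unit's logic from the fig. 3 embodiments: filter `netstat`-style connection lines by the two filtering condition parameters, cut the intranet port with ifdown while an external connection exists, restore it with ifup otherwise, alert after repeated detections, and open the port only around a scheduled acquisition. The IP addresses, port name, threshold and netstat sample are constructed, and DRY_RUN=1 prints the ifdown/ifup commands instead of executing them.

```shell
#!/bin/sh
# Added example, not code from the patent. Connection data is supplied as
# constructed `netstat -tn` style text so the script runs offline; on the
# acquisition box itself the output of `netstat -tn` would be passed in and
# DRY_RUN set to 0.

BOX_IP="10.0.0.5"       # constructed: IP of the first data acquisition body
TARGET_IP="10.0.0.20"   # constructed: IP of the target device
INTRANET_IF="eth0"      # constructed: intranet port name used with ifdown/ifup
DRY_RUN=1               # 1 = print ifdown/ifup instead of executing them
ALERT_THRESHOLD=3       # consecutive detections before the intrusion alert
DETECTIONS=0            # counter behind the "detected multiple times" alert
INTRANET_STATE="up"

# Constructed sample: one connection to the target device and one from an
# address that matches neither filtering condition parameter.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:40212          10.0.0.20:22            ESTABLISHED
tcp        0      0 10.0.0.5:8080           203.0.113.7:51544       ESTABLISHED'

# Print the peer endpoints of established TCP connections whose peer IP is
# neither the box nor the target device (IPv4 only, as in the sample).
external_connections() {
    printf '%s\n' "$1" | awk -v box="$BOX_IP" -v target="$TARGET_IP" '
        $1 == "tcp" && $6 == "ESTABLISHED" {
            split($5, peer, ":")
            if (peer[1] != box && peer[1] != target) print $5
        }'
}

count_external() {
    external_connections "$1" | wc -l | tr -d ' '
}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "[dry-run] $*"; else "$@"; fi
}

# One detection cycle over a netstat snapshot: cut the intranet port while any
# external connection exists, restore it when none is left, and alert after
# ALERT_THRESHOLD consecutive detections.
switch_intranet() {
    if [ "$(count_external "$1")" -gt 0 ]; then
        DETECTIONS=$((DETECTIONS + 1))
        if [ "$INTRANET_STATE" = "up" ]; then
            run ifdown "$INTRANET_IF"
            INTRANET_STATE="down"
        fi
        if [ "$DETECTIONS" -ge "$ALERT_THRESHOLD" ]; then
            echo "ALERT: external connection detected $DETECTIONS times" >&2
        fi
    else
        DETECTIONS=0
        if [ "$INTRANET_STATE" = "down" ]; then
            run ifup "$INTRANET_IF"
            INTRANET_STATE="up"
        fi
    fi
}

# Time-shared acquisition (the acquisition-frequency embodiment): open the
# intranet port, run the acquisition command, then cut the port off again.
timed_acquire() {
    run ifup "$INTRANET_IF"
    INTRANET_STATE="up"
    "$@"
    run ifdown "$INTRANET_IF"
    INTRANET_STATE="down"
}

# Demonstration on the constructed snapshot.
switch_intranet "$SAMPLE_NETSTAT"
echo "intranet state after detection: $INTRANET_STATE"
timed_acquire echo "[dry-run] acquiring log files from $TARGET_IP"
```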
Fig. 4 schematically shows a block diagram of a specific example of a transmission configuration with a network isolation function for an acquisition device according to another embodiment of the present invention. As shown in fig. 4, the data collection device of this embodiment includes a first data collection body 21, which includes a first collection configuration module 2011, a data collection module 202, a data preprocessing module 203, a data buffering module 204 and a first data sending module 2051; the specific implementations of the data preprocessing module 203, the data buffering module 204 and the first data sending module 2051 are the same as above. The difference is that in this embodiment the transmission configuration by which the first acquisition configuration module 2011 realizes the network isolation function consists of configuring an independent communication network between the first data acquisition body 2 and the target device 1 and establishing communication between them through the independent communication network port 5 (when the independent communication network port is connected to the target device 1, hardware such as a network card or a usb port needs to be added to the target device 1). The manner of setting the acquisition configuration information of the first acquisition configuration module, and its content, may follow the foregoing.
In this embodiment, the data acquisition module 202 is configured to communicate with the target device 1 through the independent communication port 5 and to contact the target device 1 directly according to the acquisition configuration information in order to acquire its data. The first data acquisition body 21 and the target device 1 are therefore connected one to one without passing through the intranet; the data of the target device 1 can be obtained, network separation is effectively established, high-risk data from the external network is isolated, and the data security of the medical device is protected.
FIG. 5 schematically shows a block diagram of a specific example of a transmission configuration with network isolation for an acquisition device according to another embodiment of the present invention. As shown in FIG. 5, the data collection device of this embodiment includes a first data collection body 21, which includes a first collection configuration module 2011, a data collection module 202, a data preprocessing module 203, a data buffering module 204 and a first data sending module 2051; the specific implementations of the data preprocessing module 203, the data buffering module 204 and the first data sending module 2051 are the same as above. The difference is that in the present embodiment the transmission configuration by which the first acquisition configuration module 2011 realizes the network isolation function consists of configuring a firewall 6 between the first data acquisition body 2 and the target device 1. The data acquisition module 202 is configured to communicate with the target device 1 through the data channel defined by the firewall and to acquire the data of the target device 1 according to the acquisition configuration information, and the first data transmission module 2051 is configured to connect to the external network and output the data acquired by the data acquisition module 202 to it. The firewall may be configured before use by logging in to its settings page (the login procedure follows the firewall's usage specification, generally a network cable connection and a browser), entering the security policy settings page, setting the IP address and the accessible port of the target device (the port is chosen according to the file acquisition mode and the port provided by the target device, for example 21 for ftp, 22 for ssh, 23 for telnet, etc.), setting the IP address of the first data acquisition body, and setting the security policy so that the first data acquisition body can only access the IP of the target device and only the designated port of the target device.
Thus, when the first data collection body 21 and the target device 1 are connected and data is transmitted, all access between the first data collection body 21 and the target device 1 passes through the firewall 6, so that the communication channel between them is limited to the communication interface set by the firewall security policy. The data collection box can therefore only access the designated port of the designated target device 1; it cannot access other ports of the target device 1, nor any device other than the target device 1. All data collected by the data collection box can be monitored through the firewall 6, so the data collection box obtains only the log files of the target device 1, namely the fault log data, operation log data, basic parameters and key sub-component parameters of the device, and no other unrelated data.
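As an added example (not from the patent, whose firewall 6 is a separate appliance configured through its own web page), the following POSIX shell script expresses the fig. 5 security policy in code: a check function that allows only the target device's IP on the port of the configured file acquisition mode, and the equivalent nftables egress ruleset for the intranet port, assuming the same policy were enforced on the acquisition body itself with nft. The target IP, interface name and acquisition mode are constructed.

```shell
#!/bin/sh
# Added example, not code from the patent. policy_allows mirrors the firewall
# security policy described for fig. 5; render_nft_ruleset prints (does not
# apply) an nftables ruleset that enforces the same policy on the intranet
# port of the acquisition body. Values below are constructed.

TARGET_IP="10.0.0.20"   # constructed: IP of the target device 1
INTRANET_IF="eth0"      # constructed: intranet-facing port of the body
ACQ_MODE="ssh"          # configured file acquisition mode (ftp, ssh or telnet)

# Map the file acquisition mode to the port the target must expose, using
# the 21-ftp, 22-ssh, 23-telnet pairing given in the description.
mode_port() {
    case "$1" in
        ftp)    echo 21 ;;
        ssh)    echo 22 ;;
        telnet) echo 23 ;;
        *) echo "unknown acquisition mode: $1" >&2; return 1 ;;
    esac
}

# Return 0 (allowed) only for the target IP on the designated port; any
# other port of the target and any other host are denied.
policy_allows() {
    dst="$1"
    port="$2"
    [ "$dst" = "$TARGET_IP" ] && [ "$port" = "$(mode_port "$ACQ_MODE")" ]
}

# Emit the equivalent nftables egress ruleset for the intranet port only;
# the extranet-facing port is left untouched. Logged drops give the operator
# the monitoring view the description attributes to the firewall.
render_nft_ruleset() {
    port="$(mode_port "$ACQ_MODE")" || return 1
    cat <<EOF
table inet acquisition_policy {
    chain output {
        type filter hook output priority 0; policy accept;
        oifname "$INTRANET_IF" ip daddr $TARGET_IP tcp dport $port accept
        oifname "$INTRANET_IF" log prefix "acq-policy-drop: " drop
    }
}
EOF
}

# Demonstration: probe the policy with the designated port, another port of
# the target, and another host, then print the ruleset.
for probe in "$TARGET_IP 22" "$TARGET_IP 80" "10.0.0.21 22"; do
    set -- $probe
    if policy_allows "$1" "$2"; then
        echo "allow $1:$2"
    else
        echo "deny  $1:$2"
    fi
done
render_nft_ruleset
```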
Fig. 6 schematically illustrates a data acquisition system with network isolation according to an embodiment of the invention. As shown, the data acquisition system with the network isolation function comprises a data acquisition device 7 and a remote server 8. The data acquisition device 7 acquires data (fault log data, operation log data, basic parameters and key sub-component parameters of the equipment) from the target equipment 1 and transmits it through the external network to the remote server 8 for data storage and/or data analysis; the data acquisition device may be any of the acquisition devices with a network isolation function described above. The system can collect medical equipment data from the hospital's internal network without creating direct communication between the hospital's internal and external networks, collects only the designated target equipment through the data collecting device, and effectively protects data safety.
In the above embodiments, each data acquisition body, that is, the data acquisition body 2, the first data acquisition body 21 and the second data acquisition body 3, may be implemented by selecting or following a data acquisition box of the prior art. At least the data acquisition module may follow the way a prior-art data acquisition box implements data acquisition, and the data processing module, the data preprocessing module and the data buffering module may be implemented in software or hardware according to the functions and roles described above.
Fig. 7 schematically shows a flow chart of a network isolation method for data acquisition according to an embodiment of the invention, as shown, comprising the steps of:
step S701: configure a data acquisition device with a network isolation function between the intranet where the target equipment is located and the extranet where the remote server is located. Specifically, the data acquisition device is connected between the intranet and the extranet, and its network isolation configuration is performed. The network isolation configuration of the data acquisition device can be achieved in various ways, each including a transmission configuration of the data acquisition device and the setting of acquisition configuration information according to that transmission configuration; more specific embodiments are described in more detail below in connection with fig. 8 to 11.
Step S702: acquire the data of the target equipment with the configured data acquisition device. The obtained data of the target device 1 may be fault log data, operation log data, basic parameters and/or key sub-component parameters of the device, etc. The data of the target device is acquired by establishing a connection based on the acquisition configuration information according to the structure and principle of the configured data acquisition device; for the specific realization, refer to the corresponding descriptions in the embodiments of the various acquisition devices, which are not repeated here.
Step S703: process and cache the acquired data of the target device to generate data suitable for reading by the remote server. Specifically: adjust the arrangement sequence of the obtained data of the target equipment, perform an integrity check on the log data, divide the data according to type and the like, add metadata to the data of the target equipment, and generate and output the data to be processed after this processing. Data sorting, integrity checking, data segmentation and metadata addition may each be implemented with reference to the related prior art. After processing the acquired data of the target device, this embodiment also caches the processed data, so that the acquired data tolerates the transmission errors caused by the different network transmission rates. In other preferred embodiments, the processing of the acquired data further includes processing the generated data to be processed, for example converting it into the required format, buffering it and outputting it.
Step S704: outputting the processed data to an external network, wherein the method is specifically implemented as follows: and sequentially acquiring processed data from the data cache, and outputting the processed data to a server, a cloud end or the like for analysis, processing, research and the like through connection established between the data acquisition device and an external network. The connection between the data acquisition device and the external network is established through 3G, 4G, wifi, ethernet, etc., and reference may be made to the description of the foregoing data acquisition device.
Fig. 8 is a flow chart schematically illustrating a network isolation method for data acquisition according to an embodiment of the present invention, taking the data acquisition device shown in Fig. 2 as the configured data acquisition device. As shown in the figure, the method includes the following steps:
Step S801: configuring a first data acquisition body and a second data acquisition body. Specifically, the first data acquisition body is connected to the intranet where the target device is located in order to acquire data from the target device, and the second data acquisition body is connected to the first data acquisition body and to the extranet respectively in order to transmit the acquired target device data to the extranet.
Step S802: setting acquisition configuration information for the first and second data acquisition bodies. Specifically, the acquisition configuration information of the first data acquisition body is configured, comprising the acquisition configuration information of the target device and the connection relationship configuration information between the target device and the second data acquisition body, and the communication information of the second data acquisition body is configured. For the specific configuration information and manner refer to the description above.
Step S803: carrying out transmission configuration on the first and second data acquisition bodies so that they can communicate only unidirectionally. Specifically, based on the communication functions of the two bodies, the first data acquisition body is given a transmission configuration with a network isolation function: it is configured to communicate with the second data acquisition body only unidirectionally over Bluetooth, and only in the direction from the first data acquisition body to the second. This effectively keeps junk data from the extranet out of the intranet and protects the data security of the hospital's local area network.
Steps S804 to S806 are implemented in the same way as steps S702 to S704.
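The unidirectional link of step S803 (and of claims 3 to 7) has no return path, so the receiving side can never acknowledge a frame or ask for a retransmission; the ordering, integrity check and metadata of step S703 and the caching of step S704 are what make such a link usable in practice. The Python program below is an added example and not code from the patent. It shows one way of putting those pieces together: the sender preprocesses constructed log lines, frames each record with a sequence number and a CRC-32, and writes it over a simulated simplex line; the receiver validates each frame, discards repeated copies and reports sequence gaps. The frame layout, the device name, the log lines and the `demo` helper are this example's own assumptions. Claims 3 and 5 enforce the direction by configuration of the two endpoints (Bluetooth roles; a client with no server listening on the intranet side), whereas claim 7 enforces it physically by removing a conductor; the framing below does not depend on which variant carries the bytes.

```python
"""Simplex transfer of processed device logs: S703-style preprocessing
(ordering, split by type, metadata, integrity check) over a one-way link
like the serial line of claim 7 with its return conductor removed.
Added example, not the patent's code; frame layout, device name and log
lines are constructed."""
import json
import struct
import zlib
from collections import deque

MAGIC = b"\xa5\x5a"                # start-of-frame marker used to resync
HEADER = struct.Struct(">2sIHI")   # magic, seq, body length, crc32(body)
MAX_BODY = 4096                    # a larger length field is treated as damage

# constructed 'timestamp|type|message' lines, deliberately out of order
LOG_LINES = [
    "2018-07-06T08:15:02|fault|gradient amplifier over-temperature",
    "2018-07-06T08:10:00|operation|scan started, protocol T1",
    "2018-07-06T08:20:30|param|helium_level=72.4",
]

def preprocess(device_id, raw_lines):
    """Adjust the arrangement order, split each line by type, add metadata."""
    records = []
    for line in sorted(raw_lines):
        ts, log_type, msg = line.split("|", 2)
        records.append({"device": device_id, "ts": ts, "type": log_type, "msg": msg})
    return records

class SimplexLink:
    """Serial line with the return conductor removed: bytes move only tx -> rx."""
    def __init__(self):
        self._wire = bytearray()
    def tx(self, data):
        self._wire += data
    def rx(self):
        data, self._wire = bytes(self._wire), bytearray()
        return data
    def corrupt(self, index):          # test hook: damage one byte in flight
        self._wire[index] ^= 0xFF

class Sender:
    """Intranet side: frames, caches and writes.  With no return path,
    sending each frame `repeat` times stands in for retransmission."""
    def __init__(self, link, repeat=1):
        self.link, self.repeat, self.seq = link, repeat, 0
        self.cache, self.sizes = deque(), []
    def enqueue(self, record):
        body = json.dumps(record, sort_keys=True).encode()
        hdr = HEADER.pack(MAGIC, self.seq, len(body), zlib.crc32(body))
        self.cache.append(hdr + body)
        self.sizes.append(len(hdr) + len(body))
        self.seq += 1
    def flush(self):
        while self.cache:                          # output in cache order
            frame = self.cache.popleft()
            for _ in range(self.repeat):
                self.link.tx(frame)

class Receiver:
    """Extranet side: checks CRCs, drops repeated copies, reports seq gaps."""
    def __init__(self):
        self._buf, self.seen = bytearray(), set()
        self.accepted, self.corrupt, self.missing = [], 0, []
    def feed(self, data):
        self._buf += data
        while True:
            start = self._buf.find(MAGIC)
            if start < 0:
                self._buf.clear()
                break
            if len(self._buf) - start < HEADER.size:
                del self._buf[:start]
                break
            _, seq, n, crc = HEADER.unpack_from(self._buf, start)
            end = start + HEADER.size + n
            if n <= MAX_BODY and end > len(self._buf):
                del self._buf[:start]               # wait for the rest
                break
            body = bytes(self._buf[start + HEADER.size:end])
            if n > MAX_BODY or zlib.crc32(body) != crc:
                self.corrupt += 1
                del self._buf[:start + HEADER.size]  # skip header, resync
                continue
            del self._buf[:end]
            if seq not in self.seen:                # ignore repeated copies
                self.seen.add(seq)
                self.accepted.append(json.loads(body))
        self.missing = [s for s in range(max(self.seen, default=-1) + 1)
                        if s not in self.seen]
        return self.accepted

def demo(corrupt_frame=None, repeat=1):
    """Send the constructed logs, optionally damaging the first copy of one
    frame, and return the receiver for inspection."""
    link, rx = SimplexLink(), Receiver()
    tx = Sender(link, repeat=repeat)
    for rec in preprocess("MRI-01", LOG_LINES):
        tx.enqueue(rec)
    tx.flush()
    if corrupt_frame is not None:
        offset = sum(tx.sizes[:corrupt_frame]) * repeat + HEADER.size + 5
        link.corrupt(offset)
    rx.feed(link.rx())
    return rx
```

Because the receiver cannot ask for a resend, `repeat=2` writes every frame twice and `missing` lists the sequence numbers that never arrived intact; that list is what the extranet side needs in order to report a loss upstream instead of silently publishing an incomplete log set.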
Fig. 9 is a flow chart schematically illustrating a network isolation method for data acquisition according to another embodiment of the present invention, taking the data acquisition device shown in Fig. 3 as the configured data acquisition device. As shown in the figure, the method includes the following steps:
Step S901: configuring a first data acquisition body. Specifically, the first data acquisition body is provided with a first connection control unit and a second connection control unit; the first connection control unit is connected to the intranet where the target device is located and the second connection control unit is connected to the extranet. The two connection control units may be implemented as described above.
Step S902: configuring transmission configuration parameters that control the network on/off state of the first and second connection control units of the first data acquisition body, and generating, based on the configured parameters, the switching signals that control the on/off state of the intranet and extranet connections. Specifically, a transmission configuration parameter for switching the network on and off is configured in the first data acquisition body; the parameter may be a filter condition parameter for detecting the extranet connection and/or the acquisition frequency of the target device. For the manner of configuring the filter condition parameter and the acquisition frequency, and for the process of generating the switching signal that controls the on/off state of the two connection control units, refer to the corresponding description of the apparatus above.
Steps S903 to S905: acquiring target device data through the data acquisition device and outputting them to the extranet. For the specific implementation refer to steps S702 to S704.
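The switching signal of step S902 is what keeps the first data acquisition body of Fig. 9 from becoming a bridge: at any instant the device should be connected to the intranet (collecting) or to the extranet (uploading), never to both. The Python controller below is an added example and not code from the patent; it assumes that reading of the switching signal's purpose, and treats the acquisition frequency, an upload window and an allow-list for the remote peer as the transmission configuration parameters. The configuration values, the peer addresses and the timeline of observations are constructed.

```python
"""Switching signal for the two connection control units of Fig. 9.
Added example, not the patent's code.  It assumes the purpose of the
switching signal is that the intranet link and the extranet link are never
connected at the same instant; the period, upload window and allowed
remote peer are constructed transmission configuration values."""
from dataclasses import dataclass

INTRANET_ONLY = (True, False)    # (intranet_on, extranet_on)
EXTRANET_ONLY = (False, True)
BOTH_OFF = (False, False)


@dataclass(frozen=True)
class TransmissionConfig:
    acquisition_period_s: int   # acquisition frequency of the target device
    upload_window_s: int        # how long the extranet link may stay connected
    allowed_remote: frozenset   # filter condition for the extranet connection


class SwitchController:
    """Derives (intranet_on, extranet_on) from each observation."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.next_acquisition = 0      # first collection is due at once
        self.upload_started = None
        self.history = []

    def signal(self, now, cached_frames, remote):
        """now: seconds; cached_frames: frames waiting in the cache;
        remote: 'ip:port' of the extranet peer currently seen, or None."""
        if now >= self.next_acquisition:
            state = INTRANET_ONLY                     # collect from the target
            self.next_acquisition = now + self.cfg.acquisition_period_s
            self.upload_started = None
        elif cached_frames and remote in self.cfg.allowed_remote:
            if self.upload_started is None:
                self.upload_started = now
            if now - self.upload_started < self.cfg.upload_window_s:
                state = EXTRANET_ONLY                 # push the cache out
            else:
                state = BOTH_OFF                      # upload window used up
        else:
            state = BOTH_OFF                          # idle, or peer rejected
        assert not (state[0] and state[1]), "both links connected at once"
        self.history.append((now, state))
        return state


def run_timeline(cfg, observations):
    """observations: (now, cached_frames, remote) tuples; returns the signals."""
    ctl = SwitchController(cfg)
    return [ctl.signal(*obs) for obs in observations]


def never_bridged(signals):
    """True when no signal connected both links at the same time."""
    return all(not (intranet and extranet) for intranet, extranet in signals)


CFG = TransmissionConfig(60, 20, frozenset({"203.0.113.10:443"}))
TIMELINE = [   # constructed observations
    (0, 0, None),                      # first acquisition is due
    (10, 5, "203.0.113.10:443"),       # cache full, known peer: upload
    (25, 5, "203.0.113.10:443"),
    (35, 5, "203.0.113.10:443"),       # window exhausted: both off
    (40, 5, "198.51.100.7:443"),       # unknown peer: stays off
    (60, 5, "203.0.113.10:443"),       # next acquisition overrides upload
    (70, 5, "203.0.113.10:443"),       # fresh upload window
]
```

The `assert` inside `signal` is the invariant a tester would probe: no sequence of observations, including an unexpected peer appearing mid-upload or an acquisition falling due during an upload, may produce a signal that connects both links.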
Fig. 10 is a flow chart schematically illustrating a network isolation method for data acquisition according to another embodiment of the present invention, taking the data acquisition device shown in Fig. 4 as the configured data acquisition device. As shown in the figure, the method includes the following steps:
Step S1001: configuring an independent communication port on the target device. Specifically, hardware such as a network card or a USB port is added to the target device to form an independent port. Usually a network card is configured for the target device; when the network card already configured for the target device has no spare port, a USB-to-network-port adapter (an off-the-shelf product) is plugged into a USB port of the target device and the adapter's driver is installed in the target device's operating system. The first data acquisition body is then connected to the target device directly, through the USB adapter or a network cable, rather than through the intranet, and acquires the target device's data in this way.
Step S1002: configuring a first data acquisition body that communicates directly with the independent communication port. Specifically, the first data acquisition body is configured, by setting its acquisition configuration information, to communicate over the independent port of the target device (the configuration is based on the independent communication port configured above; the setting content and manner are as described earlier). If the network card of the target device has a spare port, the network interface settings of the target device's operating system are opened, a fixed IP address is configured for the spare port, the spare port is connected to the first data acquisition body with a network cable, and data are acquired from the target device using the set IP address. If the network card has no spare port, a USB-to-network-port adapter (an off-the-shelf product) is used: its driver is installed in the target device's operating system, a fixed IP address is configured for the newly added port on the network configuration page of the operating system, the new port is connected to the first data acquisition body with a network cable, and data are acquired from the target device using the set IP address. In this way the target device's data are obtained from the target device alone, without passing through the hospital intranet.
Steps S1003 to S1005: acquiring target device data through the data acquisition device and outputting them to the extranet. For the specific implementation refer to steps S702 to S704.
Fig. 11 is a flow chart schematically illustrating a network isolation method for data acquisition according to another embodiment of the present invention, taking the data acquisition device shown in Fig. 5 as the configured data acquisition device. As shown in the figure, the method includes the following steps:
Step S1101: configuring a first data acquisition body. Specifically, a first data acquisition body is arranged between the intranet where the target device is located and the extranet, with one end connected to the intranet where the target device is located and the other end connected to the extranet. For the manner of connecting the first data acquisition body to the intranet and the extranet refer to the description of the apparatus.
Step S1102: configuring a firewall between the target device and the first data acquisition body, and setting the acquisition configuration information of the first data acquisition body based on the configured firewall information. Specifically, a firewall is set up for the first data acquisition body. The firewall is configured by logging in to its settings page (the login method follows the firewall's user manual, generally over a network cable connection using a browser), entering the security policy page, setting the IP address and the accessible port of the target device (the port is set according to the file acquisition mode and location provided by the target device, for example port 21 for ftp, port 22 for ssh, port 23 for telnet), setting the IP address of the first data acquisition body, and setting the security policy so that the first data acquisition body can access only the IP address of the target device and only its designated port. After the firewall has been set, the acquisition configuration information of the first data acquisition body is set. The first data acquisition body then communicates with the target device over the data channel defined by the firewall and acquires the target device's data according to the acquisition configuration information. Because the target device data are acquired through the firewall, data exchanged when the first data acquisition body connects to the target device pass through the firewall first, and by virtue of the firewall configuration the data acquisition box can access only the designated target device and no other device.
All data collected by the data collection box can be monitored through the firewall, which ensures that the data collection box obtains only the log files of the target device, namely its fault log data, operation log data, basic parameters and key sub-component parameters, and no other unrelated data.
Steps S1103 to S1105: acquiring target device data through the data acquisition device and outputting them to the extranet. For the specific implementation refer to steps S702 to S704.
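Step S1102 reduces to a single permitted flow: from the first data acquisition body's address to the target device's address on the port implied by the file acquisition mode of claim 1, with everything else dropped. The Python program below is an added example, not the patent's code and not any vendor's firewall syntax; it derives that policy from an acquisition configuration, evaluates connection attempts against it, and renders an equivalent nftables ruleset for a Linux host placed in the path between the target device and the acquisition body. The addresses, the file path, the table name and the attempts are constructed.

```python
"""Firewall policy of step S1102 derived from the acquisition configuration
of claim 1 (target IP, file path, file acquisition mode).  Added example,
not the patent's code; addresses, path and table name are constructed, and
the nftables text is one rendering for a Linux host in the path between
the target device and the first data acquisition body."""
import ipaddress

MODE_PORT = {"ftp": 21, "ssh": 22, "telnet": 23}   # the modes the page lists


def make_policy(acq_cfg, box_ip):
    """Exactly one permitted flow: acquisition box -> target on the mode's port."""
    return {
        "src": ipaddress.ip_address(box_ip),
        "dst": ipaddress.ip_address(acq_cfg["target"]),
        "proto": "tcp",
        "dport": MODE_PORT[acq_cfg["mode"]],
    }


def is_allowed(policy, src, dst, dport, proto="tcp"):
    """Default deny: any other host, port or direction is dropped."""
    return (ipaddress.ip_address(src) == policy["src"]
            and ipaddress.ip_address(dst) == policy["dst"]
            and dport == policy["dport"]
            and proto == policy["proto"])


def render_nft(policy):
    """Equivalent nftables ruleset: default-drop forward chain, replies
    admitted only for connections the box itself opened."""
    return "\n".join([
        "table inet acq {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    ip saddr {policy['src']} ip daddr {policy['dst']} "
        f"{policy['proto']} dport {policy['dport']} ct state new accept",
        "  }",
        "}",
    ])


def audit(policy, attempts):
    """Verdict for each (src, dst, dport) attempt, as a firewall log shows it."""
    return [(a, "accept" if is_allowed(policy, *a) else "drop") for a in attempts]


# constructed: a scanner at 10.20.0.15 read over ssh from the box at 10.20.0.200
ACQ_CFG = {"target": "10.20.0.15", "path": "/var/log/scanner/", "mode": "ssh"}
POLICY = make_policy(ACQ_CFG, "10.20.0.200")
ATTEMPTS = [
    ("10.20.0.200", "10.20.0.15", 22),   # the configured flow
    ("10.20.0.200", "10.20.0.15", 23),   # right host, wrong port
    ("10.20.0.200", "10.20.0.16", 22),   # another intranet host
    ("10.20.0.15", "10.20.0.200", 22),   # target trying to reach the box
]
```

The ruleset admits reply traffic only for connections the box itself opened (`ct state established,related`), so the target device cannot open a connection toward the box. Of the three modes the page lists, only ssh on port 22 encrypts the session; ftp and telnet carry credentials and log contents in cleartext, so where the target device offers only those, the dedicated direct port of Fig. 10 rather than the shared hospital intranet is the safer path for the acquisition link.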
The main application field of the invention is the medical field, but it can also be applied to other fields, such as large-scale industry and fire fighting.
What has been described above are merely some embodiments of the present invention. It will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the spirit of the invention.
Claims (9)
1. An acquisition device with a network isolation function, characterized by comprising a first data acquisition body and a second data acquisition body, wherein the first data acquisition body is connected to the intranet where the target device is located to acquire data from the target device, the second data acquisition body is connected to the first data acquisition body and to the extranet respectively and transmits the acquired target device data to the extranet, a unidirectional communication connection is established directly between the first data acquisition body and the second data acquisition body, and the data transmission direction of the unidirectional communication is such that the first data acquisition body can only transmit data to the second data acquisition body;
the first data acquisition body comprises:
a first acquisition configuration module for setting acquisition configuration information, the acquisition configuration information comprising acquisition configuration information of the target device, which comprises an ID or IP of the target device, a file path of the target device and a file acquisition mode of the target device;
a data acquisition module for acquiring the corresponding target device data from the target device according to the ID or IP, the file path and the file acquisition mode of the target device defined by the acquisition configuration information;
a data preprocessing module for processing the target device data acquired by the data acquisition module to generate data to be processed;
a data caching module for caching the generated data to be processed in real time;
a first data sending module for communicating unidirectionally with the second data acquisition body over Bluetooth, a gigabit network or a 100-megabit network, and outputting the data acquired by the data acquisition module to the second data acquisition body; the first data sending module obtains the data to be processed from the data caching module and outputs them to the second data acquisition body over Bluetooth, a gigabit network or a 100-megabit network; and the second data acquisition body comprises:
a data receiving module for communicating unidirectionally with the first data acquisition body, the unidirectional communication mode being such that it can only receive the data output by the first data sending module;
a data processing module for analysing the data received by the data receiving module and generating analysis data;
a second data caching module for caching the generated analysis data in real time;
a second data sending module for transmitting the data received by the data receiving module to the extranet over 3G, 4G, WiFi or Ethernet; the second data sending module obtains the analysis data from the second data caching module and transmits them to the extranet over 3G, 4G, WiFi or Ethernet.
2. The acquisition device of claim 1, wherein the unidirectional communication connection established directly between the first data acquisition body and the second data acquisition body is a Bluetooth-based unidirectional data transmission connection.
3. The acquisition device of claim 2, wherein the first data sending module is implemented as a Bluetooth transmitting module acting as the master device and the data receiving module is implemented as a Bluetooth receiving module acting as the slave device, the Bluetooth receiving module being configured such that a connection can only be initiated from the master device to the slave device and data can only be written unidirectionally from the master device to the slave device.
4. The acquisition device of claim 1, wherein the unidirectional communication connection established directly between the first data acquisition body and the second data acquisition body is a file transfer protocol based unidirectional data transmission connection.
5. The acquisition device of claim 4, wherein the first data sending module is implemented as a file transfer protocol client and the data receiving module is implemented as a file transfer protocol server, and no protocol server runs within the first data acquisition body.
6. The acquisition device of claim 1, wherein the unidirectional communication connection established directly between the first data acquisition body and the second data acquisition body is a serial port based unidirectional data transmission connection.
7. The acquisition device of claim 6, wherein the first data sending module is implemented as a serial transmitting module having a serial communication port, the data receiving module is implemented as a serial receiving module having a serial communication port, and the serial communication ports of the two modules are connected directly by a serial communication cable from which the conductor that would carry data from the data receiving module to the first data sending module has been removed, so that the cable has only one data conductor and transmits data unidirectionally.
8. A data acquisition system with a network isolation function, comprising a data acquisition device and a remote server, wherein the data acquisition device acquires data from a target device and transmits them through the extranet to the remote server for data storage and/or data analysis, and the data acquisition device is the acquisition device with a network isolation function according to any one of claims 1 to 7.
9. A network isolation method for data acquisition, comprising:
configuring a data acquisition device with a network isolation function between the intranet where the target device is located and the extranet where the remote server is located;
acquiring target device data through the data acquisition device;
processing and buffering the acquired target device data to generate data suitable for reading by the remote server;
sequentially fetching the processed data from the data cache and outputting them to the extranet;
wherein the data acquisition device is the acquisition device with a network isolation function according to any one of claims 1 to 7, and configuring the data acquisition device with a network isolation function between the intranet where the target device is located and the extranet where the remote server is located is implemented as follows:
configuring a first data acquisition body and a second data acquisition body;
connecting the first data acquisition body to the target device;
connecting the second data acquisition body to the extranet;
and establishing the unidirectional communication connection directly between the first data acquisition body and the second data acquisition body, the direction of the unidirectional communication being configured so that data can only be transmitted from the first data acquisition body to the second data acquisition body, and the second data acquisition body can only receive the data transmitted by the first data acquisition body.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810737914.4A CN108769076B (en) | 2018-07-06 | 2018-07-06 | Data acquisition system, method and device with network isolation function |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108769076A (en) | 2018-11-06 |
CN108769076B (en) | 2023-12-05 |
Family
ID=63972659
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810737914.4A Active CN108769076B (en) | 2018-07-06 | 2018-07-06 | Data acquisition system, method and device with network isolation function |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108769076B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111277582A (en) * | 2020-01-15 | 2020-06-12 | 上海至数企业发展有限公司 | Internal and external network data distribution device for hospital |
CN111768846A (en) * | 2020-05-27 | 2020-10-13 | 医利捷(上海)信息科技有限公司 | Clinical data management method |
CN113329002B (en) * | 2021-05-20 | 2022-06-21 | 普天通信有限责任公司 | Internet of things data aggregation system |
CN113609052A (en) * | 2021-07-30 | 2021-11-05 | 上海创景信息科技有限公司 | Chip simulation system based on FPGA and microprocessor and implementation method |
CN115664841B (en) * | 2022-11-14 | 2024-10-18 | 济南大学 | Data acquisition system and method with network isolation and unidirectional encryption transmission functions |
Citations (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1791008A (en) * | 2004-12-17 | 2006-06-21 | 北邮英科(北京)信息技术研究所有限公司 | Isolation method and isolation switch apparatus between multiple networks of different security classes |
CN1808971A (en) * | 2006-02-09 | 2006-07-26 | 南京工业大学 | Method and system for realizing secure communication between the internal and external networks of a computer based on the simplex communication principle |
CN2850148Y (en) * | 2005-01-28 | 2006-12-20 | 朱寿祥 | Unidirectional physically isolated network security device |
CN101902448A (en) * | 2009-05-27 | 2010-12-01 | 厦门敏讯信息技术股份有限公司 | Method and system for implementing data transmission through serial ports |
CN102752286A (en) * | 2012-06-05 | 2012-10-24 | 东莞市博晟电子科技有限公司 | Network isolation system |
CN102882828A (en) * | 2011-07-11 | 2013-01-16 | 上海可鲁系统软件有限公司 | Secure information transmission control method between internal and external networks, and gateway therefor |
CN103997495A (en) * | 2014-05-23 | 2014-08-20 | 中国人民解放军理工大学 | Security isolation file transmission control method |
CN104092673A (en) * | 2014-06-27 | 2014-10-08 | 中国人民解放军第二军医大学 | System and method for realizing one-way secure data transmission between networks |
CN104202300A (en) * | 2014-08-06 | 2014-12-10 | 广东电网公司电力科学研究院 | Data communication method and device based on a network isolation device |
CN104243426A (en) * | 2013-06-19 | 2014-12-24 | 鞍钢股份有限公司 | Protocol-isolated internal and external network data communication method |
CN104363221A (en) * | 2014-11-10 | 2015-02-18 | 青岛微智慧信息有限公司 | Network security isolation file transmission control method |
CN204596143U (en) * | 2015-05-13 | 2015-08-26 | 中科汉华医学科技(北京)有限公司 | Hospital-based data collector |
CN204719759U (en) * | 2015-07-09 | 2015-10-21 | 河北软创实业有限公司 | Computer network virus shielding system |
CN105391613A (en) * | 2015-11-19 | 2016-03-09 | 四川中鼎自动控制有限公司 | Hydropower station Ethernet-type security isolation device inside-outside universal data bridge |
CN105550380A (en) * | 2016-02-16 | 2016-05-04 | 国网浙江新昌县供电公司 | High-power-distribution user power data acquisition and access system and working method thereof |
CN105812387A (en) * | 2016-05-09 | 2016-07-27 | 北京航天数控系统有限公司 | Unidirectional secure data exchange device |
CN106713281A (en) * | 2016-11-30 | 2017-05-24 | 国网北京市电力公司 | Monitoring system |
CN107424105A (en) * | 2016-08-01 | 2017-12-01 | 北京绪水互联科技有限公司 | Medical imaging equipment payment omitted intelligent management system and method |
CN107622078A (en) * | 2017-07-27 | 2018-01-23 | 国网辽宁省电力有限公司 | Method for real-time monitoring of the health status of power consumption information collection equipment |
CN107749863A (en) * | 2017-12-01 | 2018-03-02 | 广州来米信息科技有限公司 | Method of information system internetworking security isolation |
CN210093254U (en) * | 2018-07-06 | 2020-02-18 | 北京绪水互联科技有限公司 | Data acquisition system and device with network isolation function |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8307065B2 (en) * | 2006-08-22 | 2012-11-06 | Centurylink Intellectual Property Llc | System and method for remotely controlling network operators |
Timeline: 2018-07-06, CN, application CN201810737914.4A, patent CN108769076B, status Active.
Non-Patent Citations (1)
Title |
---|
胡建理 (Hu Jianli). A hospital intranet security solution based on security isolation gap (网闸) technology. 《医院数字化》 (Hospital Digitalization), 2010, main text pp. 1-3. * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108769076B (en) | Data acquisition system, method and device with network isolation function | |
US10721135B1 (en) | Edge computing system for monitoring and maintaining data center operations | |
US11924238B2 (en) | Cyber threat defense system, components, and a method for using artificial intelligence models trained on a normal pattern of life for systems with unusual data sources | |
CN210573773U (en) | Data acquisition device and system with network isolation function | |
EP3772209B1 (en) | A cyber threat defense system, components, and a method for using artificial intelligence models trained on a normal pattern of life for systems with unusual data sources | |
CN207039655U (en) | A network security emergency disposal device capable of remote assistance operation | |
CN111031018B (en) | A substation network security monitoring client system and its realization method | |
CN105527910A (en) | Remote monitoring system based on OPC UA (OLE for Process Control Unified Architecture) and fault removal method | |
CN103905219A (en) | System and method for monitoring and storing communication information in service platform | |
WO2018119643A1 (en) | Device monitoring method, apparatus and system | |
CN103096038B (en) | The method for supervising of the fusion video monitoring system of multi-protocol video watch-dog access | |
CN111385332A (en) | Internet of things equipment, Internet of things platform access method and equipment | |
CN104122877A (en) | Remote monitoring system and remote monitoring method for boilers | |
CN117997572A (en) | Industrial Internet safety supervision system | |
CN114584366A (en) | Power monitoring network safety detection system and method | |
CN114979214A (en) | Intelligent cooperative alarm system, method and device for power transmission line | |
US20240244064A1 (en) | Systems and methods for intrusion detection using federated learning | |
CN108539852A (en) | Switchgear house remote monitoring system and long-distance monitoring method | |
CN109587130B (en) | Integrated operation support system based on RTI space-time consistency | |
CN103618697A (en) | State access controller based on multiple interfaces and multiple protocols | |
US11128551B2 (en) | Method and apparatus for immediate and reaction-free transmission of log messages | |
CN117369412A (en) | Fault diagnosis device and platform of DCS system | |
CN212009372U (en) | Industrial control data fusion acquisition system | |
CN111026662A (en) | Remote debugging method, system and medium for terminal equipment of Internet of things | |
CN114363347A (en) | Self-adaptive industrial equipment data acquisition method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: Room 668, floor 6, building A, yard 19, Ronghua Middle Road, Beijing Economic and Technological Development Zone, Daxing District, Beijing 102600. Applicant after: BEIJING XUSHUI INTERCONNECTION TECHNOLOGY CO.,LTD. Address before: 100160 Beijing, Daxing District, Beijing Economic and Technological Development Zone, Tongji Middle Road 7, 18, 5, 2, unit 506. Applicant before: BEIJING XUSHUI INTERCONNECTION TECHNOLOGY CO.,LTD. |
| GR01 | Patent grant | |