A method, device and medium for secure transmission of environmental protection monitoring data
By generating environmental spatiotemporal feature vectors, constructing a dual verification model, and applying the TLS secure transmission protocol, the problems of the encryption process being disconnected from the application scenario and the low level of protection in environmental protection monitoring data transmission are solved, achieving adaptation to dynamic environmental changes and efficient secure transmission.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- TAIZHOU BOYANG ENVIRONMENTAL TECHNOLOGY CO LTD
- Filing Date
- 2025-10-15
- Publication Date
- 2026-07-03
Smart Images

Figure CN121261963B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of environmental protection monitoring technology, and in particular to a method, equipment and medium for secure transmission of environmental protection monitoring data. Background Technology
[0002] With the rapid development of the Internet of Things (IoT), environmental monitoring is increasingly being applied to ecological governance and pollution control, playing a crucial role in ensuring the sustainable development of the ecological environment. Simultaneously, the multimodal data generated during environmental monitoring has become a high-value and vulnerable target, facing threats such as theft, tampering, and replay attacks during transmission. Traditional secure transmission methods use AES symmetric encryption and TLS / SSL protocols for data encryption, achieving basic communication security. In recent years, elliptic curve cryptography (ECC) and other encryption technologies have been widely applied to key negotiation and data encryption, improving transmission security to a certain extent.
[0003] However, current methods for transmitting environmental monitoring data still have several shortcomings. First, traditional data transmission often employs fixed-key encryption, failing to fully utilize the multimodal information carried by environmental monitoring data. This leads to a disconnect between the encryption process and actual application scenarios, making it vulnerable to targeted threats such as replay attacks and affecting the environmental adaptability of data transmission. Second, existing security verification mechanisms largely rely on packet-level verification (such as MD5), lacking risk awareness and defense capabilities, resulting in low protection levels and difficulty in coping with persistent threats in complex environments. Summary of the Invention
[0004] In view of the aforementioned existing problems, the present invention is proposed.
[0005] Therefore, this invention provides a secure transmission method for environmental protection monitoring data to address the problems of insufficient environmental adaptability and low protection levels.
[0006] To solve the above-mentioned technical problems, the present invention provides the following technical solution:
[0007] In a first aspect, the present invention provides a method for secure transmission of environmental protection monitoring data, which includes collecting environmental protection monitoring data, adding sampling timestamps to the environmental protection monitoring data, and simultaneously using a GIS spatial registration algorithm to perform coordinate system transformation and spatial interpolation to generate an environmental spatiotemporal feature vector.
[0008] The SHA hash function is used to perform hash transformation and orthogonalization on the environmental spatiotemporal feature vector to form a dynamic encryption matrix; based on the dynamic encryption matrix, block XOR encryption is performed on the environmental protection monitoring data to obtain preliminary encrypted data blocks;
[0009] The initial encrypted data block is input into the dual verification model. The integrity assessment layer performs distribution consistency verification, the risk assessment layer performs attack pattern identification, and outputs a secure encrypted data block.
[0010] The TLS secure transport protocol is applied to perform session key negotiation on secure encrypted data blocks, obtain transmission-ready data packets, perform real-time error detection and selective retransmission, and output a secure transmission data stream.
[0011] As a preferred embodiment of the secure transmission method for environmental protection monitoring data described in this invention, the environmental protection monitoring data includes sensor data, satellite remote sensing images, and ground monitoring videos.
[0012] As a preferred embodiment of the secure transmission method for environmental protection monitoring data according to the present invention, the generation of the environmental spatiotemporal feature vector specifically includes the following steps.
[0013] The sampling timestamps of environmental protection monitoring data are embedded and time-series aligned by using the PTP time synchronization protocol to form a unified time-series data sequence.
[0014] The GIS spatial registration algorithm is used to perform coordinate system transformation on the time-series unified data sequence to obtain unified geocoding data, and kriging spatial interpolation is performed on the unified geocoding data to generate environmental spatiotemporal feature vectors.
[0015] As a preferred embodiment of the secure transmission method for environmental protection monitoring data according to the present invention, the formation of the dynamic encryption matrix specifically includes the following steps.
[0016] The environmental spatiotemporal feature vector is used as a random seed and input into the SHA hash function to perform a hash transformation, thereby obtaining a hash digest string;
[0017] The hash digest string is orthogonalized and decomposed using singular values to form a dynamic encryption matrix.
[0018] As a preferred embodiment of the secure transmission method for environmental protection monitoring data according to the present invention, the step of obtaining the preliminary encrypted data block specifically includes the following steps.
[0019] The dynamic encryption matrix is used as the key seed, and a cyclic concatenation expansion is performed to form a valid encryption key;
[0020] Based on the valid encryption key, byte-by-byte block division and byte-by-byte XOR operation are performed on the environmental protection monitoring data to obtain preliminary encrypted data blocks.
[0021] As a preferred embodiment of the secure transmission method for environmental protection monitoring data according to the present invention, the dual verification model is constructed as follows:
[0022] A fully connected network is used to build an integrity assessment layer, and a convolutional neural network is used to build a risk assessment layer.
[0023] Perform parameter initialization on the integrity assessment layer and the risk assessment layer, and apply skip connections for cross-stacking to build a dual-validation model.
[0024] As a preferred embodiment of the secure transmission method for environmental protection monitoring data according to the present invention, the output of the secure encrypted data block specifically includes the following steps.
[0025] The initial encrypted data block is input into the dual verification model. The integrity assessment layer applies kernel density estimation to perform a distribution consistency check on the initial encrypted data block and generates an integrity verification label.
[0026] The risk assessment layer performs attack pattern identification on the initial encrypted data blocks and generates potential risk levels.
[0027] Based on the integrity verification label and potential risk level, the number of AES encryption rounds and transmission frame length of the initial encrypted data block are adjusted by a fuzzy PID controller to output a secure encrypted data block.
[0028] As a preferred embodiment of the secure transmission method for environmental protection monitoring data according to the present invention, the output secure transmission data stream specifically includes the following steps.
[0029] The CRC cyclic redundancy check algorithm is used to perform real-time error detection on the ready data packets and form an accuracy check flag.
[0030] Based on the accuracy check flag, selectively retransmit ready data packets and output a secure transmission data stream.
[0031] In a second aspect, the present invention provides a computer device, including a memory and a processor, wherein the memory stores a computer program, wherein when the computer program is executed by the processor, it implements any step of the secure transmission method for environmental protection monitoring data as described in the first aspect of the present invention.
[0032] Thirdly, the present invention provides a computer-readable storage medium having a computer program stored thereon, wherein: when the computer program is executed by a processor, it implements any step of the secure transmission method for environmental protection monitoring data as described in the first aspect of the present invention.
[0033] The beneficial effects of this invention are as follows: Firstly, by utilizing the SHA hash function to perform hash transformation and orthogonalization on the generated environmental spatiotemporal feature vector, a dynamic encryption matrix is formed, achieving deep coupling between the encryption key and environmental protection monitoring data, thus enhancing the encryption process's adaptability to dynamic environmental changes. Secondly, by constructing a dual verification model and performing distributed consistency checks, transmission path modeling, and attack pattern identification, multimodal joint verification can be achieved, enhancing the proactive defense capability during data transmission and thereby improving the overall intelligence level of protection. Attached Figure Description
[0034] To more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the following description of the embodiments will be briefly introduced. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0035] Figure 1 A flowchart for a method of securely transmitting environmental protection monitoring data.
[0036] Figure 2 A flowchart for generating environmental spatiotemporal feature vectors.
[0037] Figure 3 A flowchart illustrating how the dual-validation model works.
[0038] Figure 4 A flowchart for generating a dynamic encryption matrix. Detailed Implementation
[0039] To make the above-mentioned objects, features and advantages of the present invention more apparent and understandable, the specific embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
[0040] Many specific details are set forth in the following description in order to provide a full understanding of the invention. However, the invention may also be practiced in other ways different from those described herein, and those skilled in the art can make similar extensions without departing from the spirit of the invention. Therefore, the invention is not limited to the specific embodiments disclosed below.
[0041] Secondly, the term "one embodiment" or "embodiment" as used herein refers to a specific feature, structure, or characteristic that may be included in at least one implementation of the present invention. The phrase "in one embodiment" appearing in different places in this specification does not necessarily refer to the same embodiment, nor is it a single or selective embodiment that is mutually exclusive with other embodiments.
[0042] Reference Figures 1-4As one embodiment of the present invention, this embodiment provides a secure transmission method for environmental protection monitoring data, comprising the following steps:
[0043] S1. Collect environmental protection monitoring data and add sampling timestamps to the environmental protection monitoring data. At the same time, use GIS spatial registration algorithm to perform coordinate system transformation and spatial interpolation to generate environmental spatiotemporal feature vectors.
[0044] S1.1 Collect environmental protection monitoring data, which includes sensor data, satellite remote sensing images, and ground monitoring videos.
[0045] Sensor data includes temperature, humidity, air pressure, and PM concentration. Temperature and humidity are collected using temperature and humidity sensors, air pressure is collected using air pressure sensors, and PM concentration is collected using particulate matter monitors. Satellite remote sensing images are collected using hyperspectral sensors, and ground monitoring videos are collected using high-definition network cameras.
[0046] S1.2. The sampling timestamps of environmental protection monitoring data are embedded and time-series aligned using the PTP time synchronization protocol to form a unified time-series data sequence.
[0047] The environmental protection monitoring data is connected to a high-precision time source (such as a GPS clock) through the PTP time synchronization protocol to unify the time base and form a global time reference frame. The Precise Time Code (PTP) of the global time reference frame is extracted as the sampling timestamp, and the sampling timestamp is embedded into the environmental protection monitoring data according to the data encapsulation protocol to output the original time stamp data.
[0048] It should be noted that the data encapsulation protocol is defined based on the actual accuracy requirements of the sampling timestamp and the data integrity verification requirements.
[0049] The original time-stamped data undergoes time alignment processing. Furthermore, the original time-stamped data sequence is smoothed in the time domain using a Hanning window sliding window to obtain window-aligned data. Then, a Kalman filter factor is used to compensate for clock drift in the window-aligned data, eliminating time deviations caused by network latency or device clock failures, thus forming a time-uniform data sequence. The time-uniform data sequence not only retains complete environmental parameter information but also provides strict time order guarantees, providing a time-ordered data foundation for subsequent encrypted transmission.
[0050] It should be noted that the Kalman filter factor is used to estimate and correct the clock offset, and is defined based on the clock deviation statistics of historical window alignment data, with an exemplary value range of 0.1 to 0.9.
[0051] S1.3. Use the GIS spatial registration algorithm to perform coordinate system transformation on the time-series unified data sequence, obtain unified geocoding data, and perform kriging spatial interpolation on the unified geocoding data to generate environmental spatiotemporal feature vectors.
[0052] The time-series unified data sequence is projected using a GIS spatial registration algorithm to obtain projected coordinate data. An affine transformation is then performed on the projected coordinate data to convert it into a unified geographic coordinate system, resulting in baseline unified coordinates. The thin plate spline function (TPS) is used to perform nonlinear deformation correction on the baseline unified coordinates to eliminate spatial errors caused by terrain undulations and projection deformation, thereby obtaining spatially corrected coordinates. Finally, geographic object encoding is performed on the spatially corrected coordinates to generate unified geographic coded data.
[0053] It should be noted that the thin plate spline function achieves nonlinear deformation correction by matching control points and minimizing bending energy on the reference unified coordinates; geoobject coding refers to the process of geometrically structuring the spatial correction coordinates and binding them to a spatial reference system according to the OGC geoinformation coding specification (called through the SpatialReference parameter of the OGR library).
[0054] Kriging interpolation coefficients are applied to spatially interpolate the unified geocoding data to obtain an initial interpolation grid. The inverse distance weighting method is then used to perform neighborhood-weighted aggregation on the initial interpolation grid to obtain smooth interpolated data. Gaussian convolution kernels are used to perform noise filtering on the smooth interpolated data to generate denoised spatial interpolated data. Z-score standardization is then used to normalize the denoised spatial interpolated data and the temporal unified data sequence to a unified dimension, followed by linear weighted fusion to form an environmental spatiotemporal feature vector. This environmental spatiotemporal feature vector characterizes the joint distribution characteristics of monitoring parameters in the spatiotemporal dimension, providing a standardized input with spatiotemporal correlation for subsequent encrypted transmission.
[0055] It should be noted that the Kriging interpolation coefficients are used to adjust the interpolation smoothness of the unified geocoding data. They are defined based on the spatial autocorrelation decay rate of historical unified geocoding data, and the exemplary value range is 0.1 to 0.9. The inverse distance weighting method achieves neighborhood weighted aggregation by performing neighborhood search and power distance weighting on the initial interpolation grid.
[0056] S2. Use the SHA hash function to perform hash transformation and orthogonalization on the environmental spatiotemporal feature vector to form a dynamic encryption matrix; based on the dynamic encryption matrix, perform block XOR encryption on the environmental protection monitoring data to obtain preliminary encrypted data blocks.
[0057] S2.1. Using the environmental spatiotemporal feature vector as a random seed, input it into the SHA hash function to perform a hash transformation and obtain a hash digest string.
[0058] The environmental spatiotemporal feature vector is used as a random seed and binary serialization is performed. For example, the positive floating-point value of the random seed is encoded as 1 and the negative floating-point value of the random seed is encoded as 0, and a binary byte stream is output.
[0059] It should be noted that positive and negative floating-point values are determined by performing sign bit detection on the random seed and non-zero verification of the exponent field.
[0060] The binary byte stream is evenly divided into multiple message blocks, and multiple rounds (e.g., 64 rounds) of message expansion and bit operation combinations are performed on each message block to obtain an intermediate hash state. The intermediate hash state is iterated and updated round by round using the SHA hash function to output a hash value of fixed length (e.g., 256 bits). The fixed-length hash value is then Base16 encoded to obtain a hash digest string. The hash digest string not only has anti-collision properties but also maintains the entropy characteristics of the input data.
[0061] It should be noted that message expansion refers to the process of bit stuffing and cyclic shifting of a message block using a shift register; bit operation combination refers to the process of non-linear transformation and linear diffusion of a message block; Base16 encoding conversion refers to the process of character replacement and length alignment of a fixed-length hash value based on a hexadecimal character map (called through the ASCII code conversion protocol).
[0062] S2.2. Perform orthogonalization and singular value decomposition on the hash digest string to form a dynamic encryption matrix.
[0063] The hash digest string is hexadecimal decoded and byte blocks are reassembled to obtain a hash byte matrix, which is then orthogonalized. Further, the hash byte matrix is subjected to a vector inner product to obtain the projection components, and the projection components are orthogonally projected to generate orthogonal basis vectors. The orthogonal basis vectors are normalized by applying L2 norm normalization to obtain an identity orthogonal matrix.
[0064] It should be noted that hexadecimal decoding refers to the process of parsing characters and generating byte sequences from a hash digest string using an ASCII code conversion protocol.
[0065] Singular Value Decomposition (SVD) is performed on the orthogonal identity matrix, decomposing it into a left singular matrix, a singular value matrix, and a right singular matrix. The left singular matrix, the singular value matrix, and the right singular matrix are truncated respectively, and the first k singular values are extracted and integrated to obtain the principal singular value component. The principal singular value component is used as the initial encryption component, and Min-Max normalization is used for scaling to generate a dynamic encryption matrix.
[0066] It should be noted that the value of k is determined based on the rank of the identity orthogonal matrix. For example, for an 8x8 identity orthogonal matrix with a rank of 5, all its singular values are 1. If the energy retention threshold is set to 90%, since all singular values are equal, the cumulative energy percentage of the first k singular values is k / 5. Therefore, the smallest integer k=5 that satisfies k / 5 ≥ 0.9 is selected, that is, all 5 singular values are retained.
[0067] S2.3. Use the dynamic encryption matrix as the key seed and perform cyclic concatenation expansion to form a valid encryption key.
[0068] A dynamic encryption matrix is used as the key seed, and the AES block encryption algorithm is used to non-linearly obfuscate the key seed to ensure that the key seed has good statistical randomness, resulting in an obfuscated key stream. The obfuscated key stream is cyclically shifted through a shift register to achieve state diffusion, forming an initial key fragment. The HKDF key derivation function is then applied to the initial key fragment to perform key expansion, generating an initial expanded key.
[0069] It should be noted that a shift register is a digital circuit with shift function, which performs cyclic shift by cyclically shifting the obfuscated key stream to the left and right; the AES block encryption algorithm achieves non-linear obfuscation by performing byte substitution and row shift transformation on the key seed; and the HKDF key derivation function achieves key expansion by performing salt mixing and context binding on the initial key fragment.
[0070] The length of the initial expansion key is detected using the EVP query function in the OpenSSL cryptographic library. If the length of the initial expansion key is less than the target data block length, further multiple loop concatenations are performed. For example, if the target data block length is 1024 bytes and the length of the initial expansion key is 200 bytes, the initial expansion key is concatenated in 5 complete loops, and the first 24 bytes of the initial expansion key are padded at the end until the length of the initial expansion key reaches the target data block length, at which point the complete expansion key is output. The complete expansion key is then subjected to a balance constraint to form a valid encryption key. The valid encryption key has high entropy characteristics, providing a secure matching key stream for subsequent block XOR encryption.
[0071] It should be noted that the target data block length is based on the transmission frame structure definition of the environmental protection monitoring data to be encrypted; the balance constraint refers to the process of optimizing the bit distribution and limiting the run length of the full extended key using the NIST Statistical Test Suite.
[0072] S2.4. Based on the valid encryption key, perform byte-by-byte block division and byte-by-byte XOR operation on the environmental protection monitoring data to obtain the initial encrypted data block.
[0073] The environmental protection monitoring data is divided into contiguous byte blocks according to a preset length (determined based on the length of the effective encryption key, e.g., 128 bytes), ensuring that the length of each contiguous byte block strictly matches the length of the effective encryption key. Starting from the first byte of each contiguous byte block, each byte in the contiguous byte block is XORed with a byte in the effective encryption key to obtain a byte encryption vector. The specific mathematical formula is as follows.
[0074]
[0075] in, Represents a byte encryption vector. Indicates byte index, Indicates the first byte in a consecutive block of bytes The original value of 1 byte, This indicates a bitwise XOR operation. Indicates the first valid encryption key The original value of one byte;
[0076] It should be noted that the original values of the bytes were obtained by performing binary conversion operations on the valid encryption key and the consecutive byte blocks, respectively.
[0077] The byte encryption vector is encrypted by inter-block association using Cipher Block Chaining (CBC) mode to generate a chain of ciphertext segments; according to the TLS record layer protocol rules, the chain of ciphertext segments are encapsulated with sequence numbers and standardized in structure to generate preliminary encrypted data blocks.
[0078] It should be noted that the cipher block chaining mode achieves inter-block association encryption by mixing ciphertext blocks and passing feedback between blocks to the byte encryption vector; the TLS record layer protocol rules are based on the record layer frame format specification definition of the TLS protocol.
[0079] S3. Input the initial encrypted data block into the dual verification model. The integrity assessment layer performs distribution consistency verification, the risk assessment layer performs attack pattern identification, and outputs a secure encrypted data block.
[0080] S3.1 Build and train a dual-validation model.
[0081] In the TensorFlow framework, the fully connected network is called through the Sequential API parameters and initialized. For example, the input dimension is set to the initial encrypted data block byte length, the hidden layer dimension is set to [512, 256, 128], and the activation function is set to Tanh. Kernel density estimation is then applied after the fully connected network to perform distribution consistency checks, and a Dropout layer is used to randomly drop neurons to prevent overfitting, thus completing the construction of the integrity evaluation layer.
[0082] The convolutional neural network is invoked using the Functional API parameters and initialized. For example, the number of convolutional kernels is set to [32, 64], the kernel size is set to 3×3, and the pooling method is set to max pooling. Feature normalization is performed in the post-batch normalization layer of the convolutional neural network to complete the construction of the risk assessment layer.
[0083] The integrity assessment layer and the risk assessment layer are concatenated using residual connections to obtain multimodal fusion features. The multimodal fusion features are then aggregated with contextual information and dynamically weighted using an attention mechanism to obtain a weighted joint feature representation. The weighted joint feature representation is then nonlinearly transformed using a Softmax function to generate feature importance weights. Based on the feature importance weights, the integrity assessment layer and the risk assessment layer are cross-stacked using skip connections to complete the construction of the dual-validation model.
[0084] It should be noted that, compared with existing single verification mechanisms (such as integrity verification that relies solely on hash verification), the dual verification model not only achieves parallel evaluation of the integrity and security risks of the initial encrypted data block from two dimensions, but also achieves deep fusion and weighting of the feature layer through residual connections and attention mechanisms. This solves the problems that existing single verification mechanisms cannot effectively cope with complex attacks due to their single verification dimension, and that the information isolation between different verification processes leads to one-sided evaluation results. The dual verification model has higher detection accuracy and stronger generalization ability.
[0085] Next, the dual-validation model is trained. Further, the initial encrypted historical data block is divided into a sample set, a training set, and a validation set. On the sample set, a data augmenter (such as the DataGenerator in the TensorFlow framework) is used to expand sample diversity, and SMOTE oversampling is used for class balancing to achieve a balanced sample distribution and improve the ability to identify minority class samples, forming augmented samples. On the training set, the Adam optimizer is used to perform gradient backpropagation on the augmented samples, and a synchronous learning rate scheduler is used to dynamically adjust the learning rate to obtain optimized dual-validation model parameters. On the validation set, an early stopping mechanism is used to monitor the generalization performance of the optimized dual-validation model parameters to obtain the validation set loss. When the validation set loss exceeds the convergence threshold for several consecutive epochs (e.g., 10 times), training terminates, and the trained dual-validation model is output synchronously.
[0086] It should be noted that the convergence threshold is defined based on the average fluctuation of the historical validation set loss, with an exemplary range of 0.001 to 0.005.
[0087] S3.2 The integrity assessment layer applies kernel density estimation to perform distribution consistency checks on the initially encrypted data blocks and generates integrity verification labels.
[0088] The initial encrypted data block is input into the integrity evaluation layer through an asynchronous data pipeline (such as Apache Kafka), and feature transformation is performed through a fully connected network with two parallel branches. Further, the first branch performs linear projection on the initial encrypted data block and performs nonlinear activation using the Tanh function to obtain a high-dimensional dense feature representation. The second layer applies an attention mechanism to assign attention weights to the initial encrypted data block and performs dimensionality compression to form a low-dimensional sparse feature representation. Information fusion and dimensional alignment are performed on the high-dimensional dense feature representation and the low-dimensional sparse feature representation to generate a multi-scale joint feature representation. The multi-scale joint feature representation not only retains the nonlinear features of the high-dimensional space, but also compresses the key discriminative information in the low-dimensional space.
[0089] Kernel density estimation is applied to perform bandwidth optimization and smooth convolution operations on the multi-scale joint feature representation to generate continuous probability density distribution values. The specific mathematical formula is as follows.
[0090] ;
[0091] in, Represents the continuous probability density distribution value. This represents the total number of samples for multi-scale joint feature representation. Indicates the bandwidth coefficient. The sample index represents the joint feature representation of multiple scales. This represents the natural exponential function. The eigenvector representing the probability density to be estimated. Indicates the first The feature vector values of each sample;
[0092] It should be noted that the bandwidth coefficient is used to adjust the smoothness of the kernel density estimation, based on the scale variance definition of the multi-scale joint feature representation, with an exemplary value range of [0.1, 1.5]; the feature vector of the probability density to be estimated is obtained by performing principal component extraction and dimension concatenation on the multi-scale joint feature representation; the feature vector value is obtained by performing numerical normalization on the multi-scale joint feature representation.
[0093] Based on the continuous probability density distribution value, a distribution consistency check is performed on the preliminary encrypted data block. For example, the continuous probability density distribution value of the preliminary encrypted data block is compared with the baseline probability density distribution value to obtain the distribution deviation. When the distribution deviation is lower than the consistency threshold, it indicates that the corresponding preliminary encrypted data block meets the distribution consistency requirements, is defined as a compliant data block, and is labeled "complete". When the distribution deviation is higher than the consistency threshold, it indicates that the distribution consistency of the corresponding preliminary encrypted data block is deviated, is defined as an abnormal data block, and is labeled "incomplete". The labels of all preliminary encrypted data blocks are integrated to obtain the integrity verification label.
[0094] It should be noted that the baseline probability density distribution value is based on the statistical definition of the actual probability density distribution of historical secure transmission samples; the consistency threshold is defined based on the sliding window mean of the historical distribution deviation, for example, based on the moving average of the daily distribution deviation over the past three months, and considering an empirical tolerance range, with an exemplary value range of [0.05, 0.15].
[0095] S3.3, Risk assessment layer: Initial encrypted data block execution attack pattern identification, generating potential risk levels.
[0096] The original transport frame header data of the initial encrypted data block is extracted by a protocol parsing engine (such as Wireshark), and the fields are decoded and the metadata is reassembled to obtain the transport path metadata, including source / destination IP, hop count, latency fluctuation, etc.
[0097] Spatiotemporal feature extraction is performed on the transmission path metadata using a convolutional neural network. Furthermore, the three-dimensional convolutional kernel of the spatiotemporal convolutional neural network is used to perform temporal convolution and spatial pooling on the transmission path metadata to capture the dynamic evolution of the transmission path metadata and obtain spatiotemporal joint features. Long-term dependency modeling is performed on the spatiotemporal joint features through a gated recurrent mechanism (GRU) to obtain the path spatiotemporal feature sequence.
[0098] It should be noted that the gated loop mechanism achieves long-term dependency modeling by updating the gated filtering and resetting the gated forgetting operations on the spatiotemporal joint features; by combining the three-dimensional convolution kernel and the gated loop mechanism, it can simultaneously capture the dynamic correlation of path features in spatial topology and time series, solving the problem of insufficient modeling capability in traditional methods based on static topology analysis or independent time series analysis.
[0099] An attention mechanism is used to weight the spatiotemporal feature sequences of the path based on their importance and to concatenate the features to obtain path enhancement features. The path enhancement features are then compared with the attack signature features in the attack feature library (such as the Snort rule set). If the similarity exceeds a reasonable threshold, it indicates that there is a potential attack behavior in the transmission path, and the corresponding path enhancement features are defined as potential threat features.
[0100] It should be noted that the reasonable threshold is defined based on the dynamic baseline mean of historical similarity, with an exemplary range of 0.85 to 0.95.
[0101] The Euclidean distance-weighted formula is used to quantify the potential threat characteristics and generate a threat risk value. The specific mathematical formula is as follows.
[0102] ;
[0103] in, Indicates the threat risk value. Indicates the total number of dimensions. Indicates a dimension index. Indicates the first The importance weight coefficients of each dimension Indicates the first A multi-dimensional potential threat feature vector Indicates the first A multi-dimensional attack signature feature vector;
[0104] It should be noted that the importance weight coefficient is defined based on the information entropy ratio of the potential threat features, and the exemplary value range is 0 to 1; the potential threat feature vector and the attack signature feature vector are obtained by performing principal component analysis and L2 norm normalization on the potential threat features and attack signature features, respectively.
[0105] Based on the threat risk value, the initial encrypted data blocks are classified into risk levels. For example, when the threat risk value is within the first-level risk range (e.g., 0.0-0.3), the threat impact is negligible, and the corresponding initial encrypted data block is defined as low-risk. When the threat risk value is within the second-level risk range (e.g., 0.3-0.7), the threat requires attention, and the corresponding initial encrypted data block is defined as medium-risk. When the threat risk value is within the third-level risk range (e.g., 0.7-1.0), the threat may cause serious damage, and the corresponding initial encrypted data block is defined as high-risk. The classified risk levels are then integrated to output the potential risk level.
[0106] It should be noted that the risk range is based on the statistical quantile definition of historical threat risk values.
[0107] S3.4. Based on the integrity verification label and potential risk level, adjust the number of AES encryption rounds and transmission frame length of the initial encrypted data block using a fuzzy PID controller, and output a secure encrypted data block.
[0108] The integrity verification labels and potential risk levels are dimensionally aligned and linearly weighted to obtain a fused judgment index. An ADC converter is used to perform digital-to-analog conversion on the fused judgment index, converting it into an analog control signal. This signal is then input into a fuzzy PID controller for three coordinated adjustments: the proportional term amplifies the analog control signal to quickly respond to sudden changes in threat levels; the integral term accumulates historical errors in the analog control signal to eliminate steady-state security deviations; and the derivative term compensates for the rate of change of the analog control signal to suppress oscillations in the transmission environment and output an adjustment control signal. Based on cryptographic security mapping rules (based on the statistical distribution characteristics of historical adjustment control signals and the definition of threat response patterns), the adjustment control signal is parameter-mapped to obtain the encryption parameter adjustment amount.
[0109] Based on the adjustment of encryption parameters, the key length of the initial encrypted data block is reset and the encryption context is updated through the AES interface in the OpenSSL encryption library to dynamically adjust the number of AES encryption rounds. At the same time, a smart network interface card (such as Mellanox ConnectX-6) is used to reassemble the initial encrypted data block to optimize the transmission frame length. The adjusted initial encrypted data block is then encapsulated to output a secure encrypted data block.
[0110] S4. Apply the TLS secure transport protocol to perform session key negotiation on the secure encrypted data block, obtain the transmission-ready data packet, perform real-time error detection and selective retransmission, and output a secure transmission data stream.
[0111] S4.1. Use the TLS secure transport protocol to negotiate the session key for the secure encrypted data block and obtain the transmission-ready data packet.
[0112] In a trusted execution environment (such as Intel SGX), session key negotiation is performed on the secure encrypted data block according to the TLS secure transport protocol. Further, two-way certificate authentication is performed on the secure encrypted data block to obtain two-way authenticated communication data. The two-way authenticated communication data is then encrypted using the RSA asymmetric encryption algorithm to obtain an encrypted and authenticated ready data payload. According to the TLS protocol format specification, padding, length field addition, and encapsulation are performed on the encrypted and authenticated ready data payload to ensure compliance and integrity of the transmission syntax, outputting a transmission-ready data packet.
[0113] It should be noted that two-way certificate authentication refers to the process of authenticating both the client and the server of secure encrypted data blocks using an X.509 digital certificate; the TLS protocol format specification is defined based on the record layer protocol requirements of the TLS secure transport protocol.
[0114] S4.2. Use the CRC cyclic redundancy check algorithm to perform real-time error detection on the transmission-ready data packets and form an accuracy check flag. Based on the accuracy check flag, selectively retransmit the transmission-ready data packets and output a secure transmission data stream.
[0115] At the sending end, a cyclic redundancy check (CRC) is performed on the transmission-ready data packet to obtain a frame check sequence. This frame check sequence is then further encoded; for example, the high-order byte of the frame check sequence is encoded as a high-order coefficient, and the low-order byte is encoded as a low-order coefficient, generating a CRC code. This CRC code is appended to the end of the transmission-ready data packet to form a data frame to be transmitted. The data frame is then transmitted to the receiving end via a wireless communication channel (such as a 4G / 5G network or LoRa link). The receiving end performs integrity restoration on the received data frame using a CRC check circuit to obtain a local check code.
[0116] It should be noted that Cyclic Redundancy Check (CRC) refers to the process of performing polynomial modulo division and remainder generation on the ready data packet using the CRC algorithm; the high-order byte and low-order byte are determined by comparing the byte order of the frame check sequence.
[0117] The cyclic redundancy check (CRC) code and the local check code are compared bit by bit. If the two check codes are completely identical, it means that the data transmission is accurate and error-free, and the accuracy check flag of the ready data packet is marked as "true". If the two check codes do not match, it means that an error has occurred in the data transmission process, and the accuracy check flag of the ready data packet is marked as "false".
[0118] Based on the accuracy verification flag, the ready data packets are selectively retransmitted. Furthermore, the ready data packets marked as "true" are confirmed to have been successfully received and buffered and forwarded to complete the normal data transmission process. The ready data packets marked as "false" are discarded due to errors and retransmission requests are triggered to achieve selective retransmission, ultimately forming an accurate and orderly secure data transmission stream.
[0119] This embodiment also provides a computer device applicable to the secure transmission method of environmental protection monitoring data, including: a memory and a processor; the memory is used to store computer-executable instructions, and the processor is used to execute the computer-executable instructions to realize the secure transmission method of environmental protection monitoring data as proposed in the above embodiment.
[0120] The computer device can be a terminal, comprising a processor, memory, communication interface, display screen, and input devices connected via a system bus. The processor provides computing and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system and computer programs. The internal memory provides an environment for the operation of the operating system and computer programs stored in the non-volatile storage media. The communication interface is used for wired or wireless communication with external terminals; wireless communication can be achieved through Wi-Fi, carrier networks, NFC (Near Field Communication), or other technologies. The display screen can be an LCD screen or an e-ink screen. The input devices can be a touch layer covering the display screen, buttons, a trackball, or a touchpad on the computer device's casing, or an external keyboard, touchpad, or mouse.
[0121] This embodiment also provides a storage medium storing a computer program, which, when executed by a processor, implements the secure transmission method for environmental protection monitoring data as proposed in the above embodiments. The storage medium can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as Static Random Access Memory (SRAM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read Only Memory (EPROM), Programmable Red-Only Memory (PROM), Read-Only Memory (ROM), magnetic storage, flash memory, magnetic disk, or optical disk.
[0122] In summary, this invention achieves deep coupling between the encryption key and environmental monitoring data by utilizing the SHA hash function to perform hash transformation and orthogonalization on the generated environmental spatiotemporal feature vector, forming a dynamic encryption matrix. This enhances the encryption process's adaptability to dynamic environmental changes. Furthermore, by constructing a dual-verification model and performing distributed consistency checks, transmission path modeling, and attack pattern identification, multimodal joint verification is achieved, enhancing proactive defense capabilities during data transmission and thus improving the overall intelligence level of protection.
[0123] It should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and are not intended to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art should understand that modifications or equivalent substitutions can be made to the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, and all such modifications or substitutions should be covered within the scope of the claims of the present invention.
Claims
1. A method for securely transmitting environmental protection monitoring data, characterized in that: include, The process involves collecting environmental protection monitoring data, adding sampling timestamps to the data, and using GIS spatial registration algorithms to perform coordinate system transformation and spatial interpolation to generate environmental spatiotemporal feature vectors. The specific steps include the following: The sampling timestamps of environmental protection monitoring data are embedded and time-series aligned by using the PTP time synchronization protocol to form a unified time-series data sequence. The GIS spatial registration algorithm is used to perform coordinate system transformation on the time-series unified data sequence to obtain unified geocoding data, and kriging spatial interpolation is performed on the unified geocoding data to generate environmental spatiotemporal feature vectors. The SHA hash function is used to perform hash transformation and orthogonalization on the environmental spatiotemporal feature vector to form a dynamic encryption matrix. Based on the dynamic encryption matrix, block-based XOR encryption is performed on the environmental protection monitoring data to obtain preliminary encrypted data blocks. The specific steps include the following: The dynamic encryption matrix is used as the key seed, and a cyclic concatenation expansion is performed to form a valid encryption key; Based on the valid encryption key, perform byte-by-byte block division and byte-by-byte XOR operation on the environmental protection monitoring data to obtain preliminary encrypted data blocks; The initial encrypted data block is input into the dual-verification model. The integrity assessment layer performs distribution consistency verification, the risk assessment layer performs attack pattern identification, and the secure encrypted data block is output. The specific steps include the following: The initial encrypted data block is input into the dual verification model. The integrity assessment layer applies kernel density estimation to perform a distribution consistency check on the initial encrypted data block and generates an integrity verification label. The risk assessment layer performs attack pattern identification on the initial encrypted data blocks and generates potential risk levels. Based on the integrity verification label and potential risk level, the number of AES encryption rounds and transmission frame length of the initial encrypted data block are adjusted by a fuzzy PID controller to output a secure encrypted data block. The TLS secure transport protocol is applied to perform session key negotiation on secure encrypted data blocks, obtain transmission-ready data packets, perform real-time error detection and selective retransmission, and output a secure transmission data stream.
2. The secure transmission method for environmental protection monitoring data as described in claim 1, characterized in that: The environmental protection monitoring data includes sensor data, satellite remote sensing images, and ground monitoring videos.
3. The secure transmission method for environmental protection monitoring data as described in claim 2, characterized in that: The formation of the dynamic encryption matrix specifically includes the following steps. The environmental spatiotemporal feature vector is used as a random seed and input into the SHA hash function to perform a hash transformation, thereby obtaining a hash digest string; The hash digest string is orthogonalized and decomposed using singular values to form a dynamic encryption matrix.
4. The secure transmission method for environmental protection monitoring data as described in claim 1, characterized in that: The specific construction process of the dual verification model is as follows. A fully connected network is used to build an integrity assessment layer, and a convolutional neural network is used to build a risk assessment layer. Perform parameter initialization on the integrity assessment layer and the risk assessment layer, and apply skip connections for cross-stacking to build a dual-validation model.
5. The secure transmission method for environmental protection monitoring data as described in claim 1, characterized in that: The output secure data stream specifically includes the following steps. The CRC cyclic redundancy check algorithm is used to perform real-time error detection on the ready data packets and form an accuracy check flag. Based on the accuracy check flag, selectively retransmit ready data packets and output a secure transmission data stream.
6. A computer device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that: When the processor executes the computer program, it implements the steps of the secure transmission method for environmental protection monitoring data as described in any one of claims 1 to 5.
7. A computer-readable storage medium having a computer program stored thereon, characterized in that: When the computer program is executed by the processor, it implements the steps of the secure transmission method for environmental protection monitoring data as described in any one of claims 1 to 5.