Network packet control method and device based on three-level label and storage medium

By collaboratively parsing three levels of tags, the flow direction, access control, and business scenario tags of network data packets are generated, which solves the problem of disconnect between network and power services in the traditional IaaS cloud architecture and realizes dynamic adaptation and efficient scheduling of network resources and power services.

CN122160165APending Publication Date: 2026-06-05STATE GRID BEIJING ELECTRIC POWER CO +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
STATE GRID BEIJING ELECTRIC POWER CO
Filing Date
2026-04-07
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Traditional IaaS cloud architectures struggle to dynamically respond to varying demands for latency, bandwidth, security, and reliability in the power business environment. This leads to a mismatch between network resources and business load, a lack of awareness of business semantics, and a disconnect between the network and the power business scenario.

Method used

A three-level tag-based network packet control method is adopted. By acquiring flow information and application layer payload, a first tag, a second tag, and a third tag are generated to represent the flow characteristics, access control permissions, behavior type and risk level of network packets, as well as the business scenario and priority information they belong to. The three tags are then analyzed collaboratively to determine the network control strategy.

Benefits of technology

It enables automatic adaptation of network control strategies to power business scenarios, enhances the dynamic scheduling capability of network resources, and improves the stability and security of power services.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160165A_ABST
    Figure CN122160165A_ABST
Patent Text Reader

Abstract

The application discloses a network packet control method and device based on three-level labels and a storage medium, and relates to the technical cross field of cloud computing and power network. The method comprises the following steps: acquiring flow direction information and application layer load of a network packet; generating a first label according to the flow direction information and a preset access control strategy; obtaining security behavior information of the network packet by detecting the application layer load, and then generating a second label according to the security behavior information; querying and matching a corresponding business scenario from a preset business knowledge graph according to the flow direction information and / or the security behavior information, and generating a third label according to the matched business scenario; and determining a network control strategy and executing the network control strategy based on the collaborative analysis results of the first label, the second label and the third label. The application solves the technical problems that the network and the power business scenario are disconnected in the traditional IAAS cloud architecture, and the network strategy cannot be dynamically adapted according to the business demand.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the intersection of cloud computing and power grid technology, and more specifically, to a network data packet control method, apparatus, and storage medium based on three-level tags. Background Technology

[0002] In the process of digital transformation of the power system, cloud infrastructure, as the core platform supporting key businesses such as intelligent dispatching, renewable energy consumption, and electricity consumption information collection, urgently needs to have network control capabilities that are deeply adapted to business scenarios.

[0003] However, current mainstream IaaS (Infrastructure as a Service) cloud architectures generally adopt static network topologies and coarse-grained isolation mechanisms. Their network policies are mostly configured based on fixed IP addresses or ports, making it difficult to dynamically respond to the differentiated needs of power services in terms of latency, bandwidth, security, and reliability. Especially in multi-tenant, high-concurrency, and low-latency power service environments, traditional network architectures suffer from rigid resource scheduling, lagging policy adjustments, and insufficient granularity of traffic identification, leading to a mismatch between network resources and service load, affecting the stable operation of critical services. In addition, existing network equipment often relies on vendor-specific protocols, with tightly coupled control and forwarding functions, resulting in a lack of awareness of business semantics, highlighting the technical problem of network disconnect between traditional IaaS cloud architectures and power service scenarios.

[0004] There is currently no effective solution to the above problems. Summary of the Invention

[0005] This application provides a network data packet control method, apparatus, and storage medium based on three-level tags, to at least solve the technical problem of the disconnect between network and power service scenarios in traditional IaaS cloud architecture, and the inability to dynamically adapt network policies according to service needs.

[0006] According to one aspect of the embodiments of this application, a network data packet control method based on three-level tags is provided, comprising: acquiring the flow direction information and application layer payload of network data packets; generating a first tag based on the flow direction information and a preset access control policy, the first tag being used to characterize the flow direction characteristics and access control permissions of the network data packets; obtaining security behavior information of the network data packets by detecting the application layer payload, and then generating a second tag based on the security behavior information, the second tag being used to characterize the behavior type and risk level of the network data packets; querying and matching corresponding business scenarios from a preset business knowledge graph based on the flow direction information and / or security behavior information, and generating a third tag based on the matched business scenario, the third tag being used to characterize the business scenario to which the network data packets belong and the priority information of the business scenario; and determining and executing a network control policy for the network data packets based on the collaborative parsing results of the first tag, the second tag, and the third tag.

[0007] Optionally, obtaining the flow information and application layer payload of network data packets includes: performing layer-by-layer decapsulation processing on network data packets, sequentially parsing the Ethernet frame header, IP header, and transport layer header until the original application layer payload is obtained; and parsing the flow information from the decapsulated data, wherein the flow information includes at least: source IP address, destination IP address, source port, destination port, transport protocol, and data transmission direction.

[0008] Optionally, a first label is generated based on the flow information and a preset access control policy, including: converting each information element in the flow information into binary code according to a preset encoding rule, wherein the flow information includes the source IP address, destination IP address, transmission protocol, and data transmission direction; based on a role-based access control model, using the destination IP address and destination port parsed from the flow information as resource identifiers and the transmission protocol and data transmission direction as operation type identifiers, determining whether the access role corresponding to the network data packet has access permissions to the target resource and the target operation type, and generating a binary access control permission code based on the determination result, wherein the target resource is the resource pointed to by the resource identifier and the target operation type is the operation type executed by the operation type identifier; concatenating the binary code and the access control permission code into binary bits to generate a binary flow label; and using the binary flow label as the first label.

[0009] Optionally, determining whether the access role corresponding to the network data packet has access permissions to the target resource and target operation type based on the access control model includes: defining a set of roles corresponding to the access role, wherein the set of roles includes administrator roles, scheduler roles, and ordinary user roles; defining a set of access permissions corresponding to the access role, wherein the set of access permissions includes at least one of the permission configurations of allow access, deny access, and limit bandwidth; determining an access control judgment function based on the set of roles and the set of access permissions; wherein the access control judgment function is used to at least implement: when the flow information meets the access conditions set for the access role in the set of access permissions, the access control judgment function outputs a first judgment result indicating that the network data packet is allowed to pass; the first judgment result indicates that the access role corresponding to the network data packet has access permissions to the target resource and target operation type; when the flow information does not meet the access conditions set for the access role in the set of access permissions, the access control judgment function outputs a second judgment result indicating that the network data packet is denied to pass or the bandwidth of the network data packet is limited; the second judgment result indicates that the access role corresponding to the network data packet does not have access permissions to the target resource and target operation type.

[0010] Optionally, the binary encoding and access control authorization encoding are concatenated bit by bit to generate a binary flow direction label, including: converting the source IP address into a binary source IP address segment encoding according to a preset address segment encoding rule; converting the destination IP address into a binary destination IP address segment encoding according to a preset address segment encoding rule; converting the transmission protocol into a binary transmission protocol encoding according to a preset protocol encoding mapping table, wherein different types of transmission protocols correspond to different binary transmission protocol encodings; converting the data transmission direction into a binary transmission direction encoding according to a preset direction encoding mapping table, wherein the uplink transmission direction and downlink transmission direction correspond to different binary transmission direction encodings; and concatenating the binary source IP address segment encoding, binary destination IP address segment encoding, binary transmission protocol encoding, and binary transmission direction encoding bit by bit to obtain a binary flow direction label.

[0011] Optionally, by detecting the application layer payload to obtain security behavior information of network data packets, and then generating a second label based on the security behavior information, the process includes: using a field-programmable gate array (FPGA) as a hardware acceleration engine to perform decapsulation and feature detection on the application layer payload, wherein the hardware acceleration engine has a built-in preset behavior feature library, the feature detection is used to extract data features of the application layer payload, and multi-pattern matching is performed on the behavior feature library based on the data features to output a set of matched behavior features; the set of matched behavior features is input into a pre-trained neural network model, and the neural network model outputs the behavior type and risk level of the network data packets based on the behavior feature set, wherein the behavior type includes at least normal access behavior, abnormal access behavior, and malicious access behavior; the behavior time, behavior subject, behavior object, and behavior effect of the network data packets are extracted to constitute security behavior information, wherein the behavior effect includes at least access success, access failure, and access anomaly; each information element in the security behavior information and the behavior type and risk level output by the neural network model are converted into binary code according to preset encoding rules, and binary bits are concatenated to generate a binary behavior label; the generated binary behavior label is used as the second label.

[0012] Optionally, the various information elements in the safety behavior information, as well as the behavior type and risk level output by the neural network model, are converted into binary codes according to preset encoding rules, and then the binary bits are concatenated to generate a binary behavior label. This includes: converting the behavior time into a behavior time code according to preset time encoding rules, with the behavior time using a unified coordinated time format; converting the behavior type into a behavior type code according to a preset behavior type encoding mapping table; converting the address information of the behavior subject into a behavior subject code according to preset address encoding rules; converting the address information of the behavior object into a behavior object code according to preset address encoding rules; converting the behavior effect into a behavior effect code according to a preset behavior effect encoding mapping table; converting the identified risk level into a risk level code according to a preset risk level encoding mapping table; and concatenating the behavior time code, behavior type code, behavior subject code, behavior object code, behavior effect code, and risk level code into binary bits according to a preset bit allocation order to obtain a binary behavior label.

[0013] Optionally, based on flow direction information and / or security behavior information, the corresponding business scenario is queried and matched from a preset business knowledge graph, and a third label is generated based on the matched business scenario. This includes: performing data governance on multi-source power business data to obtain structured data after governance, where data governance includes data collection, data cleaning, data integration, and data standardization; constructing a business knowledge graph based on the structured data, wherein the business knowledge graph includes a set of nodes and a set of edges, where the set of nodes includes business scenario nodes, device nodes, user nodes, and data nodes, and the edges in the set of edges are used to represent the relationships between nodes; performing graph matching query in the business knowledge graph based on the information elements in the flow direction information and / or security behavior information to determine the business scenario to which the network data packet belongs; obtaining the business scenario identifier, business type, data type, data identifier, association weight, and business priority of the business scenario to which the network data packet belongs; converting the business scenario identifier, business type, data type, data identifier, association weight, and business priority into binary encoding according to preset encoding rules, concatenating the binary bits to obtain a binary business label; and using the binary business label as the third label.

[0014] Optionally, the node set includes at least: business scenario nodes, representing power business scenarios, including scenario ID, business type, and performance requirement attribute information; device nodes, representing power equipment, including device ID, equipment type, and operating status attribute information; user nodes, representing power business users, including user ID, role, and permission attribute information; data nodes, representing power business data, including data ID, data type, and data volume attribute information; and edges in the edge set are used to represent the relationships between nodes, including at least the relationships between power business scenarios and power equipment, power business scenarios and power business data, power equipment and power business data, and power business users and power business scenarios. Each edge in the edge set includes the relationship type and relationship weight attribute between any two nodes.

[0015] Optionally, the business scenario identifier, business type, data type, data identifier, association weight, and business priority are converted into binary codes according to preset encoding rules, and the binary bits are concatenated to obtain a binary business label. This includes: converting the business scenario identifier into a business scenario identifier code according to preset scenario identifier encoding rules, wherein the business scenario identifier includes power business type, area code, and sequence number information; converting the business type into a business type code according to a preset business type encoding mapping table, wherein the business type includes at least intelligent dispatch, renewable energy consumption, electricity consumption information collection, and electricity trading; and converting the data type into a data type code according to a preset data type encoding mapping table, wherein the data type is up to... The data includes at least scheduling data, electricity consumption data, transaction data, and equipment data. Data identifiers are converted into data identifier codes according to preset data identifier encoding rules. Association weights are converted into association weight codes according to preset weight encoding rules; association weights represent the degree of matching between data packets and business scenarios. Based on business priorities, data is converted into business priority codes according to a preset priority encoding mapping table, with business priorities including at least high, medium, and low priorities. The business scenario identifier code, business type code, data type code, data identifier code, association weight code, and business priority code are then concatenated into binary bits according to a preset bit allocation order to obtain a binary business label.

[0016] Optionally, based on the collaborative parsing results of the first label, second label, and third label, a network control policy is determined for the network data packet and executed. This includes: parsing the first label to extract the access control permission code, and determining whether the network data packet has access permissions based on the access control permission code; if it does not have access permissions, it is dropped or rate-limited; if the network data packet is detected to have access permissions, the second label is parsed to extract the risk level code and behavior type code, and it is determined whether the risk level of the network data packet exceeds a preset threshold or whether the behavior type is malicious based on the risk level code and behavior type code; if so, the network data packet is intercepted and an alarm message is generated; if the risk level does not exceed the preset threshold and the behavior type is not malicious, the third label is parsed to extract the business scenario identifier and business priority, and the business scenario to which the network data packet belongs is determined based on the business scenario identifier; based on the preset performance requirements and business priority of the business scenario to which the network data packet belongs, a network control policy is determined for the network data packet and executed. The network control policy is used to dynamically determine the data forwarding path and allocate network resources.

[0017] Optionally, the first label, the second label, and the third label have a hierarchical collaborative working relationship, wherein: the first label serves as the basic identification layer, used to implement entry access control and preliminary flow identification of network data packets; the second label serves as the security management layer, performing security detection and behavior analysis on network data packets after access control by the first label; and the third label serves as the service matching layer, matching network data packets with power service scenarios after dual filtering by the first and second labels.

[0018] According to another aspect of the embodiments of this application, a network data packet control device based on three-level tags is also provided, comprising: an acquisition unit, configured to acquire flow direction information and application layer payload of network data packets; a first tag generation unit, configured to generate a first tag based on the flow direction information and a preset access control policy, the first tag being used to characterize the flow direction characteristics and access control permissions of the network data packets; a second tag generation unit, configured to obtain security behavior information of network data packets by detecting the application layer payload, and then generate a second tag based on the security behavior information, the second tag being used to characterize the behavior type and risk level of the network data packets; a third tag generation unit, configured to query and match corresponding business scenarios from a preset business knowledge graph based on the flow direction information and / or security behavior information, and generate a third tag based on the matched business scenario, the third tag being used to characterize the business scenario to which the network data packets belong and the priority information of the business scenario; and a determination unit, configured to determine a network control policy for the network data packets and execute the network control policy based on the collaborative parsing results of the first tag, the second tag, and the third tag.

[0019] According to another aspect of the embodiments of this application, a computer-readable storage medium is also provided, which stores a computer program, wherein when the computer program is executed, the device where the computer-readable storage medium is located executes the above-described network data packet control method based on three-level tags.

[0020] According to another aspect of the embodiments of this application, an electronic device is also provided, including one or more processors and a memory, the memory being used to store one or more programs, wherein when the one or more programs are executed by the one or more processors, the one or more processors cause the one or more processors to perform the above-described network packet control method based on three-level tags.

[0021] According to another aspect of the embodiments of this application, a computer program product is also provided, including a computer program or instructions that, when executed by a processor, implement the above-described network data packet control method based on three-level tags.

[0022] In this application, the network packet control method based on three-level tags first obtains the flow information and application layer payload of the network packets; based on the flow information and a preset access control policy, a first tag is generated, which is used to characterize the flow characteristics and access control permissions of the network packets; by detecting the application layer payload, the security behavior information of the network packets is obtained, and then a second tag is generated based on the security behavior information, which is used to characterize the behavior type and risk level of the network packets; based on the flow information and / or security behavior information, the corresponding business scenario is queried and matched from a preset business knowledge graph, and a third tag is generated based on the matched business scenario, which is used to characterize the business scenario to which the network packets belong and the priority information of that business scenario; based on the collaborative parsing results of the first tag, the second tag, and the third tag, a network control policy is determined for the network packets and the network control policy is executed.

[0023] In this embodiment, a collaborative parsing approach based on three levels of tags—flow direction, behavior, and business—is adopted. This involves generating a first tag from the flow direction information and access control policies of network data packets, extracting security behavior information from deep application layer load detection to generate a second tag, and combining flow direction or behavior information with a business knowledge graph to match business scenarios and generate a third tag. This achieves the goal of dynamically embedding multi-dimensional business semantic identifiers into each data packet, thereby realizing the technical effect of automatically adapting network control policies to the needs of power business scenarios. This solves the technical problem in traditional IaaS cloud architecture where network and power business scenarios are disconnected, and network policies cannot be dynamically adapted according to business needs. Attached Figure Description

[0024] The accompanying drawings, which are included to provide a further understanding of this application and form part of this application, illustrate exemplary embodiments and are used to explain this application, but do not constitute an undue limitation of this application. In the drawings:

[0025] Figure 1 This is a flowchart of an optional network packet control method based on three-level tags according to an embodiment of this application;

[0026] Figure 2 This is a schematic diagram of an optional network packet control device based on a three-level tag, according to an embodiment of this application. Detailed Implementation

[0027] To enable those skilled in the art to better understand the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present application, and not all embodiments. Based on the embodiments in the present application, all other embodiments obtained by those of ordinary skill in the art without creative effort should fall within the scope of protection of the present application.

[0028] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of this application described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.

[0029] According to an embodiment of this application, a method embodiment of a network packet control method based on three-level tags is provided. It should be noted that the steps shown in the flowchart in the accompanying drawings can be executed in a computer system such as a set of computer-executable instructions. Furthermore, although a logical order is shown in the flowchart, in some cases, the steps shown or described may be executed in a different order than that shown here.

[0030] According to the embodiments of this application, a network packet control system based on three-level tags (hereinafter referred to as the system) can be used as the execution subject of the network packet control method based on three-level tags in the embodiments of this application. The network packet control system based on three-level tags can be a software system or an embedded system combining software and hardware. Of course, the execution subject of the method in the embodiments of this application can also be other forms of execution subject, such as devices or equipment. Those skilled in the art should know that this application does not particularly limit the specific form of the execution subject.

[0031] Figure 1 This is a flowchart of an optional network packet control method based on three-level tags according to an embodiment of this application, such as... Figure 1 As shown, the method includes the following steps:

[0032] Step S101: Obtain the flow information of network data packets and application layer payload.

[0033] Optionally, flow information refers to the network layer and transport layer metadata carried by network data packets during transmission, including source IP address, destination IP address, source port, destination port, transmission protocol, and transmission direction (uplink / downlink).

[0034] Optionally, the application layer payload refers to the original business data content remaining after the Ethernet frame header, IP header, and TCP / UDP header are stripped from the data packet, such as the URL in an HTTP request, the domain name in a DNS query, the register value of a Modbus command, and the command field of a power dispatch message.

[0035] Step S102: Generate a first tag based on the flow information and the preset access control policy. The first tag is used to characterize the flow characteristics and access control permissions of network data packets.

[0036] Optionally, the first tag is a 32-bit fixed-length binary encoded tag whose structure is jointly encoded by flow information and access control permissions, serving as the first pass identifier at the network layer.

[0037] Optionally, the preset access control policy is a set of predefined role-based access control rules based on the security requirements of the power business scenario. The policy is stored in the network orchestration layer in the form of a policy library and supports dynamic updates.

[0038] Optionally, the system queries the policy library based on the extracted flow information, calls a judgment function, and determines whether the data packet conforms to the access permissions of the current user role. If the judgment is successful, it is encoded in a 32-bit tag: the first 8 bits are the source IP segment, the next 8 bits are the destination IP segment, bits 17–20 are the protocol encoding, bits 21–24 are the direction encoding, and bits 25–32 are the permission encoding. If the judgment is denied, the permission encoding is 00000010, and a drop or rate limiting action is triggered. The entire encoding process is completed in parallel by the tag orchestration module in the hardware acceleration unit, which helps to synchronize tag generation and data packet forwarding.

[0039] Optionally, the first label enables a leap from static to dynamic semantic authorization in network access control. Traditional networks can only perform coarse-grained isolation based on IP segments, while this application can make rapid decisions locally based on labels, achieving fine-grained access control with low latency, high concurrency, and traceability, which is conducive to the network boundary security of core power businesses.

[0040] Step S103: By detecting the application layer payload, security behavior information of network data packets is obtained, and then a second label is generated based on the security behavior information. The second label is used to characterize the behavior type and risk level of the network data packets.

[0041] Optionally, the second tag is a 64-bit fixed-length binary tag used to structurally express security behavior information. It is a network-level behavioral fingerprint used to identify potential threats and abnormal operations.

[0042] Optionally, after the data packet is rapidly decapsulated in the hardware acceleration module, the application layer payload is sent to the deep packet inspection engine. The deep packet inspection engine uses the AC automaton algorithm to perform feature matching on the payload, quickly identifying known attack patterns. Subsequently, the matching results are input into a long short-term memory neural network model, combined with historical behavior data, to identify the behavior type and risk level. The system converts the UTC timestamp to 32-bit binary, encodes the behavior type as 8 bits, and the risk level as 4 bits, and combines this with the subject / object IP encoding to generate a complete 64-bit second tag. The entire process is completed on the forwarding path without introducing additional latency.

[0043] Optionally, the second tag can enable a security paradigm upgrade from passive defense to proactive behavior recognition, enabling the network to have the ability to generalize the recognition of unknown threats and provide quantifiable risk basis for subsequent policy scheduling, thereby improving the power system's ability to detect and block advanced persistent threats.

[0044] Step S104: Based on the flow information and / or security behavior information, query and match the corresponding business scenario from the preset business knowledge graph, and generate a third tag based on the matched business scenario. The third tag is used to characterize the business scenario to which the network data packet belongs and the priority information of the business scenario.

[0045] Optionally, the business knowledge graph is a semantic network for power business constructed with a graph structure. Nodes include business scenarios, equipment, users, and data types, while edges represent relationships.

[0046] Optionally, the third tag is a 64-bit binary tag that encodes the business scenario ID, business type, data type, data ID, knowledge graph association weight, and business priority, serving as a semantic bridge between the network and the business scenario.

[0047] Optionally, after receiving the first and second tags, the topology definition module of the network orchestration layer extracts the source / destination IP and behavior type / object as query keywords and inputs them into the business knowledge graph system. The system uses a graph neural network inference engine to search for the business scenario node in the graph that best matches the IP pair or behavior pattern, and obtains attributes such as association weight and priority. Subsequently, the scenario ID is encoded as 16 bits, the business type as 8 bits, the data type and weight as 8 bits, and the priority are combined into a 64-bit third tag.

[0048] Optionally, the third tag enables deep binding of network traffic with power business semantics. Through semantic reasoning of the knowledge graph, each data packet carries its own identity tag, which clarifies the business scenario and importance level to which it belongs, providing a basis for subsequent differentiated resource scheduling, bandwidth guarantee and fault isolation.

[0049] Step S105: Based on the collaborative parsing results of the first label, the second label, and the third label, determine the network control policy for the network data packet and execute the network control policy.

[0050] Optionally, the collaborative resolution result refers to the network orchestration layer's policy scheduling module simultaneously reading the first label, the second label, and the third label, performing multi-dimensional joint reasoning, and deriving the final network control command.

[0051] Optionally, the network control policy is a set of forwarding rules dynamically generated by the network orchestration layer, including path selection, bandwidth allocation, priority scheduling, forwarding acceleration methods, failover paths, etc., which are execution instructions that match network resources with service requirements.

[0052] Optionally, all policies are distributed to the forwarding devices at the infrastructure layer via standardized interfaces, and the devices perform matching and forwarding at the hardware level based on the tag content. Through the coordination of three tags, the system enables the network to have the ability to self-awareness, self-decision-making, and self-adjustment.

[0053] In one optional embodiment, obtaining the flow direction information and application layer payload of network data packets includes: performing layer-by-layer decapsulation processing on the network data packets, sequentially parsing the Ethernet frame header, IP header, and transport layer header until the original application layer payload is obtained; and parsing the flow direction information from the decapsulated data, wherein the flow direction information includes at least: source IP address, destination IP address, source port, destination port, transport protocol, and data transmission direction.

[0054] Optionally, the system first performs layer-by-layer decapsulation processing on the incoming network data packets. This process strictly follows the OSI seven-layer model, stripping data from the bottom layer to the application layer in reverse: First, the 14-byte frame header of the data link layer is parsed to obtain the source MAC address and destination MAC address, used to confirm whether the data packet is within the receiving range of this node. However, this information does not participate in subsequent tag generation and is only used for local link forwarding judgment. After confirming that the Ethernet frame is valid, the IPv4 or IPv6 header of the network layer is parsed to extract key fields: source IP address and destination IP address, used to identify the network nodes at both ends of the communication. The TCP or UDP header is then parsed to extract the source port and destination port, used to identify the specific application service. At the same time, the protocol type field is read to determine whether it is TCP, UDP, or other protocols, in order to determine the rule set for subsequent parsing semantics. After completing the above three-layer header parsing, the remaining part of the data packet is the original application layer payload, such as the binary message of power dispatch instructions, the JSON data packet of electricity consumption information collection, etc.

[0055] Optionally, after decapsulation, the system extracts flow information from the stripped header information in a structured manner. This flow information consists of six core parameters: source IP address (a unique identifier for the initiating device in the IP network, identifying the data source); destination IP address (the IP address of the target receiving node, determining the data destination); source port (the transport layer port number used by the initiator, identifying the application process, with a value range of 0 to 65535); destination port (the port number listened to by the target service, identifying the service type); transport protocol (the transport layer protocol used by the data packet, directly affecting subsequent behavior parsing strategies); and data transmission direction (determining whether it is uplink or downlink based on preset rules of the power business network topology, distinguishing business semantics).

[0056] Optionally, by systematically and standardizedly parsing the protocol stack header of network data packets, the six-dimensional flow information of source / destination IP, port, protocol and transmission direction can be completely extracted. This not only solves the problem of traditional networks where only the address is known but not the intent, but also constructs a semantic awareness entry point that can be encoded, traced and reasoned.

[0057] In one optional embodiment, generating a first tag based on flow information and a preset access control policy includes: converting each information element in the flow information into binary code according to a preset encoding rule, wherein the flow information includes source IP address, destination IP address, transmission protocol, and data transmission direction; determining whether the access role corresponding to the network data packet has access rights to the target resource and target operation type based on a role-based access control model, using the destination IP address and destination port parsed from the flow information as resource identifiers and the transmission protocol and data transmission direction as operation type identifiers, and generating a binary access control permission code based on the determination result, wherein the target resource is the resource pointed to by the resource identifier and the target operation type is the operation type executed by the operation type identifier; concatenating the binary code and the access control permission code into binary bits to generate a binary flow tag; and using the binary flow tag as the first tag.

[0058] Optionally, the preset encoding rules are a set of binary encoding mapping specifications predefined by the system to achieve label standardization and fixed length, as follows:

[0059] Source IP address: Use IPv4 or IPv6 format, divide it into four segments of 8 bits each, and take the first 8 bits as the encoding, which occupies 8 bits;

[0060] Destination IP address: in IPv4 or IPv6 format;

[0061] Transmission protocols: TCP=0001, UDP=0010, ICMP=0011, other protocols are uniformly encoded as 1111;

[0062] Data transmission direction: Uplink = 0001, Downlink = 0010.

[0063] Optionally, the system converts unstructured text / numerical information such as IP addresses, protocols, and directions into standardized, machine-readable binary codes, providing a unified format input for subsequent tag splicing. This reduces parsing ambiguities caused by differences in address formats or inconsistent protocol descriptions, and helps tags achieve consistency and interoperability across network devices.

[0064] Optionally, the resource identifier is a combination of the destination IP address and the destination port, used to uniquely identify the target service being accessed.

[0065] Optionally, the operation type identifier is composed of a combination of the transport protocol and the direction of data transmission, used to describe the nature of the access behavior.

[0066] Optionally, the access control permission code is an 8-bit binary field used to encode the final access determination result, where 00000001 indicates access is allowed; 00000010 indicates access is denied; 00000100 indicates bandwidth is limited; and 11111111 indicates an undefined or unmatched policy.

[0067] Optionally, the system queries the policy database for the role to which the current data packet belongs based on its source IP address. Then, the system compares the resource identifier and operation type identifier of the current data packet to see if they completely match the rule. If they match, access is allowed, and permission code 00000001 is generated; otherwise, access is denied.

[0068] Furthermore, the system concatenates the generated 16-bit flow direction element code with the 8-bit access control permission code at the bit level to form an intermediate code with a total length of 24 bits. In this application, since the first tag is 32 bits, to satisfy structural integrity, the system adds reserved bits (all 0s) to the first 8 bits, finally generating a complete 32-bit binary flow direction tag, which can be directly embedded in the packet header, allowing downstream forwarding devices to perform zero-query, single-cycle matching at the hardware level, realizing efficient execution of the tag as policy.

[0069] Optionally, the formula for generating the flow direction label is:

[0070] (1)

[0071] Among them, Encode() is the encoding function that converts each field's encoding into a 32-bit binary flow label; Encoding the source IP address range Encodes the destination IP address range. For transmission protocol encoding, Encoding for transmission direction, Encoding for access control permissions.

[0072] For example, if a data packet has a source IP of 192.168.1.100, a destination IP of 10.0.0.50, a transport protocol of TCP, a transport direction of UP, and an access permission of "allow access", then its flow label encoding is: 00000001 00000010 0001 000100000001.

[0073] Optionally, the system will ultimately inject the generated 32-bit binary flow label directly into the scalable metadata area of ​​the data packet by the network orchestration layer, and enter the forwarding device of the infrastructure layer along with the data packet. This will become the starting point for the subsequent collaborative parsing of the second and third labels, and will be the first semantic anchor point for the system to realize business scenario-driven network policy decisions. This will help solve the pain points of rigid policies, slow response, and ambiguous permissions in power networks.

[0074] In an optional embodiment, determining whether the access role corresponding to the network data packet has access permissions to the target resource and the target operation type based on the access control model includes: defining a set of roles corresponding to the access role, wherein the set of roles includes administrator roles, scheduler roles, and ordinary user roles; defining a set of access permissions corresponding to the access role, wherein the set of access permissions includes at least one of the permission configurations of allow access, deny access, and limit bandwidth; determining an access control judgment function based on the set of roles and the set of access permissions; wherein the access control judgment function is used to at least implement: when the flow information meets the access conditions set for the access role in the set of access permissions, the access control judgment function outputs a first judgment result indicating that the network data packet is allowed to pass; the first judgment result indicates that the access role corresponding to the network data packet has access permissions to the target resource and the target operation type; when the flow information does not meet the access conditions set for the access role in the set of access permissions, the access control judgment function outputs a second judgment result indicating that the network data packet is denied to pass or the bandwidth of the network data packet is limited; the second judgment result indicates that the access role corresponding to the network data packet does not have access permissions to the target resource and the target operation type.

[0075] Optionally, the access role refers to the permission identity corresponding to the entity that initiates or receives data packets in the network. This identity is dynamically bound to the source IP address or device identifier by the power business system when the user logs in or the device registers.

[0076] Optionally, the system predefines a set of standardized identity types to classify and manage the network access capabilities of different users or devices. In this embodiment, roles are divided into three categories: administrator roles, who have configuration, auditing, and emergency intervention permissions for all network resources, and are usually system maintenance personnel; dispatcher roles, who can access dispatch command services and issue control commands, but cannot modify network policies; and ordinary user roles, who are only allowed to access public data services and are prohibited from accessing core control channels.

[0077] Optionally, during the initialization phase, the system obtains user / device identities through the identity authentication platform of the power business system and maps them to role identifiers. Secondly, the system presets a corresponding set of permissions for each role and configures it in the policy library.

[0078] Optionally, when the system receives a data packet, it first queries the role set from the source IP address to determine the access role, then extracts traffic information, and finally searches the policy library for the permission set corresponding to the role, matching the resource and operation type to see if they match. If the first judgment result is obtained, i.e., access is allowed, the system determines that the access role corresponding to the data packet has full access rights to the target resource and the target operation type. If the second judgment result is obtained, i.e., access is denied or rate-limited, if access is denied, the data packet is discarded and an audit log is recorded; if bandwidth is limited, the data packet is retained, but the rate is limited to a preset value through the quality of service mechanism, and the permission code is set to 00000100.

[0079] Optionally, the system implements a closed-loop intelligent access control driven by business roles at the edge of the power network through a three-in-one design of roles, permissions, and judgment functions, which solves the core problems of chaotic permission configuration, high response latency, and difficulty in unifying policies in the traditional IaaS architecture.

[0080] In one optional embodiment, binary encoding and access control permission encoding are concatenated bit-by-bit to generate a binary flow label, including: converting the source IP address into a binary source IP address segment encoding according to a preset address segment encoding rule; converting the destination IP address into a binary destination IP address segment encoding according to a preset address segment encoding rule; converting the transmission protocol into a binary transmission protocol encoding according to a preset protocol encoding mapping table, wherein different types of transmission protocols correspond to different binary transmission protocol encodings; converting the data transmission direction into a binary transmission direction encoding according to a preset direction encoding mapping table, wherein the uplink transmission direction and downlink transmission direction correspond to different binary transmission direction encodings; and concatenating the binary source IP address segment encoding, binary destination IP address segment encoding, binary transmission protocol encoding, and binary transmission direction encoding bit-by-bit to obtain a binary flow label.

[0081] Optionally, to save label space and maintain coding consistency, the address segment encoding rule uses only the first segment of the IPv4 address as the encoding basis, rather than the complete 32-bit address. This design is based on the centralized management characteristics of power network topology, where devices within the same area or subnet typically have the same prefix segment, and the first segment is sufficient to distinguish the main service domains. The first decimal segment of the source IP address is converted into an 8-bit binary number through address segment encoding to form a fixed-length code.

[0082] Optionally, the binary destination IP address segment encoding follows the same source IP encoding rule, where the first decimal value is converted into an 8-bit binary code to identify the business domain to which the target service belongs.

[0083] Optionally, the protocol encoding mapping table is a predefined system-defined unique mapping relationship between protocols and binary codes, which helps to uniquely identify different protocols and reduce ambiguity.

[0084] Optionally, the system concatenates the 8-bit binary source address segment code, the binary destination IP address segment code, the binary transmission protocol code, and the binary transmission direction code in a fixed order to form an intermediate code with a total length of 24 bits.

[0085] Optionally, the system uses standardized encoding and bit-level concatenation to achieve a digital, structured, and machine-readable representation of network traffic characteristics. This allows downstream forwarding devices to perform access control, path selection, and quality of service scheduling simply by matching tags, without needing to parse IP headers or protocol headers, thus achieving an efficient tag-as-policy execution mechanism.

[0086] In one optional embodiment, security behavior information of network data packets is obtained by detecting the application layer payload, and then a second label is generated based on the security behavior information. This includes: using a field-programmable gate array (FPGA) as a hardware acceleration engine to perform decapsulation and feature detection on the application layer payload. The hardware acceleration engine has a built-in preset behavior feature library. Feature detection is used to extract data features from the application layer payload and perform multi-pattern matching on the behavior feature library based on the data features, outputting a set of matched behavior features; inputting the set of matched behavior features into a pre-trained neural network model, which outputs the behavior type and risk level of the network data packets based on the behavior feature set. The behavior type includes at least normal access behavior, abnormal access behavior, and malicious access behavior; extracting the behavior time, behavior subject, behavior object, and behavior effect of the network data packets to constitute security behavior information. The behavior effect includes at least successful access, failed access, and abnormal access; converting each information element in the security behavior information and the behavior type and risk level output by the neural network model into binary encoding according to preset encoding rules, and concatenating the binary bits to generate a binary behavior label; and using the generated binary behavior label as the second label.

[0087] Alternatively, a field-programmable gate array (FPGA) is a reconfigurable hardware chip that can process data packets in parallel at the logic gate level, thereby enabling a fast response throughout the entire process from message reception to tag generation.

[0088] Optionally, the behavioral signature database is a collection of structured attack patterns built by power industry security experts, containing signatures of known malicious behaviors, such as SQL injection, malicious code transmission, port scanning, and abnormal protocols.

[0089] Optionally, feature detection refers to a parallel matching engine running in a field-programmable gate array (FPGA) that scans the application layer payload byte by byte, quickly locates matching items in the feature library, and outputs a set of all matched feature fragments.

[0090] Optionally, after the data packet enters the network device, its application layer payload is fed into the decapsulation pipeline of the field-programmable gate array (FPGA):

[0091] 1. Packet decapsulation: Stripping the packet header layer by layer (Ethernet frame header, IP header, TCP / UDP header, application layer header) until the original payload is parsed;

[0092] 2. Feature Extraction: Extract application layer features of data packets (such as HTTP URLs, DNS query domains, TLS SNI fingerprints, etc.).

[0093] 3. Behavior Recognition: Based on the extracted features, identify the security behavior of data packets, including behavior time, behavior type, behavior effect, etc.

[0094] 4. Behavioral assessment: Conduct risk assessments on identified security behaviors to determine whether they are malicious (such as SQL injection, malicious code transmission, etc.).

[0095] The feature matching algorithm employs the AC automaton algorithm to quickly match application layer features of data packets, identifying application types and behavioral characteristics. The core of the AC automaton algorithm is to construct a pattern tree, building a pattern tree from known behavioral features, and then traversing the payload of the data packets to quickly match features in the pattern tree, achieving a matching efficiency of O(n), where n is the length of the data packet payload.

[0096] Let the known set of behavioral features be Pattern={P1,P2,……P}. k}, where the data packet payload is Data, and the feature matching function is Match(Data, Pattern), as shown in formula (2):

[0097] (2)

[0098] That is, to match all known behavioral characteristics contained in the packet payload.

[0099] In addition, the behavior recognition algorithm, based on feature matching results and combined with a machine learning model, identifies the security behavior type and risk level of data packets. Let the feature matching result be M, the behavior recognition model be Model, and the behavior recognition function be Recognize(M,Model), as shown in formula (3):

[0100] (3)

[0101] Here, TYPE represents the identified behavior type, and RISK represents the identified risk level.

[0102] Optionally, this system employs a Long Short-Term Memory (LSTM) network as the neural network model for behavior recognition, trained on historical power network logs. The input is a set of behavioral features, and the output is the behavior type and risk level. The behavior type refers to the classification of the business intent reflected in the data packet, defined as three categories: normal access behavior, abnormal access behavior, and malicious access behavior. The risk level is quantified from 0 to 5, where 0 = no risk and 5 = fatal risk.

[0103] Optionally, the system encodes the feature set into a fixed-length feature vector, inputs it into a trained long short-term memory network model, and outputs the behavior category and risk level.

[0104] The network layer structure of the Long Short-Term Memory (LSTM) network model consists of the following three parts:

[0105] 1. Input layer: Receives a fixed-dimensional feature vector generated by encoding the behavioral feature set. Each time step corresponds to a behavioral feature, forming a time-series input sequence.

[0106] 2. Core Layer: Contains three gating structures and one cell state:

[0107] (1) Forget gate: determines which information from the cell state at the previous moment should be discarded;

[0108] (2) Input gate: determines which new information should be updated to the cell state at the current moment;

[0109] (3) Output gate: determines which parts of the cell state at the current moment will be output;

[0110] (4) Cell state: a memory channel that runs through the entire sequence and is used to store key semantic information for a long time to avoid gradient vanishing.

[0111] 3. Output Layer: Receives the final hidden state from the core layer and maps it to the output dimension through a fully connected layer.

[0112] (1) Use the Softmax activation function to output the classification probability distribution of behavior types;

[0113] (2) The Sigmoid activation function is used to output continuous predicted values ​​of risk levels or discretized into 6 types of output.

[0114] Optionally, the system directly extracts the behavior time, behavior subject, behavior object, and behavior effect from the packet metadata. The behavior time refers to the UTC time of the packet arrival at the network device, used for tracing and auditing. The behavior subject is the identity of the device or user initiating the behavior, typically represented by the source IP address or bound user ID in the first tag. The behavior object is the target resource being accessed, identified by the destination IP address and destination port. The behavior effect is the execution result of the behavior at the target end, categorized as: successful access, failed access, and abnormal access. By associating complete security behavior information with each network packet, the system forms an audit trail that can be recorded and queried, thereby providing data support for fault backtracking and attack chain reconstruction.

[0115] Optionally, to meet the 64-bit fixed length requirement, the system defines a standard field mapping: 32-bit behavior time, 8-bit behavior type, 8-bit behavior subject, 8-bit behavior object, 4-bit behavior effect, and 4-bit risk level. The system's concatenation order is: [32-bit time][8-bit type][8-bit subject][8-bit object][4-bit effect][4-bit risk].

[0116] Optionally, a 64-bit binary behavior label is injected into the metadata area of ​​the data packet by the label orchestration module and enters the forwarding path with the packet. The subsequent topology definition module and policy scheduling module will dynamically determine whether to enable isolation tunnels, allocate high-priority queues, trigger alarms, and other policies based on this label.

[0117] In one optional embodiment, the various information elements in the safety behavior information, as well as the behavior type and risk level output by the neural network model, are converted into binary codes according to preset encoding rules, and then the binary bits are concatenated to generate a binary behavior label. This includes: converting the behavior time into a behavior time code according to preset time encoding rules, with the behavior time using a unified coordinated time format; converting the behavior type into a behavior type code according to a preset behavior type encoding mapping table; converting the address information of the behavior subject into a behavior subject code according to preset address encoding rules; converting the address information of the behavior object into a behavior object code according to preset address encoding rules; converting the behavior effect into a behavior effect code according to a preset behavior effect encoding mapping table; converting the identified risk level into a risk level code according to a preset risk level encoding mapping table; and concatenating the behavior time code, behavior type code, behavior subject code, behavior object code, behavior effect code, and risk level code into binary codes according to a preset bit allocation order to obtain a binary behavior label.

[0118] Optionally, the behavior time encoding uses the number of milliseconds accumulated since 00:00:00 UTC on January 1, 1970, converted into a 32-bit unsigned integer representation. Its coverage is long and can meet the needs of long-term operation and log archiving of power business.

[0119] Optionally, the 8-bit behavior type can be mapped as: Normal = 00000001, Abnormal = 00000010, Malicious = 00000100; the 4-bit behavior effect can be mapped as: Success = 0001, Failure = 0010, Abnormal = 0011; the 4-bit risk level 0–5 is mapped as: 0000–0101, and 6 and above as 1111.

[0120] Optionally, the system ultimately concatenates the following in sequence: 32-bit behavior time code, 8-bit behavior type code, 8-bit behavior subject code, 8-bit behavior object code, 4-bit behavior effect code, and 4-bit risk level code to form a binary behavior tag, which is directly injected into the data packet metadata and used as a second tag. Its total length is 64 bits.

[0121] Optionally, the formula for generating behavior tags is formula (4):

[0122] (4)

[0123] Among them, Encode() is the encoding function that converts each field into a 64-bit binary line label; Encoding behavior time, Encoding behavior types, Encode the subject of the action. Encoding behavior objects, Encoding the effect of behavior, Risk level coding.

[0124] For example, if a data packet's behavior time is 2026-03-10 14:34:00.123, its behavior type is normal behavior, its behavior subject is 192.168.1.100, its behavior object is 10.0.0.50, its behavior effect is success, and its risk level is 0, then its behavior tag code is: 00000001 00000010 00000011 00000100 00000001 00000001 00010000.

[0125] Optionally, the system achieves global consistency, resolvability, and hardware readability of tags through standardized bit layout, enabling downstream forwarding devices to complete closed-loop control of behavior recognition, policy matching, and action execution within a single cycle without relying on external systems.

[0126] In one optional embodiment, based on flow direction information and / or security behavior information, a corresponding business scenario is queried and matched from a preset business knowledge graph, and a third label is generated based on the matched business scenario. This includes: performing data governance on multi-source power business data to obtain structured data after governance, where data governance includes data collection, data cleaning, data integration, and data standardization; constructing a business knowledge graph based on the structured data, wherein the business knowledge graph includes a set of nodes and a set of edges, where the set of nodes includes business scenario nodes, device nodes, user nodes, and data nodes, and the edges in the set of edges are used to represent the relationships between nodes; performing graph matching query in the business knowledge graph based on the information elements in the flow direction information and / or security behavior information to determine the business scenario to which the network data packet belongs; obtaining the business scenario identifier, business type, data type, data identifier, association weight, and business priority of the business scenario to which the network data packet belongs; converting the business scenario identifier, business type, data type, data identifier, association weight, and business priority into binary encoding according to preset encoding rules, concatenating the binary bits to obtain a binary business label; and using the binary business label as the third label.

[0127] Optionally, multi-source power business data refers to heterogeneous data from different business systems, including: business data, such as dispatch instructions and power transaction records; equipment data, such as substation terminal operating status and communication gateway logs; and user data, such as dispatcher login behavior and operation records of maintenance personnel.

[0128] Optionally, data governance involves the system performing four standardized steps to improve data quality and availability:

[0129] 1. Data Acquisition: Data is periodically extracted from platforms such as EMS, DMS, and electricity information collection systems via protocols such as API, MQTT, and IEC 104;

[0130] 2. Data cleaning: Remove duplicates, missing values, and outliers; use interpolation to fill in missing points and the Isolation Forest algorithm to remove outliers.

[0131] 3. Data Integration: Align data from different systems using primary keys such as timestamp, device ID, and user ID to create a unified data view;

[0132] 4. Data standardization: Unify naming conventions, encoding rules, time formats, and units to ensure data consistency.

[0133] Optionally, the evaluation indicators for data governance include data accuracy, data integrity, and data consistency, with the specific calculation formulas as follows:

[0134] The formula for calculating data accuracy is formula (5):

[0135] (5)

[0136] The formula for calculating data integrity is formula (6):

[0137] (6)

[0138] The formula for calculating data consistency is formula (7):

[0139] (7)

[0140] Optionally, the business knowledge graph is a semantic network that models power business entities and their semantic relationships using a graph structure. The node set includes four types of entities: business scenario nodes, equipment nodes, user nodes, and data nodes. The edge set represents the semantic relationships between nodes, with each edge containing a relationship type and a relationship weight. The system automatically learns entity relationships in structured data using a graph neural network algorithm, transforming the originally discrete business data into a semantically interconnected network structure, enabling the network system to understand specific semantic information.

[0141] Optionally, when a data packet enters the system, the tag orchestration module extracts key fields from its first and second tags, and then performs subgraph matching in the knowledge graph to determine the business scenario. After determining the business scenario, the system extracts six attributes of the node from the knowledge graph as the encoding basis for the third tag, including: business scenario identifier, business type, data type, data identifier, association weight, and business priority. Specifically, the business scenario identifier is 16 bits long, the business type is 8 bits, the data type is 8 bits, the data identifier is 16 bits, the association weight is 8 bits, and the business priority is 8 bits.

[0142] Optionally, the system injects binary service tags into the data packet metadata area, which together with the first tag and the second tag form a three-level tag system, and enters the forwarding path with the data packet.

[0143] Optionally, the business knowledge graph models the semantic relationships between four types of entities in the power system—business, equipment, users, and data—through a graph structure, providing accurate association basis for the generation of third labels. This graph is automatically generated by the topology definition module of the network orchestration layer based on structured data after data governance, and uses graph neural networks for relationship mining, which contributes to the automation and high accuracy of relationship generation.

[0144] In one optional embodiment, the node set includes at least: a business scenario node, representing a power business scenario, including scenario ID, business type, and performance requirement attribute information; a device node, representing a power device, including device ID, device type, and operating status attribute information; a user node, representing a power business user, including user ID, role, and permission attribute information; and a data node, representing power business data, including data ID, data type, and data volume attribute information. The edges in the edge set are used to represent the association relationships between nodes, including at least the association relationship between power business scenarios and power devices, the association relationship between power business scenarios and power business data, the association relationship between power devices and power business data, and the association relationship between power business users and power business scenarios. Each edge in the edge set includes the association type and association weight attribute of any two nodes.

[0145] In one optional embodiment, the business scenario identifier, business type, data type, data identifier, association weight, and business priority are converted into binary codes according to preset encoding rules, and the binary bits are concatenated to obtain a binary business tag. This includes: converting the business scenario identifier into a business scenario identifier code according to preset scenario identifier encoding rules; the business scenario identifier includes power business type, area code, and sequence number information; converting the business type into a business type code according to a preset business type encoding mapping table; the business type includes at least intelligent dispatching, renewable energy consumption, electricity consumption information collection, and electricity trading; and converting the data type into a data type code according to a preset data type encoding mapping table. The data types include at least scheduling data, electricity consumption data, transaction data, and equipment data. Data identifiers are converted into data identifier codes according to preset data identifier encoding rules. Association weights are converted into association weight codes according to preset weight encoding rules; association weights represent the degree of matching between the data packet and the business scenario. Based on business priority, data is converted into business priority codes according to a preset priority encoding mapping table; business priorities include at least high priority, medium priority, and low priority. The business scenario identifier code, business type code, data type code, data identifier code, association weight code, and business priority code are concatenated into binary bits according to a preset bit allocation order to obtain a binary business label.

[0146] Optionally, the business scenario identifier is a structured string that uniquely identifies a power business scenario, formatted as SC-{business type}-{region code}-{serial number}, such as SC-DD-001-001 representing an intelligent dispatch scenario, region 001, and serial number 001. The three parts of the SCID are uniformly mapped to a 16-bit binary code, i.e., the business scenario identifier code. Using a pre-allocated hash or static mapping table helps ensure global uniqueness.

[0147] Optionally, the business type refers to one of the four core business scenario categories defined in the power system, which are defined by the business scenario layer and have clear semantic boundaries. In this application, intelligent dispatch = 00000001, renewable energy consumption = 00000010, electricity consumption information collection = 00000100, electricity trading = 00001000, and undefined = 11111111.

[0148] Optionally, data type refers to the category of data content processed or transmitted in the business scenario, which is the content dimension of business semantics. In this application, scheduling data = 00000001, electricity consumption data = 00000010, transaction data = 00000100, equipment data = 00001000, and undefined = 11111111.

[0149] Optionally, the data identifier is a string that uniquely identifies a specific data instance and is mapped to a 16-bit binary code through hashing or pre-allocation, which helps to ensure that the same data has a consistent code across different nodes.

[0150] Optionally, the association weight represents the semantic matching strength between network data packets and the target business scenario, calculated from the knowledge graph, ranging from 0.00 to 1.00, with precision retained to two decimal places. A floating-point number is multiplied by 255, mapped to an integer between 0 and 255, and then encoded into 8 bits to achieve high-precision quantization.

[0151] Optionally, when the weight is greater than or equal to 0.9, it is considered a strong correlation and a dedicated channel is enabled; when the weight is less than 0.5, it is considered a weak correlation and is downgraded or discarded, thereby reducing the false triggering of the strategy due to graph matching noise.

[0152] Optionally, the service priority is the scheduling priority defined by the operation and maintenance strategy or SLA agreement, which determines the order of resource allocation. In this application, high priority = 0000000, medium priority = 00000010, low priority = 00000100, and undefined = 11111111.

[0153] Optionally, the system concatenates the following codes in the following order: 16-bit business scenario identifier code, 8-bit business type code, 8-bit data type code, 16-bit data identifier code, 8-bit association weight code, and 8-bit business priority code. This helps to ensure the consistency of coding across all network devices and cannot be changed.

[0154] Optionally, the formula for generating the business tag is formula (8):

[0155] (8)

[0156] Among them, Encode() is the encoding function that converts each field's encoding into a 64-bit binary business label; Encode the business scenario ID. Encode the business type. Encode the data type. Encode the data ID. Encoding the association weights of the knowledge graph. Encode business priorities.

[0157] For example, if a data packet corresponds to a business scenario ID of SC-DD-001-001, the business type is intelligent scheduling, the data type is scheduling data, the data ID is DATA-001, the association weight is 0.95, and the business priority is high priority, then its business tag code is: 00000001 00000001 00000001 00000001 00000001 10010110 00000001.

[0158] Optionally, the role of binary service tags is to compress the six-dimensional business semantic information extracted from the business knowledge graph, namely scene identifier, business type, data type, data identifier, association weight, and business priority, into a fixed-length 64-bit binary code. This enables network forwarding devices to identify business intent in milliseconds without accessing a database or graph system at the hardware level, thereby triggering differentiated forwarding strategies.

[0159] In one optional embodiment, based on the collaborative parsing results of the first label, second label, and third label, a network control policy is determined for network data packets and executed. This includes: parsing the first label to extract access control permission codes; determining whether the network data packet has access permissions based on the access control permission codes; if it does not have access permissions, performing a drop or rate limiting operation; if the network data packet is detected to have access permissions, parsing the second label to extract risk level codes and behavior type codes; determining whether the risk level of the network data packet exceeds a preset threshold or whether the behavior type is malicious based on the risk level codes and behavior type codes; if so, intercepting the network data packet and generating an alarm message; if the risk level does not exceed the preset threshold and the behavior type is not malicious, parsing the third label to extract business scenario identifiers and business priorities; determining the business scenario to which the network data packet belongs based on the business scenario identifiers; and determining and executing a network control policy for the network data packet based on the preset performance requirements and business priorities of the business scenario to which the network data packet belongs. The network control policy is used to dynamically determine data forwarding paths and allocate network resources.

[0160] Optionally, when a network data packet enters the OSAS network entry point, its first tag is read by the FPGA parsing module. The access control code is extracted for determination: if the access control code is 00000010, access is denied, the packet is discarded, and it is immediately cleared without proceeding to the next stage; if the access control code is 00000100, bandwidth is limited, triggering a rate-limiting policy and restricting the traffic rate according to preset rules for the business scenario; if the access control code is 00000001, access is allowed, and the process proceeds to the next stage.

[0161] Optionally, in the second tag, when the risk level is greater than level 3 or the behavior type is malicious, an interception is triggered. That is, the data packet is immediately intercepted and its forwarding is blocked; at the same time, a security alarm is triggered, a log is generated, and pushed to the security posture platform; in addition, the alarm is linked to the knowledge graph, marking the behavior subject node as a suspicious account and initiating the permission freezing process.

[0162] Optionally, in the third tag, the business scenario identifier encoding is first decoded, and then the system queries the business scenario metadata database to obtain the preset performance requirements of the scenario.

[0163] Optionally, the network control policy is a set of forwarding and resource allocation instructions dynamically generated by the policy scheduling module based on the SLA requirements and priorities of the business scenario, including: forwarding path selection, resource allocation, and network topology activation.

[0164] Optionally, the network control policy is dynamically generated by the policy scheduling module of the network orchestration layer based on the three-level collaborative parsing of the first tag, the second tag, and the third tag, forming a three-level closed-loop control process of permission verification, security filtering, and service adaptation. This process is executed in parallel in a hardware pipeline manner in intelligent forwarding devices that support tag parsing, controlling the policy decision and data forwarding latency to the microsecond level, thereby meeting the real-time and reliability requirements of critical services such as power dispatching.

[0165] In one optional embodiment, the first label, the second label, and the third label have a hierarchical collaborative working relationship, wherein: the first label serves as a basic identification layer, used to implement entry access control and preliminary flow identification of network data packets; the second label serves as a security management layer, performing security detection and behavior analysis on network data packets after access control by the first label; and the third label serves as a service matching layer, matching network data packets with power service scenarios after dual filtering by the first and second labels.

[0166] Optionally, the first tag, the second tag, and the third tag constitute a three-level collaborative tag system of "flow-behavior-business" in the OSAS cloud infrastructure. The three tags form a strictly hierarchical, progressive, and condition-triggered collaborative working relationship, realizing semantic connectivity from the network layer to the business layer.

[0167] Figure 2 This is a schematic diagram of an optional network packet control device based on three-level tags according to an embodiment of this application. According to another aspect of an embodiment of this application, a network packet control device based on three-level tags is also provided, including: an acquisition unit 201, a first tag generation unit 202, a second tag generation unit 203, a third tag generation unit 204, and a determination unit 205.

[0168] The system includes: an acquisition unit 201 for acquiring the flow direction information and application layer payload of network data packets; a first tag generation unit 202 for generating a first tag based on the flow direction information and a preset access control policy, wherein the first tag characterizes the flow direction characteristics and access control permissions of the network data packets; a second tag generation unit 203 for obtaining security behavior information of network data packets by detecting the application layer payload, and then generating a second tag based on the security behavior information, wherein the second tag characterizes the behavior type and risk level of the network data packets; a third tag generation unit 204 for querying and matching corresponding business scenarios from a preset business knowledge graph based on the flow direction information and / or security behavior information, and generating a third tag based on the matched business scenario, wherein the third tag characterizes the business scenario to which the network data packets belong and the priority information of that business scenario; and a determination unit 205 for determining and executing network control policies for network data packets based on the collaborative parsing results of the first, second, and third tags.

[0169] Optionally, the acquisition unit 201 includes: an acquisition subunit, used to perform layer-by-layer decapsulation processing on network data packets, sequentially parsing to obtain the Ethernet frame header, IP header and transport layer header, until the original application layer payload is obtained; and a parsing subunit, used to parse the flow information from the decapsulated data, wherein the flow information includes at least: source IP address, destination IP address, source port, destination port, transport protocol and data transmission direction.

[0170] Optionally, the first tag generation unit 202 includes: a conversion subunit, used to convert each information element in the flow information into binary code according to a preset encoding rule, wherein the flow information includes source IP address, destination IP address, transmission protocol, and data transmission direction; a judgment subunit, used to determine whether the access role corresponding to the network data packet has access rights to the target resource and target operation type based on a role-based access control model, using the destination IP address and destination port parsed from the flow information as resource identifiers and the transmission protocol and data transmission direction as operation type identifiers, and generating a binary format access control permission code based on the judgment result, wherein the target resource is the resource pointed to by the resource identifier and the target operation type is the operation type executed by the operation type identifier; a splicing subunit, used to splice the binary code and the access control permission code into binary bits to generate a binary flow tag; and a determination subunit, used to use the binary flow tag as the first tag.

[0171] Optionally, the judgment subunit includes: a first definition module, used to define a set of roles corresponding to the access role, wherein the set of roles includes administrator roles, scheduler roles, and ordinary user roles; a second definition module, used to define a set of access permissions corresponding to the access role, wherein the set of access permissions includes at least one of the following permission configurations: allow access, deny access, and limit bandwidth; and a determination module, used to determine an access control judgment function based on the set of roles and the set of access permissions; wherein the access control judgment function is used to at least implement: when the flow information meets the access conditions set for the access role in the set of access permissions, the access control judgment function outputs a first judgment result indicating that the network data packet is allowed to pass; the first judgment result indicates that the access role corresponding to the network data packet has access permissions to the target resource and the target operation type; when the flow information does not meet the access conditions set for the access role in the set of access permissions, the access control judgment function outputs a second judgment result indicating that the network data packet is denied to pass or the bandwidth of the network data packet is limited; the second judgment result indicates that the access role corresponding to the network data packet does not have access permissions to the target resource and the target operation type.

[0172] Optionally, the splicing subunit includes: a first conversion module for converting the source IP address into a binary source IP address segment code according to a preset address segment encoding rule; a second conversion module for converting the destination IP address into a binary destination IP address segment code according to a preset address segment encoding rule; a third conversion module for converting the transmission protocol into a binary transmission protocol code according to a preset protocol encoding mapping table, wherein different types of transmission protocols correspond to different binary transmission protocol codes; a fourth conversion module for converting the data transmission direction into a binary transmission direction code according to a preset direction encoding mapping table, wherein the uplink transmission direction and the downlink transmission direction correspond to different binary transmission direction codes; and a splicing module for concatenating the binary source IP address segment code, the binary destination IP address segment code, the binary transmission protocol code, and the binary transmission direction code into binary bits to obtain a binary flow direction tag.

[0173] Optionally, the second tag generation unit 203 includes: a first processing subunit, used to use a field-programmable gate array as a hardware acceleration engine to perform decapsulation and feature detection on the application layer payload, wherein the hardware acceleration engine has a built-in preset behavior feature library, the feature detection is used to extract data features of the application layer payload, and multi-pattern matching is performed on the behavior feature library based on the data features to output the matched behavior feature set; a second processing subunit, used to input the matched behavior feature set into a pre-trained neural network model, and the neural network model outputs the behavior type and risk level of the network data packet based on the behavior feature set, wherein the behavior type includes at least normal access behavior, abnormal access behavior, and malicious access behavior; a third processing subunit, used to extract the behavior time, behavior subject, behavior object, and behavior effect of the network data packet to constitute security behavior information, wherein the behavior effect includes at least access success, access failure, and access anomaly; a fourth processing subunit, used to convert each information element in the security behavior information and the behavior type and risk level output by the neural network model into binary code according to preset encoding rules, and perform binary bit concatenation to generate a binary behavior tag; and a determination subunit, used to use the generated binary behavior tag as the second tag.

[0174] Optionally, the fourth processing subunit includes: a first conversion module, used to convert behavior time into behavior time code according to a preset time coding rule, wherein the behavior time adopts a unified coordinated time format; a second conversion module, used to convert behavior type into behavior type code according to a preset behavior type coding mapping table; and convert the address information of the behavior subject into behavior subject code according to a preset address coding rule; a third conversion module, used to convert the address information of the behavior object into behavior object code according to a preset address coding rule; convert behavior effect into behavior effect code according to a preset behavior effect coding mapping table; and convert the identified risk level into risk level code according to a preset risk level coding mapping table; and a splicing module, used to splice the behavior time code, behavior type code, behavior subject code, behavior object code, behavior effect code, and risk level code into binary bits according to a preset bit allocation order to obtain a binary behavior tag.

[0175] Optionally, the third label generation unit 204 includes: a data governance subunit, used to perform data governance on multi-source power business data to obtain structured data after governance, the data governance including data collection, data cleaning, data integration and data standardization; a construction subunit, used to construct a business knowledge graph based on the structured data, wherein the business knowledge graph includes a node set and an edge set, the node set including business scenario nodes, device nodes, user nodes and data nodes, and the edges in the edge set are used to represent the association relationship between nodes; a determination subunit, used to perform graph matching query in the business knowledge graph according to the information elements in the flow information and / or security behavior information to determine the business scenario to which the network data packet belongs; an acquisition and conversion subunit, used to acquire the business scenario identifier, business type, data type, data identifier, association weight and business priority of the business scenario to which the network data packet belongs; convert the business scenario identifier, business type, data type, data identifier, association weight and business priority into binary code according to the preset encoding rules, and perform binary bit concatenation to obtain a binary business label; and a determination subunit, used to use the binary business label as the third label.

[0176] Optionally, the sub-unit includes: a node set comprising at least: a business scenario node, representing a power business scenario, including scenario ID, business type, and performance requirement attribute information; a device node, representing power equipment, including device ID, device type, and operating status attribute information; a user node, representing a power business user, including user ID, role, and permission attribute information; and a data node, representing power business data, including data ID, data type, and data volume attribute information; and edges in the edge set representing the relationships between nodes, including at least the relationships between power business scenarios and power equipment, power business scenarios and power business data, power equipment and power business data, and power business users and power business scenarios, with each edge in the edge set including the relationship type and relationship weight attributes between any two nodes.

[0177] Optionally, the acquisition and conversion subunit includes: a first conversion module, used to convert the business scenario identifier into a business scenario identifier code according to a preset scenario identifier coding rule, wherein the business scenario identifier includes power business type, area code, and sequence number information; a second conversion module, used to convert the business type into a business type code according to a preset business type code mapping table, wherein the business types include at least intelligent dispatch, renewable energy consumption, electricity consumption information collection, and electricity trading; a third conversion module, used to convert the data type into a data type code according to a preset data type code mapping table, wherein the data type includes at least dispatch data, electricity consumption data, transaction data, and equipment data; and a fourth conversion module, used to convert the data identifier into a data type code. The first conversion module converts the data packet into a data identifier code according to a preset data identifier encoding rule; the second conversion module converts the association weight into an association weight code according to a preset weight encoding rule, where the association weight represents the degree of matching between the data packet and the business scenario; the third conversion module converts the data packet into a business priority code according to the business priority and a preset priority encoding mapping table, where the business priority includes at least high priority, medium priority, and low priority; the fourth conversion module concatenates the business scenario identifier code, business type code, data type code, data identifier code, association weight code, and business priority code into binary bits according to a preset bit allocation order to obtain a binary business tag.

[0178] Optionally, the determining unit 205 includes: a first parsing subunit, used to parse the first tag, extract the access control permission code, and determine whether the network data packet has access permission based on the access control permission code; if it does not have access permission, it performs a drop or rate limiting operation; a second parsing subunit, used to parse the second tag, extract the risk level code and behavior type code if the network data packet is detected to have access permission, and determine whether the risk level of the network data packet exceeds a preset threshold or whether the behavior type is malicious based on the risk level code and behavior type code; if so, it intercepts the network data packet and generates an alarm message; a third parsing subunit, used to parse the third tag, extract the business scenario identifier and business priority if the risk level is not exceeded and the behavior type is not malicious, and determine the business scenario to which the network data packet belongs based on the business scenario identifier; and a determining subunit, used to determine a network control policy for the network data packet and execute the network control policy based on the preset performance requirements and business priority of the business scenario to which the network data packet belongs, wherein the network control policy is used to dynamically determine the data forwarding path and allocate network resources.

[0179] Optionally, the network data packet control device based on three-level labels further includes: a hierarchical collaborative working relationship between the first label, the second label, and the third label, wherein: the first label serves as the basic identification layer, used to realize entry access control and preliminary flow identification of network data packets; the second label serves as the security management layer, performing security detection and behavior analysis on network data packets after access control by the first label; and the third label serves as the service matching layer, matching network data packets with power service scenarios after dual filtering by the first and second labels.

[0180] According to another aspect of the embodiments of this application, a computer-readable storage medium is also provided, which stores a computer program, wherein when the computer program is executed, the device where the computer-readable storage medium is located executes the above-described network data packet control method based on three-level tags.

[0181] According to another aspect of the embodiments of this application, an electronic device is also provided, including one or more processors and a memory, the memory being used to store one or more programs, wherein when the one or more programs are executed by the one or more processors, the one or more processors cause the one or more processors to perform the above-described network packet control method based on three-level tags.

[0182] According to another aspect of the embodiments of this application, a computer program product is also provided, including a computer program or instructions that, when executed by a processor, implement the above-described network data packet control method based on three-level tags.

[0183] The sequence numbers of the embodiments in this application are for descriptive purposes only and do not represent the superiority or inferiority of the embodiments.

[0184] In the above embodiments of this application, the descriptions of each embodiment have different focuses. For parts not described in detail in a certain embodiment, please refer to the relevant descriptions of other embodiments.

[0185] In the several embodiments provided in this application, it should be understood that the disclosed technical content can be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division of units can be a logical functional division, and in actual implementation, there may be other division methods. For instance, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the displayed or discussed mutual coupling, direct coupling, or communication connection may be through some interfaces; the indirect coupling or communication connection between units or modules may be electrical or other forms.

[0186] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.

[0187] Furthermore, the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.

[0188] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, read-only memory (ROM), random access memory (RAM), portable hard drive, magnetic disk, or optical disk.

[0189] The above description is only a preferred embodiment of this application. It should be noted that for those skilled in the art, several improvements and modifications can be made without departing from the principle of this application, and these improvements and modifications should also be considered within the scope of protection of this application.

Claims

1. A method for controlling network packets based on three-level tags, characterized in that, include: Obtain information on the flow of network data packets and application layer payload; Based on the flow information and the preset access control policy, a first tag is generated. The first tag is used to characterize the flow characteristics and access control permissions of the network data packets. By detecting the application layer payload, the security behavior information of the network data packets is obtained, and then a second tag is generated based on the security behavior information. The second tag is used to characterize the behavior type and risk level of the network data packets. Based on the flow information and / or the security behavior information, the corresponding business scenario is queried and matched from the preset business knowledge graph, and a third tag is generated based on the matched business scenario. The third tag is used to characterize the business scenario to which the network data packet belongs and the priority information of the business scenario. Based on the collaborative parsing results of the first tag, the second tag, and the third tag, a network control policy is determined for the network data packet and the network control policy is executed.

2. The method according to claim 1, characterized in that, Obtain network packet flow information and application layer payload, including: The network data packets are decapsulated layer by layer, and the Ethernet frame header, IP header and transport layer header are parsed in sequence until the original application layer payload is obtained. The flow information is parsed from the decapsulated data, wherein the flow information includes at least: source IP address, destination IP address, source port, destination port, transmission protocol, and data transmission direction.

3. The method according to claim 1, characterized in that, Based on the flow information and the preset access control policy, a first tag is generated, including: Each information element in the flow information is converted into binary code according to a preset encoding rule. The flow information includes source IP address, destination IP address, transmission protocol, and data transmission direction. Based on the role-based access control model, the destination IP address and destination port parsed from the flow information are used as resource identifiers, and the transmission protocol and data transmission direction are used as operation type identifiers. It is determined whether the access role corresponding to the network data packet has access rights to the target resource and the target operation type. Based on the determination result, a binary format access control permission code is generated, wherein the target resource is the resource pointed to by the resource identifier, and the target operation type is the operation type executed by the operation type identifier. The binary code and the access control permission code are concatenated bitwise to generate a binary flow label; The binary flow label is used as the first label.

4. The method according to claim 3, characterized in that, Based on the access control model, it is determined whether the access role corresponding to the network data packet has access permissions to the target resource and the target operation type, including: Define a set of roles corresponding to the access role, wherein the set of roles includes administrator roles, scheduler roles, and ordinary user roles; Define the access permission set corresponding to the access role, wherein the access permission set includes at least one of the following permission configurations: allow access, deny access, and limit bandwidth; The access control judgment function is determined based on the set of roles and the set of access permissions; The access control judgment function is configured to at least implement the following: when the flow information satisfies the access conditions set for the access role in the access permission set, the access control judgment function outputs a first judgment result indicating that the network data packet is allowed to pass; the first judgment result indicates that the access role corresponding to the network data packet has access permissions to the target resource and the target operation type; when the flow information does not satisfy the access conditions set for the access role in the access permission set, the access control judgment function outputs a second judgment result indicating that the network data packet is denied or the bandwidth of the network data packet is limited; the second judgment result indicates that the access role corresponding to the network data packet does not have access permissions to the target resource and the target operation type.

5. The method according to claim 3, characterized in that, The binary code and the access control permission code are concatenated bit by bit to generate a binary flow label, including: The source IP address is converted into binary source IP address segment encoding according to a preset address segment encoding rule; The destination IP address is converted into a binary destination IP address segment code according to a preset address segment encoding rule; The transmission protocol is converted into binary transmission protocol code according to a preset protocol code mapping table, wherein different types of transmission protocols correspond to different binary transmission protocol codes; The data transmission direction is converted into binary transmission direction code according to a preset direction code mapping table, wherein the uplink transmission direction and the downlink transmission direction correspond to different binary transmission direction codes; The binary source IP address segment encoding, the binary destination IP address segment encoding, the binary transmission protocol encoding, and the binary transmission direction encoding are concatenated bit by bit to obtain the binary flow direction tag.

6. The method according to claim 1, characterized in that, By detecting the application layer payload, security behavior information of the network data packets is obtained, and then a second tag is generated based on the security behavior information, including: A field-programmable gate array (FPGA) is used as a hardware acceleration engine to perform decapsulation and feature detection on the application layer payload. The hardware acceleration engine has a built-in preset behavioral feature library. The feature detection is used to extract the data features of the application layer payload and perform multi-pattern matching on the behavioral feature library based on the data features, and output the matched behavioral feature set. The matched set of behavioral features is input into a pre-trained neural network model, and the neural network model outputs the behavior type and risk level of the network data packet based on the set of behavioral features. The behavior type includes at least normal access behavior, abnormal access behavior, and malicious access behavior. The network data packets are extracted to determine the behavior time, behavior subject, behavior object, and behavior effect, which constitute the security behavior information. The behavior effect includes at least access success, access failure, and access anomaly. Each information element in the safety behavior information, as well as the behavior type and risk level output by the neural network model, are converted into binary code according to a preset encoding rule, and the binary bits are concatenated to generate binary behavior labels. The generated binary behavior label is used as the second label.

7. The method according to claim 6, characterized in that, Each information element in the safety behavior information, as well as the behavior type and risk level output by the neural network model, are converted into binary code according to a preset encoding rule, and then binary bits are concatenated to generate binary behavior labels, including: The behavior time is converted into behavior time code according to a preset time coding rule, and the behavior time adopts a unified coordinated time format; The behavior type is converted into a behavior type code according to a preset behavior type encoding mapping table; the address information of the behavior subject is converted into a behavior subject code according to a preset address encoding rule; The address information of the behavior object is converted into a behavior object code according to a preset address encoding rule; the behavior effect is converted into a behavior effect code according to a preset behavior effect encoding mapping table; and the identified risk level is converted into a risk level code according to a preset risk level encoding mapping table. The behavior time code, behavior type code, behavior subject code, behavior object code, behavior effect code, and risk level code are concatenated into binary bits according to a preset bit allocation order to obtain the binary behavior label.

8. The method according to claim 1, characterized in that, Based on the flow information and / or the security behavior information, query and match the corresponding business scenario from the preset business knowledge graph, and generate a third tag based on the matched business scenario, including: Data governance is performed on multi-source power business data to obtain structured data after governance. The data governance includes data acquisition, data cleaning, data integration and data standardization. A business knowledge graph is constructed based on the structured data, wherein the business knowledge graph includes a set of nodes and a set of edges. The set of nodes includes business scenario nodes, device nodes, user nodes, and data nodes, and the edges in the set of edges are used to represent the relationships between nodes. Based on the information elements in the flow information and / or the security behavior information, a graph matching query is performed in the business knowledge graph to determine the business scenario to which the network data packet belongs; Obtain the business scenario identifier, business type, data type, data identifier, association weight, and business priority of the business scenario to which the network data packet belongs; convert the business scenario identifier, business type, data type, data identifier, association weight, and business priority into binary codes according to preset encoding rules, and concatenate the binary bits to obtain a binary business tag; The binary service tag is used as the third tag.

9. The method according to claim 8, characterized in that, The node set includes at least: business scenario nodes, representing power business scenarios, including scenario ID, business type, and performance requirement attribute information; device nodes, representing power equipment, including device ID, equipment type, and operating status attribute information; user nodes, representing power business users, including user ID, role, and permission attribute information; and data nodes, representing power business data, including data ID, data type, and data volume attribute information. The edges in the edge set are used to represent the relationships between nodes, including at least the relationships between power business scenarios and power equipment, power business scenarios and power business data, the relationships between power equipment and power business data, and the relationships between power business users and power business scenarios. Each edge in the edge set includes the relationship type and relationship weight attribute between any two nodes.

10. The method according to claim 8, characterized in that, The business scenario identifier, business type, data type, data identifier, association weight, and business priority are each converted into binary code according to a preset encoding rule. The binary bits are then concatenated to obtain a binary business tag, including: The business scenario identifier is converted into a business scenario identifier code according to a preset scenario identifier encoding rule. The business scenario identifier includes power business type, area code and serial number information. The business types are converted into business type codes according to a preset business type code mapping table. The business types include at least intelligent scheduling, new energy consumption, electricity consumption information collection, and electricity trading. The data types are converted into data type codes according to a preset data type encoding mapping table. The data types include at least scheduling data, electricity consumption data, transaction data, and equipment data. The data identifier is converted into a data identifier code according to a preset data identifier encoding rule; The association weights are converted into association weight codes according to preset weight encoding rules. The association weights represent the degree of matching between the data packet and the business scenario. According to the service priority, it is converted into a service priority code according to a preset priority code mapping table. The service priority includes at least high priority, medium priority and low priority. The business scenario identifier code, business type code, data type code, data identifier code, association weight code, and business priority code are concatenated into binary bits according to a preset bit allocation order to obtain the binary business tag.

11. The method according to claim 1, characterized in that, Based on the collaborative parsing results of the first tag, the second tag, and the third tag, a network control policy is determined for the network data packet and the network control policy is executed, including: The first tag is parsed to extract the access control permission code. The network data packet is then judged to have access permission based on the access control permission code. If the data packet does not have access permission, it is dropped or rate-limited. If the network data packet is detected to have access permissions, the second tag is parsed to extract the risk level code and behavior type code. Based on the risk level code and behavior type code, it is determined whether the risk level of the network data packet exceeds a preset threshold or whether the behavior type is malicious. If so, the network data packet is intercepted and an alarm message is generated. If the risk level is detected to be below the preset threshold and the behavior type is not malicious, then the third tag is parsed, the business scenario identifier and business priority are extracted, and the business scenario to which the network data packet belongs is determined based on the business scenario identifier. Based on the preset performance requirements and service priorities of the service scenario to which the network data packets belong, a network control policy is determined for the network data packets and the network control policy is executed. The network control policy is used to dynamically determine the data forwarding path and allocate network resources.

12. The method according to claim 1, characterized in that, The first tag, the second tag, and the third tag have a hierarchical collaborative working relationship, wherein: the first tag serves as a basic identification layer, used to implement entry access control and preliminary flow identification of network data packets; the second tag serves as a security management layer, performing security detection and behavior analysis on the network data packets after access control by the first tag; and the third tag serves as a service matching layer, matching the network data packets with power service scenarios after dual filtering by the first and second tags.

13. A network data packet control device based on three-level tags, characterized in that, include: The acquisition unit is used to acquire the flow direction information and application layer payload of network data packets; The first tag generation unit is used to generate a first tag based on the flow information and the preset access control policy. The first tag is used to characterize the flow characteristics and access control permissions of the network data packets. The second tag generation unit is used to obtain the security behavior information of the network data packet by detecting the application layer payload, and then generate a second tag based on the security behavior information. The second tag is used to characterize the behavior type and risk level of the network data packet. The third tag generation unit is used to query and match the corresponding business scenario from the preset business knowledge graph according to the flow information and / or the security behavior information, and generate a third tag according to the matched business scenario. The third tag is used to characterize the business scenario to which the network data packet belongs and the priority information of the business scenario. The determining unit is used to determine a network control policy for the network data packet based on the collaborative parsing results of the first tag, the second tag, and the third tag, and to execute the network control policy.

14. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program, wherein when the computer program is executed, the device containing the computer-readable storage medium performs the network packet control method based on three-level tags as described in any one of claims 1 to 12.

15. An electronic device, characterized in that, It includes one or more processors and a memory, the memory being used to store one or more programs, wherein when the one or more programs are executed by the one or more processors, the one or more processors cause the one or more processors to perform the network packet control method based on any one of claims 1 to 12.

16. A computer program product, characterized in that, It includes a computer program or instructions that, when executed by a processor, implement the network packet control method based on any one of claims 1 to 12.