A ship communication control method, device, equipment, medium and product
By verifying digital certificates between the ship and shore of unmanned engineering vessels, generating and dividing temporary session keys, and encrypting their transmission, and combining blockchain and encryption algorithms, the cybersecurity issues of unmanned engineering vessels operating at sea are solved, achieving a high level of communication protection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- NAT ENG RES CENT OF DREDGING TECH & EQUIP
- Filing Date
- 2026-05-09
- Publication Date
- 2026-06-05
AI Technical Summary
Unmanned engineering vessels face risks of complex electromagnetic interference and malicious attacks when operating at sea. Traditional encryption schemes have key management vulnerabilities, and identity authentication is vulnerable to attacks. They cannot adapt to the communication needs of high mobility and cross-domain collaboration, leading to leakage of operational data or loss of equipment control.
Before establishing a communication link between the ship and the shore, digital certificates are verified and identities are authenticated. Temporary session keys are generated and divided into multiple key fragments and stored in blockchain nodes. Key fragments are obtained through the communication link, and the keys are reconstructed and transmitted encrypted. By combining symmetric and asymmetric encryption algorithms, communication traffic characteristics are analyzed in real time to identify and block attacks.
It reduces the risk of eavesdropping, tampering, and spoofing attacks on remote control data during transmission, meets the requirements of high-security communication, and constructs a three-dimensional security protection system from the physical layer to the application layer.
Smart Images

Figure CN122160770A_ABST
Abstract
Description
Technical Field
[0001] The embodiments of the present invention relate to the field of communication technology, and in particular to a ship communication control method, apparatus, equipment, medium and product. Background Technology
[0002] Unmanned engineering vessels refer to dredgers that achieve automated operations through intelligent systems and artificial intelligence technology. They can complete dredging tasks in waterways, ports, and other bodies of water without direct human intervention under specific working conditions. These vessels are typically controlled autonomously by AI (Artificial Intelligence) based on real-time hydrological and geological data, significantly improving operational safety and efficiency. The communication system of unmanned engineering vessels is a core component ensuring remote control, data transmission, and operational safety. Communication methods mainly include satellite, cellular networks (4G / 5G), radio (2.4GHz / 433MHz), long-range WiFi (Wireless Fidelity), and high-power wireless module communication.
[0003] As a crucial component of intelligent shipping, encrypted and authenticated communication is of paramount importance for unmanned engineering vessels. This not only affects the safe operation of the vessels themselves but also directly impacts navigation safety, data integrity, and the stability of the entire maritime logistics system. Secure encryption and authentication ensure communication confidentiality, support compliance requirements, prevent unauthorized access and impersonation attacks, build trust relationships between systems, and enable operational traceability. However, existing unmanned engineering vessels face risks from complex electromagnetic interference and malicious attacks during maritime operations. Traditional encryption schemes suffer from key management vulnerabilities, making authentication susceptible to attacks and potentially leading to data leaks or equipment malfunctions. Furthermore, current technologies lack dynamic security mechanisms tailored to engineering scenarios and cannot meet the communication demands of high mobility and cross-domain collaboration. Therefore, providing a more effective and secure encryption and authentication communication solution for unmanned engineering vessels is crucial. Summary of the Invention
[0004] This invention provides a ship communication control method, apparatus, equipment, medium, and product to reduce the risks of eavesdropping, tampering, and spoofing attacks on remote control data during transmission in ship communication, and to meet the high-security communication requirements for network security encryption and identity authentication for unmanned engineering vessels.
[0005] According to one aspect of the present invention, a ship communication control method is provided, which is applied to the ship end and the shore end, wherein the ship end and the shore end are respectively configured with communication architecture to form a communication link between the ship end and the shore end; The method includes: Before establishing a communication link between the ship and the shore, the digital certificates of the ship and the shore are verified and identity authentication is performed. Once the digital certificate verification and identity authentication are successful, the communication link between the ship and the shore is established. After establishing a communication link between the ship and the shore, a temporary session key is generated and divided into multiple key fragments, which are then stored in multiple blockchain nodes. During message transmission between the ship and shore via a communication link, the ship and shore respectively obtain key fragments from the blockchain node, reassemble and restore them to obtain the temporary session key, and encrypt the transmitted message based on the temporary session key before transmission.
[0006] According to another aspect of the present invention, a ship communication control device is provided, the device comprising: The communication link establishment module is used to verify the digital certificates of the ship and the shore before establishing a communication link between the ship and the shore, and to perform identity authentication. After the digital certificate verification and identity authentication are successful, the communication link between the ship and the shore is established. The session key generation module is used to generate a temporary session key after a communication link is established between the ship and the shore, and to divide the temporary session key into multiple key fragments and store each key fragment in multiple blockchain nodes. The message transmission module is used to control the ship and shore to obtain key fragments from the blockchain node, reassemble and restore them to obtain the temporary session key, and encrypt the transmitted message based on the temporary session key before transmission.
[0007] According to another aspect of the present invention, an electronic device is provided, the electronic device comprising: At least one processor; and A memory communicatively connected to the at least one processor; wherein, The memory stores a computer program that can be executed by the at least one processor, which enables the at least one processor to perform the ship communication control method according to any embodiment of the present invention.
[0008] According to another aspect of the present invention, a computer-readable storage medium is provided, the computer-readable storage medium storing computer instructions for causing a processor to execute and implement the ship communication control method according to any embodiment of the present invention.
[0009] According to another aspect of the present invention, embodiments of the present invention also provide a computer program product, which includes a computer program that, when executed by a processor, implements the ship communication control method described in any embodiment of the present invention.
[0010] This invention establishes a communication link between the ship and shore by configuring communication architectures at both ends. Before establishing the communication link, the digital certificates of both the ship and shore are verified and identity authentication is performed. Once the digital certificate verification and identity authentication are successful, the communication link between the ship and shore is established. After the communication link is established, a temporary session key is generated and divided into multiple key fragments, which are stored on multiple blockchain nodes. During message transmission between the ship and shore via the communication link, both ends retrieve the key fragments from the blockchain nodes, reassemble them to obtain the temporary session key, and encrypt the transmitted message based on the temporary session key before transmission. This invention reduces the risks of eavesdropping, tampering, and spoofing attacks on remote control data during transmission in ship communication, meeting the network security encryption and identity authentication requirements for unmanned engineering vessels with high-security communication standards.
[0011] It should be understood that the description in this section is not intended to identify key or essential features of the embodiments of the present invention, nor is it intended to limit the scope of the invention. Other features of the invention will become readily apparent from the following description. Attached Figure Description
[0012] To more clearly illustrate the technical solutions of the embodiments of the present invention, the accompanying drawings used in the embodiments will be briefly introduced below. It should be understood that the following drawings only show some embodiments of the present invention and should not be regarded as a limitation on the scope. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.
[0013] Figure 1 This is a flowchart of a ship communication control method according to an embodiment of the present invention; Figure 2 This is a schematic diagram of the structure of a ship communication control device according to an embodiment of the present invention; Figure 3 This is a schematic diagram of the structure of an electronic device that implements the ship communication control method of this invention. Detailed Implementation
[0014] To enable those skilled in the art to better understand the present invention, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings of the embodiments of the present invention. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort should fall within the scope of protection of the present invention.
[0015] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this invention are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of the invention described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms "comprising" and "having," and their derivatives, are intended to cover non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.
[0016] It is understood that before using the technical solutions disclosed in the various embodiments of this disclosure, users should be informed of the types, scope of use, and usage scenarios of the personal information involved in this disclosure in an appropriate manner in accordance with relevant laws and regulations, and user authorization should be obtained.
[0017] Example 1 The ship communication control method of this invention is applied to both the ship's end and the shore end. The ship's end can be, for example, an unmanned engineering vessel, and the shore end can be, for example, a shore control center. Communication architectures are configured on both the ship's end and the shore end to form a communication link between them. The communication architecture can be, for example, one of the following: WiFi (Wireless Fidelity), mobile communication (4G / 5G communication), satellite communication, microwave communication, and fiber optic communication.
[0018] Figure 1 This is a flowchart of a ship communication control method according to an embodiment of the present invention. This embodiment is applicable to the communication control of unmanned engineering vessels. The method can be executed by the ship communication control device in this embodiment, which can be implemented in software and / or hardware, such as... Figure 1 As shown, the method specifically includes the following steps: S101. Before establishing a communication link between the ship and the shore, verify the digital certificates of the ship and the shore and perform identity authentication. After the digital certificate verification and identity authentication are successful, establish a communication link between the ship and the shore.
[0019] In this embodiment, before establishing a communication connection between the ship and the shore, both parties exchange digital certificates. The digital certificate contains the device's public key, unique device identifier, and certificate validity period. Verifying the legitimacy of the other party's digital certificate includes verifying the certificate signature chain, checking the certificate validity period, and querying the certificate revocation list. After successful certificate verification, the unique device identifier is extracted and used in conjunction with a locally stored device whitelist for access control. Devices that fail verification are denied access to establish a communication connection. Subsequently, the hardware identity is confirmed using the unique device identifier, the user identity is verified using a dynamic password mechanism, and the operator identity is verified using biometric recognition. If all three factors are successful, a communication session is allowed; if any factor fails, access is denied and an audit log is recorded.
[0020] S102. After establishing a communication link between the ship and the shore, a temporary session key is generated, and the temporary session key is divided into multiple key fragments, which are then stored in multiple blockchain nodes.
[0021] The temporary session key serves as a key to ensure the security of transmitted messages during communication between the ship and shore. A unique session key is generated temporarily for each communication, avoiding the use of long-term, fixed static keys.
[0022] Specifically, after establishing a communication link between the ship and the shore, a temporary session key can be generated using a symmetric encryption algorithm. This temporary session key is then divided into multiple key fragments and stored on multiple blockchain nodes using distributed ledger technology.
[0023] S103. During the message transmission process between the ship and the shore via the communication link, the ship and the shore are controlled to obtain key fragments from the blockchain node, reassemble and restore them to obtain a temporary session key, and then encrypt the transmitted message based on the temporary session key before transmission.
[0024] Among these, the transmitted messages can be, for example, control commands and business data transmitted between the ship and the shore.
[0025] Specifically, during the message transmission process between the ship and the shore via the communication link, both parties obtain key fragments from the blockchain node and reassemble them to restore the complete temporary session key for this communication.
[0026] This invention establishes a communication link between the ship and shore by configuring communication architectures at both ends. Before establishing the communication link, the digital certificates of both the ship and shore are verified and identity authentication is performed. Once the digital certificate verification and identity authentication are successful, the communication link between the ship and shore is established. After the communication link is established, a temporary session key is generated and divided into multiple key fragments, which are stored on multiple blockchain nodes. During message transmission between the ship and shore via the communication link, both ends retrieve the key fragments from the blockchain nodes, reassemble them to obtain the temporary session key, and encrypt the transmitted message based on the temporary session key before transmission. This invention reduces the risks of eavesdropping, tampering, and spoofing attacks on remote control data during transmission in ship communication, meeting the network security encryption and identity authentication requirements for unmanned engineering vessels with high-security communication standards.
[0027] Optionally, the method further includes: During message transmission between the ship and shore via a communication link, the characteristics of communication traffic are analyzed in real time.
[0028] Among them, communication traffic characteristics include: time characteristics, spatial characteristics, content characteristics, behavioral characteristics, and sequence characteristics.
[0029] For example, time characteristics may include: packet sending interval, burst traffic time, session duration; spatial characteristics may include: source IP (Internet Protocol), destination IP, port, MAC (Media Access Control) address, geographical location; content characteristics may include: packet length distribution, protocol type, payload entropy value; behavioral characteristics may include: connection frequency, retransmission rate, handshake delay; sequence characteristics may include: TCP (Transmission Control Protocol Sequence Number) sequence number continuity, application layer sequence number.
[0030] The attack type is determined by comparing the characteristics of communication traffic with the attack signature database.
[0031] In this embodiment, the attack signature database can be a pre-set database used to store the mapping relationship between various communication traffic features and corresponding attack types.
[0032] The attack types include: replay attacks, man-in-the-middle attacks, and spoofing attacks.
[0033] It should be noted that replay attacks can be categorized into the following types: simple replay, which involves directly copying and resending previously intercepted messages, resulting in the repeated execution of transfers, commands, and other operations; delayed replay, which involves sending old messages after a period of time, resulting in bypassing simple time checks; and parallel replay, which involves sending the same message to multiple recipients simultaneously, resulting in an expanded attack scope. Man-in-the-middle attacks can be divided into the following stages: eavesdropping, where the attacker intercepts the communication traffic of both parties, resulting in the acquisition of sensitive information; tampering, where the attacker modifies the message content and forwards it, resulting in the execution of incorrect commands; and impersonation, where the attacker impersonates one of the communicating parties, resulting in complete control of the communication.
[0034] Blocking operations are performed on detected replay attacks, man-in-the-middle attacks, and spoofing attacks.
[0035] The blocking operations include: terminating the connection, adding to the blacklist, and initiating source tracing and evidence collection.
[0036] Optionally, the method further includes: Embed timestamps and random numbers in the transmitted messages.
[0037] The timestamp is the time when the message was sent, and the random number is an unpredictable random sequence.
[0038] Specifically, by embedding timestamps and random numbers in messages, replay attacks can be identified and blocked through timestamp validity checks and random number uniqueness verification.
[0039] If the deviation between the timestamp and the local time exceeds a preset threshold, the message is deemed expired and discarded.
[0040] The preset threshold can be a pre-set deviation threshold used to determine whether the deviation between the timestamp embedded in the transmitted message and the local time is within the required range. For example, when the deviation between the timestamp and the local time exceeds the preset threshold, the message can be determined to be expired.
[0041] Specifically, the receiver (on the ship or on shore) verifies the deviation between the timestamp and the local time. If the deviation exceeds a preset threshold, the message is deemed expired and discarded.
[0042] Record the random number of the received message. If a duplicate random number is found, it is determined to be a replay attack, and message transmission is blocked.
[0043] Specifically, the receiver (on the ship or on shore) records the random number of the received message. If a duplicate random number is found, it is determined to be a replay attack.
[0044] Optionally, a digital certificate may include a public key, identification information, and a certificate validity period.
[0045] Identity verification includes: The identity is authenticated based on the identification information to obtain the first authentication result.
[0046] The first authentication result can be either "identity valid" or "identity invalid," resulting in two possible outcomes.
[0047] Specifically, you can query the preset whitelist based on the identifier information. If the identifier information exists in the preset whitelist, the identity is considered legitimate; if it does not exist, the identity is considered illegitimate.
[0048] The user's identity is verified based on a dynamic password, resulting in a second authentication result.
[0049] The dynamic password is generated based on a time synchronization algorithm or an event synchronization algorithm.
[0050] The second authentication result can be either "user identity verification passed" or "user identity verification failed," for a total of two results.
[0051] Specifically, a dynamic password can be generated based on a time synchronization algorithm or an event synchronization algorithm. Both the sender and receiver verify the dynamic password. If the dynamic password is verified, the user identities of both parties are considered to have been confirmed. Otherwise, the user identities of both parties are not confirmed.
[0052] The user's identity is identified based on biometrics, resulting in a third-party authentication result.
[0053] Biometric features include at least one of fingerprint features, facial features, and voiceprint features.
[0054] The third-party authentication result can be either "identity valid" or "identity invalid," resulting in two possible outcomes.
[0055] Specifically, for users operating on shore or ship, their identity can be identified based on biometric features such as fingerprints, facial features, and voiceprints. If the biometric identification is successful, the user's identity is considered legitimate; if the biometric identification fails, the user's identity is considered illegitimate.
[0056] The identity authentication result is determined based on the first authentication result, the second authentication result, and the third authentication result.
[0057] It should be noted that the identity authentication result needs to be determined based on the first authentication result, the second authentication result, and the third authentication result.
[0058] Specifically, if the first authentication result is that the identity is valid, the second authentication result is that the user's identity is confirmed, and the third authentication result is that the identity is valid, then the identity authentication result is considered to be successful; otherwise, the identity authentication result is considered to be unsuccessful.
[0059] Optionally, the temporary session key is generated using a symmetric encryption algorithm.
[0060] The temporary session key is transmitted after being encrypted using the public key of an asymmetric encryption algorithm. The recipient decrypts the temporary session key using their private key. The asymmetric encryption algorithm uses a public key and a private key; the public key is used for encryption, and the private key is used for decryption.
[0061] In practice, critical control commands can be encrypted using double encryption: first, asymmetric encryption is performed using the recipient's public key, and then symmetric encryption is performed using a temporary session key.
[0062] In the specific implementation process, an asymmetric encryption algorithm is used to encrypt the actual transmitted data. The sender uses the receiver's public key to encrypt the temporary session key, ensuring that even if the communication is eavesdropped, the attacker cannot obtain the plaintext key, thus achieving end-to-end secure communication. The receiver uses its own private key to decrypt the temporary session key, and then uses the same key to decrypt the data, completing the entire secure transmission process.
[0063] Specifically, a combination of symmetric and asymmetric encryption is used to encrypt communication data and control commands, and each communication uses an independently generated temporary session key.
[0064] The blockchain nodes include: ship-side nodes, shore-side nodes, and trusted third-party nodes.
[0065] The method also includes: When a blockchain node joins or leaves the communication link, the smart contract is triggered to automatically refresh the temporary session key and update the key fragment stored on the blockchain.
[0066] Optionally, the method further includes: Real-time collection of operational data is used for tracing and evidence collection.
[0067] The runtime data includes: system logs, user operation behavior, process startup records, and file access records.
[0068] Specifically, it analyzes communication traffic characteristics and system operation data in real time, identifies abnormal behaviors such as replay attacks, man-in-the-middle attacks, and spoofing attacks, executes automatic blocking, and conducts source tracing and evidence collection based on operation data.
[0069] In the specific implementation process, all detected security events are fully recorded, audit logs are generated, and operator login time, command content, and session termination status are recorded. This supports the tracing of abnormal behavior and provides a basis for post-incident investigation, accountability, and compliance review. When a high-risk threat is confirmed, blocking measures are automatically triggered. By analyzing attack paths and system weaknesses, administrators are helped to identify configuration defects, unpatched vulnerabilities, or weak password policies, and guidance is provided for security policy optimization. Important system files and configuration files are verified, and alarms are immediately triggered once they are found to have been tampered with, deleted, or replaced, to prevent the implantation of abnormal virus data after persistence.
[0070] Compared with existing technologies, the embodiments of the present invention can implement end-to-end algorithm encryption for all control commands and business data, verify the digital certificates of ship-side and shore-side devices before communication is established, and significantly reduce the risk of data tampering and man-in-the-middle attacks through hybrid encryption and dynamic key management, and prevent unauthorized access. Multi-factor authentication and two-way challenge mechanism effectively defend against attacks and identity impersonation, analyze communication traffic characteristics in real time, identify and block abnormal behaviors such as replay attacks and man-in-the-middle attacks, and build a three-dimensional security protection system from the physical layer to the application layer. It solves the risks of eavesdropping, tampering and spoofing attacks faced by remote control data during transmission and meets the requirements of high-security communication.
[0071] Example 2 Figure 2 This is a schematic diagram of a ship communication control device according to an embodiment of the present invention. This embodiment is applicable to the communication control of unmanned engineering vessels. The device can be implemented using software and / or hardware, and can be integrated into any device that provides ship communication control functions, such as... Figure 2 As shown, the ship communication control device specifically includes: a communication link establishment module 201, a session key generation module 202, and a message transmission module 203.
[0072] The communication link establishment module 201 is used to verify the digital certificates of the ship and the shore before establishing a communication link between the ship and the shore, and to perform identity authentication. After the digital certificate verification and identity authentication are passed, the communication link between the ship and the shore is established. The session key generation module 202 is used to generate a temporary session key after a communication link is established between the ship and the shore, and to divide the temporary session key into multiple key fragments and store each key fragment in multiple blockchain nodes. The message transmission module 203 is used to control the ship and shore to obtain key fragments from the blockchain node, reassemble and restore them to obtain the temporary session key, and encrypt the transmitted message based on the temporary session key before transmission.
[0073] Optionally, the device is also used for: During message transmission between the ship and shore via a communication link, the characteristics of the communication traffic are analyzed in real time. These characteristics include: time characteristics, spatial characteristics, content characteristics, behavioral characteristics, and sequence characteristics. The communication traffic characteristics are compared with an attack signature database to determine the attack type; the attack types include: replay attacks, man-in-the-middle attacks, and spoofing attacks. The system performs blocking operations on detected replay attacks, man-in-the-middle attacks, and spoofing attacks; the blocking operations include: terminating the connection, adding the attacker to the blacklist, and initiating source tracing and evidence collection.
[0074] Optionally, the device is also used for: A timestamp and a random number are embedded in the transmitted message; the timestamp is the time corresponding to when the message was sent, and the random number is an unpredictable random sequence. If the deviation between the timestamp and the local time exceeds a preset threshold, the message is determined to be expired and discarded. Record the random number of the received message. If a duplicate random number is found, it is determined to be a replay attack, and message transmission is blocked.
[0075] Optionally, the digital certificate includes a public key, identification information, and a certificate validity period; The communication link establishment module 201 is specifically used for: Based on the identification information, identity legitimacy authentication is performed to obtain a first authentication result; The user's identity is verified based on a dynamic password to obtain a second authentication result; the dynamic password is generated based on a time synchronization algorithm or an event synchronization algorithm. The user's identity is identified based on biometric features, and a third authentication result is obtained; the biometric features include at least one of fingerprint features, facial features, and voiceprint features. The identity authentication result is determined based on the first authentication result, the second authentication result, and the third authentication result.
[0076] Optionally, the temporary session key is generated using a symmetric encryption algorithm; The blockchain nodes include: ship-side nodes, shore-side nodes, and trusted third-party nodes. The device is also used for: When a blockchain node joins or leaves the communication link, the smart contract is triggered to automatically refresh the temporary session key and update the key fragment stored on the blockchain.
[0077] Optionally, the device is also used for: Real-time collection of operational data for tracing and evidence collection; the operational data includes: system logs, user operation behavior, process startup records, and file access records.
[0078] The above-mentioned products can execute the ship communication control method provided in any embodiment of the present invention, and have the corresponding functional modules and beneficial effects of the method.
[0079] Example 3 Figure 3 A schematic diagram of an electronic device 30 that can be used to implement embodiments of the present invention is shown. The electronic device is intended to represent various forms of digital computers, such as laptop computers, desktop computers, workstations, personal digital assistants, servers, blade servers, mainframe computers, and other suitable computers. The electronic device can also represent various forms of mobile devices, such as personal digital processors, cellular phones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions are merely illustrative and are not intended to limit the implementation of the invention described and / or claimed herein.
[0080] like Figure 3 As shown, the electronic device 30 includes at least one processor 31 and a memory, such as a read-only memory (ROM) 32 or a random access memory (RAM) 33, communicatively connected to the at least one processor 31. The memory stores computer programs executable by the at least one processor. The processor 31 can perform various appropriate actions and processes based on the computer program stored in the ROM 32 or loaded from storage unit 38 into the RAM 33. The RAM 33 can also store various programs and data required for the operation of the electronic device 30. The processor 31, ROM 32, and RAM 33 are interconnected via a bus 34. An input / output (I / O) interface 35 is also connected to the bus 34.
[0081] Multiple components in electronic device 30 are connected to I / O interface 35, including: input unit 36, such as keyboard, mouse, etc.; output unit 37, such as various types of monitors, speakers, etc.; storage unit 38, such as disk, optical disk, etc.; and communication unit 39, such as network card, modem, wireless transceiver, etc. Communication unit 39 allows electronic device 30 to exchange information / data with other devices through computer networks such as the Internet and / or various telecommunications networks.
[0082] Processor 31 can be a variety of general-purpose and / or special-purpose processing components with processing and computing capabilities. Some examples of processor 31 include, but are not limited to, a central processing unit (CPU), a graphics processing unit (GPU), various special-purpose artificial intelligence (AI) computing chips, various processors running machine learning model algorithms, a digital signal processor (DSP), and any suitable processor, controller, microcontroller, etc. Processor 31 performs the various methods and processes described above, such as ship communication control methods: Before establishing a communication link between the ship and the shore, the digital certificates of the ship and the shore are verified and identity authentication is performed. Once the digital certificate verification and identity authentication are successful, the communication link between the ship and the shore is established. After establishing a communication link between the ship and the shore, a temporary session key is generated and divided into multiple key fragments, which are then stored in multiple blockchain nodes. During message transmission between the ship and shore via a communication link, the ship and shore respectively obtain key fragments from the blockchain node, reassemble and restore them to obtain the temporary session key, and encrypt the transmitted message based on the temporary session key before transmission.
[0083] In some embodiments, the ship communication control method may be implemented as a computer program tangibly contained in a computer-readable storage medium, such as storage unit 38. In some embodiments, part or all of the computer program may be loaded and / or installed on electronic device 30 via ROM 32 and / or communication unit 39. When the computer program is loaded into RAM 33 and executed by processor 31, one or more steps of the ship communication control method described above may be performed. Alternatively, in other embodiments, processor 31 may be configured to perform the ship communication control method by any other suitable means (e.g., by means of firmware).
[0084] Various embodiments of the systems and techniques described above herein can be implemented in digital electronic circuit systems, integrated circuit systems, field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), systems-on-a-chip (SoCs), payload-programmable logic devices (CPLDs), computer hardware, firmware, software, and / or combinations thereof. These various embodiments may include implementations in one or more computer programs that can be executed and / or interpreted on a programmable system including at least one programmable processor, which may be a dedicated or general-purpose programmable processor, capable of receiving data and instructions from a storage system, at least one input device, and at least one output device, and transmitting data and instructions to the storage system, the at least one input device, and the at least one output device.
[0085] Computer programs used to implement the methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general-purpose computer, a special-purpose computer, or other programmable data processing device, such that when executed by the processor, the computer programs cause the functions / operations specified in the flowcharts and / or block diagrams to be performed. The computer programs may be executed entirely on a machine, partially on a machine, or as a standalone software package, partially on a machine and partially on a remote machine, or entirely on a remote machine or server.
[0086] In the context of this invention, a computer-readable storage medium can be a tangible medium that may contain or store a computer program for use by or in conjunction with an instruction execution system, apparatus, or device. A computer-readable storage medium may include, but is not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatus, or devices, or any suitable combination thereof. Alternatively, a computer-readable storage medium may be a machine-readable signal medium. More specific examples of machine-readable storage media include electrical connections based on one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibers, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof.
[0087] To provide interaction with a user, the systems and techniques described herein can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user; and a keyboard and pointing device (e.g., a mouse or trackball) through which the user provides input to the electronic device. Other types of devices can also be used to provide interaction with the user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user can be received in any form (including sound input, voice input, or tactile input).
[0088] The systems and technologies described herein can be implemented in computing systems that include backend components (e.g., as data servers), or middleware components (e.g., application servers), or frontend components (e.g., user computers with graphical user interfaces or web browsers through which users can interact with implementations of the systems and technologies described herein), or any combination of such backend, middleware, or frontend components. The components of the system can be interconnected via digital data communication of any form or medium (e.g., communication networks). Examples of communication networks include local area networks (LANs), wide area networks (WANs), blockchain networks, and the Internet.
[0089] A computing system can include clients and servers. Clients and servers are generally located far apart and typically interact through communication networks. The client-server relationship is created by computer programs running on the respective computers and having a client-server relationship with each other. The server can be a cloud server, also known as a cloud computing server or cloud host, which is a hosting product within the cloud computing service system to address the shortcomings of traditional physical hosts and VPS services, such as high management difficulty and weak business scalability.
[0090] In one embodiment, the present invention further includes a computer program product, which includes a computer program that, when executed by a processor, implements the ship communication control method of any embodiment of the present invention.
[0091] In implementing the computer program product, computer program code for performing the operations of this invention can be written in one or more programming languages or a combination thereof. Programming languages include object-oriented programming languages such as Java, Smalltalk, and C++, as well as conventional procedural programming languages such as C or similar languages. The program code can be executed entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving remote computers, the remote computer can be connected to the user's computer via any type of network—including a local area network (LAN) or a wide area network (WAN)—or can be connected to an external computer (e.g., via the Internet using an Internet service provider).
[0092] It should be understood that the various forms of processes shown above can be used, with steps reordered, added, or deleted. For example, the steps described in this invention can be executed in parallel, sequentially, or in different orders, as long as the desired result of the technical solution of this invention can be achieved, and this is not limited herein.
[0093] The specific embodiments described above do not constitute a limitation on the scope of protection of this invention. Those skilled in the art should understand that various modifications, combinations, sub-combinations, and substitutions can be made according to design requirements and other factors. Any modifications, equivalent substitutions, and improvements made within the spirit and principles of this invention should be included within the scope of protection of this invention.
Claims
1. A ship communication control method, characterized in that, It is applied to both the ship and shore ends, with communication architectures configured on both ends to form a communication link between the ship and shore ends. The method includes: Before establishing a communication link between the ship and the shore, the digital certificates of the ship and the shore are verified and identity authentication is performed. Once the digital certificate verification and identity authentication are successful, the communication link between the ship and the shore is established. After establishing a communication link between the ship and the shore, a temporary session key is generated, and the temporary session key is divided into multiple key fragments, which are then stored in multiple blockchain nodes. During message transmission between the ship and shore via a communication link, the ship and shore respectively obtain key fragments from the blockchain node, reassemble and restore them to obtain the temporary session key, and encrypt the transmitted message based on the temporary session key before transmission.
2. The method according to claim 1, characterized in that, Also includes: During message transmission between the ship and shore via a communication link, the characteristics of communication traffic are analyzed in real time. The communication traffic characteristics include: time characteristics, spatial characteristics, content characteristics, behavioral characteristics, and sequence characteristics; The communication traffic characteristics are compared with an attack signature database to determine the attack type; the attack types include: replay attacks, man-in-the-middle attacks, and spoofing attacks. The system performs blocking operations on detected replay attacks, man-in-the-middle attacks, and spoofing attacks; the blocking operations include: terminating the connection, adding the attacker to the blacklist, and initiating source tracing and evidence collection.
3. The method according to claim 1, characterized in that, Also includes: A timestamp and a random number are embedded in the transmitted message; the timestamp is the time corresponding to when the message was sent, and the random number is an unpredictable random sequence. If the deviation between the timestamp and the local time exceeds a preset threshold, the message is determined to be expired and discarded. Record the random number of the received message. If a duplicate random number is found, it is determined to be a replay attack, and message transmission is blocked.
4. The method according to claim 1, characterized in that, The digital certificate contains a public key, identification information, and a certificate validity period; Identity verification includes: Based on the identification information, identity legitimacy authentication is performed to obtain a first authentication result; The user's identity is verified based on a dynamic password to obtain a second authentication result; the dynamic password is generated based on a time synchronization algorithm or an event synchronization algorithm. The user's identity is identified based on biometric features, and a third authentication result is obtained; the biometric features include at least one of fingerprint features, facial features, and voiceprint features. The identity authentication result is determined based on the first authentication result, the second authentication result, and the third authentication result.
5. The method according to claim 1, characterized in that, The temporary session key is generated using a symmetric encryption algorithm; The blockchain nodes include: ship-side nodes, shore-side nodes, and trusted third-party nodes. Also includes: When a blockchain node joins or leaves the communication link, the smart contract is triggered to automatically refresh the temporary session key and update the key fragment stored on the blockchain.
6. The method according to claim 1, characterized in that, Also includes: Real-time collection of operational data for tracing and evidence collection; the operational data includes: system logs, user operation behavior, process startup records, and file access records.
7. A ship communication control device, characterized in that, include: The communication link establishment module is used to verify the digital certificates of the ship and the shore before establishing a communication link between the ship and the shore, and to perform identity authentication. After the digital certificate verification and identity authentication are successful, the communication link between the ship and the shore is established. The session key generation module is used to generate a temporary session key after a communication link is established between the ship and the shore, and to divide the temporary session key into multiple key fragments and store each key fragment in multiple blockchain nodes. The message transmission module is used to control the ship and shore to obtain key fragments from the blockchain node, reassemble and restore them to obtain the temporary session key, and encrypt the transmitted message based on the temporary session key before transmission.
8. An electronic device, characterized in that, The electronic device includes: At least one processor; and A memory communicatively connected to the at least one processor; wherein, The memory stores a computer program that can be executed by the at least one processor, the computer program being executed by the at least one processor to enable the at least one processor to perform the ship communication control method according to any one of claims 1-6.
9. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores computer instructions that cause a processor to execute the ship communication control method according to any one of claims 1-6.
10. A computer program product, characterized in that, It includes a computer program that, when executed by a processor, implements the ship communication control method according to any one of claims 1-6.