An end-to-end encrypted data collection method and system for industrial control scenarios

By analyzing the differences in the collection sequence number, timestamp, and digest of the encrypted collection packets, and combining the hierarchical transmission status, the continuity of the collection sequence and the reliability of the data chain are quantified. This solves the problem that intermediate nodes cannot identify attacks under the end-to-end encryption mechanism, enables compliant classification of collection packets, and improves the security and reliability of industrial control systems.

CN122394969APending Publication Date: 2026-07-14BEIJING GEMOTECH INTELLIGENT TECH

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIJING GEMOTECH INTELLIGENT TECH
Filing Date
2026-06-12
Publication Date
2026-07-14

Smart Images

  • Figure CN122394969A_ABST
    Figure CN122394969A_ABST
Patent Text Reader

Abstract

The present application relates to the technical field of communication security monitoring, and in particular to an end-to-end encrypted data collection method and system for industrial control scenarios. According to the difference between the collection sequence and the collection time of the current ciphertext collection package and the ciphertext collection package received last time by the receiving end and belonging to the same source end, the collection time sequence continuity is obtained. According to the consistency of the digest of the current ciphertext collection package and the ciphertext collection package received last time by the same device, the data chain trustworthiness is obtained. Based on the hierarchical transmission state of the intermediate nodes passed by the current ciphertext collection package, the hierarchical transmission state deviation is obtained. And combined with the repeated arrival performance of the current ciphertext collection package at the receiving end, the collection time sequence continuity is corrected, the comprehensive time sequence trustworthiness score is determined, and the current ciphertext collection package is classified according to the regulations. The present application uses the collection package time sequence, chain and trajectory characteristics to realize the pre-decryption risk prediction and compliance classification of encrypted industrial control data through the comprehensive time sequence trustworthiness score.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of communication security monitoring technology, specifically to an end-to-end encrypted data acquisition method and system for industrial control scenarios. Background Technology

[0002] Industrial control system (ICS) data acquisition typically originates from field sensors, programmable logic controllers (PLCs), distributed control systems (DCS), or data acquisition terminals, and is uploaded via multiple layers of links, including edge gateways, protocol conversion devices, factory servers, and operation and maintenance platforms. Because ICS systems have extremely high requirements for data authenticity, integrity, and real-time performance, end-to-end encryption technology is usually employed to prevent data theft or tampering during transmission.

[0003] The existing patent document CN116192418A discloses a data acquisition and monitoring method and device based on blockchain and 5G slicing private network technology. Specifically, the client encrypts the acquired data and attaches a digest; the server receives the data, decrypts it, and recalculates the digest to verify integrity. While this method achieves end-to-end data security, its verification logic is deeply decryption-dependent, meaning verification can only be completed after decryption to obtain the plaintext. However, in actual industrial control scenarios, acquired data typically passes through multiple intermediate nodes to perform critical tasks such as protocol conversion, batch repackaging, aggregation and sorting, and breakpoint resumption. Existing technologies suffer from the inability of intermediate nodes to decrypt the content, making it difficult to determine whether encrypted packets represent a genuine, continuous acquisition process without accessing the plaintext. This makes it impossible to identify illegal data insertion, logical disorder, or replay attacks in the link, leading to a large influx of abnormal or duplicate encrypted packets into the backend. This not only triggers energy-intensive and ineffective decryption operations but also causes the monitoring system to generate incorrect process alarms or misjudged trends due to data timing disorder, threatening industrial production safety. Summary of the Invention

[0004] To address the technical problem that end-to-end encryption mechanisms make plaintext content invisible to intermediate nodes, making it difficult for the receiving end to effectively identify temporal reliability risks of the ciphertext data stream before decryption, this invention aims to provide an end-to-end encrypted data acquisition method and system for industrial control scenarios. The specific technical solution adopted is as follows: In a first aspect, one embodiment of the present invention provides an end-to-end encrypted data acquisition method for industrial control scenarios, the method comprising: Obtain the current encrypted acquisition packet received by the receiving end. The encrypted acquisition packet includes: acquisition sequence number, acquisition timestamp, previous data digest, current encrypted digest and process encrypted packet; Based on the difference in the collection order and collection time between the current encrypted collection packet and the previously received encrypted collection packet from the same source, the collection sequence continuity of the current encrypted collection packet is obtained. Based on the consistency between the preceding data digest of the current encrypted data acquisition packet and the current encrypted data acquisition packet received by the same device identity, as well as the digest self-check result of the current encrypted data acquisition packet's process encrypted data packet, the data chain reliability of the current encrypted data acquisition packet is obtained. Based on the degree of deviation of the hierarchical transmission state of the current encrypted packet from the source to the receiver through all intermediate nodes relative to the ideal transmission state, obtain the hierarchical transmission state deviation of the current encrypted packet. Based on the data chain reliability, the hierarchical transmission state deviation, and the repeated arrival behavior of the current encrypted collection packet at the receiving end, the collection timing continuity is corrected, the comprehensive timing reliability score of the current encrypted collection packet is determined, and the current encrypted collection packet is classified for compliance.

[0005] Furthermore, obtaining the temporal continuity of the current encrypted acquisition packet includes: The encrypted data acquisition package also includes the source device identifier, acquisition sequence number, and acquisition timestamp; The most recent encrypted data packet that the receiving end received before receiving the current encrypted data packet has the same source device identifier as the current encrypted data packet is called the same source preceding data packet. The difference between the current encrypted acquisition packet and the previous acquisition packet from the same source is recorded as the acquisition sequence number difference, and the difference between the acquisition timestamps is recorded as the actual acquisition delay. Obtain the preset acquisition period of the source device identifier corresponding to the source in the current encrypted acquisition packet, and use the product of the acquisition sequence number difference and the preset acquisition period as the theoretical acquisition delay between the current encrypted acquisition packet and the preceding acquisition packet from the same source. Calculate the ratio of the absolute difference between the actual acquisition delay and the theoretical acquisition delay to the preset acquisition period to obtain the temporal fit deviation between the current encrypted acquisition packet and the preceding acquisition packet from the same source; The absolute value of the difference between the acquisition sequence number difference and the unit increment value is used as the sequence number jump penalty value between the current encrypted acquisition packet and the preceding acquisition packet from the same source. By performing a negative correlation mapping between the sum of the time-series fitting deviation and the sequence number jump penalty value, the acquisition time-series continuity of the current encrypted acquisition packet is obtained.

[0006] Furthermore, obtaining the data chain credibility of the current encrypted acquisition packet includes: Determine whether the preceding data digest of the current encrypted data collection packet is identical to the current encrypted data digest of its source preceding data collection packet at all index positions. If not, set the data chain confidence of the current encrypted data collection packet to 0. If so, perform a hash operation on the process ciphertext in the current ciphertext acquisition packet, and record the resulting hash value as the digest to be verified; if the digest to be verified is the same as the current ciphertext digest in the current ciphertext acquisition packet, set the data chain confidence of the current ciphertext acquisition packet to 1; if the digest to be verified is different from the current ciphertext digest in the current ciphertext acquisition packet, set the data chain confidence of the current ciphertext acquisition packet to 0.

[0007] Furthermore, the step of obtaining the hierarchical transmission state deviation of the current encrypted acquisition packet includes: Hierarchical transitive states include several hierarchical transitive values; For each intermediate node through which the current encrypted packet passes from the source to the receiver, the absolute difference between each level of transmission value of the intermediate node and the preset ideal state value is standardized to obtain the standard state deviation value; the maximum value of the standard state deviation value corresponding to all levels of transmission values ​​of the intermediate node is selected as the node state deviation value. Calculate the arithmetic mean of the node state deviation values ​​of all intermediate nodes that the current encrypted packet passes through from the source to the receiver, and use it as the hierarchical transmission state deviation of the current encrypted packet.

[0008] Furthermore, determining the comprehensive temporal reliability score of the current encrypted acquisition packet includes: The time when the receiver receives the current encrypted packet is recorded as the current time; based on the degree of overlap between the encrypted packets received by the receiver within the preset historical analysis period at the current time and the current encrypted packet, the degree of overlap of the current encrypted packet is obtained. A negative correlation mapping is performed on the data chain credibility of the current encrypted acquisition packet, and the arithmetic mean of the mapping result, the hierarchical transmission state deviation, and the degree of repeated arrival is used as the comprehensive unreliability of the current encrypted acquisition packet. Calculate the difference between constant 1 and the comprehensive unreliability, and use the product of the difference and the acquisition time sequence continuity as the comprehensive time sequence reliability score of the current encrypted acquisition packet.

[0009] Furthermore, the determination of the degree of repeated arrival of the current encrypted packet includes: From all the encrypted collection packets received by the receiving end within the preset historical analysis period at the current moment, select the encrypted collection packet that has the same collection sequence number, the same collection timestamp, or the same current encrypted digest as the current encrypted collection packet, and use it as the encrypted collection packet with the same identifier. The number of identical ciphertext acquisition packets in the current ciphertext acquisition packet is normalized to obtain the degree of duplicate arrival of the current ciphertext acquisition packet.

[0010] Furthermore, the compliance classification of the current encrypted data collection package includes: If the current encrypted collection packet meets the preset conditions for the collection time continuity, data chain reliability, and hierarchical transmission state deviation, and the comprehensive time sequence reliability score is greater than the preset risk threshold, then the current encrypted collection packet is determined to be a compliant and reliable collection packet. If any of the following conditions are not met in the current encrypted collection package: collection time continuity, data chain reliability, and hierarchical transmission state deviation, or if the comprehensive time sequence reliability score is less than or equal to the preset risk threshold, then the current encrypted collection package is determined to be a non-compliant and untrusted collection package.

[0011] Furthermore, the preset conditions include: the timing continuity of data acquisition is greater than a preset timing continuity threshold, the reliability of data chain is greater than a preset chain reliability threshold, and the deviation of hierarchical transmission state is less than a preset state deviation threshold.

[0012] Furthermore, the unit increment value is 1.

[0013] Secondly, another embodiment of the present invention provides an end-to-end encrypted data acquisition system for industrial control scenarios, the system comprising: The data acquisition module is used to acquire the current encrypted acquisition packet received by the receiving end. The encrypted acquisition packet includes: acquisition sequence number, acquisition timestamp, previous data digest, current encrypted digest and process encrypted packet; The acquisition timing evaluation module is used to obtain the acquisition timing continuity of the current encrypted acquisition packet based on the difference in acquisition order and acquisition time between the current encrypted acquisition packet and the previously received encrypted acquisition packet from the same source. The chain-based trusted verification module is used to obtain the data chain trustworthiness of the current encrypted acquisition packet based on the consistency between the preceding data digest of the current encrypted acquisition packet and the current encrypted acquisition packet received by the same device identity, as well as the digest self-check result of the process encrypted packet of the current encrypted acquisition packet. The transmission state analysis module is used to obtain the hierarchical transmission state deviation of the current encrypted data acquisition packet based on the degree of deviation of the hierarchical transmission state of all intermediate nodes traversed by the current encrypted data acquisition packet from the source end to the receiver end from the ideal transmission state. The compliance classification module is used to correct the collection timing continuity based on the data chain reliability, the hierarchical transmission state deviation, and the repeated arrival performance of the current encrypted collection packet at the receiving end, determine the comprehensive timing reliability score of the current encrypted collection packet, and classify the current encrypted collection packet for compliance.

[0014] The present invention has the following beneficial effects: In this embodiment of the invention, by analyzing the differences in acquisition sequence number and timestamp between the current encrypted acquisition packet and the preceding identical acquisition packet, the stability of the sampling frequency is quantified without relying on plaintext logic. This allows the acquisition timing continuity to effectively identify timing compliance risks caused by malicious interception, delayed replay, or clock tampering. By utilizing the consistency between the preceding data digest and the current encrypted digest, combined with the self-check results of the current encrypted digest on the process encrypted packet, the data chain credibility logically guarantees the authenticity of the encrypted stream's transmission under encrypted conditions, fundamentally solving the risk perception loss caused by end-to-end encryption mechanisms. The system addresses efficiency issues by collaboratively analyzing the continuity of acquisition timing, data chain reliability, and hierarchical transmission state deviation. This effectively identifies risky packets with correct summary logic but abnormal hierarchical transmission state, as well as forged packets with normal timing characteristics but broken continuity, significantly improving the detection sensitivity against replay, insertion, and tampering attacks. Finally, by using repeated arrival behavior, data chain reliability, and hierarchical transmission state deviation to correct the continuity of acquisition timing, the determined comprehensive timing reliability score can accurately distinguish between normal network retransmission and malicious attack injection, effectively preventing non-compliant acquisition packets from penetrating the logic of industrial control systems. Attached Figure Description

[0015] To more clearly illustrate the technical solutions and advantages in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0016] Figure 1 This is a flowchart illustrating the steps of an end-to-end encrypted data acquisition method for industrial control scenarios, as provided in one embodiment of the present invention. Figure 2 This is a system architecture diagram of an end-to-end encrypted data acquisition system for industrial control scenarios, provided in one embodiment of the present invention. Figure 3 This is a schematic diagram of a computer device for an end-to-end encrypted data acquisition device for industrial control scenarios, provided as an embodiment of the present invention. Detailed Implementation

[0017] To further illustrate the technical means and effects adopted by the present invention to achieve its intended purpose, the following, in conjunction with the accompanying drawings and preferred embodiments, details the specific implementation, structure, features, and effects of an end-to-end encrypted data acquisition method and system for industrial control scenarios proposed according to the present invention. In the following description, different "one embodiment" or "another embodiment" do not necessarily refer to the same embodiment. Furthermore, specific features, structures, or characteristics in one or more embodiments can be combined in any suitable form.

[0018] Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention pertains.

[0019] The following description, in conjunction with the accompanying drawings, details the specific scheme of the end-to-end encrypted data acquisition method and system for industrial control scenarios provided by this invention.

[0020] Example 1: This invention proposes an end-to-end encrypted data acquisition method for industrial control scenarios. Please refer to [link / reference]. Figure 1 The diagram illustrates a flowchart of an end-to-end encrypted data acquisition method for industrial control scenarios, provided by an embodiment of the present invention. The method includes: Step S1: Obtain the current encrypted acquisition packet received by the receiving end. The encrypted acquisition packet includes: acquisition sequence number, acquisition timestamp, previous data digest, current encrypted digest and process encrypted packet.

[0021] This solution adopts a topology with multiple source terminals, multiple intermediate stages, and a single receiver. The multiple source terminals are distributed in the industrial control field and are responsible for the encrypted encapsulation of the raw data and the generation of chain authentication; the multiple intermediate stages are composed of edge gateways, protocol converters, and factory servers connected in series, and are responsible for performing intermediate multi-level hop forwarding and recording physical trajectories; the single receiver is responsible for multi-dimensional credibility verification and risk decision-making for the entire network encrypted stream.

[0022] Each source device continuously performs the encapsulation and generation of encrypted acquisition packets according to a preset acquisition cycle: First, the source device presets the acquisition cycle based on the process characteristics of its load; at each moment, the source device encrypts the original process data to generate a process encrypted packet; then, it calls a hash algorithm to calculate the feature fingerprint of the process encrypted packet to obtain the current encrypted digest, and extracts the current encrypted digest generated at the previous sampling moment from the local cache as the preceding data digest; finally, it assembles the source device identifier, acquisition sequence number, acquisition timestamp, preceding data digest, current encrypted digest, and process encrypted packet into a packet according to a preset message format, forming an encrypted acquisition packet that is sent to the intermediate multi-level link. The current encrypted acquisition packet is the encrypted acquisition packet generated by the source device at the current moment. The preset acquisition cycle value is pre-calibrated according to the process monitoring requirements corresponding to each source device; the preset acquisition cycle for high-frequency dynamic sampling devices is set to 50 milliseconds, and the preset acquisition cycle for low-frequency static sampling devices is set to 30 seconds. Implementers can set this value according to specific circumstances.

[0023] It should be noted that the source device identifier refers to the characteristic used to uniquely identify the data source in an industrial control network. This can be a MAC address or device serial number at the hardware level, or a pre-assigned unique node number at the network protocol level. The acquisition sequence number is a monotonically increasing integer assigned to each encrypted packet by the source device according to the order in which the acquisition action is initiated, such as 1, 2, 3, ... The acquisition timestamp is the physical time point generated when the source device completes each process parameter acquisition, such as a Unix timestamp or system time with millisecond precision. The preceding data digest refers to the data generated by the source device when generating the current encrypted acquisition. When a packet is collected, the hash value is obtained by hashing the process ciphertext packet generated in the previous ciphertext acquisition packet and extracting it from the local cache of the source end. The current ciphertext digest refers to the hash value obtained by hashing the process ciphertext packet collected this time by the source end, and it is used as the preceding data digest of the next ciphertext acquisition packet to continue to be transmitted. The process ciphertext packet is a block of ciphertext data generated by the source end by using a pre-allocated key to perform symmetric or asymmetric encryption on the original process data (such as business plaintext such as temperature, pressure, valve opening, etc.) actually collected by the sensor, and the content remains invisible to intermediate nodes throughout the transmission process.

[0024] It should be noted that for the first encrypted collection packet generated after each source starts, its preceding data digest is filled with a pre-agreed fixed string or random code; if the first encrypted collection packet has no preceding collection packet from the same source, its collection sequence continuity and data chain reliability are both assigned a value of 1.

[0025] Step S2: Based on the difference in collection order and collection time between the current encrypted collection packet and the previously received encrypted collection packet from the same source, obtain the collection timing continuity of the current encrypted collection packet.

[0026] Industrial control data acquisition is typically generated by field sensors, PLCs, DCSs, or data acquisition terminals, and uploaded through multiple links such as edge gateways, protocol conversion devices, factory servers, and operation and maintenance platforms. It has characteristics such as acquisition cycle, continuous status changes, and stable device sources. The real data stream should show the time sequence characteristics of being continuously generated by the same device in a cycle and transmitted step by step through the links.

[0027] Because industrial data acquisition has a strict isochronous rhythm, any replay attack or illegal insertion will disrupt the native sampling frequency. By analyzing the differences in logical bit order and sampling time between the current encrypted acquisition packet and its preceding source acquisition packet, it is possible to determine whether the data belongs to the original continuous acquisition process at the source end by quantifying the stability of the sampling frequency, without relying on plaintext business logic. This allows the timing continuity of acquisition to effectively identify timing compliance risks caused by malicious interception, delayed replay, or clock tampering.

[0028] Step S3: Based on the consistency between the preceding data digest of the current encrypted data acquisition packet and the current encrypted data digest of the previously received encrypted data acquisition packet under the same device identity, as well as the digest self-check result of the current encrypted data acquisition packet's process encrypted data packet, obtain the data chain reliability of the current encrypted data acquisition packet.

[0029] To simultaneously address the issues of continuity in the logical chain between packets and integrity of the packet body, the consistency between the preceding data digest and the current ciphertext digest is adopted, and collaborative verification is performed in conjunction with the digest self-check results of the process ciphertext packet. This ensures the immutability and sequential uniqueness of the ciphertext packet in the logical chain, enabling the data chain credibility to accurately identify whether intermediate nodes have performed illegal truncation or forged packet injection on the encrypted chain. From the logical architecture level, this guarantees the authenticity of the ciphertext stream in the encrypted state.

[0030] Step S4: Based on the degree of deviation of the hierarchical transmission state of the current encrypted data acquisition packet from the source end to the receiver end relative to the ideal transmission state, obtain the hierarchical transmission state deviation of the current encrypted data acquisition packet.

[0031] The physical transmission process of data packets across multiple layers of industrial control nodes exhibits specific trajectory characteristics, and this physical transmission trajectory is crucial evidence for determining whether it has encountered a middleman attack. By quantifying the deviation of the hierarchical transmission state of all intermediate nodes through which the current encrypted packet passes from the ideal transmission state, the shortcomings of imperceptible content (i.e., end-to-end encryption) can be effectively compensated for. This allows the deviation of the hierarchical transmission state to effectively identify logically correct but abnormally delayed or improperly cached risk packets, providing side-channel evidence from the physical transmission layer for encrypted credibility assessment.

[0032] Step S5: Based on the data chain reliability, hierarchical transmission state deviation, and the repeated arrival performance of the current encrypted collection packet at the receiving end, correct the collection timing continuity, determine the comprehensive timing reliability score of the current encrypted collection packet, and classify the current encrypted collection packet for compliance.

[0033] To counter highly covert complex attacks, the initial continuity is corrected by using data chain credibility, hierarchical transmission state deviation, and repeated arrival behavior. This enables cross-dimensional confidence calibration of the comprehensive time-series credibility score. Under the premise of ensuring privacy and security, it achieves accurate release of compliant data and effective isolation of abnormal data, effectively preventing illegal replay or damaged ciphertext from entering the decryption process, and significantly improving the defense robustness of the industrial control system.

[0034] Preferably, in some possible implementations of the embodiments of the present invention, the method for obtaining the acquisition timing continuity includes: the encrypted acquisition packet further includes a source device identifier, an acquisition sequence number, and an acquisition timestamp; the encrypted acquisition packet most recently received by the receiving end before receiving the current encrypted acquisition packet, which has the same source device identifier as the current encrypted acquisition packet, is recorded as a priori acquisition packet from the same source; the difference between the acquisition sequence number of the current encrypted acquisition packet and the priori acquisition packet from the same source is calculated and recorded as the acquisition sequence number difference, and the difference between the acquisition timestamps is recorded as the actual acquisition delay; the source device identifier corresponding to the source device in the current encrypted acquisition packet is obtained. A preset acquisition period is established, and the product of the acquisition sequence number difference and the preset acquisition period is used as the theoretical acquisition delay between the current encrypted acquisition packet and the preceding acquisition packet from the same source. The ratio of the absolute difference between the actual acquisition delay and the theoretical acquisition delay to the preset acquisition period is calculated to obtain the temporal fitting deviation between the current encrypted acquisition packet and the preceding acquisition packet from the same source. The absolute value of the difference between the acquisition sequence number difference and the unit increment value is used as the sequence number jump penalty value between the current encrypted acquisition packet and the preceding acquisition packet from the same source. A negative correlation mapping is performed on the sum of the temporal fitting deviation and the sequence number jump penalty value to obtain the acquisition temporal continuity of the current encrypted acquisition packet.

[0035] In one specific implementation of this invention, the timing continuity of data acquisition is expressed by the formula: In the formula, d represents the temporal continuity of the current encrypted data collection packet; d represents the current encrypted data collection packet. This is the timestamp of the current encrypted data packet collection. This is the collection timestamp of the preceding collection packet that is from the same source as the current encrypted collection packet; This is the collection sequence number of the current encrypted collection packet; T is the acquisition sequence number of the preceding acquisition packet from the same source as the current encrypted acquisition packet; T is the preset acquisition period of the source device identifier corresponding to the source end in the current encrypted acquisition packet; D is the unit increment value, which is set to 1 in this embodiment, aiming to define the ideal acquisition state of the industrial control source end as the continuous increment of the acquisition sequence number; This represents the theoretical acquisition delay between the current encrypted acquisition packet and its preceding, same-origin acquisition packet. This represents the temporal fit deviation between the current encrypted acquisition packet and its preceding homologous acquisition packet. `exp` is the sequence number jump penalty value between the current encrypted packet and its preceding homologous packets; `exp` is an exponential function with the natural constant `e` as the base, used to implement... The negative correlation was normalized.

[0036] It should be noted that the difference in collection sequence number Reflects the sequence span between the current encrypted acquisition packet and its preceding source acquisition packet, and the actual acquisition latency. This reflects the actual time interval between two corresponding acquisition actions. The timing deviation is used to quantify the subtle jitter of the actual transmission rhythm relative to the preset acquisition cycle. The larger this value, the more likely the current encrypted acquisition packet is arriving early, late, or missing during the acquisition process. The sequence number jump penalty value is used to capture logical discontinuity behavior. The larger this value, the worse the sequence number continuity of the data stream, and the higher the risk of missing, out-of-order, or illegal replay. The ideal state refers to the industrial control data acquisition and transmission system operating in a preset optimal environment. In this state, the source end continuously generates data according to a fixed cycle, intermediate nodes perform transparent forwarding without delay or packet loss, and the data stream is not affected by external replay or insertion interference, i.e., the sequence number has good continuity, making both the timing deviation and the sequence number jump penalty value approach zero. The acquisition timing continuity comprehensively reflects the temporal reliability level of the encrypted data stream in both the time dimension and logical bit order. The larger this value, the more likely the current encrypted acquisition packet highly replicates the actual acquisition process at the source end, exhibiting extremely high continuity and authenticity.

[0037] Preferably, in some possible implementations of the embodiments of the present invention, the method for obtaining the data chain credibility includes: determining whether the preceding data digest of the current encrypted acquisition packet is the same as the current encrypted digest of its source preceding acquisition packet in terms of bit data at all index positions; if not, setting the data chain credibility of the current encrypted acquisition packet to 0; if so, performing a hash operation on the process encrypted packet in the current encrypted acquisition packet, and recording the resulting hash value as the digest to be verified; when the digest to be verified is the same as the current encrypted digest in the current encrypted acquisition packet, setting the data chain credibility of the current encrypted acquisition packet to 1; when the digest to be verified is not the same as the current encrypted digest in the current encrypted acquisition packet, setting the data chain credibility of the current encrypted acquisition packet to 0.

[0038] It should be noted that the preceding data digest comparison represents the structured connection logic of the acquired data stream. Any bit difference indicates an illegal break in the ciphertext chain or the insertion of a forged packet, thus triggering a zero-confidence veto. The verification digest comparison, on the other hand, verifies the integrity of the ciphertext entity. Based on the avalanche effect of hash algorithms, any noise interference or partial tampering will cause the digest comparison to fail, triggering a veto of the ciphertext entity. Specifically, by comparing the preceding data digest of the current ciphertext acquisition packet with the current ciphertext digest of a related preceding acquisition packet, it verifies whether the current ciphertext acquisition packet is correctly connected to the preset device acquisition chain. If they are different, it is determined that an illegal link insertion or truncation has occurred, and the data chain confidence is directly set to zero. If they are the same, i.e., the link connection is normal, it is further determined whether the verification digest is the same as the current ciphertext digest. If the digest to be verified is the same as the current encrypted digest, it means that the process encrypted packet has not encountered any noise interference or malicious tampering during the transmission of the multi-level industrial control link, and the encrypted entity is complete and authentic. In this case, the data chain credibility is set to 1. Otherwise, it means that the process encrypted packet has been damaged or tampered with, and the data chain credibility is set to 0.

[0039] Preferably, in some possible implementations of the embodiments of the present invention, the method for obtaining the hierarchical transmission state deviation includes: the hierarchical transmission state includes several hierarchical transmission values; for each intermediate node traversed by the current encrypted acquisition packet from the source end to the receiver end, the absolute difference between each hierarchical transmission value of the intermediate node and the preset ideal state value is standardized to obtain a standard state deviation value; the maximum value among the standard state deviation values ​​corresponding to all hierarchical transmission values ​​of the intermediate node is selected as the node state deviation value; the arithmetic mean of the node state deviation values ​​of all intermediate nodes traversed by the current encrypted acquisition packet from the source end to the receiver end is calculated as the hierarchical transmission state deviation of the current encrypted acquisition packet.

[0040] It should be noted that standardizing the absolute difference between each level of transmission value and the preset ideal state value ensures the comparability of various level transmission values ​​on the same numerical scale. The maximum value among the standard state deviation values ​​corresponding to all level transmission values ​​of intermediate nodes is selected as the node state deviation value, following the "barrel effect" in industrial monitoring, ensuring that any abnormal deviation in any transmission dimension can be sensitively detected. The hierarchical transmission state deviation is obtained by comprehensively considering the abnormal behavior of the current encrypted data acquisition packet in the physical link through the arithmetic mean of the node state deviation values ​​of all intermediate nodes. A larger hierarchical transmission state deviation means that the physical trajectory of the current encrypted data acquisition packet during transmission deviates less from the preset ideal industrial control transmission characteristics of each level, thus increasing the likelihood of transmission state distortion caused by node congestion, abnormal re-encapsulation, or malicious interception during forwarding. In this embodiment of the invention, the hierarchical transmission state includes: buffer duration and retransmission count, etc. The node records the reception time of the encrypted acquisition record using its local system clock the instant it receives the record, and records the forwarding time the instant it completes the forwarding action. The difference between the forwarding time and the reception time of each node through which the current encrypted acquisition packet passes is used as the buffer duration. The number of retransmissions is provided by the retransmission counter of the node's communication protocol stack. Each level of transmission corresponds to a preset ideal state value. The preset ideal state value for the number of retransmissions is always set to 0, aiming to correspond to an ideal communication environment with no packet loss and no interference. The preset ideal state value for the buffer duration is set to the physical layer-to-physical layer forwarding delay defined in the node's hardware specifications. During the multi-level transmission of the encrypted acquisition packet, each intermediate node, upon receiving the encrypted acquisition packet, does not decrypt the packet's technical content. Instead, it appends its own node level identifier, reception time, forwarding time, and the number of retransmissions output by the communication protocol stack, etc., in plaintext to the unencrypted extended header of the encrypted acquisition packet, and then performs cascading forwarding. Thus, when the receiving end receives the current encrypted acquisition packet, it can parse the level transmission status of the packet generated by each intermediate node in the transmission link from its extended header.

[0041] In this embodiment of the invention, the preset ideal state value for the buffer duration is set to 2 milliseconds to characterize the non-blocking forwarding latency of conventional hardware. Based on the real-time requirements of industrial control communication standards, the preset tolerance limit for the buffer duration is set to 100 milliseconds. The preset ideal state value for the number of retransmissions is set to 0 times, representing an ideal communication environment with no packet loss. Based on the retransmission policy limits of common network transmission protocol stacks, the preset tolerance limit for the number of retransmissions is set to 3 times. By calculating the ratio of the absolute difference between the transmission value of each level of intermediate nodes and the preset ideal state value to the corresponding tolerance limit, the above absolute difference is standardized. If the ratio is greater than 1, the standard state deviation value is set to 1. Preferably, in some possible implementations of the embodiments of the present invention, the method for obtaining the comprehensive temporal reliability score includes: recording the time when the current encrypted acquisition packet is received by the receiving end as the current time; obtaining the degree of duplication of the current encrypted acquisition packet based on the degree of duplication between the encrypted acquisition packets received by the receiving end within a preset historical analysis period at the current time and the current encrypted acquisition packet; performing a negative correlation mapping on the data chain reliability of the current encrypted acquisition packet, and taking the arithmetic mean of the mapping result, the hierarchical transmission state deviation, and the degree of duplication as the comprehensive unreliability of the current encrypted acquisition packet; calculating the difference between the constant 1 and the comprehensive unreliability, and taking the product of the difference and the acquisition temporal continuity as the comprehensive temporal reliability score of the current encrypted acquisition packet.

[0042] It should be noted that, in this embodiment of the invention, the method for obtaining the degree of repeated arrival includes: selecting, from all encrypted acquisition packets received by the receiving end within a preset historical analysis period at the current time, encrypted acquisition packets that have the same acquisition sequence number, the same acquisition timestamp, or the same current encrypted digest as the current encrypted acquisition packet, as encrypted acquisition packets with the same identifier; normalizing the number of encrypted acquisition packets with the same identifier for the current encrypted acquisition packet to obtain the degree of repeated arrival of the current encrypted acquisition packet. Encoded acquisition packets with the same identifier are historical acquisition packets with the same acquisition identifier characteristics as the current encrypted acquisition packet, used to characterize the redundant reception state of the current encrypted acquisition packet in the transmission link; the number of encrypted acquisition packets with the same identifier does not include the initial count of the current encrypted acquisition packet itself. To eliminate the interference of different source device acquisition frequencies on the statistical results, normalization is achieved by dividing the number of encrypted acquisition packets with the same identifier by a preset network redundancy tolerance threshold to obtain the degree of repeated arrival. A higher degree of repeated arrivals indicates that the current encrypted data packet is highly likely to be a replay packet that has been maliciously intercepted and re-delivered, or it reflects serious protocol logic faults and forwarding redundancy risks in multi-level industrial control links. The preset network redundancy tolerance threshold is pre-set based on the network topology depth and link communication quality benchmark of the corresponding industrial control level. Specifically, for near-end data acquisition scenarios with simple link structures and few forwarding layers, this threshold is usually set to a small value, preferably 3 times; while for remote monitoring scenarios spanning multiple factory areas, requiring multi-level asynchronous caching, or performing breakpoint resumption, considering the possible legitimate retransmission mechanisms of the industrial control protocol, this threshold can be appropriately relaxed, preferably set to 8 times.

[0043] A negative correlation mapping is applied to the data chain credibility to transform the confidence level at the content level into a deviation risk quantity, thereby aligning it with the deviation of hierarchical transmission status and the degree of repeated arrival in terms of risk characteristics. By selecting the arithmetic mean of these three factors, the overall credibility risk of the current encrypted data acquisition packet in the industrial control link can be comprehensively reflected. The difference between the constant 1 and the comprehensive unreliability represents the credibility gain, which is used to weight the collection time sequence continuity to obtain a comprehensive time sequence credibility score. The larger this value, the more compliant the current encrypted data acquisition packet is with logical chain acceptance, physical transmission path, and time sequence reception distribution, meaning that the probability of the current encrypted data acquisition packet being genuine and reliable industrial data is higher, and the risk of attack or interference is lower.

[0044] In this embodiment of the invention, the duration of the historical analysis period is set to 30 times the preset collection cycle of the source corresponding to the current encrypted collection packet. The implementer can set it according to the situation.

[0045] In this embodiment of the invention, the method for classifying the current encrypted collection package for compliance includes: if the collection timing continuity, data chain reliability, and hierarchical transmission state deviation of the current encrypted collection package all meet preset conditions, and the comprehensive timing reliability score is greater than a preset risk threshold, it means that the current encrypted collection package is in the safe and compliant range in terms of source end collection rhythm, logical chain continuity, intermediate transmission trajectory, and timing redundancy performance, and is a real production sampling point generated by a legitimate source end without external malicious intervention or intermediate node logical tampering, then the current encrypted collection package is determined to be a compliant and reliable collection package; if any of the collection timing continuity, data chain reliability, and hierarchical transmission state deviation of the current encrypted collection package does not meet the preset conditions, or the comprehensive timing reliability score is less than or equal to the preset risk threshold, it means that the current encrypted collection package has an extremely high risk of malicious replay, content tampering, or path anomaly, then the current encrypted collection package is determined to be a non-compliant and reliable collection package.

[0046] It should be noted that the preset conditions include: the collection sequence continuity is greater than the preset sequence continuity threshold, reflecting that the collection behavior rhythm of the current encrypted collection packet at the source end is compliant, and there is no illegal out-of-order or significant time tampering; the data chain credibility is greater than the preset chain credibility threshold, reflecting that the logical continuity of the data stream traversed by the current encrypted collection packet is compliant and the content is basically complete, not illegally truncated, and the encrypted packet has not suffered serious data damage during transmission; the hierarchical transmission state deviation is less than the preset state deviation threshold, reflecting that the physical transmission path trajectory of the current encrypted collection packet is compliant, and there is no abnormal caching or unauthorized processing at untrusted intermediate nodes. A comprehensive sequence credibility score greater than the preset risk threshold means that the current encrypted collection packet is a genuine and trustworthy data stream sampling point generated by a legitimate source end and has not been attacked or interfered with, thus possessing the security foundation to enter the subsequent decryption and write-back process.

[0047] In this embodiment of the invention, long-term data acquisition and transmission are performed under normal operating conditions without external attack interference. The acquisition timing continuity and hierarchical transmission state deviation of each encrypted acquisition packet during transmission are obtained. The minimum value among all acquisition timing continuity values ​​is used as a preset timing continuity threshold, and the maximum value among all hierarchical transmission state deviation values ​​is used as a preset state deviation threshold. Since data chain credibility has strong authentication properties through cryptographic hash comparison, the preset chain credibility threshold is set to 1, requiring a perfect match. Abnormal response sample data of the comprehensive timing credibility score under attack conditions are obtained by artificially injecting replay attacks, packet tampering, illegal packet insertion, and network congestion interference of preset strength into the transmission link. Cross-validation is used to compare and analyze the detection rate of attack packets and the false positive rate of normal packets under different candidate threshold settings. The comprehensive timing credibility score with the largest Youden exponent in the Receiver Operating Characteristic (ROC) curve is selected as the preset risk threshold. The acquisition methods for acquisition timing continuity, hierarchical transmission state deviation, and comprehensive timing credibility score are the same as those used in this scheme.

[0048] This invention is now complete.

[0049] Example 2: This invention proposes an end-to-end encrypted data acquisition system for industrial control scenarios. Please refer to [link / reference]. Figure 2 The diagram illustrates a system architecture of an end-to-end encrypted data acquisition system for industrial control scenarios, provided by an embodiment of the present invention. The system includes: The data acquisition module 610 is used to acquire the current encrypted acquisition packet received by the receiving end. The encrypted acquisition packet includes: acquisition sequence number, acquisition timestamp, previous data digest, current encrypted digest and process encrypted packet; The acquisition timing evaluation module 620 is used to obtain the acquisition timing continuity of the current encrypted acquisition packet based on the difference in acquisition order and acquisition time between the current encrypted acquisition packet and the previously received encrypted acquisition packet from the same source. The chain-based trusted verification module 630 is used to obtain the data chain trustworthiness of the current encrypted collection packet based on the consistency between the preceding data digest of the current encrypted collection packet and the current encrypted collection packet received by the same device identity, as well as the digest self-check result of the process encrypted packet of the current encrypted collection packet. The transmission state analysis module 640 is used to obtain the hierarchical transmission state deviation of the current encrypted data acquisition packet based on the degree of deviation of the hierarchical transmission state of all intermediate nodes traversed by the current encrypted data acquisition packet from the source end to the receiver end from the ideal transmission state. The compliance classification module 650 is used to correct the collection timing continuity based on the data chain reliability, hierarchical transmission state deviation and the repeated arrival performance of the current encrypted collection packet at the receiving end, determine the comprehensive timing reliability score of the current encrypted collection packet, and classify the current encrypted collection packet for compliance.

[0050] It should be noted that the devices provided in the above embodiments are only illustrative examples of the division of the above functional modules. In practical applications, the above functions can be assigned to different functional modules as needed, that is, the internal structure of the computer device can be divided into different functional modules to complete all or part of the functions described above. In addition, the end-to-end encrypted data acquisition system for industrial control scenarios and the end-to-end encrypted data acquisition method for industrial control scenarios provided in the above embodiments belong to the same concept, and their specific implementation process can be found in the method embodiments, which will not be repeated here.

[0051] Example 3: Figure 3 This is a schematic diagram of a computer device for an end-to-end encrypted data acquisition device for industrial control scenarios, provided as an embodiment of the present invention. For example,... Figure 3 As shown, the computer device includes: a memory 701, a processor 702, and a computer program 703 stored in the memory 701 and running on the processor 702. When the processor 702 executes the computer program 703, the computer device can execute any of the end-to-end encrypted data acquisition methods for industrial control scenarios described above.

[0052] Furthermore, embodiments of this application also protect an apparatus that may include a memory and a processor, wherein the memory stores executable program code, and the processor is used to call and execute the executable program code to execute an end-to-end encrypted data acquisition method for industrial control scenarios provided in embodiments of this application.

[0053] This embodiment can divide the device into functional modules based on the above method example. For example, each module can correspond to a separate function, or two or more functions can be integrated into one processing module. The integrated module can be implemented in hardware. It should be noted that the module division in this embodiment is illustrative and only represents one logical functional division. In actual implementation, there may be other division methods.

[0054] It should be understood that the device provided in this embodiment is used to execute the above-described end-to-end encrypted data acquisition method for industrial control scenarios, and therefore can achieve the same effect as the above-described implementation method.

[0055] When using integrated units, the device may include a processing module and a storage module. When applied to a workpiece, the processing module can be used to control and manage the workpiece's operations. The storage module can be used to support the execution of relevant program code by the workpiece.

[0056] The processing module may be a processor or a controller, which can implement or execute various exemplary logic blocks, modules, and circuits contained in conjunction with the disclosure of this application. The processor may also be a combination of functions that implement computing capabilities, such as a combination of one or more microprocessors, a combination of digital signal processing (DSP) and microprocessors, etc., and the storage module may be a memory.

[0057] Example 4: This embodiment also provides a computer program product. When the computer program product is run on a computer, it causes the computer to perform the above-mentioned related steps to realize the end-to-end encrypted data acquisition method for industrial control scenarios provided in the above embodiment.

[0058] The apparatus or computer program product provided in this embodiment is used to execute the corresponding method provided above. Therefore, the beneficial effects it can achieve can be referred to the beneficial effects in the corresponding method provided above, and will not be repeated here.

[0059] In the embodiments provided in this application, it should be understood that the disclosed apparatus and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of modules or units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another device, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between devices or units may be electrical, mechanical, or other forms.

[0060] It should be noted that the order of the above embodiments of the present invention is merely for descriptive purposes and does not represent the superiority or inferiority of the embodiments. The processes depicted in the accompanying drawings do not necessarily require a specific or sequential order to achieve the desired result. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.

[0061] The various embodiments in this specification are described in a progressive manner. The same or similar parts between the various embodiments can be referred to each other. Each embodiment focuses on describing the differences from other embodiments.

Claims

1. An end-to-end encrypted data acquisition method for industrial control scenarios, characterized in that, The method includes: Obtain the current encrypted acquisition packet received by the receiving end. The encrypted acquisition packet includes: acquisition sequence number, acquisition timestamp, previous data digest, current encrypted digest and process encrypted packet; Based on the difference in the collection order and collection time between the current encrypted collection packet and the previously received encrypted collection packet from the same source, the collection sequence continuity of the current encrypted collection packet is obtained. Based on the consistency between the preceding data digest of the current encrypted data acquisition packet and the current encrypted data acquisition packet received by the same device identity, as well as the digest self-check result of the current encrypted data acquisition packet's process encrypted data packet, the data chain reliability of the current encrypted data acquisition packet is obtained. Based on the degree of deviation of the hierarchical transmission state of the current encrypted packet from the source to the receiver through all intermediate nodes relative to the ideal transmission state, obtain the hierarchical transmission state deviation of the current encrypted packet. Based on the data chain reliability, the hierarchical transmission state deviation, and the repeated arrival behavior of the current encrypted collection packet at the receiving end, the collection timing continuity is corrected, the comprehensive timing reliability score of the current encrypted collection packet is determined, and the current encrypted collection packet is classified for compliance.

2. The end-to-end encrypted data acquisition method for industrial control scenarios according to claim 1, characterized in that, The step of obtaining the temporal continuity of the current encrypted acquisition packet includes: The encrypted data acquisition package also includes the source device identifier, acquisition sequence number, and acquisition timestamp; The most recent encrypted data packet that the receiving end received before receiving the current encrypted data packet has the same source device identifier as the current encrypted data packet is called the same source preceding data packet. The difference between the current encrypted acquisition packet and the previous acquisition packet from the same source is recorded as the acquisition sequence number difference, and the difference between the acquisition timestamps is recorded as the actual acquisition delay. Obtain the preset acquisition period of the source device identifier corresponding to the source in the current encrypted acquisition packet, and use the product of the acquisition sequence number difference and the preset acquisition period as the theoretical acquisition delay between the current encrypted acquisition packet and the preceding acquisition packet from the same source. Calculate the ratio of the absolute difference between the actual acquisition delay and the theoretical acquisition delay to the preset acquisition period to obtain the temporal fit deviation between the current encrypted acquisition packet and the preceding acquisition packet from the same source; The absolute difference between the acquisition sequence number difference and the unit increment value is used as the sequence number jump penalty value between the current encrypted acquisition packet and the preceding acquisition packet from the same source. The sum of the time-series fitting deviation and the sequence number jump penalty value is negatively correlated and normalized to obtain the acquisition time-series continuity of the current ciphertext acquisition packet.

3. The end-to-end encrypted data acquisition method for industrial control scenarios according to claim 2, characterized in that, The process of obtaining the data chain credibility of the current encrypted acquisition packet includes: Determine whether the preceding data digest of the current encrypted data collection packet is identical to the current encrypted data digest of its source preceding data collection packet at all index positions. If not, set the data chain confidence of the current encrypted data collection packet to 0. If so, perform a hash operation on the process ciphertext in the current ciphertext acquisition packet, and record the resulting hash value as the digest to be verified; if the digest to be verified is the same as the current ciphertext digest in the current ciphertext acquisition packet, set the data chain confidence of the current ciphertext acquisition packet to 1; if the digest to be verified is different from the current ciphertext digest in the current ciphertext acquisition packet, set the data chain confidence of the current ciphertext acquisition packet to 0.

4. The end-to-end encrypted data acquisition method for industrial control scenarios according to claim 1, characterized in that, The step of obtaining the hierarchical transmission state deviation of the current encrypted packet includes: Hierarchical transitive states include several hierarchical transitive values; For each intermediate node through which the current encrypted packet passes from the source to the receiver, the absolute difference between each level of transmission value of the intermediate node and the preset ideal state value is standardized to obtain the standard state deviation value; the maximum value of the standard state deviation value corresponding to all levels of transmission values ​​of the intermediate node is selected as the node state deviation value. Calculate the arithmetic mean of the node state deviation values ​​of all intermediate nodes that the current encrypted packet passes through from the source to the receiver, and use it as the hierarchical transmission state deviation of the current encrypted packet.

5. The end-to-end encrypted data acquisition method for industrial control scenarios according to claim 1, characterized in that, The determination of the comprehensive temporal reliability score of the current encrypted acquisition packet includes: The time when the receiver receives the current encrypted packet is recorded as the current time; based on the degree of overlap between the encrypted packets received by the receiver within the preset historical analysis period at the current time and the current encrypted packet, the degree of overlap of the current encrypted packet is obtained. A negative correlation mapping is performed on the data chain credibility of the current encrypted acquisition packet, and the arithmetic mean of the mapping result, the hierarchical transmission state deviation, and the degree of repeated arrival is used as the comprehensive unreliability of the current encrypted acquisition packet. Calculate the difference between constant 1 and the comprehensive unreliability, and use the product of the difference and the acquisition time sequence continuity as the comprehensive time sequence reliability score of the current encrypted acquisition packet.

6. The end-to-end encrypted data acquisition method for industrial control scenarios according to claim 5, characterized in that, The process of obtaining the degree of repeated arrival of the current encrypted packet includes: From all the encrypted collection packets received by the receiving end within the preset historical analysis period at the current moment, select the encrypted collection packet that has the same collection sequence number, the same collection timestamp, or the same current encrypted digest as the current encrypted collection packet, and use it as the encrypted collection packet with the same identifier. The number of identical ciphertext acquisition packets in the current ciphertext acquisition packet is normalized to obtain the degree of duplicate arrival of the current ciphertext acquisition packet.

7. The end-to-end encrypted data acquisition method for industrial control scenarios according to claim 1, characterized in that, The compliance classification of the current encrypted data collection package includes: If the current encrypted collection packet meets the preset conditions for the collection time continuity, data chain reliability, and hierarchical transmission state deviation, and the comprehensive time sequence reliability score is greater than the preset risk threshold, then the current encrypted collection packet is determined to be a compliant and reliable collection packet. If any of the following conditions are not met in the current encrypted collection package: collection time continuity, data chain reliability, and hierarchical transmission state deviation, or if the comprehensive time sequence reliability score is less than or equal to the preset risk threshold, then the current encrypted collection package is determined to be a non-compliant and untrusted collection package.

8. The end-to-end encrypted data acquisition method for industrial control scenarios according to claim 7, characterized in that, The preset conditions include: the continuity of the acquisition time sequence is greater than a preset time sequence continuity threshold, the reliability of the data chain is greater than a preset chain reliability threshold, and the deviation of the hierarchical transmission state is less than a preset state deviation threshold.

9. The end-to-end encrypted data acquisition method for industrial control scenarios according to claim 2, characterized in that, The unit increment value is 1.

10. An end-to-end encrypted data acquisition system for industrial control scenarios, characterized in that, The system includes: The data acquisition module is used to acquire the current encrypted acquisition packet received by the receiving end. The encrypted acquisition packet includes: acquisition sequence number, acquisition timestamp, previous data digest, current encrypted digest and process encrypted packet; The acquisition timing evaluation module is used to obtain the acquisition timing continuity of the current encrypted acquisition packet based on the difference in acquisition order and acquisition time between the current encrypted acquisition packet and the previously received encrypted acquisition packet from the same source. The chain-based trusted verification module is used to obtain the data chain trustworthiness of the current encrypted acquisition packet based on the consistency between the preceding data digest of the current encrypted acquisition packet and the current encrypted acquisition packet received by the same device identity, as well as the digest self-check result of the process encrypted packet of the current encrypted acquisition packet. The transmission state analysis module is used to obtain the hierarchical transmission state deviation of the current encrypted data acquisition packet based on the degree of deviation of the hierarchical transmission state of all intermediate nodes traversed by the current encrypted data acquisition packet from the source end to the receiver end from the ideal transmission state. The compliance classification module is used to correct the collection timing continuity based on the data chain reliability, the hierarchical transmission state deviation, and the repeated arrival performance of the current encrypted collection packet at the receiving end, determine the comprehensive timing reliability score of the current encrypted collection packet, and classify the current encrypted collection packet for compliance.