CN106230856A - Industrial equipment control system based on the Internet of Things - Google Patents


Info

Publication number: CN106230856A
Authority: CN (China)
Prior art keywords: information data, key, attribute, identity, information
Legal status: Pending
Application number: CN201610778830.6A
Other languages: Chinese (zh)
Inventor: not disclosed (不公告发明人)
Current assignee: Individual
Original assignee: Individual
Application filed by: Individual
Priority to: CN201610778830.6A
Publication of: CN106230856A
Current legal status: Pending


Classifications

    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/1466 Countermeasures against malicious traffic: active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/20 Network architectures or network communication protocols for managing network security; network security policies in general
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides an industrial equipment control system based on the Internet of Things. It comprises video surveillance devices, a communication system, a central monitoring centre, user mobile terminals, a video monitoring display and an information security management system. The video surveillance devices are placed according to the positions of the industrial equipment. The communication system comprises several switches; the video surveillance devices are connected to the central monitoring centre through the switches, and the central monitoring centre connects to the user mobile terminals and the video monitoring display over a wireless network. The health centre comprises a health-status monitoring system for monitoring the health of the industrial equipment. The information security management system manages the information data relating to the industrial equipment and protects the security of that data. The invention achieves simultaneous monitoring by several user mobile terminals and the central monitoring centre, Internet-of-Things-style monitoring and management, and a high level of security.

Description

Industrial equipment control system based on the Internet of Things
Technical field
The present invention relates to the technical field of equipment monitoring, and in particular to an industrial equipment control system based on the Internet of Things.
Background art
Industrial production typically consists of several production lines, and each line contains one or more important pieces of equipment. Whether this equipment runs normally affects the operation of the whole line, so the important equipment must be monitored in real time to keep the whole line running properly. In the related art, equipment in industrial production is usually fitted with an ordinary monitoring system, which consists mainly of three parts: front-end monitoring devices, transmission equipment, and back-end control and display equipment; the back-end equipment can be further divided into central control equipment and sub-control equipment. The front-end and back-end equipment can be composed in many ways, and the links between them can be implemented by cable, optical fibre, microwave and other means. Such ordinary monitoring systems tend to process events with a delay and cannot notify operators in real time; operators must keep watching the back-end control platform, while back-end operators do not know the operating state of each key piece of equipment in the plant, cannot monitor it in real time and respond appropriately, and cannot achieve networked management.
Summary of the invention
To solve the above problems, the present invention aims to provide an industrial equipment control system based on the Internet of Things.
The object of the present invention is achieved by the following technical solution:
Provided is an industrial equipment control system based on the Internet of Things, comprising video surveillance devices, a communication system, a central monitoring centre, user mobile terminals, a video monitoring display and an information security management system. The video surveillance devices are placed according to the positions of the industrial equipment. The communication system comprises several switches; the video surveillance devices are connected to the central monitoring centre through the switches, and the central monitoring centre connects to the user mobile terminals and the video monitoring display over a wireless network. The health centre comprises a health-status monitoring system for monitoring the health of the industrial equipment. The information security management system manages the information data relating to the industrial equipment and protects the security of that data.
The beneficial effects of the invention are as follows: simultaneous monitoring by several user mobile terminals and the central monitoring centre is achieved; the operating state of the industrial equipment can be reported in real time to mobile users and to management staff at the central monitoring centre and displayed; and Internet-of-Things-style monitoring and management is realised, thereby solving the technical problem described above.
Description of the drawings
The invention is further described with reference to the accompanying drawings, but the embodiments shown in the drawings do not limit the invention in any way; a person of ordinary skill in the art can derive other drawings from the following drawings without inventive effort.
Fig. 1 is a schematic diagram of the structural connections of the present invention.
Fig. 2 is a schematic diagram of the structure of the information security management system of the present invention.
Reference numerals:
video surveillance devices 1; communication system 2; central monitoring centre 3; information security management system 4; user mobile terminal 5; video monitoring display 6; early-warning device 7; information data service system 40; information data pretreatment system 41; cloud storage encryption/decryption system 42; control system 43; security management centre 44.
Detailed description of the invention
The invention is further described by the following examples.
Application scenario 1
Referring to Fig. 1 and Fig. 2, the industrial equipment control system based on the Internet of Things of one embodiment of this application scenario comprises video surveillance devices 1, a communication system 2, a central monitoring centre 3, an information security management system 4, user mobile terminals 5 and a video monitoring display 6. The video surveillance devices 1 are placed according to the positions of the industrial equipment. The communication system 2 comprises several switches; the video surveillance devices 1 are connected to the central monitoring centre 3 through the switches, and the central monitoring centre 3 connects to the user mobile terminals 5 and the video monitoring display 6 over a wireless network. The health centre comprises a health-status monitoring system for monitoring the health of the industrial equipment. The information security management system 4 manages the information data relating to the industrial equipment and protects the security of that data.
This embodiment achieves simultaneous monitoring by several user mobile terminals 5 and the central monitoring centre 3: the operating state of the industrial equipment can be reported in real time to mobile users and to management staff at the central monitoring centre 3 and displayed, so that Internet-of-Things-style monitoring and management is realised and the technical problem described above is solved.
Preferably, the central monitoring centre 3 is also connected to an early-warning device 7 that raises an alarm when the industrial equipment behaves abnormally.
This preferred embodiment adds an alarm function to the system and improves its safety.
Preferably, the user mobile terminals 5 are connected to the early-warning device 7 over the wireless network.
This preferred embodiment lets the user mobile terminals 5 receive alarms, further improving the safety of the system.
Preferably, the information security management system 4 comprises an information data service system 40, an information data pretreatment system 41, a cloud storage encryption/decryption system 42, a control system 43 and a security management centre 44. The information data service system 40 is responsible for storing, backing up and querying the information data; the information data pretreatment system 41 pretreats the information data that must be kept confidential; the cloud storage encryption/decryption system 42 encrypts or decrypts the confidential information data according to the optimised access-control security policy; the control system 43 stores the information data on the corresponding storage devices; and the security management centre 44 performs unified security monitoring and management of each system.
This preferred embodiment defines the structure of the information security management system 4.
Preferably, storing, backing up and querying the information data comprises:
(1) converting the format of the information data and establishing a format suitable for storage in a non-relational database;
(2) dividing the information data into basic information data and specialised information data and storing it with a combined centralised-and-distributed strategy, backing up all information data during storage. The combined strategy is as follows: basic information data accessed more often than a preset frequency is stored centrally and maintained by the information data administration centre, while specialised information data accessed less often than the preset frequency is stored in a distributed manner and maintained by each specialised information data centre;
(3) establishing a corresponding information data retrieval algorithm for fast retrieval. The retrieval algorithm combines directory retrieval with a search engine: an information data directory is built and used for a preliminary search; keywords are then entered into the search engine for a precise search; the search engine finds the matching information data in a given way, ranks it by how well it matches the keywords and returns it to the user.
This preferred embodiment uses a search algorithm combining directory retrieval with a search engine and can obtain information data quickly and accurately.
Preferably, the unified security monitoring and management of each system comprises:
(1) adopting protection techniques matching the different security-protection requirements of the information data service system 40, the information data pretreatment system 41, the cloud storage encryption/decryption system 42 and the control system 43, and equipping them with the relevant protective equipment, so as to form a complete security-protection system;
(2) establishing an effective information data security policy that considers security during storage, transmission and access, encrypting not only the information data itself but also the transport protocol used for it;
(3) establishing a defence mechanism against viruses and trojans, updating the virus database and upgrading the firewall periodically with an update cycle T of 6 to 10 days, and analysing any abnormal information data detected and issuing an early warning.
This preferred embodiment achieves unified security monitoring and management of each system.
Preferably, the information data pretreatment system 41 comprises an information data splitting unit, an information data extraction unit and an access-control security policy optimisation unit. The splitting unit divides the information data that must be kept confidential into several mutually exclusive information data sets. The extraction unit sorts each mutually exclusive set according to a user-defined ordering rule, extracts the first information data unit of each set in turn, and saves the extracted units together with the ordering rule as the small-block information data; here "mutually exclusive" means that no association exists between any two information data units in the sets. The access-control security policy optimisation unit generates the system's access-control security policy with an optimisation method based on fine-grained resource division, comprising:
(1) building a hierarchical information data tree from the mutually exclusive information data sets produced by the extraction unit. The tree has three layers: a service layer, a logical layer and a physical layer. The service layer is the root node associated with the information data dispatch service; the logical layer holds the information data associated in the access-control security policy; and the physical layer contains the information data units of all the mutually exclusive sets;
(2) formulating an access-control security policy for information data of different security levels in the eXtensible Access Control Markup Language (XACML), and projecting the rules associated with the information data in that policy onto the information data units of the mutually exclusive sets, so that the rules are refined to the granularity of individual information data units;
(3) optimising the rules assigned to the information data units of each mutually exclusive set, removing conflicts and redundancy among the rules assigned to each unit;
(4) merging the optimised rules to produce the optimised access-control security policy.
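As an added illustration (example code written for this page, not the patent's own implementation), the following Python models steps (1) to (4): a constructed three-layer tree, a few XACML-style rules containing one duplicate and one Permit/Deny conflict, projection of the rules onto the physical units, per-unit optimisation and the final merge. The tree, the rule and unit names, and the priority-based conflict resolution (higher priority wins, Deny wins ties) are assumptions; the patent does not state how conflicts are resolved.

```python
"""Added example, not the patent's code: projecting XACML-style rules onto the
physical data units of the three-layer tree and removing conflicting and
redundant rules per unit. The tree, rules and conflict rule are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    subject: str        # role or attribute the rule applies to
    action: str         # "read" or "write"
    target: str         # logical-layer data set the rule was written for
    effect: str         # XACML effect: "Permit" or "Deny"
    priority: int = 0   # assumption: higher priority wins a Permit/Deny conflict


# Constructed three-layer tree: service root -> logical sets -> physical units
TREE = {"equipment-dispatch": {"sensor-readings": ["u1", "u2"],
                               "maintenance-logs": ["u3"]}}

# Constructed policy with one redundant copy and one Permit/Deny conflict
RULES = [
    Rule("operator", "read", "sensor-readings", "Permit"),
    Rule("operator", "read", "sensor-readings", "Permit"),             # redundant copy
    Rule("operator", "write", "sensor-readings", "Permit", priority=1),
    Rule("operator", "write", "sensor-readings", "Deny", priority=2),  # conflicts with the line above
    Rule("auditor", "read", "maintenance-logs", "Permit"),
]


def project(rules: List[Rule], tree) -> Dict[str, List[Rule]]:
    """Step (2): push each logical-layer rule down to the physical units it covers."""
    per_unit: Dict[str, List[Rule]] = {}
    for logical_sets in tree.values():
        for logical, units in logical_sets.items():
            for rule in rules:
                if rule.target == logical:
                    for unit in units:
                        per_unit.setdefault(unit, []).append(rule)
    return per_unit


def optimise(per_unit):
    """Step (3): per unit, drop redundant duplicates and resolve Permit/Deny
    conflicts on the same (subject, action); higher priority wins, Deny wins ties."""
    optimised: Dict[str, List[Rule]] = {}
    conflicts: List[Tuple[str, Rule, Rule]] = []
    for unit, rules in per_unit.items():
        chosen: Dict[Tuple[str, str], Rule] = {}
        for rule in rules:
            key = (rule.subject, rule.action)
            current = chosen.get(key)
            if current is None:
                chosen[key] = rule
            elif current.effect == rule.effect:
                continue                      # redundant: same decision already recorded
            else:
                conflicts.append((unit, current, rule))
                if rule.priority > current.priority or (
                        rule.priority == current.priority and rule.effect == "Deny"):
                    chosen[key] = rule
        optimised[unit] = sorted(chosen.values(), key=lambda r: (r.subject, r.action))
    return optimised, conflicts


def merge(optimised) -> Dict[Rule, List[str]]:
    """Step (4): identical per-unit rules collapse into one rule listing its units."""
    merged: Dict[Rule, List[str]] = {}
    for unit, rules in optimised.items():
        for rule in rules:
            merged.setdefault(rule, []).append(unit)
    return merged


def decide(merged, unit: str, subject: str, action: str) -> str:
    """Evaluate the optimised policy for one request against one physical unit."""
    for rule, units in merged.items():
        if unit in units and rule.subject == subject and rule.action == action:
            return rule.effect
    return "NotApplicable"   # XACML's result when no rule covers the request


def build_policy(rules=RULES, tree=TREE):
    """Run steps (2) to (4) and return the merged policy plus the conflicts found."""
    optimised, conflicts = optimise(project(rules, tree))
    return merge(optimised), conflicts
```

Running `build_policy()` on the constructed input yields three merged rules: the duplicate read rule collapses to one, the write conflict on u1 and u2 resolves to Deny, and the auditor rule covers u3 only; the two conflicts reported are the same Permit/Deny pair seen once per unit.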
Preferably, storing the information data on the corresponding storage devices comprises:
(1) storing the small-block information data in local storage and encrypting it with a user-defined encryption technique;
(2) encrypting the remaining information data with the cloud storage encryption/decryption system 42 and storing it in the cloud database of the central monitoring centre 3; after receiving the information data, the cloud database of the central monitoring centre 3 verifies its integrity before saving it to a storage node.
The two preferred embodiments above make up the information data pretreatment system 41. Confidential information data is first split and its first units extracted, and the rules of the access-control security policy are then refined; this reduces the physical storage footprint and the cost of storage, eliminates conflicts and redundancy in the access-control security policy, and improves the efficiency of access-control decisions. The extracted part of the information data is stored locally, and the remainder is stored in the cloud database of the central monitoring centre 3 under the corresponding access-control security policy. This avoids the large overhead and inconvenience that conventional cloud-storage privacy mechanisms based on simple encryption bring to everyday operations on the data, effectively prevents malicious users or cloud storage administrators from stealing or tampering with users' private information data, and improves the security of storage for confidential information data.
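The following Python is an added example, not code from the patent, that runs the split / extract / local-plus-cloud storage path of the two embodiments above on a constructed batch of equipment records and then reassembles them. Several details are assumptions: the production-line field is what makes the sets mutually exclusive, the "by_timestamp" ordering rule is the user-defined rule saved with the small block, a SHAKE256 keystream with an HMAC tag stands in for a real authenticated cipher, and the cloud's integrity check is a SHA-256 digest sent alongside the upload.

```python
"""Added example, not the patent's code: split records into mutually exclusive sets,
extract the first unit of each set into a locally stored small block, send the
remainder to a cloud database that checks integrity before saving, and restore."""
import hashlib
import hmac
import json
import os

# Assumption: user-defined ordering rules are looked up by name, and the name is
# what gets saved with the small block so the order can be re-established later.
ORDERING_RULES = {"by_timestamp": lambda r: r["ts"]}


def split_into_exclusive_sets(records, key_fn):
    """Partition records so that no record belongs to two sets (mutual exclusion)."""
    sets = {}
    for rec in records:
        sets.setdefault(key_fn(rec), []).append(rec)
    return sets


def extract_first_units(sets, rule_name):
    """Sort each set by the named rule, move its first unit into the small block
    (saved together with the rule name) and keep the rest as the remainder."""
    key = ORDERING_RULES[rule_name]
    small, remainder = {"rule": rule_name, "units": {}}, {}
    for name, units in sets.items():
        ordered = sorted(units, key=key)
        small["units"][name] = ordered[0]
        remainder[name] = ordered[1:]
    return small, remainder


def seal(key: bytes, obj) -> bytes:
    """Encrypt-then-MAC with a SHAKE256 keystream: stand-in for an AEAD such as AES-GCM."""
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    ct = bytes(a ^ b for a, b in zip(data, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext failed authentication")
    ks = hashlib.shake_256(key + nonce).digest(len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))


class CloudDatabase:
    """Cloud side of step (2): verify integrity before saving to a storage node."""
    def __init__(self):
        self.nodes = {}

    def receive(self, object_id: str, blob: bytes, expected_digest: str) -> bool:
        if hashlib.sha256(blob).hexdigest() != expected_digest:
            return False          # corrupted or tampered upload: nothing is saved
        self.nodes[object_id] = blob
        return True


def store(records, local_key, cloud_key, cloud, object_id="batch-1"):
    sets = split_into_exclusive_sets(records, lambda r: r["line"])
    small, remainder = extract_first_units(sets, "by_timestamp")
    local_blob = seal(local_key, small)        # step (1): small block stays local
    cloud_blob = seal(cloud_key, remainder)    # step (2): remainder goes to the cloud
    accepted = cloud.receive(object_id, cloud_blob, hashlib.sha256(cloud_blob).hexdigest())
    return local_blob, accepted


def restore(local_blob, local_key, cloud, cloud_key, object_id="batch-1"):
    """Recombine: the saved rule says the local unit precedes the cloud remainder."""
    small = unseal(local_key, local_blob)
    remainder = unseal(cloud_key, cloud.nodes[object_id])
    return {name: [unit] + remainder[name] for name, unit in small["units"].items()}


RECORDS = [   # constructed sample records from two production lines
    {"line": "L1", "ts": 3, "v": "pump-7 ok"},
    {"line": "L1", "ts": 1, "v": "pump-7 start"},
    {"line": "L2", "ts": 2, "v": "press-2 alarm"},
    {"line": "L1", "ts": 2, "v": "pump-7 warm"},
]


def demo():
    local_key, cloud_key = os.urandom(32), os.urandom(32)
    cloud = CloudDatabase()
    local_blob, accepted = store(RECORDS, local_key, cloud_key, cloud)
    restored = restore(local_blob, local_key, cloud, cloud_key)
    # a single flipped byte in transit is rejected by the cloud's integrity check
    tampered = bytearray(cloud.nodes["batch-1"])
    tampered[20] ^= 1
    rejected = not cloud.receive("batch-2", bytes(tampered),
                                 hashlib.sha256(cloud.nodes["batch-1"]).hexdigest())
    return restored, accepted, rejected
```

Neither store alone is useful on its own: the cloud blob lacks the first unit of every set, and the local block lacks everything else, which is the property the embodiment relies on for reducing exposure of the confidential data.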
Preferably, the cloud storage encryption/decryption system 42 consists of five entities: the information data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the confidential information data comprises:
(1) the trusted third party assigns a user identity UAID to each user and an attribute authority identity AID to the attribute authority, as follows:
A. Initialisation: the trusted third party initialises the system parameters, where α is a random integer;
B. For each legitimate user the trusted third party assigns a UAID and generates a certificate:
$\mathrm{Certificate}(UAID) = \hat{e}(H(UAID), g)^{C_{UAID}}$
At the same time the authentication parameter of the legitimate user is published, where $C_{UAID} \in Z_P$;
C. Identity key pairs are generated for the information data owner and the legitimate users;
(2) the identity-based encryption/decryption keys, the attribute encryption/decryption keys and the proxy re-encryption key are generated. The identity-based keys comprise the identity public key $GK_{UAID}$ and the identity private key $CK_{UAID}$; the attribute keys comprise the attribute public key $GK_{AID}$ and the attribute private key $CK_{AID}$:
$GK_{UAID} = \hat{e}(g, g)^{\propto_{AID}}$
$GK_{AID} = \{\forall x \in AS_{AID} : GK_x = H(x)^{B_x \beta_{AID}}\}, \qquad CK_{UAID} = (\propto_{AID}, \beta_{AID})$
$CK_{AID} = \left(K_0 = g^{\propto_{AID}} g^{\alpha\gamma},\ K_1 = g^{\alpha\gamma},\ \forall x \in AS_{UAID,AID} : K_x = H(x)^{B_x \beta_{AID} \gamma}\right)$
Here $AS_{AID}$ is the set of attributes a single attribute authority can assign, $GK_x$ is the public key of attribute x, $B_x$ is the version number of attribute x, $\propto_{AID}$ is the private-key parameter of the attribute authority, $\beta_{AID}$ is the attribute update parameter, $AS_{UAID,AID}$ is the set of attributes the attribute authority assigns according to the identity, γ is a parameter chosen at random by the attribute authority, and $\gamma, \propto_{AID}, \beta_{AID} \in Z_P$.
(3) the cloud storage encryption/decryption system 42 encrypts the information data to be stored in the cloud database of the central monitoring centre 3 with an information data key, obtaining the ciphertext CT, and then encrypts the information data key with the identity public key and the attribute public key respectively, producing the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$, as follows:
A. Two fixed-length strings IK and AK are generated at random and concatenated to form the information data key DK:
$DK = IK \,\|\, AK$
B. The information data to be stored in the cloud database of the central monitoring centre 3 is encrypted with the information data key DK to obtain the ciphertext CT; AK is then encrypted with the attribute public key to produce the attribute key ciphertext $CT_A$, and IK is encrypted with the identity public key to produce the identity key ciphertext $CT_U$;
(4) proxy re-encryption: when a user's information data request is received, the cloud uses the proxy re-encryption key to convert the identity key ciphertext $CT_U$ into a ciphertext that the designated user can decrypt; the proxy re-encryption key is computed from the information data owner's own private key and the identity public key;
(5) decryption: after receiving the information data, the user decrypts the identity key ciphertext $CT_U$ with the identity private key $CK_{UAID}$ and the attribute key ciphertext $CT_A$ with the attribute private key $CK_{AID}$, reconstructs the information data key and decrypts the ciphertext CT;
(6) the attribute and identity keys are updated.
By providing the cloud storage encryption/decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for many kinds of information data while resisting collusion between users and the attribute authority. For confidential information data, identity-based and attribute-based encryption/decryption keys are constructed separately and combined into the information data encryption key used to encrypt the data, so that only a user who satisfies both the identity condition and the attribute condition can decrypt it, which greatly improves the security of the information security management system 4.
In this application scenario the update cycle T is 6 days and the security of the system is improved by 12% in relative terms.
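The following Python is an added example, not the patent's code, that walks through steps (2) to (5) of the hybrid scheme on a constructed record. It is a symmetric, standard-library stand-in: HMAC/SHAKE key derivation replaces the pairing-based identity and attribute key generation, a one-time-pad wrap replaces public-key encryption of IK and AK, and the trusted third party (rather than the data owner, as in the patent) derives the proxy re-encryption key. What it demonstrates is the key split DK = IK || AK, the cloud converting CT_U without learning IK, and the resulting double condition: a user with the right attributes but the wrong identity, or the right identity but a missing attribute, cannot recover the data. Collusion resistance and key update (step 6) are not modelled; all entity names are assumptions.

```python
"""Added example, not the patent's code: stdlib stand-in for the identity + attribute
hybrid. Shows DK = IK || AK, cloud-side re-encryption of CT_U and the double
decryption condition. Entity names and the sample record are constructed."""
import hashlib
import hmac
import os


def kdf(key: bytes, *parts: bytes) -> bytes:
    """32-byte derivation: HMAC-SHA256 over length-prefixed parts."""
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_key(secret: bytes) -> bytes:
    """16-byte one-time-pad key for wrapping IK or AK (stand-in for public-key encryption)."""
    return kdf(secret, b"wrap")[:16]


class TrustedThirdParty:
    """Step (1): issues identity private keys CK_UAID. Assumption for this toy: it also
    derives the proxy re-encryption key, which the patent has the data owner compute."""
    def __init__(self):
        self.master = os.urandom(32)

    def identity_key(self, uaid: str) -> bytes:
        return kdf(self.master, b"identity", uaid.encode())

    def re_encryption_key(self, owner_uaid: str, user_uaid: str) -> bytes:
        return xor_bytes(wrap_key(self.identity_key(owner_uaid)),
                         wrap_key(self.identity_key(user_uaid)))


def derive_policy_key(attr_keys: dict, policy) -> bytes:
    """Derivable only by holding a key for every attribute in the AND policy
    (KeyError otherwise): this is the attribute condition of the scheme."""
    return kdf(b"policy", *[attr_keys[x] for x in sorted(policy)])


class AttributeAuthority:
    """Issues per-attribute private keys CK_AID and the wrapping key for a policy."""
    def __init__(self):
        self.master = os.urandom(32)

    def attribute_keys(self, attrs) -> dict:
        return {x: kdf(self.master, b"attribute", x.encode()) for x in attrs}

    def policy_key(self, policy) -> bytes:    # plays the role of the attribute public key
        return derive_policy_key(self.attribute_keys(policy), policy)


def owner_encrypt(data: bytes, owner_ck: bytes, policy_key: bytes):
    """Step (3): CT under DK = IK || AK, CT_U under the identity key, CT_A under the attribute key."""
    ik, ak = os.urandom(16), os.urandom(16)
    dk = ik + ak
    nonce = os.urandom(16)
    body = xor_bytes(data, hashlib.shake_256(dk + nonce).digest(len(data)))
    tag = kdf(dk, b"tag", nonce, body)[:16]       # lets the receiver detect a wrong DK
    return nonce + body + tag, xor_bytes(ik, wrap_key(owner_ck)), xor_bytes(ak, wrap_key(policy_key))


def cloud_reencrypt(ct_u: bytes, rk: bytes) -> bytes:
    """Step (4): the cloud converts CT_U for the requesting user without learning IK."""
    return xor_bytes(ct_u, rk)


def user_decrypt(ct, ct_u, ct_a, user_ck, user_attr_keys, policy) -> bytes:
    """Step (5): recover IK and AK, rebuild DK and decrypt CT."""
    ik = xor_bytes(ct_u, wrap_key(user_ck))
    ak = xor_bytes(ct_a, wrap_key(derive_policy_key(user_attr_keys, policy)))
    dk = ik + ak
    nonce, body, tag = ct[:16], ct[16:-16], ct[-16:]
    if not hmac.compare_digest(kdf(dk, b"tag", nonce, body)[:16], tag):
        raise ValueError("authentication failed: identity or attribute key is wrong")
    return xor_bytes(body, hashlib.shake_256(dk + nonce).digest(len(body)))


def demo() -> dict:
    ttp, aa = TrustedThirdParty(), AttributeAuthority()
    policy = ["plant-A", "maintenance"]                 # AND policy on two attributes
    message = b"pump-7 vibration 3.1 mm/s"              # constructed sample record
    ct, ct_u, ct_a = owner_encrypt(message, ttp.identity_key("owner-01"), aa.policy_key(policy))
    ct_u_user = cloud_reencrypt(ct_u, ttp.re_encryption_key("owner-01", "user-42"))
    out = {"plaintext": user_decrypt(ct, ct_u_user, ct_a, ttp.identity_key("user-42"),
                                     aa.attribute_keys(policy), policy)}
    try:    # right attributes, wrong identity
        user_decrypt(ct, ct_u_user, ct_a, ttp.identity_key("user-99"), aa.attribute_keys(policy), policy)
        out["wrong_identity"] = "decrypted"
    except ValueError:
        out["wrong_identity"] = "rejected"
    try:    # right identity, one attribute missing
        user_decrypt(ct, ct_u_user, ct_a, ttp.identity_key("user-42"), aa.attribute_keys(["plant-A"]), policy)
        out["missing_attribute"] = "decrypted"
    except KeyError:
        out["missing_attribute"] = "rejected"
    return out
```

The authentication tag over CT is what turns a wrong identity key into a detectable failure rather than silent garbage; in the pairing-based scheme the same role is played by the decryption of $CT_U$ only succeeding for the designated $CK_{UAID}$.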
Application scenario 2
Seeing Fig. 1, Fig. 2, the System of Industrial Device Controls based on Internet of Things of an embodiment of this application scene includes Video surveillance devices 1, communication system 2, central monitoring center 3, Information Security Management System 4, customer mobile terminal 5, video are supervised Control display 6;Described video surveillance devices 1 is arranged according to industrial equipment position;Described communication system 2 includes multiple friendship Changing planes, described video surveillance devices 1 is connected with central monitoring center 3 by switch, and central monitoring center 3 passes through wireless network Connect customer mobile terminal 5 and video monitoring display 6;Described health center includes for monitoring industrial equipment health status Health status monitoring system;Described Information Security Management System 4 is for managing the information data relevant to industrial equipment, and protects Hinder the safety of described information data.
The above embodiment of the present invention achieves and monitors while multiple customer mobile terminal 5 and central monitoring center 3, can be by In real time operation of industrial installation is notified the mobile and management personnel of central monitoring center 3 and shows, it is achieved that thing The monitoring management of network type, thus solve above-mentioned technical problem.
Preferably, described central monitoring center 3 is also connected with the source of early warning for carrying out reporting to the police when industrial equipment exception 7。
This preferred embodiment adds the warning function of system, improves the safety of system.
Preferably, described customer mobile terminal 5 is connected by wireless network with described source of early warning 7.
This preferred embodiment is easy to customer mobile terminal 5 and is reported to the police, and further increases the safety of system.
Preferably, described Information Security Management System 4 includes information data service system 40, information data pretreatment system 41, cloud storage encrypting and deciphering system 42, control system 43 and security management center 44;Described information data service system 40 is used for bearing Blame the storage of information data, back up and inquire about;Described information data pretreatment system 41 is for entering the information data that need to maintain secrecy Row pretreatment;Described cloud storage encrypting and deciphering system 42 is used for the Information Number to maintaining secrecy of the access control safety strategy according to optimization According to being encrypted or deciphering;Described control system 43 is used for information data storing to corresponding storage device;Described bursting tube Reason center 44 is for carrying out unified monitoring management to each security of system.
This preferred embodiment constructs the system structure of Information Security Management System 4.
Preferably, the storage of described responsible information data, back up and inquire about, including:
(1) information data format is changed, set up and be applicable to the form that non-relation information data base carries out storing;
(2) information data is divided into basic information data and specialized information data, uses centralized and distributed combination Information data is stored by strategy, and during storage, all information datas all back up;Described centralized and distributed combination Strategy includes: using centralised storage for the basic information data higher than predeterminated frequency, by information data, administrative center unifies Safeguard, for the specialized information data acquisition distributed storage less than predeterminated frequency, each specialized information data center tie up respectively Protect;
(3) set up corresponding information data retrieval algorithm, information data is carried out quick-searching, described information data retrieval The mode that algorithm uses catalogue retrieval and search engine to combine is carried out, and specifically includes: set up information data catalogue, according to catalogue Information data is carried out preliminary search;Input key word at search engine, information data is carried out precise search;Search engine is pressed Find the information data of coupling according to certain mode, and be ranked up feeding back to according to the matching degree of information data with key word User.
This preferred embodiment uses the searching algorithm that catalogue retrieval and search engine combine, it is possible to obtain fast and accurately Information data.
Preferably, described each security of system is carried out unified monitoring management, including:
(1) for information data service system 40, information data pretreatment system 41, cloud storage encrypting and deciphering system 42, control The security protection that system 43 processed is different requires to take the safety protection technique of correspondence, is equipped with relevant safety protection equipment, is formed Complete security protection system;
(2) set up effective information data security strategy, the safety in information data storing, transmission, access process is entered Row considers, and is not only encrypted information data, is encrypted the host-host protocol of information data simultaneously;
(3) setting up virus and wooden horse defense mechanism, regular update virus base and upgrading fire wall, the update cycle is that T, T take The abnormal information data detected, for 6-10 days, will be analyzed, and send early warning by value.
This preferred embodiment achieves the management of the unified monitoring to each security of system.
Preferably, the information data preprocessing system 41 comprises an information data splitting unit, an information data extraction unit and an access control security policy optimization unit. The splitting unit divides the information data to be kept secret into multiple mutually exclusive information data sets. The extraction unit sorts each mutually exclusive set according to a user-defined ordering rule, extracts the first information data unit of each set in turn, and saves these units together with the ordering rule as the small information data block; mutual exclusion here means that no association exists between any two information data units in a set. The access control security policy optimization unit generates the system's access control security policy by a policy optimization method based on fine-grained resource partitioning, comprising:
(1) Based on the mutually exclusive information data sets produced by the extraction unit, build a hierarchical information data tree structure. The tree has three layers, a service layer, a logical layer and a physical layer: the service layer is the root node associated with the information data scheduling service, the logical layer holds the information data referenced by the access control security policy, and the physical layer contains the information data units of all mutually exclusive sets;
(2) Based on the access control security policy written in the eXtensible Access Control Markup Language (XACML) for information data of different security levels, project each rule of the policy onto the information data units of the mutually exclusive sets it is associated with, thereby refining the rules of the policy down to the information data dimension;
(3) Optimize the rules assigned to each information data unit of each mutually exclusive set, deleting the conflicting and redundant rules on each unit;
(4) Merge the optimized rules to generate the optimized access control security policy.
Preferably, storing the information data to the corresponding storage device comprises:
(1) Storing the small information data block in local storage and encrypting it with a user-defined encryption technique;
(2) Storing the remaining information data, after it has been encrypted by the cloud storage encryption/decryption system 42, in the cloud database of the central monitoring center 3; after the cloud database of the central monitoring center 3 receives the information data, the cloud verifies its integrity before saving it to a storage node.
The two preferred embodiments above configure the information data preprocessing system 41. The information data to be kept secret is first split and extracted, and the rules of the access control security policy are then refined, which reduces the physical storage the information data occupies, lowers the storage overhead, eliminates conflicts and redundancy in the access control security policy and improves the efficiency of access control decisions. The part extracted by the extraction process is stored locally, and the remaining information data is stored in the cloud database of the central monitoring center 3 under the corresponding access control security policy. This avoids the large overhead and cumbersome handling that conventional cloud storage privacy mechanisms based on simple encryption bring to day-to-day information data operations, effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with the user's private information data, and improves the security of storing information data that must be kept secret.
Preferably, the cloud storage encryption/decryption system 42 mainly consists of five entities: the information data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the information data to be kept secret comprises:
(1) The trusted third party assigns a user identity UAID to each user and an attribute authority identity AID to each attribute authority, comprising:
A. Initialization: the trusted third party initializes the system parameter, in which α is a random integer;
B. For each legitimate user, the trusted third party assigns a UAID and generates a certificate:
$\mathrm{Certificate}(UAID) = \hat{e}(H(UAID), g)^{C_{UAID}}$
At the same time it publishes the legitimate user's authentication parameter, where $C_{UAID} \in \mathbb{Z}_p$;
C. Generate identity key pairs for the information data owner and each legitimate user;
(2) Generate the identity-based encryption/decryption key, the attribute encryption/decryption key and the proxy re-encryption key, where the identity-based encryption/decryption key comprises the identity public key $GK_{UAID}$ and the identity private key $CK_{UAID}$, and the attribute encryption/decryption key comprises the attribute public key $GK_{AID}$ and the attribute private key $CK_{AID}$:
$GK_{UAID} = \hat{e}(g, g)^{\propto_{AID}}$
$GK_{AID} = \{\forall x \in AS_{AID} : GK_x = H(x)^{B_x \beta_{AID}}\}, \quad CK_{UAID} = (\propto_{AID}, \beta_{AID})$
$CK_{AID} = \left(K_0 = g^{\propto_{AID}} g^{\alpha\gamma},\ K_1 = g^{\alpha\gamma},\ \forall x \in AS_{UAID,AID} : K_x = H(x)^{B_x \beta_{AID} \gamma}\right)$
where $AS_{AID}$ is the attribute set that a single attribute authority may issue, $GK_x$ the public key of attribute x, $B_x$ the version number of attribute x, $\propto_{AID}$ the private key parameter of the attribute authority, $\beta_{AID}$ the attribute update parameter, $AS_{UAID,AID}$ the attribute set issued to the user identity by the attribute authority, and γ a parameter chosen at random by the attribute authority, with $\gamma, \propto_{AID}, \beta_{AID} \in \mathbb{Z}_p$;
(3) The cloud storage encryption/decryption system 42 encrypts the information data to be stored in the cloud database of the central monitoring center 3 with an information data key, obtaining the ciphertext CT, and then encrypts the information data key with the identity public key and with the attribute public key respectively, generating the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$, comprising:
A. Randomly generate two fixed-length strings IK and AK and concatenate them into the information data key DK:
$DK = IK \,\|\, AK$
B. Encrypt the information data to be stored in the cloud database of the central monitoring center 3 with the information data key DK to obtain the ciphertext CT; then encrypt AK with the attribute public key to generate the attribute key ciphertext $CT_A$, and encrypt IK with the identity public key to generate the identity key ciphertext $CT_U$;
(4) Proxy re-encryption: when the cloud receives a user's information data request, it uses the proxy re-encryption key to convert the identity key ciphertext $CT_U$ into a ciphertext that the designated user can decrypt; the proxy re-encryption key is computed from the information data owner's own private key and the identity public key;
(5) Decryption: after receiving the information data, the user decrypts the identity key ciphertext $CT_U$ with the identity private key $CK_{UAID}$ and the attribute key ciphertext $CT_A$ with the attribute private key $CK_{AID}$, reconstructs the information data key, and decrypts the ciphertext CT;
(6) Update the attribute and identity keys.
By providing the cloud storage encryption/decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for many types of information data while resisting collusion between users and the attribute authority. For the information data to be kept secret, an identity-based encryption/decryption key and an attribute encryption/decryption key are constructed separately and combined into the information data encryption key used to encrypt that data, so that only a user who satisfies both the identity condition and the attribute condition can decrypt, which greatly improves the security of the information security management system 4.
In this application scenario the update period T is taken as 7 days, and the security of the system improves by a relative 11%.
Application scenario 3
Referring to Fig. 1 and Fig. 2, the Internet-of-Things-based industrial equipment control system of an embodiment of this application scenario comprises video surveillance devices 1, a communication system 2, a central monitoring center 3, an information security management system 4, user mobile terminals 5 and a video monitoring display 6. The video surveillance devices 1 are arranged according to the positions of the industrial equipment. The communication system 2 comprises multiple switches; the video surveillance devices 1 are connected to the central monitoring center 3 through the switches, and the central monitoring center 3 connects to the user mobile terminals 5 and the video monitoring display 6 through a wireless network. The monitoring center includes a health status monitoring system for monitoring the health status of the industrial equipment. The information security management system 4 manages the information data related to the industrial equipment and safeguards the security of that information data.
The above embodiment of the invention achieves simultaneous monitoring by multiple user mobile terminals 5 and the central monitoring center 3: the real-time operation of the industrial equipment can be reported to mobile users and to the management personnel of the central monitoring center 3 and displayed, achieving Internet-of-Things-style monitoring and management and thus solving the technical problem stated above.
Preferably, the central monitoring center 3 is also connected to an early warning device 7 for raising an alarm when an industrial equipment anomaly occurs.
This preferred embodiment adds an alarm function to the system and improves its security.
Preferably, the user mobile terminals 5 are connected to the early warning device 7 through the wireless network.
This preferred embodiment makes it convenient for the user mobile terminals 5 to raise alarms and further improves the security of the system.
Preferably, the information security management system 4 comprises an information data service system 40, an information data preprocessing system 41, a cloud storage encryption/decryption system 42, a control system 43 and a security management center 44. The information data service system 40 is responsible for storing, backing up and querying the information data; the information data preprocessing system 41 preprocesses the information data to be kept secret; the cloud storage encryption/decryption system 42 encrypts or decrypts the information data to be kept secret according to the optimized access control security policy; the control system 43 stores the information data to the corresponding storage device; and the security management center 44 performs unified monitoring and management of the security of each subsystem.
This preferred embodiment constructs the system structure of the information security management system 4.
Preferably, storing, backing up and querying the information data comprises:
(1) Converting the format of the information data into a form suitable for storage in a non-relational information database;
(2) Dividing the information data into basic information data and specialized information data and storing it with a combined centralized and distributed strategy, backing up all information data during storage. The combined strategy is: basic information data accessed more often than a preset frequency is stored centrally and maintained uniformly by the information data administration center, while specialized information data accessed less often than the preset frequency is stored in a distributed manner and maintained separately by each specialized information data center;
(3) Establishing a corresponding information data retrieval algorithm so that information data can be retrieved quickly. The algorithm combines directory retrieval with a search engine: an information data directory is built and used for a preliminary search, and keywords entered into the search engine perform a precise search; the search engine finds the matching information data in a given manner, ranks it by how well it matches the keywords and returns it to the user.
This preferred embodiment uses a retrieval algorithm that combines directory retrieval with a search engine and can obtain information data quickly and accurately.
Preferably, unified monitoring and management of the security of each subsystem comprises:
(1) For the information data service system 40, the information data preprocessing system 41, the cloud storage encryption/decryption system 42 and the control system 43, adopt the protection techniques that match each subsystem's distinct security requirements and deploy the corresponding protection equipment, so that a complete security protection system is formed;
(2) Establish an effective information data security policy that accounts for security during the storage, transmission and access of information data, so that not only the information data itself but also the protocol carrying it is encrypted;
(3) Establish a virus and trojan defense mechanism: update the virus database and upgrade the firewall periodically with an update period T, where T is taken from 6 to 10 days; analyze any abnormal information data that is detected and raise an early warning.
This preferred embodiment achieves unified monitoring and management of the security of each subsystem.
Preferably, the information data preprocessing system 41 comprises an information data splitting unit, an information data extraction unit and an access control security policy optimization unit. The splitting unit divides the information data to be kept secret into multiple mutually exclusive information data sets. The extraction unit sorts each mutually exclusive set according to a user-defined ordering rule, extracts the first information data unit of each set in turn, and saves these units together with the ordering rule as the small information data block; mutual exclusion here means that no association exists between any two information data units in a set. The access control security policy optimization unit generates the system's access control security policy by a policy optimization method based on fine-grained resource partitioning, comprising:
(1) Based on the mutually exclusive information data sets produced by the extraction unit, build a hierarchical information data tree structure. The tree has three layers, a service layer, a logical layer and a physical layer: the service layer is the root node associated with the information data scheduling service, the logical layer holds the information data referenced by the access control security policy, and the physical layer contains the information data units of all mutually exclusive sets;
(2) Based on the access control security policy written in the eXtensible Access Control Markup Language (XACML) for information data of different security levels, project each rule of the policy onto the information data units of the mutually exclusive sets it is associated with, thereby refining the rules of the policy down to the information data dimension;
(3) Optimize the rules assigned to each information data unit of each mutually exclusive set, deleting the conflicting and redundant rules on each unit;
(4) Merge the optimized rules to generate the optimized access control security policy.
Preferably, storing the information data to the corresponding storage device comprises:
(1) Storing the small information data block in local storage and encrypting it with a user-defined encryption technique;
(2) Storing the remaining information data, after it has been encrypted by the cloud storage encryption/decryption system 42, in the cloud database of the central monitoring center 3; after the cloud database of the central monitoring center 3 receives the information data, the cloud verifies its integrity before saving it to a storage node.
The two preferred embodiments above configure the information data preprocessing system 41. The information data to be kept secret is first split and extracted, and the rules of the access control security policy are then refined, which reduces the physical storage the information data occupies, lowers the storage overhead, eliminates conflicts and redundancy in the access control security policy and improves the efficiency of access control decisions. The part extracted by the extraction process is stored locally, and the remaining information data is stored in the cloud database of the central monitoring center 3 under the corresponding access control security policy. This avoids the large overhead and cumbersome handling that conventional cloud storage privacy mechanisms based on simple encryption bring to day-to-day information data operations, effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with the user's private information data, and improves the security of storing information data that must be kept secret.
Preferably, the cloud storage encryption/decryption system 42 mainly consists of five entities: the information data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the information data to be kept secret comprises:
(1) The trusted third party assigns a user identity UAID to each user and an attribute authority identity AID to each attribute authority, comprising:
A. Initialization: the trusted third party initializes the system parameter, in which α is a random integer;
B. For each legitimate user, the trusted third party assigns a UAID and generates a certificate:
$\mathrm{Certificate}(UAID) = \hat{e}(H(UAID), g)^{C_{UAID}}$
At the same time it publishes the legitimate user's authentication parameter, where $C_{UAID} \in \mathbb{Z}_p$;
C. Generate identity key pairs for the information data owner and each legitimate user;
(2) Generate the identity-based encryption/decryption key, the attribute encryption/decryption key and the proxy re-encryption key, where the identity-based encryption/decryption key comprises the identity public key $GK_{UAID}$ and the identity private key $CK_{UAID}$, and the attribute encryption/decryption key comprises the attribute public key $GK_{AID}$ and the attribute private key $CK_{AID}$:
$GK_{UAID} = \hat{e}(g, g)^{\propto_{AID}}$
$GK_{AID} = \{\forall x \in AS_{AID} : GK_x = H(x)^{B_x \beta_{AID}}\}, \quad CK_{UAID} = (\propto_{AID}, \beta_{AID})$
$CK_{AID} = \left(K_0 = g^{\propto_{AID}} g^{\alpha\gamma},\ K_1 = g^{\alpha\gamma},\ \forall x \in AS_{UAID,AID} : K_x = H(x)^{B_x \beta_{AID} \gamma}\right)$
where $AS_{AID}$ is the attribute set that a single attribute authority may issue, $GK_x$ the public key of attribute x, $B_x$ the version number of attribute x, $\propto_{AID}$ the private key parameter of the attribute authority, $\beta_{AID}$ the attribute update parameter, $AS_{UAID,AID}$ the attribute set issued to the user identity by the attribute authority, and γ a parameter chosen at random by the attribute authority, with $\gamma, \propto_{AID}, \beta_{AID} \in \mathbb{Z}_p$;
(3) The cloud storage encryption/decryption system 42 encrypts the information data to be stored in the cloud database of the central monitoring center 3 with an information data key, obtaining the ciphertext CT, and then encrypts the information data key with the identity public key and with the attribute public key respectively, generating the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$, comprising:
A. Randomly generate two fixed-length strings IK and AK and concatenate them into the information data key DK:
$DK = IK \,\|\, AK$
B. Encrypt the information data to be stored in the cloud database of the central monitoring center 3 with the information data key DK to obtain the ciphertext CT; then encrypt AK with the attribute public key to generate the attribute key ciphertext $CT_A$, and encrypt IK with the identity public key to generate the identity key ciphertext $CT_U$;
(4) Proxy re-encryption: when the cloud receives a user's information data request, it uses the proxy re-encryption key to convert the identity key ciphertext $CT_U$ into a ciphertext that the designated user can decrypt; the proxy re-encryption key is computed from the information data owner's own private key and the identity public key;
(5) Decryption: after receiving the information data, the user decrypts the identity key ciphertext $CT_U$ with the identity private key $CK_{UAID}$ and the attribute key ciphertext $CT_A$ with the attribute private key $CK_{AID}$, reconstructs the information data key, and decrypts the ciphertext CT;
(6) Update the attribute and identity keys.
By providing the cloud storage encryption/decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for many types of information data while resisting collusion between users and the attribute authority. For the information data to be kept secret, an identity-based encryption/decryption key and an attribute encryption/decryption key are constructed separately and combined into the information data encryption key used to encrypt that data, so that only a user who satisfies both the identity condition and the attribute condition can decrypt, which greatly improves the security of the information security management system 4.
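The key structure of steps (3) to (6) above, as an added Go example that is not part of the patent text; the same description recurs in each application scenario, and this block serves all of them. DK = IK || AK encrypts the record, IK is wrapped under the identity key, AK under the attribute key, and the key update of step (6) rewraps only AK. AES-256-GCM stands in for the pairing-based identity and attribute encryption of the page, the proxy re-encryption of step (4) is not shown, the 16-byte lengths of IK and AK, the key names and the sample record are assumptions, and the keys in main are constructed stand-ins.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the stored record: CT is the data under DK = IK || AK, CTU is
// IK wrapped under the identity key, CTA is AK wrapped under the attribute key.
type Envelope struct{ CT, CTU, CTA []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal wraps plain under key with AES-256-GCM and returns nonce||ct.
func aeadSeal(key, plain []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// aeadOpen is the inverse; it fails on a wrong key or a damaged blob.
func aeadOpen(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("malformed key or ciphertext")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Encrypt is step (3): CT under DK, IK under the identity key, AK under the
// attribute key. GCM stands in for the page's pairing-based layers.
func Encrypt(data, idKey, attrKey []byte) (env Envelope, err error) {
	dk := make([]byte, 32) // DK = IK || AK, two random 16-byte halves
	if _, err = rand.Read(dk); err != nil {
		return
	}
	if env.CT, err = aeadSeal(dk, data); err != nil {
		return
	}
	if env.CTU, err = aeadSeal(idKey, dk[:16]); err != nil {
		return
	}
	env.CTA, err = aeadSeal(attrKey, dk[16:])
	return
}

// Decrypt is step (5): both halves of DK are needed, so one key is not enough.
func Decrypt(env Envelope, idKey, attrKey []byte) ([]byte, error) {
	ik, err := aeadOpen(idKey, env.CTU) // identity condition
	if err != nil {
		return nil, err
	}
	ak, err := aeadOpen(attrKey, env.CTA) // attribute condition
	if err != nil {
		return nil, err
	}
	return aeadOpen(append(ik, ak...), env.CT)
}

// RotateAttributeKey is the key update of step (6): only CTA is rewrapped,
// the bulk ciphertext CT is left untouched.
func RotateAttributeKey(env Envelope, oldKey, newKey []byte) (Envelope, error) {
	ak, err := aeadOpen(oldKey, env.CTA)
	if err != nil {
		return Envelope{}, err
	}
	env.CTA, err = aeadSeal(newKey, ak)
	return env, err
}

func main() {
	idKey, attrKey := make([]byte, 32), make([]byte, 32)
	copy(attrKey, "attribute-key-v1") // constructed, distinct stand-in keys
	env, err := Encrypt([]byte("pump-7 vibration 3.2 mm/s"), idKey, attrKey)
	if err != nil {
		panic(err)
	}
	_, oneKey := Decrypt(env, idKey, idKey)
	both, _ := Decrypt(env, idKey, attrKey)
	fmt.Printf("identity key alone: %v; both keys: %q\n", oneKey, both)
}
```

What the two-layer envelope buys shows up in the update step: rotating the attribute key, for instance after an attribute is revoked, rewraps 16 bytes of AK rather than re-encrypting the stored record, and a user whose attribute key was not updated loses access while the identity layer is unchanged. The stand-in keys here are plain symmetric keys, so the block demonstrates the structural guarantee only; the collusion resistance the text claims rests on the pairing-based construction, which the block does not reproduce.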
In this application scenario the update period T is taken as 8 days, and the security of the system improves by a relative 10%.
Application scenario 4
Referring to Fig. 1 and Fig. 2, the Internet-of-Things-based industrial equipment control system of an embodiment of this application scenario comprises video surveillance devices 1, a communication system 2, a central monitoring center 3, an information security management system 4, user mobile terminals 5 and a video monitoring display 6. The video surveillance devices 1 are arranged according to the positions of the industrial equipment. The communication system 2 comprises multiple switches; the video surveillance devices 1 are connected to the central monitoring center 3 through the switches, and the central monitoring center 3 connects to the user mobile terminals 5 and the video monitoring display 6 through a wireless network. The monitoring center includes a health status monitoring system for monitoring the health status of the industrial equipment. The information security management system 4 manages the information data related to the industrial equipment and safeguards the security of that information data.
The above embodiment of the invention achieves simultaneous monitoring by multiple user mobile terminals 5 and the central monitoring center 3: the real-time operation of the industrial equipment can be reported to mobile users and to the management personnel of the central monitoring center 3 and displayed, achieving Internet-of-Things-style monitoring and management and thus solving the technical problem stated above.
Preferably, the central monitoring center 3 is also connected to an early warning device 7 for raising an alarm when an industrial equipment anomaly occurs.
This preferred embodiment adds an alarm function to the system and improves its security.
Preferably, the user mobile terminals 5 are connected to the early warning device 7 through the wireless network.
This preferred embodiment makes it convenient for the user mobile terminals 5 to raise alarms and further improves the security of the system.
Preferably, the information security management system 4 comprises an information data service system 40, an information data preprocessing system 41, a cloud storage encryption/decryption system 42, a control system 43 and a security management center 44. The information data service system 40 is responsible for storing, backing up and querying the information data; the information data preprocessing system 41 preprocesses the information data to be kept secret; the cloud storage encryption/decryption system 42 encrypts or decrypts the information data to be kept secret according to the optimized access control security policy; the control system 43 stores the information data to the corresponding storage device; and the security management center 44 performs unified monitoring and management of the security of each subsystem.
This preferred embodiment constructs the system structure of the information security management system 4.
Preferably, storing, backing up and querying the information data comprises:
(1) Converting the format of the information data into a form suitable for storage in a non-relational information database;
(2) Dividing the information data into basic information data and specialized information data and storing it with a combined centralized and distributed strategy, backing up all information data during storage. The combined strategy is: basic information data accessed more often than a preset frequency is stored centrally and maintained uniformly by the information data administration center, while specialized information data accessed less often than the preset frequency is stored in a distributed manner and maintained separately by each specialized information data center;
(3) Establishing a corresponding information data retrieval algorithm so that information data can be retrieved quickly. The algorithm combines directory retrieval with a search engine: an information data directory is built and used for a preliminary search, and keywords entered into the search engine perform a precise search; the search engine finds the matching information data in a given manner, ranks it by how well it matches the keywords and returns it to the user.
This preferred embodiment uses a retrieval algorithm that combines directory retrieval with a search engine and can obtain information data quickly and accurately.
Preferably, unified monitoring and management of the security of each subsystem comprises:
(1) For the information data service system 40, the information data preprocessing system 41, the cloud storage encryption/decryption system 42 and the control system 43, adopt the protection techniques that match each subsystem's distinct security requirements and deploy the corresponding protection equipment, so that a complete security protection system is formed;
(2) Establish an effective information data security policy that accounts for security during the storage, transmission and access of information data, so that not only the information data itself but also the protocol carrying it is encrypted;
(3) Establish a virus and trojan defense mechanism: update the virus database and upgrade the firewall periodically with an update period T, where T is taken from 6 to 10 days; analyze any abnormal information data that is detected and raise an early warning.
This preferred embodiment achieves unified monitoring and management of the security of each subsystem.
Preferably, the information data preprocessing system 41 comprises an information data splitting unit, an information data extraction unit and an access control security policy optimization unit. The splitting unit divides the information data to be kept secret into multiple mutually exclusive information data sets. The extraction unit sorts each mutually exclusive set according to a user-defined ordering rule, extracts the first information data unit of each set in turn, and saves these units together with the ordering rule as the small information data block; mutual exclusion here means that no association exists between any two information data units in a set. The access control security policy optimization unit generates the system's access control security policy by a policy optimization method based on fine-grained resource partitioning, comprising:
(1) Based on the mutually exclusive information data sets produced by the extraction unit, build a hierarchical information data tree structure. The tree has three layers, a service layer, a logical layer and a physical layer: the service layer is the root node associated with the information data scheduling service, the logical layer holds the information data referenced by the access control security policy, and the physical layer contains the information data units of all mutually exclusive sets;
(2) Based on the access control security policy written in the eXtensible Access Control Markup Language (XACML) for information data of different security levels, project each rule of the policy onto the information data units of the mutually exclusive sets it is associated with, thereby refining the rules of the policy down to the information data dimension;
(3) Optimize the rules assigned to each information data unit of each mutually exclusive set, deleting the conflicting and redundant rules on each unit;
(4) Merge the optimized rules to generate the optimized access control security policy.
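Steps (1) to (4) of the policy optimization unit, as an added Go example that is not the patent's own code; the same procedure is described in each application scenario above, and this block serves all of them. The policy is kept as plain Go structs rather than XACML XML, the logical-to-physical mapping of the tree, the subjects, actions and data unit names are constructed, and resolving a conflict with deny-overrides is an assumption, since the text only says that conflicting rules are deleted.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

type Effect string

const (
	Permit Effect = "Permit"
	Deny   Effect = "Deny"
)

// Rule is one policy rule; Target names a logical node or a single data unit.
type Rule struct {
	Subject, Action string
	Effect          Effect
	Target          string
}

// Project refines every rule to the data-unit dimension (step 2). logical maps
// each logical-layer node to the physical-layer data units it covers.
func Project(logical map[string][]string, rules []Rule) map[string][]Rule {
	out := map[string][]Rule{}
	for _, r := range rules {
		units, ok := logical[r.Target]
		if !ok {
			units = []string{r.Target} // target already names a data unit
		}
		for _, u := range units {
			out[u] = append(out[u], Rule{r.Subject, r.Action, r.Effect, u})
		}
	}
	return out
}

// Optimize drops redundant duplicates and resolves conflicts per unit (step 3),
// returning the counts removed. The text only says conflicts are deleted; using
// deny-overrides, the conservative XACML combining algorithm, is an assumption.
func Optimize(perUnit map[string][]Rule) (map[string][]Rule, int, int) {
	redundant, conflicts := 0, 0
	out := map[string][]Rule{}
	for unit, rs := range perUnit {
		effects := map[[2]string]Effect{}
		for _, r := range rs {
			k := [2]string{r.Subject, r.Action}
			if prev, seen := effects[k]; !seen {
				effects[k] = r.Effect
			} else if prev == r.Effect {
				redundant++
			} else {
				conflicts++
				effects[k] = Deny
			}
		}
		for k, e := range effects {
			out[unit] = append(out[unit], Rule{k[0], k[1], e, unit})
		}
	}
	return out, redundant, conflicts
}

// Merge regroups identical per-unit decisions into one rule per decision whose
// target is the sorted list of units it applies to (step 4).
func Merge(opt map[string][]Rule) []Rule {
	byRule := map[Rule][]string{}
	for unit, rs := range opt {
		for _, r := range rs {
			r.Target = ""
			byRule[r] = append(byRule[r], unit)
		}
	}
	var merged []Rule
	for r, units := range byRule {
		sort.Strings(units)
		r.Target = strings.Join(units, ",")
		merged = append(merged, r)
	}
	key := func(r Rule) string { return r.Subject + r.Action + r.Target }
	sort.Slice(merged, func(i, j int) bool { return key(merged[i]) < key(merged[j]) })
	return merged
}

// OptimizedPolicy runs steps 2-4 on constructed input: two logical nodes and a
// policy holding one redundant and one conflicting rule.
func OptimizedPolicy() ([]Rule, int, int) {
	logical := map[string][]string{"plc_telemetry": {"u1", "u2"}, "video_meta": {"u3"}}
	rules := []Rule{
		{"operator", "read", Permit, "plc_telemetry"},
		{"operator", "read", Permit, "u1"}, // redundant on u1
		{"operator", "write", Permit, "plc_telemetry"},
		{"operator", "write", Deny, "u2"}, // conflicts on u2 with the rule above
		{"auditor", "read", Permit, "video_meta"},
	}
	opt, red, conf := Optimize(Project(logical, rules))
	return Merge(opt), red, conf
}

func main() {
	merged, red, conf := OptimizedPolicy()
	fmt.Printf("removed %d redundant, resolved %d conflicting: %+v\n", red, conf, merged)
}
```

The projection is what makes the conflict visible at all: on the logical node "plc_telemetry" the write rule reads as a plain Permit, and only after refinement to unit u2 does it meet the unit-level Deny. Deny-overrides is the safe default for an industrial data set; a deployment that resolves conflicts the other way should state that choice in the policy itself rather than in the optimizer.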
Preferably, storing the information data to the corresponding storage device comprises:
(1) Storing the small information data block in local storage and encrypting it with a user-defined encryption technique;
(2) Storing the remaining information data, after it has been encrypted by the cloud storage encryption/decryption system 42, in the cloud database of the central monitoring center 3; after the cloud database of the central monitoring center 3 receives the information data, the cloud verifies its integrity before saving it to a storage node.
The two preferred embodiments above configure the information data preprocessing system 41. The information data to be kept secret is first split and extracted, and the rules of the access control security policy are then refined, which reduces the physical storage the information data occupies, lowers the storage overhead, eliminates conflicts and redundancy in the access control security policy and improves the efficiency of access control decisions. The part extracted by the extraction process is stored locally, and the remaining information data is stored in the cloud database of the central monitoring center 3 under the corresponding access control security policy. This avoids the large overhead and cumbersome handling that conventional cloud storage privacy mechanisms based on simple encryption bring to day-to-day information data operations, effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with the user's private information data, and improves the security of storing information data that must be kept secret.
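The splitting and extraction performed by the preprocessing system 41 together with storage steps (1) and (2), as an added Go example that is not the patent's own code; the same description appears in each application scenario, and this block serves all of them. The round-robin partitioning, the "desc-id" ordering rule and the six-unit record are constructed. The blob sent to the cloud is the serialized remainder, standing in for the ciphertext that the cloud storage encryption/decryption system 42 would produce, and the cloud-side integrity check is a SHA-256 digest recomputed over that blob; the encryption of the small local block is left out.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Unit is one information data unit of the record to be kept secret.
type Unit struct {
	ID   int
	Data string
}

// Split partitions the units into k disjoint sets (round-robin, an assumed rule).
func Split(units []Unit, k int) [][]Unit {
	sets := make([][]Unit, k)
	for i, u := range units {
		sets[i%k] = append(sets[i%k], u)
	}
	return sets
}

// LocalBlock is the small block kept locally: each set's head plus the rule used.
type LocalBlock struct {
	Rule  string
	Heads []Unit
}

// Extract sorts each set by the custom rule (assumed: "desc-id" orders by
// descending ID, anything else ascending) and moves each set's head out.
func Extract(sets [][]Unit, rule string) (LocalBlock, []Unit) {
	lb := LocalBlock{Rule: rule}
	var rest []Unit
	for _, s := range sets {
		sort.Slice(s, func(i, j int) bool {
			if rule == "desc-id" {
				return s[i].ID > s[j].ID
			}
			return s[i].ID < s[j].ID
		})
		lb.Heads = append(lb.Heads, s[0])
		rest = append(rest, s[1:]...)
	}
	return lb, rest
}

// Upload is what reaches the cloud database: an opaque blob (here the serialized
// remainder, in the real system the ciphertext from system 42) plus its digest.
type Upload struct {
	Blob, Digest []byte
}

func Pack(rest []Unit) Upload {
	blob, _ := json.Marshal(rest)
	sum := sha256.Sum256(blob)
	return Upload{blob, sum[:]}
}

// CloudStore is the cloud-side integrity check: a damaged upload is refused.
func CloudStore(u Upload) error {
	sum := sha256.Sum256(u.Blob)
	if !bytes.Equal(sum[:], u.Digest) {
		return errors.New("integrity check failed: upload rejected")
	}
	return nil
}

// Reassemble recombines the local block with the cloud copy, which alone is incomplete.
func Reassemble(lb LocalBlock, u Upload) ([]Unit, error) {
	var rest []Unit
	if err := json.Unmarshal(u.Blob, &rest); err != nil {
		return nil, err
	}
	all := append(append([]Unit(nil), lb.Heads...), rest...)
	sort.Slice(all, func(i, j int) bool { return all[i].ID < all[j].ID })
	return all, nil
}

// Demo runs the pipeline on a constructed six-unit record.
func Demo() (heads int, lossless, tamperRejected bool) {
	var units []Unit
	for i := 1; i <= 6; i++ {
		units = append(units, Unit{i, fmt.Sprintf("reading-%d", i)})
	}
	lb, rest := Extract(Split(units, 3), "desc-id")
	up := Pack(rest)
	got, err := Reassemble(lb, up)
	lossless = CloudStore(up) == nil && err == nil && fmt.Sprint(got) == fmt.Sprint(units)
	bad := Upload{append([]byte(nil), up.Blob...), up.Digest}
	bad.Blob[0] ^= 1 // corruption in transit
	return len(lb.Heads), lossless, CloudStore(bad) != nil
}

func main() {
	fmt.Println(Demo())
}
```

The digest lets the cloud refuse a damaged upload before it reaches a storage node, which is all the text asks of the check; it is not an authenticity check, since whoever can alter the blob in transit can also recompute an unkeyed digest, so the owner should still verify on read, for example through the authentication tag of the cipher that system 42 uses for the remainder.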
Preferably, described cloud storage encrypting and deciphering system 42 mainly by information data owner, attribute mechanism, cloud, credible three Side, five entities of user are constituted, and the described information data to maintaining secrecy is encrypted or deciphers, including:
(1) credible tripartite is respectively allocated User Identity UAID and attribute authority identity mark for user and attribute mechanism AID, including:
A, initializing, credible tripartite's initialization system parameter isWherein α is random integers;
B, for each validated user, credible tripartite distributes UAID and Generates Certificate for it:
C e r t i f i c a t e ( U A I D ) = E ^ ( H ( U A I D ) , g ) C U A I D
Meanwhile, the authentication parameter of validated user is announcedWherein, CUAID∈ZP
C, generate identity key pair for information data owner and validated user;
(2) generate the encryption and decryption key of identity-based, attribute encryption and decryption key and act on behalf of re-encrypted private key, wherein said The encryption and decryption key of identity-based includes identity public key GKUAIDWith identity private key CKUAID, described attribute encryption and decryption key includes belonging to Property PKI GKAIDWith attribute private key CKAID:
GK U A I D = E ^ ( g , g ) ∝ A I D
GK A I D = { ∀ x ∈ AS A I D : GK x = H ( x ) B x β A I D } CK U A I D = ( ∝ A I D , β A I D )
CK A I D = ( K 0 = g ∝ A I D g α γ , K 1 = g α γ , ∀ x ∈ AS U A I D , A I D : K x = H ( x ) B x β A I D γ )
Wherein, ASAIDThe community set that can distribute for single attribute mechanism, GKxFor the PKI of attribute x, BxFor attribute x's Version number, ∝AIDFor the private key parameter of attribute mechanism, βAIDFor attribute undated parameter, ASUAID,AIDFor the identity according to attribute mechanism The community set of distribution, γ is the parameter that attribute mechanism randomly chooses, γ, ∝AIDAID∈ZP
(3) cloud storage encrypting and deciphering system 42 utilizes information data double secret key need to store the cloud data of central monitoring center 3 The information data in storehouse carries out information data encryption, obtains ciphertext CT, is then utilized respectively identity public key and attribute PKI to information Data key is encrypted, and generates identity key ciphertext CTUWith attribute key ciphertext CTA, including:
A, character string IK of two regular lengths of stochastic generation, AK, merge and generate information data key DK:
DK=IK | | AK
B, the information data of the information data key DK cloud data base to central monitoring center 3 need to be stored is utilized to carry out letter Breath data encryption, after obtaining ciphertext CT, utilizes attribute PKI to encrypt AK, generates attribute key ciphertext CTA, utilize identity public key IK is encrypted, generates identity key ciphertext CTU
(4) carrying out acting on behalf of re-encryption, when receiving the formation data request of user, cloud utilizes and acts on behalf of re-encrypted private key by body Part key ciphertext CTUBeing converted into the ciphertext specifying user to decipher, wherein said re-encrypted private key of acting on behalf of is had by information data Person's own private key and identity public key calculate and generate;
(5), when carrying out information data decryption, after user receives information data, it is utilized respectively identity private key CKUAIDAnd attribute Private key CKAIDDecryption identity key ciphertext CTUWith attribute key ciphertext CTA, then reconfiguration information data key, decrypting ciphertext CT;
(6) renewal of attribute and identity key is carried out.
This preferred embodiment is by arranging cloud storage encrypting and deciphering system 42, it is possible to realize thin to eurypalynous information data Granularity accesses and controls and secret protection, resists user and the collusion of attribute mechanism simultaneously;To the information data that need to maintain secrecy, construct respectively The encryption and decryption key of identity-based, attribute encryption and decryption key, merge configuration information data encryption key and carry out this information data Encryption, thus the user only simultaneously meeting identity and attribute double condition can decipher, and greatly improves information security management The security performance of system 4.
In this application scenarios, update cycle T takes 9, and the safety of system improves 9% relatively.
Application scenario 5
Referring to Fig. 1 and Fig. 2, the Internet-of-Things-based industrial equipment control system of one embodiment of this application scenario includes video surveillance devices 1, a communication system 2, a central monitoring center 3, an Information Security Management System 4, user mobile terminals 5 and a video monitoring display 6. The video surveillance devices 1 are arranged according to the positions of the industrial equipment. The communication system 2 includes multiple switches; the video surveillance devices 1 are connected to the central monitoring center 3 through the switches, and the central monitoring center 3 connects to the user mobile terminals 5 and the video monitoring display 6 through a wireless network. The central monitoring center includes a health status monitoring system for monitoring the health status of the industrial equipment. The Information Security Management System 4 manages the information data relating to the industrial equipment and ensures the security of that information data.
The above embodiment of the present invention achieves simultaneous monitoring by multiple user mobile terminals 5 and the central monitoring center 3; the real-time operation of the industrial equipment can be reported to the mobile terminals and to the management personnel of the central monitoring center 3 and displayed, realizing Internet-of-Things-style monitoring and management and thus solving the technical problem described above.
Preferably, the central monitoring center 3 is also connected to an alarm device 7 for raising an alarm when the industrial equipment is abnormal.
This preferred embodiment adds an alarm function to the system and improves its safety.
Preferably, the user mobile terminals 5 are connected to the alarm device 7 through the wireless network.
This preferred embodiment lets the user mobile terminals 5 receive alarms, further improving the safety of the system.
Preferably, the Information Security Management System 4 includes an information data service system 40, an information data preprocessing system 41, a cloud storage encryption/decryption system 42, a control system 43 and a security management center 44. The information data service system 40 is responsible for the storage, backup and querying of information data; the information data preprocessing system 41 preprocesses the information data that needs to be kept confidential; the cloud storage encryption/decryption system 42 encrypts or decrypts the confidential information data according to the optimized access control security policy; the control system 43 stores the information data to the corresponding storage device; and the security management center 44 performs unified monitoring and management of the security of each system.
This preferred embodiment constructs the system structure of the Information Security Management System 4.
Preferably, the storage, backup and querying of information data includes:
(1) converting the information data format and establishing a format suitable for storage in a non-relational information database;
(2) dividing the information data into basic information data and specialized information data and storing it with a combined centralized and distributed strategy, with all information data backed up during storage; the combined centralized and distributed strategy is: basic information data accessed more often than a preset frequency uses centralized storage and is maintained uniformly by the information data management center, while specialized information data accessed less often than the preset frequency uses distributed storage and is maintained separately by each specialized information data center;
(3) establishing a corresponding information data retrieval algorithm for fast retrieval of information data; the retrieval algorithm combines directory retrieval with a search engine: an information data directory is built and used for a preliminary search; keywords are then entered into the search engine for a precise search; the search engine finds matching information data in a defined manner and ranks the results by how well they match the keywords before returning them to the user.
This preferred embodiment uses a retrieval algorithm combining directory retrieval and a search engine, and can obtain information data quickly and accurately.
Preferably, the unified monitoring and management of the security of each system includes:
(1) adopting the corresponding protection techniques and deploying the relevant protection equipment for the differing security protection requirements of the information data service system 40, the information data preprocessing system 41, the cloud storage encryption/decryption system 42 and the control system 43, forming a complete security protection system;
(2) establishing an effective information data security policy that considers the security of information data during storage, transmission and access, encrypting not only the information data itself but also the transmission protocol used for it;
(3) establishing a virus and Trojan defense mechanism, regularly updating the virus database and upgrading the firewall with an update cycle T of 6 to 10 days, analyzing any abnormal information data detected and issuing an early warning.
This preferred embodiment achieves unified monitoring and management of the security of each system.
Preferably, the information data preprocessing system 41 includes an information data splitting unit, an information data extraction unit and an access control security policy optimization unit. The information data splitting unit divides the confidential information data into multiple mutually exclusive information data sets; the information data extraction unit sorts each mutually exclusive information data set according to a user-defined ordering rule, extracts the first information data unit of each set in turn, and saves these together with the ordering rule as the small-block information data, where mutual exclusion means that no association exists between any two information data units in the sets. The access control security policy optimization unit generates the system's access control security policy by an access control security policy optimization method based on fine-grained resource partitioning, including:
(1) building a hierarchical information data tree structure from the mutually exclusive information data sets produced by the information data extraction unit; the hierarchical information data tree has three layers, a service layer, a logical layer and a physical layer, where the service layer is the root node associated with the information data scheduling service, the logical layer holds the information data associated in the access control security policy, and the physical layer contains the information data units of all the mutually exclusive information data sets;
(2) formulating access control security policies for information data of different security levels based on the eXtensible Access Control Markup Language (XACML), and projecting the rules associated with the information data in the access control security policy onto the information data units of the mutually exclusive information data sets, thereby refining the rules of the access control security policy to the information data dimension;
(3) optimizing the rules on the information data units of each mutually exclusive information data set to remove conflicts and redundancy among the rules assigned to each information data unit;
(4) merging the optimized rules to generate the optimized access control security policy.
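Steps (1) to (4) above, modelled as an added example that is not the patent's own code. The physical-layer units, the logical-layer groups, the XACML-style rules and the sample policy are all constructed here; the patent does not fix a rule format or say which effect wins when a Permit and a Deny collide on the same unit, so this example assumes XACML's deny-overrides combining behaviour.

```python
"""Added example (not from the patent): project XACML-style rules onto the
information data units of the physical layer, remove redundant and
conflicting rules per unit, then merge the result back into a policy.

Assumptions not stated on the page: a rule is a (subject, target, action,
effect) tuple, the logical layer maps a target name to physical units, and
Permit/Deny conflicts are resolved with deny-overrides.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Rule = Tuple[str, str, str, str]  # (subject, target, action, effect)

# Constructed sample tree. Physical layer: units from the mutually exclusive sets.
PHYSICAL_UNITS = ["setpoint", "firmware", "operator", "site", "shift"]
# Logical layer: associations the policy refers to (a target may name a group).
LOGICAL_LAYER = {
    "process_params": ["setpoint", "firmware"],
    "staff_data": ["operator", "shift"],
    "all": PHYSICAL_UNITS,
}

# Constructed sample policy with one redundancy and one conflict built in.
POLICY: List[Rule] = [
    ("engineer", "process_params", "read", "Permit"),
    ("engineer", "setpoint", "read", "Permit"),   # redundant: covered by the rule above
    ("operator", "all", "read", "Permit"),
    ("operator", "staff_data", "read", "Deny"),   # conflicts with "all" on operator/shift
    ("auditor", "all", "read", "Permit"),
    ("auditor", "all", "read", "Permit"),         # exact duplicate
]


def project_rules(policy, logical_layer, physical_units):
    """Step (2): refine every rule down to the data-unit dimension."""
    per_unit: Dict[str, List[Tuple[str, str, str]]] = {u: [] for u in physical_units}
    for subject, target, action, effect in policy:
        for unit in logical_layer.get(target, [target]):
            if unit not in per_unit:
                raise KeyError(f"target {unit!r} is not a physical-layer unit")
            per_unit[unit].append((subject, action, effect))
    return per_unit


def optimize_unit_rules(rules, conflict_resolution="deny-overrides"):
    """Step (3): collapse duplicates and resolve Permit/Deny conflicts on one unit."""
    effects_by_key = defaultdict(set)
    for subject, action, effect in rules:
        effects_by_key[(subject, action)].add(effect)   # the set drops redundancy
    optimized = []
    for (subject, action), effects in sorted(effects_by_key.items()):
        if len(effects) == 1:
            effect = next(iter(effects))
        elif conflict_resolution == "deny-overrides":
            effect = "Deny"
        else:
            effect = "Permit"
        optimized.append((subject, action, effect))
    return optimized


def merge_rules(per_unit_optimized):
    """Step (4): one rule per (subject, action, effect), over the units it governs."""
    merged = defaultdict(set)
    for unit, rules in per_unit_optimized.items():
        for subject, action, effect in rules:
            merged[(subject, action, effect)].add(unit)
    return {key: frozenset(units) for key, units in merged.items()}


def optimize_policy(policy=POLICY, logical_layer=LOGICAL_LAYER, physical_units=PHYSICAL_UNITS):
    per_unit = project_rules(policy, logical_layer, physical_units)
    optimized = {unit: optimize_unit_rules(rules) for unit, rules in per_unit.items()}
    return merge_rules(optimized)


if __name__ == "__main__":
    for (subject, action, effect), units in sorted(optimize_policy().items()):
        print(f"{subject:9s} {action:5s} {effect:6s} on {sorted(units)}")
```

On the constructed policy the six input rules reduce to four: the duplicate auditor rule and the engineer rule already implied by the group rule disappear, and the operator's Permit-on-everything is overridden by Deny on the two staff_data units only, so the decision on each unit is unambiguous.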
Preferably, storing the information data to the corresponding storage device includes:
(1) storing the small-block information data in local storage and encrypting it with a user-defined encryption technique;
(2) encrypting the remaining information data with the cloud storage encryption/decryption system 42 and storing it in the cloud database of the central monitoring center 3; after the cloud database of the central monitoring center 3 receives the information data, the cloud performs an integrity check on it before saving it to a storage node.
The two preferred embodiments above construct the information data preprocessing system 41. The information data that needs to be kept confidential is first split and then subjected to extraction, after which the rules of the access control security policy are refined. This reduces the physical storage footprint of the information data and the cost of storage, eliminates conflicts and redundancy in the access control security policy, and improves access control decision efficiency. The part extracted by the information data extraction step is stored in local storage, while the remaining information data is stored in the cloud database of the central monitoring center 3 after the corresponding access control security policy has been set. This avoids the large overhead and complexity that conventional cloud storage privacy mechanisms based on simple encryption incur during actual data operations, effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with users' private information data, and improves the security of confidential information data storage.
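The split, extract and store procedure of the information data splitting unit, the extraction unit and the control system 43, as an added example that is not the patent's own code. The sample record, the choice of round-robin field grouping as the "mutually exclusive sets", the use of sorting by field name as the user-defined ordering rule, and SHA-256 as the cloud's integrity check are all assumptions made here; the patent names none of them, and the encryption of the two parts is left out so the example shows only what each party ends up holding.

```python
"""Added example (not from the patent): split a confidential record into
mutually exclusive sets, pull the first unit of each set into the local
"small block", hand the remainder to a cloud store that verifies integrity
before saving, and reassemble.

Assumptions not stated on the page: a record is a dict of fields, sets are
formed round-robin, the ordering rule is sorted(), the integrity check is
SHA-256 over the canonical JSON of the remainder.
"""
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed sample: one confidential record about an industrial device.
SAMPLE_RECORD = {
    "device_id": "PLC-07",
    "operator": "alice",
    "shift": "night",
    "setpoint": 71.5,
    "firmware": "2.3.1",
    "site": "plant-B",
}


def split_into_mutually_exclusive_sets(record: Dict, n_sets: int) -> List[Dict]:
    """Splitting unit: round-robin the fields into n disjoint sets.
    No field lands in two sets, so the sets are mutually exclusive."""
    sets: List[Dict] = [{} for _ in range(n_sets)]
    for i, (key, value) in enumerate(record.items()):
        sets[i % n_sets][key] = value
    return sets


def extract_small_block(sets: List[Dict], ordering_rule=sorted) -> Tuple[Dict, List[Dict]]:
    """Extraction unit: order each set with the rule, take its first unit out.
    The small block keeps the rule's name so the units can be put back."""
    small_block = {"ordering_rule": ordering_rule.__name__, "first_units": []}
    remainder = []
    for s in sets:
        ordered_keys = list(ordering_rule(s.keys()))
        first = ordered_keys[0]
        small_block["first_units"].append((first, s[first]))
        remainder.append({k: s[k] for k in ordered_keys[1:]})
    return small_block, remainder


def integrity_tag(remainder: List[Dict]) -> str:
    """Tag sent along with the remainder; canonical JSON so both sides agree."""
    return hashlib.sha256(json.dumps(remainder, sort_keys=True).encode()).hexdigest()


def cloud_store(remainder: List[Dict], tag: str) -> bytes:
    """Model of the cloud database: recompute the tag and refuse to save on mismatch."""
    payload = json.dumps(remainder, sort_keys=True).encode()
    if hashlib.sha256(payload).hexdigest() != tag:
        raise ValueError("integrity check failed; not saved to storage node")
    return payload  # what the storage node keeps


def reassemble(small_block: Dict, remainder: List[Dict]) -> Dict:
    """Owner side: put each extracted first unit back in front of its set."""
    merged: Dict = {}
    for (key, value), part in zip(small_block["first_units"], remainder):
        merged[key] = value
        merged.update(part)
    return merged


def round_trip(record: Dict = SAMPLE_RECORD, n_sets: int = 3) -> Tuple[Dict, Dict]:
    sets = split_into_mutually_exclusive_sets(record, n_sets)
    small_block, remainder = extract_small_block(sets)
    stored = cloud_store(remainder, integrity_tag(remainder))
    restored = reassemble(small_block, json.loads(stored))
    return small_block, restored


def tamper_is_detected(remainder: List[Dict], tag: str) -> bool:
    """Alter the remainder in transit and check that the cloud refuses it."""
    tampered = json.loads(json.dumps(remainder))
    tampered[0] = {**tampered[0], "injected": True}
    try:
        cloud_store(tampered, tag)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    block, restored = round_trip()
    print("local small block:", block)
    print("restored == original:", restored == SAMPLE_RECORD)
```

With three sets the cloud receives only half of the fields and none of the first units, so the remainder alone does not reconstruct the record; the local small block and the remainder together do, and a modified remainder is refused before it reaches a storage node.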
Preferably, the cloud storage encryption/decryption system 42 consists mainly of five entities: the information data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the confidential information data includes:
(1) the trusted third party assigns a user identity UAID to each user and an attribute authority identity AID to each attribute authority, including:
A. initialization: the trusted third party initializes the system parameters, where α is a random integer;
B. for each legitimate user, the trusted third party assigns a UAID and generates a certificate:
$\mathrm{Certificate}(UAID) = \hat{e}(H(UAID), g)^{C_{UAID}}$
At the same time, the authentication parameter of the legitimate user is published, where $C_{UAID} \in Z_P$;
C. generating identity key pairs for the information data owner and the legitimate users;
(2) generating the identity-based encryption/decryption keys, the attribute encryption/decryption keys and the proxy re-encryption key, where the identity-based encryption/decryption keys comprise the identity public key $GK_{UAID}$ and the identity private key $CK_{UAID}$, and the attribute encryption/decryption keys comprise the attribute public key $GK_{AID}$ and the attribute private key $CK_{AID}$:
$GK_{UAID} = \hat{e}(g, g)^{\propto_{AID}}$
$GK_{AID} = \{\forall x \in AS_{AID} : GK_x = H(x)^{B_x \beta_{AID}}\}, \quad CK_{UAID} = (\propto_{AID}, \beta_{AID})$
$CK_{AID} = \left(K_0 = g^{\propto_{AID}} g^{\alpha\gamma},\; K_1 = g^{\alpha\gamma},\; \forall x \in AS_{UAID,AID} : K_x = H(x)^{B_x \beta_{AID} \gamma}\right)$
where $AS_{AID}$ is the set of attributes a single attribute authority can distribute, $GK_x$ is the public key of attribute x, $B_x$ is the version number of attribute x, $\propto_{AID}$ is the private key parameter of the attribute authority, $\beta_{AID}$ is the attribute update parameter, $AS_{UAID,AID}$ is the attribute set assigned by the attribute authority according to the identity, γ is a parameter chosen at random by the attribute authority, and $\gamma, \propto_{AID}, \beta_{AID} \in Z_P$;
(3) the cloud storage encryption/decryption system 42 encrypts the information data to be stored in the cloud database of the central monitoring center 3 with an information data key, obtaining the ciphertext CT; it then encrypts the information data key with the identity public key and with the attribute public key respectively, generating the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$, including:
A. randomly generating two fixed-length strings IK and AK and concatenating them to form the information data key DK:
DK = IK || AK
B. encrypting the information data to be stored in the cloud database of the central monitoring center 3 with the information data key DK to obtain the ciphertext CT; then encrypting AK with the attribute public key to generate the attribute key ciphertext $CT_A$, and encrypting IK with the identity public key to generate the identity key ciphertext $CT_U$;
(4) proxy re-encryption: upon receiving a user's information data request, the cloud uses the proxy re-encryption key to convert the identity key ciphertext $CT_U$ into a ciphertext that the designated user can decrypt, where the proxy re-encryption key is computed from the information data owner's own private key and the identity public key;
(5) information data decryption: after receiving the information data, the user decrypts the identity key ciphertext $CT_U$ with the identity private key $CK_{UAID}$ and the attribute key ciphertext $CT_A$ with the attribute private key $CK_{AID}$, reconstructs the information data key and decrypts the ciphertext CT;
(6) updating the attribute and identity keys.
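The key-splitting structure of steps (3) and (5), DK = IK || AK with IK wrapped under the identity key and AK under the attribute key, as an added example that is not the patent's own code. The pairing-based identity and attribute encryption of steps (1) and (2) is not implemented here; two symmetric wrapping keys stand in for "what only the identity holder can open" and "what only a holder of the right attributes can open", and the cipher is a constructed HMAC-SHA256 keystream with an authentication tag so that a wrong half-key is detected rather than yielding garbage. Proxy re-encryption (step 4) and key update (step 6) are outside this example. The keys, record and party names are all constructed.

```python
"""Added example (not from the patent): the double-condition key split of the
cloud storage encryption/decryption system 42. Decryption needs both the
identity key ciphertext CT_U and the attribute key ciphertext CT_A, so a
user who satisfies only one of the two conditions recovers nothing.

Assumptions not stated on the page: identity/attribute public-key encryption
is replaced by symmetric wrapping keys; the cipher below is a constructed
HMAC-SHA256 counter keystream with an HMAC tag, used only to model the
structure of the scheme.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

KEY_LEN = 16  # bytes per half-key (IK and AK); the page says "fixed length"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. The tag lets unseal() detect a wrong key."""
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def encrypt_for_cloud(data: bytes, identity_key: bytes, attribute_key: bytes) -> Tuple[bytes, bytes, bytes]:
    """Step (3): DK = IK || AK; CT = E_DK(data); CT_U wraps IK; CT_A wraps AK."""
    ik, ak = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
    dk = ik + ak                       # DK = IK || AK
    ct = seal(dk, data)                # ciphertext CT stored in the cloud database
    ct_u = seal(identity_key, ik)      # identity key ciphertext CT_U
    ct_a = seal(attribute_key, ak)     # attribute key ciphertext CT_A
    return ct, ct_u, ct_a


def decrypt_from_cloud(ct: bytes, ct_u: bytes, ct_a: bytes,
                       identity_key: bytes, attribute_key: bytes) -> Optional[bytes]:
    """Step (5): recover IK and AK separately, rebuild DK, decrypt CT.
    Fails closed when either half cannot be recovered."""
    ik = unseal(identity_key, ct_u)
    ak = unseal(attribute_key, ct_a)
    if ik is None or ak is None:
        return None
    return unseal(ik + ak, ct)


def demo() -> Dict[str, Optional[bytes]]:
    """Constructed scenario: the intended user decrypts; a user lacking the
    identity condition or the attribute condition does not."""
    id_key_alice, attr_key_engineers = secrets.token_bytes(32), secrets.token_bytes(32)
    id_key_bob, attr_key_visitors = secrets.token_bytes(32), secrets.token_bytes(32)
    data = b"PLC-07 setpoint log: 71.5"          # constructed record
    ct, ct_u, ct_a = encrypt_for_cloud(data, id_key_alice, attr_key_engineers)
    return {
        "expected": data,
        "authorized": decrypt_from_cloud(ct, ct_u, ct_a, id_key_alice, attr_key_engineers),
        "wrong_identity": decrypt_from_cloud(ct, ct_u, ct_a, id_key_bob, attr_key_engineers),
        "wrong_attributes": decrypt_from_cloud(ct, ct_u, ct_a, id_key_alice, attr_key_visitors),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16s} {value!r}")
```

The point the structure makes is that the cloud holds CT, CT_U and CT_A but none of the private keys, and each legitimate user must unwrap both halves: knowing IK alone or AK alone gives no information about DK, because the two halves are generated independently and DK is only ever used whole.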
By providing the cloud storage encryption/decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for multiple types of information data while resisting collusion between users and attribute authorities. For the confidential information data, identity-based encryption/decryption keys and attribute encryption/decryption keys are constructed separately and combined to form the information data encryption key that encrypts the data, so only a user who satisfies both the identity condition and the attribute condition can decrypt it, which greatly improves the security of the Information Security Management System 4.
In this application scenario, the update cycle T is set to 10 and the security of the system improves by 8% relatively.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit its scope of protection. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that modifications or equivalent substitutions may be made to the technical solution of the present invention without departing from its substance and scope.

Claims (3)

1. An Internet-of-Things-based industrial equipment control system, characterized in that it includes video surveillance devices, a communication system, a central monitoring center, user mobile terminals, a video monitoring display and an Information Security Management System; the video surveillance devices are arranged according to the positions of the industrial equipment; the communication system includes multiple switches, the video surveillance devices are connected to the central monitoring center through the switches, and the central monitoring center connects to the user mobile terminals and the video monitoring display through a wireless network; the central monitoring center includes a health status monitoring system for monitoring the health status of the industrial equipment; the Information Security Management System manages the information data relating to the industrial equipment and ensures the security of that information data.
2. The Internet-of-Things-based industrial equipment control system according to claim 1, characterized in that the central monitoring center is also connected to an alarm device for raising an alarm when the industrial equipment is abnormal.
3. The Internet-of-Things-based industrial equipment control system according to claim 2, characterized in that the user mobile terminals are connected to the alarm device through the wireless network.
CN201610778830.6A 2016-08-30 2016-08-30 A kind of System of Industrial Device Controls based on Internet of Things Pending CN106230856A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610778830.6A CN106230856A (en) 2016-08-30 2016-08-30 A kind of System of Industrial Device Controls based on Internet of Things

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610778830.6A CN106230856A (en) 2016-08-30 2016-08-30 A kind of System of Industrial Device Controls based on Internet of Things

Publications (1)

Publication Number Publication Date
CN106230856A true CN106230856A (en) 2016-12-14

Family

ID=58072215

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610778830.6A Pending CN106230856A (en) 2016-08-30 2016-08-30 A kind of System of Industrial Device Controls based on Internet of Things

Country Status (1)

Country Link
CN (1) CN106230856A (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102075542A (en) * 2011-01-26 2011-05-25 中国科学院软件研究所 Cloud computing data security supporting platform
CN102510476A (en) * 2011-10-28 2012-06-20 河海大学 Platform system of video monitoring integration information of network of things
CN103034213A (en) * 2012-12-20 2013-04-10 武汉北斗睿华科技有限公司 Remote monitoring and controlling system
CN103747279A (en) * 2013-11-18 2014-04-23 南京邮电大学 Cloud storage and sharing coded video encryption and access control strategy updating method
CN103607393A (en) * 2013-11-21 2014-02-26 浪潮电子信息产业股份有限公司 Data safety protection method based on data partitioning
CN204802162U (en) * 2015-08-06 2015-11-25 安徽博天亚企业管理咨询有限公司 Information safety control system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
裴新、虞慧群: "Security-Policy-Driven Resource Partitioning Technology" (《安全策略驱动的资源分割技术》), 中国科技论文在线 (Sciencepaper Online) *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110419195A (en) * 2017-11-21 2019-11-05 顺天乡大学校产学协力团 Data managing method and system in IOT lightweight terminal environments based on proxy re-encryption
CN108470047A (en) * 2018-03-07 2018-08-31 谭亮 Remote platform based on Internet of Things monitors system
CN108470047B (en) * 2018-03-07 2023-09-26 谭亮 Remote platform monitoring system based on Internet of Things


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20161214