CN113411289B - System and method for controlling access of cameras in split mode - Google Patents

Info

Publication number: CN113411289B
Application number: CN202010185758.2A
Authority: CN (China)
Prior art keywords: module, camera, access, gateway, monitoring
Legal status: Active (as listed by Google Patents, which states that the status is an assumption and not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN113411289A
Inventor: 邵帅
Current assignee: Suzhou Wangkong Huian Technology Co., Ltd.
Original assignee: Suzhou Wangkong Huian Technology Co., Ltd.
Application filed by Suzhou Wangkong Huian Technology Co., Ltd.; priority to CN202010185758.2A
Publication of the application as CN113411289A; application granted and published as CN113411289B

Classifications (CPC)

    • H04L63/104: Network security; controlling access to devices or network resources; grouping of entities
    • H04L63/083: Network security; authentication of entities using passwords
    • H04L63/0876: Network security; authentication of entities based on the identity of the terminal or its configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/105: Network security; controlling access to devices or network resources; multiple levels of security
    • H04L63/20: Network security; managing network security; network security policies in general
    • H04N7/181: Closed-circuit television [CCTV] systems, i.e. systems in which the video signal is not broadcast, for receiving images from a plurality of remote sources


Abstract

A camera access control system comprises a client subsystem and a gateway subsystem. The client subsystem automatically identifies the device on which the monitoring seat (the operator workstation) runs and sends that device's information to the gateway subsystem. The gateway subsystem groups users by their access rights and cameras by the rights required to reach them; when a camera is operated from a monitoring-seat device, the gateway parses the RTSP protocol, the GB/T 28181 protocol, the HTTP protocol or a video-surveillance vendor's private protocol and ensures that a user can only reach the cameras belonging to his rights group and cannot access cameras across rights groups. Detected unauthorized access is logged. The system and method leave the existing network unchanged, give comprehensive protection and high security, audit and block illegal unauthorized access, and preserve a good user experience.

Description

System and method for controlling access of cameras in split mode
Technical Field
The invention relates to a system and a method for controlling camera access by partitioned rights. When a video-surveillance client or web page operates a camera through a monitoring platform, the system parses RTSP (Real Time Streaming Protocol), GB/T 28181, HTTP (Hypertext Transfer Protocol) or a surveillance vendor's private protocol and applies the mapping between user rights groups and camera feature groups to block cross-rights access. Cameras of different security levels are thereby controlled separately, and abnormal access or attacks can be traced through the audit records kept of attempted cross-rights access.
Abbreviations and terms:
GB/T 28181: the Chinese national standard "Technical requirements for information transport, switch and control in video surveillance network system for public security".
RTSP: Real Time Streaming Protocol (RFC 2326), a control protocol for real-time media streams.
HTTP: Hypertext Transfer Protocol, a request-response protocol that normally runs over TCP. It specifies the messages a client may send to a server and the responses it receives; it follows the client/server model and, being carried over TCP, uses a connection-oriented transport.
Private protocol of a video-surveillance vendor: a non-standard message format defined between a vendor's own client software and its monitoring platform, for example Hikvision's private protocol.
Socket: one endpoint of a bidirectional communication connection over which two programs on a network exchange data.
Linux: a family of free, Unix-like, POSIX-based operating systems supporting multiple users, tasks, threads and CPUs.
MySQL: a widely used relational database management system (RDBMS), common in web applications.
Tomcat: a free, open-source, lightweight web application server, widely used in small and medium-sized systems where the number of concurrent users is modest.
Background
With the build-out of national video-surveillance systems, China's video-surveillance sector has matured. Cameras are now deployed in widely differing locations, and the sensitivity and confidentiality of the video they capture differ accordingly. Camera operations of differing sensitivity (real-time browsing, online downloading, historical playback, acquisition of camera media information, camera angle rotation, camera lens zoom) therefore need to be controlled with different rights, so that unauthorized personnel cannot reach highly confidential cameras.
Video sharing between departments and fields is increasingly frequent and often involves sensitive data. When camera video is shared with another department without rights-based control, the receiving department can perform illegal operations on the video content (real-time browsing, online downloading, historical playback, acquisition of camera media information, camera angle rotation, and so on), leading to video leakage or theft. Such leakage and theft events occur frequently, and once they have happened the source of the leak cannot be traced effectively.
The existing security control mechanism of a video-surveillance system can either only grant an account control of all cameras, or only supports account rights groups for the vendor's own private protocol. There is also a super-administrator account holding the highest rights; anyone who obtains it can access the video of every camera on the network at will. Security control that relies on the surveillance platform alone is therefore insufficient and the risk of illegal access remains, so a third-party security vendor is needed to enforce rights-partitioned control and auditing of camera access and to secure the system as a whole.
Disclosure of Invention
The invention provides a system for controlling camera access by partitioned rights. It applies where personnel with different security rights operate cameras of the corresponding security level according to their rights, or where cross-region/cross-department camera access must be forbidden. Combining camera security-information groups with personnel rights groups, it controls camera access so that unauthorized access, and the video-information leakage or illegal use that would follow, is prevented.
The protection system of the invention prevents illegal access to video data in the following five respects.
Scenarios:
    • unauthorized access to sensitive video;
    • illegal access to cross-department video data by unauthorized users;
    • illegal access to high-rights-level cameras by low-rights-level users.
Functions:
    • preventing illegal access to video data (online browsing, video downloading, playback);
    • preventing malicious operation of the camera (rotation of the view angle, zoom of the picture, information acquisition and parameter acquisition).
Fig. 1 shows the system for controlling camera access by partitioned rights. It comprises a gateway server subsystem (database module, network message processing module, protocol parsing module, access control module, log audit module) and a client subsystem (registration/login module, monitoring module, network communication module, access control module, log audit module).
1. Gateway subsystem
In an actual network deployment the gateway subsystem is placed in front of the video-monitoring platform (see Fig. 7). Apart from the monitoring seats, the entire video flow from all cameras into the monitoring platform passes through it, so a high-speed packet-flow processing technique is needed to forward and control video traffic of this volume. The gateway's network message processing module therefore uses a high-speed forwarding framework that bypasses the Linux kernel: huge-page memory, zero-copy and batched multi-packet vector processing, NIC multi-queue with a multi-threaded multi-queue software architecture, and a pipelined software design, which together give the gateway line-rate forwarding. A CPU function configuration template lets the operator choose between dedicating CPU cores to forwarding and sharing cores between service processing and forwarding, so the design fits devices with different numbers of CPUs and NICs. The forwarding architecture supports the mainstream x86, ARM and MIPS CPU families, giving good compatibility and extensibility.
1. The network message processing module monitors the packets passing through the device in real time, picks out the access-control messages that match its rules and hands them to the protocol parsing module; according to the results of the protocol parsing module and the access control module it then passes or discards the packet.
2. The protocol parsing module parses the IP/UDP/TCP packets extracted by the network message processing module according to the rules of each protocol, extracts the camera information and the device information of the accessing terminal carried in the message, and outputs them to the access control module.
3. The access control module matches the extracted camera information against the terminal device information using the rights-grouping rules in the policy configuration: if the terminal has the right to access the camera, the access is released; otherwise it is denied.
4. The log audit module records the illegal accesses detected by the access control module and writes them to the database module.
5. The function configuration module is reached through a web page and holds the functional configuration: user groups, camera groups and the mapping between camera groups and user groups.
6. The database module persists the configuration data, so no reconfiguration is needed after a restart, and persists the illegal-access records, so historical illegal accesses can still be queried for tracing after a restart.
2. Client subsystem
1. The registration/login module receives the user name and password entered by the user, encrypts them securely, sends them to the gateway for verification and recording, receives the gateway's response and tells the log audit module to record the login time in the log file.
2. The configuration processing module receives from the gateway subsystem the user rights groups, the camera rights groups (camera number and camera IP) and the mapping between them, stores that configuration in the database module, and after a client restart reads it back from the database for the access control module.
3. The monitoring module watches the seat system's operations in real time; whenever the seat accesses the video-monitoring platform it notifies the access control module and the log audit module.
4. The access control module receives the camera-access behaviour reported by the monitoring module, combines it with the user-to-camera rights mapping obtained from the configuration processing module to control the seat's access to the camera device, and tells the log audit module to record the operation in the log file.
5. The log audit module logs every operation on instruction from the registration/login module and the access control module.
The invention also provides a method for controlling camera access by partitioned rights using the system above. Each module of the gateway subsystem starts automatically with the Linux system, and each module of the client subsystem starts automatically with the Windows system.
When the client subsystem is started for the first time, the user enters a user name and password manually and the client sends a login message to the gateway system; on later restarts the login message is sent automatically. The gateway records the relationship between the user name and the corresponding IP/MAC address and writes the login message to the log. When the seat directly accesses the camera system, the monitoring module notifies the access control module of the access and tells the log audit module to log it; the access control module controls the seat's access to the camera according to the configured rights and tells the log module to record the operation in the log file.
After the gateway subsystem starts, client users are created: each user is given a user name and password and assigned to a user rights group; camera numbers/names are entered into the function configuration module and cameras of different sensitivity levels are assigned to different rights groups; finally the permitted associations between user rights groups and camera rights groups are configured, and the configuration is saved in the database module.
The network processing module monitors the IP packets passing through the device in real time and hands matching packets to the protocol parsing module, which identifies the protocol type (RTSP, GB/T 28181, HTTP or a private format) and parses out the camera name or number. The access control module looks up the camera's rights group by that name or number and the user's rights group by the source IP address carried in the packet; if the association between the two groups is permitted the operation is released, otherwise it is blocked.
The specific embodiment is as follows:
1. Gateway subsystem
The gateway subsystem is deployed in the monitoring system's network between the monitoring seats and the monitoring platform, normally at the front end of the platform so that it protects the platform.
The gateway subsystem supports three deployment modes: in-line (serial), bypass with policy routing, and bypass on mirrored traffic, so it can be fitted to a range of network topologies with minimal change to the existing network. Only the first two modes place the gateway on the forwarding path; on a mirrored copy of the traffic it can audit but cannot itself drop packets.
2. Client subsystem
The client side is illustrated on a PC running Windows.
Windows programs run in either user mode or kernel mode; the kernel side consists of device and file-system drivers, kernel processes and a set of kernel-mode API interfaces. The monitoring module and the access control module hook system calls, changing the operating system's normal workflow so that access to camera operations can be controlled.
Drawings
Fig. 1 shows the client subsystem and gateway subsystem of the system.
Fig. 2 shows the functional modules of the gateway subsystem.
Fig. 3 shows the functional modules of the client subsystem.
Fig. 4 shows the transmission format of the GB/T 28181 camera-access signalling handled by the invention.
Fig. 5 shows the transmission format of the RTSP camera-access signalling.
Fig. 6 shows the transmission format of the HTTP camera-access signalling.
Fig. 7 is a logical diagram of the network deployment of the client subsystem and gateway subsystem.
Examples of the camera information carried by each protocol
In the RTSP example the camera name is the first segment of the URL path (IPC-S232-IR-1161_1); in the GB/T 28181 example it is the user part of the called-party URI in the request line and To header; in the HTTP example it is the cameraIndexs element of the SOAP body (004115).
RTSP message (DESCRIBE):
rtsp://172.16.6.6:554/IPC-S232-IR-1161_1/20190428T000000Z/20190428T101226Z/PlayMode=rawmode+unv979157729 RTSP/1.0
GB/T 28181 message (INVITE):
sip:2001$51385020190426112033+XP&[email protected]:7003 SIP/2.0
Via: SIP/2.0/UDP 172.16.6.6:5060;branch=z9hG4bK52f352ce17f352ce9de352ce8
From: <sip:[email protected]:5060>;tag=aa788a88ef788a8865688a887b788a88
To: <sip:2001$51385020190426112033+XP&[email protected]:7003>
CSeq: 1 INVITE
Contact: <sip:[email protected]:5060>
Max-Forwards: 70
Content-Length: 0
HTTP message (SOAP request to the platform):
POST /vms/services/VmsCuService HTTP/1.1
Host: 172.100.7.11
User-Agent: gSOAP/2.8
Content-Type: application/soap+xml;charset=utf-8;action=""
Content-Length: 871
Connection: close
SOAPAction: ""
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope" xmlns:SOAP-ENC="http://www.w3.org/2003/05/soap-encoding" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cs2="http://ws.vms.ivms6.hikvision.com/VmsCuServiceSoap11Binding" xmlns:cs1="http://ws.vms.ivms6.hikvision.com" xmlns:cs3="http://ws.vms.ivms6.hikvision.com/VmsCuServiceSoap12Binding"><SOAP-ENV:Body><cs1:getStorageLabel><cs1:token>ST-85147-feWIZwXKvgU4xdKtXYTj-cas</cs1:token><cs1:startTime>2019-03-26 00:00:00</cs1:startTime><cs1:endTime>2019-03-26 23:59:59</cs1:endTime><cs1:keyword></cs1:keyword><cs1:pageSize>300</cs1:pageSize><cs1:pageNo>1</cs1:pageNo><cs1:labelTypes>1</cs1:labelTypes><cs1:cameraIndexs>004115</cs1:cameraIndexs></cs1:getStorageLabel></SOAP-ENV:Body></SOAP-ENV:Envelope>
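The protocol parsing step for the three message kinds shown above, as an added Python example that is not the patent's code. It identifies the protocol from the version token of the request line, pulls the camera identifier out of the RTSP URL path, the user part of the SIP Request-URI or the SOAP cameraIndexs element, and flags whether stored (historical) video is being addressed. The RTSP sample reuses the DESCRIBE URL quoted above; the SIP INVITE and the SOAP request are constructed for this example (the SIP example above is obfuscated, so a 20-digit GB/T 28181-style device ID is used instead), and the function and field names are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

@dataclass(frozen=True)
class CameraAccess:
    protocol: str    # "RTSP", "GB28181" or "HTTP"
    operation: str   # RTSP method, SIP method + SDP session name, or SOAP operation
    camera_id: str   # camera number/name exactly as that protocol carries it
    playback: bool   # True when stored (historical) video is addressed

def _split_message(raw: bytes):
    # -> (request line, lower-cased header dict, body)
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def _parse_rtsp(request_line: str) -> Optional[CameraAccess]:
    method, url, _ = request_line.split(" ", 2)
    path = urlsplit(url).path
    segments = [s for s in path.split("/") if s]
    if not segments:
        return None
    # As in the DESCRIBE URL above: camera name first, then a UTC time range for playback
    playback = re.search(r"/\d{8}T\d{6}Z/\d{8}T\d{6}Z", path) is not None
    return CameraAccess("RTSP", method, segments[0], playback)

_SIP_USER = re.compile(r"sip:([^@;>\s]+)@")   # user part of a SIP URI = GB/T 28181 device ID
_SDP_NAME = re.compile(rb"^s=(.+?)\r?$", re.M)  # SDP session name: Play, Playback, Download, Talk

def _parse_sip(request_line: str, body: bytes) -> Optional[CameraAccess]:
    method, uri, _ = request_line.split(" ", 2)
    match = _SIP_USER.match(uri)
    if not match:
        return None
    name = _SDP_NAME.search(body)
    session = name.group(1).decode("utf-8", "replace").strip() if name else "Play"
    return CameraAccess("GB28181", f"{method} {session}", match.group(1),
                        session in ("Playback", "Download"))

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]              # drop the "{namespace}" prefix

def _parse_http(headers: dict, body: bytes) -> Optional[CameraAccess]:
    if "soap+xml" not in headers.get("content-type", ""):
        return None                            # not a platform SOAP call
    envelope = ET.fromstring(body)
    soap_body = next((c for c in envelope if _local(c.tag) == "Body"), None)
    if soap_body is None or len(soap_body) == 0:
        return None
    op = soap_body[0]                          # the operation element, e.g. getStorageLabel
    camera = next((e.text.strip() for e in op.iter()
                   if _local(e.tag) == "cameraIndexs" and e.text), None)
    if camera is None:
        return None
    ranged = any(_local(e.tag) in ("startTime", "endTime") for e in op)
    return CameraAccess("HTTP", _local(op.tag), camera, ranged)

def parse_message(raw: bytes) -> Optional[CameraAccess]:
    """Dispatch on the request-line version; None = unrecognised or malformed."""
    try:
        request_line, headers, body = _split_message(raw)
        parts = request_line.split(" ")
        if len(parts) != 3:
            return None
        if parts[2] == "RTSP/1.0":
            return _parse_rtsp(request_line)
        if parts[2] == "SIP/2.0":
            return _parse_sip(request_line, body)
        if parts[2].startswith("HTTP/1."):
            return _parse_http(headers, body)
        return None
    except (ValueError, ET.ParseError):
        return None

# Samples: the RTSP request line is the one quoted above; the SIP INVITE and the
# SOAP request are constructed for this example.
RTSP_DESCRIBE = (
    b"DESCRIBE rtsp://172.16.6.6:554/IPC-S232-IR-1161_1/20190428T000000Z/"
    b"20190428T101226Z/PlayMode=rawmode+unv979157729 RTSP/1.0\r\n"
    b"CSeq: 2\r\nAccept: application/sdp\r\n\r\n")
SIP_INVITE = (
    b"INVITE sip:34020000001320000001@3402000000 SIP/2.0\r\n"
    b"To: <sip:34020000001320000001@3402000000>\r\n"
    b"CSeq: 1 INVITE\r\nContent-Type: application/sdp\r\n\r\n"
    b"v=0\r\no=34020000002000000001 0 0 IN IP4 172.16.6.6\r\ns=Playback\r\n")
HTTP_SOAP = (
    b"POST /vms/services/VmsCuService HTTP/1.1\r\nHost: 172.100.7.11\r\n"
    b'Content-Type: application/soap+xml;charset=utf-8;action=""\r\n\r\n'
    b'<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope"'
    b' xmlns:cs1="http://ws.vms.ivms6.hikvision.com"><SOAP-ENV:Body>'
    b"<cs1:getStorageLabel><cs1:token>ST-example</cs1:token>"
    b"<cs1:startTime>2019-03-26 00:00:00</cs1:startTime>"
    b"<cs1:endTime>2019-03-26 23:59:59</cs1:endTime>"
    b"<cs1:cameraIndexs>004115</cs1:cameraIndexs></cs1:getStorageLabel>"
    b"</SOAP-ENV:Body></SOAP-ENV:Envelope>")
```

Everything for which parse_message returns None (TLS-wrapped RTSP or HTTPS, a vendor private format the parser has no rule for, a malformed request) never reaches the access control module, so in a gateway built this way the set of protocols the parser understands is the real security boundary: the description lists vendor private protocols among the inputs but shows no example of one, and the network message processing module is described as passing packets that match no rule.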

Claims (11)

1. A camera access control system, characterised in that it comprises a client subsystem and a gateway subsystem, the client subsystem running on Windows and the gateway subsystem on Linux; the client subsystem automatically identifies the device on which a monitoring seat runs and sends the seat device information to the gateway subsystem; the gateway subsystem groups users according to the access rights they hold and groups camera devices according to their identity characteristics, and applies control when the monitoring-seat application software or a browser performs operation access to cameras, either through the monitoring platform or directly, the controllable access types comprising real-time browsing, online downloading, historical playback, camera media-information acquisition, camera angle rotation, camera device management, camera media-information configuration and camera image-information configuration; it further protects against network attacks launched through platform access and logs detected illegal unauthorised access and network attacks;
the whole system being divided into a gateway subsystem and a client subsystem:
A. the client subsystem comprises a registration/login module, a configuration processing module, a monitoring module, an access control module and a log audit module, wherein:
(1) the registration/login module receives the user name and password entered by the user, encrypts them securely, sends them to the gateway for verification and recording, receives the gateway's response and notifies the log audit module to record the login time in the log file;
(2) the configuration processing module receives from the gateway subsystem the user rights-group information, the camera rights-group information and the mapping between them, the camera rights-group information comprising the camera number, the camera IP, the camera manufacturer and model, and a fingerprint identifying the camera formed by combining these with the camera's access protocol; it stores the configuration in the database module and, after a client restart, reads it back from the database for the access control module;
(3) the monitoring module monitors the seat system's operations in real time while it accesses the video-monitoring system and, when an access to the monitoring platform occurs, notifies the log audit module;
(4) the access control module receives the camera-access behaviour reported by the monitoring module and controls the seat system's access to the camera device according to the user-to-camera rights mapping obtained from the configuration processing module: if the seat user's rights match the rights required for the camera, the access proceeds; if they do not match, the operation is blocked; it then notifies the log audit module to record the operation in the log file;
(5) the log audit module logs all operations on the instructions of the registration/login module and the access control module;
B. the gateway subsystem comprises a function configuration module, a database module, a network message processing module, a protocol parsing module, an access control module and a log audit module, wherein:
(1) the network message processing module monitors the network packets passing through the device in real time, obtains the access-control messages matching its rules and sends them to the protocol parsing module; according to the results of the protocol parsing module and the access control module it passes or discards the packet; the gateway subsystem can run on the mainstream x86, ARM and MIPS chips;
(2) the protocol parsing module parses the IP/UDP/TCP packets extracted by the network message processing module according to the rules of each protocol, extracts the camera information and the IP address of the accessing terminal carried in the message, and outputs them to the access control module;
(3) the access control module matches the extracted camera information against the terminal IP using the rights-grouping rules in the policy configuration: if the terminal IP has the right to access the camera the access is released, otherwise it is rejected;
(4) the log audit module records the illegal accesses detected by the access control module and outputs the illegal-access information to the database module;
(5) the function configuration module provides the functional configuration through a web page, comprising configuring user groups, configuring camera groups and configuring the mapping between camera groups and user groups;
(6) the database module persists the configuration data so that normal operation continues without reconfiguration after a restart, and persists the illegal-access records so that historical illegal accesses can be queried for tracing after a restart.
2. The camera access control system according to claim 1, wherein the network message processing module of the gateway subsystem can screen out the access control messages that match the rules and send them to the protocol analysis module; at the same time, according to the processing results of the protocol analysis module and the authority management and control module, the access control message is either passed through or discarded.
3. The camera access control system according to claim 1, wherein the protocol parsing module of the gateway subsystem may parse and process network messages of the RTSP protocol, the GB/T 28181 protocol, the HTTP protocol and the private protocols of video monitoring manufacturers.
4. The camera access management and control system according to claim 1, wherein the configuration module of the gateway subsystem is configured to group the users, group the cameras, and configure the correspondence between the camera groups and the user groups.
5. The camera access control system of claim 1, wherein the log audit module of the gateway subsystem records a log entry when the system detects an illegal cross-rights access, for use in post-hoc auditing and traceability.
6. The camera access management and control system according to claim 1, wherein the access control module of the gateway subsystem is responsible for matching the extracted camera information against the terminal device information according to the rights grouping rules in the policy configuration, producing an audit record for accesses within the access rights, and blocking and producing an audit record for cross-rights accesses.
7. The camera access control system according to claim 1, wherein the registration login module of the client subsystem is configured to receive the user name and password entered by the user, notify the gateway in a secure manner so that the gateway verifies and records them, receive the response message returned by the gateway, and notify the log audit record module to record the registration login time in the log file.
8. The camera access control system according to claim 1, wherein the configuration processing module of the client subsystem can receive the user permission set information and the camera permission set information (camera number, camera IP, and the correspondence between the two) issued by the gateway system, and store them in the database module; once the client system is restarted, the configuration processing module reads the configuration directly from the database for the access control module to call.
9. The camera access management and control system of claim 1, wherein the monitoring module of the client subsystem is capable of monitoring, in real time, the operations of the seat system when it accesses the video monitoring system, and notifies the access control module and the log audit record module when it detects an access to the video monitoring platform.
10. The system of claim 1, wherein the access control module of the client subsystem receives from the monitoring module the behaviour of accessing the camera, combines it with the authority correspondence between the user and the camera queried by the configuration processing module, controls the operation of the monitoring seat system accessing the camera device, and notifies the log audit record module to record the operation in the log file.
11. A camera access control method, characterized in that the camera access control system according to claim 1 is divided into a client subsystem and a gateway subsystem;
Each module of the client subsystem can start automatically with the startup of the Windows system. After the client subsystem starts, the user needs to enter a user name and password manually the first time it is started, after which a login message is sent to the gateway system; when the system is restarted, the login message is sent to the gateway system automatically. The gateway system records the relationship between the user name and the corresponding IP/MAC address, and at the same time records the registration login information in a log. When a behaviour of directly accessing the camera system occurs, the monitoring module informs the access control module that the access behaviour has occurred and informs the log audit record module to log it; the access control module controls, according to the access information, the access operation of the monitoring seat system to the camera and informs the log record module to record the operation in the log file;
Each module of the gateway subsystem can start automatically with the startup of the Linux system. After startup, the user grouping, the camera grouping and the corresponding access relationship between the user grouping and the camera grouping must be configured through the function configuration module, and once the configuration is completed, the configuration data are stored in the database module. Meanwhile, the network message processing module monitors, in real time, the IP messages passing through the device on the network, and when a message matching the rules is found, it is sent to the protocol analysis module. The protocol analysis module parses the message according to RTSP, GB/T 28181, HTTP or the private protocol of the respective monitoring manufacturer, extracts the camera information and the IP address information of the accessing terminal, and queries the extracted information against the grouping authority management and control policy in the configuration; when the query shows that the access right exists, the access message is released; when the query shows that the access right does not exist, the access is judged to be illegal and the access message is rejected.
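As an added illustration (not code from the patent), the gateway-side flow of claim 1(B) and claim 11 in Python: the protocol analysis step extracts the camera host from an RTSP, HTTP or GB/T 28181 (SIP) request, the access control step matches it with the terminal IP against user-group/camera-group grants, and rejected cross-rights accesses are recorded for audit. The policy, IP addresses, message texts and device ID are constructed; manufacturer private protocols are not handled.

```python
import re
from urllib.parse import urlsplit

# Request line of RTSP, HTTP and SIP (GB/T 28181 signalling) messages, and the HTTP Host header.
REQ_LINE = re.compile(r"^([A-Z]+) (\S+) (RTSP|HTTP|SIP)/\d\.\d")
HOST_HDR = re.compile(r"^Host:\s*([^\s:]+)", re.M | re.I)

def extract_camera(payload):
    """Protocol analysis step: return (protocol, camera host), or None when the
    payload is not a message the gateway inspects (such traffic is simply forwarded)."""
    m = REQ_LINE.match(payload)
    if not m:
        return None
    _method, uri, proto = m.groups()
    if proto == "HTTP":  # the camera host travels in the Host header
        h = HOST_HDR.search(payload)
        return ("HTTP", h.group(1)) if h else None
    if proto == "SIP":   # GB/T 28181 signalling: sip:<device ID>@<host>:<port>
        return ("GB/T28181", re.sub(r"^sip:", "", uri).split("@")[-1].split(":")[0])
    return ("RTSP", urlsplit(uri).hostname)

class Gateway:
    """Access control module; self.audit stands in for the log audit record module."""
    def __init__(self, user_groups, camera_groups, grants):
        self.user_groups = user_groups      # group name -> set of terminal IPs
        self.camera_groups = camera_groups  # group name -> set of camera hosts
        self.grants = grants                # allowed (user group, camera group) pairs
        self.audit = []                     # illegal (cross-rights) accesses only

    def handle(self, terminal_ip, payload):
        info = extract_camera(payload)
        if info is None:
            return "forward"  # not an access-control message, so not subject to the policy
        proto, camera = info
        ugroups = {g for g, ips in self.user_groups.items() if terminal_ip in ips}
        cgroups = {g for g, cams in self.camera_groups.items() if camera in cams}
        if any((u, c) in self.grants for u in ugroups for c in cgroups):
            return "pass"
        self.audit.append({"terminal": terminal_ip, "camera": camera, "proto": proto})
        return "reject"  # cross-rights access: blocked and recorded for later audit

# Constructed sample policy and messages (not taken from the patent).
GW = Gateway(
    user_groups={"ops": {"192.0.2.10"}, "guest": {"192.0.2.20"}},
    camera_groups={"lobby": {"10.0.0.21", "10.0.0.22"}, "vault": {"10.0.0.23"}},
    grants={("ops", "lobby"), ("ops", "vault"), ("guest", "lobby")},
)
RTSP_MSG = "DESCRIBE rtsp://10.0.0.21:554/stream1 RTSP/1.0\r\nCSeq: 2\r\n\r\n"
HTTP_MSG = "GET /cgi-bin/snapshot.cgi HTTP/1.1\r\nHost: 10.0.0.22\r\n\r\n"
SIP_MSG = "INVITE sip:34020000001320000001@10.0.0.23:5060 SIP/2.0\r\nCSeq: 1 INVITE\r\n\r\n"
```

A terminal that belongs to no configured group is rejected by default, which is the behaviour a deny-by-default policy needs.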
CN202010185758.2A 2020-03-16 2020-03-16 System and method for controlling access of cameras in split mode Active CN113411289B (en)

Publications (2)

Publication Number Publication Date
CN113411289A CN113411289A (en) 2021-09-17
CN113411289B true CN113411289B (en) 2023-05-26

Family

ID=77677086

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant