CN104378657A - Video security access system based on agency and isolation and method of video security access system - Google Patents


Info

Publication number
CN104378657A
Authority
CN
China
Prior art keywords
video
isolation
agency
module
preposition
Legal status
Pending
Application number
CN201410441429.4A
Other languages
Chinese (zh)
Inventor
汪晨
周诚
林为民
张涛
马媛媛
邵志鹏
时坚
钱炫宇
刘时敏
楚杰
Current Assignee
State Grid Corp of China SGCC
China Electric Power Research Institute Co Ltd CEPRI
Smart Grid Research Institute of SGCC
Original Assignee
State Grid Corp of China SGCC
China Electric Power Research Institute Co Ltd CEPRI

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/60 Network structure or processes for video distribution between server and client or between remote clients; Control signalling between clients, server and network components; Transmission of management data between server and client, e.g. sending from server to client commands for recording incoming content stream; Communication details between server and client
    • H04N21/63 Control signaling related to video distribution between client, server and network components; Network processes for video distribution between server and clients or between remote clients, e.g. transmitting basic layer and enhancement layers over different transmission paths, setting up a peer-to-peer communication via Internet between remote STB's; Communication protocols; Addressing
    • H04N21/643 Communication protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20 Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/21 Server components or server architectures
    • H04N21/222 Secondary servers, e.g. proxy server, cable television Head-end
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20 Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/23 Processing of content or additional data; Elementary server operations; Server middleware
    • H04N21/234 Processing of video elementary streams, e.g. splicing of video streams, manipulating MPEG-4 scene graphs
    • H04N21/23418 Processing of video elementary streams, e.g. splicing of video streams, manipulating MPEG-4 scene graphs involving operations for analysing video streams, e.g. detecting features or characteristics
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20 Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/23 Processing of content or additional data; Elementary server operations; Server middleware
    • H04N21/235 Processing of additional data, e.g. scrambling of additional data or processing content descriptors
    • H04N21/2353 Processing of additional data, e.g. scrambling of additional data or processing content descriptors specifically adapted to content descriptors, e.g. coding, compressing or processing of metadata
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20 Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/25 Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
    • H04N21/254 Management at additional data server, e.g. shopping server, rights management server
    • H04N21/2541 Rights Management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20 Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/25 Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
    • H04N21/258 Client or end-user data management, e.g. managing client capabilities, user preferences or demographics, processing of multiple end-users preferences to derive collaborative data
    • H04N21/25808 Management of client data
    • H04N21/25816 Management of client data involving client authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/60 Network structure or processes for video distribution between server and client or between remote clients; Control signalling between clients, server and network components; Transmission of management data between server and client, e.g. sending from server to client commands for recording incoming content stream; Communication details between server and client
    • H04N21/63 Control signaling related to video distribution between client, server and network components; Network processes for video distribution between server and clients or between remote clients, e.g. transmitting basic layer and enhancement layers over different transmission paths, setting up a peer-to-peer communication via Internet between remote STB's; Communication protocols; Addressing
    • H04N21/647 Control signaling between network components and server or clients; Network processes for video distribution between server and clients, e.g. controlling the quality of the video stream, by dropping packets, protecting content from unauthorised alteration within the network, monitoring of network load, bridging between two different networks, e.g. between IP and wireless
    • H04N21/64723 Monitoring of network processes or resources, e.g. monitoring of network load

Abstract

The invention relates to a video security access system based on proxy and isolation, and to a method of the video security access system. The system comprises a front proxy module, a dedicated communication protocol and an isolation filtering module, through which a video source is securely admitted to an intranet unified monitoring platform. The method includes the following steps: first, the front proxy module authenticates the video source that is to access the intranet unified monitoring platform; second, the video data enters the front proxy module and the video protocol is parsed; third, feature filtering, scrambling and policy label addition are performed on the video data; fourth, the video data is reassembled with the dedicated communication protocol and sent to the isolation filtering module; fifth, the isolation filtering module receives the video data that the front proxy module packaged with the dedicated protocol; sixth, the isolation filtering module parses the labels and performs filtering; seventh, the video metadata is recovered; eighth, the video metadata is re-packaged in the video format and sent to the intranet unified monitoring platform.

Description

Video security access system based on proxy and isolation, and method thereof
Technical field
The invention belongs to the field of computer and network security, and in particular relates to a video security access system based on proxy and isolation and a method thereof.
Background art
With the continuous improvement of informatization across society, many large enterprises and government departments have achieved informatization and digitization of their office operations. Inside government and large enterprises there are large dedicated networks made up of multiple cascaded sub-networks; because security was taken into account during their construction, these networks remain horizontally partitioned and separated into internal and external zones. The rapid development of informatization has brought a demand to move from dispersed network construction to resource integration, and from independently operating information systems to interconnection and resource sharing. Among these demands, sharing video information between the internal and external networks is an important business requirement.
Video source access is generally implemented in the following way:
First, a general-purpose firewall opens a specific port to admit the video source. Then a dedicated module parses the video source messages. If security services are involved, packet filtering may also be applied while the video source packets are parsed, discarding some invalid packets. Finally, the parsed messages are transmitted to the video playback platform.
This is currently the most common approach, and functionally it achieves access and transmission of the video source. Its shortcoming is obvious: security protection is weak. A general-purpose firewall cannot effectively verify the legitimacy of the access source, nor whether the accessed protocol is the designated source protocol, and it cannot filter or reassemble the content of the video source protocol. The accessed video source therefore carries the risk of intrusion through other application protocols, as well as the risk of harmful programs or instructions intruding through the video source protocol itself. Moreover, the network channel that carries the video source messages lacks security guarantees, which is a further security risk.
Because video data is deployed over a wide area, carries large traffic and uses a uniform protocol format, when video data is brought from the external network into the intranet it is necessary to propose a unified video security access system that guarantees the safety of the video data during exchange between the internal and external networks.
Summary of the invention
To address the deficiencies of the prior art, the invention provides a video security access system based on proxy and isolation and a method thereof. The invention has a front video proxy service module, an isolation filtering module and a dedicated inter-module communication protocol. The video source is admitted to the front proxy module after authentication; the proxy service module performs format parsing on the video data, adds interference, adds management labels and re-encapsulates the data with the dedicated protocol before handing it to the isolation filtering module. After the isolation filtering module receives the data, it parses the data, removes the interference, filters it by the policy management labels and, once safety is confirmed, re-encapsulates the video data in the source video format and ferries it into the intranet. This video access system is based on the security design philosophy of proxy plus isolation, with video protocol parsing, filtering, scrambling and reassembly as its core technologies: proxy technology hardens the video-on-demand client and performs automatic protocol conversion, the modules communicate with each other over a proprietary protocol, and policy filtering of the video source data at the isolation module ensures that any illegal video source information or harmful instruction is filtered out and isolated, so that secure access of the video source is guaranteed by protocol protection and a secure transmission channel.
The object of the invention is achieved by the following technical solutions:
A video security access system based on proxy and isolation, characterized in that the system comprises a front proxy module, a dedicated communication protocol and an isolation filtering module;
the video source is admitted from the external network to the intranet unified monitoring platform through the front proxy module, the dedicated communication protocol and the isolation filtering module.
Preferably, the video source client has video source middleware or a middleware device installed;
the video source middleware uses an intelligent USB key supporting the SM2 cryptographic algorithm of the State Cryptography Administration, and performs identity authentication with the front proxy device over TCP/IP; after authentication passes, the middleware sends the video source to the front proxy device over UDP.
Preferably, the front proxy device performs authentication and control operations with the video stream client over TCP/IP, authenticating it on the basis of the user name, IP address and identity certificate information of the accessing video source.
Preferably, the system performs comprehensive log auditing of the front proxy module and the isolation module, covering the software and hardware state and running information of the video stream security access devices and the operations of administrators.
Preferably, the system monitors the communication state of the video source in real time, including the identity of the connecting party, the time at which the connection was established and the uploaded and downloaded data volumes, and the administrator can interrupt its communication connection at any time as required.
Another object of the invention is a video security access method based on proxy and isolation, characterized in that the method comprises:
(1) the front proxy module authenticates the accessing video source;
(2) the front proxy module receives the video data and parses the video protocol;
(3) feature filtering, scrambling and policy label addition are performed on the video data;
(4) the video data is reassembled with the dedicated communication protocol and sent to the isolation filtering module;
(5) the isolation filtering module receives the video data encapsulated with the dedicated protocol and sent by the front proxy module;
(6) the isolation filtering module parses the labels and performs filtering;
(7) the video metadata is recovered;
(8) the video metadata is re-encapsulated in the video format and sent to the intranet unified monitoring platform.
Preferably, parsing the video protocol in step (2) comprises parsing the video source into video metadata according to the standard video protocol.
Preferably, step (3) comprises feature filtering, scrambling and label extraction of the video source: a specific feature filtering algorithm and filtering rules are used to filter out invalid packets that do not match the video source message features.
Preferably, step (3) comprises adding useless video frame disturbance information to the video metadata.
Preferably, step (3) comprises extracting the video message, the features of the video message and the management policy as label information.
Preferably, reassembling the video data in step (4) comprises randomly partitioning the scrambled video data into blocks, encapsulating them together with the label information using the dedicated proprietary communication protocol, and sending them to the isolation filtering module.
Preferably, step (5) comprises the isolation filtering module listening in real time for the video source data that the front service module sends after dedicated-protocol encapsulation.
Preferably, step (6) comprises dedicated-protocol parsing, in which the video data is parsed according to the dedicated proprietary communication protocol format, the scrambling video frames are removed and the labels are extracted; and label filtering, in which the extracted labels are matched against the management policy library and the video data is filtered by its label information.
Preferably, step (7) comprises parsing the randomly partitioned noisy video metadata and recovering the video metadata.
Preferably, step (8) comprises, after the video has passed security filtering, restoring the video data in the normal video protocol and forwarding it to the intranet unified monitoring platform.
Preferably, the front proxy device sends the encapsulated video stream data to the isolation device over TCP/IP; the isolation device listens on a specific port and receives the TCP messages that the front proxy device encapsulated in the proprietary format; and the isolation device forwards the recovered video source data to the unified monitoring platform through a UDP port.
Compared with the prior art, the beneficial effects of the invention are:
1. The invention uses a dedicated proprietary protocol for communication between the video-on-demand platform and the video source, and achieves isolation, filtering and exchange of video source information through proxy technology.
2. The invention deploys a dedicated video source secure access service behind the general-purpose firewall, performs protocol analysis on all passing communication messages and, by recognising the features of the video source protocol, can block every message that does not belong to the designated video source protocol.
3. Based on the features of the video source protocol, the invention uses signal scrambling technology to raise the security level of protocol protection. When the video source packets are parsed and reassembled, partial useless frame data and other invalid information is inserted to perturb the data, which destroys attack code or data implanted by an attacker and meets the needs of business applications with higher security levels.
4. The unified security policy filtering service of the invention allows security management to be controlled flexibly according to the policies formulated by the administrative department, such as video source classification levels and authorization. Ignoring security policies easily leads to security risks such as video sources being accessed by unauthorized users or leaked.
5. When the unified security policy filtering service performs feature recognition on the video source, it extracts key information to form a policy management label; the isolation module matches the label information against the policy library formulated according to the administrative department, and only matching items are passed on to the video-on-demand platform. This filtering service can flexibly adapt to changes in the management policy and also improves the security of the video source access device.
6. The invention combines the front proxy module, the dedicated communication protocol and the isolation filtering module into one whole. Based on proxy technology, dedicated-protocol transmission channel technology and isolation technology with a flexibly configurable security policy filtering service, it achieves secure access of video and guarantees that the video source transferred from the external network to the intranet is safe and reliable.
7. The video security access system based on proxy and isolation of the invention first authenticates the accessing video source, then performs protocol parsing on the video data in the front proxy module, re-encapsulates the video data with the dedicated communication protocol, transmits it over a secure channel to the isolation filtering module, and finally sends it to the intranet after management-policy filtering by the isolation filtering module succeeds. Through the dedicated communication protocol, the front proxy module and the isolation filtering module together construct secure video access, secure transmission over the channel and security-policy filtering of the video data, thereby achieving efficient data access and protocol protection capability.
Description of the drawings
Fig. 1 is a schematic diagram of the video security access system based on proxy and isolation provided by the invention.
Fig. 2 is a structural diagram of the video security access system based on proxy and isolation provided by the invention.
Fig. 3 is a schematic diagram of the video security access method based on proxy and isolation provided by the invention.
Fig. 4 is a flow chart of the video security access method based on proxy and isolation provided by the invention.
Detailed description
The specific embodiments of the invention are described in further detail below with reference to the accompanying drawings.
The invention is a video security access system based on proxy and isolation which, through a front proxy module, a dedicated protocol and an isolation security filtering module, admits an untrusted external-network video source into the intranet. The video source is admitted to the front video proxy service module after authentication; the video proxy service module parses the format of the video data, extracts the video metadata, adds noise data to the video metadata, adds management labels, re-encapsulates the data with the dedicated protocol and finally sends it to the isolation filtering module. After the isolation filtering module receives the data encapsulated with the dedicated protocol, it parses the data, performs noise reduction and management-policy filtering, and safely ferries the data to the video-on-demand platform, completing the secure access of the video. Based on the security design philosophy of proxy plus isolation, this video access device takes video protocol parsing, filtering, scrambling and reassembly as its core technologies and guarantees the safety of the video access process.
As shown in Fig. 2, the video security access system based on proxy and isolation of the invention is as follows.
The front proxy device consists of a source reception and authentication module (1), a video stream protocol parsing module (2), a video stream feature filtering module (3), a video stream protocol disturbance module (4), a management policy label extraction module (5) and a protocol reassembly module (6).
The isolation filtering module comprises a data listening module (7), a protocol decapsulation module (8), a label policy filtering module (9) and a protocol forwarding module (10).
The source reception and authentication module (1) receives the TCP messages coming from the video source and performs source filtering and source authentication according to the user name, IP address, identity certificate and other information of the accessing source; after authentication passes, the front proxy device receives the video data that the video source sends over UDP. The video stream protocol parsing module (2) parses the video stream packets according to the standard video stream protocol. The video stream feature filtering module (3) uses a specific feature filtering algorithm and filtering rules to filter out all invalid packets that do not match the video stream message features. The video stream protocol disturbance module (4) adds disturbance information to particular packets on top of the filtered data, without affecting video playback. The management policy label extraction module (5) extracts label information from the features of the message; this label information is later used for unified security policy filtering in the label policy filtering module (9). The protocol reassembly module (6) packages the packets according to the dedicated proprietary communication protocol and sends them to the designated port of the isolation filtering module.
The data listening module (7) communicates with the front service module using the dedicated protocol; after establishing a connection with the front proxy device it listens on the service port in real time and, on receiving a data request, hands it to the protocol decapsulation module (8). The protocol decapsulation module (8) parses the packets according to the dedicated proprietary communication protocol format and calls the filtering module once parsing is complete. The label policy filtering module (9) performs matching and filtering against the policy library according to the management policy labels in the message. The protocol forwarding module (10) sends the messages that pass policy filtering to the video-on-demand platform. At this point the video stream information has been securely transmitted from the video source to the video-on-demand platform, and every illegal application protocol and invalid packet has been filtered out and isolated.
The video security access method based on proxy and isolation of the invention is as follows:
The video stream access system, by means of the isolated front proxy device and the isolation device, admits the video stream to the on-demand platform after security filtering.
Step 1: the video source performs identity authentication and communication with the front proxy device over TCP; after authentication passes, it carries out video stream data communication over UDP and sends the video stream information to the designated port of the front proxy device. The receiving process of the front proxy device is responsible for interaction with the video source: its listener thread listens in real time for IO events on the video stream port and, on receiving video stream information, puts it into the task queue; the task dispatch thread takes tasks from the task queue according to the processing state and sends them on.
Step 2: the task dispatch thread of the receiving process of the front proxy device is responsible for interaction with the processing process: the task dispatch thread establishes a connection with the processing process, the processing process sends service requests to the task dispatch thread according to its needs and, on receiving a request, the task dispatch thread sends the video stream information to the processing process. The processing process puts the received video stream information into its task queue and hands it to the task processing threads for the recognition and filtering operations of feature filtering, label extraction and message scrambling, then sends it on when complete.
Step 3: the sending process of the front proxy device establishes a connection with the processing process and forwards the tasks sent over by the processing process to the isolation device. During transmission the messages have to be processed per source, and data from the same source is sent to the filtering layer of the isolation device for processing.
Step 4: the sending process of the front proxy device establishes a TCP connection with the isolation device and transmits messages using the proprietary communication protocol. The receiving process of the isolation device is responsible for interaction with the front proxy device: first, it listens for requests from the front proxy device and establishes connections with it; second, it performs state detection on the task processing process.
Step 5: the receiving process and the processing process inside the isolation device establish a connection. The processing process listens for the tasks sent over by the receiving process, then calls the relevant filtering plug-ins, and sends the data on when complete.
Step 6: the filtered video stream data is restored to the original video format and forwarded to the video-on-demand platform: the sending process in the isolation device is responsible for sending the video stream messages to the UDP port of the video-on-demand platform.
The flow of the video security access method based on proxy and isolation of the invention is specifically:
1) the video source and the front proxy module perform bidirectional identity authentication;
2) after authentication passes, the front proxy module receives the video data;
3) the front proxy module parses the video data format and extracts the video data, the data source information features and the video metadata (the video data without its format);
4) noise (interference) data is added to the video metadata;
5) a label is added according to the data source information features, the proxy service policy configuration and the noised video metadata;
6) the label and the randomly partitioned video metadata are encapsulated with the dedicated protocol and sent to the isolation filtering module;
7) the isolation filtering module receives the dedicated-protocol-encapsulated label and the randomly partitioned noisy video metadata;
8) the label is parsed and filtered against the policy library of the isolation filtering module; if filtering does not pass, an error is reported and processing ends;
9) the randomly partitioned noisy video metadata is parsed and the video metadata is recovered;
10) the video metadata is again encapsulated in the video format and sent to the unified monitoring platform.
Embodiment
The invention proposes a video security access system based on proxy and isolation. Automatic protocol conversion is achieved through proxy technology; the proxy and the isolation filtering module jointly build a secure channel through the dedicated protocol, achieving efficient data access and protocol protection capability. After the front server performs feature filtering, scrambling and protocol reassembly on the video, it hands the video to the isolation filtering module over the secure channel based on the dedicated protocol; after completing protocol decapsulation and security policy filtering, the isolation filtering module finally delivers it to the video-on-demand platform. The access system guarantees the safety of the video data during the video access process. The whole system ensures that video source access is safe, stable, reliable and controllable.
The flow of the video security access method based on proxy and isolation is specifically:
1. Front-end proxy module
Step 1.1: after authenticating the standard video source and passing authentication, the front-end proxy module accesses the video data V of the standard video source;
Step 1.2: parse the video data V, peel off the video format from the video data and extract the meta video data Vm;
Step 1.3: perform feature processing on the meta video data Vm to obtain the feature data F;
Step 1.4: randomly insert interference data Vi into the meta video data Vm to obtain the interfered meta video data Vmi;
Step 1.5: for the video data source, the video data V and the meta video data, construct the policy management label Lm according to the policy rule library;
Step 1.6: encapsulate <Vmi, F, Lm> in the proprietary protocol format;
Step 1.7: send the result to the isolation filtering module through the designated port;
2. Isolation filtering module
Step 2.1: receive, through the designated port, the proprietary-protocol video data sent by the front-end proxy module;
Step 2.2: parse the proprietary protocol data, take out the policy management label Lm and filter the label according to the policy filtering rules; if the filter does not pass, discard the data and report an error;
Step 2.3: parse the proprietary protocol data, remove the interference data Vi and recover the meta video data Vm from the randomly interfered meta video data Vmi;
Step 2.4: compute the feature data F' of the recovered meta video data, parse the proprietary protocol data to extract the transmitted feature data F of the meta video data, and compare F' with F; if they are not equal, discard the data and report an error;
Step 2.5: re-encapsulate the metadata Vm into video data V and forward V to the intranet unified monitoring platform.
3. Proprietary protocol and policy management label
The proprietary protocol is a self-defined protocol applied to the communication between the proxy module and the isolation filtering module. In the front-end proxy module, the proprietary protocol randomly groups the interference-bearing video metadata and then encapsulates the grouped data together with the label data in the proprietary format.
The policy management label is derived from the security configuration of the proxy service module and the isolation filtering module, from the data extracted from the video data, and from the characteristics of the data source.
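The two-module flow above (steps 1.1 to 2.5) and the private framing of section 3, worked through as an added Python example; this is not code from the patent, and the toy container header, the chunk framing, the use of SHA-256 as the feature F and the policy library are all assumptions made for this example.

```python
import hashlib
import json
import random
import struct

# Constructed for this example: a toy container header standing in for a real video
# format, and a policy library listing the sources and formats the isolation module accepts.
MAGIC = b"VFMT"
POLICY_LIBRARY = {"sources": {"camera-01"}, "formats": {"h264-es"}}

def strip_format(video: bytes):
    """Step 1.2: peel the container off V, returning (format name, meta video data Vm)."""
    if video[:4] != MAGIC:
        raise ValueError("unknown video format")
    fmt_len = video[4]
    return video[5:5 + fmt_len].decode(), video[5 + fmt_len:]

def wrap_format(fmt: str, meta: bytes) -> bytes:
    """Step 2.5: re-encapsulate the meta video data Vm into the container format V."""
    return MAGIC + bytes([len(fmt)]) + fmt.encode() + meta

def proxy_encapsulate(video: bytes, source: str, seed=None) -> bytes:
    """Front-end proxy, steps 1.2-1.6: build the proprietary message carrying <Vmi, F, Lm>."""
    rng = random.Random(seed)
    fmt, meta = strip_format(video)
    feature = hashlib.sha256(meta).hexdigest()                       # step 1.3: F (assumed SHA-256)
    label = json.dumps({"source": source, "format": fmt, "feature": feature}).encode()  # 1.5: Lm
    body, pos, seq = b"", 0, 0
    while pos < len(meta):                                           # random chunking of Vm
        if rng.random() < 0.5:                                       # step 1.4: chaff piece Vi (type 0)
            noise = bytes(rng.randrange(256) for _ in range(rng.randint(1, 4)))
            body += struct.pack(">BHH", 0, 0, len(noise)) + noise
        piece = meta[pos:pos + rng.randint(1, 4)]                    # real piece (type 1) with sequence no.
        body += struct.pack(">BHH", 1, seq, len(piece)) + piece
        pos, seq = pos + len(piece), seq + 1
    return b"PRX1" + struct.pack(">H", len(label)) + label + body    # step 1.6: private framing

def isolation_filter(msg: bytes, policy=POLICY_LIBRARY):
    """Isolation filtering module, steps 2.2-2.5: returns (video V or None, status string)."""
    if msg[:4] != b"PRX1":
        return None, "bad-framing"
    (label_len,) = struct.unpack(">H", msg[4:6])
    label = json.loads(msg[6:6 + label_len])                         # step 2.2: parse Lm
    if label["source"] not in policy["sources"] or label["format"] not in policy["formats"]:
        return None, "policy-rejected"                               # filter fails: drop and report
    pos, chunks = 6 + label_len, []
    while pos + 5 <= len(msg):
        kind, seq, n = struct.unpack(">BHH", msg[pos:pos + 5]); pos += 5
        if kind == 1:                                                # step 2.3: drop chaff, keep Vm pieces
            chunks.append((seq, msg[pos:pos + n]))
        pos += n
    meta = b"".join(data for _, data in sorted(chunks))              # reassemble Vm in sequence order
    if hashlib.sha256(meta).hexdigest() != label["feature"]:         # step 2.4: F' != F
        return None, "feature-mismatch"
    return wrap_format(label["format"], meta), "ok"                  # step 2.5: re-encapsulate as V

# Constructed sample: the toy container around a few bytes standing in for an H.264 stream.
SAMPLE_VIDEO = wrap_format("h264-es", b"constructed elementary stream bytes 0123456789")
```

Altering any real piece in transit changes F' and the isolation module discards the message, while a label whose source is not in the policy library is dropped before the payload is even reassembled.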
Finally, it should be noted that the above embodiments are only intended to illustrate, not to limit, the technical solution of the present invention. Although the invention has been described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that the specific embodiments of the invention may still be modified or equivalently replaced, and any modification or equivalent replacement that does not depart from the spirit and scope of the invention shall be covered by the claims of the present invention.

Claims (16)

1. A video security access system based on a proxy and isolation, characterized in that the system comprises a front-end proxy module, a private communication protocol and an isolation filtering module;
the video source is accessed from the external network to the intranet unified monitoring platform through the front-end proxy module, the private communication protocol and the isolation filtering module.
2. The video security access system based on a proxy and isolation as claimed in claim 1, characterized in that the video source client installs video source middleware or a middleware device;
the video source middleware uses a smart USB key supporting the State Cryptography Administration SM2 cryptographic algorithm and performs identity authentication with the front-end proxy apparatus over the TCP/IP protocol; after authentication passes, the middleware sends the video source to the front-end proxy apparatus over the UDP protocol.
3. The video security access system based on a proxy and isolation as claimed in claim 1, characterized in that the front-end proxy apparatus performs authentication and control operations with the video stream client over the TCP/IP protocol, and authenticates the accessing video source on the basis of its user name, IP address and identity certificate information.
4. The video security access system based on a proxy and isolation as claimed in claim 1, characterized in that the system performs comprehensive log auditing of the front-end proxy module and the isolation module, and audits the software and hardware state, the operating information and the administrator operations of the video stream security access device.
5. The video security access system based on a proxy and isolation as claimed in claim 1, characterized in that the system monitors the communication status of the video source in real time, including the identity of the connecting party, the start time of connection establishment and the uploaded and downloaded data volume, and the administrator can interrupt its communication connection at any time as required.
6. A video security access method based on a proxy and isolation, characterized in that the method comprises:
(1) the front-end proxy module authenticates the accessing video source;
(2) the front-end proxy module accesses the video data and parses the video protocol;
(3) feature filtering, scrambling and policy tag addition are performed on the video data;
(4) the video data is reassembled with the private communication protocol and sent to the isolation filtering module;
(5) the isolation filtering module receives the proprietary-protocol-encapsulated video data sent by the front-end proxy module;
(6) the isolation filtering module parses and filters the label;
(7) the video metadata is recovered;
(8) the video metadata is encapsulated in the video format and sent to the intranet unified monitoring platform.
7. The video security access method based on a proxy and isolation as claimed in claim 6, characterized in that said parsing of the video protocol in step (2) comprises parsing the video source into video metadata according to a standard video protocol.
8. The video security access method based on a proxy and isolation as claimed in claim 6, characterized in that step (3) comprises feature filtering, scrambling and tag extraction of the video source, using a specific feature filtering algorithm and filtering rules to filter out invalid packets that do not match the message characteristics of the video source.
9. The video security access method based on a proxy and isolation as claimed in claim 6, characterized in that step (3) comprises adding useless video frames and disturbance information to the video metadata.
10. The video security access method based on a proxy and isolation as claimed in claim 6, characterized in that step (3) comprises extracting the video message, the characteristics of the video message and the management policy as the label information.
11. The video security access method based on a proxy and isolation as claimed in claim 6, characterized in that said reassembly of the video data in step (4) comprises randomly chunking the scrambled video data, encapsulating it together with the label information in the special private communication protocol, and sending it to the isolation filtering module.
12. The video security access method based on a proxy and isolation as claimed in claim 6, characterized in that step (5) comprises the isolation filtering module listening in real time for the video source data sent from the front-end service module after proprietary protocol encapsulation.
13. The video security access method based on a proxy and isolation as claimed in claim 6, characterized in that step (6) comprises parsing the video data according to the special private communication protocol format, removing the scrambling video frames and extracting the label; and filtering the label according to the management policy library, by matching the extracted label against the video data label information and filtering the video accordingly.
14. The video security access method based on a proxy and isolation as claimed in claim 6, characterized in that step (7) comprises parsing the randomly chunked noisy video metadata and recovering the video metadata.
15. The video security access method based on a proxy and isolation as claimed in claim 6, characterized in that step (8) comprises, after the video has passed security filtering, recovering the video data through the normal video protocol and forwarding it to the intranet unified monitoring platform.
16. The video security access method based on a proxy and isolation as claimed in claim 6, characterized in that the front-end proxy apparatus sends the encapsulated video stream data to the isolation apparatus over the TCP/IP protocol; the isolation apparatus listens on a particular port and receives the TCP messages encapsulated in the private format from the front-end proxy apparatus; and the isolation apparatus forwards the recovered video source data to the unified monitoring platform through a UDP port.
CN201410441429.4A 2014-09-01 2014-09-01 Video security access system based on agency and isolation and method of video security access system Pending CN104378657A (en)

Publications (1)

Publication Number Publication Date
CN104378657A true CN104378657A (en) 2015-02-25


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right
Effective date of registration: 20160425
Address after: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing
Applicant after: State Grid Corporation of China; China Electric Power Research Institute; State Grid Smart Grid Institute
Address before: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing
Applicant before: State Grid Corporation of China; China Electric Power Research Institute
CB02 Change of applicant information
Address after: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing
Applicant after: State Grid Corporation of China; China Electric Power Research Institute; GLOBAL ENERGY INTERCONNECTION RESEARCH INSTITUTE
Address before: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing
Applicant before: State Grid Corporation of China; China Electric Power Research Institute; State Grid Smart Grid Institute
COR Change of bibliographic data
RJ01 Rejection of invention patent application after publication
Application publication date: 20150225