Summary of the invention
To remedy the deficiencies of the prior art, the present invention provides a forestry Internet of Things (IoT) system comprising a back-end management client, a back-end management server, an edge computing device and a plurality of IoT devices. The edge computing device is located between the back-end management server and the IoT devices. The edge computing device manages the communication of each category of IoT device associated with each forestry IoT service and analyses and processes the data collected by the IoT devices. The forestry IoT services include forest pest and disease protection, forest fire protection and timber management.
The edge computing device includes a communication module, an authentication module, a controller and a policy enforcement unit. The controller stores and distributes security rules, where each security rule corresponds to one category of IoT device and defines the access rules for IoT devices of that category.
The authentication module, through its tag unit, assigns dimensional labels to IoT devices in a manner associated with their category, so that each dimensional label corresponds to one category of IoT device. A dimensional label has a public key certificate, and the dimensional label is associated with the category of the IoT device and with a forestry IoT service.
The authentication module also receives an authentication key from the TLS endpoint of an IoT device and determines whether the IoT devices of that category have been assigned a dimensional label.
The policy enforcement unit manages, according to the security rules, the communication between the IoT devices and the other devices in the forestry IoT system.
According to a preferred embodiment, if a newly added IoT device belongs to a category of IoT device to which a dimensional label has already been assigned, the tag unit assigns the existing dimensional label to the IoT device; if the newly added IoT device does not belong to a category to which a dimensional label has been assigned, the tag unit generates a new dimensional label based on the authentication key of the IoT device, the authentication key comprising a MAC address and a universally unique identifier.
According to a preferred embodiment, the tag unit generates a public key certificate for the new dimensional label, and the controller assigns a security rule to the new dimensional label.
According to a preferred embodiment, the policy enforcement unit verifies the certificate of a first device and extracts an identifier and a dimensional label from that certificate; the policy enforcement unit retrieves the dimensional label of a second device and compares the require parameter in the dimensional label of the second device with the dimensional label of the first device; if the dimensional labels match, the policy enforcement unit allows communication between the first device and the second device. The first and second devices include IoT devices, the back-end management client and the back-end management server. The first device is typically the device that initiates a communication related to a forestry IoT service, and the second device is typically the device that responds to the initiated forestry IoT service.
According to a preferred embodiment, the dimensional labels related to forest pest and disease protection include environmental sensors, the geographical locations of areas with frequent pest and disease outbreaks and the time periods of high pest and disease incidence; the dimensional labels related to forest fire protection include infrared sensors, temperature sensors, smoke alarms and the like; the dimensional labels related to remote timber management include video monitoring, the geographical location of planned felling, the planned felling time and vehicle identification registration.
According to a preferred embodiment, each security rule is an access rule, and the access rule includes a whitelist. The authentication module may also include a security rule storage unit for storing the security rules.
According to a preferred embodiment, an intelligent IoT gateway is additionally provided between the IoT devices and the edge computing device. The intelligent IoT gateway has a computing unit and memory, and it uses decision logic to prioritise the data according to data type and data content, then forwards the data whose priority exceeds a preset priority to the edge computing device.
The invention has the following advantages:
1. The range of supported forestry IoT services is wide and the categories are many; different security rules can be enforced according to the category of each forestry IoT service, which significantly improves the security of the forestry IoT system.
2. Edge computing is used: the edge computing device at the network edge of the forestry IoT devices performs preliminary processing of the data collected by the IoT devices, which avoids the waste of bandwidth that would be caused by all IoT devices uploading all their data to the back-end management server, reduces bandwidth occupancy and improves the efficiency of classified data transmission.
Specific embodiment
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in more detail below with reference to specific embodiments and the accompanying drawings. It should be understood that these descriptions are merely illustrative and are not intended to limit the scope of the present invention. In addition, in the following description, descriptions of well-known structures and technologies are omitted so as not to unnecessarily obscure the concept of the invention.
As shown in Figure 1, the forestry IoT system of the invention includes a back-end management client, a back-end management server, an edge computing device and a plurality of IoT devices; the edge computing device is located between the back-end management server and the IoT devices. The back-end management client includes devices with communication and computing functions such as smartphones, tablet computers, desktop computers and laptops.
The edge computing device manages the communication of the IoT devices of each category associated with each forestry IoT service and performs preliminary processing of the data collected by the IoT devices; the edge computing device supports the TLS protocol. The edge computing device may be any device with computing capability and communication functions, such as a server or a computer. In the present invention, the "edge" in "edge computing device" refers to being located at the network edge on the IoT device side, which facilitates the classified communication management of the IoT devices and the processing of the data they collect. The preliminary processing performed by the edge computing device specifically includes analysing and filtering the data collected by the IoT devices according to the needs of the forestry IoT services, thereby reducing the load on network bandwidth.
The forestry IoT services include forest pest and disease protection, forest fire protection and remote timber management. The IoT devices include camera devices with communication functions, environmental monitoring devices, temperature sensors, infrared sensors and the like; the IoT devices are usually distributed across the managed forest area that is to be monitored.
The edge computing device includes a communication module, an authentication module, a controller and a policy enforcement unit. The controller stores and distributes security rules, where each security rule corresponds to one category of IoT device and defines the access rules for IoT devices of that category.
The authentication module, through its tag unit, assigns dimensional labels to IoT devices in a manner associated with their category, so that each dimensional label corresponds to one category of IoT device; a dimensional label has a public key certificate, and the dimensional label is associated with the category of the IoT device and of the forestry IoT service.
By way of example, the dimensional labels related to forest pest and disease protection include environmental sensors, the geographical locations of areas with frequent pest and disease outbreaks and the time periods of high pest and disease incidence; the dimensional labels related to forest fire protection include infrared sensors, temperature sensors, smoke alarms and the like; the dimensional labels related to remote timber management include video monitoring, the geographical location of planned felling, the planned felling time and vehicle identification registration.
The authentication module also receives an authentication key from the TLS endpoint of an IoT device and determines whether the IoT devices of that category have been assigned a dimensional label. The policy enforcement unit manages the security rules of the IoT devices, and the IoT devices carry out TLS communication through the policy enforcement unit.
Preferably, if a newly added IoT device belongs to a category of IoT device to which a dimensional label has already been assigned, the tag unit assigns the existing dimensional label to the IoT device. If the newly added IoT device does not belong to a category to which a dimensional label has been assigned, the tag unit generates a new dimensional label based on the authentication key of the IoT device, the authentication key comprising a MAC address and a universally unique identifier. Correspondingly, the tag unit generates a public key certificate for the new dimensional label, and the controller assigns a security rule to the new dimensional label.
Preferably, the policy enforcement unit verifies the certificate of the first device and extracts an identifier and a dimensional label from that certificate; the policy enforcement unit retrieves the dimensional label of the second device and compares the require parameter in the dimensional label of the second device with the dimensional label of the first device; if the dimensional labels match, the policy enforcement unit allows communication between the first device and the second device.
Because forests cover a wide area, and because forestry systems are subject to regulatory requirements in fields such as forest pest and disease protection, forest fire protection and remote timber management, both the number of forestry-related IoT devices and the volume of data to be processed are growing rapidly. If these data were uploaded directly to the back-end management server of the cloud or of the forestry department, the cloud would have to provide a large amount of storage space, and network congestion would easily occur. The present invention uses edge computing technology: an edge computing device is placed at the network edge of the forestry IoT devices, which can not only perform preliminary processing of the data collected by the IoT devices to reduce bandwidth demand and cloud storage load, but can also, through the TLS protocol combined with the specific classification requirements of the forestry IoT services, carry out classified communication management of the IoT devices and thereby significantly improve the communication security of the forestry IoT system. In addition, the present invention can support communication management of newly added forestry IoT devices and therefore has good scalability.
The working principle of the invention is described in detail below:
In the edge computing device, the controller can store a plurality of security rules in its policy engine, and it can generate and distribute security rules.
The authentication module receives an authentication key from the TLS endpoint in each IoT device and can determine whether the category of the IoT device has already been assigned a dimensional label. If a dimensional label is associated with the IoT device, the authentication module returns a certificate carrying the ID and the label to the TLS endpoint associated with that specific IoT device.
Each policy enforcement unit (PEP) is controlled by the controller and enforces the security rules on each IoT device or service. Each policy enforcement unit includes a TLS agent for downloading and implementing the TLS policy. Each IoT device or IoT service is configured to carry out TLS communication through the policy enforcement unit.
In the forestry IoT system, the back-end administrator can first register the authentication key/credential of each new IoT device as part of the forestry IoT architecture, so that the system can subsequently identify each device based on its authentication key/credential. The authentication module includes a tag unit, which can generate new dimensional labels as needed or assign existing dimensional labels to IoT devices or services.
The system assigns a dimensional label to the IoT devices of each category, and the tag unit can also generate and issue public key certificates; the authentication module may also include a security rule storage unit, which manages the security rules enforced by the policy enforcement unit and stores the system security rules sent by the back-end administrator.
When a new IoT device is added to the forestry IoT system, the administrator can configure the newly added IoT device. The configuration method depends on whether the device supports the TLS protocol.
For IoT devices that support TLS, the authentication module can receive an authentication key from each IoT device; this authentication key can be used to identify the ID and the dimensional label assigned to the IoT device. For example, in one embodiment, the authentication key may be the MAC address or the universally unique identifier (UUID) allocated to each IoT device. If the IoT device is not part of an existing IoT device category in the system, the authentication module can generate a certificate carrying the ID and the dimensional label of the IoT device.
Optionally, the policy enforcement unit can also perform filtering and monitoring: when a new IoT device is identified and that new IoT device is assigned a label that cannot be protected, the policy enforcement unit is configured for that IoT device. Communication between IoT devices is controlled by the TLS endpoint and the policy enforcement unit on the basis of the security rule of the specific IoT device.
Devices that do not support TLS can be connected to the edge computing device through an IoT gateway. The IoT gateway has a bridge, and the IoT gateway can use a TLS endpoint to carry out TLS communication on behalf of devices without TLS capability. The IoT gateway and the bridge may be software implementations running on a Linux machine with a communication connection function.
The registration method for IoT devices is specifically as follows. The authentication module of the edge computing device includes a database for storing the authentication keys, IDs and dimensional labels of the IoT devices. The back-end administrator sends a request to the authentication module to request the device registration form; after receiving the registration form, the back-end administrator sends the authentication key, ID and dimensional label of the new IoT device. The authentication module then stores the data about the new IoT device and confirms that the new IoT device can be authenticated and used in the system. If the new IoT device or service has no valid certificate, the new IoT device can start the certificate request process by sending its authentication key and its public encryption key to the authentication module. The authentication module then retrieves the ID and dimensional label associated with the received authentication key, and generates and returns the certificate of the new IoT device or service.
The policy enforcement unit has an endpoint port forwarding setting. When managing communication, the policy enforcement unit extracts the ID and dimensional label from the certificate and determines, on the basis of the security rules, whether communication is permitted. The policy enforcement unit obtains the require parameter from the policy file. If one of the initiator's labels is included in the require parameter, communication is allowed; otherwise, communication is blocked.
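As an added illustration that is not part of the patent text, the following Python sketch models the tag unit's label assignment (reuse of the category's existing label, otherwise a new label derived from the MAC address and UUID) together with the policy enforcement unit's require-parameter check described above. The class names, the SHA-256 derivation of a new label id and the sample devices are assumptions made for this example.

```python
# Added example (not the patent's own code): the tag unit's label assignment and
# the policy enforcement unit's "require" check. Class names, the SHA-256
# derivation of a new label id from MAC + UUID and the sample devices are assumptions.
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class DimensionalLabel:
    label_id: str        # one label per IoT device category
    category: str        # e.g. "smoke_alarm"
    service: str         # forestry IoT service: pest, fire or timber
    require: frozenset   # label ids an initiator must carry to reach this category

@dataclass
class Certificate:
    """Stand-in for the public key certificate carrying the device ID and label."""
    device_id: str
    label_id: str
    valid: bool = True   # outcome of the certificate verification step

class TagUnit:
    """Reuses the category's existing label, or mints one from the auth key."""
    def __init__(self):
        self.labels = {}   # category -> DimensionalLabel
        self.rules = {}    # label_id -> whitelist assigned by the controller

    def register(self, mac, uuid, category, service, require=()):
        if category in self.labels:              # category already labelled
            return self.labels[category]
        # New category: derive the label id from the authentication key (MAC + UUID)
        key = f"{mac}|{uuid}".encode()
        label_id = "L-" + hashlib.sha256(key).hexdigest()[:8]
        label = DimensionalLabel(label_id, category, service, frozenset(require))
        self.labels[category] = label
        self.rules[label_id] = set(require)      # controller assigns the access rule
        return label

    def issue_certificate(self, mac, uuid, category):
        return Certificate(f"{mac}/{uuid}", self.labels[category].label_id)

def pep_allow(initiator_cert, responder_label):
    """PEP: verify the cert, extract the label, compare with the responder's require."""
    if not initiator_cert.valid:
        return False
    return initiator_cert.label_id in responder_label.require

def demo():
    # Constructed sample devices: a management client, two smoke alarms, one camera
    tu = TagUnit()
    client = tu.register("00:11:22:33:44:55", "uuid-client", "mgmt_client", "fire")
    alarm = tu.register("66:77:88:99:aa:bb", "uuid-alarm-1", "smoke_alarm", "fire",
                        require=[client.label_id])
    alarm2 = tu.register("cc:dd:ee:ff:00:11", "uuid-alarm-2", "smoke_alarm", "fire")
    tu.register("22:33:44:55:66:77", "uuid-cam", "camera", "timber")
    client_cert = tu.issue_certificate("00:11:22:33:44:55", "uuid-client", "mgmt_client")
    cam_cert = tu.issue_certificate("22:33:44:55:66:77", "uuid-cam", "camera")
    revoked = Certificate(client_cert.device_id, client_cert.label_id, valid=False)
    return {
        "same_label_reused": alarm is alarm2,           # second alarm reuses the label
        "client_to_alarm": pep_allow(client_cert, alarm),  # label in require: allowed
        "camera_to_alarm": pep_allow(cam_cert, alarm),     # label not in require: blocked
        "invalid_cert": pep_allow(revoked, alarm),         # failed verification: blocked
    }
```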
In a preferred embodiment, an intelligent IoT gateway is additionally provided between the IoT devices and the edge computing device. The intelligent IoT gateway can automatically discover nearby IoT devices and connect to them over wired or wireless communication channels. The communication connection modes supported by the intelligent IoT gateway include cellular networks, Zigbee, Bluetooth, WiFi and NFC.
The intelligent IoT gateway has sufficient computing capability, memory and storage capacity, as well as artificial intelligence, to analyse local data and make decisions at the local level. The intelligent IoT gateway has a computing unit and memory, and the decision logic it uses includes artificial intelligence, video analysis, a rule engine and decision trees.
Instead of retaining all the data and sending it to the edge computing unit, the intelligent IoT gateway uses decision logic to prioritise the data according to data type and data content and creates a reduced data stream in which only selected data, or data of the highest priority, are transmitted.
For example, the intelligent IoT gateway can analyse the video data collected by a camera device among the IoT devices to determine whether the picture content has changed from time T1 to time T2. The intelligent IoT gateway uses a rule engine containing rules; if "the picture content of camera 1 at time T2 is equal to the picture content of camera 1 at time T1", low importance is assigned to the video data at time T1. Depending on the available bandwidth, data identified as low importance can be omitted from transmission, or transmitted later at reduced resolution. Similar analysis can be carried out on sensor data. For example, low-importance data can alternatively be stored locally. Thus the amount by which the total data to be transferred to the edge computing device is reduced may depend on the bandwidth available for uploading the data. In this way, the local intelligent IoT gateway is used to optimise the data selectively, so that less bandwidth is needed to transmit the data without losing important information.
The above description is merely a specific embodiment of the invention; the scope of protection of the present invention is not limited thereto. Any changes or substitutions that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be that defined by the claims.