CN110830419B - Access control method and device for internet protocol camera - Google Patents
Access control method and device for internet protocol camera Download PDFInfo
- Publication number
- CN110830419B CN110830419B CN201810905193.3A CN201810905193A CN110830419B CN 110830419 B CN110830419 B CN 110830419B CN 201810905193 A CN201810905193 A CN 201810905193A CN 110830419 B CN110830419 B CN 110830419B
- Authority
- CN
- China
- Prior art keywords
- access
- control
- camera
- control message
- ipc
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N7/00—Television systems
- H04N7/18—Closed-circuit television [CCTV] systems, i.e. systems in which the video signal is not broadcast
Landscapes
- Engineering & Computer Science (AREA)
- Signal Processing (AREA)
- Multimedia (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
An access control method and device of an internet protocol camera relates to the technical field of video monitoring and is used for simplifying the access control of an IP camera in a video monitoring network. The method comprises the following steps: the access equipment captures at least one control message which accords with the control protocol characteristics of the IP camera according to the IP address range, wherein the at least one control message comprises a first control message; and if the access condition is met, the access equipment allows the IP camera to access the network, wherein the access condition comprises that the first control message is a designated control message.
Description
Technical Field
The present application relates to the field of video surveillance technologies, and in particular, to an access control method and apparatus for an internet protocol camera.
Background
A conventional access control scheme for an Internet Protocol (IP) camera is complicated.
Disclosure of Invention
The application provides an access control method and device of an IP camera, which are used for simplifying the access control of the IP camera in a video monitoring network.
In order to achieve the purpose, the technical scheme is as follows:
in a first aspect, an access control method for an IP camera is provided, the method including: the access equipment captures at least one control message which accords with the control protocol characteristics of the IP camera according to the IP address range, wherein the at least one control message comprises a first control message; the access device allows the IP camera to access the network if an access condition is met, where the access condition includes that the first control message is a specific control message (for example, the specific control message includes a registration success response message in a registration process). In the technical scheme, the access equipment analyzes the control message of the IP camera and allows the IP camera to access the network when the control message of the IP camera meets a certain condition, so that the access control process of the IP camera is simplified, the safety of the network can be ensured, and illegal access of illegal equipment is avoided.
In a possible implementation manner of the first aspect, the at least one control packet includes a plurality of control packets; the access condition further includes that the plurality of control messages are captured by the access device in a specified order. For example, the control messages include a hypertext Transfer Protocol (HTTP) request authentication message and an HTTP response authentication message in a complete authentication stream, and the access device captures the HTTP request authentication message and then captures the HTTP response authentication message. In the possible implementation manner, the accuracy of access control of the IP camera can be further improved, and the safety of the network is further guaranteed.
In a possible implementation manner of the first aspect, the method further includes: if the access equipment also receives one or more control messages of the IP camera which violate the characteristics of the control protocol or if the G2 access condition is not met, the access equipment captures the data message of the IP camera; the access equipment determines the access behavior of the IP camera according to the data message; and the access equipment controls the access of the IP camera according to the access behavior of the IP camera. For example, when the access behavior of the IP camera is normal, the access of the IP camera is permitted, and when the access behavior of the IP camera is abnormal, the access of the IP camera is denied. In the possible implementation manner, the access device implements access control over the IP camera through the access behavior of the IP camera, thereby improving the compatibility of the scheme.
In one possible implementation manner of the first aspect, the compliance control protocol is characterized by: and the port number of a transmission layer corresponding to the opposite terminal equipment in the at least one control message is 80, 5080 or 6060, wherein the IP address of the opposite terminal equipment and the IP address of the IP camera are two IP addresses in the IP header of the at least one control message. In the possible implementation manner, a control protocol feature is provided, and the access device can simply and effectively judge whether the control message of the IP camera meets the protocol specification or not through the control protocol feature.
In a possible implementation manner of the first aspect, the manner for the access device to acquire the control protocol feature and/or the IP address range includes: configured by network staff or issued to the access equipment by the control equipment. In the above possible implementations, several implementations are provided for the access device to obtain the control protocol features and/or the IP address range.
In a possible implementation manner of the first aspect, when the access device allows the access of the IP camera, the access device determines that the IP camera is a legal device; and when the access equipment refuses the access of the IP camera or the IP address of the IP camera does not belong to the IP address range, the access equipment determines that the IP camera is illegal equipment. Optionally, the access device acquires at least one of the MAC address of the IP camera, the access port accessed to the access device, or the physical location, and sends at least one of the validity of the IP camera, the MAC address of the IP camera, the access port accessed to the access device, or the physical location to the control device. In the possible implementation manner, the control device can present the device state information sent by the access device to the network maintenance staff, so that the network maintenance staff can know the network condition in time and maintain the network.
In a second aspect, there is provided an access control apparatus for an IP camera, the apparatus including: the capturing unit is used for capturing at least one control message which accords with the control protocol characteristics of the IP camera according to the IP address range, wherein the at least one control message comprises a first control message; and the control unit is used for allowing the IP camera to access the network if the access condition is met, wherein the access condition comprises that the first control message is a designated control message.
In a possible implementation manner of the second aspect, the at least one control packet includes a plurality of control packets; the access condition further comprises that the plurality of control messages are captured by the capturing unit in a specified order.
In a possible implementation manner of the second aspect, the capturing unit is further configured to capture the data packet of the IP camera if the apparatus further receives one or more control packets of the IP camera that violate a control protocol characteristic; the control unit is also used for determining the access behavior of the IP camera according to the data message; and controlling the access of the IP camera according to the access behavior of the IP camera.
In one possible implementation manner of the second aspect, the compliance control protocol is characterized by: and the port number of a transmission layer corresponding to the opposite terminal equipment in the at least one control message is 80, 5080 or 6060, wherein the IP address of the opposite terminal equipment and the IP address of the IP camera are two IP addresses in the IP header of the at least one control message.
In one possible implementation of the second aspect, the control protocol feature and/or the IP address range is configured by a network operator; alternatively, the apparatus further comprises: and the receiving unit is used for receiving the control protocol features and/or the IP address range sent by the control equipment.
In a third aspect, a network device is provided, where the network device is configured to implement a function of an access device, and the network device includes: a processor, and a memory coupled to the processor, the memory for storing program code that, when executed by the processor, causes the access control device of the IP camera to perform the steps of: capturing at least one control message which accords with the control protocol characteristics of the IP camera according to the IP address range, wherein the at least one control message comprises a first control message; and if the access condition is met, allowing the IP camera to access the network, wherein the access condition comprises that the first control message is a designated control message.
In a possible implementation manner of the third aspect, the at least one control packet includes a plurality of control packets; the access condition further includes that the plurality of control messages are captured by the access device in a specified order.
In a possible implementation manner of the third aspect, the access control device of the IP camera further performs the following steps: if one or more control messages of the IP camera which violate the control protocol characteristics are also received or if the access condition is not met, capturing the data messages of the IP camera; determining the access behavior of the IP camera according to the data message; and controlling the access of the IP camera according to the access behavior of the IP camera.
In a possible implementation manner of the third aspect, the conforming control protocol is characterized by: and the port number of a transmission layer corresponding to the opposite terminal equipment in the at least one control message is 80, 5080 or 6060, wherein the IP address of the opposite terminal equipment and the IP address of the IP camera are two IP addresses in the IP header of the at least one control message.
In a fourth aspect, a chip is provided, where the chip includes a processor and a memory, the memory stores codes and data, and the processor executes the codes in the memory, so that the chip executes the access control method of the IP camera provided in the first aspect or any possible implementation manner of the first aspect.
In a fifth aspect, a readable storage medium is provided, where instructions are stored, and when the readable storage medium is run on a device, the device is caused to execute the access control method of the IP camera provided in the first aspect or any one of the possible implementation manners of the first aspect.
A sixth aspect provides a computer program product for causing a computer to execute the method for controlling access to an IP camera provided in the first aspect or any one of the possible implementations of the first aspect when the computer program product runs on the computer.
It is understood that the apparatus, the computer storage medium, or the computer program product of any one of the above-provided access control methods for an IP camera is used to execute the corresponding methods provided above, and therefore, the beneficial effects achieved by the method can refer to the beneficial effects in the corresponding methods provided above, and are not described herein again.
Drawings
Fig. 1 is an architecture diagram of a video monitoring network according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of an access control method of IPC provided in an embodiment of the present application;
fig. 3 is a schematic diagram of a control protocol feature provided in an embodiment of the present application;
FIG. 4 is a flowchart illustrating another IPC access control method according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an access control apparatus of an IPC according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a network device according to an embodiment of the present application.
Detailed Description
Fig. 1 is a schematic structural diagram of a video monitoring network according to an embodiment of the present application, where the video monitoring network includes a control layer, a convergence layer, an access layer, and multiple IP cameras (IP cameras, IPC) that access the network through the access layer.
The control layer may include a control device and a storage device, where the control device is mainly responsible for unified management and configuration of devices in the video monitoring network, for example, the control device may be used to perform identity authentication on multiple IPCs in the access network; the storage device is mainly used for storing video resources in the video monitoring network. The convergence layer is in communication with the control layer through an IP network, and is mainly used to converge traffic of the access layer and converge the traffic to the control layer, and the convergence layer may include one or more convergence switches, which may generally adopt a manageable triple-layer switch and a stack switch. The access layer is mainly used for access of the IPC and access and isolation of IPC traffic, and may include an Access Router (AR) and/or an access switch, and may further include an Optical Network Unit (ONU), a splitter (splitter), and an Optical Line Terminal (OLT). Each of the multiple IPCs can be used for video shooting, and video resources in a storage device of the control layer can be accessed through the access layer and the convergence layer. In practical application, the IPC may include a mobile phone, a tablet computer, a monitoring camera, and the like, and for convenience of description, the embodiments of the present application are collectively referred to as IPC.
Fig. 2 is a schematic flowchart of an access control method of an IPC according to an embodiment of the present disclosure, where the method can be applied to the video monitoring network shown in fig. 1, and referring to fig. 2, the method includes the following steps.
S201: the access equipment captures at least one control message which accords with the control protocol characteristics of the IPC according to the IP address range, wherein the at least one control message comprises a first control message.
Wherein the access device may be an AR, an access switch, or an ONU. The IP address range is a plurality of IP addresses that the control device assigns to IPCs in the network in advance, and the values of the plurality of IP addresses may be continuous or dispersed. Alternatively, the IP address range may be manually configured to the access device, or the control device may send the IP address range to the access device.
The at least one control message may include a control message sent by the IPC, and/or the first control message of the control message sent to the IPC may be a control message sent by the IPC or a control message sent to the IPC. The opposite terminal device communicating with the IPC can be a control device or a storage device, and the message header of each control message comprises the IP address of the IPC and the IP address of the opposite terminal device. In the control message sent by the IPC to the opposite terminal equipment, the IP address of the IPC is a source IP address, and the IP address of the opposite terminal equipment is a destination IP address; in the control message sent to the IPC by the opposite terminal equipment, the IP address of the IPC is a destination IP address, and the IP address of the opposite terminal equipment is a source IP address.
The Control Protocol feature is used to indicate a port number corresponding to an opposite terminal device in at least one Control message, where the port number is a transport layer Protocol port number, and the transport layer Protocol includes two types, namely a Transmission Control Protocol (TCP) and a User Datagram Protocol (UDP).
Common application layer protocols supported by IPC may include the ONVIF protocol, the GB/T28181 protocol, and the Huacheng SDK protocol. As shown in the table of fig. 3, the port numbers of the transport layer protocols used by different application layer protocols are different, the type of the transport layer protocol corresponding to the ONVIF protocol is TCP, and the port number of the transport layer protocol used is 80; the transport layer protocol types corresponding to the GB/T28181 protocol are TCP and UDP, and the used transport layer protocol port number is 5080; the type of the transport layer protocol corresponding to the Huashi SDK protocol is TCP, and the number of the used transport layer protocol port is 6060.
The above-mentioned application layer protocols supported by the IPC provided in fig. 3 and the port numbers used by the transport layer protocols used by the different application layer protocols are only, for example, with the continuous progress of the technology, the application layer protocols supported by the IPC may also include other protocols, and the port numbers used by the application layer protocols may also be other port numbers of the transport layer protocols.
When one or more IPCs are connected to the access device, each of the one or more IPCs may send a control packet to the access device, where the control packet includes an IP address (i.e., a source IP address) of the IPC and a transport layer port number (i.e., a destination port number) of the peer device. The control device in the video monitoring network may also send a control packet to each IPC of the one or more IPCs through the access device, where the control packet may also include an IP address (i.e., a destination IP address) of the IPC and a transport layer port number (i.e., a source port number) of the control device.
For each control message sent by the IPC to the opposite terminal equipment, when the access equipment receives the control message, the access equipment can acquire a source IP address and a destination port number contained in the control message, and if the source IP address does not belong to the IP address range, the access equipment can determine that the IPC to which the control message belongs is illegal equipment, so that the IPC can be refused to access the network; if the source IP address belongs to the IP address range and the destination port number belongs to one of the port numbers indicated by the control protocol feature (e.g., one of destination port numbers 80, 5080, or 6060), the access device determines that the control message conforms to the control protocol feature; if the source IP address belongs to the IP address range but the destination port number does not belong to the port number indicated by the control protocol characteristic, the access device determines that the control message violates the control protocol characteristic. Similarly, for the control packet sent by the peer device to each IPC, the access device may also determine whether the control packet conforms to the control protocol characteristics according to the above manner, where the difference is that the IP address of the IPC acquired by the access device is the destination IP address in the control packet, and the acquired port number of the transport layer of the peer device is the source port number.
For example, the control protocol feature is used to indicate that the port number corresponding to the peer device is one of 80, 5080, and 6060, and the IP address range is 192.168.2.0 to 192.168.2.255, taking the case where the access device receives one control packet sent by each of 3 IPCs as an example. If the access device analyzes the 1 st IPC sending control message, and the source IP address contained in the control message is 192.168.3.0, the access device may determine that the source IP address of the 1 st IPC does not belong to the IP address range, that is, the 1 st IPC is an illegal device, so that the access device may deny the 1 st IPC access. If the access device analyzes the IPC send control message 2, and obtains that the source IP address contained in the control message is 192.168.2.10 and the destination port number is 5080, the access device may determine that the source IP address of the IPC 2 belongs to the IP address range, and the destination port number 5080 belongs to the control protocol feature, that is, the control message conforms to the control protocol feature. If the access device analyzes the 3 rd IPC sending control message, and obtains that the source IP address contained in the control message is 192.168.2.222 and the destination port number is 90, the access device may determine that the source IP address of the 3 rd IPC belongs to the IP address range, but the destination port number 90 does not belong to the control protocol feature, that is, the control message violates the control protocol feature.
S202: if the access condition is met, the access equipment allows the IPC to which the first control message belongs to access the network. The access condition includes that the first control message is a designated control message.
The designated control message may include one or more types of control messages. When the specified control packet includes one type of control packet, the first control packet is the specified control packet, i.e., the access condition is satisfied. When the designated control message includes a plurality of types of control messages, the first control message is any one type of control message in the designated control message, that is, the access condition is satisfied. If the designated control message includes multiple types of control messages, the access condition may further include that the second control message is any one type of control message in the designated control message. The second control message is another control message except the first control message in the at least one control message.
Further, the accessing condition further includes capturing the plurality of control packets in a designated order. The plurality of control messages are some or all of at least one control message. Capturing the plurality of control packets in the specified order may refer to any of the following: the access equipment captures the control messages only according to a specified sequence, and does not capture other control messages except the control messages; or, the access device captures not only the plurality of control messages but also other control messages except the plurality of control messages according to a specified sequence. The plurality of control packets captured in the designated order may include the first control packet and/or the second control packet.
In one possible implementation manner, the specified control message may include a control message related to an IPC authentication procedure or a control message related to an IPC registration procedure. The specific control packet may be related to an application layer protocol type, that is, the type, the number, and the capturing order of the specific control packet may depend on the application layer protocol type.
For example, the application layer Protocol type is the ONVIF Protocol, the specified control message includes a hypertext Transfer Protocol (HTTP) request authentication message and an HTTP response authentication message, and when the access device captures the HTTP request authentication message first and then captures the HTTP response authentication message (that is, the access device detects a completed authentication procedure of the IPC), the access condition is satisfied. The application layer Protocol type is a GB// T28181 Protocol, the designated control packet is a response packet in which Session Initiation Protocol (SIP) registration is successful, and when the access device captures the response packet, the access condition is satisfied. The application layer protocol type is the SDK protocol, the designated control message comprises a response message which is the SDK protocol registration success, and when the access equipment captures the response message, the access condition is satisfied.
In addition, in the video monitoring network, when there is a scene that the IPC is online first and then online, the IPC that is online first does not execute the IPC authentication procedure or the IPC registration procedure any more, and at this time, the specified control message may be another control message, for example, the specified control message may be a HELLO message or another control message or the like sent to the IPC by the control device.
Specifically, when the access condition is satisfied, the access device allows the IPC to access the network, that is, the IPC can access the video resource in the control layer through the access device, for example, the IPC can read the video resource from the storage device in the control layer or write the video resource into the storage device in the control layer.
Further, referring to fig. 4, the method further includes: S203-S205. S201 and S203 may not be in sequence, and fig. 4 illustrates that S203 is located after S201.
S203: if the access device also receives one or more control messages of the IPC which violate the characteristics of the control protocol or the access condition is not satisfied, the access device captures the data messages of the IPC.
When the access device further receives one or more control messages of the IPC, which violate the characteristics of the control protocol, that is, the access device receives the control messages of the IPC, and the control messages which conform to the characteristics of the protocol and the control messages which violate the characteristics of the control protocol simultaneously exist or the access condition is not satisfied, the control device can capture the data messages of the IPC. The data message of the IPC may include a data message sent by the IPC, and may also include a data message sent by the control device and/or the storage device to the IPC through the access device.
S204: and the access equipment determines the access behavior of the IPC according to the data message.
The access device may analyze the data packet to obtain the access frequency and/or the access purpose of the IPC. For example, the access frequency of the IPC is determined according to the sending and receiving time of the data message, the sending and receiving time interval of the adjacent data message, or the access purpose of the IPC is determined according to the type of the data message, if the access frequency and/or the access purpose of the IPC are normal, that is, the access behavior of the IPC is normal, if the access frequency and/or the access purpose of the IPC are abnormal, that is, the access behavior of the IPC is abnormal.
S205: the access equipment controls the access of the IPC according to the access behavior of the IPC.
If the access behavior of the IPC is normal, the access device can allow the IPC to access the network, and if the access behavior of the IPC is abnormal, the access device can deny the IPC from accessing the network, for example, the access device can directly close the corresponding access port of the IPC.
Further, after S201, if all the control messages received by the access device for a certain IPC do not conform to the protocol feature, the access device may determine that the IPC is an illegal device; if all the control messages of a certain IPC received by the access equipment conform to the protocol characteristics, the access equipment can determine that the IPC is legal equipment; if the access device receives a part of control messages of an IPC that conforms to the protocol characteristics and another part of control messages conforms to the protocol characteristics (for example, the situation referred to in S203), and the access device cannot determine that the IPC is a legal device or an illegal device (that is, the validity of the IPC is unknown), the access device may determine the validity of the IPC according to S204 and S205, that is, determine that the IPC is a legal device when the access behavior of the IPC is normal, and determine that the IPC is an illegal device when the access behavior of the IPC is abnormal.
In addition, the Access device can also obtain a Media Access Control (MAC) address of the IPC, an Access port and a physical location of the Access device, and send one or more of the legality, the MAC address, the Access port or the physical location of the IPC to the Control device, so that the Control device presents the device state information of the IPC to a network maintainer, and the network maintainer can know the network state and maintain the network in time, thereby improving the security of the network.
In the embodiment of the application, the access device captures at least one control message which accords with the control protocol characteristics of the IPC according to the IP address range, wherein the at least one control message comprises a first control message, and when the first control message meets the access condition, the IPC to which the first control message belongs is allowed to access the network, so that a simple and effective IPC access control scheme is provided, meanwhile, the security of the network can be ensured, and the illegal access of illegal devices is avoided.
The above description mainly introduces the scheme provided in the embodiment of the present application from the perspective of the access device. It will be appreciated that the access device, in order to carry out the above-described functions, may comprise corresponding hardware structures and/or software modules for performing the respective functions. Those of skill in the art would readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or computer software drives hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiment of the present application, the access device may be divided into the functional modules according to the above method example, for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The functional modules can be realized in a hardware form, and can also be realized in a software functional module form. It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and there may be another division manner in actual implementation. The following description will be given by taking the division of each functional module by corresponding functions as an example:
fig. 5 shows a schematic diagram of a possible structure of the access control device of the IPC according to the above-described exemplary embodiment, in the case of an integrated unit. The apparatus may be an access device or a chip built in the access device, and includes: a capturing unit 301 and a control unit 302. Wherein the capturing unit 301 is configured to support the apparatus to perform one or more steps of S201 and S203 in the above embodiments; the control unit 302 is used to support the apparatus to perform S202, S204, and/or S205 in the above-described embodiments. Further, the apparatus may further include: a receiving unit 303 and a transmitting unit 304; the receiving unit 303 is configured to support the apparatus to receive a control packet and a data packet from the IPC and receive a control packet from the peer device; the sending unit 304 is used to support the apparatus to send the device status information to the control device. All relevant contents of each step related to the above method embodiment may be referred to the functional description of the corresponding functional module, and are not described herein again.
Based on the hardware implementation, the capturing unit 301 and the control unit 302 may be processors, the receiving unit 303 may be a receiver, the transmitting unit 304 may be a transmitter, and the receiver and the transmitter may be integrated into a transceiver, which may also be referred to as a communication interface.
Fig. 6 is a schematic diagram of a possible structure of a network device according to an embodiment of the present application, where the network device is used to implement the function of an access device. The network device includes: a memory 401 and a processor 402. The memory 401 is used for storing the program codes and data of the apparatus, the processor 402 is used for controlling and managing the operation of the network device shown in fig. 6, and for example, the processor 402 is used for executing the steps of processing messages or data on the network device side shown in fig. 6. For example, processor 402 supports the network device shown in fig. 6 to perform S201-S205 in the above-described method embodiments, and/or other processes for the techniques described herein. Optionally, the network device shown in fig. 6 may further include a communication interface 403, where the communication interface 403 is configured to support the network device shown in fig. 6 to perform one or more steps of receiving a control packet and a data packet from the IPC, receiving a control packet from a peer device, and sending device status information to the control device in the foregoing method embodiment.
The processor 402 may be a central processing unit, a general purpose processor, a digital signal processor, an application specific integrated circuit, a processing chip, a field programmable gate array or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. Which may implement or perform various ones of the logic blocks, modules, and circuits described in connection with the disclosure of the embodiments of the application. Processor 402 may also be a combination implementing computing functionality, e.g., a combination comprising one or more microprocessors, a digital signal processor and a microprocessor, or the like. The communication interface 403 may be a transceiver, a transceiving circuit or a transceiving interface, etc. The memory 401 may be a volatile memory, a nonvolatile memory, or the like.
For example, the communication interface 403, the processor 402, and the memory 401 are connected to each other by a bus 404; the bus 404 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus 404 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 6, but this is not intended to represent only one bus or type of bus.
Optionally, the memory 401 may be included in the processor 402.
The methods provided by the embodiments of the present application may be implemented in whole or in part by software, hardware, or a combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded and executed on a computer, cause the processes or functions described in accordance with the embodiments of the application to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, a network appliance or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, twisted pair) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any medium that can be accessed by a computer or a data storage device, including one or more media integrated servers, data centers, and the like. The media may be magnetic media (e.g., floppy disks, hard disks, magnetic tape), optical media (e.g., compact disks), or semiconductor media (e.g., Solid State Disks (SSDs)), among others.
The above description is only an embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions within the technical scope of the present disclosure should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (9)
1. An access control method for an internet protocol, IP, camera, the method comprising:
the access equipment captures at least one control message which accords with the control protocol characteristics of the IP camera according to the IP address range, wherein the at least one control message comprises a first control message;
if the access condition is met, the access equipment allows the IP camera to access the network, and the access condition comprises that the first control message is a designated control message;
the at least one control message comprises a plurality of control messages; the access condition further includes that the plurality of control packets are captured by the access device in a specified order.
2. The access control method of an IP camera according to claim 1, characterized by further comprising:
if the access equipment also receives one or more control messages of the IP camera which violate the control protocol characteristics or if the access conditions are not met, the access equipment captures the data messages of the IP camera;
the access equipment determines the access behavior of the IP camera according to the data message;
and the access equipment controls the access of the IP camera according to the access behavior of the IP camera.
3. The access control method of an IP camera according to claim 1 or 2, characterized in that conforming to the control protocol features: the port number of a transport layer corresponding to the opposite terminal device in the at least one control message is 80, 5080 or 6060, wherein the IP address of the opposite terminal device and the IP address of the IP camera are two IP addresses in an IP header of the at least one control message.
4. An access control apparatus of an internet protocol IP camera, the apparatus comprising:
the device comprises a capturing unit, a judging unit and a judging unit, wherein the capturing unit is used for capturing at least one control message which accords with the characteristics of a control protocol of an IP camera according to an IP address range, and the at least one control message comprises a first control message;
a control unit, configured to allow the IP camera to access a network if an access condition is met, where the access condition includes that the first control packet is a designated control packet;
the at least one control message comprises a plurality of control messages; the access condition further comprises that the plurality of control messages are captured by the capturing unit in a specified order.
5. The IP camera access control device according to claim 4,
the capturing unit is further configured to capture a data packet of the IP camera if the device further receives one or more control packets of the IP camera that violate the control protocol feature or if the access condition is not satisfied;
the control unit is further configured to determine an access behavior of the IP camera according to the data packet; and controlling the access of the IP camera according to the access behavior of the IP camera.
6. The access control device of an IP camera according to claim 4 or 5, characterized in that conforming to the control protocol features: the port number of a transport layer corresponding to the opposite terminal device in the at least one control message is 80, 5080 or 6060, wherein the IP address of the opposite terminal device and the IP address of the IP camera are two IP addresses in an IP header of the at least one control message.
7. A network device, comprising: a processor and a memory for storing executable instructions of the processor; wherein the processor is configured to support the network device to perform the access control method of the IP camera according to any one of claims 1 to 3.
8. A storage medium characterized in that instructions in the storage medium, when executed by a processor of an access device, enable the access device to execute the access control method of an IP camera according to any one of claims 1 to 3.
9. A computer program product, characterized in that, when the computer program product is run on a computer, it causes the computer to execute the access control method of an IP camera according to any one of claims 1 to 3.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810905193.3A CN110830419B (en) | 2018-08-09 | 2018-08-09 | Access control method and device for internet protocol camera |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810905193.3A CN110830419B (en) | 2018-08-09 | 2018-08-09 | Access control method and device for internet protocol camera |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110830419A CN110830419A (en) | 2020-02-21 |
| CN110830419B true CN110830419B (en) | 2021-05-18 |
Family
ID=69541028
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810905193.3A Active CN110830419B (en) | 2018-08-09 | 2018-08-09 | Access control method and device for internet protocol camera |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110830419B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111988576B (en) * | 2020-08-31 | 2023-02-10 | 深圳市新龙鹏科技有限公司 | PON (passive optical network) network camera access control method, device, equipment and storage medium |
| CN112689167A (en) * | 2020-12-18 | 2021-04-20 | 杭州迪普科技股份有限公司 | Method and device for detecting change of network camera |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101383818A (en) * | 2007-09-05 | 2009-03-11 | 华为技术有限公司 | Processing method and device for access network |
| CN102932263A (en) * | 2012-06-29 | 2013-02-13 | 浙江宇视科技有限公司 | Access terminal |
| CN103209318A (en) * | 2013-03-05 | 2013-07-17 | 浙江宇视科技有限公司 | Internet protocol camera |
| CN103973712A (en) * | 2014-05-29 | 2014-08-06 | 段超 | Access control method and device for network data |
| CN104105096A (en) * | 2014-07-28 | 2014-10-15 | 浙江宇视科技有限公司 | Wireless access method of internet protocol camera (IPC) devices |
| CN204859405U (en) * | 2015-07-24 | 2015-12-09 | 浙江宇视科技有限公司 | Network digital video recorder based on NFC carries out internet protocol camera and inserts |
| CN105939294A (en) * | 2015-09-06 | 2016-09-14 | 杭州迪普科技有限公司 | Message control method and device |
| CN106657891A (en) * | 2016-11-04 | 2017-05-10 | 南京物联传感技术有限公司 | Gateway type intelligent video camera |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9953182B2 (en) * | 2015-09-29 | 2018-04-24 | International Business Machines Corporation | Inter-process access control |
-
2018
- 2018-08-09 CN CN201810905193.3A patent/CN110830419B/en active Active
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101383818A (en) * | 2007-09-05 | 2009-03-11 | 华为技术有限公司 | Processing method and device for access network |
| CN102932263A (en) * | 2012-06-29 | 2013-02-13 | 浙江宇视科技有限公司 | Access terminal |
| CN103209318A (en) * | 2013-03-05 | 2013-07-17 | 浙江宇视科技有限公司 | Internet protocol camera |
| CN103973712A (en) * | 2014-05-29 | 2014-08-06 | 段超 | Access control method and device for network data |
| CN104105096A (en) * | 2014-07-28 | 2014-10-15 | 浙江宇视科技有限公司 | Wireless access method of internet protocol camera (IPC) devices |
| CN204859405U (en) * | 2015-07-24 | 2015-12-09 | 浙江宇视科技有限公司 | Network digital video recorder based on NFC carries out internet protocol camera and inserts |
| CN105939294A (en) * | 2015-09-06 | 2016-09-14 | 杭州迪普科技有限公司 | Message control method and device |
| CN106657891A (en) * | 2016-11-04 | 2017-05-10 | 南京物联传感技术有限公司 | Gateway type intelligent video camera |
Also Published As
| Publication number | Publication date |
|---|---|
| CN110830419A (en) | 2020-02-21 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9515995B2 (en) | Method and apparatus for network address translation and firewall traversal | |
| CN110611723B (en) | Scheduling method and device of service resources | |
| US10044812B2 (en) | Communication device, terminal device, and computer program product | |
| CN111083102A (en) | Internet of things data processing method, device and equipment | |
| US10673724B2 (en) | Application peering | |
| CN111526132B (en) | Attack transfer method, device, equipment and computer readable storage medium | |
| US8514845B2 (en) | Usage of physical layer information in combination with signaling and media parameters | |
| CN113206814B (en) | Network event processing method and device and readable storage medium | |
| US20220263823A1 (en) | Packet Processing Method and Apparatus, Device, and Computer-Readable Storage Medium | |
| CN105635084A (en) | Apparatus and method for authenticating terminal | |
| US9032487B2 (en) | Method and system for providing service access to a user | |
| JP2023532924A (en) | Ensuring Separation of Control and User Planes in Mobile Networks | |
| CN109889521B (en) | Memory, communication channel multiplexing implementation method, device and equipment | |
| CN110830419B (en) | Access control method and device for internet protocol camera | |
| CN113271299B (en) | Login method and server | |
| CN109561049B (en) | Dynamic access method and device based on monitoring service | |
| CN113765846A (en) | Intelligent detection and response method and device for network abnormal behavior and electronic equipment | |
| CN114390049A (en) | Application data acquisition method and device | |
| US11082309B2 (en) | Dynamic and interactive control of a residential gateway connected to a communication network | |
| CN108064441B (en) | Method and system for accelerating network transmission optimization | |
| KR101426464B1 (en) | Apparatus and method extraction qos parameter in mobile equipment | |
| WO2016197993A1 (en) | Router, mobile terminal, and alarm information sending method, and alarm information receiving method | |
| CN113162922B (en) | Client data acquisition method and device, storage medium and electronic equipment | |
| CN105915565B (en) | Authentication method, device and system | |
| US20150089058A1 (en) | System and method for software defined adaptation of broadband network gateway services |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |