CN112261658B - Terminal and terminal use method - Google Patents

Publication number: CN112261658B
Application number: CN202010917005.6A
Authority: CN (China)
Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN112261658A
Related publication: US20220067128A1 (priority to US17/466,041)
Inventors: 李金星, 郭紫仁, 左富农
Current and original assignee: Fulian Intelligent Workshop Zhengzhou Co Ltd (as listed by Google Patents)
Prior art keywords: terminal, function, network, instruction, permission message
Landscapes: Telephonic Communication Services (AREA)

Abstract

The application discloses a terminal and a terminal use method. The terminal responds to information from a management and control device by controlling its display to show the set of functions it is permitted to use, or by accepting a request to use a function and prohibiting that function when it is not permitted. This prevents specific functions from being used illegally within a management and control area and further reduces the risk of disclosure.

Description

Terminal and terminal use method
Technical Field
The application relates to the field of terminal security control, in particular to a terminal security control apparatus, a terminal security control method, a terminal, and a terminal use method.
Background
In smart manufacturing plants or in strictly confidential control areas, such as closed plants, mobile terminals (PDAs, tablets, notebooks, etc.) are usually subject to control, typically by limiting the use of cameras, Bluetooth, Wi-Fi and the like. Once a mobile terminal can connect to a network or be brought out of a controlled area, disclosure becomes likely and the security risk increases substantially. A factory therefore typically issues dedicated industrial terminals to staff who need to use a terminal in a controlled region, and the interior of the factory may be divided into multiple controlled regions with different control requirements. Effectively managing the industrial terminal across multiple management and control areas, so that each area permits the terminal to use a different function set, is therefore important for improving working efficiency and reducing the risk of leakage.
Disclosure of Invention
In view of the above, it is necessary to provide a terminal security management and control apparatus and method.
The terminal security management and control apparatus includes: a communicator for receiving first networking information sent by the terminal; and a processor, coupled to the communicator, for determining, according to the first networking information, the grade of a first network to which the terminal is connected as a first grade, and for forming a first permission message according to the first grade, wherein the first permission message includes an instruction permitting the terminal to use a first function. The communicator is further configured to send the first permission message to the terminal to permit the terminal to use the first function.
Further, the communicator is further configured to receive identity information sent by the terminal, and the processor is further configured to: determine that the identity information matches preset identity information; form a function list for the terminal on the basis of that match; and form the first permission message according to the first grade and the function list.
Further, the communicator is further configured to receive second networking information sent by the terminal, and the processor is further configured to: determine, according to the second networking information, the grade of a second network to which the terminal is connected as a second grade; and form a second permission message according to the second grade, wherein the second permission message does not contain an instruction permitting the terminal to use the first function. The communicator is further configured to send the second permission message to the terminal to deny the terminal the use of the first function.
Further, the first permission message does not include a second instruction permitting the terminal to use a second function. The communicator is further configured to receive an exception record from the terminal, the exception record including a second enabling request of the terminal for the second function. The processor is further configured to determine, from the request for the second function and the instruction, that the terminal has been operated illegally, and to form an alarm message.
Further, the processor is further configured to form, according to the alarm message, a positioning instruction that permits the terminal to use only a positioning function. The communicator is further configured to send the positioning instruction to the terminal and, having sent it, to receive positioning information sent by the terminal.
Further, the communicator is further configured to send an inquiry command to the terminal and, having sent it, to receive third networking information sent by the terminal. The processor is further configured to determine, according to the third networking information, the grade of a third network to which the terminal is connected as a third grade, and to form a third permission message according to the third grade. The communicator is further configured to send the third permission message to the terminal.
Further, the communicator is further configured, having sent the third permission message to the terminal, to receive a security record sent by the terminal. The processor is further configured to determine from the security record that the terminal has been operated illegally. The communicator is further configured, on the basis of that illegal operation, to send a clearing instruction instructing the terminal to clear the data exchanged while the terminal was connected to the first network.
The application also includes a terminal security management and control method, including: receiving first networking information sent by a terminal; determining, according to the first networking information, the grade of a first network to which the terminal is connected as a first grade; forming a first permission message according to the first grade, wherein the first permission message includes an instruction permitting the terminal to use a first function; and sending the first permission message to the terminal to permit the terminal to use the first function.
Further, the step of forming the first permission message includes: receiving identity information sent by the terminal; determining that the identity information matches preset identity information; forming a function list for the terminal on the basis of that match; and forming the first permission message according to the first grade and the function list.
Further, the method includes: receiving second networking information sent by the terminal; determining, according to the second networking information, the grade of a second network to which the terminal is connected as a second grade; forming a second permission message according to the second grade, wherein the second permission message does not contain an instruction permitting the terminal to use the first function; and sending the second permission message to the terminal to deny the terminal the use of the first function.
Further, the first permission message does not include a second instruction permitting the terminal to use a second function, and the method further includes: receiving an exception record from the terminal, the exception record including a second enabling request of the terminal for the second function; and determining, according to the request for the second function and the second instruction, that the terminal has been operated illegally, so as to form an alarm message.
Further, the method includes: forming, according to the alarm message, a positioning instruction that permits the terminal to use only a positioning function; sending the positioning instruction to the terminal; and, having sent it, receiving positioning information sent by the terminal.
Further, the method includes: sending an inquiry command to the terminal; having sent it, receiving third networking information sent by the terminal; determining, according to the third networking information, the grade of a third network to which the terminal is connected as a third grade; forming a third permission message according to the third grade; and sending the third permission message to the terminal.
Further, the method includes: having sent the third permission message to the terminal, receiving a security record sent by the terminal; determining from the security record that the terminal has been operated illegally; and, on the basis of that illegal operation, sending a clearing instruction instructing the terminal to clear the data exchanged while it was connected to the first network.
The application also includes a terminal comprising: a communicator for connecting to a first network and sending first networking information to the management and control device, and for receiving, in response to the first networking information, a first permission message from the management and control device, wherein the first permission message includes a first instruction permitting the terminal to use a first function; and a processor, coupled to the communicator, for receiving a first enabling request for the first function and enabling the first function according to the first enabling request and the first instruction.
Further, the terminal further comprises a display coupled to the processor, and the processor is further configured to display a user interaction interface of the first function according to the first instruction.
Further, the first permission message does not include a second instruction permitting the terminal to use a second function, and the processor is further configured to prohibit enabling the second function on the basis that the first permission message includes no instruction permitting the terminal to use the second function.
Further, the first permission message does not include a second instruction permitting the terminal to use a second function, and the processor is further configured to receive a second enabling request for the second function and to reject it on the basis that the first permission message includes no second instruction permitting the terminal to use the second function.
Further, the processor is further configured to form an exception record according to the second enabling request and the fact that the first permission message includes no second instruction permitting the terminal to use the second function, and the communicator is further configured to send the exception record to the management and control device.
Further, the communicator is further configured to switch its connection to a second network and send second networking information to the management and control device, and to receive, in response to the second networking information, a second permission message from the management and control device, wherein the second permission message includes a second instruction permitting the terminal to use the second function. The processor is further configured to receive a second enabling request for the second function and to enable the second function according to the second enabling request and the second instruction.
Further, the processor is further configured, on switching from the first network to the second network, to clear the interaction data stored by the terminal while it was connected to the first network.
Also provided is a terminal use method, comprising: connecting to a first network and sending first networking information to the management and control device; receiving, in response to the first networking information, a first permission message from the management and control device, wherein the first permission message includes a first instruction permitting the terminal to use a first function; receiving a first enabling request for the first function; and enabling the first function according to the first enabling request and the first instruction.
Further, a user interaction interface of the first function is displayed according to the first instruction.
Further, the first permission message does not include a second instruction permitting the terminal to use a second function, and enabling of the second function is prohibited on the basis that the first permission message includes no instruction permitting the terminal to use the second function.
Further, the first permission message does not include a second instruction permitting the terminal to use a second function; a second enabling request for the second function is received and rejected on the basis that the first permission message includes no second instruction permitting the terminal to use the second function.
Further, an exception record is formed according to the second enabling request and the fact that the first permission message includes no second instruction permitting the terminal to use the second function, and the exception record is sent to the management and control device.
Further, the connection is switched to a second network and second networking information is sent to the management and control device; a second permission message is received from the management and control device in response, wherein the second permission message includes a second instruction permitting the terminal to use the second function; a second enabling request for the second function is received; and the second function is enabled according to the second enabling request and the second instruction.
Further, on switching from the first network to the second network, the interaction data stored by the terminal while it was connected to the first network is cleared.
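The apparatus and method described above (the management and control device that grades the network and issues permission messages, and the terminal that enables only permitted functions, reports exception records, accepts a positioning instruction and clears data on a network switch) can be modelled end to end. The following is an added example written for this page, not code from the patent or its assignee. Network names, grades, function names, the identity table and the shared key are constructed for illustration, and the HMAC tag on each message is an assumption the patent text does not state; it is included because a terminal that enforces a permission list should be able to tell a genuine message from a forged one.

```python
"""Added example, not code from the patent: a minimal model of the exchange
between the management and control device and the terminal.  All names,
grades, identities and the key below are constructed for illustration."""
import hashlib
import hmac
import json

# Constructed policy tables. Grade 1 is the most restrictive control area.
NETWORK_GRADES = {"PLANT-SECURE": 1, "PLANT-OFFICE": 2, "PLANT-GUEST": 3}
GRADE_FUNCTIONS = {
    1: {"scanner"},
    2: {"scanner", "wifi"},
    3: {"scanner", "wifi", "camera", "bluetooth"},
}
# Preset identity information -> function list for that person (constructed).
PRESET_IDENTITIES = {"worker-0017": {"scanner", "camera", "wifi"}}
SHARED_KEY = b"constructed-demo-key"  # assumption: a pre-shared key per terminal


def sign(body):
    """Wrap a message body with an HMAC tag so the terminal can reject forgeries."""
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(SHARED_KEY, raw, hashlib.sha256).hexdigest()}


class ManagementDevice:
    def __init__(self):
        self.alarms = []

    def network_grade(self, networking_info):
        # An unknown network gets the most restrictive grade: fail closed.
        return NETWORK_GRADES.get(networking_info.get("ssid"), 1)

    def permission_message(self, networking_info, identity):
        grade = self.network_grade(networking_info)
        allowed = set(GRADE_FUNCTIONS[grade])
        # Identity must match preset identity information; otherwise permit nothing.
        allowed &= PRESET_IDENTITIES.get(identity, set())
        return sign({"grade": grade, "permit": sorted(allowed)})

    def handle_exception_record(self, record, current_message):
        """Decide whether the recorded request was an illegal operation."""
        permitted = current_message["body"]["permit"] if current_message else []
        if record["requested"] in permitted:
            return None
        self.alarms.append({"terminal": record["terminal"], "function": record["requested"]})
        # Positioning instruction: only the positioning function stays usable.
        return sign({"grade": None, "permit": ["positioning"]})


class Terminal:
    def __init__(self, terminal_id, identity, device):
        self.id = terminal_id
        self.identity = identity
        self.device = device
        self.permission = None
        self.enabled = set()
        self.interaction_data = []
        self.exception_records = []

    def accept_message(self, message):
        """Verify the tag, then adopt the message as the current permission."""
        expected = sign(message["body"])["tag"]
        if not hmac.compare_digest(expected, message["tag"]):
            raise ValueError("message failed authentication")
        self.permission = message
        self.enabled.clear()
        return list(message["body"]["permit"])  # the function set the display shows

    def connect(self, networking_info):
        """Send networking information and apply the permission message returned."""
        return self.accept_message(self.device.permission_message(networking_info, self.identity))

    def switch_network(self, networking_info):
        # Clear data exchanged on the previous network before joining the new one.
        self.interaction_data.clear()
        return self.connect(networking_info)

    def request_enable(self, function):
        """Enable only functions the current permission message names."""
        if self.permission and function in self.permission["body"]["permit"]:
            self.enabled.add(function)
            return True
        record = {"terminal": self.id, "requested": function}
        self.exception_records.append(record)
        instruction = self.device.handle_exception_record(record, self.permission)
        if instruction:
            self.accept_message(instruction)
        return False


if __name__ == "__main__":
    dev = ManagementDevice()
    t = Terminal("T-01", "worker-0017", dev)
    print("office network permits:", t.connect({"ssid": "PLANT-OFFICE"}))
    print("camera enabled?", t.request_enable("camera"), "alarms:", dev.alarms)
```

Two choices matter for a defender. The function list is the intersection of what the network grade allows and what the preset identity allows, so neither a permissive network nor a permissive identity alone widens the set; and an unknown network or unknown identity yields the most restrictive result rather than an empty policy that a terminal might treat as "no restrictions".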
According to the terminal security management and control apparatus and method, networks are classified by grade: the grade of the network to which the terminal is connected is determined, a function-use restriction corresponding to that grade is formed, and it is sent to the terminal so as to manage and control which functions the terminal may use. Because terminals are managed according to the characteristics of the network they connect to in each of a plurality of management and control areas, different areas permit the terminal to use different function sets, which improves working efficiency and reduces the risk of leakage.
The terminal and the terminal use method are also provided: by responding to information from the management and control device, the terminal controls its display to show the function set it is permitted to use, or accepts a request to use a function and prohibits that function from being used, so that specific functions are prevented from illegal use within the management and control area and the risk of disclosure is further reduced.
Drawings
Fig. 1 presents an example of an operating environment for a management and control system in accordance with one or more embodiments of the present application.
Fig. 2 illustrates an example of an operating environment for managing system physical process domains and digital copy domains in accordance with one or more embodiments of the present application.
Fig. 3 presents an example of a terminal security management apparatus in accordance with one or more embodiments of the present application.
Fig. 4 presents an example of a license module of a terminal security management apparatus in accordance with one or more embodiments of the present application.
Fig. 5 presents an example of a terminal in accordance with one or more embodiments of the present application.
Fig. 6 presents an example of a response module of a terminal in accordance with one or more embodiments of the present application.
Fig. 7A-7F illustrate respective examples for terminal security management in accordance with one or more embodiments of the present application.
The following detailed description will further illustrate the application in conjunction with the above-described figures.
Detailed Description
The following description of the technical solutions in the embodiments of the present application will be made clearly and completely with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
It will be understood that when an element or component is referred to as being "connected" to another element or component, it can be directly connected to the other element or component or intervening elements or components may also be present. When an element or component is referred to as being "disposed on" another element or component, it can be directly on the other element or component or intervening elements or components may also be present.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used in the description of the present application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. The term "and/or" as used herein encompasses any and all combinations of one or more of the associated listed items.
Various embodiments of the present application may take the form of an entirely or partially hardware embodiment, an entirely or partially software embodiment, or a combination of software and hardware (e.g., a firmware embodiment). Furthermore, as described herein, various embodiments (e.g., systems and methods) of the present application may take the form of a computer program product containing a computer-readable non-transitory storage medium having computer-accessible instructions (e.g., computer-readable and/or computer-executable instructions) such as computer software encoded or embodied in such storage medium.
These instructions may be read or accessed and executed by one or more processors to perform or enable performance of the operations described herein. The instructions may be provided in any suitable form, for example, source code, compiled code, interpreted code, executable code, static code, dynamic code, assembly code, a combination of the foregoing, and the like. Any suitable computer readable non-transitory storage medium may be utilized to form a computer program product. For example, a computer-readable medium may comprise any tangible, non-transitory medium for storing information in a form readable or otherwise accessible by one or more computers or processors functionally coupled thereto. The non-transitory storage medium may be implemented as or may contain ROM; a RAM; a magnetic disk storage medium; an optical storage medium; flash memory, etc.
At least some implementations of operating environments and techniques are described herein with reference to block diagrams and flowcharts of methods, systems, devices, and computer program products. It will be understood that each block of the block diagrams and flowchart illustrations, and combinations of blocks in the block diagrams and flowchart illustrations, respectively, can be implemented by computer-accessible instructions. In some implementations, the computer-accessible instructions may be loaded onto or incorporated into a general purpose computer, special purpose computer, or other programmable information processing apparatus to produce a particular machine, such that the operations or functions specified in the flowchart block or blocks are implemented in response to execution at the computer or processing apparatus.
Any arrangement, program, process, or technique presented herein should in no way be construed as requiring that its acts or steps be performed in a particular order, unless expressly indicated otherwise. Accordingly, when a process or method claim does not actually recite an order to be followed by its acts or steps, or it is not otherwise specifically recited in the claims or descriptions of the subject disclosure that the steps are to be limited to a specific order, it is in no way intended that the order be inferred, in any respect. This applies to any possible non-explicit basis for interpretation, including: logic matters concerning the arrangement of steps or operational flows; plain meaning from grammatical organization or punctuation; the number or type of embodiments described in the specification or drawings, etc.
As used in this application, the terms "environment," "system," "engine," "module," "member," "architecture," "interface," "unit," and the like are intended to refer to a computer-related entity or entity related to an operating device having one or more defined functionalities. The terms "environment," "system," "engine," "module," "member," "architecture," "interface," and "unit" are used interchangeably and may refer to functional elements in general. Such an entity may be hardware, a combination of hardware and software, or software in execution. For example, a module may be implemented as a process running on a processor, an object, an executable portion of software, a thread of execution, a program, and/or a computing device. As another example, both a software application executing on a computing device and the computing device may be implemented as modules. For another example, one or more modules may reside within a process and/or thread of execution. A module may be located on one computing device or distributed between two or more computing devices. As disclosed herein, modules may be executed from various computer-readable non-transitory storage media having various data structures stored thereon. The modules may communicate via local and/or remote processes in accordance with a signal (analog or digital) having one or more data packets (e.g., data from one component interacting with another component in a local system, distributed system, and/or across a wide area network such as with other systems via the signal).
For another example, a module may be implemented as or may comprise a device having defined functionality provided by mechanical components operated by circuitry or electronic circuitry controlled by a software application or firmware application executed by a processor. Such a processor may be internal or external to the device and may execute at least a portion of a software or firmware application. For another example, a module may be implemented as or may contain equipment that provides a defined function through electronic components without mechanical components. The electronic component may include a processor to execute software or firmware that allows or at least partially facilitates the functionality of the electronic component.
In some implementations, the modules may communicate via local and/or remote processes in accordance with a signal (analog or digital) having one or more data packets (e.g., data from a component interacting with another component in a local system, distributed system, and/or across a wide area network such as with other systems via the signal). Additionally, or in other embodiments, the modules may communicate or otherwise be coupled by thermal, mechanical, electrical, and/or electromechanical coupling mechanisms (e.g., conduits, connectors, combinations thereof, etc.). The interface may include Input/Output (I/O) components and associated processors, applications, and/or other programming components.
As used in this application, the term "communicator" may refer to any type of communication circuit or device. The communicator may be implemented as or may comprise several types of network elements, including base stations; a router device; a switching device; a server device; an aggregator apparatus; a bus architecture; combinations of the foregoing; or the like. The one or more bus architectures can include an industrial bus architecture, such as an Ethernet-based industrial bus, a Controller Area Network (CAN) bus, Modbus, other types of fieldbus architectures, and the like.
As used in this application, the term "processor" may refer to any type of processing circuit or device. A processor may be implemented as a processing circuit or a combination of computing processing units (e.g., a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), or a combination of both). Thus, for descriptive purposes, a processor may refer to a single-core processor; a single processor having software multithreading capability; a multi-core processor; a multi-core processor having software multithreading capability; a multi-core processor having hardware multithreading; a parallel processing (or computing) platform; and a parallel computing platform having a distributed shared memory. In addition, or as another example, a processor may refer to an Integrated Circuit (IC), an Application Specific Integrated Circuit (ASIC), a Digital Signal Processor (DSP), a Field Programmable Gate Array (FPGA), a Programmable Logic Controller (PLC), a Complex Programmable Logic Device (CPLD), discrete gate or transistor logic, discrete hardware components, or any combination thereof designed or configured (e.g., manufactured) to perform the functions described herein. In some implementations, the processor may use nanoscale architectures in order to optimize space usage or enhance performance of systems, devices, or other electronic devices according to the present application. For example, the processor may include molecular transistors and/or quantum dot based transistors, switches, and gates.
Furthermore, in the present specification and drawings, terms such as "store," "memory," "data store," "data memory," "repository," and the like, as well as substantially any other information storage means related to the operation and function of the components of the present application, refer to memory means, entities implemented in one or more memory devices, or means forming a memory device. It should be noted that the memory means or memory devices described herein implement or include non-transitory computer storage media that can be read or accessed by a computing device. Such media can be implemented in any method or technology for storage of information such as machine-accessible instructions (e.g., computer-readable instructions), information structures, program modules, or other information objects.
The memory means or memory device may be implemented as volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. Further, the memory component or memory device may be removable or non-removable and/or may be internal or external to the computing apparatus or component. Examples of various types of non-transitory storage media may include hard drives, zip drives, CD-ROMs, Digital Versatile Discs (DVDs) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, flash memory cards or other types of memory cards, or any other non-transitory medium suitable for retaining the desired information and accessible by a computing device. For example, the non-volatile memory may include Read-Only Memory (ROM), Programmable ROM (PROM), Erasable Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. The volatile memory may include Random Access Memory (RAM), which acts as an external buffer memory.
By way of illustration and not limitation, RAM has various forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct Rambus RAM (DRRAM). The disclosed memory devices or memories of the operating or computing environments described herein are intended to comprise one or more of these and/or any other suitable types of memory.
Conditional language such as "may," "can," or "capable" is generally intended to convey that certain implementations may include certain features, elements, and/or operations, while other implementations do not, unless specifically stated otherwise or otherwise understood in the context of use. Thus, such conditional language is not generally intended to imply that features, elements and/or operations are in any way required for one or more implementations, or that one or more implementations must contain logic for deciding, with or without user input or prompting, whether these features, elements and/or operations are contained or are to be performed in any particular implementation.
The computer readable program instructions of the present application may be downloaded to the corresponding computing/processing devices from a computer readable storage medium or an external computer or external storage device via a network (e.g., the internet, a local area network, a wide area network, and/or a wireless network). The network may include copper transmission cables, optical transmission fibers, wireless transmissions, routers, firewalls, switches, gateway computers and/or edge servers. The network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable non-transitory storage medium within the respective computing/processing device.
What has been described in this specification and the drawings includes examples of systems, devices, techniques, and computer program products that individually and in combination allow tracking and tracing of components of products manufactured in industrial plants. It is, of course, not possible to describe every conceivable combination of components and/or methodologies for purposes of describing the various elements of the subject application, but many further combinations and permutations of the disclosed elements are possible. It is therefore evident that various modifications may be made thereto without departing from the scope or spirit of the application. Additionally, or alternatively, other embodiments of the present application may be apparent from consideration of the specification and drawings, and practice of the present application as presented herein. The examples set forth in the specification and drawings are to be considered in all respects as illustrative and not restrictive. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.
In smart manufacturing plants or in strictly confidential control areas such as closed plants, mobile terminals (PDAs, tablets, notebooks, etc.) are usually subject to controls, typically covering the camera, Bluetooth and similar functions. However, once a mobile terminal can be networked or brought into a controlled area, the security risk increases greatly and disclosure becomes easy, so a dedicated industrial terminal is generally issued to workers who need to use a terminal in the controlled area. Managing industrial terminals across a plurality of management and control areas, so that different areas permit the terminals to use different function sets, is therefore of considerable significance for improving working efficiency and reducing the risk of leakage.
Referring to FIG. 1, an example of an operating environment 10 for an electronic device is presented in accordance with one or more embodiments of the present application; the example environment 10, or portions thereof, may implement or constitute various operating environments and systems. Environment 10 includes computing device 100, computing device 101, terminal 151, terminal 152, terminal 160, communication link 141, and network 130. Computing device 100 and computing device 101 are the same or similar devices, and terminal 151 and terminal 152 are the same or similar terminals. If the number of terminals managed by the computing device 100 does not exceed its maximum load, the computing power requirement is low and the environment 10 may include only the computing device 100. If the number of terminals managed by the computing device 100 exceeds its maximum load, a higher computing capability is required; since the computing device 101 has substantially the same architecture as the computing device 100, the environment 10 may form a parallel-processing computing system from the computing device 100 and the computing device 101 to meet that requirement. The relevant processes of the present application are explained below using computing device 100 and terminal 151 as examples. In some scenarios, environment 10 represents an example of the present application, for instance one that is responsive to execution of one or more software modules in computing device 100. Such software modules make computing device 100 (or any other computing device containing them) an apparatus for mobile device security management according to the description herein.
In some implementations, terminal 151 may form information (e.g., networking information) and communicate it to computing device 100 over the transmission path formed by communication link 141, network 130 and communication link 141 to complete a defined logic process. Terminal 151 may also be configured to respond to a command (e.g., use of a management application, or display of a management application) from terminal 160. Terminal 160 receives information (e.g., verification results, levels, application lists corresponding to levels) from computing device 100 and presents it to the administrator so that terminal 151 can be monitored.
Computing device 100 includes a processor 104, one or more I/O interfaces 106, and one or more memory devices (collectively referred to as memory 116). Bus 142 may allow or facilitate exchange of information (e.g., data, metadata, and/or signaling) between processor 104, a communicator (e.g., I/O interface 106), and/or memory 116 or other corresponding functional elements. Bus 142 may include at least one of a system bus, a memory bus, an address bus, or a message bus.
The processor 104 is configured to collect information (such as identity information and networking information) of the terminal 151 through the communication path formed by the I/O interface 106, the communication link 141, the network 130 and the communication link 141, to complete judgment actions (such as judging the identity information and judging the configured level) so as to form a calculation result (such as a verification result and a level), and to send the calculation result to the terminal 160. After receiving the calculation result, the terminal 160 forms information (such as a permission instruction or an alarm message) and sends it to the terminal 151.
The processor 104 may also receive information sent by the terminal 160 to form a calculation result and send corresponding information (such as a permission instruction) to the terminal 151 to control the terminal 151, but is not limited thereto. When computing device 100 includes multiple processors 104, parallel computing may be implemented by connecting the multiple processors 104 via bus 142.
Memory 116 is a variety of computer-readable media. In some embodiments, memory 116 may include instruction memory 118 and information memory 120.
The instruction memory 118 may contain computer-accessible instructions that are invoked by the processor 104 to execute the mobile device security management policies that implement the present application. The computer-accessible instructions may be embodied as, or may contain, one or more software modules shown as license module 230. In implementations, processor 104 executes license module 230 and may retrieve information from information memory 120, or retain information in information memory 120, for programming or configuring functions by means of license module 230.
The information within information memory 120 may be collectively referred to as licensing instructions 254, and licensing instructions 254 may include at least one of code instructions and information structures. For example, at least a portion of such an information structure may indicate or represent the list of applications the terminal 151 is permitted to use according to the level definition, historical operating data of the terminal 151, and so forth.
The instruction memory 118 and other executable program components (e.g., the OS instructions 122) may reside at different times in different memories 116 of the computing device 100 and may be executed by the processor 104. In some cases, the implementation of license module 230 can be maintained on some form of computer-readable media.
The memory 116 may also contain computer-accessible instructions and information (e.g., data, metadata, and/or programming code instructions) that allow or facilitate the operation and/or management (e.g., upgrades, software installation, any other configuration, etc.) of the computing device 100. Thus, the memory 116 includes memory elements implemented as, or including, one or more OS instructions 122 (Operating System), such as the Windows operating system, Unix, Linux, Symbian, Android, Chromium and generally any OS suitable for a mobile computing device or a bound computing device. In one aspect, the operational and/or architectural complexity of the computing device 100 may determine which OS is appropriate.
Memory 116 also includes a system information memory 124 having data, metadata, and/or programming code that may allow or facilitate operation and/or management of computing device 100. OS instructions 122 and system information memory 124 may be accessed or operated upon by processor 104.
Memory 116 also includes an interface 126 for permitting or facilitating communication of information between two or more modules within instruction memory 118.
In some embodiments, the I/O interface 106 may allow or facilitate communication of information between the computing device 100 and external devices. Such communication may include direct communication or indirect communication, such as exchanging information between computing device 100 and an external device via a network or element thereof. In some implementations, the I/O interface 106 may include one or more of a network adapter 108, a peripheral adapter 112, and a display unit 114, allowing or facilitating connection between external devices and the processor 104 or memory 116.
Network adapter 108 is used to allow or facilitate the exchange of information (data, metadata, and/or signaling) between computing device 100 and one or more computing devices 101, alone or in combination, via one or more communication links (wireless, wired, or a combination thereof) through one or more networks 130. Such network coupling, at least partially provided by at least one of the network adapters 108, may be implemented in a wired environment, a wireless environment, or both.
The peripheral adapter 112 may contain a set of ports, which may include at least one of a parallel port, a serial port, an Ethernet port, a V.35 port, or an X.21 port, for allowing or facilitating wired connection of the computing device 100 to external devices. In some embodiments, the parallel port may comprise a General-Purpose Interface Bus (GPIB) or IEEE-1284, while the serial port may comprise Recommended Standard (RS) -232, V.11, Universal Serial Bus (USB), a FireWire interface, or IEEE-1394, so that different wired interfaces can be connected.
The display unit 114 may include functional elements (e.g., lights such as light-emitting diodes; displays such as liquid crystal displays (Liquid Crystal Display, LCDs), plasma monitors, light-emitting diode (LED) monitors, or electrochromic monitors; combinations thereof; or the like) that may allow or facilitate control of the operation of the computing device 100, or may allow transmission or disclosure of the operating conditions of the computing device 100.
In some implementations, the computing device 100 optionally includes a radio 102. The radio unit 102 may include one or more antennas and a communication processing unit, which may allow wireless communication between the computing device 100 and another device (e.g., computing device 101).
Computing device 100 may also contain a power source (not shown in fig. 1) that may power up the components or functional elements within these devices. The power source may be a rechargeable power source, such as a rechargeable battery, and it may include one or more transformers to obtain a power level suitable for operation of the computing device 100 and components, functional elements, and related circuitry therein. In some cases, a power source may be attached to a conventional power grid to recharge and ensure that such devices are operational. In one aspect, the power supply may include an I/O interface (e.g., one of the network adapters 108) to operatively connect to a conventional power grid. In another aspect, the power source may include an energy conversion member (e.g., a solar panel) to provide additional or alternative power source or autonomy for the computing device 100.
In some examples, computing device 100 may be a personal computer, portable computer, server, router, network computer, peer device or other common network node, and the like.
In some embodiments, terminals 151, 152, 160 may comprise personal computers; a server computer; a laptop device; a handheld computing device, such as a mobile tablet computer or an electronic reader; a wearable computing device; a multiprocessor system. Additional examples may include programmable consumer electronics, network personal computers (Personal Computer, PCs), minicomputers, mainframe computers, blade computers, programmable logic controllers.
Computer readable media can be any available media (both transitory and non-transitory) that can be accessed by computing device 100. In one aspect, a computer-readable medium may include a computer non-transitory storage medium (or a computer-readable non-transitory storage medium) and a communication medium. Exemplary computer-readable non-transitory storage media may include, for example, volatile and non-volatile media, and removable and/or non-removable media.
The bus 142 and all other bus architectures described herein may be implemented via wired or wireless network connections, and by means of such bus connections each subsystem, including the processor 104, the memory 116 and the memory elements therein, and the I/O interfaces 106, may be contained within one or more remote computing devices 101 at physically separate locations, so that a fully distributed system is achieved. In some implementations, such a distributed system may implement the functionality described herein in a client-host or client-server configuration, where license module 230 or licensing instructions 254, or both, may be distributed among computing devices 100.
In some implementations, bus 142 represents one or more of several possible types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of illustration, such architectures can include an industry standard architecture (Industry Standard Architecture, ISA) bus, a micro channel architecture (Micro Channel Architecture, MCA) bus, an enhanced ISA (Enhanced ISA) bus, a video electronics standards association (Video Electronics Standards Association, VESA) local bus, an Accelerated Graphics Port (AGP) bus, a peripheral component interconnect (Peripheral Component Interconnect, PCI) bus, a PCI-Express bus, a personal computer memory card international association (Personal Computer Memory Card International Association, PCMCIA) bus, a universal serial bus (Universal Serial Bus, USB), and the like.
In one or more implementations, one or more of the disclosed methods can be practiced in distributed computing environments (e.g., grid-based environments) where tasks can be performed by remote processing devices (computing devices 101) that are functionally coupled (e.g., communicatively linked or coupled) by at least one of the computing devices 100. In a distributed computing environment, in one aspect, one or more software modules (e.g., program modules) may be located in both local computing devices (e.g., computing apparatus 100) and at least one remote computing device.
In some embodiments, communication link 141 may include, for example, an Uplink (UL) and a Downlink (DL). Each of the UL and DL may be implemented as, or may include, a wireless link (e.g., a deep space wireless link and/or a terrestrial wireless link), a wired link (e.g., fiber optic lines, coaxial cables, and/or twisted pair wires), or a combination thereof.
Network 130 may comprise several types of network elements, including base stations; a router device; a switching device; a server device; an aggregator apparatus; a bus architecture; combinations of the foregoing; or the like. The network elements may be assembled to form a Local Area Network (LAN), a Metropolitan Area Network (MAN), a Wide Area Network (WAN), and/or other networks (wireless or wired) having different coverage areas. Information communicated by at least one of the network adapters 108 may result from implementation of one or more operations of methods (or techniques) according to aspects of the present application. Such output may be any form of visual representation including text, graphics, animation, audio, haptic, etc.
The exemplary operating environment 10 is only illustrative and is not intended to suggest or otherwise convey any limitation as to the scope of use or functionality of the architecture of the operating environment.
Software modules (e.g., license module 230) in environment 10 can be implemented as, or can include, one or more computer-accessible instructions (e.g., computer-readable and/or computer-executable instructions). At least a portion of the computer-accessible instructions may be executed to perform one or more of the example methods described herein, or at least a portion thereof. To achieve such a goal, computer-accessible instructions are packaged into program modules, stored in a non-transitory computer-readable storage medium, and executed by a processor (e.g., processor 104); they may be compiled, linked, and/or executed by processor 104 at computing device 100.
As a more specific illustration, fig. 2 shows an example of an operating environment for an electronic device physical process and digital copy correspondence, in accordance with one or more embodiments of the present application. The environment 20 shown includes a physical process domain formed by the terminals 151, 160 that implements a process. The environment 20 also contains a digital copy domain that contains a computer-implemented environment onto which processes in the physical process domain can be mapped. The digital copy domain contains and utilizes a variety of modeling, computing, and artificial intelligence (Artificial Intelligence, AI) techniques that, alone or in combination, can allow for the implementation of digital copies of the process. Such digital copies implement or constitute dynamic simulation models of the physical process.
The terminal 151 may implement or perform a defined process that allows the usage information 251 (e.g., a human hand clicking on an application icon on a touch screen) to be used to develop the indication information 252. The indication information 252 may have the message representation necessary to provide one or more desired functions (e.g., indicating to the outside that the terminal 151 cannot use an application that is not permitted at the current level, or hiding an application that is not permitted at the current level). The indication information 252 may be embodied as physical representations of imaging data, audio data, and/or haptic data, etc.
In some embodiments, the terminal 151 may include a function module 204, and may further include multiple sets of function modules, such as a function module 206 and a function module 208, to respond to the usage information 251. The function module 204 may be integrated into the hardware 202 (not shown) or otherwise coupled (e.g., via bus 242) to the hardware 202 to collect data indicative or representative of the operational state of the terminal 151. In some embodiments, the function module 204 is selectively executed or selectively displayed (e.g., graying out the corresponding application icon to indicate that it cannot be used, or directly hiding the corresponding application icon) according to a management instruction (e.g., a list of applications corresponding to the level) issued by the terminal 160. Any of the function modules 204, 206, 208 may include a special control item, a general control item, and a configuration control item, where the special control item includes, but is not limited to, NFC control, NFC transmission control, camera control, Bluetooth control, and USB control. The general control items comprise WiFi control, WiFi whitelist control, screen capture control, watermark control and lock screen PIN code control, but are not limited to these. Configuration management items include, but are not limited to, network and internet, connected devices, applications and notifications, battery, memory, display, sound, gestures, advanced, storage, security and location information, accounts, accessibility, Google, system, developer options, the search box, and whether the suggestion bar is displayed.
Furthermore, to automate the process performed by the terminal 151, the terminal 160 may be functionally coupled (e.g., communicatively coupled, electrically coupled, electromagnetically coupled, and/or electromechanically coupled, not limited to through the network 130 of fig. 1) to the terminal 151. Communication architecture 241 may allow or facilitate the exchange of information (data, metadata, and/or signaling) between terminal 160 and terminal 151.
Bus 242 and communication architecture 241 may be implemented as, or may include, several types of network elements, including base stations; a router device; a switching device; a server device; an aggregator apparatus; a bus architecture; combinations of the foregoing; or the like. The one or more bus architectures can include an industrial bus architecture, such as an Ethernet-based industrial bus, a Controller Area Network (CAN) bus, Modbus, other types of fieldbus architectures, and the like.
In some implementations, some computing devices may permit or facilitate execution of digital copies. To this end, the digital copy domain may contain a computing system that may receive a model of the data processing process, which model may be run automatically by terminal 160 and at least partially implemented by terminal 151. Thus, the computing system may receive data, metadata, and/or code instructions (which may constitute libraries and/or other types of software components), which may allow all or part of the data processing process to be simulated in the physical process domain.
The digital copy domain contains a license module 230 whose purpose is to let the terminal 160 license the terminal 151 to use the function modules according to the present application. To this end, in some embodiments, the license module 230 first verifies the identity information of the terminal 151 to determine whether the terminal 151 is allowed to connect to the network. This identity verification optionally retrieves one or more data structures 238 (referred to as identity lists 238), stored in one or more storage devices 236, and checks whether identity information corresponding to the terminal 151 can be found there. If not, a disabling instruction is formed and sent to the terminal 151 through the indication information 252 to disable all functions of the terminal 151; if so, the license module 230 continues to generate a permission instruction.
In some embodiments, when the license module 230 confirms that the identity information of the terminal 151 is legitimate, it determines, from the network to which the terminal 151 is currently connected, which level that network has, such as the first level network 171, the second level network 172, up to the nth level network 173. Network levels are divided according to the management and control domain in which the network is located: for example, a network outside the management and control domain is a third level network, a network inside the management and control domain is a second level network 172, and a network inside a strict management and control domain is a first level network 171. The types and number of function modules the terminal 151 is licensed to use differ by level; each network level corresponds to a set of usable functions stored in one or more data structures (i.e., function lists 234), and one or more storage devices 232 store these function lists 234. After obtaining the network level to which the terminal 151 is currently connected, the license module 230 forms, from the function list 234, a license instruction 253 that characterizes the information of that function list 234, and maps the license instruction 253 from the digital copy domain into the physical process domain to form indication information 252 that is convenient for the object interacting with the terminal 151 (e.g., a user, or an input signal triggering the use of a function) to understand.
Such digital copies may be referred to as "digital twins" for use in implementing or constructing a dynamic simulation model of a physical process. In some implementations, the digital copies may integrate information of the physical process, logic controlling the physical process, and simulation models of the physical process. The digital copy may use a model driven approach based on a machine learning approach. In addition, or in some embodiments, the digital copy may use or utilize model driven methods based on physical phenomena of the real process and rules of such process. Thus, in some cases, by incorporating a model of the physical reality process, the digital copy may be synchronized with its physical copy in near real-time. The digital copy also allows or facilitates simulating and evaluating the state of the process before the state is implemented in the corresponding physical system. Digital twins can learn almost continuously and can update themselves from multiple sources to improve the real-time representation of their physical processes.
Referring to fig. 3, in some embodiments, in scenarios where the number of data dimensions is low and the amount of computation is small (for example, the number of terminals 151 managed by the terminal 160 is less than 50, but not limited thereto), the terminal security management function is implemented by the management and control device 30 (such as by integrating or coupling the functions of the computing device 100 into the terminal 160). The management and control device 30 includes a processor 310, a memory 320, and a communicator 330, where the license module 230 is disposed in the memory 320, and the communicator 330 serves as either the UL or the DL to implement internal coupling or interaction with the outside. The communication architecture 350 may allow or facilitate the exchange of information (data, metadata, and/or signaling) between the management and control device 30 and the terminal 50.
In some embodiments, the functions of the elements in the management device 30 are: a communicator 330 for receiving the first networking information transmitted from the terminal 50; a processor 310, coupled to the communicator 330, for: determining, according to the first networking information, a level of a first network to which the terminal 50 is connected as a first level; forming a first permission message according to the first level, the first permission message including instructions for permitting the terminal 50 to use a first function; the communicator 330 is further configured to send the first permission message to the terminal 50 to permit the terminal 50 to use the first function.
In some embodiments, memory 320 contains a license module 230, wherein the license module 230 is used to implement the function whereby the management and control device 30 licenses the terminal 50 to use the function modules according to the present application.
Referring to fig. 4, in some embodiments, the license module 230 includes an exception handling module 237 and an analysis module 233, and optionally includes a data structure 235 and a transceiver module 231. Data structure 235 is used to store data (e.g., function list 234, identity list 238) stored in license module 230. The transceiver module 231 is configured to receive the networking level (e.g., the first level) determined by the processor 310, receive an instruction to adjust the set of function modules corresponding to the networking level, and control the communicator 330 to send a permission instruction to the terminal 50.
In some embodiments, when the network has not been switched but the terminal 50 is found to use the second function, the management and control personnel need to be alerted. The exception handling module 237 is configured to determine, from the received abnormality record, that the terminal 50 has been operated illegally, to form an alarm message prompting the management and control personnel to attend to the abnormality, and optionally to send a positioning instruction that prohibits the terminal 50 from continuing to use any function other than the positioning function. Using the positioning function, the management and control personnel can obtain the position of the terminal, intervene manually in time, and prevent information leakage.
In some embodiments, analysis module 233 includes identity information module 2331, rank determination module 2333, and selection module 2335.
In some embodiments, the identity information module 2331 is invoked by the processor 310 to determine whether the identity information of the terminal 50 received by the communicator 330 matches the preset identity information in the memory 320; if so, it forms a verification result and passes it to the level determination module 2333, and if not, it directly forms a positioning instruction (i.e., an instruction allowing only the positioning function to be used) and controls the communicator 330 to send it to the terminal 50.
In some embodiments, after obtaining the verification result of the identity information module 2331, the level determination module 2333 is invoked by the processor 310 to determine the level at which the network is configured (e.g., the first network is configured as the first level) according to the networking information (e.g., the first networking information) formed when the terminal 50 connects to the network (e.g., the first network, which may be WiFi, a cellular network, etc.), and sends the determination result to the selection module 2335.
In some embodiments, after the selection module 2335 receives the determination result (e.g., the determination result is the first level), the selection module 2335 selects functions in the memory 320 (e.g., from the function list 234 in the data structure 235) according to the determination result. For example, the data structure 235 stores the functions A, B, C whose use is permitted at the first level and the functions B, C, D, E whose use is permitted at the second level; when the determination result of the level determination module 2333 is the second level, the selection module 2335 selects a permission instruction characterizing the B, C, D, E functions and sends it to the terminal 50 through the communicator 330, so that the terminal 50 can only use the B, C, D, E functions. Further, in some embodiments, if the terminal 50 has only the A, B, F functions and does not have the E function, the selecting module 2335 forms an identifier of the functions according to the function list of the terminal 50 (i.e., the function list includes the A, B, F functions) and the determination result (e.g., the first level); optionally, this identifier is the intersection of the function list with the functions permitted at the first level, i.e., the intersection of the A, B, C functions and the A, B, F functions, which is the A, B functions. It then forms a first permission message according to the identifier of the functions (e.g., the identifier of the first function), where the first permission message permits only the A, B functions to be used when the terminal 50 is connected to the first network of the first level.
Further, in some embodiments, when the networking information of the terminal 50 changes (e.g., switching from connecting to the first network to connecting to the second network), the communicator 330 receives the second networking information and passes it to the processor 310, and the processor 310 invokes the level determination module 2333 in the memory 320 to determine that the second network is configured as the second level. The earlier verification result is reused: because the identity information module 2331 was already invoked when the terminal 50 connected to the first network, authentication need not be performed again. Based on the second level, the selection module 2335 selects the functions permitted at that level, e.g., B, C, D, E, which do not include the first function (e.g., the A function) previously granted to the terminal 50, and therefore forms a second permission message that does not include the first instruction permitting the terminal 50 to use the A function. The selection module 2335 is invoked by the processor 310 to control the communicator 330 to transmit the second permission message to the terminal 50, and when an external input requests to use the A function of the terminal 50, the terminal 50 rejects the use request of the A function according to the second permission message.
Similarly, for example, when the terminal 50 is connected to the first network, the management and control device 30 issues a permission instruction that refuses the terminal 50 the use of the D function, but when the terminal 50 switches to the second network, under the second level of management and control, the terminal 50 is allowed to use the D function. Specifically: when the terminal 50 is connected to the first network and receives the first permission message, the first permission message does not include the second instruction for permitting the terminal to use the second function, and thus the terminal 50 refuses the use request of the D function; when the terminal 50 is connected to the second network, the communicator 330 receives the second networking information, the processor 310 retrieves the memory 320 according to the second networking information, determines that the second network is configured as the second level, and forms a second permission message that includes permission for the terminal 50 to use the D function according to the verification result and the second level; finally, the processor 310 controls the communicator 330 to transmit the second permission message to the terminal 50, so that the terminal 50 allows an external input to make a request for using the D function.
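As an added illustration of the level determining and selecting modules described above (this code is not part of the patent), the following Python models the management and control device side: it verifies the identity once, maps the network to its level, intersects the terminal's function list with the functions permitted at that level, and forms the permission message. The network names, identities, function lists and the deny-by-default handling of an unknown network are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed: the level assigned to each network according to the
# management and control area it is located in.
NETWORK_LEVELS = {"area1-wifi": 1, "area2-wifi": 2}

# Constructed data structure 235 / function list 234: functions permitted at
# each level, using the A, B, C and B, C, D, E sets of the description above.
LEVEL_PERMITTED = {
    1: frozenset({"A", "B", "C"}),
    2: frozenset({"B", "C", "D", "E"}),
}

# Constructed preset identity information: legal identities and the function
# list held for each (the function list is formed from the identity).
PRESET_IDENTITIES = {
    "terminal-50": frozenset({"A", "B", "F"}),
    "terminal-51": frozenset({"A", "B", "C", "D"}),
}


@dataclass(frozen=True)
class NetworkingInfo:
    identity: str   # identity information carried in the networking information
    network: str    # the network the terminal has connected to


@dataclass(frozen=True)
class PermissionMessage:
    level: int
    permitted: frozenset   # identifiers of the functions the terminal may use


def determine_level(network):
    """Level determining module 2333. An unknown network is given level 0,
    for which no function is permitted (deny-by-default; an assumption here)."""
    return NETWORK_LEVELS.get(network, 0)


def form_permission_message(function_list, level):
    """Selecting module 2335: the identifier of the permitted functions is the
    intersection of the terminal's function list with what the level permits."""
    permitted = function_list & LEVEL_PERMITTED.get(level, frozenset())
    return PermissionMessage(level, frozenset(permitted))


class ManagementDevice:
    def __init__(self):
        self.verified = set()     # identities already checked by module 2331
        self.verifications = 0    # how many times an identity was actually checked
        self.alarms = []          # alarm messages raised for unknown identities

    def handle_networking_info(self, info):
        """Handle networking information from a terminal.

        Returns the permission message for the network the terminal is on,
        or None when the identity does not match the preset identity
        information (an alarm is recorded instead).
        """
        if info.identity not in self.verified:
            self.verifications += 1
            if info.identity not in PRESET_IDENTITIES:
                self.alarms.append(
                    f"identity {info.identity!r} does not match preset identity information"
                )
                return None
            self.verified.add(info.identity)
        # A terminal that later switches networks is not verified again;
        # only the level of the new network is determined.
        level = determine_level(info.network)
        return form_permission_message(PRESET_IDENTITIES[info.identity], level)


if __name__ == "__main__":
    device = ManagementDevice()
    first = device.handle_networking_info(NetworkingInfo("terminal-50", "area1-wifi"))
    second = device.handle_networking_info(NetworkingInfo("terminal-50", "area2-wifi"))
    print(first, second, device.verifications)
```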
Referring to fig. 5, in some embodiments, the terminal 50 includes a processor 510, a memory 520, and a communicator 530, and a response module 521 is stored in the memory 520. The communicator 530 is used to implement internal coupling or to interact with the outside as either the uplink (UL) or the downlink (DL).
In some embodiments, the functions of the elements in the terminal 50 are as follows. A communicator 530 for: connecting to a first network, the first network being configured as a first level; transmitting first networking information to the management and control device 30, wherein the first networking information comprises identity information of the terminal 50; and, in response to the transmission of the first networking information, receiving a first permission message from the management and control device 30, the first permission message including a first instruction that permits the terminal 50 to use a first function according to the first level and the identity information. A processor 510, coupled to the communicator 530, for obtaining a request to use the first function (e.g., the A function described above; a first enabling request), and permitting the terminal to use the first function according to the first enabling request and the first permission message.
In some implementations, the memory 520 includes a response module 521. The response module 521 is used to implement, by invoking the one or more processors 510 after the terminal 50 receives the permission instruction of the management and control device 30 according to the present application, a response to a request, originating inside or outside the terminal 50, for the terminal 50 to use a function module. The term "internal" may refer to data interaction within the terminal 50 or within the system formed by the terminal 50 and the management and control device 30, such as application programs or other functional modules, e.g., the aforementioned requests of modules for permission to use functions, occurring within the system; the term "external" may refer to an input from outside the terminal 50, for example, the terminal 50 has a touch screen and the user requests to use the function module by clicking an icon that triggers the touch screen.
Referring to fig. 6, in some embodiments, the response module 521 includes a processing module 523, and optionally a data structure 525 and an input-output module 527. The data structure 525 is used to store the data held by the response module 521 (e.g., the first permission message, the second permission message, permission instructions, etc.). The input/output module 527 is configured to receive data sent by the management and control device 30 and transmitted through the communicator 530, and to output feedback information (e.g., a prompt that requesting use of the A function on the current network is illegal, etc.).
In some embodiments, the processing module 523 includes a validity determination module 5231 and a call module 5233.
In some embodiments, the validity judging module 5231 is invoked by the processor 510 to judge whether a request, input from the outside or the inside, to use a certain function (e.g., the A function) is legal under the current network environment and network level, according to the information (e.g., the first permission message, the second permission message, etc.) containing the permission instruction sent by the management and control device 30. If so, the judging result is transmitted to the invoking module 5233; if not, feedback is given to the outside or the inside to prompt that the operation is illegal, and an abnormal record is formed and sent to the management and control device 30 through the communicator 530.
In some embodiments, after receiving the result that the validity judging module 5231 has judged the request valid, the calling module 5233 selects the function module corresponding to the request input from the outside or the inside, for example the A function, so that the processor 510 can call the A function and respond to that request.
In some embodiments, if the first permission message does not include the second instruction for permitting the terminal 50 to use the second function (e.g., the D function described above), then when the processor 510 obtains a request for using the D function (e.g., a second enabling request) from an internal or external input, the processor 510 invokes the response module 521, determines that the request is illegal according to the request and the first permission message, and denies the request, thereby prohibiting external use of the D function.
Further, the behavior of illegally using the D function is prompted, so that the outside is informed that the D function is not currently allowed to be used. If the D function is still triggered from the outside, an abnormal record of the behavior is actively uploaded to the management and control device 30 through the communicator 530, and the abnormality processing module 237 is called to ask the security management and control personnel to judge it: if the behavior is judged not to involve a security problem, no further processing is performed; if it is judged that there is a risk of disclosure, the terminal 50 receives a positioning instruction that disables the potentially compromised functions other than the positioning function.
In some embodiments, when the networking information of the terminal 50 changes, for example it switches from the first network to the second network, then because the second network is configured as the second level, the communicator 530 receives a second permission message sent by the management and control device 30, the second permission message containing the second instruction for permitting the terminal 50 to use the second function (e.g., the D function) according to the second level and the identity information, and the processor 510 invokes the response module 521, at which point an internal or external request to use the D function can be accepted. Similarly, the processor 510 denies external use of the A function, since the second level does not allow use of the first function (e.g., the A function).
In some embodiments, the terminal 50 optionally includes a display 540 coupled to the processor 510. Since the processor 510 permits use of the A function when the terminal 50 is connected to the first network, the display 540 displays a first interface for interaction between the A function and the outside of the terminal 50, where the first interface includes an identifier (e.g., an icon) through which an external input requests use of the A function, and the external input may use the A function of the terminal 50 by clicking on the identifier corresponding to the A function. Similarly, since the processor 510 refuses use of the second function (e.g., the D function) when the terminal 50 is connected to the first network, the display 540 hides the second interface through which the D function interacts with the outside of the terminal 50: the second interface does not display the identifier (e.g., icon) by which an external input would request use of the D function, so the D function cannot be actively triggered by an external input and the risk of misuse is avoided. In combination with the foregoing abnormality processing module 237, an alarm can also be given in time to avoid disclosure when the restriction on the terminal 50 using the D function in the first network is broken for illegal purposes.
Referring to fig. 7, a corresponding example of terminal security administration is shown. For convenience of explanation, the terminal security administration method is described together with the terminal usage method; the terminal security administration method is the method of the controller, while the terminal usage method is the method of the controlled side. The example is executed in a system having an electronic device 411 (e.g., the computing device 100 in fig. 1 or the administration device 30 in fig. 3) and a terminal 412. Some of the operations in this example 40 are optionally combined, and/or the order of some of the operations is optionally changed.
In some embodiments, the electronic device 411 stores preset identity information of the terminal in advance, such as a character string or an identification code, biometric information, and NFC data information. The preset identity information contains the legal identities recorded in the electronic device 411, and conventional database operations such as adding, modifying, deleting and querying can be performed on it.
In some embodiments, the terminal 412 connects to a first network, forms first networking information and sends it (422), and the electronic device 411 receives the first networking information (424); optionally, the first networking information includes identity information of the terminal 412.
Optionally, the electronic device 411 determines whether the identity information matches the preset identity information (426); if not, an alarm message is sent out (428), and if so, network level identification continues. In this way, it can be ensured that the connected terminal 412 is a legitimate terminal rather than a counterfeit one, reducing the risk of compromise.
In some embodiments, after determining in step 426 that the identities match, the electronic device 411 forms a verification result, determines according to the first networking information that the level of the first network to which the terminal is connected is a first level (430), forms a first permission message according to the first level, and sends it (432). The terminal 412 receives the first permission message (434) and forms the set of functions that internal or external requests are permitted to use; when an internal or external request to use a certain function is issued, the function can be called if it is in the set, and the call is refused if it is outside the set. In this way, the possibility of misusing a function of the terminal 412 and causing leakage can be avoided.
Specifically, referring to fig. 7B, step 432 may further include: forming a function list of the terminal (4322) based on the identity information of the terminal conforming to the preset identity information; forming an identification of the first function (4324) from the function list; and forming a first permission message (4326) containing the first instruction based on the identification of the first function. In some cases, for example, the terminal 412 has only the A, B, F functions and no E function; according to the function list of the terminal 412 (i.e., including the A, B, F functions) and the networking level (e.g., the first level), an identification of the functions is formed (optionally, the intersection of the function list with the functions permitted for use at the first level, i.e., the intersection of the A, B, C functions and the A, B, F functions, so that the identification is that of the A, B functions), and then a first permission message is formed according to the identification of the functions (e.g., the identification of the first function), the first permission message permitting the terminal 412 to use only the A, B functions when connected to the first network of the first level.
In other embodiments, the terminal 412 receives a first enablement request for the first function (436), and enables the first function (438) based on the first enablement request and the first instruction, so that the terminal 412 can use the permitted functions within the limited function set.
In some implementations, the terminal 412 receives a second enablement request for the second function (440); use of the second function is denied (442) based on the second enablement request and the first permission message. In this manner, the terminal 412 is prevented from using functions that are not in the set of licensed functions.
As shown in fig. 7C, optionally, in some embodiments, after the terminal 412 performs step 434, because the first instruction allows the terminal 412 to use the first function, a user interaction interface of the first function is displayed (4342) according to the first instruction, so that the user can enable the first function by, for example, a touch screen. If the first instruction is not present, the interface for user interaction with the first function can be hidden, external calling is avoided, and the risk of disclosure is further reduced. Correspondingly, when the first permission message does not contain the second instruction permitting the terminal to use the second function, the second interface (4344) through which the second function interacts with the outside of the terminal is hidden according to the first permission message; in this way, false touches by the user are avoided, and the user cannot open a function whose use is refused on the terminal 412.
As shown in fig. 7D, in some embodiments, when the terminal 412 finds that the second enabling request has been initiated repeatedly from the inside or the outside (steps 4422 to 4424, e.g., 3 times), it forms an exception record (4442) according to the second enabling request and the first permission message and sends the exception record to the electronic device 411 (4444). The electronic device 411 receives the exception record, which includes the terminal's second enabling request (446), and a third party (e.g., a manager) determines whether the terminal operation is illegal (448): if not, processing of the exception record ends (450); if so, an alarm message is formed (452) informing the relevant person (e.g., the person controlling the terminal 412, its superior supervisor or another security supervisor) of the abnormality, and a positioning instruction permitting the terminal to use only the positioning function is formed and sent to the terminal 412 (454). After receiving the positioning instruction (456), the terminal 412 forms its positioning information and sends it to the electronic device 411 (458), and the electronic device 411 receives the position of the terminal 412 and prompts a management and control person to handle it (460). By this method, abnormal operation can be fed back in time, so that the greater loss that may result when a leakage behavior occurs is avoided.
As shown in fig. 7E, in some embodiments, when the terminal 412 switches from the first network to the second network, second networking information is formed and sent to the electronic device 411 (462). After receiving the second networking information (464), the electronic device 411 determines according to the second networking information that the level of the second network to which the terminal is connected is a second level (466), forms a second permission message, where the second permission message includes the second instruction permitting the terminal to use the second function according to the second level and the identity information, and sends it (468). Step 426 need not be performed again here, because authentication was already completed when the terminal 412 connected to the first network; this increases the efficiency and speed with which the terminal 412 is managed in response to switching networks.
In some embodiments, after receiving the second permission message (470), the terminal 412 forms the set of permitted functions, and upon obtaining the second enablement request (472), permits use of the second function according to the second enablement request and the second instruction (474). The terminal 412 receives a first enablement request for use of the first function (476), and denies use of the first function based on the first enablement request and the second permission message (478). The first function was permitted when the terminal 412 was connected to the first network, and the second function was denied when the terminal 412 was connected to the first network, so the list of functions the terminal 412 is permitted to use is updated synchronously after step 470.
In some embodiments, the electronic device 411 may query the terminal 412 about its networking conditions at irregular intervals for supervisory control reasons. When a query occurs, the electronic device 411 forms the query and sends it to the terminal 412 (480). The terminal 412, currently connected to a third network, forms third networking information (482) and sends it to the electronic device 411 (484); the electronic device 411 determines according to the third networking information that the level of the third network to which the terminal is connected is a third level (486), forms a third permission message according to the third level and sends it to the terminal 412 (488). The terminal 412 receives the third permission message, forms a security record based on it (490), and transmits the security record to the electronic device 411 (492). The security record may include when the connection was switched from the first network to the third network, and which data was uploaded and downloaded after connecting to the third network, where the third network may be any network other than the first network (e.g., the second network). Since the electronic device 411 previously confirmed that the terminal 412 was connected to the first network, the security record may further include the switching time and switching duration to help the electronic device 411 determine whether the security record is legal (494): if so, it can be determined that the network connection was merely unstable rather than illegally attacked, and the query process ends (4962); if not, a clear command is formed and issued (4964) to cause the terminal 412 to clear the data it interacted with when connected to the first network (498), and if necessary the terminal 412 may be formatted to avoid the serious consequences of further information leakage.
According to the terminal security management and control device and the terminal security management and control method, networks are classified, the level that limits the use of functions is obtained from the terminal's connection to a network, and the level is sent to the terminal so as to manage and control the functions the terminal may use; terminals are managed according to the different features of the networks that can be connected in a plurality of management and control areas, so that different management and control areas permit the terminals to use different function sets, working efficiency is improved, and the leakage risk is reduced.
The terminal and the terminal use method are also provided: by responding to the information of the management and control device, the display is controlled to show the function set that is permitted to be used, or a request to use a function is accepted and the function is prohibited from being used, so that specific functions are prevented from being illegally used in the management and control area, and the risk of disclosure is further reduced.
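As an added illustration (not the patent's own code) of the response module described above and of the fig. 7 flow that ends here, the following Python models the terminal side: the validity judgement against the current permission message, the identifiers the display shows, the exception record formed after repeated refused requests, the positioning instruction, and the replacement of the permitted set together with clearing of interaction data on a network switch. The message shape, the threshold of 3 attempts, the positioning identifier POS and the function letters are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed identifier for the positioning function named in the fig. 7D flow.
POSITIONING = "POS"
# Refused requests for one function before an exception record is formed;
# the description gives "e.g. 3 times", used here as the default.
EXCEPTION_THRESHOLD = 3


@dataclass(frozen=True)
class PermissionMessage:
    """Permission message from the management and control device (constructed shape)."""
    level: int               # level of the network the terminal is connected to
    permitted: frozenset     # identifiers of the functions the terminal may use


@dataclass(frozen=True)
class ExceptionRecord:
    """Abnormal record uploaded to the management and control device."""
    identity: str
    function: str
    attempts: int
    level: int


class Terminal:
    def __init__(self, identity, functions):
        self.identity = identity
        self.functions = set(functions)   # function modules the terminal actually has
        self.permission = None            # latest permission message (data structure 525)
        self.denied = {}                  # function -> refused requests since last message
        self.exception_records = []       # records sent through the communicator
        self.interaction_data = []        # data exchanged while on the current network
        self.positioning_only = False     # set by a positioning instruction

    def receive_permission(self, message, switched_network=False):
        """Adopt the permitted set carried by a permission message.

        On a network switch the interaction data stored while connected to the
        previous network is cleared, as claim 1 requires.
        """
        if switched_network:
            self.interaction_data.clear()
        self.permission = message
        self.denied.clear()
        # A fresh permission message supersedes an earlier positioning
        # instruction (assumption made for this example).
        self.positioning_only = False

    def _allowed(self):
        """Functions a request may currently enable; nothing before any message."""
        if self.positioning_only:
            return self.functions & {POSITIONING}
        if self.permission is None:
            return set()
        return self.functions & self.permission.permitted

    def visible_identifiers(self):
        """Display 540: only identifiers of permitted functions are shown, so a
        refused function cannot be triggered by an external click."""
        return self._allowed()

    def request(self, function):
        """Validity judging module 5231 plus calling module 5233.

        Returns "enabled" when the function is called and "illegal" when the
        request is refused under the current network level.
        """
        if function in self._allowed():
            self.denied.pop(function, None)
            self.interaction_data.append(f"{function}:used")
            return "enabled"
        count = self.denied.get(function, 0) + 1
        self.denied[function] = count
        if count == EXCEPTION_THRESHOLD:
            # Repeated refused requests are uploaded once as an exception record.
            level = self.permission.level if self.permission else 0
            self.exception_records.append(
                ExceptionRecord(self.identity, function, count, level)
            )
        return "illegal"

    def receive_positioning_instruction(self):
        """Only the positioning function stays usable; returns what remains visible."""
        self.positioning_only = True
        return self.visible_identifiers()


if __name__ == "__main__":
    # Constructed walk-through mirroring the A and D functions used above.
    term = Terminal("terminal-50", {"A", "B", "D", POSITIONING})
    term.receive_permission(PermissionMessage(1, frozenset({"A", "B"})))
    print(term.request("A"), term.request("D"))
    term.receive_permission(PermissionMessage(2, frozenset({"B", "D"})), switched_network=True)
    print(term.request("D"), term.request("A"))
```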
Each of the modules and applications identified above corresponds to a set of executable instructions for performing one or more of the functions described above as well as the methods described in the present application. These modules (i.e., sets of instructions) need not be implemented in separate software programs, procedures or modules, and thus various subsets of these modules are optionally combined or otherwise rearranged in various embodiments. In some embodiments, the memory optionally stores a subset of the modules and data structures described above. Furthermore, the memory optionally stores additional modules and data structures not described above.
In addition, other variations within the spirit of the present application will occur to those skilled in the art, and of course, such variations as may be included within the scope of the present application as claimed. For purposes of explanation, the foregoing description was described with reference to specific embodiments. However, the illustrative discussions above are not intended to be exhaustive or to limit the application to the precise forms disclosed. Many modifications and variations are possible in light of the above teaching, for example, the sequential structure of the flowcharts may be defaults or otherwise modified. The embodiments were chosen and described in order to explain the principles of the present application and its practical application to thereby enable others skilled in the art to best utilize the present application and various described embodiments with various modifications as are suited to the particular use contemplated.

Claims (10)

1. A terminal, comprising:
a communicator for:
connecting a first network, and sending first networking information to the management and control equipment;
receiving a first permission message from the management and control equipment based on the sending of the first networking information, wherein the first permission message is formed according to the grade of the first network, the grade of the first network is divided according to the management and control area where the first network is located, and the first permission message comprises a first instruction for permitting the terminal to use a first function; a processor, coupled to the communicator, for:
Receiving a first enabling request of the first function;
enabling the first function according to the first enabling request and the first instruction;
the communicator is further configured to:
switching connection to a second network, and sending second networking information to the control equipment;
receiving a second permission message from the management and control equipment based on the sending of the second networking information, wherein the second permission message is formed according to the grade of the second network, the grade of the second network is divided according to the management and control area where the second network is located, and the second permission message comprises a second instruction for permitting the terminal to use a second function; the processor is further configured to:
receiving a second enabling request of the second function;
enabling the second function according to the second enabling request and the second instruction;
and clearing interaction data stored by the terminal during the connection of the first network based on switching from the connection of the first network to the connection of the second network.
2. The terminal of claim 1, further comprising:
a display coupled to the processor;
the processor is further configured to display a user interaction interface of the first function according to the first instruction.
3. The terminal of claim 1, wherein the first permission message does not contain the second instruction to permit the terminal to use the second function; further comprising:
the processor is further configured to prohibit enabling the second function based on the first permission message not including an instruction to permit the terminal to use the second function.
4. The terminal of claim 1, wherein the first permission message does not contain the second instruction to permit the terminal to use the second function;
the processor is further configured to:
receiving the second enabling request of the second function;
the second enablement request is denied based on the first permission message not including the second instruction to permit the terminal to use the second function.
5. The terminal of claim 4, wherein
The processor is further configured to form an exception record according to the second enablement request and the first permission message not including the second instruction for permitting the terminal to use the second function;
the communicator is further configured to send the anomaly record to the management and control device.
6. A method for terminal use, comprising:
Connecting a first network, and sending first networking information to the management and control equipment;
receiving a first permission message from the management and control equipment based on the sending of the first networking information, wherein the first permission message is formed according to the grade of the first network, the grade of the first network is divided according to the management and control area where the first network is located, and the first permission message comprises a first instruction for permitting the terminal to use a first function;
receiving a first enabling request of the first function;
enabling the first function according to the first enabling request and the first instruction;
switching connection to a second network, and sending second networking information to the control equipment;
receiving a second permission message from the management and control equipment based on the sending of the second networking information, wherein the second permission message is formed according to the grade of the second network, the grade of the second network is divided according to the management and control area where the second network is located, and the second permission message comprises a second instruction for permitting the terminal to use a second function;
receiving a second enabling request of the second function;
enabling the second function according to the second enabling request and the second instruction;
and clearing interaction data stored by the terminal during the connection of the first network based on switching from the connection of the first network to the connection of the second network.
7. The method of claim 6, further comprising:
and displaying the user interaction interface of the first function according to the first instruction.
8. The method of claim 6, wherein the first permission message does not include the second instruction to permit the terminal to use the second function;
and prohibiting the second function from being started based on that the first permission message does not contain an instruction for permitting the terminal to use the second function.
9. The method of claim 6, wherein the first permission message does not include the second instruction to permit the terminal to use the second function;
receiving the second enabling request of the second function;
the second enablement request is denied based on the first permission message not including the second instruction to permit the terminal to use the second function.
10. The method of claim 9, further comprising:
forming an abnormal record according to the second enabling request and the first permission message not containing the second instruction for permitting the terminal to use the second function;
and sending the abnormal record to the control equipment.
CN202010917005.6A 2020-09-03 2020-09-03 Terminal and terminal use method Active CN112261658B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010917005.6A CN112261658B (en) 2020-09-03 2020-09-03 Terminal and terminal use method
US17/466,041 US20220067128A1 (en) 2020-09-03 2021-09-03 Terminal device security management device, method, and terminal device

Publications (2)

Publication Number Publication Date
CN112261658A CN112261658A (en) 2021-01-22
CN112261658B CN112261658B (en) 2024-04-16

Family

ID=74224079

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010917005.6A Active CN112261658B (en) 2020-09-03 2020-09-03 Terminal and terminal use method

Country Status (1)

Country Link
CN (1) CN112261658B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113766086B (en) * 2021-10-08 2024-05-07 珠海奔图电子有限公司 Access authentication method and device for image forming device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103516545A (en) * 2013-08-14 2014-01-15 西安方诚通讯技术服务有限公司 Real-time management system and management method of certain area mobile phone functions
CN106331288A (en) * 2015-06-24 2017-01-11 中兴通讯股份有限公司 Application processing method and device
CN107820702A (en) * 2017-07-03 2018-03-20 深圳前海达闼云端智能科技有限公司 A kind of management-control method, device and electronic equipment
CN108573135A (en) * 2018-04-23 2018-09-25 北京小米移动软件有限公司 Terminal management-control method, apparatus and system
CN110247906A (en) * 2019-06-10 2019-09-17 平安科技(深圳)有限公司 A kind of method for monitoring network and device, equipment, storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7414529B2 (en) * 2006-08-04 2008-08-19 International Business Machines Corporation Disablement of camera functionality for a portable device

Also Published As

Publication number Publication date
CN112261658A (en) 2021-01-22

Similar Documents

Publication Publication Date Title
Quarta et al. An experimental security analysis of an industrial robot controller
CN106326738B (en) Computer security system framework and related computing method
JP4999240B2 (en) Process control system, security system and method thereof, and software system thereof
CN106227159B (en) Security system using dynamic signatures for industrial control infrastructure
JP7013153B2 (en) Authentication and authorization to control access to process controls in the process plant
CN102906759B (en) Context-aware data protection
CN113625665B (en) Centralized security event generation policies
CN102742243A (en) Checking a configuration modification for an IED
US9560523B2 (en) Mobile device authentication
JP2006099777A (en) Centrally managed proxy-based security for legacy automation systems
CN104423370A (en) Remote asset management services for industrial assets
US10521550B2 (en) Planning and engineering method, software tool and simulation tool for an automation solution
CN109690545A (en) Automatic distribution of PLC virtual patches and security context
US10805304B2 (en) Edge server and management server
CN106227158B (en) Rapid configuration security system for industrial control infrastructure
JP2021096834A (en) Personnel profiles and fingerprint authentication for configuration engineering and runtime applications
CN110390184A (en) Method, apparatus and computer program product for executing an application in the cloud
CN112261658B (en) Terminal and terminal use method
EP3667526B1 (en) Rapid file authentication on automation devices
CN112260985B (en) Terminal safety control equipment and terminal safety control method
JP2021051740A (en) Secure off-premises access of process control data by mobile device
CN110765471B (en) Working method of microcontroller-based access capability embedded platform
CN110266666A (en) Industrial-internet-based security management method and system
Hollerer et al. Challenges in OT security and their impacts on safety-related cyber-physical production systems
US20220067128A1 (en) Terminal device security management device, method, and terminal device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 451162 building 7, intersection of Huaxia Avenue and Donghai Road, Hanggang District, Zhengzhou City, Henan Province

Applicant after: Fulian intelligent workshop (Zhengzhou) Co.,Ltd.

Address before: 451162 room 320, 3rd floor, Yufa Lanshan mansion, 100 m east of the intersection of Zhenggang 6th Road and Zhenggang 2nd Street, Hanggang District, Zhengzhou City, Henan Province

Applicant before: Zhengzhou Fulian intelligent workshop Co.,Ltd.

GR01 Patent grant