CN108377365B - Video monitoring system based on video safety access path - Google Patents


Info

Publication number
CN108377365B
Authority
CN
China
Prior art keywords
information
port
data input
gateway module
video
Legal status
Active
Application number
CN201810130482.0A
Other languages
Chinese (zh)
Other versions
CN108377365A (en
Inventor
张延平
Current Assignee
Jiangsu Perseverance Letter And Peace Electronic Science And Technology Co Ltd
Original Assignee
Jiangsu Perseverance Letter And Peace Electronic Science And Technology Co Ltd
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N7/00 Television systems
    • H04N7/18 Closed-circuit television [CCTV] systems, i.e. systems in which the video signal is not broadcast
    • H04N7/181 Closed-circuit television [CCTV] systems, i.e. systems in which the video signal is not broadcast, for receiving images from a plurality of remote sources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL

Abstract

The invention discloses a video monitoring system based on a video security access path, relating to the field of monitoring networks. The system comprises a plurality of ports for information access or output, each port forming a communication path through an open/closed network; the ports comprise a server port, a plurality of monitoring data input ports and a plurality of other device ports. A gateway module A is arranged between the server port and the open/closed network, and a gateway module B is arranged between the open/closed network and the monitoring data input ports. An effective information transmission path between the server port and the monitoring data input ports is formed through unidirectional comparison/verification/audit processing of information from gateway module A to gateway module B. By adopting one-way comparison/verification/audit, the invention classifies network information transmission into effective and invalid paths, locks transmission to one direction, and realizes low-cost, high-security network protection.

Description

Video monitoring system based on video safety access path
Technical Field
The invention relates to the field of monitoring networks, in particular to a video monitoring system based on a video security access path.
Background
With the popularization of monitoring networks, devices such as servers and monitors communicate with each other to form a transmission network. However, an effective self-defense mechanism is still lacking: a malicious party can attack the monitoring network from any device to acquire or destroy devices or information in the network, and even hijack branch devices.
Building a defense system for monitoring networks on the network's software and hardware architecture is currently the mainstream direction of the technology and has a considerable prior-art foundation in many high-end research organizations. For example, the Chinese invention patent with application number 200680016779.X discloses the following system:
a method and system for a configurable security and surveillance system that may include at least one programmable sensor agent and/or at least one programmable content analysis agent. The system manager may configure the security and surveillance system to provide a variety of processing features by programming configurable hardware devices in the programmable sensor agents and/or the programmable content analysis agents. The configurable hardware device may be programmed using the device programming file. The device programming file may be encrypted and a key may be requested to cause different processing features to be programmed into the programmable sensor agent and/or the programmable content analysis agent. The device programming files and/or keys may be received from an e-commerce provider via a network transmission and/or via a machine-readable medium.
These results were released in the early stage of the network era and laid the foundation of monitoring network security architecture. However, the scheme involves setting many parameters, and the method and system it discloses encrypt and decrypt captured video information using both hardware and software in the video monitoring network, so the implementation cost is high.
Disclosure of Invention
The invention aims to provide a video monitoring system based on a video security access path which adopts one-way comparison/verification/audit to classify network information transmission into effective and invalid paths, lock transmission to one direction, and realize low-cost, high-security network protection.
The technical purpose of the invention is realized by the following technical scheme:
the video monitoring system based on the video safety access path comprises a plurality of ports for information access or output, wherein each port forms a communication path through an open/closed network;
the ports comprise a server port, a plurality of monitoring data input ports and a plurality of other equipment ports;
a gateway module A is arranged between the server port and the open/closed network, and a gateway module B is arranged between the open/closed network and the monitoring data input port; an effective information transmission path between the server port and the monitoring data input port is formed through unidirectional comparison/verification/audit processing of information from gateway module A to gateway module B.
In this scheme, the information transmission path between the server port and the monitoring data input port is constructed by one-way comparison/verification/audit of information from gateway module A to gateway module B, so that effective and invalid paths of network information transmission are classified and transmission is locked to one direction; the network configuration is simplified, the network load is reduced, and low-cost, high-security network protection is realized.
In some embodiments, among the information sent from the server port toward the monitoring data input port or other device ports, gateway module A transparently transmits, without any processing, the packets whose destination IP address and destination port number match the destination IP address list and destination port number list stored in the device.
This simplifies and sorts a complex network and reduces its load.
In some embodiments, among the information sent from the server port toward the monitoring data input port or other device ports, gateway module A marks and then forwards the packets whose destination does not match the destination IP address list and destination port number list stored in the device.
This locks the information and prevents a third party from acquiring video monitoring information, so the security of the monitoring network is ensured.
In some embodiments, gateway module A transparently passes, without any processing, all information sent from the monitoring data input port or other device ports toward the server port.
This forms a unidirectional transmission lock from the server port toward the monitoring data input port, realizing low-cost, high-security network protection.
In some embodiments, gateway module B performs mark confirmation on the information mark; if confirmation succeeds, the information reaches the monitoring data input port, otherwise transmission is terminated.
This forms the effective information transmission path between the server port and the monitoring data input port and classifies network information transmission into effective and invalid paths.
In some embodiments, the information marking is encryption and the mark confirmation is decryption.
Gateway module A and gateway module B thus form a matched encryption/decryption pair, realizing unidirectional comparison/verification/audit of information from the server port toward the monitoring data input port.
In some embodiments, among the information sent from the server port or other device ports toward the monitoring data input port, gateway module B directly discards, without forwarding, all information that carries no information mark.
In this way all signal sources other than the server are automatically defined as invalid/illegal information sources, a closed-circuit framework is formed in the monitoring system network, and effective and invalid communication paths are divided intelligently, so that no port other than the server port can effectively acquire video monitoring information; the security of the monitoring network is ensured, a malicious party is effectively prevented from attacking it, and a safe, efficient and low-cost monitoring network security framework is realized.
In some embodiments, among the information sent from the monitoring data input port toward the server port, gateway module B directly discards all information not directed to the server port.
This adds protection at the monitoring data input port and closes the information loop at the monitoring front end, so that a malicious party cannot attack the monitoring network from any port other than the monitoring data input port to acquire or destroy effective information; the security of the monitoring network is greatly improved.
In some embodiments, among the information sent from the monitoring data input port toward the server port, gateway module B directly discards information whose type is not a video protocol type.
All information of non-video protocol types is thus defined as invalid/illegal at gateway module B and discarded directly instead of being forwarded, which reduces network load, simplifies network configuration and reduces cost.
In some embodiments, the monitoring data input port comprises a number of branch ports, and an IP address filtering module, a port information comparison module and an information format judging module are configured in gateway module B.
In this scheme, the IP address filtering module, the port information comparison module and the information format judging module configured in gateway module B judge whether information sent from the monitoring data input port toward the server port is directed to the server port, that is, whether its destination IP address is the IP address of the server accessed by the monitoring devices, whether its port number is an open port of that server, and whether its information type is a video protocol type.
Compared with the prior art, the video monitoring system based on the video safety access path has the following advantages:
1. Through one-way path marking, the information transmission path between the server port and the monitoring data input port is constructed, and all signal sources other than the server are automatically defined as invalid/illegal information sources, so that a closed-circuit framework is formed in the monitoring system network and effective and invalid communication paths are divided intelligently.
2. Further, protection is formed at the monitoring data input port and an information closed loop is formed at the monitoring front end, so that a malicious party cannot attack the monitoring network from any port other than the monitoring data input port to acquire or destroy effective information; the security of the monitoring network is greatly improved.
Drawings
Fig. 1 is a schematic structural diagram of the video monitoring system based on a video security access path according to the present disclosure;
Fig. 2 is a block diagram of gateway module B in the system shown in Fig. 1.
Reference numerals: 1, port; 11, server port; 12, monitoring data input port; 13, other device ports; 2, open/closed network; 3, gateway module A; 4, gateway module B; 41, IP address filtering module; 42, port information comparison module; 43, information format judging module.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings.
As shown in Fig. 1, the video monitoring system based on a video security access path disclosed by the invention comprises a plurality of ports 1 for information access or output and an open/closed network 2 forming a communication path among the ports 1; the open/closed network 2 is a local area network built by an operator or a user.
As shown in Fig. 1, the ports 1 include a server port 11, a monitoring data input port 12 and a plurality of other device ports 13. The server port 11 connects to a server that processes and responds to the service requests of the monitoring devices; the monitoring data input port 12 includes a number of branch ports for connecting monitoring equipment such as cameras or other image sensors; the other device ports 13 connect other network devices. Taking a public security bureau's security monitoring system as an example, the monitoring data input port 12 connects the monitoring devices inside the bureau, and the other device ports 13 can be regarded as the network devices of its subordinate organizations.
As shown in Fig. 1, a gateway module A3 is connected between the server port 11 and the open/closed network 2, with the server port 11 upstream of gateway module A3; a gateway module B4 is connected between the open/closed network 2 and the monitoring data input ports 12, with the monitoring data input ports 12 downstream of gateway module B4, and all monitoring data input ports 12 are connected to the same gateway module B4.
In this embodiment, the necessary functions of gateway module A3 are configured as follows:
1. For information sent from the upstream server port 11 to the downstream monitoring data input port 12 or other device ports 13, gateway module A3 may be configured to pass data for selected destination IP addresses and port numbers without any processing, that is, to transmit without processing any packet whose destination matches the destination IP address list and destination port number list stored in the device. Because the server port 11 connects the server and the monitoring data input port 12 connects the monitoring devices, gateway module A3 in effect designates which network devices connected to the server are allowed to access the monitoring devices, and data for those destination IP addresses and port numbers need not be checked; this simplifies a complex network and reduces its load.
2. For information sent from the upstream server port 11 toward the downstream monitoring data input port 12 or other device ports 13, information other than that for the listed destination IP addresses and port numbers is marked and then forwarded, that is, information not matching the destination IP address list and destination port number list stored in the device is forwarded after marking. Information marking here means encryption.
Correspondingly, gateway module B4 is configured as follows: for information sent from the upstream server port 11 or other device ports 13 toward the downstream monitoring data input port 12, an unencrypted message is discarded directly without forwarding, while encrypted information sent from the upstream server port 11 toward the downstream monitoring data input port 12 is decrypted and then forwarded.
Under this configuration, if an intruder into the communication network intranet tries to reach the front-end cameras or other image sensors at the monitoring data input port 12 through the intranet, the messages it sends are discarded by gateway module B4, because they are either unencrypted or encrypted in a mode and with a key that do not match gateway module B4; a third party is thus prevented from obtaining video monitoring information and the security of the monitoring network is ensured.
3. All information from the monitoring data input port 12 or other device ports 13 toward the server port 11 is passed through without any processing. The reason is that even if a device other than the front-end cameras or image sensors at the monitoring data input port 12 attacks the communication network intranet, the information returned by the network device it targets is unencrypted, and its messages are discarded by gateway module B4. Under this configuration a unidirectional transmission lock from the server port 11 toward the monitoring data input port 12 is formed, realizing low-cost, high-security network protection.
In addition to the configuration corresponding to the second function of gateway module A3, gateway module B4 has the following necessary functional configurations:
1. For information sent from the downstream monitoring data input port 12 toward the upstream server port 11, if the destination IP address is not the address of the server accessed by the monitoring devices, or the port number is not a port opened by that server, the information is discarded directly without forwarding.
Under this premise, any device other than the front-end cameras or image sensors at the monitoring data input port 12 that tries to tap into the communication network intranet has its messages discarded by gateway module B4, because the destination IP address or port number of its data messages is not an allowed IP address or port number.
2. For information sent from the downstream monitoring data input port 12 toward the upstream server port 11, information whose type is not a video protocol type is discarded directly.
Under this premise, any device other than the front-end cameras or image sensors at the monitoring data input port 12 that tries to attack the communication network intranet has its messages discarded by gateway module B4, because its data type is not a video protocol type.
To implement this configuration, as shown in Fig. 2, gateway module B4 is provided with an IP address filtering module 41, a port information comparison module 42 and an information format judging module 43, which together determine whether information sent from the monitoring data input port 12 toward the server port 11 is directed to the server port 11: that is, whether its destination IP address is the IP address of the server accessed by the monitoring devices, whether its port number is a port opened by that server, and whether its information type is a video protocol type.
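As an added illustration (not code from the patent or its applicant), the following Python model applies the functional configurations of gateway module A3 and gateway module B4 described above to constructed packets. A shared-key HMAC tag stands in for the patent's encryption-based information mark, so that an unmarked or altered packet cannot pass B4 without the key; the IP addresses, ports and protocol labels are constructed sample values, not from the patent text.

```python
"""Model of the two-gateway policy: A3 marks or passes downstream traffic,
B4 confirms marks downstream and filters IP/port/protocol upstream."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

# Constructed sample values (assumptions, not from the patent text).
SHARED_KEY = b"constructed-key-shared-by-gateway-A3-and-B4"
TAG_LEN = 32  # HMAC-SHA256 tag appended as the "information mark"

# Gateway A3: destination IP/port lists stored in the device. Downstream
# packets matching both lists pass untouched; all others are marked.
A_TRANSPARENT_DST_IPS = {"10.0.2.10"}   # a permitted subordinate device
A_TRANSPARENT_DST_PORTS = {443}

# Gateway B4: the server's address, its open ports, and the protocol
# labels it treats as video (modules 41, 42 and 43 in Fig. 2).
SERVER_IP = "10.0.1.1"
SERVER_OPEN_PORTS = {554, 8000}
VIDEO_PROTOCOLS = {"RTSP", "RTP"}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str         # application-protocol label, e.g. "RTSP"
    payload: bytes
    marked: bool = False  # set once gateway A3 has appended its mark


def _header(pkt: Packet) -> bytes:
    return f"{pkt.src_ip}|{pkt.dst_ip}|{pkt.dst_port}|{pkt.protocol}|".encode()


def mark(pkt: Packet) -> Packet:
    """A3's information marking: bind header and payload to the shared key."""
    tag = hmac.new(SHARED_KEY, _header(pkt) + pkt.payload, hashlib.sha256).digest()
    return replace(pkt, payload=pkt.payload + tag, marked=True)


def confirm_mark(pkt: Packet) -> Optional[Packet]:
    """B4's mark confirmation: verify and strip the mark, or reject (None)."""
    if not pkt.marked or len(pkt.payload) < TAG_LEN:
        return None
    body, tag = pkt.payload[:-TAG_LEN], pkt.payload[-TAG_LEN:]
    expected = hmac.new(SHARED_KEY, _header(pkt) + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return replace(pkt, payload=body, marked=False)


def gateway_a(pkt: Packet, downstream: bool) -> Packet:
    """Gateway module A3. downstream=True means server port -> other ports."""
    if not downstream:
        return pkt  # function 3: everything toward the server passes unchanged
    if pkt.dst_ip in A_TRANSPARENT_DST_IPS and pkt.dst_port in A_TRANSPARENT_DST_PORTS:
        return pkt  # function 1: matches both stored lists, transparent
    return mark(pkt)  # function 2: everything else is marked, then forwarded


def gateway_b(pkt: Packet, downstream: bool) -> Optional[Packet]:
    """Gateway module B4. Returns the forwarded packet, or None if discarded."""
    if downstream:
        return confirm_mark(pkt)  # unmarked or forged marks are discarded
    # Upstream: IP filter (41), port comparison (42), format judgement (43).
    if pkt.dst_ip != SERVER_IP or pkt.dst_port not in SERVER_OPEN_PORTS:
        return None
    if pkt.protocol not in VIDEO_PROTOCOLS:
        return None
    return pkt


def server_to_camera(pkt: Packet) -> Optional[Packet]:
    """Effective path: server port 11 -> A3 -> network 2 -> B4 -> port 12."""
    return gateway_b(gateway_a(pkt, downstream=True), downstream=True)


def camera_to_server(pkt: Packet) -> Optional[Packet]:
    """Return path: port 12 -> B4 -> network 2 -> A3 -> server port 11."""
    passed = gateway_b(pkt, downstream=False)
    return None if passed is None else gateway_a(passed, downstream=False)


def other_device_to_camera(pkt: Packet) -> Optional[Packet]:
    """A device at port 13 reaching port 12 via network 2: it never passes A3."""
    return gateway_b(pkt, downstream=True)


if __name__ == "__main__":
    # Constructed packets for the three paths.
    cmd = Packet("10.0.1.1", "10.0.3.5", 554, "RTSP", b"PLAY rtsp://cam/stream")
    frame = Packet("10.0.3.5", "10.0.1.1", 554, "RTP", b"<video frame>")
    probe = Packet("10.0.2.10", "10.0.3.5", 554, "RTSP", b"DESCRIBE rtsp://cam")
    print("server -> camera :", server_to_camera(cmd) == cmd)
    print("camera -> server :", camera_to_server(frame) == frame)
    print("port 13 -> camera:", other_device_to_camera(probe))
```

Running the module directly prints whether each constructed packet survives its path; `None` means gateway module B4 discarded it.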
The working principle is as follows:
The server port 11 connects the server and the monitoring data input port 12 connects the monitoring devices. A network device that is allowed access can read the information the server returns to it, because that information is passed through gateway module A3 unencrypted; among the network devices connected to the server, only those permitted by gateway module A3 can access the monitoring devices.
A network device that is not allowed access cannot read the information the server returns to it, because that information is encrypted by gateway module A3 before being forwarded; such a device therefore cannot access the monitoring devices.
Information sent by the server to the front-end cameras or other image sensors is encrypted by gateway module A3 and then forwarded; gateway module B4 decrypts the received information and forwards it, so the front-end cameras or other image sensors correctly receive the information sent by the server.
In summary, in the video monitoring system based on a video security access path disclosed by the invention, unidirectional comparison/verification/audit (i.e. encryption) of information from gateway module A3 to gateway module B4 forms an effective information transmission path between the server port 11 and the monitoring data input port 12. Under this framework, any access to the monitoring network from a third party other than the server port 11 and the monitoring data input port 12 is defined as invalid communication, so that no port other than the server port 11 and the monitoring data input port 12 can effectively acquire video monitoring information; the security of the monitoring network is ensured, a malicious party is effectively prevented from attacking it, and a safe, efficient and low-cost monitoring network security framework is realized.

Claims (8)

1. A video monitoring system based on a video security access path, comprising a plurality of ports (1) for information access or output, each port (1) forming a communication path through an open/closed network (2);
the ports (1) comprise a server port (11), a plurality of monitoring data input ports (12) and a plurality of other device ports (13);
characterized in that a gateway module A (3) is arranged between the server port (11) and the open/closed network (2), and a gateway module B (4) is arranged between the open/closed network (2) and the monitoring data input port (12); an effective information transmission path between the server port (11) and the monitoring data input port (12) is formed through unidirectional comparison/verification/audit processing of information from the gateway module A (3) to the gateway module B (4);
among the information sent from the server port (11) to the monitoring data input port (12) or other device ports (13), the gateway module A (3) transparently transmits, without any processing, the information messages matching the destination IP address list and destination port number list stored in the device;
and among the information sent from the server port (11) to the monitoring data input port (12) or other device ports (13), the gateway module A (3) marks and forwards the information messages not matching the destination IP address list and destination port number list stored in the device.
2. The video monitoring system based on the video security access path according to claim 1, characterized in that the gateway module A (3) transparently transmits, without any processing, all information sent from the monitoring data input port (12) or other device ports (13) toward the server port (11).
3. The video monitoring system based on the video security access path according to claim 2, characterized in that the gateway module B (4) performs mark confirmation on the information mark, transmits the information to the monitoring data input port (12) after the mark is successfully confirmed, and terminates transmission if the mark is not confirmed.
4. The video monitoring system based on the video security access path according to claim 3, characterized in that the information marking is encryption and the mark confirmation is decryption.
5. The video monitoring system based on the video security access path according to claim 1, characterized in that, among the information sent from the server port (11) or other device ports (13) to the monitoring data input port (12), the gateway module B (4) directly discards without forwarding all information that carries no information mark.
6. The video monitoring system based on the video security access path according to claim 1, characterized in that, among the information sent from the monitoring data input port (12) toward the server port (11), the gateway module B (4) directly discards all information not directed to the server port (11).
7. The video monitoring system based on the video security access path according to claim 6, characterized in that, among the information sent from the monitoring data input port (12) toward the server port (11), the gateway module B (4) directly discards information whose type is a non-video protocol type.
8. The video monitoring system based on the video security access path according to claim 7, characterized in that the monitoring data input port (12) comprises a plurality of branch ports, and an IP address filtering module (41), a port information comparison module (42) and an information format judging module (43) are arranged in the gateway module B (4).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810130482.0A CN108377365B (en) 2018-02-08 2018-02-08 Video monitoring system based on video safety access path


Publications (2)

Publication Number Publication Date
CN108377365A CN108377365A (en) 2018-08-07
CN108377365B true CN108377365B (en) 2020-03-24

Family

ID=63017428

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810130482.0A Active CN108377365B (en) 2018-02-08 2018-02-08 Video monitoring system based on video safety access path

Country Status (1)

Country Link
CN (1) CN108377365B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2081323A1 (en) * 2007-06-13 2009-07-22 Huawei Technologies Co., Ltd. Method, apparatus and system for controlling multicast bearing resource
CN101945086A (en) * 2009-11-30 2011-01-12 广州市聚晖电子科技有限公司 Security system access business platform for video type security gateway and information transmission method
CN103200396A (en) * 2013-04-09 2013-07-10 广东粤铁瀚阳科技有限公司 Real-time video stream display method and system based on information display platform
CN104954764A (en) * 2015-07-21 2015-09-30 上海远哲电子技术有限公司 Video monitoring system based on video resource safety gateway
CN106027358A (en) * 2016-07-12 2016-10-12 上海厚泽信息技术有限公司 Network security management and control system for accessing social video networks to video private network
CN107395588A (en) * 2017-07-18 2017-11-24 浙江远望通信技术有限公司 Video monitoring accesses safe blocking-up method and system


Also Published As

Publication number Publication date
CN108377365A (en) 2018-08-07


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant