Summary of the invention
To address the deficiencies of the prior art, the present invention provides a communication management method for an Internet of Things (IoT) security system, in which the data collected by the IoT devices is analyzed and processed by an edge computing device. The edge computing device includes a communication module, a controller and a policy enforcement unit.
An authentication server, through its label unit, assigns dimension labels to the IoT devices in a manner associated with their classification, so that each dimension label corresponds to one class of IoT device. A dimension label has a public key certificate, and the dimension label is associated both with the IoT device and with the class of IoT security service. The IoT security services include a fire protection service, an access control service and a video surveillance service.
Security rules are stored and distributed by the controller, where each security rule corresponds to one class of IoT device and defines the access rules of that IoT device.
The authentication server receives an authentication key from the TLS endpoint of an IoT device and determines whether the IoT devices of that class have been assigned a dimension label. The policy enforcement unit manages the communication of the IoT devices according to the security rules.
According to a preferred embodiment, the dimension labels related to the fire protection service include smoke sensor, temperature sensor and infrared sensor; the dimension labels related to the access control service include fingerprint sensor, smart card and RFID card; and the dimension labels related to the video surveillance service include camera, video camera and digital media processor.
According to a preferred embodiment, if a newly added IoT device belongs to a class of IoT device to which a dimension label has already been assigned, the label unit assigns the existing dimension label to the IoT device; if the newly added IoT device does not belong to a class of IoT device to which a dimension label has been assigned, the label unit generates a new dimension label based on the authentication key of the IoT device, where the authentication key includes a MAC address and a universally unique identifier (UUID).
According to a preferred embodiment, the label unit generates a public key certificate for the new dimension label, and the controller assigns a security rule to the new dimension label.
According to a preferred embodiment, the policy enforcement unit verifies the certificate of a first device and extracts the identifier and the dimension label from the certificate of the first device; the policy enforcement unit retrieves the dimension label of a second device and compares the dimension label of the second device with the dimension label of the first device; if the dimension labels match, the policy enforcement unit allows communication between the first device and the second device. The first device and the second device include IoT devices, management clients and management servers.
According to a preferred embodiment, an intelligent IoT gateway is additionally provided between the IoT devices and the edge computing device. The intelligent IoT gateway uses decision logic to prioritize the data according to data type and data content, and then forwards the data above a preset priority to the edge computing device.
The invention has the following advantages:
The IoT security services supported by the present invention cover a wide range and many classes, and different security rules can be enforced according to the class of each IoT security service, which significantly improves the security of the security system. In addition, edge computing technology is used: the edge computing device pre-processes the data collected by the IoT devices at the network edge of the IoT devices, which avoids the waste of bandwidth resources caused by centrally uploading all the data generated by all IoT devices to the management server, reduces bandwidth occupancy and improves the efficiency of classified data transmission.
Specific embodiment
In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in more detail below with reference to the embodiments and the accompanying drawings. It should be understood that these descriptions are merely illustrative and are not intended to limit the scope of the present invention. In addition, in the following description, descriptions of well-known structures and technologies are omitted to avoid unnecessarily obscuring the concept of the invention.
As shown in Figure 1, the communication management method for an IoT security system of the present invention includes: an edge computing device analyzes and processes the data collected by the security-related IoT devices, where the edge computing device includes a communication module, a controller and a policy enforcement unit.
The authentication server, through its label unit, assigns dimension labels to the IoT devices in a manner associated with their classification, so that each dimension label corresponds to one class of IoT device. A dimension label has a public key certificate, and the dimension label is associated both with the IoT device and with the class of IoT security service. The IoT security services include a fire protection service, an access control service and a video surveillance service.
Security rules are stored and distributed by the controller, where each security rule corresponds to one class of IoT device and defines the access rules of that IoT device.
The authentication server receives an authentication key from the TLS endpoint of an IoT device and determines whether the IoT devices of that class have been assigned a dimension label. The policy enforcement unit manages the communication of the IoT devices according to the security rules.
Illustratively, the dimension labels related to the fire protection service include smoke sensor, temperature sensor and infrared sensor; the dimension labels related to the access control service include fingerprint sensor, smart card and RFID card; and the dimension labels related to the video surveillance service include camera, video camera and digital media processor.
Preferably, if a newly added IoT device belongs to a class of IoT device to which a dimension label has already been assigned, the label unit assigns the existing dimension label to the IoT device; if the newly added IoT device does not belong to a class of IoT device to which a dimension label has been assigned, the label unit generates a new dimension label based on the authentication key of the IoT device, where the authentication key includes a MAC address and a universally unique identifier (UUID). Further, the label unit generates a public key certificate for the new dimension label, and the controller assigns a security rule to the new dimension label.
Specifically, the policy enforcement unit verifies the certificate of the first device and extracts the identifier and the dimension label from the certificate of the first device; the policy enforcement unit retrieves the dimension label of the second device and compares it with the dimension label of the first device; if the dimension labels match, the policy enforcement unit allows communication between the first device and the second device. The first device and the second device include IoT devices, management clients and management servers.
Preferably, an intelligent IoT gateway is additionally provided between the IoT devices and the edge computing device. The intelligent IoT gateway uses decision logic to prioritize the data according to data type and data content, and then forwards the data above a preset priority to the edge computing device. In this way, the local intelligent IoT gateway can be used to selectively optimize the data, thereby reducing the bandwidth required to transmit the data without losing important information.
The present invention uses edge computing technology. An edge computing device is arranged at the network edge of the security-related IoT devices; it can not only pre-process the data collected by the IoT devices to reduce bandwidth demand and cloud storage load, but can also, through the TLS protocol combined with the specific class requirements of the IoT security services, perform classified communication management of the IoT devices, thereby significantly improving the communication security of the security system. In addition, the present invention can support communication management of newly added IoT devices and has good scalability.
As shown in Fig. 2, the IoT security system that executes the method of the present invention includes IoT devices, an edge computing device, an authentication server and a security management platform. The security management platform includes a management server, management clients and alarm devices. The IoT devices include temperature sensors, smoke sensors, fingerprint sensors, video cameras, smart cards, card readers, etc. The management clients include smart phones, tablet computers, desktop computers, laptops, etc. The alarm devices include buzzers, LED lights, displays, etc.
The edge computing device is arranged between the IoT devices and the security management platform. It is used to manage the communication of the IoT devices of all classes associated with the IoT security services and to analyze and process the data collected by the IoT devices; the edge computing device supports the TLS protocol. The edge computing device may be any device with computing capability and communication functions, such as a server or a computer. In the present invention, the "edge" in "edge computing device" refers to its location at the network edge side of the IoT devices, which facilitates the classified communication management of the IoT devices and the processing of the data they collect. The pre-processing performed by the edge computing device on the data collected by the IoT devices specifically includes analyzing and filtering that data according to the requirements of the IoT security services, so as to reduce the load on the network bandwidth.
The authentication server, through its label unit, assigns dimension labels to the IoT devices in a manner associated with their classification, so that each dimension label corresponds to one class of IoT device. A dimension label has a public key certificate, and the dimension label is associated both with the IoT device and with the class of IoT security service.
The edge computing device includes a communication module, a controller and a policy enforcement unit. The controller is used to store and distribute security rules, where each security rule corresponds to one class of IoT device and defines the access rules of that IoT device.
The authentication server is also used to receive an authentication key from the TLS endpoint of an IoT device and to determine whether the IoT devices of that class have been assigned a dimension label; the policy enforcement unit is used to manage the communication of the IoT devices according to the security rules.
The working principle of the IoT security system is described in detail below:
In the edge computing device, the controller can store multiple security rules in its policy engine, and can generate and distribute security rules.
The authentication server receives an authentication key from the TLS endpoint in each IoT device, and can determine whether the class of that IoT device has already been assigned a dimension label. If a dimension label is associated with the IoT device, the authentication server returns a certificate containing the ID and the label to the TLS endpoint associated with that specific IoT device.
Each policy enforcement unit is controlled by the controller to enforce the security rules for each IoT device or service. Each policy enforcement unit includes a TLS agent for downloading and implementing the TLS policy. Each IoT device or IoT service is configured to perform TLS communication through the policy enforcement unit.
In the security system, a backend administrator can first register the authentication key/credential of each new IoT device as part of the IoT security system architecture, so that the system can subsequently detect each device based on its authentication key/credential. The authentication server includes a label unit, which can generate new dimension labels as needed or assign existing dimension labels to IoT devices or services.
The system assigns a dimension label to the IoT devices of each class, and the label unit can also generate and issue public key certificates. The authentication server may also include a security rule storage unit, which manages the security rules enforced by the policy enforcement unit and stores the system security rules sent by the backend administrator.
When a new IoT device is added to the security system, the administrator can configure the newly added IoT device. The configuration method depends on whether the device supports the TLS protocol.
For IoT devices that support TLS, the authentication server can receive an authentication key from each IoT device; the authentication key can be used to identify the ID and the dimension label assigned to the IoT device. For example, in one embodiment, the authentication key may be the MAC address or universally unique identifier (UUID) assigned to each IoT device. If the IoT device is not part of an existing IoT device class in the system, the authentication server can generate a certificate containing the ID and the dimension label of the IoT device.
Optionally, the policy enforcement unit can also perform filtering and monitoring: when a new IoT device is identified and the new IoT device has been assigned a label that cannot be protected, the policy enforcement unit is configured for that IoT device. Communication between IoT devices is controlled by the TLS endpoints and the policy enforcement unit based on the security rules of the specific IoT device.
Devices that do not support TLS can be connected to the edge computing device through an IoT gateway. The IoT gateway has a bridge, and the IoT gateway can use a TLS endpoint to perform TLS communication on behalf of the devices without TLS capability. The IoT gateway and the bridge may be implemented in software running on a Linux machine with communication connectivity.
The registration method of an IoT device is as follows: the authentication server includes a database for storing the authentication keys, IDs and dimension labels of the IoT devices. The backend administrator sends a request to the authentication server to request the device registration list; after receiving the registration list, the backend administrator sends the authentication key, ID and dimension label of the new IoT device. The authentication server then stores the data about the new IoT device and confirms that the new IoT device can be authenticated and used in the system. If the new IoT device or service does not have a valid certificate, the new IoT device can start the certificate request process by sending its authentication key and public key to the authentication server. The authentication server then retrieves the ID and dimension label associated with the received authentication key, and generates and returns the certificate for the new IoT device or service.
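The registration and certificate request flow just described, together with the label unit's assign-existing-or-generate-new behaviour from the preferred embodiment, as an added example in Python (not the patent's own code). The label derivation (a SHA-256 digest of the MAC address and UUID), the in-memory database and the HMAC signature standing in for the public key certificate are assumptions.

```python
# Added example: authentication server with label unit and registration DB.
# Label derivation (SHA-256 over the "MAC|UUID" authentication key) and the
# HMAC signature standing in for a public key certificate are assumptions.
import hashlib
import hmac
import json


class AuthenticationServer:
    def __init__(self, signing_key: bytes):
        self._signing_key = signing_key   # assumption: server signing key
        self.db = {}       # authentication key -> {"id": ..., "label": ...}
        self.labels = {}   # device class -> dimension label already assigned

    def label_unit(self, device_class: str, auth_key: str) -> str:
        """Assign the existing label of a known class, or generate a new one
        from the device's authentication key (MAC address + UUID)."""
        if device_class in self.labels:
            return self.labels[device_class]
        digest = hashlib.sha256(auth_key.encode()).hexdigest()[:8]
        label = f"{device_class}-{digest}"
        self.labels[device_class] = label
        return label

    def register(self, auth_key: str, device_id: str, device_class: str) -> str:
        """Backend administrator registers a new device's key, ID and class;
        the server stores the record and returns the assigned label."""
        label = self.label_unit(device_class, auth_key)
        self.db[auth_key] = {"id": device_id, "label": label}
        return label

    def is_registered(self, auth_key: str) -> bool:
        """Confirm that a device can be authenticated and used in the system."""
        return auth_key in self.db

    def request_certificate(self, auth_key: str, public_key: str) -> dict:
        """Device sends authentication key and public key; the server looks up
        the associated ID and label and returns a signed certificate."""
        record = self.db.get(auth_key)
        if record is None:
            raise PermissionError("unregistered authentication key")
        cert = {"id": record["id"], "label": record["label"],
                "public_key": public_key}
        payload = json.dumps(cert, sort_keys=True).encode()
        cert["signature"] = hmac.new(self._signing_key, payload,
                                     "sha256").hexdigest()
        return cert


def demo() -> dict:
    """Constructed registrations: two smoke sensors share one label, a camera
    gets a new one; the first sensor then requests its certificate."""
    server = AuthenticationServer(b"constructed-signing-key")
    server.register("aa:bb:cc:00:00:01|11111111-1111-1111-1111-111111111111",
                    "smoke-01", "smoke_sensor")
    server.register("aa:bb:cc:00:00:02|22222222-2222-2222-2222-222222222222",
                    "smoke-02", "smoke_sensor")   # same class: reuses label
    server.register("aa:bb:cc:00:00:03|33333333-3333-3333-3333-333333333333",
                    "cam-01", "video_camera")     # new class: new label
    return server.request_certificate(
        "aa:bb:cc:00:00:01|11111111-1111-1111-1111-111111111111", "PUBKEY-01")
```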
The policy enforcement unit has port forwarding settings. When performing communication management, the policy enforcement unit extracts the ID and the dimension label from the certificate and determines, based on the security rules, whether communication is permitted. The policy enforcement unit obtains the require parameter from the policy file: if one of the initiator's labels is included in the require parameter, communication is allowed; otherwise communication is blocked.
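The policy enforcement decision above, and the certificate verification and label comparison from the preferred embodiment, as an added example (not the patent's own implementation): the unit verifies both certificates, extracts ID and dimension label, and consults the require parameter of the responder's entry in a policy file. The JSON policy layout, the HMAC check standing in for signature verification and the constructed policy contents are assumptions.

```python
# Added example: policy enforcement unit deciding from the "require" parameter.
# The JSON policy file layout and the HMAC stand-in for certificate signature
# verification are assumptions, not the patent's own format.
import hmac
import json


def make_cert(device_id: str, label: str, signing_key: bytes) -> dict:
    """Constructed certificate issuer (stand-in for the authentication server)."""
    body = {"id": device_id, "label": label}
    payload = json.dumps(body, sort_keys=True).encode()
    return {**body, "signature": hmac.new(signing_key, payload, "sha256").hexdigest()}


class PolicyEnforcementUnit:
    def __init__(self, policy_file: str, signing_key: bytes):
        # One entry per responder dimension label; "require" lists the initiator
        # labels allowed to talk to it. A security rule for a single device
        # class therefore requires that class's own label (label match).
        self.policies = json.loads(policy_file)
        self._signing_key = signing_key

    def verify(self, cert: dict):
        """Verify the certificate and extract (id, label); raise if tampered."""
        body = {"id": cert["id"], "label": cert["label"]}
        payload = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(self._signing_key, payload, "sha256").hexdigest()
        if not hmac.compare_digest(expected, cert.get("signature", "")):
            raise ValueError("certificate verification failed")
        return cert["id"], cert["label"]

    def decide(self, initiator_cert: dict, responder_cert: dict) -> bool:
        """Allow only if the initiator's label is in the responder's require list."""
        try:
            _, initiator_label = self.verify(initiator_cert)
            _, responder_label = self.verify(responder_cert)
        except ValueError:
            return False                 # unverifiable certificate: block
        rule = self.policies.get(responder_label)
        if rule is None:
            return False                 # no security rule for this class: block
        return initiator_label in rule.get("require", [])


# Constructed policy file: each device class admits its own label, and the
# management server may be reached by the security-service classes and clients.
POLICY_FILE = json.dumps({
    "smoke_sensor": {"require": ["smoke_sensor", "management_server"]},
    "video_camera": {"require": ["video_camera", "management_server"]},
    "management_server": {"require": ["smoke_sensor", "video_camera",
                                      "management_client"]},
})
```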
In a preferred embodiment, an intelligent IoT gateway is additionally provided between the IoT devices and the edge computing device. The intelligent IoT gateway can automatically discover nearby IoT devices and connect to them through wired or wireless communication channels. The communication connection modes supported by the intelligent IoT gateway include cellular networks, Zigbee, Bluetooth, WiFi and NFC.
The intelligent IoT gateway has sufficient computing capability, memory and storage capacity, as well as artificial intelligence, to analyze local data and make decisions at the local level. The intelligent IoT gateway has a computing unit and a memory, and the decision logic it uses includes artificial intelligence, video analysis, a rule engine and decision trees.
Instead of retaining all the data and sending it to the edge computing unit, the intelligent IoT gateway uses decision logic to prioritize the data according to data type and data content and creates a reduced data stream in which only selected data or the data of highest priority is transmitted.
For example, the intelligent IoT gateway can analyze the video data captured by a video camera among the IoT devices to determine whether the image content has changed from time T1 to time T2. The intelligent IoT gateway uses a rule engine containing rules such as: if "the image content of video camera 1 at time T2 is equal to the image content of video camera 1 at time T1", then low importance is assigned to the video data at time T1. Depending on the available bandwidth, the data identified as low importance can be omitted from transmission, or transmitted after its resolution has been reduced. Similar analysis can be performed on sensor data; for example, low-importance data can alternatively be stored locally. Therefore, the amount by which the total data to be transferred to the edge computing device is reduced may depend on the availability of bandwidth for uploading the data. In this way, the local intelligent IoT gateway is used to selectively optimize the data, so that less bandwidth is needed to transmit the data without losing important information.
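The gateway's prioritization rule and bandwidth-dependent reduction above, as an added example (not the patent's own code). Frames are small integer grids standing in for camera images; the priority levels, the halving downscale and the bandwidth threshold are assumptions.

```python
# Added example: intelligent IoT gateway prioritization and reduced stream.
# Frames are small integer grids standing in for camera images; priority
# levels, the halving downscale and the bandwidth threshold are assumptions.
HIGH, LOW = 2, 1
SCARCE_BANDWIDTH = 1.0   # assumption: below this (Mbps) low-priority data is dropped


def downscale(frame):
    """Reduce resolution by keeping every other row and column."""
    return [row[::2] for row in frame[::2]]


def prioritize(stream):
    """Rule engine from the description: if the content of a camera at T2
    equals its content at T1, the data at T1 is assigned low importance.
    The same rule is applied to sensor readings. Everything else is high."""
    items = [dict(item, priority=HIGH) for item in stream]
    previous = {}   # (type, source) -> index of that source's previous item
    for i, item in enumerate(items):
        key = (item["type"], item["source"])
        if key in previous and items[previous[key]]["payload"] == item["payload"]:
            items[previous[key]]["priority"] = LOW
        previous[key] = i
    return items


def reduce_stream(stream, available_bandwidth):
    """Create the reduced data stream for the edge computing device: high
    importance data is always sent; low importance data is omitted when
    bandwidth is scarce, otherwise video is sent at reduced resolution and
    sensor data is stored locally instead of being uploaded."""
    result = {"sent": [], "stored_locally": [], "omitted": []}
    for item in prioritize(stream):
        if item["priority"] == HIGH:
            result["sent"].append(item)
        elif available_bandwidth < SCARCE_BANDWIDTH:
            result["omitted"].append(item)
        elif item["type"] == "video":
            result["sent"].append(dict(item, payload=downscale(item["payload"])))
        else:
            result["stored_locally"].append(item)
    return result


# Constructed stream: camera1 shows the same picture at T1 and T2, then a
# change at T3; temp1 reports the same reading twice, then a jump.
FRAME_A = [[0, 0, 0, 0], [0, 9, 9, 0], [0, 9, 9, 0], [0, 0, 0, 0]]
FRAME_B = [[0, 0, 0, 0], [0, 0, 9, 9], [0, 0, 9, 9], [0, 0, 0, 0]]
STREAM = [
    {"type": "video", "source": "camera1", "time": 1, "payload": FRAME_A},
    {"type": "video", "source": "camera1", "time": 2, "payload": FRAME_A},
    {"type": "video", "source": "camera1", "time": 3, "payload": FRAME_B},
    {"type": "sensor", "source": "temp1", "time": 1, "payload": 21.5},
    {"type": "sensor", "source": "temp1", "time": 2, "payload": 21.5},
    {"type": "sensor", "source": "temp1", "time": 3, "payload": 35.0},
]

if __name__ == "__main__":
    for bandwidth in (0.5, 10.0):
        r = reduce_stream(STREAM, bandwidth)
        print(bandwidth, "sent", len(r["sent"]), "stored", len(r["stored_locally"]),
              "omitted", len(r["omitted"]))
```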
The above description is merely a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any changes or replacements that can be easily conceived by those skilled in the art within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.