CN112287246B - Method and device for realizing access control and information filtering based on protocol identification - Google Patents


Info

Publication number: CN112287246B
Authority: CN (China)
Application number: CN202011594830.3A
Language: Chinese (zh)
Other versions: CN112287246A
Inventors: 王艳辉, 韩杰, 杨春晖, 陆宏成
Assignee (original and current): Visionvera Information Technology Co Ltd
Legal status: Active (application granted)
Prior art keywords: conference, security level, video, terminal, server

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F 16/90 Details of database functions independent of the retrieved data types > G06F 16/95 Retrieval from the web > G06F 16/953 Querying, e.g. by the use of web search engines > G06F 16/9536 Search customisation based on social or collaborative filtering
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/60 Protecting data > G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules > G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database

Abstract

The embodiments of the invention provide a method and a device for implementing access control and information filtering based on protocol identification, applied to a video network comprising video-network terminals and a server. The method includes: the video-network terminal reports its security level to the server; at the same time as, or after, reporting the security level, it sends a conference-join request to the server; and it receives the conference-join response returned by the server. Access control and message filtering for the terminal's participation in video-network conferences are performed directly by the server according to the terminal's security level. This removes the hazard of the conventional IP network, where the data stream must first be received by the terminal device before an upper-layer application can filter it, and so considerably improves the security of a classified system.

Description

Method and device for realizing access control and information filtering based on protocol identification
Technical Field
The invention relates to the technical field of video networking, and in particular to a method, and a corresponding device, for implementing access control and information filtering based on protocol identification.
Background
With the development of communication and network technology, message transmission increasingly depends on networks, so the way a message is transmitted directly affects the security of the message.
Message security is generally ensured by encrypting the message to be transmitted. In a conventional classified-communication service the classification (security-level) tag is superimposed at the session or application layer, above the IP protocol, and processed there. Because the tag lives above IP, a terminal device that receives a tagged message first accepts the whole service stream at the IP layer of its protocol stack and only afterwards evaluates and handles the classification in an upper-layer application. By then the classified message has already been received by the terminal, so it is exposed to interception through a system vulnerability or a malicious program, which is unfavourable to protecting the classified message.
Disclosure of Invention
In view of the above problems, embodiments of the present invention provide a method for implementing access control and information filtering based on protocol identification, and a corresponding device, which overcome or at least partially solve those problems.
To that end, an embodiment of the invention discloses a method for implementing access control and information filtering based on a protocol identifier, applied to a video network comprising a video-network terminal and a server. The method includes:
the video-network terminal reports its security level to the server, the security level indicating which conferences the terminal is permitted to access;
at the same time as, or after, reporting the security level, the terminal sends a conference-join request to the server;
the terminal receives a conference-join response from the server, generated according to the terminal's security level and indicating whether the terminal has joined the conference successfully.
An embodiment of the invention also discloses a method for implementing access control and information filtering based on protocol identification, applied to a video network comprising a video-network terminal and a server. The method includes:
receiving a conference-join request reported by the video-network terminal;
determining whether the security level of the terminal matches the conference security level of the conference it requests to join, where the terminal's security level was received by the server from the terminal side and indicates which conferences the terminal is permitted to access;
generating a conference-join response according to the matching result and sending it to the terminal, the response indicating whether the terminal has successfully joined the conference.
An embodiment of the invention also discloses a device for implementing access control and information filtering based on protocol identification, applied to the video network, comprising:
a security-level reporting module for reporting the security level of the video-network terminal to the server, the security level indicating which conferences the terminal is permitted to access;
a join-request sending module for sending a conference-join request to the server at the same time as, or after, sending the security level;
a join-response receiving module for receiving the conference-join response sent by the server, the response being generated according to the terminal's security level and indicating whether the terminal has successfully joined the conference.
An embodiment of the invention also discloses a device for implementing access control and information filtering based on protocol identification, applied to the video network, comprising:
a join-request receiving module for receiving the conference-join request reported by the video-network terminal;
a security-level matching module for determining whether the terminal's security level matches the conference security level of the conference it requests to join, where the terminal's security level was received by the server from the terminal side and indicates which conferences the terminal is permitted to access;
a join-response generating module for generating a conference-join response according to the matching result and sending it to the terminal, the response indicating whether the terminal has successfully joined the conference.
An embodiment of the invention also discloses a device for implementing access control and information filtering based on protocol identification, comprising one or more processors and one or more machine-readable media storing instructions which, when executed by the one or more processors, cause the device to perform any of the above methods.
An embodiment of the invention also discloses a computer-readable storage medium storing a computer program that causes a processor to execute any of the above methods for implementing access control and information filtering based on protocol identification.
The embodiments of the invention have the following advantages:
by exploiting the characteristics of the video network, the terminal reports its security level to the server, so that when the server responds to the terminal's conference-join request it can perform access control and message filtering for that terminal's participation in the video-network conference directly according to security level. This removes the hazard of the conventional IP network, in which the data stream is received by the terminal device first and message filtering is left to an upper-layer application, and so considerably improves the security of a classified system.
Drawings
FIG. 1 is a schematic diagram of the classification-tag protocol of a conventional IP network;
FIG. 2 is a schematic diagram of the framework of a video network in an embodiment of the invention;
FIG. 3 is a flowchart of the steps of a method for implementing access control and information filtering based on protocol identification according to the invention;
FIG. 4 is a schematic diagram of the video-network security-level tag protocol in an embodiment of the invention;
FIG. 5 is a flowchart of the steps of another method for implementing access control and information filtering based on protocol identification according to the invention;
FIG. 6 is a diagram of an application scenario of video-network-based conference control in an embodiment of the invention;
FIG. 7 is a schematic structural diagram of a device for implementing access control and information filtering based on protocol identification according to the invention;
FIG. 8 is a schematic structural diagram of another device for implementing access control and information filtering based on protocol identification according to the invention;
FIG. 9 is a networking diagram of a video network of the invention;
FIG. 10 is a diagram of the hardware architecture of a node server of the invention;
FIG. 11 is a schematic diagram of the hardware architecture of an access switch of the invention;
FIG. 12 is a schematic diagram of the hardware structure of an Ethernet protocol conversion gateway of the invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
In general, the security-level tag field can be integrated into the network-layer switching protocol, so that forwarding devices in the network decide whether or not to forward on the basis of that field and message filtering and access control are performed at the network device itself.
Referring to FIG. 1, which shows the classification-tag protocol of a conventional IP network: a data stream carrying a classification tag is encapsulated as a frame consisting of an Ethernet header, an IP header, a TCP header, a user data field and an Ethernet trailer. The classification tag is superimposed by the session or application layer above IP, that is, the tag field sits inside the user data field together with the application data in the message body.
As FIG. 1 shows, the superimposed classification tag is encapsulated together with the application data into the user data. When such a stream reaches a terminal device, the terminal first receives it at the IP layer of its protocol stack and only then evaluates and processes the classification in an upper-layer application. By then the classified message has already been received by the terminal and is exposed to interception by a system vulnerability or a malicious program, which is unfavourable to protecting it.
One of the core ideas of the embodiments is to exploit the characteristics of the video network: the data stream carrying a classification tag is encapsulated according to the video-network protocol, with the security-level tag field placed immediately before the user data field in the video-network protocol stack. A network node or switching device then decides directly from the tag in the video-network header whether to forward the stream, so access control and message filtering are performed according to security level without the stream first having to be received by the terminal device and filtered there.
Referring to FIG. 2, which shows the framework of a video network in an embodiment of the invention, the network involves a core switching server, an autonomous server, video-network terminals, a network management server, a conference management server and a conference scheduling terminal.
The video network is a physical network distinct from the existing Internet, with a tree structure organised by region. The core switching server and the autonomous server may be an independently developed video-network controller that integrates audio/video forwarding, set-top-box control, registration and other functions, available as a rack-mount chassis or as a portable server. The network management server manages admission of devices to the video network; it also serves multicast and other services and carries an encryption module. The conference scheduling terminal controls the video conference, for example selecting the terminals to convene, assigning terminals their roles in the conference and issuing conference-control commands. It may be video-network conference scheduling software (such as the Pamir software, a mobile-phone client or a Web client), a client used to control video-network conference services that can be installed on a PC, mobile phone, wearable device or similar and is usually deployed on a PC. The conference management server provides the communication between the conference scheduling software and the video-network terminals and manages the video-conference functions. The video-network terminal is the device on which video-network services land, the actual participant in, or server of, a video-network service; it may be a set-top box, a PC or similar.
Referring to FIG. 3, which shows the steps of a method for implementing access control and information filtering based on protocol identification in an embodiment of the invention, where the video network includes a video-network terminal and a server, the method may include the following steps:
Step 301, the video-network terminal reports its security level to the server; the security level indicates which conferences the terminal is permitted to access.
Message filtering and access control are performed by forwarding devices in the network. Because the terminal reports its security level directly to the server, the server, acting as the forwarding device in the video network, can filter the terminal directly according to the conferences that level permits it to access.
Step 302, the terminal sends a conference-join request to the server at the same time as, or after, sending the security level.
In an embodiment of the invention, the terminal may report its security level either together with the conference-join request or before sending the conference-join request.
In an optional embodiment, the server performs access control and message filtering for the terminal's participation in video-network conferences directly according to security level. When the terminal wants to join a video-network conference it generates a conference-join request and sends it to the server, either after sending its security level or at the same time.
Specifically, step 302 may include the following sub-steps:
Sub-step S11, sending a conference-join request message to the server that carries the terminal's security level; the message body may carry the security-level tag corresponding to that level.
In practice, reporting the security level together with the conference-join request means sending the server a conference-join request message whose body carries the terminal's security level. The terminal reports the request message and its level at the same time; the server receives the message and determines the terminal's security level from the security-level tag contained in the message body.
To perform message filtering and access control at a forwarding device in the network (for example the conference management server in a conference scenario, or the network management server in a network-join scenario), the security-level tag field may be integrated into the network-layer switching protocol. In the embodiment of the invention the tag field is encapsulated using the video-network protocol rather than the conventional IP protocol.
The security-level tag of the conference-join request message may be located at a preset position in the message body, the position being defined by encapsulating the message according to the video-network security-level tag protocol.
Referring to FIG. 4, which shows the video-network security-level tag protocol in an embodiment of the invention: a data stream carrying a security-level tag is encapsulated as a frame consisting of an Ethernet header, a video-network destination number field, a video-network local number field, a security-level tag field, a user data field and an Ethernet trailer. The tag carried in the message body is not a tag superimposed by a session or application layer above the video-network protocol.
As FIG. 4 shows, the security-level tag field sits at a preset position in the message body, immediately before the user data field. The tag field may be 2 bytes long, and different values represent different security levels: for example, tag 00 indicates top-secret level A; 01 indicates secret level B; 10 indicates confidential level C; and 11 indicates non-classified (public) level D. In practice the tag carried by a terminal indicates the security level of the current message and can also indicate the security level of the device that sent it, here the video-network terminal.
Note that in this scenario the network forwarding device performing message filtering and access control may be the conference management server, which manages the video-conference service: it receives the terminal's security level by receiving the conference-join request message, whose body carries a security-level tag encapsulated in the frame form of FIG. 4, and the tag corresponds to a security level.
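The FIG. 4 layout described above, and its contrast with the FIG. 1 layout discussed earlier, as an added worked example (this is not code from the patent or from Visionvera): it builds and parses a frame in the FIG. 4 field order, then takes the forwarding decision a switching node can make from the header alone, dropping malformed frames instead of passing them up the stack. The page gives neither the width of the destination and local number fields, nor an EtherType, nor a rule for comparing levels; the 4-byte number fields, the 0x88B5 EtherType, the zlib CRC standing in for the Ethernet FCS, and the reading of "match" as "destination clearance at least as sensitive as the tag" are all assumptions of this example.

```python
"""Added example: FIG. 4 video-network frame layout and the node-level
forwarding decision. VN number-field widths, the EtherType, the CRC stand-in
for the FCS and the level-comparison rule are assumptions, not from the page."""
import struct
import zlib

ETH_HDR_LEN = 14        # destination MAC (6) + source MAC (6) + EtherType (2)
FCS_LEN = 4             # Ethernet trailer: frame check sequence
VN_NUM_LEN = 4          # assumed width of the VN destination / local number fields
SEC_TAG_LEN = 2         # the page gives the security-level tag field as 2 bytes
VN_ETHERTYPE = 0x88B5   # assumed; 0x88B5 is an IEEE 802 local-experimental EtherType

# Security-level codes from the page: 00 = A, 01 = B, 10 = C, 11 = D (public).
# Assumption: the code is the integer value of the 2-byte field; lower = more sensitive.
LEVEL_NAMES = {0: "A", 1: "B", 2: "C", 3: "D"}


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_vn_frame(dst_number, local_number, level, user_data,
                   dst_mac="02:00:00:00:00:01", src_mac="02:00:00:00:00:02"):
    """Encapsulate user data in the FIG. 4 order:
    Ethernet header | VN destination number | VN local number | security tag | user data | FCS."""
    if level not in LEVEL_NAMES:
        raise ValueError("unknown security level code %r" % (level,))
    eth_header = _mac(dst_mac) + _mac(src_mac) + struct.pack(">H", VN_ETHERTYPE)
    vn_header = struct.pack(">IIH", dst_number, local_number, level)
    body = eth_header + vn_header + user_data
    # zlib.crc32 uses the Ethernet FCS polynomial; it stands in for the
    # hardware-generated trailer and is carried little-endian like the FCS.
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_vn_header(frame):
    """Read the VN header fields and verify the trailer. The tag is at a fixed
    offset after the two number fields, so a switching node reads it without
    parsing, or delivering, the user data."""
    min_len = ETH_HDR_LEN + 2 * VN_NUM_LEN + SEC_TAG_LEN + FCS_LEN
    if len(frame) < min_len:
        raise ValueError("frame too short: %d bytes" % len(frame))
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    if struct.unpack("<I", fcs)[0] != (zlib.crc32(body) & 0xFFFFFFFF):
        raise ValueError("bad FCS")
    dst_number, local_number, level = struct.unpack_from(">IIH", body, ETH_HDR_LEN)
    if level not in LEVEL_NAMES:
        raise ValueError("unknown security level code %r" % (level,))
    data_offset = ETH_HDR_LEN + 2 * VN_NUM_LEN + SEC_TAG_LEN
    return {"dst_number": dst_number, "local_number": local_number,
            "level": level, "user_data": body[data_offset:]}


def level_permits(holder_level, object_level):
    """Assumed reading of the page's 'match': the holder (here the destination)
    may receive streams at its own level or any less sensitive one."""
    return holder_level <= object_level


def forward_decision(frame, dest_clearance):
    """Decision a forwarding node takes from the header alone. Returns
    ('forward', level name) or ('drop', reason); malformed frames are dropped
    rather than handed to an application."""
    if dest_clearance not in LEVEL_NAMES:
        raise ValueError("unknown clearance code %r" % (dest_clearance,))
    try:
        fields = parse_vn_header(frame)
    except ValueError as exc:
        return ("drop", "malformed: %s" % exc)
    name = LEVEL_NAMES[fields["level"]]
    if level_permits(dest_clearance, fields["level"]):
        return ("forward", name)
    return ("drop", "tag %s exceeds destination clearance %s"
            % (name, LEVEL_NAMES[dest_clearance]))


def demo():
    """Constructed sample: three tagged frames arriving at a node whose
    destination terminal is cleared at level B (code 1)."""
    frames = [build_vn_frame(0x10000001, 0x10000002, 0, b"top-secret stream"),
              build_vn_frame(0x10000001, 0x10000002, 1, b"secret stream"),
              build_vn_frame(0x10000001, 0x10000002, 3, b"public stream")]
    return [forward_decision(f, dest_clearance=1)[0] for f in frames]


if __name__ == "__main__":
    print(demo())
```

Compare this with FIG. 1: there the tag sits inside the user data, behind variable-length IP and TCP headers and whatever framing the application uses, so a forwarding device cannot locate it without parsing the payload, which is exactly the step the patent wants to move off the terminal.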
Sub-step S12, before reporting the conference-join request to the server, sending a network-join request message to the server; the network-join request message may carry the security level and the video-network terminal information.
In a preferred embodiment, before the terminal sends a conference-join request to the conference management server it must first join the video network, which it does by sending a network-join request to the server; here the server may be the network management server, which provides the device network-join verification service.
In practice, while the terminal is being deployed at a venue, the security administrator sets its security level according to the security level of that venue, that is, configures the corresponding level for the terminal at the venue. Messages the terminal then sends (for example conference-join and network-join request messages) carry the same security level as the terminal, and the message body containing the level-related content is encapsulated with the security-level tag field in the frame form shown in FIG. 4.
Specifically, the terminal has a pre-assigned video-network virtual number and a preset security level. It obtains its own terminal information (for example its MAC address, the unique device number by which a video-network terminal device is identified) and, carrying the virtual number and the preset security level, generates a network-join request message that bears the security-level tag. The body of that message carries the tag corresponding to the terminal's level and may likewise be encapsulated in the frame form of FIG. 4.
The terminal sends the network-join request message, which may include its virtual number, its security level and its terminal information, to the network management server. On receiving it, the network management server checks whether the virtual number carried in the message is registered on the network management platform and, if so, allows the terminal to join the video network.
After admitting the terminal, the network management server stores the correspondence between the terminal's security level and its terminal information: it obtains the terminal information (for example the MAC address), establishes the mapping between the security level given by the tag in the network-join message body and that MAC address, and enters the mapping in a data table. It then synchronises the newly created or updated table of terminal MAC addresses and their security levels to the conference management server.
Step 303, receiving the conference-join response sent by the server.
In an embodiment of the invention, after receiving a conference-join request from the terminal, the conference management server generates a conference-join response and returns it to the terminal, indicating whether the terminal that initiated the request has successfully joined the conference.
In a specific implementation, the conference management server generates the response from the result of matching the security level the terminal reported against the conference security level of the conference it requested to join; that is, access control and message filtering for the terminal's participation in the video-network conference are performed directly according to the reported level.
The conference management server determines whether the terminal's security level matches the conference security level of the video-network conference and generates the response accordingly; the response may be a join-success response or a join-failure response.
If the conference management server determines from the reported level that the terminal's access level (the terminal's authority to access conferences) matches the conference security level of the current video-network conference, it generates a join-success response and returns it to the terminal, informing it that it has joined the current conference. If it determines that the terminal's level does not match the conference security level, it generates a join-failure response and returns it to the terminal, informing it that it has not joined the current conference.
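The network-join and conference-join exchange of sub-steps S11 and S12 and step 303, as an added example that is not part of the patent: the terminal sends its virtual number, level and MAC to a network management server, which checks the virtual number against its registered set, records the MAC-to-level mapping and synchronises the table to the conference management server; the conference management server then decides the join request against the conference level set at creation. The level-comparison rule (terminal at least as sensitive as the conference), the cross-check that the level carried in the join request equals the level recorded at network join, and all identifiers and message shapes are assumptions of this example, not taken from the page.

```python
"""Added example: network-join and conference-join handling with the
MAC -> security-level table the network management server synchronises to
the conference management server. Message shapes, identifiers and the
comparison rule are assumptions, not taken from the patent."""
from dataclasses import dataclass, field

# Security-level codes from the page: 0 = A, 1 = B, 2 = C, 3 = D (public).
LEVEL_NAMES = {0: "A", 1: "B", 2: "C", 3: "D"}


def level_permits(terminal_level, conference_level):
    """Assumed reading of the page's 'match': a terminal may join a conference
    at its own level or any less sensitive one (lower code = more sensitive)."""
    return terminal_level <= conference_level


@dataclass
class Terminal:
    mac: str
    virtual_number: str
    level: int          # configured by the security administrator for the venue

    def network_join_request(self):
        # Sub-step S12: virtual number, security level and terminal info (MAC).
        return {"type": "network_join_request", "virtual_number": self.virtual_number,
                "level": self.level, "mac": self.mac}

    def conference_join_request(self, conference_id):
        # Sub-step S11: the join request body carries the terminal's level tag.
        return {"type": "conference_join_request", "conference_id": conference_id,
                "level": self.level, "mac": self.mac}


@dataclass
class ConferenceManagementServer:
    conferences: dict = field(default_factory=dict)      # conference_id -> level, set at creation
    terminal_levels: dict = field(default_factory=dict)  # MAC -> level, synced from the NMS

    def create_conference(self, conference_id, level):
        if level not in LEVEL_NAMES:
            raise ValueError("bad conference level %r" % (level,))
        self.conferences[conference_id] = level

    def sync_level_table(self, table):
        self.terminal_levels = dict(table)

    def handle_conference_join(self, req):
        mac, conf_id = req["mac"], req["conference_id"]
        recorded = self.terminal_levels.get(mac)
        if recorded is None:
            return self._response(False, "terminal has not joined the network")
        # Added check (assumption): the level in the request is self-reported, so it
        # must agree with the level the NMS recorded for this MAC at network join.
        if req["level"] != recorded:
            return self._response(False, "reported level differs from recorded level")
        if conf_id not in self.conferences:
            return self._response(False, "no such conference")
        if not level_permits(recorded, self.conferences[conf_id]):
            return self._response(False, "security level mismatch")
        return self._response(True, None)

    @staticmethod
    def _response(ok, reason):
        return {"type": "conference_join_response", "ok": ok, "reason": reason}


@dataclass
class NetworkManagementServer:
    registered_numbers: set
    cms: ConferenceManagementServer
    level_table: dict = field(default_factory=dict)   # MAC -> level

    def handle_network_join(self, req):
        if req["virtual_number"] not in self.registered_numbers:
            return {"type": "network_join_response", "ok": False, "reason": "unregistered number"}
        if req["level"] not in LEVEL_NAMES:
            return {"type": "network_join_response", "ok": False, "reason": "bad level tag"}
        self.level_table[req["mac"]] = req["level"]
        self.cms.sync_level_table(self.level_table)   # keep the CMS copy current
        return {"type": "network_join_response", "ok": True, "reason": None}


def run_scenario():
    """Constructed scenario: one conference at level B; a B-cleared terminal,
    a C-cleared terminal, a terminal with an unregistered virtual number, and
    the C terminal re-sending its join request with an inflated level."""
    cms = ConferenceManagementServer()
    cms.create_conference("conf-1", level=1)
    nms = NetworkManagementServer(registered_numbers={"0001", "0002"}, cms=cms)
    t_b = Terminal("02:00:00:00:00:11", "0001", level=1)
    t_c = Terminal("02:00:00:00:00:12", "0002", level=2)
    t_x = Terminal("02:00:00:00:00:13", "0099", level=0)
    results = {}
    for name, t in (("b", t_b), ("c", t_c), ("x", t_x)):
        nms.handle_network_join(t.network_join_request())
        results[name] = cms.handle_conference_join(t.conference_join_request("conf-1"))["ok"]
    inflated = dict(t_c.conference_join_request("conf-1"), level=0)
    results["c_inflated"] = cms.handle_conference_join(inflated)["ok"]
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The cross-check matters because both the MAC and the level in a join request are supplied by the terminal; binding the decision to the administrator-configured level recorded at network join, which the synchronised table makes available to the conference management server, is what stops a terminal from simply claiming a higher level when it asks to join.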
In the embodiment of the invention, then, the terminal reports its security level to the server, and the server, when responding to the terminal's conference-join request, performs access control and message filtering for the terminal's participation in the video-network conference directly according to security level. This removes the hazard of the conventional IP network, in which the data stream is received by the terminal device first and message filtering is left to an upper-layer application, and so considerably improves the security of a classified system.
Referring to fig. 5, a flowchart of the steps of another method for implementing access control and information filtering based on protocol identification in an embodiment of the present invention is shown. The method is applied to a video network that includes a video networking terminal and a server, and specifically includes the following steps:
Step 501, the server receives a conference entry request reported by the video networking terminal;
Step 502, the server determines whether the security level of the video networking terminal matches the conference security level of the conference it has requested to join; the security level of the video networking terminal is received by the server from the video networking terminal side and indicates which conferences the terminal is authorised to access;
The server may receive the conference entry request either together with the security level reported by the video networking terminal or after it. Having received the conference entry request, the server can obtain the conference security level of the video networking conference the terminal asks to join, and can then compare the security level reported by the terminal with that conference security level. The server that receives the reported security level and performs this comparison may be a conference management server, that is, a server with the function of managing the video conference service.
In a preferred embodiment, as regards how the conference security level of a video networking conference is determined, the conference security level may be set by the server at the time the conference is created. The server that sets the conference security level may be a conference scheduling server that controls the video conference service.
Specifically, the conference management server may obtain the conference security level of the video networking conference from the conference scheduling server.
In practical application, when a video networking conference is created dynamically, the conference scheduling terminal can set the conference security level of the newly created conference at that moment and send it to the conference management server. The conference security levels may comprise four classes, in descending order of sensitivity: top secret (class A), highly secret (class B), secret (class C) and unclassified (class D).
In an alternative embodiment, after obtaining the conference security level of the current conference (that is, the conference the terminal requests to join), the conference management server may determine whether the security level of the video networking terminal matches that conference security level. Specifically, when the security level of the video networking terminal is higher than or equal to the conference security level, the terminal's security level is determined to match the conference security level.
It should be noted that the security level of the video networking terminal used for the match is received by the conference management server from the terminal side. It may be the security level reported when the terminal sends the conference entry request to the server, that is, the level determined from the security level identifier carried in the conference entry request; or it may be the security level reported before the terminal sends the conference entry request, that is, the level determined from the data table established or updated in response to the terminal's network entry request. The embodiments of the present invention are not limited in this respect.
In this embodiment of the invention, message filtering and access control are performed by forwarding equipment in the network rather than by the receiving terminal: the video networking terminal reports its security level directly to the server, where the security level indicates which conferences the terminal is authorised to access and therefore determines the conference level the terminal is allowed to join; after receiving the reported security level, the server can filter the terminal directly on the basis of that authority.
In practical application, the video networking terminal may report its security level to the conference management server either at the time it sends the conference entry request or before sending the conference entry request.
In the first case, reporting the security level together with the conference entry request means that the terminal sends a conference entry request message to the conference management server whose message body carries the terminal's security level identifier. After receiving the conference entry request message, the conference management server obtains the security level identifier from the message body and determines the security level corresponding to it.
The security level identifier carried in the message body of the conference entry request message may be encapsulated according to the data frame shown in fig. 4, that is, as the identifier corresponding to the security level. In the data frame format of fig. 4, the video networking source number may be a virtual video networking number pre-assigned to the video networking terminal, and the video networking destination number may be the fixed, unique video networking number of the conference management server.
Further, the security level identifier field encapsulated in the data frame of fig. 4 may sit at a preset position in the message body of the conference entry request message, namely immediately before the user data field, while the request itself (the conference entry request) is carried in the user data field (it may sit in the application data field contained in the user data field). At the communication protocol layer, then, the conference management server on receiving the conference entry request message first decides, from the security level identifier field in the message body and the security level of the current conference, whether the conference entry request in the user data field is to be read at all, and only once it has decided to read it does it respond to the conference entry request contained in the user data field.
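The protocol-layer gating described above, as an added example that is not part of the patent: the security level identifier field is checked before the user data field is ever parsed, so a terminal whose level is too low has its payload discarded unread. The byte layout (4-byte source number, 4-byte destination number, 1-byte level identifier, 2-byte user data length, then user data), the level identifier encoding and the conference management server's number are all assumptions; fig. 4 only fixes that the level field sits directly before the user data.

```python
import struct
from typing import Optional, Tuple

# Security levels of the conference and of the terminal, ranked so that A > B > C > D.
LEVEL_RANK = {"A": 3, "B": 2, "C": 1, "D": 0}

# Assumed encoding of the security level identifier field (the patent gives no byte values).
LEVEL_ID_TO_NAME = {0x01: "A", 0x02: "B", 0x03: "C", 0x04: "D"}
LEVEL_NAME_TO_ID = {name: ident for ident, name in LEVEL_ID_TO_NAME.items()}

# Assumed fixed, unique video networking number of the conference management server.
CONFERENCE_MGMT_NUMBER = 0x00010001

# Assumed layout of the message body (big-endian); only "level field directly before
# user data" comes from the patent:
#   source number (4) | destination number (4) | level identifier (1) | user data length (2) | user data
HEADER = struct.Struct(">IIBH")


def level_satisfies(terminal_level: str, conference_level: str) -> bool:
    """Match succeeds when the terminal's level is higher than or equal to the conference's."""
    return LEVEL_RANK[terminal_level] >= LEVEL_RANK[conference_level]


def encode_request(src_number: int, terminal_level: str, user_data: bytes) -> bytes:
    """Terminal side: build a conference entry request message carrying the level identifier."""
    return HEADER.pack(src_number, CONFERENCE_MGMT_NUMBER,
                       LEVEL_NAME_TO_ID[terminal_level], len(user_data)) + user_data


def gate_request(raw: bytes, conference_level: str) -> Tuple[str, Optional[bytes]]:
    """Server side, protocol layer: decide from the header alone whether the user data is read.

    Returns (verdict, user_data); user_data is None unless the verdict is "accept", so the
    application-layer conference entry request is never parsed for a terminal whose level
    is too low or whose identifier is not recognised.
    """
    if len(raw) < HEADER.size:
        return "drop:short", None
    _src, dst, level_id, length = HEADER.unpack_from(raw)
    if dst != CONFERENCE_MGMT_NUMBER:
        return "drop:wrong-destination", None
    if len(raw) != HEADER.size + length:
        return "drop:bad-length", None
    level = LEVEL_ID_TO_NAME.get(level_id)
    if level is None:
        return "drop:unknown-level", None          # unrecognised identifiers fail closed
    if not level_satisfies(level, conference_level):
        return "reject:level", None                # payload is discarded unread
    return "accept", raw[HEADER.size:HEADER.size + length]


def demo() -> dict:
    """Constructed sample exchange: a class-B and a class-D terminal each ask to join a
    class-C conference; only the first request's user data reaches the application layer."""
    conference_level = "C"
    join = b'{"op":"join","conference":42}'     # constructed application data
    high = encode_request(0x0A000001, "B", join)
    low = encode_request(0x0A000002, "D", join)
    tampered = bytearray(high)
    tampered[8] = 0x7F                          # level identifier byte set to an unknown value
    return {
        "high": gate_request(high, conference_level),
        "low": gate_request(low, conference_level),
        "tampered": gate_request(bytes(tampered), conference_level),
        "truncated": gate_request(high[:-1], conference_level),
    }
```

Because the header is validated before the level is compared, a malformed or truncated message is dropped on structural grounds and never reaches the level comparison, and a level comparison that fails never reaches the application data.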
In a preferred embodiment, before receiving the conference entry request reported by the video networking terminal, the server may also receive a network entry request and a security level sent together by the video networking terminal.
The server may receive a network entry request message sent by the video networking terminal whose message body carries the security level identifier corresponding to the terminal's security level. After receiving the network entry request and the security level together, the server may store the correspondence between the terminal and its security level, specifically in a pre-established data table, so that when the terminal's security level is later matched against a conference security level the level for that terminal can be looked up in the table.
In practical applications, the server that receives the network entry request message and establishes or updates the data table may be a network management server.
Specifically, for a video networking terminal that is allowed to access the video network, the network management server may establish a correspondence between the security level indicated by the identifier in the message body of its network entry request message and the MAC address of the terminal, place the correspondence in the data table, and synchronise the updated data table to the conference management server. Before the conference management server receives a conference entry request from the terminal, it can thus receive from the network management server the data table holding the terminals' security levels, a table the network management server determines when responding to the network entry requests carried in the terminals' network entry request messages.
In the second case, reporting the security level before sending the conference entry request to the conference management server means that the terminal's security level is carried in the network entry request message, specifically as a security level identifier for the terminal carried in the message body of that message.
Step 503, the server generates a conference entry response according to the matching result and sends it to the video networking terminal.
In an embodiment of the present invention, after determining whether the security level of the video networking terminal matches the conference security level of the current conference, the conference management server obtains a matching result, generates a conference entry response from it, and sends the generated response to the video networking terminal.
The conference entry response indicates whether the video networking terminal has successfully joined the conference, and may be either a conference entry success response or a conference entry failure response.
In a specific implementation, if the matching result is that the security level of the video networking terminal reaches the conference security level of the current conference, the terminal is added to the current video networking conference and a conference entry success response is generated.
In one case, at the communication protocol layer, the conference management server compares the security level of the video networking terminal with the conference security level; if the security level corresponding to the identifier in the message body of the conference entry request message reaches the conference security level of the current conference, that is, it is the same as or higher than that level, the server responds to the conference entry request and allows the terminal, whose security level meets the requirement, to join the video networking conference.
In another case, on receiving a conference entry request from the video networking terminal, the conference management server may instead obtain the terminal's security level from the previously obtained data table and determine whether that level is the same as or higher than the conference security level of the current conference. If it is, the terminal's security level reaches the conference security level, the terminal has access rights for the conference, and it can be added to the video networking conference.
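The control flow of steps 501 to 503, covering both sources of the terminal's security level (the identifier carried in the conference entry request and the MAC-keyed data table synchronised from the network management server), as an added example that is not the patent's own code. The class and method names, the MAC addresses and the response dictionary shape are assumptions; the one behaviour the patent does not specify, a request-carried level that disagrees with the recorded one, is handled here by failing closed.

```python
from typing import Dict, List, Optional

# Four conference security levels in descending order of sensitivity (A > B > C > D).
LEVEL_RANK = {"A": 3, "B": 2, "C": 1, "D": 0}


def level_satisfies(terminal_level: str, conference_level: str) -> bool:
    """Match succeeds when the terminal's level is higher than or equal to the conference's."""
    return LEVEL_RANK[terminal_level] >= LEVEL_RANK[conference_level]


class ConferenceManagementServer:
    """Holds the conference levels set by the scheduling terminal and the MAC -> level table
    synchronised from the network management server, and answers conference entry requests."""

    def __init__(self) -> None:
        self.conference_levels: Dict[int, str] = {}
        self.level_table: Dict[str, str] = {}      # MAC address -> terminal security level
        self.members: Dict[int, List[str]] = {}

    def set_conference_level(self, conference_id: int, level: str) -> None:
        """Called by the conference scheduling terminal when the conference is created."""
        self.conference_levels[conference_id] = level
        self.members.setdefault(conference_id, [])

    def sync_table(self, table: Dict[str, str]) -> None:
        """Called by the network management server each time it updates its data table."""
        self.level_table = dict(table)

    def handle_join(self, mac: str, conference_id: int,
                    level_in_request: Optional[str] = None) -> dict:
        """Step 502 and 503: match the terminal's level and generate the conference entry response."""
        conference_level = self.conference_levels.get(conference_id)
        if conference_level is None:
            return {"result": "failure", "reason": "unknown conference"}
        recorded = self.level_table.get(mac)
        # Assumed policy (not in the patent): a level carried in the request must agree with the
        # level recorded at network entry when both exist; the recorded one is otherwise preferred.
        if level_in_request is not None and recorded is not None and level_in_request != recorded:
            return {"result": "failure", "reason": "reported level disagrees with network entry record"}
        terminal_level = recorded if recorded is not None else level_in_request
        if terminal_level is None:
            return {"result": "failure", "reason": "no security level known for terminal"}
        if not level_satisfies(terminal_level, conference_level):
            return {"result": "failure", "reason": "security level below conference level"}
        self.members[conference_id].append(mac)
        return {"result": "success", "conference": conference_id, "level": terminal_level}


class NetworkManagementServer:
    """Admits terminals to the video network and records each admitted terminal's level by MAC."""

    def __init__(self, admitted_macs: List[str], subscriber: ConferenceManagementServer) -> None:
        self.admitted = set(admitted_macs)        # terminals allowed to access the video network
        self.table: Dict[str, str] = {}
        self.subscriber = subscriber

    def handle_network_entry(self, mac: str, level: str) -> bool:
        """Network entry request carrying the terminal's level identifier in its message body."""
        if mac not in self.admitted or level not in LEVEL_RANK:
            return False
        self.table[mac] = level
        self.subscriber.sync_table(self.table)   # synchronise the updated data table
        return True


def scenario() -> dict:
    """Constructed scenario following fig. 6: network entry, conference creation, join requests."""
    cms = ConferenceManagementServer()
    nms = NetworkManagementServer(["00:11:22:33:44:01", "00:11:22:33:44:02"], cms)
    admitted_1 = nms.handle_network_entry("00:11:22:33:44:01", "B")
    admitted_2 = nms.handle_network_entry("00:11:22:33:44:02", "D")
    admitted_3 = nms.handle_network_entry("00:11:22:33:44:99", "A")   # not on the admitted list
    cms.set_conference_level(7, "C")                                   # scheduling terminal
    return {
        "admitted": (admitted_1, admitted_2, admitted_3),
        "join_from_table": cms.handle_join("00:11:22:33:44:01", 7),
        "join_below_level": cms.handle_join("00:11:22:33:44:02", 7),
        "join_claimed_higher": cms.handle_join("00:11:22:33:44:02", 7, level_in_request="A"),
        "join_request_only": cms.handle_join("00:11:22:33:44:99", 7, level_in_request="A"),
        "join_unknown_conference": cms.handle_join("00:11:22:33:44:01", 8),
    }
```

The `join_request_only` case is the patent's first variant taken on its own: with no network entry record the server has nothing to check the self-reported level against, which is why a deployment that can do so should prefer the table populated at network entry, as the `join_claimed_higher` case shows.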
In this embodiment of the invention, a characteristic of the video network is exploited: the conference management server receives the security level that the video networking terminal reports for itself, so that the conference management server directly enforces access control and message filtering for the video networking conference according to the different security levels. This removes the security risk present in a traditional IP network, where the data stream is first received by the terminal device and message filtering is only applied afterwards by an upper-layer application, and so considerably improves the security of the confidentiality system.
Referring to fig. 6, a view of an application scenario of video networking based conference control in an embodiment of the present invention is shown. It involves a video networking terminal, a network management server, a conference management server and a conference scheduling terminal, and the conference control process has two stages: the stage in which the video networking terminal accesses the video network, and the stage in which it joins a video networking conference.
In the stage of accessing the video network, a security administrator first sets the security levels of the video networking terminals in the different meeting places and configures each level into the corresponding terminal. The terminal then sends a network entry application (that is, a network entry request) to the network management server, carrying the security level of the terminal. Once the network management server has decided that the terminal may access the video network, it stores the terminal's MAC address and security level in the data table and synchronises the updated table to the conference management server.
In the stage of joining a video networking conference, the Pamier scheduling software (shown as the conference scheduling terminal) creates the video networking conference and sets the security level of the current conference. When the terminal applies to the conference management server to enter the conference, that is, sends a conference entry application (a conference entry request), the conference management server compares the security level recorded for the terminal's MAC address with the security level of the current conference. If the levels are the same, or the terminal's level is higher than the conference's, the terminal is allowed into the conference; if the terminal's level is lower than the conference's, it is not. In this embodiment of the invention the security level identifier is integrated into a network layer protocol field of the video network, and the conference management server enforces access control and message filtering directly according to the different security levels, without the data stream first having to be received on the terminal device and filtered there.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
Referring to fig. 7, a schematic structural diagram of an apparatus for implementing access control and information filtering based on protocol identification according to the present invention is shown, where the apparatus may be applied to a video network, and specifically may include the following modules:
a security level reporting module 701, configured to report the security level of the video networking terminal to the server; the security level indicates which conferences the video networking terminal is authorised to access;
a conference entry request reporting module 702, configured to report a conference entry request to the server at the same time as or after sending the security level to the server;
a conference entry response receiving module 703, configured to receive a conference entry response sent by the server; the conference entry response is generated according to the security level of the video networking terminal and indicates whether the terminal has successfully joined the conference.
In an embodiment of the present invention, the conference joining request reporting module 702 may include the following sub-modules:
and the conference joining request message sending submodule is used for sending a conference joining request message to the server, and carrying the security level of the video network terminal in the conference joining request message.
In an embodiment of the present invention, the conference entry request message sending sub-module may include the following units:
and the security level identifier carrying unit is used for carrying the security level identifier corresponding to the security level in the message body of the conference entering request message.
In an embodiment of the present invention, the security level reporting module 701 may include the following sub-modules:
a network access request message sending submodule, configured to send a network access request message to the server before reporting the conference access request to the server; the network access request message comprises a security level and video network terminal information.
Referring to fig. 8, a schematic structural diagram of another apparatus for implementing access control and information filtering based on protocol identification according to the present invention is shown, where the apparatus may be applied to a video network, and specifically may include the following modules:
a conference entry request receiving module 801, configured to receive a conference entry request reported by the video networking terminal;
a security level matching module 802, configured to determine whether the security level of the video networking terminal matches the conference security level of the conference it has requested to join, where the security level of the video networking terminal is received by the server from the terminal side and indicates which conferences the terminal is authorised to access;
a conference entry response generation module 803, configured to generate a conference entry response according to the matching result and send it to the video networking terminal; the conference entry response indicates whether the video networking terminal has successfully joined the conference.
In one embodiment of the present invention, the security level matching module 802 may include the following sub-modules:
and the security level matching submodule is used for determining that the security level of the video networking terminal is successfully matched with the security level of the conference when the security level of the video networking terminal is higher than or equal to the security level of the conference.
In one embodiment of the present invention, the conference entry request receiving module 801 may include the following sub-modules:
a conference entry request message receiving sub-module, configured to receive the conference entry request message sent by the video networking terminal, the message body of which carries a security level identifier corresponding to the security level of the terminal;
a security level identifier obtaining sub-module, configured to obtain the security level identifier from the conference entry request message;
and a security level determining sub-module, configured to determine the security level of the video networking terminal corresponding to the security level identifier.
In an embodiment of the present invention, the apparatus may further include the following modules, which act before the conference entry request reported by the video networking terminal is received:
a network entry request message receiving module, configured to receive a network entry request message sent by the video networking terminal that carries the terminal's security level and the video networking terminal information;
and a correspondence storage module, configured to store the correspondence between the security level of the video networking terminal and the video networking terminal information, so that the terminal's security level can be obtained from that correspondence when the security level is subsequently matched.
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
The embodiment of the invention also provides a conference control device based on the video network, which comprises: one or more processors; and one or more machine-readable media having instructions stored thereon, which, when executed by the one or more processors, enable the apparatus to perform the processes of the embodiments of the method for implementing access control and information filtering based on protocol identification as described above, and achieve the same technical effects, which are not described herein again to avoid repetition.
The embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when being executed by a processor, the computer program implements each process of the above method embodiment for implementing access control and information filtering based on protocol identification, and can achieve the same technical effect, and is not described herein again to avoid repetition.
The video networking is an important milestone in network development. It is a real-time network that can transmit high-definition video in real time, and it pushes many internet applications towards high-definition, face-to-face video.
The video networking adopts real-time high-definition video switching technology and can integrate dozens of required services, such as video, voice, pictures, text, communication and data, on one system platform over one network platform: high-definition video conferencing, video surveillance, intelligent surveillance analysis, emergency command, digital broadcast television, time-shifted television, network teaching, live broadcast, VOD on demand, television mail, Personal Video Recorder (PVR), intranet (self-run) channels, intelligent video broadcast control, message distribution and so on, delivering high-definition video through a television or a computer.
To help understand the embodiments of the present invention, the video networking is described below.
Some of the technologies applied in the video networking are as follows:
Network Technology (Network Technology)
The network technology innovation of video networking improves on traditional Ethernet in order to cope with the potentially enormous video traffic on the network. Unlike pure packet switching or pure circuit switching, the video networking technology adopts packet switching to meet streaming requirements: it keeps the flexibility, simplicity and low cost of packet switching while providing the quality and security guarantees of circuit switching, realising switched virtual circuits across the whole network with seamless connection and a uniform data format.
Switching Technology (Switching Technology)
The video network retains the two advantages of Ethernet, asynchrony and packet switching, while removing Ethernet's shortcomings on the premise of full compatibility. It provides end-to-end seamless connection across the whole network, communicates directly with the user terminal and carries IP data packets directly, so user data needs no format conversion anywhere in the network. The video network is a higher-level form of Ethernet and a real-time switching platform that can achieve network-wide, large-scale real-time transmission of high-definition video, which the existing Internet cannot, and pushes many network video applications towards high definition and unification.
Server Technology (Server Technology)
Server technology on the video networking and unified video platform differs from that of traditional servers: streaming media transmission on the platform is connection-oriented, its data processing capacity is independent of traffic volume and communication time, and a single network layer can carry both signalling and data transmission. For voice and video services, streaming media processing on the platform is much simpler than general data processing, and its efficiency is improved more than a hundredfold compared with a traditional server.
Storage Technology (Storage Technology)
To handle media content of very large volume and very high traffic, the ultra-high-speed storage technology of the unified video platform uses an advanced real-time operating system that maps the programme message in the server instruction to a specific hard disk space; media content no longer passes through the server but is sent instantly and directly to the user terminal, so that the user waits less than 0.2 seconds. Optimised sector allocation greatly reduces the mechanical head-seeking movement of the hard disk; resource consumption is only 20% of that of an IP internet of the same grade, yet three times the concurrent traffic of a traditional hard disk array is produced, and overall efficiency is improved more than tenfold.
Network Security Technology (Network Security Technology)
The structural design of the video network eliminates, at the structural level, the network security problems that trouble the Internet, through means such as independent permission control for every service and complete isolation of equipment and user data; in general no antivirus programs or firewalls are needed, attacks by hackers and viruses are avoided, and users are provided with a structurally worry-free secure network.
Service Innovation Technology (Service Innovation Technology)
The unified video platform integrates services and transmission: whether the subscriber is a single user, a private-network user or an aggregate network, it connects automatically just once. The user terminal, set-top box or PC connects directly to the unified video platform to obtain multimedia video services of many kinds and forms. The unified video platform uses a menu-style configuration table in place of traditional complex application programming, so that complex applications can be realised with very little code, enabling unlimited new service innovation.
Networking of the video network is as follows:
The video network has a centrally controlled network structure; the network may be a tree, star or ring network, but in every case the whole network is controlled by a centralised control node.
As shown in fig. 9, the video network is divided into an access network and a metropolitan area network.
The devices of the access network part can be classified into 3 main types: node servers, access switches and terminals (including various set-top boxes, coding boards, storage devices and so on). The node server is connected to an access switch, which may be connected to a plurality of terminals and may also be connected to an Ethernet network.
The node server is a node which plays a centralized control function in the access network and can control the access switch and the terminal. The node server can be directly connected with the access switch or directly connected with the terminal.
Similarly, devices of the metropolitan network portion may also be classified into 3 types: a metropolitan area server, a node switch and a node server. The metro server is connected to a node switch, which may be connected to a plurality of node servers.
The node server is a node server of the access network part, namely the node server belongs to both the access network part and the metropolitan area network part.
The metropolitan area server is a node which plays a centralized control function in the metropolitan area network and can control a node switch and a node server. The metropolitan area server can be directly connected with the node switch or directly connected with the node server.
Therefore, the whole video network is a network structure with layered centralized control, and the network controlled by the node server and the metropolitan area server can be in various structures such as tree, star and ring.
The access network part can form a unified video platform (the part in the dotted circle), and a plurality of unified video platforms can form a video network; each unified video platform may be interconnected via metropolitan area and wide area video networking.
Video networking device classification
1.1 The devices in the video network of the embodiment of the present invention can be classified into 3 main types: servers, switches (including Ethernet gateways) and terminals (including various set-top boxes, coding boards, storage devices and so on). The video network as a whole can be divided into a metropolitan area network (or national network, global network, etc.) and an access network.
1.2 The devices of the access network part can be classified into 3 main types: node servers, access switches (including Ethernet gateways) and terminals (including various set-top boxes, coding boards, storage devices and so on).
The specific hardware structure of each access network device is as follows:
a node server:
As shown in fig. 10, a node server mainly includes a network interface module 1001, a switching engine module 1002, a CPU module 1003 and a disk array module 1004.
Packets from the network interface module 1001, the CPU module 1003 and the disk array module 1004 enter the switching engine module 1002. The switching engine module 1002 looks up the address table 1005 for each incoming packet to obtain the packet's forwarding direction information, and stores the packet in the queue of the corresponding packet buffer 1006 according to that information; if the queue of the packet buffer 1006 is nearly full, the packet is discarded. The switching engine module 1002 polls all packet buffer queues and forwards from a queue when the following conditions are met: 1) the port send buffer is not full; 2) the queue packet counter is greater than zero. The disk array module 1004 mainly implements control of the hard disks, including initialization, read and write and other operations. The CPU module 1003 is mainly responsible for protocol processing with the access switches and terminals (not shown in the figure), for configuring the address table 1005 (including a downlink protocol packet address table, an uplink protocol packet address table and a data packet address table), and for configuring the disk array module 1004.
The access switch:
As shown in fig. 11, an access switch mainly includes a network interface module (a downlink network interface module 1101 and an uplink network interface module 1102), a switching engine module 1103 and a CPU module 1104.
Packets (uplink data) arriving from the downlink network interface module 1101 enter the packet detection module 1105. The packet detection module 1105 checks whether the destination address (DA), source address (SA), packet type and packet length of the packet meet the requirements; if so, it allocates a corresponding stream identifier (stream-id) and the packet enters the switching engine module 1103, otherwise the packet is discarded. Packets (downlink data) arriving from the uplink network interface module 1102 enter the switching engine module 1103, as do packets from the CPU module 1104. The switching engine module 1103 looks up the address table 1106 for each incoming packet to obtain the packet's forwarding direction information. If a packet entering the switching engine module 1103 is going from the downlink network interface to the uplink network interface, it is stored in the queue of the corresponding packet buffer 1107 according to its stream-id; if that queue is nearly full, the packet is discarded. If the packet is not going from the downlink network interface to the uplink network interface, it is stored in the queue of the corresponding packet buffer 1107 according to its forwarding direction information; if that queue is nearly full, the packet is discarded.
The switching engine module 1103 polls all packet buffer queues, which in the embodiment of the present invention is divided into two cases:
if the queue is from the downlink network interface to the uplink network interface, it is forwarded when the following conditions are met: 1) the port send buffer is not full; 2) the queue packet counter is greater than zero; 3) a token generated by the code rate control module has been obtained;
if the queue is not from the downlink network interface to the uplink network interface, it is forwarded when the following conditions are met: 1) the port send buffer is not full; 2) the queue packet counter is greater than zero.
The code rate control module 1108 is configured by the CPU module 1104 to generate tokens at programmable intervals for all packet buffer queues from the downlink network interfaces to the uplink network interfaces, thereby controlling the rate of uplink forwarding.
The CPU module 1104 is mainly responsible for protocol processing with the node server, for configuring the address table 1106 and for configuring the code rate control module 1108.
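The polling rule above, as an added simulation that is not code from the patent: two packet buffer queues are offered the same load, but only the downlink-to-uplink queue needs a token from the rate control module, so its forwarding rate is capped by the programmed token interval while the other queue is not. The tick model, the one-token-per-packet rule and the one-slot "nearly full" threshold are assumptions.

```python
from collections import deque

class RateControl:
    """Stand-in for the code rate control module 1108: the CPU module programs an
    interval and one token is generated per interval for the uplink queues. One token
    per packet is an assumption; the page does not define a token size."""
    def __init__(self, interval):
        self.interval = interval
        self.tokens = 0

    def tick(self, t):
        if t % self.interval == 0:
            self.tokens += 1

    def take(self):
        if self.tokens == 0:
            return False
        self.tokens -= 1
        return True

class PacketQueue:
    """One packet buffer queue; uplink means downlink interface -> uplink interface."""
    def __init__(self, name, uplink, capacity):
        self.name, self.uplink, self.capacity = name, uplink, capacity
        self.packets = deque()
        self.dropped = 0

    def enqueue(self, pkt):
        # "nearly full" is not quantified on the page; one slot of headroom is assumed
        if len(self.packets) >= self.capacity - 1:
            self.dropped += 1
            return False
        self.packets.append(pkt)
        return True

class AccessSwitch:
    def __init__(self, queues, rate_control, send_buffer_size):
        self.queues = queues
        self.rate = rate_control
        self.send_buffer_size = send_buffer_size
        self.send_buffer = {q.name: deque() for q in queues}   # one egress port per queue
        self.forwarded = {q.name: 0 for q in queues}

    def poll(self, t):
        """One pass of the switching engine 1103 over every packet buffer queue."""
        self.rate.tick(t)
        for q in self.queues:
            if len(self.send_buffer[q.name]) >= self.send_buffer_size:   # 1) port send buffer full
                continue
            if not q.packets:                                            # 2) queue counter is zero
                continue
            if q.uplink and not self.rate.take():                        # 3) uplink needs a token
                continue
            self.send_buffer[q.name].append(q.packets.popleft())
            self.forwarded[q.name] += 1

    def drain_ports(self, per_tick):
        """Egress links transmit up to per_tick packets each tick (constructed link model)."""
        for buf in self.send_buffer.values():
            for _ in range(min(per_tick, len(buf))):
                buf.popleft()

def simulate(ticks, token_interval, load_per_tick, capacity=8, send_buffer_size=4, drain_per_tick=4):
    """Offer the same load in both directions and report what each queue forwarded and dropped."""
    up = PacketQueue("uplink", uplink=True, capacity=capacity)
    down = PacketQueue("downlink", uplink=False, capacity=capacity)
    switch = AccessSwitch([up, down], RateControl(token_interval), send_buffer_size)
    for t in range(ticks):
        for i in range(load_per_tick):
            up.enqueue(("up", t, i))
            down.enqueue(("down", t, i))
        switch.poll(t)
        switch.drain_ports(drain_per_tick)
    return {"forwarded": dict(switch.forwarded),
            "dropped": {up.name: up.dropped, down.name: down.dropped}}
```

With one packet per tick in each direction and a token every second tick, the uplink queue forwards half as much as the downlink queue; doubling the offered load makes the uplink queue fill and start discarding while its forwarding count stays token-bound.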
Ethernet protocol conversion gateway
As shown in fig. 12, an Ethernet protocol conversion gateway mainly includes a network interface module (a downlink network interface module 1201 and an uplink network interface module 1202), a switching engine module 1203, a CPU module 1204, a packet detection module 1205, a rate control module 1208, an address table 1206, a packet buffer 1207, a MAC adding module 1209 and a MAC deleting module 1210.
Packets arriving from the downlink network interface module 1201 enter the packet detection module 1205. The packet detection module 1205 checks whether the Ethernet MAC DA, Ethernet MAC SA, Ethernet length or frame type, video network destination address DA, video network source address SA, video network packet type and packet length of the packet meet the requirements; if so, it allocates a corresponding stream identifier (stream-id), the MAC deleting module 1210 strips the MAC DA, MAC SA and length or frame type (2 bytes), and the packet enters the corresponding receive buffer; otherwise the packet is discarded.
The downlink network interface module 1201 checks the send buffer of the port; if a packet is present, the Ethernet MAC DA of the corresponding terminal is looked up from the destination address DA of the packet, and the Ethernet MAC DA of the terminal, the MAC SA of the Ethernet protocol gateway and the Ethernet length or frame type are prepended before the packet is sent.
The other modules of the Ethernet protocol gateway function in the same way as those of the access switch.
A terminal:
A terminal mainly comprises a network interface module, a service processing module and a CPU module. For example, a set-top box mainly comprises a network interface module, a video and audio coding and decoding engine module and a CPU module; a coding board mainly comprises a network interface module, a video and audio coding engine module and a CPU module; a memory mainly comprises a network interface module, a CPU module and a disk array module.
1.3 The devices of the metropolitan area network part can be classified into 2 main types: node server, node switch and metropolitan area server. The node switch mainly comprises a network interface module, a switching engine module and a CPU module; the metropolitan area server mainly comprises a network interface module, a switching engine module and a CPU module.
2. Video networking packet definition
2.1 Access network packet definition
The data packet of the access network mainly comprises the following parts: destination Address (DA), Source Address (SA), reserved bytes, payload (pdu), CRC.
As shown in the following table, the data packet of the access network mainly includes the following parts:
DA SA Reserved Payload CRC
wherein:
the destination address (DA) is composed of 8 bytes: the first byte represents the type of the data packet (the various protocol packets, multicast data packets, unicast data packets, etc.), giving at most 256 possibilities; the second to sixth bytes are the metropolitan area network address; and the seventh and eighth bytes are the access network address;
the source address (SA) is also composed of 8 bytes and is defined in the same way as the destination address (DA);
the reserved field consists of 2 bytes;
the length of the payload part depends on the packet type: it is 64 bytes for the various protocol packets and 32 + 1024 = 1056 bytes for unicast data packets, but it is of course not limited to these 2 types;
the CRC consists of 4 bytes and is calculated according to the standard Ethernet CRC algorithm.
2.2 metropolitan area network packet definition
The topology of a metropolitan area network is a graph, and there may be 2 or even more than 2 connections between two devices, i.e., there may be more than 2 connections between a node switch and a node server, between a node switch and a node switch, and between a node switch and a node server. The metropolitan area network address of a metropolitan area network device is nevertheless unique, so in order to describe the connection relationships between the devices accurately, the embodiment of the present invention introduces a parameter, the label, to uniquely describe a metropolitan area network device.
In this specification the definition of the label is similar to that of the MPLS (Multi-Protocol Label Switching) label. Assuming that there are two connections between device A and device B, there are 2 labels for packets from device A to device B and 2 labels for packets from device B to device A. Labels are divided into incoming labels and outgoing labels: assuming the label of a packet entering device A (the incoming label) is 0x0000, the label of the packet leaving device A (the outgoing label) may become 0x0001. The network access process of the metropolitan area network is a process under centralized control, that is, both address allocation and label allocation in the metropolitan area network are directed by the metropolitan area server, and the node switches and node servers only execute them passively. This differs from MPLS label allocation, which is the result of mutual negotiation between the switches and the server.
As shown in the following table, the data packet of the metro network mainly includes the following parts:
DA SA Reserved Label (R) Payload CRC
That is: destination address (DA), source address (SA), reserved bytes (Reserved), label, payload (PDU), CRC. The format of the label may be defined with reference to the following: the label is 32 bits long, of which the upper 16 bits are reserved and only the lower 16 bits are used, and it is located between the reserved bytes and the payload of the packet.
Based on these characteristics of the video network, one of the core ideas of the embodiments of the present invention is to encapsulate the data stream together with a security level identifier according to the video networking protocol: the security level identifier field is added immediately in front of the user data field in the video networking protocol stack, so that a network node or switching device decides directly from the security level identifier in the protocol stack whether the data stream is forwarded. Access control and message filtering are thus performed directly according to the different security levels, and the data stream no longer has to be received by the terminal device first and filtered there.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the embodiments of the invention.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or terminal that comprises the element.
The method for implementing access control and information filtering based on the protocol identifier and the device for implementing access control and information filtering based on the protocol identifier provided by the present invention are introduced in detail, and specific examples are applied in the text to explain the principle and the implementation of the present invention, and the description of the above embodiments is only used to help understanding the method and the core idea of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (12)

1. A method for realizing access control and information filtering based on protocol identification, applied to a video network, wherein the video network comprises video network terminals and servers, the servers comprise a server serving as a forwarding device, and the method comprises the following steps:
the video network terminal reports its security level to the server, so that the server serving as the forwarding device performs access control and information filtering for the video network terminal according to the security level; the security level indicates which conferences the video network terminal is permitted to access; the security level is determined by a security level identifier field, which is located immediately before the user data field containing a conference entry request or a network access request and is used to decide whether to read the conference entry request or network access request located in the same message body;
reporting a conference entry request to the server at the same time as, or after, reporting the security level to the server;
receiving a conference entry response sent by the server; the conference entry response is generated according to the security level of the video network terminal and indicates whether the video network terminal has joined the conference successfully.
2. The method of claim 1, wherein reporting the conference entry request to the server at the same time as reporting the security level to the server comprises:
sending a conference entry request message to the server, wherein the conference entry request message carries the security level of the video network terminal.
3. The method of claim 2, wherein carrying the security level of the video network terminal in the conference entry request message comprises:
carrying a security level identifier corresponding to the security level in the message body of the conference entry request message.
4. The method of claim 1, wherein the video network terminal reporting its security level to the server comprises:
sending a network access request message to the server before reporting the conference entry request to the server; the network access request message comprises the security level and the video network terminal information.
5. A method for realizing access control and information filtering based on protocol identification, applied to a video network, wherein the video network comprises video network terminals and servers, the servers comprise a server serving as a forwarding device, and the method comprises the following steps:
receiving a conference entry request reported by the video network terminal;
determining whether the security level of the video network terminal matches the conference security level of the conference it requests to join, so that the server serving as the forwarding device performs access control and information filtering for the video network terminal according to the security level; the security level of the video network terminal is received by the server from the video network terminal side, and the security level indicates which conferences the video network terminal is permitted to access; the security level is determined by a security level identifier field, which is located immediately before the user data field containing a conference entry request or a network access request and is used to decide whether to read the conference entry request or network access request located in the same message body;
generating a conference entry response according to the matching result and sending the conference entry response to the video network terminal; the conference entry response indicates whether the video network terminal has joined the conference successfully.
6. The method of claim 5, wherein determining whether the security level of the video network terminal matches the conference security level of the conference it requests to join comprises:
determining that the security level of the video network terminal matches the conference security level when the security level of the video network terminal is higher than or equal to the conference security level.
7. The method of claim 5, wherein receiving the conference entry request reported by the video network terminal comprises:
receiving a conference entry request message sent by the video network terminal, wherein the message body of the conference entry request message contains a security level identifier corresponding to the security level of the video network terminal;
acquiring the security level identifier from the conference entry request message;
and determining the security level of the video network terminal corresponding to the security level identifier.
8. The method of claim 5, further comprising, before receiving the conference entry request reported by the video network terminal:
receiving a network access request message sent by the video network terminal that carries the security level of the video network terminal and the video network terminal information;
and storing the correspondence between the security level of the video network terminal and the video network terminal information, so that the security level of the video network terminal can be obtained from the correspondence when the security level matching is subsequently performed.
9. An apparatus for realizing access control and information filtering based on protocol identification, applied to a video network, wherein the video network comprises a video network terminal and a server, the server comprises a server serving as a forwarding device, and the apparatus comprises:
a security level reporting module, configured to report the security level of the video network terminal to the server so that the server serving as the forwarding device performs access control and information filtering for the video network terminal according to the security level; the security level indicates which conferences the video network terminal is permitted to access; the security level is determined by a security level identifier field, which is located immediately before the user data field containing a conference entry request or a network access request and is used to decide whether to read the conference entry request or network access request located in the same message body;
a conference entry request reporting module, configured to report a conference entry request to the server at the same time as, or after, sending the security level to the server;
a conference entry response receiving module, configured to receive a conference entry response sent by the server; the conference entry response is generated according to the security level of the video network terminal and indicates whether the video network terminal has joined the conference successfully.
10. An apparatus for realizing access control and information filtering based on protocol identification, applied to a video network, wherein the video network comprises a video network terminal and a server, the server comprises a server serving as a forwarding device, and the apparatus comprises:
a conference entry request receiving module, configured to receive a conference entry request reported by the video network terminal;
a security level matching module, configured to determine whether the security level of the video network terminal matches the conference security level of the conference it requests to join, so that the server serving as the forwarding device performs access control and information filtering for the video network terminal according to the security level; the security level of the video network terminal is received by the server from the video network terminal side, and the security level indicates which conferences the video network terminal is permitted to access; the security level is determined by a security level identifier field, which is located immediately before the user data field containing a conference entry request or a network access request and is used to decide whether to read the conference entry request or network access request located in the same message body;
a conference entry response generating module, configured to generate a conference entry response according to the matching result and send the conference entry response to the video network terminal; the conference entry response indicates whether the video network terminal has joined the conference successfully.
11. An apparatus for implementing access control and information filtering based on protocol identification, comprising:
one or more processors; and
one or more machine-readable media having instructions stored thereon that, when executed by the one or more processors, cause the apparatus to perform a method for implementing access control and information filtering based on protocol identification as recited in any of claims 1 to 4 or claims 5 to 8.
12. A computer-readable storage medium storing a computer program for causing a processor to execute a method for performing access control and information filtering based on protocol identification according to any one of claims 1 to 4 or claims 5 to 8.
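The packet format of section 2 and the security level check of the core idea and claims 5 to 8, as an added Python example that is not the patent's implementation: it builds packets with the page's DA/SA/Reserved/[Label]/Payload/CRC layout, places an assumed 1-byte security level identifier immediately before the payload, lets a forwarding device decide from that fixed offset without parsing the user data, and has the server record the level at network access and apply the claim 6 rule (terminal level higher than or equal to the conference level). The identifier width, the packet type code, the ASCII request payloads, the per-hop use of the claim 6 rule and the CRC byte order are assumptions.

```python
import struct
import zlib

# Packet layout from sections 2.1/2.2 of this page; metro packets add a 4-byte label.
# The page only says the security level identifier sits "adjacent, in front of the
# user data field" and gives no width, so this example ASSUMES a 1-byte field
# immediately before the payload:
#   DA (8) | SA (8) | Reserved (2) | [Label (4)] | SecLevel (1, assumed) | Payload | CRC (4)
ADDR_LEN = 8
RESERVED_LEN = 2
LABEL_LEN = 4
SEC_LEN = 1                  # assumption, see above
CRC_LEN = 4
PROTOCOL_PAYLOAD_LEN = 64    # the page: protocol packets carry a 64-byte payload
PKT_TYPE_PROTOCOL = 0x01     # constructed type code; the page assigns no values

def make_address(pkt_type, metro_addr, access_addr):
    """DA/SA: byte 0 packet type, bytes 1-5 metro address, bytes 6-7 access-network address."""
    return bytes([pkt_type]) + metro_addr.to_bytes(5, "big") + access_addr.to_bytes(2, "big")

def sec_level_offset(has_label):
    return 2 * ADDR_LEN + RESERVED_LEN + (LABEL_LEN if has_label else 0)

def build_packet(pkt_type, dst, src, security_level, payload, label=None):
    """dst/src are (metro_addr, access_addr); the payload is padded to the 64-byte protocol size."""
    if not 0 <= security_level <= 255:
        raise ValueError("security level must fit the assumed 1-byte field")
    body = make_address(pkt_type, *dst) + make_address(pkt_type, *src) + b"\x00" * RESERVED_LEN
    if label is not None:
        body += struct.pack(">HH", 0, label & 0xFFFF)   # upper 16 bits reserved, lower 16 used
    body += bytes([security_level]) + payload.ljust(PROTOCOL_PAYLOAD_LEN, b"\x00")
    # CRC-32 (the Ethernet polynomial, as zlib.crc32 computes it; big-endian placement is assumed)
    return body + struct.pack(">I", zlib.crc32(body))

def crc_ok(raw):
    return len(raw) > CRC_LEN and zlib.crc32(raw[:-CRC_LEN]) == struct.unpack(">I", raw[-CRC_LEN:])[0]

def parse_packet(raw, has_label=False):
    """Decode a packet, or return None when it is too short or fails the CRC (it is dropped).
    The CRC detects corruption only; it is not a tamper check on the security level."""
    off = sec_level_offset(has_label)
    if len(raw) < off + SEC_LEN + CRC_LEN or not crc_ok(raw):
        return None
    return {
        "type": raw[0],
        "dst": (int.from_bytes(raw[1:6], "big"), int.from_bytes(raw[6:8], "big")),
        "src": (int.from_bytes(raw[9:14], "big"), int.from_bytes(raw[14:16], "big")),
        "label": struct.unpack(">HH", raw[18:22])[1] if has_label else None,
        "security_level": raw[off],
        "payload": raw[off + SEC_LEN:-CRC_LEN].rstrip(b"\x00"),
    }

def switch_should_forward(raw, port_terminal_level, has_label=False):
    """The forwarding-device check from the core idea: read the identifier at its fixed
    offset and decide without parsing the user data. port_terminal_level is the security
    level of the terminal reached through the egress port; a stream is forwarded only
    when its level does not exceed it (the claim 6 rule applied per hop, an assumption)."""
    off = sec_level_offset(has_label)
    if len(raw) < off + SEC_LEN + CRC_LEN or not crc_ok(raw):
        return False
    return raw[off] <= port_terminal_level

class ConferenceServer:
    """Server side of claims 5-8. Request payloads are constructed ASCII strings:
    b"ACCESS" for a network access request and b"JOIN:<conference id>" for conference entry."""

    def __init__(self, address, conferences):
        self.address = address                 # (metro_addr, access_addr) of the server
        self.conferences = dict(conferences)   # conference id -> conference security level
        self.terminal_levels = {}              # terminal address -> level reported at network access

    def on_network_access(self, raw):
        """Claim 8: record the level the terminal reports when it joins the network."""
        pkt = parse_packet(raw)
        if pkt is None or not pkt["payload"].startswith(b"ACCESS"):
            return False
        self.terminal_levels[pkt["src"]] = pkt["security_level"]
        return True

    def on_conference_request(self, raw):
        """Claims 5-7: match the terminal level against the conference level and answer.
        Returns (response packet, matched)."""
        pkt = parse_packet(raw)
        if pkt is None or not pkt["payload"].startswith(b"JOIN:"):
            return None, False
        conf_id = pkt["payload"][5:].decode()
        # The level recorded at network access wins over the one carried in this message,
        # so a request body cannot raise a terminal's clearance after it has joined.
        level = self.terminal_levels.get(pkt["src"], pkt["security_level"])
        conf_level = self.conferences.get(conf_id)
        matched = conf_level is not None and level >= conf_level      # claim 6
        verdict = b"JOIN_OK:" if matched else b"JOIN_DENIED:"
        # The response is tagged with the terminal's own level so the switches on the
        # way back forward it under the same per-hop check.
        response = build_packet(PKT_TYPE_PROTOCOL, pkt["src"], self.address,
                                level, verdict + conf_id.encode())
        return response, matched
```

To exercise it, send an ACCESS packet through on_network_access, then JOIN requests through on_conference_request, and pass the returned response packet (or a labelled metro stream) to switch_should_forward with the egress terminal's level to see the per-hop filter decide without touching the payload.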
CN202011594830.3A 2020-12-29 2020-12-29 Method and device for realizing access control and information filtering based on protocol identification Active CN112287246B (en)

Publications (2)

Publication Number Publication Date
CN112287246A CN112287246A (en) 2021-01-29
CN112287246B true CN112287246B (en) 2021-11-16

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant