CN113839922A - Video monitoring system information safety protection system and method - Google Patents


Info

Publication number
CN113839922A
Authority
CN
China
Prior art keywords
subsystem
information
data
encryption
network
Legal status
Granted
Application number
CN202110986966.7A
Other languages
Chinese (zh)
Other versions
CN113839922B (en)
Inventor
罗成
赵丽
马保银
阿丽米热·买买提吐逊
罗政邦
刘美宏
王自伟
张辉英
钟波
米拉迪力·图尔荪
Current Assignee
Kashgar Power Supply Co Of State Grid Xinjiang Electric Power Co ltd
Original Assignee
Kashgar Power Supply Co Of State Grid Xinjiang Electric Power Co ltd
Application filed by Kashgar Power Supply Co Of State Grid Xinjiang Electric Power Co ltd
Priority to CN202110986966.7A
Publication of CN113839922A
Application granted
Publication of CN113839922B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 ... for authentication of entities
    • H04L 63/083 ... for authentication of entities using passwords
    • H04L 63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/20 ... for managing network security; network security policies in general
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N 7/00 Television systems
    • H04N 7/18 Closed-circuit television [CCTV] systems, i.e. systems in which the video signal is not broadcast

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Multimedia (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an information security protection system for a video monitoring system, comprising a login subsystem, a data subsystem, a policy subsystem, an encryption subsystem, an application subsystem, a network subsystem and an acquisition subsystem, wherein the login subsystem is connected with the data subsystem through a network. The data subsystem receives the requirement information sent by the login subsystem, analyzes and processes the code and encryption requirement information together with the encryption subsystem, and sends the result to the policy subsystem to produce a new security policy; according to the new security policy, the data subsystem sends an execution task to the application subsystem, the network subsystem or the acquisition subsystem, and feeds the execution result back to the login subsystem to inform the user or the system administrator. The system and method have the advantages of a high protection level, prevention of secret leakage, safety and reliability.

Description

Video monitoring system information safety protection system and method
Technical Field
The invention relates to the technical field of information safety protection, in particular to a system and a method for protecting information safety of a video monitoring system.
Background
With the continuous development and application of video monitoring technology, a large number of sensitive data files are stored in video monitoring systems, and this video data is exposed to the safety hazards of leakage and attack. At present, however, protection against disclosure and attack is limited to the level of secure network transmission: secure channel transmission or encrypted transmission of video data is used to prevent disclosure through theft of network data, while the protection of the video monitoring terminal itself has serious shortcomings:
1. a camera may be installed falsely so that false information is acquired, or, during monitoring, an operator can easily obtain video data by picture grabbing, screen capture or screen recording, causing secret leakage;
2. the video monitoring terminal can call up any video and store the video files on the terminal computer by downloading, exporting and similar operations; such files are easily copied by operators or attacked by viruses and hackers, causing information leakage and reduced security;
3. the video monitoring system cannot predict its own security condition, has poor traceability for events such as the network connection state or illegal operations by an operator, cannot raise alarms and log records in time, and offers no means of preventing and handling potential safety hazards or tracing them afterwards.
Disclosure of Invention
The invention aims to provide an information security protection system and method for a video monitoring system, which aim to solve the problems in the prior art.
In order to achieve this purpose, the invention adopts the following technical scheme: the information security protection system of the video monitoring system comprises a login subsystem, a data subsystem, a policy subsystem, an encryption subsystem, an application subsystem, a network subsystem and an acquisition subsystem; wherein:
the login subsystem is used for recording and pre-storing a code given to a user, transmitting the user's code and requirement information to the encryption subsystem for encryption, and then transmitting the encrypted code and requirement information to the data subsystem for storage; the login subsystem is also in communication connection with the data subsystem, receives and decrypts the feedback result obtained for the requirement request, and sends a "request completed" instruction to the data subsystem when the feedback result matches the stored code and encrypted requirement information;
the data subsystem is used for receiving the requirement information sent by the login subsystem, analyzing and processing the coding and encryption requirement information according to the coding and the encryption subsystem, and sending a result to the strategy subsystem to generate a new security strategy.
Preferably, in the present technical solution, the data subsystem at least includes a database subsystem and a control subsystem.
Preferably, in the present technical solution, the database subsystem at least includes a database module and an identity management module; wherein:
the database module adopts Oracle 10g as a database;
the identity management module is used for managing the user information related to the system, providing the system administrator with the use authority and the account information for each user, and meanwhile, the system administrator needs to be capable of inquiring the historical browsing records and the use logs of each user.
Preferably, in the technical solution, the policy subsystem is configured to record the security logs of the login subsystem, the data subsystem, the encryption subsystem, the application subsystem, the network subsystem and the acquisition subsystem, monitor system information security according to these logs, and make a security protection policy for instructing each subsystem of the system.
Preferably, in the technical solution, the encryption subsystem is configured to encrypt data of each level in the system, generate a key file of the encrypted data, transmit the key file to the data subsystem and the policy subsystem, store the key file in the encryption subsystem, and decrypt the key file.
Preferably, in the technical solution, the application subsystem is configured to perform identity authentication, user right and access control on a login subsystem, and connect the policy subsystem to perform resource control of the video monitoring system based on the data subsystem.
Preferably, in the present technical solution, the application subsystem includes an information access control module and a file access control module;
the information access control module is used for processing the executive task signaling control message sent by the data subsystem, determining the type of the access message and sending the access message;
the file access control module receives the processing result of the information access control module and identifies whether it is file access information; when it is, a decryption password is obtained from the encryption subsystem and matched with the secret key; if they are consistent, the file is decrypted and a decryption signal is sent to the data subsystem, and after the identity management module checks the ID, the database subsystem of the data subsystem extracts the corresponding file and feeds it back to the logger; otherwise, a warning signal is sent to the login subsystem and the data subsystem as a warning prompt.
Preferably, in the present technical solution, the application subsystem includes an information access control module and an equipment access control module; when the information type determined by the information access control module is equipment access, the information access control module sends the equipment access information to the equipment access control module, which autonomously identifies and confirms it; when the information is determined to be equipment access information, a decryption password is obtained from the encryption subsystem and matched with the ID and the secret key; if the match is consistent, the file is decrypted and sent to the data subsystem, and after the identity management module checks the ID, the database subsystem of the data subsystem extracts the corresponding equipment information and feeds it back to the login user; otherwise, a warning signal is sent to the login subsystem and the data subsystem as a warning prompt.
Preferably, in the technical scheme, the network subsystem is used for realizing the communication connection between the inside of each subsystem and the external network, and for monitoring in real time the persons logging in to the video monitoring protection system;
the network subsystem at least comprises a network monitoring module, a network communication module, a network protocol module and a network rate limiting module.
Another objective of the present invention is to provide a protection method for an information security protection system of a video monitoring system, which is characterized in that the method comprises the following steps:
S010, in a secure network environment, determine the ID of the user account passing through the login subsystem, encrypt the key, and register the ID and the key in the data subsystem and the encryption subsystem respectively;
S020, mutually authenticate the data subsystem and the encryption subsystem based on a protocol;
S030, the encryption subsystem confirms that the user ID and the request information pass, and sends the user's ID and request information to the policy subsystem and to the application subsystem, the data acquisition subsystem, the network subsystem and so on;
S040, the policy subsystem makes a security protection policy and sends it to the data subsystem for analysis, which generates a task execution scheme in the control module based on the security protection policy, the user ID and the request information;
S050, the application subsystem, the data acquisition subsystem and the network subsystem receive the task execution scheme, execute and process the tasks, and generate log records.
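The following Python example is added here as an illustration of steps S010 to S050 and is not code from the patent or from its assignee. It assumes that the key registered in S010 is a shared secret held by both the data subsystem and the encryption subsystem, and that the S020 "protocol" is an HMAC-SHA256 challenge-response, since the patent names no concrete protocol; the policy table, subsystem names and request names are constructed.

```python
"""Worked example of the protection method S010-S050 (added illustration, not
the patent's own code). Assumptions: the per-user key registered in S010 is a
shared secret held by the data subsystem and the encryption subsystem, and the
S020 protocol is an HMAC-SHA256 challenge-response."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed policy table (assumption): request type -> subsystems tasked by the policy subsystem
POLICY = {
    "file_read": ("application",),
    "device_query": ("acquisition", "network"),
}


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-delimited parts, so fields cannot be shifted into one another."""
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class Subsystem:
    name: str
    keys: dict = field(default_factory=dict)   # user_id -> registered key
    log: list = field(default_factory=list)

    def register(self, user_id: str, key: bytes) -> None:
        self.keys[user_id] = key
        self.log.append(f"{self.name}: registered ID {user_id}")


def mutual_authenticate(a: Subsystem, b: Subsystem, user_id: str) -> bool:
    """S020: each subsystem proves to the other that it holds the key registered for user_id."""
    ka, kb = a.keys.get(user_id), b.keys.get(user_id)
    if ka is None or kb is None:
        return False
    nonce_a, nonce_b = secrets.token_bytes(16), secrets.token_bytes(16)
    # a -> b: nonce_a ; b -> a: nonce_b plus b's proof over both nonces
    proof_b = _mac(kb, nonce_a, nonce_b, b"b")
    if not hmac.compare_digest(proof_b, _mac(ka, nonce_a, nonce_b, b"b")):
        return False
    # a -> b: a's proof, bound to the opposite nonce order and a distinct label (no reflection)
    proof_a = _mac(ka, nonce_b, nonce_a, b"a")
    return hmac.compare_digest(proof_a, _mac(kb, nonce_b, nonce_a, b"a"))


def protection_method(user_id: str, registered_key: bytes, presented_key: bytes, request: str) -> dict:
    """Run S010-S050 and report the stage reached, the task scheme and the combined log."""
    data_sub, enc_sub, policy_sub = Subsystem("data"), Subsystem("encryption"), Subsystem("policy")

    def logs() -> list:
        return data_sub.log + enc_sub.log + policy_sub.log

    # S010: in the secure environment, register the user's ID and key in both subsystems
    data_sub.register(user_id, registered_key)
    enc_sub.register(user_id, registered_key)

    # S020: mutual authentication between the data subsystem and the encryption subsystem
    if not mutual_authenticate(data_sub, enc_sub, user_id):
        return {"ok": False, "stage": "S020", "tasks": [], "log": logs()}

    # S030: the encryption subsystem confirms the user's ID and request information;
    # the login subsystem is modelled as tagging the request with the key it presents
    tag = _mac(presented_key, user_id.encode(), request.encode())
    expected = _mac(enc_sub.keys[user_id], user_id.encode(), request.encode())
    if not hmac.compare_digest(tag, expected):
        enc_sub.log.append(f"encryption: rejected request '{request}' for ID {user_id}")
        return {"ok": False, "stage": "S030", "tasks": [], "log": logs()}

    # S040: the policy subsystem issues a protection policy; the control module turns it into a task scheme
    targets = POLICY.get(request)
    if targets is None:
        policy_sub.log.append(f"policy: no policy permits '{request}' for ID {user_id}")
        return {"ok": False, "stage": "S040", "tasks": [], "log": logs()}
    scheme = [(target, request, user_id) for target in targets]

    # S050: the tasked subsystems execute the scheme and produce log records
    for target, req, uid in scheme:
        data_sub.log.append(f"{target}: executed '{req}' for ID {uid}")
    return {"ok": True, "stage": "S050", "tasks": scheme, "log": logs()}
```

A request presented with a key other than the registered one stops at S030 and leaves a rejection in the encryption subsystem's log, and a request that no policy covers stops at S040; only a request that passes every stage produces executed-task log records.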
Compared with the prior art, the invention has the following beneficial effects:
The protection method of the information security protection system of the video monitoring system prevents false installation of cameras and the acquisition of false information by registering the unique ID of each device and exchanging the secret key. Video records are stored in the data subsystem; acquiring access to data requires matching of the ID, secret key and similar information, identification is carried out at login, and a security policy is generated for protection, so that even an operator cannot easily view or copy data; protocol confirmation is carried out against viruses, hackers and the like in the network subsystem, which protects effectively. For access to video recordings, only an operations manager is granted authority, and only once, during monitoring; if an operator tries to acquire video data by picture grabbing, screen capture or screen recording, an alarm is raised in real time when the secret is divulged, so that hidden dangers can be prevented and handled in time and accountability traced afterwards.
Drawings
FIG. 1 is a schematic diagram of the system of the present invention;
FIG. 2 is a schematic diagram of the application subsystem of the present invention;
FIG. 3 is a schematic diagram of the network subsystem of the present invention;
FIG. 4 is a schematic diagram of the data subsystem of the present invention;
FIG. 5 is a timing diagram of the safety protection of the present invention;
FIG. 6 is a flow chart of a security protection method of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, an information security protection system for a video monitoring system includes a login subsystem 10, a data subsystem 20, a policy subsystem 30, an encryption subsystem 40, an application subsystem 50, a network subsystem 60, and an acquisition subsystem 70; wherein:
The login subsystem 10 is used for recording and pre-storing a code (ID) assigned to a user, transmitting the user's ID and requirement information to the encryption subsystem 40 for encryption, and then transmitting the encrypted ID and requirement information to the data subsystem 20 for storage; meanwhile, it is in communication connection with the data subsystem 20, receives and decrypts the feedback result obtained for the requirement request, and sends a "request completed" instruction to the data subsystem 20 when the feedback result matches the stored ID and encrypted requirement information. The purpose is to restrict unauthorized access by means of an account number and password, so that a user who is not a legitimate member of the organization cannot enter the system to perform illegal operations, damage the security of the system's data, or obtain the organization's important information. When a user logs in to the subsystem, several COM interfaces are initialized first, the objects to be collected are matched, and the functions are checked to be working normally, including video recording, preview, window display, Filter, collection device and confirmation of a Filter jump. Then pictures are collected and stored, for example pictures of faces, to hold the information data of the person logging in; these data are stored in a database and serve as the data source for verifying the security of the account of the person logging in to the system. During login, the system compares the face image information with the information previously stored in the system database, sends a control signal to the data subsystem 20 according to the comparison result, and jumps to the system interface if the two are consistent. If they are inconsistent, the system prohibits the person from logging in and raises an alarm as a safety warning. Further, the login subsystem may be implemented with a single-chip microcontroller, for example an 8051 or another 8051-compatible microcontroller.
And the data subsystem 20 is used for receiving the requirement information sent by the login subsystem 10, analyzing and processing the ID and encryption requirement information according to the ID and encryption subsystem 40, sending a result to the policy subsystem 30 to generate a new security policy, sending an execution task to the application subsystem 50, the network subsystem 60 or the acquisition subsystem 70 according to the new security policy by the data subsystem 20, and feeding back the execution result to the login subsystem 10 to inform a user or a system administrator.
Further, as shown in fig. 4, in the present invention, the data subsystem 20 includes at least a database subsystem 21 and a control subsystem 22.
Further, database subsystem 21 includes at least database module 211 and identity management module 212.
Further, in the present invention, in order to satisfy the requirements of the login subsystem 10 and the application subsystem 50 at the same time, the database module 211 needs to include functions of data storage, data management, data reading, data updating and the like. In this embodiment the system preferably uses Oracle 10g as the database, though other databases may also be used. For the application subsystem 50, Oracle 10g as the database ensures the stability inside the application subsystem 50, ensures that data inside the system is not leaked, lost or damaged, and ensures efficient and stable program operation. The database module 211 is configured with at least a user information table, a network device table and a security log table. The user information table contains the detailed registration information of system users, such as user names, passwords and the user groups they belong to. The network device table stores information about the network devices, such as device models and MAC addresses. The security log table stores the network security log information generated in the system, including generation time, node name, alarm level and the like.
Further, in the present invention, the identity management module 212 is configured to manage user information related to the system, provide a system administrator with usage rights and account information for each user, and meanwhile, the system administrator needs to be able to query historical browsing records, usage logs, and the like of each user.
The control subsystem 22 is used for processing and analyzing the data information, generating control instructions from it and sending them to each module for execution. In the present invention, the control subsystem 22 at least includes a data processing module 221, an instruction control module 222, an alarm control module 223 and an output control module 224; the function of each module of the control subsystem 22 is implemented using the prior art, and further preferably the control subsystem 22 can be implemented with a microcontroller or a CPU capable of video data processing and analysis, alarming and so on. For example, a quad-core Intel Xeon E3 CPU may be considered: a Haswell architecture design, 22 nanometer process and native quad-core design supporting Hyper-Threading, with a native 3.30 GHz base frequency and an LGA1150 socket. The E3-1230 V3 processor uses 8 MB of LLC cache and supports Turbo Boost; with Turbo Boost enabled, the processor's maximum frequency can reach 3.7 GHz according to program requirements. All functions of the data processing module 221, the instruction control module 222, the alarm control module 223 and the output control module 224 can be realized quickly; specific implementation details can be found in the 'Intel Xeon E-series CPU parameters' and are not described here. Besides the selected technical solution, other prior-art solutions that satisfy the required functions of the control subsystem may also be used; specific examples are not given.
Further, in the present invention, the control subsystem 22 processes and analyzes the data information, and generates and sends control commands to each module for execution. This process can be completed by the following logical algorithm. Specifically, when the algorithm structure of the control system is designed around the data processing module 221, the instruction control module 222, the alarm control module 223 and the output control module 224, a safety value judgment function is set for each of the policy subsystem 30, the encryption subsystem 40, the application subsystem 50, the network subsystem 60 and the acquisition subsystem. The output signal OUT of the output module is designed as follows:
OUT = [O_U, O_F, O_C] (1)
where O_U represents the output to the application subsystem, O_F the output to the network subsystem, and O_C the output to the acquisition subsystem.
The function definition and the completion result feedback output by the instruction control module are set as follows:
[Equation (2) appears only as an image in the original and is not reproduced here.]
wherein:
[The term definitions of equation (2) appear only as an image in the original.]
If the target instruction lies in a video information pixel unit of the system, positive feedback with value 1 is given; if the number of pixel units exceeds 3, negative feedback with value -1 is given; both cases are considered task done (output successful) and return a True completion signal. Otherwise, negative feedback of -0.01 is given and a False (task not complete) signal is returned.
In addition, since the control subsystem is a data network structure connected to the whole system, in this embodiment the data processing module calculates and outputs the operation options according to equation (3):
D(x) = W^T x + s (3)
where x represents the input of each subsystem, W the weight of each subsystem's input, and s the bias of each subsystem.
In security policy tuning, the security policy is adjusted and optimized by formula (4):
[Equation (4) appears only as an image in the original and is not reproduced here.]
where θ represents the current time, E the expected value of the error between the actual encryption state and the action target over multiple groups of data, R the parameter of the expected target, A the security policy parameter determined by the network behaviour before θ, Q(O_U, O_F, O_C; θ) the action value function, and Q(O_U', O_F', O_C'; θ) the profit value of the encryption state and action under the current policy information. L(θ) represents the error under parameter A at time θ, and the gradient of the profit value function with respect to the current policy is used to request the policy subsystem to update the security policy.
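The following Python example is added to make equations (1) and (3) and the completion-feedback rule described for equation (2) concrete; it is not code from the patent, and the input vector x, the weight matrix W and the bias s are constructed values, since the patent gives none. Equation (4) survives only as an image and is therefore not implemented.

```python
"""Added example (not from the patent): the control subsystem's output vector
OUT = [O_U, O_F, O_C] of equation (1), the score D(x) = W^T x + s of equation
(3), and the completion-feedback rule given for equation (2). X, W and S are
constructed illustration values."""

SUBSYSTEMS = ("O_U", "O_F", "O_C")  # application, network, acquisition outputs


def score(x, W, s):
    """Equation (3): D(x) = W^T x + s.

    x is the vector of subsystem inputs (length n), W an n x 3 matrix whose
    columns weight those inputs for each output subsystem, and s the 3 biases.
    """
    n, m = len(x), len(s)
    if len(W) != n or any(len(row) != m for row in W):
        raise ValueError("W must have len(x) rows and len(s) columns")
    return [sum(W[i][j] * x[i] for i in range(n)) + s[j] for j in range(m)]


def output_vector(x, W, s):
    """Equation (1): OUT = [O_U, O_F, O_C], keyed by destination subsystem."""
    return dict(zip(SUBSYSTEMS, score(x, W, s)))


def completion_feedback(in_pixel_unit: bool, pixel_units: int):
    """Feedback rule described for equation (2): (feedback value, task-done flag)."""
    if in_pixel_unit:        # target instruction lies in a video information pixel unit
        return 1.0, True
    if pixel_units > 3:      # more than 3 pixel units: negative feedback, still task done
        return -1.0, True
    return -0.01, False      # otherwise: small penalty, task not complete


# Constructed inputs (assumption): x = [login check result, network health score]
X = [1.0, 2.0]
W = [[0.5, 0.25, 1.0],
     [0.25, -0.5, 0.0]]
S = [0.5, 0.0, -1.0]

if __name__ == "__main__":
    print(output_vector(X, W, S))          # {'O_U': 1.5, 'O_F': -0.75, 'O_C': 0.0}
    print(completion_feedback(False, 5))   # (-1.0, True)
```

The dimension check in `score` matters in practice: W^T x is only defined when W has one row per input, and a silently truncated product would hand the output module a wrong signal for one of the three subsystems.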
The policy subsystem 30 is used for recording the security logs of the login subsystem 10, the data subsystem 20, the encryption subsystem 40, the application subsystem 50, the network subsystem 60 and the acquisition subsystem 70, monitoring the information security of the system according to these logs, and making a security protection policy to guide each subsystem of the system. The policy subsystem 30 is set up according to the security policy setting scheme disclosed in the Chinese invention patent "a security protection system and method for information system" with application number 202110377650.09. The important point in implementing the system of the present invention is that the security policy is set according to the environment of the system application, and the setting must meet the technical requirements for the security protection of video information and signaling information in networked video monitoring specified by the national standard GB35114-2018, including the requirements for the interconnection structure, certificates and keys, basic functions and performance of the video monitoring security system. For example: security level setting, in order to meet the different security demands of various customers, the security level has three grades: secret, secret. Encryption algorithm setting: different encryption algorithms such as DES, 3DES, AES and RC4 can be selected through the application program. Key setting: different keys, of any length, can be set through the application program.
Related program setting: to allow decryption by a specific application, a dedicated reading program is set; an authorized application can read the file normally, with the driver encrypting and decrypting transparently, whereas an unauthorized application can read only the ciphertext and cannot read or use the file normally. Policy content setting: the details of the policy, such as specific file types (by wildcard). The policy content may specify any logical sector, for example: all files under the terminal storage device are stored in encrypted form.
And the encryption subsystem 40 is used for encrypting data of all levels in the system, generating a key file of the encrypted data, transmitting the key file to the data subsystem 20 and the strategy subsystem 30, storing the key file in the encryption subsystem 40 and decrypting the key file.
Furthermore, in the system of the invention, when the monitoring equipment is deployed in the video monitoring center, the video data file in the video monitoring center and the picture file obtained by the image capture of the video monitoring software are encrypted in time by a dynamic encryption and decryption technology, the encrypted file can be automatically decrypted and used when being normally used in the video monitoring system, and once the encrypted file is separated from the video monitoring center, the encrypted file cannot be used. Meanwhile, the IO port in the monitoring center is monitored in real time, and once the operation of transmitting the important files through the IO port is found, the important files are encrypted. For example, when an important file is copied through a USB storage device or a recordable optical disc, the important file stored in the USB storage device and the recordable optical disc is automatically encrypted.
Further, in the system of the present invention, when a user legitimately reads encrypted data, the encryption subsystem 40 performs the decryption operation on the basis of the legitimate request that the data subsystem 20 relays from the application subsystem 50, the network subsystem 60 and the acquisition subsystem 70, and these subsystems can use the data normally; when the person logged in writes a file, the encryption subsystem 40 performs the encryption operation, so the files stored by the application subsystem 50, the network subsystem 60 and the acquisition subsystem 70 are encrypted files; when a login user reads encrypted data illegally, the encryption subsystem 40 does not decrypt, and the application subsystem 50, the network subsystem 60 and the acquisition subsystem 70 cannot use the data normally; likewise, when such a user performs a write operation on a file, the encryption subsystem 40 performs no encryption or decryption operation.
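The Python example below is added to show the policy settings described above (file-type wildcards, an authorized-application list and a key) driving a transparent encryption layer with the read, write and IO-port behaviour the text assigns to the encryption subsystem 40. It is not the patent's code. The cipher is a stand-in keystream built from HMAC-SHA256 in counter mode so that the example runs with the standard library alone; the text lists DES, 3DES, AES and RC4 as selectable algorithms, and of those only AES (in an authenticated mode) would be a sound choice today. All paths, application names and file contents are constructed.

```python
"""Added example (not the patent's code): policy-driven transparent encryption
for the monitoring center. Stand-in cipher: HMAC-SHA256 keystream in counter
mode; a deployment would use a standard cipher such as AES-GCM instead."""
import fnmatch
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a PRF keystream: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)   # fresh nonce per file; never reuse under one key
    return nonce + _keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class EncryptionPolicy:
    """Policy content: which files are covered and which applications may see plaintext."""

    def __init__(self, patterns, authorized_apps, key: bytes):
        self.patterns = tuple(patterns)              # e.g. "*.mp4" (wildcard file types)
        self.authorized_apps = frozenset(authorized_apps)
        self.key = key

    def covers(self, path: str) -> bool:
        return any(fnmatch.fnmatch(path, p) for p in self.patterns)


class MonitoringCenterStore:
    """Files at rest in the monitoring center; the driver encrypts and decrypts transparently."""

    def __init__(self, policy: EncryptionPolicy):
        self.policy = policy
        self.files = {}          # path -> bytes exactly as stored on disk
        self.io_port_log = []    # constructed: (device, path, bytes) seen by the IO-port monitor

    def write(self, app: str, path: str, data: bytes) -> bool:
        """An authorized application's write is stored encrypted; an unauthorized
        application's write to a covered file is refused (no encryption/decryption)."""
        if not self.policy.covers(path):
            self.files[path] = data
            return True
        if app not in self.policy.authorized_apps:
            return False
        self.files[path] = encrypt(self.policy.key, data)
        return True

    def read(self, app: str, path: str) -> bytes:
        """Authorized applications get plaintext; others receive only the stored ciphertext."""
        stored = self.files[path]
        if self.policy.covers(path) and app in self.policy.authorized_apps:
            return decrypt(self.policy.key, stored)
        return stored

    def copy_to_io_port(self, path: str, device: str) -> bytes:
        """IO-port monitor: a file leaving through USB or optical media is encrypted,
        so a file that was stored in plaintext is encrypted on the way out."""
        stored = self.files[path]
        if not self.policy.covers(path):
            stored = encrypt(self.policy.key, stored)
        self.io_port_log.append((device, path, len(stored)))
        return stored
```

The design point worth noting is that the key never leaves the store: an unauthorized application and the USB copy both receive bytes that are useless without a decryption request that the encryption subsystem is willing to honour.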
The application subsystem 50 is used for performing identity authentication, user authority and access control on the login subsystem 10, and at the same time for resource control of the video monitoring system by connecting to the policy subsystem 30 on the basis of the data subsystem 20. More specifically, in the present invention, the application subsystem 50, as shown in fig. 2, includes at least an information access control module 51, a file access control module 52, a device access control module 53, a logging module 54 and a video backup module 55. The information access control module 51 is configured to process the task execution signaling control message sent by the data subsystem 20, determine the type of the access message, and send the access message. The file access control module 52 receives the processing result of the information access control module 51 and identifies whether it is file access information; when it is, a decryption password is obtained from the encryption subsystem and matched with the ID and the secret key; if they are consistent, the file is decrypted and a decryption signal is sent to the data subsystem 20, and after the ID is checked by the identity management module 222, the database module 211 of the database subsystem 21 of the data subsystem 20 extracts the corresponding file and feeds it back to the login user; otherwise, a warning signal is sent to the login subsystem 10 and the data subsystem 20 as a warning prompt.
When the message type is device access, the information access control module 51 sends the device access message to the device access control module 53, which autonomously identifies and confirms it; when it is determined to be device access information, a decryption password is obtained from the encryption subsystem and matched with the ID and the secret key; if the match is consistent, the file is decrypted and sent to the data subsystem 20, and after the ID is checked by the identity management module 222, the database module 211 of the database subsystem 21 of the data subsystem 20 extracts the corresponding device information and feeds it back to the login user; otherwise, a warning signal is sent to the login subsystem 10 and the data subsystem 20 as a warning prompt. The logging module 54 is configured to record error or warning information arising during the operation of each subsystem, and to record the data transfer conditions during system operation, including the receiving IP, receiving port, sending IP, sending port, transmission protocol, key negotiation and the like, which is convenient for tracing.
In addition, when the message type is log access, the information access control module 51 sends the log access message to the logging module 54, which autonomously identifies and confirms it; when it is determined to be a log access message, a decryption password is obtained from the encryption subsystem and matched with the ID and the secret key; if the match is consistent, the file is decrypted and sent to the data subsystem 20, and after the identity management module 222 checks the ID, the database subsystem 21 of the data subsystem 20 extracts the information for the corresponding day and feeds it back to the login user; otherwise, a warning signal is sent to the login subsystem 10 and the data subsystem 20 as a warning prompt. The video backup module 55 is used for backing up video data; access to it is permitted only to the system administrator, who is allowed decryption, so that the acquisition of false information is prevented, and the leakage that an operator could otherwise cause during monitoring by picture grabbing, screen capture or screen recording is prevented; and if the operator is permitted access only once, problem tracing and accountability are made easier.
And the network subsystem 60 is used for realizing communication connection between the inside of each system and an external network and monitoring the loggers in real time when accessing the video monitoring system protection system. In the present invention, as shown in fig. 3, the network subsystem 60 at least includes a network monitoring module 61, a network communication module 62, a network protocol module 63, and a network current limiting module 64. The network monitoring module 61 requires the system to acquire the data packet in the network in time through the network monitoring function, and analyzes the port type and the protocol content included therein according to the type of the data packet, and by this monitoring mode, it is ensured that the security threat data in the network can be found at the first time. The network communication module 62 includes a plurality of communication modes such as a wireless network and a serial port, so as to realize communication between the inside of each system and the external network. The network protocol module 63 analyzes the protocol to extract information in protocols such as UDP and TCP, and tracks system data transmitted in the protocol in time, so as to prevent the data from being threatened by security, and to prevent the camera from being forged and installed once. And a network current limiting module 64 for performing current limiting communication when the notified registrant accesses files, accesses devices, views logs, downloads videos, and the like.
The acquisition subsystem 70 is used for acquiring and temporarily storing video resources and at least comprises a video acquisition device and an AI camera.
The protection method of the information safety protection system of the video monitoring system of the invention, as shown in fig. 5 and fig. 6, comprises the following steps:
S010, in a secure network environment, determining the ID of a user account passing through a login subsystem, encrypting a key, and respectively registering the ID and the key in a data subsystem and an encryption subsystem;
S020, mutually authenticating the data subsystem and the encryption subsystem based on a protocol (ID, secret key and other preset parameters);
S030, the encryption subsystem confirms that the user ID and the request information pass, and sends the user's ID and request information to the policy subsystem and to the application subsystem, the data acquisition subsystem, the network subsystem and the like;
S040, the policy subsystem makes a security protection policy and sends it to the data subsystem for analysis, which generates a task execution scheme in the control module based on the security protection policy according to the user ID and the request information;
and S050, the application subsystem, the data acquisition subsystem and the network subsystem receive the task execution scheme, execute and process the tasks and generate log records.
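As an added example that is not part of the patent, the following Python models the access decision made by the application subsystem (file, device, log and video backup access, the ID/key match against the encryption subsystem, and the warning path) together with the audit fields the logging module records. The credential check is my own assumption (an HMAC tag registered at step S010 and compared in constant time); the patent does not specify the cipher, so decryption is represented as an outcome rather than performed.

```python
"""Added example, not the patent's code: a model of the application subsystem's
access decision and audit log. Assumptions (mine): the ID/key match is a
constant-time HMAC-tag comparison registered at step S010; the file cipher is
out of scope, so "decrypt" is the reported outcome rather than a real decryption."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Set

MESSAGE_TYPES = {"file", "device", "log", "video"}


def key_tag(user_id: str, key: bytes) -> bytes:
    # Tag stored for (ID, key) so the raw key is never kept in the registry.
    return hmac.new(key, user_id.encode(), hashlib.sha256).digest()


@dataclass
class AccessRequest:
    user_id: str
    key: bytes
    msg_type: str      # classified by information access control module 51
    src: str           # "ip:port" of the sender, for the audit record
    dst: str           # "ip:port" of the receiver
    protocol: str      # e.g. "TCP", "UDP"
    is_admin: bool = False


class EncryptionSubsystem:
    """Holds the (ID, key) registrations made at step S010."""

    def __init__(self) -> None:
        self._tags: Dict[str, bytes] = {}

    def register(self, user_id: str, key: bytes) -> None:
        self._tags[user_id] = key_tag(user_id, key)

    def verify(self, user_id: str, key: bytes) -> bool:
        tag = self._tags.get(user_id)
        # compare_digest: a wrong key takes as long to reject as a right one.
        return tag is not None and hmac.compare_digest(tag, key_tag(user_id, key))


class ApplicationSubsystem:
    """Information access control, the per-type modules and the logging module."""

    def __init__(self, enc: EncryptionSubsystem) -> None:
        self.enc = enc
        self.audit: List[dict] = []        # logging module 54
        self.video_used: Set[str] = set()  # video backup module 55: one permit each

    def handle(self, req: AccessRequest) -> str:
        if req.msg_type not in MESSAGE_TYPES:
            return self._warn(req, "unknown message type")
        if req.msg_type == "video":
            # Video backup: administrator only, and only once per login user.
            if not req.is_admin:
                return self._warn(req, "video backup is administrator-only")
            if req.user_id in self.video_used:
                return self._warn(req, "video backup permit already consumed")
        # File, device and log modules all match the ID and key the same way.
        if not self.enc.verify(req.user_id, req.key):
            return self._warn(req, "ID/key mismatch")
        if req.msg_type == "video":
            self.video_used.add(req.user_id)
        self._record(req, "decrypt", "")
        return "decrypt"

    def _warn(self, req: AccessRequest, reason: str) -> str:
        # Warning signal to the login and data subsystems, modelled as a log entry.
        self._record(req, "warning", reason)
        return "warning"

    def _record(self, req: AccessRequest, outcome: str, reason: str) -> None:
        # The fields the patent names for tracing: IPs, ports, protocol.
        self.audit.append({"user": req.user_id, "type": req.msg_type, "src": req.src,
                           "dst": req.dst, "proto": req.protocol,
                           "outcome": outcome, "reason": reason})
```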
In summary, the protection method of the video monitoring system information security protection system of the invention prevents cameras from being installed falsely and false information from being acquired by registering the unique ID of each device and communicating its key. Video records are stored in the data subsystem; accessing the data requires matching information such as the ID and key, and identification is carried out at login so that a security policy is generated for protection, meaning that even an operator cannot casually view or copy data; the network subsystem performs protocol confirmation against viruses, hackers and the like, providing effective protection. For access to video recordings, only an operations manager is granted one-time authority during the monitoring process, and if an operator obtains video data through picture grabbing, screen capturing or screen recording, an alarm is raised in real time when the leak occurs, so hidden dangers can be addressed promptly and accountability traced afterwards.
The component structures, connection relationships, operation principles, and the like, which are not described in the present embodiment, are realized by using the prior art, and a description thereof will not be repeated.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (10)

1. A video monitoring system information security protection system, characterized in that it comprises a login subsystem, a data subsystem, a policy subsystem, an encryption subsystem, an application subsystem, a network subsystem and an acquisition subsystem; wherein
the login subsystem is used for recording and pre-storing a code assigned to a user, transmitting the user's code and user requirement information to the encryption subsystem for encryption, and then transmitting the encrypted code and requirement information to the data subsystem for storage; the login subsystem is in communication connection with the data subsystem, receives and decrypts the feedback result obtained for the requirement request, and sends a requirement-completed instruction to the data subsystem when the feedback result matches the stored encrypted code and requirement information;
the data subsystem is used for receiving the requirement information sent by the login subsystem, analysing and processing the encrypted code and requirement information according to the code and the encryption subsystem, and sending the result to the policy subsystem to generate a new security policy.
2. The video surveillance system information security system of claim 1, wherein the data subsystem includes at least a database subsystem and a control subsystem.
3. The video surveillance system information security protection system of claim 2, wherein the database subsystem comprises at least a database module and an identity management module; wherein
the database module adopts Oracle 10g as a database;
the identity management module is used for managing the user information related to the system and providing the system administrator with each user's usage authority and account information; the system administrator must also be able to query each user's historical browsing records and usage logs.
4. The system of claim 1, wherein the policy subsystem is configured to record security logs of the login subsystem, the data subsystem, the encryption subsystem, the application subsystem, the network subsystem and the collection subsystem, monitor system information security according to the security logs, and make a security policy for instructing each subsystem of the system.
5. The video surveillance system information security system of claim 1, wherein the encryption subsystem is configured to encrypt data of each level in the system, generate a key file of the encrypted data, transmit the key file to the data subsystem and the policy subsystem, store the key file in the encryption subsystem, and decrypt the key file.
6. The system of claim 1, wherein the application subsystem is configured to perform identity authentication, user authorization, and access control on the login subsystem, and perform resource control on the video monitoring system based on the data subsystem connecting to the policy subsystem.
7. The video surveillance system information security system of claim 6, wherein the application subsystem includes an information access control module and a file access control module;
the information access control module is used for processing the task execution signalling control message sent by the data subsystem, determining the type of the access message and sending the access message;
the file access control module receives the processing result of the information access control module and identifies whether it is file access information; when file access information is determined, it obtains a decryption password from the encryption subsystem to be matched against the key, and if they match, the file is decrypted, a decryption signal is sent to the data subsystem, and after the identity management module has checked the ID the database subsystem of the data subsystem extracts the corresponding file and feeds it back to the login user; otherwise a warning signal is sent to the login subsystem and the data subsystem for a warning prompt.
8. The video surveillance system information security system of claim 6, wherein the application subsystem includes an information access control module and a device access control module; when the message type determined by the information access control module is device access, the information access control module sends the device access message to the device access control module, which identifies and confirms it autonomously; when the message is determined to be device access information, a decryption password is obtained from the encryption subsystem to be matched against the ID and key, and if they match, the file is decrypted and sent to the data subsystem, and after the identity management module has checked the ID the database subsystem of the data subsystem extracts the corresponding device information and feeds it back to the login user; otherwise a warning signal is sent to the login subsystem and the data subsystem for a warning prompt.
9. The video monitoring system information security protection system of claim 1, wherein the network subsystem is configured to implement communication connection between the inside of each system and an external network, and perform real-time monitoring when a login user accesses the video monitoring system protection system;
the network subsystem at least comprises a network monitoring module, a network communication module, a network protocol module and a network current limiting module.
10. The protection method of the video monitoring system information safety protection system according to claim 1, characterized by comprising the following steps:
S010, in a secure network environment, determining the ID of a user account passing through a login subsystem, encrypting a key, and respectively registering the ID and the key in a data subsystem and an encryption subsystem;
S020, mutually authenticating the data subsystem and the encryption subsystem based on a protocol;
S030, the encryption subsystem confirms that the user ID and the request information pass, and sends the user's ID and request information to the policy subsystem and to the application subsystem, the data acquisition subsystem, the network subsystem and the like;
S040, the policy subsystem makes a security protection policy and sends it to the data subsystem for analysis, which generates a task execution scheme in the control module based on the security protection policy according to the user ID and the request information;
and S050, the application subsystem, the data acquisition subsystem and the network subsystem receive the task execution scheme, execute and process the tasks and generate log records.
CN202110986966.7A 2021-08-25 2021-08-25 Information safety protection system and method for video monitoring system Active CN113839922B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110986966.7A CN113839922B (en) 2021-08-25 2021-08-25 Information safety protection system and method for video monitoring system

Publications (2)

Publication Number Publication Date
CN113839922A true CN113839922A (en) 2021-12-24
CN113839922B CN113839922B (en) 2024-01-30

Family

ID=78961278

Country Status (1)

Country Link
CN (1) CN113839922B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant