KR101876183B1 - Security-enhanced residential gateway device based on internet of things - Google Patents

Abstract

The present invention relates to a residential gateway apparatus with enhanced security based on internet of things (IoT). The residential gateway apparatus includes: a device connection module which is connected to one or more IoT devices in a household in a wired or wireless manner to receive the unique device identification information with information data of the individual IoT devices; a data processing module which receives the unique device identification information with the information data of the individual IoT devices from the device connection module, encrypts the received information, and stores and transmits decryption keys for decrypting the unique device identification information with the information data of the individual IoT devices encrypted in advance; and an application service connection module which receives the unique device identification information with the information data of the individual IoT devices encrypted and transmitted by the data processing module and connects the same to IoT-based application services corresponding to the individual IoT devices to enable transmission. The residential gateway apparatus can create a pleasant and convenient household environment through performing a role as an IoT service linkage apparatus and a household appliance integration apparatus instead of a simple communication/network connection apparatus similar to a conventional wireless access point (AP) while enabling the inter-linkage between IoT platforms/protocols.

Description

BACKGROUND OF THE INVENTION 1. Field of the Invention [0001] The present invention relates to an IoT-based residential gateway apparatus,

The present invention relates to a residential gateway device with enhanced security based on Internet of Things (IoT).

In general, the Internet of Things (hereinafter referred to as " IoT ") is an Internet at an advanced stage over the existing wired communication-based Internet and mobile Internet, and is a sensing technology for obtaining information from objects used in daily life and surrounding environments Are intelligent technologies and services that communicate information between people and objects or objects and objects.

Meanwhile, according to the conversion of communication technology, in the early wired communication period, human intervention is required as an intermediary due to occurrence of data exchange only through connection between objects such as a personal computer (PC). However, The range of communication is expanded by people and people, people and objects, objects and objects, and furthermore, it has developed into M2M, which can communicate autonomously between objects.

As the IoT technology evolves, a variety of home appliances (e.g., washing machines, refrigerators, TVs, vacuum cleaners, etc.) are being converted into IoT devices, and IoT devices are connected to each other through various network methods to form an Internet network.

In addition, a plurality of IoT devices constituting a communication network can perform specific tasks by external communication via a network connection in addition to the operation of software and hardware performed at each IoT device terminal.

Meanwhile, various IoT devices are being developed for the activation of IoT service in Korea. However, due to the problem of the home network standard which is in the process of being developed, most of the devices are performing communication / network connection devices such as Bluetooth and Wi- I have not succeeded in this.

In addition, as described above, the IoT devices installed in the home are connected by external wired and / or wireless communication through the communication / network connection device, thereby hacking from the outside or being vulnerable to abnormal external access of the communication / network.

Korean Patent No. 10-1618856

SUMMARY OF THE INVENTION The present invention has been made in order to solve the above problems, and it is an object of the present invention to provide a home appliance integrated device, an IoT (object Internet) service interworking device which is not a simple communication / And to provide a comfortable and convenient home environment through role fulfillment, and to provide interoperability between IoT (Object Internet) platform / protocol, and to provide an IoT-based residential gateway device with enhanced security.

It is another object of the present invention to provide an IoT-based IoT device capable of increasing the data processing speed by classifying it into channels different in bit rate according to the type and size of information data of the IoT device, The present invention provides a residential gateway apparatus having enhanced security.

Yet another object of the present invention is to provide a method and system for providing a specific access key corresponding to a user access right level based on user unique identification information stored in advance in an external user terminal, And it is an object of the present invention to provide an IoT-based security gateway capable of effectively preventing re-access of data in a device DB by user information having illegal access history.

According to one aspect of the present invention, there is provided a method for controlling a device connected to at least one IoT (Internet of Things) device installed in a house by wire or wireless, A device connection module for connecting the device to receive the device; The device connection module receives unique device identification information together with the information data of each IoT device received from the device connection module and encrypts the received device identification information and decrypts the device identification information unique to the IoT device together with the encrypted information data of each IoT device A data processing module for storing and transmitting the key; And an application service unit for receiving unique device identification information together with information data of each IoT device encrypted and transmitted from the data processing module, and connecting the device identification information to be transmitted to an IoT-based application service corresponding to each IoT device And an IoT-based security-enhanced residential gateway device including a connection module.

Here, the data processing module may include unique device identification information together with information data of each IoT device received from the device connection module, a channel encoded with different bit rates according to the type and size of information data for each IoT device And transmits the encrypted metadata to the application service connection module.

Preferably, the data processing module further includes a device DB for storing and managing information data for each IoT device corresponding to device identification information unique to each IoT device, in a database (DB) under the control of the data processing module.

Preferably, the data processing module receives unique device identification information together with the information data of each IoT device received from the device connection module, receives the device identification information unique to each IoT device stored in the device DB, IoT devices, information data for each IoT device received from the device connection module is divided into channels according to the type and size of data, and then encoded in parallel so as to have different bit rates Metadata can be given through each channel, encrypted and transmitted to the application service connection module.

The DB access control module may further include a DB access control module that monitors a query for accessing the device DB and controls the access to the illegal DB access.

Preferably, the DB access control module comprises: a DB access monitoring unit for monitoring query information for accessing the device DB; The DB access monitoring unit analyzes the query information monitored by the DB access monitoring unit to check the data access commands and checks whether or not the data access commands corresponding to the corresponding query are stored in the black list DB, A DB access blocking unit for allowing or blocking data access of the device DB; And a DB access control unit for controlling operations of the DB access monitoring unit and the DB access blocking unit.

Preferably, when there is an unauthorized data access command matching the identified data access command in the black list DB, the DB access blocking unit controls the access to the data corresponding to the data access command according to the control of the DB access control unit The set specific code is given, the query to which the specific code is assigned is deleted, and the access user information and the access IP address information are stored in the blacklist DB so that the blacklist information is updated.

Preferably, the illegal data access command stored in advance in the blacklist DB may be a command corresponding to at least one of an illegal data creation command, an illegal data modification command, and an illegal data deletion command.

Preferably, the DB access control unit receives the device DB access request message together with the user unique identification information transmitted from the external user terminal, analyzes the received message to extract the user unique identification information, And transmits a specific access key corresponding to one level of the user access right of the corresponding user unique identification information stored in advance in the separate license DB to the corresponding user terminal according to whether or not the user unique identification information previously stored in the user information DB A message for accessing data stored in the device DB together with a specific access key transmitted from the user terminal is analyzed and analyzed to extract a specific access key and then the extracted specific access key and a specific The device DB The operation of the DB access blocking unit can be controlled so that data access is permitted or blocked.

Preferably, the DB access control unit, when there is a specific access key matching the extracted specific access key in the usage right DB, accesses the data access stored in the device DB according to a level of the user access right given to the specific access key The operation of the DB access blocking unit may be controlled so that the DB access blocking unit is allowed.

Preferably, the DB access control unit permits data access stored in the device DB according to a level of a user access right given to the specific access key, and then checks data access result information in real time, And to control the operation of the DB access blocking unit such that re-access of data of the corresponding device DB by the specific access key is permitted or blocked according to whether the illegal data access result information stored in advance in the separate security policy DB matches with the illegal data access result information stored in advance.

Preferably, the DB access control unit deletes the data of the device DB corresponding to the confirmed data access result information, when illegal data access result information matching the confirmed data access result information exists in the security policy DB The data of the deleted device DB is restored to the data before the illegal data access by using the separate backup device DB and the data of the device DB is restored by the specific user It is possible to delete a user access right level of the user unique identification information corresponding to the specific access key stored in the information DB.

The illegal data access result information stored in advance in the security policy DB may be data access result information corresponding to at least one of illegal data generation, illegal data modification, and illegal data deletion.

Preferably, the DB access control unit receives the user's unique identification information through the user terminal, and based on the received user's unique identification information, Can be controlled to be stored in a database (DB).

Preferably, the DB access control unit controls at least one specific access key that is accessible to the device DB according to a user access right level for the device DB to be stored in a database (DB) for each user access right level .

Preferably, the DB access control unit may manage data stored in the device DB to be backed up periodically in a separate backup device DB.

Preferably, the data processing module stores a decryption key for decrypting unique device identification information together with information data of each encrypted IoT device in a database (DB) for each IoT device in a separate device DB, Can be controlled to be managed.

Preferably, the application service connection module provides a cloud computing service in response to a request from an external client terminal in cooperation with the data processing module, and transmits information data of each IoT device stored in the device DB through the client terminal And provides the client member login cloud web service so that the unique device identification information can be registered, searched, and identified in real time and displayed on the corresponding display screen.

The data processing module may control the decryption key to decrypt the unique device identification information together with the information data of each encrypted IoT device to be transmitted to the client terminal through the application service connection module .

Preferably, the application service connection module transmits, along with the corresponding client member login information, the client member login information and the device identification information unique to the application DB, together with the information data of each IoT device encrypted and stored in the device DB using the transmitted decryption key And provide the client member login cloud web service so that it can be registered, searched, and identified in real time and displayed on the corresponding display screen.

Preferably, the application service connection module provides a cloud web service so that a decryption key capable of decrypting unique device identification information together with information data of each IoT device stored in the device DB can be downloaded through the client terminal can do.

Preferably, the application service connection module registers, searches and identifies a decryption key capable of decrypting unique device identification information together with information data of each IoT device stored in the device DB through the client terminal, Cloud Web services can be provided to download gateway-related cloud applications that can be displayed on the display screen.

Preferably, the application service connection module periodically transmits, to the external cloud server that provides the cloud computing service in response to the request of the external client terminal, unique device identification information together with the information data of each encrypted IoT device Service can be provided.

Preferably, the device identification information unique to each IoT device includes at least one of a name of the IoT device, a password of the IoT device, a serial number of the IoT device, a type of the IoT device, a manufacturer of the IoT device, a MAC (Media Access Control) Address of the IoT device, a unique IP (Internet Protocol) address of the IoT device, a model of the IoT device and a version of the IoT device, authentication information of the IoT device generated by the private key of the IoT device or the PKI-based private key can do.

Preferably, the IoT device includes at least one of a stereoscopic image sensor, an infrared thermal image sensor, a temperature sensor, a humidity sensor, a dust sensor, a smoke sensor, an illuminance sensor, a carbon monoxide sensor, a carbon dioxide sensor, an ozone sensor, An illumination sensor, a smart home appliance, or a door lock.

As described above, according to the IoT-based security gateway of the present invention, it is possible to provide a home gateway integrated device, an IoT (Internet) It is possible to provide a comfortable and convenient home environment by performing a role as a service interlocking device and to provide interoperability between IoT (object Internet) platform / protocol.

In addition, according to the present invention, an advantage of being able to classify channels according to the type and size of information data of the IoT device to different channels to increase the data processing speed, and to transmit meta data to the data transmitted from each channel for effective transmission have.

In addition, according to the present invention, a specific access key corresponding to a user access right level is given based on user unique identification information stored in advance in an external user terminal, and data access of the device DB is allowed using the specific access key, It is possible to effectively prevent the re-access of the data of the device DB by the user information having the illegal access history.

Also, according to the present invention, it is possible to control the monitoring level through the change of the security policy DB, and to effectively prevent access to user information and access IP address information with illegal access history.

FIG. 1 is a block diagram of an overall IOT-based residential gateway apparatus with enhanced security according to an exemplary embodiment of the present invention. Referring to FIG.
FIG. 2 is a block diagram illustrating a DB access control module according to an embodiment of the present invention. Referring to FIG.
FIG. 3 is a block diagram illustrating a user terminal or a client terminal according to an exemplary embodiment of the present invention. Referring to FIG.

The above and other objects, features, and advantages of the present invention will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings, which are not intended to limit the scope of the present invention. In the following description, well-known functions or constructions are not described in detail since they would obscure the invention in unnecessary detail.

Terms including ordinals, such as first, second, etc., may be used to describe various elements, but the elements are not limited to these terms. The terms are used only for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, the first component may be referred to as a second component, and similarly, the second component may also be referred to as a first component. The terminology used in this application is used only to describe a specific embodiment and is not intended to limit the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise.

While the present invention has been described in connection with what is presently considered to be the most practical and preferred embodiment, it is to be understood that the invention is not limited to the disclosed embodiments. Also, in certain cases, there may be a term selected arbitrarily by the applicant, in which case the meaning thereof will be described in detail in the description of the corresponding invention. Therefore, the term used in the present invention should be defined based on the meaning of the term, not on the name of a simple term, but on the entire contents of the present invention.

When an element is referred to as "including" an element throughout the specification, it is to be understood that the element may include other elements as well, without departing from the spirit or scope of the present invention. Also, the terms "part," " module, "and the like described in the specification mean units for processing at least one function or operation, which may be implemented in hardware or software or a combination of hardware and software .

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. However, the following embodiments of the present invention may be modified into various other forms, and the scope of the present invention is not limited to the embodiments described below. The embodiments of the present invention are provided to enable those skilled in the art to more fully understand the present invention.

Each block of the accompanying block diagrams and combinations of steps of the flowcharts may be performed by computer program instructions (execution engines), which may be stored in a general-purpose computer, special purpose computer, or other processor of a programmable data processing apparatus The instructions that are executed through the processor of the computer or other programmable data processing equipment will generate means for performing the functions described in each block or flowchart of the block diagram. These computer program instructions may also be stored in a computer usable or computer readable memory capable of directing a computer or other programmable data processing apparatus to implement the functionality in a particular manner so that the computer usable or computer readable memory It is also possible for the instructions stored in the block diagram to produce an article of manufacture containing instruction means for performing the functions described in each block or flowchart of the flowchart.

Computer program instructions may also be loaded onto a computer or other programmable data processing equipment so that a series of operating steps may be performed on a computer or other programmable data processing equipment to create a computer- It is also possible that the instructions that perform the data processing equipment are capable of providing the steps for executing the functions described in each block of the block diagram and at each step of the flowchart.

Also, each block or step may represent a portion of a module, segment, or code that includes one or more executable instructions for executing the specified logical functions, and in some alternative embodiments, It should be noted that functions may occur out of order. For example, two successive blocks or steps may actually be performed substantially concurrently, and it is also possible that the blocks or steps are performed in the reverse order of the function as needed.

FIG. 1 is a block diagram of an overall I / O-based security gateway of a residential gateway device according to an embodiment of the present invention. FIG. 2 is a block diagram of a DB access control module applied to an embodiment of the present invention. FIG. 3 is a block diagram illustrating a user terminal or a client terminal according to an exemplary embodiment of the present invention. Referring to FIG.

1 to 3, an IOT-based security gateway device with enhanced security according to an exemplary embodiment of the present invention includes a device connection module 100, a data processing module 200, Module 300 and the like. In addition, the IOT-based security gateway of the present invention may further include a device DB 400, a DB access control module 500, and the like. 1 are not essential. Therefore, the IoT-based security-enhanced residential gateway apparatus according to an exemplary embodiment of the present invention may have more or fewer components have.

Hereinafter, the components of the IoT-based residential gateway apparatus with enhanced security according to an exemplary embodiment of the present invention will be described in detail.

The device connection module 100 includes at least one Internet of Things (IoT) devices 10-1 to 10-N installed in a home (e.g., a home, a hospital, a factory, a building, Or wirelessly connected to the IoT devices 10-1 to 10-N so as to receive unique device identification information together with information data of the respective IoT devices 10-1 to 10-N.

The device connection module 100 may include a communication / network interface unit (not shown) capable of connecting different types of IoT devices to each other via wired and / or wireless communication (for example, Bluetooth, 6LoWPAN, Wi-Fi, Not shown), and the like.

Each of the IoT devices 10-1 to 10-N may be a three-dimensional image sensor, an infrared thermal image sensor, a temperature sensor, a humidity sensor, a dust sensor, a smoke sensor, an illuminance sensor, a carbon monoxide sensor, It is preferable that at least one of an ultrasonic sensor, a motion sensor, a light sensor, a light sensor, a smart home appliance (e.g., a washing machine, a refrigerator, a TV, a rice cooker, a cleaner, etc.) or a door lock is included.

The unique device identification information of each of the IoT devices 10-1 to 10-N includes, for example, the name of the IoT device, the password of the IoT device, the serial number of the IoT device, the type of the IoT device, The IoT device's MAC (Media Access Control) address, the unique IP address of the IoT device, the IoT device's model and the version of the IoT device, the IoT device's private key, or the PKI-based private key And at least one of authentication information.

The data processing module 200 receives unique device identification information together with information data of each of the IoT devices 10-1 to 10-N received from the device connection module 100, encrypts the device identification information, And stores and transmits a decryption key for decrypting device identification information unique to the IoT devices 10-1 to 10-N together with information data.

The data processing module 200 transmits device identification information unique to each of the IoT devices 10-1 to 10-N received from the device connection module 100 together with information data of the IoT devices 10-1 to 10- N), and transmits the encrypted metadata to the application service connection module 300. The application service connection module 300 transmits the metadata to the application service connection module 300 via the channel encoded with different bit rates according to the type and size of the information data.

The data processing module 200 receives the unique device identification information together with the information data of the respective IoT devices 10-1 to 10-N received from the device connection module 100 and stores them in the device DB 400 The device connection module 100 determines that the IoT devices 10-1 to 10-N are identical to the device information unique to the respective IoT devices 10-1 to 10-N, The information data for each of the IoT devices 10-1 to 10-N received from the IoT devices 10-1 to 10-N is divided for each channel according to the type and size of the data, and the metadata is given through each channel encoded in parallel so as to have different bit rates And transmits the encrypted data to the application service connection module 300.

In addition, the data processing module 200 transmits a decryption key for decrypting unique device identification information together with the information data of the encrypted IoT devices 10-1 to 10-N to a separate device DB 400 It is possible to make a database (DB) for each IoT device and control the storage and management of the database.

In addition, the data processing module 200 transmits the decryption key for decrypting the unique device identification information together with the information data of the encrypted IoT devices 10-1 to 10-N to the application service connection module 300 To the external client terminal 20 via the network.

The application service connection module 300 receives unique device identification information together with the information data of each of the IoT devices 10-1 to 10-N encrypted and transmitted from the data processing module 200, To be transmitted to an IoT-based application service corresponding to the I / O terminals 10-1 to 10-N.

The application service connection module 300 may perform a function of providing a cloud computing service in response to a request of an external client terminal 20 in cooperation with the data processing module 200.

The application service connection module 300 transmits device identification information unique to the IO devices 10-1 through 10-N together with the information data of the IoT devices 10-1 through 10-N stored in the device DB 400 through the client terminal 20 in real time Registered, browsed, and identified, and provides the client member login cloud web service to be displayed on the corresponding display screen.

In addition, the application service connection module 300 transmits the client member login information to the IoT devices 10-1 to 10-n, which are encrypted and stored in the device DB 400 using the decryption key, N), and provides the client member login cloud web service to be displayed on the corresponding display screen by registering, searching, and identifying the unique device identification information in real time.

The application service connection module 300 can decrypt device identification information unique to the application service connection module 300 together with information data of the IoT devices 10-1 to 10-N stored in the device DB 400 through the client terminal 20 And a function of providing a cloud web service (Cloud Web Service) for downloading a decryption key of the decryption key.

The application service connection module 300 decrypts device identification information unique to the application service connection module 300 together with the information data of the respective IoT devices 10-1 to 10-N stored in the device DB 400 through the client terminal 20 And can provide a cloud web service to download a gateway related cloud application that can register, search, and identify the decryption key in real time and display it on the corresponding display screen.

In addition, the application service connection module 300, in association with the information data of each of the encrypted IoT devices 10-1 to 10-N, transmits device identification information unique to the application service connection module 300 in response to a request from the external client terminal 20, And to provide services to be periodically transmitted to the external cloud server 30 providing the service.

The application service connection module 300 is connected to the external client terminal 20 and / or the cloud server 30 through the communication network 1. At this time, the communication network 1 is connected to the external client terminal 20 and / (WiFi), WiGig, Wireless Broadband Internet, Wibro, and World Interoperability (WiBro) for providing high-speed multimedia services. for Microwave Access, Wimax), and the like.

The Internet includes a plurality of services such as HTTP (Hyper Text Transfer Protocol), Telnet, File Transfer Protocol (FTP), Domain Name System (DNS), Simple Mail Transfer Protocol (SMTP) Refers to a worldwide open computer network structure providing a Simple Network Management Protocol (SNMP), a Network File Service (NFS), a Network Information Service (NIS), and the like. The application service connection module 300 includes an external client terminal 20, / RTI > and / or the cloud server (30). Meanwhile, the Internet may be a wired or wireless Internet, or may be a core network integrated with a wired public network, a wireless mobile communication network, or a portable Internet.

If the communication network 1 is a mobile communication network, it may be a synchronous mobile communication network or an asynchronous mobile communication network. As an example of the asynchronous mobile communication network, a WCDMA (Wideband Code Division Multiple Access) communication network is exemplified. In this case, although not shown in the drawing, the mobile communication network may include, for example, a radio network controller (RNC). Meanwhile, although the WCDMA network is described as an example, it may be a next generation communication network such as a 3G LTE network, a 4G network, and a 5G network, or an IP network based on other IPs. The communication network 1 transmits signals and data between the application service connection module 300 and the external client terminal 20 and / or the cloud server 30.

The device DB 400 is connected to each of the IoT devices 10-1 to 10-N corresponding to the unique device identification information of each of the IoT devices 10-1 to 10-N under the control of the data processing module 200 And stores and manages the information data in a database (DB).

The DB access control module 500 monitors a query to access the device DB 400 and performs a function of controlling the access to the illegal DB access.

As shown in FIG. 2, the DB access control module 500 includes a DB access monitoring unit 510 for monitoring query information for accessing the device DB 400, And then confirms the data access commands by analyzing the query information and then checks the corresponding device DB 400 for the query according to whether or not the illegal access command stored in advance in the black list DB 520, And a DB access control unit 540 for controlling operations of the DB access monitoring unit 510 and the DB access blocking unit 530. [ .

If an unauthorized data access command corresponding to the identified data access command exists in the blacklist DB 520, the DB access interception unit 530 controls the data access command in accordance with the control of the DB access control unit 540 A specific code preset in the corresponding query, deletes the query to which the specific code is assigned, stores the access user information and the access IP address information in the blacklist DB 520, and updates the blacklist information. So that it is possible to perform a function of controlling so that

At this time, the blacklist DB 520 stores the illegal data access command as a database (DB), for example, an instruction corresponding to at least one of an illegal data generation instruction, an illegal data modification instruction, and an illegal data deletion instruction And management functions.

In addition, the blacklist DB 520 may store and manage user information and IP address information that have performed illegal data access to the device DB 400 in a database (DB).

The DB access control unit 540 receives a message for access request of the device DB 400 along with the user unique identification information transmitted from the external user terminal 40, analyzes the received message, extracts the user unique identification information, In accordance with whether or not the extracted user unique identification information is identical to the user unique identification information previously stored in the user information DB 550, the user's unique identification information stored in the separate license DB 560 And transmits the corresponding specific access key to the corresponding user terminal 40. [

At this time, the user information DB 550 is preferably stored in the database (DB) with user's unique identification information and IP address information accessible to the device DB 400, and the specific access key may be stored in a database But is not limited to, a temporary unique access key that can be used each time.

The user's unique identification information includes, for example, a member ID / password (ID / PW), a resident number, a telephone number, biometric feature information, a PKI (Public Key Infrastructure), an OTP (One Time Password), and authorized certificate information.

The DB access control unit 540 receives a message for accessing data stored in the device DB 400 together with the specific access key transmitted from the user terminal 40, analyzes the received message, extracts a specific access key, A function of controlling the operation of the DB access blocking unit 530 such that data access of the device DB 400 is permitted or blocked according to whether a specific access key and a specific access key stored in the DB 560 for use right match .

If there is a specific access key corresponding to the extracted specific access key in the DB 560, the DB access controller 540 accesses the device DB 400 according to the level of the user access right given to the specific access key, The DB access control unit 530 may control the operation of the DB access blocking unit 530 such that data accesses stored in the DB access blocking unit 530 are allowed.

In addition, the DB access control unit 540 permits data access stored in the device DB 400 according to the level of the user access right granted to the specific access key, and then confirms the data access result information in real time, In accordance with whether or not illegitimate data access result information stored in the security policy DB 570 is stored in the security policy database 570, the access to the corresponding device DB 400 is permitted or blocked, The control unit 530 may perform the function of controlling the operation of the unit 530.

At this time, illegal data access result information stored in advance in the security policy DB 570 is preferably composed of data access result information corresponding to at least one of illegal data generation, illegal data modification, and illegal data deletion .

If there is illegal data access result information in the security policy DB 570 that matches the verified data access result information, the DB access control unit 540 accesses the device DB 400 corresponding to the verified data access result information The data of the deleted device DB 400 is restored to the data before the illegal data access by using the separate backup device DB 580 and the data of the corresponding device It is possible to perform a function of deleting a user access right level of the user unique identification information corresponding to the specific access key stored in the separate user information DB 550 so that the data re-access of the DB 400 is blocked.

In addition, the DB access controller 540 receives the user's unique identification information through the user terminal 40 and receives the user's access right to the device DB 400 granted by the administrator, (DB) for each user's unique identification information and stores the DB in the database.

In addition, the DB access controller 540 may be configured to store at least one specific access key accessible to the device DB 400 according to one level of user access right to the device DB 400, And the like.

In addition, the DB access control unit 540 may manage the data stored in the device DB 400 to be backed up periodically in a separate backup device DB 580. [

Meanwhile, the client terminal 20 or the user terminal 40 applied to the embodiment of the present invention may be a smart phone, a smart pad or a smart note communicating through a wireless Internet or a portable Internet A notebook PC, a Palm PC, a mobile play-station, a Digital Multimedia Broadcasting (DMB) phone having a communication function, a tablet, The present invention can comprehensively mean all wired and wireless home appliances / communication devices having a user interface for connecting to the application service connection module 300 such as a PC, an iPad, and the like.

2, the client terminal 20 or the user terminal 40 includes a wireless communication module 21, an A / V input module 22, a user input module 23, Module 24, an output module 25, a storage module 26, an interface module 27, a terminal control module 28, a power module 29, and the like. On the other hand, the components shown in Fig. 2 are not essential, so that the client terminal 20 or the user terminal 40 may have more or fewer components.

Hereinafter, the components of the client terminal 20 or the user terminal 40 will be described in detail.

The wireless communication module 21 may include one or more modules that enable wireless communication between the client terminal 20 or the user terminal 40 and the application service connection module 300. For example, the wireless communication module 21 may include a broadcast receiving module 21a, a mobile communication module 21b, a wireless Internet module 21c, a short distance communication module 21d, and a location information module 21e.

The broadcast receiving module 21a receives a broadcast signal (e.g., a TV broadcast signal, a radio broadcast signal, a data broadcast signal, etc.) from an external broadcast management server through various broadcast channels (e.g., a satellite channel and a terrestrial channel) And receives the related information.

The mobile communication module 21b transmits and receives a radio signal to at least one of a base station, an external terminal, and a server on a mobile communication network. The wireless signal may include various types of data in response to a voice call signal, a video call call signal, or a text / multimedia message transmission / reception.

The wireless Internet module 21c is a module for wireless Internet access, and may be embedded in or embedded in the client terminal 20 or the user terminal 40. [ As the wireless Internet technology, for example, WLAN (Wi-Fi), Wibro, Wimax, HSDPA, LTE and the like can be used.

The short-range communication module 21d is a module for short-range communication. The short-range communication module 21d may be a module for short-range communication, for example, Bluetooth communication, ZigBee communication, UWB communication, RFID (Radio Frequency Identification) communication, ) Communication can be used.

The position information module 21e is a module for confirming or obtaining the position of the client terminal 20 or the user terminal 40. The position information module 21e is a module for checking the position of the client terminal 20 or the user terminal 40, The current location information can be obtained.

The application control module 28 controls the application service connection module (not shown) by using the specific application program stored in the storage module 26 through the wireless communication module 21 and / or the wired communication module 300 to perform data transmission and reception.

The A / V input module 22 is a module for inputting an audio signal or a video signal, and may basically include a camera section 22a and a microphone section 22b. The camera section 22a processes an image frame such as a still image or a moving image obtained by the image sensor in the video communication mode or the photographing mode. The microphone unit 22b receives an external sound signal by a microphone in a communication mode, a recording mode, a voice recognition mode, or the like, and processes it as electrical voice data.

The user input module 23 is a module for generating input data for controlling the operation of the client terminal 20 or the user terminal 40. The user input module 23 is a module for generating input data for controlling the operation of the client terminal 20 or the user terminal 40, For example, a touch panel (static / static) type input by a user's touch or a separate input device (e.g., a key pad dome switch, a jog wheel, a jog wheel, Switches, etc.).

The sensing module 24 may be configured to determine whether the client terminal 20 or the user terminal 40 is open or closed, the position of the client terminal 20 or the user terminal 40, whether the user terminal 20 is touching the user, Such as the orientation of the client terminal 20 or the user terminal 40 or the acceleration or deceleration of the client terminal 20 or the user terminal 40 to detect the current state of the client terminal 20 or the user terminal 40, Or a sensing signal for controlling the operation of the user terminal 40. The sensing signal is transmitted to the terminal control module 28, and the terminal control module 28 can be a basis for performing a specific function.

The output module 25 is a module for generating an output related to visual, auditory or tactile sense and basically includes a display portion 25a, an acoustic output portion 25b, an alarm portion 25c, a haptic portion 25d, .

The display unit 25a is for displaying and outputting information processed by the client terminal 20 or the user terminal 40. For example, when the client terminal 20 or the user terminal 40 is in the call mode, (User Interface) or GUI (Graphical User Interface). In the case of the video communication mode or the photographing mode, the captured and / or received video or UI and GUI are displayed.

The sound output unit 25b may output audio data received from the wireless communication module 21 or stored in the storage module 26 in, for example, a call signal reception mode, a communication mode or a recording mode, a voice recognition mode, a broadcast reception mode, .

The alarm unit 25c may output a signal for notifying the client terminal 20 or the user terminal 40 of the occurrence of an event. Examples of events generated in the client terminal 20 or the user terminal 40 include call signal reception, message reception, key signal input, touch input, and the like.

The haptic portion 25d generates various tactile effects that the user can feel. A typical example of the haptic effect generated by the haptic portion 25d is vibration. The intensity and pattern of the vibration generated by the haptic part 25d can be controlled.

The storage module 26 may store a program for operation of the terminal control module 28 and temporarily store input / output data (e.g., a phone book, a message, a still image, a moving picture, etc.).

In addition, the storage module 26 may store data related to vibration and sound of various patterns output upon touch input on the touch screen, and may store a gateway-related application program.

In addition, the storage module 26 may store source data for forming gateway-related information, such that the gateway-related data may be composed of video and sound, Results can also be stored together.

The storage module 26 may be a flash memory type, a hard disk type, a multimedia card micro type, a card type memory (for example, SD or XD memory), a RAM, an SRAM, a ROM, an EEPROM, , A magnetic memory, a magnetic disk, or an optical disk.

The interface module 27 serves as a channel between the client terminal 20 and all external devices connected to the user terminal 40. The interface module 27 receives data from an external device or receives power from the external device to transfer the data to the respective components in the client terminal 20 or the user terminal 40 or to transmit data in the client terminal 20 or the user terminal 40 To be transmitted to the external device.

The terminal control module 28 is generally for controlling the overall operation of the client terminal 20 or the user terminal 40 and is used to control and control the relevant controls and processes for, for example, voice calls, data communications, video calls, .

That is, the terminal control module 28 controls the gateway-related application program stored in the storage module 26 to be executed, requests generation of gateway-related data through execution of the gateway-related application program, and provides gateway- And the like.

In addition, the terminal control module 28 transmits auxiliary elements including at least one of video, audio, or sound to the display unit 25a and other outputs (not shown) in the process of generating the gateway related data desired by the user through execution of the gateway- And outputs it through at least one of the devices (e.g., the sound output unit 25b, the alarm unit 25c, the haptic unit 25d, and the like).

The terminal control module 28 may regularly monitor the charging current and the charging voltage of the battery unit 29a and temporarily store the monitoring value in the storage module 26. [ At this time, the storage module 26 preferably stores not only the battery charging status information such as the monitored charging current and the charging voltage, but also battery specification information (product code, rating, etc.).

The power supply module 29 receives external power and internal power under the control of the terminal control module 28 and supplies power necessary for operation of the respective components. The power module 29 supplies the power of the built-in battery unit 29a to the respective components and operates the battery, and the battery can be charged using a charging terminal (not shown).

The various embodiments described herein may be embodied in a recording medium readable by a computer or similar device using, for example, software, hardware, or a combination thereof.

According to a hardware implementation, the embodiments described herein may be implemented as application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays Microprocessors, microprocessors, and electrical units for performing functions, as will be described in more detail below. In some cases, such embodiments may be implemented by the terminal control module 28.

According to a software implementation, embodiments such as procedures or functions may be implemented with separate software modules that perform at least one function or operation. The software code may be implemented by a software application written in a suitable programming language. The software code may also be stored in the storage module 26 and executed by the terminal control module 28.

If the client terminal 20 or the user terminal 40 is a smart phone, the smart phone may download various application programs desired by the user, unlike a general mobile phone (a feature phone) It is a phone based on an open operating system that can be freely used and deleted. It does not have any mobile phone or voice call function with mobile office function as well as functions of commonly used voice / video call, internet data communication, etc. It is desirable to be understood as a communication device including all Internet phones or Tablet PCs capable of accessing the Internet.

Such a smart phone can be implemented as a smartphone equipped with various open operating systems. Examples of the open operating system include Nokia, Nokia, Symbian, RIMS, BlackBerry, Apple, Microsoft's Windows Mobile, Google's Android, and Samsung's ocean.

As such, since the smartphone uses an open operating system, a user can arbitrarily install and manage various application programs, unlike a mobile phone having a closed operating system.

That is, the smartphone basically includes a control unit, a memory unit, a screen output unit, a key input unit, a sound output unit, a sound input unit, a camera unit, a wireless network communication module, a short- do.

The controller is a generic term for controlling the operation of the smartphone, and includes at least one processor and an execution memory, and is connected to each functional unit provided in the smart phone through a bus.

The controller controls the operation of the smartphone by loading at least one program code included in the smart phone into the execution memory through the processor and calculating the result by transmitting the result to the at least one functional unit through the bus .

The memory unit is a general term of a nonvolatile memory included in a smartphone, and stores and maintains at least one program code executed through the control unit and at least one data set used by the program code. The memory unit basically stores a system program code and a system data set corresponding to an operating system of a smartphone, a communication program code and a communication data set for processing a wireless communication connection of the smartphone, at least one application program code and an application data set , And the program code and data set for implementing the present invention are also stored in the memory unit.

The screen output unit includes a screen output device (e.g., an LCD (Liquid Crystal Display) device) and an output module for driving the screen output device. The screen output unit is connected to the control unit through a bus, And outputs it to the screen output device.

The key input unit is composed of a key input device having at least one key button (or a touch screen device interlocked with the screen output unit) and an input module for driving the key input unit. The control unit is connected to the control unit via a bus, Or inputs data necessary for the operation of the control unit.

The sound output unit includes a speaker for outputting a sound signal and a sound module for driving the speaker. The sound output unit is connected to the control unit through a bus, and outputs a result of operation corresponding to the sound output from the various operation results of the control unit through the speaker . The sound module decodes sound data to be output through the speaker and converts the sound data into a sound signal.

The sound input unit includes a microphone for receiving a sound signal and a sound module for driving the microphone, and transmits the sound data input through the microphone to the control unit. The sound module encodes and encodes a sound signal input through the microphone.

The camera unit includes an optical unit, a CCD (Charge Coupled Device) and a camera module for driving the CCD unit, and obtains bitmap data input to the CCD through the optical unit. The bitmap data may include both still image data and moving image data.

The wireless network communication module is a collective term for communicating wireless communication and includes at least one antenna, an RF module, a baseband module, and a signal processing module for transmitting and receiving a radio frequency signal of a specific frequency band. And transmits the calculation result corresponding to the wireless communication among the various calculation results of the control unit through the wireless communication or receives the data through the wireless communication and transmits the data to the control unit, , Communication, and handoff procedures.

Also, the wireless network communication module includes a mobile communication structure for performing at least one of connection, location registration, call processing, call connection, data communication, and handoff to a mobile communication network according to the CDMA / WCDMA standard. Meanwhile, according to the intention of those skilled in the art, the wireless network communication module may further include a portable Internet communication structure for performing at least one of connection to the portable Internet, location registration, data communication, and handoff according to the IEEE 802.16 standard, It is evident that the present invention is not limited by the wireless communication configuration provided by the communication module.

The short-range wireless communication module is composed of a short-range wireless communication module that connects a communication session using a radio frequency signal as a communication medium within a predetermined distance. Preferably, the short-range wireless communication module includes RFID communication, Bluetooth communication, Wi- And wireless communication. The short-range wireless communication module may be integrated with the wireless network communication module.

The thus configured smartphone means a terminal capable of wireless communication, and any device capable of transmitting and receiving data through a network including the Internet may be applicable as well as a smart phone. That is, the smart phone may include at least one of a notebook PC, a tablet PC, and a mobile terminal capable of carrying and moving a mobile phone having a short message transmission function and a network connection function.

Although the preferred embodiment of the IOT-based security enhanced residential gateway apparatus according to the present invention has been described above, the present invention is not limited to the above embodiments, but may be applied to the claims, the detailed description of the invention, It is possible to carry out various modifications within the scope of the present invention.

100: Device connection module,
200: data processing module,
300: application service connection module,
400: device DB,
500: DB access control module,
510: DB access monitoring unit,
520: Blacklist DB,
530: DB access blocking part,
540: DB access control unit,
550: user information DB,
560: License DB,
570: security policy DB,
580: Backup device DB

Claims (22)

A device connection module that is connected to at least one IoT (Internet of Things) device installed in the house by wired or wireless connection, so as to receive unique device identification information together with information data of each IoT device;
The device connection module receives unique device identification information together with the information data of each IoT device received from the device connection module and encrypts the received device identification information and decrypts the device identification information unique to the IoT device together with the encrypted information data of each IoT device A data processing module for storing and transmitting the key;
A device DB for storing and managing information data for each IoT device corresponding to the device identification information unique to each IoT device under the control of the data processing module;
A DB access control module that monitors a query for accessing the device DB and controls the access to an illegal DB access; And
An application service connection unit that receives unique device identification information together with the information data of each IoT device encrypted and transmitted from the data processing module and connects it to be transmitted to an IoT-based application service corresponding to each IoT device, Modules,
The data processing module may include device identification information unique to each IoT device received from the device connection module through a channel encoded with different bit rates according to the type and size of the information data for each IoT device, And transmits the encrypted data to the application service connection module. The device connection module receives unique device identification information together with the information data of each IoT device received from the device connection module, Information data for each IoT device corresponding to one device identification information, and if the information data is identical to the information data for each IoT device corresponding to the device identification information, information data for each IoT device received from the device connection module is divided for each channel according to the type and size of data, Each bit encoded in parallel with a bit rate And to give the metadata and sends them to the encryption module via the application service connection,
The DB access control module includes a DB access monitoring part for monitoring query information for accessing the device DB, and a controller for checking data access commands by analyzing the query information monitored by the DB access monitoring part, A DB access blocking unit for allowing or blocking data access of the corresponding device DB to the query in accordance with whether or not an illegal access command stored in advance in the black list database is stored in a separate blacklist database; And a DB access control unit for controlling operations of the sub-
If there is an illegal data access command matching the confirmed data access command in the black list DB, the DB access blocking unit controls the DB access controller to transmit a specific code preset in the query corresponding to the data access command under the control of the DB access control unit Adds the corresponding access user information and the access IP address information to the blacklist DB to control the blacklist information to be updated,
The illegal data access instruction stored in advance in the blacklist DB is composed of an instruction corresponding to at least one of an illegal data creation instruction, illegal data modification instruction, and illegal data deletion instruction,
The DB access control unit receives a message for the device DB access request together with the user unique identification information transmitted from an external user terminal, analyzes the received message, extracts user unique identification information, To the corresponding user terminal, a specific access key corresponding to one level of the user access right of the corresponding user unique identification information stored in advance in the separate license DB according to whether the user unique identification information stored in the user information DB of the user A message for accessing data stored in the device DB is received along with a specific access key transmitted from the terminal, and the message is analyzed to extract a specific access key. Then, the extracted specific access key and a specific access key The data access of the device DB And if the specific access key corresponding to the extracted specific access key exists in the usage right DB, the control unit controls the operation of the device access DB in accordance with one level of the user access right granted to the specific access key, The data access result information is checked in real time after the data access stored in the device DB is allowed according to the level of the user access right given to the specific access key, , The DB access control unit may control the DB access control unit so that re-access of data of the corresponding device DB by the specific access key is permitted or blocked according to whether the identified data access result information is matched with illegal data access result information stored in advance in a separate security policy database The security policy DB, If there is illegal data access result information that matches the previously confirmed data access result information, deletes the data of the device DB corresponding to the confirmed data access result information, DB corresponding to the specific access key stored in the separate user information DB so that the data of the DB is restored to the data before illegal data access and the data access of the corresponding device DB by the specific access key is blocked, The level of user access right to the device DB, which is provided by the administrator, based on the user unique identification information received through the user terminal, Database (DB) and store it And controls at least one specific access key that can access the device DB according to one level of user access right to the device DB to be stored in a database (DB) for each level of user's access right and stores the data in the device DB To be backed up periodically in a separate backup device DB,
The illegal data access result information stored in advance in the security policy DB is composed of data access result information corresponding to at least one of illegal data generation, illegal data modification, and illegal data deletion,
The data processing module may include a decryption key capable of decrypting device identification information unique to the encrypted IoT device together with information data of the encrypted IoT device in a database DB for each IoT device in a separate device DB, And a decryption key capable of decrypting device identification information unique to the encrypted IoT device together with information data of the encrypted IoT device is transmitted to the client terminal through the application service connection module,
Wherein the application service connection module provides a cloud computing service in response to a request from an external client terminal in cooperation with the data processing module, And provides the client member login cloud web service so that one device identification information can be registered, searched, and identified in real time and displayed on the corresponding display screen, and the client member login cloud web service is provided through the client terminal, It decrypts unique device identification information together with the information data of each IoT device encrypted and stored in the device DB, registers, searches and identifies it in real time and provides a client member login cloud web service to be displayed on the corresponding display screen Provides a cloud web service to download a decryption key capable of decrypting device identification information unique to each IoT device stored in the device DB together with information data of the IoT device via the client terminal, Related cloud application that can register, search, and identify a decryption key that can decrypt unique device identification information together with the information data of each IoT device stored in the DB, and display the corresponding gateway-related cloud application on the corresponding display screen, The I / O device is provided with a web service. The device identification information unique to the encrypted IoT devices is periodically transmitted to an external cloud server that provides a cloud computing service in response to a request from an external client terminal. Wherein the IoT-based residential gateway device is a security-enhanced residential gateway device.
delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete The method according to claim 1,
The unique device identification information of each IoT device includes the name of the IoT device, the password of the IoT device, the serial number of the IoT device, the type of the IoT device, the maker of the IoT device, the MAC (Media Access Control) address of the IoT device, A unique IP (Internet Protocol) address of the device, a model of the IoT device and a version of the IoT device, authentication information of the IoT device generated by the private key of the IoT device or the PKI-based private key IoT based security gateway with enhanced security.
The method according to claim 1,
The IoT device may include at least one of a stereoscopic image sensor, an infrared thermal image sensor, a temperature sensor, a humidity sensor, a dust sensor, a smoke sensor, an illuminance sensor, a carbon monoxide sensor, a carbon dioxide sensor, an ozone sensor, A smart home appliance, or a door lock. ≪ RTI ID = 0.0 > [0002] < / RTI >

Images