RU54686U1 - HARDWARE AND SOFTWARE COMPLEX OF AUTOMATED PRODUCTION MANAGEMENT SYSTEM - Google Patents

Abstract

The utility model relates to the field of automated production control systems, is designed to optimize production and business processes and is a hardware-software complex consisting of specialized equipment, a computer program and a security system, which, in order to increase the efficiency of the automated production control system by increasing the level security and data reliability, equipped with a biometric user identification device and a computer program that provides authentication of users at different stages of production and the full integration of an automated production management system, and, in addition, the security system is additionally equipped with a USB security key that provides cryptographic protection of the file structure of confidential data.

Description

The claimed technical solution relates to the field of automated production control systems, is intended to optimize production and business processes and is a hardware-software complex consisting of specialized equipment, a computer program and a security system.

The inventive utility model can be applied in production management, in which the security and protection of data from the negative interference of the human factor - competitive intelligence, fraud of disloyal personnel, hacker attacks, etc. - are critical, and unauthorized access, inconsistent actions of users of the local computer network, data inaccuracy reduce the effectiveness of the automated system or make it meaningless.

The well-known hardware and software system R-Keeper developed by UCS is designed to manage the restaurant business, for the automated management of such industries as bars, bistros, cafes, restaurants, hotels, etc. The well-known complex is a tool for controlling the hall, warehouse accounting and accounting working time, he is an assistant for owners and financial management (see website www.ucs.ru).

Information is protected from unauthorized interference in a known hardware-software complex based on the use of electronic access cards. Moreover, each card is assigned a certain access level, according to which the user has the right to access the system. Functional diagram of the hardware-software complex connects the reader signals with the program code. Signals arise or do not arise when passing through a reader a card that belongs to a specific user. These cards have learned to fake, "lose", leave at the workplace, etc., i.e. card entry is no longer authentic.

The well-known security system controls the user’s access to the hardware-software complex, without realizing identity

subsequent various stages of the functioning of the hardware-software complex. And thus, it becomes possible to carry out unauthorized, fraudulent actions by both identified and unidentified users, and the inaccurate data resulting from this reduces the management efficiency of the automated system and causes great damage to production. Also known is the hardware-software complex for automated management of the restaurant "ASTOR: Restaurant 2.5", created on the 1C: Enterprise platform, and designed to improve the quality of service, to ensure control over the work of personnel and ensure business security.

Differentiation of access rights for personnel in this complex is also ensured by the use of access cards and passwords.

Currently, traditional methods of personal identification based on the use of passwords or tangible media in the form of a pass, a plastic card with a magnetic strip, electronic keys, key fobs, smart and proximity cards no longer meet modern requirements for reliability and security in determining a person. The password can be forgotten or intercepted, the material medium can be copied, lost or transferred to another person. It is this that does not allow traditional access control systems to provide an appropriate level of reliability and security, which, in turn, leads to significant financial losses. For example, in the MasterCard system, annual losses due to identity fraud are estimated at $ 450 million.

The disadvantage of this hardware-software complex is that the security system in this case identifies the user only for access. After access is granted, the question remains open of who is involved in all subsequent important processes. There remains the possibility of maneuver for fraud at different stages of production, - by different users at different times in the process of all further functioning. Inconsistency of false distorted information with real facts leads to data disintegration, the collapse of the automated control system and, as a result, to financial losses in production.

The inventive utility model solves the problem of increasing the efficiency of an automated production control system by increasing the level of security and ensuring the reliability of the data.

The technical problem is solved due to the fact that in the hardware and software complex of an automated production control system containing a security system, according to the claimed utility model, the security system is equipped with a biometric user identification device and a computer program that provides authentication of users at different stages of production and full integration of the automated control system production, in addition, the security system is additionally equipped with USB- a security key that provides cryptographic protection of the file structure of confidential data.

The security system, equipped with a device for biometric identification of users, due to the uniqueness of biometric data, allows you to abandon the traditional methods of identification in the form of cards and increase the level of protection of the system.

Fingerprint identification verification takes place not only at the user's login to the system, but also during the performance of all important operations from the point of view of data security. This functionality and the algorithm for fulfilling the data security criteria and the system as a whole makes this new technical solution highly efficient.

The full integration and reliability of the data of the automated production control system corresponds to the basics of data security and reliability created in the program, in the right places, the verification of the identity of the person performing the action is ensured by the program, without confirmation of which this action will not be performed, and thus becomes impossible unidentified actions of an unidentified user.

The USB security key, which is additionally equipped with a security system, provides cryptographic protection of the file structure of confidential data.

The presence of distinctive features in the claimed technical solution allows us to conclude that it meets the condition of patentability “novelty”.

The patentability condition "industrial applicability" is confirmed by the example of a specific implementation.

The essence of the technical solution is illustrated by schemes, where:

figure 1 is a diagram of the security of the hardware-software complex of an automated production control system (ACS);

figure 2 - presents a functional diagram of the hardware-software complex ASUP restaurant.

The data security scheme involves a user authentication system (AP) and a system for logging user actions. The proposed scheme ensures the security of application interaction - from workstations, with the main database (DB) on the server.

A module is a part of a hardware-software complex that implements a specific set of its functions. The module includes the application and devices necessary for its operation (security key, fingerprint reader, etc.).

An application is a program that a user directly works with. Different modules have different applications.

For the whole system to work, a network security key 1 is required. At workplaces where it is possible to work offline - module I in figure 1, additional local security keys 2 are installed, which are necessary to ensure the security of information stored in the main database (DB) 3. Associated with them is the operability of the modified kernel of the operating system (OS) 4, which is supplied with the software; initialization of the protected file system 5; operability of the application 6 in local operation mode.

In each of these cases, different security policy scenarios are used, and this makes access by the attacker to protected data more difficult.

Server Security

The loading of the modified OS 4 kernel on the database server 3 is tied to the network security key 1, which in this case is used as a local key. On the server’s hard disk there is an encrypted area of the file system 5, the work with which is carried out by accessing applications 6 to the functions of the network key 1, in this area there is the main database 3. Modified OS 4 kernel

Allows you to access the encrypted area only the modules of a particular project through the database management system (DBMS) 7, which eliminates unauthorized copying and modification of data.

All operations in the system are logged in Log's 8. Since this element is also located in the encrypted area, it cannot be cleared - hide traces of unauthorized actions.

Workplace safety - online mode, regular mode.

When starting up at the workplace, application 6 online, module II in figure 1, accesses the network security key 1. When a user enters the program and during critical operations, a fingerprint reader 9 is used for 100% authentication of the user performing this operation. When performing safety-important operations, fingerprint verification is required. Modified (added) data is signed with a digital fingerprint. When writing them to the main database 3 on the server, this fingerprint is checked. Further, depending on the access level and privileges, this information is either added to the main database 3 or discarded by the server with the corresponding entry in Log's 8 - this way the data is verified.

Data exchange between application 6 - at the workplace, and the main database 3 - on the server, is always carried out through the secure communication channel SSL 10. Certificates for it are generated on the basis of information that identifies the user, including digital fingerprint.

All information transmitted over the Intranet 11 network is digitally signed by the user working with the program. Certificates for each user working with the program are created on the basis of personal information and a fingerprint. This ensures that such certificates no longer exist.

Workplace safety - offline mode, emergency mode.

Offline mode (module I in figure 1) is provided for workstations requiring special operational efficiency, for example, on a cash register. It is involved in the work in case of a malfunction of the local network, i.e. communication with the server of the main database. When there is a connection, module I works in the same way as module II.

The places provided for working in this mode combine the functionality of the workplace (module) and the database server. Differences: a local key is used in conjunction with the network key, and only a local copy is accessed to the temporary database 12

Appendix 6. Appendix 6 switches to work with the temporary database 12 in case of communication failure with the main database 3. When communication is restored, data from the temporary database 12 is automatically transferred to the main database 3 (synchronized). At this stage, new data is verified based on the same principles as when working online. After synchronization, application 6 continues to work with the main database 3.

The whole range of security tasks is divided into the following areas:

1) Security for the developer:

1. protection against leakage of the source code of the program;

2. protection against illegal use of the program;

3. hiding the algorithms for implementing business logic;

2) Security for the customer:

1. protection against illegal data modification;

2. protection against copying data representing commercial or other secrets;

3. protection against unregistered user;

3) Security for the investor of the enterprise:

1. protection against malicious acts of disloyal personnel.

The implementation of the security task for the developer of the control system hardware and software complex is based on the following principles:

1. The launch and execution of programs is tied to hardware protection keys;

2. Each developer uses test keys. Each test key implements only some part of the security functionality;

3. None of the developers have a complete project source code;

4. Each developer implements their own security scheme, which others are not aware of;

5. The project is finally compiled on a separate computer that is not connected to the network, on which all security elements are activated, where the project is attached to real keys;

6. Information about real keys is not available to any of the developers;

7. The Linux kernel modified by developers is used. Work with a software product is possible only on a computer with a modified kernel installed.

The implementation of the security task for the user of the hardware-software complex is based on the following principles:

1. User authentication is based on fingerprint

reader;

2. The operation of the hardware and software complex is tied to accessing network and local security keys;

3. The rights of the hardware and software product are clearly delineated: everyone has access only to the data that he needs to work;

4. The files in which the project database is stored are located on the server in a secure (encrypted) area. Access to it is provided only to dedicated processes (this is implemented in the modified Linux kernel). If you try to unauthorized copy (modify) this data, the attacker will receive it in encrypted form, unusable;

5. When performing important (from a security point of view) operations, the system requires confirmation with a fingerprint, the digital signature of which data is signed;

6. When working through the local network, SSL is used, which ensures the security of the connection. It ensures that data is not intercepted.

The implementation of the security task for the investor of the enterprise that ordered the product is based on the following principles:

1. In the modified Linux kernel, the superuser (root) has limited rights to perform a number of operations related to the protection system. This protects even a highly qualified system administrator who has gained direct access to the server with the database from malicious acts. Thus, access to the database data is possible only from this program.

2. All actions of all users of the product are recorded and signed. If necessary, it is possible to completely restore the sequence of actions of each user. The protocol is also in a protected area, which eliminates its “overwriting";

3. A history of key data values is stored.

The SmartRestaurant automated control system shown in the diagram of FIG. No. 2, organizes the work of all role-playing employees of the hypothetical restaurant "Rainbow". Automated workplaces (AWP) of the restaurant manager, chief accountant, catering accountant, storekeeper, chef and staff of 2 rooms:

the cashier, bartender and waiters of the Blue Hall and the cashier and waiters of the Orange Hall are shown in the diagram of FIG. No. 2.

Programmatically, these solutions are made in the form of separate software modules integrated with the PostgreSQL database (in the diagram - Database Server):

AWP of the cashier, bartender, waiter - “Cash register”

AWP manager, manager, chef - "Trade Accounting"

AWP of the chief accountant, catering accountant, storekeeper -

"Operational accounting"

To perform official duties within their level of access to the system and eliminate unauthorized access at the entrance to the workstation, a security system is provided for each user of the system according to the scheme of FIG. No. 2, AP designation - User Authentication. It is authentication, and not just the identification of the user, the confirmation request of which occurs during the user’s work in the system both randomly and when performing particularly important operations, namely: entering the price of a dish, changing the price of a dish, entering a new employee, changing rights user access, reading an audit protocol, performing a cash Z-report, etc.

Before the system starts to work, in the software modules “Trade Accounting” and “Operational Accounting” reference information is entered into the database — the list of goods and services, prices, employees, customers, currencies, types of payments, etc. etc. In the program module “Hall Editor”, a plan of retail premises, a “top view” from the cash register, is schematically constructed.

The arrival of products and their distribution in the warehouses and pantries of the restaurant units (pantry of the kitchen, pantry of the bar, pastry shop, etc.) is entered into the computer by the storekeeper. The storekeeper has the opportunity to enter information into the system and actually post products to storage locations in different sequences.

Cash desk jobs, consisting of a personal computer (cash register server), fiscal registrar, cash drawer, underfloor printer, if a guest bill is printed, which is considered the rule of restaurant etiquette. If the cash desk is located at the bar and the positions of the cashier and the bartender are not combined, then such a workplace must be supplemented with a vintage printer for the bartender’s liability.

The cash desk can work both autonomously (offline mode) and in a local network (online mode). Without connecting all personal computers to the local network

centralized updating of information is impossible, feedback "kitchen-waiter" is lost, there is no interactive control of the manager. In this case, a backup Wi-Fi network is provided.

The beginning of the restaurant is registered at all cash desks, as the “Start shift” mode. Entrance to the system is allowed only to those employees who have registered the beginning of the work shift.

The waiter, having accepted the guest’s order, dials it on the touch screen independently, or, according to the waiter, the cashier enters the order.

The clear, intuitive interface of the cashier’s workstation and the system’s preset in accordance with the marketing policy of the company (the sales price is automatically set according to the event - calendar date, time of day, day of the week, etc.) allows you to process the order quickly and accurately.

Each employee identifies the entry into the system with a control touch of a finger to the fingerprint reader. According to a certain algorithm (for security purposes, the algorithm is not described), the system may ask the user to confirm authentication by repeated touch.

Upon completion of the next operation at the computer, the employee must revoke his rights, or the system itself after a certain timeout (for example, the interval of 40 seconds is entered by the manager as the initial settings of the system) closes the entrance to the system with an initial splash screen on the monitor screen.

The entered order is automatically transferred to the kitchen: dishes of the "hot" kitchen are printed on one vintage printer, and dishes of the "cold" kitchen, respectively, on the other kitchen printer. If the kitchen is single, then dishes from the order accepted in the hall are printed in a certain sequence, also in the form of two brands. The stamp contains full information on the order: time, hall, table, name of the waiter who accepted the order, names of dishes, their number and additional modifiers, if they are on the menu for this dish.

If the waiter accepts the additional order, then it is also printed on the kitchen printer as a separate brand.

Stamps are necessary to control the execution of the order and the liability of officials, employees of the unit (cold kitchen, hot kitchen, bar, pastry shop, etc.)

The chef informs the specific waiter about the readiness of the dish from order No. N.

The actions of employees are divided by role (waiter, accountant, etc.), and can also be differentiated personally. For example, of all managers, only manager Ivanov II can change sales prices. and manager Petrov P.P.

Within the framework of personal responsibility, many control functions of the system can be distributed. All personnel actions are automatically recorded by the computer system and can be read in the audit protocol by certain responsible employees for any period, date, time. For security purposes and to preserve the integrity of the data of the protocol itself, each transaction in the protocol is duplicated in a copy of the protocol. With certain system settings, it is possible to ensure that a copy of the protocol is transmitted via the WEB interface to a remote computer.

Such a security scheme will help with data recovery with a complete loss of information on the operating day of the restaurant.

At the end of the shift, when closing the restaurant, Z-reports must be executed at all ticket offices of the restaurant, printed cash registers must be printed out, cash cash counted, verified with the report, described and folded in bills and handed over to the official.

As a rule, the process of collecting money in each restaurant is organized in its own way.

Processes cash information the next day, the catering accountant. A vintage cash register report, a commodity report on a warehouse, all overhead movements of products and dishes between warehouses and departments, costing and technological cards of dishes — these and other, mandatory in the accounting of public catering, documents and reports on industry orders and regulations the accountant must draw up daily in unified forms.

Automated accounting accountant workstation automatically calculates and prints these accounting documents.

The software algorithm of the automated enterprise management system gives creative opportunities to the accountant to formalize the calculation as close as possible to the real one:

this is the choice of a calculation card option, for example, standard according to the norms of write-off of losses or according to Act No. N;

replacement or selection of an ingredient in the calculation of the consumption of products in accordance with the situation “as it was in reality”, and not how it develops in machine accounting for book balances “as it is written”;

in the case of a parcel not entered by the storekeeper or requiring corrections, you can automatically recalculate the cost of dishes and reprint all the documents.

An important feature of the software module “Operational Accounting” for the work of an accountant and the competitive advantage of the SmartRestaurant system is the possibility of a single accounting:

- management accounting (control of stock balances and liability of materially responsible persons, costing, pricing together with the manager, control and management of cash flows and expenses for other types of payments, conducting, analysis and execution of inventory, bringing book balances to actual, shortages and surplus - identification of the perpetrators, etc.)

- and accounting (settlements with suppliers of goods and services both under purchase and sale agreements and under commission (consignment) agreements, settlements with accountable persons and customers, calculation of tax costs, compilation of a purchase book and a sales book, tax calculation.

The manager’s workstation, in addition to the initial system setup and entering help information, has a universal reporting system in its functional menu. Reports perform both a control function and an analytical one. According to the information from the report, a control action is generated - price change, menu change, inclusion / exclusion of dishes from the menu, permission / termination of marketing campaigns, etc. As a result of analytical work with the reports of managers on the manager’s desktop, a consolidated report on the trading activities of the restaurant and the work of the staff for any period of work is formed.

In the center of the diagram of FIG. 2, a database server is depicted to emphasize that all AWS systems work with a single integrated database.

Alternatively, the database can be located on a non-dedicated server — either the manager’s workstation or the manager’s workstation.

In the Linux operating system, unlike Windows, there are no special requirements for the technical specifications of the server computer. According to this scheme, the automated control system for the production of public catering enterprises automates and organizes the work of all restaurant employees - from the delivery of products to the calculation of taxes and the preparation of financial statements.

Claims (2)

1. The hardware-software complex of an automated production control system containing a security system, characterized in that the security system is additionally equipped with a biometric user identification device and a computer program that provides authentication of users at different stages of production and the full integration of the automated production control system. 2. The hardware-software complex of the automated production control system according to claim 1, characterized in that the security system is additionally equipped with a USB security key that provides cryptographic protection of the file structure of confidential data.