WO2021071032A1 - Procédé et appareil de contrôle d'accès au dispositif pour l'internet des objets - Google Patents

Procédé et appareil de contrôle d'accès au dispositif pour l'internet des objets Download PDF

Info

Publication number
WO2021071032A1
WO2021071032A1 PCT/KR2020/002807 KR2020002807W WO2021071032A1 WO 2021071032 A1 WO2021071032 A1 WO 2021071032A1 KR 2020002807 W KR2020002807 W KR 2020002807W WO 2021071032 A1 WO2021071032 A1 WO 2021071032A1
Authority
WO
WIPO (PCT)
Prior art keywords
access
internet
things
user
relay service
Prior art date
Application number
PCT/KR2020/002807
Other languages
English (en)
Inventor
Yuchao TANG
Bojun CHAI
Original Assignee
Samsung Electronics Co., Ltd.
Samsung Electronics (China) R&D Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Samsung Electronics Co., Ltd., Samsung Electronics (China) R&D Center filed Critical Samsung Electronics Co., Ltd.
Publication of WO2021071032A1 publication Critical patent/WO2021071032A1/fr

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105Multiple levels of security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/70Services for machine-to-machine communication [M2M] or machine type communication [MTC]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/56Provisioning of proxy services
    • H04L67/564Enhancement of application control based on intercepted application data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud

Definitions

  • the present application relates to the technical field of the Internet of things, and in particular to a device access control method and apparatus for the Internet of things.
  • the Internet of things originates from the field of media, and is the third revolution in the information science and technology industry.
  • the Internet of things is based on information carriers such as the Internet, radio and television network, and traditional telecommunication network, and enables all ordinary physical objects that can be independently addressed to realize interconnection and intercommunication.
  • the concept of "Internet of things” is a network concept which extends and expands its clients to any objects for information exchange and communication on the basis of the concept of "Internet”.
  • the Internet of Things platform serves as: a carrier of the development and operation environment; a management platform for device communication; a carrier of data; a carrier of the enabling tool; a carrier of the application; and, carrying the future business ecology. It is the most valuable part of the architecture of the Internet of things.
  • the related device access schemes for the Internet of things have the problems of low device connection speed, potential security hazard of privacy information, poor connection stability and the like.
  • the specific analysis is as follows:
  • connection speed will slow down, and it is easy to cause unstable connection or even disconnection if the connection speed is influenced by the network condition; secondly, it is very difficult to ensure the security in the network transmission process, and the data is easily stolen and tampered; and thirdly, all controls require intervention of the cloud, and users cannot normally use the Internet of things devices if the cloud server is attacked or goes down.
  • the present application provides a device access control method and apparatus for the Internet of things, which may effectively improve speed of device connection, enhance stability of the device connection, and ensure security of data.
  • a device access control method for the Internet of things comprising:
  • the related information includes a privacy level of the device and a current usage status of the device.
  • the determining the access permission of the UE to devices in the Internet of things comprises: acquiring, by the relay service device, according to a user type corresponding to the UE, a connection mode of the UE and the relay service device, whether an access permission has been set for the UE and a historical connection condition of the UE and the relay service device, the access permission of the UE to devices in the Internet of things based on a preset access control strategy.
  • the access control strategy comprises: if a user corresponding to the UE is a main user of the Internet of things, the access permission of the UE to devices in the Internet of things is that all devices in the Internet of things are permitted to be accessed; if the user corresponding to the UE is not the main user of the Internet of things, a current connection mode of the UE with the relay service device is local access mode, and the UE accesses the relay service device for the first time, the access permission of the UE to devices in the Internet of things is that devices in a medium and/or low privacy level in the Internet of things are permitted to be accessed; if the user corresponding to the UE is not the main user of the Internet of things, the current connection mode of the UE and the relay service device is remote access mode, the UE accesses the relay service device for the first time, and the main user of the Internet of things is not connected to the relay service device currently or the main user does not set the access permission for the UE, the UE has no access permission to devices in the Internet of things
  • the determining whether to permit the UE to access the device requested to be connected comprises: if the device requested to be connected is within the access permission of the UE and the number of UEs, UEs currently connected with the device does not reach a number threshold corresponding to the device, the UE is permitted to access the device; if the device requested to be connected is within the access permission of the UE and the number of UEs currently connected with the device has reached the number threshold corresponding to the device, wherein user priorities of UEs currently connected with the device are all higher than that of the UE, the UE is not permitted to access the device; if the device requested to be connected is within the access permission of the UE and the number of UEs currently connected with the device has reached the number threshold corresponding to the device, wherein a user priority of UEi among the UEs currently connected with the device is lower than that of the UE, the UE is permitted to access the device, and access of the UEi to the device is interrupted until the UE completes the access to the device; and
  • the method further comprises: determining, by the relay service device, after the UE passes identity authentication, according to the access permission of the UE, a current network connection status between the UE and a cloud server, and an abnormal access condition in a last specified time period, a device connection mode currently used by the UE based on a preset device connection strategy, wherein the device connection mode comprises a local access mode and a cloud access mode; and when it is determined that the UE is permitted to access the device requested to be connected, configuring the UE to be connected with the corresponding device in the device connection mode.
  • the method further comprises: when the device connection mode used by the UE is local access mode and the privacy level of the connected device is higher than a preset level, an access instruction transmitted to the corresponding device by the UE is parsed by the relay service device, corresponding data is directly transmitted to the corresponding device, and for data that the corresponding device needs to return to the UE, the data is transmitted, by the relay service device, to the UE in a local forwarding manner.
  • the method further comprises: when the device connection mode used by the UE is local access mode, an operation instruction of the user is recorded by the relay service device when the UE accesses the corresponding device; and only when the UE is disconnected from the corresponding device and the network is in an idle state, the operation instruction of the user is uploaded to the cloud server.
  • the method further comprises: when a device accesses the Internet of things for the first time, setting, by the relay service device, a privacy level for the device, comprises:
  • the device has a user-defined privacy level, setting the privacy level of the device to be consistent with the user-defined privacy level; and if the device does not have the user-defined privacy level, acquiring the privacy level of the device by a pre-trained privacy level network model according to a usage scenario of the device, a privacy permission set for the device when leaving the factory and a privacy level of data acquired by the device, wherein the privacy level network model is a neural network model.
  • An device access control apparatus for the Internet of things which is disposed in a relay service device of the Internet of things, wherein the apparatus comprises a processor configured to:
  • a relay service device of the Internet of things determines, when a relay service device of the Internet of things receives a device connection request from user equipment, UE, an access permission of the UE to devices in the Internet of things after the UE passes identity authentication;
  • the related information includes a privacy level of the device and a current usage status of the device.
  • the processor is specifically configured to determine the access permission of the UE to devices in the Internet of things, comprises: acquiring, according to a user type corresponding to the UE, a connection mode of the UE and the relay service device, whether an access permission has been set for the UE and a historical connection condition of the UE and the relay service device, the access permission of the UE to devices in the Internet of things based on a preset access control strategy.
  • the access control strategy comprises: if a user corresponding to the UE is a main user of the Internet of things, the access permission of the UE to devices in the Internet of things is that all devices in the Internet of things are permitted to be accessed; if the user corresponding to the UE is not the main user of the Internet of things, a current connection mode of the UE with the relay service device is local access mode, and the UE accesses the relay service device for the first time, the access permission of the UE to devices in the Internet of things is that devices in a medium and/or low privacy level in the Internet of things are permitted to be accessed; if the user corresponding to the UE is not the main user of the Internet of things, the current connection mode of the UE and the relay service device is remote access mode, the UE accesses the relay service device for the first time, and the main user of the Internet of things is not connected to the relay service device currently or the main user does not set the access permission for the UE, the UE has no access permission to devices in the Internet of things
  • the processor is specifically configured to determine whether to permit the UE to access the device requested to be connected, comprising: if the device requested to be connected is within the access permission of the UE and the number of UEs currently connected with the device does not reach a number threshold corresponding to the device, the UE is permitted to access the device; if the device requested to be connected is within the access permission of the UE and the number of UEs currently connected with the device has reached the number threshold corresponding to the device, wherein user priorities of the UEs currently connected with the device are all higher than that of the UE, the UE is not permitted to access the device; if the device requested to be connected is within the access permission of the UE and the number of UEs currently connected with the device has reached the number threshold corresponding to the device, wherein a user priority of UEi among the UEs currently connected with the device is lower than that of the UE, the UE is permitted to access the device, and access of the UEi to the device is interrupted until the UE completes the access to the device
  • the processor is further configured to determine, after the UE passes identity authentication, according to the access permission of the UE, a current network connection status between the UE and a cloud server, and an abnormal access condition in a last specified time period, a device connection mode currently used by the UE based on a preset device connection strategy, wherein the device connection mode comprises a local access mode and a cloud access mode; and when it is determined that the UE is permitted to access the device requested to be connected, configure the UE to be connected with the corresponding device in the device connection mode.
  • the processor is further configured to, when the device connection mode used by the UE is local access mode and the privacy level of the connected device is higher than a preset level, parse an access instruction transmitted to the corresponding device by the UE, directly transmit the corresponding data to the corresponding device, and transmit data that the corresponding device needs to return to the UE, to the UE in a local forwarding manner.
  • the processor is further configured to, when the device connection mode used by the UE is local access mode, record an operation instruction of the user when the UE accesses the corresponding device; and upload the operation instruction of the user to the cloud server only when the UE is disconnected from the corresponding device and the network is in an idle state.
  • the processor is further configured to set a privacy level for a device when the device accesses the Internet of things for the first time, comprising: if the device has a user-defined privacy level, setting the privacy level of the device to be consistent with the user-defined privacy level; and if the device does not have the user-defined privacy level, acquiring the privacy level of the device by a pre-trained privacy level network model according to a usage scenario of the device, a privacy permission set for the device when leaving the factory and a privacy level of data acquired by the device, wherein the privacy level network model is a neural network model.
  • the processor is specifically configured to perform the identity authentication in a key authentication manner.
  • the processor is further configured to, when a local connection between the UE and the device fails, notify the user to adjust the connection mode between the UE and the device to be a cloud access mode in a manual configuration manner.
  • the processor is further configured to, when the network connection between the relay service device and the cloud server is in an unstable state, and the relay service device cannot automatically adjust the device connection mode of the UE currently using the cloud access mode to be the local access mode, disconnect the UE using the cloud access mode from the corresponding device, switch the control mode of the corresponding device to a manual mode, and notify a corresponding user.
  • the processor is further configured to, when a number of abnormal accesses reaches a preset threshold, adjust a connection mode of all UEs currently connected with devices in the Internet of things to be the local access mode, wherein the determination of the abnormal accesses comprises:
  • the relay service device determines that the UE has no access permission when determining the access permission of the UE, determining the corresponding device connection request as the abnormal access.
  • the present application also provides a non-volatile computer-readable storage medium storing instructions, when executed by a processor, cause the processor to perform the device access control method for the Internet of things.
  • the present application also provides an electronic device, comprising the non-volatile computer-readable storage medium and the processor capable of accessing to the non-volatile computer-readable storage medium.
  • the device access control method and apparatus for the Internet of things provided by the application, the access to devices in the Internet of things is controlled by a relay service device of the Internet of things.
  • the dependence on the cloud is greatly reduced, so that the influence of the network condition of an external network and the cloud failure on the device access can be reduced, and the influence of potential security hazards on the security of data during the network transmission process can be reduced. Consequently, the device connection speed can be effectively improved, the device connection stability can be enhanced, and the data security can be ensured.
  • FIG. 1 is a schematic flowchart of the method according to some embodiments of the present disclosure
  • FIG. 2 is a schematic flowchart in a home scenario according to some embodiments of the present disclosure.
  • FIG. 3 is a schematic flowchart in a factory scenario according to some embodiments of the present disclosure.
  • FIG. 1 is a flowchart of the method according to some embodiments of the present disclosure.
  • the device access control method for the Internet of things implemented in this embodiment mainly comprises the following operations.
  • Operation 101 When a relay service device of the Internet of things receives a device connection request from user equipment, UE, the relay service device determines an access permission of the UE to devices in the Internet of things after the UE passes identity authentication.
  • the relay service device of the Internet of things is required to control the access permission to devices in the Internet of things.
  • the influence of the network condition of an external network and the cloud failure on the device access can be reduced, and the influence of potential security hazards on the security of data during the network transmission process can be reduced. Consequently, the device connection speed can be effectively improved, the device connection stability can be enhanced, and the data security can be ensured.
  • the relay service device refers to a relay service device that connects and controls devices in the Internet of things device, has a certain computing capability, and can communicate with the cloud.
  • the relay service device may include an intelligent router, intelligent speaker box or the like.
  • the devices in the Internet of things mainly refer to some intelligent devices which can be connected to the Internet of things.
  • the devices have some particular functions and can be locally connected to the Hub (by a connection way such as Bluetooth, Wifi, ZigBee, etc.).
  • the devices may include a network camera, an intelligent TV set, an intelligent door lock or the like.
  • the UE refers to a user-oriented terminal device which can access the Hub to realize the control of devices in the Internet of things.
  • the UE may be a mobile phone, a tablet computer, a PC or the like.
  • the identity authentication may be realized by a method of public key authentication, that is, each accessed UE must have a set public key matched with the Hub and the UE may connect to the hub only by providing the correct password.
  • the Hub has a local key management system to authenticate the password provided by the user.
  • the relay service device may determine an access permission of the UE to devices in the Internet of things by comprehensively considering the type of a user corresponding to the UE, a connection mode of the UE and the relay service device, whether an access permission has been set for the UE and the historical connection condition of the UE and the relay service device, that is:
  • the relay service device acquires, according to a preset access control strategy, an access permission of the UE to devices in the Internet of things.
  • the access control strategy may be set as follows:
  • the access permission of the UE to devices in the Internet of things is that all the devices in the Internet of things are permitted to be accessed;
  • the access permission of the UE to devices in the Internet of things is that devices with a privacy level of intermediate or low in the Internet of things are permitted to be accessed;
  • the current connection mode of the UE with the relay service device is remote access, the UE accesses the relay service device for the first time, and a main user of the Internet of things is not connected to the relay service device currently or the main user does not set an access permission for the UE, the UE has no access permission to devices in the Internet of things;
  • the access permission has been set for the UE previously, it is determined that the access permission of the UE to devices in the Internet of things is consistent with the set corresponding access permission.
  • the UE if the user corresponding to the UE is not a main user of the Internet of things, the current connection mode of the UE with the relay service device is remote access, the UE accesses the relay service device for the first time, and the main user of the Internet of things is not connected to the relay service device currently or the main user does not set an access permission for the UE, it is indicated that the UE currently transmitting the device connection request might be an illegal user. Therefore, in order to ensure the security of access to devices in the Internet of things, the UE is set to have no access permission to devices in the Internet of things.
  • Operation 102 The relay service device determines, according to the access permission and related information of a device requested to be connected by the UE, whether to permit the UE to access the device requested to be connected, and performs a corresponding access control operation according to the result of decision, wherein the related information comprises the privacy level of the device and the current usage status of the device.
  • this operation on the basis of the access permission to devices in the Internet of things determined in the operation 101, and combination with the information such as the privacy level and current usage status of the device currently requested to be connected, it is further determined whether to permit the corresponding UE to access the device requested to be connected, and a corresponding access control operation is performed, so that it is ensured that the user accesses devices in the Internet of things within a corresponding access permission range, and the security of access to devices in the Internet of things can thus be ensured.
  • the following method may be adopted in the operation for determining whether to permit the UE to access the device requested to be connected:
  • the UE if the device requested to be connected is within the access permission of the UE and the number of UEs currently connected with the device does not reach a number threshold corresponding to the device, the UE is permitted to access the device;
  • the UE is not permitted to access the device;
  • the device requested to be connected is within the access permission of the UE and the number of UEs currently connected with the device has reached the number threshold corresponding to the device, wherein the user priority of one UEi among all the UEs currently connected with the device is lower than that of the UE, the UE is permitted to access the device, and the access of the UEi to the device is interrupted until the UE completes the access to the device;
  • the UE if the device requested to be connected is not in the access permission of the UE, the UE is not permitted to access the device.
  • the relay service device may also control the device connection mode currently used by the UE. Specifically, the following method may be used:
  • the relay service device determines, according to a preset device connection strategy, a device connection mode currently used by the UE, wherein the device connection mode comprises local access mode and cloud access mode;
  • the UE When it is determined that the UE is permitted to access the device requested to be connected, the UE is configured to be connected with the corresponding device in the device connection mode.
  • the device connection strategy may be set as the following Table 1, but it is not limited thereto.
  • connection strategy it is necessary to determine the security of the current environment of the user. If it is determined that the current environment is a secure environment, local area network access may be performed to improve the connection stability, high-privacy IOT devices may be accessed without the cloud in the secure environment, to ensure that high-privacy data will not be leaked through the cloud.
  • Feature/scenario User permission IoT device permission Network condition Is there an abnormal access? Connection mode Scenario 1 High High Normal No Cloud or local access Scenario 2 Medium High Normal No Local access Scenario 3 Low High Normal No Cloud or local access Scenario 4 High Medium Normal No Cloud or local access Scenario 5 Medium Medium Normal No Local access Scenario 6 Low Medium Normal No Local access Scenario 7 High Low Normal No Cloud or local access Scenario 8 Medium Low Normal No Cloud or local access Scenario 9 Low Low Normal No Cloud or local access Scenario 10 Arbitrary Arbitrary Normal Yes Local access Scenario 11 Arbitrary Arbitrary Abnormal No Local access Scenario 12 Arbitrary Arbitrary Abnormal Yes Local access Scenario 13 Illegal user Arbitrary Arbitrary Arbitrary Inaccessible
  • information interaction between the UE and the high-privacy device may be realized in a manner of local forwarding by the relay service device, so that the cloud is prevented from participating in the information interaction, and the security of privacy data is further ensured.
  • the following method can be used:
  • the relay service device parses an access instruction transmitted to the corresponding device by the UE and directly transmits the corresponding data to the corresponding device, and for data that the corresponding device needs to return to the UE, the data is transmitted, by the relay service device, to the UE in a local forwarding manner.
  • the relay service device saves user instructions, but does not save data (e.g., camera video information); and uploads the user instructions in idle under a good network condition, so that the cloud performs data analysis and status synchronization.
  • data e.g., camera video information
  • the relay service device records an operation instruction of the user when the UE accesses the corresponding device; and, uploads the operation instruction of the user to the cloud server only when the UE is disconnected from the corresponding device and the network is in an idle state.
  • the method for determining whether the network is in an idle state may be implemented by using the traditional art. For example, it is determined that the network is in an idle state when the network traffic is less than a preset threshold; but it is not limited thereto.
  • the privacy level of the device may be set in a user-defined mode or an artificial intelligence mode. Specifically, the following method may be used:
  • the relay service device sets a privacy level for the device, comprising:
  • the set privacy level of the device is consistent with the user-defined privacy level
  • a privacy level of the device is acquired by a pre-trained privacy level network model according to the usage scenario of the device, the privacy permission set for the device when leaving the factory and the privacy level of data acquired by the device, wherein the privacy level network model is a neural network model.
  • the privacy level of the device is preferably set according to the user definition; and, when the user does not define the privacy level of the device, the current usage scenario of the device, the privacy permission set for the device when leaving the factory and the privacy level of data acquired by the device may be used as model parameters and input to the privacy level network model obtained based on a neural network to obtain the privacy level of the corresponding device.
  • model training samples may be set according to actual security requirements so as to obtain a privacy level network model more matched with the actual requirements, so that the security of devices in the Internet of things may be ensured:
  • the relay service device performs the identity authentication in a key authentication manner.
  • the relay service device may notify the user to adjust the connection mode between the UE and the corresponding device to be a cloud access mode in a manual configuration manner.
  • the UE using the cloud access mode may be disconnected from the corresponding device, the control mode of the corresponding device is switched to a manual mode, and the corresponding user is notified.
  • all UEs may be disconnected from the devices in the Internet of things according to the abnormal access condition. Specifically, the following method may be used:
  • the relay service device adjusts the connection mode of all UEs currently connected with devices in the internet of things to be local access mode, wherein the determining of abnormal accesses comprises:
  • the corresponding device connection request is determined as an abnormal access
  • the relay service device determines that the UE has no access permission when determining the access permission of the UE, the corresponding device connection request is determined as an abnormal access.
  • the present application further provides a device access control apparatus for the Internet of things, which is set in a relay service device of the Internet of things.
  • the apparatus comprises a processor, the processor is configured to:
  • the relay service device of the Internet of things receives a device connection request from user equipment, UE, determine an access permission of the UE to devices in the Internet of things after the UE passes identity authentication;
  • the UE determines, according to the access permission and related information of a device requested to be connected by the UE, whether to permit the UE to access the device requested to be connected, and perform a corresponding access control operation according to the determining result, wherein the related information comprises the privacy level of the device and the current usage status of the device.
  • the processor is specifically configured to determine the access permission of the UE to devices in the Internet of things, comprises:
  • acquiring according to a user type corresponding to the UE, a connection mode of the UE and the relay service device, whether an access permission has been set for the UE and a historical connection condition of the UE and the relay service device, the access permission of the UE to devices in the Internet of things based on a preset access control strategy.
  • the access control strategy comprises:
  • the access permission of the UE to devices in the Internet of things is that all devices in the Internet of things are permitted to be accessed;
  • a current connection mode of the UE with the relay service device is local access mode, and the UE accesses the relay service device for the first time, the access permission of the UE to devices in the Internet of things is that devices in a medium and/or low privacy level in the Internet of things are permitted to be accessed;
  • the UE accesses the relay service device for the first time, and the main user of the Internet of things is not connected to the relay service device currently or the main user does not set the access permission for the UE, the UE has no access permission to devices in the Internet of things;
  • the access permission has been set for the UE previously, it is determined that the access permission of the UE to devices in the Internet of things is consistent with the set corresponding access permission.
  • the processor is specifically configured to determine whether to permit the UE to access the device requested to be connected, comprising:
  • the UE if the device requested to be connected is in the access permission of the UE and the number of UEs currently connected with the device does not reach a number threshold corresponding to the device, the UE is permitted to access the device;
  • the UE is not permitted to access the device;
  • the device requested to be connected is in the access permission of the UE and the number of UEs currently connected with the device has reached the number threshold corresponding to the device, wherein a user priority of UEi among the UEs currently connected with the device is lower than that of the UE, the UE is permitted to access the device, and access of the UEi to the device is interrupted until the UE completes the access to the device;
  • the UE if the device requested to be connected is not in the access permission of the UE, the UE is not permitted to access the device.
  • the processor is further configured to determine, after the UE passes identity authentication, according to the access permission of the UE, a current network connection status between the UE and a cloud server, and an abnormal access condition in a last specified time period, a device connection mode currently used by the UE based on a preset device connection strategy, wherein the device connection mode comprises a local access mode and a cloud access mode; and when it is determined that the UE is permitted to access the device requested to be connected, configure the UE to be connected with the corresponding device in the device connection mode.
  • the processor is further configured to when the device connection mode used by the UE is local access mode and the privacy level of the connected device is higher than a preset level, parse an access instruction transmitted to the corresponding device by the UE, directly transmit the corresponding data to the corresponding device, and transmit data that the corresponding device needs to return to the UE, to the UE in a local forwarding manner.
  • the processor is further configured to: when the device connection mode used by the UE is local access mode, record an operation instruction of the user when the UE accesses the corresponding device; and, upload the operation instruction of the user to the cloud server only when the UE is disconnected from the corresponding device and the network is in an idle state.
  • the processor is further configured to: set a privacy level for a device when the device accesses the Internet of things for the first time, comprising:
  • the device has a user-defined privacy level, setting the privacy level of the device to be consistent with the user-defined privacy level;
  • the device does not have the user-defined privacy level, acquiring the privacy level of the device by a pre-trained privacy level network model according to a usage scenario of the device, a privacy permission set for the device when leaving the factory and a privacy level of data acquired by the device, wherein the privacy level network model is a neural network model.
  • the processor is further configured to: when a local connection between the UE and the device fails, notify the user to adjust the connection mode between the UE and the device to be a cloud access mode in a manual configuration manner.
  • the processor is further configured to: when the network connection between the relay service device and the cloud server is in an unstable state, and the relay service device cannot automatically adjust the device connection mode of the UE currently using the cloud access mode to be local access mode, disconnect the UE using the cloud access mode from the corresponding device is disconnected, switch the control mode of the corresponding device to a manual mode, and notify a corresponding use.
  • the processor is further configured to: when a number of abnormal accesses reaches a preset threshold, adjust a connection mode of all UEs currently connected with devices in the Internet of things to be the local access mode, wherein the determination of the abnormal accesses comprises:
  • the relay service device determines that the UE has no access permission when determining the access permission of the UE, determining the corresponding device connection request as the abnormal access.
  • the relay service device intelligently provide the accessed users with the permissions to access/control devices and provide a secure and stable local access mode, so that it is more efficient and convenient for task distribution, device connection and network management of the Internet of things. Consequently, the device connection speed is effectively improved, the device connection stability is enhanced, and the data security is ensured.
  • FIG. 2 is a flowchart of the operation in the home scenario.
  • a device accesses to the Hub of the home Internet of Things, the device includes: an intelligent door lock, an intelligent household camera, an intelligent air conditioner and an intelligent thermometer.
  • a home main user controls a control terminal (a mobile phone/tablet computer/wearable device and the like) to access the Hub, sets a terminal access key, and may access and control all devices in the Internet of things under a secure network environment.
  • a control terminal a mobile phone/tablet computer/wearable device and the like
  • the home main user i.e. a network administrator manually sets a privacy level for the device accessing the home Internet of Things, wherein the door lock and the camera are set to be in a high privacy level, and the air conditioner and the thermometer are set to be in a low privacy level.
  • the Hub comprehensively determines the privacy level of the device according to the device type and a privacy level of data of the device, and returns the privacy level to the control terminal of the main user.
  • the Hub determines the security of the whole network and grants other access control terminals with permissions to access and control devices in the Internet of things.
  • a user A accesses the Hub through Bluetooth connection by using a correct key to serve as a control terminal.
  • the Hub starts to determine the network security. If it is found that the user A has accessed the hub for multiple times and the main user is currently in the network through Bluetooth connection, the user A is probably a family member. In this case, it is determined that the network condition is secure, and the user A may access and control all devices in the Internet of things through the control terminal of the user A.
  • a user B accesses the Hub through Bluetooth connection by using a correct key to serve as a control terminal.
  • the Hub starts to determine the network security. If it is found that the user B accesses the Hub for the first time, and the main user is currently in the network through Bluetooth connection, the user B is probably a guest. In this case, it is determined that the network condition is secure, but the user B may only access and control low privacy level devices (e.g., an intelligent air conditioner and an intelligent thermometer) in the Internet of things through the control terminal of the user B.
  • low privacy level devices e.g., an intelligent air conditioner and an intelligent thermometer
  • a user C accesses the Hub through remote network connection by using a correct key to serve as a control terminal.
  • the Hub starts to determine the network security. If it is found that the user C accesses the Hub for the first time but the main user is not connected to the Hub currently, the access of the user C is probably an illegal access caused by key leakage and the like, but not a legal access. In this case, it is determined that the network condition is not secure, and the user C cannot access and control any device in the Internet of things through the control terminal of the user C.
  • the Hub may determine the access priority and temporarily restrictions on the access permission according to a usage status of the device. For example, only one user is allowed to access the intelligent camera simultaneously, during a user A accesses the intelligent camera, if the main user accesses the intelligent camera, the connection of the user A may be temporarily disconnected, and the main user may access and control the intelligent camera.
  • control terminal of the user is connected to the Internet of things through wifi or Bluetooth and legally accesses a high privacy level device
  • data may be directly parsed by the Hub and distributed to a designated device instead of being uploaded, parsed and downloaded by the cloud, and the data returned by the high privacy level device is directly and locally returned to the control terminal through the Hub.
  • the privacy level and the access mode of the device are displayed, and the user may manually adjust the access mode according to the network condition. For example, when a high privacy level device is accessed locally and securely, if a local WiFi or Bluetooth connection fails, the connection mode may be manually adjusted to be a remote cloud connection mode, so that the connection stability may be ensured by flexibly switching the connection mode.
  • the Hub in operation 217, in a local connection access mode, the Hub will record operation instructions of the user. When the local connection is terminated, the operation instructions will be uploaded in idle to ensure state synchronization.
  • FIG. 3 is a flowchart of the operation in the factory scenario.
  • an intelligent device accesses a Hub of a factory Internet of Things
  • the intelligent device includes a monitoring camera, a workshop temperature controller, a production machine, an operating configurator, a security alarm and the like.
  • a main user of a factory controls a control terminal (a mobile phone/tablet computer/factory management terminal and the like) to access the Hub, and sets a terminal access key. All devices in the Internet of things may be accessed and controlled under a secure network environment.
  • the main user of the factory i.e. a network administrator manually sets privacy level of devices accessing the factory Internet of things.
  • the workshop temperature controller, the monitoring camera and the security alarm are set to be a high privacy level
  • the production machine and the operating configurator are set to be a low privacy level.
  • the Hub comprehensively determines the privacy levels of the devices according to device types and privacy levels of device data, and returns the privacy levels back to the control terminal of the main user.
  • the main user may perform restrictions on access permissions of other accessing users. For example, if a user A is an employee in a workshop 1, a permission to access low privacy devices in the workshop 1 is assigned to the user A. If a user B is a person in charge of the workshop 1, a permission to access all devices in the workshop 1 is assigned to the user B; if a user C is a production data manager, a permission to access low privacy devices in all workshops is assigned to the user C; and, if a user D is a general person in charge of workshops, a permission to access all devices in all workshops is assigned to the user D.
  • the Hub determines the security of the whole network and grants other access control terminals with permissions to access and control devices.
  • a user A accesses the Hub through Bluetooth connection by using a correct key to serve as a control terminal.
  • the hub starts to determine the network security. If it is found that the user A has accessed the Hub for a multiple times and is assigned with the permission to access all devices in the workshop 1 by the main user, the user A is probably a person in charge of the workshop 1. In this case, it is determined that the network condition is secure, and the user A may access and control all devices in the workshop 1 through the control terminal of the user A.
  • a user B accesses the Hub through Bluetooth connection by using a correct key to serve as a control terminal.
  • the Hub starts to determine the network security decision. If it is found that the user B accesses the Hub for the first time, and the main user does not assign the access permission to the user B. In this case, if the Hub determines, according to signal strength and a location of the control terminal, that the user B is in a workshop 2, the user B is probably a new worker of the workshop 2. In this case, it is determined that the network condition is secure, but the user B may only access and control low privacy devices in the area to which the workshop 2 belongs through the control terminal of the user B.
  • a user C accesses the Hub through remote network connection by using a correct key to serve as a control terminal.
  • the Hub starts to determine the network security. It is found that the user C accesses the Hub for the first time, the connection mode of the user C is a remote connection mode and the user C is not assigned with the access permission by the main user. Then the access of the user C is probably an illegal access caused by key leakage and the like, but not a legal access. In this case, it is determined that the network condition is not secure, and the user C cannot access and control any device in the Internet of things through the control terminal of the user C.
  • the Hub may determine the access priority and temporarily restrictions on the access permission according to a usage status of the device.
  • the use of intelligent devices may also be intelligently started/stopped according to the network security conditions. Two examples will be described below:
  • the data may be directly parsed by the Hub and distributed to a designated device instead of being uploaded, parsed and downloaded by the cloud, and the data returned by the high privacy level device is directly and locally returned to the control terminal through the Hub.
  • the privacy level and the access mode of the device are displayed, and the user may manually adjust the access mode according to the network condition. For example, when a high privacy level device is accessed locally and securely, if a local WiFi or Bluetooth connection fails, the connection mode may be manually adjusted to be a remote cloud connection mode, so that the connection stability may be ensured by flexibly switching the connection mode.
  • the Hub may automatically disconnect the connection with a production device, a control permission of the production device is converted to a manual mode, and a user with the access permission to the production device is prompted to perform a manual control operation.
  • the present application provides a non-transitory computer readable storage medium, storing computer readable instructions, wherein the instructions, when executed by a processor, causing the processor to perform the method for the device access control method for the Internet of things as described above.
  • the present application also provides an electronic device, comprising: a non-transitory computer readable storage medium, and a processor capable of accessing to the non-transitory computer readable storage medium.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Power Engineering (AREA)
  • Medical Informatics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Telephonic Communication Services (AREA)
  • Computer And Data Communications (AREA)
  • Small-Scale Networks (AREA)

Abstract

La présente invention concerne un procédé et un appareil de commande d'accès au dispositif pour l'Internet des objets. Le procédé consiste : lorsqu'un dispositif de service de relais de l'Internet des objets reçoit une demande de connexion de dispositif en provenance d'un équipement utilisateur (UE), à déterminer, par le dispositif de service de relais, une autorisation d'accès de l'UE à des dispositifs dans l'Internet des objets après que l'UE a réussi l'authentification d'identité ; à déterminer, par le dispositif de service de relais, d'après l'autorisation d'accès et des informations associées d'un dispositif demandé pour être connecté par l'UE, s'il faut permettre à l'UE d'accéder au dispositif demandé pour être connecté ; et à exécuter une opération de contrôle d'accès correspondante d'après un résultat de détermination, les informations associées comprenant un niveau de confidentialité du dispositif et un état d'utilisation actuel du dispositif. Grâce aux solutions techniques décrites par l'application, la vitesse de connexion du dispositif peut être efficacement améliorée, la stabilité de connexion du dispositif peut être renforcée et la sécurité des données peut être garantie.
PCT/KR2020/002807 2019-10-09 2020-02-27 Procédé et appareil de contrôle d'accès au dispositif pour l'internet des objets WO2021071032A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910952631.6 2019-10-09
CN201910952631.6A CN110519306B (zh) 2019-10-09 2019-10-09 一种物联网的设备访问控制方法和装置

Publications (1)

Publication Number Publication Date
WO2021071032A1 true WO2021071032A1 (fr) 2021-04-15

Family

ID=68634212

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2020/002807 WO2021071032A1 (fr) 2019-10-09 2020-02-27 Procédé et appareil de contrôle d'accès au dispositif pour l'internet des objets

Country Status (3)

Country Link
KR (1) KR20210042241A (fr)
CN (1) CN110519306B (fr)
WO (1) WO2021071032A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113467966A (zh) * 2021-05-31 2021-10-01 珠海大横琴科技发展有限公司 一种数据处理的方法和装置
CN116669018A (zh) * 2023-07-28 2023-08-29 陕西通信规划设计研究院有限公司 一种基于物联网通信的数据处理方法及设备

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111541730B (zh) * 2020-02-25 2021-07-13 中联重科股份有限公司 搅拌车系统、泵送系统和远程服务端及其执行方法
CN112347460A (zh) * 2020-10-29 2021-02-09 深圳市裕展精密科技有限公司 用户权限管理方法、电子装置及存储介质
CN114338107A (zh) * 2021-12-17 2022-04-12 中寰卫星导航通信有限公司 一种安全控制方法及装置
CN114915498B (zh) * 2022-07-14 2022-09-27 国网思极网安科技(北京)有限公司 一种基于密钥保护的安全接入网关
CN116614447A (zh) * 2023-05-08 2023-08-18 黑龙江图启信息技术工程有限公司 一种实验室信息管理平台

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160128043A1 (en) * 2014-10-30 2016-05-05 Qualcomm Incorporated Dynamic mobile ad hoc internet of things (iot) gateway
US20170026472A1 (en) * 2015-07-23 2017-01-26 Centurylink Intellectual Property Llc Customer Based Internet of Things (IOT) - Transparent Privacy Functionality
WO2017062601A1 (fr) * 2015-10-09 2017-04-13 Interdigital Technology Corporation Gestion de confidentialité dynamique à multiples niveaux dans un environnement de l'internet des objets avec de multiples fournisseurs de service personnalisés
US20180014241A1 (en) * 2014-03-14 2018-01-11 goTenna Inc. System and method for digital communication between computing devices
KR20180087654A (ko) * 2017-01-25 2018-08-02 한국과학기술원 사물 인터넷 환경에서 디바이스의 신뢰도를 평가하는 방법과 장치, 및 컴퓨터 판독가능 매체

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20040019328A (ko) * 2001-08-03 2004-03-05 마쯔시다덴기산교 가부시키가이샤 액세스 제어 시스템
US20050138380A1 (en) * 2003-12-22 2005-06-23 Fedronic Dominique L.J. Entry control system
US8280978B2 (en) * 2006-12-29 2012-10-02 Prodea Systems, Inc. Demarcation between service provider and user in multi-services gateway device at user premises
CN105933188A (zh) * 2016-03-30 2016-09-07 宁波三博电子科技有限公司 一种基于不同控制权限的智能家居控制方法及系统
CN107465580B (zh) * 2016-06-01 2019-07-02 北京京东尚科信息技术有限公司 智能终端设备接入智点网络的控制方法、装置及存储介质
CN106506442B (zh) * 2016-09-14 2018-03-30 上海百芝龙网络科技有限公司 一种智能家居多用户身份识别及其权限管理系统
CN107070756B (zh) * 2017-02-27 2018-07-13 宁夏宁信信息科技有限公司 智能家居中去中心化验证的家庭网关访问方法及系统
CN109525537A (zh) * 2017-09-19 2019-03-26 中兴通讯股份有限公司 一种访问智能家居系统的控制方法及装置

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180014241A1 (en) * 2014-03-14 2018-01-11 goTenna Inc. System and method for digital communication between computing devices
US20160128043A1 (en) * 2014-10-30 2016-05-05 Qualcomm Incorporated Dynamic mobile ad hoc internet of things (iot) gateway
US20170026472A1 (en) * 2015-07-23 2017-01-26 Centurylink Intellectual Property Llc Customer Based Internet of Things (IOT) - Transparent Privacy Functionality
WO2017062601A1 (fr) * 2015-10-09 2017-04-13 Interdigital Technology Corporation Gestion de confidentialité dynamique à multiples niveaux dans un environnement de l'internet des objets avec de multiples fournisseurs de service personnalisés
KR20180087654A (ko) * 2017-01-25 2018-08-02 한국과학기술원 사물 인터넷 환경에서 디바이스의 신뢰도를 평가하는 방법과 장치, 및 컴퓨터 판독가능 매체

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113467966A (zh) * 2021-05-31 2021-10-01 珠海大横琴科技发展有限公司 一种数据处理的方法和装置
CN116669018A (zh) * 2023-07-28 2023-08-29 陕西通信规划设计研究院有限公司 一种基于物联网通信的数据处理方法及设备
CN116669018B (zh) * 2023-07-28 2023-10-13 陕西通信规划设计研究院有限公司 一种基于物联网通信的数据处理方法及设备

Also Published As

Publication number Publication date
CN110519306A (zh) 2019-11-29
KR20210042241A (ko) 2021-04-19
CN110519306B (zh) 2022-02-08

Similar Documents

Publication Publication Date Title
WO2021071032A1 (fr) Procédé et appareil de contrôle d'accès au dispositif pour l'internet des objets
WO2014092375A1 (fr) Procédé et appareil de commande d'accès entre un dispositif local et un serveur externe dans un système de réseau local
WO2015126124A1 (fr) Procédé et dispositif pour transmettre et recevoir des informations d'authentification dans un système de communication sans fil
WO2014175602A1 (fr) Dispositif électronique et son procédé d'enregistrement d'un appareil de nuage personnel sur un serveur de portail utilisateur
WO2014200240A1 (fr) Procédé et appareil d'enregistrement de dispositif sans fil dans un système de communication sans fil
WO2014171707A1 (fr) Procédé et système de sécurité destinés à prendre en charge des communications mobiles d'une politique de restriction en matière de renouvellement d'abonnement ou d'abonnement supplémentaire
WO2016148534A1 (fr) Procédé et appareil pour configurer une connexion entre des dispositifs dans un système de communication
WO2011014037A2 (fr) Système pour gérer des terminaux non enregistrés avec des informations d'authentification partagées et procédé correspondant
WO2011062404A2 (fr) Procédé et dispositif d'examen de service d'affichage wi-fi dans un réseau direct wi-fi
EP2745207A2 (fr) Appareil et procédé permettant de prendre en charge un nuage de famille dans un système informatique en nuage
WO2015072788A1 (fr) Procédé et appareil de gestion de clé de sécurité dans un système de communication d2d en champ proche
WO2017049984A1 (fr) Procédé d'accès à un réseau sans fil et nœud d'accès sans fil
WO2011147323A1 (fr) Procédé d'authentification d'accès à un service de terminal de commande à distance, dispositif associé et système de communication pour ce dernier
WO2012099402A2 (fr) Procédé et appareil de communication téléphonique utilisant un réseau domestique
WO2018090465A1 (fr) Procédé et système de surveillance vidéo, et dispositif de surveillance
WO2014088318A1 (fr) Procédé et appareil pour attribuer une adresse de protocole internet à un dispositif client
WO2014010883A1 (fr) Dispositif et procédé d'accès à un réseau sans fil en tenant compte d'une bande de radiofréquences
EP3763164A1 (fr) Dispositif électronique prenant en charge de multiples protocoles de communication sans fil et son procédé
WO2015046954A1 (fr) Appareil et procédé permettant d'accéder à un dispositif électronique ayant une fonction de point d'accès sans fil
WO2014126378A1 (fr) Procédé et appareil pour la connexion entre un client et un serveur
WO2013129804A1 (fr) Procédé, système, et support d'enregistrement pour analyser l'ensemble de règles de réduction de charge d'un réseau radio
WO2020130245A1 (fr) Procédé et appareil de connexion à un réseau
WO2021020834A1 (fr) Procédé d'accès à un réseau par un terminal
WO2021020918A1 (fr) Procédé de production d'un réseau interne logique, et terminal mobile et application pour la mise en œuvre d'un tel réseau
WO2024029658A1 (fr) Système de contrôle d'accès dans un réseau et procédé associé

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20873696

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20873696

Country of ref document: EP

Kind code of ref document: A1