WO2021107493A1 - Video surveillance system having a security-enhanced camera usage environment configuration capability - Google Patents

Info

Publication number
WO2021107493A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
cameras
camera
image data
information
Prior art date
Application number
PCT/KR2020/016305
Other languages
English (en)
Korean (ko)
Inventor
이지환
장수희
이승현
Original Assignee
지엘디앤아이에프 주식회사
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 지엘디앤아이에프 주식회사
Publication of WO2021107493A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20 Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/23 Processing of content or additional data; Elementary server operations; Server middleware
    • H04N21/234 Processing of video elementary streams, e.g. splicing of video streams or manipulating encoded video stream scene graphs

Definitions

  • The present invention relates to a closed-circuit monitoring system, and more specifically to a video surveillance system implemented with IP cameras, each of which is assigned an identifier such as an Internet Protocol (IP) address and can therefore be reached by a control server through the Internet.
  • A video surveillance system is generally configured with a plurality of surveillance cameras.
  • A network camera, that is, an IP camera that is assigned an identifier such as an IP address and can therefore connect to a control server through the Internet, is widely used as the surveillance camera.
  • In many deployments, however, the control server is operated with the program used to set the camera usage environment, or the data describing camera access rights, left behind on it. If the camera or the control server is then hacked, that program or access-right data can be leaked, and an attacker can use it to attempt intrusion into the internal network of the monitoring system.
  • The present invention therefore provides a method of setting a camera usage environment that prevents the program for setting the camera usage environment, or data on camera access rights, from being used to reach other cameras or to intrude into the internal network of the video surveillance system.
  • It also provides a video surveillance system with the same property.
  • It further provides a control device that prevents intrusion into the remaining cameras or the internal network even if one camera is hacked or malicious software is hidden in part of a camera.
  • According to one aspect, the camera usage environment setting method is executed in a video surveillance system having a plurality of cameras, each of which can acquire image data and transmit it by secure tunneling, and a control server that can receive the image data from the plurality of cameras over that secure tunneling.
  • The method comprises: the control server connecting to at least one environment setting target camera among the plurality of cameras;
  • the control server receiving a program module for login and environment setting from the target camera while providing it with login data and environment setting data, and thereby setting the operating environment of the target camera; when the setting is complete, initializing by deleting the program module, the login data and the environment setting data that remain in the storage device of the control server; and the control server receiving image data from each of the plurality of cameras and converting it into unidirectional image data.
  • Converting the image data into unidirectional image data may include separating image information from the image data; converting the image information into first unidirectional data; checking whether the control information contained in the image data is normal; and, when it is determined to be normal, converting that control information into second unidirectional data.
  • Connecting to the target camera may include selecting the target camera sequentially from among the plurality of cameras, so that the cycle of connecting to the selected camera, setting its operating environment and deleting what remains in the storage device of the control server is carried out for one camera at a time.
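  • The configuration cycle described above (connect to one camera, receive its login module, log in with server-side credentials, apply the settings, then delete every transient item before moving to the next camera), as an added example that is not part of the application or the applicant's code. The camera, the login module and the server storage are all simulated in-process; the names FakeCamera, ConfigSession, configure_cameras, make_camera and residue are assumptions of this example. The credential is held in a bytearray so that it can be overwritten in place: a Python str or bytes object cannot be reliably erased, which is the practical catch behind "delete what remains in the storage device".

```python
"""Sequential camera configuration with wipe-after-use (added example, not the patent's code)."""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class FakeCamera:
    """Stand-in for an IP camera reachable through its own tunnel (assumed)."""
    camera_id: str
    password_hash: bytes                       # the camera keeps only a hash
    settings: dict = field(default_factory=dict)
    logged_in: bool = False

    def login_module(self) -> bytes:
        # the "program module for login and environment setting" the camera hands over
        return b"# client script for " + self.camera_id.encode()

    def login(self, user: str, password: bytes) -> bool:
        digest = hashlib.sha256(password).digest()
        self.logged_in = user == "admin" and hmac.compare_digest(digest, self.password_hash)
        return self.logged_in

    def apply(self, settings: dict) -> None:
        if not self.logged_in:
            raise PermissionError("not logged in")
        self.settings.update(settings)

    def logout(self) -> None:
        self.logged_in = False


def make_camera(camera_id: str, password: bytes) -> FakeCamera:
    return FakeCamera(camera_id, hashlib.sha256(password).digest())


class ConfigSession:
    """Everything the server holds for one camera while it is being configured."""

    def __init__(self, storage: dict, camera: FakeCamera, password: bytearray, settings: dict):
        self.storage = storage
        self.key = f"session/{camera.camera_id}"
        self.module = bytearray(camera.login_module())   # received program module
        self.password = password                          # bytearray, wiped later
        self.settings = dict(settings)                    # environment setting data
        storage[self.key] = self                          # what would be left behind

    def wipe(self) -> None:
        """Initialization step: overwrite, then drop, every transient item."""
        for buf in (self.module, self.password):
            buf[:] = b"\x00" * len(buf)
            buf.clear()
        self.settings.clear()
        self.storage.pop(self.key, None)


def configure_cameras(storage: dict, cameras: list, settings_by_id: dict, credential_source) -> list:
    """Select cameras one at a time; a second session is never opened before the first is wiped."""
    report = []
    for camera in cameras:                                # sequential selection
        assert not any(k.startswith("session/") for k in storage), "previous session not wiped"
        session = ConfigSession(storage, camera, credential_source(camera.camera_id),
                                settings_by_id[camera.camera_id])
        try:
            # bytes(...) makes an immutable copy for the call; that copy is the
            # residual exposure a real implementation has to accept or avoid
            if not camera.login("admin", bytes(session.password)):
                report.append((camera.camera_id, "login failed"))
                continue
            camera.apply(session.settings)
            camera.logout()
            report.append((camera.camera_id, "configured"))
        finally:
            session.wipe()                                # runs even if apply() raised
    return report


def residue(storage: dict) -> list:
    """Anything still in server storage after the run is a leak candidate."""
    return [k for k in storage if k.startswith("session/")]
```

The credential_source callable stands for wherever a real control server fetches the camera password from (a vault or HSM, not a file next to the program); the point of the loop is that a failed login, an exception during apply() and a normal completion all reach the same wipe() call, so a crash mid-configuration does not leave the login module or password in storage.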
  • Each of the plurality of cameras may be connected to the control server through an independent, separate tunneling channel.
  • Converting the image data into unidirectional image data may further include: when the control information is determined to be abnormal, detecting cracker information contained in the abnormal control information; converting the abnormal control information into third unidirectional data; transmitting the third unidirectional data to a cracker server when the cracker information includes address information of such a server; and monitoring the plurality of cameras and the control server.
  • According to another aspect, a video surveillance system is provided that comprises a plurality of cameras, each capable of acquiring image data and transmitting it by secure tunneling, and a control server capable of receiving the image data from the plurality of cameras over that secure tunneling.
  • The control server includes a memory storing camera configuration program instructions, and a processor communicatively coupled to the memory that executes those instructions.
  • By executing the instructions, the processor accesses at least one configuration target camera among the plurality of cameras, receives a program module for login and configuration from it while providing it with login data and environment setting data, and sets its operating environment; when the setting is complete, initializes by deleting whatever of the program module, the login data and the environment setting data remains in the memory; and converts the image data received from each of the plurality of cameras into unidirectional image data.
  • The function of converting the image data into unidirectional image data may include separating image information from the image data; converting the image information into first unidirectional data; checking whether the control information contained in the image data is normal; and, when it is determined to be normal, converting that control information into second unidirectional data.
  • The processor may further perform a function of connecting to or disconnecting from the configuration target camera, and a function of selecting the configuration target camera sequentially from among the plurality of cameras.
  • Each of the plurality of cameras may be connected to the control server through an independent, separate tunneling channel.
  • The function of converting the image data into unidirectional image data may further include: when the control information is determined to be abnormal, detecting cracker information contained in the abnormal control information; converting the abnormal control information into third unidirectional data; transmitting the third unidirectional data to a cracker server when the cracker information includes address information of such a server; and monitoring the plurality of cameras and the control server.
  • The present invention thus prevents the program for setting the camera usage environment, or data on camera access rights, from being used to access other cameras or to intrude into the internal network of the video surveillance system.
  • It also prevents intrusion into the remaining cameras or the internal network even if one camera is hacked or malicious software is hidden in part of a camera.
  • FIG. 1 is a block diagram showing the overall configuration of a video surveillance system according to an embodiment of the present invention.
  • FIG. 2 is a conceptual block diagram of the video surveillance system showing the connection form, through a virtual private network, between the cameras and the control server shown in FIG. 1.
  • FIG. 3 is a block diagram of an embodiment of the control server shown in FIGS. 1 and 2.
  • FIG. 4 is a detailed block diagram of an application program loaded and executed in the control server.
  • FIG. 5 is a detailed block diagram of an embodiment of the one-way data conversion unit shown in FIG. 4.
  • FIG. 6 is a flowchart showing the camera usage environment setting process in the video surveillance system of FIG. 1.
  • FIG. 8 is a flowchart illustrating the one-way data conversion process performed by the one-way data conversion unit shown in FIG. 5.
  • In the description that follows, a second component may be referred to as the first component and, similarly, the first component as the second component.
  • When a component is described as "connected" or "coupled" to another component, it means that it is, or can be, logically or physically connected to it. The connection may be direct, or another component may lie between the two so that they are connected indirectly.
  • FIG. 1 is a block diagram showing the overall configuration of a video monitoring system according to an embodiment of the present invention,
  • and FIG. 2 is a conceptual block diagram of the video monitoring system showing how the cameras of FIG. 1 connect to the control server through a virtual private network.
  • Referring to FIGS. 1 and 2, the video surveillance system comprises a plurality of cameras 10a to 10n and a control server 30 to which the cameras can connect through the Internet.
  • Each camera 10a to 10n may be connected to the Internet through a corresponding gateway 12a to 12n, and the control server 30 may likewise be connected to the Internet through a gateway 32.
  • Each of the plurality of cameras 10a to 10n is installed at a place requiring security, for example a building, a public facility, a cultural property and its surroundings, a house or a street; it captures images of its surroundings and transmits the image data to the control server 30.
  • Each camera 10a to 10n is a network camera, that is, an IP camera, which is assigned an IP address and can reach the control server 30 through the Internet.
  • Each camera 10a to 10n may be equipped with a VPN module program for setting up and controlling a VPN function, so that a secure tunnel can be formed over the network section that connects it to the control server 30.
  • Each gateway 12a to 12n is a communication node including a virtual router 14a to 14n.
  • In one embodiment the gateways 12a to 12n are routers. However, the present invention is not limited thereto, and at least some of the gateways 12a to 12n may be a LAN switch, a bridge, a network interface card or the like.
  • FIG. 1 illustrates, by way of example, the gateways 12a to 12n as separate from the corresponding cameras 10a to 10n, but each gateway 12a to 12n may also be built into its camera 10a to 10n.
  • The virtual routers 14a to 14n provided in the gateways 12a to 12n are the intermediary devices through which the corresponding cameras 10a to 10n are connected to the control server 30 by tunneling, enabling VPN communication.
  • The gateway 32 on the control server 30 side is a communication node including a plurality of virtual routers 34a to 34n.
  • In one embodiment the gateway 32 is a router.
  • The present invention is not limited thereto, and in another embodiment the gateway 32 may be a LAN switch, a bridge, a network interface card or the like.
  • The virtual routers 34a to 34n provided in the gateway 32 mediate the tunneled connections of the cameras 10a to 10n to the control server 30, enabling VPN communication.
  • FIG. 2 shows the connection form through a virtual private network while tunneling is in operation between the cameras 10a to 10n and the control server 30.
  • A tunneling channel 20 is provided between the plurality of cameras 10a to 10n and the server 30, and the tunneling channel 20 comprises first to n-th channels 22a to 22n.
  • Each of the first to n-th channels 22a to 22n connects the server 30 to exactly one of the plurality of cameras 10a to 10n.
  • The cameras 10a to 10n transmit their image data to the server 30 through these tunnels.
  • Pan/tilt/zoom commands and other control signals sent from the server 30 to the cameras 10a to 10n are likewise delivered to the corresponding camera through its tunnel.
  • The tunneling operation may be started automatically by program settings from the beginning of system operation, or it may be started after the system has booted, by the VPN module program installed in the camera 10a together with the program executed by the control server 30.
  • A virtual private network connects two devices that belong to separate, geographically distant networks over an existing public network (e.g., the Internet), creating an environment in which the two devices appear to be connected through a private network such as a dedicated line.
  • In other words, a virtual private network is a communication technique in which two devices are connected over a general-purpose network and a predetermined protocol then provides the same effect as dedicated-line communication.
  • The communication channel formed between the two devices, which behaves like a dedicated line, is the VPN; the channel itself is called a 'tunnel', and data transmission through it is called 'tunneling'.
  • Tunneling is a communication mechanism in which a packet of a lower OSI layer is encapsulated inside a higher-layer protocol for transport. Intermediate nodes on the path see only an ordinary packet of the outer protocol; only the receiving endpoint recognizes and unpacks the encapsulated packet, so the sender encapsulates the data before transmitting it.
  • The term 'tunnel' comes from the image of an invisible virtual transmission path, shaped like a pipe or tunnel, formed between the sender and the receiver so as to keep outsiders out.
  • In the present invention, image data and control commands are transmitted using this tunneling technique.
  • The VPN tunneling protocol, an important component of a VPN connection, encrypts the data packets passing between the VPN endpoints, creates and manages the VPN tunnels, and manages the encryption keys.
  • A tunneling protocol encapsulates the private data together with a header that includes the routing information needed to traverse the transport network. Based on the routing information in that header, the encapsulated frame is carried across the public network, that is, the Internet, to the tunnel endpoint, where it is decapsulated and forwarded to its final destination.
  • VPN tunneling devices can use various VPN tunneling protocols, for example Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), Internet Protocol Security (IPsec), the Secure Sockets Layer (SSL) protocol, the Transport Layer Security (TLS) protocol and the OpenVPN protocol.
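  • The encapsulation and decapsulation just described, as an added example that is not part of the application or the applicant's code. The frame layout is an assumption of this example: an outer header carrying the routing information (a magic value, a channel identifier and a sequence number), the encapsulated inner packet, and an HMAC-SHA256 tag over header and body. The HMAC-derived keystream used for confidentiality is a stand-in for a real cipher such as AES-GCM and must not be reused as-is; what the example shows is the endpoint's order of checks (authenticate before parsing, reject frames for another channel, reject replays) and why a camera that holds only its own channel keys cannot forge traffic on a neighbour's tunnel.

```python
"""Toy tunnel framing: encapsulate, carry, decapsulate (added example, not the patent's code)."""
import hashlib
import hmac
import os
import struct

HDR = struct.Struct("!4sHI")   # magic, channel id, sequence number ("routing information")
MAGIC = b"TUN1"
TAG_LEN = 32                   # SHA-256 digest length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; a stand-in for a real cipher, not for production."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def encapsulate(enc_key: bytes, mac_key: bytes, channel: int, seq: int, inner: bytes) -> bytes:
    """Wrap an inner packet as header || encrypted body || tag (encrypt-then-MAC)."""
    header = HDR.pack(MAGIC, channel, seq)
    body = _xor(inner, _keystream(enc_key, header, len(inner)))  # header doubles as nonce
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + body + tag


def decapsulate(enc_key: bytes, mac_key: bytes, channel: int, last_seq: int, frame: bytes):
    """Unwrap at the tunnel endpoint; rejects tampering, wrong channel and replay."""
    if len(frame) < HDR.size + TAG_LEN:
        raise ValueError("short frame")
    header, body, tag = frame[:HDR.size], frame[HDR.size:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):       # authenticate before parsing anything
        raise ValueError("authentication failed")
    magic, got_channel, seq = HDR.unpack(header)
    if magic != MAGIC or got_channel != channel:
        raise ValueError("frame does not belong to this tunnel")
    if seq <= last_seq:
        raise ValueError("replayed or reordered frame")
    return seq, _xor(body, _keystream(enc_key, header, len(body)))


def _rejects(keypair, channel: int, last_seq: int, frame: bytes) -> bool:
    try:
        decapsulate(*keypair, channel, last_seq, frame)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Two cameras, two key pairs: camera 2's keys cannot produce a frame accepted on channel 1."""
    keys = {ch: (os.urandom(32), os.urandom(32)) for ch in (1, 2)}
    inner = b"JPEG frame bytes (constructed)"
    frame = encapsulate(*keys[1], 1, 7, inner)
    seq, got = decapsulate(*keys[1], 1, 6, frame)
    results = {"roundtrip": got == inner and seq == 7}
    tampered = frame[:HDR.size] + bytes([frame[HDR.size] ^ 0x01]) + frame[HDR.size + 1:]
    results["tamper_rejected"] = _rejects(keys[1], 1, 6, tampered)
    results["replay_rejected"] = _rejects(keys[1], 1, 7, frame)
    forged = encapsulate(*keys[2], 1, 8, b"attacker payload")   # hacked camera 2 targeting channel 1
    results["cross_channel_rejected"] = _rejects(keys[1], 1, 7, forged)
    return results
```

For a real deployment the protocols the application lists are not interchangeable: PPTP and SSL are obsolete and should not be chosen for new systems, while IPsec, TLS 1.2 or later and OpenVPN provide the same framing idea with a vetted cipher and key management.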
  • In the present invention a VPN tunneling device using any of these tunneling protocols may be used for tunneling, but the present invention is not limited thereto; a tunneling device using a technique other than VPN, such as Secure Shell (SSH), or tunneling over Internet Protocol Version 4 (IPv4) or IPv6, may also be used.
  • Thus the plurality of cameras 10a to 10n are each connected independently, as if over their own dedicated line. Even if any one of the cameras 10a to 10n is hacked by a cracker, access to the other cameras can be prevented.
  • In the embodiment of FIG. 1 a separate gateway 12a to 12n is provided for each camera 10a to 10n, and each camera is connected to the control server 30 through its own independent tunneling channel 22a to 22n.
  • In another embodiment the cameras 10a to 10n may be joined into one network by a single network device, for example a LAN switch, a bridge, a hub or a router, and that network may be connected to the control server 30 side through one or more tunneling channels. Since such an embodiment can easily be implemented by those skilled in the art on the basis of this specification, a detailed description is omitted.
  • FIG. 3 is a block diagram of an embodiment of the control server 30 shown in FIGS. 1 and 2,
  • and FIG. 4 is a detailed block diagram of an application program loaded and executed in the control server.
  • The cameras 10a to 10n and the tunneling channel 20 are also shown in FIG. 4.
  • The control server 30 includes a processor 40, a memory 50, a storage device 60, a network interface 92 and a display unit 94.
  • The processor 40, the memory 50, the storage device 60, the network interface 92 and the display unit 94 may be connected to one another through a bus 32 so as to exchange data.
  • The processor 40 executes the program instructions needed for the control server 30 to function, controls the camera settings, forms the virtual private network channels 20a to 20n between the cameras 10a to 10n and the control server 30, and converts the camera image data received through the virtual private networks 20a to 20n into unidirectional data.
  • the processor 40 is not limited thereto, but may be implemented by a typical central processing unit (CPU).
  • the processor 40 may be implemented by one CPU, but is not limited thereto, and may be implemented by two or more CPUs. That is, the control server 30 shown in FIG. 3 may be implemented as two or more data processing devices.
  • The memory 50 may include a non-volatile storage device such as a ROM 52 and a volatile storage device such as a RAM 54.
  • The ROM 52 may store the boot sequence needed to boot the control server 30.
  • The RAM 54 may store program instructions for the operation of the control server 30 and temporary data generated during operation.
  • The storage device 60 may include a computer-readable recording medium capable of storing the program instructions 70 and the data needed for the control server 30 to function.
  • Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tape; optical media such as compact disc read-only memory (CD-ROM) and DVD (Digital Video Disk); magneto-optical media such as floptical disks; and hardware devices specially configured to store and execute program instructions, such as read-only memory (ROM), random access memory (RAM) and flash memory.
  • the storage device 60 may additionally store the monitoring image data received from the cameras 10a to 10n, but the present invention is not limited thereto, and the monitoring image data may be stored in a separate recording medium.
  • the network interface 92 allows the control server 30 to communicate with the cameras 10a to 10n and/or other external devices through the Internet or other networks.
  • the display unit 94 displays the monitoring image received from the cameras 10a to 10n and/or information about the operation state of the control server 30 .
  • The program instructions 70 needed for the operation of the control server 30 are stored in the storage device 60 and, in response to an execution command from the administrator, can be loaded into the RAM 54 of the memory 50.
  • The program instructions are executed in that state to perform the operations described herein.
  • The program instructions are typically machine code generated by compiling high-level source code with a compiler.
  • However, the present invention is not limited thereto, and code that is executed while being translated by an interpreter or the like may also be included.
  • The program instructions may take the form of a single file or, of course, of a plurality of files.
  • When the program instructions 70 are loaded into the RAM 54 and executed by the processor 40, they implement a switching control unit 72, a switching and camera connection unit 74, a virtual private network setting unit 76, an environment setting unit 78, a one-way data conversion unit 80 and a transmission unit 82.
  • The switching control unit 72 controls the overall operation of the control device 30 and, in particular, controls the switching and camera connection unit 74 so as to connect to the cameras 10a to 10n.
  • The switching and camera connection unit 74, when executed by the processor 40, connects to or disconnects from the cameras 10a to 10n under the control of the switching control unit 72. While connected to one of the cameras 10a to 10n, it transmits environment setting commands to that camera and receives the responses. It may also control the pan/tilt/zoom operation and other operations of each camera 10a to 10n.
  • The virtual private network setting unit 76, when executed by the processor 40, sets up the virtual private network by controlling the VPN module and/or virtual routers 14a to 14n on the camera 10a to 10n side and the VPN module and/or virtual routers 34a to 34n on the control server 30 side.
  • The environment setting unit 78 connects to each camera 10a to 10n through the switching and camera connection unit 74 and logs in.
  • To do so, the environment setting unit 78 may receive a predetermined program (e.g., a client script) required for login from the camera and transmit the access information (e.g., identifier and password) required for login.
  • After logging out, the environment setting unit 78 completely deletes the login program (e.g., the client script) and the connection information (e.g., identifier and password) remaining in the RAM 54 of the memory 50 or in any other storage device, so that hackers or crackers cannot access, obtain and misuse this information.
  • The environment setting information set through the environment setting unit 78 includes, for example, the pan/tilt cycle while no moving object is present, screen brightness, the masking or mosaic method used to protect the privacy of passers-by, settings of other artificial intelligence functions, and changes to such settings, but is not limited thereto.
  • The unidirectional data conversion unit 80 receives the image data coming from the cameras 10a to 10n and converts it into unidirectional data.
  • The unidirectional data conversion unit 80 may also convert data other than image data into unidirectional data, as described later.
  • The one-way conversion performed by the unidirectional data conversion unit 80 serves to separate the plurality of cameras 10a to 10n, which belong to the external network, from the control server 30, which belongs to the internal network.
  • The transmission unit 82 receives the image data that the unidirectional data conversion unit 80 has converted to be unidirectional after receipt from the cameras 10a to 10n, and transmits the unidirectional image data to another device or stores it on a storage medium.
  • The transmission unit 82 may include a network video recorder (NVR) and/or a monitor for displaying the surveillance images.
  • FIG. 5 is a detailed block diagram of an embodiment of the unidirectional data conversion unit 80 shown in FIG. 4.
  • The unidirectional data conversion unit 80 receives the image data tunneled through the tunneling channel 20, channel by channel, and converts each stream into data that is transmitted strictly in one direction.
  • So that the image data tunneled through the first to n-th channels 22a to 22n, which operate independently of one another, can each be processed by a separate unidirectional data conversion unit 80, as many unidirectional data conversion units 80 as there are channels in the tunneling channel 20 may be provided, but the present invention is not limited thereto.
  • The one-way data conversion unit 80 may also collect data on network intrusion techniques.
  • The unidirectional data conversion unit 80 includes an image separation unit 100, a first conversion unit 102, an inspection unit 104, a second conversion unit 106, a detection unit 108, a third conversion unit 110 and a monitoring unit 112.
  • The image separation unit 100 separates the image information from the image data received through tunneling. The separation may be performed with a parsing engine.
  • The first conversion unit 102 receives the image information from the image separation unit 100 and converts it into data transmitted in one direction only, that is, first unidirectional data. As a result, the transmission unit 82 that receives the first unidirectional data cannot send data back to the first conversion unit 102, and cannot reach the first conversion unit 102 or the cameras 10a to 10n through the first unidirectional data.
  • The image data includes image information and control information.
  • The control information may include operations of the photographing means 10 such as lift, pan, tilt and zoom, the start or completion of photographing, power on/off, and the like.
  • The inspection unit 104 receives the control information data from which the image separation unit 100 has separated the image information, or the image data received through tunneling, and checks whether the control information it contains is normal or abnormal.
  • In FIG. 5 the inspection unit 104 is shown following the image separation unit 100, but it may instead be placed before the image separation unit 100. In that case the control information in the tunneled image data is examined first for normality, and the image separation unit 100 then separates the image information.
  • When the inspection unit 104 determines that the control information is normal, the second conversion unit 106 receives the control information, converts it into second unidirectional data that is transmitted in one direction only, and passes it to the transmission unit 82. As with the first unidirectional data produced by the first conversion unit 102, the receiving side of the second unidirectional data, that is, the transmission unit 82, is fundamentally prevented from reaching the transmitting side, that is, the first conversion unit 102 or the cameras 10a to 10n, through the second unidirectional data.
  • The detection unit 108 receives the control information that the inspection unit 104 has found abnormal and detects the cracker information contained in it.
  • The detection unit 108 may output the cracker information together with the abnormal control information.
  • When the inspection unit 104 determines that the control information is abnormal, the third conversion unit 110 receives the control information and converts it into third unidirectional data that is transmitted in one direction only. As with the first and second unidirectional data, it is virtually impossible for the receiving side of the third unidirectional data, that is, the monitoring unit 112 described next, to reach the transmitting side, that is, the first conversion unit 102 or the cameras 10a to 10n, through the third unidirectional data.
  • The monitoring unit 112 receives and stores the cracker information and the third unidirectional data and, when the cracker information includes information identifying a cracker server 99, transmits the third unidirectional data to that cracker server 99.
  • The monitoring unit 112 also monitors the entire video control system of the present invention, including the cameras 10a to 10n and the control server 30.
  • Here the cracker server 99 denotes a server that provides network access to the terminals, such as a computer or mobile phone, used by the cracker, and the information of the cracker server 99 may be its address information, for example an IP address, a domain name or a URL (Uniform Resource Locator).
  • IP Address IP Address
  • domain Domain Name
  • URL Uniform Resource Locator
  • the monitoring unit 112 transmits the third one-way data including the abnormal control information to the cracker, that is, the cracker server 99, and the network intrusion behavior of the received cracker is hidden in the cameras 10a to 10n. Monitors the existence of system operation patterns caused by malicious software. Accordingly, the monitoring unit 112 is able to collect network intrusion method data on the advanced network intrusion method, and intentionally for abnormal access to the internal network, that is, detection and tracking of intrusion such as hacking. It acts as a kind of honeypot installed.
  • a configuration may be separately provided for monitoring this and collecting network intrusion method data.
  • the configuration may include hardware or software provided in each camera 10a to 10n and additional program instructions (eg, a fourth conversion unit) provided in the control server 30 .
  • in that case the cameras 10a to 10n themselves detect cracker information (referred to as "second cracker information"), the detection unit 108 separates the second cracker information detected by the cameras 10a to 10n from the abnormal control information, and a fourth conversion unit (not shown) converts it into unidirectional data (referred to as "fourth unidirectional data").
  • the monitoring unit 112 additionally collects information on which of the cameras 10a to 10n are connected to the cracker, together with the fourth unidirectional data.
  • the monitoring unit 112 transmits the third one-way data and the fourth one-way data to the cracker server 99, so that the operator of the cracker server 99 is urged to sanction the cracker's illegal acts.
  • the monitoring unit 112 may monitor the next action of the cracker by providing data corresponding to the action of the cracker to the terminal of the cracker.
  • the data provided to the cracker's terminal in response to the cracker's behavior may be real data or false data. Through such an active response, the monitoring unit 112 can accurately identify the cracker's network intrusion behavior, and can predict and respond to the subsequent behavior.
  • the transmission unit 82 receives the image data converted to have unidirectionality by the unidirectional data conversion unit 80 , and transmits the received unidirectional image data to another device or stores it in a storage medium.
  • the transmitter 82 may include a network video recorder (NVR) and/or a monitor to display a surveillance image.
  • the unidirectional data converter 80 converts the video data tunneled through the virtual routers 14a to 14n into unidirectional data and provides it to the transmitter 82 . Accordingly, the unidirectional data conversion unit 80 serves as a network separation device that separates the internal network from the plurality of cameras 10a to 10n included in the external network.
  • the images acquired by the cameras 10a to 10n are transmitted to the control server 30 by tunneling through independent channels, and the one-way data conversion unit 80 in the control server 30 provides an additional network separation on the receiving side: the receiving side of the unidirectional data (video data and/or audio data) fundamentally cannot reach the transmitting side, that is, the cameras 10a to 10n, nor anything beyond the cameras 10a to 10n, through that data. Therefore the plurality of cameras 10a to 10n built into the video control system are all configured independently, and even if any one of them is hacked by a cracker, access to the others can be prevented.
  • FIG. 6 is a flowchart illustrating a process of setting a camera use environment in the video surveillance system of FIG. 1 .
  • the switching control unit 72 outputs a switching control signal for calling the first camera 10a (S10).
  • upon receiving the switching control signal for calling the first camera 10a output by the switching control unit 72 (S20), the switching and camera connection unit 74 connects to the first camera 10a and then connects the environment setting unit 76 to the first camera 10a (S30).
  • the first camera 10a transmits the login web page to the environment setting unit 76, and the login screen can be displayed on the monitor connected to the control server 30 (S40).
  • the login webpage may include a client script for receiving login data from the control server 30 administrator and transmitting the login data inputted by the administrator to the first camera 10a.
  • the login webpage provided by each camera 10a to 10n may be the same for each camera, but the present invention is not limited thereto, and the webpage may be different between at least some cameras.
  • the administrator inputs login data, for example, an identifier such as an administrator ID and a password
  • the environment setting unit 76 transmits the input identifier and password to the first camera (S50).
  • the first camera 10a transmits the web page for setting the operating environment to the environment setting unit 76, and the operating environment setting screen can be displayed on the monitor connected to the control server 30 (S60).
  • the web page for setting the operation environment may include a client script for receiving the setting data input from the control server 30 manager and transmitting the setting data inputted by the manager to the first camera 10a.
  • the web page for setting the operation environment provided by each camera 10a to 10n may be the same for each camera, but the present invention is not limited thereto, and the web page may be different between at least some cameras.
  • the environment setting unit 76 transmits the input setting data to the first camera (S70).
  • the switching control unit 72 then transmits a switching control signal for cancelling the connection between the environment setting unit 76 and the first camera 10a to the switching and camera connection unit 74. In response, the switching and camera connection unit 74 releases the connection between the environment setting unit 76 and the first camera 10a (S90).
  • at this point the login web page, its client script, the operation environment setting web page, its client script, cookies, administrator input information and the like received by the environment setting unit 76 from the first camera 10a may remain in the control server 30. If this state is maintained and the first camera 10a has already been hacked by a cracker, or a malicious program is hidden in the user environment setting software, there is a possibility that the cracker breaks in and steals that information.
  • the environment setting unit 76 therefore deletes and initializes the web pages, client scripts, cookies and administrator input information remaining in the RAM 54 and/or the storage device 60 immediately after the connection with the first camera 10a is released, restoring the state that existed before the connection to the first camera 10a (S100).
  • the operating environment setting can be performed in the same manner for the other cameras 10b to 10n. In particular, the operation environment can be set sequentially for all the cameras 10a to 10n. FIG. 7 shows such a user environment setting process.
  • parts (a), (b) and (c) of FIG. 7, arranged vertically, show the operation environment setting process for the first, second and nth cameras 10a, 10b and 10n progressing over time.
  • a connection between the environment setting unit 76 and the first camera 10a is established by a switching operation of the switching and camera connection unit 74.
  • a login web page including a client script such as a cgi script is transmitted from the first camera 10a to the environment setting unit 76 .
  • the login data is transmitted to the first camera 10a through the environment setting unit 76
  • the login is completed.
  • an environment setting web page including a client script such as a cgi script is transmitted from the first camera 10a to the environment setting unit 76.
  • the environment setting data is transmitted to the first camera 10a through the environment setting unit 76 to set the environment.
  • the connection with the first camera 10a is terminated, and information such as web pages, client scripts, cookies and administrator input information remaining in the control server 30 is deleted and initialized.
  • a connection between the environment setting unit 76 and the second camera 10b may then be made by a switching operation of the switching and camera connection unit 74, as described above.
  • Log-in and environment setting for the second camera 10b may be performed through a procedure similar to that described above.
  • the connection with the second camera 10b is terminated, and information such as web pages, client scripts, cookies and administrator input information remaining in the control server 30 is deleted and initialized.
  • Such a process may be sequentially performed for each camera, and environment setting and residual information initialization for all cameras 10a to 10n up to the nth camera 10n may be performed.
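The sequence of FIG. 6 and FIG. 7 as an added example, written for this page and not taken from the patent or its applicant: one configuration session per camera, wiped as soon as the camera is released, placed beside the shared-session behavior the text warns about. The FakeCamera objects, their page URLs, scripts, cookie values and the "leak(...)" marker that stands for a compromised camera's script are constructed stand-ins for the real HTTP exchange.

```python
"""Added example, not the patent's code: per-camera configuration with the
session wiped after every camera (S30..S100), beside a shared session.
Cameras, pages, scripts and cookie values are constructed stand-ins."""
from dataclasses import dataclass, field


@dataclass
class FakeCamera:
    """In-memory stand-in for one network camera's login / setup web UI."""
    name: str
    admin_password: str
    malicious: bool = False          # models a camera shipped with hidden code
    settings: dict = field(default_factory=dict)

    def login_page(self):
        script = "submit(login)"
        if self.malicious:           # hypothetical marker, not a real payload
            script += "; leak(document.cookie)"
        return {"url": f"http://{self.name}/login.cgi", "script": script}

    def login(self, user, password):
        if user == "admin" and password == self.admin_password:
            return f"sid-{self.name}"   # session cookie issued by the camera
        return None

    def setup_page(self, cookie):
        if cookie != f"sid-{self.name}":
            return None
        return {"url": f"http://{self.name}/setup.cgi", "script": "submit(setup)"}

    def apply(self, cookie, data):
        if cookie != f"sid-{self.name}":
            return False
        self.settings.update(data)
        return True


class ConfigSession:
    """Everything the control server holds in RAM/storage while one camera
    is being configured: received pages and scripts, cookies, admin input."""

    def __init__(self):
        self.pages, self.scripts, self.cookies, self.admin_input = [], [], {}, {}

    def wipe(self):
        """S100: delete and initialize all residue from the camera just left."""
        self.pages.clear()
        self.scripts.clear()
        self.cookies.clear()
        self.admin_input.clear()

    def is_empty(self):
        return not (self.pages or self.scripts or self.cookies or self.admin_input)


def configure_camera(cam, password, data, session):
    """S40..S70 for one camera; True when the settings were applied."""
    page = cam.login_page()                                   # S40
    session.pages.append(page["url"])
    session.scripts.append(page["script"])
    session.admin_input = {"user": "admin", "password": password}
    cookie = cam.login("admin", password)                     # S50
    if cookie is None:
        return False
    session.cookies[cam.name] = cookie
    page = cam.setup_page(cookie)                             # S60
    session.pages.append(page["url"])
    session.scripts.append(page["script"])
    return cam.apply(cookie, data)                            # S70


def configure_all(cameras, password, data, isolated=True):
    """Configure the cameras one after another. isolated=True gives each
    camera a fresh session that is wiped afterwards; isolated=False reuses
    one session, so the next camera is handled with the previous camera's
    scripts, cookies and admin input still present. Returns the per-camera
    result and, per camera, the scripts already in the session when it was
    called (the residue the text warns about)."""
    shared = ConfigSession()
    results, residue_seen = {}, {}
    for cam in cameras:
        session = ConfigSession() if isolated else shared
        residue_seen[cam.name] = list(session.scripts)
        try:
            results[cam.name] = configure_camera(cam, password, data, session)
        finally:
            if isolated:
                session.wipe()                               # S100, even on failure
                assert session.is_empty()
    return results, residue_seen
```

With isolated=True the residue list is empty for every camera; with isolated=False the second camera is handled while the first camera's script (and the administrator's password) are still in the session, which is exactly what a compromised first camera would exploit.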
  • FIG. 8 is a flowchart illustrating a one-way data conversion process by the one-way data conversion unit 78 shown in FIG. 5 .
  • the image data generated by the cameras 10a to 10n is tunneled through the respective channels 22a to 22n of the VPN channel 20 and input to the image separation unit 100 of the one-way data conversion unit 78 (S310).
  • the image separation unit 100 separates image information from the image data of each channel ( S320 ).
  • the separated image information is transmitted to the first conversion unit 102 (S330), and is converted into first unidirectional data that is unilaterally transmitted in one direction (S340).
  • the first conversion unit 102, as well as the second and third conversion units 106 and 110, may use any of various known methods to convert data into unidirectional data.
  • for example, the first conversion unit 102 may decode the image information in real time, convert it into an AVI file or an MP4 file, and then convert it into unidirectional data.
  • alternatively, the image data is decoded into raw data, the raw data is converted into serial data or parallel data, and the result is encoded back into the original format, thereby being converted into unidirectional data.
  • the converted first unidirectional data is transmitted to the transmitter 82 (S350).
  • the transmission unit 82 may transmit the first unidirectional data together with the second unidirectional data to the server 40 or another device, or store it in a storage medium.
  • the transmission unit 82 may provide the data to a separate display device such as a monitor for display, or store it in a separate image storage device such as a network video recorder (NVR).
  • the image data from which the image information is separated is transmitted to the inspection unit 104 (S360).
  • the image data transmitted to the inspection unit 104 is shown here as the image data from which the image information has been separated, but the image data as received from the cameras 10a to 10n through the channels 22a to 22n may be used instead.
  • the inspection unit 104 determines whether the control information included in the image data is normal or abnormal (S370). If any one of the cameras 10a to 10n contains malicious software, that is, if network cameras sold by a cracker with malicious software hidden in them were used to build the system, it is difficult to determine whether malicious software is installed, and it is practically impossible to find the hidden malicious software, especially when a large number of cameras are used. If cameras 10a to 10n with hidden malicious software are purchased and installed, the cracking code in the cameras is activated at some point in time and can affect the system by being included in the video data, in particular in the control information.
  • whether malicious software is included in the cameras 10a to 10n installed in the system is therefore determined by checking, through the inspection unit 104, whether the control information included in the image data is normal or abnormal.
  • Determination of whether the control information is normal or abnormal may be made by comparing the protocol and setting of the control information with the protocol and setting preset in the inspection unit 104 . That is, if the protocol and the settings match each other, it can be determined as normal, and when any one of them is different from each other, it can be determined as abnormal.
  • the control information may be determined to be abnormal control information when it contains content not instructed by the system administrator, or content other than what was instructed: for example, when any image data has been damaged, changed, deleted or illegally copied, when the IP address accessing the network is not in the authorized IP band, when a user account for which authentication is permitted tries to access outside the permitted time (for example, working hours), when the network is blocked, or when the protocol is determined to differ from the set protocol.
  • the normal control information is transferred to the second conversion unit 106 (S372), converted into second unidirectional data that is transmitted in one direction only (S374), and the second unidirectional data is transmitted to the transmission unit 82 (S376).
  • the transmission unit 82 may transmit the transmitted second unidirectional data together with the above-described first unidirectional data to a separate display device to be displayed or may be stored in a separate image storage device.
  • the abnormal control information is transmitted to the detection unit 108 (S380), and the detection unit 108 detects cracker information from the abnormal control information (S390).
  • Cracker information can be detected through a variety of known techniques.
  • the cracker information referred to in the present invention may be data directly extracted from abnormal control information, for example, information on malicious software, or log data for abnormal control information.
  • the third conversion unit 110 receives the abnormal control information directly from the inspection unit 104, or receives from the detection unit 108 the abnormal control information in which the cracker information has been detected (S400), and converts the abnormal control information and the cracker information into third unidirectional data that is transmitted in one direction only (S410). The third one-way data for the abnormal control information and the cracker information is transmitted to the monitoring unit 112 (S420).
  • the monitoring unit 112 may analyze the received cracker information to determine what the control information is intended to do and how it will affect the system, but in most cases it is difficult to find out what the cracker information contains.
  • the monitoring unit 112 determines whether information on the cracker server 99, such as its IP address, domain or URL, exists in the cracker information (S430), and if so uses it to transmit the third one-way data to the cracker server 99 and waits for the cracker's response (S440).
  • it is preferable that the monitoring unit 112 records the information on the cracker server 99 in a separate blacklist so that the cracker server 99 is monitored continuously.
  • after the monitoring unit 112 has sent the third unidirectional data, the cracker server 99 may access the video control system or deliver separate control information for controlling the cameras 10a to 10n; by monitoring how the cameras 10a to 10n then operate and what conditions arise in the system as a result, countermeasures against the cracker can be established quickly.
  • the third unidirectional data is transmitted to the cracker server 99 by the monitoring unit 112 rather than by the cameras 10a to 10n. The cracker who receives and examines it concludes that the data was sent from the cameras 10a to 10n by the malicious software hidden in them. Accordingly, even if the cracker server 99 runs a system command such as ifconfig, ipconfig or netstat to check the IP address of the camera 10a to 10n, what it sees is the IP address of the monitoring unit 112, not that of the cameras 10a to 10n.
  • the cracker thus takes the monitoring unit 112 for the cameras 10a to 10n, and any further data the cracker sends to the system passes through the monitoring unit 112, which serves as the honeypot of the present invention, so that network intrusion method data can be collected easily.
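The inspection (S370), detection (S390) and blacklist (S430) steps described above, as one added example written for this page rather than taken from the patent: control information records are compared with a preset policy, records judged abnormal are mined for cracker-server indicators (IP address, domain, URL), and the indicators are recorded in a blacklist together with the camera they were seen on. The POLICY values, the record layout and SAMPLE_RECORDS are constructed for illustration; the addresses are from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 and the domain example.net is reserved. Forwarding the third one-way data to the cracker server (S440) is not part of the example.

```python
"""Added example, not the patent's code: inspection of control information
(S370), extraction of cracker-server indicators (S390) and the blacklist
kept by the monitoring unit (S430). POLICY, the record layout and
SAMPLE_RECORDS are constructed for illustration."""
import ipaddress
import re
from datetime import time
from urllib.parse import urlsplit

# Hypothetical preset of the inspection unit: expected protocol and settings,
# authorized source band, permitted hours and the accounts allowed to log in.
POLICY = {
    "protocol": "RTSP/1.0",
    "settings": {"codec": "H.264", "fps": 25},
    "allowed_nets": [ipaddress.ip_network("10.20.0.0/16")],
    "work_hours": (time(8, 0), time(18, 0)),
    "known_users": {"admin", "operator"},
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s\"'<>]+")


def _parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _in_band(ip, policy):
    return any(ip in net for net in policy["allowed_nets"])


def inspect_control(record, policy=POLICY):
    """Compare protocol and settings with the preset and apply the other
    abnormality rules from the text. An empty list means 'normal'."""
    reasons = []
    if record["protocol"] != policy["protocol"]:
        reasons.append("protocol mismatch")
    for key, expected in policy["settings"].items():
        if record["settings"].get(key) != expected:
            reasons.append(f"setting {key} changed")
    src = _parse_ip(record["src_ip"])
    if src is None or not _in_band(src, policy):
        reasons.append("source ip outside authorized band")
    start, end = policy["work_hours"]
    if record["user"] in policy["known_users"] and not start <= record["time"] <= end:
        reasons.append("access outside permitted hours")
    if record.get("image_state", "intact") != "intact":
        reasons.append("image data " + record["image_state"])
    return reasons


def detect_cracker_info(record, policy=POLICY):
    """Cracker-server indicators (IP, domain, URL) found in abnormal control
    information. Addresses inside the authorized band are not reported."""
    indicators = set()
    for text in IPV4.findall(record["payload"]) + [record["src_ip"]]:
        ip = _parse_ip(text)
        if ip is not None and not _in_band(ip, policy):
            indicators.add(str(ip))
    for url in URL.findall(record["payload"]):
        indicators.add(url)
        host = urlsplit(url).hostname
        if host:
            ip = _parse_ip(host)
            if ip is None or not _in_band(ip, policy):
                indicators.add(host)
    return indicators


class MonitoringUnit:
    """Keeps the per-camera verdicts and the blacklist of cracker-server
    indicators; sending the third one-way data to that server is left out."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.blacklist = {}          # indicator -> cameras it was seen from

    def process(self, records):
        verdicts = {"normal": [], "abnormal": {}}
        for rec in records:
            reasons = inspect_control(rec, self.policy)
            if not reasons:          # second unidirectional data path
                verdicts["normal"].append(rec["camera"])
                continue
            verdicts["abnormal"][rec["camera"]] = reasons   # third path
            for indicator in detect_cracker_info(rec, self.policy):
                self.blacklist.setdefault(indicator, set()).add(rec["camera"])
        return verdicts


# Constructed sample control-information records, one per camera.
SAMPLE_RECORDS = [
    {"camera": "cam_a", "protocol": "RTSP/1.0",
     "settings": {"codec": "H.264", "fps": 25}, "src_ip": "10.20.1.5",
     "user": "operator", "time": time(10, 30), "payload": "GET_PARAMETER stream1"},
    {"camera": "cam_b", "protocol": "RTSP/1.0",
     "settings": {"codec": "H.264", "fps": 25}, "src_ip": "198.51.100.77",
     "user": "admin", "time": time(2, 15),
     "payload": "SET_PARAMETER upload=http://c2.example.net/drop"},
    {"camera": "cam_c", "protocol": "HTTP/1.1",
     "settings": {"codec": "H.265", "fps": 25}, "src_ip": "10.20.3.9",
     "user": "operator", "time": time(11, 0),
     "payload": "POST /cgi-bin/upgrade.cgi firmware=203.0.113.8"},
]
```

MonitoringUnit().process(SAMPLE_RECORDS) reports cam_a as normal, cam_b as abnormal (source outside the authorized band, access at 02:15) and cam_c as abnormal (protocol and codec differ from the preset); the blacklist then holds the external address 198.51.100.77, the URL and its host c2.example.net, and the address 203.0.113.8 found in cam_c's payload, while the internal 10.20.3.9 is not recorded.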

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Multimedia (AREA)
  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)
  • Closed-Circuit Television Systems (AREA)

Abstract

The invention relates to a camera use environment configuration method capable of preventing access to other cameras, or intrusion into the internal network of a surveillance system, by means of a program or data used in the camera use environment configuration. A camera use environment configuration method according to one aspect of the present invention comprises the steps in which: a control server connects to at least one camera whose environment is to be configured, among a plurality of cameras; the control server supplies login data and environment configuration data to the camera whose environment is to be configured, while receiving from that camera a program module for login and environment configuration, so as to configure an operating environment for that camera; whatever remains of the program module, the login data and the environment configuration data in a storage device of the control server is deleted when the configuration of the operating environment is completed, and an initialization is carried out; and the control server receives image data from each of the plurality of cameras and converts the image data into unidirectional image data.
PCT/KR2020/016305 2019-07-19 2020-11-18 Système de surveillance d'image ayant une capacité de configuration d'environnement d'utilisation de caméra à sécurité renforcée WO2021107493A1 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
KR20190087737 2019-07-19
KR10-2019-0156601 2019-11-29
KR1020190156601A KR102165000B1 (ko) 2019-07-19 2019-11-29 보안성이 강화된 카메라 사용환경 설정시스템을 구비하는 영상 관제 설비

Publications (1)

Publication Number Publication Date
WO2021107493A1 true WO2021107493A1 (fr) 2021-06-03

Family

ID=72885268

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2020/016305 WO2021107493A1 (fr) 2019-07-19 2020-11-18 Système de surveillance d'image ayant une capacité de configuration d'environnement d'utilisation de caméra à sécurité renforcée

Country Status (2)

Country Link
KR (1) KR102165000B1 (fr)
WO (1) WO2021107493A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102165000B1 (ko) * 2019-07-19 2020-10-13 지엘디앤아이에프 주식회사 보안성이 강화된 카메라 사용환경 설정시스템을 구비하는 영상 관제 설비

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104217171A (zh) * 2013-05-30 2014-12-17 安世盾信息技术(北京)有限公司 一种密码破解方法、装置及系统
KR101523142B1 (ko) * 2013-11-19 2015-05-26 건국대학교 산학협력단 감시 카메라를 사용하여 홈 시큐리티 서비스를 제공하는 OSGi 기반의 서버 및 홈 시큐리티 서비스 제공 방법
KR101857716B1 (ko) * 2017-09-21 2018-05-14 지엘디앤아이에프 주식회사 망 분리 장치 및 이를 구비하는 영상 감시 시스템
KR20190003424A (ko) * 2018-11-23 2019-01-09 주식회사 아라드네트웍스 Ip카메라를 위한vpn 관리 방법 및장치
KR20190018799A (ko) * 2017-08-16 2019-02-26 주식회사 좋을 에이전트 기반 접근제어 관리 시스템
KR102165000B1 (ko) * 2019-07-19 2020-10-13 지엘디앤아이에프 주식회사 보안성이 강화된 카메라 사용환경 설정시스템을 구비하는 영상 관제 설비

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20090100140A (ko) 2008-03-19 2009-09-23 엘지전자 주식회사 아이피 카메라 및 이를 설정하는 방법
KR101205840B1 (ko) 2011-04-27 2012-11-28 주식회사 아이브이넷 차트를 이용한 카메라 설정정보의 설정장치 및 방법
KR102360453B1 (ko) 2015-04-10 2022-02-09 삼성전자 주식회사 카메라 설정 방법 및 장치
KR20170003299A (ko) 2015-06-30 2017-01-09 주식회사 케이티 카메라 장치 및 이에 의한 동작 모드 설정 방법

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104217171A (zh) * 2013-05-30 2014-12-17 安世盾信息技术(北京)有限公司 一种密码破解方法、装置及系统
KR101523142B1 (ko) * 2013-11-19 2015-05-26 건국대학교 산학협력단 감시 카메라를 사용하여 홈 시큐리티 서비스를 제공하는 OSGi 기반의 서버 및 홈 시큐리티 서비스 제공 방법
KR20190018799A (ko) * 2017-08-16 2019-02-26 주식회사 좋을 에이전트 기반 접근제어 관리 시스템
KR101857716B1 (ko) * 2017-09-21 2018-05-14 지엘디앤아이에프 주식회사 망 분리 장치 및 이를 구비하는 영상 감시 시스템
KR20190003424A (ko) * 2018-11-23 2019-01-09 주식회사 아라드네트웍스 Ip카메라를 위한vpn 관리 방법 및장치
KR102165000B1 (ko) * 2019-07-19 2020-10-13 지엘디앤아이에프 주식회사 보안성이 강화된 카메라 사용환경 설정시스템을 구비하는 영상 관제 설비

Also Published As

Publication number Publication date
KR102165000B1 (ko) 2020-10-13

Similar Documents

Publication Publication Date Title
WO2021060853A1 (fr) Système de contrôle d'accès au réseau et procédé associé
JP3262689B2 (ja) 遠隔操作システム
US8255682B2 (en) Early authentication in cable modem initialization
WO2012053807A1 (fr) Procédé et appareil pour partager une connexion internet sur la base d'une configuration automatique d'une interface réseau
US8976262B2 (en) Methods of connecting network-based cameras to video stations, and corresponding video surveillance systems, video stations, and network-based cameras
WO2015194829A2 (fr) Procédé de détection d'un certain nombre de dispositifs sélectionnés parmi une pluralité de terminaux clients dans un réseau privé à l'aide du même ip public par un serveur web doté d'un nom de domaine non spécifié supplémentaire à partir d'un trafic de demandes d'accès à l'internet du terminal client faisant une demande d'accès à l'internet, et système de détection sélective pour un dispositif dans un état dans lequel un ip public est partagé
WO2013085217A1 (fr) Système de gestion de la sécurité ayant de multiples serveurs de relais, et procédé de gestion de la sécurité
WO2016190663A1 (fr) Procédé de gestion de sécurité et dispositif de gestion de sécurité dans un système de réseau domestique
WO2015105222A1 (fr) Système de prévention de piratage pour terminal mobile et procédé associé
WO2019231215A1 (fr) Dispositif terminal et procédé d'identification d'un ap malveillant à l'aide dudit terminal
WO2021107493A1 (fr) Système de surveillance d'image ayant une capacité de configuration d'environnement d'utilisation de caméra à sécurité renforcée
WO2016200232A1 (fr) Système et procédé destinés à un serveur à distance en cas de défaillance d'un serveur de rétablissement
WO2024029658A1 (fr) Système de contrôle d'accès dans un réseau et procédé associé
WO2021107492A1 (fr) Système de vidéosurveillance
WO2018056582A1 (fr) Procédé d'inspection de paquet à l'aide d'une communication ssl
WO2019045424A1 (fr) Procédé de déchiffrement de couche de prise de sécurité destinée à la sécurité
WO2018117325A1 (fr) Procédé de liaison d'un système de gestion intégré et système de sécurité vidéo
WO2018088680A1 (fr) Système de sécurité et procédé de traitement de demande d'accès à un site bloqué
KR102173661B1 (ko) 영상 관제시스템
JP2002084326A (ja) 被サービス装置、センタ装置、及びサービス装置
JP2023531034A (ja) サービス伝送方法、装置、ネットワーク機器及び記憶媒体
WO2015023088A1 (fr) Système de traitement pour un fichier joint d'un courrier électronique et procédé de traitement associé
WO2019146854A1 (fr) Unité de dispositif de sécurité pour contrôler un code de vérification de micrologiciel de cctv
WO2013018940A1 (fr) Procédé de détection et de prévention de transactions illégales dans un commerce électronique et système associé
WO2019066098A1 (fr) Système de détection d'utilisation illégale de contenu et procédé associé

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20894382

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 02/09/2022)

122 Ep: pct application non-entry in european phase

Ref document number: 20894382

Country of ref document: EP

Kind code of ref document: A1